修改内存区域-返回0xCC VC ++ [英] Modifying region of memory - returns 0xCC VC++
问题描述
我正在修改在dll中编译的可执行代码的某些部分.但是我修改的整个段中固定地址的单个字节无法更改,甚至无法读取.
I am modifying some sections of an executable code compiled in a dll. But a single byte at a fixed address from the entire segment that I am modifying can't be changed, not even read.
代码很简单:
SEGMENT_DATA segInfo = getSegmentInfo(mHandle, segmentName);
if (segInfo.inFileSegmentAddr == 0) return false;
DWORD mOlProtection;
DWORD mOlProtection_1;
if (segInfo.architecture != MY_ARCH) {
printf(" Not the same architecture!\n");
return 0;
}
if(VirtualProtect((LPVOID)segInfo.segmentAddr, segInfo.segmentSize, PAGE_EXECUTE_READWRITE, &mOlProtection)==0) return false;
DWORD i=0;
for (size_t k = 0; k < segInfo.segmentSize; k++) {
BYTE *lpByteValue = (BYTE*)(segInfo.segmentAddr + k);
BYTE temp = *lpByteValue;
*lpByteValue = temp ^ lDecryptionKey[i];
i++;
i %= decryptionKeyLength;
}
if(VirtualProtect((LPVOID)segInfo.segmentAddr, segInfo.segmentSize, mOlProtection, &mOlProtection_1)==0) return false;
观察:
- 在修改内存之前,我使用
PAGE_EXECUTE_READWRITE
标志取消保护"该区域. - Visual Studio中的内存视图"清楚地向我显示了该特定地址的值.甚至更奇怪的是,第二次我从调试器手动修改了该值,我的代码也能够更改该值. 示例代码中的
-
temp
变量包含值0xCC
- 从字面上看,该字节是其他数百个字节中唯一不变的一个字节.这是内存视图"中唯一标记为黑色的字节(其余均为红色,因为它们已更改)
- Dll是在Debug/x86中编译的./MTd标志设置.没有随机地址(/DYNAMICBASE:否,/FIXED:否).否整个程序优化.
- 未修改的字节不是变量.因此它不能被未初始化".它实际上是一个非常重要的字节:它是指令操作码.一切都在那个字节上崩溃了.
- 解密例程(XOR代码)对错误没有影响.我进入代码,并在
temp
达到xor
之前查看它的值.这意味着永远不会使用解密密钥,因此不会导致问题. - 虚拟保护成功.
- Before I modify the memory, I "unprotect" the region with
PAGE_EXECUTE_READWRITE
flag. - Memory View in visual studio clearly shows me the value at that particular address. Even weirder is that in the second I modify the value manually from the debugger, my code is also able to change that value.
temp
variable in the example code contains the value0xCC
- This byte is literally the only one unchanged in a sea of hundred other bytes. It is the only byte marked black in Memory View (the rest are red because they were changed)
- Dll is compiled in Debug/x86 . /MTd flag set. No random address (/DYNAMICBASE : NO , /FIXED: NO). No Whole program optimization.
- The unmodified byte IS NOT a variable. So it can't be "uninitialized". It is actually a very important byte: it is the instruction opcode. Everything crashes on that byte.
- The decryption routine (XOR code) has no effect on the error. I step into the code and look at
temp
's value before it reaches thexor
. This means the decryption key is never used and therefore it can't cause the problem. - Virtual protect succeeds.
快照:
Visual Studio可以读取地址
Visual studio can read the address
无法读取程序内部的字节
Can't read byte inside program
我知道不是单个地址上的字节值引起了问题(因为我发现其他具有相同值的字节已被成功处理).也许该字节仍处于受保护"状态?
I know it's not the value of the byte at that single address that is causing problems (because I found other bytes with the same value that were processed successfully). Perhaps the byte is still "protected"?
为什么会这样?
推荐答案
您可以很好地处理 Software Breakpoints
的非常常见的情况.实际上,通过将要断点的指令替换为断点指令来设置软件断点
.
You could very well deal with a very common scenario of Software Breakpoints
.
Software breakpoints
are in fact set by replacing the instruction to be breakpointed with a breakpoint instruction.
断点指令存在于大多数CPU中,通常与最短指令一样短,因此x86(0xCC,INT 3)上只有 1个字节
.
The breakpoint instruction is present in most CPUs, and usually as short as the shortest instruction, so only one byte on x86 (0xCC, INT 3)
.
由于我不知道您的源代码中是否有任何断点,所以我只能假设这是您的问题.
As I don't know if there are any breakpoints at all in your source I can only assume that this is your problem.
这篇关于修改内存区域-返回0xCC VC ++的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!