change a pointer of address of another application

Question

I need somebody to edit the title, I can't find better title.

Assume a have this simple program called source.exe:

#include <stdio.h>

int main()
{
   int a = 5;
   printf("%p", &a);
   return 0;
}

I want to write another application, change.exe, that changes a in the above.

I tried something like this:

int main()
{
   int * p = (int*) xxx; // xxx is what have printed above
   *p = 1;
   printf("%d", *p);
   return 0;
}

It doesn't work. assuming I have Administrator rights, is there a way to do what I've tried above? thanks.

Since debuggers can do it, the answer is 'yes, it is possible', but it is not something you would normally expect to do. All else apart, the `source.exe` would be running so briefly that it would be hard to time the execution of `change.exe` correctly to get a chance to change anything in `source.exe`. Assuming you add some mechanism to delay the exit of `source.exe`, you are still running into all sorts of problems. One of the purposes of an O/S is to stop ProcessA from messing with the memory of ProcessB — so you are subverting that protection. — Jonathan Leffler, Aug 20 '13 at 04:20
To know the answer requires the operating system. On Linux you use ptrace. On Windows you can use WriteProcessMemory. — Zan Lynx, Aug 20 '13 at 04:22
An address in one application is not the same as the same address in another. Read http://en.wikipedia.org/wiki/Virtual_address_space — chris, Aug 20 '13 at 04:22
http://stackoverflow.com/questions/865106/is-there-something-like-linux-ptrace-syscall-in-windows — Jeyaram, Aug 20 '13 at 04:28
Why would you want to do something like this? Is there a real problem you are trying to solve? If so, state the problem rather than present a solution. — JackCColeman, Aug 20 '13 at 07:18

score 1 · Answer 1 · answered Aug 20 '13 at 04:23

In first place, when you run the second program, the a in the first will be long gone (or loaded in a different position). In second place, many OS's protect programs by loading them in separate spaces.

What you really seem to be looking for is Inter-Process Communication (IPC) mechanisms, specifically shared memory or memory-mapped files.

score 1 · Answer 2 · answered Aug 20 '13 at 04:33

On most traditional computers that people deal with, the operating system makes use of virtual memory. This means that two processes can both use address 0x12340000 and it can refer to two different pieces of memory.

This is helpful for a number of reasons, including memory fragmentation, and allowing multiple applications to start and stop at random times.

On some systems, like TI DSPs for example, there is no MMU, and thus no virtual memory. On these systems, something like your demo application could work.

score 1 · Answer 3 · answered Aug 20 '13 at 07:07

I was feeling a bit adventurous, so I thought about writing something like this under Windows, using the WinAPI, of course. Like Linux's ptrace, the calls used by this code should only be used by debuggers and aren't normally seen in any normal application code.

Furthermore, opening another process' memory for writing requires you to open the process handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION privileges. This, however, is only possible if the application opening the process has the SeDebugPriviledge priviledge enabled. I ran the application in elevated mode with administrator privileges, however I don't really know if that has any effect on the SeDebugPriviledge.

Anyhow, here's the code that I used for this. It was compiled with VS2008.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char cmd[2048];
    int a = 5;
    printf("%p %d\n", &a, a);

    sprintf(cmd, "MemChange.exe %lu %x", GetCurrentProcessId(), &a);
    system(cmd);

    printf("%p %d\n", &a, a);

    return 0;
}

And here's the code for MemChange.exe that this code calls.

#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    DWORD pId;
    LPVOID pAddr;
    HANDLE pHandle;
    SIZE_T bytesWritten;
    int newValue = 666;

    sscanf(argv[1], "%lu", &pId);
    sscanf(argv[2], "%x", &pAddr);

    pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
    WriteProcessMemory(pHandle, pAddr, &newValue, sizeof(newValue), &bytesWritten);
    CloseHandle(pHandle);

    fprintf(stderr, "Written %u bytes to process %u.\n", bytesWritten, pId);
    return 0;
}

But please don't use this code. It is horrible, has no error checks and probably leaks like holy hell. It was created only to illustrate what can be done with WriteProcessMemory. Hope it helps.

score 0 · Answer 4 · answered Aug 20 '13 at 04:21

0

Why do you think that this is possible - debuggers can only read?
If it was possible then all sorts of mayhem could happen!
Shared memory springs to mind.

answered Aug 20 '13 at 04:21

Ed Heal

59,252
17
87
127

1

Well, there *is* `WriteProcessMemory` on Windows. – chris Aug 20 '13 at 04:21
1

And see all the sorts of mayhem constantly going on in Windows? – aschepler Aug 20 '13 at 04:24
I think @Ed Heal meant "If it was **that** simple". – Mario Rossi Aug 20 '13 at 04:27
@aschepler, Agreed, but that's why it's so fun to program for. – chris Aug 20 '13 at 04:39
@EdHeal You can very much read and write to the memory of other processes, e.g. by mmaping /proc//mem on linux. Also, most debuggers can write to the memory of the process it is attached to. – nos Aug 20 '13 at 07:13
This perspective is NOT out of bounds. The question doesn't state the requirement that it is trying to meet. It is more of a "what the heck let's do this" – JackCColeman Aug 20 '13 at 07:16

change a pointer of address of another application

4 Answers4

Linked

Related