I am using RtlCaptureStackBackTrace in my kernel mode driver and trying to get the call trace, but it is capturing zero frames. Code is :
PVOID *stackTrace = NULL;
PULONG traceHash = NULL;
USHORT capturedFrames = 0;
capturedFrames = RtlCaptureStackBackTrace(0, 10, stackTrace, traceHash);
when i check stacktrace, it is NULL.
you provide stackTrace as NULL but according to the documentation:
Caller-allocated array in which pointers to the return addresses
captured from the current stack trace are returned.
this means that you need to allocate an array for the BackTrace Parameter.
For Example:
#define ARRAY_SIZE 10
PVOID stackTrace[ARRAY_SIZE] = {0};
USHORT capturedFrames = 0;
capturedFrames = RtlCaptureStackBackTrace(0, ARRAY_SIZE, stackTrace, NULL);
Note: don't use it in production code, it is better if you use dynamic allocation using ExAllocatePoolWithTag())
Also look at this Microsoft Sample
Related
I want to find the number of running processes using EnumProcesses function from psapi library. The function requieres an array that will receive the list of process identifiers. It also writes the total number of bytes of found data into a given variable. I didn't want the process list, just their number. I did the following.
DWORD listSize;
DWORD a;
EnumProcesses( &a, 1000*sizeof(DWORD), &listSize ) ;
listSize/=sizeof(DWORD);
printf("%d",listSize);
This writes the real number of processes into listSize however the program stops working after that. I was wondering if there is a way to immediately send the retrieved data into oblivion and just get the number of it.
Not possible. However providing a big enough array isn't really much of an issue on modern systems.
I recommend writing a helper function that wraps this all away for you with a dynamically sized container, so you can handle cases where more processes exist than your original array can hold:
DWORD GetNumberOfProcesses()
{
std::vector<DWORD> processes;
DWORD size = 0;
DWORD bytesReturned = 0;
while (bytesReturned == size)
{
size += 1024 * sizeof(DWORD);
processes.resize(size / sizeof(DWORD));
if (!EnumProcesses(processes.data(), size, &bytesReturned))
{
return -1;
}
}
return bytesReturned / sizeof(DWORD);
}
I'm currently trying to do some hardware generation for a friend of mine and I noticed that GetAdaptersInfo kinda behaves weirdly. According to MSDN pOutBufLen should be pointing to a variable holding the value of sizeof(IP_ADAPTER_INFO) (640). But when I use that value it returns 111 (ERROR_BUFFER_OVERFLOW) and sets outBufLen to 2560. When calling the function with outBufLen set to 2560 it just crashes.
Minimal reproduction code:
#include <windows.h>
#include <Iphlpapi.h>
int main()
{
IP_ADAPTER_INFO adapter_inf;
unsigned long int outBufLen = sizeof(IP_ADAPTER_INFO);
GetAdaptersInfo(nullptr, &outBufLen); // returning 111 (ERROR_BUFFER_OVERFLOW) and setting outBufLen to 2560
GetAdaptersInfo(&adapter_inf, &outBufLen); // crash during this call
return 0;
}
Don't know if it matters but 64-bit Windows 8 here.
GetAdaptersInfo(nullptr, &outBufLen);
After this returns a value in outBufLen you are expected to pass a buffer of that length in the subsequent call. You do not do that, hence the runtime error.
You need to allocate the pAdapterInfo dynamically using the length returned in outBufLen.
ULONG outBufLen = 0;
if (GetAdaptersInfo(nullptr, &outBufLen) != ERROR_BUFFER_OVERFLOW)
// handle error
PIP_ADAPTER_INFO pAdapterInfo = (PIP_ADAPTER_INFO) malloc(outBufLen);
if (GetAdaptersInfo(pAdapterInfo, &outBufLen) != ERROR_SUCCESS)
// handle error
I've used malloc here, and a C style cast, but you might prefer to use new and a C++ style cast. I didn't do that through my own lack of familiarity.
Obviously you need to free the memory when you are finished with it.
I have a crash using protobuf, i need to use it with reflection.
enum ipVersionType{
ipv4 = 0;
ipv6 = 1;
}
message IpAddress {
required ipVersionType ipVersion = 1;
required uint32 IpPart1 = 2;
required uint32 IpPart2 = 3;
required uint32 IpPart3 = 4;
required uint32 IpPart4 = 5;
}
message TcpUdpCdr {
...
optional IpAddress DestinationIp = 8;
optional IpAddress UEIP = 11;
optional uint32 PacketUpLink = 12;
....
}
message cdr {
optional TcpUdpCdr tcpCdr = 1;
}
When i use TcpUdpCdr without cdr, i got no crash.
If I use TcpUdpCdr within cdr, i got a crash.
here is the code that i am using to set Ipaddress
//Fill proto ip address sruct
ProtoCdr::IpAddress * ipAddressMsg = new ProtoCdr::IpAddress();
ipAddressMsg->set_ipversion(ProtoCdr::ipVersionType::ipv4);
ipAddressMsg->set_ippart1(pi_ipAddress.GetAddresPointer()[0]);
ipAddressMsg->set_ippart2(pi_ipAddress.GetAddresPointer()[1]);
ipAddressMsg->set_ippart3(pi_ipAddress.GetAddresPointer()[2]);
ipAddressMsg->set_ippart4(pi_ipAddress.GetAddresPointer()[3]);
google::protobuf::Message& find_msg = cdrMsg.GetReflection()->GetMessage... with local recursive function
find_msg is of type TcpUdpCdr
find_msg.GetReflection()->SetAllocatedMessage(
&find_msg,
ipAddressMsg,
this->m_fdArray[m_iNestingSize-1]);
Up to here ther is no crash...
If i try to get the pointer with GetReflection GetMessage, i receive the same pointer address that have been Set with SetAllocatedMessage but when i try to use it it crash. It crash for the second IpAddress UEIP but not for the first one....
The problem is that you're using SetAllocatedMessage to assign ownership of ipAddressMsg to find_msg, but ipAddressMsg is already owned by cdrMsg. Because ipAddressMsg is now owned by two different protos, you will quickly run into problems because both owners will eventually try to delete it. I think your code is trying to use that submessage after it has already been deleted.
Note that in general with protobuf, methods that contain the word release or allocated are a bit of an advanced feature--they can improve performance but they increase complexity and require you to do more manual memory management. With those methods it's easy to accidentally run into memory leaks, double deletes, and use-after-delete. Unless you really need the performance, it's best to avoid them. In your case, you could just assign to the result MutableMessage() instead of calling SetAllocatedMessage().
Hello sorry for my bad English.
I want to calculate an address with offset.
The example I have got a base address: 0x00D2038 with offset 0x1c
I have tried this.
DWORD address = 0x004D2038;
DWORD offset = 0x1c;
DWORD base = (DWORD)(address + offset);
int old_value = 0;
int value = 3000;
//Obtain new address form the address whit offset.
DWORD addr2 = ReadProcessMemory(phandle,(void*)base,&old_value,sizeof(old_value),0);
//Write Memory
WriteProcessMemory(phandle,(void*)addr2,&value,(DWORD)sizeof(value),NULL);
But it does not work.
Memory is not changed. what is my error?
According to msdn, ReadProcessMemory returns a BOOL and you use that as addr2 to WriteProcessMemory. How can the memory be changed?
Suggest search from msdn on ReadProcessMemory and WriteProcessMemory and their example and learn how to use these 2 functions.
Think you have a simple typo -- Try;
//Write Memory
WriteProcessMemory(phandle,(void*)base,&value,(DWORD)sizeof(value),NULL);
I wonder why this code doesn't work:
#include <iostream>
using namespace std;
int main()
{
int *pointer = (int*)0x02F70BCC;
cout<<*pointer;
return 0;
}
In my opinion it should write on the screen value of 0x02F70BCC,
instead of this my programm crashes.
I know that memory with adress 0x02F70BCC stores value of 20.
But like I said no matter what it just doesn't want to show correct number.
Please help me guys, detailed explanation would be very nice of you.
It doesn't work, because you won't get access to every location in memory you want. Not every location in memory is valid, you may want to read about Virtual Address Space.
Some addresses are reserved for device drivers and kernel mode operations. Another range of addresses (for example 0xCCCCCCCC and higher) may be reserved for uninitialized pointers.
Even if some location is valid, operating system may still deny access to write to/read from certain location, if that would cause undefined behaviour or violate system safety.
EDIT
I think you might be interested in creating some kind of "GameHack", that allows you to modify amount of resources, number of units, experience level, attributes or anything.
Memory access is not a simple topic. Different OSes use different strategies to prevent security violations. But many thing can be done here, after all there is a lot software for doing such things.
First of all, do you really need to write your own tool? If you just want some cheating, use ArtMoney - it is a great memory editor, that I have been using for years.
But if you really have to write it manually, you need to do some research first.
On Windows, for example, I would start from these:
ReadProcessMemory
WriteProcessMemory
Also, I am quite certain, that one of possible techniques is to pretend, that you are a debugger:
DebugActiveProcess.
EDIT 2
I have done some research and it looks, that on Windows (I assume this is your platform, since you mentioned gaming; can't imagine playing anything on crappy Linux), steps required to write another process' memory are:
1. Enumerate processes: (EnumProcesses)
const size_t MAX_PROC_NUM = 512;
DWORD procIDs[MAX_PROC_NUM] = { 0 };
DWORD idsNum = 0;
if(!EnumProcesses(procIDs, sizeof(DWORD) * MAX_PROC_NUM, &idsNum))
//handle error here
idsNum /= sizeof(DWORD); //After EnumProcesses(), idsNum contains number of BYTES!
2. Open required process. (OpenProcess,GetModuleFileNameEx)
const char* game_exe_path = "E:\\Games\\Spellforce\\Spellforce.exe"; //Example
HANDLE game_proc_handle = nullptr;
DWORD proc_access = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE; //read & write memory, query info needed to get .exe name
const DWORD MAX_EXE_PATH_LEN = 1024;
for(DWORD n = 0 ; n < idsNum ; ++idsNum)
{
DWORD current_id = procIDs[n];
HANDLE current_handle = OpenProcess(proc_access, false, current_id);
if(!current_handle)
{
//handle error here
continue;
}
char current_path[MAX_EXE_PATH_LEN];
DWORD length = GetModuleFileNameEx(current_handle, nullptr, current_path, MAX_EXE_PATH_LEN);
if(length > 0)
{
if(strcmp(current_path, game_exe_path) == 0) //that's our game!
{
game_proc_handle = current_handle;
break;
}
}
CloseHandle(current_handle); //don't forget this!
}
if(!game_proc_handle)
//sorry, game not found
3. Write memory (WriteProcessMemory)
void* pointer = reinterpret_cast<void*>(0x02F70BCC);
int new_value = 5000; //value to be written
BOOL success = WriteProcessMemory(game_proc_handle, pointer, &new_value, sizeof(int), nullptr);
if(success)
//data successfully written!
else
//well, that's... em...
This code is written just 'as is', but I see no errors, so you can use it as your starting point. I also provided links for all functions I used, so with some additional research (if necessary), you can achieve what you are trying to.
Cheers.
When you use,
cout<<*pointer;
the program tries to dereference the value of the pointer and writes the value at the address.
If you want to print just the pointer, use:
cout << pointer;
Example:
int main()
{
int i = 20;
int* p = &i;
std::cout << *p << std::endl; // print the value stored at the address
// pointed to by p. In this case, it will
// print the value of i, which is 20
std::cout << p << std::endl; // print the address that p points to
// It will print the address of i.
}