
change a pointer of address of another application

I need somebody to edit the title, I can't find a better title.


Assume I have this simple program called source.exe:

#include <stdio.h>

int main()
{
   int a = 5;
   printf("%p", &a);
   return 0;
}

I want to write another application, change.exe, that changes a in the above.

I tried something like this:

#include <stdio.h>

int main()
{
   int * p = (int*) xxx; // xxx is the address that source.exe printed above
   *p = 1;
   printf("%d", *p);
   return 0;
}

It doesn't work. Assuming I have Administrator rights, is there a way to do what I've tried above? Thanks.

In the first place, when you run the second program, the a in the first will be long gone (or loaded in a different position). In the second place, many OSes protect programs by loading them in separate spaces.

What you really seem to be looking for is Inter-Process Communication (IPC) mechanisms, specifically shared memory or memory-mapped files.

On most traditional computers that people deal with, the operating system makes use of virtual memory. This means that two processes can both use address 0x12340000 and it can refer to two different pieces of memory.

This is helpful for a number of reasons, including memory fragmentation, and allowing multiple applications to start and stop at random times.

On some systems, like TI DSPs for example, there is no MMU, and thus no virtual memory. On these systems, something like your demo application could work.
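An added example (not from any of the answers above) that shows both points on a POSIX system instead of Windows: after fork() the child sees exactly the same address for a as the parent, yet its write lands in a private copy-on-write page, while a MAP_SHARED anonymous mapping is the kind of shared-memory channel the first answer recommends. The struct and function names are my own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent observes after the child has finished writing. */
struct demo_result {
    int private_after;  /* parent's own 'a' after the child wrote 1 to its copy */
    int shared_after;   /* the MAP_SHARED word after the child wrote 666 to it */
    int same_address;   /* 1 if the child reported the same &a as the parent */
};

/* Fork a child that writes to its copy of 'a' and to a shared mapping,
 * then record what the parent can see.  Returns 0 on success, -1 on error. */
int run_demo(struct demo_result *out)
{
    int a = 5;                      /* lives in a private (copy-on-write) page */
    int *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    int pipefd[2];
    void *child_addr = NULL;
    pid_t pid;

    if (shared == MAP_FAILED || pipe(pipefd) != 0) return -1;
    *shared = 5;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: same virtual addresses, separate memory */
        void *addr = (void *)&a;
        a = 1;                      /* never reaches the parent */
        *shared = 666;              /* does reach the parent */
        if (write(pipefd[1], &addr, sizeof addr) != (ssize_t)sizeof addr) _exit(1);
        _exit(0);
    }
    if (read(pipefd[0], &child_addr, sizeof child_addr) != (ssize_t)sizeof child_addr) return -1;
    waitpid(pid, NULL, 0);
    out->private_after = a;
    out->shared_after = *shared;
    out->same_address = (child_addr == (void *)&a);
    munmap(shared, sizeof *shared);
    close(pipefd[0]);
    close(pipefd[1]);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) return 1;
    printf("same &a in child: %d, private a: %d, shared word: %d\n",
           r.same_address, r.private_after, r.shared_after);
    return 0;
}
```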

I was feeling a bit adventurous, so I thought about writing something like this under Windows, using the WinAPI, of course. Like Linux's ptrace, the calls used by this code should only be used by debuggers and aren't normally seen in any normal application code.

Furthermore, opening another process' memory for writing requires you to open the process handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION privileges. This, however, is only possible if the application opening the process has the SeDebugPrivilege privilege enabled. I ran the application in elevated mode with administrator privileges, however I don't really know if that has any effect on the SeDebugPrivilege.

Anyhow, here's the code that I used for this. It was compiled with VS2008.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char cmd[2048];
    int a = 5;
    printf("%p %d\n", (void *)&a, a);

    /* Hand our own PID and the address of a to MemChange.exe. %p keeps the
       full pointer width; the original %x truncates it on 64-bit builds. */
    sprintf(cmd, "MemChange.exe %lu %p", GetCurrentProcessId(), (void *)&a);
    system(cmd);

    printf("%p %d\n", (void *)&a, a);

    return 0;
}

And here's the code for MemChange.exe that this code calls.

#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    DWORD pId;
    LPVOID pAddr;
    HANDLE pHandle;
    SIZE_T bytesWritten = 0;
    int newValue = 666;

    if (argc < 3) {
        fprintf(stderr, "usage: MemChange.exe <pid> <address>\n");
        return 1;
    }
    sscanf(argv[1], "%lu", &pId);
    sscanf(argv[2], "%p", &pAddr);   /* matches the %p the caller printed */

    /* PROCESS_VM_WRITE | PROCESS_VM_OPERATION would be enough for the write below. */
    pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
    if (pHandle == NULL) {
        fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    WriteProcessMemory(pHandle, pAddr, &newValue, sizeof(newValue), &bytesWritten);
    CloseHandle(pHandle);

    fprintf(stderr, "Written %lu bytes to process %lu.\n", (unsigned long)bytesWritten, pId);
    return 0;
}

But please don't use this code. It is horrible, has no error checks and probably leaks like holy hell. It was created only to illustrate what can be done with WriteProcessMemory. Hope it helps.

  1. Why do you think that this is possible - debuggers can only read?
  2. If it was possible then all sorts of mayhem could happen!
  3. Shared memory springs to mind.
