
How do I edit protected process memory?

I'm trying to make a memory-editing program. Currently, I'm attempting to edit the memory of lsass.exe. However, I do not see any changes, meaning my code isn't successful in editing the memory. lsass.exe is a Windows protected process, so it doesn't allow me to edit its memory. Is there a way to get around this? (I know that my code does edit memory, as it edited explorer.exe's memory.)

I've tried running as an Administrator, running on x64 and x86, no luck. I also tried getting debug permissions through code; it still doesn't work. Is there any way I can edit the memory of a protected process?

#include <iostream>
#include <string>
#include <windows.h>
#include <tlhelp32.h>

using namespace std;
bool GetDebugPrivilege();
DWORD FindProcessId(const string& process);
bool DeleteString(DWORD processID, DWORD_PTR address);
void ScanAndDelete(DWORD processID, string ScanAndDelete);

// Enables SeDebugPrivilege in the current token. This only bypasses the target's
// DACL; it does not grant access to a protected (PP/PPL) process.
bool GetDebugPrivilege()
{
    TOKEN_PRIVILEGES TokenPriv;
    LUID luid;
    HANDLE ThisToken;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &ThisToken))
    {
        // Any error other than ERROR_NO_TOKEN would leave ThisToken uninitialised.
        if (GetLastError() != ERROR_NO_TOKEN)
            return false;
        ImpersonateSelf(SecurityImpersonation);
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &ThisToken))
            return false;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        CloseHandle(ThisToken);
        return false;
    }

    TokenPriv.PrivilegeCount = 1;
    TokenPriv.Privileges[0].Luid = luid;
    TokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when the privilege was not assigned,
    // so read GetLastError() before CloseHandle can overwrite it.
    // ERROR_NOT_ALL_ASSIGNED means the caller does not hold SeDebugPrivilege (not elevated).
    AdjustTokenPrivileges(ThisToken, FALSE, &TokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    DWORD err = GetLastError();

    CloseHandle(ThisToken);

    return err == ERROR_SUCCESS;
}
int main()
{
    if (!GetDebugPrivilege())
        cout << "SeDebugPrivilege could not be enabled" << endl;

    DWORD pid = FindProcessId("lsass.exe");
    if (pid == 0)
    {
        cout << "lsass.exe not found" << endl;
        return 1;
    }

    // The address is a 64-bit pointer; passing it as a DWORD silently truncates it on x64.
    return DeleteString(pid, (DWORD_PTR)0x7fffc41fab58) ? 0 : 1;
}


bool DeleteString(DWORD processID, DWORD_PTR address)
{
    // Request only the rights needed for the write. For a protected process
    // (lsass.exe under RunAsPPL) this open fails with ERROR_ACCESS_DENIED
    // even with SeDebugPrivilege enabled, so the failure must be reported.
    HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, processID);
    if (hProcess == NULL)
    {
        cout << "OpenProcess failed, error " << GetLastError() << endl;
        return false;
    }

    string writing = "Vape Lite.exe";
    SIZE_T written = 0;
    // Pass the character buffer (c_str()), not the address of the std::string object,
    // and include the terminating NUL so the old string is cut off cleanly.
    BOOL ok = WriteProcessMemory(hProcess, (LPVOID)address, writing.c_str(), writing.size() + 1, &written);
    if (!ok)
        cout << "WriteProcessMemory failed, error " << GetLastError() << endl;

    CloseHandle(hProcess);
    return ok && written == writing.size() + 1;
}



void ScanAndDelete(DWORD processID, string ScanAndDelete)
{
    // Left unimplemented in the original post; only the handle leak is fixed here.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
    if (hProcess != NULL)
        CloseHandle(hProcess);
}

DWORD FindProcessId(const string& process)
{
    wstring processName(process.begin(), process.end());
    // Use the W variants explicitly so szExeFile is always a wide string,
    // whether or not UNICODE is defined for the build.
    PROCESSENTRY32W processInfo;
    processInfo.dwSize = sizeof(processInfo);

    HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (processesSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    if (Process32FirstW(processesSnapshot, &processInfo))
    {
        do
        {
            // Image names are case-insensitive on Windows.
            if (lstrcmpiW(processName.c_str(), processInfo.szExeFile) == 0)
            {
                pid = processInfo.th32ProcessID;
                break;
            }
        } while (Process32NextW(processesSnapshot, &processInfo));
    }

    CloseHandle(processesSnapshot);
    return pid;
}

As part of Windows security, you cannot edit the memory of processes running as SYSTEM, which lsass.exe does.

In order to edit lsass.exe you will need, at a bare minimum, to also be running as SYSTEM by grabbing a SYSTEM token. But since Windows 8.1 lsass.exe is a Protected Process Light (PPL) process, so it is no longer that easy.

You can read more about it on Alex Ionescu's Blog

In addition, your WriteProcessMemory call will not work correctly because you're calling it with an std::string as the source argument. You will want to use std::string::c_str() so it correctly reads from the actual C string that the container represents.
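An added example, not code from the question or the answer above, that makes the protection visible instead of guessing from a silent failure: it reads the RunAsPPL registry value, queries the target's PS_PROTECTION byte through NtQueryInformationProcess with the ProcessProtectionInformation class (61, which only needs PROCESS_QUERY_LIMITED_INFORMATION and therefore works on a PPL target), decodes it into type and signer, and then attempts the same PROCESS_VM_WRITE open the asker's code needs. The decoding helpers are portable C++; the Win32 part builds only on Windows. Helper names such as QueryProtection, FindPid and DescribeProtection are this example's own, and the 0x41 sample byte is a constructed input.

```cpp
// Added example, not from the original post: inspect a process's protection level
// and show why PROCESS_VM_WRITE cannot be obtained on lsass.exe under RunAsPPL.
#include <cstdint>
#include <cstdio>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

// PS_PROTECTION is one byte: Type in bits 0-2, Audit in bit 3, Signer in bits 4-7
// (PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enums in ntddk.h).
struct ProtectionInfo {
    unsigned type;    // 0 None, 1 ProtectedLight (PPL), 2 Protected (PP)
    unsigned signer;  // 0 None, 1 Authenticode, 2 CodeGen, 3 Antimalware, 4 Lsa,
                      // 5 Windows, 6 WinTcb, 7 WinSystem, 8 App
    bool audit;
};

ProtectionInfo DecodeProtection(uint8_t level) {
    ProtectionInfo p;
    p.type = level & 0x7u;
    p.audit = ((level >> 3) & 0x1u) != 0;
    p.signer = (level >> 4) & 0xFu;
    return p;
}

const char* TypeName(unsigned type) {
    static const char* names[] = { "None", "ProtectedLight", "Protected" };
    return type < 3 ? names[type] : "Unknown";
}

const char* SignerName(unsigned signer) {
    static const char* names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < 9 ? names[signer] : "Unknown";
}

std::string DescribeProtection(uint8_t level) {
    ProtectionInfo p = DecodeProtection(level);
    return std::string(TypeName(p.type)) + " (signer: " + SignerName(p.signer) + ")";
}

// An unprotected caller can only obtain PROCESS_VM_WRITE / PROCESS_VM_OPERATION on a
// target whose Type is None; PP and PPL targets grant at most the *_LIMITED_* rights.
bool WriteAccessPossible(uint8_t level) {
    return DecodeProtection(level).type == 0;
}

#ifdef _WIN32
// ProcessProtectionInformation is PROCESSINFOCLASS value 61; the call is resolved
// by name so that SDKs without that enumerator still build.
typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

bool QueryProtection(DWORD pid, uint8_t& level) {
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid); // allowed on PPL
    if (!hProcess) return false;
    NtQueryInformationProcess_t fn = (NtQueryInformationProcess_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    LONG status = fn ? fn(hProcess, 61, &level, sizeof(level), NULL) : -1;
    CloseHandle(hProcess);
    return status == 0;
}

DWORD FindPid(const wchar_t* exeName) {
    PROCESSENTRY32W pe = { sizeof(pe) };
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    DWORD pid = 0;
    if (Process32FirstW(snap, &pe)) {
        do {
            if (lstrcmpiW(pe.szExeFile, exeName) == 0) { pid = pe.th32ProcessID; break; }
        } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
    return pid;
}

int main() {
    DWORD runAsPpl = 0, size = sizeof(runAsPpl);
    if (RegGetValueW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa", L"RunAsPPL",
                     RRF_RT_REG_DWORD, NULL, &runAsPpl, &size) == ERROR_SUCCESS)
        printf("RunAsPPL = %lu\n", runAsPpl);
    else
        printf("RunAsPPL not set\n");

    DWORD pid = FindPid(L"lsass.exe");
    uint8_t level = 0;
    if (pid && QueryProtection(pid, level))
        printf("lsass.exe pid %lu: level 0x%02x = %s\n", pid, level, DescribeProtection(level).c_str());

    // The open the asker's DeleteString needs; on a PPL target this fails with error 5.
    HANDLE h = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    printf("OpenProcess(PROCESS_VM_WRITE): %s, error %lu (5 = ERROR_ACCESS_DENIED)\n",
           h ? "succeeded" : "failed", h ? 0UL : GetLastError());
    if (h) CloseHandle(h);
    return 0;
}
#else
int main() {
    // Constructed sample: 0x41 is what lsass.exe reports when started as PPL with the Lsa signer.
    printf("0x41 -> %s\n", DescribeProtection(0x41).c_str());
    return 0;
}
#endif
```

Run it elevated with SeDebugPrivilege enabled. On a machine where RunAsPPL is set, lsass.exe reports level 0x41 (ProtectedLight, signer Lsa), the System event log carries WinInit event 12 "LSASS.exe was started as a protected process with level: 4", and the PROCESS_VM_WRITE open fails with ERROR_ACCESS_DENIED regardless of the privilege; on a machine without RunAsPPL the level is 0x00 and the same open succeeds for an elevated caller.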
