Problems with memory reading inside injected dll


jondwillis
June 16th, 2009, 02:55 PM
Hi all,
(deep breath)

So, I have an injected dll that is constantly looping the following code:

    long startAddress = atol(szRecvBufferSplit);
    szRecvBufferSplit = strtok(NULL, "|");
    int numberOfBytes = atoi(szRecvBufferSplit);

    MEMORY_BASIC_INFORMATION mbi;

    if(VirtualQuery((LPCVOID)startAddress, &mbi, sizeof(mbi)))
    {
        if (&mbi && mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && mbi.Protect != PAGE_GUARD)
        {
            if(VirtualProtect((LPVOID)startAddress, numberOfBytes, PAGE_EXECUTE_READWRITE, &dwOldProtect))
            {
                //if(safeMethod)
                //memcpy(szSendBuffer, (void*)startAddress, numberOfBytes);
                for(int i = 0; i < numberOfBytes; i++)
                {
                    szSendBuffer[i] = *(unsigned char*)(startAddress + i);
                }
                VirtualProtect((LPVOID)startAddress, numberOfBytes, dwOldProtect, &dwOldProtect);
            }
        }
    }

The intent of the following code is to read memory without calling ReadProcessMemory and is part of a memory scanning application that I've written. The application scans all of the process' private memory once, and then when it begins a second iteration, it will crash.

The crash occurs when memory is read, after VirtualProtect reports a successful operation. As you can determine from the code, the memory region I am unprotecting and reading from is committed and accessible.

I'm completely baffled as to why reading memory a second time is causing a crash.

jondwillis
June 16th, 2009, 06:48 PM
Shameless bump with more/updated information:

    if(VirtualQuery((LPCVOID)startAddress, &mbi, sizeof(mbi)))
    {
        if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && mbi.Protect != PAGE_GUARD)
        {
            if(VirtualProtect((LPVOID)startAddress, numberOfBytes, PAGE_EXECUTE_READWRITE, &dwOldProtect))
            {
                if(!IsBadReadPtr((LPCVOID)startAddress, numberOfBytes))
                {
                    //if(safeMethod)
                    //memcpy(szSendBuffer, (void*)startAddress, numberOfBytes);
                    for(int i = 0; i < numberOfBytes; i++)
                    {
                        sendBuffer[i] = *(unsigned char*)(startAddress + i);
                    }
                }
                VirtualProtect((LPVOID)startAddress, numberOfBytes, dwOldProtect, &dwOldProtect);
            }
        }
    }

Causes either:

Problem Event Name: APPCRASH
Application Name: hl.exe
Application Version: 1.1.1.1
Application Timestamp: 3fd11900
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7127.0
Fault Module Timestamp: 4a03d5a1
Exception Code: c0000005
Exception Offset: 0001fd37

Or, sometimes (I cannot reproduce it at the moment), the Fault module name is StackHash_XXXX (where XXXX is a hex number)

StackHash is not a module, and googling the error provides little useful information.

I tried de-protecting each page that the memory region I want to scan resides on (startAddress to startAddress+numberOfBytes), and it still crashed. I may have screwed up the code, however.

dc_2000
June 24th, 2009, 07:05 PM
"I have an injected dll that is constantly looping the following code:"
Where exactly in the DLL do you call this code from?

Also what are you trying to inject it into - Half Life?

ProgramArtist
June 26th, 2009, 10:14 AM
Is it possible that your sendBuffer (or szSendBuffer) buffer is too small?

Possible scenario:
1. Read from injected dll (Ok)
2. Write to the szSendBuffer, but writing too much -> destroying something meaningful inside your app
3. Again trying to do 1. and 2. -> Crashing, because memory of your app does not contain what you expect

With regards
Programartist
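Both the original read loop and the buffer-size scenario ProgramArtist describes come down to the same unchecked length: numberOfBytes is bounded neither by the send buffer nor by the region VirtualQuery actually described, and PAGE_GUARD is compared with != although it is a flag bit combined with a base protection. The C below is an added example, not code from the thread; it shows the clamping check a reader would want before the copy. The Win32 constants and the region_t stand-in for MEMORY_BASIC_INFORMATION are defined locally so it compiles off Windows, and the 4096-byte sample region is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Win32 constants, defined here so the logic compiles off-Windows. */
#define MEM_COMMIT    0x1000u
#define PAGE_NOACCESS 0x01u
#define PAGE_GUARD    0x100u

/* Stand-in for the MEMORY_BASIC_INFORMATION fields the check needs. */
typedef struct {
    uintptr_t base; size_t size;     /* BaseAddress, RegionSize */
    unsigned state, protect;         /* State, Protect */
} region_t;

/* Bytes of [start, start+want) that may be copied into a cap-byte buffer,
 * given the region VirtualQuery reported for start; 0 means refuse.
 * Three limits: the region must be committed and readable (PAGE_GUARD is
 * a flag bit, so it is tested with &, not !=); the read must stop at the
 * end of the queried region, since VirtualQuery vouches only for that
 * region; and it must stop at the end of the destination buffer. */
size_t safe_read_len(const region_t *r, uintptr_t start, size_t want, size_t cap)
{
    if (r->state != MEM_COMMIT) return 0;
    if ((r->protect & 0xFFu) == PAGE_NOACCESS) return 0; /* low byte: base protection */
    if (r->protect & PAGE_GUARD) return 0;
    if (start < r->base || start - r->base >= r->size) return 0;
    size_t n = r->size - (start - r->base);   /* bytes left in the region */
    if (n > want) n = want;
    if (n > cap) n = cap;
    return n;
}

/* Clamped copy into dst; returns bytes copied (0 if the read was refused). */
size_t read_region(const region_t *r, uintptr_t start, size_t want,
                   unsigned char *dst, size_t cap)
{
    size_t n = safe_read_len(r, start, want, cap);
    if (n) memcpy(dst, (const void *)start, n);
    return n;
}

/* Constructed sample: a static 4096-byte array standing in for one
 * committed PAGE_READWRITE (0x04) region, so the checks run off-Windows. */
static unsigned char g_sample[4096];

region_t sample_region(void)
{
    region_t r = { (uintptr_t)g_sample, sizeof g_sample, MEM_COMMIT, 0x04u };
    return r;
}
```

In the real DLL the region_t fields come straight from the MEMORY_BASIC_INFORMATION that VirtualQuery fills in, and cap is sizeof the send buffer.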