Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Dumping protected memory? (https://forum.exetools.com/showthread.php?t=5082)

tr1stan 08-23-2004 01:06

Dumping protected memory?
 
Hi folks,

I have written a small loader which loads a process and changes the access
flags via VirtualProtectEx(), but if I try to read memory of the loaded process
I get an error (can't remember which one). I know that some protections
set the NO_ACCESS or PAGE_GUARD flags on creation of memory, so is there
a way to circumvent this? Maybe with a kernel driver? Or is there another
way under ring3?

Thanks for the help
tr1stan

dyn!o 08-23-2004 02:31

Better describe the error, since PAGE_NOACCESS is the only method in Ring3 I know. Probably you are modifying the page in a wrong way... what about the error? Did you encounter an exception?

Regards.

tr1stan 08-23-2004 05:26

OK, I have to check that later...
BTW, I found this on Woodmann:
hxxp://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx

which describes some new memory protection for WinXP SP2, which could be
the reason that the new Armadillo and ASProtect report problems on SP2 systems...

t.

tAz 08-24-2004 07:05

Before reading any memory locations... try these steps first:
1. open your process' token
2. check your privilege value
3. enable the SeDebugPrivilege by adjusting your process' token

I don't remember the exact API names for these (too lazy to search),
but that should be enough to find the APIs I'm referring to.

drocon 08-24-2004 07:07

DEP, as far as I've seen/heard, just prohibits code from being executed in the stack/heap, and requires VirtualAlloc() with the right flags, or VirtualProtect() to alter the page. Am I missing something here? Is it not possible to alter the page for the stack/heap?

LordVader 08-24-2004 13:30

Use LordPE...

Use LordPE or WinHex to scan the memory (before your proggy) to see what is set originally... Maybe you're setting the memory range incorrectly.

/LordVader/

tr1stan 08-24-2004 14:37

Thanks for the help... I think I have found my problem: the program
starts itself again via CreateProcessA, so I always use the wrong PID
for reading memory. Have to fix that ASAP.

tAz: nice info, thanks... will give it a try :)
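Added example for this thread (not code posted by anyone above): a minimal ring3 dumper that puts tAz's three token steps and dyn!o's PAGE_NOACCESS point together, and reads from whatever PID you hand it, which matters given tr1stan's finding that the target re-spawns itself via CreateProcessA (the PID you want is the child's, not the one you launched). It walks the requested range with VirtualQueryEx, temporarily lifts PAGE_NOACCESS / PAGE_GUARD on committed regions with VirtualProtectEx, reads with ReadProcessMemory, and restores the original protection. The command-line format (`pid hex-base hex-len`) and the output file name `dump.bin` are my own choices; the two decision helpers at the top are pure and compile on any host, the Win32 part only under _WIN32.

```c
/* Added example: enable SeDebugPrivilege, then dump a range of another
 * process, lifting PAGE_NOACCESS / PAGE_GUARD only while reading.
 * Win32 API; helpers without Windows dependencies are kept outside the
 * #ifdef so the page-protection logic can be exercised anywhere. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Same numeric values as winnt.h, so the helpers build on other hosts. */
typedef unsigned long DWORD;
#define PAGE_NOACCESS      0x01
#define PAGE_READONLY      0x02
#define PAGE_READWRITE     0x04
#define PAGE_EXECUTE_READ  0x20
#define PAGE_GUARD         0x100
#define MEM_COMMIT         0x1000
#define MEM_RESERVE        0x2000
#endif

/* Low byte of a protection value holds exactly one PAGE_* access type;
 * PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE are modifier bits above it. */
#define PAGE_ACCESS_MASK 0xFF

/* 1 if a committed region cannot be read as-is: PAGE_NOACCESS, or any
 * access type with PAGE_GUARD set (first touch raises a guard violation
 * in the owner and clears the bit).  Reserved/free regions have no data. */
int region_blocks_read(DWORD state, DWORD protect)
{
    if (state != MEM_COMMIT) return 0;
    if (protect & PAGE_GUARD) return 1;
    return (protect & PAGE_ACCESS_MASK) == PAGE_NOACCESS;
}

/* Protection to set for the duration of the read: drop PAGE_GUARD, lift
 * NOACCESS to READONLY, keep everything else (readable pages unchanged). */
DWORD readable_protect(DWORD protect)
{
    DWORD p = protect & ~(DWORD)PAGE_GUARD;
    if ((p & PAGE_ACCESS_MASK) == PAGE_NOACCESS)
        p = (p & ~(DWORD)PAGE_ACCESS_MASK) | PAGE_READONLY;
    return p;
}

#ifdef _WIN32
/* tAz's steps 1-3: open own token, look up the LUID, adjust the token.
 * AdjustTokenPrivileges returns TRUE even when it could not enable the
 * privilege (ERROR_NOT_ALL_ASSIGNED), so GetLastError must be checked. */
static int enable_debug_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return 0;
    }
    AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
    int ok = (GetLastError() == ERROR_SUCCESS);
    CloseHandle(tok);
    return ok;
}

/* Dump [base, base+len) of process pid to out; returns bytes written. */
static size_t dump_range(DWORD pid, unsigned char *base, size_t len, FILE *out)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                           PROCESS_VM_OPERATION, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess: %lu\n", GetLastError()); return 0; }
    size_t total = 0;
    unsigned char *p = base, *end = base + len;
    while (p < end) {
        MEMORY_BASIC_INFORMATION mbi;
        if (!VirtualQueryEx(h, p, &mbi, sizeof mbi)) break;
        unsigned char *rend = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
        size_t chunk = (size_t)((rend < end ? rend : end) - p);
        if (mbi.State == MEM_COMMIT) {
            DWORD old = 0;
            /* only touch protections that actually block the read */
            int changed = region_blocks_read(mbi.State, mbi.Protect) &&
                VirtualProtectEx(h, mbi.BaseAddress, mbi.RegionSize,
                                 readable_protect(mbi.Protect), &old);
            unsigned char *buf = malloc(chunk);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, p, buf, chunk, &got)) {
                fwrite(buf, 1, got, out);
                total += got;
            } else {
                fprintf(stderr, "read %p failed: %lu\n", (void *)p, GetLastError());
            }
            free(buf);
            if (changed)   /* re-arm PAGE_GUARD / NOACCESS exactly as found */
                VirtualProtectEx(h, mbi.BaseAddress, mbi.RegionSize, old, &old);
        }
        p += chunk;
    }
    CloseHandle(h);
    return total;
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s pid hex-base hex-len\n", argv[0]); return 1; }
    if (!enable_debug_privilege()) fprintf(stderr, "warning: SeDebugPrivilege not enabled\n");
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    unsigned char *base = (unsigned char *)(uintptr_t)strtoull(argv[2], NULL, 16);
    size_t len = (size_t)strtoull(argv[3], NULL, 16);
    FILE *out = fopen("dump.bin", "wb");
    if (!out) return 1;
    size_t n = dump_range(pid, base, len, out);
    fclose(out);
    printf("wrote %zu bytes to dump.bin\n", n);
    return n ? 0 : 1;
}
#endif
```

Two caveats a practitioner will hit: SeDebugPrivilege is only present in the token of an administrator (it lets OpenProcess succeed on processes you do not own; it does nothing about page protections, which is what VirtualProtectEx is for), and changing a protector's PAGE_NOACCESS / PAGE_GUARD pages from outside is visible to it if it re-queries its own protections, so restore them as soon as the read is done.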

