Noz3001's Blog

WriteProcessMemory Examples

noz3001 — Wed, 07 Oct 2009 13:16:02 +0000

Why?
It’s time to put all the beginner tutorials back onto my blog. I’ll start with a WriteProcessMemory tutorial (the basics of memory editing). WriteProcessMemory is useful when you don’t want to be loaded into the memory space of the target program.

First of all you are going to need to know the address of the memory you want to edit. Use Cheat Engine or some similar program (I recommend Cheat Engine, obviously) to find it.

In this example, I am going to write to a game called Star Sonata and enable a speed hack. You don’t have to get this game, you can use any game but make sure you change the addresses to the ones you find.

The Code
The code formatting on here doesn’t work very well so all of my code examples are going to be stored at codepad.org.

There’s not much to explain for this code so I’ve commented most lines in the source. Should make it easy to understand.
Source: View

T3xt 2 l33t

noz3001 — Sat, 05 Sep 2009 23:28:28 +0000

Lovely program to convert text strings into zomg 1337.

LeetConverter.h
#include


BOOL InitInstance(

    HINSTANCE, INT

);
LRESULT CALLBACK WndProc(

    HWND, UINT, WPARAM, LPARAM

);
ATOM MyRegisterClass(

    HINSTANCE

);
BOOL APIENTRY WinMain(

    HINSTANCE hInstance,

    HINSTANCE hPrevInstance,

    LPSTR lpCmdLine,

    INT nCmdShow

);
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")

#pragma comment (lib, "comctl32.lib")
HWND hWnd;

HWND hControls[3];

HINSTANCE hInst;
LPCWSTR szWindowClass = TEXT("Leet_MainClass");

LPCWSTR szWindowTitle = TEXT("1337 Converter");
// Control IDs

#define IDC_LEET            1001

#define IDC_CONV            1002

#define IDC_ABOUT            1003

#define IDC_CLEAR            1004
//////////////////////////////////////////

// Convert 1337 Function (Changed a bit //

//////////////////////////////////////////

const std::string a = "abcdefghijklmnopqrstuvwxyz";

const std::string b[] = { "4", "ß", "(", "|)", "3", "Ph", "9", "|-|", "1",

                          "j", "|<", "`/", "2" };
void replace1337(std::string& c)

{

    std::string t;

    for(int i = 0; i < c.length(); i++) {

        for(int j = 0; j < a.length(); j++) {

            if(tolower(c.at(i)) == a.at(j))    {

                t.append(b[j]);

                break;

            }

        }
        switch (c.at(i)) { // Keep escapes

                case ' ':

                    t.append(1, ' ');

                    break;
                case '\n':

                    t.append("\n");

                    break;
                case '\r':

                    t.append("\r");

                    break;

//case '\t': //t.append("\t"); //break; } } c=t; }

LeetConverter.cpp
#include #include #include


#include "LeetConverter.h"
BOOL APIENTRY WinMain(

    HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nCmdShow)

{

    UNREFERENCED_PARAMETER(hPrevInstance);

    UNREFERENCED_PARAMETER(lpCmdLine);
    MSG msg;

    INITCOMMONCONTROLSEX InitCtrls;
    InitCtrls.dwICC = ICC_STANDARD_CLASSES;

    InitCtrls.dwSize = sizeof(INITCOMMONCONTROLSEX);

    InitCommonControlsEx(&InitCtrls);
    hInst = hInstance; // Store global copy

    if (!MyRegisterClass(hInst)) {

        return GetLastError();

    }
    if (!InitInstance(hInst, nCmdShow)) {

        return GetLastError();

    }
    while (GetMessage(&msg, NULL, 0, 0)) {

            TranslateMessage(&msg);

            DispatchMessage(&msg);

    }
    return (BOOL)msg.wParam;

}
BOOL InitInstance(

    HINSTANCE hInstance, INT nCmdShow)

{

    DWORD dwMainStyle = WS_CAPTION|WS_BORDER|WS_VISIBLE|WS_MINIMIZEBOX|WS_SYSMENU;
    hWnd = CreateWindow(szWindowClass, szWindowTitle, dwMainStyle, CW_USEDEFAULT,

                        CW_USEDEFAULT, 323, 150, NULL, NULL, hInstance, NULL);
    if (!hWnd) {

        return FALSE;

    }
    ShowWindow(hWnd, nCmdShow);

    UpdateWindow(hWnd);
    return TRUE;

}
ATOM MyRegisterClass(

    HINSTANCE hInstance)

{

    WNDCLASSEX wcex;
    wcex.cbSize = sizeof(WNDCLASSEX);
    wcex.style            = CS_HREDRAW | CS_VREDRAW;

    wcex.lpfnWndProc    = WndProc;

    wcex.cbClsExtra        = 0;

    wcex.cbWndExtra        = 0;

    wcex.hInstance        = hInstance;

    wcex.hIcon            = LoadIcon(hInstance, IDI_SHIELD);

    wcex.hCursor        = LoadCursor(NULL, IDC_ARROW);

    wcex.hbrBackground    = (HBRUSH)(COLOR_WINDOW);

    wcex.lpszClassName    = szWindowClass;

    wcex.hIconSm        = LoadIcon(wcex.hInstance, IDI_SHIELD);

    wcex.lpszMenuName    = NULL;
    if(!RegisterClassEx(&wcex))

        return FALSE;

    return TRUE;

}
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)

{

    static INT wmId, wmEvent;

    static PAINTSTRUCT ps;

    static HDC hdc;

    static HFONT hDefFont = (HFONT)GetStockObject(DEFAULT_GUI_FONT);

    static char szBuf[1024];

    static std::string s;
    #define dwDefault WS_VISIBLE|WS_CHILD
    switch (message)

    {

        case WM_CREATE:

            hControls[0] = CreateWindow(TEXT("EDIT"), NULL, dwDefault|ES_MULTILINE|WS_BORDER|ES_AUTOVSCROLL|WS_VSCROLL, 10, 10, 305, 80, hWnd, (HMENU)IDC_LEET, hInst, NULL);

            hControls[1] = CreateWindow(TEXT("BUTTON"), TEXT("Convert"), dwDefault, 10, 93, 81, 23, hWnd, (HMENU)IDC_CONV, hInst, NULL);

            hControls[2] = CreateWindow(TEXT("BUTTON"), TEXT("About"), dwDefault, 227, 93, 71, 23, hWnd, (HMENU)IDC_ABOUT, hInst, NULL);

            hControls[3] = CreateWindow(TEXT("BUTTON"), TEXT("Clear"), dwDefault, 90, 93, 81, 23, hWnd, (HMENU)IDC_CLEAR, hInst, NULL);
            SendMessage(hControls[0], WM_SETFONT, (WPARAM)hDefFont, MAKELPARAM(TRUE, 0));

            SendMessage(hControls[1], WM_SETFONT, (WPARAM)hDefFont, MAKELPARAM(TRUE, 0));

            SendMessage(hControls[2], WM_SETFONT, (WPARAM)hDefFont, MAKELPARAM(TRUE, 0));

            SendMessage(hControls[3], WM_SETFONT, (WPARAM)hDefFont, MAKELPARAM(TRUE, 0));

        break;
        case WM_COMMAND:

            wmId    = LOWORD(wParam);

            wmEvent = HIWORD(wParam);

            // Parse the selections:

            switch (wmId)

            {

                case IDC_CONV:

                    GetWindowTextA(hControls[0], szBuf, 1024);

                    s.assign(szBuf, strlen(szBuf));

                    replace1337(s);

                    SetWindowTextA(hControls[0], s.c_str());

                    SetFocus(hControls[0]);

                break;
                case IDC_ABOUT:

                    MessageBox(NULL, TEXT("Much love from Noz3001 <3"), TEXT("<3"), MB_ICONINFORMATION);

                    SetFocus(hControls[0]);

                break;
                case IDC_CLEAR:

                    SetWindowText(hControls[0], NULL);

                    SetFocus(hControls[0]);

                    break;
                default: return DefWindowProc(hWnd, message, wParam, lParam);

            }

            break;
        case WM_PAINT:

            hdc = BeginPaint(hWnd, &ps);
            EndPaint(hWnd, &ps);

            break;
        case WM_DESTROY:

            PostQuitMessage(0);

            break;
        case WM_SETFOCUS:

            SetFocus(hControls[0]);

            break;

default: return DefWindowProc(hWnd, message, wParam, lParam); } return 0; }

Beginner Driver Programming

noz3001 — Wed, 16 May 2007 22:38:06 +0000

Haha, finally time to write another blog. I’ve been having too much fun messing around in kernel mode and getting random BSOD’s because I messed something up.

Anyway, this blog will teach you the very basics of writing kernel mode drivers for windows 2000 / XP.

Note: Kernel-Mode Drivers will NOT work on Windows Vista because of it’s security!

//=====================
// Writing a driver for windows
//=====================

Tools Needed:

Windows Driver Development Kit: Download
Driver Tools: Download
A Text Editor (For writing the source code)
Medium level C knowledge

Win DDK

Before you start creating drivers you will need to understand the DDK – What it is and how to use it.
By now I hope you have already installed the DDK and have it ready for use.

The Driver Development Kit coontains all the header files needed to compile your kernel driver and it also compiles your source. For example: In a normal Windows Usermode application you would be a custom to including windows.h as a header file. In kernel mode this is replaced by ntddk.h. The kernel mode “version” of windows.h.
ntddk.h is where most kernel mode API are declared.

Later, after you learn the skeleton of a driver source, I will explain how to compile a driver with the DDK.

The Source

Now I am going to show you how a basic driver should look. Think of this as the drivr version of the “hello world” program. Infact, I think we should make our driver print hello world!

Now, as I stated in the DDK explanation, the header file ntddk.h MUST be included at the top of your source:

#include "ntddk.h"

If you have already programmed for the console in C / C++, i’ll assume that you know about the int main() function. Well the driver equivalent to that is DriverEntry:

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

Treat this exaclty as you would int main(). But as you can see, DriverEntry is type NTSTATUS which means it will return NTSTATUS. So in the body of DriverEntry we will put:

return STATUS_SUCCESS;

And this will tell the Operating system that the function succeeded.

Here is an example of what your driver source should look like at the moment:

#include "ntddk.h"


NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )

{

return STATUS_SUCCESS; }

It might seem too simple to be a kernel mode driver but this will compile and can be loaded successfully.

DbgPrint(“Noz3001″);

If you have written C / C++ programs in the past, you might have found yourself in a situation where you need to print information to the screen for debugging or other purposes. If you use C, you will probably be familiar with using the printf() function to print information.
There is an equivalent function in kernel mode. It takes the same paramaters and is just as easy to call! The only problem is that viewing the output is not as simple as using printf. This function is DbgPrint();.

We are going to make our driver print “hello world” when it’s run by using DbgPrint. An example of doing so is shown below:

DbgPrint("Hello World!");

If you place this code in the DriverEntry function, the driver will print our string when it is run. The only problem is that we have nothing to view the string with! Don’t worry, thats why I made you download the “driver tools” at the beginning og this article. Extract them to your computer using WinRAR and open the file called “Dbgview”.

It should look like this:

This program catches all the strings “DbgPrinted” and display them to you! This is how you are going to view your hello world string later on.

Now add your DbgPrint() code to your source. My source looks like this:

#include "ntddk.h"


NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )

{
    DbgPrint("Hello World!");

DriverObject->DriverUnload; // Unload the driver. return STATUS_SUCCESS; }

Note the line DriverObject->DriverUnload; // Unload the driver. You always need to unload your driver so the user doesn’t have to restart to unload it!

Compiling your first Driver

This is the fun part!! Getting to use the DDK!!
Firsly, I hope you have created your source file on the same drive as you installed the DDK! If not, copy it over.

Note: Make sure the folder / source name have NO spaces in them!

There are two more small files you need to create before the DDK will compile your source. SOURCES and MAKEFILE.
Both have NO file extension and MAKEFILE is always the same.

MAKEFILE
!INCLUDE $(NTMAKEENV)\makefile.def

SOURCES
TARGETNAME=Noz3001_Driver

TARGETPATH=Release

TARGETTYPE=DRIVER

SOURCES=DriverMain.c

In SOURCES, TARGETNAME is the filename of the compiled driver. TARGETPATH is the folder where the driver will be put. TARGETTYPE is pretty self-explanatory and SOURCES is your source file.

Ok now we can open the DDK compiler. Click Start->Development Kits and look for “Windows XP Free Build Environment”
once here type “cd..” and press enter until the current directory cant get any lower. Eg “C:/>”.

Now type CD again and after it put the full path to the folder where your 3 files are. Now type “build” (without the ” ’s) and press enter. You should see something like this:

Note: If you get any errors, review your source and try to find what you did wrong.

If your DDK screen looks like mine, CONGRATULATIONS! You just created your first Kernel-Mode driver!
But wait, thats not all! You still have to make sure it works.

Make sure you still have DbgView open so ou can see the result of your DbgPrint. Now it’s time o use the other program i included in my “driver tools” file, “INSTDRV”. This program can load your driver for you! It saves you a lot of time when you are still testing your driver so keep it handy!

Once opened it will look like this:

Now enter the full path to your driver in the pathname text box and click install. Once the status says “Operation successful”, click the start button to start your driver.

Now go back to DbgView. If your driver has worked you will see something like this:

WELL DONE!! You just created a working kernel mode driver AND used a kernel mode function!

I think you should give yourself a pat on the back!