Delphi - Access violation when try to overwrite an

2019-09-05 05:05发布

问题:

Good morning. I'm trying to learn about DLL injection, so I've wrote a little software, that just gets a String, compares with StrCmp() and if the input was equal "Winner", the software gives a Good boy message, with the porpouse of learn DLL injection. So I write a DLL that loads a Form when inject, the porpouse is using the DLL injection, to modify the Instruction of comparison( JNZ(74) to JMP(EB)), and make the software, accept any string. My DLL code is:

library Project2;
uses
  SysUtils,
  Windows,
  Classes,
  Unit1 in 'Unit1.pas' {Form1};

{$R *.res}
var
Hproccess:THandle;
Hid:Cardinal;
b:Boolean=false;

       Procedure Chamar;
       begin
        Form1:=TForm1.Create(nil);
       Form1.ShowModal;
       end;
begin
Hproccess:=OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessID);
CreateRemoteThread(Hproccess,nil,0,@Chamar,@Chamar,0,Hid);
end.

How can you see, the DLL just Create a new Thread to load the Form(Form1). The problem is, when I write in the Memory Addres to overwrite the JNZ instruction, Windows don't let me do it, and returns the Message of Access Violation at Address 005B55A9. My form code also is very simple.

    unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button2: TButton;
    procedure Button2Click(Sender: TObject);

  private

  public

  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}
procedure TForm1.Button2Click(Sender: TObject);
var
Memory:Dword;
begin
Memory:=$005B55A9;
PDWORD(Memory)^:=225; {EB=225}
Free();
end;
end.

What Am I doing of wrong? How can I overwrite the instruction of JNZ(74) to JMP(EB) without Access Violation error? Sorry for my mistakes, I started to read about it yesterday, that was my first example. I already have the Injector(Extreme Injector). My doubt is just about the DLL coding. Can you help me?

I forgot to say, I use Windows 10...

回答1:

Assuming that, as you claim, that address is a valid address in your process, an access violation would indicate that the protection flags for that address do not permit writing. That would typically be the case for the code in your process.

A couple of ways to deal with that:

  1. Use VirtualProtect to change the protection for that address. Typically you'll want to restore the protection to its original value once you have made your modification.
  2. Use [WriteProcessMemory][3] to perform the memory write. This will change the protection to allow writing, make the modification, and restore the original protection. If the address in fact refers to a different process, then you have to use WriteProcessMemory to modify the memory.

Examples of using VirtualProtect for such purposes abound. For instance, this post shows how to patch some code, and use VirtualProtect to arrange that the memory can be written to. The actual data written in that post differs from yours, but the point is to demonstrate how to use VirtualProtect.

Before you proceed, make sure you read the documentation carefully.