Question about WriteProcessMemory

Pawn_Fox
Posts: 9
Joined: Tue Mar 21, 2017 9:01 pm


Post by Pawn_Fox »

Hello, and sorry if I'm posting in the wrong category of this forum.

I have a ".dll" that injects into a game (an anti-cheat), and I want to monitor all the external "WriteProcessMemory" calls that interact with this game, so that I can monitor all the shitty cheats that are changing the game's addresses. Can someone help me with this piece of code? I am willing to pay.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Question about WriteProcessMemory

Post by madshi »

Are cheats not usually loaded right into the game process? If so, they will not use WriteProcessMemory, but simply directly write to the RAM, with no APIs called at all.

But if there are cheats which operate by calling WriteProcessMemory, you should be able to hook those, but you'll probably need a system wide API hook. You could probably use madCodeHook for that purpose.

Another option would be to change the memory address such a cheat would write to constantly, using some sort of random, so the cheats can't hard code the address.

Post by Pawn_Fox »

Most of the cheats that I'm facing are based on the classic WriteProcessMemory method, and for me it's a pain in the ass to search for and hook, all the time, the addresses that a cheat is constantly changing. Sometimes they find new addresses and I always have to be up to date with their cheat.

I'll look into documentation of madCodeHook. Thanks.

Edit: One more question. If I use madCodeHook for WPM and I don't ADD anything to my new WPM function, will the new function edit the memory anyway? Because I need to make it stop editing memory.

Post by madshi »

Using madCodeHook, your hook dll would be called whenever any user mode process calls WriteProcessMemory. Your hook dll gets called *instead* of the real WriteProcessMemory API. You can then decide if you want to allow that specific WriteProcessMemory call (e.g. you would probably allow it if it doesn't target your game) or if you want to block it. If you want to block it, your hook callback function would simply return. If you want to allow it, you would pass the call on to the original API.

Your hook dll would look something like this:

library YourHookDll;

uses Windows, madCodeHook;

var
  // the process ID of your game; how the hook dll learns it is up to you
  YourGamesProcessId : dword = 0;

  // pointer to the original WriteProcessMemory, filled in by HookAPI;
  // the signature must match the real API exactly
  WriteProcessMemoryNextHook : function (hProcess: THandle; lpBaseAddress: pointer; lpBuffer: pointer;
                                         nSize: SIZE_T; var lpNumberOfBytesWritten: SIZE_T) : BOOL; stdcall;

// called instead of the real WriteProcessMemory in every hooked process
function WriteProcessMemoryCallback(hProcess: THandle; lpBaseAddress: pointer; lpBuffer: pointer;
                                    nSize: SIZE_T; var lpNumberOfBytesWritten: SIZE_T) : BOOL; stdcall;
begin
  if madCodeHook.ProcessHandleToId(hProcess) = YourGamesProcessId then
  begin
    // someone wants to modify the game - we block that!!
    result := false;
    SetLastError(ERROR_ACCESS_DENIED);
  end
  else
    // someone wants to modify some other process, that's fine with us,
    // so we pass the call on to the original API
    result := WriteProcessMemoryNextHook(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

initialization
  HookAPI('kernel32.dll', 'WriteProcessMemory', @WriteProcessMemoryCallback, @WriteProcessMemoryNextHook);
end.

That's all!! Pretty simple, isn't it? The only thing missing in this source code is how the hook dll will know which ID your game process has. Instead of comparing the ID you could use "madCodeHook.ProcessIdToFileName(madCodeHook.ProcessHandleToId(hProcess), ...)" to get the file name of the target process and then do a string comparison to see if it's your game.

The code above is Delphi code, of course the same would work in C++.

In order to do system wide API hooking with madCodeHook, you will need to have a code signing certificate capable of signing drivers (e.g. from Verisign or GlobalSign). If you need Windows 10 SecureBoot compatibility, you will probably even need one of those new EV certificates. You need the certificate because madCodeHook uses a little kernel mode driver to automatically inject your hook dll into all newly started processes. Newer Windows versions (especially x64) require drivers to be signed, otherwise the OS won't load them. So that's why you will need a certificate.

P.S: And in order to install the driver, you will need admin rights. You could solve this by installing the driver in your game installer, and by requiring admin rights for the installer.
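The allow-or-block decision the callback above makes, written out as an added C++ example (not madshi's or madCodeHook's code) with the Windows-specific parts left out so the policy can be compiled and tested anywhere. It assumes the hook dll has already turned hProcess into a pid and an image path (madCodeHook's ProcessHandleToId / ProcessIdToFileName) before calling it; WpmPolicy, decide and normalizePath are names made up here, and the trusted-writer list goes slightly beyond the post by letting the anti-cheat's own process keep writing.

```cpp
// Added example, not part of the original post: the policy core of a
// WriteProcessMemory hook callback, kept free of Windows APIs for testing.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <set>
#include <string>

enum class WpmVerdict { Allow, Block };

// What the hook dll needs to know: which executable is the game, and which
// pids may legitimately write into it (e.g. the anti-cheat's own process).
struct WpmPolicy {
    std::string gameExePath;          // full path as ProcessIdToFileName reports it
    std::set<uint32_t> trustedWriters;
};

// Windows paths are case-insensitive and may mix separators, so normalize
// before comparing: "C:\Games\GAME.EXE" and "c:/games/game.exe" are one file.
std::string normalizePath(std::string p) {
    std::replace(p.begin(), p.end(), '/', '\\');
    std::transform(p.begin(), p.end(), p.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return p;
}

// Should a WriteProcessMemory call from callerPid into targetPid (whose image
// is targetExePath) reach the real API? The whole normalized path is compared,
// not a substring, so another executable that merely contains the game's name
// is neither blocked by mistake nor mistaken for the game.
WpmVerdict decide(uint32_t callerPid, uint32_t targetPid,
                  const std::string& targetExePath, const WpmPolicy& policy) {
    if (callerPid == targetPid)
        return WpmVerdict::Allow;   // a process writing to itself is not an external write
    if (normalizePath(targetExePath) != normalizePath(policy.gameExePath))
        return WpmVerdict::Allow;   // not our game: pass the call on to the original API
    if (policy.trustedWriters.count(callerPid))
        return WpmVerdict::Allow;   // an allow-listed writer, e.g. the anti-cheat service
    return WpmVerdict::Block;       // callback returns FALSE with ERROR_ACCESS_DENIED
}
```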

Post by Pawn_Fox »

Alright, thank you for the good answers! But one more thing before I get started: do I have to hook WriteDMALong and WriteDMAInteger too? Are these functions using WriteProcessMemory?

Post by madshi »

I've never even heard of WriteDMALong/Integer yet, to be honest.

After a google search it seems to me that "WriteDMALong/Integer" are not APIs offered by Microsoft, but they seem to be functions in some demo source code. They seem to be based on calling WriteProcessMemory internally, but I'm not 100% sure. You only need to hook the win32 APIs such functions internally use.

Post by Pawn_Fox »

I understand, but do I really need to uninstall my hook every time the process is killed or ended? Would it affect anything if I'm not uninstalling it?
And one more thing: would this hooking method get picked up by antiviruses?

Edit: Is this forum only related to the madCode products, or can I ask whatever questions I want about developing?

Post by madshi »

You don't have to kill the hook at all. You can run it at all times. Whether doing that is in the interest of the end user is another question, though.

Anti-virus software tends to be relaxed if you properly sign your exe, dll and driver files. There's no guarantee that there will never be a false positive, of course, but I haven't had complaints about that for a long time now from madCodeHook users. Just be careful that you don't do anything "bad" in your software. E.g. don't hide your process(es) or things like that.

This forum is mainly meant for madExcept and madCodeHook products. I don't have the resources to turn this forum into an "ask any kind of question and madshi answers" forum. I don't mind getting the odd question once in a while, but I won't regularly answer questions that are totally unrelated to my products.

Post by Pawn_Fox »

Okay. My application already has some code written for detecting newly opened procs, and I'm currently trying to figure out how to hook every newly opened proc.

Post by madshi »

If you already have code for that, you might not need the madCodeHook driver. However, if you wait for the newly opened processes to start before you hook them, it might already be too late: they might already have called WriteProcessMemory before you hooked them. The madCodeHook driver automatically injects your hook dll before the newly opened processes even start running. So if you use the madCodeHook driver, you don't have to do anything; everything will work automatically, and quickly enough to catch those WriteProcessMemory API calls.

Post by Pawn_Fox »

For me it doesn't matter if I wait for that program to open, because it's constantly changing memory and I want to stop this. My problem is related to injecting my hooked code into the newly opened process.

Post by madshi »

Ok, if you can wait, then you can use madCodeHook's "InjectLibrary(processHandleOfNewlyStartedProcess, 'YourHook.dll')" API to inject the newly started process with your hook dll. In this case you don't need the kernel mode driver, and you don't need the certificate. Signing your exe + hook dlls with a certificate would still be a good idea, though, to improve the chances that your files don't get flagged as dangerous by anti-virus software. A simple code signing certificate from GlobalSign would be sufficient for that, though, no EV certificate needed, as long as you don't use the driver.

Post by Pawn_Fox »

Oh, ok, but I'm not using an external ".dll" file for injection.

Edit: I guess I'll have to open every process and write to it.

Post by madshi »

You need to do the WriteProcessMemory hooking in every running user mode process. In order to do that your hooking code should be in a dll, and that dll needs to be injected into all those processes.

Post by Pawn_Fox »

I understand. Would something like this work: http://pastebin.com/vFTTsdS5 ?

Thanks.