  1. #16
    abuckau907
    That doesn't make any sense... getting a handle with ALL_ACCESS should not change the .protect of memory regions...

    Hopefully this helps; if so, you can re-work the code later. Please post the full output (if you have more than 100 scan results, maybe put them inside [ s p o i l e r ] ... [ / s p o i l e r ] tags, or upload to some external site like pastebin.com -- if your account can't post links yet, just add spaces inside the URL).

    Don't forget to manually run the executable as admin ...please.

    Replace your entire for loop() with this:
    Code:
    bool bChangedProtect;
    cout << search_results[cur_result].size() << " items found.\n" << endl; 
    for (int xy = 0; xy < search_results[cur_result].size(); xy++) 
    { 
       bChangedProtect = false;
       if (ReadProcessMemory(phandle,(void*)search_results[cur_result][xy],&sResult,8,nullptr) == 8) 
       {
          if (sResult==double_val) 
    	  {
    	 cout <<"item #" << xy << "\t";
             if (VirtualQueryEx(phandle, (void*)search_results[cur_result][xy], &mBI, sizeof(MEMORY_BASIC_INFORMATION)))
    		 {
    			 if ((mBI.Protect & PAGE_WRITECOPY) || (mBI.Protect & PAGE_EXECUTE_WRITECOPY))
    			 {
    				 cout << hex << search_results[cur_result][xy] << " was WRITE_COPY or EXEC_WRITE_COPY ..skipping, just because." << endl;
    				 continue;
    			 }
    			 else if ((mBI.Protect & PAGE_EXECUTE) || (mBI.Protect & PAGE_EXECUTE_READ))
    			 { 
    				 if (VirtualProtectEx(phandle,(void*)search_results[cur_result][xy],8,PAGE_EXECUTE_READWRITE,&OLDPROTECT))
    				 {
    					 cout << hex << search_results[cur_result][xy] << " Was EXEC or EXEC_R --> VirtualProtectEx(EXEC_RW) SUCCESS" << endl;
    					bChangedProtect = true;
    				 }
    				 else
    				 {
    					 cout << hex << search_results[cur_result][xy] << " Was EXEC or EXEC_R --> VirtualProtectEx(EXEC_RW) FAIL. skipping write." << endl;
    					 continue;
    				 }
    			 }
    			 else if (mBI.Protect & PAGE_READONLY)
    			 {
    				 if (VirtualProtectEx(phandle, (void*)search_results[cur_result][xy],8,PAGE_READWRITE,&OLDPROTECT))
    				 { 
    				 cout << hex << search_results[cur_result][xy] << " Was READ_ONLY --> VirtualProtectEx(READ_WRITE) SUCCESS" << endl;
    				 bChangedProtect = true;
    				 }
    				 else
    				 { 
    				 cout << hex << search_results[cur_result][xy] << " Was READ_ONLY --> VirtualProtectEx(READ_WRITE) FAIL. skipping write." << endl;
    				 continue;
    				 }
    			 }
    			 //if we get here, apparently it's writable (and not copy-forward). 
                             if (!bChangedProtect)
                               cout << hex << search_results[cur_result][xy]; //will be first time we show the addr. todo: re-work logic because this feels awkward.
    
    			 if (WriteProcessMemory(phandle,(void*)search_results[cur_result][xy],&double_ans,8,nullptr))
    			 {
    				 cout << " WriteProcessMemory() OK!" << endl;
    			 }
    			 else
    			 {
    				 cout << " WriteProcessMemory() FAIL!" << endl;
    				 if (VirtualQueryEx(phandle,(void*)search_results[cur_result][xy],&mBI,sizeof(MEMORY_BASIC_INFORMATION)))
    				 {
    					 cout <<"Current Protect: " << hex << mBI.Protect << endl;
    				 }
    				 else
    				 {
    					 cout <<"Current Protect: Unknown. VirtualQueryEx() Failed -- but why? -- does this happen?" << endl;
    				 }	 
    			 }
    			 //
    			 if (bChangedProtect)
    			 {
    				 DWORD idk = 0;
    				 if (VirtualProtectEx(phandle,(void*)search_results[cur_result][xy],8,OLDPROTECT,&idk)) //not sure if you should use same var for old and new protect. will it set 'oldProtect' to the old protection before writing. is a temporary used? idk. try if you care.
    				 {
    					 cout << hex << search_results[cur_result][xy] << " VirtualProtectEx(ORIG) SUCCESS" << endl;
    				 }
    				 else
    				 {
    					 cout << hex << search_results[cur_result][xy] << " VirtualProtectEx(ORIG) FAIL -- does this happen?" << endl;
    				 }
    			 }
    		 }
    		 else
    		 {
    			 cout <<"VirtualQueryEx FAILED for " << hex << search_results[cur_result][xy] << ". Skipping." << endl;
    		 }
    	  }
    	  else
    	  {
    		  cout << hex << search_results[cur_result][xy] << " sResult != double_val ... It was when we scanned, but not now. Skipped." << endl;
    	  }
       }
       else
       {
    	   cout << hex << search_results[cur_result][xy] << " was found to be a result..but now ReadProcessMemory() fails/partial read -- does this happen?" << endl;
       }
    	
    }
    Last edited by abuckau907; 05-12-2015 at 12:40 PM.

  2. #17
    LunaRebirth
    Ran your code.
    Here's the output:

    3 items found.
    43956a48 was found to be a result..but now ReadProcessMemory() fails/partial read -- does this happen?
    43fd14a8 was found to be a result..but now ReadProcessMemory() fails/partial read -- does this happen?
    44ae4b50 was found to be a result..but now ReadProcessMemory() fails/partial read -- does this happen?

    No change if I use ALL_ACCESS or not - same output. Thanks!
    Last edited by LunaRebirth; 05-12-2015 at 07:45 PM.

  3. #18
    LunaRebirth
    I'd never used ReadProcessMemory's return value as the sizeof a variable.
    I'm sure you know more than I do on using it, but I went to try !=0 instead of ==8, and here's the new output:

    3 items found.
    item #0 3d174308 WriteProcessMemory() FAIL!
    Current Protect: 4
    item #1 3d224868 WriteProcessMemory() FAIL!
    Current Protect: 4
    item #2 3d239860 WriteProcessMemory() FAIL!
    Current Protect: 4

    If your ==8 was correct, and my test above was completely unnecessary, disregard the above.
    Thanks!!

  4. #19
    abuckau907
    Oops. No, you're right; just check ReadProcessMemory's return value for zero/non-zero. After all, we are passing in a var for 'actualBytesRead' - not sure what I was thinking.

    Using != 0 is slightly redundant (read: verbose) in an if() condition --> that is what it's checking for anyway; any value that isn't 0 is considered TRUE, or, 0 is the only value that = false. So if you have

    if (someFuncCall())
        DoTheThing();

    // will do the thing as long as someFuncCall() doesn't return 0.

    Well, a .protect of '4' is PAGE_READWRITE, and if you're calling OpenProcess() with
    * PROCESS_VM_OPERATION (0x0008): Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).
    * PROCESS_VM_READ (0x0010): Required to read memory in a process using ReadProcessMemory.
    * PROCESS_VM_WRITE (0x0020): Required to write to memory in a process using WriteProcessMemory.
    and running the program as admin, WriteProcessMemory should succeed.

    I'm at a loss for the moment (I'm guessing the VM is detouring WPM? But why? I'm not familiar with VM internals (?) so I can't say). Hopefully someone else has an idea.

    I suggest you google to see if someone else has had a similar problem with this VM and WriteProcessMemory.
    Last edited by abuckau907; 05-12-2015 at 11:19 PM.
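
Added example, not part of any post in this thread: a decoder for the two numeric values discussed in post #19, the `Protect` value and the `OpenProcess()` access mask, including the `PAGE_GUARD` case that a plain read-write test misses. The constants are redefined from their documented Windows values so it builds without `<windows.h>`; the function names are made up for this example.

```cpp
// Added example, not code from the thread. Constant values are the documented
// Windows ones, redefined so this builds without <windows.h>.
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using Flag = std::pair<std::uint32_t, const char*>;

// Page protections: eight base values (one bit each) plus three modifiers.
static const std::vector<Flag> kProtect = {
    {0x01, "PAGE_NOACCESS"},          {0x02, "PAGE_READONLY"},
    {0x04, "PAGE_READWRITE"},         {0x08, "PAGE_WRITECOPY"},
    {0x10, "PAGE_EXECUTE"},           {0x20, "PAGE_EXECUTE_READ"},
    {0x40, "PAGE_EXECUTE_READWRITE"}, {0x80, "PAGE_EXECUTE_WRITECOPY"},
    {0x100, "PAGE_GUARD"},            {0x200, "PAGE_NOCACHE"},
    {0x400, "PAGE_WRITECOMBINE"}};

// The three process access rights listed in post #19.
static const std::vector<Flag> kRights = {
    {0x0008, "PROCESS_VM_OPERATION"},
    {0x0010, "PROCESS_VM_READ"},
    {0x0020, "PROCESS_VM_WRITE"}};

// Join the names of every table flag that is set in value.
static std::string namesOf(std::uint32_t value, const std::vector<Flag>& table) {
    std::string out;
    for (const auto& f : table) {
        if (value & f.first) {
            if (!out.empty()) out += "|";
            out += f.second;
        }
    }
    return out;
}

// Name a MEMORY_BASIC_INFORMATION::Protect value, e.g. 4 -> PAGE_READWRITE.
std::string describeProtect(std::uint32_t protect) {
    std::string s = namesOf(protect, kProtect);
    return s.empty() ? "(no known protection bits)" : s;
}

// True when the page can be written in place: a read-write base protection
// and no PAGE_GUARD modifier (a guard page faults on first access).
// One mask test replaces a chain of (x & A) || (x & B).
bool writableInPlace(std::uint32_t protect) {
    const std::uint32_t rw = 0x04 | 0x40;  // PAGE_READWRITE | PAGE_EXECUTE_READWRITE
    return (protect & rw) != 0 && (protect & 0x100) == 0;
}

// Rights WriteProcessMemory needs (per the list in post #19) that are absent
// from a handle's access mask; empty string when both are present.
std::string missingForWrite(std::uint32_t accessMask) {
    const std::uint32_t needed = 0x0008 | 0x0020;
    return namesOf(~accessMask & needed, kRights);
}

int main() {
    // Constructed sample values: 4 is the Protect printed in post #18.
    for (std::uint32_t p : {0x04u, 0x104u, 0x02u})
        std::cout << "Protect 0x" << std::hex << p << std::dec << " = "
                  << describeProtect(p) << ", writable in place: "
                  << std::boolalpha << writableInPlace(p) << "\n";
    for (std::uint32_t m : {0x0038u, 0x0010u})
        std::cout << "Access 0x" << std::hex << m << std::dec << " missing: ["
                  << missingForWrite(m) << "]\n";
    return 0;
}
```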

  5. #20
    LunaRebirth
    Hmm..
    I'll continue searching around.

    Thanks for your help

  6. #21
    LunaRebirth
    I found absolutely nothing online while searching literally all day.
    Do you think I'd get the same results trying a different VM?
    I know BlueStacks won't even allow Cheat Engine to change values, so I'm staying away from that..
    But there aren't really any other VMs I've heard good things about.

  7. #22
    abuckau907
    "I'm not familiar with VM internals (?) so I can't say."
    It's possible, I suppose.

    Apparently there is another (undocumented) Windows API for writing to memory...
    NtWriteVirtualMemory, I believe. Maybe your VM isn't detouring that one... worth a shot. I don't know anything about it so don't even ask.

    edit:
    We could talk about how to check if the VM is detouring WPM, and ways to get around it.. but tbh, you're new to this stuff and I'm not willing/able to discuss such a broad subject/so many new concepts. If you have a specific question, ask away : )
    Last edited by abuckau907; 05-13-2015 at 09:02 PM.

  8. #23
    LunaRebirth
    I tried downloading a new VM (Droid4X) and was getting the same results. I suspect it'll be the same, regardless of my choice of VM.

    I then followed some examples of NtWriteVirtualMemory online and downloaded the required .DLL. There was no change in the program, and writing still wasn't working.

    Fair enough that I don't know much on "this stuff," but if mentioning that I'm in a Computer Science major with a Game Programming focus at a Uni is worth anything to you, I may as well just say it. I'm very quick at learning, and willing to do my research.

  9. #24
    LunaRebirth
    I spent the last few hours learning Lua syntax and Cheat Engine functions, since Cheat Engine was working but my program wasn't.
    Using Lua to create a window with buttons and text editors, I tested it on a PC game. It worked wonderfully fast and amazing.
    Everything worked!
    Then I loaded the Android VM and tried it on the Android game.
    Nothing happened.
    I don't understand???
    It seems to be working fine for Cheat Engine manual changes. But when I use my program or even Cheat Engine's Lua scripting, nothing is working?
    That doesn't make any sense to me...

    With the info provided above, is there something maybe I'm missing??

  10. #25
    maestro1994
    Very interesting question. This goes topped.

    * Avoid using namespace std;
    * It's preferable to define a variable as late and in the innermost scope possible.
    Yes, non-trivial class types are a common exception where avoiding destruction and re-creation might be more performant.
    * Your indentation isn't very consistent; consider using your auto-formatter of choice.
    * You seem to suffer from severe adoration of braces. But still, you didn't use them in one place ... Why? Eheh.
    * std::hex actually persists after being applied to a stream, do you know that (obviously until explicitly countermanded) .. ?
    * Obviously, adding a reference for search_results[cur_result] at the start, aside from possibly being more performant, would also reduce the code.
    Same thing for expression[xy] at the start of each loop. But actually, if you didn't need xy for some reason, using a range-for loop would also be better.
    * You should learn how to simplify basic operations:
    Code:
    if((mBI.Protect & PAGE_WRITECOPY) || (mBI.Protect & PAGE_EXECUTE_WRITECOPY))
    Is equivalent to:
    Code:
    if(mBI.Protect & (PAGE_WRITECOPY | PAGE_EXECUTE_WRITECOPY))
    * You don't need to use a type as the argument to sizeof; rather, use the appropriate expression.
    Code:
    (sizeof mBI rather than sizeof(MEMORY_BASIC_INFORMATION))
    * Is there some specific reason you explicitly flush the output stream on each newline, or ... do you like flushing your performance down the drain?
    * Why do you use all the C-style casts to void*? I'm very suspicious of casts, and because I don't know the type of search_results[cur_result][xy], I have no idea whether the cast is just superfluous and bad form, necessary due to a bad choice of types, or also an outright bug the compiler had the impertinence to complain about.
    * You should read a basic tutorial if you don't know what pass-by-reference and pass-by-value mean, and when you have each in C++.
    Exactly, OLDPROTECT is safe to use there (it's not a macro, why upper-case?).
    Last edited by maestro1994; 11-06-2015 at 01:46 PM.
