VirtualQueryEx - Possible to call from a 64-bit app to a 32-bit app?

  1. #1
    Tanaris4

    VirtualQueryEx - Possible to call from a 64-bit app to a 32-bit app?

    All-

    I'm trying to unprotect some memory (in the DLL space w/in wow) by using VirtualQueryEx, then writing memory. But of course, I'm always receiving ERROR_INVALID_ADDRESS, even though I believe it's a valid memory address. My theory is that my app is 64-bit, and the wow process is 32-bit, and that's why there are some problems.

    Although I will say I'll open cheat engine, view the address, and it tells me it's in a dll's memory space, but it's all question marks (probably b/c read isn't enabled on those pages?)

    Anyone have any ideas which would allow me to do this?

    Here is the code I'm trying:

    Code:
            [DllImport("kernel32", SetLastError = true)]
            static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] Bytes, int dwSize, out int lpBytesWritten);
    
            [DllImport("kernel32", SetLastError = true)]
            internal static extern int VirtualProtectEx(IntPtr hProcess, IntPtr lpBaseAddress, int dwSize, uint newProtect, out uint oldProtect);
    
            void PatchBytes(int Address, byte[] NewBytes)
            {
                uint OldProtect;
    
                if (VirtualProtectEx(hProcess, new IntPtr(Address), NewBytes.Length, PAGE_READWRITE, out OldProtect) == 0)
                {
                    Int32 error = Imports.GetLastError();
                    throw new Exception(String.Format("PatchBytes VirtualProtectEx Fail 1 {0:X} Error: {1}", Address, error));
                }
    
                WriteBytes(Address, NewBytes);
    
                if (VirtualProtectEx(hProcess, new IntPtr(Address), NewBytes.Length, OldProtect, out OldProtect) == 0)
                {
                    Int32 error = Imports.GetLastError();
                    throw new Exception(String.Format("PatchBytes VirtualProtectEx Fail 2 {0:X} Error: {1}", Address, error));
                }
            }
    
            void WriteBytes(int Address, byte[] TheBytes)
            {
                int BytesWritten;
                //Console.WriteLine("WriteBytes @ 0x" + Address.ToString("x") + " (0x" + TheBytes.Length.ToString("x") + " bytes)");
                WriteProcessMemory(hProcess, new IntPtr(Address), TheBytes, TheBytes.Length, out BytesWritten);
            }
    Thanks in advance!
    ~ Tanaris
    Last edited by Tanaris4; 07-13-2012 at 02:55 PM.
    https://tanaris4.com

  2. #2
    Tanaris4
    Of course VirtualQueryEx works fine given the same address, so I don't really understand why VirtualProtectEx is telling me ERROR_INVALID_ADDRESS
    https://tanaris4.com

  3. #3
    DarkLinux
    Code:
           
            DWORD Start = 0x00000000;
            DWORD End = 0xFFFFFFFF;
            VirtualProtectEx(hProcess,(LPVOID)Start,End,0x40,&old);
    Not the best idea.. but why not... Or pull the range out of the header...
    See if that fails...
    Last edited by DarkLinux; 07-13-2012 at 02:58 PM.

  4. #4
    Tanaris4
    Originally Posted by DarkLinux
    Code:
           
            DWORD Start = 0x00000000;
            DWORD End = 0xFFFFFFFF;
            VirtualProtectEx(hProcess,(LPVOID)Start,End,0x40,&old);
    Not the best idea.. but why not... Or pull the range out of the header...
    See if that fails...
    Haha nope. I even tried to loop through all of them:

    Code:
                long MaxAddress = 0x7fffffff;
                long address = 0;
                do
                {
                     MEMORY_BASIC_INFORMATION m;
                     int result = VirtualQueryEx(hProcess, (IntPtr)address, out m, (uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
    
    
                     if ((uint)m.BaseAddress <= Address && Address < (uint)m.BaseAddress + (uint)m.RegionSize - 1)
                     {
                         Console.WriteLine("{0:X} - {1:X} : {2} bytes result={3}", (uint)m.BaseAddress, (uint)m.BaseAddress + (uint)m.RegionSize - 1, m.RegionSize, result);
    
                         if (VirtualProtectEx(hProcess, m.BaseAddress, (int)m.RegionSize, PAGE_READWRITE, out OldProtect) == 0)
                         {
                             Console.WriteLine("Doesn't work /tear ");
                         }
                     }
    
                     if (address == (long)m.BaseAddress + (long)m.RegionSize)
                         break;
                     address = (long)m.BaseAddress + (long)m.RegionSize;
                } while (address <= MaxAddress);
    Then just set the entire region, but it doesn't work. I'm wondering if it's due to wow64 how it emulates the NT dll and other dlls? Really at a loss here.
    https://tanaris4.com

  5. #5
    Tanaris4
    Interestingly enough, if I compile my app in 32-bit mode (My OS is 64-bit Windows 7), I can run the above code perfectly fine...

    Odd yes? Anyone have any ideas as to why?
    https://tanaris4.com

  6. #6
    sitnspinlock
    the wow64 thunk layer has no effect on this api, there must be something you are overlooking (i didn't look at your source).

    cheat engine will show question marks for various reasons:

    -nothing is mapped at that virtual address
    -the pages are marked as guard pages
    -the pages are marked as no_access
    Last edited by sitnspinlock; 07-16-2012 at 05:31 PM.

  7. #7
    andy012345
    Originally Posted by Tanaris4
    Interestingly enough, if I compile my app in 32-bit mode (My OS is 64-bit Windows 7), I can run the above code perfectly fine...

    Odd yes? Anyone have any ideas as to why?
    It could be the structure and alignment changes in MEMORY_BASIC_INFORMATION across architectures; for an x86 app you should be using MEMORY_BASIC_INFORMATION32.

    Edit: never mind, that's just your test code
    Last edited by andy012345; 07-16-2012 at 05:24 PM.
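
The structure layouts this reply refers to, together with the three unreadable-page cases listed in reply #6, as an added example in portable C (not code from any poster in this thread). The names `MBI32`/`MBI64`, the helper functions and the sample region are constructed for illustration; field order and constants follow winnt.h, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {      /* winnt.h MEMORY_BASIC_INFORMATION32 layout, 28 bytes */
    uint32_t BaseAddress, AllocationBase, AllocationProtect, RegionSize, State, Protect, Type;
} MBI32;
typedef struct {      /* winnt.h MEMORY_BASIC_INFORMATION64 layout, 48 bytes */
    uint64_t BaseAddress, AllocationBase;
    uint32_t AllocationProtect, alignment1;
    uint64_t RegionSize;
    uint32_t State, Protect, Type, alignment2;
} MBI64;

#define MEM_COMMIT    0x1000u    /* values from winnt.h */
#define PAGE_NOACCESS 0x01u
#define PAGE_READONLY 0x02u
#define PAGE_GUARD    0x100u
enum region_status { REGION_READABLE, REGION_UNMAPPED, REGION_GUARD, REGION_NOACCESS };

/* Why a memory viewer cannot display a region, decided from State and Protect. */
enum region_status classify_region(uint32_t state, uint32_t protect) {
    if (state != MEM_COMMIT) return REGION_UNMAPPED;   /* free or reserved: no pages mapped */
    if (protect & PAGE_GUARD) return REGION_GUARD;
    if ((protect & 0xFFu) == PAGE_NOACCESS) return REGION_NOACCESS;
    return REGION_READABLE;
}

/* Constructed sample: a committed, read-only image region in the 64-bit layout. */
MBI64 sample_region(void) {
    MBI64 m = {0};
    m.BaseAddress = 0x10001000u; m.AllocationBase = 0x10000000u;
    m.AllocationProtect = 0x80u; m.RegionSize = 0x3000u;  /* PAGE_EXECUTE_WRITECOPY */
    m.State = MEM_COMMIT; m.Protect = PAGE_READONLY; m.Type = 0x1000000u; /* MEM_IMAGE */
    return m;
}

/* Read the start of a 64-bit record through the 32-bit layout (the mismatch case). */
MBI32 misread_as_32(const MBI64 *m) {
    MBI32 wrong;
    memcpy(&wrong, m, sizeof wrong);
    return wrong;
}

int main(void) {
    MBI64 m = sample_region();
    MBI32 w = misread_as_32(&m);
    printf("sizes %zu/%zu correct=%d misread=%d\n", sizeof(MBI32), sizeof(MBI64),
           (int)classify_region(m.State, m.Protect), (int)classify_region(w.State, w.Protect));
    return 0;
}
```

Read through the wrong layout, the `State` slot holds the record's `AllocationProtect` value, so a committed, readable region is classified as unmapped.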
