Native WriteProcessMemory Api Replacement

posted 14 Sep 2010, 17:25 by Danny Rancher   [ updated 14 Sep 2010, 18:58 ]
This unit lets you replace calls to WriteProcessMemory with the equivalent Native API (ntdll) calls: NtProtectVirtualMemory, NtWriteVirtualMemory and NtFlushInstructionCache.

The attached Delphi source code shows how the unit is used in the External Downloader example.

unit uWriteProcessMemory;

{
  Author: Counterstrikewi
  Thank you: fijack
  Compiled: Delphi 2007
  Website: www.delphibasics.info
}

interface

uses
  Windows;

{
  Writes nSize bytes from lpBuffer to lpBaseAddress in the process referred
  to by hProcess. The parameter list and calling convention follow
  WriteProcessMemory, except that lpNumberOfBytesWritten is a var parameter
  and therefore always has to be supplied.

  Returns True only when the protection change, the write of all nSize bytes
  and the instruction-cache flush each report status 0. In every other case
  the result is False and lpNumberOfBytesWritten is 0.
}
function xWriteProcessMemory(hProcess: THandle;
                             lpBaseAddress: Pointer;
                             lpBuffer: Pointer;
                             nSize: DWORD;
                         var lpNumberOfBytesWritten: DWORD
                             ): BOOL; stdcall;

implementation

type
  // Pointer-to-pointer and pointer-to-ULONG helpers for the in/out
  // parameters of the ntdll prototypes below.
  PPVOID = ^Pointer;
  PULONG = ^LongWord;

  // Prototypes for the three ntdll exports that the initialization section
  // resolves by name. Each returns an NTSTATUS as Longint; this unit treats
  // only the value 0 as success.
  // NOTE(review): region and buffer sizes are declared as 32-bit Longword.
  // That matches the 32-bit Delphi 2007 target named in the unit header;
  // confirm the parameter widths before compiling this for a 64-bit target.
  // BaseAddress and ProtectSize are passed by pointer because the call can
  // write adjusted values back through them.
  TNtProtectVirtualMemory = function (ProcessHandle: THandle; BaseAddress: PPVOID; ProtectSize: PULONG; NewProtect: Longword; OldProtect: PULONG): Longint; stdcall;
  // ReturnLength receives the number of bytes actually written.
  TNtWriteVirtualMemory = function (ProcessHandle: THandle; BaseAddress: Pointer; Buffer: Pointer; BufferLength: Longword; ReturnLength: PULONG): Longint; stdcall;
  TNtFlushInstructionCache = function (ProcessHandle: THandle; BaseAddress: Pointer; FlushSize: Longword): Longint; stdcall;

var
  // Handle of ntdll.dll as returned by GetModuleHandleA in the
  // initialization section.
  hNtdll : THandle;
  // Entry points filled in from GetProcAddress in the initialization
  // section. GetProcAddress returns nil when a name cannot be resolved, so
  // any of these may be nil if a lookup failed.
  xNtProtectVirtualMemory : TNtProtectVirtualMemory;
  xNtWriteVirtualMemory : TNtWriteVirtualMemory;
  xNtFlushInstructionCache : TNtFlushInstructionCache;

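{
  Native API counterpart of WriteProcessMemory: copies nSize bytes from
  lpBuffer to lpBaseAddress inside the process referred to by hProcess.

  Steps: make the target range PAGE_READWRITE, write, put the previous
  page protection back, then flush the instruction cache for the range.

  lpNumberOfBytesWritten is set to 0 on entry and receives the byte count
  only when the function returns True.

  Returns True only if the protection change, the write of all nSize bytes
  and the flush each returned status 0. Returns False without touching the
  target when any of the three ntdll entry points was not resolved.

  This is the same cross-process write as WriteProcessMemory, issued one
  layer lower. hProcess still has to carry PROCESS_VM_OPERATION and
  PROCESS_VM_WRITE access, so auditing of process-handle access rights
  applies to it unchanged.
}
function xWriteProcessMemory(hProcess: THandle;
                             lpBaseAddress: Pointer;
                             lpBuffer: Pointer;
                             nSize: DWORD;
                         var lpNumberOfBytesWritten: DWORD
                             ): BOOL; stdcall;
var
  RegionBase: Pointer;
  RegionSize, PreviousProtection, DiscardedProtection, BytesWritten: LongWord;
  // NTSTATUS is signed; failure codes are negative, so keep it in a Longint
  // rather than a DWord (which would trip range checking under $R+).
  WriteStatus: Longint;
begin
  Result := False;
  lpNumberOfBytesWritten := 0;

  // The entry points are resolved once at unit initialization and are nil
  // if a lookup failed; calling through nil would raise an access violation.
  if (not Assigned(xNtProtectVirtualMemory)) or
     (not Assigned(xNtWriteVirtualMemory)) or
     (not Assigned(xNtFlushInstructionCache)) then
    Exit;

  // NtProtectVirtualMemory writes the page-aligned base and the rounded-up
  // size back through its pointer arguments. Give it copies so that the
  // write below still uses the caller's exact address and length instead of
  // a rounded-down address and a length that can run past lpBuffer.
  RegionBase := lpBaseAddress;
  RegionSize := nSize;
  PreviousProtection := 0;
  if xNtProtectVirtualMemory(hProcess, @RegionBase, @RegionSize,
                             PAGE_READWRITE, @PreviousProtection) <> 0 then
    Exit;

  BytesWritten := 0;
  WriteStatus := xNtWriteVirtualMemory(hProcess, lpBaseAddress, lpBuffer,
                                       nSize, @BytesWritten);

  // Put the original protection back whether or not the write succeeded, so
  // the target's pages are not left with altered permissions. RegionBase and
  // RegionSize now describe exactly the region the first call changed. The
  // result is deliberately not folded into the return value.
  xNtProtectVirtualMemory(hProcess, @RegionBase, @RegionSize,
                          PreviousProtection, @DiscardedProtection);

  if (WriteStatus = 0) and (BytesWritten = nSize) then
  begin
    if xNtFlushInstructionCache(hProcess, lpBaseAddress, nSize) = 0 then
    begin
      lpNumberOfBytesWritten := BytesWritten;
      Result := True;
    end;
  end;
end;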

initialization

  hNtdll := GetModuleHandleA('ntdll.dll');
  xNtProtectVirtualMemory := GetProcAddress(hNtdll, 'NtProtectVirtualMemory');
  xNtWriteVirtualMemory := GetProcAddress(hNtdll, 'NtWriteVirtualMemory');
  xNtFlushInstructionCache := GetProcAddress(hNtdll, 'NtFlushInstructionCache');

end.

Only Delphi source code is included in the archive.
ExternalDownloader.rar
(3k)
Danny Rancher,
14 Sep 2010, 18:23