Tuesday, October 07, 2008

How to modify memory of a running process

Kahled asked me how to modify memory at a certain addess.

So here we go...

Launch notepad and type "hallo"

image

Now attach windbg to it and search for the "hallo" string using the scan memory pattern:

0:001> s -u 0x00000000 L?0xffffffff "hallo"

00184958  0068 0061 006c 006c 006f 0000 0000 0000  h.a.l.l.o.......

You can now modify the string at memory location 00184958 with the e (Enter Values) command:

0:001> eu 00184958 "hello"

You will see after letting the process run again (g) that the german "hallo" switched to an english "hello":

image