Tuesday, October 07, 2008

How to modify memory of a running process

Kahled asked me how to modify memory at a certain addess.

So here we go...

Launch notepad and type "hallo"

image

Now attach windbg to it and search for the "hallo" string using the scan memory pattern:

0:001> s -u 0x00000000 L?0xffffffff "hallo"

00184958  0068 0061 006c 006c 006f 0000 0000 0000  h.a.l.l.o.......

You can now modify the string at memory location 00184958 with the e (Enter Values) command:

0:001> eu 00184958 "hello"

You will see after letting the process run again (g) that the german "hallo" switched to an english "hello":

image

Gepostet von Volker von Einem unter 9:05 AM
Labels: ,

2 comments:

Anonymous said...

The previous showed how to modify the address and enter a string value, what about if I want to enter a direct hexadecimal value rather than String.

Wednesday, October 08, 2008 11:10:00 AM
Volker von Einem said...

Use ed to enter double values

Wednesday, October 08, 2008 1:01:00 PM

Post a Comment

Subscribe to: Post Comments (Atom)