How is it possible to access memory of other processes?
I thought that one process cannot read the memory of other processes. But I'm shocked to see an application named "WinHex" which has a "RAM Editor" and is able to access the entire memory of all the processes.

How is that possible? And it is even able to modify the memory of other processes. Doesn't this become malicious?

Palace answered 1/1, 2010 at 21:57 Comment(3)
If you have the right privileges you can read and write anything.Thessa
You can do the same thing with almost any debugger... again, provided you have the required rights.Triploid
See codeproject.com/KB/threads/MDumpAll.aspxFishery
A
31

In all likelihood, the tool uses ReadProcessMemory or some variant, which requires PROCESS_VM_READ access.

With respect to your "malicious" comment, remember that you (or the process invoking this API, which likely needs Administrator-level permissions) already has total control over the machine. The security game is already lost at this point.

Ancier answered 1/1, 2010 at 22:8 Comment(1)
OMG!! I never knew this. I should immediately change mine to a less privileged level. I guess this is the reason why they added user confirmation options in Vista & Windows 7.Palace
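To make the accepted answer concrete, here is an added example (not code from the thread, and not how WinHex itself is written) of reading another process's memory with the narrowest right that allows it. On Windows it is the OpenProcess + ReadProcessMemory path above, requesting PROCESS_VM_READ and nothing else. On Linux the same gate is the kernel's ptrace access check, and the example reads /proc/<pid>/mem, which that check governs; this Linux branch is an assumed stand-in, not something the answer mentions. The marker string is constructed for the demo; a real tool walks the target's memory map instead of assuming an address.

```c
/*
 * Added example, not from the original thread: open a target process with
 * the least access right that permits reading, then read bytes at a known
 * address.  A refusal shows up as 0 bytes read rather than as garbage.
 */
#define _POSIX_C_SOURCE 200809L
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
typedef DWORD target_pid_t;
#else
#  include <fcntl.h>
#  include <signal.h>
#  include <stdint.h>
#  include <sys/types.h>
#  include <sys/wait.h>
#  include <unistd.h>
typedef pid_t target_pid_t;
#endif

/* Copy len bytes at addr in process pid into out.  Returns bytes read; 0 on refusal. */
size_t read_remote(target_pid_t pid, const void *addr, void *out, size_t len)
{
#ifdef _WIN32
    /* PROCESS_VM_READ is all ReadProcessMemory needs; never ask for PROCESS_ALL_ACCESS. */
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (h == NULL)
        return 0;                /* GetLastError() == ERROR_ACCESS_DENIED if rights are missing */
    SIZE_T got = 0;
    BOOL ok = ReadProcessMemory(h, addr, out, len, &got);
    CloseHandle(h);
    return ok ? (size_t)got : 0;
#else
    /* Assumed Linux stand-in: /proc/<pid>/mem is gated by the ptrace access check. */
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/mem", (long)pid);
    int fd = open(path, O_RDONLY);          /* EACCES/EPERM when access is denied */
    if (fd < 0)
        return 0;
    ssize_t got = pread(fd, out, len, (off_t)(uintptr_t)addr); /* offset == target VA */
    close(fd);
    return got > 0 ? (size_t)got : 0;
#endif
}

/* Constructed marker so the demo has a known address and known contents. */
static const char marker[] = "WINHEX-DEMO-MARKER";

/* Read our own process through the same API path.  Returns 1 on an exact round trip. */
int self_read_roundtrip(void)
{
    char out[sizeof marker];
    memset(out, 0, sizeof out);
#ifdef _WIN32
    target_pid_t me = GetCurrentProcessId();
#else
    target_pid_t me = getpid();
#endif
    size_t n = read_remote(me, marker, out, sizeof marker);
    return n == sizeof marker && memcmp(out, marker, sizeof marker) == 0;
}

/* An unmapped address (page 0) must yield 0 bytes, not a fake success.  Returns 1 if so. */
int unmapped_read_is_refused(void)
{
    char out[16];
#ifdef _WIN32
    return read_remote(GetCurrentProcessId(), (const void *)0, out, sizeof out) == 0;
#else
    return read_remote(getpid(), (const void *)0, out, sizeof out) == 0;
#endif
}

int main(void)
{
    printf("self read: %s\n", self_read_roundtrip() ? "ok" : "denied");
#ifndef _WIN32
    /* Read a genuinely different process: a forked child shares marker's address. */
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) { pause(); _exit(0); }  /* child waits until the parent is done */
    char out[sizeof marker];
    size_t n = read_remote(child, marker, out, sizeof marker);
    printf("child %ld: %zu bytes, %s\n", (long)child, n,
           n == sizeof marker && memcmp(out, marker, n) == 0 ? "matches" : "denied/mismatch");
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
#endif
    return 0;
}
```

Two things worth checking in practice: OpenProcess on a process of another user, or on an elevated or protected process, fails with ERROR_ACCESS_DENIED unless the caller holds and has enabled SeDebugPrivilege, which is what makes the Administrator account the deciding factor; and writing, as WinHex's editor does, needs PROCESS_VM_WRITE together with PROCESS_VM_OPERATION for WriteProcessMemory, so a reader-only tool should never request those.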
A
4

Well, that's one of the things a process with the right privileges, granted by the operating system, can do. Processes cannot access other processes' memory in principle. In practice the underlying operating system usually offers this mechanism to privileged processes.

Astounding answered 1/1, 2010 at 22:6 Comment(0)
U
2

Accessing other processes' memory is a piece of cake.
You can even use Windows Driver Kit to access and modify everything.

Check out rootkits, for example, to see how fragile the OS is when you don't restrict programs' privileges.

Unwarranted answered 1/1, 2010 at 22:22 Comment(2)
"ReadProcessMemory or some variant, which requires PROCESS_VM_READ access." 1. Will this come under the Windows Driver Kit? 2. Will these programs be running in kernel mode for accessing the entire memory?Palace
@Alice, the WDK is an extra API. With it you gain access to kernel objects/mode. If you really want to understand and dive into the inner workings of the OS, I recommend 3 books that I have: amazon.com/Microsoft-Windows-Internals-4th-Server/dp/B002DMJTXM/… amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/… amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/…Unwarranted
S
1

If you're running as Administrator, you can obtain privileges to read all of memory; it seems that WinHex is doing this on your behalf.

Have you tried this on a more restricted account?

Schear answered 1/1, 2010 at 22:4 Comment(0)
F
0

I think it uses some DLL injection technique.

See http://en.wikipedia.org/wiki/DLL_injection for more information

Faina answered 1/1, 2010 at 22:5 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.