Cpp Memory Manipulation


Author: Dave
Date: 04.25.20 - 9:25am



Soo I often have to manipulate raw memory outside of traditional structures or arrays in C/Cpp.

The two main ways to go seem to be a bunch of crappy casts which suck to type and suck to read, or the traditional memcpy route which is long to type and requires multiple lines of code.

Consider the following:
.text:AABBCCDD FF 35 44 33 22 11   push   tlsSlotVar
memory offset AABBCCDD, I want to:
  • read the first two bytes to validate expected opcode
  • read the next four bytes to get the offset of tlsSlotVar
int someExport = (int)GetProcAddress(h,"someExport");
short p = (short)(*(int*)someExport);
int tlsSlotVar= (*(int*)(someExport+2));
if ( p != 0x35FF ) return 0;
int tlsMem = (int)TlsGetValue(*(int*) tlsSlotVar);
tlsMem += 0x18;
(*(int*)tlsMem) = (int)&dummy;


The reason I want with int over int* was just to make the math normal when calculating offsets. (*(int*)(someExport+2)); seems a touch easier to read and sanity check than *((char*)someExport+2));

If someExport was an int* then any +2 will add 8 bytes not 2 unless you cast the pointer to a 1 byte type. Great for arrays, shitty for raw memory manipulations. (Yes I know they dont really want you doing raw memory manipulations)

I am not really a big fan of using memcpy's for the read and writes. When i work in vb6 this is the goto and while it works and is fairly readable it is a lot of typing and forward variable declarations leading to more lines of code.

So i guess I am now leaning towards the following:

int* pPlus(int * p, int increment){
  _asm{
	mov eax, p
	add eax, increment
   }
}

int* someExport = (int*)GetProcAddress(h,"someExport");
short p = (short)(*someExport);
int*  tlsSlotVar = (int*)(*pPlus(someExport,2));
int* tlsMem = (int*)TlsGetValue(*tlsSlotVar);
*pPlus(tlsMem,0x18) = (int)&dummy;


Maybe some kind of hybrid approach:

short p; int* tlsSlotVar; int dummy[10] = {0};
char* someExport = (char*)GetProcAddress(h,"someExport");
memcpy(&p, someExport, 2);
memcpy(&tlsSlotVar, someExport+2, 4);
if ( p != 0x35FF ) return 0;
int* tlsMem = (int*)((char*)TlsGetValue(*tlsSlotVar)+0x18);
if ( tlsMem == 0 ) return 0;
*tlsMem = (int)&dummy;


I still kind of wish I was dealing with straight C where you dont have to cast a void* explicitly into an int*, but the other advantages of Cpp make me live with it. I do wish we could disable that though with a pragma.

If anyone has any better solutions I would love to hear them.




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 94 + 77 = ? followed by the letter: M 



About Me
More Blogs
Main Site
Posts: (All)
2024 ( 2 )
2023 ( 9 )
2022 ( 4 )
2021 ( 2 )
2020 (4)
     NTFileSize
     BSTR from C Dll to VB
     Cpp Memory Manipulation
     ActiveX Binary Compatability
2019 (5)
     Console tricks
     FireFox temp dir
     OCX License
     Extract substring
     VB6 Console Apps
2018 (6)
     VB6 UDTs
     VB6 Debugger View As Hex tooltips
     VB6 - C Share registry data
     VB6 Addin Missing Menus
     VB6 Class Init Params
     VB6 isIn function
2017 ( 6 )
2016 ( 22 )
2015 ( 15 )
2014 ( 25 )
2013 ( 4 )
2012 ( 10 )
2011 ( 7 )
2010 ( 11 )
2009 ( 3 )