Writememory
ulong Writememory(const void *buf,ulong addr,ulong size,int mode);
Writes data to the memory of the debugged process. As
this operation is time-consuming, OllyDbg caches write requests and
flushes them when process resumes or on explicit call to Flushmemorycache().
Writememory() checks whether memory exists and guesses whether it is writable or not. If requested memory is missing or only partially writable, Writememory()
stops on the first error. It neither restores the already modified
data, nor attempts to write the remaining data. Due to the caching, it
may happen that Writememory() returns success but Flushmemorycache() will fail, reporting error "Unable to flush cache at XXXXXXXX".
If
range contains active INT3 breakpoints, they will be overwritten. Even
if breakpoints are deactivated or disabled, there is usually no
guarantee that they will point to the first bytes of new commands,
or that commands are not replaced by the data. To avoid problems,
always set MM_REMOVEINT3 (removes all INT3 breakpoints) or MM_ADJUSTINT3 (adjusts and reapplies INT3 breakpoint at address addr and removes all remaining breakpoints).
If code is modified, associated analysis data is usually no longer valid. Call Removeanalysis() to discard analysis, predictions and comments from the addressed memory range.
In
most cases, write requests are preceded by memory reads. To assure
memory consistency in a read-modify-write sequence, put this
sequence inside the pair Suspendallthreads()
/ Resumeallthreads().
Parameters:
buf
(in) Data to be written, size bytes long
addr
(in) Start
address of the memory block in the context of debugged process
size
(in) Data size, bytes
mode
(in) Memory write options, a combination of the following flags:
MM_REPORT -
display error message if memory is not writable (default). Can't be
combined with MM_SILENT
MM_SILENT -
don't display error message if memory is not writable. Can't be
combined with MM_REPORT
MM_WRITETHRU - writes directly
to memory without caching. If several write requests point to the same
memory page, direct writing may be significantly slower than cached
MM_REMOVEINT3 - asks to remove all INT3 breakpoints from the addressed memory range, see discussion above
MM_ADJUSTINT3 - asks to adjust INT3 breakpoint at address addr, if any, and remove all INT3 breakpoints from the remaining address range. See discussion above
MM_FAILGUARD
- requests to fail if memory is guarded or
read-protected.
Default action is to change for a short moment the memory attributes of
the specified block and retry writing
Return
values:
Size
of the data written to the memory of debugged process. If returned value is less than size, an error has occured.
See
also: