May 15th, 2014

Is WriteProcessMemory atomic?

A customer asked, “Does Write­Process­Memory write the memory atomically? I mean, if I use Write­Process­Memory to write 10 instructions for a total of 20 bytes, can Write­Process­Memory write those 20 bytes atomically?”

CPUs typically provide only modest atomic update capabilities. The x86 family of processors, for example, can update up to eight bytes atomically. Twenty bytes is beyond the capability of the processor.

I was kind of baffled at what sort of mental model of computing the customer had developed. It apparently permits Write­Process­Memory to accomplish something that the CPU is not physically capable of performing.

“Will my aluminum hammer withstand temperatures above 700C?”

Given that aluminum melts at 660C, it doesn’t matter whether you make a hammer or a ladder or a scaffold. As long as you make it out of aluminum, it will melt at 660C because that’s a fundamental property of aluminum.

The only thing I can think of is that the customer thought that maybe the kernel suspended all of the threads in the process, updated the memory, and then unfroze them all. It wouldn’t be an atomic update in an absolute sense (somebody else doing a Read­Process­Memory might read an in-progress write), but it would be atomic from the viewpoint of the process being written to.

But no, the Write­Process­Memory function does no such thing. It merely writes the memory into the process address space.

Another way of thinking about it is using the thought experiment “Imagine if this were true.” If it were true that Write­Process­Memory provided atomicity guarantees for 20 bytes, then all sorts of multi-threaded synchronization problems would magically disappear. If you wanted to update a block of memory in your process atomically, you would just call Write­Process­Memory on your own process handle!

I noted that the underlying scenario sounds really fishy. Using Write­Process­Memory to update code in a process sounds an awful lot like the customer is writing a virus. One of my colleagues who studies malware agreed, adding, “On the other hand, some anti-malware products also use that approach, as dubious as it is. For the record, I would like to add, ‘yuck’.” My colleague asked the customer for further details on what they are doing, and why they think that Write­Process­Memory is what they need, so that a proper solution to their underlying problem could be developed.

We never heard back from the customer.

Topics
Code

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.