C#: Search a byte[] array in another process's memory
How is it possible to search for a byte[] array in the memory of another process and then get the address at the place where the byte[] array is located?
I want to w
-
Is it possible to be done in C#?
Yes. But very hard. It is hard from a native application where there is no impedance mismatched with the unmanaged view of processes and their memory maps you will need to use.
Considerations:
- You will need permission to open the process to get a handle.
- While the virtual memory space of a 32bit process is from two to four GB in size (depending on host OS and /3GB switch), much of this address range will not be allocated, and reading it will cause a page fault. You really need to find out what pages are allocated and for what to avoid lots of invalid page accesses.
Suggestions:
- Do you really really need to do this? Seriously this will be hard.
- Consider doing a native application, this will avoid working across the native/managed fence (this could include a native library with a managed driver application).
- Do you really need to do this?
- Consider doing the work inside the target process. This will require some cleverness (documented) to inject a thread, but should then be much faster.
- Start by reading up on Windows how process memory works (start with Windows Internals and (can't recall its name in the latest edition) Jeffrey Richter's book on Win32 application development.
- Do you really need to do this? There must be something simpler... could you automated a debugger?
讨论(0) -
You'll want to use these APIs:
[DllImport("Kernel32.Dll")] public static extern uint VirtualQueryEx(IntPtr ProcessHandle, uint Address, ref MEMORY_BASIC_INFORMATION MemInfo, int MemInfoLength); [DllImport("Kernel32.Dll")] public static extern bool ReadProcessMemory(IntPtr ProcessHandle, uint Address, byte[] Buffer, uint Size, ref uint BytesRead); [DllImport("Kernel32.Dll")] public static extern bool WriteProcessMemory(IntPtr ProcessHandle, uint Address, byte[] Buffer, uint Size, ref uint BytesRead);pinvoke.net is a great resource for Windows API calls. I wrote a trainer for GTA: Vice City that uses these calls if you want to check out the code on sourceforge. The code isn't pretty, it was a long time ago and I just threw it together, but there are helper classes for enumerating memory regions for a process and searching for certain bytes or strings.
讨论(0) -
This may help you find the right way:
private static int GetMemoryAddressOfString(byte[] searchedBytes, Process p) { //List<int> addrList = new List<int>(); int addr = 0; int speed = 1024*64; for (int j = 0x400000; j < 0x7FFFFFFF; j+= speed) { ManagedWinapi.ProcessMemoryChunk mem = new ProcessMemoryChunk(p, (IntPtr)j, speed + searchedBytes.Length); byte[] bigMem = mem.Read(); for (int k = 0; k < bigMem.Length - searchedBytes.Length; k++) { bool found = true; for (int l = 0; l < searchedBytes.Length; l++) { if(bigMem[k+l] != searchedBytes[l]) { found = false; break; } } if(found) { addr = k+j; break; } } if (addr != 0) { //addrList.Add(addr); //addr = 0; break; } } //return addrList; return addr; }讨论(0) -
I guess you could use the ReadProcessMemory Windows API call. There's even a premade P/Invoke signature for it so you don't need to bother with manually crafting it. You page through the memory of the process, search through it for your pattern and you're done.
讨论(0) -
Is it possible to be done in C#? Everithing is possible in c#(or any other languge), u just need to fiind how;
Hard coding here:
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Diagnostics; using System.Runtime.InteropServices; namespace ConsoleApplication1 { class Program { [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead ); [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] static extern bool CloseHandle(IntPtr hObject); static void Main(string[] args) { Process[] procs = Process.GetProcessesByName("explorer"); if (procs.Length <= 0) //proces not found return; //can replace with exit nag(message)+exit; IntPtr p = OpenProcess(0x10 | 0x20, true, procs[0].Id); //0x10-read 0x20-write uint PTR = 0x0; //begin of memory byte[] bit2search1 = {0xEB ,0x20,0x68,0x21,0x27,0x65}; //your bit array until ?? int k = 1; //numer of missing array (??) byte[] bit2search2 = {0x21,0x64,0xA1};//your bit array after ?? byte[] buff = new byte[bit2search1.Length+1+bit2search2.Length]; //your array lenght; int bytesReaded; bool finded = false; while (PTR != 0xFF000000) //end of memory // u can specify to read less if u know he does not fill it all { ReadProcessMemory(p, (IntPtr)PTR, buff, buff.Length, out bytesReaded); if (SpecialByteCompare(buff, bit2search1,bit2search2,k)) { //do your stuff finded = true; break; } PTR += 0x1; } if (!finded) Console.WriteLine("sry no byte array found"); } private static bool SpecialByteCompare(byte[] b1, byte[] b2, byte[] b3, int k) //readed memory, first byte array, second byte array, number of missing byte's { if (b1.Length != (b2.Length + k + b3.Length)) return false; for (int i = 0; i < b2.Length; i++) { if (b1[i] != b2[i]) return false; } for (int i = 0; i < b3.Length; i++) { if (b1[b2.Length + k + i] != b3[i]) return false; } return true; } }}
讨论(0)
加载中...
- 热议问题