文档章节

C# Read/Write another Process' Memory

o
 osc_bkdv2it5
发布于 2019/08/19 13:03
字数 777
阅读 20
收藏 0

精选30+云产品,助力企业轻松上云!>>>

 

 

 

 

https://codingvision.net/security/c-read-write-another-process-memory

Today’s tutorial is about…processes’ memory! In this article I’ll show you how to read/write a process’ memory using C#. This is a good way to learn a part of WinAPI and also understand the basics of memory allocation.

Before starting, we need a “target” - I choose notepad.exe.

1.Finding the Memory Address

As you might probably know, applications store each variable’s value at a specific memory address, we need to know that memory adress in order to edit anything. Since there’s not other way around (or I’m not aware of it?) the only solution is to start searching, using a debugger.

To get that memory address, I used OllyDbg - don’t worry, all the steps are written below.

First, open notepad.exe, type some text (like “hello world”) and attach OllyDbg (File->Attach). Press F9 and then ALT+M to open the Memory Map.

对应的Unicode的字节数组是68 00 65 00 6C 00 6C 00 6F 00 20 00 77 00 6F 00 72 00 6C 00 64 00

 

It should look like this:

 

 

 

Press CTRL+B and it will open the Binary Search Window. Now, because the value is stored in memory as Unicode, you have to type the string you’re looking for in the 2nd textbox:

 

 

Once you hit Ok another window will pop up - the Memory Dump. Here, look at the very first memory address (on the left) - from that address we’ll start reading. In the image below, the highlighted part contains the message I typed in Notepad.

Note: don’t use the memory address from the image - it’s not the same memory address every time

 

We got the memory address, now…don’t close/restart the application. If you restart it, the memory for the text will be reallocated, so the address will most likely be changed.

复制出地址000000B9A6B78542,然后通过菜单的detach

 

 

2.Read Process’ Memory

In order to read the value from that memory address, we need to import 2 functions into C#: OpenProcess() and ReadProcessMemory() from kernel32.dll.

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

When a process is opened, you must also specify the desired access (this time, you request access for reading the memory), so this constant is needed:

const int PROCESS_WM_READ = 0x0010;

Since the whole code is self explanatory, I’ll just add short comments where they’re needed:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class MemoryRead
{
    const int PROCESS_WM_READ = 0x0010;

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

    public static void Main()
    {

        Process process = Process.GetProcessesByName("notepad")[0]; 
        IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id); 

        int bytesRead = 0;
        byte[] buffer = new byte[24]; //'Hello World!' takes 12*2 bytes because of Unicode 

        // 0x0046A3B8 is the address where I found the string, replace it with what you found
        ReadProcessMemory((int)processHandle, 0x0046A3B8, buffer, buffer.Length, ref bytesRead);

        Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead.ToString() + "bytes)");
        Console.ReadLine();
    }
}

 

3.Write Process’ Memory

Writing to a memory address is a little bit different: you’ll need OpenProcess() and WriteProcessMemory().

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten);

However, special permissions are required: while opening the process request the following privileges: PROCESS_VM_WRITE | PROCESS_VM_OPERATION.

const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_OPERATION = 0x0008;

Note: notepad’s textbox is storing the number of bytes it has to read from the memory - that value is updated only when the text is changed by user. If you write to the memory address a longer string, it will be truncated.

The complete code is available below:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class MemoryRead
{
    const int PROCESS_ALL_ACCESS = 0x1F0FFF;

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten);

    public static void Main()
    {

        Process process = Process.GetProcessesByName("notepad")[0];
        IntPtr processHandle = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id); 

        int bytesWritten = 0;
        byte[] buffer = Encoding.Unicode.GetBytes("It works!\0"); // '\0' marks the end of string

        // replace 0x0046A3B8 with your address
        WriteProcessMemory((int)processHandle, 0x0046A3B8, buffer, buffer.Length, ref bytesWritten);
        Console.ReadLine();
    }
}

 

o
粉丝 0
博文 500
码字总数 0
作品 0
私信 提问
加载中
请先登录后再评论。
c# 传递Null的string值导致的调用C++的dll报错 Attempted to read or write protected memory.

c# 调用C++的dll报错 Attempted to read or write protected memory: 原因是:c# 传递Null的string值导致的,将Null改为string.empty即可 本文转自94cool博客园博客,原文链接:http://www....

老朱教授
2017/11/26
0
0
FileDb

filedb FileDB - A C# database to store files FileDB is a free, fast, lightweight C# (v3.5) DLL project to store, retrive and delete files using a single file container on disk. ......

osc_qguxi63b
2019/04/05
5
0
Codesys 使用共享内存 打通通讯

Codesys V3.5 平台 提供了库SysShm,其中包含了共享内存操作的接口函数: SysSharedMemoryClose; SysSharedMemoryCreate; SysSharedMemoryDelete; SysSharedMemoryGetPointer; SysSharedMemo......

osc_nrqfdybm
2019/03/09
5
0
Game Engine Architecture 5

【Game Engine Architecture 5】 1、Memory Ordering Semantics   These mysterious and vexing problems can only occur on a multicore machine with a multilevel cache.        ......

osc_cnw29rq0
2019/03/14
2
0
什么是write-allocate policy?

在有cache的单机系统中,通常有两种写策略:write through和write back。这两种写策略都是针对写命中(write hit)情况而言的:write through是既写cache也写main memory;write back是只写c...

RyaneLuo
2014/11/28
338
0

没有更多内容

加载失败,请刷新页面

加载更多

我们一定会在人生的更高处相见的

2020.6.7 我知道没人会看到 2021.6.7 我再来写下 每天进步一点点 一年后我就是不一样的我 你也是。 高考加油!

osc_9oidllr2
43分钟前
16
0
esp8266物联网开发一:MicroPython初战江湖

用esp8266做的物联网开发,涉及到固件烧写,固件擦除,代码编写等方面,做一一记录。 1. 固件烧写 首先,下载固件烧写工具:https://www.espressif.com/sites/default/files/tools/flash_dow...

osc_s2b5kacl
44分钟前
20
0
获小黄衫有感

这个作业属于哪个课程 https://edu.cnblogs.com/campus/fzu/2020SpringW/ 一、与软工的开始 在选课的时候咨询学长意见,听上届学长说这门课会有寒假作业,心里很忐忑,又抱有侥幸心理——可能...

osc_r5t7sskd
46分钟前
9
0
ppt 视频不显示控制条

1 正常解决方法 2 如果还不能显示可能是ppt是兼容模式,另存为非兼容模式就好了 后缀是.ppt 现存就好了

osc_hzf6peqc
47分钟前
20
0
五笔经常打不出来的字:温故而知新

遍 ynmp 凸凹 hgmm 凸 hgm 凹mmgd

osc_iy56i6w3
48分钟前
14
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部