Today's tutorial is about...processes' memory! In this article I'll show you how to read and write another process' memory from C#. It is a good way to learn a small part of the Windows API (OpenProcess, ReadProcessMemory, WriteProcessMemory) and to understand the basics of how a process' memory is laid out and allocated.

Before starting, we need a "target" - I chose notepad.exe.

1. Finding the Memory Address

As you probably know, an application stores each variable's value at a specific memory address, and we need to know that address before we can read or change anything. The address is not known ahead of time (it is decided when the memory is allocated), so the practical solution is to search the process' memory for the value, using a debugger.

To get that memory address, I used OllyDbg - don't worry, all the steps are written below.

First, open notepad.exe, type some text (like "hello world") and attach OllyDbg (File->Attach). Press F9 and then ALT+M to open the Memory Map.


Press CTRL+B to open the Binary Search window. Because Notepad stores the text in memory as UTF-16 (what OllyDbg calls Unicode), you have to type the string you're looking for in the 2nd textbox, the Unicode one, not the ASCII one.

Once you hit Ok another window will pop up - the Memory Dump. Look at the very first memory address on the left of the highlighted bytes: the highlighted part is the message typed in Notepad, and that address is where we'll start reading.

Note: don't use the memory address from the image - it's not the same memory address every time

We got the memory address, now...don't close/restart the application. If you restart it, the memory for the text will be allocated again, and with heap randomization (ASLR) the address will almost certainly be different.

2. Read Process' Memory

In order to read the value from that memory address, we need to import 2 functions from kernel32.dll into C#: OpenProcess() and ReadProcessMemory() (plus CloseHandle(), to release the process handle when we're done). Note that handles and addresses must be declared as IntPtr, not int: on 64-bit Windows both are 64 bits wide, and an int would truncate them.

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

When a process is opened, you must also specify the desired access rights (this time we only request the right to read its memory, PROCESS_VM_READ), so this constant is needed:

    const int PROCESS_VM_READ = 0x0010;

OpenProcess() only succeeds if your token is allowed to open the target: a normal user can open their own processes, while processes of other users (or of the system) need an elevated token with SeDebugPrivilege, and protected processes can't be opened for memory access at all. If OpenProcess() returns IntPtr.Zero, check Marshal.GetLastWin32Error() (5 is ERROR_ACCESS_DENIED).

Since the whole code is self explanatory, I'll just add short comments where they're needed:

    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Text;

    public class MemoryRead
    {
        const int PROCESS_VM_READ = 0x0010;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        public static void Main()
        {
            Process process = Process.GetProcessesByName("notepad")[0]; // first notepad.exe found
            IntPtr processHandle = OpenProcess(PROCESS_VM_READ, false, process.Id);
            if (processHandle == IntPtr.Zero)
            {
                Console.WriteLine("OpenProcess failed, Win32 error " + Marshal.GetLastWin32Error());
                return;
            }

            IntPtr bytesRead;
            byte[] buffer = new byte[24]; // "Hello World!" is 12 characters, 2 bytes each in UTF-16
            // 0x0046A3B8 is the address where I found the string, replace it with what you found
            ReadProcessMemory(processHandle, (IntPtr)0x0046A3B8, buffer, (IntPtr)buffer.Length, out bytesRead);
            CloseHandle(processHandle);

            Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead + " bytes)");
            Console.ReadLine();
        }
    }

3. Write Process' Memory

Writing to a memory address is a little bit different: you'll need OpenProcess() and WriteProcessMemory(), which has the same shape as ReadProcessMemory() but copies from your buffer into the target.

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesWritten);

However, different access rights are required: when opening the process, request PROCESS_VM_WRITE | PROCESS_VM_OPERATION (WriteProcessMemory() needs both). Request only these rather than PROCESS_ALL_ACCESS (0x1F0FFF): the write still works, and a handle with the minimum rights is the habit you want, since writing into another process' memory is exactly the primitive used for code injection and is something EDR products watch for.

    const int PROCESS_VM_WRITE = 0x0020;
    const int PROCESS_VM_OPERATION = 0x0008;

Note: Notepad's text box keeps the length of its text separately from the characters themselves, and that length is only updated when the user edits the text. If you write a longer string to the memory address, only the first characters (up to the old length) will be used, so the string is effectively truncated.

The complete code is available below:

    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Text;

    public class MemoryWrite
    {
        const int PROCESS_VM_WRITE = 0x0020;
        const int PROCESS_VM_OPERATION = 0x0008;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        public static void Main()
        {
            Process process = Process.GetProcessesByName("notepad")[0]; // first notepad.exe found
            IntPtr processHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, process.Id);
            if (processHandle == IntPtr.Zero)
            {
                Console.WriteLine("OpenProcess failed, Win32 error " + Marshal.GetLastWin32Error());
                return;
            }

            IntPtr bytesWritten;
            byte[] buffer = Encoding.Unicode.GetBytes("It works!\0"); // '\0' marks the end of the string
            // replace 0x0046A3B8 with your address
            if (!WriteProcessMemory(processHandle, (IntPtr)0x0046A3B8, buffer, (IntPtr)buffer.Length, out bytesWritten))
                Console.WriteLine("WriteProcessMemory failed, Win32 error " + Marshal.GetLastWin32Error());
            else
                Console.WriteLine(bytesWritten + " bytes written");
            CloseHandle(processHandle);
            Console.ReadLine();
        }
    }
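The steps above depend on copying an address out of OllyDbg by hand, and the address changes every time Notepad is restarted. The same job can be done from code: walk the target's address space with VirtualQueryEx(), read each committed, readable region and search it for the UTF-16 bytes of the text, then overwrite the first hit. The program below is an added example written for this article, not code from the original post; it assumes the target is the first process named "notepad", that it was compiled with the same bitness as the target (AnyCPU with "Prefer 32-bit" off on 64-bit Windows), and, because of the length note above, it pads the replacement with spaces to the old length instead of relying on a NUL terminator.

```csharp
// Added example (not from the original article): find a UTF-16 string in another
// process by scanning its memory with VirtualQueryEx, then overwrite it in place.
// Assumptions: target = first process named "notepad"; same bitness as the target.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public static class MemoryScanner
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400; // required by VirtualQueryEx
    const uint PROCESS_VM_READ = 0x0010;
    const uint PROCESS_VM_WRITE = 0x0020;
    const uint PROCESS_VM_OPERATION = 0x0008;
    const uint MEM_COMMIT = 0x1000;
    const uint PAGE_NOACCESS = 0x01;
    const uint PAGE_GUARD = 0x100;

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION // natural padding matches the Win32 layout on x86 and x64
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesWritten);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Walk the target's address space region by region and return every address at
    // which the UTF-16LE encoding of `needle` occurs in committed, readable memory.
    public static List<IntPtr> FindUnicodeString(IntPtr hProcess, string needle)
    {
        byte[] pattern = Encoding.Unicode.GetBytes(needle);
        var hits = new List<IntPtr>();
        IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        long address = 0;
        MEMORY_BASIC_INFORMATION mbi;
        while (VirtualQueryEx(hProcess, (IntPtr)address, out mbi, mbiSize) != IntPtr.Zero)
        {
            long regionSize = mbi.RegionSize.ToInt64();
            bool readable = mbi.State == MEM_COMMIT
                && (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) == 0
                && regionSize <= 256L * 1024 * 1024; // skip giant regions; chunked reads would be the general fix
            if (readable)
            {
                byte[] buffer = new byte[regionSize];
                IntPtr read;
                if (ReadProcessMemory(hProcess, mbi.BaseAddress, buffer, (IntPtr)regionSize, out read))
                {
                    long limit = read.ToInt64() - pattern.Length;
                    for (long i = 0; i <= limit; i += 2) // wide chars sit at even offsets
                    {
                        int j = 0;
                        while (j < pattern.Length && buffer[i + j] == pattern[j]) j++;
                        if (j == pattern.Length) hits.Add((IntPtr)(mbi.BaseAddress.ToInt64() + i));
                    }
                }
            }
            long next = mbi.BaseAddress.ToInt64() + regionSize;
            if (next <= address) break; // wrapped around at the top of user space
            address = next;
        }
        return hits;
    }

    // Overwrite the text at `address`. The edit control keeps its own length and won't
    // re-read it, so pad to the old length with spaces and refuse longer replacements.
    public static bool Overwrite(IntPtr hProcess, IntPtr address, int oldLength, string replacement)
    {
        if (replacement.Length > oldLength) throw new ArgumentException("replacement longer than original text");
        byte[] bytes = Encoding.Unicode.GetBytes(replacement.PadRight(oldLength));
        IntPtr written;
        return WriteProcessMemory(hProcess, address, bytes, (IntPtr)bytes.Length, out written)
            && written.ToInt64() == bytes.Length;
    }

    public static void Main(string[] args)
    {
        string needle = args.Length > 0 ? args[0] : "Hello World!";
        string replacement = args.Length > 1 ? args[1] : "It works!";
        Process[] targets = Process.GetProcessesByName("notepad");
        if (targets.Length == 0) { Console.WriteLine("notepad is not running"); return; }
        // Least privilege: only the rights the scan and the write actually need.
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, targets[0].Id);
        if (hProcess == IntPtr.Zero) { Console.WriteLine("OpenProcess failed, Win32 error " + Marshal.GetLastWin32Error()); return; }
        try
        {
            List<IntPtr> hits = FindUnicodeString(hProcess, needle);
            foreach (IntPtr hit in hits) Console.WriteLine("found \"" + needle + "\" at 0x" + hit.ToInt64().ToString("X"));
            if (hits.Count > 0)
                Console.WriteLine(Overwrite(hProcess, hits[0], needle.Length, replacement) ? "overwritten" : "write failed, Win32 error " + Marshal.GetLastWin32Error());
        }
        finally { CloseHandle(hProcess); }
    }
}
```

Run it as `MemoryScanner.exe "Hello World!" "It works!"` with Notepad open and the first string typed in. Several hits are common, since the same text can live in more than one buffer inside the process; the program prints all of them and patches the first. PAGE_GUARD pages are skipped because touching them from outside fires the guard for the target, and regions that VirtualQueryEx reports as reserved but not committed are never read.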
