https://codingvision.net/security/c-read-write-another-process-memory

Today’s tutorial is about…processes’ memory! In this article I’ll show you how to read/write a process’ memory using C#. This is a good way to learn a part of WinAPI and also understand the basics of memory allocation.

Before starting, we need a “target” - I choose notepad.exe.

1.Finding the Memory Address

As you might probably know, applications store each variable’s value at a specific memory address, we need to know that memory adress in order to edit anything. Since there’s not other way around (or I’m not aware of it?) the only solution is to start searching, using a debugger.

To get that memory address, I used OllyDbg - don’t worry, all the steps are written below.

First, open notepad.exe, type some text (like “hello world”) and attach OllyDbg (File->Attach). Press F9 and then ALT+M to open the Memory Map.

对应的Unicode的字节数组是68 00 65 00 6C 00 6C 00 6F 00 20 00 77 00 6F 00 72 00 6C 00 64 00

It should look like this:

Press CTRL+B and it will open the Binary Search Window. Now, because the value is stored in memory as Unicode, you have to type the string you’re looking for in the 2nd textbox:

Once you hit Ok another window will pop up - the Memory Dump. Here, look at the very first memory address (on the left) - from that address we’ll start reading. In the image below, the highlighted part contains the message I typed in Notepad.

Note: don’t use the memory address from the image - it’s not the same memory address every time

We got the memory address, now…don’t close/restart the application. If you restart it, the memory for the text will be reallocated, so the address will most likely be changed.

复制出地址000000B9A6B78542,然后通过菜单的detach

2.Read Process’ Memory

In order to read the value from that memory address, we need to import 2 functions into C#: OpenProcess() and ReadProcessMemory() from kernel32.dll.

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

When a process is opened, you must also specify the desired access (this time, you request access for reading the memory), so this constant is needed:

const int PROCESS_WM_READ = 0x0010;

Since the whole code is self explanatory, I’ll just add short comments where they’re needed:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text; public class MemoryRead
{
const int PROCESS_WM_READ = 0x0010; [DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead); public static void Main()
{ Process process = Process.GetProcessesByName("notepad")[];
IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id); int bytesRead = ;
byte[] buffer = new byte[]; //'Hello World!' takes 12*2 bytes because of Unicode // 0x0046A3B8 is the address where I found the string, replace it with what you found
ReadProcessMemory((int)processHandle, 0x0046A3B8, buffer, buffer.Length, ref bytesRead); Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead.ToString() + "bytes)");
Console.ReadLine();
}
}

3.Write Process’ Memory

Writing to a memory address is a little bit different: you’ll need OpenProcess() and WriteProcessMemory().

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten);

However, special permissions are required: while opening the process request the following privileges: PROCESS_VM_WRITE | PROCESS_VM_OPERATION.

const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_OPERATION = 0x0008;

Note: notepad’s textbox is storing the number of bytes it has to read from the memory - that value is updated only when the text is changed by user. If you write to the memory address a longer string, it will be truncated.

The complete code is available below:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text; public class MemoryRead
{
const int PROCESS_ALL_ACCESS = 0x1F0FFF; [DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten); public static void Main()
{ Process process = Process.GetProcessesByName("notepad")[];
IntPtr processHandle = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id); int bytesWritten = ;
byte[] buffer = Encoding.Unicode.GetBytes("It works!\0"); // '\0' marks the end of string // replace 0x0046A3B8 with your address
WriteProcessMemory((int)processHandle, 0x0046A3B8, buffer, buffer.Length, ref bytesWritten);
Console.ReadLine();
}
}

C# Read/Write another Process' Memory的更多相关文章

  1. C# Read/Write another Process' Memory z

    http://www.codeproject.com/Articles/670373/Csharp-Read-Write-another-Process-Memory This article aim ...

  2. C# Read/Write another Process' Memory ZZ

    Today's tutorial is about...processes' memory! In this article I'll show you how to read/write a pro ...

  3. ORA-04030: out of process memory when trying to allocate 152 bytes (Logminer LCR c,krvtadc)

    今天使用LogMiner找回误更新的数据时,查询v$logmnr_contents时,遇到了"ORA-04030: out of process memory when trying to ...

  4. SAP work process Memory allocate

    Memory allocation sequence to dialog work processes in SAP What is the memory allocation sequence to ...

  5. Automated Memory Analysis

    catalogue . 静态分析.动态分析.内存镜像分析对比 . Memory Analysis Approach . volatility: An advanced memory forensics ...

  6. Process Explorer使用图文教程

    这是一款由Sysinternals开发的Windows系统和应用程序监视工具,目前Sysinternals已经被微软收购,此款不仅结合了文件监视和注册表监视两个工具的功能,还增加了多项重要的增强功能, ...

  7. mm/memory

    /* *  linux/mm/memory.c * *  Copyright (C) 1991, 1992  Linus Torvalds */ /* * demand-loading started ...

  8. Read ListViewItem content from another process z

    Normal Windows GUI applications work with messages that are sent to a window or control and the cont ...

  9. 通过ctypes获得python windows process的内存使用情况

    通过ctypes 类库中的win32方法GetProcessMemoryInfo()获得当前进程的内存使用情况.该函数可以在32或者64位,python2.6+及python3.x之上都能有用. &q ...

随机推荐

  1. Oracle 调试存储过程

    调试过程对找到一个存过的bug或错误是非常重要的,Oracle作为一款强大的商业数据库,其上面的存过少则10几行,多则上千行,免不了bug的存在,存过上千行的话,找bug也很费力,通过调试可以大大减轻 ...

  2. lua table vs closure

    最近在重构自己写的框架中的定时器模块,需要把回调函数保存起来,大概如下: function timer_mgr:save_timer( this,callback ) return { this = ...

  3. 【loj#6220】sum

    题目传送门:https://loj.ac/problem/6220 题意:对于一个序列$a$,找出它的一个子序列$b$,使$\sum_{a_i \in b}a_i \equiv 0 \pmod n$ ...

  4. 命令行工具--netstat

    目录 netstat命令使用 一.简介 二.安装 三.常见参数 四.使用案例 1.列出所有端口(包括监听和为监听的) 2.列出所有 tcp 端口 3.列出所有 udp 端口 4.列出正在监听的端口 5 ...

  5. Flutter——ListView组件(平铺列表组件)

    ListView的常见参数: 名称 类型 说明 scrollDirection Axis Axis.horizontal 水平列表 Axis.vertical 垂直列表 padding EdgeIns ...

  6. 不创建父窗体的情况下他其他窗体的信息显示在第一个打开的窗体!(winfrom)

    公司使用vs2008做的东西,用vs2017都打不开了(编译错误) 叫我更新一下,我看了一下,08的项目 和 winform 差不多  如何就用winfrom来做了 (winform  很久没碰了,, ...

  7. C语言创建线程以及使用锁进行读写分离

    线程的使用 1.线程的创建 线程的相关操作放在<pthread.h>中. 1.1我们定义一个线程,首先要进行定义一个函数,类似我们创建一个a线程 void *thread_a(void * ...

  8. POI读取Excel数据

    POI读取Excel表格数据 * {所需相关jar下载: * commons-collections4-4.4.jar * commons-compress-1.19.jar * poi-4.1.1. ...

  9. IP段的正则表达式

    IPv4 prefix格式:比如: 192.168.1.0/24 ^(?=(\b|\D))(((\d{1,2})|(1\d{1,2})|(2[0-4]\d)|(25[0-5]))\.){3}((\d{ ...

  10. c#客户端自动更新模块

    一.概述 将需要更新的文件上传到服务器端,然后客户端从服务器下载更新文件并覆盖本地文件. 二.功能模块 1.将更新文件放入指定文件夹,检测更新,生成更新配置文件,并上传到服务器 2.获取服务器的更新配 ...