C# Read/Write another Process' Memory ZZ
Today's tutorial is about...processes' memory! In this article I'll show you how to read/write a process' memory using C#. This is a good way to learn a part of WinAPI and also understand the basics of memory allocation.
Before starting, we need a "target" - I chose notepad.exe.
1. Finding the Memory Address
As you probably know, applications store each variable's value at a specific memory address, and we need to know that memory address in order to edit anything. Since there's no other way around it (or I'm not aware of one?), the only solution is to start searching, using a debugger.
To get that memory address, I used OllyDbg - don't worry, all the steps are written below.
First, open notepad.exe, type some text (like "hello world") and attach OllyDbg (File->Attach). Press F9 and then ALT+M to open the Memory Map.
It should look like this:
Press CTRL+B and it will open the Binary Search Window. Now, because the value is stored in memory as Unicode, you have to type the string you're looking for in the 2nd textbox:
Once you hit OK, another window will pop up - the Memory Dump. Here, look at the very first memory address (on the left) - from that address we'll start reading. In the image below, the highlighted part contains the message I typed in Notepad.
Note: don't use the memory address from the image - it's not the same memory address every time.
We got the memory address, now...don't close/restart the application. If you restart it, the memory for the text will be reallocated, so the address will most likely be changed.
2. Read Process' Memory
In order to read the value from that memory address, we need to import 2 functions into C#: OpenProcess() and ReadProcessMemory() from kernel32.dll.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // Handle, address and the returned byte count are pointer-sized, so IntPtr keeps this correct on 64-bit
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
When a process is opened, you must also specify the desired access (this time, you request access for reading the memory), so this constant is needed:

    const int PROCESS_VM_READ = 0x0010;
Since the whole code is self explanatory, I'll just add short comments where they're needed:
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Text;

    public class MemoryRead
    {
        const int PROCESS_VM_READ = 0x0010;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        // Handle, address and the returned byte count are pointer-sized, so IntPtr keeps this correct on 64-bit
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        public static void Main()
        {
            Process process = Process.GetProcessesByName("notepad")[0];
            IntPtr processHandle = OpenProcess(PROCESS_VM_READ, false, process.Id);
            if (processHandle == IntPtr.Zero)
            {
                Console.WriteLine("OpenProcess failed, error " + Marshal.GetLastWin32Error());
                return;
            }

            byte[] buffer = new byte[24]; // 'Hello World!' takes 12*2 bytes because of Unicode
            IntPtr bytesRead;

            // 0x0046A3B8 is the address where I found the string, replace it with what you found
            if (ReadProcessMemory(processHandle, new IntPtr(0x0046A3B8), buffer, buffer.Length, out bytesRead))
                Console.WriteLine(Encoding.Unicode.GetString(buffer, 0, (int)bytesRead) + " (" + bytesRead + " bytes)");
            else
                Console.WriteLine("ReadProcessMemory failed, error " + Marshal.GetLastWin32Error());

            CloseHandle(processHandle); // release the handle when done
            Console.ReadLine();
        }
    }
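Both the Unicode search in step 1 and the 24-byte buffer in the read code depend on how the text is laid out in memory as UTF-16LE. The following is an added example, not part of the original article: it runs on a constructed byte array standing in for a memory dump, and the class and method names are hypothetical.

```csharp
using System;
using System.Text;

public static class Utf16DumpDemo // hypothetical helper, not from the article
{
    // Hex form of the UTF-16LE bytes, i.e. what the text looks like in the dump's hex column
    public static string ToHexPattern(string text) =>
        BitConverter.ToString(Encoding.Unicode.GetBytes(text)).Replace('-', ' ');

    // Naive byte-pattern search; returns the offset of the first match or -1
    public static int IndexOf(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }

    // Decode UTF-16LE starting at offset, stopping at the first 00 00 terminator
    // or at validBytes, so trailing bytes after the string are never printed
    public static string ReadString(byte[] buffer, int offset, int validBytes)
    {
        int end = offset;
        while (end + 1 < validBytes && (buffer[end] != 0 || buffer[end + 1] != 0)) end += 2;
        return Encoding.Unicode.GetString(buffer, offset, end - offset);
    }

    public static void Main()
    {
        // Constructed sample: filler bytes with a null-terminated string at offset 16
        byte[] dump = new byte[64];
        for (int i = 0; i < dump.Length; i++) dump[i] = 0xCC;
        byte[] text = Encoding.Unicode.GetBytes("hello world\0");
        Array.Copy(text, 0, dump, 16, text.Length);

        Console.WriteLine(ToHexPattern("hello"));
        int at = IndexOf(dump, Encoding.Unicode.GetBytes("hello world"));
        Console.WriteLine("found at offset " + at);
        Console.WriteLine(ReadString(dump, at, dump.Length));
    }
}
```

Passing the byte count reported by ReadProcessMemory as validBytes keeps the decode inside the data that was actually read.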
3. Write Process' Memory
Writing to a memory address is a little bit different: you'll need OpenProcess() and WriteProcessMemory().
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // Handle, address and the returned byte count are pointer-sized, so IntPtr keeps this correct on 64-bit
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesWritten);
However, special permissions are required: while opening the process, request the following access: PROCESS_VM_WRITE | PROCESS_VM_OPERATION.

    const int PROCESS_VM_WRITE = 0x0020;
    const int PROCESS_VM_OPERATION = 0x0008;

Note: notepad's textbox stores the number of bytes it has to read from memory - that value is updated only when the text is changed by the user. If you write a longer string to the memory address, it will be truncated.
The complete code is available below:
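    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Text;

    public class MemoryWrite
    {
        const int PROCESS_VM_WRITE = 0x0020;
        const int PROCESS_VM_OPERATION = 0x0008;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        // Handle, address and the returned byte count are pointer-sized, so IntPtr keeps this correct on 64-bit
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        public static void Main()
        {
            Process process = Process.GetProcessesByName("notepad")[0];
            // Request only the rights the write needs, as described above, instead of full access
            IntPtr processHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, process.Id);
            if (processHandle == IntPtr.Zero)
            {
                Console.WriteLine("OpenProcess failed, error " + Marshal.GetLastWin32Error());
                return;
            }

            byte[] buffer = Encoding.Unicode.GetBytes("It works!\0"); // '\0' marks the end of string
            IntPtr bytesWritten;

            // replace 0x0046A3B8 with your address
            if (!WriteProcessMemory(processHandle, new IntPtr(0x0046A3B8), buffer, buffer.Length, out bytesWritten))
                Console.WriteLine("WriteProcessMemory failed, error " + Marshal.GetLastWin32Error());

            CloseHandle(processHandle); // release the handle when done
            Console.ReadLine();
        }
    }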