Hello everyone.
I have read this thread: New 32-bit Detection Method Added and tried to understand the scopes of trusted addresses in HBDetectionPacketHandler, but without success. Then I found a large region at the end of the Wow.exe image, filled with zeroes. I Googled it, but haven't found reliable information about this segment. My question: is it safe to write to this part of process memory (I mean, could it cause client crashes)? Thank you.
Code:
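/// <summary>
/// Wraps a byte range inside the target process: the constructor switches the range to
/// PAGE_EXECUTE_READWRITE, and <see cref="Dispose"/> zeroes the range and puts the
/// previously reported protection back.
/// </summary>
/// <remarks>
/// Nothing in this class reserves the range. <see cref="Find"/> only observes that the
/// bytes are zero at scan time; a run of zero bytes inside a mapped image may equally be
/// zero-initialised data or section padding that the program reads or writes later, so
/// writing there can corrupt its state or crash it.
/// </remarks>
private class AllocatedMemory : IDisposable
{
    // PAGE_EXECUTE_READWRITE. VirtualProtectEx applies the change to every whole page that
    // overlaps the range, so neighbouring bytes on those pages become writable and
    // executable as well. Writable+executable pages inside an image mapping break W^X and
    // are a common signal for memory-integrity scanners.
    private const uint PAGE_EXECUTE_READWRITE = 0x40;

    private IntPtr Address;
    private readonly int Length;

    // Protection value returned by VirtualProtectEx in the constructor. The API reports
    // the old protection of the first page of the region only.
    private readonly uint ReferenceProtectionType;

    // Makes Dispose() safe to call more than once.
    private bool _disposed;

    /// <summary>
    /// Changes the protection of <paramref name="length"/> bytes at
    /// <paramref name="address"/> to PAGE_EXECUTE_READWRITE and remembers the old value.
    /// </summary>
    /// <param name="address">Start of the range in the target process.</param>
    /// <param name="length">Size of the range in bytes; must be positive.</param>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="length"/> is not positive.</exception>
    /// <exception cref="InvalidOperationException">VirtualProtectEx failed.</exception>
    public AllocatedMemory(IntPtr address, int length)
    {
        if (length <= 0)
        {
            throw new ArgumentOutOfRangeException("length", "Length must be positive.");
        }

        Address = address;
        Length = length;

        if (!VirtualProtectEx(_wowProcess.Memory.ProcessHandle, address, (UIntPtr) length, PAGE_EXECUTE_READWRITE, out ReferenceProtectionType))
        {
            // Read the error code first, before any other call can overwrite it.
            int errorCode = Marshal.GetLastWin32Error();
            // NOTE(review): ToInt32() assumes the address fits in 32 bits.
            throw new InvalidOperationException("Can't change memory protection type, address: 0x" + Address.ToInt32().ToString("X") + ", length: " + length + ", Win32 error: " + errorCode);
        }
    }

    /// <summary>
    /// Overwrites the range with zeroes and restores the protection saved by the
    /// constructor. Repeated calls are ignored. A failed restore is logged rather than
    /// thrown, so that disposing inside a using block cannot hide an earlier exception.
    /// </summary>
    public void Dispose()
    {
        if (_disposed)
        {
            return;
        }

        _disposed = true;

        try
        {
            _wowProcess.Memory.WriteBytes(Address, new byte[Length]);
        }
        finally
        {
            // Runs even when the write above throws; otherwise the pages would be left
            // writable and executable.
            uint ignored;
            if (!VirtualProtectEx(_wowProcess.Memory.ProcessHandle, Address, (UIntPtr) Length, ReferenceProtectionType, out ignored))
            {
                int errorCode = Marshal.GetLastWin32Error();
                Log.Print("Can't change memory protection type (Dispose()), address: 0x" + Address.ToInt32().ToString("X") + ", length: " + Length + ", Win32 error: " + errorCode);
            }
        }
    }

    /// <summary>
    /// Scans backwards through the main module image, one byte offset at a time, for
    /// <paramref name="length"/> consecutive zero bytes and wraps the first match.
    /// </summary>
    /// <param name="length">Number of zero bytes required; must be positive.</param>
    /// <returns>An <see cref="AllocatedMemory"/> over the first matching range.</returns>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="length"/> is not positive.</exception>
    /// <exception cref="Exception">No matching range was found.</exception>
    public static AllocatedMemory Find(int length)
    {
        if (length <= 0)
        {
            throw new ArgumentOutOfRangeException("length", "Length must be positive.");
        }

        byte[] emptyBytes = new byte[length];

        // Start just below the end of the image and walk down towards the image base.
        // NOTE(review): the reason for the 100-byte margin is not visible here - confirm.
        int start = (int)(_wowProcess.Memory.ImageBase + _wowProcess.Memory.Process.MainModule.ModuleMemorySize - 100 - emptyBytes.Length);
        int end = (int)_wowProcess.Memory.ImageBase;

        for (int i = start; i > end; i--)
        {
            // All-zero content is the only criterion; it does not show that the range is
            // unused (see the remarks on the class).
            byte[] temp = _wowProcess.Memory.ReadBytes((IntPtr) i, emptyBytes.Length);
            if (temp.SequenceEqual(emptyBytes))
            {
                Log.Print("AllocatedMemory: Found address: 0x" + i.ToString("X"));
                return new AllocatedMemory((IntPtr) i, length);
            }
        }

        throw new Exception("AllocatedMemory: can't find memory!");
    }

    // SetLastError = true keeps the Win32 error code available to Marshal.GetLastWin32Error().
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool VirtualProtectEx(SafeMemoryHandle hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}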