C# Easy Memory Operations

[CbRooT]

Before code, !! IMPORTANT !!:
Only get the 'Process HANDLE' when you'll use it.
'Process.Handle' property gives an handle.
Process.GetProcess...() is almost equals the 'OpenProcess(...)' api.
This means, when you request a process instance,
Windows creates new handle for process and lefts it opened.
And when you read 'Process.Handle' property on different times/different zones of code, you'll see each Handle will be different. (sometimes Windows returns same open handle but there's no guarantee).

Whatever... I only want to warn you because I made sick of researching process memory operations and it didn't work because of i requested new handles...
And I didn't find a good information in google. Is no one knows this?? I got angry


Here are some methods for 'Write/Read Process Memory':
And, sorry for my bad English.

Code:

using System;
using System.Text;
using System.Collections.Generic;
using System.Diagnostics;



public class PMemTest {
   #region API Decls.
        [DllImport( "kernel32.dll", EntryPoint = "WriteProcessMemory", SetLastError = true )]
    public static extern int WriteProcessMemory( IntPtr hProcess, IntPtr lpAddr, byte[] lpBuffer, int nSize, ref int lpNumberOfBytesWritten );
        [DllImport( "kernel32.dll", EntryPoint = "ReadProcessMemory", SetLastError = true )]
    public static extern int ReadProcessMemory( IntPtr hProcess, IntPtr lpAddr, byte[] lpBuffer, int nSize, ref int lpNumberOfBytesWritten );
   #endregion

    public int getCurrentProcessId() { return Process.GetCurrentProcess().Id; }

    public bool writeMemory(int pid, IntPtr lpAddr, byte[] buffer) {
        Process.EnterDebugMode();      // Usally, this isn't needed. Gives the process 'SeDebugPriviledge' (if logged user has 'Administrator' rights - or 'Debug' rigths.

        Process[] processArr=Process.GetProcessById(pid);
        if (processArr==null || processArr.Length==0)
           return false;

        int len = buffer.Length;
        int bytes = 0;
        Process p=processArr[0];
        IntPtr hProcess = p.Handle;
        WriteProcessMemory( hProcess, lpAddr, buffer, len, ref bytes );
        return (bytes>0);
    }

    public bool readMemory(int pid, IntPtr lpAddr, byte[] buffer) {
        Process.EnterDebugMode();      // Usally, this isn't needed. Gives the process 'SeDebugPriviledge' (if logged user has 'Administrator' rights - or 'Debug' rigths.

        Process[] processArr=Process.GetProcessById(pid);
        if (processArr==null || processArr.Length==0)
           return false;

        int len = buffer.Length;
        int bytes = 0;
        Process p=processArr[0];
        IntPtr hProcess = p.Handle;
        ReadProcessMemory( hProcess, lpAddr, buffer, len, ref bytes );
        return (bytes>0);
    }

[kakamunsug]

Notice that this will NOT work for games such as WoW which does indeed protect their game a bit. Using VirtualProtect you can simulate wow in another state of which it allows you to read and edit as you please.

Just a heads up, using "BlackMagic" dll is a very nice thing to do when Shynd put down such great work to it.

[Krillere]

kakamunsug, do you have an example of how to edit wow ? Will we need to use Packets or just special code? :-)

[spawnfestis]

kakamunsug, do you have an example of how to edit wow ? Will we need to use Packets or just special code? :-)

Either use VirtualProtect() invoked, or use BlackMagic.dll. :wave:

[visitor]

im using Visual Studio's C# and it always says (not only at this code):

Code:

Error	1	The type or namespace name 'DllImport' could not be found (are you missing a using directive or an assembly reference?)	C:\Users\Viktor\AppData\Local\Temporary Projects\ConsoleApplication1\Program.cs	11	10	ConsoleApplication1

Please help
mod: solved

Code:

using System.Runtime.InteropServices;

[Nesox]

Lol i must say.. here's a small example using BlackMagic:

Code:

Process[] processes = Process.GetProcessByName("Wow");
BlackMagic wow = new BlackMagic(processes[0].Id);

uint playerBase = wow.ReaUint(wow.ReadUInt(wow.ReadUint(0x010B65F4) + 0x34) + 0x24);

private void Health
{
    get { return wow.ReadInt(wow.ReadUInt(playerBase + 0x08) + 0x17 * 4); }
}

private void MaxHealth
{
    get { return wow.ReadInt(wow.ReadUInt(playerBase + 0x08) + 0x1F * 4); }
}

while(true)
{
    Console.WriteLine("Health:{0}/{1}", Health, MaxHealth);  
}

the descriptor offsets are from Cypher's descriptor dump.
the pointer at 0x08 from a object points to the start of the descriptor array.
And the reason you multiply it with 4 is because it's aligned evry 4 bytes

[Sinorai]

"adUInt(playerBase + 0x08) + 0x17 * 4); }" <- could u explain why 0x08 and 0x17??.. how did u find that offset?? been searching around, cant seem to find a way of locating those values.. :S

[spitfire21]

Use a memory editor

[Sinorai]

Use a memory editor

could u show/teach me how???

[spitfire21]

Look at the cheat engine forum tutorial section I won't show yo ubecause plenty of other people have made some really good tutorials on how to do it. So just check out the cheat engine forums.