vb.net ReadProcessMemory and VirtualProtectEx example.

[abuckau907]

edit: title: ReadProcessMemory and VirtualQueryEx (with some VirtualProtectEx)

Some code I finally got working to scan another process' memory
Uses VirtualQueryEx to find the pages and only scan pages who's Protection is READWRITE (could be changed)
I was having trouble learning about using VirtualQueryEx and figured I'd post this code now that it's working. I'm sure there is some room for efficiency improvements, but overall I think I used ReadProcessMemory somewhat effectively?? Anyway..

Code:

  Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAcess As UInt32, ByVal bInheritHandle As Boolean, ByVal dwProcessId As UInt32) As IntPtr
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer() As Byte, ByVal iSize As Integer, ByRef lpNumberOfBytesRead As Integer) As Boolean
    Private Declare Function VirtualQueryEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As UInt32) As Int32
     Private Declare Sub GetSystemInfo Lib "kernel32.dll" (ByRef lpSystemInfo As SYSTEM_INFO)

Code:

    Public Enum MemoryAllocationProtectionType As UInt32
        PAGE_NOACCESS = &H1
        PAGE_READONLY = &H2
        PAGE_READWRITE = &H4
        PAGE_WRITECOPY = &H8
        PAGE_EXECUTE = &H10
        PAGE_EXECUTE_READ = &H20
        PAGE_EXECUTE_READWRITE = &H40
        PAGE_EXECUTE_WRITECOPY = &H80
        PAGE_GUARD = &H100
        PAGE_NOCACHE = &H200
        PAGE_WRITECOMBINE = &H400
        PAGE_CANREAD = PAGE_READONLY Or PAGE_READWRITE ' Or PAGE_EXECUTE_READ Or PAGE_EXECUTE_READWRITE
    End Enum
    Public Enum MemoryAllocationType As UInt32
        MEM_IMAGE = &H1000000
        MEM_MAPPED = &H40000
        MEM_PRIVATE = &H20000
    End Enum
    Public Enum MemoryAllocationState As UInt32
        Commit = &H1000
        Reserve = &H2000
        Decommit = &H4000
        Release = &H8000
        Reset = &H80000
        Physical = &H400000
        TopDown = &H100000
        WriteWatch = &H200000
        LargePages = &H20000000
    End Enum

The function below assumes you've already done OpenProcess() and that _targetProcessHandle was returned successfully.
Also DoOutput is a public function which updates a txtBox on my main window form. (which is why i call app.doevents() --not efficient. works well enough)

Code:

    Public Sub AnalyzeRam()
        Dim _mbi As MEMORY_BASIC_INFORMATION
        Dim _addr As IntPtr = IntPtr.Zero 'could use _sysInfo.lpMinProcAddr
        Dim _sysInfo As SYSTEM_INFO
        GetSystemInfo(_sysInfo) ''useful API. Tells us things like # of processors, ram page size, more ram stuff.
        Do
            VirtualQueryEx(_targetProcessHandle, _addr, _mbi, System.Runtime.InteropServices.Marshal.SizeOf(_mbi))
            If _mbi.State = MemoryAllocationState.Commit Then
                'this region of ram actively being used by process (commited at least..)
                If _mbi.Protect = MemoryAllocationProtectionType.PAGE_READWRITE Then
                    DoOutput("Base: " & _mbi.BaseAddress.ToString("X"))
                    DoOutput("size: " & _mbi.RegionSize.ToString)
                    Application.DoEvents()
                    Threading.Thread.Sleep(1000)
                    ''elsee
                    ''VirtualProtectEx() :: and restore old protections when finished
                End If
            End If
            ''increment _addr to next region
            _addr = _mbi.BaseAddress + _mbi.RegionSize
        Loop While _addr.ToInt32 < _sysInfo.lpMaximumApplicationAddress
    End Sub

I hope this helps someone.

-Andrew

ps. I hate using IntPtr.ToInt32 () :/
I don't have a 64 bit machine so I can't test/debug for that..this code should fail on 64 bit because of the .ToInt32 calls. not sure.


edit: I don't use ReadProcessMemory in this example :P But I made a second function similar to
FindPattern. (ie. in addition to code above, it also reads each page and checks if it contains a value)
if anyone is interested.

[abuckau907]

here is the second function. basically FindPattern(). Again, it assumes you have already called OpenProcess and _targetProcessHandle was a valid return.

Code:

    Private Declare Function VirtualProtectEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal lpSize As IntPtr, ByVal dwNewProtect As UInt32, ByRef dwOldProtect As UInt32) As Boolean

Code:

Public Function ScanForBytes(ByVal buff() As Byte) As IntPtr()
        Dim _rtns As New List(Of IntPtr)
        _rtns.Capacity = 1000
        buff.Reverse() 'endianness of ram
        Dim _mbi As MEMORY_BASIC_INFORMATION, _sysInfo As SYSTEM_INFO
        Dim _mbiSize As Int32 = System.Runtime.InteropServices.Marshal.SizeOf(_mbi)
        GetSystemInfo(_sysInfo)
        Dim _addr As IntPtr = IntPtr.Zero
        Dim _readBuff(_sysInfo.dwPageSize - 1) As Byte

        Dim _bigBuff(0) As Byte
        Dim _actualBytesRead As Int32 = 0 ''actual length of bytes copied during ReadProcessMemory()
        Dim _oldPageProtection As UInt32 = 0 ''To restore old VirtualProtectEx() values after ReadProcessMemory
        Dim _didWeChangeProtection As Boolean = False
        Dim _mbiIsReadable As Boolean = False
     
        Do
            VirtualQueryEx(_targetProcessHandle, _addr, _mbi, _mbiSize)
            If Not (_mbi.State = MemoryAllocationState.Commit And _mbi.zType = MemoryAllocationType.MEM_PRIVATE) Then
                'DoOutput("Base: " & _addr.ToString("X") & "[system page]")
            Else
                DoOutput("Base: " & _addr.ToString("X"))
                DoOutput("Size: " & _mbi.RegionSize.ToString("x"))
                Threading.Thread.Sleep(750)
                'this region of ram actively being used by process (commited at least..)
                If Not (_mbi.Protect And MemoryAllocationProtectionType.PAGE_CANREAD) Then ''bitwise mask checking
                    'page isn't parked as readable (ie. PAGE_READONLY, PAGE_READWRITE, etc. Maybe is PAGE_GUARD ;)
                    If VirtualProtectEx(_targetProcessHandle, _addr, _mbi.RegionSize, MemoryAllocationProtectionType.PAGE_READWRITE, _oldPageProtection) Then

                        DoOutput("Patching->0x" & _addr.ToString("X"))
                        _didWeChangeProtection = True
                    Else
                        DoOutput("Patching->0x" & _addr.ToString("X") & " FAIL. RPM about to fail..")
                        Application.DoEvents()
                        Threading.Thread.Sleep(2000)
                    End If
                End If
                If _mbi.RegionSize.ToInt32 <= _sysInfo.dwPageSize Then
                    'small page. Read entire page into buffer.
                    If ReadProcessMemory(_targetProcessHandle, _mbi.BaseAddress, _readBuff, _mbi.RegionSize, _actualBytesRead) Then
                        If (_actualBytesRead <> _mbi.RegionSize) Then
                            'not able to read all data, handle gracefully. do nothing :)
                            DoOutput("ScanForBytes() RPM->ActualBytesRead too low!")
                        Else
                            For xx As Int32 = 0 To _mbi.RegionSize - buff.Length
                                For yy As Int32 = 0 To buff.Length - 1
                                    If buff(yy) = _readBuff(xx + yy) Then
                                        If yy = buff.Length - 1 Then
                                            'found it
                                            _rtns.Add(_addr)
                                        End If
                                    Else
                                        Exit For
                                    End If
                                Next
                            Next
                        End If

                    Else
                        DoOutput("ScanForBytes::ReadProcessMemory FAIL at 0x" & _mbi.BaseAddress.ToString("X"))
                        Application.DoEvents()
                        Beep()
                        Threading.Thread.Sleep(2000)
                    End If
                Else
                    'large page. Read page in chunks.
                    _bigBuff = ReadLargeRamChunk(_addr, IntPtr.Add(_addr, _mbi.RegionSize.ToInt32))
                    For xx As Int32 = 0 To _bigBuff.Length - buff.Length
                        For yy As Int32 = 0 To buff.Length - 1
                            If buff(yy) = _bigBuff(xx + yy) Then
                                If yy = buff.Length - 1 Then
                                    'found it
                                    _rtns.Add(_addr + xx)
                                End If
                            Else
                                Exit For
                            End If
                        Next
                    Next

                End If
                'did we change the page's access protection? Change it back.
                If _didWeChangeProtection Then
                    DoOutput("unPatching->0x" & _addr.ToString("X"))
                    VirtualProtectEx(_targetProcessHandle, _addr, _mbi.RegionSize, _oldPageProtection, vbNull)
                    _didWeChangeProtection = False
                    'if this fails..is very weird because it succeeded the first time (ie. "UnGUARDing")
                End If
            End If
          
            ''increment _addr to next region
            _addr = _mbi.BaseAddress + _mbi.RegionSize
        Loop While _addr.ToInt32 < _sysInfo.lpMaximumApplicationAddress

        Return _rtns.ToArray
    End Function

Lots of byte stuff, not too sure about efficiency and my byte buffers..I think I did it right.
Also..i switched it from READONLY to several protection types...now I get an error on the very last (ofc..) scan at 0x7FE0FFFF I think? or 0x7FE00000.
I'm pretty sure it has something to do with PAGE_GUARD or shared dll code? or OS code?, but not 100% sure yet, still debugging. Try messing around with which page types you read
(READONLY, READ_WRITE, EXECUTE_READ_WRITE) ..if you stay READ_WRITE it should have no error, but if you want to read other regions, like
the .code section, you'll need to play.

More to come tomorrow.

[Borretos]

Really thanks!!! Very helpful for my investigations

this is my conversion to C# with some little changes:

(Remove all those log lines to improve performance)

using Magic;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;

namespace BlackMagicTest
{
public enum MemoryAllocationProtectionType : int
{
[Description("PAGE_NOACCESS")]
PAGE_NOACCESS = 0x1,
[Description("PAGE_READONLY")]
PAGE_READONLY = 0x2,
[Description("PAGE_READWRITE")]
PAGE_READWRITE = 0x4,
[Description("PAGE_WRITECOPY")]
PAGE_WRITECOPY = 0x8,
[Description("PAGE_EXECUTE")]
PAGE_EXECUTE = 0x10,
[Description("PAGE_EXECUTE_READ")]
PAGE_EXECUTE_READ = 0x20,
[Description("PAGE_EXECUTE_READWRITE")]
PAGE_EXECUTE_READWRITE = 0x40,
[Description("PAGE_EXECUTE_WRITECOPY")]
PAGE_EXECUTE_WRITECOPY = 0x80,
[Description("PAGE_GUARD")]
PAGE_GUARD = 0x100,
[Description("PAGE_NOCACHE")]
PAGE_NOCACHE = 0x200,
[Description("PAGE_WRITECOMBINE")]
PAGE_WRITECOMBINE = 0x400,
[Description("PAGE_CANREAD")]
PAGE_CANREAD = PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE
// Or PAGE_EXECUTE_READ Or PAGE_EXECUTE_READWRITE
}
public enum MemoryAllocationType : int
{
MEM_IMAGE = 0x1000000,
MEM_MAPPED = 0x40000,
MEM_PRIVATE = 0x20000
}
public enum MemoryAllocationState : int
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
}

[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION{
public int BaseAddress;
public int AllocationBase;
public int AllocationProtect;
public int RegionSize;
public int State;
public int Protect;
public int lType;
}

public struct SYSTEM_INFO
{
public uint dwOemId;
public uint dwPageSize;
public uint lpMinimumApplicationAddress;
public uint lpMaximumApplicationAddress;
public uint dwActiveProcessorMask;
public uint dwNumberOfProcessors;
public uint dwProcessorType;
public uint dwAllocationGranularity;
public uint dwProcessorLevel;
public uint dwProcessorRevision;
}

public class MemoryReader
{


[DllImport("kernel32.dll")]
public static extern int VirtualQueryEx(
int hProcess,
int lpAddress,
[MarshalAs(UnmanagedType.Struct)] ref MEMORY_BASIC_INFORMATION lpBuffer,
int dwLength
);

[DllImport("kernel32.dll")]
public static extern void GetSystemInfo(ref SYSTEM_INFO pSI);

[DllImport("kernel32.dll")]
public static extern int VirtualProtectEx(
int hProcess,
int lpAddress,
int dwSize,
int flNewProtect,
int lpflOldProtect);

public void AnalyzeRam(int _targetProcessHandle)
{


Console.WriteLine("Starting analizing: 0x{0:X08}", _targetProcessHandle);

MEMORY_BASIC_INFORMATION _mbi = default(MEMORY_BASIC_INFORMATION);
IntPtr _addr = IntPtr.Zero;
//could use _sysInfo.lpMinProcAddr
SYSTEM_INFO _sysInfo = default(SYSTEM_INFO);
GetSystemInfo(ref _sysInfo);

double regionCounter = 0;
//'useful API. Tells us things like # of processors, ram page size, more ram stuff.
do
{
int sizeOfMBI = System.Runtime.InteropServices.Marshal.SizeOf(_mbi);
VirtualQueryEx(_targetProcessHandle, (int)_addr, ref _mbi, sizeOfMBI);
if ((int)_mbi.State == (int)MemoryAllocationState.Commit)
{
//this region of ram actively being used by process (commited at least..)
if ((int)_mbi.Protect == (int)MemoryAllocationProtectionType.PAGE_READWRITE)
{
Console.WriteLine("Base: 0x{0:X08} Size: 0x{0:X08}", _mbi.BaseAddress , _mbi.RegionSize);
// Application.DoEvents();
regionCounter++;
//'elsee
//'VirtualProtectEx() :: and restore old protections when finished
}
}
//'increment _addr to next region
_addr = (IntPtr)(_mbi.BaseAddress + _mbi.RegionSize);
} while (_addr.ToInt32() < _sysInfo.lpMaximumApplicationAddress);
}

public IntPtr[] ScanForBytes(int _targetProcessHandle, byte[] buff)
{
List<IntPtr> _rtns = new List<IntPtr>();
_rtns.Capacity = 1000;
buff.Reverse();
//endianness of ram
MEMORY_BASIC_INFORMATION _mbi = default(MEMORY_BASIC_INFORMATION);
SYSTEM_INFO _sysInfo = default(SYSTEM_INFO);
Int32 _mbiSize = System.Runtime.InteropServices.Marshal.SizeOf(_mbi);
GetSystemInfo(ref _sysInfo);
IntPtr _addr = IntPtr.Zero;
byte[] _readBuff = new byte[_sysInfo.dwPageSize];

byte[] _bigBuff = new byte[1];
Int32 _actualBytesRead = 0;
//'actual length of bytes copied during ReadProcessMemory()
UInt32 _oldPageProtection = 0;
//'To restore old VirtualProtectEx() values after ReadProcessMemory
bool _didWeChangeProtection = false;
bool _mbiIsReadable = false;

double regionCoutuer = 0;

do
{

VirtualQueryEx(_targetProcessHandle, (int)_addr, ref _mbi, _mbiSize);
Console.WriteLine(regionCoutuer++ + " --------- 0x{0:X08} --------------", _addr);
Console.WriteLine("_mbi.State: 0x{0:X08}: ", _mbi.State);
Console.WriteLine("_mbi.Protect: 0x{0:X08}: ", _mbi.Protect);
Console.WriteLine("_mbi.RegionSize: 0x{0:X08}: ", _mbi.RegionSize);
Console.WriteLine("_sysInfo.dwPageSize: 0x{0:X08}: ", _sysInfo.dwPageSize);

if (!((int)_mbi.State == (int)MemoryAllocationState.Commit && (int)_mbi.lType == (int)MemoryAllocationType.MEM_PRIVATE))
{
Console.WriteLine("[System Page]");
//DoOutput("Base: " & _addr.ToString("X") & "[system page]")
}
else
{

//this region of ram actively being used by process (commited at least..)
//'bitwise mask checking

if ((_mbi.Protect & (int)MemoryAllocationProtectionType.PAGE_CANREAD) == 0)
{

//page isn't parked as readable (ie. PAGE_READONLY, PAGE_READWRITE, etc. Maybe is PAGE_GUARD
int pageRW = (int)MemoryAllocationProtectionType.PAGE_READWRITE;
if ( (VirtualProtectEx(_targetProcessHandle, (int)_addr, (int)_mbi.RegionSize, pageRW, (int)_oldPageProtection) ) != 0)
{
Console.WriteLine("Patching->0x{0:X08}", _addr);
_didWeChangeProtection = true;
}
else
{
Console.WriteLine("Patching->0x{0:X08} {}" , _addr , " FAIL. RPM about to fail..");

// System.Threading.Thread.Sleep(2000);
}
}


if ((int)_mbi.RegionSize <= _sysInfo.dwPageSize)
{
//small page. Read entire page into buffer.
Console.WriteLine("Small Page");

byte[] bData = SMemory.ReadBytes(new IntPtr(_targetProcessHandle), (uint)_mbi.BaseAddress, (int)_sysInfo.dwPageSize);

//if (ReadProcessMemory(_targetProcessHandle, _mbi.BaseAddress, _readBuff, _mbi.RegionSize, _actualBytesRead))
if (bData != null && bData.Length > 0)
{
//if ((_actualBytesRead != _mbi.RegionSize))
if ((bData.Length != _mbi.RegionSize))
{
//not able to read all data, handle gracefully. do nothing
Console.WriteLine("ScanForBytes() RPM->ActualBytesRead too low!");
}
else
{
for (Int32 xx = 0; xx <= _mbi.RegionSize - buff.Length; xx++)
{
for (Int32 yy = 0; yy <= buff.Length - 1; yy++)
{
if (buff[yy] == _readBuff[xx + yy])
{
if (yy == buff.Length - 1)
{
//found it
_rtns.Add(_addr);
}
}
else
{
break; // TODO: might not be correct. Was : Exit For
}
}
}
}

}
else
{
Console.WriteLine("ScanForBytes::ReadProcessMemory FAIL at 0x{0:X08}" , _mbi.BaseAddress);
//System.Threading.Thread.Sleep(2000);
}
}
else
{

//large page. Read page in chunks.
Console.WriteLine("Large Page");
_bigBuff = SMemory.ReadBytes(new IntPtr(_targetProcessHandle), (uint)_mbi.BaseAddress, (int)_mbi.RegionSize);
// _bigBuff = ReadLargeRamChunk(_addr, IntPtr.Add(_addr, _mbi.RegionSize.ToInt32));
if (_bigBuff != null)
{

for (Int32 xx = 0; xx <= _bigBuff.Length - buff.Length; xx++)
{
for (Int32 yy = 0; yy <= buff.Length - 1; yy++)
{
if (buff[yy] == '?' || buff[yy] == _bigBuff[xx + yy])
{
if (yy == buff.Length - 1)
{
//found it
_rtns.Add(_addr + xx);
}
}
else
{
break; // TODO: might not be correct. Was : Exit For
}
}
}
}
else
{
Console.WriteLine("Large Page -> Read Null");
}

}
//did we change the page's access protection? Change it back.
if (_didWeChangeProtection)
{
Console.WriteLine("unPatching->0x{0:X08}", _addr);
VirtualProtectEx(_targetProcessHandle, (int)_addr, (int)_mbi.RegionSize, (int)_oldPageProtection, 0);
_didWeChangeProtection = false;
//if this fails..is very weird because it succeeded the first time (ie. "UnGUARDing")
}
}

//'increment _addr to next region
_addr = (IntPtr)(_mbi.BaseAddress + _mbi.RegionSize);
} while (_addr.ToInt32() < _sysInfo.lpMaximumApplicationAddress);

return _rtns.ToArray();
}


}
}

[abuckau907]

Glad it helped. The one thing I'm not sure about is how much ReadProcessMemory can read in 1 go. And if/how it returns partial results? ie. if you try to read too large of a range, the buffer may have a bunch of data but with missing chunks(if there were any fails)?? Maybe this code isn't needed, but here is my large chunk read code. :/

Code:

    Private Function ReadLargeRamPage(ByVal aStart As IntPtr, ByVal aStop As IntPtr) As Byte()
        Dim _rtnBuffSize As Int32 = aStop.ToInt32 - aStart.ToInt32 'theoretical max size: may be smaller due to Read fails
        Dim _sizeRemaining As Int32 = _rtnBuffSize
        Dim _byteBuff(_rtnBuffSize - 1) As Byte
        Dim _byteBuffCurrIndex As Int32 = 0 'actual size of data to be returned
        Dim _curAddr As IntPtr = aStart
        Dim _readBuff(_systemInfo.dwPageSize) As Byte
        Dim _actualBytesRead As Int32 = 0 '' Actual count of bytes read by ReadProcessMemory()
        'start reading
        Do

            If _sizeRemaining >= _systemInfo.dwPageSize Then
                If ReadProcessMemory(_targetProcessHandle, _curAddr, _readBuff, _systemInfo.dwPageSize, _actualBytesRead) Then
                    If (_actualBytesRead <> _systemInfo.dwPageSize) Then
                        'didn't read all data?! Don't append _readBuff to byteBuff
                        DoOutput("ReadLargeRamChunk() RPM->ActualBytesRead too low! 0x" & _curAddr.ToString("X"))
                    Else
                        Array.Copy(_readBuff, 0, _byteBuff, _byteBuffCurrIndex, _systemInfo.dwPageSize)
                        _byteBuffCurrIndex += _systemInfo.dwPageSize
                    End If
                Else
                    DoOutput("ReadLargeRamChunk() RPM->FAIL! 0x" & _curAddr.ToString("X"))
                    Application.DoEvents()
                    'Beep()
                    Threading.Thread.Sleep(2000)
                End If
                _curAddr = _curAddr.ToInt32 + _systemInfo.dwPageSize
                _sizeRemaining -= _systemInfo.dwPageSize
                If _sizeRemaining = 0 Then Exit Do
            Else
                'almost at end of mem scan. 1 small piece left
                If ReadProcessMemory(_targetProcessHandle, _curAddr, _readBuff, _sizeRemaining, _actualBytesRead) Then
                    If (_actualBytesRead <> _sizeRemaining) Then
                        'not able to read entire area
                        DoOutput("ReadLargeRamChunk() RPM->ActualBytesRead too low! (final chunk)")
                    Else
                        Array.Copy(_readBuff, 0, _byteBuff, _byteBuffCurrIndex, _sizeRemaining)
                        'success
                        Exit Do
                    End If

                Else
                    DoOutput("ReadLargeRamChunk() RPM->FAIL! (final chunk)")
                    Application.DoEvents()
                    Beep()
                    Threading.Thread.Sleep(2000)
                End If
            End If
        Loop
        If _byteBuffCurrIndex < _rtnBuffSize Then
            'not all data read. _byteBuff is too large. Shrink it.
            ReDim Preserve _byteBuff(_byteBuffCurrIndex + 1) ''sloppy and inefficient? rarely happens.?
        End If

        Return _byteBuff
    End Function

Note this function doesn't check the permissions of the region (ie. if you can read it). The way I use it in my code, I already check permissions before calling this function. And isonly called on one region at a time, never spanning multiple regions. It could, with some mods, just not how I used it.

looks like you made memmanager functions static, ReadBytes(hProcess,start,stop) --> I keep track of process inside the class, and my functions act on that process, you're making it take hprocess as a parameter so some of it will be different.

I jumped the gun on making this post, I re-wrote it in 2 parts at

Part 1: http://www.ownedcore.com/forums/gene...y-reading.html
Part 2: http://www.ownedcore.com/forums/gene...-part-2-a.html