Tiny memory reading question

[L33ch]

Hello All,

first of.... I'd like to thank the veterans (basically all of you who posted here) for some of their info they posted.
I've been following this forum for a long time (sort of) and learned a lot...

second... don't mind the name, I normally go by a different one but when i first signed up it was only to look at a link in one of these post (didn't intend to go back here as often as i did....)

right... on to the dirty question...

I've seen a lot of memory reading examples and it keeps me actually wondering for a few days now...

I use this class as my memory reader (main thread opens the process once and closes it once, read gets fired every now and then to update my objects list)

Code:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;

namespace Reader
{
    /// <summary>
    /// ProcessMemoryReader is a class that enables direct reading a process memory
    /// </summary>
    class ProcessMemoryReaderApi
    {
        // constants information can be found in <winnt.h>
        public const uint PROCESS_TERMINATE = 0x0001;
        public const uint PROCESS_CREATE_THREAD = 0x0002;
        public const uint PROCESS_SET_SESSIONID = 0x0004;
        public const uint PROCESS_VM_OPERATION = 0x0008;
        public const uint PROCESS_VM_READ = 0x0010;
        public const uint PROCESS_VM_WRITE = 0x0020;
        public const uint PROCESS_DUP_HANDLE = 0x0040;
        public const uint PROCESS_CREATE_PROCESS = 0x0080;
        public const uint PROCESS_SET_QUOTA = 0x0100;
        public const uint PROCESS_SET_INFORMATION = 0x0200;
        public const uint PROCESS_QUERY_INFORMATION = 0x0400;

        public const uint TH32CS_SNAPHEAPLIST = 0x00000001;
        public const uint TH32CS_SNAPPROCESS = 0x00000002;
        public const uint TH32CS_SNAPTHREAD = 0x00000004;
        public const uint TH32CS_SNAPMODULE = 0x00000008;
        public const uint TH32CS_SNAPMODULE32 = 0x00000010;
        public const uint TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE);
        public const uint TH32CS_INHERIT = 0x80000000;

        public const int SE_PRIVILEGE_ENABLED = 0x00000002;
        public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
        public const int TOKEN_QUERY = 0x00000008;

        // function declarations are found in the MSDN and in <winbase.h> 

        //		HANDLE OpenProcess(
        //			DWORD dwDesiredAccess,  // access flag
        //			BOOL bInheritHandle,    // handle inheritance option
        //			DWORD dwProcessId       // process identifier
        //			);
        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);

        //		BOOL CloseHandle(
        //			HANDLE hObject   // handle to object
        //			);
        [DllImport("kernel32.dll")]
        public static extern Int32 CloseHandle(IntPtr hObject);

        //		BOOL ReadProcessMemory(
        //			HANDLE hProcess,              // handle to the process
        //			LPCVOID lpBaseAddress,        // base of memory area
        //			LPVOID lpBuffer,              // data buffer
        //			SIZE_T nSize,                 // number of bytes to read
        //			SIZE_T * lpNumberOfBytesRead  // number of bytes read
        //			);
        [DllImport("kernel32.dll")]
        public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);

        //		BOOL WriteProcessMemory(
        //			HANDLE hProcess,                // handle to process
        //			LPVOID lpBaseAddress,           // base of memory area
        //			LPCVOID lpBuffer,               // data buffer
        //			SIZE_T nSize,                   // count of bytes to write
        //			SIZE_T * lpNumberOfBytesWritten // count of bytes written
        //			);
        [DllImport("kernel32.dll")]
        public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int GetSecurityInfo(int HANDLE, int SE_OBJECT_TYPE, int SECURITY_INFORMATION, int psidOwner, int psidGroup, out IntPtr pDACL, IntPtr pSACL, out IntPtr pSecurityDescriptor);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int SetSecurityInfo(int HANDLE, int SE_OBJECT_TYPE, int SECURITY_INFORMATION, int psidOwner, int psidGroup, IntPtr pDACL, IntPtr pSACL);
		
    }

    public class ProcessMemoryReader
    {

        public ProcessMemoryReader()
        {
        }

        /// <summary>	
        /// Process from which to read		
        /// </summary>
        public Process ReadProcess
        {
            get
            {
                return m_ReadProcess;
            }
            set
            {
                m_ReadProcess = value;
            }
        }

        private Process m_ReadProcess = null;

        private IntPtr m_hProcess = IntPtr.Zero;

        public void OpenProcess()
        {
            m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_CREATE_PROCESS | ProcessMemoryReaderApi.PROCESS_QUERY_INFORMATION | ProcessMemoryReaderApi.PROCESS_VM_OPERATION | ProcessMemoryReaderApi.PROCESS_VM_WRITE | ProcessMemoryReaderApi.PROCESS_VM_READ | ProcessMemoryReaderApi.PROCESS_TERMINATE, 1, (uint)m_ReadProcess.Id);
            if (m_hProcess == IntPtr.Zero)
            {
                IntPtr pDACL, pSecDesc;

                ProcessMemoryReaderApi.GetSecurityInfo((int)Process.GetCurrentProcess().Handle, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4, 0, 0, out pDACL, IntPtr.Zero, out pSecDesc);
                m_hProcess = ProcessMemoryReaderApi.OpenProcess(0x40000, 0, (uint)ReadProcess.Id);
                ProcessMemoryReaderApi.SetSecurityInfo((int)m_hProcess, /*SE_KERNEL_OBJECT*/ 6, /*DACL_SECURITY_INFORMATION*/ 4 | /*UNPROTECTED_DACL_SECURITY_INFORMATION*/ 0x20000000, 0, 0, pDACL, IntPtr.Zero);
                ProcessMemoryReaderApi.CloseHandle(m_hProcess);

                m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_CREATE_PROCESS | ProcessMemoryReaderApi.PROCESS_QUERY_INFORMATION | ProcessMemoryReaderApi.PROCESS_VM_OPERATION | ProcessMemoryReaderApi.PROCESS_VM_WRITE | ProcessMemoryReaderApi.PROCESS_VM_READ | ProcessMemoryReaderApi.PROCESS_TERMINATE, 0, (uint)m_ReadProcess.Id);
                if (m_hProcess == IntPtr.Zero)
                {
                    MessageBox.Show("no handle found", "scan stopped");
                    return;
                }
            }
        }

        public void CloseHandle()
        {
            int iRetValue;
            iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess);
            if (iRetValue == 0)
            {
                throw new Exception("CloseHandle failed");
            }
        }

        public byte[] ReadProcessMemory(IntPtr MemoryAddress, uint bytesToRead, out int bytesReaded)
        {
            byte[] buffer = new byte[bytesToRead];

            IntPtr ptrBytesReaded;
            ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, MemoryAddress, buffer, bytesToRead, out ptrBytesReaded);

            bytesReaded = ptrBytesReaded.ToInt32();

            return buffer;
        }

        public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
        {
            IntPtr ptrBytesWritten;
            ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);

            bytesWritten = ptrBytesWritten.ToInt32();
        }
    }
}

only starts ONE "reading session", i've found in the past that opening -> reading -> closing, ... repeat.... can get you kicked... or well... had that several times...

I was wondering if it was good enough (it, so far, always has worked for me).
I've been programming in C# since like... 2-3 months after it got "released" but all has been done by either elarning from myself or... learning from others... never had any schooling about coding...

it might be that it's outdated or maybe terribly slow but i don't know, just would like to talk about it with more ppl.

I have found it to be better to talk about your code, for optimalization and stuff, with more ppl although i'd rather not share all of my code...

also, I'd like to know what g_ClientConnection is based on... I recently started to learn to reverse (lena151's AWSOME tutorials) and was wondering if i could do this in the future for myself.. (to find the g_ClientConnection or even CurMgroffset)... eventhough i'd like other ppl's opinions i'd like to be able to continue this solo (in case all of you decide to stop doing this...just in case....)


last: I'm sorry for my crappy english, i'm not a native speaker but I try ;-)

[Quarters]

Heya,

g_clinetConnection is essentially a pointer to the object manager - I hope thats what you needed to know

As far as your memory/process manipulation class goes, if your having doubts about what you've created then take a look at Shynd's BlackMagic source for inspiration. I think it can either be found here or on GameDeception.net . Also I think Apoc has one posted in the memory editing section if you can find it.

[L33ch]

Hey, Thanks Quarters,

I've looked for Shynd's BlackMagic (with example) and I Like it
Thanks for pointing that out

also I knew that G_ClientConnection was a pointer, I was just wondering how poeple get it (did they find it by reversing W0W or know waht to look for (i see stuff about a pattern in blackmagic's test program, IP address?))

And ofcouce: Thanks to Shynd for the/your code (blackmagic 1.1) , although I'm kind of scared of the fasm thingy ( generally afraid of the unknown new stuff ) as i'm testing out most of my stuff on a running W0W account.... which i'd like to keep....