EMO Style ForumPro - Hos Geldiniz
Giriş yap

Şifremi unuttum

Istatistikler
Toplam 202 kayıtlı kullanıcımız var
Son kaydolan kullanıcımız: AnthonyFurey3

Kullanıcılarımız toplam 1186 mesaj attılar bunda 862 konu
Tarıyıcı
 Kapı
 Indeks
 Üye Listesi
 Profil
 SSS
 Arama
Arama
 
 

Sonuç :
 


Rechercher çıkıntı araştırma

RSS akısı


Yahoo! 
MSN 
AOL 
Netvibes 
Bloglines 


Kimler hatta?
Toplam 1 kullanıcı online :: 0 Kayıtlı, 0 Gizli ve 1 Misafir

Yok

[ Bütün listeye bak ]


Sitede bugüne kadar en çok 92 kişi Paz Ağus. 28, 2016 6:58 am tarihinde online oldu.
En son konular
» İnternetten Para Kazandıran Oyun ! Ödeme Alt Limiti Yok ! DEV KONU
Cuma Ağus. 29, 2014 8:33 am tarafından Hello EMO

» goldenchase.net maden yaparak para kazanma
Cuma Ağus. 29, 2014 8:18 am tarafından Hello EMO

» etichal hacker görsel egitim seti
Çarş. Ağus. 06, 2014 4:57 am tarafından Hello EMO

» KO TBL Source C#
Ptsi Ara. 09, 2013 6:36 am tarafından Hello EMO

» x86 Registers
C.tesi Ağus. 24, 2013 5:02 am tarafından Hello EMO

» [Tutorial] Pegando Address, Pointers de WYD
Çarş. Tem. 10, 2013 7:25 am tarafından Hello EMO

» [Tutorial] Pegando Address, Pointers de CS Metodo²
Çarş. Tem. 10, 2013 7:23 am tarafından Hello EMO

» [Tutorial] Aprendendo basico deASM OLLYDBG
Çarş. Tem. 10, 2013 7:22 am tarafından Hello EMO

» Basic C# DLL injector
Ptsi Tem. 08, 2013 7:48 am tarafından Hello EMO

Reklam

C# Memory Scanning

Önceki başlık Sonraki başlık Aşağa gitmek

C# Memory Scanning

Mesaj tarafından EMO Bir Perş. Haz. 02, 2011 9:01 am

Alright, so I've seen plenty of these posts on the forums, but I haven't found one with a straight up answer. Here is my code:



Code:
[DllImport("kernel32.dll")]

internal static extern Int32 VirtualQueryEx(IntPtr hProcess, IntPtr
lpAddress, out Memory.MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);



private MEMORY_BASIC_INFORMATION MBI;



[StructLayout(LayoutKind.Sequential)]

public struct MEMORY_BASIC_INFORMATION

{

public IntPtr BaseAddress;

public IntPtr AllocationBase;

public uint AllocationProtect;

public IntPtr RegionSize;

public uint State;

public uint Protect;

public uint Type;

}



public int AOBScan(byte[] bBytesToSearch, long iStartAddress = 0, long iEndAddress = 0x7FFFFFFF)

{

long iAddress = iStartAddress; IntPtr ptrBytesRead; byte[] bBuffer;



do

{

int iRead = API.VirtualQueryEx(hReadProcess, (IntPtr)iAddress, out MBI, (uint)Marshal.SizeOf(MBI));

if ((iRead > 0) && ((int)MBI.RegionSize > 0))

{

bBuffer = new byte[(int)MBI.RegionSize];

API.ReadProcessMemory(hReadProcess, MBI.BaseAddress, bBuffer, (uint)bBuffer.Length, out ptrBytesRead);

//Search Buffer for specified bytes. Not included so I don't have to include the FindBytesinByteArray function.

}

iAddress = (long)(MBI.BaseAddress.ToInt64() + MBI.RegionSize.ToInt64());

} while (iAddress <= iEndAddress);

return 0;

}



To be clear, this code WORKS, however, I feel like I should add
something to it to make it safer/easier to use/debug. I haven't included
any Types like MEM_PRIVATE, etc., or States like MEM_COMMIT, etc..
Should these be added or should any additional checks be made within the
function? Sorry if I'm being unclear. I'm simply asking if there's
anything I've overlooked that I should include as a good practice.



Also, I've seen many different DLLImports for this function. This one
seems to work while the others didn't, but just to make sure, is this
correct, or will I somehow lose some data when it's in the wrong format?
I'm more concerned about the struct than the import itself.


-------------------------------------------------------------------------

This is how I did it a while back:

Code:
using System;

using System.Collections.Generic;

using System.Diagnostics;

using System.Linq;

using System.Runtime.InteropServices;

using System.Text;

using Microsoft.Win32.SafeHandles;



//

// sigScan C# Implementation - Written by atom0s [aka Wiccaan]

// Class Version: 2.0.0

//

// [ CHANGE LOG ] -------------------------------------------------------------------------

//

// 2.0.0

// - Updated to no longer require unsafe or fixed code.

// - Removed unneeded methods and code.

//

// 1.0.0

// - First version written and release.

//

// [ CREDITS ] ----------------------------------------------------------------------------

//

// sigScan is based on the FindPattern code written by

// dom1n1k and Patrick at GameDeception.net

//

// Full credit to them for the purpose of this code. I, atom0s, simply

// take credit for converting it to C#.

//

// [ USAGE ] ------------------------------------------------------------------------------

//

// Examples:

//

// SigScan _sigScan = new SigScan();

// _sigScan.Process = someProc;

// _sigScan.Address = new IntPtr(0x123456);

// _sigScan.Size = 0x1000;

// IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);

//

// SigScan _sigScan = new SigScan(someProc, new IntPtr(0x123456), 0x1000);

// IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);

//

// ----------------------------------------------------------------------------------------

namespace SigScan.Classes

{

public class SigScan

{

///

/// ReadProcessMemory

///

/// API import definition for ReadProcessMemory.

///


/// Handle to the process we want to read from.

/// The base address to start reading from.

/// The return buffer to write the read data to.

/// The size of data we wish to read.

/// The number of bytes successfully read.

///

[DllImport("kernel32.dll", SetLastError = true)]

private static extern bool ReadProcessMemory(

IntPtr hProcess,

IntPtr lpBaseAddress,

[Out()] byte[] lpBuffer,

int dwSize,

out int lpNumberOfBytesRead

);



///

/// m_vDumpedRegion

///

/// The memory dumped from the external process.

///


private byte[] m_vDumpedRegion;



///

/// m_vProcess

///

/// The process we want to read the memory of.

///


private Process m_vProcess;



///

/// m_vAddress

///

/// The starting address we want to begin reading at.

///


private IntPtr m_vAddress;



///

/// m_vSize

///

/// The number of bytes we wish to read from the process.

///


private Int32 m_vSize;





#region "sigScan Class Construction"

///

/// SigScan

///

/// Main class constructor that uses no params.

/// Simply initializes the class properties and

/// expects the user to set them later.

///


public SigScan()

{

this.m_vProcess = null;

this.m_vAddress = IntPtr.Zero;

this.m_vSize = 0;

this.m_vDumpedRegion = null;

}

///

/// SigScan

///

/// Overloaded class constructor that sets the class

/// properties during construction.

///


/// The process to dump the memory from.

/// The started address to begin the dump.

/// The size of the dump.

public SigScan(Process proc, IntPtr addr, int size)

{

this.m_vProcess = proc;

this.m_vAddress = addr;

this.m_vSize = size;

}

#endregion



#region "sigScan Class Private Methods"

///

/// DumpMemory

///

/// Internal memory dump function that uses the set class

/// properties to dump a memory region.

///


/// Boolean based on RPM results and valid properties.

private bool DumpMemory()

{

try

{

// Checks to ensure we have valid data.

if (this.m_vProcess == null)

return false;

if (this.m_vProcess.HasExited == true)

return false;

if (this.m_vAddress == IntPtr.Zero)

return false;

if (this.m_vSize == 0)

return false;



// Create the region space to dump into.

this.m_vDumpedRegion = new byte[this.m_vSize];



bool bReturn = false;

int nBytesRead = 0;



// Dump the memory.

bReturn = ReadProcessMemory(

this.m_vProcess.Handle, this.m_vAddress, this.m_vDumpedRegion, this.m_vSize, out nBytesRead

);



// Validation checks.

if (bReturn == false || nBytesRead != this.m_vSize)

return false;

return true;

}

catch (Exception ex)

{

return false;

}

}



///

/// MaskCheck

///

/// Compares the current pattern byte to the current memory dump

/// byte to check for a match. Uses wildcards to skip bytes that

/// are deemed unneeded in the compares.

///


/// Offset in the dump to start at.

/// Pattern to scan for.

/// Mask to compare against.

/// Boolean depending on if the pattern was found.

private bool MaskCheck(int nOffset, byte[] btPattern, string strMask)

{

// Loop the pattern and compare to the mask and dump.

for (int x = 0; x < btPattern.Length; x++)

{

// If the mask char is a wildcard, just continue.

if (strMask[x] == '?')

continue;



// If the mask char is not a wildcard, ensure a match is made in the pattern.

if ((strMask[x] == 'x') && (btPattern[x] != this.m_vDumpedRegion[nOffset + x]))

return false;

}



// The loop was successful so we found the pattern.

return true;

}

#endregion



#region "sigScan Class Public Methods"

///

/// FindPattern

///

/// Attempts to locate the given pattern inside the dumped memory region

/// compared against the given mask. If the pattern is found, the offset

/// is added to the located address and returned to the user.

///


/// Byte pattern to look for in the dumped region.

/// The mask string to compare against.

/// The offset added to the result address.

/// IntPtr - zero if not found, address if found.

public IntPtr FindPattern(byte[] btPattern, string strMask, int nOffset)

{

try

{

// Dump the memory region if we have not dumped it yet.

if (this.m_vDumpedRegion == null || this.m_vDumpedRegion.Length == 0)

{

if (!this.DumpMemory())

return IntPtr.Zero;

}



// Ensure the mask and pattern lengths match.

if (strMask.Length != btPattern.Length)

return IntPtr.Zero;



// Loop the region and look for the pattern.

for (int x = 0; x < this.m_vDumpedRegion.Length; x++)

{

if (this.MaskCheck(x, btPattern, strMask))

{

// The pattern was found, return it.

return new IntPtr((int)this.m_vAddress + (x + nOffset));

}

}



// Pattern was not found.

return IntPtr.Zero;

}

catch (Exception ex)

{

return IntPtr.Zero;

}

}



///

/// ResetRegion

///

/// Resets the memory dump array to nothing to allow

/// the class to redump the memory.

///


public void ResetRegion()

{

this.m_vDumpedRegion = null;

}

#endregion



#region "sigScan Class Properties"

public Process Process

{

get { return this.m_vProcess; }

set { this.m_vProcess = value; }

}

public IntPtr Address

{

get { return this.m_vAddress; }

set { this.m_vAddress = value; }

}

public Int32 Size

{

get { return this.m_vSize; }

set { this.m_vSize = value; }

}

#endregion



}

}



This uses the FindPattern method that is fairly commonly known, I just converted it to C#.



This doesn't wrap around VirtualQueryEx so the base + size is up to you
to be sure is proper and accessible. This also dumps the memory once
rather then per-each scan. If you need to rescan with a new dump each
time just call ResetRegion() before scanning again.



This is from 2009 so you can write things a bit cleaner with Linq and such now.
avatar
EMO
EMO Team
EMO Team

Cinsiyet : Erkek
Burçlar : Yay
Yılan
Mesaj Sayısı : 184
Puan : 110693
Rep Puanı : 5
Doğum tarihi : 28/11/89
Kayıt tarihi : 18/05/11
Yaş : 27
Nerden : EMO world
İş/Hobiler : RCE Student / Game Hacking / Learn Beginner C#,C++,Delphi
Lakap : EMO

Kullanıcı profilini gör

Sayfa başına dön Aşağa gitmek

Önceki başlık Sonraki başlık Sayfa başına dön


 
Bu forumun müsaadesi var:
Bu forumdaki mesajlara cevap veremezsiniz