Using a memory adress in c#

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Using a memory adress in c#

Postby TopHat » Sun Aug 07, 2011 7:04 am

Hello guys! I've been looking around the C# forums and this forum (for about 8-10 hours in total) looking for a way to recive the data in the memory at a specific location using C#.

The problem i have is that it don't seem to get anything from the adress that i supply to my program. The adress is taken from MHS and using the windows calculator I convert it from HEX to DEC since the memory_read Function wants an IntPtr.

I'm not a Hacking genius(obviously that's why I ask for help), And if someone of you grandmasters of hacking (with knowledge in c#) could take a quick peek at my code it is much appreciated.

note:I did download The memory editor class from "http://www.youtube.com/watch?v=sXu3jl2VxGc". If you want some more information just make a post below.

The memory editor class:
Code: Select all
using System;
using System.Text;
using System.Collections.Generic;
using System.Data;
using System.Linq;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace Memedit
{

    public class MemoryEditor
    {

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, out IntPtr lpNumberOfBytesWritten);

        [DllImport("Kernel32.dll")]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead);
        string pname = "";
        IntPtr hand;
        public MemoryEditor(string ProcName)
        {
            pname = ProcName.Replace(".exe", "");
            Process[] proclist = Process.GetProcesses();
            foreach (Process pr in proclist)
            {

                if (pr.ToString() == "System.Diagnostics.Process (" + pname + ")")
                {
                    hand = pr.Handle;
                }
            }
        }

        public bool Write(int Address, byte[] data)
        {
            bool success = false;
            Process[] proclist = Process.GetProcesses();
            IntPtr bytesout;
            success = WriteProcessMemory(hand, (IntPtr)Address, data, (UIntPtr)data.Length, out bytesout);
            return success;
        }


        public byte[] Read(int Address, int length, bool GlobalAdress)
        {
            if (GlobalAdress)
            {
                hand = (IntPtr)0;
            }
            byte[] ret = new byte[length];
            uint o = 0;
            ReadProcessMemory(hand, (IntPtr)Address, ret, (UInt32)ret.Length, ref o);
            return ret;
           
        }
        public int ReadInt32(int Address)
        {
            return BitConverter.ToInt32(Read(Address, 4,false), 0);
        }
        public float ReadSingle(int Address)
        {
            return BitConverter.ToSingle(Read(Address, 4, false), 0);
        }

        public string ReadString(int Address ,  int length, bool isUnicode)
        {
           
            if (isUnicode)
            {
                UnicodeEncoding enc = new UnicodeEncoding();
                return enc.GetString(Read(Address, length, false));
            }
            else
            {
                ASCIIEncoding enc = new ASCIIEncoding();
                return enc.GetString(Read(Address, length, false));
            }
        }
    }
}


The windows form Code:
Code: Select all
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Memedit;

namespace MemoryhackTest
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            MemoryEditor Editor = new MemoryEditor("TheProgram.exe");
            label1.Text = Editor.ReadString(81963736, 10, false);
        }
    }
}


Thanks
//TopHat
TopHat
I Have A Few Questions
 
Posts: 9
Joined: Sun Aug 07, 2011 6:13 am

Re: Using a memory adress in c#

Postby L. Spiro » Mon Aug 08, 2011 12:46 pm

You never opened the process. You must do so via:


Code: Select all
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess( int dwDesiredAccess, bool bInheritHandle, int dwProcessId );


        public MemoryEditor(string ProcName)
        {
            pname = ProcName.Replace(".exe", "");
            Process[] proclist = Process.GetProcesses();
            foreach (Process pr in proclist)
            {

                if (pr.ToString() == "System.Diagnostics.Process (" + pname + ")")
                {
                    hand = OpenProcess( 0x0010 | 0x0020, true, pr.Id );
                }
            }
        }


Furthermore, addresses are not int. They are UIntPtr. Change Write(int Address, byte[] data) and friends to Write(UIntPtr Address, byte[] data).
Finally, use 0x4E2AAD8 instead of 81963736.
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Using a memory adress in c#

Postby TopHat » Mon Aug 08, 2011 9:52 pm

Thank you very much! :D. I bow to your greatness and lift my hat for you sir. :wink:

(I got higher priority project at the moment but I'll try it out soon. I will report the results as soon as possible :))

Edit: I did manage to get a successful read of a string in the memory. Thank you!
TopHat
I Have A Few Questions
 
Posts: 9
Joined: Sun Aug 07, 2011 6:13 am

Re: Using a memory adress in c#

Postby TopHat » Mon Aug 15, 2011 9:16 pm

Hi again!

Just one little question, why UIntPtr? At http://pinvoke.net/default.aspx/kernel32/ReadProcessMemory.html all the examples uses an IntPtr and IntPtr is currently working for me.

(http://social.msdn.microsoft.com/forums/en-US/clr/thread/026818c7-dcf6-482a-9481-fd0147619c84)
I've read that UIntPtr is preferred when using Unmanaged pointers since they are not negative. Because we use Unmanaged pointer i guess UIntPtr is to prefer so If I want to use UIntPtr Instead, is it just to change all IntPtrs to UIntPtr then (including the DLL imports)?

//TopHat
TopHat
I Have A Few Questions
 
Posts: 9
Joined: Sun Aug 07, 2011 6:13 am

Re: Using a memory adress in c#

Postby L. Spiro » Tue Aug 16, 2011 7:26 am

Yes.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan


Return to Help

Who is online

Users browsing this forum: No registered users and 0 guests

cron