/[RomCheater]/trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs
ViewVC logotype

Contents of /trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs

Parent Directory Parent Directory | Revision Log Revision Log


Revision 229 - (show annotations) (download)
Sat Jun 2 18:31:40 2012 UTC (8 years, 6 months ago) by william
File size: 31159 byte(s)

1 using System;
2 using System.Collections.Generic;
3 using System.Text;
4 using System.Diagnostics;
5 using System.Threading;
6 using System.Runtime.InteropServices;
7 using RomCheater.Logging;
8 using RomCheater.Core;
9 using System.IO;
10
11 namespace Sojaner.MemoryScanner
12 {
13 // code borrowed from: http://www.codeproject.com/KB/cs/sojaner_memory_scanner.aspx
14 #region ProcessMemoryReader class
15 //Thanks goes to Arik Poznanski for P/Invokes and methods needed to read and write the Memory
16 //For more information refer to "Minesweeper, Behind the scenes" article by Arik Poznanski at Codeproject.com
17 public class ProcessMemoryReader : IPatchMemory, IReadMemory
18 {
19
20 public ProcessMemoryReader()
21 {
22 }
23
24 /// <summary>
25 /// Process from which to read
26 /// </summary>
27 public Process ReadProcess
28 {
29 get
30 {
31 return m_ReadProcess;
32 }
33 set
34 {
35 m_ReadProcess = value;
36 }
37 }
38
39 private Process m_ReadProcess = null;
40
41 private static IntPtr m_hProcess = IntPtr.Zero;
42
43 public void OpenProcess()
44 {
45 // m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id);
46 ProcessMemoryReaderApi.ProcessAccessType access;
47 access = ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_READ
48 | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_WRITE
49 | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_OPERATION;
50 m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
51 }
52
53 public void CloseHandle()
54 {
55 try
56 {
57 int iRetValue;
58 iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess);
59 if (iRetValue == 0)
60 {
61 throw new Exception("CloseHandle failed");
62 }
63 }
64 catch (Exception ex)
65 {
66 //System.Windows.Forms.MessageBox.Show(ex.Message, "error", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Warning);
67 throw ex;
68 }
69 }
70
71 #region WriteProcessMemoryToFile
72 public bool WriteProcessMemoryToFile(string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
73 {
74 RamDumper dumper = new RamDumper();
75 return dumper.DumpMemoryToFile(ReadProcess, filename, MemoryAddress, bytesToRead, out bytesRead);
76 }
77 #endregion
78
79 #region ReadProcessMemory
80 public void ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data)
81 {
82 RamDumper dumper = new RamDumper();
83 dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead, out data);
84 }
85 //public void ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead,out sbyte[] data)
86 //{
87 // RamDumper dumper = new RamDumper();
88 // dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead, out data);
89 //}
90 #endregion
91
92 #region ReadProcessMemory
93 public bool ReadFirstNonZeroByte(uint MemoryAddress, uint bytesToRead, out uint address)
94 {
95 RamDumper dumper = new RamDumper();
96 return dumper.ReadFirstNonZeroByte(ReadProcess, MemoryAddress, bytesToRead, out address);
97 }
98 #endregion
99 #region WriteProcessMemory
100 public void WriteProcessMemory(UIntPtr MemoryAddress, byte byteToWrite, out int bytesWritten)
101 {
102 WriteProcessMemory(MemoryAddress, new byte[] { byteToWrite }, out bytesWritten);
103 }
104 public void WriteProcessMemory(UIntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
105 {
106 IntPtr ptrBytesWritten;
107 ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);
108 bytesWritten = ptrBytesWritten.ToInt32();
109 }
110 #endregion
111
112
113 #region IPatchMemory members
114 public bool PatchMemory(uint address, byte value)
115 {
116 int bytesWritten;
117 byte[] bitData = BitConverter.GetBytes(value);
118 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
119 CloseHandle();
120 byte check = 0;
121 ReadMemory(address, out check);
122 if (check == value) return true;
123 return false;
124 }
125 public bool PatchMemory(uint address, sbyte value)
126 {
127 int bytesWritten;
128 byte[] bitData = BitConverter.GetBytes(value);
129 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
130 CloseHandle();
131 sbyte check = 0;
132 ReadMemory(address, out check);
133 if (check == value) return true;
134 return false;
135 }
136 public bool PatchMemory(uint address, ushort value)
137 {
138 int bytesWritten;
139 byte[] bitData = BitConverter.GetBytes(value);
140 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
141 CloseHandle();
142 ushort check = 0;
143 ReadMemory(address, out check);
144 if (check == value) return true;
145 return false;
146 }
147 public bool PatchMemory(uint address, short value)
148 {
149 int bytesWritten;
150 byte[] bitData = BitConverter.GetBytes(value);
151 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
152 CloseHandle();
153 short check = 0;
154 ReadMemory(address, out check);
155 if (check == value) return true;
156 return false;
157 }
158 public bool PatchMemory(uint address, uint value)
159 {
160 int bytesWritten;
161 byte[] bitData = BitConverter.GetBytes(value);
162 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
163 CloseHandle();
164 uint check = 0;
165 ReadMemory(address, out check);
166 if (check == value) return true;
167 return false;
168 }
169 public bool PatchMemory(uint address, int value)
170 {
171 int bytesWritten;
172 byte[] bitData = BitConverter.GetBytes(value);
173 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
174 CloseHandle();
175 int check = 0;
176 ReadMemory(address, out check);
177 if (check == value) return true;
178 return false;
179 }
180 public bool PatchMemory(uint address, ulong value)
181 {
182 int bytesWritten;
183 byte[] bitData = BitConverter.GetBytes(value);
184 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
185 CloseHandle();
186 ulong check = 0;
187 ReadMemory(address, out check);
188 if (check == value) return true;
189 return false;
190 }
191 public bool PatchMemory(uint address, long value)
192 {
193 int bytesWritten;
194 byte[] bitData = BitConverter.GetBytes(value);
195 WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
196 CloseHandle();
197 long check = 0;
198 ReadMemory(address, out check);
199 if (check == value) return true;
200 return false;
201 }
202 #endregion
203 #region IReadMemory members
204 public bool ReadMemory(uint address, out byte value)
205 {
206 try
207 {
208 value = 0;
209 int bytesReadSize;
210 byte[] bitData;
211 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
212 value = bitData[0];
213 return true;
214 }
215 catch
216 {
217 value = 0x00;
218 return false;
219 }
220 }
221 public bool ReadMemory(uint address, out sbyte value)
222 {
223 try
224 {
225 value = 0;
226 int bytesReadSize;
227 byte[] bitData;
228 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
229 value = Convert.ToSByte(bitData[0]);
230 return true;
231 }
232 catch
233 {
234 value = 0x00;
235 return false;
236 }
237 }
238 public bool ReadMemory(uint address, out ushort value)
239 {
240 try
241 {
242 value = 0;
243 int bytesReadSize;
244 byte[] bitData;
245 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
246 value = BitConverter.ToUInt16(bitData, 0);
247 return true;
248 }
249 catch
250 {
251 value = 0x00;
252 return false;
253 }
254 }
255 public bool ReadMemory(uint address, out short value)
256 {
257 try
258 {
259 value = 0;
260 int bytesReadSize;
261 byte[] bitData;
262 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
263 value = BitConverter.ToInt16(bitData, 0);
264 return true;
265 }
266 catch
267 {
268 value = 0x00;
269 return false;
270 }
271 }
272 public bool ReadMemory(uint address, out uint value)
273 {
274 try
275 {
276 value = 0;
277 int bytesReadSize;
278 byte[] bitData;
279 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
280 value = BitConverter.ToUInt32(bitData, 0);
281 return true;
282 }
283 catch
284 {
285 value = 0x00;
286 return false;
287 }
288 }
289 public bool ReadMemory(uint address, out int value)
290 {
291 try
292 {
293 value = 0;
294 int bytesReadSize;
295 byte[] bitData;
296 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
297 value = BitConverter.ToInt32(bitData, 0);
298 return true;
299 }
300 catch
301 {
302 value = 0x00;
303 return false;
304 }
305 }
306 public bool ReadMemory(uint address, out ulong value)
307 {
308 try
309 {
310 value = 0;
311 int bytesReadSize;
312 byte[] bitData;
313 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
314 value = BitConverter.ToUInt64(bitData, 0);
315 return true;
316 }
317 catch
318 {
319 value = 0x00;
320 return false;
321 }
322 }
323 public bool ReadMemory(uint address, out long value)
324 {
325 try
326 {
327 value = 0;
328 int bytesReadSize;
329 byte[] bitData;
330 ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
331 value = BitConverter.ToInt64(bitData, 0);
332 return true;
333 }
334 catch
335 {
336 value = 0x00;
337 return false;
338 }
339 }
340 #endregion
341
342 #region RamDumper
343 private interface IRamDumper
344 {
345 bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead);
346 void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data);
347 }
348 private class RamDumper : IRamDumper
349 {
350 public RamDumper() { }
351 private void InitMemoryDump(out uint byte_alignment)
352 {
353 byte_alignment = 102400; // get memory in 100mb chunks
354 }
355 #region IRamDumper members
356 #region DumpMemoryToFile
357 public bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
358 {
359 //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
360 bytesRead = 0;
361 uint byte_alignment = 0;
362 // get common init parameters
363 InitMemoryDump(out byte_alignment);
364 uint address = MemoryAddress;
365 uint _bytesToRead = bytesToRead;
366 byte[] buffer = new byte[] { };
367 try
368 {
369 FileInfo fi = new FileInfo(filename);
370 if (fi.Exists)
371 fi.Delete();
372 using (FileStream fs = new FileStream(filename, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.ReadWrite))
373 {
374 BinaryWriter bw = new BinaryWriter(fs);
375 //foreach (byte b in data) { bw.Write(b); }
376
377 for (uint i = 0; i <= bytesToRead; )
378 {
379 if (_bytesToRead < byte_alignment)
380 {
381 _bytesToRead = bytesToRead;
382 buffer = new byte[_bytesToRead];
383 }
384 else
385 {
386 _bytesToRead = byte_alignment;
387 buffer = new byte[byte_alignment];
388 }
389 IntPtr ptrBytesRead;
390
391 ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, _bytesToRead, out ptrBytesRead);
392 bytesRead = ptrBytesRead.ToInt32();
393 bw.Write(buffer);
394 bw.Flush();
395
396 if (_bytesToRead < byte_alignment)
397 {
398 i += _bytesToRead;
399 address += _bytesToRead;
400 }
401 else
402 {
403 i += byte_alignment;
404 address += byte_alignment;
405 }
406
407
408 }
409 bw.Close();
410 }
411 logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
412 return true;
413 }
414 catch (OutOfMemoryException ex)
415 {
416 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
417 logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
418 logger.Error.WriteLine(ex.ToString());
419 }
420 catch (Exception ex)
421 {
422 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
423 logger.Error.WriteLine("DumpMemory(): Exception");
424 logger.Error.WriteLine(ex.ToString());
425 }
426 return false;
427 }
428 #endregion
429 #region DumpMemoryToByteArray
430 public void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data)
431 {
432 data = new byte[] { };
433 //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
434 bytesRead = 0;
435 uint byte_alignment = 1;
436 // get common init parameters
437 //InitMemoryDump(out byte_alignment);
438 uint address = MemoryAddress;
439 uint _bytesToRead = bytesToRead;
440 byte[] buffer = new byte[] { };
441 try
442 {
443 using (MemoryStream ms = new MemoryStream())
444 {
445 BinaryWriter bw = new BinaryWriter(ms);
446 //foreach (byte b in data) { bw.Write(b); }
447
448 for (uint i = 0; i <= bytesToRead; )
449 {
450 if (_bytesToRead < byte_alignment)
451 {
452 _bytesToRead = bytesToRead;
453 buffer = new byte[_bytesToRead];
454 }
455 else
456 {
457 _bytesToRead = byte_alignment;
458 buffer = new byte[byte_alignment];
459 }
460 IntPtr ptrBytesRead;
461
462 ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, buffer, _bytesToRead, out ptrBytesRead);
463 bytesRead = ptrBytesRead.ToInt32();
464 bw.Write(buffer);
465 bw.Flush();
466
467 if (_bytesToRead < byte_alignment)
468 {
469 i += _bytesToRead;
470 address += _bytesToRead;
471 }
472 else
473 {
474 i += byte_alignment;
475 address += byte_alignment;
476 }
477
478
479 }
480 bw.Close();
481 data = ms.ToArray();
482 }
483 //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
484 }
485 catch (OutOfMemoryException ex)
486 {
487 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
488 logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
489 logger.Error.WriteLine(ex.ToString());
490 }
491 catch (Exception ex)
492 {
493 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
494 logger.Error.WriteLine("DumpMemory(): Exception");
495 logger.Error.WriteLine(ex.ToString());
496 }
497 }
498 #endregion
499 #region DumpMemoryToByteArray (sbyte)
500 //public void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out sbyte[] data)
501 //{
502 // data = new sbyte[] { };
503 // //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
504 // bytesRead = 0;
505 // uint byte_alignment = 1;
506 // // get common init parameters
507 // //InitMemoryDump(out byte_alignment);
508 // uint address = MemoryAddress;
509 // uint _bytesToRead = bytesToRead;
510 // sbyte[] buffer = new sbyte[] { };
511 // try
512 // {
513 // using (MemoryStream ms = new MemoryStream())
514 // {
515 // BinaryWriter bw = new BinaryWriter(ms);
516 // //foreach (byte b in data) { bw.Write(b); }
517
518 // for (uint i = 0; i <= bytesToRead; )
519 // {
520 // if (_bytesToRead < byte_alignment)
521 // {
522 // _bytesToRead = bytesToRead;
523 // buffer = new sbyte[_bytesToRead];
524 // }
525 // else
526 // {
527 // _bytesToRead = byte_alignment;
528 // buffer = new sbyte[byte_alignment];
529 // }
530 // IntPtr ptrBytesRead;
531
532 // ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, (byte[])(Array)buffer, _bytesToRead, out ptrBytesRead);
533 // bytesRead = ptrBytesRead.ToInt32();
534 // bw.Write((byte[])(Array)buffer);
535 // bw.Flush();
536
537 // if (_bytesToRead < byte_alignment)
538 // {
539 // i += _bytesToRead;
540 // address += _bytesToRead;
541 // }
542 // else
543 // {
544 // i += byte_alignment;
545 // address += byte_alignment;
546 // }
547
548
549 // }
550 // bw.Close();
551 // data = (sbyte[])(Array)ms.ToArray();
552 // }
553 // //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
554 // }
555 // catch (OutOfMemoryException ex)
556 // {
557 // logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
558 // logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
559 // logger.Error.WriteLine(ex.ToString());
560 // }
561 // catch (Exception ex)
562 // {
563 // logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
564 // logger.Error.WriteLine("DumpMemory(): Exception");
565 // logger.Error.WriteLine(ex.ToString());
566 // }
567 //}
568 #endregion
569 #endregion
570
571 #region ReadFirstNonZeroByte
572 public bool ReadFirstNonZeroByte(Process ppid, uint MemoryAddress, uint bytesToRead, out uint address)
573 {
574 //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
575 address = 0;
576 uint byte_alignment = 1;
577 // get common init parameters
578 //InitMemoryDump(out byte_alignment);
579 uint mem_address = MemoryAddress;
580 uint _bytesToRead = bytesToRead;
581 byte[] buffer = new byte[] { };
582 try
583 {
584 //using (MemoryStream ms = new MemoryStream())
585 //{
586 // //BinaryWriter bw = new BinaryWriter(ms);
587 // //foreach (byte b in data) { bw.Write(b); }
588 for (uint i = 0; i <= bytesToRead; )
589 {
590 if (_bytesToRead < byte_alignment)
591 {
592 _bytesToRead = bytesToRead;
593 buffer = new byte[_bytesToRead];
594 }
595 else
596 {
597 _bytesToRead = byte_alignment;
598 buffer = new byte[byte_alignment];
599 }
600 IntPtr ptrBytesRead;
601 ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)mem_address, buffer, _bytesToRead, out ptrBytesRead);
602 //bw.Write(buffer);
603 //bw.Flush();
604 if (_bytesToRead < byte_alignment)
605 {
606 i += _bytesToRead;
607 mem_address += _bytesToRead;
608 }
609 else
610 {
611 i += byte_alignment;
612 mem_address += byte_alignment;
613 }
614 for (uint j = 0; j < buffer.Length; j++)
615 {
616 if (buffer[j] != 0)
617 {
618 address = mem_address;
619 break;
620 }
621 }
622 if (address != 0)
623 break;
624 }
625 // bw.Close();
626 //}
627 //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
628 return true;
629 }
630 catch (OutOfMemoryException ex)
631 {
632 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
633 logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
634 logger.Error.WriteLine(ex.ToString());
635 }
636 catch (Exception ex)
637 {
638 logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
639 logger.Error.WriteLine("DumpMemory(): Exception");
640 logger.Error.WriteLine(ex.ToString());
641 }
642 return false;
643 }
644 #endregion
645 }
646 #endregion
647 /// <summary>
648 /// ProcessMemoryReader is a class that enables direct reading a process memory
649 /// </summary>
650 public class ProcessMemoryReaderApi
651 {
652 // constants information can be found in <winnt.h>
653 [Flags]
654 public enum ProcessAccessType
655 {
656 PROCESS_TERMINATE = (0x0001),
657 PROCESS_CREATE_THREAD = (0x0002),
658 PROCESS_SET_SESSIONID = (0x0004),
659 PROCESS_VM_OPERATION = (0x0008),
660 PROCESS_VM_READ = (0x0010),
661 PROCESS_VM_WRITE = (0x0020),
662 PROCESS_DUP_HANDLE = (0x0040),
663 PROCESS_CREATE_PROCESS = (0x0080),
664 PROCESS_SET_QUOTA = (0x0100),
665 PROCESS_SET_INFORMATION = (0x0200),
666 PROCESS_QUERY_INFORMATION = (0x0400)
667 }
668
669 // function declarations are found in the MSDN and in <winbase.h>
670
671 // HANDLE OpenProcess(
672 // DWORD dwDesiredAccess, // access flag
673 // BOOL bInheritHandle, // handle inheritance option
674 // DWORD dwProcessId // process identifier
675 // );
676 [DllImport("kernel32.dll")]
677 public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
678
679 // BOOL CloseHandle(
680 // HANDLE hObject // handle to object
681 // );
682 [DllImport("kernel32.dll")]
683 public static extern Int32 CloseHandle(IntPtr hObject);
684
685 // BOOL ReadProcessMemory(
686 // HANDLE hProcess, // handle to the process
687 // LPCVOID lpBaseAddress, // base of memory area
688 // LPVOID lpBuffer, // data buffer
689 // SIZE_T nSize, // number of bytes to read
690 // SIZE_T * lpNumberOfBytesRead // number of bytes read
691 // );
692 [DllImport("kernel32.dll")]
693 public static extern Int32 ReadProcessMemory(IntPtr hProcess, UIntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);
694
695 // BOOL WriteProcessMemory(
696 // HANDLE hProcess, // handle to process
697 // LPVOID lpBaseAddress, // base of memory area
698 // LPCVOID lpBuffer, // data buffer
699 // SIZE_T nSize, // count of bytes to write
700 // SIZE_T * lpNumberOfBytesWritten // count of bytes written
701 // );
702 [DllImport("kernel32.dll")]
703 public static extern Int32 WriteProcessMemory(IntPtr hProcess, UIntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);
704
705
706 }
707 }
708 #endregion
709 }

  ViewVC Help
Powered by ViewVC 1.1.22