Parent Directory
| 
Revision Log
| 
Patch
--- trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs 2012/05/31 07:13:43 198
+++ trunk/Win32/Sojaner.MemoryScanner/MemoryScanner.cs 2012/06/02 18:31:40 229
@@ -14,7 +14,7 @@
#region ProcessMemoryReader class
//Thanks goes to Arik Poznanski for P/Invokes and methods needed to read and write the Memory
//For more information refer to "Minesweeper, Behind the scenes" article by Arik Poznanski at Codeproject.com
- public class ProcessMemoryReader
+ public class ProcessMemoryReader : IPatchMemory, IReadMemory
{
public ProcessMemoryReader()
@@ -77,13 +77,25 @@
#endregion
#region ReadProcessMemory
- public byte[] ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ public void ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data)
{
RamDumper dumper = new RamDumper();
- return dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead);
+ dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead, out data);
}
+ //public void ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead,out sbyte[] data)
+ //{
+ // RamDumper dumper = new RamDumper();
+ // dumper.DumpMemoryToByteArray(ReadProcess, MemoryAddress, bytesToRead, out bytesRead, out data);
+ //}
#endregion
+ #region ReadProcessMemory
+ public bool ReadFirstNonZeroByte(uint MemoryAddress, uint bytesToRead, out uint address)
+ {
+ RamDumper dumper = new RamDumper();
+ return dumper.ReadFirstNonZeroByte(ReadProcess, MemoryAddress, bytesToRead, out address);
+ }
+ #endregion
#region WriteProcessMemory
public void WriteProcessMemory(UIntPtr MemoryAddress, byte byteToWrite, out int bytesWritten)
{
@@ -97,11 +109,241 @@
}
#endregion
+
+ #region IPatchMemory members
+ public bool PatchMemory(uint address, byte value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ byte check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, sbyte value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ sbyte check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, ushort value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ ushort check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, short value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ short check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, uint value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ uint check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, int value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ int check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, ulong value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ ulong check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ public bool PatchMemory(uint address, long value)
+ {
+ int bytesWritten;
+ byte[] bitData = BitConverter.GetBytes(value);
+ WriteProcessMemory((UIntPtr)address, bitData, out bytesWritten);
+ CloseHandle();
+ long check = 0;
+ ReadMemory(address, out check);
+ if (check == value) return true;
+ return false;
+ }
+ #endregion
+ #region IReadMemory members
+ public bool ReadMemory(uint address, out byte value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = bitData[0];
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out sbyte value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = Convert.ToSByte(bitData[0]);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out ushort value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToUInt16(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out short value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToInt16(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out uint value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToUInt32(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out int value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToInt32(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out ulong value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToUInt64(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ public bool ReadMemory(uint address, out long value)
+ {
+ try
+ {
+ value = 0;
+ int bytesReadSize;
+ byte[] bitData;
+ ReadProcessMemory(address, sizeof(byte), out bytesReadSize, out bitData);
+ value = BitConverter.ToInt64(bitData, 0);
+ return true;
+ }
+ catch
+ {
+ value = 0x00;
+ return false;
+ }
+ }
+ #endregion
+
#region RamDumper
private interface IRamDumper
{
bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead);
- byte[] DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead);
+ void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data);
}
private class RamDumper : IRamDumper
{
@@ -114,7 +356,7 @@
#region DumpMemoryToFile
public bool DumpMemoryToFile(Process ppid, string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
{
- logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
bytesRead = 0;
uint byte_alignment = 0;
// get common init parameters
@@ -185,13 +427,14 @@
}
#endregion
#region DumpMemoryToByteArray
- public byte[] DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead)
+ public void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data)
{
- logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ data = new byte[] { };
+ //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
bytesRead = 0;
- uint byte_alignment = 0;
+ uint byte_alignment = 1;
// get common init parameters
- InitMemoryDump(out byte_alignment);
+ //InitMemoryDump(out byte_alignment);
uint address = MemoryAddress;
uint _bytesToRead = bytesToRead;
byte[] buffer = new byte[] { };
@@ -235,9 +478,9 @@
}
bw.Close();
- return ms.ToArray();
+ data = ms.ToArray();
}
- logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
}
catch (OutOfMemoryException ex)
{
@@ -251,9 +494,153 @@
logger.Error.WriteLine("DumpMemory(): Exception");
logger.Error.WriteLine(ex.ToString());
}
- return new byte[]{};
}
#endregion
+ #region DumpMemoryToByteArray (sbyte)
+ //public void DumpMemoryToByteArray(Process ppid, uint MemoryAddress, uint bytesToRead, out int bytesRead, out sbyte[] data)
+ //{
+ // data = new sbyte[] { };
+ // //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ // bytesRead = 0;
+ // uint byte_alignment = 1;
+ // // get common init parameters
+ // //InitMemoryDump(out byte_alignment);
+ // uint address = MemoryAddress;
+ // uint _bytesToRead = bytesToRead;
+ // sbyte[] buffer = new sbyte[] { };
+ // try
+ // {
+ // using (MemoryStream ms = new MemoryStream())
+ // {
+ // BinaryWriter bw = new BinaryWriter(ms);
+ // //foreach (byte b in data) { bw.Write(b); }
+
+ // for (uint i = 0; i <= bytesToRead; )
+ // {
+ // if (_bytesToRead < byte_alignment)
+ // {
+ // _bytesToRead = bytesToRead;
+ // buffer = new sbyte[_bytesToRead];
+ // }
+ // else
+ // {
+ // _bytesToRead = byte_alignment;
+ // buffer = new sbyte[byte_alignment];
+ // }
+ // IntPtr ptrBytesRead;
+
+ // ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)address, (byte[])(Array)buffer, _bytesToRead, out ptrBytesRead);
+ // bytesRead = ptrBytesRead.ToInt32();
+ // bw.Write((byte[])(Array)buffer);
+ // bw.Flush();
+
+ // if (_bytesToRead < byte_alignment)
+ // {
+ // i += _bytesToRead;
+ // address += _bytesToRead;
+ // }
+ // else
+ // {
+ // i += byte_alignment;
+ // address += byte_alignment;
+ // }
+
+
+ // }
+ // bw.Close();
+ // data = (sbyte[])(Array)ms.ToArray();
+ // }
+ // //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ // }
+ // catch (OutOfMemoryException ex)
+ // {
+ // logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ // logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
+ // logger.Error.WriteLine(ex.ToString());
+ // }
+ // catch (Exception ex)
+ // {
+ // logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ // logger.Error.WriteLine("DumpMemory(): Exception");
+ // logger.Error.WriteLine(ex.ToString());
+ // }
+ //}
+ #endregion
+ #endregion
+
+ #region ReadFirstNonZeroByte
+ public bool ReadFirstNonZeroByte(Process ppid, uint MemoryAddress, uint bytesToRead, out uint address)
+ {
+ //logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ address = 0;
+ uint byte_alignment = 1;
+ // get common init parameters
+ //InitMemoryDump(out byte_alignment);
+ uint mem_address = MemoryAddress;
+ uint _bytesToRead = bytesToRead;
+ byte[] buffer = new byte[] { };
+ try
+ {
+ //using (MemoryStream ms = new MemoryStream())
+ //{
+ // //BinaryWriter bw = new BinaryWriter(ms);
+ // //foreach (byte b in data) { bw.Write(b); }
+ for (uint i = 0; i <= bytesToRead; )
+ {
+ if (_bytesToRead < byte_alignment)
+ {
+ _bytesToRead = bytesToRead;
+ buffer = new byte[_bytesToRead];
+ }
+ else
+ {
+ _bytesToRead = byte_alignment;
+ buffer = new byte[byte_alignment];
+ }
+ IntPtr ptrBytesRead;
+ ProcessMemoryReader.ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (UIntPtr)mem_address, buffer, _bytesToRead, out ptrBytesRead);
+ //bw.Write(buffer);
+ //bw.Flush();
+ if (_bytesToRead < byte_alignment)
+ {
+ i += _bytesToRead;
+ mem_address += _bytesToRead;
+ }
+ else
+ {
+ i += byte_alignment;
+ mem_address += byte_alignment;
+ }
+ for (uint j = 0; j < buffer.Length; j++)
+ {
+ if (buffer[j] != 0)
+ {
+ address = mem_address;
+ break;
+ }
+ }
+ if (address != 0)
+ break;
+ }
+ // bw.Close();
+ //}
+ //logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ return true;
+ }
+ catch (OutOfMemoryException ex)
+ {
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
+ logger.Error.WriteLine(ex.ToString());
+ }
+ catch (Exception ex)
+ {
+ logger.Error.WriteLine("Failed to dump memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName));
+ logger.Error.WriteLine("DumpMemory(): Exception");
+ logger.Error.WriteLine(ex.ToString());
+ }
+ return false;
+ }
#endregion
}
#endregion
| ViewVC Help | |
| Powered by ViewVC 1.1.22 |