Win32/Sojaner.MemoryScanner/MemoryScanner.cs

using System;
using System.Collections.Generic;
using System.Text;
using System.Diagnostics;
using System.Threading;
using System.Runtime.InteropServices;
using RomCheater.Logging;
using RomCheater.Core;
using System.IO;

namespace Sojaner.MemoryScanner
{
    // code borrowed from: http://www.codeproject.com/KB/cs/sojaner_memory_scanner.aspx    
    #region ProcessMemoryReader class
    //Thanks goes to Arik Poznanski for P/Invokes and methods needed to read and write the Memory
    //For more information refer to "Minesweeper, Behind the scenes" article by Arik Poznanski at Codeproject.com
    public class ProcessMemoryReader
    {

        public ProcessMemoryReader()
        {
        }

        /// <summary>   
        /// Process from which to read          
        /// </summary>
        public Process ReadProcess
        {
            get
            {
                return m_ReadProcess;
            }
            set
            {
                m_ReadProcess = value;
            }
        }

        private Process m_ReadProcess = null;

        private IntPtr m_hProcess = IntPtr.Zero;

        public void OpenProcess()
        {
            //                  m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id);
            ProcessMemoryReaderApi.ProcessAccessType access;
            access = ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_READ
                | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_WRITE
                | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_OPERATION;
            m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
        }

        public void CloseHandle()
        {
            try
            {
                int iRetValue;
                iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess);
                if (iRetValue == 0)
                {
                    throw new Exception("CloseHandle failed");
                }
            }
            catch (Exception ex)
            {
                //System.Windows.Forms.MessageBox.Show(ex.Message, "error", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Warning);
                throw ex;
            }
        }


        public bool DumpMemory(string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
        {
            bytesRead = 0;
            uint byte_alignment = 512; // 4mb alignment
            uint address = MemoryAddress;
            try
            {
                using (FileStream fs = new FileStream(filename, FileMode.OpenOrCreate, FileAccess.ReadWrite, FileShare.ReadWrite))
                {
                    BinaryWriter bw = new BinaryWriter(fs);
                    //foreach (byte b in data) { bw.Write(b); }

                    for (uint i = 0; i <= bytesToRead; i += byte_alignment)
                    {
                        byte[] buffer = new byte[byte_alignment];
                        uint bytes_to_read = byte_alignment;
                        IntPtr ptrBytesRead;
                        ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (IntPtr)address, buffer, bytes_to_read, out ptrBytesRead);
                        bytesRead = ptrBytesRead.ToInt32();
                        bw.Write(buffer);
                        bw.Flush();
                        address += byte_alignment;
                    }
                    bw.Close();
                }
                return true;
            }
            catch (OutOfMemoryException ex)
            {
                logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
                logger.Error.WriteLine(ex.ToString());
            }
            catch (Exception ex)
            {
                logger.Error.WriteLine("DumpMemory(): Exception");
                logger.Error.WriteLine(ex.ToString());
            }
            return false;
        }

        public byte[] ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead)
        {
            bytesRead = 0;
            uint address = MemoryAddress;
            List<byte[]> aligned_array_list = new List<byte[]>();
            try
            {
                uint byte_alignment = 512; // 4mb alignment
               

                for (uint i = 0; i <= bytesToRead; i += byte_alignment)
                {
                    byte[] buffer = new byte[byte_alignment];
                    uint bytes_to_read = byte_alignment;
                    IntPtr ptrBytesRead;
                    ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (IntPtr)address, buffer, bytes_to_read, out ptrBytesRead);
                    bytesRead = ptrBytesRead.ToInt32();
                    aligned_array_list.Add(buffer);                    
                    address += byte_alignment;
                }

                //List<byte> big_array = new List<byte>();
                //foreach (byte[] aligned_array in aligned_array_list) { foreach (byte b in aligned_array) { big_array.Add(b); } }

                return new byte[] { };
            }
            catch (OutOfMemoryException ex)
            {
                logger.Error.WriteLine("ReadProcessMemory(): OutOfMemoryException");
                logger.Error.WriteLine(ex.ToString());
            }
            catch (Exception ex)
            {
                logger.Error.WriteLine("ReadProcessMemory(): Exception");
                logger.Error.WriteLine(ex.ToString());
            }
            return new byte[] { };
        }

        public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
        {
            IntPtr ptrBytesWritten;
            ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);

            bytesWritten = ptrBytesWritten.ToInt32();
        }


        /// <summary>
        /// ProcessMemoryReader is a class that enables direct reading a process memory
        /// </summary>
        class ProcessMemoryReaderApi
        {
            // constants information can be found in <winnt.h>
            [Flags]
            public enum ProcessAccessType
            {
                PROCESS_TERMINATE = (0x0001),
                PROCESS_CREATE_THREAD = (0x0002),
                PROCESS_SET_SESSIONID = (0x0004),
                PROCESS_VM_OPERATION = (0x0008),
                PROCESS_VM_READ = (0x0010),
                PROCESS_VM_WRITE = (0x0020),
                PROCESS_DUP_HANDLE = (0x0040),
                PROCESS_CREATE_PROCESS = (0x0080),
                PROCESS_SET_QUOTA = (0x0100),
                PROCESS_SET_INFORMATION = (0x0200),
                PROCESS_QUERY_INFORMATION = (0x0400)
            }

            // function declarations are found in the MSDN and in <winbase.h> 

            //          HANDLE OpenProcess(
            //                  DWORD dwDesiredAccess,  // access flag
            //                  BOOL bInheritHandle,    // handle inheritance option
            //                  DWORD dwProcessId       // process identifier
            //                  );
            [DllImport("kernel32.dll")]
            public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);

            //          BOOL CloseHandle(
            //                  HANDLE hObject   // handle to object
            //                  );
            [DllImport("kernel32.dll")]
            public static extern Int32 CloseHandle(IntPtr hObject);

            //          BOOL ReadProcessMemory(
            //                  HANDLE hProcess,              // handle to the process
            //                  LPCVOID lpBaseAddress,        // base of memory area
            //                  LPVOID lpBuffer,              // data buffer
            //                  SIZE_T nSize,                 // number of bytes to read
            //                  SIZE_T * lpNumberOfBytesRead  // number of bytes read
            //                  );
            [DllImport("kernel32.dll")]
            public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);

            //          BOOL WriteProcessMemory(
            //                  HANDLE hProcess,                // handle to process
            //                  LPVOID lpBaseAddress,           // base of memory area
            //                  LPCVOID lpBuffer,               // data buffer
            //                  SIZE_T nSize,                   // count of bytes to write
            //                  SIZE_T * lpNumberOfBytesWritten // count of bytes written
            //                  );
            [DllImport("kernel32.dll")]
            public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);


        }
    }
    #endregion
}
Revision:	162
Committed:	Mon May 28 07:12:37 2012 UTC (10 years, 10 months ago) by william
File size:	9017 byte(s)
Log Message:	+ add support to dump ram to file (even if it is ~2gb or more)
#	Content
1	using System;
2	using System.Collections.Generic;
3	using System.Text;
4	using System.Diagnostics;
5	using System.Threading;
6	using System.Runtime.InteropServices;
7	using RomCheater.Logging;
8	using RomCheater.Core;
9	using System.IO;
10
11	namespace Sojaner.MemoryScanner
12	{
13	// code borrowed from: http://www.codeproject.com/KB/cs/sojaner_memory_scanner.aspx
14	#region ProcessMemoryReader class
15	//Thanks goes to Arik Poznanski for P/Invokes and methods needed to read and write the Memory
16	//For more information refer to "Minesweeper, Behind the scenes" article by Arik Poznanski at Codeproject.com
17	public class ProcessMemoryReader
18	{
19
20	public ProcessMemoryReader()
21	{
22	}
23
24	/// <summary>
25	/// Process from which to read
26	/// </summary>
27	public Process ReadProcess
28	{
29	get
30	{
31	return m_ReadProcess;
32	}
33	set
34	{
35	m_ReadProcess = value;
36	}
37	}
38
39	private Process m_ReadProcess = null;
40
41	private IntPtr m_hProcess = IntPtr.Zero;
42
43	public void OpenProcess()
44	{
45	// m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id);
46	ProcessMemoryReaderApi.ProcessAccessType access;
47	access = ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_READ
48	\| ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_WRITE
49	\| ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_OPERATION;
50	m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
51	}
52
53	public void CloseHandle()
54	{
55	try
56	{
57	int iRetValue;
58	iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess);
59	if (iRetValue == 0)
60	{
61	throw new Exception("CloseHandle failed");
62	}
63	}
64	catch (Exception ex)
65	{
66	//System.Windows.Forms.MessageBox.Show(ex.Message, "error", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Warning);
67	throw ex;
68	}
69	}
70
71
72	public bool DumpMemory(string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead)
73	{
74	bytesRead = 0;
75	uint byte_alignment = 512; // 4mb alignment
76	uint address = MemoryAddress;
77	try
78	{
79	using (FileStream fs = new FileStream(filename, FileMode.OpenOrCreate, FileAccess.ReadWrite, FileShare.ReadWrite))
80	{
81	BinaryWriter bw = new BinaryWriter(fs);
82	//foreach (byte b in data) { bw.Write(b); }
83
84	for (uint i = 0; i <= bytesToRead; i += byte_alignment)
85	{
86	byte[] buffer = new byte[byte_alignment];
87	uint bytes_to_read = byte_alignment;
88	IntPtr ptrBytesRead;
89	ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (IntPtr)address, buffer, bytes_to_read, out ptrBytesRead);
90	bytesRead = ptrBytesRead.ToInt32();
91	bw.Write(buffer);
92	bw.Flush();
93	address += byte_alignment;
94	}
95	bw.Close();
96	}
97	return true;
98	}
99	catch (OutOfMemoryException ex)
100	{
101	logger.Error.WriteLine("DumpMemory(): OutOfMemoryException");
102	logger.Error.WriteLine(ex.ToString());
103	}
104	catch (Exception ex)
105	{
106	logger.Error.WriteLine("DumpMemory(): Exception");
107	logger.Error.WriteLine(ex.ToString());
108	}
109	return false;
110	}
111
112	public byte[] ReadProcessMemory(uint MemoryAddress, uint bytesToRead, out int bytesRead)
113	{
114	bytesRead = 0;
115	uint address = MemoryAddress;
116	List<byte[]> aligned_array_list = new List<byte[]>();
117	try
118	{
119	uint byte_alignment = 512; // 4mb alignment
120
121
122	for (uint i = 0; i <= bytesToRead; i += byte_alignment)
123	{
124	byte[] buffer = new byte[byte_alignment];
125	uint bytes_to_read = byte_alignment;
126	IntPtr ptrBytesRead;
127	ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, (IntPtr)address, buffer, bytes_to_read, out ptrBytesRead);
128	bytesRead = ptrBytesRead.ToInt32();
129	aligned_array_list.Add(buffer);
130	address += byte_alignment;
131	}
132
133	//List<byte> big_array = new List<byte>();
134	//foreach (byte[] aligned_array in aligned_array_list) { foreach (byte b in aligned_array) { big_array.Add(b); } }
135
136	return new byte[] { };
137	}
138	catch (OutOfMemoryException ex)
139	{
140	logger.Error.WriteLine("ReadProcessMemory(): OutOfMemoryException");
141	logger.Error.WriteLine(ex.ToString());
142	}
143	catch (Exception ex)
144	{
145	logger.Error.WriteLine("ReadProcessMemory(): Exception");
146	logger.Error.WriteLine(ex.ToString());
147	}
148	return new byte[] { };
149	}
150
151	public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
152	{
153	IntPtr ptrBytesWritten;
154	ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, (uint)bytesToWrite.Length, out ptrBytesWritten);
155
156	bytesWritten = ptrBytesWritten.ToInt32();
157	}
158
159
160	/// <summary>
161	/// ProcessMemoryReader is a class that enables direct reading a process memory
162	/// </summary>
163	class ProcessMemoryReaderApi
164	{
165	// constants information can be found in <winnt.h>
166	[Flags]
167	public enum ProcessAccessType
168	{
169	PROCESS_TERMINATE = (0x0001),
170	PROCESS_CREATE_THREAD = (0x0002),
171	PROCESS_SET_SESSIONID = (0x0004),
172	PROCESS_VM_OPERATION = (0x0008),
173	PROCESS_VM_READ = (0x0010),
174	PROCESS_VM_WRITE = (0x0020),
175	PROCESS_DUP_HANDLE = (0x0040),
176	PROCESS_CREATE_PROCESS = (0x0080),
177	PROCESS_SET_QUOTA = (0x0100),
178	PROCESS_SET_INFORMATION = (0x0200),
179	PROCESS_QUERY_INFORMATION = (0x0400)
180	}
181
182	// function declarations are found in the MSDN and in <winbase.h>
183
184	// HANDLE OpenProcess(
185	// DWORD dwDesiredAccess, // access flag
186	// BOOL bInheritHandle, // handle inheritance option
187	// DWORD dwProcessId // process identifier
188	// );
189	[DllImport("kernel32.dll")]
190	public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
191
192	// BOOL CloseHandle(
193	// HANDLE hObject // handle to object
194	// );
195	[DllImport("kernel32.dll")]
196	public static extern Int32 CloseHandle(IntPtr hObject);
197
198	// BOOL ReadProcessMemory(
199	// HANDLE hProcess, // handle to the process
200	// LPCVOID lpBaseAddress, // base of memory area
201	// LPVOID lpBuffer, // data buffer
202	// SIZE_T nSize, // number of bytes to read
203	// SIZE_T * lpNumberOfBytesRead // number of bytes read
204	// );
205	[DllImport("kernel32.dll")]
206	public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);
207
208	// BOOL WriteProcessMemory(
209	// HANDLE hProcess, // handle to process
210	// LPVOID lpBaseAddress, // base of memory area
211	// LPCVOID lpBuffer, // data buffer
212	// SIZE_T nSize, // count of bytes to write
213	// SIZE_T * lpNumberOfBytesWritten // count of bytes written
214	// );
215	[DllImport("kernel32.dll")]
216	public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);
217
218
219	}
220	}
221	#endregion
222	}