| 1 |
#region Logging Defines |
| 2 |
// include this any class or method that required logging, and comment-out what is not needed |
| 3 |
|
| 4 |
#region Enabled logging levels |
| 5 |
#define LOGGING_ENABLE_INFO |
| 6 |
#define LOGGING_ENABLE_WARN |
| 7 |
#define LOGGING_ENABLE_DEBUG |
| 8 |
#define LOGGING_ENABLE_VERBOSEDEBUG |
| 9 |
#define LOGGING_ENABLE_ERROR |
| 10 |
#define LOGGING_ENABLE_VERBOSEERROR |
| 11 |
//#define LOGGING_ENABLE_PROFILER |
| 12 |
#endregion |
| 13 |
#endregion |
| 14 |
using System; |
| 15 |
using System.Collections.Generic; |
| 16 |
using System.Text; |
| 17 |
using System.Diagnostics; |
| 18 |
using System.Threading; |
| 19 |
using System.Runtime.InteropServices; |
| 20 |
using RomCheater.Logging; |
| 21 |
using System.IO; |
| 22 |
using Sojaner.MemoryScanner.MemoryProviers; |
| 23 |
using Microsoft.Win32.SafeHandles; |
| 24 |
using Microsoft.Win32.Interop; |
| 25 |
using System.ComponentModel; |
| 26 |
using ManagedWinapi; |
| 27 |
using RomCheater.Interfaces; |
| 28 |
using Enterprise.Logging; |
| 29 |
|
| 30 |
namespace Sojaner.MemoryScanner |
| 31 |
{ |
| 32 |
// code borrowed from: http://www.codeproject.com/KB/cs/sojaner_memory_scanner.aspx |
| 33 |
#region ProcessMemoryReader class |
| 34 |
//Thanks goes to Arik Poznanski for P/Invokes and methods needed to read and write the Memory |
| 35 |
//For more information refer to "Minesweeper, Behind the scenes" article by Arik Poznanski at Codeproject.com |
| 36 |
internal class ProcessMemoryReader : IMemoryReader, IMemoryWriter, IFileWriter, IPatchMemory, IReadMemory, Events.IAcceptsBytesReadEvent |
| 37 |
{ |
| 38 |
// constants information can be found in <winnt.h> |
| 39 |
[Flags] |
| 40 |
enum ProcessAccessFlags : uint |
| 41 |
{ |
| 42 |
All = 0x001F0FFF, |
| 43 |
Terminate = 0x00000001, |
| 44 |
CreateThread = 0x00000002, |
| 45 |
VMOperation = 0x00000008, |
| 46 |
VMRead = 0x00000010, |
| 47 |
VMWrite = 0x00000020, |
| 48 |
DupHandle = 0x00000040, |
| 49 |
SetInformation = 0x00000200, |
| 50 |
QueryInformation = 0x00000400, |
| 51 |
Synchronize = 0x00100000 |
| 52 |
} |
| 53 |
[Flags] |
| 54 |
public enum AllocationProtect : uint |
| 55 |
{ |
| 56 |
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx |
| 57 |
NONE = 0, |
| 58 |
PAGE_NOACCESS = 0x00000001, |
| 59 |
PAGE_READONLY = 0x00000002, |
| 60 |
PAGE_READWRITE = 0x00000004, |
| 61 |
PAGE_WRITECOPY = 0x00000008, |
| 62 |
PAGE_EXECUTE = 0x00000010, |
| 63 |
PAGE_EXECUTE_READ = 0x00000020, |
| 64 |
PAGE_EXECUTE_READWRITE = 0x00000040, |
| 65 |
PAGE_EXECUTE_WRITECOPY = 0x00000080, |
| 66 |
PAGE_GUARD = 0x00000100, |
| 67 |
PAGE_NOCACHE = 0x00000200, |
| 68 |
PAGE_WRITECOMBINE = 0x00000400 |
| 69 |
} |
| 70 |
[StructLayout(LayoutKind.Sequential)] |
| 71 |
public struct MEMORY_BASIC_INFORMATION |
| 72 |
{ |
| 73 |
public IntPtr BaseAddress; |
| 74 |
public IntPtr AllocationBase; |
| 75 |
public AllocationProtect AllocationProtect; |
| 76 |
public IntPtr RegionSize; |
| 77 |
public uint State; |
| 78 |
public uint Protect; |
| 79 |
public uint Type; |
| 80 |
} |
| 81 |
|
| 82 |
public ProcessMemoryReader() |
| 83 |
{ |
| 84 |
} |
| 85 |
public event BaseEventHandler<Events.OnBytesReadEventArgs> OnBytesRead; |
| 86 |
/// <summary> |
| 87 |
/// Process from which to read |
| 88 |
/// </summary> |
| 89 |
public Process ReadProcess |
| 90 |
{ |
| 91 |
get |
| 92 |
{ |
| 93 |
return m_ReadProcess; |
| 94 |
} |
| 95 |
set |
| 96 |
{ |
| 97 |
m_ReadProcess = value; |
| 98 |
} |
| 99 |
} |
| 100 |
|
| 101 |
private Process m_ReadProcess = null; |
| 102 |
|
| 103 |
//SafeWaitHandle handle; |
| 104 |
//private IntPtr handle = IntPtr.Zero; |
| 105 |
//SafeWaitHandle m_hProcess; /* unused */ |
| 106 |
//public void OpenProcess() |
| 107 |
//{ |
| 108 |
// try |
| 109 |
// { |
| 110 |
// // m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id); |
| 111 |
// //if (!TokenAdjuster.AdjustProcessTokenPrivileges("SeDebugPrivilege")) |
| 112 |
// //{ |
| 113 |
// // logger.Warn.WriteLine("Failed to set SeDebugPrivilege on current process"); |
| 114 |
// //} |
| 115 |
// ProcessAccessFlags access; |
| 116 |
// access = ProcessAccessFlags.VMRead |
| 117 |
// | ProcessAccessFlags.VMWrite |
| 118 |
// | ProcessAccessFlags.VMOperation; |
| 119 |
// //m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id); |
| 120 |
// handle = ProcessMemoryReaderApi.OpenProcess(access, true, m_ReadProcess.Id); |
| 121 |
// //m_hProcess = new SafeWaitHandle(handle, false); |
| 122 |
// } |
| 123 |
// catch (SEHException ex) |
| 124 |
// { |
| 125 |
// logger.Error.WriteLine("WriteProcessMemoryToFile() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 126 |
// logger.Error.WriteLine(ex.ToString()); |
| 127 |
// throw ex; |
| 128 |
// } |
| 129 |
// catch (Exception ex) |
| 130 |
// { |
| 131 |
// logger.Error.WriteLine(ex.ToString()); |
| 132 |
// throw ex; |
| 133 |
// } |
| 134 |
//} |
| 135 |
|
| 136 |
//public void CloseHandle() |
| 137 |
//{ |
| 138 |
// try |
| 139 |
// { |
| 140 |
// ////if (handle.IsInvalid) { return; } |
| 141 |
// ////if (handle.IsClosed) { return; } |
| 142 |
// //m_hProcess.Close(); |
| 143 |
// //m_hProcess.Dispose(); |
| 144 |
// //m_hProcess = null; |
| 145 |
// //handle = IntPtr.Zero; |
| 146 |
// //m_ReadProcess = null; |
| 147 |
// //string stack_trace = System.Environment.StackTrace; |
| 148 |
// int iRetValue; |
| 149 |
// iRetValue = ProcessMemoryReaderApi.CloseHandle(handle); |
| 150 |
// handle = IntPtr.Zero; |
| 151 |
// ReadProcess = null; |
| 152 |
// if (iRetValue == 0) |
| 153 |
// { |
| 154 |
// throw new Exception("CloseHandle failed"); |
| 155 |
// } |
| 156 |
// } |
| 157 |
// catch (SEHException ex) |
| 158 |
// { |
| 159 |
// logger.Error.WriteLine("WriteProcessMemoryToFile() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 160 |
// logger.Error.WriteLine(ex.ToString()); |
| 161 |
// throw ex; |
| 162 |
// } |
| 163 |
// catch (Exception ex) |
| 164 |
// { |
| 165 |
// logger.Error.WriteLine(ex.ToString()); |
| 166 |
// throw ex; |
| 167 |
// } |
| 168 |
//} |
| 169 |
///// <summary> |
| 170 |
///// ProcessMemoryReader is a class that enables direct reading a process memory |
| 171 |
///// </summary> |
| 172 |
//private class ProcessMemoryReaderApi |
| 173 |
////{ |
| 174 |
//[DllImport("kernel32.dll")] |
| 175 |
//public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength); |
| 176 |
|
| 177 |
// // function declarations are found in the MSDN and in <winbase.h> |
| 178 |
|
| 179 |
// // HANDLE OpenProcess( |
| 180 |
// // DWORD dwDesiredAccess, // access flag |
| 181 |
// // BOOL bInheritHandle, // handle inheritance option |
| 182 |
// // DWORD dwProcessId // process identifier |
| 183 |
// // ); |
| 184 |
// [DllImport("kernel32.dll")] |
| 185 |
// public static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId); |
| 186 |
|
| 187 |
// // BOOL CloseHandle( |
| 188 |
// // HANDLE hObject // handle to object |
| 189 |
// // ); |
| 190 |
// [DllImport("kernel32.dll")] |
| 191 |
// public static extern Int32 CloseHandle(IntPtr hObject); |
| 192 |
|
| 193 |
// // BOOL ReadProcessMemory( |
| 194 |
// // HANDLE hProcess, // handle to the process |
| 195 |
// // LPCVOID lpBaseAddress, // base of memory area |
| 196 |
// // LPVOID lpBuffer, // data buffer |
| 197 |
// // SIZE_T nSize, // number of bytes to read |
| 198 |
// // SIZE_T * lpNumberOfBytesRead // number of bytes read |
| 199 |
// // ); |
| 200 |
// [DllImport("kernel32.dll", SetLastError = true)] |
| 201 |
// public static extern bool ReadProcessMemory( |
| 202 |
// IntPtr hProcess, |
| 203 |
// IntPtr lpBaseAddress, |
| 204 |
// [Out] byte[] lpBuffer, |
| 205 |
// uint dwSize, |
| 206 |
// out int lpNumberOfBytesRead |
| 207 |
// ); |
| 208 |
|
| 209 |
// // BOOL WriteProcessMemory( |
| 210 |
// // HANDLE hProcess, // handle to process |
| 211 |
// // LPVOID lpBaseAddress, // base of memory area |
| 212 |
// // LPCVOID lpBuffer, // data buffer |
| 213 |
// // SIZE_T nSize, // count of bytes to write |
| 214 |
// // SIZE_T * lpNumberOfBytesWritten // count of bytes written |
| 215 |
// // ); |
| 216 |
// [DllImport("kernel32.dll", SetLastError = true)] |
| 217 |
// public static extern bool WriteProcessMemory( |
| 218 |
// IntPtr hProcess, |
| 219 |
// IntPtr lpBaseAddress, |
| 220 |
// byte[] lpBuffer, |
| 221 |
// uint nSize, |
| 222 |
// out UIntPtr lpNumberOfBytesWritten); |
| 223 |
|
| 224 |
|
| 225 |
//} |
| 226 |
|
| 227 |
#region IMemoryReader Members |
| 228 |
#region public bool ReadFirstNonZeroByte(uint MemoryAddress, uint bytesToRead, out int address) |
| 229 |
public bool ReadFirstNonZeroByte(ulong MemoryAddress, ulong bytesToRead, out ulong address) |
| 230 |
{ |
| 231 |
//logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName)); |
| 232 |
address = 0; |
| 233 |
uint byte_alignment = 1; |
| 234 |
// get common init parameters |
| 235 |
//InitMemoryDump(out byte_alignment); |
| 236 |
ulong mem_address = MemoryAddress; |
| 237 |
ulong _bytesToRead = bytesToRead; |
| 238 |
byte[] buffer = new byte[] { }; |
| 239 |
try |
| 240 |
{ |
| 241 |
//using (MemoryStream ms = new MemoryStream()) |
| 242 |
//{ |
| 243 |
// //BinaryWriter bw = new BinaryWriter(ms); |
| 244 |
// //foreach (byte b in data) { bw.Write(b); } |
| 245 |
for (ulong i = 0; i <= bytesToRead; ) |
| 246 |
{ |
| 247 |
if (_bytesToRead < byte_alignment) |
| 248 |
{ |
| 249 |
_bytesToRead = bytesToRead; |
| 250 |
buffer = new byte[_bytesToRead]; |
| 251 |
} |
| 252 |
else |
| 253 |
{ |
| 254 |
_bytesToRead = byte_alignment; |
| 255 |
buffer = new byte[byte_alignment]; |
| 256 |
} |
| 257 |
ulong bytesRead = 0; |
| 258 |
ReadProcessMemory(mem_address, _bytesToRead, out bytesRead, out buffer); |
| 259 |
if (buffer.Length == 0 && bytesRead == 0) |
| 260 |
{ |
| 261 |
throw new Exception(string.Format("Failed to read memory from process: {0}", ReadProcess.ToString())); |
| 262 |
} |
| 263 |
//bw.Write(buffer); |
| 264 |
//bw.Flush(); |
| 265 |
if (_bytesToRead < byte_alignment) |
| 266 |
{ |
| 267 |
i += _bytesToRead; |
| 268 |
mem_address += (ulong)_bytesToRead; |
| 269 |
} |
| 270 |
else |
| 271 |
{ |
| 272 |
i += byte_alignment; |
| 273 |
mem_address += (ulong)byte_alignment; |
| 274 |
} |
| 275 |
for (uint j = 0; j < buffer.Length; j++) |
| 276 |
{ |
| 277 |
if (buffer[j] != 0) |
| 278 |
{ |
| 279 |
address = mem_address; |
| 280 |
break; |
| 281 |
} |
| 282 |
} |
| 283 |
if (address != 0) |
| 284 |
break; |
| 285 |
} |
| 286 |
// bw.Close(); |
| 287 |
//} |
| 288 |
//logger.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({2})", MemoryAddress, MemoryAddress + bytesToRead, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName)); |
| 289 |
return true; |
| 290 |
} |
| 291 |
catch (SEHException ex) |
| 292 |
{ |
| 293 |
gLog.Error.WriteLine("ReadFirstNonZeroByte() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 294 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 295 |
throw ex; |
| 296 |
} |
| 297 |
catch (OutOfMemoryException ex) |
| 298 |
{ |
| 299 |
gLog.Error.WriteLine("ReadFirstNonZeroByte(): OutOfMemoryException"); |
| 300 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 301 |
} |
| 302 |
catch (Exception ex) |
| 303 |
{ |
| 304 |
gLog.Error.WriteLine("ReadFirstNonZeroByte(): Exception"); |
| 305 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 306 |
throw ex; |
| 307 |
} |
| 308 |
return false; |
| 309 |
} |
| 310 |
#endregion |
| 311 |
|
| 312 |
|
| 313 |
public List<MEMORY_REGION_INFORMATION> QueryMemoryRegions(ulong start, ulong size) |
| 314 |
{ |
| 315 |
List<MEMORY_REGION_INFORMATION> regions = new List<MEMORY_REGION_INFORMATION>(); |
| 316 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)0, 0)) |
| 317 |
{ |
| 318 |
regions = mem.QueryMemoryRegions(start, size); |
| 319 |
} |
| 320 |
return regions; |
| 321 |
} |
| 322 |
|
| 323 |
public void UpdateAddressArray(ulong[] addresses, ulong size, out byte[][] values) |
| 324 |
{ |
| 325 |
// size = size of data to read at each address |
| 326 |
values = new byte[addresses.Length][]; |
| 327 |
for (int x = 0; x < values.Length; x++) { values[x] = new byte[size]; } |
| 328 |
|
| 329 |
for (ulong i = 0; i < (ulong)addresses.Length; i++) |
| 330 |
{ |
| 331 |
byte[] data = new byte[size]; |
| 332 |
ulong bytesRead = 0; |
| 333 |
var address = addresses[i]; |
| 334 |
this.ReadProcessMemory(address, size, out bytesRead, out data); |
| 335 |
values[i] = data; |
| 336 |
} |
| 337 |
} |
| 338 |
|
| 339 |
|
| 340 |
public void ReadProcessMemoryAtOnce(ulong MemoryAddress, ulong bytesToRead, object UserState) |
| 341 |
{ |
| 342 |
const uint size = 128; |
| 343 |
//int count = 0; |
| 344 |
for (ulong j = MemoryAddress; j < (MemoryAddress + bytesToRead); j += size) |
| 345 |
{ |
| 346 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)j, (int)size)) |
| 347 |
{ |
| 348 |
byte[] bigMem = mem.Read(); |
| 349 |
//count += bigMem.Length; |
| 350 |
if (this.OnBytesRead != null) |
| 351 |
{ |
| 352 |
Events.OnBytesReadEventArgs t = new Events.OnBytesReadEventArgs(this, UserState, bigMem, j, bytesToRead); |
| 353 |
this.OnBytesRead.Invoke(t); |
| 354 |
if (t.Canceled) |
| 355 |
{ |
| 356 |
bigMem = null; |
| 357 |
break; |
| 358 |
} |
| 359 |
|
| 360 |
} |
| 361 |
bigMem = null; |
| 362 |
} |
| 363 |
} |
| 364 |
} |
| 365 |
public void ReadProcessMemoryAtOnce(ulong MemoryAddress, ulong bytesToRead, out ulong bytesRead, out byte[] data) |
| 366 |
{ |
| 367 |
Stopwatch st = new Stopwatch(); |
| 368 |
st.Start(); |
| 369 |
List<byte> buffer_list = new List<byte>(); |
| 370 |
const uint size = 16; |
| 371 |
for (ulong j = MemoryAddress; j < (MemoryAddress + bytesToRead); j += size) |
| 372 |
{ |
| 373 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)j, (int)size)) |
| 374 |
{ |
| 375 |
byte[] bigMem = mem.Read(); |
| 376 |
foreach (byte b in bigMem) { buffer_list.Add(b); } |
| 377 |
bigMem = null; |
| 378 |
} |
| 379 |
} |
| 380 |
bytesRead = (ulong)buffer_list.Count; |
| 381 |
data = new byte[bytesToRead]; |
| 382 |
data.Initialize(); |
| 383 |
Buffer.BlockCopy(buffer_list.ToArray(), 0, data, 0, (int)bytesToRead); |
| 384 |
st.Stop(); |
| 385 |
gLog.Profiler.WriteLine("ReadProcessMemoryAtOnce(): start=0x{0:x8} end=0x{1:x8} took {2:0.0000} seconds", MemoryAddress, MemoryAddress + bytesToRead, st.Elapsed.TotalSeconds); |
| 386 |
} |
| 387 |
#region public void ReadProcessMemory(int MemoryAddress, uint bytesToRead, out int bytesRead, out byte[] data) |
| 388 |
public void ReadProcessMemory(long MemoryAddress, long bytesToRead, out ulong bytesRead, out byte[] data) |
| 389 |
{ |
| 390 |
ReadProcessMemory((ulong)MemoryAddress, (ulong)bytesToRead, out bytesRead, out data); |
| 391 |
} |
| 392 |
public void ReadProcessMemory(ulong MemoryAddress, ulong bytesToRead, out ulong bytesRead, out byte[] data) |
| 393 |
{ |
| 394 |
try |
| 395 |
{ |
| 396 |
ReadProcessMemoryAtOnce(MemoryAddress, bytesToRead, out bytesRead, out data); |
| 397 |
} |
| 398 |
catch (SEHException ex) |
| 399 |
{ |
| 400 |
gLog.Error.WriteLine("ReadProcessMemory() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 401 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 402 |
throw ex; |
| 403 |
} |
| 404 |
catch (Exception ex) |
| 405 |
{ |
| 406 |
gLog.Error.WriteLine("ReadProcessMemory(): Exception"); |
| 407 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 408 |
throw ex; |
| 409 |
} |
| 410 |
} |
| 411 |
#endregion |
| 412 |
#endregion |
| 413 |
|
| 414 |
#region IMemoryWriter Members |
| 415 |
#region public void WriteProcessMemory(uint MemoryAddress, byte[] bytesToWrite, out int bytesWritten) |
| 416 |
public void WriteProcessMemory(long MemoryAddress, byte[] bytesToWrite, out ulong bytesWritten) |
| 417 |
{ |
| 418 |
ulong _bytesWritten = 0; |
| 419 |
WriteProcessMemory((ulong)MemoryAddress, bytesToWrite, out _bytesWritten); |
| 420 |
bytesWritten = (ulong)_bytesWritten; |
| 421 |
} |
| 422 |
public void WriteProcessMemory(ulong MemoryAddress, byte[] bytesToWrite, out ulong bytesWritten) |
| 423 |
{ |
| 424 |
try |
| 425 |
{ |
| 426 |
//uint _bytesWritten = 0; |
| 427 |
ulong _MemoryAddress = MemoryAddress; |
| 428 |
|
| 429 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)MemoryAddress, (int)bytesToWrite.Length)) |
| 430 |
{ |
| 431 |
mem.Write(0, bytesToWrite); |
| 432 |
} |
| 433 |
bytesWritten = (uint)bytesToWrite.Length; |
| 434 |
} |
| 435 |
catch (SEHException ex) |
| 436 |
{ |
| 437 |
gLog.Error.WriteLine("WriteProcessMemory() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 438 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 439 |
throw ex; |
| 440 |
} |
| 441 |
catch (Exception ex) |
| 442 |
{ |
| 443 |
|
| 444 |
gLog.Error.WriteLine("WriteProcessMemory() Exception"); |
| 445 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 446 |
bytesWritten = 0; |
| 447 |
throw ex; |
| 448 |
} |
| 449 |
} |
| 450 |
#endregion |
| 451 |
#endregion |
| 452 |
|
| 453 |
#region IFileWriter Members |
| 454 |
#region public bool WriteProcessMemoryToFile(string filename, uint MemoryAddress, uint bytesToRead, out int bytesRead) |
| 455 |
public bool WriteProcessMemoryToFile(string filename, ulong MemoryAddress, ulong bytesToRead, out ulong bytesRead) |
| 456 |
{ |
| 457 |
//logger.Info.WriteLine("Dumping memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ppid.Id, ppid.ProcessName)); |
| 458 |
bytesRead = 0; |
| 459 |
ulong _bytesRead = 0; |
| 460 |
//uint byte_alignment = 102400; |
| 461 |
ulong address = MemoryAddress; |
| 462 |
//ulong _bytesToRead = bytesToRead; |
| 463 |
byte[] buffer = new byte[] { }; |
| 464 |
try |
| 465 |
{ |
| 466 |
const ulong MEM_1KB = 1024; |
| 467 |
const ulong MEM_1MB = MEM_1KB * MEM_1KB; |
| 468 |
const ulong ByteChunkSize = MEM_1MB * 32; |
| 469 |
FileInfo fi = new FileInfo(filename); |
| 470 |
if (fi.Exists) |
| 471 |
fi.Delete(); |
| 472 |
using (FileStream fs = new FileStream(filename, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.ReadWrite)) |
| 473 |
{ |
| 474 |
using (BinaryWriter bw = new BinaryWriter(fs)) |
| 475 |
{ |
| 476 |
ulong addr = MemoryAddress; |
| 477 |
for (ulong i = 0; i < bytesToRead; i += ByteChunkSize) |
| 478 |
{ |
| 479 |
addr += i; |
| 480 |
this.ReadProcessMemory(addr, ByteChunkSize, out bytesRead, out buffer); |
| 481 |
if (bytesRead == ByteChunkSize) |
| 482 |
{ |
| 483 |
_bytesRead += ByteChunkSize; |
| 484 |
foreach (var b in buffer) |
| 485 |
{ |
| 486 |
bw.Write(b); |
| 487 |
} |
| 488 |
} |
| 489 |
else |
| 490 |
{ |
| 491 |
throw new InvalidOperationException("Failed to read a byte from memory"); |
| 492 |
} |
| 493 |
} |
| 494 |
bw.Flush(); |
| 495 |
bw.Close(); |
| 496 |
} |
| 497 |
bytesRead = _bytesRead; |
| 498 |
} |
| 499 |
gLog.Info.WriteLine("Succefully dumped memory (0x{0:x8}-0x{1:x8}) from pid=({3}) to file {2}", MemoryAddress, MemoryAddress + bytesToRead, filename, string.Format("0x{0:x4} {1}.exe", ReadProcess.Id, ReadProcess.ProcessName)); |
| 500 |
return true; |
| 501 |
} |
| 502 |
catch (SEHException ex) |
| 503 |
{ |
| 504 |
gLog.Error.WriteLine("WriteProcessMemoryToFile() SEHException was thrown: (0x{0:x8}) - {1}", ex.ErrorCode, ex.Message); |
| 505 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 506 |
throw ex; |
| 507 |
} |
| 508 |
catch (OutOfMemoryException ex) |
| 509 |
{ |
| 510 |
gLog.Error.WriteLine("WriteProcessMemoryToFile(): Exception"); |
| 511 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 512 |
} |
| 513 |
catch (Exception ex) |
| 514 |
{ |
| 515 |
gLog.Error.WriteLine("WriteProcessMemoryToFile(): Exception"); |
| 516 |
gLog.Verbose.Error.WriteLine(ex.ToString()); |
| 517 |
throw ex; |
| 518 |
} |
| 519 |
return false; |
| 520 |
} |
| 521 |
#endregion |
| 522 |
#endregion |
| 523 |
|
| 524 |
#region IPatchMemory members |
| 525 |
#region public virtual bool PatchMemory(uint address, byte value) |
| 526 |
public virtual bool PatchMemory(ulong address, byte value) |
| 527 |
{ |
| 528 |
byte[] bitData = BitConverter.GetBytes(value); |
| 529 |
//UIntPtr ptrBytesWritten; |
| 530 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 531 |
{ |
| 532 |
mem.Write(0, bitData); |
| 533 |
} |
| 534 |
//ProcessMemoryReaderApi.WriteProcessMemory(handle, (IntPtr)address, bitData, (uint)bitData.Length, out ptrBytesWritten); |
| 535 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 536 |
// return false; |
| 537 |
byte check = 0; |
| 538 |
ReadMemory(address, out check); |
| 539 |
if (check == value) return true; |
| 540 |
return false; |
| 541 |
} |
| 542 |
#endregion |
| 543 |
#region public virtual bool PatchMemory(uint address, sbyte value) |
| 544 |
public virtual bool PatchMemory(ulong address, sbyte value) |
| 545 |
{ |
| 546 |
byte[] bitData = BitConverter.GetBytes(value); |
| 547 |
//UIntPtr ptrBytesWritten; |
| 548 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 549 |
{ |
| 550 |
mem.Write(0, bitData); |
| 551 |
} |
| 552 |
//ProcessMemoryReaderApi.WriteProcessMemory(handle, (IntPtr)address, bitData, (uint)bitData.Length, out ptrBytesWritten); |
| 553 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 554 |
// return false; |
| 555 |
sbyte check = 0; |
| 556 |
ReadMemory(address, out check); |
| 557 |
if (check == value) return true; |
| 558 |
return false; |
| 559 |
} |
| 560 |
#endregion |
| 561 |
#region public virtual bool PatchMemory(uint address, ushort value) |
| 562 |
public virtual bool PatchMemory(ulong address, ushort value) |
| 563 |
{ |
| 564 |
byte[] bitData = BitConverter.GetBytes(value); |
| 565 |
//UIntPtr ptrBytesWritten; |
| 566 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 567 |
{ |
| 568 |
mem.Write(0, bitData); |
| 569 |
} |
| 570 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 571 |
// return false; |
| 572 |
ushort check = 0; |
| 573 |
ReadMemory(address, out check); |
| 574 |
if (check == value) return true; |
| 575 |
return false; |
| 576 |
} |
| 577 |
#endregion |
| 578 |
#region public virtual bool PatchMemory(uint address, short value) |
| 579 |
public virtual bool PatchMemory(ulong address, short value) |
| 580 |
{ |
| 581 |
byte[] bitData = BitConverter.GetBytes(value); |
| 582 |
//UIntPtr ptrBytesWritten; |
| 583 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 584 |
{ |
| 585 |
mem.Write(0, bitData); |
| 586 |
} |
| 587 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 588 |
// return false; |
| 589 |
short check = 0; |
| 590 |
ReadMemory(address, out check); |
| 591 |
if (check == value) return true; |
| 592 |
return false; |
| 593 |
} |
| 594 |
#endregion |
| 595 |
#region public virtual bool PatchMemory(uint address, uint value) |
| 596 |
public virtual bool PatchMemory(ulong address, uint value) |
| 597 |
{ |
| 598 |
byte[] bitData = BitConverter.GetBytes(value); |
| 599 |
//UIntPtr ptrBytesWritten; |
| 600 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 601 |
{ |
| 602 |
mem.Write(0, bitData); |
| 603 |
} |
| 604 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 605 |
// return false; |
| 606 |
uint check = 0; |
| 607 |
ReadMemory(address, out check); |
| 608 |
if (check == value) return true; |
| 609 |
return false; |
| 610 |
} |
| 611 |
#endregion |
| 612 |
#region public virtual bool PatchMemory(uint address, int value) |
| 613 |
public virtual bool PatchMemory(ulong address, int value) |
| 614 |
{ |
| 615 |
byte[] bitData = BitConverter.GetBytes(value); |
| 616 |
//UIntPtr ptrBytesWritten; |
| 617 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 618 |
{ |
| 619 |
mem.Write(0, bitData); |
| 620 |
} |
| 621 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 622 |
// return false; |
| 623 |
int check = 0; |
| 624 |
ReadMemory(address, out check); |
| 625 |
if (check == value) return true; |
| 626 |
return false; |
| 627 |
} |
| 628 |
#endregion |
| 629 |
#region public virtual bool PatchMemory(uint address, ulong value) |
| 630 |
public virtual bool PatchMemory(ulong address, ulong value) |
| 631 |
{ |
| 632 |
byte[] bitData = BitConverter.GetBytes(value); |
| 633 |
//UIntPtr ptrBytesWritten; |
| 634 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 635 |
{ |
| 636 |
mem.Write(0, bitData); |
| 637 |
} |
| 638 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 639 |
// return false; |
| 640 |
ulong check = 0; |
| 641 |
ReadMemory(address, out check); |
| 642 |
if (check == value) return true; |
| 643 |
return false; |
| 644 |
} |
| 645 |
#endregion |
| 646 |
#region public virtual bool PatchMemory(uint address, long value) |
| 647 |
public virtual bool PatchMemory(ulong address, long value) |
| 648 |
{ |
| 649 |
byte[] bitData = BitConverter.GetBytes(value); |
| 650 |
//UIntPtr ptrBytesWritten; |
| 651 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address,(int)bitData.Length)) |
| 652 |
{ |
| 653 |
mem.Write(0, bitData); |
| 654 |
} |
| 655 |
//if (ptrBytesWritten.ToUInt32() == 0) |
| 656 |
// return false; |
| 657 |
long check = 0; |
| 658 |
ReadMemory(address, out check); |
| 659 |
if (check == value) return true; |
| 660 |
return false; |
| 661 |
} |
| 662 |
#endregion |
| 663 |
#endregion |
| 664 |
|
| 665 |
#region IReadMemory members |
| 666 |
#region public virtual bool ReadMemory(uint address, out byte value) |
| 667 |
public virtual bool ReadMemory(ulong address, out byte value) |
| 668 |
{ |
| 669 |
value = 0; |
| 670 |
try |
| 671 |
{ |
| 672 |
//int bytesRead; |
| 673 |
uint size = sizeof(byte); |
| 674 |
byte[] bitData = new byte[size]; |
| 675 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 676 |
{ |
| 677 |
bitData = mem.Read(0, (int)size); |
| 678 |
} |
| 679 |
//if (bytesRead == 0) |
| 680 |
// return false; |
| 681 |
value = bitData[0]; |
| 682 |
return true; |
| 683 |
} |
| 684 |
catch |
| 685 |
{ |
| 686 |
value = 0x00; |
| 687 |
return false; |
| 688 |
} |
| 689 |
} |
| 690 |
#endregion |
| 691 |
#region public virtual bool ReadMemory(uint address, out sbyte value) |
| 692 |
public virtual bool ReadMemory(ulong address, out sbyte value) |
| 693 |
{ |
| 694 |
value = 0; |
| 695 |
try |
| 696 |
{ |
| 697 |
//int bytesRead; |
| 698 |
uint size = sizeof(sbyte); |
| 699 |
byte[] bitData = new byte[size]; |
| 700 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 701 |
{ |
| 702 |
bitData = mem.Read(0, (int)size); |
| 703 |
} |
| 704 |
//if (bytesRead == 0) |
| 705 |
// return false; |
| 706 |
value = Convert.ToSByte(bitData[0]); |
| 707 |
return true; |
| 708 |
} |
| 709 |
catch |
| 710 |
{ |
| 711 |
value = 0x00; |
| 712 |
return false; |
| 713 |
} |
| 714 |
} |
| 715 |
#endregion |
| 716 |
#region public virtual bool ReadMemory(uint address, out ushort value) |
| 717 |
public virtual bool ReadMemory(ulong address, out ushort value) |
| 718 |
{ |
| 719 |
value = 0; |
| 720 |
try |
| 721 |
{ |
| 722 |
//int bytesRead; |
| 723 |
uint size = sizeof(ushort); |
| 724 |
byte[] bitData = new byte[size]; |
| 725 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 726 |
{ |
| 727 |
bitData = mem.Read(0, (int)size); |
| 728 |
} |
| 729 |
//if (bytesRead == 0) |
| 730 |
// return false; |
| 731 |
value = BitConverter.ToUInt16(bitData, 0); |
| 732 |
return true; |
| 733 |
} |
| 734 |
catch |
| 735 |
{ |
| 736 |
value = 0x00; |
| 737 |
return false; |
| 738 |
} |
| 739 |
} |
| 740 |
#endregion |
| 741 |
#region public virtual bool ReadMemory(uint address, out short value) |
| 742 |
public virtual bool ReadMemory(ulong address, out short value) |
| 743 |
{ |
| 744 |
value = 0; |
| 745 |
try |
| 746 |
{ |
| 747 |
//int bytesRead; |
| 748 |
uint size = sizeof(short); |
| 749 |
byte[] bitData = new byte[size]; |
| 750 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 751 |
{ |
| 752 |
bitData = mem.Read(0, (int)size); |
| 753 |
} |
| 754 |
//if (bytesRead == 0) |
| 755 |
// return false; |
| 756 |
value = BitConverter.ToInt16(bitData, 0); |
| 757 |
return true; |
| 758 |
} |
| 759 |
catch |
| 760 |
{ |
| 761 |
value = 0x00; |
| 762 |
return false; |
| 763 |
} |
| 764 |
} |
| 765 |
#endregion |
| 766 |
#region public virtual bool ReadMemory(uint address, out uint value) |
| 767 |
public virtual bool ReadMemory(ulong address, out uint value) |
| 768 |
{ |
| 769 |
value = 0; |
| 770 |
try |
| 771 |
{ |
| 772 |
//int bytesRead; |
| 773 |
uint size = sizeof(uint); |
| 774 |
byte[] bitData = new byte[size]; |
| 775 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 776 |
{ |
| 777 |
bitData = mem.Read(0, (int)size); |
| 778 |
} |
| 779 |
//if (bytesRead == 0) |
| 780 |
// return false; |
| 781 |
value = BitConverter.ToUInt32(bitData, 0); |
| 782 |
return true; |
| 783 |
} |
| 784 |
catch |
| 785 |
{ |
| 786 |
value = 0x00; |
| 787 |
return false; |
| 788 |
} |
| 789 |
} |
| 790 |
#endregion |
| 791 |
#region public virtual bool ReadMemory(uint address, out int value) |
| 792 |
public virtual bool ReadMemory(ulong address, out int value) |
| 793 |
{ |
| 794 |
value = 0; |
| 795 |
try |
| 796 |
{ |
| 797 |
//int bytesRead; |
| 798 |
uint size = sizeof(int); |
| 799 |
byte[] bitData = new byte[size]; |
| 800 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 801 |
{ |
| 802 |
bitData = mem.Read(0, (int)size); |
| 803 |
} |
| 804 |
//if (bytesRead == 0) |
| 805 |
// return false; |
| 806 |
value = BitConverter.ToInt32(bitData, 0); |
| 807 |
return true; |
| 808 |
} |
| 809 |
catch |
| 810 |
{ |
| 811 |
value = 0x00; |
| 812 |
return false; |
| 813 |
} |
| 814 |
} |
| 815 |
#endregion |
| 816 |
#region public virtual bool ReadMemory(uint address, out ulong value) |
| 817 |
public virtual bool ReadMemory(ulong address, out ulong value) |
| 818 |
{ |
| 819 |
value = 0; |
| 820 |
try |
| 821 |
{ |
| 822 |
//int bytesRead; |
| 823 |
uint size = sizeof(ulong); |
| 824 |
byte[] bitData = new byte[size]; |
| 825 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 826 |
{ |
| 827 |
bitData = mem.Read(0, (int)size); |
| 828 |
} |
| 829 |
//if (bytesRead == 0) |
| 830 |
// return false; |
| 831 |
value = BitConverter.ToUInt64(bitData, 0); |
| 832 |
return true; |
| 833 |
} |
| 834 |
catch |
| 835 |
{ |
| 836 |
value = 0x00; |
| 837 |
return false; |
| 838 |
} |
| 839 |
} |
| 840 |
#endregion |
| 841 |
#region public virtual bool ReadMemory(uint address, out long value) |
| 842 |
public virtual bool ReadMemory(ulong address, out long value) |
| 843 |
{ |
| 844 |
value = 0; |
| 845 |
try |
| 846 |
{ |
| 847 |
// int bytesRead; |
| 848 |
uint size = sizeof(long); |
| 849 |
byte[] bitData = new byte[size]; |
| 850 |
using (ProcessMemoryChunk mem = new ProcessMemoryChunk(m_ReadProcess, (IntPtr)address, (int)size)) |
| 851 |
{ |
| 852 |
bitData = mem.Read(0, (int)size); |
| 853 |
} |
| 854 |
//if (bytesRead == 0) |
| 855 |
// return false; |
| 856 |
value = BitConverter.ToInt64(bitData, 0); |
| 857 |
return true; |
| 858 |
} |
| 859 |
catch |
| 860 |
{ |
| 861 |
value = 0x00; |
| 862 |
return false; |
| 863 |
} |
| 864 |
} |
| 865 |
#endregion |
| 866 |
#endregion |
| 867 |
} |
| 868 |
#endregion |
| 869 |
} |
