C# Memory Scanning

tarafından **EMO** Perş. Haz. 02, 2011 9:01 am

Alright, so I've seen plenty of these posts on the forums, but I haven't found one with a straight up answer. Here is my code:

Code:

[DllImport("kernel32.dll")]

internal static extern Int32 VirtualQueryEx(IntPtr hProcess, IntPtr
lpAddress, out Memory.MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

private MEMORY_BASIC_INFORMATION MBI;

[StructLayout(LayoutKind.Sequential)]

public struct MEMORY_BASIC_INFORMATION

{

public IntPtr BaseAddress;

public IntPtr AllocationBase;

public uint AllocationProtect;

public IntPtr RegionSize;

public uint State;

public uint Protect;

public uint Type;

}

public int AOBScan(byte[] bBytesToSearch, long iStartAddress = 0, long iEndAddress = 0x7FFFFFFF)

{

long iAddress = iStartAddress; IntPtr ptrBytesRead; byte[] bBuffer;

do

{

int iRead = API.VirtualQueryEx(hReadProcess, (IntPtr)iAddress, out MBI, (uint)Marshal.SizeOf(MBI));

if ((iRead > 0) && ((int)MBI.RegionSize > 0))

{

bBuffer = new byte[(int)MBI.RegionSize];

API.ReadProcessMemory(hReadProcess, MBI.BaseAddress, bBuffer, (uint)bBuffer.Length, out ptrBytesRead);

//Search Buffer for specified bytes. Not included so I don't have to include the FindBytesinByteArray function.

}

iAddress = (long)(MBI.BaseAddress.ToInt64() + MBI.RegionSize.ToInt64());

} while (iAddress <= iEndAddress);

return 0;

}

To be clear, this code WORKS, however, I feel like I should add
something to it to make it safer/easier to use/debug. I haven't included
any Types like MEM_PRIVATE, etc., or States like MEM_COMMIT, etc..
Should these be added or should any additional checks be made within the
function? Sorry if I'm being unclear. I'm simply asking if there's
anything I've overlooked that I should include as a good practice.

Also, I've seen many different DLLImports for this function. This one
seems to work while the others didn't, but just to make sure, is this
correct, or will I somehow lose some data when it's in the wrong format?
I'm more concerned about the struct than the import itself.

-------------------------------------------------------------------------

This is how I did it a while back:

Code:

using System;

using System.Collections.Generic;

using System.Diagnostics;

using System.Linq;

using System.Runtime.InteropServices;

using System.Text;

using Microsoft.Win32.SafeHandles;

//

// sigScan C# Implementation - Written by atom0s [aka Wiccaan]

// Class Version: 2.0.0

//

// [ CHANGE LOG ] -------------------------------------------------------------------------

//

// 2.0.0

// - Updated to no longer require unsafe or fixed code.

// - Removed unneeded methods and code.

//

// 1.0.0

// - First version written and release.

//

// [ CREDITS ] ----------------------------------------------------------------------------

//

// sigScan is based on the FindPattern code written by

// dom1n1k and Patrick at GameDeception.net

//

// Full credit to them for the purpose of this code. I, atom0s, simply

// take credit for converting it to C#.

//

// [ USAGE ] ------------------------------------------------------------------------------

//

// Examples:

//

// SigScan _sigScan = new SigScan();

// _sigScan.Process = someProc;

// _sigScan.Address = new IntPtr(0x123456);

// _sigScan.Size = 0x1000;

// IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);

//

// SigScan _sigScan = new SigScan(someProc, new IntPtr(0x123456), 0x1000);

// IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);

//

// ----------------------------------------------------------------------------------------

namespace SigScan.Classes

{

public class SigScan

{

///

/// ReadProcessMemory

///

/// API import definition for ReadProcessMemory.

///

/// Handle to the process we want to read from.

/// The base address to start reading from.

/// The return buffer to write the read data to.

/// The size of data we wish to read.

/// The number of bytes successfully read.

///

[DllImport("kernel32.dll", SetLastError = true)]

private static extern bool ReadProcessMemory(

IntPtr hProcess,

IntPtr lpBaseAddress,

[Out()] byte[] lpBuffer,

int dwSize,

out int lpNumberOfBytesRead

);

///

/// m_vDumpedRegion

///

/// The memory dumped from the external process.

///

private byte[] m_vDumpedRegion;

///

/// m_vProcess

///

/// The process we want to read the memory of.

///

private Process m_vProcess;

///

/// m_vAddress

///

/// The starting address we want to begin reading at.

///

private IntPtr m_vAddress;

///

/// m_vSize

///

/// The number of bytes we wish to read from the process.

///

private Int32 m_vSize;

#region "sigScan Class Construction"

///

/// SigScan

///

/// Main class constructor that uses no params.

/// Simply initializes the class properties and

/// expects the user to set them later.

///

public SigScan()

{

this.m_vProcess = null;

this.m_vAddress = IntPtr.Zero;

this.m_vSize = 0;

this.m_vDumpedRegion = null;

}

///

/// SigScan

///

/// Overloaded class constructor that sets the class

/// properties during construction.

///

/// The process to dump the memory from.

/// The started address to begin the dump.

/// The size of the dump.

public SigScan(Process proc, IntPtr addr, int size)

{

this.m_vProcess = proc;

this.m_vAddress = addr;

this.m_vSize = size;

}

#endregion

#region "sigScan Class Private Methods"

///

/// DumpMemory

///

/// Internal memory dump function that uses the set class

/// properties to dump a memory region.

///

/// Boolean based on RPM results and valid properties.

private bool DumpMemory()

{

try

{

// Checks to ensure we have valid data.

if (this.m_vProcess == null)

return false;

if (this.m_vProcess.HasExited == true)

return false;

if (this.m_vAddress == IntPtr.Zero)

return false;

if (this.m_vSize == 0)

return false;

// Create the region space to dump into.

this.m_vDumpedRegion = new byte[this.m_vSize];

bool bReturn = false;

int nBytesRead = 0;

// Dump the memory.

bReturn = ReadProcessMemory(

this.m_vProcess.Handle, this.m_vAddress, this.m_vDumpedRegion, this.m_vSize, out nBytesRead

);

// Validation checks.

if (bReturn == false || nBytesRead != this.m_vSize)

return false;

return true;

}

catch (Exception ex)

{

return false;

}

}

///

/// MaskCheck

///

/// Compares the current pattern byte to the current memory dump

/// byte to check for a match. Uses wildcards to skip bytes that

/// are deemed unneeded in the compares.

///

/// Offset in the dump to start at.

/// Pattern to scan for.

/// Mask to compare against.

/// Boolean depending on if the pattern was found.

private bool MaskCheck(int nOffset, byte[] btPattern, string strMask)

{

// Loop the pattern and compare to the mask and dump.

for (int x = 0; x < btPattern.Length; x++)

{

// If the mask char is a wildcard, just continue.

if (strMask[x] == '?')

continue;

// If the mask char is not a wildcard, ensure a match is made in the pattern.

if ((strMask[x] == 'x') && (btPattern[x] != this.m_vDumpedRegion[nOffset + x]))

return false;

}

// The loop was successful so we found the pattern.

return true;

}

#endregion

#region "sigScan Class Public Methods"

///

/// FindPattern

///

/// Attempts to locate the given pattern inside the dumped memory region

/// compared against the given mask. If the pattern is found, the offset

/// is added to the located address and returned to the user.

///

/// Byte pattern to look for in the dumped region.

/// The mask string to compare against.

/// The offset added to the result address.

/// IntPtr - zero if not found, address if found.

public IntPtr FindPattern(byte[] btPattern, string strMask, int nOffset)

{

try

{

// Dump the memory region if we have not dumped it yet.

if (this.m_vDumpedRegion == null || this.m_vDumpedRegion.Length == 0)

{

if (!this.DumpMemory())

return IntPtr.Zero;

}

// Ensure the mask and pattern lengths match.

if (strMask.Length != btPattern.Length)

return IntPtr.Zero;

// Loop the region and look for the pattern.

for (int x = 0; x < this.m_vDumpedRegion.Length; x++)

{

if (this.MaskCheck(x, btPattern, strMask))

{

// The pattern was found, return it.

return new IntPtr((int)this.m_vAddress + (x + nOffset));

}

}

// Pattern was not found.

return IntPtr.Zero;

}

catch (Exception ex)

{

return IntPtr.Zero;

}

}

///

/// ResetRegion

///

/// Resets the memory dump array to nothing to allow

/// the class to redump the memory.

///

public void ResetRegion()

{

this.m_vDumpedRegion = null;

}

#endregion

#region "sigScan Class Properties"

public Process Process

{

get { return this.m_vProcess; }

set { this.m_vProcess = value; }

}

public IntPtr Address

{

get { return this.m_vAddress; }

set { this.m_vAddress = value; }

}

public Int32 Size

{

get { return this.m_vSize; }

set { this.m_vSize = value; }

}

#endregion

}

}

This uses the FindPattern method that is fairly commonly known, I just converted it to C#.

This doesn't wrap around VirtualQueryEx so the base + size is up to you
to be sure is proper and accessible. This also dumps the memory once
rather then per-each scan. If you need to rescan with a new dump each
time just call ResetRegion() before scanning again.

This is from 2009 so you can write things a bit cleaner with Linq and such now.