C# ReadProcessMemory












-3















I'm basically trying to figure out how to search for a value in a process without giving an exact offset. The process can be anything (notepad, iexplorer, msword, etc.). I'm just looking to search for a value between the first and last memory address of a process instead of giving a specific offset, which I had to find from another application like ollydbg.



Here's what I have



    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Text;

    class Program
    {
        const int PROCESS_WM_READ = 0x0010;

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll")]
        public static extern bool ReadProcessMemory(int hProcess,
            Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

        public static string search = "somestring";

        static void Main(string[] args)
        {
            // Open the target process (hard-coded PID) with read access only.
            Process process = Process.GetProcessById(15728);
            IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);

            int bytesRead = 0;
            byte[] buffer = new byte[16];

            // Read 16 bytes from a fixed address found beforehand with a debugger.
            ReadProcessMemory((int)processHandle, 0x20BC4ADE4C8, buffer, buffer.Length, ref bytesRead);

            Console.WriteLine(Encoding.Unicode.GetString(buffer) +
                " (" + bytesRead.ToString() + "bytes)");
            if (Encoding.Unicode.GetString(buffer).Contains(search))
                Console.WriteLine("Match");
            else
                Console.WriteLine("Didint Match");
            Console.ReadLine();
        }
    }





























  • 2





    Is there an actual question there?

    – MickyD
    Dec 31 '18 at 14:10











  • See pinvoke. IntPtr are 32 bit pointer. You have lpBaseAddress defined as a Int64 which will not work. You also have to move the byte in c# from managed memory to unmanaged memory before passing to dll : pinvoke.net/default.aspx/user32/ReadProcessMemory.html

    – jdweng
    Dec 31 '18 at 14:11













  • ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead)

    – GSerg
    Dec 31 '18 at 14:12













  • a resource for this kind of work pinvoke.net as @jdweng provide the specific case.

    – kenny
    Dec 31 '18 at 14:13













  • Code works without any problem, but I don't want to give a specific memory offset.

    – lstngl
    Dec 31 '18 at 14:20
















c# memory readprocessmemory














asked Dec 31 '18 at 14:05 by lstngl
edited Dec 31 '18 at 15:28 by Kit








1 Answer


















0














You cannot avoid passing an address into ReadProcessMemory as it is required, and I don't believe there are any other APIs out there that allow you to read a process's memory.



So, what you have to do is pass in the base address. Rather than get the base address, you can calculate it yourself. This question can help.



Next you will need to find the size of the process's memory and pass that to the nSize parameter. But... that might be a bad idea because




  1. You have to determine what that value is (I'm not sure how; you could brute force it by doing a binary search across the largest possible value and finding the largest value that doesn't force ReadProcessMemory to return false, or perhaps using a performance counter or some other mechanism).


  2. Deal with memory constraints of having to allocate a huge chunk of memory for your buffer.



So instead of reading all of the memory, make multiple calls to ReadProcessMemory with smaller buffer sizes. The algorithm could be something like



    while not an error
        read into a buffer, scanning it for your string
        if found
            return true;
        bump the offset


If the above loop does not find your string, you're still not done because the string could have spanned the boundary between two buffers. To deal with this, create another loop that scans each boundary from boundary offset - string size to boundary offset + string size, returning true if found.
































  • Thank you for your time, sir. I will check a different way to code it as you said. If I succeed in doing it the proper way, I will write it down here.

    – lstngl
    Jan 2 at 21:34











answered Jan 2 at 18:06 by Kit
edited Jan 2 at 22:59
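The chunked scan described in the answer above, as an added C# example that is not part of the original answer or thread. It enumerates readable regions with VirtualQueryEx (an API the thread does not mention) instead of guessing the size of the process's memory, and it replaces the second boundary loop with a carried-over tail of pattern length minus one bytes. MemoryScan, Find and the command-line usage are hypothetical names; a 64-bit build is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

static class MemoryScan
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("kernel32.dll")] static extern IntPtr VirtualQueryEx(IntPtr process, IntPtr address, out MEMORY_BASIC_INFORMATION info, IntPtr length);
    [DllImport("kernel32.dll")] static extern bool ReadProcessMemory(IntPtr process, IntPtr address, [Out] byte[] buffer, IntPtr size, out IntPtr bytesRead);

    // Returns the address of the first match, or -1 when the pattern is not found.
    public static long Find(int pid, byte[] pattern, int chunkSize = 64 * 1024)
    {
        if (pattern.Length == 0) throw new ArgumentException("empty pattern");
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) throw new Win32Exception();   // e.g. access denied
        try
        {
            int overlap = pattern.Length - 1, carry = 0;
            byte[] chunk = new byte[chunkSize], window = new byte[overlap + chunkSize];
            IntPtr infoSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            MEMORY_BASIC_INFORMATION mbi; IntPtr got;
            long address = 0, expected = -1;
            while (VirtualQueryEx(h, (IntPtr)address, out mbi, infoSize) != IntPtr.Zero)
            {
                long start = mbi.BaseAddress.ToInt64(), end = start + mbi.RegionSize.ToInt64();
                bool readable = mbi.State == MEM_COMMIT && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;
                for (long pos = start; readable && pos < end; pos += chunkSize)
                {
                    if (!ReadProcessMemory(h, (IntPtr)pos, chunk, (IntPtr)Math.Min(chunkSize, end - pos), out got)) break;   // skip rest of region
                    int read = (int)got.ToInt64();
                    if (pos != expected) carry = 0;   // gap before this chunk: drop the saved tail
                    Buffer.BlockCopy(chunk, 0, window, carry, read);
                    int hit = IndexOf(window, carry + read, pattern);
                    if (hit >= 0) return pos - carry + hit;   // window[0] maps to address pos - carry
                    int keep = Math.Min(overlap, carry + read);   // tail that could begin a match
                    Buffer.BlockCopy(window, carry + read - keep, window, 0, keep);
                    carry = keep; expected = pos + read;
                }
                address = end;   // continue with the next region
            }
            return -1;
        }
        finally { CloseHandle(h); }
    }
    // Naive byte search over the first `length` bytes of `hay`.
    static int IndexOf(byte[] hay, int length, byte[] needle)
    {
        for (int i = 0, j; i + needle.Length <= length; i++)
        {
            for (j = 0; j < needle.Length && hay[i + j] == needle[j]; j++) { }
            if (j == needle.Length) return i;
        }
        return -1;
    }
    static void Main(string[] args)   // assumed usage: MemoryScan.exe <pid> <text>
    {
        long at = Find(int.Parse(args[0]), Encoding.Unicode.GetBytes(args[1]));   // UTF-16LE, as in the question
        Console.WriteLine(at < 0 ? "No match" : "Match at 0x" + at.ToString("X"));
    }
}
```

The handle is opened with query and read rights only, and a match that straddles two reads is still found because the last bytes of each chunk are searched again together with the next one.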












