coderail

Memory Scanner - VB.NET

Nov 9th, 2011
  1. Imports System.Runtime.InteropServices
  2. Imports System.Reflection
  3.  
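  '------------------
  'Creator: aeonhack
  'Site: elitevs.net
  'Created: 11/9/2011
  'Changed: 3/17/2012
  'Version: 1.2.0
  '------------------

  ''' <summary>
  ''' Enumerates, searches, reads and writes the committed read/write memory of
  ''' another Windows process through kernel32 P/Invoke calls.
  ''' </summary>
  ''' <remarks>
  ''' 32-bit only: every address is carried as an Integer, the INFORMATION
  ''' structure is passed with a fixed size of 28 bytes, and ScanPages stops at
  ''' Integer.MaxValue. NOTE(review): in a 64-bit build the structure layout no
  ''' longer matches, so the assembly presumably has to be compiled for x86.
  '''
  ''' Security: OpenProcess asks for PROCESS_VM_OPERATION, PROCESS_VM_READ,
  ''' PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION (access mask &amp;H438) on the
  ''' target. The operating system applies its normal access check to that
  ''' request, and endpoint monitoring records it as cross-process access with
  ''' exactly this mask (for example the GrantedAccess field of Sysmon event
  ''' ID 10), so a host running this class should expect such telemetry.
  ''' Memory obtained through Alloc is PAGE_READWRITE, i.e. not executable.
  ''' </remarks>
  Class Scanner

      ' PROCESS_VM_OPERATION (&H8) Or PROCESS_VM_READ (&H10) Or
      ' PROCESS_VM_WRITE (&H20) Or PROCESS_QUERY_INFORMATION (&H400).
      Private Const ProcessAccessMask As UInteger = 1080UI
      ' THREAD_SUSPEND_RESUME: the only right requested on each thread.
      Private Const ThreadSuspendResume As UInteger = 2UI
      ' MEM_COMMIT, compared against INFORMATION.State.
      Private Const MemCommit As UInteger = 4096UI
      ' PAGE_READWRITE, compared against INFORMATION.Protect and used by Alloc.
      Private Const PageReadWrite As UInteger = 4UI
      ' MEM_COMMIT Or MEM_RESERVE, the allocation type used by Alloc.
      Private Const MemCommitReserve As Integer = 12288
      ' MEM_RELEASE, the free type used by Free.
      Private Const MemRelease As Integer = 32768
      ' Byte size of INFORMATION as handed to VirtualQueryEx (32-bit layout).
      Private Const InformationSize As Integer = 28

      ''' <summary>Callback that receives scan progress as a percentage (0 to 100).</summary>
      Public ProgressChangeEvent As ProgressChangeDG
      Delegate Sub ProgressChangeDG(ByVal value As Integer)

      ''' <summary>Creates a scanner that reports progress to <paramref name="progressChange"/>.</summary>
      Sub New(progressChange As ProgressChangeDG)
          ProgressChangeEvent = progressChange
      End Sub

      ''' <summary>
      ''' Invokes the progress callback if one is set. The callback is a public,
      ''' reassignable field, so it may legitimately be Nothing.
      ''' </summary>
      Private Sub ReportProgress(ByVal value As Integer)
          Dim Callback As ProgressChangeDG = ProgressChangeEvent
          If Callback IsNot Nothing Then Callback(value)
      End Sub

  #Region " Properties "

      ''' <summary>
      ''' Handle of the opened target process; IntPtr.Zero while no process is open.
      ''' The property is publicly settable, so the class cannot assume it created
      ''' the handle it is holding.
      ''' </summary>
      Property Handle() As IntPtr

      Private _Pages As New List(Of PAGE)

      ''' <summary>Snapshot (copy) of the regions collected by the last ScanPages call.</summary>
      ReadOnly Property Pages() As PAGE()
          Get
              Return _Pages.ToArray
          End Get
      End Property

      Private _Results As New List(Of Integer)

      ''' <summary>
      ''' Addresses that matched the last scan. The getter returns a copy; the
      ''' setter replaces the internal list with a copy of the given array.
      ''' </summary>
      Property Results As Integer()
          Get
              Return _Results.ToArray
          End Get
          Set(value As Integer())
              _Results = New List(Of Integer)(value)
          End Set
      End Property

  #End Region

  #Region " Process "

      Private PID As Integer

      ''' <summary>
      ''' Opens the target process with the access mask described on the class.
      ''' </summary>
      ''' <param name="processId">Identifier of the process to open.</param>
      ''' <exception cref="Exception">
      ''' OpenProcess returned a null handle; Message holds the Win32 error code.
      ''' Code 5 (ERROR_ACCESS_DENIED) means the access check failed, which the
      ''' original author annotated as "Requires elevation".
      ''' </exception>
      ''' <remarks>
      ''' NOTE(review): a handle already stored in Handle is overwritten without
      ''' being closed; call CloseProcess before opening another process.
      ''' </remarks>
      Public Sub OpenProcess(ByVal processId As Integer)
          PID = processId
          _Handle = OpenProcess(ProcessAccessMask, False, processId)

          If _Handle = IntPtr.Zero Then
              ' Read the error immediately; later calls would overwrite it.
              Dim Win32Error As Integer = Marshal.GetLastWin32Error
              Throw New Exception(CStr(Win32Error))
          End If
      End Sub

      ''' <summary>
      ''' Closes the process handle (if any) and drops all cached pages, results
      ''' and search buffers.
      ''' </summary>
      Public Sub CloseProcess()
          ' Never hand a null handle to CloseHandle; there is nothing to release.
          If _Handle <> IntPtr.Zero Then CloseHandle(_Handle)

          _Handle = IntPtr.Zero
          _Pages.Clear()
          _Results.Clear()

          _Mask = Nothing
          _Data = Nothing
          _Search = Nothing
      End Sub

  #End Region

  #Region " Scanning "

      ''' <summary>
      ''' Walks the target's address space with VirtualQueryEx and records every
      ''' region that is committed (MEM_COMMIT) and protected PAGE_READWRITE.
      ''' </summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      Public Sub ScanPages()
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException

          _Pages.Clear()
          Dim Current As Integer

          While True
              Dim T As New INFORMATION
              If QueryEx(_Handle, Current, T, InformationSize) = 0 Then Exit While

              ' A zero or negative size cannot advance the walk and would loop
              ' forever (or describe a region larger than an Integer can hold).
              If T.RegionSize <= 0 Then Exit While

              If T.State = MemCommit AndAlso T.Protect = PageReadWrite Then
                  _Pages.Add(New PAGE(T.BaseAddress, T.RegionSize))
              End If

              ' Do the addition in 64 bits so the end-of-range test cannot overflow.
              Dim NextAddress As Long = CLng(T.BaseAddress.ToInt32) + CLng(T.RegionSize)
              If NextAddress > Integer.MaxValue Then Exit While
              Current = CInt(NextAddress)
          End While
      End Sub

      ''' <summary>
      ''' Searches every page found by ScanPages for <paramref name="search"/> and
      ''' stores the matching addresses in Results.
      ''' </summary>
      ''' <param name="search">Byte pattern to look for; must not be empty.</param>
      ''' <param name="index">Offset inside each page at which the search starts.</param>
      ''' <param name="step">Distance between tested offsets; must be at least 1.</param>
      ''' <param name="mask">
      ''' Optional mask of the same length as <paramref name="search"/>; only
      ''' positions whose mask byte is 255 are compared.
      ''' </param>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">
      ''' Empty pattern, mask length mismatch, negative index or step below 1.
      ''' </exception>
      ''' <exception cref="FormatException">The mask contains no 255 byte.</exception>
      Public Sub FirstScan(ByVal search As Byte(), Optional ByVal index As Integer = 0, Optional ByVal [step] As Integer = 4, Optional ByVal mask As Byte() = Nothing)
          CheckParameters(search, mask)
          ' A negative index would address bytes before the buffer, and a step
          ' below 1 can never walk forward through a page.
          If index < 0 Then Throw New ArgumentOutOfRangeException
          If [step] < 1 Then Throw New ArgumentOutOfRangeException

          _Results.Clear()
          ReportProgress(0)

          Dim Count As Integer
          ' Use the list directly: the Pages property copies it on every access.
          Dim PageCount As Integer = _Pages.Count

          For I As Integer = 0 To PageCount - 1
              Dim Region As PAGE = _Pages(I)
              Dim Size As Integer = Region.Size

              ' Same test as Size >= search.Length + index, written so the sum
              ' cannot overflow.
              If Size - search.Length >= index Then
                  Dim Base As Integer = Region.Base.ToInt32
                  _Data = New Byte(Size - 1) {}

                  If ReadMem(_Handle, Base, _Data, _Data.Length, Count) Then
                      For O As Integer = index To Count - search.Length Step [step]
                          If ScanData(O) Then _Results.Add(Base + O)
                      Next
                  End If
              End If

              ReportProgress(CInt(((I + 1) / PageCount) * 100))
          Next

          ReportProgress(100)
      End Sub

      ''' <summary>
      ''' Re-reads every address in Results and keeps only those that still match
      ''' <paramref name="search"/>.
      ''' </summary>
      ''' <param name="search">Byte pattern to look for; must not be empty.</param>
      ''' <param name="mask">Optional mask, same rules as in FirstScan.</param>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">
      ''' Empty pattern, mask length mismatch, or there are no results to refine.
      ''' </exception>
      ''' <exception cref="FormatException">The mask contains no 255 byte.</exception>
      Public Sub NextScan(ByVal search As Byte(), Optional ByVal mask As Byte() = Nothing)
          CheckParameters(search, mask)
          If _Results.Count = 0 Then Throw New ArgumentOutOfRangeException
          ReportProgress(0)

          Dim Count As Integer
          Dim Maximum As Integer = _Results.Count
          ' Survivors are collected in a second list and swapped in at the end;
          ' removing entries one by one from the middle of the list is quadratic.
          Dim Kept As New List(Of Integer)(Maximum)

          _Data = New Byte(search.Length - 1) {}

          For R As Integer = 0 To Maximum - 1
              Dim Address As Integer = _Results(R)

              ' An unreadable address counts as "no longer matching".
              If ReadMem(_Handle, Address, _Data, _Data.Length, Count) AndAlso ScanData(0) Then
                  Kept.Add(Address)
                  ' Progress is reported after each surviving result.
                  ReportProgress(CInt(((R + 1) / Maximum) * 100))
              End If
          Next

          _Results = Kept
          ReportProgress(100)
      End Sub

      ' State shared between CheckParameters, CheckMask and ScanData.
      Private _Mask As Byte()         ' mask of the current scan, or Nothing
      Private _Data As Byte()         ' bytes most recently read from the target
      Private _Search As Byte()       ' pattern of the current scan
      Private HandleMask As Boolean   ' True when _Mask must be honoured
      Private MaskIndex As Integer    ' index of the first 255 byte in _Mask

      ''' <summary>
      ''' Compares _Search with _Data starting at <paramref name="offset"/>.
      ''' With a mask, comparison starts at MaskIndex and skips every position
      ''' whose mask byte is not 255.
      ''' </summary>
      ''' <returns>True when every compared byte is equal.</returns>
      Private Function ScanData(ByVal offset As Integer) As Boolean
          If HandleMask Then
              For I As Integer = MaskIndex To _Search.Length - 1
                  If _Mask(I) = 255 AndAlso _Data(offset + I) <> _Search(I) Then Return False
              Next
          Else
              For I As Integer = 0 To _Search.Length - 1
                  If _Data(offset + I) <> _Search(I) Then Return False
              Next
          End If

          Return True
      End Function

  #End Region

  #Region " Validation "

      ''' <summary>
      ''' Stores the pattern and mask for the scan and validates them.
      ''' </summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentNullException">The pattern is Nothing.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">
      ''' The pattern is empty or the mask has a different length.
      ''' </exception>
      ''' <exception cref="FormatException">The mask contains no 255 byte.</exception>
      Private Sub CheckParameters(ByVal search As Byte(), ByVal mask As Byte())
          _Search = search
          _Mask = mask

          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          ' Reject a missing pattern explicitly instead of failing on .Length.
          If search Is Nothing Then Throw New ArgumentNullException("search")
          If search.Length = 0 Then Throw New ArgumentOutOfRangeException

          If mask IsNot Nothing Then
              If search.Length <> mask.Length Then Throw New ArgumentOutOfRangeException
              If Not CheckMask(mask) Then Throw New FormatException
              HandleMask = True
          Else
              HandleMask = False
          End If
      End Sub

      ''' <summary>
      ''' Looks for the first 255 byte in <paramref name="mask"/> and remembers its
      ''' position in MaskIndex.
      ''' </summary>
      ''' <returns>False when the mask selects no position at all.</returns>
      Private Function CheckMask(ByVal mask As Byte()) As Boolean
          For I As Integer = 0 To mask.Length - 1
              If mask(I) = 255 Then
                  MaskIndex = I
                  Return True
              End If
          Next

          Return False
      End Function

  #End Region

  #Region " Read / Write "

      ''' <summary>Reads <paramref name="length"/> bytes from the target process.</summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">Negative address or length below 1.</exception>
      ''' <exception cref="Exception">The read failed; Message holds the Win32 error code.</exception>
      Public Function ReadMemory(ByVal address As Integer, ByVal length As Integer) As Byte()
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          If address < 0 Then Throw New ArgumentOutOfRangeException
          If length < 1 Then Throw New ArgumentOutOfRangeException

          Dim Count As Integer
          Dim Data(length - 1) As Byte

          If Not ReadMem(_Handle, address, Data, Data.Length, Count) Then Throw New Exception(CStr(Marshal.GetLastWin32Error))

          Return Data
      End Function

      ''' <summary>Writes <paramref name="data"/> into the target process.</summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentNullException">The buffer is Nothing.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">Negative address or empty buffer.</exception>
      ''' <exception cref="Exception">The write failed; Message holds the Win32 error code.</exception>
      Public Sub WriteMemory(ByVal address As Integer, ByVal data As Byte())
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          If address < 0 Then Throw New ArgumentOutOfRangeException
          If data Is Nothing Then Throw New ArgumentNullException("data")
          If data.Length = 0 Then Throw New ArgumentOutOfRangeException

          Dim Count As Integer
          If Not WriteMem(_Handle, address, data, data.Length, Count) Then Throw New Exception(CStr(Marshal.GetLastWin32Error))
      End Sub

  #End Region

  #Region " Alloc / Free "

      ''' <summary>
      ''' Commits and reserves <paramref name="length"/> bytes of PAGE_READWRITE
      ''' memory in the target process.
      ''' </summary>
      ''' <returns>Base address of the new region.</returns>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">Length below 1.</exception>
      ''' <exception cref="Exception">Allocation failed; Message holds the Win32 error code.</exception>
      Public Function Alloc(ByVal length As Integer) As Integer
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          If length < 1 Then Throw New ArgumentOutOfRangeException

          ' Address 0 lets the system choose where the region is placed.
          Dim T As Integer = AllocEx(_Handle, 0, length, MemCommitReserve, CInt(PageReadWrite)).ToInt32
          If T = 0 Then Throw New Exception(CStr(Marshal.GetLastWin32Error))

          Return T
      End Function

      ''' <summary>Releases a region in the target process (MEM_RELEASE, size 0).</summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      ''' <exception cref="ArgumentOutOfRangeException">Negative address.</exception>
      ''' <exception cref="Exception">The call failed; Message holds the Win32 error code.</exception>
      Public Sub Free(ByVal address As Integer)
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          If address < 0 Then Throw New ArgumentOutOfRangeException

          If Not FreeEx(_Handle, address, 0, MemRelease) Then Throw New Exception(CStr(Marshal.GetLastWin32Error))
      End Sub

  #End Region

  #Region " Suspend / Resume "

      ''' <summary>Suspends every thread of the opened process that can be opened.</summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      Public Sub Suspend()
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          SetThreadsSuspended(True)
      End Sub

      ''' <summary>Resumes every thread of the opened process that can be opened.</summary>
      ''' <exception cref="InvalidOperationException">No process is open.</exception>
      Public Sub [Resume]()
          If _Handle = IntPtr.Zero Then Throw New InvalidOperationException
          SetThreadsSuspended(False)
      End Sub

      ''' <summary>
      ''' Opens each thread of process PID with THREAD_SUSPEND_RESUME, suspends or
      ''' resumes it, and closes the thread handle again. Threads that cannot be
      ''' opened are skipped, as before.
      ''' </summary>
      Private Sub SetThreadsSuspended(ByVal suspended As Boolean)
          Using P As Process = Process.GetProcessById(PID)
              For Each T As ProcessThread In P.Threads
                  Dim ThreadHandle As IntPtr = OpenThread(ThreadSuspendResume, False, T.Id)

                  If Not ThreadHandle = IntPtr.Zero Then
                      Try
                          If suspended Then
                              SuspendThread(ThreadHandle)
                          Else
                              ResumeThread(ThreadHandle)
                          End If
                      Finally
                          ' One handle per thread per call was leaked before; the
                          ' suspend count belongs to the thread, not to the handle.
                          CloseHandle(ThreadHandle)
                      End Try
                  End If
              Next
          End Using
      End Sub

  #End Region

  #Region " Win32 Calls "

      ' All declarations below carry addresses and sizes as 32-bit Integers.

      <DllImport("kernel32.dll", EntryPoint:="OpenProcess", SetLastError:=True)> _
      Private Shared Function OpenProcess( _
      ByVal access As UInteger, _
      ByVal inherit As Boolean, _
      ByVal process As Integer) As IntPtr
      End Function

      <DllImport("kernel32.dll", EntryPoint:="OpenThread")> _
      Private Shared Function OpenThread( _
      ByVal access As UInteger, _
      ByVal inherit As Boolean, _
      ByVal thread As Integer) As IntPtr
      End Function

      <DllImport("kernel32.dll", EntryPoint:="SuspendThread")> _
      Private Shared Function SuspendThread( _
      ByVal handle As IntPtr) As Integer
      End Function

      <DllImport("kernel32.dll", EntryPoint:="ResumeThread")> _
      Private Shared Function ResumeThread( _
      ByVal handle As IntPtr) As Integer
      End Function

      <DllImport("kernel32.dll", EntryPoint:="VirtualQueryEx")> _
      Private Shared Function QueryEx( _
      ByVal handle As IntPtr, _
      ByVal base As Integer, _
      ByRef information As INFORMATION, _
      ByVal length As Integer) As Integer
      End Function

      <DllImport("kernel32.dll", EntryPoint:="VirtualAllocEx", SetLastError:=True)> _
      Private Shared Function AllocEx( _
      ByVal handle As IntPtr, _
      ByVal address As Integer, _
      ByVal length As Integer, _
      ByVal type As Integer, _
      ByVal protect As Integer) As IntPtr
      End Function

      <DllImport("kernel32.dll", EntryPoint:="VirtualFreeEx", SetLastError:=True)> _
      Private Shared Function FreeEx( _
      ByVal handle As IntPtr, _
      ByVal address As Integer, _
      ByVal length As Integer, _
      ByVal type As Integer) As Boolean
      End Function

      <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory", SetLastError:=True)> _
      Shared Function ReadMem( _
      ByVal handle As IntPtr, _
      ByVal base As Integer, _
      ByVal data As Byte(), _
      ByVal dataLength As Integer, _
      ByRef length As Integer) As Boolean
      End Function

      <DllImport("kernel32.dll", EntryPoint:="WriteProcessMemory", SetLastError:=True)> _
      Shared Function WriteMem( _
      ByVal handle As IntPtr, _
      ByVal base As Integer, _
      ByVal data As Byte(), _
      ByVal dataLength As Integer, _
      ByRef length As Integer) As Boolean
      End Function

      <DllImport("kernel32.dll", EntryPoint:="CloseHandle")> _
      Private Shared Function CloseHandle( _
      ByVal handle As IntPtr) As Boolean
      End Function

  #End Region

  #Region " Structures "

      ''' <summary>Base address and size of one memory region recorded by ScanPages.</summary>
      Structure PAGE
          Private _Base As IntPtr
          ReadOnly Property Base() As IntPtr
              Get
                  Return _Base
              End Get
          End Property

          Private _Size As Integer
          ReadOnly Property Size() As Integer
              Get
                  Return _Size
              End Get
          End Property

          Sub New(ByVal base As IntPtr, ByVal size As Integer)
              _Base = base
              _Size = size
          End Sub
      End Structure

      ' Buffer filled by VirtualQueryEx. With 4-byte IntPtr fields the seven
      ' members add up to the 28 bytes passed as InformationSize.
      <StructLayout(LayoutKind.Sequential, Pack:=1)> _
      Private Structure INFORMATION
          Public BaseAddress As IntPtr
          Public AllocationBase As IntPtr
          Public AllocationProtect As UInteger
          Public RegionSize As Integer
          Public State As UInteger
          Public Protect As UInteger
          Public Type As UInteger
      End Structure

  #End Region

  End Class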