API tools faq
paste
Advertisement
Guest User

ReadProcessMemory in vb.net AB

a guest
Aug 29th, 2013
165
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VB.NET 13.27 KB | None | 0 0
raw download clone embed print report
  1. ''The required API's and structs/enums..
  2.     Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer() As Byte, ByVal iSize As Int32, ByRef lpNumberOfBytesRead As Integer) As Boolean
  3.    
  4.     Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpbaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As Int32, ByRef dwNumberOfBytesWritten As Int32) As Boolean
  5.  
  6.     Public Declare Sub GetSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SystemInfo)
  7.    
  8.     Public Structure MemoryBasicInformation
  9.         Dim BaseAddress As IntPtr
  10.         Dim AllocationBase As IntPtr
  11.         Dim AllocationProtect As UInt32
  12.         Dim RegionSize As Int32
  13.         Dim State As UInt32
  14.         Dim Protect As UInt32
  15.         Dim AllocationType As UInt32
  16.     End Structure
  17.     Public Structure SystemInfo
  18.         Dim wProcessorArchitecture As Int16
  19.         Dim wReserved As Int16
  20.         Dim dwPageSize As Int32
  21.         Dim lpMinimumApplicationAddress As IntPtr
  22.         Dim lpMaximumApplicationAddress As IntPtr
  23.         Dim dwActiveProcessorMask As Int32
  24.         Dim dwNumberOfProcessors As Int32
  25.         Dim dwProcessorType As Int32
  26.         Dim dwAllocationGranularity As Int32
  27.         Dim wProcessorLevel As Int16
  28.         Dim wProcessorRevision As Int16
  29.     End Structure
  30.     Public Enum OpenProcessMemoryRights As UInt32
  31.         PROCESS_ALL_ACCESS = &H1F0FFF 'xp only ? Should OR the different values..TODO:
  32.         PROCESS_VM_OPERATION = &H8
  33.         PROCESS_VM_READ = &H10
  34.         PROCESS_VM_WRITE = &H20
  35.     End Enum
  36.  
  37. '' MemoryManager Class
  38. ''''''''''''''''''''''''''''''''''''''''''''''''''
  39. Public Class MemoryManager
  40. #Region "Private"
  41.         Private _isAttached As Boolean = False '' Required for pretty much everything.
  42.         Private _targetProcessID As Int32 = 0
  43.         Private _targetProcess As New System.Diagnostics.Process
  44.         Private _targetProcessHandle As IntPtr = IntPtr.Zero '' Obtained from Winapi.OpenProcess()
  45.         Private _systemInfo As WinAPI.SystemInfo '' Useful information about cpu and ram.  
  46.         Private _mbiSize As Int32 = 0 '' SizeOf(WinAPI.MEMORY_BASIC_INFORMATION) in bytes.
  47. #End Region
  48.  
  49.         Public Sub New()
  50.             ''Store these values in the class so they don't have to be calculated/looked up each time.
  51.             WinAPI.GetSystemInfo(_systemInfo) '' Useful info about cpu and ram.
  52.             _mbiSize = System.Runtime.InteropServices.Marshal.SizeOf(New WinAPI.MemoryBasicInformation) ''size in bytes
  53.         End Sub
  54. #Region "Target Process"
  55.         Public Function AttachToProcess(ByVal processID As Int32) As Boolean
  56.             If _isAttached Then
  57.                 Return False '' and yet, IsAttached is True. Misleading.
  58.             Else
  59.                 ''Does this processID exists? (ie. is that processID being used)
  60.                 For Each pp As Process In Process.GetProcesses
  61.                     'Loop over list of all running processes and compare ID's
  62.                     If pp.Id = processID Then
  63.                         'This is our target process
  64.                         _targetProcessHandle = WinAPI.OpenProcess(WinAPI.OpenProcessMemoryRights.PROCESS_ALL_ACCESS, False, processID)
  65.                         If _targetProcessHandle <> IntPtr.Zero Then '' SUCCESS
  66.                             _isAttached = True
  67.                             _targetProcessID = processID
  68.                             _targetProcess = pp
  69.                         Else
  70.                             _isAttached = False '' Fail. Current User Account can't do PROCESS_ALL_ACCESS ?
  71.                             System.Windows.Forms.MessageBox.Show("MemoryManager was unable to attach to the process." & Environment.NewLine _
  72.                                                  & "OpenProcess() Failed. Are you administrator?" & Environment.NewLine _
  73.                                                  & "Details: " & Environment.NewLine & Environment.NewLine _
  74.                                                  & "Window Title: " & CStr(IIf(String.IsNullOrEmpty(pp.MainWindowTitle), "No Window", pp.MainWindowTitle)) & Environment.NewLine _
  75.                                                  & "Process Name: " & pp.ProcessName & Environment.NewLine _
  76.                                                  & "Process ID: " & pp.Id.ToString, "MemoryManager Unknown Error")
  77.                         End If
  78.                         Exit For 'don't bother checking rest of processes
  79.                     End If
  80.                 Next
  81.                 ''If we get here the processID was not found. FAIL
  82.             End If
  83.  
  84.             Return _isAttached
  85.         End Function
  86.  
  87.         Public Sub DetachFromProcess()
  88.             If _isAttached Then
  89.                 If Not WinAPI.CloseHandle(_targetProcessHandle) Then
  90.                     System.Windows.Forms.MessageBox.Show("MemoryManager Unable to detach from process. Unknown Error.", "MemoryManager Unknown Error") '' Does this happen / why ? (App. already closed?)
  91.                     '' TODO: call GetLastError(). Detach anyway.
  92.                 End If
  93.                 _isAttached = False
  94.             End If
  95.         End Sub
  96.         Public ReadOnly Property IsAttached() As Boolean
  97.             Get
  98.                 Return _isAttached
  99.             End Get
  100.         End Property
  101.  
  102.         Public ReadOnly Property TargetProcessID As Int32
  103.             Get
  104.                 Return _targetProcessID
  105.             End Get
  106.         End Property
  107. #End Region
  108.  
  109. #Region "Read"
  110.         Public Function ReadByte(ByVal addr As IntPtr) As Byte
  111.             Dim _byte(0) As Byte '' Awkward. Winapi function is declared as array() instead of as IntPtr.
  112.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _byte, 1, New Int32)
  113.             Return _byte(0)
  114.         End Function
  115.         Public Function ReadInt16(ByVal addr As IntPtr) As Int16
  116.             Dim _bytes(1) As Byte
  117.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 2, New Int32)
  118.             Return BitConverter.ToInt16(_bytes, 0)
  119.         End Function
  120.         Public Function ReadInt32(ByVal addr As IntPtr) As Int32
  121.             Dim _bytes(3) As Byte
  122.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 4, New Int32)
  123.             Return BitConverter.ToInt32(_bytes, 0)
  124.         End Function
  125.         Public Function ReadInt64(ByVal addr As IntPtr) As Int64
  126.             Dim _bytes(7) As Byte
  127.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 8, New Int32)
  128.             Return BitConverter.ToInt64(_bytes, 0)
  129.         End Function
  130.         Public Function ReadUInt16(ByVal addr As IntPtr) As UInt16
  131.             Dim _bytes(1) As Byte
  132.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 2, New Int32)
  133.             Return BitConverter.ToUInt16(_bytes, 0)
  134.         End Function
  135.         Public Function ReadUInt32(ByVal addr As IntPtr) As UInt32
  136.             Dim _bytes(3) As Byte
  137.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 4, New Int32)
  138.             Return BitConverter.ToUInt32(_bytes, 0)
  139.         End Function
  140.         Public Function ReadUInt64(ByVal addr As IntPtr) As UInt64
  141.             Dim _bytes(7) As Byte
  142.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 8, New Int32)
  143.             Return BitConverter.ToUInt64(_bytes, 0)
  144.         End Function
  145.         Public Function ReadFloat(ByVal addr As IntPtr) As Single
  146.             Dim _bytes(3) As Byte
  147.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 4, New Int32)
  148.             Return BitConverter.ToSingle(_bytes, 0)
  149.         End Function
  150.         Public Function ReadDouble(ByVal addr As IntPtr) As Double
  151.             Dim _bytes(7) As Byte
  152.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, 8, New Int32)
  153.             Return BitConverter.ToDouble(_bytes, 0)
  154.         End Function
  155.  
  156.         Public Function ReadIntPtr(ByVal addr As IntPtr) As IntPtr
  157.             Dim _bytes(IntPtr.Size - 1) As Byte
  158.             WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, IntPtr.Size, New Int32)
  159.                 If IntPtr.Size = 4 Then
  160.                     Return New IntPtr(BitConverter.ToUInt32(_bytes, 0))
  161.                 Else
  162.                     Return New IntPtr(BitConverter.ToInt64(_bytes, 0))
  163.                 End If
  164.         End Function
  165.  
  166.         Public Function ReadAsciiString(ByVal addr As IntPtr, Optional ByVal maxLength As Int32 = 25) As String
  167.             If _isAttached And maxLength > 0 Then
  168.                 Dim _bytes(maxLength - 1) As Byte
  169.                 WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, maxLength, New Int32)
  170.                 Return System.Text.Encoding.ASCII.GetString(_bytes, 0, maxLength)
  171.             Else
  172.                 Return String.Empty '' fail. not attached to any process (or maxLength = 0).
  173.             End If
  174.         End Function
  175.  
  176.         Public Function ReadUnicodeString(ByVal addr As IntPtr, Optional ByVal maxLength As Int32 = 25) As String
  177.             If _isAttached And maxLength > 0 Then
  178.                 maxLength = maxLength * 2 '' 2  bytes per unicode character. (only utf16?!?) TODO: fix this function.
  179.                 Dim _bytes(maxLength - 1) As Byte
  180.                 WinAPI.ReadProcessMemory(_targetProcessHandle, addr, _bytes, maxLength, New Int32)
  181.                 Return System.Text.Encoding.Unicode.GetString(_bytes)
  182.             Else
  183.                 Return String.Empty '' fail. not attached to any process (or maxLength = 0).
  184.             End If
  185.         End Function
  186.  
  187.         Public Function ReadBytes(ByVal addr As IntPtr, ByRef byteBuff() As Byte, ByVal size As Int32, ByRef actualBytesRead As Int32) As Boolean
  188.             Return WinAPI.ReadProcessMemory(_targetProcessHandle, addr, byteBuff, size, actualBytesRead)
  189.         End Function
  190. #End Region
  191. #Region "Write*"
  192.         Public Function WriteByte(ByVal addr As IntPtr, ByVal aByte As Byte) As Boolean
  193.             Dim _bts(0) As Byte '' Awkward. Winapi function is declared as array() instead of as IntPtr
  194.             _bts(0) = aByte
  195.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, _bts, 1, New Int32)
  196.         End Function
  197.         Public Function WriteInt16(ByVal addr As IntPtr, ByVal data As Int16) As Boolean
  198.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 2, New Int32)
  199.         End Function
  200.         Public Function WriteUInt16(ByVal addr As IntPtr, ByVal data As UInt16) As Boolean
  201.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 2, New Int32)
  202.         End Function
  203.         Public Function WriteInt32(ByVal addr As IntPtr, ByVal data As Int32) As Boolean
  204.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 4, New Int32)
  205.         End Function
  206.         Public Function WriteInt64(ByVal addr As IntPtr, ByVal data As Int64) As Boolean
  207.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 8, New Int32)
  208.         End Function
  209.         Public Function WriteUInt64(ByVal addr As IntPtr, ByVal data As UInt64) As Boolean
  210.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 8, New Int32)
  211.         End Function
  212.         Public Function WriteFloat(ByVal addr As IntPtr, ByVal data As Single) As Boolean
  213.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 4, New Int32)
  214.         End Function
  215.         Public Function WriteDouble(ByVal addr As IntPtr, ByVal data As Double) As Boolean
  216.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(data), 8, New Int32)
  217.         End Function
  218.  
  219.         Public Function WriteIntPtr(ByVal addr As IntPtr, ByVal ptr As IntPtr) As Boolean
  220.             Dim _bytes(IntPtr.Size - 1) As Byte
  221.  
  222.             If IntPtr.Size = 4 Then
  223.                 _bytes = BitConverter.GetBytes(Convert.ToUInt32(ptr))
  224.                 Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, _bytes, 4, New Int32)
  225.             Else
  226.                 _bytes = BitConverter.GetBytes(Convert.ToUInt64(ptr))
  227.                 Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, _bytes, 8, New Int32)
  228.             End If
  229.         End Function
  230.  
  231.         Public Function WriteAsciiString(ByVal addr As IntPtr, ByVal str As String, ByRef actualBytesWritten As UInt32) As Boolean
  232.             Dim _bytes() As Byte = System.Text.Encoding.ASCII.GetBytes(str)
  233.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, _bytes, _bytes.Length, New Int32)
  234.         End Function
  235.  
  236.         Public Function WriteUnicodeString(ByVal addr As IntPtr, ByVal str As String) As Boolean
  237.             Dim _bytes() As Byte = System.Text.Encoding.Unicode.GetBytes(str)
  238.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, _bytes, _bytes.Length, New Int32) ' System.Text.Encoding.Unicode.GetBytes(str)
  239.         End Function
  240.  
  241.         Public Function WriteBytes(ByVal addr As IntPtr, ByVal bytes() As Byte, ByRef actualBytesWritten As Int32) As Boolean
  242.             Return WinAPI.WriteProcessMemory(_targetProcessHandle, addr, bytes, bytes.Length, actualBytesWritten)
  243.         End Function
  244. #End Region
  245.  
  246.  
  247.  
  248.     End Class
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!