
I'm basically trying to figure out how to search for a value in a process without giving an exact offset. The process can be anything (notepad, iexplorer, msword, etc.). I'm just looking to search for a value between the first and last memory address of a process instead of giving a specific offset, which I had to find from another application like OllyDbg.

Here's what I have

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

class Program
{
    const int PROCESS_WM_READ = 0x0010;

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(int hProcess,
        Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

    public static string search = "somestring";

    static void Main(string[] args)
    {
        // Target process id and the hard-coded address were taken from another tool (OllyDbg)
        Process process = Process.GetProcessById(15728);
        IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);

        int bytesRead = 0;
        byte[] buffer = new byte[16];

        // Read 16 bytes at one fixed address in the target process
        ReadProcessMemory((int)processHandle, 0x20BC4ADE4C8, buffer, buffer.Length, ref bytesRead);

        Console.WriteLine(Encoding.Unicode.GetString(buffer) +
              " (" + bytesRead.ToString() + " bytes)");
        // The buffer is decoded as UTF-16, which is how .NET stores strings
        if (Encoding.Unicode.GetString(buffer).Contains(search))
            Console.WriteLine("Match");
        else
            Console.WriteLine("Didn't Match");
        Console.ReadLine();
    }
}
Kit
lstngl
    Is there an actual question there? –  Dec 31 '18 at 14:10
  • See pinvoke. IntPtr is a 32-bit pointer. You have lpBaseAddress defined as an Int64, which will not work. You also have to move the byte[] in C# from managed memory to unmanaged memory before passing it to the dll: http://www.pinvoke.net/default.aspx/user32/ReadProcessMemory.html – jdweng Dec 31 '18 at 14:11
  • `ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead)` – GSerg Dec 31 '18 at 14:12
  • A resource for this kind of work: http://pinvoke.net/ , as @jdweng provided for the specific case. – kenny Dec 31 '18 at 14:13
  • Code works without any problem, but I don't want to give a specific memory offset. – lstngl Dec 31 '18 at 14:20
  • Are you trying to search for a string across the entire address space of a process? – Kit Dec 31 '18 at 14:26
  • So make it a variable. – jdweng Dec 31 '18 at 14:27
  • Yes 'Kit' sir, exactly, I'm looking for that. Maybe there is some way to do that like this. Maybe search between a range of addresses or something like that. – lstngl Dec 31 '18 at 15:13

1 Answer

You cannot avoid passing an address into ReadProcessMemory as it is required, and I don't believe there are any other APIs out there that allow you to read a process's memory.

So, what you have to do is pass in the base address. Rather than get the base address, you can calculate it yourself. This question can help.

Next you will need to find the size of the process's memory and pass that to the nSize parameter. But... that might be a bad idea because

  1. you have to determine what that value is (I'm not sure how; you could brute force it by doing a binary search across the largest possible value and finding the largest value that doesn't force ReadProcessMemory to return false or perhaps using a performance counter or some other mechanism).

  2. Deal with memory constraints of having to allocate a huge chunk of memory for your buffer.

So instead of reading all of the memory, make multiple calls to ReadProcessMemory with smaller buffer sizes. The algorithm could be something like

while not an error
    read into a buffer, scanning it for your string
    if found
        return true;
    bump the offset

If the above loop does not find your string, you're still not done, because the string could have spanned the boundary between two buffers. To deal with this, create another loop that scans each boundary from boundary offset - string size to boundary offset + string size, returning true if found.

Kit
  • Thank you for your time, sir. I will check a different way to code it as you said. If I succeed in doing it the proper way I will write it down here. – lstngl Jan 02 '19 at 21:34
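The chunked scan Kit describes, written out in C# as an added example (this is not code from the question, the answer or any library on the page). It goes a little beyond the answer in two ways: instead of guessing a total size for `nSize`, it walks the target's address space one region at a time with `VirtualQueryEx`, which is how a memory-forensics or AV scanner enumerates committed pages; and instead of a second boundary pass, each chunk overlaps the previous one by `pattern.Length - 1` bytes, so a match straddling two chunks is always seen whole inside one of them. The P/Invoke signature for `ReadProcessMemory` is the pointer-sized one GSerg posted in the comments, so it works for both x86 and x64 builds. The class and method names (`MemoryScanner`, `FindString`, `ScanRegion`, `IndexOf`) are my own; the Win32 constants, the struct and the API signatures are the real kernel32 ones. Assumes Windows, .NET and C# 7 or later, and that the caller may open the target process (it must run at the same or higher integrity level, or with debug privilege).

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

// Added example: enumerate committed, readable regions with VirtualQueryEx and scan each one
// in overlapping chunks for a UTF-16 string. Names below are the example's own.
static class MemoryScanner
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000;
    const uint PAGE_NOACCESS = 0x01;
    const uint PAGE_GUARD = 0x100;

    // Sequential layout: the CLR inserts the x64 padding before RegionSize by itself.
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    // Pointer-sized parameters, so the same declaration is correct on x86 and x64.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        [Out] byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Returns the address of every occurrence of needle, encoded as UTF-16 (the way .NET
    // keeps strings in memory), within the target's committed readable regions.
    public static List<long> FindString(int pid, string needle, int chunkSize = 64 * 1024)
    {
        byte[] pattern = Encoding.Unicode.GetBytes(needle);
        if (pattern.Length == 0 || chunkSize <= pattern.Length)
            throw new ArgumentException("chunkSize must exceed the encoded pattern length");
        var hits = new List<long>();
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProcess == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            int mbiSize = Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            long address = 0;
            // No guessed upper bound: VirtualQueryEx fails once we pass the last user-mode region.
            while (VirtualQueryEx(hProcess, (IntPtr)address, out MEMORY_BASIC_INFORMATION mbi,
                                  (IntPtr)mbiSize) != IntPtr.Zero)
            {
                long regionBase = mbi.BaseAddress.ToInt64();
                long regionSize = mbi.RegionSize.ToInt64();
                bool readable = mbi.State == MEM_COMMIT
                    && (mbi.Protect & PAGE_NOACCESS) == 0
                    && (mbi.Protect & PAGE_GUARD) == 0;   // reading a guard page would trip it
                if (readable)
                    ScanRegion(hProcess, regionBase, regionSize, pattern, chunkSize, hits);
                address = regionBase + regionSize;
                if (IntPtr.Size == 4 && address > int.MaxValue) break; // top of a 32-bit space
            }
        }
        finally { CloseHandle(hProcess); }
        return hits;
    }

    static void ScanRegion(IntPtr hProcess, long regionBase, long regionSize,
                           byte[] pattern, int chunkSize, List<long> hits)
    {
        byte[] buffer = new byte[chunkSize];
        int overlap = pattern.Length - 1;
        long offset = 0;
        // Stop when fewer bytes than the pattern remain: nothing more can match here.
        while (regionSize - offset >= pattern.Length)
        {
            long start = regionBase + offset;
            int want = (int)Math.Min(chunkSize, regionSize - offset);
            if (!ReadProcessMemory(hProcess, (IntPtr)start, buffer, (IntPtr)want, out IntPtr readPtr))
                return; // region was freed or reprotected under us; skip the rest of it
            int read = (int)readPtr.ToInt64();
            for (int i = IndexOf(buffer, read, pattern, 0); i >= 0; i = IndexOf(buffer, read, pattern, i + 1))
                hits.Add(start + i);
            if (read < want) return;   // short read: the rest of the region is not readable
            offset += read - overlap;  // step back so a boundary-spanning match lands in one chunk
        }
    }

    // Plain byte search over buffer[0..length); adequate for 64 KB chunks and short patterns.
    static int IndexOf(byte[] buffer, int length, byte[] pattern, int from)
    {
        for (int i = from; i <= length - pattern.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && buffer[i + j] == pattern[j]) j++;
            if (j == pattern.Length) return i;
        }
        return -1;
    }

    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.WriteLine("usage: MemoryScanner <pid> <string>"); return; }
        foreach (long addr in FindString(int.Parse(args[0]), args[1]))
            Console.WriteLine("match at 0x{0:X}", addr);
    }
}
```

Run it as `MemoryScanner 15728 somestring` to reproduce the question's case without the hard-coded address. Two caveats worth knowing: the overlap only covers chunk boundaries inside one region, so a string split across two adjacent regions (rare, since allocations are page-aligned) would be missed; and because the target keeps running, a region can vanish between `VirtualQueryEx` and `ReadProcessMemory`, which is why a failed read skips the region rather than aborting the scan.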