写入c#中的进程内存

本文关键字:进程 内存 写入 | 更新日期: 2023-09-27 18:26:49

我想向进程内存的某个地址写入偏移量,但我无法分配内存或将内存地址类型更改为"可写"。因此我无法将任何偏移量或值写入进程内存。我不确定,但我认为我的过程记忆是可读的!请帮我解决这个问题。

这就是我尝试的:

    #region dll import
    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle,
      uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, 
      byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
    [DllImport("user32.dll")]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint dwProcessId);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, 
      uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, 
      uint dwSize, uint dwFreeType);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, 
      int dwSize, uint flNewProtect, out uint lpflOldProtect);
    #endregion
    public const int
    PAGE_READWRITE = 0x40,
    PROCESS_VM_OPERATION = 0x0008,
    PROCESS_VM_READ = 0x0010,
    PROCESS_VM_WRITE = 0x0020;
    internal static bool write(IntPtr whWnd)
    {
        uint pid;
        GetWindowThreadProcessId(whWnd, out pid);
        if (pid != 0)
        {
            IntPtr hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
              PROCESS_VM_READ, false, pid);
            const int
               MEM_COMMIT = 0x1000,
               MEM_RELEASE = 0x800,
               MEM_RESERVE = 0x2000;
            byte[] data = System.Text.Encoding.UTF8.GetBytes
              ("write string to hex offset of memLoc");
            uint lpflOldProtect;
            int bytesWritten;
            IntPtr memLoc = (IntPtr)0x001D7AB4;
            IntPtr lpRemoteBuffer = IntPtr.Zero;
            VirtualProtectEx(hProcess, memLoc, 160, PAGE_READWRITE, 
              out lpflOldProtect);
            IntPtr cave = VirtualAllocEx(hProcess, IntPtr.Zero, 16, MEM_COMMIT | 
              MEM_RESERVE, PAGE_READWRITE);
            if (lpRemoteBuffer == IntPtr.Zero)
            {
                MessageBox.Show("can't VirtualAlloc");
                return false;
            }
            else
            {
                MessageBox.Show("VirtualAlloc ok");
                VirtualAllocEx(hProcess, memLoc, 4096, MEM_COMMIT, PAGE_READWRITE);
                VirtualFreeEx(hProcess, memLoc, 4096, MEM_RELEASE);
                WriteProcessMemory(hProcess, memLoc, data, 16, out bytesWritten);
                CloseHandle(hProcess);
                return true;
            }
        }
        else
        {
            MessageBox.Show("can't find the windows");
            return false;
        }
    }
    private void button1_Click(object sender, EventArgs e)
    {
        IntPtr whWnd = FindWindow(null, "the windows name");
        write( whWnd);
    }
}
}

写入c#中的进程内存

再次阅读您的代码。您可以创建一个带有值的var,并在值保持不变后检查一些行。当然这是一样的,因为你的代码不会改变它

IntPtr lpRemoteBuffer = IntPtr.Zero;
// [...]
if (lpRemoteBuffer == IntPtr.Zero)
{
    MessageBox.Show("can't VirtualAlloc");
    return false;
}

我确信您想在您的条件下检查var cave。:)

此外,要检查您的问题是否正确地改变了进程内存,请使用类似作弊引擎的程序。它允许您查看内存区域的保护情况,并确保您的内存位置存在。

您还可以使用MemorySharp(我是作者)这样的注入库来执行您想要的操作。

// Set the address to edit
var address = new IntPtr(0x001D7AB4);
// Open the process with MemorySharp
using (var m = new MemorySharp(Process.GetCurrentProcess()))
{
    // Edit the address
    m[address].WriteString("write string to hex offset of memLoc");
}