I want to write an offset to some address of process memory, but I cannot allocate memory or change the memory address type to be "writable". So I cannot write any offset or value to my process memory. I am not sure, but I think my process memory is just readable! Please help me to solve this issue.
This is what I tried:
        // Needs: using System; using System.Runtime.InteropServices; using System.Windows.Forms;
        #region dll import
        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle,
            uint dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
            byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);

        [DllImport("user32.dll")]
        public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

        [DllImport("user32.dll")]
        public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint dwProcessId);

        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(IntPtr handle);

        [DllImport("kernel32.dll")]
        public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
            uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
            uint dwSize, uint dwFreeType);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
            int dwSize, uint flNewProtect, out uint lpflOldProtect);
        #endregion

        // Page protection value and process access rights from the Windows headers.
        public const int
            PAGE_READWRITE = 0x04,
            PROCESS_VM_OPERATION = 0x0008,
            PROCESS_VM_READ = 0x0010,
            PROCESS_VM_WRITE = 0x0020;

        internal static bool write(IntPtr whWnd)
        {
            uint pid;
            GetWindowThreadProcessId(whWnd, out pid);
            if (pid != 0)
            {
                IntPtr hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                    PROCESS_VM_READ, false, pid);
                // Allocation type flags for VirtualAllocEx / VirtualFreeEx.
                const int
                    MEM_COMMIT = 0x1000,
                    MEM_RELEASE = 0x8000,
                    MEM_RESERVE = 0x2000;
                byte[] data = System.Text.Encoding.UTF8.GetBytes
                    ("write string to hex offset of memLoc");
                uint lpflOldProtect;
                int bytesWritten;
                IntPtr memLoc = (IntPtr)0x001D7AB4;
                IntPtr lpRemoteBuffer = IntPtr.Zero;
                VirtualProtectEx(hProcess, memLoc, 160, PAGE_READWRITE,
                    out lpflOldProtect);
                IntPtr cave = VirtualAllocEx(hProcess, IntPtr.Zero, 16, MEM_COMMIT |
                    MEM_RESERVE, PAGE_READWRITE);
                // lpRemoteBuffer is never assigned, so this branch is always taken.
                if (lpRemoteBuffer == IntPtr.Zero)
                {
                    MessageBox.Show("can't VirtualAlloc");
                    return false;
                }
                else
                {
                    MessageBox.Show("VirtualAlloc ok");
                    VirtualAllocEx(hProcess, memLoc, 4096, MEM_COMMIT, PAGE_READWRITE);
                    VirtualFreeEx(hProcess, memLoc, 4096, MEM_RELEASE);
                    WriteProcessMemory(hProcess, memLoc, data, 16, out bytesWritten);
                    CloseHandle(hProcess);
                    return true;
                }
            }
            else
            {
                MessageBox.Show("can't find the windows");
                return false;
            }
        }

        private void button1_Click(object sender, EventArgs e)
        {
            IntPtr whWnd = FindWindow(null, "the windows name");
            write(whWnd);
        }
    }
}
Read your code one more time. You create a var with a value and check some lines after if the value remains the same. Of course this is the same because your code does not change it.
I'm sure you wanted to check the var cave in your condition. :)
Also, to check if your question correctly alters the process memory, use a program like Cheat Engine. It allows you to view the protection of a memory region and be sure that your memory location exists.
You can also use an injection library like MemorySharp (I'm the author) to perform what you want.
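The check the answer suggests doing in Cheat Engine (does the address exist, and what is its protection) can also be done in code with VirtualQueryEx. This is an added example, not part of the original question or answer; the RegionCheck class and Describe helper are hypothetical names, and it queries the current process so that it runs without a target.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionCheck
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    const uint MEM_COMMIT = 0x1000, PAGE_GUARD = 0x100;
    // PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
    const uint WRITABLE = 0x04 | 0x08 | 0x40 | 0x80;

    // Reports whether the page containing 'address' is committed and writable.
    static string Describe(IntPtr hProcess, IntPtr address)
    {
        MEMORY_BASIC_INFORMATION mbi;
        IntPtr got = VirtualQueryEx(hProcess, address, out mbi,
            (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        if (got == IntPtr.Zero)
            return "query failed, Win32 error " + Marshal.GetLastWin32Error();
        if (mbi.State != MEM_COMMIT)
            return "not committed (State=0x" + mbi.State.ToString("X") + ")";
        bool writable = (mbi.Protect & WRITABLE) != 0 && (mbi.Protect & PAGE_GUARD) == 0;
        return "committed, Protect=0x" + mbi.Protect.ToString("X") +
               (writable ? ", writable" : ", not writable");
    }

    static void Main()
    {
        IntPtr self = Process.GetCurrentProcess().Handle;
        byte[] buf = new byte[16];                 // constructed sample target
        GCHandle pin = GCHandle.Alloc(buf, GCHandleType.Pinned);
        try
        {
            Console.WriteLine("pinned buffer: " + Describe(self, pin.AddrOfPinnedObject()));
            // The question's memLoc value, looked up here in this process only.
            Console.WriteLine("0x001D7AB4:    " + Describe(self, (IntPtr)0x001D7AB4));
        }
        finally { pin.Free(); }
    }
}
```

To query another process, the handle passed to Describe must be opened with PROCESS_QUERY_INFORMATION (0x0400), which the OpenProcess call in the question does not request.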