using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Globalization;

namespace WinFormReadMemory
{
    public partial class frmReadMemory : Form
    {
        // Global scope: the process handle we open ourselves (released in CloseHandle()).
        private IntPtr processHandle;

        // Least-privilege access rights: enough to read another process's memory, nothing more.
        private const uint PROCESS_QUERY_INFORMATION = 0x0400;
        private const uint PROCESS_VM_READ = 0x0010;

        public frmReadMemory()
        {
            InitializeComponent();
        }

        // textBox1 : display after conversion to char
        // textBox2 : display in hex
        private void button1_Click(object sender, EventArgs e)
        {
            // Get process by name (here the running instance of devenv; notepad works the same way).
            // Example of specifying a particular memory offset:
            // IntPtr Offset = new IntPtr(132290);
            // Here we point at the start address of the executable's memory image.
            // It always begins with the two famous bytes "MZ"
            // (Microsoft's signature for DOS & WIN32 executable binaries).
            // This is Microsoft's famous COFF format... followed by the message
            // "This program cannot be run in DOS mode." for executables built for WIN32...
            DumpImageStart("devenv");
        }

        private void button2_Click(object sender, EventArgs e)
        {
            // Get process by name.
            // A .NET process this time, since notepad.exe is a native binary...
            DumpImageStart("WinTestReadMemory");
        }

        // Shared routine for both buttons: reads the first 1000 bytes of the main module image.
        private void DumpImageStart(string processName)
        {
            Process[] matches = Process.GetProcessesByName(processName);
            if (matches.Length == 0)
            {
                MessageBox.Show("process not running: " + processName);
                return;
            }
            using (Process target = matches[0])
            {
                // Open our own handle with only the rights we need, instead of borrowing
                // Process.Handle (which the Process object owns and closes itself; closing
                // it here too would be a double close).
                processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, target.Id);
                if (processHandle == IntPtr.Zero)
                {
                    MessageBox.Show("OpenProcess failed, error " + Marshal.GetLastWin32Error());
                    return;
                }
                try
                {
                    IntPtr ptrEntry = target.MainModule.BaseAddress;
                    IntPtr Offset = ptrEntry;
                    byte[] buffer = new byte[1000];
                    IntPtr size = (IntPtr)buffer.Length;
                    label1.Text = ptrEntry.ToString("X");
                    IntPtr numBytesRead;
                    if (ReadProcessMemory(processHandle, Offset, buffer, size, out numBytesRead))
                    {
                        // Only the bytes actually read are meaningful; the rest of the buffer is zero.
                        int read = (int)numBytesRead;
                        StringBuilder chars = new StringBuilder(read);
                        StringBuilder hex = new StringBuilder(read * 2);
                        for (int i = 0; i < read; i++)
                        {
                            chars.Append((char)buffer[i]);
                            hex.Append(buffer[i].ToString("X2"));
                        }
                        textBox1.Text += chars.ToString();
                        textBox2.Text += hex.ToString();
                    }
                    else
                    {
                        MessageBox.Show("failed ... error " + Marshal.GetLastWin32Error());
                    }
                }
                finally
                {
                    CloseHandle();
                }
            }
        }

        // Release the handle we obtained ....
        public void CloseHandle()
        {
            if (processHandle != IntPtr.Zero)
            {
                bool result = CloseHandle(processHandle);
                if (!result)
                {
                    throw new Exception("unable to close process handle...");
                }
                processHandle = IntPtr.Zero;
            }
        }

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        // nSize and lpNumberOfBytesRead are SIZE_T / SIZE_T* in the native API: use IntPtr so the
        // marshaling is correct on both 32-bit and 64-bit, and pass the count back by reference.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(
            [In] IntPtr hProcess,
            [In] IntPtr lpBaseAddress, [Out] byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

        [DllImport("kernel32.dll", EntryPoint = "CloseHandle", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr handle);
    }
}
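The comments in the listing describe what the first bytes at a module's base address look like: "MZ" at offset 0, then the DOS stub message, then the PE header. The following is an added example (not part of the original listing or project) showing how to validate a buffer read that way before trusting it: check the "MZ" signature, read the e_lfanew field at offset 0x3C, and confirm "PE\0\0" sits at that offset, rejecting the case where a short read stops before the PE header. It runs against a constructed sample buffer rather than a live process; the class and method names (ImageHeaderCheck, FindPeSignature, DosStubMessage, BuildSampleImageStart) are illustrative.

```csharp
using System;
using System.Text;

// Added example: validate that a buffer read from a module base really starts a PE image.
public static class ImageHeaderCheck
{
    private const int E_LFANEW_OFFSET = 0x3C;   // IMAGE_DOS_HEADER.e_lfanew
    private const int DOS_HEADER_SIZE = 0x40;   // sizeof(IMAGE_DOS_HEADER)
    private const string DOS_STUB_TEXT = "This program cannot be run in DOS mode";

    // Returns the offset of the "PE\0\0" signature, or -1 when the buffer does not
    // start with "MZ" or the signature lies beyond the bytes that were actually read.
    public static int FindPeSignature(byte[] buffer, int bytesRead)
    {
        if (buffer == null || bytesRead < DOS_HEADER_SIZE || bytesRead > buffer.Length)
            return -1;
        if (buffer[0] != (byte)'M' || buffer[1] != (byte)'Z')
            return -1;
        int eLfanew = BitConverter.ToInt32(buffer, E_LFANEW_OFFSET);
        // Bounds check: with a 1000-byte read the PE header may not be inside the buffer,
        // and a hostile or corrupted e_lfanew must not index outside it.
        if (eLfanew < DOS_HEADER_SIZE || eLfanew > bytesRead - 4)
            return -1;
        if (buffer[eLfanew] != (byte)'P' || buffer[eLfanew + 1] != (byte)'E'
            || buffer[eLfanew + 2] != 0 || buffer[eLfanew + 3] != 0)
            return -1;
        return eLfanew;
    }

    // Returns the DOS stub message if it appears within the bytes read, otherwise null.
    public static string DosStubMessage(byte[] buffer, int bytesRead)
    {
        string text = Encoding.ASCII.GetString(buffer, 0, bytesRead);
        int idx = text.IndexOf(DOS_STUB_TEXT, StringComparison.Ordinal);
        return idx < 0 ? null : text.Substring(idx, DOS_STUB_TEXT.Length);
    }

    // Constructed sample (not bytes from a real file): a minimal DOS header whose
    // e_lfanew points at 0x80, a DOS stub message in between, and "PE\0\0" at 0x80.
    public static byte[] BuildSampleImageStart()
    {
        byte[] img = new byte[0x100];
        img[0] = (byte)'M';
        img[1] = (byte)'Z';
        Array.Copy(BitConverter.GetBytes(0x80), 0, img, E_LFANEW_OFFSET, 4);
        byte[] stub = Encoding.ASCII.GetBytes(DOS_STUB_TEXT + ".\r\n$");
        Array.Copy(stub, 0, img, 0x4E, stub.Length);
        img[0x80] = (byte)'P';
        img[0x81] = (byte)'E';
        return img;
    }

    public static void Main()
    {
        byte[] sample = BuildSampleImageStart();

        int pe = FindPeSignature(sample, sample.Length);
        Console.WriteLine(pe >= 0 ? "PE signature at 0x" + pe.ToString("X") : "not a PE image");
        Console.WriteLine(DosStubMessage(sample, sample.Length) ?? "(no DOS stub message)");

        // Short read: only 0x60 bytes came back, so e_lfanew points past the buffer.
        Console.WriteLine(FindPeSignature(sample, 0x60) == -1 ? "short read rejected" : "bug");
    }
}
```

In the WinForms code this check would take the `buffer` and the byte count returned by ReadProcessMemory; treating the buffer as untrusted input (bounds-checking e_lfanew against what was actually read) is the point, since a partial read or a non-image address produces a buffer that still looks like bytes.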