├── .gitignore ├── LICENSE ├── README.md ├── dotNetMemoryScan.sln ├── dotNetMemoryScan ├── EnablePrivileges.cs ├── Properties │ └── AssemblyInfo.cs ├── ScanMemory.cs └── dotNetMemoryScan.csproj └── example ├── csharp_console ├── App.config ├── Program.cs ├── Properties │ └── AssemblyInfo.cs └── csharp_console.csproj └── vb_console ├── App.config ├── Module1.vb ├── My Project ├── Application.Designer.vb ├── Application.myapp ├── AssemblyInfo.vb ├── Resources.Designer.vb ├── Resources.resx ├── Settings.Designer.vb └── Settings.settings └── vb_console.vbproj /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # MSTest test Results 33 | [Tt]est[Rr]esult*/ 34 | [Bb]uild[Ll]og.* 35 | 36 | # NUNIT 37 | *.VisualState.xml 38 | TestResult.xml 39 | 40 | # Build Results of an ATL Project 41 | [Dd]ebugPS/ 42 | [Rr]eleasePS/ 43 | dlldata.c 44 | 45 | # .NET Core 46 | project.lock.json 47 | project.fragment.lock.json 48 | artifacts/ 49 | **/Properties/launchSettings.json 50 | 51 | *_i.c 52 | *_p.c 53 | *_i.h 54 | *.ilk 55 | *.meta 56 | *.obj 57 | *.pch 58 | *.pdb 59 | *.pgc 60 | *.pgd 61 | *.rsp 62 | *.sbr 63 | *.tlb 64 | *.tli 65 | *.tlh 66 | *.tmp 67 | *.tmp_proj 68 | *.log 69 | *.vspscc 70 | *.vssscc 71 | .builds 72 | 
*.pidb 73 | *.svclog 74 | *.scc 75 | 76 | # Chutzpah Test files 77 | _Chutzpah* 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opendb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | *.VC.db 88 | *.VC.VC.opendb 89 | 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # Visual Studio code coverage results 117 | *.coverage 118 | *.coveragexml 119 | 120 | # NCrunch 121 | _NCrunch_* 122 | .*crunch*.local.xml 123 | nCrunchTemp_* 124 | 125 | # MightyMoose 126 | *.mm.* 127 | AutoTest.Net/ 128 | 129 | # Web workbench (sass) 130 | .sass-cache/ 131 | 132 | # Installshield output folder 133 | [Ee]xpress/ 134 | 135 | # DocProject is a documentation generator add-in 136 | DocProject/buildhelp/ 137 | DocProject/Help/*.HxT 138 | DocProject/Help/*.HxC 139 | DocProject/Help/*.hhc 140 | DocProject/Help/*.hhk 141 | DocProject/Help/*.hhp 142 | DocProject/Help/Html2 143 | DocProject/Help/html 144 | 145 | # Click-Once directory 146 | publish/ 147 | 148 | # Publish Web Output 149 | *.[Pp]ublish.xml 150 | *.azurePubxml 151 | # TODO: Comment the next line if you want to checkin your web deploy settings 152 | # but database connection strings (with potential passwords) will be unencrypted 153 | *.pubxml 154 | *.publishproj 155 | 156 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 157 | # checkin your Azure Web App publish settings, but sensitive information contained 158 | # in these scripts will be unencrypted 159 | PublishScripts/ 160 | 161 | # NuGet Packages 162 | *.nupkg 163 | # The packages folder can be ignored because of Package Restore 164 | **/packages/* 165 | # except build/, which is used as an MSBuild target. 166 | !**/packages/build/ 167 | # Uncomment if necessary however generally it will be regenerated when needed 168 | #!**/packages/repositories.config 169 | # NuGet v3's project.json files produces more ignorable files 170 | *.nuget.props 171 | *.nuget.targets 172 | 173 | # Microsoft Azure Build Output 174 | csx/ 175 | *.build.csdef 176 | 177 | # Microsoft Azure Emulator 178 | ecf/ 179 | rcf/ 180 | 181 | # Windows Store app package directories and files 182 | AppPackages/ 183 | BundleArtifacts/ 184 | Package.StoreAssociation.xml 185 | _pkginfo.txt 186 | 187 | # Visual Studio cache files 188 | # files ending in .cache can be ignored 189 | *.[Cc]ache 190 | # but keep track of directories ending in .cache 191 | !*.[Cc]ache/ 192 | 193 | # Others 194 | ClientBin/ 195 | ~$* 196 | *~ 197 | *.dbmdl 198 | *.dbproj.schemaview 199 | *.jfm 200 | *.pfx 201 | *.publishsettings 202 | orleans.codegen.cs 203 | 204 | # Since there are multiple workflows, uncomment next line to ignore bower_components 205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 206 | #bower_components/ 207 | 208 | # RIA/Silverlight projects 209 | Generated_Code/ 210 | 211 | # Backup & report files from converting an old project file 212 | # to a newer Visual Studio version. 
Backup files are not needed, 213 | # because we have git ;-) 214 | _UpgradeReport_Files/ 215 | Backup*/ 216 | UpgradeLog*.XML 217 | UpgradeLog*.htm 218 | 219 | # SQL Server files 220 | *.mdf 221 | *.ldf 222 | *.ndf 223 | 224 | # Business Intelligence projects 225 | *.rdl.data 226 | *.bim.layout 227 | *.bim_*.settings 228 | 229 | # Microsoft Fakes 230 | FakesAssemblies/ 231 | 232 | # GhostDoc plugin setting file 233 | *.GhostDoc.xml 234 | 235 | # Node.js Tools for Visual Studio 236 | .ntvs_analysis.dat 237 | node_modules/ 238 | 239 | # Typescript v1 declaration files 240 | typings/ 241 | 242 | # Visual Studio 6 build log 243 | *.plg 244 | 245 | # Visual Studio 6 workspace options file 246 | *.opt 247 | 248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 249 | *.vbw 250 | 251 | # Visual Studio LightSwitch build output 252 | **/*.HTMLClient/GeneratedArtifacts 253 | **/*.DesktopClient/GeneratedArtifacts 254 | **/*.DesktopClient/ModelManifest.xml 255 | **/*.Server/GeneratedArtifacts 256 | **/*.Server/ModelManifest.xml 257 | _Pvt_Extensions 258 | 259 | # Paket dependency manager 260 | .paket/paket.exe 261 | paket-files/ 262 | 263 | # FAKE - F# Make 264 | .fake/ 265 | 266 | # JetBrains Rider 267 | .idea/ 268 | *.sln.iml 269 | 270 | # CodeRush 271 | .cr/ 272 | 273 | # Python Tools for Visual Studio (PTVS) 274 | __pycache__/ 275 | *.pyc 276 | 277 | # Cake - Uncomment if you are using it 278 | # tools/** 279 | # !tools/packages.config 280 | 281 | # Telerik's JustMock configuration file 282 | *.jmconfig 283 | 284 | # BizTalk build output 285 | *.btp.cs 286 | *.btm.cs 287 | *.odx.cs 288 | *.xsd.cs 289 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 SmoLL_iCe 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and 
associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # dotNetMemoryScan 2 | 3 | [![forthebadge](https://forthebadge.com/images/badges/made-with-c-sharp.svg)](https://forthebadge.com) 4 | 5 | ## What is it? 6 | This is a .NET library for reading and writing memory. It focuses mainly on byte-array scanning 7 | using a specific search pattern. 8 | You can look for an AOB (array of bytes) pattern in all process memory, dynamic and static. 9 | 10 | ## Example of use: 11 | C# 12 | ```csharp 13 | dotNetMemoryScan find_aob = new dotNetMemoryScan(); 14 | 15 | // with simple array 16 | var find_ptr = find_aob.scan_all("test.exe", "83 05 ?? ?? ?? ?? 0A A1"); 17 | 18 | //... 
or 19 | 20 | // with pattern and mask 21 | var find_ptr = find_aob.scan_all("test.exe", @"\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx"); 22 | 23 | var p = Process.GetProcessesByName("test"); 24 | if (p != null && p.Count() > 0) 25 | { 26 | // can be used by passing the process handle directly. 27 | var find_ptr = find_aob.scan_all(p[0].Handle, "83 05 ?? ?? ?? ?? 0A A1"); 28 | 29 | // can be used by passing the process. 30 | var find_ptr = find_aob.scan_all(p[0], "83 05 ?? ?? ?? ?? 0A A1"); 31 | 32 | // can be used by passing the process id. 33 | var find_ptr = find_aob.scan_all(p[0].Id, "83 05 ?? ?? ?? ?? 0A A1"); 34 | } 35 | 36 | // scan_module: scans only the static part of the module 37 | var find_ptr = find_aob.scan_module("test.exe", "test.exe", "83 05 ?? ?? ?? ?? 0A A1"); 38 | 39 | // with pattern and mask 40 | var find_ptr = find_aob.scan_module("test.exe", "name.dll", @"\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx"); 41 | 42 | // Writing in memory. 43 | find_aob.write_mem("test.exe", find_ptr, "90 90 90 90 90 90 90"); 44 | ``` 45 | 46 | VB 47 | ```vb 48 | Dim find_aob As New dotNetMemoryScan() 49 | ' with simple array 50 | Dim find_ptr = find_aob.scan_all("test.exe", "83 05 ?? ?? ?? ?? 0A A1") 51 | 52 | ' with pattern And mask 53 | Dim find_ptr = find_aob.scan_all("test.exe", "\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx") 54 | 55 | Dim p = Process.GetProcessesByName("test") 56 | If Not IsNothing(p) And p.Count() > 0 Then 57 | ' can be used by passing the process handle directly. 58 | Dim find_ptr = find_aob.scan_all(p(0).Handle, "83 05 ?? ?? ?? ?? 0A A1") 59 | 60 | ' can be used by passing the process. 61 | Dim find_ptr = find_aob.scan_all(p(0), "83 05 ?? ?? ?? ?? 0A A1") 62 | 63 | ' can be used by passing the process id. 64 | Dim find_ptr = find_aob.scan_all(p(0).Id, "83 05 ?? ?? ?? ?? 0A A1") 65 | End If 66 | 67 | ' scan_module: scans only the Static part Of the Module 68 | Dim find_ptr = find_aob.scan_module("test.exe", "test.exe", "83 05 ?? ?? ?? ?? 
0A A1") 69 | 70 | ' with pattern And mask 71 | Dim find_ptr = find_aob.scan_module("test.exe", "name.dll", "\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx") 72 | 73 | ' Writing in memory. 74 | find_aob.write_mem("test.exe", find_ptr, "90 90 90 90 90 90 90") 75 | 76 | ' or 77 | find_aob.write_mem("test.exe", find_ptr, "\x90\x90\x90\x90\x90\x90\x90") 78 | ``` 79 | ## License 80 | [![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)](https://raw.githubusercontent.com/guilhermelim/Process-Memory-Tools/master/LICENSE) 81 | -------------------------------------------------------------------------------- /dotNetMemoryScan.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29230.47 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "dotNetMemoryScan", "dotNetMemoryScan\dotNetMemoryScan.csproj", "{87D0E88E-AADA-4391-9297-45310CD6A906}" 7 | EndProject 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "csharp_console", "example\csharp_console\csharp_console.csproj", "{80948843-A691-4A55-8300-264DCA6AF71E}" 9 | EndProject 10 | Project("{F184B08F-C81C-45F6-A57F-5ABD9991F28F}") = "vb_console", "example\vb_console\vb_console.vbproj", "{8AFA6731-3960-456F-893E-D0792CB6ED64}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|x64 = Debug|x64 15 | Debug|x86 = Debug|x86 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Debug|x64.ActiveCfg = Debug|x64 21 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Debug|x64.Build.0 = Debug|x64 22 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Debug|x86.ActiveCfg = Debug|x86 23 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Debug|x86.Build.0 = 
Debug|x86 24 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Release|x64.ActiveCfg = Release|x64 25 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Release|x64.Build.0 = Release|x64 26 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Release|x86.ActiveCfg = Release|x86 27 | {87D0E88E-AADA-4391-9297-45310CD6A906}.Release|x86.Build.0 = Release|x86 28 | {80948843-A691-4A55-8300-264DCA6AF71E}.Debug|x64.ActiveCfg = Debug|x64 29 | {80948843-A691-4A55-8300-264DCA6AF71E}.Debug|x64.Build.0 = Debug|x64 30 | {80948843-A691-4A55-8300-264DCA6AF71E}.Debug|x86.ActiveCfg = Debug|x86 31 | {80948843-A691-4A55-8300-264DCA6AF71E}.Debug|x86.Build.0 = Debug|x86 32 | {80948843-A691-4A55-8300-264DCA6AF71E}.Release|x64.ActiveCfg = Release|x64 33 | {80948843-A691-4A55-8300-264DCA6AF71E}.Release|x64.Build.0 = Release|x64 34 | {80948843-A691-4A55-8300-264DCA6AF71E}.Release|x86.ActiveCfg = Release|x86 35 | {80948843-A691-4A55-8300-264DCA6AF71E}.Release|x86.Build.0 = Release|x86 36 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Debug|x64.ActiveCfg = Debug|x64 37 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Debug|x64.Build.0 = Debug|x64 38 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Debug|x86.ActiveCfg = Debug|x86 39 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Debug|x86.Build.0 = Debug|x86 40 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Release|x64.ActiveCfg = Release|x64 41 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Release|x64.Build.0 = Release|x64 42 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Release|x86.ActiveCfg = Release|x86 43 | {8AFA6731-3960-456F-893E-D0792CB6ED64}.Release|x86.Build.0 = Release|x86 44 | EndGlobalSection 45 | GlobalSection(SolutionProperties) = preSolution 46 | HideSolutionNode = FALSE 47 | EndGlobalSection 48 | GlobalSection(ExtensibilityGlobals) = postSolution 49 | SolutionGuid = {94B2BC77-0EDC-45DD-8864-6494E05CB5CB} 50 | EndGlobalSection 51 | EndGlobal 52 | -------------------------------------------------------------------------------- /dotNetMemoryScan/EnablePrivileges.cs: 
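--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Runtime.InteropServices;


/// <summary>
/// P/Invoke wrapper that enables SeDebugPrivilege on the current process token.
/// </summary>
/// <remarks>
/// SeDebugPrivilege lets the holder open other processes for debugging regardless of
/// their security descriptor, and is normally held only by administrators. The
/// privilege stays enabled on the process token after <see cref="GoDebugPriv"/>
/// returns; nothing in this class disables it again.
/// </remarks>
public class EnablePrivileges
{
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle,
        UInt32 DesiredAccess, out IntPtr TokenHandle);

    // Token access rights. Only TOKEN_ADJUST_PRIVILEGES and TOKEN_QUERY are requested
    // by GoDebugPriv; the others are kept for reference.
    private const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
    private const uint STANDARD_RIGHTS_READ = 0x00020000;
    private const uint TOKEN_ASSIGN_PRIMARY = 0x0001;
    private const uint TOKEN_DUPLICATE = 0x0002;
    private const uint TOKEN_IMPERSONATE = 0x0004;
    private const uint TOKEN_QUERY = 0x0008;
    private const uint TOKEN_QUERY_SOURCE = 0x0010;
    private const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    private const uint TOKEN_ADJUST_GROUPS = 0x0040;
    private const uint TOKEN_ADJUST_DEFAULT = 0x0080;
    private const uint TOKEN_ADJUST_SESSIONID = 0x0100;
    private const uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
    private const uint TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
        TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
        TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
        TOKEN_ADJUST_SESSIONID);

    // Win32 error reported through GetLastError when AdjustTokenPrivileges returns TRUE
    // but the token does not hold the requested privilege.
    private const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupPrivilegeValue(string lpSystemName, string lpName,
        out LUID lpLuid);

    // Privilege names accepted by LookupPrivilegeValue. Only SE_DEBUG_NAME is used below.
    public const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
    public const string SE_AUDIT_NAME = "SeAuditPrivilege";

    public const string SE_BACKUP_NAME = "SeBackupPrivilege";

    public const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";

    public const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";

    public const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";

    public const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";

    public const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";

    public const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";

    public const string SE_DEBUG_NAME = "SeDebugPrivilege";

    public const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";

    public const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";

    public const string SE_INC_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";

    public const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";

    public const string SE_INC_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";

    public const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";

    public const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";

    public const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";

    public const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";

    public const string SE_PROF_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";

    public const string SE_RELABEL_NAME = "SeRelabelPrivilege";

    public const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";

    public const string SE_RESTORE_NAME = "SeRestorePrivilege";

    public const string SE_SECURITY_NAME = "SeSecurityPrivilege";

    public const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";

    public const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";

    public const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";

    public const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";

    public const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";

    public const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";

    public const string SE_TCB_NAME = "SeTcbPrivilege";

    public const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";

    public const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";

    public const string SE_UNDOCK_NAME = "SeUndockPrivilege";

    public const string SE_UNSOLICITED_INPUT_NAME = "SeUnsolicitedInputPrivilege";

    /// <summary>Locally unique identifier, as filled in by LookupPrivilegeValue.</summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID
    {
        public UInt32 LowPart;
        public Int32 HighPart;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hHandle);

    public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
    public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
    public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
    public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;

    /// <summary>
    /// Flattened single-entry form of the Win32 TOKEN_PRIVILEGES structure: one count
    /// followed by exactly one LUID/attributes pair. PrivilegeCount must stay 1.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES
    {
        public UInt32 PrivilegeCount;
        public LUID Luid;
        public UInt32 Attributes;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES
    {
        public LUID Luid;
        public UInt32 Attributes;
    }

    // Use this signature if you do not want the previous state
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool AdjustTokenPrivileges(IntPtr TokenHandle,
        [MarshalAs(UnmanagedType.Bool)]bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState,
        UInt32 Zero,
        IntPtr Null1,
        IntPtr Null2);

    /// <summary>
    /// Outcome of the most recent <see cref="GoDebugPriv"/> call: true only when the
    /// token was opened, the privilege was looked up, and AdjustTokenPrivileges reported
    /// that the privilege was actually assigned.
    /// </summary>
    public static bool DebugPrivilegeEnabled { get; private set; }

    /// <summary>
    /// Tries to enable SeDebugPrivilege on the current process token.
    /// </summary>
    /// <remarks>
    /// The method keeps its original best-effort contract (no exception, no return value)
    /// and records the outcome in <see cref="DebugPrivilegeEnabled"/>.
    /// </remarks>
    public static void GoDebugPriv()
    {
        DebugPrivilegeEnabled = false;

        IntPtr hToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
        {
            return;
        }

        try
        {
            LUID luidSEDebugNameValue;
            if (!LookupPrivilegeValue(null, SE_DEBUG_NAME, out luidSEDebugNameValue))
            {
                return;
            }

            TOKEN_PRIVILEGES tkpPrivileges;
            tkpPrivileges.PrivilegeCount = 1;
            tkpPrivileges.Luid = luidSEDebugNameValue;
            tkpPrivileges.Attributes = SE_PRIVILEGE_ENABLED;

            bool adjusted = AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero);
            // Must be read immediately after the P/Invoke call, before any other call
            // can overwrite the thread's last-error value.
            int lastError = Marshal.GetLastWin32Error();

            // AdjustTokenPrivileges returns TRUE even when the token does not hold the
            // privilege (typical for a non-elevated process); that case is only visible
            // as ERROR_NOT_ALL_ASSIGNED.
            DebugPrivilegeEnabled = adjusted && lastError != ERROR_NOT_ALL_ASSIGNED;
        }
        finally
        {
            // Release the token handle on every path, including early returns.
            CloseHandle(hToken);
        }
    }
}
--------------------------------------------------------------------------------
/dotNetMemoryScan/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("dotNetMemoryScan")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("dotNetMemoryScan")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly invisible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.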
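[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("87d0e88e-aada-4391-9297-45310cd6a906")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or default the Build and Revision Numbers
// by using the "*" as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/dotNetMemoryScan/ScanMemory.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using Microsoft.Win32.SafeHandles;
using System.Windows.Forms;
using System.Text.RegularExpressions;
using System.Runtime.ConstrainedExecution;
using System.Security;
using System.Security.Principal;

/// <summary>
/// Scans the memory of another process for a byte pattern (AOB) with wildcards.
/// The pattern, mask, target handle and pid are kept in instance fields, so one
/// instance holds the state of one scan at a time.
/// </summary>
public class dotNetMemoryScan
{

    // NOTE(review): calling kernel32!GetLastError directly from managed code is unreliable
    // because the runtime may make other Win32 calls in between; Marshal.GetLastWin32Error()
    // together with SetLastError = true on the import is the supported route.
    [DllImport("kernel32.dll")]
    public static extern uint GetLastError();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern void SetLastError(uint dwErrorCode);
    // NOTE(review): Win32 returns a pointer-sized HANDLE here; the int return type is kept
    // because callers outside this excerpt may depend on it.
    [DllImport("kernel32.dll")]
    public static extern int OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    // NOTE(review): Win32 declares nSize and *lpNumberOfBytesRead as SIZE_T (pointer-sized).
    // With "out uint" the x64 configurations of this solution hand the API a 4-byte slot for
    // an 8-byte write. The signature is left unchanged because its callers are outside this
    // excerpt; the fix is UIntPtr/IntPtr for both parameters, applied together with them.
    [DllImport("kernel32.dll")]
    protected static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, out uint lpNumberOfBytesRead);

    // NOTE(review): the last parameter is a SIZE_T* in Win32 but is passed by value here, so
    // the value is interpreted as an address. Only 0 (NULL, "do not report") is safe to pass.
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, uint lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    protected static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

    [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool IsWow64Process([In] IntPtr processHandle,
        [Out, MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
    [DllImport("kernel32.dll", EntryPoint = "GetProcessId", CharSet = CharSet.Auto)]
    static extern int GetProcessId(IntPtr handle);
    [DllImport("kernel32.dll")]
    static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
        UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    /// <summary>
    /// Creates a scanner. Every construction calls EnablePrivileges.GoDebugPriv(), which
    /// tries to enable SeDebugPrivilege on the calling process token; the outcome is not
    /// checked here and the privilege is not dropped afterwards.
    /// </summary>
    public dotNetMemoryScan()
    {
        EnablePrivileges.GoDebugPriv();
    }

    /// <summary>Returns the system message text for a Win32 error code.</summary>
    public static string GetSystemMessage(uint errorCode)
    {
        var exception = new System.ComponentModel.Win32Exception((int)errorCode);
        return exception.Message;
    }

    /// <summary>Managed layout for the buffer filled in by VirtualQueryEx.</summary>
    [StructLayout(LayoutKind.Sequential)]
    protected struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public UIntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }
    //uint PROCESS_ALL_ACCESS = 0x1F0FF;
    //Memory Protect
    //https://msdn.microsoft.com/en-us/library/windows/hardware/dn957515(v=vs.85).aspx
    private enum AllocationProtectEnum : uint
    {
        PAGE_EXECUTE = 0x00000010,
        PAGE_EXECUTE_READ = 0x00000020,
        PAGE_EXECUTE_READWRITE = 0x00000040,
        PAGE_EXECUTE_WRITECOPY = 0x00000080,
        PAGE_NOACCESS = 0x00000001,
        PAGE_READONLY = 0x00000002,
        PAGE_READWRITE = 0x00000004,
        PAGE_WRITECOPY = 0x00000008,
        PAGE_GUARD = 0x00000100,
        PAGE_NOCACHE = 0x00000200,
        PAGE_WRITECOMBINE = 0x00000400
    }
    //Memory State
    //https://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx
    private enum StateEnum : uint
    {
        MEM_COMMIT = 0x1000,
        MEM_FREE = 0x10000,
        MEM_RESERVE = 0x2000
    }
    private enum TypeEnum : uint
    {
        MEM_IMAGE = 0x1000000,
        MEM_MAPPED = 0x40000,
        MEM_PRIVATE = 0x20000
    }

    // State of the current scan: pattern bytes, per-byte mask ('x' = compare, '?' = skip),
    // target process handle and pid.
    byte[] current_aob = null;
    string mask = "";
    IntPtr handle = IntPtr.Zero;
    int pid = 0;

    /// <summary>
    /// True when <paramref name="text"/> is a sequence of two-digit hex bytes and wildcards
    /// ("?", "??", or a hex digit followed by "?"), each optionally followed by one
    /// whitespace character.
    /// </summary>
    /// <remarks>
    /// The previous expression nested ".*" inside a repeated group: it accepted arbitrary
    /// text in front of any '?' and could backtrack exponentially on a long non-matching
    /// string. Each alternative below is decided by at most two characters, so matching
    /// is linear in the input length.
    /// </remarks>
    bool is_valid_hex_array(string text)
    {
        if (text == null)
            return false;
        var regex = new Regex(@"^(?:(?:[a-fA-F0-9]{2}|[a-fA-F0-9]?\?)\s?)+$");
        return regex.Match(text).Success;
    }

    /// <summary>
    /// True when <paramref name="text"/> is one or more "\xHH" escapes and nothing else.
    /// The previous character class also accepted '*' in place of the backslash, which the
    /// parsers below then failed to split.
    /// </summary>
    bool is_valid_pattern_mask(string text)
    {
        if (text == null)
            return false;
        var regex = new Regex(@"^(?:\\x[a-fA-F0-9]{2})+$");
        return regex.Match(text).Success;
    }

    /// <summary>
    /// True when <paramref name="text"/> contains only 'x', 'X' and '?' (an empty mask is
    /// still accepted, as before). Replaces an expression with the same nested ".*"
    /// problem as the hex-array validator.
    /// </summary>
    bool is_valid_mask(string text)
    {
        if (text == null)
            return false;
        var regex = new Regex(@"^[xX?]*$");
        return regex.Match(text).Success;
    }

    /// <summary>
    /// Parses a space-separated pattern such as "83 05 ?? ?? 0A A1" into current_aob and mask.
    /// </summary>
    /// <returns>The number of pattern bytes, or 0 (after a message box) when the text is not valid.</returns>
    /// <remarks>
    /// Validation and parsing now work on the same tokens. Previously the validator saw the
    /// text with spaces removed while the parser split the original text on single spaces,
    /// so an empty string, doubled or trailing spaces, unspaced input or non-hex text in
    /// front of a '?' passed or bypassed validation and then threw from the indexer or
    /// from Convert.ToByte. Scan state is only replaced once the whole pattern is valid.
    /// </remarks>
    int str_array_to_aob(string inputed_str)
    {
        // Split on any whitespace and drop empty entries.
        var part_hex = (inputed_str ?? "").Split((char[])null, StringSplitOptions.RemoveEmptyEntries);

        var all_valid = part_hex.Length > 0;
        foreach (var token in part_hex)
            all_valid = all_valid && token.Length <= 2 && is_valid_hex_array(token);

        if (!all_valid)
        {
            MessageBox.Show("not valid hex array {x1F0}", "by dotNetMemoryScan");
            return 0;
        }

        var parsed_aob = new byte[part_hex.Length];
        var parsed_mask = new StringBuilder(part_hex.Length);
        for (var i = 0; i < part_hex.Length; ++i)
        {
            if (part_hex[i].Contains("?"))
            {
                // Any token containing '?' is a whole-byte wildcard; 0xCC is only a filler.
                parsed_aob[i] = 0xCC;
                parsed_mask.Append('?');
            }
            else
            {
                parsed_aob[i] = Convert.ToByte(part_hex[i], 16);
                parsed_mask.Append('x');
            }
        }

        current_aob = parsed_aob;
        mask = parsed_mask.ToString();
        return part_hex.Length;
    }

    /// <summary>
    /// Parses a "\xHH\xHH..." pattern with an explicit mask into current_aob and mask.
    /// </summary>
    /// <returns>
    /// 0 when the mask or pattern is invalid or their lengths differ; otherwise the number
    /// of split parts, which is the byte count plus one (kept as in the original, callers
    /// in this excerpt only compare it with 0).
    /// </returns>
    int pattern_to_aob(string inputed_str, string i_mask)
    {
        if (inputed_str == null || !is_valid_mask(i_mask))
            return 0;
        var trated_str = inputed_str.Replace(" ", "");
        if (!is_valid_pattern_mask(trated_str))
        {
            MessageBox.Show("not valid pattern {x1F0}", "by dotNetMemoryScan");
            return 0;
        }

        // Split the validated, space-free text; splitting the raw input left spaces inside
        // the tokens handed to Convert.ToByte.
        var part_hex = trated_str.Split(new[] { @"\x" }, StringSplitOptions.None);
        if ((part_hex.Count() - 1) != i_mask.Length)
            return 0;
        mask = i_mask;
        current_aob = new byte[part_hex.Count() - 1];
        // part_hex[0] is the empty string in front of the first "\x".
        for (var i = 1; i < part_hex.Count(); ++i)
        {
            var l = i - 1;
            if (i_mask[l] == '?')
                current_aob[l] = 0xCC;
            else
                current_aob[l] = Convert.ToByte(part_hex[i], 16);
        }
        return part_hex.Count();
    }

    /// <summary>
    /// Parses a "\xHH\xHH..." pattern without wildcards into current_aob. The mask field is
    /// not modified by this overload.
    /// </summary>
    /// <returns>0 when the pattern is invalid; otherwise the byte count plus one.</returns>
    int pattern_to_aob(string inputed_str)
    {
        if (inputed_str == null)
            return 0;
        var trated_str = inputed_str.Replace(" ", "");
        if (!is_valid_pattern_mask(trated_str))
        {
            MessageBox.Show("not valid pattern {x1F1}", "by dotNetMemoryScan");
            return 0;
        }
        var part_hex = trated_str.Split(new[] { @"\x" }, StringSplitOptions.None);
        current_aob = new byte[part_hex.Count() - 1];
        for (var i = 1; i < part_hex.Count(); ++i)
            current_aob[i - 1] = Convert.ToByte(part_hex[i], 16);
        return part_hex.Count();
    }

    /// <summary>True when the current Windows identity is in the built-in Administrators role.</summary>
    public static bool IsAdministrator()
    {
        // WindowsIdentity wraps a token handle; dispose it instead of leaving it to the finalizer.
        using (var identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    /// <summary>
    /// Returns p.Handle, or IntPtr.Zero when p is null or the handle cannot be obtained.
    /// Failures are reported through a message box rather than propagated.
    /// </summary>
    IntPtr get_handle(Process p)
    {
        if (p == null)
            return IntPtr.Zero;
        try
        { return p.Handle; }
        catch (Exception ex)
        {
            if (!IsAdministrator())
                MessageBox.Show("Run the program as an administrator.", "by dotNetMemoryScan");
            else
                MessageBox.Show("error: " + ex.Message);
        }
        return IntPtr.Zero;
    }
    //===================================================================================================================================
    //===================================================================================================================================
    //===================================================================================================================================
    /// <summary>
    /// Scans the process behind <paramref name="handle"/> for a space-separated hex pattern.
    /// Returns IntPtr.Zero when the pattern is invalid; otherwise the result of
    /// scan_all_regions(), which is defined outside this excerpt.
    /// </summary>
    public IntPtr scan_all(IntPtr handle, string pattern)
    {
        if (str_array_to_aob(pattern) == 0)
            return IntPtr.Zero;
        this.handle = handle;
        this.pid = GetProcessId(this.handle);
        return scan_all_regions();
    }
    /// <summary>Same scan, resolving the handle from a Process object.</summary>
    public IntPtr scan_all(Process p, string pattern)
    {
        var by_handle = get_handle(p);
        if (by_handle != IntPtr.Zero)
            return scan_all(by_handle, pattern);
        return IntPtr.Zero;
    }
    /// <summary>
    /// Same scan, resolving the process by name. Every ".exe" substring is removed from
    /// <paramref name="p_name"/> before the lookup through GetPID (defined outside this excerpt).
    /// </summary>
    public IntPtr scan_all(string p_name, string pattern)
    {
        var by_handle = get_handle(GetPID(p_name.Replace(".exe", "")));
        if (by_handle != IntPtr.Zero)
            return scan_all(by_handle, pattern);
        return IntPtr.Zero;
    }
    /// <summary>
    /// Same scan, resolving the process by id. Process.GetProcessById throws
    /// ArgumentException when no such process is running; that exception propagates.
    /// </summary>
    public IntPtr scan_all(int pid, string pattern)
    {
        var by_handle = get_handle(Process.GetProcessById(pid));
        if (by_handle != IntPtr.Zero)
            return scan_all(by_handle, pattern);
        return IntPtr.Zero;
    }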
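//===============================================================================
// scan_all, "\xNN" pattern plus mask
//===============================================================================

    /// <summary>
    /// Scans every region of the process behind <paramref name="handle"/> for a
    /// "\xNN..." pattern filtered by <paramref name="mask"/>. Returns the match
    /// address, or IntPtr.Zero when the input is rejected or nothing is found.
    /// </summary>
    public IntPtr scan_all(IntPtr handle, string pattern, string mask)
    {
        if (pattern_to_aob(pattern, mask) == 0)
            return IntPtr.Zero;
        this.handle = handle;
        // Record the pid as the mask-less overload does: scan_all_regions reads
        // this.pid when it has to look the process up again.
        this.pid = GetProcessId(this.handle);
        return scan_all_regions();
    }

    /// <summary>Same scan, addressed by Process object.</summary>
    public IntPtr scan_all(Process p, string pattern, string mask)
    {
        var by_handle = get_handle(p);
        return by_handle == IntPtr.Zero ? IntPtr.Zero : scan_all(by_handle, pattern, mask);
    }

    /// <summary>Same scan, addressed by process name (".exe" is stripped).</summary>
    public IntPtr scan_all(string p_name, string pattern, string mask)
    {
        var by_handle = get_handle(GetPID(p_name.Replace(".exe", "")));
        return by_handle == IntPtr.Zero ? IntPtr.Zero : scan_all(by_handle, pattern, mask);
    }

    /// <summary>
    /// Same scan, addressed by process id. Process.GetProcessById throws
    /// ArgumentException for an id that is not running.
    /// </summary>
    public IntPtr scan_all(int pid, string pattern, string mask)
    {
        var by_handle = get_handle(Process.GetProcessById(pid));
        return by_handle == IntPtr.Zero ? IntPtr.Zero : scan_all(by_handle, pattern, mask);
    }

    //===============================================================================
    // scan_module, space-separated hex pattern
    //===============================================================================

    /// <summary>
    /// Searches only the image of the module whose file name contains
    /// <paramref name="module_name"/>. Returns the match address or IntPtr.Zero.
    /// </summary>
    public IntPtr scan_module(Process p, string module_name, string pattern)
    {
        this.handle = get_handle(p);
        if (this.handle == IntPtr.Zero)
            return IntPtr.Zero;
        if (str_array_to_aob(pattern) == 0)
            return IntPtr.Zero;
        return module_region(p, module_name);
    }

    /// <summary>Same search, addressed by process id.</summary>
    public IntPtr scan_module(int pid, string module_name, string pattern)
    {
        var p = Process.GetProcessById(pid);
        return p == null ? IntPtr.Zero : scan_module(p, module_name, pattern);
    }

    /// <summary>Same search, addressed by process name (".exe" is stripped).</summary>
    public IntPtr scan_module(string p_name, string module_name, string pattern)
    {
        var p = GetPID(p_name.Replace(".exe", ""));
        return p == null ? IntPtr.Zero : scan_module(p, module_name, pattern);
    }

    /// <summary>
    /// Same search, addressed by handle. The handle is first translated to a pid;
    /// a pid of 0 is treated as failure.
    /// </summary>
    public IntPtr scan_module(IntPtr handle, string module_name, string pattern)
    {
        int pid = GetProcessId(handle);
        return pid == 0 ? IntPtr.Zero : scan_module(pid, module_name, pattern);
    }

    //===============================================================================
    // scan_module, "\xNN" pattern plus mask
    //===============================================================================

    /// <summary>Module search with an explicit mask.</summary>
    public IntPtr scan_module(Process p, string module_name, string pattern, string mask)
    {
        this.handle = get_handle(p);
        if (this.handle == IntPtr.Zero)
            return IntPtr.Zero;
        if (pattern_to_aob(pattern, mask) == 0)
            return IntPtr.Zero;
        return module_region(p, module_name);
    }

    /// <summary>Masked module search, addressed by process id.</summary>
    public IntPtr scan_module(int pid, string module_name, string pattern, string mask)
    {
        var p = Process.GetProcessById(pid);
        return p == null ? IntPtr.Zero : scan_module(p, module_name, pattern, mask);
    }

    /// <summary>Masked module search, addressed by process name (".exe" is stripped).</summary>
    public IntPtr scan_module(string p_name, string module_name, string pattern, string mask)
    {
        var p = GetPID(p_name.Replace(".exe", ""));
        return p == null ? IntPtr.Zero : scan_module(p, module_name, pattern, mask);
    }

    /// <summary>Masked module search, addressed by handle.</summary>
    public IntPtr scan_module(IntPtr handle, string module_name, string pattern, string mask)
    {
        int pid = GetProcessId(handle);
        return pid == 0 ? IntPtr.Zero : scan_module(pid, module_name, pattern, mask);
    }

    //===============================================================================
    // helpers
    //===============================================================================

    /// <summary>
    /// Walks the target's address space with VirtualQueryEx and appends every
    /// committed region that is not a guard page to <paramref name="mapped_memory"/>.
    /// </summary>
    /// <returns>True when at least one region is in the list.</returns>
    protected bool map_process_memory(IntPtr pHandle, List<MEMORY_BASIC_INFORMATION> mapped_memory)
    {
        IntPtr address = new IntPtr();
        MEMORY_BASIC_INFORMATION MBI = new MEMORY_BASIC_INFORMATION();
        var mbi_size = (uint)Marshal.SizeOf(MBI);

        var found = VirtualQueryEx(pHandle, address, out MBI, mbi_size);
        while (found != 0)
        {
            var committed = (MBI.State & (uint)StateEnum.MEM_COMMIT) != 0;
            var guarded = (MBI.Protect & (uint)AllocationProtectEnum.PAGE_GUARD) == (uint)AllocationProtectEnum.PAGE_GUARD;
            if (committed && !guarded)
                mapped_memory.Add(MBI);

            // Step to the region that follows. Stop if the address does not move
            // forward, otherwise the same region would be added forever.
            long next = MBI.BaseAddress.ToInt64() + (uint)MBI.RegionSize;
            if (next <= address.ToInt64())
                break;
            address = new IntPtr(next);

            // Query again for the new address; the walk ends when the call returns 0.
            found = VirtualQueryEx(pHandle, address, out MBI, mbi_size);
        }
        return mapped_memory.Count > 0;
    }

    /// <summary>
    /// Architecture tag used only to compare two processes: -1 when
    /// IsWow64Process fails, 0 when the process runs under WOW64, 1 otherwise.
    /// Despite the name, 1 means "not WOW64", which is also what a native 32-bit
    /// process on a 32-bit system reports.
    /// </summary>
    int is_x64_process(IntPtr by_handle)
    {
        var is_64 = false;
        if (!IsWow64Process(by_handle, out is_64))
            return -1;
        return is_64 ? 0 : 1;
    }

    /// <summary>
    /// Finds the first offset at or after <paramref name="init_index"/> where
    /// <c>current_aob</c> matches <paramref name="buffer"/>, ignoring positions
    /// whose mask character is '?'.
    /// </summary>
    /// <returns>
    /// The offset of the match, or 0 when there is none. A match at offset 0 is
    /// therefore indistinguishable from "not found"; callers compare against 0.
    /// </returns>
    int search_pattern(byte[] buffer, int init_index)
    {
        // Last offset at which the whole pattern still fits inside the buffer;
        // going past it would index beyond the end of the array.
        var last_start = buffer.Length - current_aob.Length;
        for (var i = init_index; i <= last_start; ++i)
        {
            var matched = true;
            for (var x = 0; x < current_aob.Length; x++)
            {
                if (mask[x] != '?' && current_aob[x] != buffer[i + x])
                {
                    matched = false;
                    break;
                }
            }
            if (matched)
                return i;
        }
        return 0;
    }
    IntPtr module_region(Process p, string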
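module_str)
    {
        // Reads the image of the module matched by find_module and searches it for
        // current_aob. Returns the absolute address of the match, or IntPtr.Zero.
        if (is_x64_process(Process.GetCurrentProcess().Handle) != is_x64_process(this.handle))
        {
            MessageBox.Show("Problems with retaining information or architectural incompatibility with the target process.", "by dotNetMemoryScan");
            return IntPtr.Zero;
        }
        var mod = find_module(p, module_str);
        if (mod == null)
            return IntPtr.Zero;

        byte[] buffer = new byte[mod.ModuleMemorySize];
        uint NumberOfBytesRead;
        if (ReadProcessMemory(handle, mod.BaseAddress, buffer, (uint)mod.ModuleMemorySize, out NumberOfBytesRead) && NumberOfBytesRead > 0)
        {
            // Search only the bytes that were copied; the rest of the buffer is
            // zero fill, not target memory.
            if (NumberOfBytesRead < (uint)buffer.Length)
                Array.Resize(ref buffer, (int)NumberOfBytesRead);

            var ret = search_pattern(buffer, 0);
            if (ret != 0)
                return (IntPtr)(mod.BaseAddress.ToInt64() + ret);
        }

        return IntPtr.Zero;
    }

    /// <summary>
    /// Reads every region reported by map_process_memory and returns the address
    /// of the first match of current_aob, or IntPtr.Zero.
    /// </summary>
    IntPtr scan_all_regions()
    {
        if (is_x64_process(Process.GetCurrentProcess().Handle) != is_x64_process(this.handle))
        {
            MessageBox.Show("Problems with retaining information or architectural incompatibility with the target process.", "by dotNetMemoryScan");
            return IntPtr.Zero;
        }
        var mapped_memory = new List<MEMORY_BASIC_INFORMATION>();
        if (!map_process_memory(handle, mapped_memory))
            return IntPtr.Zero;

        foreach (var region in mapped_memory)
        {
            // NOTE(review): the whole region is buffered at once; a very large
            // region makes this allocation fail. Reading in chunks would bound it.
            var region_size = (uint)region.RegionSize;
            byte[] buffer = new byte[region_size];
            uint NumberOfBytesRead;
            var read_ok = ReadProcessMemory(handle, region.BaseAddress, buffer, region_size, out NumberOfBytesRead);
            if (read_ok && NumberOfBytesRead > 0)
            {
                // Search only what was actually copied out of the target.
                if (NumberOfBytesRead < (uint)buffer.Length)
                    Array.Resize(ref buffer, (int)NumberOfBytesRead);

                var ret = search_pattern(buffer, 0);
                if (ret != 0)
                    return (IntPtr)(region.BaseAddress.ToInt64() + ret);
                continue;
            }

            // Only a failed read says anything about the handle; after a successful
            // read the last-error value is stale.
            // NOTE(review): GetLastError is declared elsewhere in this file; a value
            // obtained through P/Invoke can be overwritten by the runtime, so
            // Marshal.GetLastWin32Error is the usual choice when the ReadProcessMemory
            // import sets SetLastError - confirm against the declaration.
            var error_code = GetLastError();
            if (error_code == 6) // ERROR_INVALID_HANDLE: sometimes .net closes the handle.
            {
                var p = Process.GetProcessById(pid);
                if (p != null)
                    this.handle = p.Handle;
            }
        }
        return IntPtr.Zero;
    }

    /// <summary>
    /// Returns the first process with the given name, or null when none is found
    /// or the lookup throws.
    /// </summary>
    public Process GetPID(string ProcessName)
    {
        try
        {
            var matches = Process.GetProcessesByName(ProcessName);
            if (matches.Length > 0)
                return matches[0];
        }
        catch
        {
            // Best effort: any lookup failure is reported as "not found".
        }
        return null;
    }

    /// <summary>
    /// Writes the bytes described by <paramref name="pattern"/> to
    /// <paramref name="address"/> in the process behind <c>handle</c>. The page
    /// protection is switched to PAGE_EXECUTE_READWRITE for the write and then set
    /// back to the value VirtualProtectEx reported.
    /// </summary>
    /// <returns>The result of WriteProcessMemory; false when parsing or the
    /// protection change fails.</returns>
    bool write_mem(IntPtr address, string pattern)
    {
        var parsed = pattern.Contains(@"\x")
            ? pattern_to_aob(pattern)
            : str_array_to_aob(pattern);
        if (parsed == 0)
            return false;

        // The parser result is only a success flag here. The write length comes
        // from the parsed buffer itself, so the call can never ask for more bytes
        // than current_aob holds.
        // NOTE(review): a "??" token in a space-separated pattern is stored as 0xCC
        // by str_array_to_aob and is written as-is; wildcards are not skipped on write.
        var size = current_aob.Length;
        if (size == 0)
            return false;

        uint old_p = 0;
        if (!VirtualProtectEx(handle, address, (UIntPtr)size, (uint)AllocationProtectEnum.PAGE_EXECUTE_READWRITE, out old_p))
            return false;
        var ret = WriteProcessMemory(handle, address, current_aob, (uint)size, 0);
        // Restore the previous protection whether or not the write succeeded.
        VirtualProtectEx(handle, address, (UIntPtr)size, old_p, out old_p);
        return ret;
    }

    /// <summary>Writes through an already opened process handle.</summary>
    public bool write_mem(IntPtr handle, IntPtr address, string pattern)
    {
        // IntPtr is a value type, so a comparison with null is never true; the
        // "no address" value is IntPtr.Zero, which the scan methods return on failure.
        if (address == IntPtr.Zero)
            return false;
        this.handle = handle;
        return write_mem(address, pattern);
    }

    /// <summary>Writes to the given Process.</summary>
    public bool write_mem(Process p, IntPtr address, string pattern)
    {
        var by_handle = get_handle(p);
        return by_handle != IntPtr.Zero && write_mem(by_handle, address, pattern);
    }

    /// <summary>Writes to the first process with the given name (".exe" is stripped).</summary>
    public bool write_mem(string p_name, IntPtr address, string pattern)
    {
        var by_handle = get_handle(GetPID(p_name.Replace(".exe", "")));
        return by_handle != IntPtr.Zero && write_mem(by_handle, address, pattern);
    }

    /// <summary>
    /// Writes to the process with the given id. Process.GetProcessById throws
    /// ArgumentException for an id that is not running.
    /// </summary>
    public bool write_mem(int pid, IntPtr address, string pattern)
    {
        var by_handle = get_handle(Process.GetProcessById(pid));
        return by_handle != IntPtr.Zero && write_mem(by_handle, address, pattern);
    }

    /// <summary>
    /// Returns the first module of <paramref name="p"/> whose file path contains
    /// <paramref name="module_str"/> (case-insensitive), or null. The match is a
    /// substring test on the full path, so a directory name can match as well.
    /// </summary>
    public ProcessModule find_module(Process p, string module_str)
    {
        foreach (ProcessModule modu in p.Modules)
        {
            // Ordinal comparison: file names are not culture-sensitive text.
            if (modu.FileName.IndexOf(module_str, StringComparison.OrdinalIgnoreCase) >= 0)
                return modu;
        }
        return null;
    }

    /// <summary>
    /// Returns the first process named "chrome" that has pepflashplayer.dll
    /// loaded, or null.
    /// </summary>
    public Process get_chrome_flashplayer_process()
    {
        foreach (Process proc in Process.GetProcessesByName("chrome"))
        {
            if (find_module(proc, "pepflashplayer.dll") != null)
                return proc;
        }
        return null;
    }
}
496 | 497 | -------------------------------------------------------------------------------- /dotNetMemoryScan/dotNetMemoryScan.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {87D0E88E-AADA-4391-9297-45310CD6A906} 8 | Library 9 | Properties 10 | dotNetMemoryScan 11 | dotNetMemoryScan 12 | v4.5 13 | 512 14 | true 15 | 16 | 17 | 18 | 19 | 20 | true 21 | bin\x64\Debug\ 22 | DEBUG;TRACE 23 | full 24 | x64 25 | prompt 26 | MinimumRecommendedRules.ruleset 27 | 28 | 29 | bin\x64\Release\ 30 | TRACE 31 | true 32 | pdbonly 33 | x64 34 | prompt 35 | MinimumRecommendedRules.ruleset 36 | 37 | 38 | true 39 | bin\x86\Debug\ 40 | DEBUG;TRACE 41 | full 42 | x86 43 | prompt 44 | MinimumRecommendedRules.ruleset 45 | 46 | 47 | bin\x86\Release\ 48 | TRACE 49 | true 50 | pdbonly 51 | x86 52 | prompt 53 | MinimumRecommendedRules.ruleset 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /example/csharp_console/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /example/csharp_console/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Diagnostics; 7 |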
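namespace csharp_console
{
    /// <summary>
    /// Console sample showing the scan_all, scan_module and write_mem entry points
    /// of dotNetMemoryScan against a process named "test".
    /// </summary>
    class Program
    {
        // The same sample signature in the notations used below
        // (array of bytes, "\x" pattern, mask); the last line is kept from the
        // original sample - presumably the address it matched, TODO confirm.
        //83 05 ?? ?? ?? ?? 0A A1
        //\x83\x05\x00\x00\x00\x00\x0A\xA1
        //xx????xx
        //0045B072
        static void use_example()
        {
            dotNetMemoryScan find_aob = new dotNetMemoryScan();

            // scan_all: will scan all process memory, from static and dynamic.
            // Every scan returns IntPtr.Zero when nothing is found.

            // with simple array
            var test2 = find_aob.scan_all("test.exe", "83 05 ?? ?? ?? ?? 0A A1");

            // with pattern and mask
            var test1 = find_aob.scan_all("test.exe", @"\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx");

            // {0} is test1 and {1} is test2; repeating {0} would print test1 twice.
            Console.WriteLine("result 0x{0:X16}, 0x{1:X16}", test1.ToInt64(), test2.ToInt64());

            var p = Process.GetProcessesByName("test");
            if (p.Length > 0)
            {
                var target = p[0];

                // can be used by passing the process handle directly.
                test1 = find_aob.scan_all(target.Handle, "83 05 ?? ?? ?? ?? 0A A1");
                Console.WriteLine("[handle] result 0x{0:X16}", test1.ToInt64());

                // can be used by passing the process.
                test1 = find_aob.scan_all(target, "83 05 ?? ?? ?? ?? 0A A1");
                Console.WriteLine("[process] result 0x{0:X16}", test1.ToInt64());

                // can be used by passing the process id.
                test1 = find_aob.scan_all(target.Id, "83 05 ?? ?? ?? ?? 0A A1");
                Console.WriteLine("[pid] result 0x{0:X16}", test1.ToInt64());
            }

            // scan_module: scans only the static part of the module
            test2 = find_aob.scan_module("test.exe", "test.exe", "83 05 ?? ?? ?? ?? 0A A1");
            Console.WriteLine("[module 1] result 0x{0:X16}", test2.ToInt64());

            // with pattern and mask
            test1 = find_aob.scan_module("test.exe", "name.dll", @"\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx");
            Console.WriteLine("[module 2] result 0x{0:X16}", test1.ToInt64());

            // Writing in memory. Skip the write when the scan found nothing:
            // IntPtr.Zero is the failure value, not a target address.
            if (test1 != IntPtr.Zero)
            {
                find_aob.write_mem("test.exe", test1, "90 90 90 90 90 90 90");

                // or
                find_aob.write_mem("test.exe", test1, @"\x90\x90\x90\x90\x90\x90\x90");
            }
        }

        static void Main(string[] args)
        {
            use_example();
            Console.ReadKey();
        }
    }
}
-------------------------------------------------------------------------------- /example/csharp_console/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // As informações gerais sobre um assembly são controladas por 6 | // conjunto de atributos. Altere estes valores de atributo para modificar as informações 7 | // associadas a um assembly. 8 | [assembly: AssemblyTitle("csharp_console")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("csharp_console")] 13 | [assembly: AssemblyCopyright("Copyright © 2019")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Definir ComVisible como false torna os tipos neste assembly invisíveis 18 | // para componentes COM. Caso precise acessar um tipo neste assembly de 19 | // COM, defina o atributo ComVisible como true nesse tipo.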
20 | [assembly: ComVisible(false)] 21 | 22 | // O GUID a seguir será destinado à ID de typelib se este projeto for exposto para COM 23 | [assembly: Guid("80948843-a691-4a55-8300-264dca6af71e")] 24 | 25 | // As informações da versão de um assembly consistem nos quatro valores a seguir: 26 | // 27 | // Versão Principal 28 | // Versão Secundária 29 | // Número da Versão 30 | // Revisão 31 | // 32 | // É possível especificar todos os valores ou usar como padrão os Números de Build e da Revisão 33 | // usando o "*" como mostrado abaixo: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /example/csharp_console/csharp_console.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {80948843-A691-4A55-8300-264DCA6AF71E} 8 | Exe 9 | csharp_console 10 | csharp_console 11 | v4.5 12 | 512 13 | true 14 | 15 | 16 | 17 | true 18 | bin\x64\Debug\ 19 | DEBUG;TRACE 20 | full 21 | x64 22 | prompt 23 | MinimumRecommendedRules.ruleset 24 | true 25 | 26 | 27 | bin\x64\Release\ 28 | TRACE 29 | true 30 | pdbonly 31 | x64 32 | prompt 33 | MinimumRecommendedRules.ruleset 34 | true 35 | 36 | 37 | true 38 | bin\x86\Debug\ 39 | DEBUG;TRACE 40 | full 41 | x86 42 | prompt 43 | MinimumRecommendedRules.ruleset 44 | true 45 | 46 | 47 | bin\x86\Release\ 48 | TRACE 49 | true 50 | pdbonly 51 | x86 52 | prompt 53 | MinimumRecommendedRules.ruleset 54 | true 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | {87d0e88e-aada-4391-9297-45310cd6a906} 76 | dotNetMemoryScan 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /example/vb_console/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 
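-------------------------------------------------------------------------------- /example/vb_console/Module1.vb: --------------------------------------------------------------------------------
Module Module1

    ' The same sample signature in the notations used below
    ' (array of bytes, "\x" pattern, mask); the last line is kept from the
    ' original sample - presumably the address it matched, TODO confirm.
    '83 05 ?? ?? ?? ?? 0A A1
    '\x83\x05\x00\x00\x00\x00\x0A\xA1
    'xx????xx
    '0045B072

    ' Shows the scan_all, scan_module and write_mem entry points of
    ' dotNetMemoryScan against a process named "test".
    Sub use_example()

        Dim find_aob As New dotNetMemoryScan()

        ' scan_all: will scan all process memory, from Static And dynamic.
        ' Every scan returns IntPtr.Zero when nothing is found.

        ' with simple array
        Dim test2 = find_aob.scan_all("test.exe", "83 05 ?? ?? ?? ?? 0A A1")

        ' with pattern And mask
        Dim test1 = find_aob.scan_all("test.exe", "\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx")

        ' {0} is test1 and {1} is test2; repeating {0} would print test1 twice.
        Console.WriteLine("result 0x{0:X16}, 0x{1:X16}", test1.ToInt64(), test2.ToInt64())

        Dim p = Process.GetProcessesByName("test")
        ' AndAlso short-circuits, so the length is only read when p is set.
        If p IsNot Nothing AndAlso p.Length > 0 Then
            Dim target = p(0)

            ' can be used by passing the process handle directly.
            test1 = find_aob.scan_all(target.Handle, "83 05 ?? ?? ?? ?? 0A A1")
            Console.WriteLine("[handle] result 0x{0:X16}", test1.ToInt64())

            ' can be used by passing the process.
            test1 = find_aob.scan_all(target, "83 05 ?? ?? ?? ?? 0A A1")
            Console.WriteLine("[process] result 0x{0:X16}", test1.ToInt64())

            ' can be used by passing the process id.
            test1 = find_aob.scan_all(target.Id, "83 05 ?? ?? ?? ?? 0A A1")
            Console.WriteLine("[pid] result 0x{0:X16}", test1.ToInt64())
        End If

        ' scan_module: scans only the Static part Of the Module
        test2 = find_aob.scan_module("test.exe", "test.exe", "83 05 ?? ?? ?? ?? 0A A1")
        ' Print test2, the value this scan just produced.
        Console.WriteLine("[module 1] result 0x{0:X16}", test2.ToInt64())

        ' with pattern And mask
        test1 = find_aob.scan_module("test.exe", "name.dll", "\x83\x05\x00\x00\x00\x00\x0A\xA1", "xx????xx")
        Console.WriteLine("[module 2] result 0x{0:X16}", test1.ToInt64())

        ' Writing in memory. Skip the write when the scan found nothing:
        ' IntPtr.Zero is the failure value, not a target address.
        If test1 <> IntPtr.Zero Then
            find_aob.write_mem("test.exe", test1, "90 90 90 90 90 90 90")

            ' or
            find_aob.write_mem("test.exe", test1, "\x90\x90\x90\x90\x90\x90\x90")
        End If
    End Sub

    Sub Main()
        use_example()
        Console.ReadKey()
    End Sub

End Module
-------------------------------------------------------------------------------- /example/vb_console/My Project/Application.Designer.vb: -------------------------------------------------------------------------------- 1 | '------------------------------------------------------------------------------ 2 | ' 3 | ' This code was generated by a tool. 4 | ' Runtime Version:4.0.30319.42000 5 | ' 6 | ' Changes to this file may cause incorrect behavior and will be lost if 7 | ' the code is regenerated. 8 | ' 9 | '------------------------------------------------------------------------------ 10 | 11 | Option Strict On 12 | Option Explicit On 13 | 14 | -------------------------------------------------------------------------------- /example/vb_console/My Project/Application.myapp: -------------------------------------------------------------------------------- 1 |  2 | 3 | false 4 | false 5 | 0 6 | true 7 | 0 8 | 2 9 | true 10 | 11 | -------------------------------------------------------------------------------- /example/vb_console/My Project/AssemblyInfo.vb: -------------------------------------------------------------------------------- 1 | Imports System 2 | Imports System.Reflection 3 | Imports System.Runtime.InteropServices 4 | 5 | ' As informações gerais sobre um assembly são controladas por 6 | ' conjunto de atributos. Altere estes valores de atributo para modificar as informações 7 | ' associadas a um assembly.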
8 | 9 | ' Revise os valores dos atributos do assembly 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 'O GUID a seguir será destinado à ID de typelib se este projeto for exposto para COM 21 | 22 | 23 | ' As informações da versão de um assembly consistem nos quatro valores a seguir: 24 | ' 25 | ' Versão Principal 26 | ' Versão Secundária 27 | ' Número da Versão 28 | ' Revisão 29 | ' 30 | ' É possível especificar todos os valores ou usar como padrão os Números de Build e da Revisão 31 | ' usando o "*" como mostrado abaixo: 32 | ' 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /example/vb_console/My Project/Resources.Designer.vb: -------------------------------------------------------------------------------- 1 | '------------------------------------------------------------------------------ 2 | ' 3 | ' This code was generated by a tool. 4 | ' Runtime Version:4.0.30319.42000 5 | ' 6 | ' Changes to this file may cause incorrect behavior and will be lost if 7 | ' the code is regenerated. 8 | ' 9 | '------------------------------------------------------------------------------ 10 | 11 | Option Strict On 12 | Option Explicit On 13 | 14 | 15 | Namespace My.Resources 16 | 17 | 'This class was auto-generated by the StronglyTypedResourceBuilder 18 | 'class via a tool like ResGen or Visual Studio. 19 | 'To add or remove a member, edit your .ResX file then rerun ResGen 20 | 'with the /str option, or rebuild your VS project. 21 | ''' 22 | ''' A strongly-typed resource class, for looking up localized strings, etc. 23 | ''' 24 | _ 28 | Friend Module Resources 29 | 30 | Private resourceMan As Global.System.Resources.ResourceManager 31 | 32 | Private resourceCulture As Global.System.Globalization.CultureInfo 33 | 34 | ''' 35 | ''' Returns the cached ResourceManager instance used by this class. 
36 | ''' 37 | _ 38 | Friend ReadOnly Property ResourceManager() As Global.System.Resources.ResourceManager 39 | Get 40 | If Object.ReferenceEquals(resourceMan, Nothing) Then 41 | Dim temp As Global.System.Resources.ResourceManager = New Global.System.Resources.ResourceManager("vb_console.Resources", GetType(Resources).Assembly) 42 | resourceMan = temp 43 | End If 44 | Return resourceMan 45 | End Get 46 | End Property 47 | 48 | ''' 49 | ''' Overrides the current thread's CurrentUICulture property for all 50 | ''' resource lookups using this strongly typed resource class. 51 | ''' 52 | _ 53 | Friend Property Culture() As Global.System.Globalization.CultureInfo 54 | Get 55 | Return resourceCulture 56 | End Get 57 | Set(ByVal value As Global.System.Globalization.CultureInfo) 58 | resourceCulture = value 59 | End Set 60 | End Property 61 | End Module 62 | End Namespace 63 | -------------------------------------------------------------------------------- /example/vb_console/My Project/Resources.resx: -------------------------------------------------------------------------------- 1 |  2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | text/microsoft-resx 107 | 108 | 109 | 2.0 110 | 111 | 112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 113 | 114 | 115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | -------------------------------------------------------------------------------- /example/vb_console/My Project/Settings.Designer.vb: -------------------------------------------------------------------------------- 1 | '------------------------------------------------------------------------------ 2 | ' 3 | ' This code 
was generated by a tool. 4 | ' Runtime Version:4.0.30319.42000 5 | ' 6 | ' Changes to this file may cause incorrect behavior and will be lost if 7 | ' the code is regenerated. 8 | ' 9 | '------------------------------------------------------------------------------ 10 | 11 | Option Strict On 12 | Option Explicit On 13 | 14 | 15 | Namespace My 16 | 17 | _ 20 | Partial Friend NotInheritable Class MySettings 21 | Inherits Global.System.Configuration.ApplicationSettingsBase 22 | 23 | Private Shared defaultInstance As MySettings = CType(Global.System.Configuration.ApplicationSettingsBase.Synchronized(New MySettings), MySettings) 24 | 25 | #Region "My.Settings Auto-Save Functionality" 26 | #If _MyType = "WindowsForms" Then 27 | Private Shared addedHandler As Boolean 28 | 29 | Private Shared addedHandlerLockObject As New Object 30 | 31 | _ 32 | Private Shared Sub AutoSaveSettings(ByVal sender As Global.System.Object, ByVal e As Global.System.EventArgs) 33 | If My.Application.SaveMySettingsOnExit Then 34 | My.Settings.Save() 35 | End If 36 | End Sub 37 | #End If 38 | #End Region 39 | 40 | Public Shared ReadOnly Property [Default]() As MySettings 41 | Get 42 | 43 | #If _MyType = "WindowsForms" Then 44 | If Not addedHandler Then 45 | SyncLock addedHandlerLockObject 46 | If Not addedHandler Then 47 | AddHandler My.Application.Shutdown, AddressOf AutoSaveSettings 48 | addedHandler = True 49 | End If 50 | End SyncLock 51 | End If 52 | #End If 53 | Return defaultInstance 54 | End Get 55 | End Property 56 | End Class 57 | End Namespace 58 | 59 | Namespace My 60 | 61 | _ 64 | Friend Module MySettingsProperty 65 | 66 | _ 67 | Friend ReadOnly Property Settings() As Global.vb_console.My.MySettings 68 | Get 69 | Return Global.vb_console.My.MySettings.Default 70 | End Get 71 | End Property 72 | End Module 73 | End Namespace 74 | -------------------------------------------------------------------------------- /example/vb_console/My Project/Settings.settings: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /example/vb_console/vb_console.vbproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {8AFA6731-3960-456F-893E-D0792CB6ED64} 8 | Exe 9 | vb_console.Module1 10 | vb_console 11 | vb_console 12 | 512 13 | Console 14 | v4.5 15 | true 16 | 17 | 18 | On 19 | 20 | 21 | Binary 22 | 23 | 24 | Off 25 | 26 | 27 | On 28 | 29 | 30 | true 31 | true 32 | true 33 | bin\x64\Debug\ 34 | vb_console.xml 35 | 42016,41999,42017,42018,42019,42032,42036,42020,42021,42022 36 | full 37 | x64 38 | MinimumRecommendedRules.ruleset 39 | true 40 | 41 | 42 | true 43 | bin\x64\Release\ 44 | vb_console.xml 45 | true 46 | 42016,41999,42017,42018,42019,42032,42036,42020,42021,42022 47 | pdbonly 48 | x64 49 | MinimumRecommendedRules.ruleset 50 | true 51 | 52 | 53 | true 54 | true 55 | true 56 | bin\x86\Debug\ 57 | vb_console.xml 58 | 42016,41999,42017,42018,42019,42032,42036,42020,42021,42022 59 | full 60 | x86 61 | MinimumRecommendedRules.ruleset 62 | true 63 | 64 | 65 | true 66 | bin\x86\Release\ 67 | vb_console.xml 68 | true 69 | 42016,41999,42017,42018,42019,42032,42036,42020,42021,42022 70 | pdbonly 71 | x86 72 | MinimumRecommendedRules.ruleset 73 | true 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | True 101 | Application.myapp 102 | 103 | 104 | True 105 | True 106 | Resources.resx 107 | 108 | 109 | True 110 | Settings.settings 111 | True 112 | 113 | 114 | 115 | 116 | VbMyResourcesResXFileCodeGenerator 117 | Resources.Designer.vb 118 | My.Resources 119 | Designer 120 | 121 | 122 | 123 | 124 | MyApplicationCodeGenerator 125 | Application.Designer.vb 126 | 127 | 128 | SettingsSingleFileGenerator 129 | My 130 | Settings.Designer.vb 131 | 132 | 
133 | 134 | 135 | 136 | {87d0e88e-aada-4391-9297-45310cd6a906} 137 | dotNetMemoryScan 138 | 139 | 140 | 141 | --------------------------------------------------------------------------------