问题
i want to edit an active app (edit a memory address),
on address 00498D45 i want to edit its value
currect value :
MOV BYTE PTR SS:[EBP-423],7
to
updated value:
MOV BYTE PTR SS:[EBP-423],8
what i got till now is this (searched about it on the net and this how far i got):
thanks in advance!
now using this code:
how it should be look like?
WriteMemory(Process process,00498D45 , MOV BYTE PTR SS:[EBP-423],8)
but i cannot compile / debug it that way, how i need to set it up?
thanks in advance,
here is the Code:
using System.Runtime.InteropServices;
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VMOperation = 0x00000008,
VMRead = 0x00000010,
VMWrite = 0x00000020,
DupHandle = 0x00000040,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
Synchronize = 0x00100000
}
[DllImport("kernel32.dll")]
private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hProcess);
Process process = Process.GetProcessesByName("My Apps Name").FirstOrDefault();
public static bool WriteMemory(Process process, int address, long value, out int bytesWritten)
{
IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);
byte[] val = BitConverter.GetBytes(value);
bool worked = WriteProcessMemory(hProc, new IntPtr(address), val, (UInt32) val.LongLength, out bytesWritten);
CloseHandle(hProc);
return worked;
}
回答1:
WriteMemory(Process process,00498D45 , MOV BYTE PTR SS:[EBP-423],8)
There are so many problems with this, I don't know where to begin. First of all, that's not anywhere near correct C# syntax.
- You're calling a function, but you have
Processthere like it's a signature. 00498D45is not a valid constant in any base. If you mean hex, (which you probably do since you're dealing with addresses) then like all other C-like languages, that should be expressed as0x00498D45.- That's x86 assembly code in ASCII (but it's not in a string, you just have a mess). You can't just plop ASCII assembly code into another process's address space!
Perhaps you should do a little more research on how compilation, and assembly work when building a program, and the guts of what your CPU is actually doing when it's executing a program. Also, I recommend reading through the sample code you've very obviously taken from somewhere and try to understand it. You'll be way better off learning what's going on, than asking everyone to help fix the stuff you've cobbled together. </rant>
Anyway, after you assemble your code, it looks like this (re dis-assembled):
C68559FEFFFF08 mov byte [ebp-0x1a7],0x8
That means that your instruction is actually the string of bytes C6 85 59 FE FF FF 08. So that is what you need to write into your target application.
This is the basis of what you're trying to do:
byte[] new_instr = new byte[] {0xC6, 0x85, 0x59, 0xFE, 0xFF, 0xFF, 0x08};
IntPtr target_addr = (IntPtr)0x00498D45;
int bytesWritten;
WriteProcessMemory(hProcess, target_addr, new_instr, (UInt32)new_instr.Length, out bytesWritten);
The WriteMemory memory function you've copy-and-pasted won't help you here. The problem is, it only writes a long which is 4 bytes. You need to write 7 bytes. So you'll either have to modify that function to use a byte[] parameter, or do it yourself.
来源:https://stackoverflow.com/questions/16313756/edit-memory-address-via-c-how-to-set-the-statement