Edit Memory Address via c#

问题

i want to edit an active app (edit a memory address),

on address 00498D45 i want to edit its value

currect value :

MOV BYTE PTR SS:[EBP-423],7

to

updated value:

 MOV BYTE PTR SS:[EBP-423],8

what i got till now is this (searched about it on the net and this how far i got):

thanks in advance!

using System.Runtime.InteropServices;

    [Flags]

        public enum ProcessAccessFlags : uint

{
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VMOperation = 0x00000008,
    VMRead = 0x00000010,
    VMWrite = 0x00000020,
    DupHandle = 0x00000040,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    Synchronize = 0x00100000
}

[DllImport("kernel32.dll")]
private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);

[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hProcess);

Process process = Process.GetProcessesByName("My Apps Name").FirstOrDefault();

public static bool WriteMemory(Process process, int address, long value, out int bytesWritten)
{
    IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);

    byte[] val = BitConverter.GetBytes(value);

    bool worked = WriteProcessMemory(hProc, new IntPtr(address), val, (UInt32) val.LongLength, out bytesWritten);

    CloseHandle(hProc);

    return worked;
}

回答1:

From your other question:

WriteMemory(Process process,00498D45 , MOV BYTE PTR SS:[EBP-423],8)

There are so many problems with this, I don't know where to begin. First of all, that's not anywhere near correct C# syntax.

1. You're calling a function, but you have Process there like it's a signature.
2. 00498D45 is not a valid constant in any base. If you mean hex, (which you probably do since you're dealing with addresses) then like all other C-like languages, that should be expressed as 0x00498D45.
3. That's x86 assembly code in ASCII (but it's not in a string, you just have a mess). You can't just plop ASCII assembly code into another process's address space!

Perhaps you should do a little more research on how compilation, and assembly work when building a program, and the guts of what your CPU is actually doing when it's executing a program. Also, I recommend reading through the sample code you've very obviously taken from somewhere and try to understand it. You'll be way better off learning what's going on, than asking everyone to help fix the stuff you've cobbled together. </rant>

Anyway, after you assemble your code, it looks like this (re dis-assembled):

C68559FEFFFF08    mov byte [ebp-0x1a7],0x8

That means that your instruction is actually the string of bytes C6 85 59 FE FF FF 08. So that is what you need to write into your target application.

This is the basis of what you're trying to do:

byte[] new_instr = new byte[] {0xC6, 0x85, 0x59, 0xFE, 0xFF, 0xFF, 0x08};
IntPtr target_addr = (IntPtr)0x00498D45;

int bytesWritten;
WriteProcessMemory(hProcess, target_addr, new_instr, (UInt32)new_instr.Length, out bytesWritten);

The WriteMemory memory function you've copy-and-pasted won't help you here. The problem is, it only writes a long which is 4 bytes. You need to write 7 bytes. So you'll either have to modify that function to use a byte[] parameter, or do it yourself.

---

I admire your ambition, but you should really start a bit lower. Write some C# code to get yourself familiar with programming in a C-like language. Then write some C to get familiar with crashing when you don't do things perfectly. Then try dabbling in assembly - perhaps writing small inline pieces into your C code. Finally then, you'll be ready to go hacking around the instructions of other running processes.

回答2:

You can use an injection library like MemorySharp (I'm the author). All these functions are wrapped within a handy API, integrating an assembler (FASM syntax). Thus this piece of code perform what you want :

using (var m = new MemorySharp(ApplicationFinder.FromProcessName("My App").First()))
{
    m.Assembly.Inject("MOV BYTE [EBP-423],8", new IntPtr(0x00498D45));
}

来源：https://stackoverflow.com/questions/16308744/edit-memory-address-via-c-sharp