How can I write on another process memory?

Posted 2019-01-17 18:12

Question:

I have an address that I would like to modify. I have the process. I have the new value. So now what?

// My Process
var p = Process.GetProcessesByName("ePSXe").FirstOrDefault();

// Address
var addr = 0x00A66E11;

// Value
var val = 0x63;

How can I write 0x63 (99) to this address on another process memory?

Answer 1:

@Harvey, from your answer I dug up and found a lot:

Open, Close and Write signatures:

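// Namespaces used by the snippets in this answer
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

// lpNumberOfBytesWritten is a SIZE_T*, so it must be pointer-sized (IntPtr), not int
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hProcess);

Flags:

[Flags]
public enum ProcessAccessFlags : uint
{
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VMOperation = 0x00000008,
    VMRead = 0x00000010,
    VMWrite = 0x00000020,
    DupHandle = 0x00000040,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    Synchronize = 0x00100000
}

Make my life easier method:

public static void WriteMem(Process p, int address, long v)
{
    // WriteProcessMemory only needs PROCESS_VM_OPERATION and PROCESS_VM_WRITE on the handle
    var hProc = OpenProcess(ProcessAccessFlags.VMOperation | ProcessAccessFlags.VMWrite, false, p.Id);
    if (hProc == IntPtr.Zero)
        throw new Win32Exception(); // carries the GetLastError code

    try
    {
        var val = new byte[] { (byte)v }; // only the low byte of v is written

        IntPtr written;
        if (!WriteProcessMemory(hProc, new IntPtr(address), val, (uint)val.Length, out written))
            throw new Win32Exception();
    }
    finally
    {
        CloseHandle(hProc); // always release the handle, even when the write fails
    }
}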

Writing into another process memory:

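static void Main(string[] args)
{
    var p = Process.GetProcessesByName("ePSXe").FirstOrDefault();

    // FirstOrDefault returns null when no process with that name is running
    if (p == null)
    {
        Console.Error.WriteLine("ePSXe is not running.");
        return;
    }

    WriteMem(p, 0x00A66DB9, 99);
}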
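
The access mask passed to OpenProcess in WriteMem is also what shows up when handle opens are audited. As an added example (not part of the answer above), the following Python code decodes such a mask with the enum values from the answer and reports records whose handle carries both rights WriteProcessMemory needs. The records are constructed and use a simplified key=value rendering of the Sysmon Event ID 10 fields SourceImage, TargetImage and GrantedAccess; the image paths are made up and contain no spaces.

```python
import re

# Access-right bits, copied from the ProcessAccessFlags enum in the answer above.
RIGHTS = {
    "Terminate": 0x0001, "CreateThread": 0x0002, "VMOperation": 0x0008,
    "VMRead": 0x0010, "VMWrite": 0x0020, "DupHandle": 0x0040,
    "SetInformation": 0x0200, "QueryInformation": 0x0400,
    "Synchronize": 0x00100000,
}
# WriteProcessMemory requires both of these rights on the handle.
WRITE_MASK = RIGHTS["VMOperation"] | RIGHTS["VMWrite"]

# Constructed sample records (simplified form of Sysmon Event ID 10 fields).
SAMPLE_EVENTS = """\
SourceImage=C:\\Tools\\trainer.exe TargetImage=C:\\Games\\ePSXe.exe GrantedAccess=0x1F0FFF
SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Games\\ePSXe.exe GrantedAccess=0x1410
SourceImage=C:\\Tools\\patcher.exe TargetImage=C:\\Games\\ePSXe.exe GrantedAccess=0x28
SourceImage=C:\\Tools\\viewer.exe TargetImage=C:\\Games\\ePSXe.exe GrantedAccess=0x20
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def decode_access(mask):
    """Return the names of the known rights set in an access mask."""
    return [name for name, bit in RIGHTS.items() if mask & bit]

def can_write_memory(mask):
    """True when the handle carries every right WriteProcessMemory needs."""
    return (mask & WRITE_MASK) == WRITE_MASK

def find_writers(text):
    """Return (source, target, rights) for each record whose handle allows a write."""
    hits = []
    for line in text.splitlines():
        rec = dict(FIELD.findall(line))
        if not {"SourceImage", "TargetImage", "GrantedAccess"} <= rec.keys():
            continue  # skip malformed or unrelated lines
        mask = int(rec["GrantedAccess"], 16)
        if can_write_memory(mask):
            hits.append((rec["SourceImage"], rec["TargetImage"], decode_access(mask)))
    return hits

if __name__ == "__main__":
    for src, dst, rights in find_writers(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

A handle with VMWrite alone (0x20) is not reported, because WriteProcessMemory also needs VMOperation.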


Answer 2:

Check out WriteProcessMemory at pinvoke.net

Here is another similar post on StackOverflow but they are talking about C++. You can do the same using pinvoke.



Answer 3:

Although P/Invoke native functions such as WriteProcessMemory work perfectly, libraries dedicated to memory editing exist and enable you to accomplish this task in an easier way.

Using the library MemorySharp, this can be summarized as:

using(var sharp = new MemorySharp(Process.GetProcessesByName("ePSXe").FirstOrDefault()))
{
   sharp[0x00A66E11, false].Write(0x63);
}

The previous code assumes the address where the value is written is not rebased.



Answer 4:

You can use WriteProcessMemory, but be aware that you need to turn on debug privileges, and that it won't work with lots of secured processes in Vista and later.

And that you'll probably shoot yourself in the foot and crash things a few times. I suggest you don't have any important programs running when you do this.

Good luck, you'll need it. :)