tags:
views: 1781
answers: 5

Hello,

How is it possible to search for a byte[] array in the memory of another process and then get the address at the place where the byte[] array is located?

I want to write a byte array into the memory of another process (WriteProcessMemory()). One of the parameters of that call is uint Address. Well, I want to get the address by searching for a byte array in the process.

For example I search for {0xEB ,0x20,0x68,0x21,0x27,0x65, ??, 0x21,0x64,0xA1}

We assume that this array is placed only at one place in the memory of the process I'd like to write memory to.

To get that address, I have to search for that byte array.

Is it possible to be done in C#?

EDIT: This is for native applications, NOT .NET. No need to downvote my question; there are components for C++ that do this, I just want to do it in C#.

Thanks for understanding!

A: 

If it's possible, I don't think so. And I really really hope not because that would be a serious security risk.

Paw Baltzersen
That can be done in C++; it's for native applications, not .NET.
John
Why would it be a security risk? How do you think debuggers work? :)
DrJokepu
It isn't a security risk: you have to open the process, and that means going through the other process's ACL. Non-admins can only open their own processes; admins (with elevation, including anyone with debug privilege) can open any process.
Richard
It's only a security risk if you can read the memory for a process at a higher isolation level than you.
Samuel
A: 

Check this article on CodeProject: link

bassfriend
Unfortunately, the addresses are given there. :(
John
+3  A: 

I guess you could use the ReadProcessMemory Windows API call. There's even a premade P/Invoke signature for it so you don't need to bother with manually crafting it. You page through the memory of the process, search through it for your pattern and you're done.

DrJokepu
I need to specify the address where I have to call that (one of its parameters is address). Well, my question is: how to get the address by searching the memory? I thought of searching through the whole image, but that will take much time.
John
Supposing that you're doing that in a 32-bit environment, it makes sense to use 4096-byte pages for your lookup, that's 1048576 total. ReadProcessMemory returns false if the address is not accessible, which speeds up the loop considerably. I don't think it would take a lot of time to finish, especially since it's very unlikely that your pattern will be over 1GB. And you don't really have any other choice either.
DrJokepu
@John: you will need to use memory APIs to only read memory that is readable (check out VMMap.exe with showing free memory enabled... most of the virtual memory map is unused).
Richard
A: 

Is it possible to be done in C#?

Yes. But very hard. It is hard even from a native application, where there is no impedance mismatch with the unmanaged view of processes and their memory maps that you will need to use.

Considerations:

  • You will need permission to open the process to get a handle.
  • While the virtual memory space of a 32-bit process is from two to four GB in size (depending on host OS and /3GB switch), much of this address range will not be allocated, and reading it will cause a page fault. You really need to find out what pages are allocated and for what, to avoid lots of invalid page accesses.

Suggestions:

  • Do you really really need to do this? Seriously this will be hard.
  • Consider doing a native application, this will avoid working across the native/managed fence (this could include a native library with a managed driver application).
  • Do you really need to do this?
  • Consider doing the work inside the target process. This will require some cleverness (documented) to inject a thread, but should then be much faster.
  • Start by reading up on how Windows process memory works (start with Windows Internals and (can't recall its name in the latest edition) Jeffrey Richter's book on Win32 application development).
  • Do you really need to do this? There must be something simpler... could you automate a debugger?
Richard
I can get the address in the debugger; the problem is that the application I'm doing this on is commercial and is being updated once a week. I guess I have to do this.
John
@John: In that case, both VS and windbg have extensibility models (VS is .NET) which should avoid all the hard work.
Richard
Could you give me more information about it?
John
The VS extensibility model is covered on MSDN (under Visual Studio ... SDK). Not sure where to start with WinDBG off hand.
Richard
A: 

This may help you find the right way:

using System;
using System.ComponentModel;
using System.Diagnostics;
using ManagedWinapi;   // ProcessMemoryChunk wraps ReadProcessMemory; assumed here to throw Win32Exception when the read fails

// Brute-force scan of a 32-bit process's user address space in 64 KB chunks.
// Each read is chunkSize + pattern length bytes so a match straddling a chunk boundary is not missed.
private static long GetMemoryAddressOfString(byte[] searchedBytes, Process p)
{
    const int chunkSize = 1024 * 64;
    // long counter: with int, 0x7FFF0000 + chunkSize wraps negative and the loop never ends
    for (long j = 0x400000; j < 0x7FFFFFFF; j += chunkSize)
    {
        byte[] bigMem;
        try
        {
            ProcessMemoryChunk mem = new ProcessMemoryChunk(p, (IntPtr)j, chunkSize + searchedBytes.Length);
            bigMem = mem.Read();
        }
        catch (Win32Exception)
        {
            continue;   // chunk is unmapped or not readable; skip it
        }

        for (int k = 0; k + searchedBytes.Length <= bigMem.Length; k++)
        {
            bool found = true;
            for (int l = 0; l < searchedBytes.Length; l++)
            {
                if (bigMem[k + l] != searchedBytes[l])
                {
                    found = false;
                    break;
                }
            }
            if (found)
                return j + k;   // absolute address of the first match
        }
    }
    return 0;   // not found (to collect every match instead, append j + k to a List<long> rather than returning)
}