Beispiel #1
0
        private unsafe void InitMemoryRegionInfo()
        {
            SYSTEM_INFO sys_info;

            //Get the maximum and minimum addresses of the process.
            GetSystemInfo(out sys_info);
            IntPtr proc_min_address = sys_info.minimumApplicationAddress;
            IntPtr proc_max_address = sys_info.maximumApplicationAddress;

            byte *current_address   = (byte *)proc_min_address.ToPointer();
            byte *lproc_max_address = (byte *)proc_max_address.ToPointer();

            IntPtr handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ, false, m_vProcess.Id);

            if (handle == IntPtr.Zero)
            {
                Logger.Error($"Error Code:0x{Marshal.GetLastWin32Error():X8}");
                return;
            }

            MemoryBasicInformation mem_basic_info = new MemoryBasicInformation();

            while (current_address < lproc_max_address)
            {
                //Query the current memory page information.
                bool ok = QueryMemoryBasicInformation(handle, (IntPtr)current_address, ref mem_basic_info);

                if (!ok)
                {
                    Logger.Error($"Error Code:0x{Marshal.GetLastWin32Error():X8}");
                    break;
                }

                //Dump JIT code
                if ((mem_basic_info.Protect & AllocationProtect.PAGE_EXECUTE_READWRITE) > 0 && mem_basic_info.State == MEM_COMMIT)
                {
                    var region = new MemoryRegion()
                    {
                        BaseAddress    = mem_basic_info.BaseAddress,
                        AllocationBase = mem_basic_info.AllocationBase,
                        RegionSize     = mem_basic_info.RegionSize
                    };
                    m_memoryRegionList.Add(region);
                }

                //if (Setting.DebugMode)
                //{
                //    LogHelper.EncryptLog($"BaseAddress: 0x{mem_basic_info.BaseAddress:X8} RegionSize: 0x{mem_basic_info.RegionSize:X8} AllocationBase: 0x{mem_basic_info.AllocationBase:X8} Protect: {mem_basic_info.Protect} Commit: {mem_basic_info.State==MEM_COMMIT}(0x{mem_basic_info.State:X8})");
                //}

                current_address += mem_basic_info.RegionSize;
            }

            CloseHandle(handle);

            if (m_memoryRegionList.Count == 0)
            {
                Logger.Error($"Error:List is Empty");
            }
        }
Beispiel #2
0
        public void ReadRegions()
        {
            MemoryBasicInformation memInfo = new MemoryBasicInformation();
            IntPtr current = IntPtr.Zero;

            while (current.ToInt64() < m_maxAddress.ToInt64() &&
                   Kernel32.VirtualQueryEx(m_handle, current, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
            {
                if ((int)memInfo.State == 4096 && (int)memInfo.Protect == 4 && (uint)memInfo.RegionSize != 0)
                {
                    byte[] regionData = new byte[(int)memInfo.RegionSize];
                    ulong  bytesRead  = 0;

                    if (!Kernel32.ReadProcessMemory(m_handle, memInfo.BaseAddress, regionData,
                                                    (ulong)memInfo.RegionSize, ref bytesRead))
                    {
                        throw new Exception("Failed to read process memory at " + memInfo.BaseAddress +
                                            ". Error code: " + Marshal.GetLastWin32Error());
                    }

                    m_regions.Add(memInfo.BaseAddress, regionData);
                }

                current = PointerUtils.Add(memInfo.BaseAddress, memInfo.RegionSize);
            }

            Console.WriteLine("Regions: {0}", m_regions.Count);
        }
Beispiel #3
0
        /// <summary>
        /// </summary>
        /// <param name="handle">
        /// </param>
        /// <param name="search">
        /// </param>
        /// <param name="mbi">
        /// </param>
        /// <returns>
        /// </returns>
        private static IntPtr FindKey(SafeMemoryHandle handle, string search, MemoryBasicInformation mbi)
        {
            byte[] memCopy = ReadBytes(handle, mbi.BaseAddress, mbi.RegionSize);
            int    len     = ASCIIEncoding.ASCII.GetByteCount(search);

            byte[] src = ASCIIEncoding.ASCII.GetBytes(search);

            int iPointer = 0;

            while (iPointer < memCopy.Length - len)
            {
                int dPointer = 0;
                while (dPointer < len)
                {
                    if (src[dPointer] != memCopy[iPointer + dPointer])
                    {
                        break;
                    }

                    dPointer++;
                    if (dPointer == len)
                    {
                        return((IntPtr)((int)mbi.BaseAddress + iPointer));
                    }
                }

                iPointer++;
            }

            return((IntPtr)0);
        }
Beispiel #4
0
        public static UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
                                             out MemoryBasicInformation lpBuffer)
        {
            UIntPtr retVal;

            if (Is64Bit())
            {
                var tmp64 = new MemoryBasicInformation64();
                retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp64, new UIntPtr((uint)Marshal.SizeOf(tmp64)));

                lpBuffer.BaseAddress       = tmp64.BaseAddress;
                lpBuffer.AllocationBase    = tmp64.AllocationBase;
                lpBuffer.AllocationProtect = tmp64.AllocationProtect;
                lpBuffer.RegionSize        = (long)tmp64.RegionSize;
                lpBuffer.State             = tmp64.State;
                lpBuffer.Protect           = tmp64.Protect;
                lpBuffer.Type = tmp64.Type;

                return(retVal);
            }

            var tmp32 = new MemoryBasicInformation32();

            retVal = Native_VirtualQueryEx(hProcess, lpAddress, out tmp32, new UIntPtr((uint)Marshal.SizeOf(tmp32)));

            lpBuffer.BaseAddress       = tmp32.BaseAddress;
            lpBuffer.AllocationBase    = tmp32.AllocationBase;
            lpBuffer.AllocationProtect = tmp32.AllocationProtect;
            lpBuffer.RegionSize        = tmp32.RegionSize;
            lpBuffer.State             = tmp32.State;
            lpBuffer.Protect           = tmp32.Protect;
            lpBuffer.Type = tmp32.Type;

            return(retVal);
        }
Beispiel #5
0
        private void listResults_DoubleClick(object sender, EventArgs e)
        {
            this.Cursor = Cursors.WaitCursor;

            try
            {
                long s_a = (long)BaseConverter.ToNumberParse(_so.Searcher.Results[listResults.SelectedIndices[0]][0]) +
                           (long)BaseConverter.ToNumberParse(_so.Searcher.Results[listResults.SelectedIndices[0]][1]);

                var           lastInfo = new MemoryBasicInformation();
                ProcessHandle phandle;

                try
                {
                    phandle = new ProcessHandle(_pid, ProcessAccess.QueryInformation);
                }
                catch
                {
                    this.Cursor = Cursors.Default;
                    return;
                }

                phandle.EnumMemory((info) =>
                {
                    if (info.BaseAddress.ToInt64() > s_a)
                    {
                        long selectlength =
                            (long)BaseConverter.ToNumberParse(_so.Searcher.Results[listResults.SelectedIndices[0]][2]);

                        MemoryEditor ed = Program.GetMemoryEditor(_pid,
                                                                  lastInfo.BaseAddress,
                                                                  lastInfo.RegionSize.ToInt64(),
                                                                  new Program.MemoryEditorInvokeAction(delegate(MemoryEditor f)
                        {
                            try
                            {
                                f.ReadOnly = false;
                                f.Activate();
                                f.Select(s_a - lastInfo.BaseAddress.ToInt64(), selectlength);
                            }
                            catch
                            { }
                        }));

                        return(false);
                    }

                    lastInfo = info;

                    return(true);
                });
            }
            catch { }

            this.Cursor = Cursors.Default;
        }
Beispiel #6
0
 internal MemoryInformation(MemoryBasicInformation basic_info, string mapped_image_path)
 {
     BaseAddress       = basic_info.BaseAddress.ToInt64();
     AllocationBase    = basic_info.AllocationBase.ToInt64();
     AllocationProtect = basic_info.AllocationProtect;
     RegionSize        = basic_info.RegionSize.ToInt64();
     State             = basic_info.State;
     Protect           = basic_info.Protect;
     Type            = basic_info.Type;
     MappedImagePath = mapped_image_path ?? string.Empty;
 }
Beispiel #7
0
        public bool RemapViewBase(MemProtection newProtection = MemProtection.ExecuteWriteCopy)
        {
            var mbi = new MemoryBasicInformation();

            if (VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0)
            {
                return(RemapView(mbi.BaseAddress, mbi.RegionSize.ToInt32(), newProtection));
            }

            return(false);
        }
Beispiel #8
0
        public bool RemapAndPatch(Dictionary <string, Tuple <long, byte[]> > patches)
        {
            var mbi = new MemoryBasicInformation();

            if (NativeWindows.VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0)
            {
                return(RemapAndPatch(mbi.BaseAddress, mbi.RegionSize.ToInt32(), patches));
            }

            return(false);
        }
Beispiel #9
0
        public static bool VirtualQueryEx(Process p, IntPtr baseAddress, out MemoryBasicInformation memoryBasicInformation)
        {
            SafeProcessHandle handle = new SafeProcessHandle(p.Handle, false);

            if (!VirtualQueryEx(handle, baseAddress, out memoryBasicInformation, Marshal.SizeOf <MemoryBasicInformation>()))
            {
                Console.WriteLine("Failed to query a region of virtual memory in the remote process");
                return(false);
            }

            return(true);
        }
Beispiel #10
0
        /// <summary>
        /// Gets the memory region information of a 64 bits process.
        /// </summary>
        /// <param name="Address">The address.</param>
        /// <exception cref="ArgumentException">Address is equal to zero</exception>
        public bool TryGetMemoryRegionInfo(ulong Address, out MemoryBasicInformation RegionInfo)
        {
            if (Address == 0)
            {
                throw new ArgumentException("Address is equal to zero");
            }

            var Size    = (uint)Marshal.SizeOf <MemoryBasicInformation>();
            var Success = VirtualQueryEx(this.Handle, Address, out RegionInfo, Size) > 0;

            if (!Success)
            {
                return(false);
            }

            return(true);
        }
Beispiel #11
0
        protected void MemInfo(IntPtr pHandle)
        {
            var addy = new IntPtr();

            while (true)
            {
                var memInfo = new MemoryBasicInformation();
                var memDump = VirtualQueryEx(pHandle, addy, out memInfo, Marshal.SizeOf(memInfo));
                if (memDump == 0)
                {
                    break;
                }
                if ((memInfo.State & 0x1000) != 0 && (memInfo.Protect & 0x100) == 0)
                {
                    MemoryRegion.Add(memInfo);
                }
                addy = new IntPtr(memInfo.BaseAddress.ToInt32() + (int)memInfo.RegionSize);
            }
        }
Beispiel #12
0
        /// <summary>
        ///     Retrieves information about a range of pages within the virtual address space of a specified process.
        /// </summary>
        /// <param name="processHandle">A handle to the process whose memory information is queried.</param>
        /// <param name="baseAddress">A pointer to the base address of the region of pages to be queried.</param>
        /// <param name="query">The original return value from the native API</param>
        /// <returns>
        ///     A <see cref="MemoryBasicInformation64" /> structures in which information about the specified page range is
        ///     returned.
        /// </returns>
        public static MemoryBasicInformation Query(ASafeMemoryHandle processHandle, IntPtr baseAddress, out IntPtr query)
        {
            var ret = new MemoryBasicInformation();

            if (Environment.Is64BitProcess)
            {
                var sz = MarshalType <MemoryBasicInformation64> .Size;
                query = Kernel32.VirtualQueryEx(processHandle, baseAddress, out MemoryBasicInformation64 memoryInfo,
                                                (IntPtr)sz);
                if (query == IntPtr.Zero)
                {
                    return(ret);
                }
                ret.BaseAddress       = memoryInfo.BaseAddress;
                ret.AllocationBase    = memoryInfo.AllocationBase;
                ret.AllocationProtect = memoryInfo.AllocationProtect;
                ret.Protect           = memoryInfo.Protect;
                ret.RegionSize        = (Int64)memoryInfo.RegionSize;
                ret.State             = memoryInfo.State;
                ret.Type = memoryInfo.Type;
            }
            else
            {
                var sz = MarshalType <MemoryBasicInformation32> .Size;
                query = Kernel32.VirtualQueryEx(processHandle, baseAddress, out MemoryBasicInformation32 memoryInfo,
                                                (IntPtr)sz);
                if (query == IntPtr.Zero)
                {
                    return(ret);
                }
                ret.BaseAddress       = memoryInfo.BaseAddress;
                ret.AllocationBase    = memoryInfo.AllocationBase;
                ret.AllocationProtect = memoryInfo.AllocationProtect;
                ret.Protect           = memoryInfo.Protect;
                ret.RegionSize        = memoryInfo.RegionSize;
                ret.State             = memoryInfo.State;
                ret.Type = memoryInfo.Type;
            }
            return(ret);
        }
Beispiel #13
0
        public unsafe static void GetModules(IntPtr ProcessHandle, string dllName)
        {
            MemoryBasicInformation mbi           = new MemoryBasicInformation();
            MEMORY_SECTION_NAME    usSectionName = new MEMORY_SECTION_NAME();
            int dwStartAddr = 0x00000000;

            do
            {
                int rt1 = 0;
                if (ZwQueryVirtualMemory(ProcessHandle, dwStartAddr, MemoryInformationClass.MemoryBasicInformation, &mbi, Marshal.SizeOf(mbi), out rt1) >= 0)
                {
                    if (mbi.lType == (int)MbiType.MEM_IMAGE)
                    {
                        byte[] bt     = new byte[260 * 2];
                        int    rt     = 0;
                        int    result = ZwQueryVirtualMemory(ProcessHandle, dwStartAddr, MemoryInformationClass.MemorySectionName, out usSectionName, bt.Length, out rt);

                        if (result >= 0)
                        {
                            UnicodeEncoding une  = new UnicodeEncoding();
                            string          path = une.GetString(usSectionName.bt).TrimEnd('\0');
                            if (path.Trim().ToLower().LastIndexOf(dllName) != -1)
                            {
                                dllBaseInfo.BaseAddress = mbi.AllocationBase;
                                dllBaseInfo.path        = path;
                                break;
                            }
                        }
                        else
                        {
                            break;
                        }
                        dwStartAddr += (int)mbi.RegionSize;
                        dwStartAddr -= ((int)mbi.RegionSize % 0x10000);
                    }
                }
                dwStartAddr += 0x10000;
            } while (dwStartAddr < 0x7FFEFFFF);
        }
Beispiel #14
0
        private void MapView()
        {
            var ptr = MapViewOfFile(_sharedMemoryHandle.GetHandle(),
                                    FileMapAccess.FileMapRead | FileMapAccess.FileMapWrite,
                                    0,
                                    0,
                                    Size);

            if (ptr == IntPtr.Zero)
            {
                throw new InvalidOperationException("File map not valid!");
            }
            if (Size == 0)
            {
                var info = new MemoryBasicInformation();

                VirtualQuery(ref ptr, ref info, Marshal.SizeOf(info));
                Size = info.RegionSize;
            }

            ShareMemoryStream = new SharedMemoryStream(ptr, Size);
        }
 internal static extern int VirtualQuery(ref IntPtr lpAddress,
                     ref MemoryBasicInformation lpBuffer,
                     int dwLength);
        private void MapView()
        {
            var ptr = MapViewOfFile(_sharedMemoryHandle.GetHandle(),
                                    FileMapAccess.FileMapRead | FileMapAccess.FileMapWrite,
                                    0,
                                    0,
                                    Size);
            if (ptr == IntPtr.Zero)
            {
                throw new InvalidOperationException("File map not valid!");
            }
            if (Size == 0)
            {
                var info = new MemoryBasicInformation();

                VirtualQuery(ref ptr, ref info, Marshal.SizeOf(info));
                Size = info.RegionSize;
            }

            ShareMemoryStream = new SharedMemoryStream(ptr, Size);
        }
 public static extern int VirtualQueryEx(IntPtr hProcess, uint lpAddress, out MemoryBasicInformation lpBuffer, uint dwLength);
Beispiel #18
0
        public bool RemapAndPatch(IntPtr viewAddress, int viewSize, Dictionary <string, Tuple <long, byte[]> > patches)
        {
            // Suspend before remapping to prevent crashes.
            NativeWindows.NtSuspendProcess(ProcessHandle);

            Data = Read(viewAddress, viewSize);

            if (Data != null)
            {
                var newViewHandle = IntPtr.Zero;
                var maxSize       = new LargeInteger {
                    Quad = viewSize
                };

                if (NativeWindows.NtCreateSection(ref newViewHandle, 0xF001F, IntPtr.Zero, ref maxSize, 0x40u, 0x8000000, IntPtr.Zero) == NtStatus.Success &&
                    NativeWindows.NtUnmapViewOfSection(ProcessHandle, viewAddress) == NtStatus.Success)
                {
                    var viewBase = viewAddress;

                    // Map the view with original protections.
                    var result = NativeWindows.NtMapViewOfSection(newViewHandle, ProcessHandle, ref viewBase, IntPtr.Zero, (ulong)viewSize, out var viewOffset,
                                                                  out var newViewSize, 2, IntPtr.Zero, (int)MemProtection.ExecuteRead);

                    if (result == NtStatus.Success)
                    {
                        // Apply our patches.
                        foreach (var p in patches)
                        {
                            var address = p.Value.Item1;
                            var patch   = p.Value.Item2;

                            // We are in a different section here.
                            if (address > Data.Length)
                            {
                                if (address < BaseAddress.ToInt64())
                                {
                                    address += BaseAddress.ToInt64();
                                }

                                Write(address, patch, MemProtection.ReadWrite);
                                continue;
                            }

                            for (var i = 0; i < patch.Length; i++)
                            {
                                Data[address + i] = patch[i];
                            }
                        }

                        var viewBase2 = IntPtr.Zero;

                        // Create a writable view to write our patches through to preserve the original protections.
                        result = NativeWindows.NtMapViewOfSection(newViewHandle, ProcessHandle, ref viewBase2, IntPtr.Zero, (uint)viewSize, out var viewOffset2,
                                                                  out var newViewSize2, 2, IntPtr.Zero, (int)MemProtection.ReadWrite);


                        if (result == NtStatus.Success)
                        {
                            // Write our patched data trough the writable view to the memory.
                            if (NativeWindows.WriteProcessMemory(ProcessHandle, viewBase2, Data, viewSize, out var dummy))
                            {
                                // Unmap them writeable view, it's not longer needed.
                                NativeWindows.NtUnmapViewOfSection(ProcessHandle, viewBase2);

                                var mbi = new MemoryBasicInformation();

                                // Check if the allocation protections is the right one.
                                if (NativeWindows.VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0 && mbi.AllocationProtect == MemProtection.ExecuteRead)
                                {
                                    // Also check if we can change the page protection.
                                    if (!NativeWindows.VirtualProtectEx(ProcessHandle, BaseAddress, 0x4000, (uint)MemProtection.ReadWrite, out var oldProtect))
                                    {
                                        NativeWindows.NtResumeProcess(ProcessHandle);
                                    }

                                    return(true);
                                }
                            }
                        }
                    }

                    Console.WriteLine("Error while mapping the view with the given protection.");
                }
            }
            else
            {
                Console.WriteLine("Error while creating the view backup.");
            }

            NativeWindows.NtResumeProcess(ProcessHandle);

            return(false);
        }
Beispiel #19
0
        private bool QueryMemoryBasicInformation(IntPtr handle, IntPtr current_address, ref MemoryBasicInformation memoryBasicInformation)
        {
            if (isX64())
            {
                MEMORY_BASIC_INFORMATION_X64 mem_basic_info = new MEMORY_BASIC_INFORMATION_X64();
                int mem_info_size = Marshal.SizeOf <MEMORY_BASIC_INFORMATION_X64>();
                int size          = VirtualQueryEx_X64(handle, current_address, out mem_basic_info, (uint)mem_info_size);

                if (size != mem_info_size)
                {
                    Logger.Error($"(X64)Error Code:0x{Marshal.GetLastWin32Error():X8}");
                    return(false);
                }

                memoryBasicInformation.RegionSize        = mem_basic_info.RegionSize;
                memoryBasicInformation.BaseAddress       = mem_basic_info.BaseAddress;
                memoryBasicInformation.AllocationProtect = mem_basic_info.AllocationProtect;
                memoryBasicInformation.AllocationBase    = mem_basic_info.AllocationBase;
                memoryBasicInformation.Type    = mem_basic_info.Type;
                memoryBasicInformation.State   = mem_basic_info.State;
                memoryBasicInformation.Protect = mem_basic_info.Protect;
                return(true);
            }
            else
            {
                MEMORY_BASIC_INFORMATION_X86 mem_basic_info = new MEMORY_BASIC_INFORMATION_X86();
                int mem_info_size = Marshal.SizeOf <MEMORY_BASIC_INFORMATION_X86>();
                int size          = VirtualQueryEx_X86(handle, current_address, out mem_basic_info, (uint)mem_info_size);

                if (size != mem_info_size)
                {
                    Logger.Error($"(X86)Error Code:0x{Marshal.GetLastWin32Error():X8}");
                    return(false);
                }

                memoryBasicInformation.RegionSize        = mem_basic_info.RegionSize;
                memoryBasicInformation.BaseAddress       = mem_basic_info.BaseAddress;
                memoryBasicInformation.AllocationProtect = mem_basic_info.AllocationProtect;
                memoryBasicInformation.AllocationBase    = mem_basic_info.AllocationBase;
                memoryBasicInformation.Type    = mem_basic_info.Type;
                memoryBasicInformation.State   = mem_basic_info.State;
                memoryBasicInformation.Protect = mem_basic_info.Protect;
                return(true);
            }
        }
Beispiel #20
0
 static public extern System.IntPtr VirtualQuery(System.IntPtr address, out MemoryBasicInformation buffer, System.IntPtr length);
Beispiel #21
0
 private static extern bool VirtualQueryEx(SafeProcessHandle processHandle, IntPtr baseAddress, out MemoryBasicInformation memoryInformation, int length);
Beispiel #22
0
 public static IntPtr VQueryEx(IntPtr hProcess, IntPtr lpAddress, out MemoryBasicInformation lpBuffer, IntPtr dwLength)
 {
     return(VirtualQueryEx(hProcess, lpAddress, out lpBuffer, dwLength));
 }
Beispiel #23
0
 private static extern int VirtualQueryEx(IntPtr Handle, ulong Address, out MemoryBasicInformation Buffer, uint Length);
 private static extern int VirtualQuery(IntPtr lpAddress, out MemoryBasicInformation lpBuffer, uint dwLength);
Beispiel #25
0
 private static extern int UnmanagedVirtualQueryEx(IntPtr hProcess, UIntPtr lpAddress,
                                                   out MemoryBasicInformation lpBuffer, uint dwLength);
Beispiel #26
0
 internal static extern bool VirtualQueryEx(SafeHandle processHandle, IntPtr address, out MemoryBasicInformation mbi, int length);
Beispiel #27
0
 internal static extern bool VirtualQueryEx(SafeProcessHandle processHandle, IntPtr baseAddress, out MemoryBasicInformation buffer, int length);
Beispiel #28
0
        private bool Start(string appPath)
        {
            var startupInfo = new StartupInfo();
            var processInfo = new ProcessInformation();

            try
            {
                Logger.Instance.WriteLine($"Starting WoW ....", LogLevel.Debug);

                // Start process with suspend flags.
                if (NativeWindows.CreateProcess(null, $"{appPath}", IntPtr.Zero, IntPtr.Zero, false, 4U, IntPtr.Zero, null, ref startupInfo, out processInfo))
                {
                    var memory        = new WinMemory(processInfo.ProcessHandle);
                    var modulusOffset = IntPtr.Zero;

                    // Get RSA modulus offset from file.
                    modulusOffset = File.ReadAllBytes(appPath).FindPattern(Patterns.Common.Modulus, memory.BaseAddress.ToInt64()).ToIntPtr();
                    var sectionOffset = memory.Read(modulusOffset, 0x2000).FindPattern(Patterns.Common.Modulus);

                    modulusOffset = (modulusOffset.ToInt64() + sectionOffset).ToIntPtr();

                    // Be sure that the modulus is written before the client is initialized.
                    while (memory.Read(modulusOffset, 1)[0] != Patches.Common.Modulus[0])
                    {
                        memory.Write(modulusOffset, Patches.Common.Modulus);
                    }

                    // Resume the process to initialize it.
                    NativeWindows.NtResumeProcess(processInfo.ProcessHandle);

                    var mbi = new MemoryBasicInformation();

                    // Wait for the memory region to be initialized.
                    while (NativeWindows.VirtualQueryEx(processInfo.ProcessHandle, memory.BaseAddress, out mbi, mbi.Size) == 0 || mbi.RegionSize.ToInt32() <= 0x1000)
                    {
                    }

                    if (mbi.BaseAddress != IntPtr.Zero)
                    {
                        // Get the memory content.
                        var binary = new byte[0];

                        // Wait for client initialization.
                        var initOffset = memory?.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32())?.FindPattern(Store.InitializePattern) ?? 0;

                        while (initOffset == 0)
                        {
                            initOffset = memory?.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32())?.FindPattern(Store.InitializePattern) ?? 0;

                            Logger.Instance.WriteLine($"Waiting initialization ...", LogLevel.Debug);
                        }

                        initOffset += BitConverter.ToUInt32(memory.Read((long)initOffset + memory.BaseAddress.ToInt64() + 2, 4), 0) + 10;

                        while (memory?.Read((long)initOffset + memory.BaseAddress.ToInt64(), 1)?[0] == null ||
                               memory?.Read((long)initOffset + memory.BaseAddress.ToInt64(), 1)?[0] == 0)
                        {
                            binary = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32());
                        }

                        // Suspend the process and handle the patches.
                        NativeWindows.NtSuspendProcess(processInfo.ProcessHandle);

                        //! Re-read the memory region for each pattern search.
                        var certBundleOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(Store.CertificateBundle);
                        var signatureOffset  = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(Store.SignatureBundle);

                        if (certBundleOffset == 0 || signatureOffset == 0)
                        {
                            Logger.Instance.WriteLine("Can't find all patterns.", LogLevel.Error);
                            Logger.Instance.WriteLine($"CertBundle: {certBundleOffset == 0}", LogLevel.Error);
                            Logger.Instance.WriteLine($"Signature: {signatureOffset == 0}", LogLevel.Error);
                        }

                        // Add the patches to the patch list.
                        PatchList.Add("CertBundle", Tuple.Create(certBundleOffset, Store.CertificatePatch));
                        PatchList.Add("Signature", Tuple.Create(signatureOffset, Store.SignaturePatch));

                        NativeWindows.NtResumeProcess(processInfo.ProcessHandle);

                        if (memory.RemapAndPatch(PatchList))
                        {
                            Logger.Instance.WriteLine($"Executeable successfully patched!", LogLevel.Debug);

                            binary = null;

                            return(true);
                        }
                        else
                        {
                            binary = null;

                            Logger.Instance.WriteLine("Error while launching the client.", LogLevel.Error);

                            NativeWindows.TerminateProcess(processInfo.ProcessHandle, 0);

                            return(false);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Logger.Instance.WriteLine(ex.ToString(), LogLevel.Error);

                NativeWindows.TerminateProcess(processInfo.ProcessHandle, 0);

                return(false);
            }

            return(false);
        }
        protected override void Update()
        {
            if (_processHandle == null)
            {
                return;
            }

            var modules = new Dictionary <IntPtr, ProcessModule>();

            try
            {
                foreach (var m in _processHandle.GetModules())
                {
                    modules.Add(m.BaseAddress, m);
                }
            }
            catch
            { }

            var memoryInfo    = new Dictionary <IntPtr, MemoryBasicInformation>();
            var newdictionary = new Dictionary <IntPtr, MemoryItem>(this.Dictionary);

            _processHandle.EnumMemory(info =>
            {
                if ((this.IgnoreFreeRegions && info.State != MemoryState.Free) || !this.IgnoreFreeRegions)
                {
                    memoryInfo.Add(info.BaseAddress, info);
                }

                return(true);
            });

            // look for freed memory regions
            foreach (IntPtr address in Dictionary.Keys)
            {
                if (!memoryInfo.ContainsKey(address))
                {
                    this.OnDictionaryRemoved(this.Dictionary[address]);
                    newdictionary.Remove(address);
                }
            }

            string lastModuleName    = null;
            IntPtr lastModuleAddress = IntPtr.Zero;
            int    lastModuleSize    = 0;

            foreach (IntPtr address in memoryInfo.Keys)
            {
                MemoryBasicInformation info = memoryInfo[address];

                if (!this.Dictionary.ContainsKey(address))
                {
                    MemoryItem item = new MemoryItem
                    {
                        RunId      = this.RunCount,
                        Address    = address,
                        Size       = info.RegionSize.ToInt64(),
                        Type       = info.Type,
                        State      = info.State,
                        Protection = info.Protect
                    };

                    if (modules.ContainsKey(item.Address))
                    {
                        lastModuleName    = modules[item.Address].BaseName;
                        lastModuleAddress = modules[item.Address].BaseAddress;
                        lastModuleSize    = modules[item.Address].Size;
                    }

                    if (
                        item.Address.IsGreaterThanOrEqualTo(lastModuleAddress) &&
                        item.Address.CompareTo(lastModuleAddress.Increment(lastModuleSize)) == -1
                        )
                    {
                        item.ModuleName = lastModuleName;
                    }
                    else
                    {
                        item.ModuleName = null;
                    }

                    newdictionary.Add(address, item);
                    this.OnDictionaryAdded(item);
                }
                else
                {
                    MemoryItem item = this.Dictionary[address];

                    if (
                        info.RegionSize.ToInt64() != item.Size ||
                        info.Type != item.Type ||
                        info.State != item.State ||
                        info.Protect != item.Protection
                        )
                    {
                        MemoryItem newitem = item.Clone() as MemoryItem;

                        newitem.Size       = info.RegionSize.ToInt64();
                        newitem.Type       = info.Type;
                        newitem.State      = info.State;
                        newitem.Protection = info.Protect;

                        newdictionary[address] = newitem;
                        this.OnDictionaryModified(item, newitem);
                    }
                }
            }

            this.Dictionary = newdictionary;
        }
Beispiel #30
0
 internal static extern IntPtr VirtualQuery(IntPtr address,
                                            ref MemoryBasicInformation buffer,
                                            int length);
Beispiel #31
0
 public static extern int VirtualQueryEx(SafeMemoryHandle hProcess, IntPtr lpAddress,
     out MemoryBasicInformation lpBuffer, int dwLength);
Beispiel #32
0
 public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpBaseAddress, out MemoryBasicInformation mbi, int dwSize);
Beispiel #33
0
 internal static extern int VirtualQuery(ref IntPtr lpAddress,
                                         ref MemoryBasicInformation lpBuffer,
                                         int dwLength);
Beispiel #34
0
 public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MemoryBasicInformation lpBuffer, int dwLength);
        /// <summary>
        /// </summary>
        /// <param name="handle">
        /// </param>
        /// <param name="search">
        /// </param>
        /// <param name="mbi">
        /// </param>
        /// <returns>
        /// </returns>
        private static IntPtr FindKey(SafeMemoryHandle handle, string search, MemoryBasicInformation mbi)
        {
            byte[] memCopy = ReadBytes(handle, mbi.BaseAddress, mbi.RegionSize);
            int len = ASCIIEncoding.ASCII.GetByteCount(search);
            byte[] src = ASCIIEncoding.ASCII.GetBytes(search);

            int iPointer = 0;
            while (iPointer < memCopy.Length - len)
            {
                int dPointer = 0;
                while (dPointer < len)
                {
                    if (src[dPointer] != memCopy[iPointer + dPointer])
                    {
                        break;
                    }

                    dPointer++;
                    if (dPointer == len)
                    {
                        return (IntPtr)((int)mbi.BaseAddress + iPointer);
                    }
                }

                iPointer++;
            }

            return (IntPtr)0;
        }