public static VirtualProtectHandle Protect(IntPtr address, int size, MemProtection newProtection)
{
MemProtection oldProtection;
Kernel32.VirtualProtect(address, size, newProtection, out oldProtection);
return(new VirtualProtectHandle(address, size, oldProtection));
}
public static VirtualProtectHandle Protect(IntPtr address, int size, MemProtection newProtection)
{
MemProtection oldProtection;
if (!Kernel32.VirtualProtect(address, size, newProtection, out oldProtection))
{
throw new Win32Exception();
}
return(new VirtualProtectHandle(address, size, oldProtection));
}
public bool RemapViewBase(MemProtection newProtection = MemProtection.ExecuteWriteCopy)
{
var mbi = new MemoryBasicInformation();
if (VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0)
{
return(RemapView(mbi.BaseAddress, mbi.RegionSize.ToInt32(), newProtection));
}
return(false);
}
public void Write(IntPtr address, byte[] data, MemProtection newProtection = MemProtection.ExecuteReadWrite)
{
try
{
NativeWindows.VirtualProtectEx(ProcessHandle, address, (uint)data.Length, (uint)newProtection, out var oldProtect);
NativeWindows.WriteProcessMemory(ProcessHandle, address, data, data.Length, out var written);
NativeWindows.FlushInstructionCache(ProcessHandle, address, (uint)data.Length);
NativeWindows.VirtualProtectEx(ProcessHandle, address, (uint)data.Length, oldProtect, out oldProtect);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
public bool RemapView(IntPtr viewAddress, int viewSize, MemProtection newProtection = MemProtection.ExecuteWriteCopy)
{
// Suspend before remapping to prevent crashes.
NtSuspendProcess(ProcessHandle);
var viewBackup = Read(viewAddress, viewSize);
if (viewBackup != null)
{
var newViewHandle = IntPtr.Zero;
var maxSize = new LargeInteger {
Quad = viewSize
};
if (NtCreateSection(ref newViewHandle, 0xF001F, IntPtr.Zero, ref maxSize, 0x40u, 0x8000000, IntPtr.Zero) == NtStatus.Success &&
NtUnmapViewOfSection(ProcessHandle, viewAddress) == NtStatus.Success)
{
// Map the view with our new protection
var viewBase = viewAddress;
if (NtMapViewOfSection(newViewHandle, ProcessHandle, ref viewBase, IntPtr.Zero, (uint)viewSize, out var viewOffset,
out var newViewSize, 2, IntPtr.Zero, (int)newProtection) == NtStatus.Success &&
WriteProcessMemory(ProcessHandle, viewAddress, viewBackup, viewSize, out var dummy))
{
NtResumeProcess(ProcessHandle);
return(true);
}
Console.WriteLine("Error while mapping the view with the given protection.");
}
}
else
{
Console.WriteLine("Error while creating the view backup.");
}
NtResumeProcess(ProcessHandle);
return(false);
}
public static extern IntPtr VirtualAlloc(IntPtr Addr, int Size, AllocType AType = AllocType.Commit, MemProtection Prot = MemProtection.ReadWrite);
public static bool VirtualProtect(IntPtr Addr, uint Size, MemProtection NewProtect)
{
MemProtection Old;
return VirtualProtect(Addr, Size, NewProtect, out Old);
}
public static VirtualProtectHandle Protect(IntPtr address, int size, MemProtection newProtection)
{
MemProtection oldProtection;
Kernel32.VirtualProtect(address, size, newProtection, out oldProtection);
return new VirtualProtectHandle(address, size, oldProtection);
}
public static bool VirtualProtect(IntPtr Addr, int Size, MemProtection NewProtect)
{
return(VirtualProtect(Addr, (uint)Size, NewProtect));
}
private static extern bool VirtualProtectEx(IntPtr processHandle, IntPtr baseAddress, IntPtr protectionSize, MemProtection protectionType, out MemProtection oldProtectionType);
public static extern uint ZwAllocateVirtualMemory(IntPtr Proc, ref IntPtr Addr, int ZeroBits, ref IntPtr RegionSize, AllocType AType = AllocType.Commit | AllocType.Reserve, MemProtection Prot = MemProtection.ReadWrite);
public static extern bool VirtualProtect(IntPtr Addr, uint Size, MemProtection NewProtect, out MemProtection OldProtect);
public static extern IntPtr VirtualAlloc(IntPtr Addr, uint Size, AllocType AType, MemProtection Protect);
public MemProtection VirtualProtect(MemProtection P)
{
MemProtection Old;
if (!Native.VirtualProtect(Pointer, Size, P, out Old))
throw new Exception();
return Old;
}
public static extern bool VirtualProtect(IntPtr Addr, uint Size, MemProtection NewProtect, out MemProtection OldProtect);
public static bool VirtualProtect(IntPtr Addr, uint Size, MemProtection NewProtect)
{
MemProtection Old;
return(VirtualProtect(Addr, Size, NewProtect, out Old));
}
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, MemoryAllocationType flAllocationType, MemProtection flProtect);
public void Write(long address, byte[] data, MemProtection newProtection = MemProtection.ExecuteReadWrite) => Write(new IntPtr(address), data, newProtection);
public static bool VirtualProtectEx(Process p, IntPtr baseAddress, IntPtr dwSize, MemProtection protType, out MemProtection oldProtType)
{
if (!VirtualProtectEx(p.Handle, baseAddress, dwSize, protType, out oldProtType))
{
// Console.WriteLine($"Failed to protect a region of virtual memory {baseAddress.ToString("X")} + {dwSize.ToString("X")} in the remote process");
return(false);
}
return(true);
}
public static extern uint ZwAllocateVirtualMemory(IntPtr Proc, ref IntPtr Addr, int ZeroBits, ref IntPtr RegionSize,
AllocType AType = AllocType.Commit | AllocType.Reserve, MemProtection Prot = MemProtection.ReadWrite);
/// <summary>
/// Creates a new <see cref="VirtualProtectHandle"/> instance with the given parameters.
/// </summary>
/// <param name="address">The address of the first byte that had its protection changed.</param>
/// <param name="size">The size of the memory range with changed protection.</param>
/// <param name="oldProtection">The previous protection setting.</param>
public VirtualProtectHandle(IntPtr address, int size, MemProtection oldProtection)
{
Address = address;
Size = size;
OldProtection = oldProtection;
}
/// <summary>
/// Creates a new <see cref="VirtualProtectHandle"/> instance with the given parameters.
/// </summary>
/// <param name="address">The address of the first byte that had its protection changed.</param>
/// <param name="size">The size of the memory range with changed protection.</param>
/// <param name="oldProtection">The previous protection setting.</param>
public VirtualProtectHandle(IntPtr address, int size, MemProtection oldProtection)
{
Address = address;
Size = size;
OldProtection = oldProtection;
}
private static extern IntPtr CreateFileMappingW(IntPtr hFile, SECURITY_ATTRIBUTES lpAttributes, [In, MarshalAs(UnmanagedType.U4)] MemProtection flProtect, int dwMaximumSizeHi, int dwMaximumSizeLo, string lpName);
