/// <summary> /// A patch can be used to change byte(s) starting at the defined address. /// </summary> /// <param name="addressToPatch">The address of the byte where we want our patch to start.</param> public MemoryPatch(IMemoryAddress addressToPatch, byte[] newBytes) { PatchAddress = addressToPatch; NewBytes = newBytes; OriginalBytes = PatchAddress.Read(NewBytes.Length); MemoryPatches.Add(this); }
private void ValidateDbgBreakPoint() { IMemoryModule ntdll = Process.Modules["ntdll.dll"]; IMemoryAddress dbgBreakPointPtr = ntdll.GetProcAddress("DbgBreakPoint"); byte dbgBreakPointByte = dbgBreakPointPtr.Read <byte>(); if (dbgBreakPointByte == 0xC3) { MemoryPatches.Add(new MemoryPatch(dbgBreakPointPtr, new byte[] { 0xCC })); } }
private static void NtQueryInformationProcess(int flag, string flagName) { NtQueryInformationProcess ntQueryInformationProcess = new NtQueryInformationProcess(); using (IMemoryAddress result = GameSharpProcess.Instance.AllocateManagedMemory(IntPtr.Size)) { int queryState = ntQueryInformationProcess.Call <int>(GameSharpProcess.Instance.Handle, flag, result.Address, (uint)4, null); // STATUS_SUCCESS = 0, so if API call was successful queryState should contain 0. if (queryState == 0) { if (!result.Read <bool>()) { LoggingService.Info($"{flagName} => We're being debugged!"); } } } }
/// <summary> /// Initializes a new instance of the <see cref="MemoryScanner" /> class. /// </summary> /// <param name="module"><see cref="ProcessModule"/> which we are going to scan.</param> public MemoryScanner(IMemoryModule module) { ModuleBase = module.MemoryAddress; Bytes = ModuleBase.Read(module.ModuleMemorySize); }