/// <summary> /// Set the RSA key. Different from WriteString because must overcome protection. /// </summary> /// <param name="handle"></param> /// <param name="address"></param> /// <param name="newKey"></param> /// <returns></returns> public static bool WriteRSA(IntPtr handle, long address, string newKey) { IntPtr bytesWritten; int result; WinAPI.MemoryProtection oldProtection = 0; System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding(); byte[] bytes = enc.GetBytes(newKey); // Make it so we can write to the memory block WinAPI.VirtualProtectEx( handle, new IntPtr(address), new IntPtr(bytes.Length), WinAPI.MemoryProtection.ExecuteReadWrite, ref oldProtection); // Write to memory result = WinAPI.WriteProcessMemory(handle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten); // Put the protection back on the memory block WinAPI.VirtualProtectEx(handle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection); return(result != 0); }
ulong CreateSection(WinAPI.MemoryProtection memoryProtection, long size) { var result = WinAPI.NtCreateSection(out ulong sectionHandle, WinAPI.ACCESS_MASK.GENERIC_ALL, 0, out size, memoryProtection, 0x8000000 /*SEC_COMMIT*/, 0); if (result != 0) { log.Log(LogType.Failure, $"CreateSection - NtCreateSection() failed - {result.ToString("x2")}"); return(0); } return(sectionHandle); }
ulong MapSection(IntPtr procHandle, ulong sectionHandle, WinAPI.MemoryProtection memoryProtection) { ulong memoryPointer = 0; var result = WinAPI.NtMapViewOfSection(sectionHandle, procHandle, ref memoryPointer, 0, 0, 0, out uint viewSize, 2, 0, memoryProtection); if (result != 0) { log.Log(LogType.Failure, $"MapSection - NtMapViewOfSection() failed - {result.ToString("x2")}"); return(0); } return(memoryPointer); }
public static bool WriteRsa(IntPtr processHandle, long address, string value) { IntPtr bytesWritten; WinAPI.MemoryProtection oldProtection = 0; var enc = new ASCIIEncoding(); var bytes = enc.GetBytes(value); WinAPI.VirtualProtectEx(processHandle, new IntPtr(address), new IntPtr(bytes.Length), WinAPI.MemoryProtection.ExecuteReadWrite, ref oldProtection); var result = WinAPI.WriteProcessMemory(processHandle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten); WinAPI.VirtualProtectEx(processHandle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection); return(result != 0); }
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, WinAPI.AllocationType flAllocationType, WinAPI.MemoryProtection flProtect);
/// <summary> /// Sets the protection mode /// </summary> /// <param name="mode">The protection mode</param> public void SetProtectionMode(WinAPI.MemoryProtection mode) { WinAPI.VirtualProtect(this.start, (uint)this.size, mode, out var old); }
public bool WriteOnGetNextPacketCode() { oldCallBytes = client.Memory.ReadBytes( Pokemon.Addresses.Client.GetNextPacketCall, 5); #region opcodes byte[] opCodes = new byte[] { //fSendingToClient @ flagAddress 0x00, 0x00, 0x00, 0x00, //mov eax,dword ptr ds:[flagAddress] 0xA1, 0x00, 0x00, 0x00, 0x00, //cmp eax,1 0x83, 0xF8, 0x01, //JNZ SHORT~ -> mov eax,origAddress 0x75, 0x26, //mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] //dwSize 0xA1, 0x00, 0x00, 0x00, 0x00, //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] //dwPos 0x8B, 0x1D, 0x00, 0x00, 0x00, 0x00, //cmp ebx,eax 0x39, 0xC3, //JGE SHORT~ -> //mov eax,-1 0x7D, 0x11, //add ebx,dword ptr ds:[ADDR_RECV_STREAM] 0x03, 0x1D, 0x00, 0x00, 0x00, 0x00, //mov al,byte ptr ds:[ebx] 0x8A, 0x03, //mov ebx,ADDR_RECV_STREAM+8 0xBB, 0x00, 0x00, 0x00, 0x00, //add dword ptr ds:[ebx],1 0x83, 0x03, 0x01, //retn 0xC3, //mov eax,-1 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, //retn, 0xC3, //mov eax,oldAddress 0xB8, 0x00, 0x00, 0x00, 0x00, //call eax 0xFF, 0xD0, //retn 0xC3 }; #endregion #region fixing opcodes Array.Copy( BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 4), 0, opCodes, 15, 4);//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] Array.Copy( BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 8), 0, opCodes, 21, 4); //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] Array.Copy( BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream), 0, opCodes, 31, 4);//add ebx,dword ptr ds:[ADDR_RECV_STREAM] Array.Copy( BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 8), 0, opCodes, 38, 4);//mov ebx,ADDR_RECV_STREAM+8 #endregion pSendToClient = WinAPI.VirtualAllocEx( client.Handle, IntPtr.Zero, (uint)opCodes.Length, WinAPI.AllocationType.Commit | WinAPI.AllocationType.Reserve, WinAPI.MemoryProtection.ExecuteReadWrite); if (pSendToClient != IntPtr.Zero) { Array.Copy(BitConverter.GetBytes(pSendToClient.ToInt32()), 0, opCodes, 5, 4); //Begin HookCall WinAPI.MemoryProtection oldProtect = WinAPI.MemoryProtection.NoAccess; WinAPI.MemoryProtection newProtect = WinAPI.MemoryProtection.NoAccess; uint newCall, oldCall; byte[] call = new byte[] { 0xE8, 0x00, 0x00, 0x00, 0x00 }; newCall = (uint)(pSendToClient.ToInt32() + 4) - Pokemon.Addresses.Client.GetNextPacketCall - 5; Array.Copy(BitConverter.GetBytes(newCall), 0, call, 1, 4); if (WinAPI.VirtualProtectEx(client.Handle, new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall), new IntPtr(5), WinAPI.MemoryProtection.ReadWrite, ref oldProtect)) { oldCall = BitConverter.ToUInt32( client.Memory.ReadBytes(Pokemon.Addresses.Client.GetNextPacketCall + 1, 4), 0); int oldAddress = (int)(Pokemon.Addresses.Client.GetNextPacketCall + oldCall + 5); Array.Copy( BitConverter.GetBytes(oldAddress), 0, opCodes, 53, 4);//mov eax,oldAddress if (client.Memory.WriteBytes(pSendToClient.ToInt64(), opCodes, (uint)opCodes.Length)) { if (client.Memory.WriteBytes(Pokemon.Addresses.Client.GetNextPacketCall, call, 5)) { WinAPI.VirtualProtectEx(client.Handle, new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall), new IntPtr(5), oldProtect, ref newProtect); sendToClientCodeWritten = true; return(true); } } WinAPI.VirtualProtectEx(client.Handle, new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall), new IntPtr(5), oldProtect, ref newProtect); } } if (pSendToClient == IntPtr.Zero) { WinAPI.VirtualFreeEx( client.Handle, pSendToClient, (uint)opCodes.Length, WinAPI.AllocationType.Release); } sendToClientCodeWritten = false; return(false); }