2

I found a code that works perfectly for static addresses.

However, how would I change this code so it works for pointers? I need to get value from this pointer: 0x1002CAA70 + 0x10 + 0x18 + 0x0 + 0x18.

It is for 64 bit application.

public class Program
{
    private const int PROCESS_WM_READ = 0x0010;

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(int hProcess,
    Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

    static void Main(string[] args)
    {
        Process process      = Process.GetProcessesByName("Tutorial-x86_64")[0];
        IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);

        int bytesRead = 0;
        var buffer = new byte[4];

        ReadProcessMemory((int)processHandle, 0x0011D598, buffer, buffer.Length, ref bytesRead);
        Console.WriteLine(BitConverter.ToInt32(buffer, 0));
        Console.ReadLine();
    }
}

image 1 image 2

AustinWBryan
  • 3,249
  • 3
  • 24
  • 42
shiny
  • 171
  • 4
  • 13
  • What does it mean "modify it and add offsets"? – Tommaso Belluzzo Nov 25 '17 at 01:12
  • I can't find working example for pointers – shiny Nov 25 '17 at 01:38
  • 0x1002CAA70 + 0x10 + 0x18 + 0x0 + 0x18 = 1002CAAB0? You want to read that value? Or you want to traverse with consecutive values? – Tommaso Belluzzo Nov 25 '17 at 01:41
  • Sorry, for not being able to explain my problem correctly. Please see the attached image. I have found pointer with static address "1002CAA70" and 4 offsets (10,18,0,18). I want my program to return this pointer's value. Basically, i'm trying to get a value in memory using my pointer – shiny Nov 25 '17 at 01:52
  • Actually I see 4 different pointers with 4 different adresses, you need them all? – Tommaso Belluzzo Nov 25 '17 at 02:01
  • it is a pointer, addresses may change. However, base address and offsets stay the same. see image 2 – shiny Nov 25 '17 at 02:14
  • Ok I think I got it, see my reply. – Tommaso Belluzzo Nov 25 '17 at 02:18
  • It looks like you have an array of objects (structure) where each structure is 18 bytes. So the start address is 0x1002CAA70 + (0x18 * x) where x is the index number of the array. – jdweng Nov 25 '17 at 02:30

2 Answers2

5
Byte[] buffer = new Byte[4];
Int32 bytesRead = 0;
Int32 processHandle = (Int32)process.Handle;

Int32 baseAddress = process.MainModule.BaseAddress.ToInt32() + 0x1002CAA70;
ReadProcessMemory(processHandle, baseAddress, buffer, buffer.Length, ref bytesRead);
Int32 baseValue = BitConverter.ToInt32(buffer, 0));

Int32 firstAddress = baseValue + 0x10;
ReadProcessMemory(processHandle, firstAddress, buffer, buffer.Length, ref bytesRead);
Int32 firstValue = BitConverter.ToInt32(buffer, 0));

Int32 secondAddress = firstValue + 0x18;
ReadProcessMemory(processHandle, secondAddress, buffer, buffer.Length, ref bytesRead);
Int32 secondValue = BitConverter.ToInt32(buffer, 0));

Int32 thirdAddress = secondValue + 0x00;
ReadProcessMemory(processHandle, thirdAddress, buffer, buffer.Length, ref bytesRead);
Int32 thirdValue = BitConverter.ToInt32(buffer, 0));

Int32 fourthAddress = thirdValue + 0x18;
ReadProcessMemory(processHandle, fourthAddress, buffer, buffer.Length, ref bytesRead);
Int32 fourthValue = BitConverter.ToInt32(buffer, 0));
Tommaso Belluzzo
  • 23,232
  • 8
  • 74
  • 98
2

Thank you Tommaso Belluzzo!!

my final code for those who interested:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Diagnostics;

namespace ConsoleApplication1
{
    class Program
    {
        const int PROCESS_WM_READ = 0x0010;

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll")]
        public static extern bool ReadProcessMemory(int hProcess,
        Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

        static void Main(string[] args)
        {
            Process process = Process.GetProcessesByName("Tutorial-x86_64")[0];
            IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);

            int bytesRead = 0;
            byte[] buffer = new byte[4];


            //Byte[] buffer = new Byte[4];

            Int64 baseAddress = 0x1002CAA70;
            ReadProcessMemory((int)processHandle, baseAddress, buffer, buffer.Length, ref bytesRead);
            Int64 baseValue = BitConverter.ToInt32(buffer, 0);

            Int64 firstAddress = baseValue + 0x10;
            ReadProcessMemory((int)processHandle, firstAddress, buffer, buffer.Length, ref bytesRead);
            Int64 firstValue = BitConverter.ToInt32(buffer, 0);

            Int64 secondAddress = firstValue + 0x18;
            ReadProcessMemory((int)processHandle, secondAddress, buffer, buffer.Length, ref bytesRead);
            Int64 secondValue = BitConverter.ToInt32(buffer, 0);

            Int64 thirdAddress = secondValue + 0x0;
            ReadProcessMemory((int)processHandle, thirdAddress, buffer, buffer.Length, ref bytesRead);
            Int64 thirdValue = BitConverter.ToInt32(buffer, 0);

            Int64 fourthAddress = thirdValue + 0x18;
            ReadProcessMemory((int)processHandle, fourthAddress, buffer, buffer.Length, ref bytesRead);
            Int64 fourthValue = BitConverter.ToInt32(buffer, 0);

            ReadProcessMemory((int)processHandle, fourthValue, buffer, buffer.Length, ref bytesRead);
            Console.WriteLine(BitConverter.ToInt32(buffer, 0));
            Console.ReadLine();
        }
    }
}
shiny
  • 171
  • 4
  • 13