Jump to content

Most Liked Content


#63 WriteBytes Protected?

Posted by Prodian on 14 November 2013 - 08:24 PM

Hello,

 

Keep getting an error saying these are inaccessible.

 

Binarysharp.MemoryManagement.MemorySharp.ReadBytes(System.IntPtr, int, [bool])

Binarysharp.MemoryManagement.MemorySharp.WriteBytes(System.IntPtr, byte[], [bool])

 

In the Object Browser they are showing as "Protected" access.

 

 

protected void WriteBytes(System.IntPtr address, byte[] byteArray, [bool isRelative = true])

    Member of Binarysharp.MemoryManagement.MemorySharp
 
Summary:
Write an array of bytes in the remote process.
 
Parameters:
address: The address where the array is written.
byteArray: The array of bytes to write.
isRelative: [Optional] State if the address is relative to the main module.

 

Any idea?

 

Thanks for the help.




  • #61 Bugs report

    Posted by CreateAndInject on 30 October 2013 - 01:02 PM

    I report here, https://github.com/Z...ySharp/issues/1, but no reply.

     

     

    1.window.Mouse.MoveTo(0, 0);
    If the "window" is a child control, mouse can not move correctly!

    2.If an application has 2+ top level windows, WindowFactory.RemoteWindows can not collect all!
    Maybe should support "TopLevelWindows" property, and "MainWindow" is just the first visible one in collections.

    3.Why don't support a "Parent" property in RemoteWindow?

    4.
    public string ReadString(IntPtr address, Encoding encoding, bool isRelative = true, int maxLength = 0x200)
    {
    string str = encoding.GetString(this.ReadBytes(address, maxLength, isRelative));
    int index = str.IndexOf('\0');
    return str.Substring(0, index);

    ==>


    return index==-1?str:str.Substring(0,index);//If don't find "\0" in maxLength, just return it.
    }

    5.
    var sharp = new MemorySharp(Process.GetCurrentProcess());
    sharp["kernel32"]["MessageBoxW"].Execute(0, "Hey", "Title", 0);
    this code contains so many errors
    (1) kernel32 => user32
    (2)sharp["user32"]["MessageBoxW"].Execute(0, "Hey", "Title", 0);
    will throw an exception.
    should: sharp["user32"]["MessageBoxW"].Execute(CallingConventions.Stdcall,0, "Hey", "Title", 0);
    (3)MessageBoxW can not work normally, MessageBoxA can.
    (4)sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall,0, "汉字", "Title", 0);
    If the string contains non-latin character, such as Chinese, this code can not work correctly.
    I must do it like this:

    //my process
    (1).sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall, 0, Marshal.StringToHGlobalAnsi("汉字"), "Title", 0);
    (2).sharp["user32"]["MessageBoxW"].Execute(CallingConventions.Stdcall, 0, Marshal.StringToHGlobalUni("汉字"), Marshal.StringToHGlobalUni("Title"), 0);

    //remote process
    (3).
    var bytes = Encoding.GetEncoding("gb2312").GetBytes("汉字");
    Array.Resize(ref bytes, bytes.Length + 1);
    RemoteAllocation ra = ms.Memory.Allocate(bytes.Length);
    ra.Write(bytes);
    sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall, 0, ra.BaseAddress, "Title", 1);

    I think MemorySharp should support:
    RemoteAllocation/Inptr Write/WriteString (data)
    {
    }
    not need pass in address as paramter and the method will alloc proper size and return the address.(like Marshal.StringToHGlobalAnsi)




  • #66 WriteBytes Protected?

    Posted by ZenLulz on 14 November 2013 - 10:28 PM

    Hello,

     

    Yes, your instruction seems to be fine.

    If your goal is to write a string, you can also use the method WriteString. Thus, you won't need to manually convert your string into a char array.

    sharp.WriteString(DoStringArg_Codecave.BaseAddress, Command, Encoding.UTF8, false);

    Cheers,

    ZenLulz




  • #60 DLL ejection even with mustBeDisposed flag to false

    Posted by ZenLulz on 28 October 2013 - 04:54 PM

    Hi there,

     

    SKU, a member from another board reported to me an issue when a DLL is injected with the flag mustBeDisposed set to false.

    In this case, the DLL must stay alive within the remote process, even if the instance of MemorySharp that injected the library is disposed, but it appears this is not the case.

     

    The issue occurs here, where the parameter is never used.

     

    public InjectedModule Inject(string path, bool mustBeDisposed = true)
    {
    // Injects the module
    var module = InjectedModule.InternalInject(MemorySharp, path);
    // Add the module in the list
    InternalInjectedModules.Add(module);
    // Return the module
    return module;
    }

     

    I will fix this issue as soon as possible.

     

    Cheers,

    ZenLulz




  • #57 DLL Error

    Posted by Abystus on 22 October 2013 - 04:54 AM

    I wanted to let you know that I was successful in implementing safe type read/write wrappers around your methods.  While testing them I noticed this line was causing a severe delay in my application's ability to read/write memory:

    address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64()

    Apparently referencing the BaseAddress through MemorySharp, or the act of converting it to Int64 causes a huge delay.  If I create my own IntPtr to house the BaseAddress when I reference the process initially before passing it to MemorySharp (already had this setup before your library), and reference it instead like the following method has then everything is speedy once again:

     

            public static T Read<T>(IntPtr address, bool isRelative = true)
            {
                try
                {
                    if (address == IntPtr.Zero || address.ToInt64() < BaseAddress.ToInt64())
                        return default(T);
    
                    return MemSharp.Read<T>(address, isRelative);
                }
                catch (Exception ex) { return default(T); }
            }

    Is there some intense operation going on when your resolving the base address, or when it is converted?  I believe I remember someone saying there was a delay on retrieving the relative address (which has to reference the base address), and this may be part of that issue.  Link here:

     

    http://www.ownedcore...tml#post2867864

     

    You have a very nice library here.  I hope to see some optimizations here and there, but so far it's a blast to work with.  Thanks again for the tips and code examples.




  • #56 DLL Error

    Posted by Abystus on 21 October 2013 - 07:20 PM

    Hi Abystus,

     

    This exception usually occurs when the address passed to MemorySharp is invalid. If you don't want to write all these checks, you can remove all your conditions and the exception will be caught by the try...catch statement. Else you can write your own extension methods that return the default value of the type. For example:

     

    public static class MemorySharpExtensions
    {
        public static T SafeRead<T>(this MemorySharp memory, IntPtr address, bool isRelative = true)
        {
            if (address == IntPtr.Zero || address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64())
            {
                return default(T);
            }
            return memory.Read<T>(address, isRelative);
        }
    }

     

    I did not provide a way to bypass the exceptions because it can be misleading if functions have different behaviors. I also chose to return void when writing data in order to standardize how the library works.

     

    Cheers,

    ZenLulz

     

    Thanks for the quick reply ZenLulz.  Your "SafeRead" example seem to be the best solution (similar to what I considered creating) to this issue, and it will also allow me to do some logging on invalid addresses when they occur so I can address them.  The code up there has so many checks as I was under the impression that the dll threw an error that was not handled by the Try/Catch setup, but it may have been due to me telling Visual Studio to always break on the "ArguementException" (even when in a Try/Catch setup) initially when I posted this error.  I appreciate the example, and look forward to implementing something similar when I arrive home.  Thanks for your time, and the helpful support of your library.




  • #55 DLL Error

    Posted by ZenLulz on 21 October 2013 - 05:25 PM

    Hi Abystus,

     

    This exception usually occurs when the address passed to MemorySharp is invalid. If you don't want to write all these checks, you can remove all your conditions and the exception will be caught by the try...catch statement. Else you can write your own extension methods that return the default value of the type. For example:

     

    public static class MemorySharpExtensions
    {
        public static T SafeRead<T>(this MemorySharp memory, IntPtr address, bool isRelative = true)
        {
            if (address == IntPtr.Zero || address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64())
            {
                return default(T);
            }
            return memory.Read<T>(address, isRelative);
        }
    }

     

    I did not provide a way to bypass the exceptions because it can be misleading if functions have different behaviors. I also chose to return void when writing data in order to standardize how the library works.

     

    Cheers,

    ZenLulz




  • #5137 How to call a function by its name from a remote executable.

    Posted by tungusa on 23 September 2016 - 01:38 AM

    one of the examples on memorysharp product page shown as fallows:

     

    Inject/eject Modules

    Here a module is injected and ejected using the `IDisposable` interface :

    string path = [..];
    var sharp = new MemorySharp(Process.GetCurrentProcess());

    using (var module = sharp.Modules.Inject(path))
    {
    module.FindFunction("MessageBoxW").Execute(0, "Hey", "Title", 0);
    }

     

     

     

    Question 1:  Is it possible to call a function by its name with this way (provided number and type of parameters also known) from a remote executable?

     

    Question 2 : what  string path = [..]; represents the path of?

     

    Thank you.




  • #5130 .NET 4.0 Build

    Posted by Cyrem on 23 June 2016 - 04:48 AM

    Hey,

     

    I have a problem where I need to build my memory editor launcher under .NET 4.0 to be compatible with XP, however I can't build it as MemorySharp relies on FASM which was built against 4.5.

     

    Is there any chance the framework could be lowered to 4.0 and still function as normal?

     

    Thanks.




  • #50 Getting Started (Porting)

    Posted by Abystus on 19 October 2013 - 08:26 PM

    I suggest to set up a breakpoint of this line :

     

    Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag
    

     

    Thus, you can debug each time you are reading a new address and you will be able to detect the issue.

     

    Well see the first function returns an address to read from, not a value at that address.  So say we have a pointer with 1 offset, then it would read the static pointer, then add the offset to that address and return meaning not reading the address + offset.  This function is designed just to return the pointers base address, not whats at that base address.  I've taken a look at the new code, and it appears I need to somehow make it through all the offsets without reading whats at the final one and instead return the address +final offset.  Not sure this makes sense, but coming from a non library depending setup I had to resolve the address of pointers before I could read them elsewhere, so that's why the function exists.  I am currently working with it to see if I can get that kind of functionality out of this, or if I even need to do this anymore due to how your library works.  Thanks for the quick responses!

     

    Edit:

     

    Looks like this works:

     

            public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
            {
                try
                {
                    IntPtr Address = BaseAddress + (int)StaticPointer; //Similar to before with the base + static pointer
                    foreach (int Offset in Offsets)
                        Address = MemSharp.Read<IntPtr>(Address, false) + Offset; //This should not be re-based because of 'false' flag
                    return Address;
                }
                catch (Exception ex) { return IntPtr.Zero; }
            }

    Though, I feel there may be a simpler way to do that, but it should work for now.  If you have an suggestions on how to optimize that then it would be appreciated.




  • #47 Getting Started (Porting)

    Posted by ZenLulz on 19 October 2013 - 08:02 PM

    Hi Abystus and welcome on the board.

     

    Your functions are correctly written and do the same work. I tested the first one with this code.

     

    var staticAddress = IntPtr.Zero;
    var offsets = new[] { 0x10 };

    var finalAddress = FindAddress(staticAddress, offsets);

    Console.WriteLine(MemSharp.ReadString(finalAddress, false));
               
    Console.Read();

     

    I altered the memory of my notepad++ to be like that.

     

    Attached File  multi-level pointer.png   5.22KB   0 downloads

     

    So, my static address is 0x400000, or 0x0 rebased. The value at this location is 0x400010, where I add an offset of 0x10, so the final destination is 0x400020. The function returns the value stored at this location, 0x400030. In my case, I perform a ReadString(...) on this address and I can read the string Hello!.

     

    Be sure your address/offsets are right. :)

     

    Cheers,

    ZenLulz




  • #46 Getting Started (Porting)

    Posted by Abystus on 19 October 2013 - 06:53 AM

    So I've decided to try and port some functions I created to this library.  I am running into some issues converting a particular function shown below:

            public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
            {
                try
                {
                    byte[] tmp = new byte[4];
                    IntPtr Address = BaseAddress + StaticPointer;
                    foreach (int Offset in Offsets)
                    {
                        ReadProcessMemory(WowGameHandle, Address, tmp, tmp.Length, 0);
                        Address = (IntPtr)BitConverter.ToInt32(tmp, 0) + Offset;
                        Array.Clear(tmp, 0, tmp.Length);
                    }
                    return Address;
                }
                catch (Exception ex) { return IntPtr.Zero; }
            }

    That piece of code is used to resolve the correct address from pointers for several other functions which in-turn read/write, and works fine on it's own with no problems what so ever.  Now when I convert that to the following I get a few errors at run time about not being able to read 4 bytes from said address:

     

            public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
            {
                try
                {
                    IntPtr Address = MemSharp.Read<IntPtr>(StaticPointer); //From my understanding this is re-based, so no need for adding base address
                    foreach (int Offset in Offsets)
                        Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag
                    return Address;
                }
                catch (Exception ex) { return IntPtr.Zero; }
            }
    

    The said address is usually an invalid read which returns 0 + Offset which is not a valid address, and errors on the next read.  I'm unsure if the other method below is any different, or just an alternate way to do things but it also has the same issue:

            public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
            {
                try
                {
                    IntPtr Address = MemSharp[StaticPointer].Read<IntPtr>(); //From my understanding this is re-based, so no need for adding base address
                    foreach (int Offset in Offsets)
                        Address = MemSharp[Address + Offset, false].Read<IntPtr>(); //This should not be re-based because of 'false' flag
                    return Address;
                }
                catch (Exception ex) { return IntPtr.Zero; }
            }
    

    I've searched and found these informative posts on stack overflow, but they did not seem to resolve my issue:

    http://stackoverflow...ess-not-working

    http://stackoverflow...urning-anything

     

    MemSharp is definitely being set to the correct process id, as all of the processes information is listed on hover over of the variable during a break point:

     

    0wHtLtV.png

     

     

    I can already see the potential in making the switch (chose this over blackmagic and some others), but it's just getting these little things ironed out before I can actually commit :).  Any help is appreciated in resolving the issue.




  • #24 Error when attaching to a process

    Posted by redcatH on 04 October 2013 - 12:53 PM

    Yes it is, DLL compiler platform Any CPU, it should be x86.
    Thanks for your help zenlulz



  • #22 Error when attaching to a process

    Posted by master131 on 03 October 2013 - 03:17 PM

    -1073741820 = 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH)

     

    Most likely an error thrown by a call to NtQueryInformationProcess.




  • #17 Error when attaching to a process

    Posted by redcatH on 01 October 2013 - 06:42 PM

    admin run vs2012  open wow.error msg Couldn't get the information from the process, error code '-1073741820'.

                Process[] processs = Process.GetProcesses();
                Process wow=null;
                foreach (var item in processs)
                {
                    if (item.ProcessName.ToLower()=="wow")
                    {
                        wow = item;
                    }
                }
                var sharp = new MemorySharp(wow.Id);
    



  • #112 Reading a pointer with multiple offsets.

    Posted by Zac on 24 March 2014 - 12:24 AM

    You can read to a pointer address using the Write methods in your MemorySharp instance.

     

    Best,

    ZenLulz

     

    I assume you mean write to a pointer.. been playing around with it for a bit and can't get it working.
     

    public class LolMemory2 : IDisposable
        {
            private readonly MemorySharp _mem;
            public LolMemory2()
            {
                _mem = new MemorySharp(ApplicationFinder.FromProcessName("LolClient").First());
            }
            public string Value
            {
                get
                {
                    var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                    var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                    foreach (var offset in offsets)
                    {
                        ptr = _mem[ptr + offset, false].Read<IntPtr>();
                        
                    }
                    _mem[ptr].Write<Int32>(1);
                    return null;
                }
            }
            public void Dispose()
            {
                _mem.Dispose();
            }
        }
    

    Tried the above but clearly I am doing something wrong, on a side note is there a way to donate to you directly? I want to throw you a few $ when I get the chance for the help you have given me.




  • #106 Reading a pointer with multiple offsets.

    Posted by Zac on 13 March 2014 - 09:02 PM

    In your case, you have to assign the variable ptr with this ling, extracted from your first post.

     

    var ptr = memory["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
    

     

    If it's doesn't work, try to set a breakpoint and analyse how the memory is read.

     

    Best,

    ZenLulz

    That worked! Thank you:)
    Here is the finished bit below.
    Also, How would I go about writing to that address now?

     public string Value
            {
                get
                {
                    var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                    var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                    foreach (var offset in offsets)
                    {
                        ptr = _mem[ptr + offset, false].Read<IntPtr>();
                    }
                    return ptr.ToString();
                }
            }
    



  • #104 ThisCall Convention

    Posted by ZenLulz on 13 March 2014 - 01:34 PM

    Hello iifuzz,

     

    In fact, InjectAndExecute methods allow you to write your own assembly code and then calling it. By design, the injected code must not receive any parameter in order to work.

     

    Maybe you'd rather want to execute existing code in the remote process ? For that, you can use the Execute methods, those allow you to specify parameters.

     

    Best,

    ZenLulz