Jump to content

Most Liked Content


#66 WriteBytes Protected?

Posted by ZenLulz on 14 November 2013 - 10:28 PM

Hello,

 

Yes, your instruction seems to be fine.

If your goal is to write a string, you can also use the method WriteString. Thus, you won't need to manually convert your string into a char array.

sharp.WriteString(DoStringArg_Codecave.BaseAddress, Command, Encoding.UTF8, false);

Cheers,

ZenLulz




  • #63 WriteBytes Protected?

    Posted by Prodian on 14 November 2013 - 08:24 PM

    Hello,

     

    Keep getting an error saying these are inaccessible.

     

    Binarysharp.MemoryManagement.MemorySharp.ReadBytes(System.IntPtr, int, [bool])

    Binarysharp.MemoryManagement.MemorySharp.WriteBytes(System.IntPtr, byte[], [bool])

     

    In the Object Browser they are showing as "Protected" access.

     

     

    protected void WriteBytes(System.IntPtr address, byte[] byteArray, [bool isRelative = true])

        Member of Binarysharp.MemoryManagement.MemorySharp
     
    Summary:
    Write an array of bytes in the remote process.
     
    Parameters:
    address: The address where the array is written.
    byteArray: The array of bytes to write.
    isRelative: [Optional] State if the address is relative to the main module.

     

    Any idea?

     

    Thanks for the help.




  • #61 Bugs report

    Posted by CreateAndInject on 30 October 2013 - 01:02 PM

    I report here, https://github.com/Z...ySharp/issues/1, but no reply.

     

     

    1.window.Mouse.MoveTo(0, 0);
    If the "window" is a child control, mouse can not move correctly!

    2.If an application has 2+ top level windows, WindowFactory.RemoteWindows can not collect all!
    Maybe should support "TopLevelWindows" property, and "MainWindow" is just the first visible one in collections.

    3.Why don't support a "Parent" property in RemoteWindow?

    4.
    public string ReadString(IntPtr address, Encoding encoding, bool isRelative = true, int maxLength = 0x200)
    {
    string str = encoding.GetString(this.ReadBytes(address, maxLength, isRelative));
    int index = str.IndexOf('\0');
    return str.Substring(0, index);

    ==>


    return index==-1?str:str.Substring(0,index);//If don't find "\0" in maxLength, just return it.
    }

    5.
    var sharp = new MemorySharp(Process.GetCurrentProcess());
    sharp["kernel32"]["MessageBoxW"].Execute(0, "Hey", "Title", 0);
    this code contains so many errors
    (1) kernel32 => user32
    (2)sharp["user32"]["MessageBoxW"].Execute(0, "Hey", "Title", 0);
    will throw an exception.
    should: sharp["user32"]["MessageBoxW"].Execute(CallingConventions.Stdcall,0, "Hey", "Title", 0);
    (3)MessageBoxW can not work normally, MessageBoxA can.
    (4)sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall,0, "汉字", "Title", 0);
    If the string contains non-latin character, such as Chinese, this code can not work correctly.
    I must do it like this:

    //my process
    (1).sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall, 0, Marshal.StringToHGlobalAnsi("汉字"), "Title", 0);
    (2).sharp["user32"]["MessageBoxW"].Execute(CallingConventions.Stdcall, 0, Marshal.StringToHGlobalUni("汉字"), Marshal.StringToHGlobalUni("Title"), 0);

    //remote process
    (3).
    var bytes = Encoding.GetEncoding("gb2312").GetBytes("汉字");
    Array.Resize(ref bytes, bytes.Length + 1);
    RemoteAllocation ra = ms.Memory.Allocate(bytes.Length);
    ra.Write(bytes);
    sharp["user32"]["MessageBoxA"].Execute(CallingConventions.Stdcall, 0, ra.BaseAddress, "Title", 1);

    I think MemorySharp should support:
    RemoteAllocation/Inptr Write/WriteString (data)
    {
    }
    not need pass in address as paramter and the method will alloc proper size and return the address.(like Marshal.StringToHGlobalAnsi)




  • #58 DLL Error

    Posted by ZenLulz on 23 October 2013 - 06:20 PM

    Thanks for your report. You are right, RivalFr reported the issue you are encountering.

     

    I'm taking at heart the optimisation of the performance of my libraries. This is why I'm currently developing BenchShark, a library to benchmark functions in .NET applications. I firstly chose to make it to improve MemorySharp speed, but it can be used with any other applications.

     

    I will publish an official news when the library will be ready.  :)

     

    Cheers,

    ZenLulz




  • #57 DLL Error

    Posted by Abystus on 22 October 2013 - 04:54 AM

    I wanted to let you know that I was successful in implementing safe type read/write wrappers around your methods.  While testing them I noticed this line was causing a severe delay in my application's ability to read/write memory:

    address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64()

    Apparently referencing the BaseAddress through MemorySharp, or the act of converting it to Int64 causes a huge delay.  If I create my own IntPtr to house the BaseAddress when I reference the process initially before passing it to MemorySharp (already had this setup before your library), and reference it instead like the following method has then everything is speedy once again:

     

            public static T Read<T>(IntPtr address, bool isRelative = true)
            {
                try
                {
                    if (address == IntPtr.Zero || address.ToInt64() < BaseAddress.ToInt64())
                        return default(T);
    
                    return MemSharp.Read<T>(address, isRelative);
                }
                catch (Exception ex) { return default(T); }
            }

    Is there some intense operation going on when your resolving the base address, or when it is converted?  I believe I remember someone saying there was a delay on retrieving the relative address (which has to reference the base address), and this may be part of that issue.  Link here:

     

    http://www.ownedcore...tml#post2867864

     

    You have a very nice library here.  I hope to see some optimizations here and there, but so far it's a blast to work with.  Thanks again for the tips and code examples.




  • #56 DLL Error

    Posted by Abystus on 21 October 2013 - 07:20 PM

    Hi Abystus,

     

    This exception usually occurs when the address passed to MemorySharp is invalid. If you don't want to write all these checks, you can remove all your conditions and the exception will be caught by the try...catch statement. Else you can write your own extension methods that return the default value of the type. For example:

     

    public static class MemorySharpExtensions
    {
        public static T SafeRead<T>(this MemorySharp memory, IntPtr address, bool isRelative = true)
        {
            if (address == IntPtr.Zero || address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64())
            {
                return default(T);
            }
            return memory.Read<T>(address, isRelative);
        }
    }

     

    I did not provide a way to bypass the exceptions because it can be misleading if functions have different behaviors. I also chose to return void when writing data in order to standardize how the library works.

     

    Cheers,

    ZenLulz

     

    Thanks for the quick reply ZenLulz.  Your "SafeRead" example seem to be the best solution (similar to what I considered creating) to this issue, and it will also allow me to do some logging on invalid addresses when they occur so I can address them.  The code up there has so many checks as I was under the impression that the dll threw an error that was not handled by the Try/Catch setup, but it may have been due to me telling Visual Studio to always break on the "ArguementException" (even when in a Try/Catch setup) initially when I posted this error.  I appreciate the example, and look forward to implementing something similar when I arrive home.  Thanks for your time, and the helpful support of your library.




  • #55 DLL Error

    Posted by ZenLulz on 21 October 2013 - 05:25 PM

    Hi Abystus,

     

    This exception usually occurs when the address passed to MemorySharp is invalid. If you don't want to write all these checks, you can remove all your conditions and the exception will be caught by the try...catch statement. Else you can write your own extension methods that return the default value of the type. For example:

     

    public static class MemorySharpExtensions
    {
        public static T SafeRead<T>(this MemorySharp memory, IntPtr address, bool isRelative = true)
        {
            if (address == IntPtr.Zero || address.ToInt64() < memory.Modules.MainModule.BaseAddress.ToInt64())
            {
                return default(T);
            }
            return memory.Read<T>(address, isRelative);
        }
    }

     

    I did not provide a way to bypass the exceptions because it can be misleading if functions have different behaviors. I also chose to return void when writing data in order to standardize how the library works.

     

    Cheers,

    ZenLulz




  • #52 Getting Started (Porting)

    Posted by ZenLulz on 19 October 2013 - 08:43 PM

    Ah yeah, I now understand the difference between the function with and without MemorySharp. In this case, I prefer not include the last offset in the array and use the functions you wrote for MemorySharp. I add the last offset directly into my code then.

     

    If you want the same function you wrote but using MemorySharp, this one do the job.

    public static IntPtr FindAddress2(IntPtr staticPointer, int[] offsets)
    {
        try
        {
            // Read the static address
            var address = MemSharp.Read<IntPtr>(staticPointer);
            // Find the destination address by using the offsets but the last one
            for (var i = 0; i < offsets.Length - 1; i++)
            {
                address = MemSharp.Read<IntPtr>(address + offsets[i], false);
            }
            // Return the destination address with the lst offset
            return address + offsets[offsets.Length - 1];
        }
        catch (Exception) { return IntPtr.Zero; }
    }

    The address 0x7FFDE000 is the base address of the PEB (this is the name of the property where this value is shown). You can retrieve the base address of the application like that.

     

    var baseAddress = MemSharp.Modules.MainModule.BaseAddress;
    




  • #5137 How to call a function by its name from a remote executable.

    Posted by tungusa on 23 September 2016 - 01:38 AM

    one of the examples on memorysharp product page shown as fallows:

     

    Inject/eject Modules

    Here a module is injected and ejected using the `IDisposable` interface :

    string path = [..];
    var sharp = new MemorySharp(Process.GetCurrentProcess());

    using (var module = sharp.Modules.Inject(path))
    {
    module.FindFunction("MessageBoxW").Execute(0, "Hey", "Title", 0);
    }

     

     

     

    Question 1:  Is it possible to call a function by its name with this way (provided number and type of parameters also known) from a remote executable?

     

    Question 2 : what  string path = [..]; represents the path of?

     

    Thank you.




  • #5130 .NET 4.0 Build

    Posted by Cyrem on 23 June 2016 - 04:48 AM

    Hey,

     

    I have a problem where I need to build my memory editor launcher under .NET 4.0 to be compatible with XP, however I can't build it as MemorySharp relies on FASM which was built against 4.5.

     

    Is there any chance the framework could be lowered to 4.0 and still function as normal?

     

    Thanks.




  • #5108 Pattern Scanning?

    Posted by Cyrem on 14 January 2015 - 07:19 AM

    Hey,

     

    Well thats great to hear and I look forward to when it arrives. :)




  • #50 Getting Started (Porting)

    Posted by Abystus on 19 October 2013 - 08:26 PM

    I suggest to set up a breakpoint of this line :

     

    Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag
    

     

    Thus, you can debug each time you are reading a new address and you will be able to detect the issue.

     

    Well see the first function returns an address to read from, not a value at that address.  So say we have a pointer with 1 offset, then it would read the static pointer, then add the offset to that address and return meaning not reading the address + offset.  This function is designed just to return the pointers base address, not whats at that base address.  I've taken a look at the new code, and it appears I need to somehow make it through all the offsets without reading whats at the final one and instead return the address +final offset.  Not sure this makes sense, but coming from a non library depending setup I had to resolve the address of pointers before I could read them elsewhere, so that's why the function exists.  I am currently working with it to see if I can get that kind of functionality out of this, or if I even need to do this anymore due to how your library works.  Thanks for the quick responses!

     

    Edit:

     

    Looks like this works:

     

            public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
            {
                try
                {
                    IntPtr Address = BaseAddress + (int)StaticPointer; //Similar to before with the base + static pointer
                    foreach (int Offset in Offsets)
                        Address = MemSharp.Read<IntPtr>(Address, false) + Offset; //This should not be re-based because of 'false' flag
                    return Address;
                }
                catch (Exception ex) { return IntPtr.Zero; }
            }

    Though, I feel there may be a simpler way to do that, but it should work for now.  If you have an suggestions on how to optimize that then it would be appreciated.




  • #47 Getting Started (Porting)

    Posted by ZenLulz on 19 October 2013 - 08:02 PM

    Hi Abystus and welcome on the board.

     

    Your functions are correctly written and do the same work. I tested the first one with this code.

     

    var staticAddress = IntPtr.Zero;
    var offsets = new[] { 0x10 };

    var finalAddress = FindAddress(staticAddress, offsets);

    Console.WriteLine(MemSharp.ReadString(finalAddress, false));
               
    Console.Read();

     

    I altered the memory of my notepad++ to be like that.

     

    Attached File  multi-level pointer.png   5.22KB   0 downloads

     

    So, my static address is 0x400000, or 0x0 rebased. The value at this location is 0x400010, where I add an offset of 0x10, so the final destination is 0x400020. The function returns the value stored at this location, 0x400030. In my case, I perform a ReadString(...) on this address and I can read the string Hello!.

     

    Be sure your address/offsets are right. :)

     

    Cheers,

    ZenLulz




  • #26 Sending MouseClicks & KeyStrokes to Multiple Applications at Once?

    Posted by Vitium on 07 October 2013 - 01:43 AM

            private void Form1_Load(object sender, EventArgs e)
            {
                Process[] p = Process.GetProcessesByName("APPLICATION");
                foreach (Process proc in p)
                { nsComboBox1.Items.Add(proc.Id); }
            }
    
            private void nsButton1_Click(object sender, EventArgs e)
            {
                nsComboBox1.Items.Clear();
                Process[] p = Process.GetProcessesByName("APPLICATION");
                foreach (Process proc in p) 
                { nsComboBox1.Items.Add(proc.Id); }
            }
    
            private void nsButton2_Click(object sender, EventArgs e)
            {
    
                int PID = Int32.Parse(nsComboBox1.SelectedItem.ToString());
    
                using (var memory = new MemorySharp(Process.GetProcessById(PID)))
                {
                    memory.Windows.MainWindow.Mouse.MoveTo(189, 636);
                    memory.Windows.MainWindow.Mouse.DoubleClickLeft();
                }
    
            }
    

    So I'm trying to send MouseClicks & KeyStrokes to a specific application, I want to be able to have 2-3 of that application running, and 2-3 of the application I'm trying to make.

    Then I'd choose which PID I want each one to "attach" to and hit a Start Button which would then start sending these MouseClicks and KeyStrokes to that specific application and at a certain point start over/loop, while also still allowing the same to happen with the other 2-3.

     

    The issue is, I can get the PID, and I can send the Clicks and Keys, however it requires the window to be in focus which prevents me from being able to send it to multiple applications, or use my computer for anything else while it runs.

     

    Any and all help is greatly appreciated, I'm really new to this type of thing and looking to learn.




  • #24 Error when attaching to a process

    Posted by redcatH on 04 October 2013 - 12:53 PM

    Yes it is, DLL compiler platform Any CPU, it should be x86.
    Thanks for your help zenlulz



  • #22 Error when attaching to a process

    Posted by master131 on 03 October 2013 - 03:17 PM

    -1073741820 = 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH)

     

    Most likely an error thrown by a call to NtQueryInformationProcess.




  • #13 RemoteModule and Structures.

    Posted by master131 on 22 September 2013 - 04:04 AM

    I came across BinarySharp today and its VERY impressive. It's like an all-in-one library for memory/process related operations and I'm amazed at how extensive it is.

     

    I was interested in how the addresses of remote functions were being found and it seems that it attempts to call LoadLibrary on the target module instead of manually reading it remotely from the Portable Executable structure in memory. I did notice that you said that you were currently working on a "PE Format Analysis" feature which will probably allow this to happen without having to load the module but its just a suggestion if you didn't think of it.

     

    I have written my own extensive portable executable class but I didn't add any abstraction for it to work with memory (only works with images on disk) so it'd be nice to see someone else's approach on it.

     

    The following only applies when you decide to add both 32-bit and 64-bit support to your library (as far as I know it's 32-bit only right now).

     

    Also, I've had a look at the ManagedTeb and ManagedPeb classes and it seems they're using Enums to obtain the field offsets. Due to the varying in sizes of the pointer type in 32-bit and 64-bit applications, wouldn't those offsets break? From looking at your enums, it seems like you've assumed that all pointer types are 4 bytes long. Also, in the TebStructure enum, you've called one of the fields "WoW64Reserved" when the correct name is actually "Wow32Reserved".

     

    Another thing is that in WoW64 processes, there are actually 2 PEBs and 2 TEBs. One is the 32-bit version and the other one is the 64-bit version. The 64-bit TEB and PEB structure actually vary, that being the pointer sizes are different. Also, in the 64-bit PEB, the GdiHandleBuffer field only has 30 values as opposed to 34. If you require a detailed reference, you can look here.

     

    Also, obtaining the PEB/TEB of another process is abit troublesome too. If you are a 64-bit process and wish to obtain the 32-bit PEB of a Wow64 process (which is the default one if you were that Wow64 process), you need to use ProcessWow64Information with NtQueryInformationProcess instead of ProcessBasicInformation otherwise it'll return the 64-bit PEB (use IsWow64Process along with a GetProcAddress check to determine if a process is running under WoW64). When using NtQueryInformationProcess with ProcessWow64Information, it takes a reference to a pointer-sized integer (aka, IntPtr) instead of a PROCESS_BASIC_INFORMATION structure and puts the address of the PEB in this pointer-sized integer.

    [DllImport("ntdll.dll", SetLastError=true)]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, PROCESSINFOCLASS pic, ref IntPtr pbi, int cb, out int pSize);

     

    If you are a 64-bit process and wish to obtain the 32-bit TEB of a Wow64 process, you use the same usual method of obtaining the TEB using NtQueryInformationThread (which in this case will return the 64-bit TEB) and then add 0x2000 because the 64-bit TEB always preceeds the 32-bit TEB by 2 pages (reference: here, check Side Notes, you can see the offset is hardcoded in Wow64cpu!CpuThreadInit).

     

    Once you've made all the necessary fixes for 32-bit/64-bit TEB/PEB structures, you could easily add a feature that allows you to unlink/hide a module from the PEB. (example: here)

     

    Another thing is the .NET Process suffers from a problem where if you are running as a 64-bit process and are trying to list the modules of a Wow64 process, it will only list the 64-bit modules (the target's main module, ntdll.dll, wow64.dll, wow64win.dll and wow64cpu.dll). The workaround is to use EnumProcessModulesEx with the LIST_MODULES_ALL filter flag (note that this function only exists in Vista and higher). Then you have you use the populated module handle array with the corresponding functions to obtain the module name, path, size, etc (GetModuleBaseName, GetModuleFileNameEx and GetModuleInformation respectively). The only problem with this is that you cannot create an instance of the ProcessModule class unless you use some hackery with Reflection and populate the internal ModuleInfo class and call the ProcessModule internal constructor.

     

    Hope this helps. If you require me to explain me to explain anything, then let me know. :)




  • #112 Reading a pointer with multiple offsets.

    Posted by Zac on 24 March 2014 - 12:24 AM

    You can read to a pointer address using the Write methods in your MemorySharp instance.

     

    Best,

    ZenLulz

     

    I assume you mean write to a pointer.. been playing around with it for a bit and can't get it working.
     

    public class LolMemory2 : IDisposable
        {
            private readonly MemorySharp _mem;
            public LolMemory2()
            {
                _mem = new MemorySharp(ApplicationFinder.FromProcessName("LolClient").First());
            }
            public string Value
            {
                get
                {
                    var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                    var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                    foreach (var offset in offsets)
                    {
                        ptr = _mem[ptr + offset, false].Read<IntPtr>();
                        
                    }
                    _mem[ptr].Write<Int32>(1);
                    return null;
                }
            }
            public void Dispose()
            {
                _mem.Dispose();
            }
        }
    

    Tried the above but clearly I am doing something wrong, on a side note is there a way to donate to you directly? I want to throw you a few $ when I get the chance for the help you have given me.




  • #106 Reading a pointer with multiple offsets.

    Posted by Zac on 13 March 2014 - 09:02 PM

    In your case, you have to assign the variable ptr with this ling, extracted from your first post.

     

    var ptr = memory["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
    

     

    If it's doesn't work, try to set a breakpoint and analyse how the memory is read.

     

    Best,

    ZenLulz

    That worked! Thank you:)
    Here is the finished bit below.
    Also, How would I go about writing to that address now?

     public string Value
            {
                get
                {
                    var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                    var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                    foreach (var offset in offsets)
                    {
                        ptr = _mem[ptr + offset, false].Read<IntPtr>();
                    }
                    return ptr.ToString();
                }
            }
    



  • #104 ThisCall Convention

    Posted by ZenLulz on 13 March 2014 - 01:34 PM

    Hello iifuzz,

     

    In fact, InjectAndExecute methods allow you to write your own assembly code and then calling it. By design, the injected code must not receive any parameter in order to work.

     

    Maybe you'd rather want to execute existing code in the remote process ? For that, you can use the Execute methods, those allow you to specify parameters.

     

    Best,

    ZenLulz