How to write a Memory Scanner using C#

First of all, thanks a lot for this nice source code.

I read your code and all seems to logical to me. But I don't know how to search for string in a game, like "Charactername" and such things.

Can you give me a hint?

I'd like a similar feature but for searching an array of bytes.

You'll need to convert the string you're searching for into a byte array using an Encoder, then search for a matching byte array:

string search = "CharacterName";
byte[] sBytes = Encoding.ASCII.GetBytes(search);

This assumes your game stores the character's name in ASCII - it might also be Unicode, in which case you'll have to change the encoder on your end to match it. The only way to know though is to try different options and see which one picks up the right values.

Good luck =)

PS: This is what part of the alphabet would look like if the letters Q and R were removed.

Sojaner... OOO biggest Sojaner x) Thos source code is the BEST Smile | :)

But i need this source code in VB.NET, or VB9... Can you rewrite this code into VB(because i'am noob in C#), ooooo most powerfull Sojaner? Big Grin | :-D

Please

and sorry for my bad english x) 5/5

VB, VB.NET, C#

These should help you.

C# to VB.net Convertor Program[^]

C# to VB.net Convertor Web Application[^]

Good luck.

Sojaner!

Hi, I'm trying to use your article to build my own memory scanner / hex editor / game cheat thing etc. I already have such a tool but I wanted a challenge.

However I have run into a problem and after checking your code it appears your program would suffer from the same problem, although you don't even check for an error.

The problem is this: large areas of a processes memory are protected. ReadProcessMemory will fail when trying to read from such a place.

I will show an example of various desired and undesired results, and what both your code and my code do.

Here is my relevant VB code for reference, which I think improves on yours a bit, although the calling function has to do more checks on the returned data (ie IsNot Nothing, or != null):

        Public Function ReadMemory(ByVal start As UInteger, ByVal length As UInteger) As Byte()<br />
            Dim read As UInteger = 0<br />
            Dim buffer(length - 1) As Byte<br />
            WinAPI.ReadProcessMemory(_handle, start, buffer, length, read)<br />
            <br />
            If read = 0 Then<br />
                Return Nothing<br />
            End If<br />
<br />
            If read <> length Then<br />
                Array.Resize(Of Byte)(buffer, read)<br />
            End If<br />
            Return buffer<br />
        End Function

Let's say we have a chunk of memory that looks like this starting at 0x00000000, where the Xs are protected:

01 23 45 67 89 AB CD EF XX XX XX XX XX 01 23 45 67 89 AB CD EF

We ReadProcessMemory the first three, everything is OK:

Your function: 01 23 45
Mine: 01 23 45

We read 10 bytes, and the last two get cut off. This is ok because we still get all the data we can access:

Your function: 01 23 45 67 89 AB CD EF 00 00
Mine: 01 23 45 67 89 AB CD EF

Now we read bytes at 0x8 for 5 bytes...

Your function: 00 00 00 00 00
Mine: null

Still acceptable behavior. Now this is where it gets ugly.

Let's read 10 bytes from the same place:

Your function: 00 00 00 00 00 00 00 00 00 00
Mine: null

Where we would really like to convey the actual contents of XX XX XX XX XX 01 23 45 67 89 somehow...

To summarize, if the starting address is protected, the ENTIRE read fails, even if later parts of the specified address range are unprotected!

A visual demonstration... the pictured control does one ReadProcessMemory operation on the entire pictured block of memory... here is a result with an entirely non-protected block:

http://x.mzzt.net/0039.jpg

Now if we scroll up one line, we have the top line as a protected block. The whole read operation is blank:

http://x.mzzt.net/0040.jpg

Now my problem is, how do I determine where a protected area ends? If I have a condition like 40.jpg, I can't tell unless I read every single protected byte one at a time until I find the first unprotected one... and that is SLOW.

I know there must be a Windows API function to get the addresses of these protected areas, because the program I use for memory scanning can show me those ranges in a list.

So my question is... what is it? I've been looking through the API docs and I can't see anything relevant.

I figure it's my lack of expertise in this area that's responsible... the term "memory pages" keeps popping in my head but I don't remember enough about OS-level memory management to know if this is what I'm running into. Not that I saw any API functions relating to pages either.

I'm also curious if it's possible to do this a lazy way... like, can I count on a certain boundary for these areas (ie I'd only need to check once every 0xXXXX bytes instead of checking every protected byte to find the end of the protected area).

PS: I think you should consider splitting your article into two articles, one on basics of memory and another on your actual program. This way those of us who were expecting just an article on the program don't have to go past a bunch of stuff we already know... you can have it in a separate article for those of us who don't know. Also you should expand more on the actual program and how it operates... right now most of your article about that is just theory and not how you actually implemented it.

BTW I assume when you are referring to *-bit OSs you mean the maximum number of bits used to access memory, and thus the limit on how much memory the OS supports. Nowadays that's what the *-bit means in modern OSs, but when you are talking about the *-bit of microprocessors there are a few different metrics that can be used... it's all very confusing but I will just say there has never been an 8-bit OS as far as memory usage. 8 bits is only enough to fit 256 bytes, you can't do ANYTHING in that. And I know for a fact DOS was 16-bit, with the exception of extenders like DOS4GW and Windows 386 Enhanced mode which enabled some 32-bit functionality in supported programs.

I finally found VirtualQueryEx, which can be used for this exact purpose.

Here is my full solution... I will use VB.NET code, but you can get C#.NET equivilants of all my Windows API function declarations at pinvoke.net.

STEP 1: We determine which areas of a virtual memory block an application can reside in. Going outside that block can result in VirtualQueryEx throwing errors if we query a kernel area. This is easy enough to fix.

Public Declare Sub GetSystemInfo Lib "kernel32.dll" (ByRef lpSystemInfo As SYSTEM_INFO)

We use this function to get this information, and the following one wraps it up nicely.

<br />
    Public Shared Function GetAppMemoryRange() As MZZT.MemoryRange<br />
        If _appmem Is Nothing Then<br />
            Dim si As SYSTEM_INFO<br />
            GetSystemInfo(si)<br />
            _appmem = New MZZT.MemoryRange(si.lpMinimumApplicationAddress, _<br />
                 si.lpMaximumApplicationAddress)<br />
        End If<br />
<br />
        Return _appmem<br />
    End Function<br />
    Private Shared _appmem As MZZT.MemoryRange = Nothing

You will notice an MZZT.MemoryRange class. It is simple enough that I don't think I need to explain it here, but I designed it to hold a 32-bit memory range (a start, and an end) which you can see I use to store the maximum range it is safe to use VirtualQueryEx on.

You can get the MemoryRange class at the end of this post if you really really want it.

Next we need some declarations for VirtualQueryEx and helper structures and enumerations:

    Public Declare Function VirtualQueryEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, _<br />
        ByVal lpAddress As UIntPtr, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal _<br />
        dwLength As UInteger) As UInteger<br />
 <br />
<Runtime.InteropServices.StructLayout(Runtime.InteropServices.LayoutKind.Sequential)> _<br />
    Public Structure MEMORY_BASIC_INFORMATION<br />
        Public BaseAddress As UIntPtr<br />
        Public AllocationBase As UIntPtr<br />
        Public AllocationProtect As PAGE<br />
        Public RegionSize As UInteger<br />
        Public State As MEM<br />
        Public Protect As PAGE<br />
        Public Type As Integer<br />
    End Structure<br />
<br />
    Public Enum PAGE As Integer<br />
        EXECUTE = &H10<br />
        EXECUTE_READ = &H20<br />
        EXECUTE_READWRITE = &H40<br />
        EXECUTE_WRITECOPY = &H80<br />
        NOACCESS = &H1<br />
        [READONLY] = &H2<br />
        READWRITE = &H4<br />
        WRITECOPY = &H8<br />
<br />
        GUARD = &H100<br />
        NOCACHE = &H200<br />
        WRITECOMBINE = &H400<br />
<br />
        ANYREAD = &H66<br />
        ANYWRITE = &HCC<br />
    End Enum<br />
<br />
    Public Enum MEM As Integer<br />
        COMMIT = &H1000<br />
        FREE = &H10000<br />
        RESERVE = &H2000<br />
    End Enum

Now we will make a few small helper functions:

<br />
        Private Function CanRead(ByVal mbi As WinAPI.MEMORY_BASIC_INFORMATION) As Boolean<br />
            If mbi.Protect And WinAPI.PAGE.GUARD Then<br />
                Return False<br />
            End If<br />
<br />
            If mbi.State <> WinAPI.MEM.COMMIT Then<br />
                Return False<br />
            End If<br />
<br />
            Return True<br />
        End Function<br />
<br />
        Private Function CanWrite(ByVal mbi As WinAPI.MEMORY_BASIC_INFORMATION) As Boolean<br />
            If mbi.Protect And WinAPI.PAGE.GUARD Then<br />
                Return False<br />
            End If<br />
<br />
            If mbi.State <> WinAPI.MEM.COMMIT Then<br />
                Return False<br />
            End If<br />
<br />
            Return True<br />
        End Function<br />
<br />
        Private Function GetMBIRange(ByVal mbi As WinAPI.MEMORY_BASIC_INFORMATION) As _<br />
            MemoryRange<br />
<br />
            Return New MemoryRange(mbi.BaseAddress, CDec(mbi.BaseAddress) + _<br />
                CDec(mbi.RegionSize) - 1)<br />
        End Function

More use of my secret class. Wink | ;)

CanRead determines from the information obtained through VirtualQueryEx (which is an mbi struct) whether or not we will be able to read it with ReadProcessMemory. CanWrite will do the same for WriteProcesMemory... right now I haven't made CanWrite work since I'm not concerned with writing memory at the moment. It will likely need a flag check for a WRITE attribute. GetMBIRange turns the mbi into a MemoryRange object.

Now the main function, which takes a MemoryRange and returns an array of MemoryRanges which are not protected. So we would pass the Range we want to read, and then iterate through the resulting array and read each MemoryRange one at a time.

        Public Function FindUnprotectedMemory(ByVal range As MemoryRange, ByVal writable As _<br />
            Boolean) As MemoryRange()<br />
<br />
            range = range.Intersect(WinAPI.GetAppMemoryRange)

My MemoryRange class has an intersect function which works like the one on rectangle.. it returns the area the two MemoryRanges share in common. In this case, it clips of areas in range which do not belong to the application, since we already know we can't read those.

If range Is Nothing Then<br />
    Return Nothing<br />
End If

Intersect returns null if the MemoryRanges have nothing in common.

            Dim a As New ArrayList<br />
            Dim mbi As WinAPI.MEMORY_BASIC_INFORMATION<br />
            Dim pos As UInteger = range.RangeStart<br />
            Dim applies As MemoryRange<br />
            Dim access As Boolean<br />
<br />
            While pos <= range.RangeEnd

pos records the current memory address we are inspecting with VirtualQueryEx. Once we pass range we are done and can quit.

                If Not WinAPI.VirtualQueryEx(_handle, pos, mbi, _<br />
                    Runtime.InteropServices.Marshal.SizeOf(mbi)) Then<br />
<br />
                    Dim ex As New System.ComponentModel.Win32Exception<br />
                    If ex.NativeErrorCode <> 0 Then<br />
                        Throw ex<br />
                    End If<br />
                End If

Oddly, VirtualQueryEx returns 0 all the time, even though the MSDN docs say it should only do so on error. I put in an extra error check.

applies = GetMBIRange(mbi).Intersect(range)

It's possible for VirtualQueryEx to return an area which extends before or after our block. This clips it to the block we are interested in.

If writable Then<br />
    access = CanWrite(mbi)<br />
Else<br />
    access = CanRead(mbi)<br />
End If

The actual test to see if we can read/write.

If access Then<br />
    a.Add(applies)<br />
End If

Add it to our master list of addresses that are not protected.

    pos = applies.RangeEnd + 1<br />
End While

Move on to the next memory page/block.

            If a.Count = 0 Then<br />
                Return Nothing<br />
            End If<br />
<br />
            Return a.ToArray(GetType(MemoryRange))<br />
        End Function

Return our array, or null if the entire thing is protected.

PS: Now that ReadProcessMemory should no longer be returning protected memory errors, I altered my function accordingly:

<br />
        Public Function ReadMemory(ByVal range As MemoryRange) As Byte()<br />
            Dim read As UInteger = 0<br />
            Dim buffer(range.RangeSize - 1) As Byte<br />
            If Not WinAPI.ReadProcessMemory(_handle, range.RangeStart, buffer, _<br />
                range.RangeSize, read) Then<br />
<br />
                Throw New System.ComponentModel.Win32Exception<br />
            End If<br />
<br />
            If read = 0 Then<br />
                Return Nothing<br />
            End If<br />
<br />
            If read <> range.RangeSize Then<br />
                Array.Resize(Of Byte)(buffer, read)<br />
            End If<br />
            Return buffer<br />
        End Function

I did not make much changes apart from the exception. I was going to integrate VirtualQueryEx right into ReadMemory, but then I realized my calling function would still need the array of unprotected addresses. So I let the calling function handle the masking out of protected addresses and kept ReadMemory simple.

PPS: Here is my MemoryRange class:

Namespace MZZT<br />
    Public Class MemoryRange<br />
        Implements ICloneable<br />
<br />
        Public Sub New(ByVal address As UInteger)<br />
            _start = address<br />
            _end = address<br />
        End Sub<br />
<br />
        Public Sub New(ByVal rangestart As UInteger, ByVal rangeend As UInteger)<br />
            _start = rangestart<br />
            _end = rangeend<br />
        End Sub<br />
<br />
        Public Property RangeStart() As UInteger<br />
            Get<br />
                Return _start<br />
            End Get<br />
            Set(ByVal value As UInteger)<br />
                _start = value<br />
            End Set<br />
        End Property<br />
        Private _start As UInteger<br />
<br />
        Public Property RangeEnd() As UInteger<br />
            Get<br />
                Return _end<br />
            End Get<br />
            Set(ByVal value As UInteger)<br />
                _end = value<br />
            End Set<br />
        End Property<br />
        Private _end As UInteger<br />
<br />
        Public ReadOnly Property RangeSize() As UInteger<br />
            Get<br />
                Return _end - _start + 1<br />
            End Get<br />
        End Property<br />
<br />
        Public Function Intersect(ByVal r As MemoryRange) As MemoryRange<br />
            If _start > r.RangeEnd OrElse r.RangeStart > _end Then<br />
                Return Nothing<br />
            End If<br />
<br />
            If _start >= r.RangeStart Then<br />
                If _end <= r.RangeEnd Then<br />
                    Return Clone()<br />
                Else<br />
                    Return New MemoryRange(_start, r.RangeEnd)<br />
                End If<br />
            Else<br />
                If r.RangeEnd <= _end Then<br />
                    Return r.Clone<br />
                Else<br />
                    Return New MemoryRange(r.RangeStart, _end)<br />
                End If<br />
            End If<br />
        End Function<br />
<br />
        Public Function Clone() As Object Implements System.ICloneable.Clone<br />
            Return New MemoryRange(_start, _end)<br />
        End Function<br />
    End Class<br />
End Namespace

-- modified at 21:13 Saturday 17th November, 2007

I seem to have problems with this code, as in 9 out of 10 trys I cant finde a specific value in a process memory. My debugger is finding the value without any problems, and I just cant find the problem with my (and your sample) code.

The value I try to find is 0x50, 0x00, 0x14, 0x00; => 1310800.

Why is your memory scanner only showing the address sometimes, and not all the time?

I'm so happy that you liked it.
I'm looking forwad for you program.
I hope I can help you. Smile | :)

Thank you my friend. Rose | [Rose]

Sojaner!

check this one. its free

http://bnf-soft.com

look for link to memory scanner there

I like this article very much. Good job!

:I have learned a lot from your article

Just: WOW...
Thank you man.... Thats one of the best Tuts i've ever read!... For sure you get an Excelent (5) from me =)

I'm so glade that you liked it man. Smile | :)

Sojaner!

I use it to try scan game memory,and i have some problem.
1.many game(MapleStory) is not show process id
2.many game(MapleStory) detect your program.

How to write/read these game's memory ?
PS:Sorry, My english is poor.

1) This is a Memory Scanner, not a game trainer!
2) The game could detect it because it invokes the platform API, so any other program that invokes the platform API to read an write the memory would be detected by this game! They have done this to stop GAME CHEATERS, are you? Hmmm | :|

Sojaner!

i'm able to compile the source, and run it.
selecting process is successful.
selecting data type, and entering value as well.
but after i start scanning...
the progress bar will run until 99% and fails with a closehandle error.

i'm currently using vista.
i've traced thru the code and arrive at the location where it passes the information into the winapi for openprocess, but it return a 0 pid.

pls advise.

It seems that the Vista API is different from the XP API! I have not used Vista yet and I will wait for the final release!;)

Sojaner!

yeah.. i've somewhat found a solution to it (under very rough testing)
the reason to why it doesnt work is due to UAC (Vista)
so all u need is to raise the user level to administrator when using the program. and it'll be fine.

part of the reason behind it, is unless u r the admin/similar level else vista would not allow u to man-handle the thread.

P.S vista was officially launch for sometime now Blush | :O

do get your copy soon! it's pretty! (resource wasting tho :x)

P.S.S mind exchanging msn with me? got a few questions to ask, as i'd like to get a more comprehensive memory scanner to work on vista! ^^
(i've already redid the whole program into a single screen version, i could share it with u if u want it Big Grin | :-D

)

I have try to use this function in my software, but when i use the ReadProcessMemory i have returned a Error 299, How i can fix that?

The error 299 is: "Only part of a ReadProcessMemory or WriteProcessMemory request was completed. "

The part of my code is:

<br />
            int StartAdress = Convert.ToInt32( textBox2.Text, 16 );<br />
            int EndAdress = Convert.ToInt32( textBox3.Text, 16 );<br />
            System.IntPtr ptrBytesRead;<br />
            <br />
            int SF = Convert.ToInt32( textBox1.Text );<br />
            int BytesRead = 4;<br />
            while( ( ++StartAdress <= EndAdress ) && ( BytesRead == 4 ) )<br />
            {<br />
                    ProcessMemoryReaderAPI.ReadProcessMemory(SelectedProcessHandle, (IntPtr)StartAdress, BufferInt32, 4, out ptrBytesRead ));<br />
                BytesRead = ptrBytesRead.ToInt32(  );<br />
                if( BytesRead == 4 )<br />
                {<br />
                    int mBuffer32 = BitConverter.ToInt32( BufferInt32, 0 );<br />
                    if (mBuffer32 == SF)<br />
                    {<br />
                        listBox2.Items.Add(Convert.ToString(mBuffer32, 16));<br />
                    }<br />
                }<br />
                StartAdress++;<br />
            }

Maybe the process you are trying to read its memory does not allow you to read it!
Or there could be some P/Invoke in your code!

Sojaner!

This problem occurs because part or all of the memory addresses you are trying to read are protected. Try another range.

0x400000 is a good starting point.

[Edit: If you are interested in coding routines which can determine if an address is protected before you try to read it, see my "Solution!" post above.]

Thanks, I like this article very much, this can really apply to many aspects of a program - SMC (Self Modifying Code) this will really come in handy. Roll eyes | :rolleyes:

I'm really happy and glad that you liked my work.
You and others made me enhance the abilities of the code.
But as I'm a little busy now, it may takes some time. Smile | :)

Sojaner!

I liked you work. I do a lot of pattern finding in my work.
I have a somewhat different approach.

Suppose you needed to find a number , as you did, in a byte array recieved over a UDP socket.
Call it _framebuff.
You need to find a pattern: synch which is a byte array of {250,243,64,40}.

1. look for the first item, 250
use Array.IndexOf to find it
loop through _framebuff.
2. Next walk through the _framebuff again using the indexes from 1.
look to see if the value 3 away from the index is the last item, 40

The idea is look for the bounds to be what you want before checking more.

3. If the bounds match, look at the other internal value.
I pull those and check the vales like you do but only by byte values.
The pulling is done by walking the bounds matched indexes and using the
Buffer.BlockCopy function to get the byte array at the index.
Then the two array are compared.

ie:public int Findframes(byte[] _frame_buff)
{
int pg1 = 0;
int pstp = 0;
int check = 0;
byte[] synch=new byte[4]{ 64, 40, 107, 254 };
ArrayList _possiblesubframes=new ArrayList(30);
while (pg1 != -1)
{
pg1 = Array.IndexOf(_frame_buff, _synch[0], pstp);
int pg2 = Array.IndexOf(_frame_buff, _synch[3], pg1 + 1, 4);
if (pg2 == pg1 + 3)
{
byte[] tempcomp = new Byte[4];
Buffer.BlockCopy(_frame_buff, pg1, tempcomp, 0, 4);
if (CompareByteArrays(tempcomp, _synch) == true)
{
_possiblesubframes.Add(pg1);
}
}
pstp = pg1 + 1;
}

How to write a Memory Scanner using C#

Introduction

The Question and the Answer

Step 1: Where to begin?

Step 2: What to look for?

Step 3: Where to find it?

Step 4: Let's do the final job

Comments on my classes

That's all

License

Comments and Discussions