Friday, December 14, 2012

[C#] Read and write process memory in Windows

Disclaimer: I take no moral standpoint or legal responsibility of what you do with this information, just be aware of the consequences of your actions before you commit to them. (Tip: read license agreements)

Here is the code for this post:

Today we will manipulate a simple application, Notepad, through memory reading, writing and C# code.

Process in the System.Diagnostics namespace holds the GetProcessByName method, which returns a list of all processes with that name.
Process[] p = Process.GetProcessesByName("notepad");
We must now define a method which interacts with the Windows native libraries to read data from a process. Available through the System.Runtime.InteropServices lies OpenProcess in Kernel32, which gives us a handle we need later to both read and write in the memory allocated to the process.
public static extern int OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
We must set our desired level of Access Rights for our handle in the dwDesiredAccess parameter. This is not entirely simple. In essence, we create a flag depending on what we want to do, combining all the parameters into one. The following will give us full access.
uint DELETE = 0x00010000;
uint READ_CONTROL = 0x00020000;
uint WRITE_DAC = 0x00040000;
uint WRITE_OWNER = 0x00080000;
uint SYNCHRONIZE = 0x00100000;
uint END = 0xFFF; //if you have Windows XP or Windows Server 2003 you must change this to 0xFFFF
Let's assume you only have one Notepad process for simplicity. Since we have the Notepad process, get can get it's ID or dwProcessId. You can now get the handle like this.
int processHandle = OpenProcess(PROCESS_ALL_ACCESS, false, p[0].Id); 
The handle is required to call the two methods we use for memory reading and writing within Kernel32. Define them as the following:
public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] buffer, int size, int lpNumberOfBytesRead);

public static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] buffer, int size, int lpNumberOfBytesWritten);
To simplify things:
public byte[] ReadMemory(int adress, int processSize, int processHandle) {
    byte[] buffer = new byte[processSize];
    ReadProcessMemory(processHandle, adress, buffer, processSize, 0);
    return buffer;

public void WriteMemory(int adress, byte[] processBytes, int processHandle) {
    WriteProcessMemory(processHandle, adress, processBytes, processBytes.Length, 0);
Let's try reading first. We have the processHandle parameter, but not the adress or size of the allocated memory we are going to read from the adress position. You can get these by a number of simple or advanced methods depending on what process you want to look at. The simplest way is to use Cheat Engine.

Open notepad and find the memory location with Cheat Engine (be sure to set it to Unicode).

On my computer the string "Hello!" has been located on (0x)0026D3F0. But how big is it in memory? This is not simple in most cases. For this case, we can send the string "Hello!" to memory and read how big it is though with the following:
public int GetObjectSize(object TestObject) {
    BinaryFormatter bf = new BinaryFormatter();
    MemoryStream ms = new MemoryStream();
    byte[] Array;
    bf.Serialize(ms, TestObject);
    Array = ms.ToArray();
    return Array.Length;

int processSize = GetObjectSize("Hello!");
Now we can finally read from the Notepad process!
Console.WriteLine((Encoding.Unicode.GetString(ReadMemory(0x0026D3F0, processSize, processHandle))));

Writing is easy too.
WriteMemory(0x0026D3F0, Encoding.Unicode.GetBytes("Wow!" + "\0"), processHandle);

The reason we get a trailing "!" is because it still lingers in memory. We did not overwrite the entire allocated memory for "Hello!" with our "Wow!" string.

Wednesday, December 12, 2012

[C#] Polymorphism: Exploring upcast references retaining data from child upon downcast

class Parent {}

class Child1: Parent {
    public int childInt;

class Child2: Parent {}

class Child3: Parent {
    public int childInt;

static void Main(string[] args) {
    var p = new Parent();
    var c1 = new Child1();

    c1.childInt = 5;
    p = c1; //Upcast
    c1 = (Child1) p; //Downcast
    //p.childInt not possible
    Console.WriteLine(c1.childInt); //5       

    var c2 = new Child2();
    //c2 = (Child2)p; this is legal but fails at runtime

    var c3 = new Child3();
    //c3 = (Child3)p; this is legal but fails at runtime

    c3 = p as Child3;
    if(c3 == null) //true
It would seem logical if the Parent instance lost the data from the Child upon conversion, but there is actually no conversion going on. It's only a reference.
Since we deal with a reference, p simply points to c1 - but p is not exposing the childInt field.

Now, c1 = p forces a cast since we may have other child-classes, say Child2, and Child2 might not have the fields we require. It could potentially fail at runtime (where p = c1 will never fail because upcasts cannot).

And, as we see in the commented code, c1 will have retained it's value. Makes sense when you think about it, since it's all references, but it may not seem obvious at first.

Interesting to note is that if we cast p to an identical class to Child1 with the same fields, Child3, it also fails.

If you really wanted to do an unsafe downcast, you can use the as operator. But if the conversion fails, it will default to null. This is because as has no idea how to convert our objects.

Thursday, December 6, 2012

[C#] Generics: Testing what default(T) returns

default(T) seems to accept all types which originate from object.
It's said that it returns null for all reference types, and 0 for all value types. Let's see about that.

Reference Types
Value Types

Some code to get you started (Visual Studio):

Let's make about the simplest class possible to get the result of default(T) to a Console.WriteLine()
public class Test<T>
    private T defaultData;

    public Test()
        defaultData = default(T);
    public String GetDefaultData()
        return ((bool)object.Equals(defaultData, null) ? "null" : defaultData.ToString());
The GetDefaultData method exists because defaultData will result to null in some cases, and we want to print the result to the Console (which only takes strings / char-arrays).
As we cannot call ToString() on null because it's not a real object, we have to use object.Equal, which is a static method of the static class object. It compares two objects to see if they are equal.
(Technically null is an object, but it refers to to the location of no object, so no methods can be called upon it.)

If you are confused about the code after, it's called the "if else shorthand" or "conditional operator". You read it as the following:

condition ? condition_is_true : condition_is_false

Thus we return the string "null" if the defaultData is equal to the object null, so we can print it to the console. Otherwise, we can safely use ToString since the result is not null.

We can then test our class.
struct TestStruct {
    int x;

enum TestEnum {
    x = 1, y = 2

delegate void TestDelegate();

interface TestInterface {}

static void Main(string[] args) {

    var structT = new Test < TestStruct > ();
    var enumT = new Test < TestEnum > ();
    var longT = new Test < long > ();
    var intT = new Test < int > ();
    var boolT = new Test < bool > ();
    var stringT = new Test < String > ();
    var classT = new Test < Class1 > ();
    var dynamicT = new Test < dynamic > ();
    var objectT = new Test < object > ();
    var delegateT = new Test < TestDelegate > ();
    var interfaceT = new Test < TestInterface > ();

    Console.WriteLine("default data for the following types");
    Console.WriteLine("value types");
    Console.WriteLine("struct: " + structT.GetDefaultData());
    Console.WriteLine("enum: " + enumT.GetDefaultData());
    Console.WriteLine("long: " + longT.GetDefaultData());
    Console.WriteLine("int: " + intT.GetDefaultData());
    Console.WriteLine("bool: " + boolT.GetDefaultData());
    Console.WriteLine("reference types");
    Console.WriteLine("string: " + stringT.GetDefaultData());
    Console.WriteLine("class: " + classT.GetDefaultData());
    Console.WriteLine("dynamic: " + dynamicT.GetDefaultData());
    Console.WriteLine("object: " + objectT.GetDefaultData());
    Console.WriteLine("delegate: " + delegateT.GetDefaultData());
    Console.WriteLine("interface: " + interfaceT.GetDefaultData());


I'm not testing all the variations of int, float and decimal value types, because I'm fairly certain of that they all return 0.
And the results are:

We see now that bool, which is a value type, returns False instead of 0 (makes sense...). And struct returns something weird (Main() lies in Program.cs in the ConsoleApplication1 namespace.)

If you are dissatisfied with the results, I have bad news. It is impossible to override default(T).

Sunday, December 2, 2012

[C#] Minimizing and optimizing .js in .NET (pre-4.5) - Google Closure API

Google Closure helps you minimize and optimize multiple .JS files into one file.

You can turn this code

function hello(name) {
  alert('Hello, ' + name);
hello('New user');

Into this code

function hello(a){alert("Hello, "+a)}hello("New user");

To be noted: If you're using ASP.NET 4.5 we already have this functionality out of the box:

But I made a simple library for interacting with the Google Closure API

Source paste
Project and test


using GoogleClosureHelper;

ClosureHelper.InputFolder = "JSFolder";
ClosureHelper.OutputFile = "Compiled.js";
ClosureHelper.CompileToOutputPath("SIMPLE_OPTIMIZATIONS", "text", "compiled_code");

Look here for the parameters:

Web interface: