c#内存THREADSTACK0基地址
c# memory THREADSTACK0 base address
下面是我用来读取内存的 C# 代码(对于具有多个偏移量的指针)。但是,我应该如何修改它以便它可以用于访问以“THREADSTACK0”-0000032C' 作为基地址(而不是 0x1002CAA70)的指针?
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ConsoleApplication1
{
class Program
{
const int PROCESS_WM_READ = 0x0010;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess,
Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
static void Main(string[] args)
{
Process process = Process.GetProcessesByName("Tutorial-x86_64")[0];
IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
int bytesRead = 0;
byte[] buffer = new byte[4];
//Byte[] buffer = new Byte[4];
Int64 baseAddress = 0x1002CAA70;
ReadProcessMemory((int)processHandle, baseAddress, buffer, buffer.Length, ref bytesRead);
Int64 baseValue = BitConverter.ToInt32(buffer, 0);
Int64 firstAddress = baseValue + 0x10;
ReadProcessMemory((int)processHandle, firstAddress, buffer, buffer.Length, ref bytesRead);
Int64 firstValue = BitConverter.ToInt32(buffer, 0);
Int64 secondAddress = firstValue + 0x18;
ReadProcessMemory((int)processHandle, secondAddress, buffer, buffer.Length, ref bytesRead);
Int64 secondValue = BitConverter.ToInt32(buffer, 0);
Int64 thirdAddress = secondValue + 0x0;
ReadProcessMemory((int)processHandle, thirdAddress, buffer, buffer.Length, ref bytesRead);
Int64 thirdValue = BitConverter.ToInt32(buffer, 0);
Int64 fourthAddress = thirdValue + 0x18;
ReadProcessMemory((int)processHandle, fourthAddress, buffer, buffer.Length, ref bytesRead);
Int64 fourthValue = BitConverter.ToInt32(buffer, 0);
ReadProcessMemory((int)processHandle, fourthValue, buffer, buffer.Length, ref bytesRead);
Console.WriteLine(BitConverter.ToInt32(buffer, 0));
Console.ReadLine();
}
}
}
我找到了这个线程“Using Pointers Found in Cheat Engine in C#”,但我在实现它时遇到了问题。
要查找 THREADSTACK 的地址,您必须:
获取每个线程的id:
通过使用 TH32CS_SNAPTHREAD 参数调用 ToolHelp32Snapshot() 来获取进程中所有线程的快照。使用 Thread32Next() 遍历 THREADENTRY32 结构并保存所有 th32ThreadID 成员变量。
获取线程句柄:
在每个 threadID 上使用 OpenThread() 来获取每个线程的句柄
带句柄和ID,获取线程栈基址:
接下来你需要导入 NtQueryInformationThread 这是一个由 ntdll.dll
导出的未记录的函数
然后你用成员变量StackBase调用NtQueryInformationThread() with the thread handle in the first argument and ThreadBasicInformation as the second. The result is a THREAD_BASIC_INFORMATION结构
StackBase是THREADSTACK的地址,匹配正确的id即可。
An excellent C++ source code showing this written by makemek
通常您不想使用 THREADSTACK 指针,因为它们非常易变。它们存在于一个线程的上下文中,进程可能有多个线程,它们会处于不同的执行状态,您使用的线程堆栈指针可能并不总是正确的。
您应该使用常规指针,而不是使用线程堆栈指针。您可以做的最好的事情是使用模式扫描来获取访问所需地址的指令。然后即使进程收到更新,它也会动态获取正确的地址。
下面是我用来读取内存的 C# 代码(对于具有多个偏移量的指针)。但是,我应该如何修改它以便它可以用于访问以“THREADSTACK0”-0000032C' 作为基地址(而不是 0x1002CAA70)的指针?
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ConsoleApplication1
{
class Program
{
const int PROCESS_WM_READ = 0x0010;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess,
Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
static void Main(string[] args)
{
Process process = Process.GetProcessesByName("Tutorial-x86_64")[0];
IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
int bytesRead = 0;
byte[] buffer = new byte[4];
//Byte[] buffer = new Byte[4];
Int64 baseAddress = 0x1002CAA70;
ReadProcessMemory((int)processHandle, baseAddress, buffer, buffer.Length, ref bytesRead);
Int64 baseValue = BitConverter.ToInt32(buffer, 0);
Int64 firstAddress = baseValue + 0x10;
ReadProcessMemory((int)processHandle, firstAddress, buffer, buffer.Length, ref bytesRead);
Int64 firstValue = BitConverter.ToInt32(buffer, 0);
Int64 secondAddress = firstValue + 0x18;
ReadProcessMemory((int)processHandle, secondAddress, buffer, buffer.Length, ref bytesRead);
Int64 secondValue = BitConverter.ToInt32(buffer, 0);
Int64 thirdAddress = secondValue + 0x0;
ReadProcessMemory((int)processHandle, thirdAddress, buffer, buffer.Length, ref bytesRead);
Int64 thirdValue = BitConverter.ToInt32(buffer, 0);
Int64 fourthAddress = thirdValue + 0x18;
ReadProcessMemory((int)processHandle, fourthAddress, buffer, buffer.Length, ref bytesRead);
Int64 fourthValue = BitConverter.ToInt32(buffer, 0);
ReadProcessMemory((int)processHandle, fourthValue, buffer, buffer.Length, ref bytesRead);
Console.WriteLine(BitConverter.ToInt32(buffer, 0));
Console.ReadLine();
}
}
}
我找到了这个线程“Using Pointers Found in Cheat Engine in C#”,但我在实现它时遇到了问题。
要查找 THREADSTACK 的地址,您必须:
获取每个线程的id: 通过使用 TH32CS_SNAPTHREAD 参数调用 ToolHelp32Snapshot() 来获取进程中所有线程的快照。使用 Thread32Next() 遍历 THREADENTRY32 结构并保存所有 th32ThreadID 成员变量。
获取线程句柄: 在每个 threadID 上使用 OpenThread() 来获取每个线程的句柄
带句柄和ID,获取线程栈基址: 接下来你需要导入 NtQueryInformationThread 这是一个由 ntdll.dll
导出的未记录的函数然后你用成员变量StackBase调用NtQueryInformationThread() with the thread handle in the first argument and ThreadBasicInformation as the second. The result is a THREAD_BASIC_INFORMATION结构
StackBase是THREADSTACK的地址,匹配正确的id即可。
An excellent C++ source code showing this written by makemek
通常您不想使用 THREADSTACK 指针,因为它们非常易变。它们存在于一个线程的上下文中,进程可能有多个线程,它们会处于不同的执行状态,您使用的线程堆栈指针可能并不总是正确的。
您应该使用常规指针,而不是使用线程堆栈指针。您可以做的最好的事情是使用模式扫描来获取访问所需地址的指令。然后即使进程收到更新,它也会动态获取正确的地址。