C# Writing values to addresses in external processes.

Ever wanted to write a trainer for a game in C#? Unfortunately this requires making use of P/invoke and WriteProcessMemory and ReadProcessMemory as no native method exists. This however still works well enough for most instances.
Or you can download the project files:
C# – WriteProcessMemory Trainer Project-file .

Add “using System.Runtime.InteropServices”.


//C# Signature for the FindWindow() API
public static extern IntPtr FindWindow(
string lpClassName,
string lpWindowName);

//C# Signature for the WriteProcessMemory() API
static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
UIntPtr nSize,
out IntPtr lpNumberOfBytesWritten

//C# Signature for the OpenProcess() API
public static extern IntPtr OpenProcess(
UInt32 dwDesiredAccess,
Int32 bInheritHandle,
UInt32 dwProcessId

//C# Signature for the GetWindowThreadProcessId() API
[DllImport(“user32.dll”, SetLastError = true)]
static extern uint GetWindowThreadProcessId(
IntPtr hWnd,
out uint lpdwProcessId

//C# Signature for the CloseHandle() API
public static extern Int32 CloseHandle(
IntPtr hObject


public void FindHandle()
//Window Class imported from textbox
string strClass = “BF2 WindowCLASS”;
//Window Name imported from textbox
string strName = “BF2 WindowNAME”;
UInt32 ProcID;s
//Find Window Handle
IntPtr WindowHandle = FindWindow(strClass, strName);
//Find Process ID
GetWindowThreadProcessId(WindowHandle, out ProcID);
//Find Process Handle
IntPtr ProcessHandle = OpenProcess(0x1F0FFF, 1, ProcID);

if (WindowHandle == IntPtr.Zero)
MessageBox.Show(“Cannot find target window!”);

//Continue with program…
if (
(WriteToMem(ProcessHandle) == true))
MessageBox.Show(“WriteProcessMemory Succeeded!”);
MessageBox.Show(“WriteProcessMemory Failed!”);
//Close Handle

public bool WriteToMem(IntPtr ProcessHandle)
IntPtr bytesout;
//Create Byte array containing a NOP (0x90 in Hexadecimal)
byte[] NewVal = { 0x90 };
//Write To Memory (0x05b9466) – which is, btw the address that controls the ammo
return WriteProcessMemory(ProcessHandle, (IntPtr)0x05b9466 , NewVal, (UIntPtr)NewVal.Length, out bytesout);

It must be noted that the Byte array “NewVal” can hold more than one byte, as it is an array, so it would be possible to do:

byte[] NewVal = { 0x90, 0x90, 0x90 };

or something of the sort…

So for minesweeper, we could have the following:

public void StartTimer()
byte[] NewVal = { 0xFF, 0x05, 0x9C, 0x57, 0x00,
IntPtr address;
IntPtr bytesout;
address = (IntPtr)0x1002ff5;
WriteProcessMemory(ProcessHandle, (IntPtr)address, NewVal, (UIntPtr)NewVal.Length, out bytesout);

public void StopTimer()
byte[] NewVal = {0x90, 0x90, 0x90, 0x90, 0x90,
IntPtr address;
IntPtr bytesout;
address = (IntPtr)0x01002ff5;
WriteProcessMemory(ProcessHandle, (IntPtr)address, NewVal, (UIntPtr)NewVal.Length, out bytesout);

Although for BF2, because the window name is dynamic you’ll have to get the PID from the process name. I’ll post a “how-to” on that sometime or other. Most likely in C++ though.


~ by Rhys Mossom on March 10, 2007.

4 Responses to “C# Writing values to addresses in external processes.”

  1. Thanks, works on unprotected processes.

  2. Thx it really works for me ;)!

  3. what does lpbaseaddress stand for?

  4. http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: