C# Writing values to addresses in external processes.

Ever wanted to write a trainer for a game in C#? Unfortunately this requires making use of P/invoke and WriteProcessMemory and ReadProcessMemory as no native method exists. This however still works well enough for most instances.
Or you can download the project files:
C# – WriteProcessMemory Trainer Project-file .

NOTE:
Add “using System.Runtime.InteropServices”.

DLL IMPORTS:

//C# Signature for the FindWindow() API
[DllImport(“USER32.DLL”)]
public static extern IntPtr FindWindow(
string lpClassName,
string lpWindowName);

//C# Signature for the WriteProcessMemory() API
[DllImport(“kernel32.dll”)]
static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
UIntPtr nSize,
out IntPtr lpNumberOfBytesWritten
);

//C# Signature for the OpenProcess() API
[DllImport(“kernel32.dll”)]
public static extern IntPtr OpenProcess(
UInt32 dwDesiredAccess,
Int32 bInheritHandle,
UInt32 dwProcessId
);

//C# Signature for the GetWindowThreadProcessId() API
[DllImport(“user32.dll”, SetLastError = true)]
static extern uint GetWindowThreadProcessId(
IntPtr hWnd,
out uint lpdwProcessId
);

//C# Signature for the CloseHandle() API
[DllImport(“kernel32.dll”)]
public static extern Int32 CloseHandle(
IntPtr hObject
);

THE REST OF THE PROGRAM:…

public void FindHandle()
{
//Window Class imported from textbox
string strClass = “BF2 WindowCLASS”;
//Window Name imported from textbox
string strName = “BF2 WindowNAME”;
UInt32 ProcID;s
//Find Window Handle
IntPtr WindowHandle = FindWindow(strClass, strName);
//Find Process ID
GetWindowThreadProcessId(WindowHandle, out ProcID);
//Find Process Handle
IntPtr ProcessHandle = OpenProcess(0x1F0FFF, 1, ProcID);

if (WindowHandle == IntPtr.Zero)
{
MessageBox.Show(“Cannot find target window!”);
return;
}

//Continue with program…
if (
(WriteToMem(ProcessHandle) == true))
{
MessageBox.Show(“WriteProcessMemory Succeeded!”);
}
else
{
MessageBox.Show(“WriteProcessMemory Failed!”);
}
//Close Handle
CloseHandle(ProcessHandle);
}

public bool WriteToMem(IntPtr ProcessHandle)
{
IntPtr bytesout;
//Create Byte array containing a NOP (0x90 in Hexadecimal)
byte[] NewVal = { 0x90 };
//Write To Memory (0x05b9466) – which is, btw the address that controls the ammo
return WriteProcessMemory(ProcessHandle, (IntPtr)0x05b9466 , NewVal, (UIntPtr)NewVal.Length, out bytesout);
}

It must be noted that the Byte array “NewVal” can hold more than one byte, as it is an array, so it would be possible to do:

byte[] NewVal = { 0x90, 0x90, 0x90 };

or something of the sort…

So for minesweeper, we could have the following:

public void StartTimer()
{
byte[] NewVal = { 0xFF, 0x05, 0x9C, 0x57, 0x00,
0x01};
IntPtr address;
IntPtr bytesout;
address = (IntPtr)0x1002ff5;
WriteProcessMemory(ProcessHandle, (IntPtr)address, NewVal, (UIntPtr)NewVal.Length, out bytesout);
}

public void StopTimer()
{
byte[] NewVal = {0x90, 0x90, 0x90, 0x90, 0x90,
0x90};
IntPtr address;
IntPtr bytesout;
address = (IntPtr)0x01002ff5;
WriteProcessMemory(ProcessHandle, (IntPtr)address, NewVal, (UIntPtr)NewVal.Length, out bytesout);
}

Although for BF2, because the window name is dynamic you’ll have to get the PID from the process name. I’ll post a “how-to” on that sometime or other. Most likely in C++ though.

Advertisements

~ by Rhys Mossom on March 10, 2007.

4 Responses to “C# Writing values to addresses in external processes.”

  1. Thanks, works on unprotected processes.

  2. Thx it really works for me ;)!

  3. what does lpbaseaddress stand for?

  4. http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: