[Help] VB.NET ReadProcessMemory

[spide112]

Based on abuckau907 posts about reading process memory (Part1 & Part2) i have created the following code :

Code:

 Structure OSVERSIONINFO
        Public dwOSVersionInfoSize As Long
        Public dwMajorVersion As Long
        Public dwMinorVersion As Long
        Public dwBuildNumber As Long
        Public dwPlatformId As Long
        Public szCSDVersion As String
    End Structure


    <StructLayout(LayoutKind.Sequential)> _
    Public Structure SYSTEM_INFO
        Dim dwOemID As Integer
        Dim dwPageSize As Integer
        Dim lpMinimumApplicationAddress As Integer
        Dim lpMaximumApplicationAddress As Integer
        Dim dwActiveProcessorMask As Integer
        Dim dwNumberOrfProcessors As Integer
        Dim dwProcessorType As Integer
        Dim dwAllocationGranularity As Integer
        Dim dwReserved As Integer
    End Structure
 Private Declare Function VirtualQueryEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As UInteger, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Integer) As Integer
    Public Declare Sub GetSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SYSTEM_INFO)
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal blnheritHandle As Boolean, ByVal dwAppProcessId As Integer) As IntPtr
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer() As Byte, ByVal iSize As Integer, ByRef lpNumberOfBytesRead As Integer) As Boolean
    Const GW_HWNDNEXT = 2
    Private Const PROCESS_VM_READ = (&H10)
    Private Const PROCESS_VM_OPERATION = (&H8)
    Private Const PROCESS_QUERY_INFORMATION = (&H400)
    Const PROCESS_READ_WRITE_QUERY = PROCESS_VM_READ + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION

 Dim searcher As New ManagementObjectSearcher("SELECT * FROM Win32_Process")
        Dim x2 As Integer
        For Each process As ManagementObject In searcher.Get()
            If process("Name") = "FlashPlayerPlugin_16_0_0_296.exe" Then
                x2 = Convert.ToInt32(process("ProcessId"))
            End If
        Next
        Dim hProcess As Integer
        Dim lpMem As UInt32, ret As UInt16, lLenMBI As Long
        Dim si As New SYSTEM_INFO
        Dim mbi As MEMORY_BASIC_INFORMATION
        hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, x2)
        lLenMBI = Len(mbi)
        Call GetSystemInfo(si)
        lpMem = si.lpMinimumApplicationAddress
        Do While lpMem < si.lpMaximumApplicationAddress
            mbi.RegionSize = 0
            ret = VirtualQueryEx(hProcess, lpMem, mbi, lLenMBI)
            If ret = lLenMBI Then
                If ((mbi.lType = &H20000) And (mbi.State = &H1000) And (mbi.RegionSize > 0)) Then
                    Dim mybytes(mbi.RegionSize) As Byte
                    ReadProcessMemory(hProcess, mbi.BaseAddress, mybytes, mbi.RegionSize, vbNull)
                    Debug.WriteLine("String : " & System.Text.Encoding.Unicode.GetString(mybytes))
                End If
                lpMem = mbi.BaseAddress + mbi.RegionSize
            Else
                Exit Do
            End If
        Loop
        CloseHandle(hProcess)

It works (thx to abuckau907 ) , but is really really slow, like 1-2 minute to complete. My question is : what can i do to make it faster? Am I reading to much at one ? Thanks in advance.

[R3DDOT]

Based on abuckau907 posts about reading process memory (Part1 & Part2) i have created the following code :

Code:

 Structure OSVERSIONINFO
        Public dwOSVersionInfoSize As Long
        Public dwMajorVersion As Long
        Public dwMinorVersion As Long
        Public dwBuildNumber As Long
        Public dwPlatformId As Long
        Public szCSDVersion As String
    End Structure


    <StructLayout(LayoutKind.Sequential)> _
    Public Structure SYSTEM_INFO
        Dim dwOemID As Integer
        Dim dwPageSize As Integer
        Dim lpMinimumApplicationAddress As Integer
        Dim lpMaximumApplicationAddress As Integer
        Dim dwActiveProcessorMask As Integer
        Dim dwNumberOrfProcessors As Integer
        Dim dwProcessorType As Integer
        Dim dwAllocationGranularity As Integer
        Dim dwReserved As Integer
    End Structure
 Private Declare Function VirtualQueryEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As UInteger, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Integer) As Integer
    Public Declare Sub GetSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SYSTEM_INFO)
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal blnheritHandle As Boolean, ByVal dwAppProcessId As Integer) As IntPtr
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer() As Byte, ByVal iSize As Integer, ByRef lpNumberOfBytesRead As Integer) As Boolean
    Const GW_HWNDNEXT = 2
    Private Const PROCESS_VM_READ = (&H10)
    Private Const PROCESS_VM_OPERATION = (&H8)
    Private Const PROCESS_QUERY_INFORMATION = (&H400)
    Const PROCESS_READ_WRITE_QUERY = PROCESS_VM_READ + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION

 Dim searcher As New ManagementObjectSearcher("SELECT * FROM Win32_Process")
        Dim x2 As Integer
        For Each process As ManagementObject In searcher.Get()
            If process("Name") = "FlashPlayerPlugin_16_0_0_296.exe" Then
                x2 = Convert.ToInt32(process("ProcessId"))
            End If
        Next
        Dim hProcess As Integer
        Dim lpMem As UInt32, ret As UInt16, lLenMBI As Long
        Dim si As New SYSTEM_INFO
        Dim mbi As MEMORY_BASIC_INFORMATION
        hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, x2)
        lLenMBI = Len(mbi)
        Call GetSystemInfo(si)
        lpMem = si.lpMinimumApplicationAddress
        Do While lpMem < si.lpMaximumApplicationAddress
            mbi.RegionSize = 0
            ret = VirtualQueryEx(hProcess, lpMem, mbi, lLenMBI)
            If ret = lLenMBI Then
                If ((mbi.lType = &H20000) And (mbi.State = &H1000) And (mbi.RegionSize > 0)) Then
                    Dim mybytes(mbi.RegionSize) As Byte
                    ReadProcessMemory(hProcess, mbi.BaseAddress, mybytes, mbi.RegionSize, vbNull)
                    Debug.WriteLine("String : " & System.Text.Encoding.Unicode.GetString(mybytes))
                End If
                lpMem = mbi.BaseAddress + mbi.RegionSize
            Else
                Exit Do
            End If
        Loop
        CloseHandle(hProcess)

It works (thx to abuckau907 ) , but is really really slow, like 1-2 minute to complete. My question is : what can i do to make it faster? Am I reading to much at one ? Thanks in advance.

What are you trying to do?

[abuckau907]

Code:

                    Dim mybytes(mbi.RegionSize) As Byte
                    ReadProcessMemory(hProcess, mbi.BaseAddress, mybytes, mbi.RegionSize, vbNull)
                    Debug.WriteLine("String : " & System.Text.Encoding.Unicode.GetString(mybytes))

1. you can re-use the same byte array (assuming it's large enough) - reallocating it so often isn't good, for obvious reasons.
2. don't make a string that long...if it actually gets drawn to the screen, it's going to take a while to create all those characters on screen.

[spide112]

R3DDOT ; i try to find code, and then type it in textbox.
the code is hidden in a html text "< input type=hidden" , and I can find it, but it takes too long.
abuckau907 ;
doing this is safe ?

Code:

Array.Clear(mybytes, mybytes.GetLowerBound(0), mybytes.Length)

Would you kindly help me please ?
I type it on screen for debug purpose , this job is done in a separated thred.

[R3DDOT]

Code:

                    Dim mybytes(mbi.RegionSize) As Byte
                    ReadProcessMemory(hProcess, mbi.BaseAddress, mybytes, mbi.RegionSize, vbNull)
                    Debug.WriteLine("String : " & System.Text.Encoding.Unicode.GetString(mybytes))

1. you can re-use the same byte array (assuming it's large enough) - reallocating it so often isn't good, for obvious reasons.
2. don't make a string that long...if it actually gets drawn to the screen, it's going to take a while to create all those characters on screen.

1. It's true, but, if I'm not mistaken, the region size of the may vary.
2. This is also true, and it's probably what makes this process so slow.

R3DDOT ; i try to find code, and then type it in textbox.
the code is hidden in a html text "< input type=hidden" , and I can find it, but it takes too long.
abuckau907 ;
doing this is safe ?

Code:

Array.Clear(mybytes, mybytes.GetLowerBound(0), mybytes.Length)

Would you kindly help me please ?
I type it on screen for debug purpose , this job is done in a separated thred.

I don't advise you to re-use the same array only because the region size may vary. But, you don't need to clean the array.
As long as you re-write the entire array, you shouldn't have any problems with

And what do you mean by "the code is hidden in a html text "< input type=hidden"" ?

[abuckau907]

1. It's true, but, if I'm not mistaken, the region size of the may vary.

1. That's why I said 'If the buffer is large enough'; does it being too large cause a problem?

Code:

  If (currentRegion.RegionSize > bufferSize) Then
    ''create larger buffer
 End If
  ReadProcessMemory(..,..,buffer,..,..)

-----------------------------

And what do you mean by "the code is hidden in a html text "< input type=hidden"" ?

He's attaching to a Web Browser..apparently trying to find some section of html via memory scanning?

Code:

 If process("Name") = "FlashPlayerPlugin_16_0_0_296.exe" Then

[spide112]

But does't this means that i create the buffer as large as the region size ?

Code:

Dim mybytes(mbi.RegionSize) As Byte

cause it's in a loop ? Or this is wrong ?