C# .net内存特征码搜索和内存修改

wtujoxk

.net的内存特征码搜索
功能：
1、内存特征码搜索（支持跨进程，堆栈搜索，半码F？、全码??，编写自己的搜索工具）
2、程序集dll、C/C++模块的获取基址和映像大小
3、内存修改（可以带??，如：5F ?? 6E 7D ?? 8A）

部分实现代码：
获取程序集模块的基址

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13

public static ulong Get_Assembly_Module_BaseAddress(string assemblyName) {     try     {         if (string.IsNullOrEmpty(assemblyName)) return 0;         return (ulong)Marshal.GetHINSTANCE(             AppDomain.CurrentDomain.GetAssemblies()             .SelectMany(m => m.GetModules()             .Where(n => n.Name.Contains(assemblyName)))             .FirstOrDefault());     }     catch { return 0; } }

获取模块的映像大小，.net和C/C++的通用

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11

public static ulong Get_Moule_SizeOfImage(ulong baseAddress) {     try     {         IMAGE_DOS_HEADER dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure((IntPtr)baseAddress, typeof(IMAGE_DOS_HEADER));         IMAGE_NT_HEADERS ntHeader = (IMAGE_NT_HEADERS)Marshal.PtrToStructure((IntPtr)(baseAddress + (ulong)dosHeader.e_lfanew),                 typeof(IMAGE_NT_HEADERS));         return (ulong)ntHeader.OptionalHeader.SizeOfImage;     }     catch { return 0; } }

获取C/C++模块的基址

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12

public static ulong Get_C_Module_BaseAddress(string cModuleName) {     try     {         if (string.IsNullOrEmpty(cModuleName)) return 0;         return (ulong)Process.GetCurrentProcess()             .Modules.Cast<ProcessModule>()             .Where(m => m.ModuleName.Contains(cModuleName))             .ToArray().FirstOrDefault().BaseAddress;     }     catch { return 0; } }

获取C/C++模块的映像大小

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12

public static ulong Get_C_Module_SizeOfImage(string cModuleName) {     try     {         if (string.IsNullOrEmpty(cModuleName)) return 0;         return (ulong)Process.GetCurrentProcess()             .Modules.Cast<ProcessModule>()             .Where(m => m.ModuleName.Contains(cModuleName))             .ToArray().FirstOrDefault().ModuleMemorySize;     }     catch { return 0; } }

修改内存数据

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

public static bool WriteMemoryData(ulong baseAddress, string data) {     try     {         if (string.IsNullOrEmpty(data)) return false;         data = data.Replace(" ", "");         if ((data.Length & 1) != 0) return false;    // 不能为单数         uint len = (uint)data.Length / 2;            // 计算特征码长度         uint oldProtect;         if (VirtualProtect((IntPtr)baseAddress, len, PAGE_EXECUTE_READWRITE, out oldProtect))         {             for (uint i = 0; i < len; i++)             {                 string tempStr = data.Substring((int)i * 2, 2);                 if (tempStr != "??")                     Marshal.WriteByte((IntPtr)(baseAddress + i), Convert.ToByte(tempStr, 16));             }             VirtualProtect((IntPtr)baseAddress, len, oldProtect, out oldProtect);             return true;         }     }     catch { return false; }     return false; }

Sunday算法搜索特征码 x86/x64

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13

/// <summary> /// Sunday算法搜索特征码 x86/x64 /// </summary> /// <param name="hProcess">进程句柄</param> /// <param name="startAddress">搜索的起始地址</param> /// <param name="endAddress">搜索的结束地址</param> /// <param name="pattern">特征码支持半码?F、全码??</param> /// <param name="searchNum">搜索数量，0表示无限制</param> /// <returns>返回搜索到的特征码地址列表</returns> public static List<ulong> SundayPatternFind(IntPtr hProcess, ulong startAddress, ulong endAddress, string pattern, int searchNum) { ……略…… }

调用：

[C#] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74

using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; using System.Runtime.InteropServices; using System.Text;   namespace Net内存特征码搜索 {     internal class Program     {         private static void Main(string[] args)         {             // 获取所有已加载的模块信息             //IntPtr ptr = PatchPattern.Get_Process_Handle("进程名");  // 进程名为exe文件名，需要填写             //List<PatchPattern.ModuleInfo> moduleInfos = PatchPattern.Get_Process_All_Module_Info(ptr);             //// 打印模块信息             //moduleInfos.ForEach(x => Console.WriteLine("模块名称：" + x.ModuleName + "----模块基址：0x" + x.BaseAddress.ToString("X") + "----模块大小：0x" + x.SizeOfImage.ToString("X")));               Console.WriteLine("程序最小地址：0x" + PatchPattern.Get_Application_MinAddress().ToString("X"));             Console.WriteLine("程序最大地址：0x" + PatchPattern.Get_Application_MaxAddress().ToString("X"));               // System.dll是.NET Framework的核心程序集，ntdll.dll是Windows系统的核心模块             var systemAssembly = PatchPattern.Get_Assembly_Module_BaseAddress("System.dll");             Console.WriteLine("System模块基址：0x" + systemAssembly.ToString("X"));             Console.WriteLine("System模块大小：0x" + PatchPattern.Get_Moule_SizeOfImage(systemAssembly).ToString("X"));             Console.WriteLine("ntdll模块基址：0x" + PatchPattern.Get_C_Module_BaseAddress("ntdll.dll").ToString("X"));             Console.WriteLine("ntdll模块大小：0x" + PatchPattern.Get_C_Module_SizeOfImage("ntdll.dll").ToString("X"));               // Hello World! 的特征码为 48 00 65 00 6C 00 6C 00 6F 00 20 00 57 00 6F 00 72 00 6C 00 64 00 21 00             string testStr = "Hello World!";             string patternStr = "48 00 65 00 6C 00 6C ?? 6F 00 20 00 ?7 00 6F ?? 72 00 6C 00 64 00 21 00";               IntPtr hProcess = PatchPattern.Get_Process_Handle();             // 获取主模块基址和大小             ulong baseAddress = (ulong)Process.GetCurrentProcess().MainModule.BaseAddress;             ulong size = (ulong)Process.GetCurrentProcess().MainModule.ModuleMemorySize;             Console.WriteLine("模块基址：0x" + baseAddress.ToString("X") + "----模块大小：0x" + size.ToString("X"));               Stopwatch stopwatch = new Stopwatch();             stopwatch.Start();             // 遍历内存，搜索特征码             // 注意：搜索前确保程序集或者dll已加载             // 指定搜索范围             //List<ulong> result = PatchPattern.SundayPatternFind(hProcess, baseAddress, baseAddress + size, patternStr, 0);             // 整个进程搜索             //List<ulong> result = PatchPattern.SundayPatternFind(hProcess, PatchPattern.Get_Application_MinAddress(), PatchPattern.Get_Application_MaxAddress(), patternStr);             //通用搜索             List<ulong> result = PatchPattern.PatternFind(hProcess, "MainModule", patternStr);             //通用搜索（可跨进程）             //List<ulong> result = PatchPattern.PatternFindEx(hProcess, "模块名带后缀", patternStr);             stopwatch.Stop();               Console.WriteLine("搜索用时: " + stopwatch.ElapsedMilliseconds + " 毫秒");             Console.WriteLine("搜索到特征码：" + result.Count + "个");             result.ForEach(x => Console.WriteLine("特征码地址：0x" + x.ToString("X")));               // 你好，世界！的unicode编码为 60 4F 7D 59 0C FF 16 4E 4C 75 01 FF             Encoding.Unicode.GetBytes("你好，世界！").ToList().ForEach(x => Console.Write(x.ToString("X2") + " "));             Console.WriteLine();             // 修改搜索到的内存数据             if (result.Count > 0)                 // 将特征码替换为你好，世界！的unicode编码，并添加截断0000字节                 if (PatchPattern.WriteMemoryData(result[0], "60 4F 7D 59 0C FF 16 4E 4C 75 01 FF" + "0000"))                 {                     Console.WriteLine("修改内存数据成功");                     Console.WriteLine("修改为：" + Marshal.PtrToStringAuto((IntPtr)result[0]));                 }                 else Console.WriteLine("修改内存数据失败");               Console.ReadKey();         }     } }

Net内存特征码搜索.zip (67.39 KB, 下载次数: 3, 售价: 15 CB吾爱币)

2025-4-17 10:28 上传

点击文件名下载附件
阅读权限: 25

实战：.net 劫持 使用特征码一补丁通杀某标签软件所有版本

pizazzboy

大佬优秀！

ycs

大佬优秀！

mobanche

大佬优秀！

枫叶物语

c#教程越来越多了

殇。默语

大佬，优秀

没完了

学习了，通过添加配置文件加载dll

gdzhou

Sunday算法搜索特征码 x86/x64
这个算法为   ...略...

woaipojie2014

大佬优秀