Reading or Writing to Another Processes Memory in C#



public enum ProcessAccessFlags : uint
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VMOperation = 0x00000008,
    VMRead = 0x00000010,
    VMWrite = 0x00000020,
    DupHandle = 0x00000040,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    Synchronize = 0x00100000
private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);
public static extern Int32 CloseHandle(IntPtr hProcess);

Reading from another processes Memory

public static byte[] ReadMemory(Process process, int address, int numOfBytes, out int bytesRead)
    IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);
    byte[] buffer = new byte[numOfBytes];
    ReadProcessMemory(hProc, new IntPtr(address), buffer, numOfBytes, out bytesRead);
    return buffer;

Here is an example of a call to this function:

Process process = Process.GetProcessesByName("My Apps Name").FirstOrDefault();           
int address = 0x02ED2910;
int bytesRead;
byte[] value = ReadMemory(process, address, 4, out bytesRead);

Writing to another processes memory

public static bool WriteMemory(Process process, int address, long value, out int bytesWritten)
    IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);
    byte[] val = BitConverter.GetBytes(value);
    bool worked = WriteProcessMemory(hProc, new IntPtr(address), val, (UInt32) val.LongLength, out bytesWritten);
    return worked;

Here is an example of a call to this function:

Process process = Process.GetProcessesByName("My Apps Name").FirstOrDefault();          
int address = 0x02ED2910;
int bytesWritten;
bool worked = WriteMemory(process, address, value, out bytesWritten);



函数原型:BOOL ReadProcessMemory(HANDLE hProcess,LPCVOID lpBaseAddress,LPVOID lpBuffer,DWORD nSize,LPDWORD lpNumberOfBytesRead);















  1. using System.Runtime.InteropServices;  



然后写API引用部分的代码,放入 class 内部


  1. [DllImport("kernel32.dll ")]  
  2. static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress,out int lpBuffer, int nSize, out int lpNumberOfBytesRead);   


这个函数有五个参数,第一个参数是 进程句柄,由OpenProcess函数获取;第二个参数是要读出数据的地址,使用CE等辅助工具可取得;第三个参数是用于存放读取数据的地址;第四个参数是 要读出的数据大小;第五个参数是读出数据的实际大小。例如:

  1. IntPtr hwnd = FindWindow(null"计算器");  
  2. const int PROCESS_ALL_ACCESS = 0x1F0FFF;  
  3. const int PROCESS_VM_READ = 0x0010;  
  4. const int PROCESS_VM_WRITE = 0x0020;  
  5. if (hwnd != IntPtr.Zero)  
  6. {  
  7.     int calcID;  
  8.     int calcProcess;  
  9.     int dataAddress;  
  10.     int readByte;  
  11.     GetWindowThreadProcessId(hwnd, out calcID);  
  12.     calcProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE, false, calcID);  
  13.     //假设地址0X0047C9D4存在信息  
  14.     ReadProcessMemory(calcProcess, 0X0047C9D4, out dataAddress, 4, out readByte);  
  15.     MessageBox.Show(dataAddress.ToString());  
  16. }  
  17. else  
  18. {  
  19.     MessageBox.Show("没有找到窗口");  
  20. }  


  1. //二维数组  
  2. [DllImport("kernel32.dll ")]  
  3. static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[,] lpBuffer, int nSize, out int lpNumberOfBytesRead);  
  4. //一维数组  
  5. [DllImport("kernel32.dll ")]  
  6. static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesRead);   


