C#•3y ago

❔ Reading Memory comes out backwards?

I'm learning assembly / how to read and write from it and having an issue reading memory as hex values... it for some reason comes out backwards?
The program I'm reading from is 64-bit

const int PROCESS_WM_READ = 0x0010;
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(int hProcess, Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

Process P = Process.GetProcessesByName(ProcessName)[0];    // Process
IntPtr PH = OpenProcess(PROCESS_WM_READ, false, P.Id);    // ProcessHandle
IntPTr BA = P.MainModule.BaseAddress;                     // BaseAddress

int bytesRead = 0;                      // Keep track of how many bytes we've read
byte[] buffer = new byte[4];            // Prepare a byte array which we'll populate as we read
ReadProcessMemory((int) this.PH , 0x2445BC56E00, buffer, buffer.Length, ref bytesRead);
Console.WriteLine(BitConverter.ToString(buffer));

>>
54-B1-01-00

const int PROCESS_WM_READ = 0x0010;
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(int hProcess, Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);

Process P = Process.GetProcessesByName(ProcessName)[0];    // Process
IntPtr PH = OpenProcess(PROCESS_WM_READ, false, P.Id);    // ProcessHandle
IntPTr BA = P.MainModule.BaseAddress;                     // BaseAddress

int bytesRead = 0;                      // Keep track of how many bytes we've read
byte[] buffer = new byte[4];            // Prepare a byte array which we'll populate as we read
ReadProcessMemory((int) this.PH , 0x2445BC56E00, buffer, buffer.Length, ref bytesRead);
Console.WriteLine(BitConverter.ToString(buffer));

>>
54-B1-01-00

It should be 1B154, as that's what Decimel 110932 is in Hex.
110932 is the decimal value I'm trying to read from memory.

Whats going on here?

mtreit•5/22/23, 7:58 PM

Endian-ness

mtreit•5/22/23, 7:58 PM

https://en.wikipedia.org/wiki/Endianness

Endianness

In computing, endianness is the order or sequence of bytes of a word of digital data in computer memory. Endianness is primarily expressed as big-endian (BE) or little-endian (LE). A big-endian system stores the most significant byte of a word at the smallest memory address and the least significant byte at the largest.
A little-endian system, ...

PopziOP•5/22/23, 7:59 PM

Interesting, is the TL;DR to just reverse the buffer after reading it?

mtreit•5/22/23, 7:59 PM

https://learn.microsoft.com/en-us/dotnet/api/system.buffers.binary.binaryprimitives.reverseendianness?view=net-8.0#system-buffers-binary-binaryprimitives-reverseendianness(system-int64)

BinaryPrimitives.ReverseEndianness Method (System.Buffers.Binary)

Learn more about the System.Buffers.Binary.BinaryPrimitives.ReverseEndianness in the System.Buffers.Binary namespace.

mtreit•5/22/23, 7:59 PM

You can use that

mtreit•5/22/23, 8:00 PM

Also in theory the code could run on both big endian and little endian machines so you might want to check and only reverse if it doesn't match what you want.

mtreit•5/22/23, 8:02 PM

https://learn.microsoft.com/en-us/dotnet/api/system.bitconverter.islittleendian?view=net-7.0

PopziOP•5/22/23, 8:04 PM

Popzi.exe has crashed.

PopziOP•5/22/23, 8:05 PM

Erm, yes. Information, thank you. I appreciate it.
So like, basically, I need to do something to not have it do that

PopziOP•5/22/23, 8:05 PM

Surely I'm not the first person to run into this and there's a simple answer?

mtreit•5/22/23, 8:06 PM

Simple answer to what exactly?

mtreit•5/22/23, 8:07 PM

I pointed to the method you can use to reverse the endianness if for some reason you want to treat the value as a different endianness from the system you are currently running on.

PopziOP•5/22/23, 8:08 PM

Right, thank you! I've just gotta figure out how to use this method

mtreit•5/22/23, 8:09 PM

There are also a lot of helper methods that you can use if you are trying to read a buffer directly into a numeric variable:
https://learn.microsoft.com/en-us/dotnet/api/system.buffers.binary.binaryprimitives?view=net-7.0

BinaryPrimitives Class (System.Buffers.Binary)

Reads bytes as primitives with specific endianness.

MODiX•5/22/23, 8:13 PM

mtreit#6470

REPL Result: Success

Console Output

Compile: 619.415ms | Execution: 67.695ms | React with ❌ to remove this embed.

PopziOP•5/22/23, 8:14 PM

Well there we go, I was just about to ask how to actually use it, granted the MS docs are.......... the most helpful unhelpful documentation to put it nicely

mtreit•5/22/23, 8:16 PM

If you are starting with a buffer you would use the inverse methods: for instance.

MODiX•5/22/23, 8:19 PM

mtreit#6470

REPL Result: Success

Console Output

Compile: 711.954ms | Execution: 121.206ms | React with ❌ to remove this embed.

PopziOP•5/22/23, 8:22 PM

Blah, this is messy lol ,Int64 Int32, Int, UsInt64, IntPtr which are all the same but totally not the same things and now big and small edians that go back to front

Does C# know how to read memory? I just wanna say read this address here and be given the hex value of the address

PopziOP•5/22/23, 8:22 PM

I wonder if I'm better off doing this in C++, which is something I'd have never thought I'd say

mtreit•5/22/23, 8:28 PM

Memory is memory, the issues you are having with Endianness won't change if you switch how you read that memory.

PopziOP•5/22/23, 8:33 PM

I see, am just learning more now... Big Endian is already superior to everything else since it makes the most sense xd... Down the rabbit hole I go

mtreit•5/22/23, 8:40 PM

Aa an aside, the original note that coined the term endian for how bytes are ordered is kind of a fun read:
https://www.rfc-editor.org/ien/ien137.txt

PPopzi Blah, this is messy lol ,Int64 Int32, Int, UsInt64, IntPtr which are all the sam...

DKMK100•5/22/23, 8:42 PM

I think you're misunderstanding the problem

DKMK100•5/22/23, 8:45 PM

The problem isn't really related to the coding language
Both C# and c++ can only abstract this away by the type system which prevents reading bytes on their own.

If you're gonna read plain bytes as useful info, you need to know what info they represent
Including stuff like endianness
No coding language can fix that except by doing what c# is ALREADY doing: remember that for you via type system

You're the one choosing to interact with the bytes without it, and this problem is a natural concequence of that. Someone even showed you a helpful function to remove the busywork of choosing to interpret these yourself, so you only have the actual problem left to deal with

DDKMK100 The problem isn't really related to the coding language Both C# and c++ can onl...

PopziOP•5/22/23, 8:48 PM

Understood and yeah, I was just getting a little overwhelmed, went from the basics of reading memory to a PHD in physical memory and their real-world quirks very fast lol - I understand why it is the way it is now and am continuing to understand it

PopziOP•5/22/23, 8:48 PM

and thank you both for your help also! I appreciate it

DKMK100•5/22/23, 8:49 PM

Hope you manage to get it working! Good luck!

PopziOP•5/22/23, 8:49 PM

Ty!

PopziOP•5/22/23, 9:47 PM

So I managed to get it to read memory and spit out Hex in the right Endian, which is fantastic

I'm just now looking at Writing back to memory and wonder if there's any Endians to worry about, or if C# takes care of that for us?

The hex I'm trying to write, is just what was read + 2, so

mtreit•5/22/23, 9:52 PM

Bytes are written in exactly the order you pass them in as.

mtreit•5/22/23, 9:53 PM

There is no automatic conversion from one order to another when you are dealing with actual byte arrays / buffers.

PopziOP•5/22/23, 9:54 PM

Perfect, understood - So my error must lie somewhere within my handling of it seems

granted it's not writing the buffer

mtreit•5/22/23, 9:55 PM

Is WriteProcessMemory returning false?

PopziOP•5/22/23, 9:55 PM

Yes

mtreit•5/22/23, 9:55 PM

If so you need to call GetLastError and see what error is happening...

mtreit•5/22/23, 9:56 PM

Writing directly to process memory is...the kind of thing I would not expect to work in many cases.

i love cat(mull-rom splines)•5/22/23, 9:58 PM

invalid access to memory location time

PopziOP•5/22/23, 10:02 PM

Which is success according to MS docs, so I'm assuming I've done it wrong

PopziOP•5/22/23, 10:05 PM

also throwing 0

i love cat(mull-rom splines)•5/22/23, 10:06 PM

check your openprocess flags

PopziOP•5/22/23, 10:07 PM

Ah, it has to be called literally right after the call - Now showing error 5

Let's see!

PopziOP•5/22/23, 10:07 PM

Access is denied.

being ran as admin

i love cat(mull-rom splines)•5/22/23, 10:09 PM

all the subsequent functions that call setlasterror will clear all the previous error codes so yes, getlasterror will only return the last function's results

PPopzi Access is denied. 😎 being ran as admin

mtreit•5/22/23, 10:12 PM

Being admin doesn't matter if you opened the process handle without the necessary flags that allow writing to memory

PopziOP•5/22/23, 10:13 PM

Aha, so that's what this does

Ty!

PopziOP•5/22/23, 10:16 PM

Gave it full access (0x1F0FFF) - We're writing bytes! Awesome!!

i love cat(mull-rom splines)•5/22/23, 10:22 PM

you should really be using a source gen wrapper

i love cat(mull-rom splines)•5/22/23, 10:22 PM

cswin32 is fine

Accord•5/23/23, 10:23 PM

Was this issue resolved? If so, run

/close

/close

otherwise I will mark this as stale and this post will be archived until there is new activity.