# Forum > World of Warcraft > World of Warcraft Bots and Programs > WoW Memory Editing > [Release] GreyMagic - The best of both worlds, and then some

## Apoc

Download: https://dl.dropbox.com/u/2068143/GreyMagic.7z

So, I wrote this a while back for our bots (Honorbuddy, Demonbuddy, BuddyWing, etc). It's a full-featured memory lib for both in and out of process memory handling. Performance tests show that it's barely a tick slower than calling ReadProcessMemory directly on simple data types, and slightly over a tick slower than reading structures. (Write speeds have not been tested, as writing is not done nearly as often)

The following are for perf tests over 1 million iterations:

Read<int>(addr, relative: true) - 4.57 ticks
ReadProcessMemory (direct) - 3.54 ticks
Deref on ReadBytes(addr, relative: true) - 3.90 ticks
Read<NonMarshalStruct>(addr, relative: true) - 5.06 ticks
Read<MarshalStruct>(addr, relative: true) - 6.48 ticks

The library itself implements a neat little trick to avoid using the marshaler wherever possible. MarshalCache<T> provides a way to cache certain data for types (size, typeof(), whether the type needs to be run through the marshaler, etc), as well as implements a way for C# to take a pointer to a generic type. (You can't do &T in C#... well... at least you couldn't)

The lib itself takes into account quite a few things, and should hopefully be plug-and-play ready. It includes a few other things that aren't really useful (but tossed in for the sake of tossing it in). I will be adding more features in the future (it lacks a pattern scanner). Feel free to use and abuse, please let me know of any bugs you run into.

In-process memory class: InProcessMemoryReader
OOP memory class: ExternalProcessMemoryReader

Enjoy folks!

----------


## z0m

Haha, thanks, as always!

----------


## QKdefus

thanks  !

----------


## hankerspace

Thanks a lot, again !

----------


## Jadd

Good job. Well done.  :Smile:

----------


## miceiken

Sweet, thanks for sharing.

----------


## ~Unknown~

ah sweet! I have been waiting since you mentioned it in the WhiteMagic thread. Thanks for the work as always!

----------


## greenegzofyoshi

Apoc I read a post a few months(maybe a year + ago? ) where you spoke about grey magic and possibly releasing it. Since that day I decided to halt my wow development... but since you just released this, I guess I can start again since I have an active account at the moment (:

Thank you so much!

----------


## z0m

> Haha, thanks, as always!


Working great. Thanks again, also for the info you gave in a PM some time ago.

----------


## Require

Thanks  :Big Grin:  starting to learn Memory Editing now!

----------


## Kanyle

Thanks for sharing!

----------


## xalcon

> The library itself implements a neat little trick to avoid using the marshaler wherever possible. MarshalCache<T> provides a way to cache certain data for types (size, typeof(), whether the type needs to be run through the marshaler, etc), as well as implements a way for C# to take a pointer to a generic type. (You can't do &T in C#... well... at least you couldn't)


I've downloaded this, because of this ^ and then I found some basic C# stuff I didn't even knew about like the double question mark operator or the fact that classes can have a static constructor ._. I feel realy noobish right now.

Thanks for sharing! It's realy instructive  :Smile: 

Edit:
Do you mind giving us a short example how to use the DetourManager?

----------


## Apoc

> I've downloaded this, because of this ^ and then I found some basic C# stuff I didn't even knew about like the double question mark operator or the fact that classes can have a static constructor ._. I feel realy noobish right now.
> 
> Thanks for sharing! It's realy instructive 
> 
> Edit:
> Do you mind giving us a short example how to use the DetourManager?




```
            if (_canTrackUnitOriginal == null)                _canTrackUnitOriginal = Memory.CreateFunction<PlayerCanTrack>((IntPtr)GlobalOffsets.CGPlayer_C__CanTrackUnit, true);


            if (_canTrackObjectOriginal == null)
                _canTrackObjectOriginal = Memory.CreateFunction<PlayerCanTrack>((IntPtr)GlobalOffsets.CGPlayer_C__CanTrackObject, true);


            if (_myCanTrackUnit == null)
                _myCanTrackUnit = CanTrackUnitDetour;


            if (_myCanTrackObject == null)
                _myCanTrackObject = CanTrackObjectDetour;


             Memory.Detours.CreateAndApply(_canTrackUnitOriginal, _myCanTrackUnit, "CanTrackUnitDetour");
             Memory.Detours.CreateAndApply(_canTrackObjectOriginal, _myCanTrackObject, "CanTrackObjectDetour");
```



```
        private bool CanTrackUnitDetour(IntPtr pUnit, IntPtr unk)
        {
            if (_trackedUnits.Count > 0)
            {
                var unit = new WoWUnit(pUnit);


                return unit.IsValid &&
                       (_trackedUnits.Contains(unit.Name.ToLower()) ||
                        _trackedUnits.Any(s => !string.IsNullOrEmpty(s) && unit.Name.ToLower().Contains(s.ToLower())));
            }


            return (bool)Memory.Detours["CanTrackUnitDetour"].CallOriginal(pUnit, unk);
        }
```

----------


## xalcon

@Apoc: awesome! It all makes sense now, thank you!

----------


## Xelper

Very nice, thanks Apoc

----------


## xalcon

[InProcessMemoryReader.cs:107] The variable 'ex' is declared but never used


```
[...]
catch (AccessViolationException ex)
{
    Trace.WriteLine("Access Violation on " + address + " with type " + typeof (T).Name);
    return default(T);
}
[...]
```

Me do not like compiler warnings :< I've changed the line to _catch (AccessViolationException)_

----------


## Apoc

> [InProcessMemoryReader.cs:107] The variable 'ex' is declared but never used
> 
> 
> ```
> [...]
> catch (AccessViolationException ex)
> {
>     Trace.WriteLine("Access Violation on " + address + " with type " + typeof (T).Name);
>     return default(T);
> ...


Nitpicky huh?

I left that in from debugging. You can easily add in some extra messaging from it to help figure out where things are going wrong, etc. (If you don't need that, then sure, just remove it)

----------


## Shadowhunter12

Apoc,

Thank you again for sharing this. I really appreciate it.. I've learned a tremendous amount from following your posts!!!

Quick question... Do you think Pattern finding would be a good addition to your DLL? If not, what do you personally use for pattern finding? 

Thanks again!

-Shadowhunter

----------


## DrakeFish

This lib is very interesting, good job! I had to use an additional C++/CLI DLL only to get a pointer to my generic types which annoyed me, but the way you're doing it in your MarshalCache<T> class is so much better. I love the idea of caching the types information in such a simple way. I can finally stop looking for the most performant way to read structures.  :Roll Eyes (Sarcastic): 

Thanks!  :Big Grin:

----------


## PowerBoosting

Apoc is King. (period)

That makes me wander, 2 things:

1 - What would happen to all WoW bots if the king leaves the building?
2 - Why's that, Blizzard doesn't hire him, with a soccer player like contract offer?

----------


## jarjar1

How can I convert from BlackMagic?

This is the DoString im using. But I am not sure how to implement it in GreyMagic.



```
        public void LuaDoString(string command)
        {
            int nSize = command.Length + 0x100;
            uint codeCave = process.AllocateMemory(nSize);

            process.WriteASCIIString(codeCave, command);
            process.Asm.Clear();

            String[] asm = new String[] 
            {
                "mov eax, " + codeCave,
                "push 0",
                "push eax",
              
                "push eax",
                "mov eax, " + (moduleBase + Offsets.FunctionWow.FrameScript__ExecuteBuffer),
                
                "call eax",
                "add esp, 0xC",
                "retn",    
            };

            aHook.InjectAndExecute(asm);
            process.FreeMemory(codeCave);
        }
```

----------


## Shadowhunter12

Jarjar,

You would replace aHook references to the fasmdll_managed reference in GreyMagic.

Or (someone might have to correct me if I'm wrong), create a function delegate and call ExecuteBuffer directly?

----------


## Threk

> Jarjar,
> 
> You would replace aHook references to the fasmdll_managed reference in GreyMagic.
> 
> Or (someone might have to correct me if I'm wrong), create a function delegate and call ExecuteBuffer directly?


Depends on whether or not he is injected (directly in WoW)

@ jarjar1
It should still work (nearly) the same way.
So look at the API and replace your function calls with the new function names.

Shouldn't be too hard (really).

----------


## jarjar1

What is the difference between GetAbsolute and GetRelative for Read<T>? And when should I use which?

How can I go about calling something like ExecuteBuffer? Using greymagic. 


EDIT1: OK, thanks to ShadowHunter figured it out. The following code works.



```
    public partial class Class1
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate int EndSceneDelegate(IntPtr instance);
        private static EndSceneDelegate _EndSceneOriginal;
        private static GreyMagic.Internals.Detour _EndSceneHook;

        private static int EndSceneHook(IntPtr device)
        {
            // Pulse();
            Debug.WriteLine("EndScene");
            return (int)_EndSceneHook.CallOriginal(device);
        }

        public static void EndScene_ApplyHook()
        {
            uint pDevice = MemoryIn.Read<uint>((new IntPtr((uint)wfa.Objects.Direct3D.Direct3D9__Device)), true);
            uint pEnd = MemoryIn.Read<uint>(new IntPtr(pDevice + (uint)wfa.Objects.Direct3D.Direct3D9__Device__OffsetA));
            uint pScene = MemoryIn.Read<uint>(new IntPtr(pEnd));

            IntPtr endScenePtr = MemoryIn.Read<IntPtr>(new IntPtr(pScene + (uint)wfa.Objects.Direct3D.Direct3D9__Device__OffsetB));

            _EndSceneOriginal = MemoryIn.CreateFunction<EndSceneDelegate>(endScenePtr);
            _EndSceneHook = MemoryIn.Detours.CreateAndApply(_EndSceneOriginal, new EndSceneDelegate(EndSceneHook), "EndSceneHook");
        }
    }
```

EDIT2: Here is my attempt at detouring ExecuteBuffer. The problem is at CreateFunction.



```
    public partial class Class1
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate int LUAExecuteDelegate(IntPtr instance);
        private static LUAExecuteDelegate _LUA_ExecuteBufferOriginal;
        private static GreyMagic.Internals.Detour _LUA_ExecuteBufferHook;

        private static int LUA_ExecuteBufferHook(IntPtr device)
        {
            // Pulse();
            //Debug.WriteLine("LuaHook");
            return (int)_LUA_ExecuteBufferHook.CallOriginal(device);
        }

        public static void LUAExecuteBuffer_ApplyHook()
        {
          //  uint pExecuteBuffer = MemoryIn.Read<uint>((new IntPtr((uint)wfa.Objects.LUA.FrameScript__ExecuteBuffer)), true);

        //    IntPtr pExecuteBuffer = MemoryIn.Read<IntPtr>(new IntPtr((uint)wfa.Objects.LUA.FrameScript__ExecuteBuffer), true);

            _LUA_ExecuteBufferOriginal = MemoryIn.CreateFunction<LUAExecuteDelegate>((IntPtr)wfa.Objects.LUA.FrameScript__ExecuteBuffer, true);
            _LUA_ExecuteBufferHook = MemoryIn.Detours.CreateAndApply(_LUA_ExecuteBufferOriginal, new LUAExecuteDelegate(LUA_ExecuteBufferHook), "LUA_ExecuteBuffer");
        }
    }
```

EDIT3: Adding absolute address fixes the CreateFunction issue. But now after calling ExecuteBuffer the prog crashes. ex doing /script OpenAllBags() ingame manually. I am guessing need to detour further down?

EDIT4: I get it. I dont need to detour ExecuteScript, I need to call it. And to prevent threading conflicts I need to call it from EndSceneTick aka MainThread?
So the question now becomes how do you do that using GreyMagic without using BlackMagic?

----------


## jarjar1

How do you call ExecuteBuffer directly using GreyMagic?




> Jarjar,
> 
> You would replace aHook references to the fasmdll_managed reference in GreyMagic.
> 
> Or (someone might have to correct me if I'm wrong), create a function delegate and call ExecuteBuffer directly?

----------


## beanso

```
public delegate int LUAExecuteDelegate(IntPtr instance);
```

This is the wrong function signature for ExecuteBuffer. Look at it in a disassembler or search around on the forum and find the correct signature. How are you going to execute LUA if you don't provide any LUA to execute?



```
EDIT4: I get it. I dont need to detour ExecuteScript, I need to call it.
```

Yes. Call the delegate you created with CreateFunction<> (_LUA_ExecuteBufferOriginal).

----------


## jarjar1

How do you call the delegate with passing args? I have not been able to find an example. I only found the codecave examples with inlining asm in c#.




> Yes. Call the delegate you created with CreateFunction<> (_LUA_ExecuteBufferOriginal).

----------


## beanso

```
_LUA_ExecuteBufferOriginal(args);
```

Using Delegates (C#)

----------


## jarjar1

I get that part. What I dont get is how to call it properly. I cant just pass a string arg to it. I need to copy the memory and copy the correct calling convention. In BlackMagic this was done with inline ASM.

EDIT: Or maybe i can, hehe testing now.




> ```
> _LUA_ExecuteBufferOriginal(args);
> ```
> 
> Using Delegates (C#)

----------


## beanso

That's handled for you by GreyMagic and .NET. You specify the calling convention with [UnmanagedFunctionPointer(CallingConvention.StdCall)] and then make sure the function signature is the same as used in the client code. 

You're already doing the same thing with your EndScene hook. CallOriginal just calls the _EndSceneOriginal delegate you defined and passes the device pointer to it. All the memory manipulation is done for you, no asm required.

----------


## jarjar1

haha very nice.

orig
00CFF810 012E2FDA RETURN to Wow.012E2FDA from Wow.00DF5350
00CFF814 18E93F24 ASCII "OpenAllBags()"
00CFF818 18E93F24 ASCII "OpenAllBags()"
00CFF81C 0166FDE7 Wow.0166FDE7

mycall
1316AADC 13175EC5 RETURN to 13175EC5
1316AAE0 00000000
1316AAE4 2A632328 ASCII "OpenAllBags()"
1316AAE8 2A632328 ASCII "OpenAllBags()"
1316AAEC 5CAE923E
1316AAF0 647C5D60 clr.647C5D60

EDIT2: Not sure why. Especially because the first call after reading the ASCII inside the func should have Arg3 as 0, but calling it this way sets the arg to D.
mycallthat Mysteriously works
1316AADC 13175EC5 RETURN to 13175EC5
1316AAE4 2A632328 ASCII "OpenAllBags()"
1316AAE8 2A632328 ASCII "OpenAllBags()"
1316AAE0 00000000
1316AAEC 5CAE923E
1316AAF0 647C5D60 clr.647C5D60

Just gotta fix it up abit!
EDIT1: not sure where the 5CAE923E is coming from. Tried both StdCall and Cdecl.

BTW, I am having trouble with olly1.11, whenever it loads the .UDD if I reload the program, it locks all the threads and does not resume them until I delete the wow.UDD and restart olly. Anyone experience this? I like to use Olly because its fast on the binary search. IDA seems to take forever.

----------


## jarjar1

```
  
                "call " + (moduleBase + Offsets.FunctionWow.ClntObjMgrGetActivePlayerObj),
                "mov ecx, eax",
                "push -1",
                "mov edx, " + codeCave,
                "push edx",
                "call " + (moduleBase + Offsets.FunctionWow.Lua_GetLocalizedText),
                "retn",
```

What about working with registers. EX: I need clntObjMgr to get called before calling GetLocalizedText. How could this work using GreyMagic and delegates?

----------


## beanso

Make a delegate for the ClntObjMgrGetActivePlayerObj function and call that to get the pointer. That asm just moves the result from the function call into ecx (which is used by GetLocalizedText as it's __thiscall - to use thiscall in c# you just specify the calling convention as thiscall and pass the pointer as the first arg).

If you have an object manager set up you can compare guids to the local player guid (there's a static address for it) and find the pointer that way, but calling the function is the easiest and most direct way to do it.

----------


## jarjar1

How would I need to call GetClientObjMgrActivePlayer? No matter how I try it always returns 0.



```
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate int ClntObjMgrGetActivePlayerObjDelegate(
        IntPtr instance);
        private static ClntObjMgrGetActivePlayerObjDelegate GetClntObjMgrActPlayer;
        private static IntPtr pActPlayer;

GetClntObjMgrActPlayer(pActPlayer);

GetClntObjMgrActPlayer = MemoryIn.CreateFunction<ClntObjMgrGetActivePlayerObjDelegate>((IntPtr)wfa.Objects.WowObjects.ClntObjMgrGetActivePlayerObj, true);
```

EDIT2: It seems pActPlayer = GetClntObjMgrActPlayer(); returns something non-zero. Hard to debug because can use either olly or VS debugger.




> Make a delegate for the ClntObjMgrGetActivePlayerObj function and call that to get the pointer. That asm just moves the result from the function call into ecx (which is used by GetLocalizedText as it's __thiscall - to use thiscall in c# you just specify the calling convention as thiscall and pass the pointer as the first arg).
> 
> If you have an object manager set up you can compare guids to the local player guid (there's a static address for it) and find the pointer that way, but calling the function is the easiest and most direct way to do it.

----------


## _Mike

Look up the correct function signatures..

CGPlayer_C* __cdecl ClntObjMgrGetActivePlayerObj()

----------


## Apoc

```
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        private delegate IntPtr ClntObjMgrGetActivePlayerObjDelegate();

        private static ClntObjMgrGetActivePlayerObjDelegate ClntObjMgrGetActivePlayerObj;

        static IntPtr InProcGetActivePlayer()
        {
            if (ClntObjMgrGetActivePlayerObj == null)
                ClntObjMgrGetActivePlayerObj = Memory.CreateFunction<ClntObjMgrGetActivePlayerObjDelegate>((IntPtr) 0xDEADBEEF);

            return ClntObjMgrGetActivePlayerObj();
        }
```

----------


## jarjar1

Hum. Then there is a problem elsewhere. Also what is the difference between Absolute and Relative? Is it relative to the function starting point vs Absolute relative to the module base?

The value returned by Bytes being read from the wrong memory location. 

EDIT2: byte[] bytes = MemoryIn.ReadBytes(memory, 0x04, true); // Is instant C# crash.
EDIT3: Still dont get how it works. The value I need is pointed to by EAX 'ASCII "15"'. The final call before ending the GetLocalizedText sets EAX. If I set the Delegate to type string (was worth a try) it crashes upon registering the callback. 

EDIT4: No matter how I arrange it.. always crash on byte[] bytes = MemoryIn.ReadBytes(memory, 0x50, true);
EDIT5: I basically just need to extract the value from EAX before it returns. How to do?
EX:


```
        [UnmanagedFunctionPointer(CallingConvention.ThisCall)]
        private delegate void LuaGetTextDelegate(
        IntPtr @this, out IntPtr instance, int minone);
        private static LuaGetTextDelegate GetLocalizedText;

                Marshal.Copy(data, 0, memory, data.Length);
                Marshal.WriteByte(memory + data.Length, 0);

                GetLocalizedText(InProcGetActivePlayer(), out memory, -1);
                byte[] bytes = MemoryIn.ReadBytes(memory, 0x50, true);
```



```
       
        [UnmanagedFunctionPointer(CallingConvention.ThisCall)]
        private delegate int LuaGetTextDelegate(
        IntPtr @instance2, IntPtr instance, int minone);
        private static LuaGetTextDelegate GetLocalizedText;

 public static string LUA_GetLocalizedText(string query)
        {
            string sResult;

            var data = Encoding.ASCII.GetBytes(query);
            var memory = Marshal.AllocHGlobal(data.Length + 1);
            try
            {
                Marshal.Copy(data, 0, memory, data.Length);
                Marshal.WriteByte(memory + data.Length, 0);

                GetLocalizedText(InProcGetActivePlayer(), memory, -1);
                byte[] bytes = MemoryIn.ReadBytes(memory, 0x50); //problem here
                sResult = Encoding.ASCII.GetString(bytes, 0, bytes.Length + 1);
            }
            finally
            {
                Marshal.FreeHGlobal(memory);
            }
            return sResult;
        }
```



```
//Must be incorrectly passing ECX? probably the first @IntPtr as an arg is wrong?
//Not Working Stack :(
07BEA818     0FE55F06  RETURN to 0FE55F06
07BEA81C     2885FD38  ASCII "freeslots"
07BEA820     FFFFFFFF
07BEA824     5A5537F6  //This was not a problem before. 
07BEA828     647C5D60  clr.647C5D60
07BEA82C     07BEA9DC

//Working Stack
006BFAB4     0CDF0014  RETURN to 0CDF0014 from Wow.012BD7F0
006BFAB8     0CCA0000  ASCII "freeslots"
006BFABC     FFFFFFFF
006BFAC0     0CCB0017  RETURN to 0CCB0017
006BFAC4     00000000
006BFAC8     03A28678
006BFACC     006BFAE8
```



D3 Easter Egg? :P. I believe that's sometimes seen as a value in AnimPreplayData?




> ```
>       
>                0xDEADBEEF
> ```

----------


## Apoc

I'd suggest you pick up a book before going any further, you've shown that you lack the understanding to be dealing with this kind of stuff.

----------


## jarjar1

I dont read. Sorry.




> I'd suggest you pick up a book before going any further, you've shown that you lack the understanding to be dealing with this kind of stuff.

----------


## Apoc

> I dont read. Sorry.


Then nobody here will provide you any help.

----------


## jarjar1

*books/code manuscripts :P. I rather learn by doing, just my learning style. And you must admit its not your basic stuff in books. I am sure I would need to read a whole library to find out why this line says 'must be non-nullable value'. 



```
MemoryIn.Read<string>((IntPtr)pointer);
```


PS: Got it to work. Just had to move some things around because I am not 100% on the syntax. And no, I will not go read a 600+ page C# book just because of a misunderstanding of correct C# syntax.



```
                var pointer = GetLocalizedText(aPlayer, memory, -1);
                
                sResult = wfa.Objects.Memory.ReadString((IntPtr)pointer, 0x50);
```





> Then nobody here will provide you any help.

----------


## Apoc

> *books/code manuscripts :P. I rather learn by doing, just my learning style. And you must admit its not your basic stuff in books. I am sure I would need to read a whole library to find out why this line says 'must be non-nullable value'. 
> 
> 
> 
> ```
> MemoryIn.Read<string>((IntPtr)pointer);
> ```
> 
> 
> ...


What you're misunderstanding is basic C# syntax. If you're going to work in the language, at least get a solid grasp on the syntax used in it. If you have programming knowledge in other languages, then it won't be a real problem. But "shotgun" coding will get you nowhere in the long run.

----------


## DarkLinux

@jarjar1 
You will never learn by a simple copy and paste... And you dont read? You will never get anywhere like that. You will only be able to create what others have already.. I know many people start by asking for hand outs, and never get anywhere so they try to learn... Anyways.. learn c++ XD .... , @Apoc srry for the high-jacked thread...

----------


## Empted

> I dont read. Sorry.


The more theory you know, the more ideas/solutions you can produce.

----------


## eracer

@Apoc, is it possible to make this skip entering debug mode when using InProcessMemoryReader? I can comment out "Process.EnterDebugMode();" in MemoryBase.cs but I'm sure there has to be a better way.

Thanks  :Smile:

----------


## Valediction

> @Apoc, is it possible to make this skip entering debug mode when using InProcessMemoryReader? I can comment out "Process.EnterDebugMode();" in MemoryBase.cs but I'm sure there has to be a better way.
> 
> Thanks


Funny that today I have come with exactly the same need you're describing. Since I'm mostly using InProcessMemoryReader for pointer-like reading/writing while injected in the process, those privileges (at least for now) aren't needed. In fact, I'm not sure I can get debug privileges when injected, at least with WoW launched in regular mode... for the time being I just added a flag to the constructor (of MemoryBase) that skips all the part that requires privileges and I set it when building an InProcessMemoryReader, but doesn't seem elegant at all.

----------


## TOM_RUS

I'm not even sure why you even need debug privileges for reading memory. Everything should work without them.

----------


## Valediction

> I'm not even sure why you even need debug privileges for reading memory. Everything should work without them.



That's the point, since debug privileges are needed starting right from the base class, maybe that part should be moved somewhere else (if I'm not missing anything which actually requires those privileges throughout the whole class hierarchy).

----------


## GRB

Kinda stupid question, but after 4+ hours of search i cant find it.

Is there anyway to open a process using this greymagic? or it must be done using System.Diagnostics?

Ex: for blackmagic u just go


```
blackmagic somename = new blackmagic();
somename.open bla bla bla
```

i know grey dont use the **** *** = new *****();
and ofc i could open the process normal way, but the question is, if theres anyway to do it using greymagic.

i noticed that hbrelogger have a import.cs file on greymagic source code, and have the open process through the safememoryhandle, but after compiling grey, that functions is not there, as all other imports.

Whats the diference from MemoryBase.ReadByte and the ExternalProcess one?

----------


## Apoc

> I'm not even sure why you even need debug privileges for reading memory. Everything should work without them.


Debug privs are mostly for... well... debugging. If you don't need them, you can comment them out. It's mostly useful for out of proc stuff where RPM will throw random errors because you're reading on page boundaries and the like.

----------


## Hyru

GreyMagic.MemoryBase:



```
public IntPtr GetRelative(IntPtr absolute) {
    return ImageBase - (int) absolute;
}
```

If your absolute address is 0x1040 and your ImageBase is 0x1000, your relative address to the image base would be 0x40 or absolute minus ImageBase.

----------


## xalcon

He asked for the difference between MemoryBase.ReadByte() and ExternalProcessReader.ReadByte(), not what the MemoryBase might be...
The MemoryBase.ReadByte() is a abstract method, just a prototype which then gets overridden by the ExternalProcessReader... so... no difference :P the first "just can't be used" :P

----------


## Apoc

I've made some slight changes recently to this lib.

Firstly, you can now create generic structures. (AKA; templated types. Mostly useful for STL containers and the like)

Replace MarshalCache.cs with:



```
using System;using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime.InteropServices;
using System.Text;


namespace Loki.MemoryManagement
{
    public static class MarshalCache<T>
    {
        /// <summary> The size of the Type </summary>
        public static int Size;


        /// <summary> The real, underlying type. </summary>
        public static Type RealType;


        /// <summary> The type code </summary>
        public static TypeCode TypeCode;


        /// <summary> True if this type requires the Marshaler to map variables. (No direct pointer dereferencing) </summary>
        public static bool TypeRequiresMarshal;


        private static int GetSizeOf(Type t)
        {
            if (!t.IsGenericType)
                return Marshal.SizeOf(t);
            
            // So, chances are, we're using generic sub-types.
            // This is a good, and bad thing.
            // Good for STL implementations, bad for most everything else.
            // But for the sake of completeness, lets make this work.


            int totalSize = 0;


            foreach (var field in t.GetFields(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance))
            {
                // Recursive. We want to allow ourselves to dive back into this function if we need to!
                totalSize += GetSizeOf(field.FieldType);
            }
            return totalSize;
        }


        static MarshalCache()
        {
            TypeCode = Type.GetTypeCode(typeof(T));


            // Bools = 1 char.
            if (typeof(T) == typeof(bool))
            {
                Size = 1;
                RealType = typeof(T);
            }
            else if (typeof(T).IsEnum)
            {
                var underlying = typeof(T).GetEnumUnderlyingType();
                Size = GetSizeOf(underlying);
                RealType = underlying;
                TypeCode = Type.GetTypeCode(underlying);
            }
            else
            {
                Size = GetSizeOf(typeof (T));
                RealType = typeof(T);
            }


            // Basically, if any members of the type have a MarshalAs attrib, then we can't just pointer deref. :(
            // This literally means any kind of MarshalAs. Strings, arrays, custom type sizes, etc.
            // Ideally, we want to avoid the Marshaler as much as possible. It causes a lot of overhead, and for a memory reading
            // lib where we need the best speed possible, we do things manually when possible!
            TypeRequiresMarshal = RealType.GetFields(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic).Any(m => m.GetCustomAttributes(typeof(MarshalAsAttribute), true).Any());


            // Generate a method to get the address of a generic type. We'll be using this for RtlMoveMemory later for much faster structure reads.
            var method = new DynamicMethod(
                string.Format("GetPinnedPtr<{0}>", typeof(T).FullName.Replace(".", "<>")), typeof(void*), new[] { typeof(T).MakeByRefType() },
                typeof(MarshalCache<>).Module);
            ILGenerator generator = method.GetILGenerator();
            generator.Emit(OpCodes.Ldarg_0);
            generator.Emit(OpCodes.Conv_U);
            generator.Emit(OpCodes.Ret);
            GetUnsafePtr = (GetUnsafePtrDelegate)method.CreateDelegate(typeof(GetUnsafePtrDelegate));
        }




        internal unsafe delegate void* GetUnsafePtrDelegate(ref T value);


        internal static readonly GetUnsafePtrDelegate GetUnsafePtr;
    }
}
```

----------


## dms51

Thx Apoc ! Seems to be a very useful lib you share with us!

----------


## Hyru

Converted over from WhiteMagic and my home grown out-of-process memory manager to a GreyMagic refactor about a week ago. Happy with the results so far.

----------


## Hyru

> He asked for the difference between MemoryBase.ReadByte() and ExternalProcessReader.ReadByte(), not what the MemoryBase might be...
> The MemoryBase.ReadByte() is a abstract method, just a prototype which then gets overridden by the ExternalProcessReader... so... no difference :P the first "just can't be used" :P


I wasn't responding to GRB. I was stating that the method implementation for getting the relative address given the absolute was incorrect. Not a big deal as it'll be obvious the first time you call it.

----------


## Apoc

More changes!

This one is to fix the "TypeRequiresMarshal" issue where a sub-struct requires marshaling, but the main struct doesn't. It'll now just iterate over the sub-structs and see if something needs to be marshaled, then mark the parent type as requiring marshaling.



```
    public static class MarshalCache<T>    {
        /// <summary> The size of the Type </summary>
        public static int Size;


        /// <summary> The real, underlying type. </summary>
        public static Type RealType;


        /// <summary> The type code </summary>
        public static TypeCode TypeCode;


        /// <summary> True if this type requires the Marshaler to map variables. (No direct pointer dereferencing) </summary>
        public static bool TypeRequiresMarshal;


        private static int GetSizeOf(Type t)
        {
            try
            {
                // Note: This is in a try/catch for a reason.


                // A structure doesn't have to be marked as generic, to have generic types INSIDE of it.
                // Marshal.SizeOf will toss an exception when it can't find a size due to a generic type inside it.
                // Also... this just makes sure we can handle any other shenanigans the marshaler does.
                return Marshal.SizeOf(t);
            }
            catch
            {
                // So, chances are, we're using generic sub-types.
                // This is a good, and bad thing.
                // Good for STL implementations, bad for most everything else.
                // But for the sake of completeness, lets make this work.


                int totalSize = 0;


                foreach (var field in t.GetFields(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance))
                {
                    // Check if its a fixed-size-buffer. Eg; fixed byte Pad[50];
                    var attr = field.GetCustomAttributes(typeof (FixedBufferAttribute), false);
                    if (attr.Length > 0)
                    {
                        var fba = attr[0] as FixedBufferAttribute;
                        totalSize += GetSizeOf(fba.ElementType) * fba.Length;
                    }
                    


                    // Recursive. We want to allow ourselves to dive back into this function if we need to!
                    totalSize += GetSizeOf(field.FieldType);
                }
                return totalSize;
            }
        }


        static bool RequiresMarshal(Type t)
        {
            foreach (var fieldInfo in t.GetFields(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic))
            {
                var requires = fieldInfo.GetCustomAttributes(typeof (MarshalAsAttribute), true).Any();


                if (requires)
                {
                    Debug.WriteLine(fieldInfo.FieldType.Name + " requires marshaling.");
                    return true;
                }


                // Nope
                if (t == typeof (IntPtr) || t == typeof (string))
                    continue;


                // If it's a custom object, then check it separately for marshaling requirements.
                if (Type.GetTypeCode(t) == TypeCode.Object)
                    requires |= RequiresMarshal(fieldInfo.FieldType);


                // if anything requires a marshal, period, no matter where/what it is.
                // just return true. Hop out of this func as early as possible.
                if (requires)
                {
                    Debug.WriteLine(fieldInfo.FieldType.Name + " requires marshaling.");
                    return true;
                }
            }
            return false;
        }


        static MarshalCache()
        {
            TypeCode = Type.GetTypeCode(typeof(T));


            // Bools = 1 char.
            if (typeof(T) == typeof(bool))
            {
                Size = 1;
                RealType = typeof(T);
            }
            else if (typeof(T).IsEnum)
            {
                var underlying = typeof(T).GetEnumUnderlyingType();
                Size = GetSizeOf(underlying);
                RealType = underlying;
                TypeCode = Type.GetTypeCode(underlying);
            }
            else
            {
                Size = GetSizeOf(typeof (T));
                RealType = typeof(T);
            }


            // Basically, if any members of the type have a MarshalAs attrib, then we can't just pointer deref. :(
            // This literally means any kind of MarshalAs. Strings, arrays, custom type sizes, etc.
            // Ideally, we want to avoid the Marshaler as much as possible. It causes a lot of overhead, and for a memory reading
            // lib where we need the best speed possible, we do things manually when possible!
            TypeRequiresMarshal = RequiresMarshal(RealType);
            //Debug.WriteLine("Type " + typeof(T).Name + " requires marshaling: " + TypeRequiresMarshal);


            // Generate a method to get the address of a generic type. We'll be using this for RtlMoveMemory later for much faster structure reads.
            var method = new DynamicMethod(
                string.Format("GetPinnedPtr<{0}>", typeof(T).FullName.Replace(".", "<>")), typeof(void*), new[] { typeof(T).MakeByRefType() },
                typeof(MarshalCache<>).Module);
            ILGenerator generator = method.GetILGenerator();
            generator.Emit(OpCodes.Ldarg_0);
            generator.Emit(OpCodes.Conv_U);
            generator.Emit(OpCodes.Ret);
            GetUnsafePtr = (GetUnsafePtrDelegate)method.CreateDelegate(typeof(GetUnsafePtrDelegate));
        }




        internal unsafe delegate void* GetUnsafePtrDelegate(ref T value);


        internal static readonly GetUnsafePtrDelegate GetUnsafePtr;
    }
```

Edit; another fix for fixed size buffers in structs.

You can now do *anything* with your structures (generics included) and be able to read them! (Writing... not so much  :Frown: )

----------


## GRB

With lastest apoc changes im getting the follow error.

"The type or namespace name 'FixedBufferAttribute' could not be found (are you missing a using directive or an assembly reference?)"

----------


## TOM_RUS

> With lastest apoc changes im getting the follow error.
> 
> "The type or namespace name 'FixedBufferAttribute' could not be found (are you missing a using directive or an assembly reference?)"


How about adding missing using statement?

----------


## GRB

> How about adding missing using statement?


lol, im sleeping here.. +rep for you  :Smile:

----------


## Holico

This maybe a stupid question, but for what you have fasm in Gray Magic?
You declare a Object names asm, you initilize it and you dispose it. Thats all i found working with fasm.
The reason i ask is following:
ive used to use blackMagic, but because i can and it was oversized i switched to Jadds Memory Interacting "Lib".
But ive got a heavy memor leak with it.
So i switched back to the "modern" gray magic.
Today i got a wierd bug that i send my project compiled to a friend of mine and he got an error that the fasm_managed.dll was missing, dispite it is in the same folder.
So i just delteted it from grayMagic and recompiled.

----------


## Shenlok

The download link in the OP is 404ing, and I didn't see a mirror posted anywhere else in the thread. Anyone got a copy of GreyMagic.7z that they could throw up somewhere? Lost mine after a HDD reformat. It'd be much appreciated!

----------


## Valediction

> The download link in the OP is 404ing, and I didn't see a mirror posted anywhere else in the thread. Anyone got a copy of GreyMagic.7z that they could throw up somewhere? Lost mine after a HDD reformat. It'd be much appreciated!


This should be it: GreyMagic

----------


## Shenlok

> This should be it: GreyMagic


Awesome, thanks!

----------

