Inject++ How do I cheat?
Posted: Wed Jul 01, 2009 12:52 am Post subject: Memory hacking .NET programs
I know how to deal with DMA for a normal executable by finding a variable that I would like to access in memory and tracing it back to a static address.
But what of .NET programs? The executable is only a container for bytecode and the program actually runs on the .NET Framework.
I naively tried a similar approach to a normal executable: I found what I wanted and then traced it back, but the static addresses are within modules belonging to the .NET Framework installed on the system. These are different for each build of the Framework (each major Framework version has numerous builds). Since I require portability between systems with an unknown Framework build version, it seems it is not possible to use this technique to get the address of a variable in memory.
My only hope is the Profiling API. According to the MSDN docs, if you know a variable's token value, you can obtain its memory address (IMetaDataImport.GetRVA). I found that it was possible to identify the variable I needed using the Reflector disassembly and was able to get its token value. I have some doubts over the Profiler, so I have not yet taken the plunge into making a Profiler COM server to test this out.
Has anyone had experience using the Profiler API to memory hack .NET programs, and is this the only way to do it? Is it possible for the Profiler to be blocked? It looks like you have to enable the profiler with an environment variable at a global level, as it needs to be enabled before a target program is started. Are there any shortcomings to this?
Thanks for any help.