使用反射在C＃中查找字段的指针

Question

This question is for educational purposes only.
I am aware of how a native program is working. The compiler takes each primitive and gives it an address, then uses that address in the program. For structures, it simply stacks the address together (with some padding) - but basically, a structure doesn't really "exist".

The native program doesn't tell me which fields and variables it has. It only accesses different addresses - and if I look at the assembly, I can name each address if I want to, but the program won't give me that information. So assuming I am looking for a specific variable, I cannot do it without either examining the executing of the program, or it's assembly.

The .NET environment does tell me which variables it has and which fields it has. Using the Assembly class and Reflection namespace, I can load up a file and see which fields and classes it has.
Then, using a program which searches memory (whether its native or not) I can find the physical location of the field (by using it value, filtering out etc) - like Cheat Engine does. It will give me the actual address of the field in the memory, which is accessed by the assembly made by the JIT .
I know that the MSIL does not contain information about the desired location of a specific field. I am also almost certain that the JIT will never optimize the code by removing any class.

I know that the .NET debugger is an actual class in the program which allows Visual Studio to interact with the internal information of an application. When the debugger is missing, Visual Studio cannot read or write to fields, nor can it inspect the application in any way.

Is there any way, without the use of Cheat Engine or similar tools to find the physical location of a field in a static (or of a specific instance) class in a running .NET process ? Will the address be the same after each executing (such as in native program) ? May it differ only on different platforms or machines? How does the JIT decide where to place a field?

If I was unclear, I wish to do it without access to the code of the program, ie externally by another process (like a debugger, but for programs compiled under release).

Answer 1

Next code inject Injector method in Paint.net and get MainForm fields.

NInject.exe

public static int Injector(string parameter)
{
  try
  {
    var mainForm = Application.OpenForms.OfType<Form>().FirstOrDefault(form => form.GetType().FullName.EndsWith("MainForm"));

    var builder = new StringBuilder();
    builder.AppendFormat("process: {0}\r\n\r\n", Application.ExecutablePath);
    builder.AppendFormat("type: {0}\r\n", mainForm.GetType().FullName);
    foreach (var field in mainForm.GetType().GetFields(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic))
    {
      builder.AppendFormat("field {0}: {1}\r\n", field.Name, field.GetValue(mainForm));
    }


    new Form()
    {
      Controls = 
      {
        new TextBox
        {
          Text = builder.ToString(),
          Multiline = true,
          Dock = DockStyle.Fill
        }
      }
    }
    .ShowDialog();
  }
  catch (Exception exc)
  {
    MessageBox.Show(exc.ToString());
  }
  return 0;      
}

static void Main(string[] args)
{
  var process = System.Diagnostics.Process.GetProcessesByName("PaintDotNet").FirstOrDefault();

  var processHandle = OpenProcess(ProcessAccessFlags.All, false, process.Id);

  var proxyPath = System.IO.Path.Combine(System.Windows.Forms.Application.StartupPath, "NInjector.dll");

  var pathBytes = System.Text.Encoding.ASCII.GetBytes(proxyPath);

  var remoteBuffer = VirtualAllocEx(processHandle, IntPtr.Zero, (uint)pathBytes.Length, AllocationType.Commit, MemoryProtection.ReadWrite);
  WriteProcessMemory(process.Handle, remoteBuffer, pathBytes, (uint)pathBytes.Length, IntPtr.Zero);


  var remoteThread = CreateRemoteThread(processHandle, IntPtr.Zero, 0, GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA") , remoteBuffer, 0, IntPtr.Zero);

  WaitForSingleObject(remoteThread, unchecked((uint)-1)); 

  CloseHandle(remoteThread);

}

NInjector.dll (native)

#include "MSCorEE.h"
#pragma comment  (lib, "MSCorEE")

void StartTheDotNetRuntime()
{
    MessageBox(0, L"Started", L"proxy", 0);

    ICLRRuntimeHost *pClrHost = NULL;
    HRESULT hr = CorBindToRuntimeEx(
        NULL, L"wks", 0, CLSID_CLRRuntimeHost,
        IID_ICLRRuntimeHost, (PVOID*)&pClrHost);


    hr = pClrHost->Start();


    DWORD dwRet = 0;
    hr = pClrHost->ExecuteInDefaultAppDomain(
        L"bla-bla\\NInject.exe",
        L"NInject.NInject_Program", L"Injector", L"MyParameter", &dwRet);



    hr = pClrHost->Stop();

    pClrHost->Release();
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    StartTheDotNetRuntime();
    break;
    case DLL_THREAD_ATTACH:
    break;
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:


        break;
    }
    return TRUE;
}

Output:

process: C:\Program Files\Paint.NET\PaintDotNet.exe

type: PaintDotNet.Dialogs.MainForm
field appWorkspace: PaintDotNet.Controls.AppWorkspace
field defaultButton: System.Windows.Forms.Button, Text: 
field floaters: PaintDotNet.Dialogs.FloatingToolForm[]
field floaterOpacityTimer:  [System.Windows.Forms.Timer], Interval: 25
field deferredInitializationTimer: 
field components: System.ComponentModel.Container
field killAfterInit: False
field singleInstanceManager: PaintDotNet.SystemLayer.SingleInstanceManager
field queuedInstanceMessages: System.Collections.Generic.List`1[System.String]
field processingOpen: False
field scrollPosition: {X=0,Y=0}