DLLImport of the origin function in the DLL

If only kernel32.dll is being changed you could call ntdll.dll!NtReadVirtualMemory (ReadProcessMemory itself calls this function).

If ntdll.dll is also seems to be changed by 3rd party process you could copy ntdll.dll to another temporary file (ntdll_copy.dll), and use it:

[DllImport("ntdll_copy.dll", EntryPoint = "NtReadVirtualMemory")]
private static extern bool NtReadVirtualMemory(IntPtr hProcess, UIntPtr lpBaseAddress, [Out] byte[] lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead);

Browse More Popular Posts

Leave a Comment