As far as I know, C# doesn’t have the
capability to read/write memory
process, so it must call the win32 API
dlls via P/Invoke.

Correct, and you’ve found the right Win32 APIs to do so.

I would normally have two vars
either separate or within an array:

private string original = "d0 d0 66 ae 0b 68 b9 0a";
private string replace = "d0 02 02 24 00 68 b9 0a";

For ReadProcessMemory and WriteProcessMemory, you won’t use strings, you’ll use actual arrays of bytes (byte[]) as seen in the P/Invoke function signatures you listed. Your UI or command-line tool can take strings, but you’ll need to convert them into byte arrays.

If you haven’t yet, you should read the MSDN documentation for ReadProcessMemory and WriteProcessMemory. They give a good description of what’s expected for each parameter, what happens, and what’s returned.

In the ReadProcessMemory call, I’m not
understanding why lpBaseAddress is
necessary. The OpenHandle I would
normally place the string of the
application, since I am directly
editing it.

First, the OpenHandle parameter expects a handle to a process, not the file name, which is what I think you’re referring to. You can get the handle to a running process by using the Win32 OpenProcess API (P/Invoke signature can be found here). To read and write memory in the process, you’ll need at least PROCESS_VM_READ and PROCESS_VM_WRITE access.

lpBuffer I assume is the
actual array of bytes to read/write.
The size I am not so sure about, and
the lpNumberOfBytesRead is the number
to read? Reciprocal questioning for
WriteProcessMemory as well.

For ReadProcessMemory, lpBaseAddress specifies where in the target process’ memory you want to read from. lpBuffer gets filled with the memory contents of the target process. size specifies how many bytes to read. lpNumberOfBytesRead is an output argument telling you how many bytes were actually read as part of the operation. In success cases, this should match the size of the buffer you specify.

Given that, you should be able to figure out what all the parameters to WriteProcessMemory do.

More to the point of how to achieve what you’re trying to do: you’re trying to do a search-and-replace operation. The search portion is going to be the toughest. There are two major approaches I can think of:

1. You can do a full scan on the process’ memory (literally from address zero up to the 2/3GB limit (for 32-bit processes)) looking for your bytes. This is the slowest but easiest way.

2. Using heap information, you can limit your scan to known allocated addresses. This is a faster but much more complicated approach. Since you’re running on Windows, the process you’re targeting is likely going to be using the Windows heap for memory management. Windows provides an API, HeapWalk, to walk the heaps (and objects) that are allocated in a process. Unfortunately, this requires a handle to a heap, and the GetProcessHeap/GetProcessHeaps methods only return a handle to the calling process’ heaps (they don’t work for remote processes). So, if you wanted heap information for a remote process, you’d need to inject a thread into the remote process to gather this information for you (i.e. by using CreateRemoteThread). Once you have the valid heap addresses, you could just scan those from your search-and-replace app.