I'm trying to read and write the memory of an external process, but the ReadProcessMemory()
function has a lot of inputs I'm not familiar with:
BOOL WINAPI ReadProcessMemory(
_In_ HANDLE hProcess,
_In_ LPCVOID lpBaseAddress,
_Out_ LPVOID lpBuffer,
_In_ SIZE_T nSize,
_Out_ SIZE_T *lpNumberOfBytesRead
);
I figured out how to get a handle with OpenProcess(),
but how do I know what lpBaseAddress
is? I want to dump the whole thing, so I should run a for
loop that calls it at some interval, but from what to what? I don't know where the process sits in RAM, or how big the process is (to know when the for loop should end). Which functions should I use to extract the data?
Answer 0 (score: 1)
You can read the MSDN documentation on ReadProcessMemory(), which will explain each parameter to you.
lpBaseAddress = a pointer to the address where you want to begin reading
lpBuffer = a pointer to a buffer you create to store the data you read
nSize = the size of your buffer, use sizeof(buffer)
lpNumberOfBytesRead = a pointer to another buffer which will store the number
of bytes which were successfully read, this is good for error checking
Here is some code that will effectively iterate through all of the memory, reading it into a buffer; you can then do whatever you want with the data in the buffer.
#include <iostream>
#include <windows.h>
int main()
{
    // Reading another process only needs query + VM_READ rights; PROCESS_ALL_ACCESS is more than this code uses.
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, GetCurrentProcessId());
    if (!hProc)
        return 1;
    MEMORY_BASIC_INFORMATION mbi;
    char* addr = nullptr;
    // VirtualQueryEx describes the region containing addr; it fails once addr is past the end of the address space.
    while (VirtualQueryEx(hProc, addr, &mbi, sizeof(mbi)))
    {
        // Only committed, accessible, non-guard pages can be read: ReadProcessMemory fails on
        // MEM_FREE / MEM_RESERVE regions, on PAGE_NOACCESS pages and on PAGE_GUARD pages.
        if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && !(mbi.Protect & PAGE_GUARD))
        {
            char* buffer = new char[mbi.RegionSize];
            SIZE_T bytesRead = 0;
            if (ReadProcessMemory(hProc, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead))
            {
                // The first bytesRead bytes of buffer hold the region; process them here.
                std::cout << mbi.BaseAddress << ": " << bytesRead << " bytes\n";
            }
            delete[] buffer;
        }
        // Advance to the first byte after this region (mbi.BaseAddress may be below addr on the first query).
        addr = static_cast<char*>(mbi.BaseAddress) + mbi.RegionSize;
    }
    CloseHandle(hProc);
}
This isn't a perfect method, but it's good enough for most purposes.
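The answer's loop is the standard VirtualQueryEx / ReadProcessMemory walk, but three details bite in practice: non-committed, PAGE_NOACCESS and PAGE_GUARD regions must be skipped rather than read, ReadProcessMemory can return fewer bytes than requested (that is what lpNumberOfBytesRead is for), and the walk has to stop when the next address would wrap at the top of the address space. The following is an added example, my own code rather than the answer author's, that separates the walk from the Win32 calls so the logic runs on any platform: dump_regions takes a query callback shaped like VirtualQueryEx and a read callback shaped like ReadProcessMemory. The simulated address space, its byte contents and the half-length read are constructed test data, and the constants defined when windows.h is absent are assumed to match the Win32 values.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <utility>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#else
// Assumed to match the Win32 definitions so the filter below is identical off-Windows.
constexpr uint32_t MEM_COMMIT     = 0x1000;
constexpr uint32_t MEM_FREE       = 0x10000;
constexpr uint32_t PAGE_NOACCESS  = 0x01;
constexpr uint32_t PAGE_READONLY  = 0x02;
constexpr uint32_t PAGE_READWRITE = 0x04;
constexpr uint32_t PAGE_GUARD     = 0x100;
#endif

// The subset of MEMORY_BASIC_INFORMATION the walk needs.
struct Region { uint64_t base; uint64_t size; uint32_t state; uint32_t protect; };

// query(addr, out): like VirtualQueryEx, fill out with the region containing addr, false past the end.
// read(addr, dst, n): like ReadProcessMemory, return the bytes actually copied (0 on failure).
// On Windows these are thin lambdas around the real calls, with lpNumberOfBytesRead as read's result.
using QueryFn = std::function<bool(uint64_t, Region&)>;
using ReadFn  = std::function<size_t(uint64_t, void*, size_t)>;

struct Chunk { uint64_t base; std::vector<uint8_t> data; };

// Walk the address space from 0 and copy every committed, readable, non-guard region.
std::vector<Chunk> dump_regions(const QueryFn& query, const ReadFn& read)
{
    std::vector<Chunk> out;
    uint64_t addr = 0;
    Region r{};
    while (query(addr, r)) {
        bool readable = r.state == MEM_COMMIT && r.protect != PAGE_NOACCESS && !(r.protect & PAGE_GUARD);
        if (readable) {
            std::vector<uint8_t> buf(static_cast<size_t>(r.size));
            size_t got = read(r.base, buf.data(), buf.size());
            if (got) { buf.resize(got); out.push_back({r.base, std::move(buf)}); }  // keep only what was read
        }
        uint64_t next = r.base + r.size;
        if (next <= addr) break;   // wrapped at the top of the address space
        addr = next;
    }
    return out;
}

// Constructed simulated address space: free, readable, guard and read-only regions.
struct FakeRegion { Region info; std::vector<uint8_t> bytes; };

static std::vector<uint8_t> fill(size_t n, uint8_t v) { return std::vector<uint8_t>(n, v); }

static std::vector<FakeRegion> fake_space()
{
    std::vector<FakeRegion> s;
    s.push_back({{0x00000, 0x10000, MEM_FREE, PAGE_NOACCESS}, {}});
    s.push_back({{0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE}, fill(0x1000, 0xAA)});
    s.push_back({{0x11000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD}, fill(0x1000, 0xBB)});
    s.push_back({{0x12000, 0x2000, MEM_COMMIT, PAGE_READONLY}, fill(0x2000, 0xCC)});
    return s;
}

// Runs the walk over the simulated space. The read callback returns only half of the
// read-only region, standing in for a short read reported through lpNumberOfBytesRead.
std::vector<Chunk> dump_fake_space()
{
    auto space = fake_space();
    QueryFn q = [&](uint64_t a, Region& r) {
        for (auto& fr : space)
            if (a >= fr.info.base && a < fr.info.base + fr.info.size) { r = fr.info; return true; }
        return false;
    };
    ReadFn rd = [&](uint64_t a, void* dst, size_t n) -> size_t {
        for (auto& fr : space) {
            if (a != fr.info.base || fr.bytes.empty()) continue;
            size_t avail = fr.bytes.size();
            if (fr.info.protect == PAGE_READONLY) avail /= 2;   // constructed partial read
            size_t got = n < avail ? n : avail;
            std::memcpy(dst, fr.bytes.data(), got);
            return got;
        }
        return 0;
    };
    return dump_regions(q, rd);
}
```

Against the simulated space the walk yields two chunks: the 0x1000-byte read-write region at 0x10000, and only 0x1000 of the 0x2000-byte read-only region at 0x12000, because the caller trusts the returned count rather than nSize. The guard region at 0x11000 is never touched, which matters on a real target: reading a PAGE_GUARD page from another process fails, and touching one in-process fires the guard exception.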