读取进程的内存

时间:2015-09-24 17:44:34

标签: c winapi memory windows-10

我有一个用 C 写的函数,它应该扫描一个进程的内存。我先在记事本(notepad)上运行它,由于失败了,又尝试了更多的进程。它始终无法正常工作,输出总是如下:

0x00010000
0x7FFE0000
0x7FFE1000

当我使用 Windows 7 时,该函数运行正常。代码如下:

/*
 * ScanProcess (version from the question, reported as failing).
 *
 * Opens the process identified by pid, then walks addresses from
 * lpMinimumApplicationAddress up to lpMaximumApplicationAddress, calling
 * VirtualQueryEx() at each step and printing the address queried.
 * Regions that are committed and exactly PAGE_READWRITE print "MEM_COMMIT".
 *
 * Returns 0 on every path, including when OpenProcess() fails.
 * The process handle is never released with CloseHandle() in this block.
 */
int ScanProcess(int pid)
{
    HANDLE hProc;
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    // NOTE(review): declared as pointer-to-LPVOID (void **), although only
    // plain addresses are stored in these variables.
    LPVOID *minAddress, *maxAddress;

    // GetSystemInfo() reports the address range usable by applications.
    GetSystemInfo(&si);
    minAddress = si.lpMinimumApplicationAddress;
    maxAddress = si.lpMaximumApplicationAddress;

    // NOTE(review): PROCESS_ALL_ACCESS requests every access right. The loop
    // below only calls VirtualQueryEx(), which needs PROCESS_QUERY_INFORMATION;
    // the planned memory read would add PROCESS_VM_READ. The second argument
    // is the BOOL bInheritHandle; NULL is used here in place of FALSE.
    hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);

    if (!hProc) {
        printf("[-] OpenProcess() failed.\n");
        return 0;}

    while (minAddress < maxAddress)
    {
        // NOTE(review): %08X expects an unsigned int but receives a pointer;
        // on a 64-bit build the argument is wider than the conversion.
        printf("0x%08X\n", minAddress);
        // NOTE(review): a failed query is only logged. The loop continues and
        // reads mbi anyway, which is uninitialized on the first iteration and
        // stale afterwards. GetLastError() returns a DWORD, printed with %d.
        if(!VirtualQueryEx(hProc, minAddress, &mbi, sizeof(mbi))) printf("[-] VirtualQueryEx() failed. %d\n", GetLastError());
        // Exact comparison: a region whose Protect value carries any extra
        // modifier bit does not match.
        if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE)
        {
            printf("MEM_COMMIT\n"); // Placeholder: once the scan works, the region's memory is to be read and processed here.
        }
        // Advance to the end of the region just queried.
        // NOTE(review): long is 32 bits wide on Windows, also in 64-bit builds,
        // so this cast discards the upper half of a 64-bit base address.
        // Presumably related to the reported failure; the answer replaces it.
        minAddress = (LPVOID)((long)mbi.BaseAddress + mbi.RegionSize);
    }

    return 0;
}

有人能解决问题吗?谢谢:))

@Harry Johnston,这是我到目前为止所得到的。

/*
 * ScanProcess (asker's second attempt, addresses held as DWORD64).
 *
 * Same walk as the first version: open the process identified by pid,
 * query successive regions with VirtualQueryEx() and print each queried
 * address; committed, exactly PAGE_READWRITE regions print "MEM_COMMIT".
 *
 * Returns 0 on every path, including when OpenProcess() fails.
 * The process handle is never released with CloseHandle() in this block.
 */
int ScanProcess(int pid)
{
HANDLE hProc;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
// Addresses are kept as 64-bit integers instead of pointers.
DWORD64 minAddress, maxAddress;

GetSystemInfo(&si);
minAddress = (DWORD64)si.lpMinimumApplicationAddress;
maxAddress = (DWORD64)si.lpMaximumApplicationAddress;

// NOTE(review): PROCESS_ALL_ACCESS requests every access right; the loop
// below only needs PROCESS_QUERY_INFORMATION for VirtualQueryEx(). The
// second argument is the BOOL bInheritHandle; NULL stands in for FALSE.
hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);

if (!hProc) {
    printf("[-] OpenProcess() failed.\n");
    return 0;}

while (minAddress < maxAddress)
{
    // NOTE(review): %08X expects an unsigned int, but a 64-bit DWORD64 is
    // passed; the format does not match the argument.
    printf("0x%08X\n", minAddress);
    // NOTE(review): a failed query is only logged; mbi is still read below
    // (uninitialized on the first iteration, stale afterwards), so the loop
    // may not advance. GetLastError() returns a DWORD, printed with %d.
    if(!VirtualQueryEx(hProc, (LPCVOID)minAddress, &mbi, sizeof(mbi))) printf("[-] VirtualQueryEx() failed. %d\n", GetLastError());
    // Exact comparison: extra protection modifier bits make it not match.
    if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE)
    {
        printf("MEM_COMMIT\n"); // Placeholder: once the scan works, the region's memory is to be read and processed here.
    }
    // Advance to the end of the region just queried, in 64-bit arithmetic.
    minAddress = (DWORD64)mbi.BaseAddress + mbi.RegionSize;
}

return 0;
}

1 个答案:

答案 0 :(得分:3)

试试这个版本:

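/*
 * Walk the address space of process `pid` region by region and print the
 * base of every region queried; committed regions whose protection is
 * exactly PAGE_READWRITE are additionally flagged with "MEM_COMMIT".
 *
 * The answer's fix is kept: pointer arithmetic is done on LPBYTE (void
 * pointers cannot be added to) and addresses are printed with %p so that
 * 64-bit pointers are not truncated.
 *
 * Review hardening on top of the answer:
 *   - the handle is opened with only the rights the scan needs instead of
 *     PROCESS_ALL_ACCESS;
 *   - the loop stops when VirtualQueryEx() fails instead of reading an
 *     uninitialized or stale MEMORY_BASIC_INFORMATION;
 *   - the loop stops if the next address would not move forward;
 *   - the process handle is closed before returning.
 *
 * Returns 0 in all cases (unchanged from the original interface).
 */
int ScanProcess(int pid)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    LPBYTE cursor, limit;
    HANDLE hProc;

    /* Range of addresses usable by applications, as reported to this process. */
    GetSystemInfo(&si);
    cursor = (LPBYTE)si.lpMinimumApplicationAddress;
    limit = (LPBYTE)si.lpMaximumApplicationAddress;

    /*
     * Least privilege: VirtualQueryEx() needs PROCESS_QUERY_INFORMATION, and
     * PROCESS_VM_READ covers the memory read planned for matching regions.
     * bInheritHandle is a BOOL, so pass FALSE rather than NULL.
     */
    hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)pid);
    if (!hProc) {
        printf("[-] OpenProcess() failed.\n");
        return 0;
    }

    while (cursor < limit) {
        LPBYTE next;

        printf("0x%p\n", (void *)cursor);

        if (VirtualQueryEx(hProc, cursor, &mbi, sizeof(mbi)) == 0) {
            /* mbi holds nothing usable after a failure, so stop the walk. */
            printf("[-] VirtualQueryEx() failed. %lu\n", (unsigned long)GetLastError());
            break;
        }

        /* Exact match: regions carrying extra modifier bits are not reported. */
        if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE) {
            printf("MEM_COMMIT\n"); /* placeholder: read and process the region here */
        }

        /* Byte-wise arithmetic keeps the full pointer width. */
        next = (LPBYTE)mbi.BaseAddress + mbi.RegionSize;
        if (next <= cursor) {
            break; /* no forward progress (wrap-around or empty region) */
        }
        cursor = next;
    }

    CloseHandle(hProc);
    return 0;
}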

它使用 LPVOID 作为指针类型,这适用于此应用程序;唯一真正的改变是先强制转换为 LPBYTE 再做指针运算(因为不能对 void 指针做加法)。

另一个更改是使用 %p 作为 printf 的格式说明符,因为它对 64 位指针也能正常工作。