写入另一个过程'使用WriteProcessMemory和指针的内存

时间:2016-03-25 16:22:01

标签: c++ pointers memory process windows-ce

可能有几个帖子以多种方式解释我的问题...但我一直在谷歌和stackoverflow搜索框中搜索,我没有找到任何东西。所以我走了。

我想在进程内存中写一个字符串在c ++中更改它,但我甚至不清楚它是如何工作的......

我有这个指针: Image of the pointer 拜托,有人可以帮我做吗?

我已经尝试过,但它没有工作......

#include <windows.h> 
#include <iostream> 

int main() {
    HWND hWnd = FindWindow(0, "WindowName");
    if (hWnd == 0) {
        std::cout << "Cannot find window." << std::endl;
    }
    DWORD pId;
    GetWindowThreadProcessId(hWnd, &pId);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
    DWORD baseAddress = 0x009B03D0;
    DWORD offset = 0xA7;
    DWORD ptrAddress;
    char *newString = "newvalue";
    ReadProcessMemory(hProc, (void*)baseAddress, &ptrAddress, sizeof(DWORD), 0);
    WriteProcessMemory(hProc, (void*)(ptrAddress + offset), newString, strlen(newString), 0);
    std::cout << "Done. " << &ptrAddress << std::endl;
    std::getchar();
}

我应该得到指针并跳到最后一个,因为我只有一个偏移..但我没有得到正确的..

编辑:

这是我的新代码,它一直工作到WriteProcessMemory函数..什么可能出错?

实际运作的代码:

int main()
{
    unsigned long Pointer;   /* to hold the final value */
    unsigned long temp;      /* hold the temp values    */
    unsigned long address = 0x009B03D0;
    unsigned long offset = 0xA7;
    unsigned long newString = 0;
    DWORD pid;
    HWND hwnd;
    hwnd = FindWindow(0, TEXT("NewWindow"));
    if (!hwnd)
    {
        cout << "No!\n";
        cin.get();
    }
    else
    {
        GetWindowThreadProcessId(hwnd, &pid);
        HANDLE phandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
        if (!phandle)
        {
            cout << "None!\n";
            cin.get();
        }
        else
        {
            while (1)
            {

                ReadProcessMemory(phandle, reinterpret_cast<LPVOID>(address), &temp, sizeof(temp), 0);
                Pointer = temp + offset;
                //Good
                ReadProcessMemory(phandle, reinterpret_cast<LPVOID>(Pointer), &newString, 16, 0);
                cout << reinterpret_cast<LPVOID>(Pointer) << " en " << newString;
                Sleep(1000);
            }
            return 0;
        }
    }
}

不起作用的代码:

int main()
{
    unsigned int Pointer;   /* to hold the final value */
    unsigned int temp;      /* hold the temp values    */
    unsigned int address = 0x009B03D0;
    unsigned int offset = 0xA7;
    unsigned int newString = 1768060259;
    DWORD pid;
    HWND hwnd;
    hwnd = FindWindow(0, TEXT("NewWindow"));
    if (!hwnd)
    {
        cout << "NO\n";
        cin.get();
    }
    else
    {
        GetWindowThreadProcessId(hwnd, &pid);
        HANDLE phandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
        if (!phandle)
        {
            cout << "NONE\n";
            cin.get();
        }
        else
        {
            while (1)
            {

                ReadProcessMemory(phandle, reinterpret_cast<LPVOID>(address), &temp, sizeof(temp), 0);
                Pointer = temp + offset;
                //Good
                if (!WriteProcessMemory(phandle, reinterpret_cast<LPVOID>(Pointer), &newString, sizeof(newString), 0))
                    std::cerr << "Couldn't write process memory:" << GetLastError() << std::endl;
                cout << reinterpret_cast<LPVOID>(Pointer) << " en " << newString;
                Sleep(1000);
            }
            return 0;
        }
    }
}

1 个答案:

答案 0 :(得分:1)

每个进程都有自己的内存和地址空间。因此ReadProcessMemory()和WriteProcessMemory()使用中间缓冲区来完成访问另一个进程的内存的工作。

很遗憾,您的from BaseTestCase import BaseTestCase from pages.BasePage import BasePage from login.TALogin_Test import TALogin import nose class TALogout_Test(TALogin): def setUp(self): super(TALogout_Test, self).setUp() def test(self): super(TALogout_Test, self).test() base_obj = BasePage(self.driver) base_obj.do_logout() def tearDown(self): super(TALogout_Test, self).tearDown() if __name__ == "__main__": nose.run(defaultTest=__name__) 电话存在问题:

  • 您没有初始化ReadProcessMemory()以指向缓冲区
  • 您传递ptrAddress的地址,而不是其应指向有效缓冲区的值
  • 传递0(即nullptr)而不是传递应该包含可以读取的字节数的zie变量的地址。

另请注意,您使用ptrAddress LPCVOID管理目标流程中的地址。第一个总是32位,而后者取决于您的编译选项(32位代码或64位代码)。

如果失败,您还应验证DWORD。几乎可以肯定,在不同的过程中需要特殊的特权来读/写。

这里是一个经过调整的代码,带有一些诊断信息可以帮助您进一步。

HWND hWnd = FindWindow(0, TEXT("WindowName") );
if (hWnd == 0) {
    std::cerr << "Cannot find window." << std::endl;
}
else {
    DWORD pId;
    GetWindowThreadProcessId(hWnd, &pId);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
    if (hProc) {
        char *newString = "newvalue";
        size_t sz = strlen(newString) + 1; 
        LPVOID baseAddress = (LPVOID)0x009B03D0;
        DWORD offset = 0xA7;
        LPVOID ptrAddress = new char[sz];
        SIZE_T bytes_read = 0, bytes_written=0;
        if (ReadProcessMemory(hProc, baseAddress, ptrAddress, sz, &bytes_read) || GetLastError()== ERROR_PARTIAL_COPY) {
            if (bytes_read == 0)
                std::cerr << "Houston, we have a problem..." << std::endl; 
            if(!WriteProcessMemory(hProc, baseAddress, (LPCVOID)newString, sz, &bytes_written)) 
                std::cerr << "Couldn't write process memory:" << GetLastError() << std::endl;
            std::cout << "Done. " << bytes_read <<" bytes read and "<<bytes_written<<" bytes written"<< std::endl;
        }
        else {
            std::cerr<< "Couldn't read process memory:" << GetLastError() << std::endl;
        }
        delete[] ptrAddress; 
    }
    else {
        std::cerr << "Couldn't open process " << pId << ": " << GetLastError() << std::endl; 
    }
}
std::getchar();