Search for a string in process memory

Time: 2017-03-07 18:09:31

Tags: c++ windows string-search readprocessmemory

Below is some code I pieced together that should retrieve the process ID of the game/application you enter. In my case, Minecraft. Is there any way I can now use something like ReadProcessMemory to search memory for a string? Maybe a list of strings, and if something matches it would return something like "Found: (string)".
#include <iostream>
#include <Windows.h>
using namespace std;

int main()
{
    HWND hwnd = FindWindowA(NULL, "Minecraft 1.7.10");
    if (!hwnd)
    {
        system("cls");
        cerr << "[+] Please open Minecraft 1.7.10 [+]" << endl;
        Sleep(3000);
        exit(-1);
    }

    DWORD procID = 0;
    GetWindowThreadProcessId(hwnd, &procID);

    // was `if (procID = NULL)`: an assignment, so the check never fired
    if (procID == 0)
    {
        cerr << "[+] INTERNAL ERROR: Cannot obtain PID [+]" << endl;
        Sleep(2000);
        exit(-1);
    }

    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (!pHandle)
    {
        cerr << "ERROR: OpenProcess failed, code " << GetLastError() << endl;
        exit(-1);
    }
    cout << "[+] Found Minecraft with PID: #" << procID << " [+]\n\n";
    Sleep(1000);

    CloseHandle(pHandle);
    system("pause");
    return 0;
}

1 answer:

Answer 0: (score: 0)

To find things in memory you use what is called a pattern scan. Internally and externally it is basically the same process, but in an external project you use ReadProcessMemory() to make a local copy of the target process's memory region and then scan that buffer.

You use VirtualQueryEx to find the valid memory regions and then scan only those.

Here is code that does this successfully:

#include <Windows.h>
#include <cstring>

// Byte-by-byte comparison of `pattern` against `begin`: an 'x' in `mask` means
// that byte must match, any other mask character is a wildcard. Returns the
// address of the first match inside [begin, begin + size) or nullptr.
char* ScanBasic(const char* pattern, const char* mask, char* begin, intptr_t size)
{
    intptr_t patternLen = (intptr_t)strlen(mask);

    for (intptr_t i = 0; i + patternLen <= size; i++)
    {
        bool found = true;
        for (intptr_t j = 0; j < patternLen; j++)
        {
            if (mask[j] == 'x' && pattern[j] != begin[i + j])
            {
                found = false;
                break;
            }
        }
        if (found) return begin + i;
    }
    return nullptr;
}

// Internal variant: the scanner runs inside the target, so VirtualQuery can
// walk the regions directly and ScanBasic reads them in place.
char* ScanInternal(const char* pattern, const char* mask, char* begin, intptr_t size)
{
    char* match{ nullptr };
    MEMORY_BASIC_INFORMATION mbi{};

    // step to the end of the region just queried, not curr + RegionSize
    for (char* curr = begin; curr < begin + size; curr = (char*)mbi.BaseAddress + mbi.RegionSize)
    {
        if (!VirtualQuery(curr, &mbi, sizeof(mbi))) break;
        if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD)) continue;

        match = ScanBasic(pattern, mask, (char*)mbi.BaseAddress, (intptr_t)mbi.RegionSize);
        if (match != nullptr) break;
    }
    return match;
}

// External variant: copy each committed region out of the target with
// ReadProcessMemory, scan the local copy, then translate the hit back.
char* ScanEx(const char* pattern, const char* mask, char* begin, intptr_t size, HANDLE hProc)
{
    char* match{ nullptr };
    SIZE_T bytesRead;
    DWORD oldprotect;
    char* buffer{ nullptr };
    MEMORY_BASIC_INFORMATION mbi{};

    for (char* curr = begin; curr < begin + size; curr = (char*)mbi.BaseAddress + mbi.RegionSize)
    {
        if (!VirtualQueryEx(hProc, curr, &mbi, sizeof(mbi))) break;   // end of address space
        // guard pages are skipped too: ReadProcessMemory fails on them
        if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD)) continue;

        delete[] buffer;
        buffer = new char[mbi.RegionSize];

        if (VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &oldprotect))
        {
            if (!ReadProcessMemory(hProc, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead)) bytesRead = 0;
            VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, oldprotect, &oldprotect);

            char* internalAddr = ScanBasic(pattern, mask, buffer, (intptr_t)bytesRead);

            if (internalAddr != nullptr)
            {
                // the buffer is a copy of the region starting at mbi.BaseAddress,
                // so the offset is taken from there, not from curr
                match = (char*)mbi.BaseAddress + (internalAddr - buffer);
                break;
            }
        }
    }
    delete[] buffer;
    return match;
}

Call it like this:

char* result = ScanEx("pattern", "xxxxxxx", (char*)0, 0xFFFFFFFF, hProc);

This will scan the whole process's memory for the word "pattern" and return the first address that contains it. This is just an example to explain the concept; you will want to narrow the search to a module's address range by finding the base address and size of the module in which the string lives.
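The answer calls ScanBasic() but does not show it, and the question asked for a list of strings reported as "Found: (string)". The following is an added example of my own, not the answerer's code: it is the portable part of such a scanner, the masked byte comparison, the region walk, and the translation of a hit in the local copy back to the target's address, run over two constructed in-memory regions that stand in for the VirtualQueryEx/ReadProcessMemory copies. The Region and Hit types, ScanRegions, FindStrings and MakeSampleRegions are names I chose; the region bases and contents are constructed sample data, and the `?` wildcard convention is an assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Masked byte comparison: an 'x' in `mask` means the byte must match,
// any other mask character (here '?') is a wildcard. Returns a pointer to
// the first match inside [begin, begin + size) or nullptr.
const uint8_t* ScanBasic(const uint8_t* pattern, const char* mask,
                         const uint8_t* begin, size_t size)
{
    size_t len = strlen(mask);
    if (len == 0 || len > size) return nullptr;   // pattern longer than the region
    for (size_t i = 0; i + len <= size; ++i) {
        size_t j = 0;
        while (j < len && (mask[j] != 'x' || pattern[j] == begin[i + j])) ++j;
        if (j == len) return begin + i;
    }
    return nullptr;
}

// One committed region as the ScanEx loop sees it: the base address it has in
// the target process plus the local copy that ReadProcessMemory produced.
// (Hypothetical type standing in for MEMORY_BASIC_INFORMATION + buffer.)
struct Region {
    uintptr_t base;
    std::vector<uint8_t> bytes;
};

// A string located in the target, with its address in the target's address space.
struct Hit {
    std::string name;
    uintptr_t address;
};

// Region walk: scan every local copy and translate the first hit back to the
// target's address space (base of the copied region + offset into the copy).
uintptr_t ScanRegions(const std::vector<Region>& regions,
                      const uint8_t* pattern, const char* mask)
{
    for (const Region& r : regions) {
        const uint8_t* p = ScanBasic(pattern, mask, r.bytes.data(), r.bytes.size());
        if (p != nullptr)
            return r.base + static_cast<uintptr_t>(p - r.bytes.data());
    }
    return 0;   // no region base is 0 in the sample data, so 0 doubles as "not found"
}

// The list-of-strings form the question asked for: each needle is an exact
// pattern (mask of all 'x'); every needle found is reported with its address.
std::vector<Hit> FindStrings(const std::vector<Region>& regions,
                             const std::vector<std::string>& needles)
{
    std::vector<Hit> hits;
    for (const std::string& needle : needles) {
        std::string mask(needle.size(), 'x');
        uintptr_t addr = ScanRegions(regions,
                                     reinterpret_cast<const uint8_t*>(needle.data()),
                                     mask.c_str());
        if (addr != 0) hits.push_back({needle, addr});
    }
    return hits;
}

// Constructed sample data standing in for two regions copied out of a process:
// "Steve" at 0x10000 + 20, "Minecraft 1.7.10" at 0x30000 + 40, and a short
// byte sequence at 0x30000 + 100 for the wildcard case.
std::vector<Region> MakeSampleRegions()
{
    Region a{0x10000, std::vector<uint8_t>(64, 0x00)};
    memcpy(&a.bytes[20], "Steve", 5);

    Region b{0x30000, std::vector<uint8_t>(128, 0xCC)};
    memcpy(&b.bytes[40], "Minecraft 1.7.10", 16);
    const uint8_t code[] = {0x8B, 0x45, 0x08, 0x89};
    memcpy(&b.bytes[100], code, sizeof code);

    return {a, b};
}

int main()
{
    std::vector<Region> regions = MakeSampleRegions();
    for (const Hit& h : FindStrings(regions, {"Minecraft 1.7.10", "Steve", "Creeper"}))
        std::printf("Found: %s at 0x%llx\n", h.name.c_str(),
                    static_cast<unsigned long long>(h.address));

    // wildcard scan: the third byte is ignored, so 8B 45 ?? 89 still matches
    const uint8_t pat[] = {0x8B, 0x45, 0x00, 0x89};
    std::printf("wildcard hit at 0x%llx\n",
                static_cast<unsigned long long>(ScanRegions(regions, pat, "xx?x")));
    return 0;
}
```

Two caveats carry over to the real ScanEx loop. Because every region copy is scanned on its own, a string that straddles two adjacent regions is never found; a scanner that needs to catch that keeps the last `len - 1` bytes of the previous copy and prepends them. And a handle opened with PROCESS_VM_READ | PROCESS_QUERY_INFORMATION is enough for VirtualQueryEx plus ReadProcessMemory on committed, readable pages, which is the least-privilege choice for a read-only scanner (the same matching core is what memory-dump and live-process scanners use on the defensive side), whereas PROCESS_ALL_ACCESS plus a VirtualProtectEx to RWX changes the target's page protections as a side effect.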