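I have a program that scans the memory of a given program by PID. It works on Windows XP and Windows 7, but suddenly it does not work on Windows 10.
I even enabled process privileges. What is the reason it cannot inspect the memory of notepad.exe on Windows 10? It is not even a SYSTEM process.
Here is a basically identical example: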
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Learning PHP</title>
<link rel="stylesheet" type="text/css" href="style.css"/>
<script type="text/javascript" src="script.js"></script>
</head>
<body>
<form action="welcome.php" method="post" name="myForm" target="_blank" onsubmit="">
<label for="first-name">First Name: </label>
<input type="text" name="first-name" placeholder="John" id="first-name"/>
<label for="last-name">Last Name: </label>
<input type="text" name="last-name" placeholder="Doe" id="last-name"/>
<input type="submit"/>
</form>
</body>
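In this example, the program does not output a memory dump of notepad.exe when the PID is entered. Is there any useful solution to make my program work well on Windows 10? Thanks in advance.
Answer 0 (score: 1)
The sample program was designed for 32-bit processes. It tries to create a file of the process memory, which is too large for 64-bit. If you comment out the attempt to write the file, fix the for loop to iterate over the larger process space, and compile as 64-bit, it will work. Make these changes: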
for(std::uint64_t address = 0;;) // remove exit condition
{
    MEMORY_BASIC_INFORMATION mbi;
    zero_struct(mbi);
    auto bytes = VirtualQueryEx(proc, (LPCVOID)address, &mbi, sizeof(mbi));
    if (!bytes){
        break; // break loop when address exceeds maximum supported
    }
    if (mbi.State == MEM_COMMIT && (mbi.Protect & PAGE_GUARD) != PAGE_GUARD)
        regions.push_back(memory_region{ (std::uint64_t)mbi.BaseAddress, mbi.RegionSize, mbi });
    address += mbi.RegionSize;
}
Comment out the file writing. It needs to be re-evaluated.
//std::ofstream file("dump.bin", std::ios::binary);
...
//file.seekp(region.start);
//file.write(&buffer[0], buffer.size());
Output for Notepad. Note that the flat size (the size of the file it tries to write) is 140TB.
Flat size: 140728080994304
Packed size: 106180608
Warning: region starting at 0x00007df600fe8000 has size 552960, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f5d23000 has size 6721536, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f638e000 has size 3747840, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f672d000 has size 77824, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6748000 has size 147456, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6777000 has size 786432, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f683a000 has size 16384, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f683f000 has size 774144, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6902000 has size 4096, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6906000 has size 163840, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f692f000 has size 8192, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6938000 has size 331776, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f698c000 has size 32768, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f699a000 has size 319488, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f69ea000 has size 4096, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f69ee000 has size 32768, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f69fe000 has size 8192, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6a35000 has size 4096, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6a8e000 has size 77824, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6aad000 has size 32768, but only 0 bytes could be read by ReadProcessMemory().
Warning: region starting at 0x00007ff5f6ac7000 has size 20480, but only 0 bytes could be read by ReadProcessMemory().
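An added example, not part of the original answer or the asker's program: one way to replace the commented-out flat file (offset equals virtual address, hence the 140TB size) is a packed dump with an address index, which also gives unreadable regions like those in the warnings no file space. `Region`, `IndexEntry`, the header size and the two readable sample regions are assumptions constructed for illustration; the code is portable C++ and calls no Windows API.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Constructed stand-in for one walked region: base/size as VirtualQueryEx
// reports them, bytes_read as ReadProcessMemory returned (0 = unreadable).
struct Region { std::uint64_t base, size, bytes_read; };
// Index entry of the hypothetical packed format: where the bytes were stored.
struct IndexEntry { std::uint64_t base, stored, file_offset; };

// Flat layout (file offset == virtual address) must reach the highest region end.
std::uint64_t flat_size(const std::vector<Region>& regions) {
    std::uint64_t end = 0;
    for (const Region& r : regions) end = std::max(end, r.base + r.size);
    return end;
}

// Packed layout: readable bytes are stored back to back after a header of
// header_bytes; unreadable regions get no entry and no file space.
std::vector<IndexEntry> build_index(const std::vector<Region>& regions,
                                    std::uint64_t header_bytes) {
    std::vector<IndexEntry> index;
    std::uint64_t offset = header_bytes;
    for (const Region& r : regions) {
        if (r.bytes_read == 0) continue;
        index.push_back(IndexEntry{r.base, r.bytes_read, offset});
        offset += r.bytes_read;
    }
    return index;
}

// Map a virtual address to its packed-file offset (bases ascend, so binary search).
bool to_file_offset(const std::vector<IndexEntry>& index, std::uint64_t va,
                    std::uint64_t& out) {
    auto it = std::upper_bound(index.begin(), index.end(), va,
        [](std::uint64_t a, const IndexEntry& e) { return a < e.base; });
    if (it == index.begin()) return false;          // below the first stored region
    --it;
    if (va - it->base >= it->stored) return false;  // in a gap or an unread tail
    out = it->file_offset + (va - it->base);
    return true;
}

// Constructed sample: two readable regions plus one unreadable region whose
// address and size are taken from the warnings in the answer's output.
std::vector<Region> sample_regions() {
    return { {0x10000, 0x1000, 0x1000},
             {0x00007df600fe8000, 552960, 0},
             {0x00007ff6a0000000, 0x2000, 0x2000} };
}
```

With the sample regions the flat layout would need a file ending at 0x00007ff6a0002000, while the packed layout stores 0x3000 bytes plus the header.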