c / c ++我如何获得.exe运行进程的基址?

时间:2017-10-19 00:16:24

标签: c++ windows winapi cheat-engine

我正在寻找一种方法/功能,我可以用它来获得"program.exe"+03262C08 -> B4895A0的基地址。此地址来自Cheat Engine,并且已在指针扫描程序中找到基址。在指针扫描仪中,我可以按show module list,地址program.exe的地址为00400000 program.exe。扫描指针扫描器的地址09c3000(我希望在基址+多个偏移[最终地址]后到达的地址)。此地址是某些对象的基础,但我无法到达该地址。我只能在00400000获得exe文件的基址。我正在尝试添加指针03262C08(和其他人)的偏移量,但我仍然无法到达地址。我不能使用函数FindWindow()。因为该计划的名称将会发生变化,坚持下去将是多余的。我正在使用OpenProcess(), EnumProcessModulesEx(), GetModuleFileNameEx()个函数。我也尝试了其他类似GetModuleInformation(),...的结果。 GetModuleHandle()以结果0x126 [ERROR_MOD_NOT_FOUND]结束。我正在使用64位操作系统,而我正在尝试获取另一个进程的基址。 我可以看到本地机器上的所有进程和“程序”进程的模块。

if (!K32EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
    return 1;
}

cProcesses = cbNeeded / sizeof(DWORD);

cout << setw(15) << left << "Process ID" << setw(10) << left << "Modules";
cout << setw(30) << left << "Process Name" << endl;
for (i = 0; i < cProcesses; i++) {
    if (aProcesses[i] != 0) {
        ProcessView::GetProccesses(aProcesses[i], modules, sizeModules, &cModules, &hCurrProcess);
        if (hCurrProcess != NULL) {
            cout << endl << setw(15) << left << aProcesses[i] << setw(10) << left << cModules;
            ProcessView::PrintModuleName(hCurrProcess, modules);
            CloseHandle(hCurrProcess);
        }

    }
}
ProcessView::GetProccesses(cProcesses, modules, sizeModules, &cModules, &hCurrProcess);

system("cls");
ProcessView::PrintModuleNameAll(hCurrProcess, modules, cModules);

我在这里添加了我创建的ProcessView.h文件中函数的定义。

static void GetProccesses(_In_ DWORD processID, _Inout_ HMODULE ahModules[], _In_ int sizeModules, _Out_ DWORD* cModules, _Out_ HANDLE* hProcess);
static void PrintModuleName(_In_ HANDLE processID, _In_ HMODULE* modules);
static void PrintModuleNameAll(_In_ HANDLE hProcess, _In_ HMODULE * modules, _In_ DWORD cModules);

2 个答案:

答案 0 :(得分:1)

Windows现在已经使用地址空间布局随机化大约十年了,但是EXE的模块基础远远超过了它。简单地忽略它,它现在毫无意义。

不要忘记:每个进程都有自己的地址空间。一个过程中的指针在另一个过程中没有意义。

答案 1 :(得分:0)

要在通过进程上的指针链找到的地址上使用ReadProcessMemoryWriteProcessMemory并在运行时动态获取模块基地址,您需要完成以下步骤:

  • 使用ToolHelp32Snapshot
    • 查找流程
  • 使用ToolHelp32Snapsho查找模块
  • 获取具有正确权限的流程的句柄
  • 遍历指针链,取消引用并添加偏移量
  • 然后您可以调用ReadProcessMemory或WriteProcessMemory
  • 您必须以管理员身份运行

在此示例中,我将使用我制作的简单的攻击立方体作弊

#include <iostream>
#include <vector>
#include <Windows.h>
#include "proc.h"

int main()
{
    //Get ProcId of the target process
    DWORD procId = GetProcId(L"ac_client.exe");

    //Getmodulebaseaddress
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"ac_client.exe");

    //Get Handle to Process
    HANDLE hProcess = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, procId);

    //Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x10f4f4;

    std::cout << "DynamicPtrBaseAddr = " << "0x" << std::hex << dynamicPtrBaseAddr << std::endl;

    //Resolve our ammo pointer chain
    std::vector<unsigned int> ammoOffsets = { 0x374, 0x14, 0x0 };
    uintptr_t ammoAddr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, ammoOffsets);

    std::cout << "ammoAddr = " << "0x" << std::hex << ammoAddr << std::endl;

    //Read Ammo value
    int ammoValue = 0;

    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);
    std::cout << "Curent ammo = " << std::dec << ammoValue << std::endl;

    //Write to it
    int newAmmo = 1337;
    WriteProcessMemory(hProcess, (BYTE*)ammoAddr, &newAmmo, sizeof(newAmmo), nullptr);

    //Read out again
    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);

    std::cout << "New ammo = " << std::dec << ammoValue << std::endl;

    getchar();
    return 0;
}

头文件proc.cpp:

DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    uintptr_t modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}

uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), 0);
        addr += offsets[i];
    }
    return addr;
}
相关问题
最新问题