Below is the C# code I use to read memory (for a pointer with multiple offsets). But how should I modify it so that it can use the pointer "THREADSTACK0"-0000032C as the base address (instead of 0x1002CAA70)?
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{
    class Program
    {
        const int PROCESS_VM_READ = 0x0010;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        // hProcess and lpBaseAddress are pointer-sized; declaring them as int truncates them on 64-bit.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(IntPtr hProcess,
            IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);

        // The target is a 64-bit process, so each pointer in the chain is 8 bytes wide;
        // a 4-byte read would truncate addresses such as 0x1002CAA70, which already needs 36 bits.
        static long ReadPointer(IntPtr hProcess, long address)
        {
            byte[] buffer = new byte[8];
            if (!ReadProcessMemory(hProcess, (IntPtr)address, buffer, buffer.Length, out int bytesRead) || bytesRead != buffer.Length)
                throw new InvalidOperationException($"ReadProcessMemory failed at 0x{address:X}");
            return BitConverter.ToInt64(buffer, 0);
        }

        static void Main(string[] args)
        {
            Process process = Process.GetProcessesByName("Tutorial-x86_64")[0];
            IntPtr processHandle = OpenProcess(PROCESS_VM_READ, false, process.Id);
            if (processHandle == IntPtr.Zero)
                throw new InvalidOperationException("OpenProcess failed: " + Marshal.GetLastWin32Error());

            // Static base address, then the offsets of the multi-level pointer.
            long baseAddress = 0x1002CAA70;
            long baseValue = ReadPointer(processHandle, baseAddress);
            long firstAddress = baseValue + 0x10;
            long firstValue = ReadPointer(processHandle, firstAddress);
            long secondAddress = firstValue + 0x18;
            long secondValue = ReadPointer(processHandle, secondAddress);
            long thirdAddress = secondValue + 0x0;
            long thirdValue = ReadPointer(processHandle, thirdAddress);
            long fourthAddress = thirdValue + 0x18;
            long fourthValue = ReadPointer(processHandle, fourthAddress);

            // The last dereference is the 4-byte value the chain points at.
            byte[] buffer = new byte[4];
            ReadProcessMemory(processHandle, (IntPtr)fourthValue, buffer, buffer.Length, out int bytesRead);
            Console.WriteLine(BitConverter.ToInt32(buffer, 0));
            Console.ReadLine();
        }
    }
}
I found the post "Using Pointers Found in Cheat Engine in C#", but I am having trouble implementing it.

Answer 0 (score: 2)
To find the address of THREADSTACK you have to:

1. Get the ID of each thread: take a snapshot of all threads in the process by calling ToolHelp32Snapshot() with the TH32CS_SNAPTHREAD parameter. Walk the THREADENTRY32 structures with Thread32Next() and save every th32ThreadID member variable.

2. Get a handle to each thread: use OpenThread() on each thread ID to obtain a handle to that thread.

3. Armed with the handles and IDs, get the thread stack base address: next, you need to import NtQueryInformationThread, an undocumented function exported by ntdll.dll. Then call NtQueryInformationThread() with the thread handle as the first parameter and ThreadBasicInformation as the second parameter. The result is a THREAD_BASIC_INFORMATION structure whose member variable is StackBase.

StackBase is the address of THREADSTACK; just match it with the correct ID.

An excellent C++ source showing this, written by makemek.

Generally, you do not want to use THREADSTACK pointers.
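The three steps above as an added C# example; this is not code from the question or the answer. It assumes a 64-bit build against the question's Tutorial-x86_64 process, and it reads StackBase from the TEB that the TebBaseAddress member returned by NtQueryInformationThread points to, so that StackBase - 0x32C is the question's "THREADSTACK0"-0000032C.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Added example (not from the question or the answer). Build as a 64-bit process so the struct layout
// and TEB offset match the x86_64 target; the printed address is the question's "THREADSTACK0"-0000032C.
static class ThreadStackResolver
{
    [StructLayout(LayoutKind.Sequential)]
    struct THREADENTRY32 { public uint dwSize, cntUsage, th32ThreadID, th32OwnerProcessID; public int tpBasePri, tpDeltaPri; public uint dwFlags; }
    [StructLayout(LayoutKind.Sequential)]
    struct THREAD_BASIC_INFORMATION   // ExitStatus is padded to 8 bytes on x64; CLIENT_ID is two pointers
    {
        public int ExitStatus; public IntPtr TebBaseAddress, UniqueProcess, UniqueThread, AffinityMask; public int Priority, BasePriority;
    }
    const uint TH32CS_SNAPTHREAD = 0x4, THREAD_QUERY_INFORMATION = 0x40; const int ThreadBasicInformation = 0;
    [DllImport("kernel32.dll")] static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);
    [DllImport("kernel32.dll")] static extern bool Thread32First(IntPtr hSnapshot, ref THREADENTRY32 lpte);
    [DllImport("kernel32.dll")] static extern bool Thread32Next(IntPtr hSnapshot, ref THREADENTRY32 lpte);
    [DllImport("kernel32.dll")] static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll")] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesRead);
    [DllImport("ntdll.dll")] static extern int NtQueryInformationThread(IntPtr ThreadHandle, int ThreadInformationClass, ref THREAD_BASIC_INFORMATION ThreadInformation, int ThreadInformationLength, IntPtr ReturnLength);
    // Steps 1-2: snapshot every thread, keep the IDs owned by the target (in snapshot order), open the n-th one.
    // Step 3: NtQueryInformationThread yields the TEB address; NT_TIB.StackBase sits at TEB+0x08 on x64.
    public static IntPtr ThreadStack(Process target, int n)
    {
        var ids = new List<uint>();
        IntPtr snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        var te = new THREADENTRY32 { dwSize = (uint)Marshal.SizeOf(typeof(THREADENTRY32)) };
        for (bool ok = Thread32First(snap, ref te); ok; ok = Thread32Next(snap, ref te))
            if (te.th32OwnerProcessID == (uint)target.Id) ids.Add(te.th32ThreadID);
        CloseHandle(snap);
        IntPtr hThread = OpenThread(THREAD_QUERY_INFORMATION, false, ids[n]);
        var tbi = new THREAD_BASIC_INFORMATION();
        int status = NtQueryInformationThread(hThread, ThreadBasicInformation, ref tbi, Marshal.SizeOf(typeof(THREAD_BASIC_INFORMATION)), IntPtr.Zero);
        CloseHandle(hThread);
        if (status != 0) throw new InvalidOperationException($"NtQueryInformationThread failed: 0x{status:X8}");
        var stackBase = new byte[8];
        if (!ReadProcessMemory(target.Handle, tbi.TebBaseAddress + 8, stackBase, 8, out _))
            throw new InvalidOperationException("could not read the target's TEB");
        return (IntPtr)BitConverter.ToInt64(stackBase, 0);
    }
    static void Main()
    {
        Process target = Process.GetProcessesByName("Tutorial-x86_64")[0];
        IntPtr baseAddress = ThreadStack(target, 0) - 0x32C;   // the question's "THREADSTACK0"-0000032C
        Console.WriteLine($"\"THREADSTACK0\"-0000032C resolves to 0x{baseAddress.ToInt64():X}");
    }
}
```

Compare the resolved address with the one Cheat Engine shows for "THREADSTACK0" before building a pointer path on it; the answer describes StackBase only, and Cheat Engine's own derivation of the symbol is not covered here.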