I am not familiar with memory management. All I want to do is read the data at a memory address. I searched for how to get a process's memory address and obtained the base address.
Get the process's pid
import psutil

def get_pid(process_name):
    for proc in psutil.process_iter():
        # proc.name is a method; call it to get the executable name
        if process_name in str(proc.name()):
            print("target: {}, pid: {}".format(process_name, proc.pid))
            return proc.pid
Find the process's base address
import ctypes
import win32process

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

process = ctypes.windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
modules = win32process.EnumProcessModules(process)
print(" ".join(hex(module) for module in modules))  # one base address per loaded module
Result:
0x140000000 0x7ff972560000 0x7ff96b650000 0x7ff971d90000 0x7ff96eb70000 0x7ff96cb60000 0x7ff950ee0000 0x7ff971e50000 0x7ff971fd0000 0x7ff970f30000 0x7ff9721f0000 0x7ff972500000 0x7ff96f0e0000 0x7ff96f040000 0x7ff96edf0000 0x7ff9718d0000 0x7ff96f020000 0x7ff9724d0000 0x7ff96cb30000 0x7ff96cad0000 0x7ff96e930000 0x7ff96efa0000 0x7ff9723a0000 0x7ff9715a0000 0x7ff9720e0000 0x7ff970ed0000 0x7ff96fa90000 0x7ff96f2e0000 0x7ff96e8f0000 0x7ff96e8d0000 0x7ff96e870000 0x7ff96e8c0000 0x7ff9713e0000 0x7ff971f00000 ...
In this step I get a list of modules; the len of modules is 137. I assume these are dynamic memory addresses. Is there a way to prove that this is dynamic memory?
Read the data at the address
import ctypes
import sys
from binascii import hexlify

for module in modules:
    addr = hex(module)  # the hex string of each module base
    print(hexlify(ctypes.string_at(id(addr), sys.getsizeof(addr))))
Result: b'0100000000000000902c806c000000000b00000000000000ffffffffffffffffe4323038380000000000000000000000307831343030303030303000' b'0100000000000000902c806c000000000e00000000000000ffffffffffffffffe4000000000000000000000000000000307837666639373235363030303000' b'0100000000000000902c806c000000000e00000000000000ffffffffffffffffe4323038380000000000000000000000307837666639366236353030303000' ...
How do I get readable data? Many thanks.
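Added example (mine, not code from the question): `ctypes.string_at(id(addr), sys.getsizeof(addr))` copies the CPython object `addr` out of your own interpreter, which is why the output above begins with a refcount of 1 and ends with the ASCII text "0x140000000"; another process's memory can only be read with ReadProcessMemory on the handle from OpenProcess, and the values from EnumProcessModules are module base addresses, where the first bytes are a DOS header ("MZ") whose e_lfanew field points at the "PE\0\0" signature. The function names and the 0x200-byte read size are my choices, and `SAMPLE_HEAD` is a constructed buffer so the parser can be checked without Windows.

```python
import ctypes
import struct
import sys

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


def read_process_memory(pid, address, size):
    """Copy `size` bytes from `address` in process `pid` via ReadProcessMemory (Windows only)."""
    if sys.platform != "win32":
        raise OSError("ReadProcessMemory exists only on Windows")
    k32 = ctypes.windll.kernel32
    # 64-bit addresses and handles must not be passed as plain C ints: declare the signatures.
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # Opening a foreign process with VM_READ is what Sysmon event 10 / EDR "process access" alerts record.
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        buf = ctypes.create_string_buffer(size)
        nread = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, address, buf, size, ctypes.byref(nread)):
            raise ctypes.WinError()
        return buf.raw[:nread.value]
    finally:
        k32.CloseHandle(handle)


def parse_module_head(data):
    """Interpret the bytes found at a module base address: DOS header, then PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None  # not a mapped image header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig_ok = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {"e_lfanew": e_lfanew, "pe_signature_ok": sig_ok}


# Constructed sample of what sits at a module base: an "MZ" stub whose e_lfanew points at "PE\0\0".
SAMPLE_HEAD = bytearray(0x80)
SAMPLE_HEAD[:2] = b"MZ"
struct.pack_into("<I", SAMPLE_HEAD, 0x3C, 0x40)
SAMPLE_HEAD[0x40:0x44] = b"PE\x00\x00"
SAMPLE_HEAD = bytes(SAMPLE_HEAD)

if __name__ == "__main__":
    # Usage on Windows: python read_mem.py <pid> <module base from EnumProcessModules>
    pid, base = int(sys.argv[1]), int(sys.argv[2], 0)
    print(parse_module_head(read_process_memory(pid, base, 0x200)))
```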