9,506
社区成员
发帖
与我相关
我的任务
分享怎样读取一个进程的内存数据。
/*
两个关键函数 ReadProcessMemory和VirtualQueryEx 理解得不透彻,所以可能有点小问题,但大体流程应该是这样,希望对你有帮助。另外,好多地方没有作错误检查,不保证在你的环境下一定能用。
请各路大神指正。
*/
#include<iostream>
#include <fstream>
#include<windows.h>
#include<tlhelp32.h>
using namespace std;
int main()
{
char app[1024];
cout<<"请输入映像名(含.exe)\n如: ctfmon.exe\n:";
cin>>app;
fstream fp("dump.txt",ios::binary|ios::out);
BOOL flag=0;
HANDLE htoken;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&htoken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(htoken,0,&tkp,NULL,NULL,0);
CloseHandle(htoken);
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
HANDLE hprosnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hprosnap==INVALID_HANDLE_VALUE)
{
cout<<"Snapshot failed!"<<endl;
}
if(Process32First(hprosnap,&pe32))
{
do
{
if(!strcasecmp(app,pe32.szExeFile))
{
cout<<"Program is dumping..."<<endl;
flag=true;
break;
}
}
while(::Process32Next(hprosnap,&pe32));
}
CloseHandle(hprosnap);
if(!flag)
{
cout<<"Process not found!\n";
system("pause");
return 1;
}
SYSTEM_INFO si;
GetSystemInfo(&si);
HANDLE htarget=OpenProcess(PROCESS_ALL_ACCESS,0,pe32.th32ProcessID);
if(htarget==NULL)
{
cout<<"Open Process Error!\n";
return 2;
}
MEMORY_BASIC_INFORMATION mbi;
char *onepagebuf=new char [si.dwPageSize];
for(DWORD start=(DWORD)si.lpMinimumApplicationAddress; start<(DWORD)si.lpMaximumApplicationAddress-si.dwPageSize; start+=si.dwPageSize)
{
if(!VirtualQueryEx(htarget,(void *)start,&mbi,sizeof(mbi))==sizeof(mbi))
break;
if(mbi.State==MEM_COMMIT)
{
ReadProcessMemory(htarget,(void *)start,onepagebuf,si.dwPageSize,NULL);
fp.write(onepagebuf,si.dwPageSize);
}
}
cout<<"done\n";
CloseHandle(htarget);
fp.close();
delete []onepagebuf;
system("pause");
return 0;
}
很实用的程序 期待您的评价!
两个关键函数 ReadProcessMemory和VirtualQueryEx 理解得不透彻,所以可能有点小问题,但大体流程应该是这样,希望对你有帮助。另外,好多地方没有作错误检查,不保证在你的环境下一定能用。
请各路大神指正。
*/
#include<iostream>
#include <fstream>
#include<windows.h>
#include<tlhelp32.h>
using namespace std;
int main()
{
char app[1024];
cout<<"请输入映像名(含.exe)\n如: ctfmon.exe\n:";
cin>>app;
fstream fp("dump.txt",ios::binary|ios::out);
BOOL flag=0;
HANDLE htoken;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&htoken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(htoken,0,&tkp,NULL,NULL,0);
CloseHandle(htoken);
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
HANDLE hprosnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hprosnap==INVALID_HANDLE_VALUE)
{
cout<<"Snapshot failed!"<<endl;
}
if(Process32First(hprosnap,&pe32))
{
do
{
if(!strcasecmp(app,pe32.szExeFile))
{
cout<<"Program is dumping..."<<endl;
flag=true;
break;
}
}
while(::Process32Next(hprosnap,&pe32));
}
CloseHandle(hprosnap);
if(!flag)
{
cout<<"Process not found!\n";
system("pause");
return 1;
}
SYSTEM_INFO si;
GetSystemInfo(&si);
HANDLE htarget=OpenProcess(PROCESS_ALL_ACCESS,0,pe32.th32ProcessID);
if(htarget==NULL)
{
cout<<"Open Process Error!\n";
return 2;
}
MEMORY_BASIC_INFORMATION mbi;
char *onepagebuf=new char [si.dwPageSize];
for(DWORD start=(DWORD)si.lpMinimumApplicationAddress; start<(DWORD)si.lpMaximumApplicationAddress-si.dwPageSize; start+=si.dwPageSize)
{
if(!VirtualQueryEx(htarget,(void *)start,&mbi,sizeof(mbi))==sizeof(mbi))
break;
if(mbi.State==MEM_COMMIT)
{
ReadProcessMemory(htarget,(void *)start,onepagebuf,si.dwPageSize,NULL);
fp.write(onepagebuf,si.dwPageSize);
}
}
cout<<"done\n";
CloseHandle(htarget);
fp.close();
delete []onepagebuf;
system("pause");
return 0;
}
很实用的程序 期待您的评价!
...全文
请发表友善的回复…
发表回复
「已注销」 2013-10-28
- 打赏
- 举报
ReadProcessMemory,
youaremy菜 2013-03-14
- 打赏
- 举报
非常谢谢!已解决
赵4老师 2012-06-29
- 打赏
- 举报
MSDN98中的例子walker又名pwalk。完整列出指定进程的内存使用情况,显示进程地址空间内容,装载哪些DLL,代码、数据、堆栈段分配在何处,可以用来检测内存泄漏,监测内存使用。
http://download.csdn.net/detail/zhao4zhong1/3667896
http://download.csdn.net/detail/zhao4zhong1/3667896
s11ss 2012-06-29
- 打赏
- 举报
ReadProcessMemory就可以读取了
