16,471
社区成员
发帖
与我相关
我的任务
分享问一个关于扫描内存查找指定内容的问题
一个程序A,该程序只有一个变量m_edt,由TEXT控件生成的一个值变量.
另外一个程序,执行的操作如下:先找到程序A的进程ID,然后打开进程读取进程那的每一个字节的值,并和m_edt的值进行比较,如果相等,则显示该字节的地址.
产生的问题
一:扫描的字节太多,反映时间太长
二:得到的结果和预期不一样,可能是我的代码的问题,或者我的理解有问题,代码如下:
void CStarCraftDlg::OnButton1()
{
// TODO: Add your control notification handler code here
CString tstr;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
HANDLE hProcess = NULL;
DWORD dwRead = 0;
DWORD pId = 0;
DWORD ret;
tstr.Format("%d",m_edt);
AfxMessageBox(tstr);
HWND hWnd = ::FindWindow(NULL,_T("testWindow"));
if(hWnd)
{
//AfxMessageBox(_T("window has been found!"));
::GetWindowThreadProcessId(hWnd,&pId);
tstr.Format("%d",pId);
//AfxMessageBox(tstr);
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pId);
if(hProcess != NULL)
{
//AfxMessageBox("Open Process OK");
GetSystemInfo(&si);
DWORD len = sizeof(MEMORY_BASIC_INFORMATION);
PVOID addr = si.lpMinimumApplicationAddress;
for(int i = 0; i < m_lst.GetCount(); i ++)
m_lst.DeleteString(i);
do
{
memset(&mbi,0,len);
ret = VirtualQueryEx(hProcess,addr,&mbi,len);
if(mbi.State == MEM_COMMIT)
{
BYTE *pBuf = (BYTE*)malloc(mbi.RegionSize);
if(ReadProcessMemory(hProcess,mbi.BaseAddress,pBuf,mbi.RegionSize,&dwRead))
{
for(unsigned int k = 0; k < dwRead; k++)
{
if ((unsigned char)((BYTE)(*pBuf)) == m_edt)
{
tstr.Format("0X%08X",(DWORD)mbi.BaseAddress + k);
m_lst.AddString(tstr);
}
pBuf++;
}
}
free(pBuf);
}
addr = (PVOID)((PBYTE)addr + mbi.RegionSize);
//AfxMessageBox("here");
}while(ret == len);
AfxMessageBox("Complete OK");
}
//CloseHandle(hProcess);
}
}
有问题吗?
谢谢!!!
另外一个程序,执行的操作如下:先找到程序A的进程ID,然后打开进程读取进程那的每一个字节的值,并和m_edt的值进行比较,如果相等,则显示该字节的地址.
产生的问题
一:扫描的字节太多,反映时间太长
二:得到的结果和预期不一样,可能是我的代码的问题,或者我的理解有问题,代码如下:
void CStarCraftDlg::OnButton1()
{
// TODO: Add your control notification handler code here
CString tstr;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
HANDLE hProcess = NULL;
DWORD dwRead = 0;
DWORD pId = 0;
DWORD ret;
tstr.Format("%d",m_edt);
AfxMessageBox(tstr);
HWND hWnd = ::FindWindow(NULL,_T("testWindow"));
if(hWnd)
{
//AfxMessageBox(_T("window has been found!"));
::GetWindowThreadProcessId(hWnd,&pId);
tstr.Format("%d",pId);
//AfxMessageBox(tstr);
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pId);
if(hProcess != NULL)
{
//AfxMessageBox("Open Process OK");
GetSystemInfo(&si);
DWORD len = sizeof(MEMORY_BASIC_INFORMATION);
PVOID addr = si.lpMinimumApplicationAddress;
for(int i = 0; i < m_lst.GetCount(); i ++)
m_lst.DeleteString(i);
do
{
memset(&mbi,0,len);
ret = VirtualQueryEx(hProcess,addr,&mbi,len);
if(mbi.State == MEM_COMMIT)
{
BYTE *pBuf = (BYTE*)malloc(mbi.RegionSize);
if(ReadProcessMemory(hProcess,mbi.BaseAddress,pBuf,mbi.RegionSize,&dwRead))
{
for(unsigned int k = 0; k < dwRead; k++)
{
if ((unsigned char)((BYTE)(*pBuf)) == m_edt)
{
tstr.Format("0X%08X",(DWORD)mbi.BaseAddress + k);
m_lst.AddString(tstr);
}
pBuf++;
}
}
free(pBuf);
}
addr = (PVOID)((PBYTE)addr + mbi.RegionSize);
//AfxMessageBox("here");
}while(ret == len);
AfxMessageBox("Complete OK");
}
//CloseHandle(hProcess);
}
}
有问题吗?
谢谢!!!
...全文
请发表友善的回复…
发表回复
mrh123 2003-11-29
- 打赏
- 举报
呼呼~~~~~
