我想要一个函数来读取另一个进程的内存。
我在想这样的事情(伪代码):

staticAddress = 0x026E0DC4
processId = GetProcessIdByName(processName)
processHandle = GetProcessHandle(processId)
processBaseAddress = GetBaseAddress(processHandle)
addressToRead = processBaseAddress+staticAddress
readValueAsInt = ReadMemoryInt(processHandle, addressToRead)
readValueAsFloat = ReadMemoryFloat(processHandle, addressToRead)
readValueAsString = ReadMemoryString(processHandle, addressToRead)

这甚至可能吗?
这是我到目前为止所得到的:
#include <Windows.h>
#include <conio.h>
#include <tlhelp32.h>
#include <string>
#include <psapi.h>
#pragma comment( lib, "psapi" )

int GetProcessId(char* ProcName) {
    PROCESSENTRY32 pe32;
    HANDLE hSnapshot = NULL;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    if( Process32First( hSnapshot, &pe32 ) ) {
        do {
            if( strcmp( pe32.szExeFile, ProcName ) == 0 )
                break;
        } while( Process32Next( hSnapshot, &pe32 ) );
    }

    if( hSnapshot != INVALID_HANDLE_VALUE )
        CloseHandle( hSnapshot );

    return pe32.th32ProcessID;
}

int GetModuleBase(HANDLE processHandle, string &sModuleName)
{
   HMODULE *hModules;
   char szBuf[50];
   DWORD cModules;
   DWORD dwBase = -1;
   //------

   EnumProcessModules(processHandle, hModules, 0, &cModules);
   hModules = new HMODULE[cModules/sizeof(HMODULE)];

   if(EnumProcessModules(processHandle, hModules, cModules/sizeof(HMODULE), &cModules)) {
      for(int i = 0; i < cModules/sizeof(HMODULE); i++) {
         if(GetModuleBaseName(processHandle, hModules[i], szBuf, sizeof(szBuf))) {
            if(sModuleName.compare(szBuf) == 0) {
               dwBase = (DWORD)hModules[i];
               break;
            }
         }
      }
   }

   delete[] hModules;

   return dwBase;
}


int ReadMemoryInt(HANDLE processHandle, LPCVOID address) {
    //LPVOID buffer = ??;
    //SIZE_T size = ??;
    SIZE_T NumberOfBytesToRead = 4; //??
    ReadProcessMemory(processHandle, address, buffer, size, NumberOfBytesToRead)
    return buffer; //??
}

int ReadMemoryFloat(HANDLE processHandle, LPCVOID address) {
    //LPVOID buffer = ??;
    //SIZE_T size = ??;
    SIZE_T NumberOfBytesToRead = 8; //??
    ReadProcessMemory(processHandle, address, buffer, size, NumberOfBytesToRead)
    return buffer; //??
}

int ReadMemoryString(HANDLE processHandle, LPCVOID address) {
    //LPVOID buffer = ??;
    //SIZE_T size = ??;
    SIZE_T NumberOfBytesToRead = 999; //??
    ReadProcessMemory(processHandle, address, buffer, size, NumberOfBytesToRead)
    return buffer; //??
}

int main()
{
    //read an integer from "Program.exe"+0x05D8A3C4
    int address = 0x05D8A3C4;
    char* processName = "Program.exe";
    int processId = GetProcessId(processName);
    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, false, processId);
    int processBaseAddress = GetModuleBase(processHandle, (string)"Program.exe";
    LPCVOID actualAddress = processBaseAddress+address;
    int readValue = ReadMemory(processHandle, actualAddress);
    std::cout << readValue << std::endl;
    CloseHandle(processHandle);
    return 0;
}

从代码中的问号可以看出,我真的不确定 ReadProcessMemory 的“缓冲区”和“大小”参数。如果有人能帮我解决这个问题,我真的很感激。

最佳答案

以下是 ReadMemoryInt() 函数的示例:

int ReadMemoryInt(HANDLE processHandle, LPCVOID address) {
    int buffer = 0;
    SIZE_T NumberOfBytesToRead = sizeof(buffer); //this is equal to 4
    SIZE_T NumberOfBytesActuallyRead;
    BOOL err = ReadProcessMemory(processHandle, address, &buffer, NumberOfBytesToRead, &NumberOfBytesActuallyRead);
    if (err || NumberOfBytesActuallyRead != NumberOfBytesToRead)
      /*an error occured*/ ;
    return buffer;
}
& 意味着传递的是变量的地址而不是它的值。

ReadMemoryString() 中,您无法知道需要读取的实际大小,您可以读取一个大块(大小为 999)或读取许多小块,直到得到一个包含\0 的块。

如果您想知道它是否有效,您可以在调试器中启动它并查看是否返回了您期望的值。

关于C++:读取另一个进程的内存,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/19606159/

10-11 22:46
查看更多