BOOL ReadProcessMemory(
HANDLE hProcess, // 游戏句柄
LPCVOID lpBaseAddress, // 内存地址
LPVOID lpBuffer, // ??????????
SIZE_T nSize, // ?????
SIZE_T * lpNumberOfBytesRead // ????
);请问第三个,第四个,还有第五个参数是干什么用的!我用金山游侠查出来内存是02DE865C,
那我想读该地址,那么第二个参数该填什么?是类似(LPCVOID)0x02DE865C的吗?此外,我想把这个地址的数值用变量读出来!但是这个函数是bool型的,我怎么读啊!!
HANDLE hProcess, // 游戏句柄
LPCVOID lpBaseAddress, // 内存地址
LPVOID lpBuffer, // ??????????
SIZE_T nSize, // ?????
SIZE_T * lpNumberOfBytesRead // ????
);请问第三个,第四个,还有第五个参数是干什么用的!我用金山游侠查出来内存是02DE865C,
那我想读该地址,那么第二个参数该填什么?是类似(LPCVOID)0x02DE865C的吗?此外,我想把这个地址的数值用变量读出来!但是这个函数是bool型的,我怎么读啊!!
你不能簡單的用這個函數來讀取其它進程的內存.這涉及跨越進程邊界.
必須用遠程注入dll或是其它跨越進程邊界的方法.
可參考Jeffrey Richter的Windows高級編程的 "打開進程邊界"
#include <stdlib.h>
#include "shlwapi.h"
#pragma comment(lib, "shlwapi.lib")

/* One saved software breakpoint: the address it was written to, the original
 * byte that 0xCC replaced (needed to restore the instruction), and a hit
 * counter that this file sets to 0 but never increments. */
typedef struct
{
    LPVOID lpAddr;
    BYTE byData;
    DWORD nCount;
} BPDATA;

/* Fixed table of 10 breakpoint slots, indexed by the nNum argument of
 * SetBreakPoint/RemoveBreakPoint. A slot is zeroed again when its breakpoint
 * is removed. */
BPDATA g_bpData[10] = {0};
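/*
 * Plant a software breakpoint (int3, 0xCC) at lpAddr in the debuggee and
 * remember the byte it replaced in g_bpData[nNum].
 *
 * hProcess: handle to the debuggee (must allow VM read/write/operation).
 * lpAddr:   address of the instruction byte to overwrite.
 * nNum:     slot in g_bpData; out-of-range slots are rejected.
 * Returns TRUE when the original byte was saved and 0xCC written, FALSE when
 * the slot is invalid or changing protection / reading / writing failed.
 * The slot is only committed on success, and the page protection is restored
 * on every path once it has been changed.
 */
BOOL SetBreakPoint(HANDLE hProcess, LPVOID lpAddr, UINT nNum)
{
    if (nNum >= sizeof(g_bpData) / sizeof(g_bpData[0]))
        return FALSE;

    // The original ignored this result and then "restored" an uninitialized
    // dwOldProt; a failed protection change now aborts before touching memory.
    DWORD dwOldProt = 0;
    if (!VirtualProtectEx(hProcess, lpAddr, 1, PAGE_EXECUTE_READWRITE, &dwOldProt))
        return FALSE;

    BYTE byOrig = 0;
    BOOL bOK = ReadProcessMemory(hProcess, lpAddr, &byOrig, 1, NULL);
    if (bOK)
    {
        BYTE byInt3 = 0xcc;
        bOK = WriteProcessMemory(hProcess, lpAddr, &byInt3, 1, NULL);
        if (bOK)
        {
            // Commit the slot only once the breakpoint is actually in place,
            // so a failed write leaves no stale entry for RemoveBreakPoint.
            g_bpData[nNum].lpAddr = lpAddr;
            g_bpData[nNum].byData = byOrig;
            g_bpData[nNum].nCount = 0;
        }
    }

    DWORD dwNewProt = 0;
    VirtualProtectEx(hProcess, lpAddr, 1, dwOldProt, &dwNewProt);
    return bOK;
}

/*
 * Restore the original byte saved in g_bpData[nNum] and free the slot.
 *
 * hProcess: handle to the debuggee.
 * nNum:     slot to remove; invalid or unused (lpAddr == 0) slots return FALSE.
 * Returns TRUE when 0xCC was still present at the address and the original
 * byte was written back. Returns FALSE (leaving the slot untouched) when the
 * byte at the address is not 0xCC, or any API call failed.
 */
BOOL RemoveBreakPoint(HANDLE hProcess, UINT nNum)
{
    if (nNum >= sizeof(g_bpData) / sizeof(g_bpData[0]))
        return FALSE;

    LPVOID lpAddr = g_bpData[nNum].lpAddr;
    if (lpAddr == NULL)
        return FALSE;   // slot not in use; the original tried to protect/read address 0

    DWORD dwOldProt = 0;
    if (!VirtualProtectEx(hProcess, lpAddr, 1, PAGE_EXECUTE_READWRITE, &dwOldProt))
        return FALSE;

    // The original overwrote the read result with the 0xCC comparison, so a
    // failed read compared an uninitialized byte. Require both.
    BYTE byTemp = 0;
    BOOL bOK = ReadProcessMemory(hProcess, lpAddr, &byTemp, 1, NULL) && byTemp == 0xcc;
    if (bOK)
    {
        bOK = WriteProcessMemory(hProcess, lpAddr, &g_bpData[nNum].byData, 1, NULL);
        if (bOK)
            ZeroMemory(&g_bpData[nNum], sizeof(g_bpData[nNum]));
    }

    DWORD dwNewProt = 0;
    VirtualProtectEx(hProcess, lpAddr, 1, dwOldProt, &dwNewProt);
    return bOK;
}

/*
 * Fetch the image name reported by a LOAD_DLL_DEBUG_EVENT into dll_name.
 *
 * lddi->lpImageName points (in the debuggee) at a pointer to the name, which
 * is UTF-16 when lddi->fUnicode is set and ANSI otherwise.
 *
 * hProcess: handle to the debuggee.
 * lddi:     the event's LoadDll record.
 * dll_name: caller buffer of nSize bytes; always NUL-terminated on return
 *           (empty when the function fails).
 * Returns TRUE when a non-empty name was copied, FALSE when there is no
 * name pointer, a read failed, or the conversion failed.
 */
BOOL GetDllName(HANDLE hProcess, LPLOAD_DLL_DEBUG_INFO lddi, LPSTR dll_name, int nSize)
{
    if (dll_name == NULL || nSize <= 0)
        return FALSE;
    dll_name[0] = '\0';
    if (lddi == NULL || lddi->lpImageName == NULL)
        return FALSE;

    LPVOID ptr = NULL;
    if (!ReadProcessMemory(hProcess, lddi->lpImageName, &ptr, sizeof(ptr), NULL) || ptr == NULL)
        return FALSE;

    // Read one WCHAR less than the buffer so the last element stays zero and
    // the result is terminated both as a wide and as an ANSI string, even
    // when the debuggee's name is longer than MAX_PATH. The read result is
    // not required to be TRUE (a partial read near a page end still yields a
    // usable prefix, as in the original); the buffer is zeroed beforehand.
    WCHAR dll_name_u[MAX_PATH + 1] = {0};
    ReadProcessMemory(hProcess, ptr, dll_name_u, sizeof(dll_name_u) - sizeof(WCHAR), NULL);
    if (dll_name_u[0] == 0)
        return FALSE;

    if (lddi->fUnicode)
    {
        // wcstombs does not terminate when the output fills nSize exactly and
        // returns (size_t)-1 on an unconvertible character.
        size_t n = wcstombs(dll_name, dll_name_u, (size_t)nSize);
        if (n == (size_t)-1)
        {
            dll_name[0] = '\0';
            return FALSE;
        }
        dll_name[nSize - 1] = '\0';
    }
    else
    {
        lstrcpyn(dll_name, (LPCSTR)dll_name_u, nSize);   // lstrcpyn always terminates
    }
    return TRUE;
}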
// Entry point: launches LanTalk.exe with this process as its debugger
// (DEBUG_ONLY_THIS_PROCESS), then drives it through a chain of software
// breakpoints held in g_bpData (see SetBreakPoint/RemoveBreakPoint) until the
// child exits. All addresses and the CONTEXT fields used (Eip, Ebx) are
// 32-bit x86 specific, and two of the addresses are hard-coded for one build
// of the target.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};

    // Start the child process.
    // NOTE: with lpApplicationName NULL and a relative name, CreateProcess
    // locates the executable via its documented search order (application
    // directory, current directory, system directories, PATH), so which
    // LanTalk.exe runs depends on the environment. The failure path below
    // does not report GetLastError().
    if( !CreateProcess( NULL, // No module name (use command line).
        //"D:\\Program Files\\Lantalk XP\\LanTalk.exe", // Command line.
        "LanTalk.exe", // Command line.
        NULL, // Process handle not inheritable.
        NULL, // Thread handle not inheritable.
        TRUE, // bInheritHandles is TRUE: the child inherits this process's inheritable handles (the original comment said FALSE).
        DEBUG_ONLY_THIS_PROCESS, // creation flags.
        NULL, // Use parent's environment block.
        //"D:\\Program Files\\Lantalk XP\\",
        NULL, // Use parent's starting directory.
        &si, // Pointer to STARTUPINFO structure.
        &pi ) // Pointer to PROCESS_INFORMATION structure.
        )
    {
        MessageBox(NULL, "CreateProcess failed.", "Error", MB_OK);
        return 0;
    }

    // Breakpoint / patch addresses. Entries 0, 1 and 3 are resolved below from
    // exports; entries 2 and 4 are hard-coded addresses inside the target image.
    LPVOID lpBase[] = {
        0, // kernel32.GetVersion
        0, // kernel32.GetCommandLineA
        LPBYTE(0x0099f8c0), // get clsid string
        0, // advapi32.RegCreateKeyExA
        LPBYTE(0x00402255), // jnz xxx (75 15) --- change to jmp xxx (eb 15)
    };
    // The purpose of the first two breakpoints is to get past ASProtect 1.2x's
    // decryption stage; the third breakpoint obtains the registry key value;
    // the last breakpoint applies a memory patch.
    //
    // The export addresses are looked up in this process and assumed to be
    // the same in the child -- presumably relies on both processes mapping the
    // system DLLs at the same base; confirm. hModule is not checked: if
    // LoadLibrary fails, the GetProcAddress calls presumably return NULL and
    // the slot stays 0, so SetBreakPoint on it fails.
    HMODULE hModule = LoadLibrary("kernel32.dll");
    lpBase[0] = GetProcAddress(hModule, "GetVersion");
    lpBase[1] = GetProcAddress(hModule, "GetCommandLineA");
    FreeLibrary(hModule);
    hModule = LoadLibrary("advapi32.dll");
    lpBase[3] = GetProcAddress(hModule, "RegCreateKeyExA");
    FreeLibrary(hModule);

    DEBUG_EVENT dbg = {0};
    CONTEXT context = {0};
    // Debugger loop: one iteration per debug event, until the child exits.
    while (WaitForDebugEvent(&dbg, INFINITE))
    {
        if (dbg.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT)
        {
            char dll_name[MAX_PATH] = {0};
            if (GetDllName(pi.hProcess, &dbg.u.LoadDll, dll_name, sizeof(dll_name)))
            {
                if (*dll_name)
                {
                    // Arm the first breakpoint (slot 0) once kernel32 is mapped
                    // into the child; only the file name after the last '\\' is compared.
                    char *p = strrchr(dll_name, '\\');
                    if (p && lstrcmpi(p + 1, "kernel32.dll") == 0)
                        SetBreakPoint(pi.hProcess, lpBase[0], 0);
                }
            }
        }
        else if (dbg.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
        {
            if (dbg.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)
            {
                LPVOID lpAddr = dbg.u.Exception.ExceptionRecord.ExceptionAddress;
                if (lpAddr == lpBase[0] || lpAddr == lpBase[1])
                {
                    context.ContextFlags = CONTEXT_CONTROL;
                    if (GetThreadContext(pi.hThread, &context))
                    {
                        // Restore the original byte and back Eip up over the
                        // one-byte int3 so the original instruction executes.
                        RemoveBreakPoint(pi.hProcess, 0);
                        context.Eip--;
                        SetThreadContext(pi.hThread, &context);
                        // Chain: slot 0 moves from GetVersion to GetCommandLineA,
                        // then slot 1 is placed on the hard-coded address.
                        if (lpAddr == lpBase[0])
                            SetBreakPoint(pi.hProcess, lpBase[1], 0);
                        else
                            SetBreakPoint(pi.hProcess, lpBase[2], 1);
                    }
                }
                else if (lpAddr == lpBase[2])
                {
                    // CONTEXT_INTEGER is required here because Ebx is read below.
                    context.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER;
                    if (GetThreadContext(pi.hThread, &context))
                    {
                        RemoveBreakPoint(pi.hProcess, 1);
                        context.Eip--;
                        SetThreadContext(pi.hThread, &context);
                        // Ebx is treated as a pointer to a pointer to the CLSID
                        // string in the child (x86-only register access).
                        LPVOID ptr = NULL;
                        if (ReadProcessMemory(pi.hProcess, (LPVOID)context.Ebx, &ptr, sizeof(ptr), NULL))
                        {
                            // The buffer is zeroed, so a shorter string stays
                            // terminated; NOTE(review): a string of 45 or more bytes
                            // would not be, and the name is passed to SHDeleteKey
                            // (recursive delete under HKCR) without any validation.
                            char szClsid[45] = {0};
                            if (ReadProcessMemory(pi.hProcess, ptr, szClsid, sizeof(szClsid), NULL))
                                SHDeleteKey(HKEY_CLASSES_ROOT, szClsid);
                        }
                        SetBreakPoint(pi.hProcess, lpBase[3], 0);
                    }
                }
                else if (lpAddr == lpBase[3])
                {
                    context.ContextFlags = CONTEXT_CONTROL;
                    if (GetThreadContext(pi.hThread, &context))
                    {
                        RemoveBreakPoint(pi.hProcess, 0);
                        context.Eip--;
                        SetThreadContext(pi.hThread, &context);
                        // Signature check: the patch is applied only when the 4
                        // bytes at lpBase[4] match the expected build. The read
                        // result is not checked; on failure dwTemp stays 0 and the
                        // comparison fails, so nothing is written.
                        DWORD dwTemp = 0;
                        ReadProcessMemory(pi.hProcess, lpBase[4], &dwTemp, 4, NULL);
                        if (dwTemp == 0xbe391575)
                        {
                            // Writes only the first byte of dwTemp (0xeb on little-endian x86).
                            dwTemp = 0xeb;
                            WriteProcessMemory(pi.hProcess, lpBase[4], &dwTemp, 1, NULL);
                        }
                    }
                }
                ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
            }
        }
        else if (dbg.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            break;
        // NOTE(review): this also runs after a breakpoint event, so
        // ContinueDebugEvent is called a second time for the same event with
        // DBG_EXCEPTION_NOT_HANDLED; that second call has nothing pending and
        // fails. A `continue` after the DBG_CONTINUE call above would avoid it.
        ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
    }
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}