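Sub SearchMem(hProcess As Long, bSearch() As Byte)
    ' Scans the address range &H400000 up to &H7F000000 of the process behind
    ' hProcess for the byte sequence in bSearch. Every occurrence is counted in
    ' nCount and the first 100 hit addresses are listed (in hex) in lstResult.
    '
    ' hProcess - process handle handed to VirtualQueryEx and ReadProcessMemory.
    '            How it is opened is not shown in this listing; presumably it
    '            carries query and VM-read access - confirm at the caller.
    ' bSearch  - pattern to look for; indexed 0..UBound(bSearch), so a 0-based,
    '            non-empty array is assumed.
    '
    ' Only committed regions whose protection has the PAGE_READWRITE bit set are
    ' scanned; read-only and executable pages are never examined. Each region is
    ' compared on its own, so a match that straddles two regions is not found.
    '
    ' NOTE(review): ReadProcessMemory is used as a Function returning Long here;
    ' its Declare is not part of this listing - confirm.
    ' NOTE(review): nothing in the scan loop yields to the message loop, so a
    ' click that clears bSearching cannot be processed before the scan ends
    ' unless DoEvents is called somewhere - confirm the intended behaviour.
    Const PAGE_READWRITE = 4, MEM_COMMIT = &H1000
    Const PAGE_GUARD = &H100
    Dim i As Long, j As Long
    Dim r As Long, mbi As MEMORY_BASIC_INFORMATION
    Dim lpAddress As Long: lpAddress = &H400000     ' start at 400000
    Dim ubs As Long: ubs = UBound(bSearch)
    Dim lpBuffer() As Byte
    Dim lastStart As Long
    Dim bMatch As Boolean

    bSearching = True
    cmdSearch.Caption = "停止"
    nCount = 0

    ' (poster's note) The part the poster did not fully understand starts here.
    r = VirtualQueryEx(hProcess, lpAddress, mbi, Len(mbi))
    ' 7F000000 is the end address of the search.
    Do While (r <> 0) And (lpAddress < &H7F000000) And bSearching
        ' A non-positive region size would stop the address from advancing.
        If mbi.RegionSize <= 0 Then Exit Do

        ' Committed read/write regions only. Guard pages are skipped as well:
        ' they carry the PAGE_READWRITE bit but cannot be read like normal pages.
        If (mbi.State = MEM_COMMIT) _
           And ((mbi.Protect And PAGE_READWRITE) <> 0) _
           And ((mbi.Protect And PAGE_GUARD) = 0) Then

            ' Last offset at which the whole pattern still fits in the region.
            lastStart = mbi.RegionSize - 1 - ubs
            If lastStart >= 0 Then
                ReDim lpBuffer(mbi.RegionSize - 1)
                ' A failed read leaves the buffer zero-filled; comparing against
                ' it would report false hits for patterns made of zero bytes.
                If ReadProcessMemory(hProcess, mbi.BaseAddress, lpBuffer(0), mbi.RegionSize, 0) <> 0 Then
                    For i = 0 To lastStart
                        ' Compare byte by byte and stop at the first mismatch.
                        bMatch = True
                        For j = 0 To ubs
                            If bSearch(j) <> lpBuffer(i + j) Then
                                bMatch = False
                                Exit For
                            End If
                        Next j
                        If bMatch Then
                            nCount = nCount + 1
                            If lstResult.ListCount < 100 Then   ' list only the first 100 results
                                ' The buffer was read from mbi.BaseAddress, so
                                ' the hit address is relative to that base.
                                lstResult.AddItem Hex(mbi.BaseAddress + i)
                            End If
                        End If
                    Next i
                End If
            End If
        End If

        ' Continue with the region that follows the one just examined.
        lpAddress = mbi.BaseAddress + mbi.RegionSize
        r = VirtualQueryEx(hProcess, lpAddress, mbi, Len(mbi))
    Loop
    ' (poster's note) End of the part the poster was unsure about.

    bSearching = False
    cmdSearch.Caption = "搜索"
    If nCount = 0 Then
        MsgBox "搜索不到任何结果", vbExclamation
    Else
        MsgBox "此次共搜索到 " & nCount & " 个结果", vbInformation
    End If
End Sub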
Private Sub Form_Load()
    ' On start-up, run the cmdRef click handler (defined elsewhere in the form)
    ' and restore the search value saved by a previous run, defaulting to 0.
    cmdRef_Click
    txtValue2Search = GetSetting("xSoft", "内存搜索", "搜索数值", 0)
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Remember the search box content for the next run. An empty box leaves the
    ' previously stored value untouched.
    If Len(txtValue2Search) <> 0 Then
        SaveSetting "xSoft", "内存搜索", "搜索数值", txtValue2Search
    End If
End Sub
'=================================================================
' The following code belongs in a module
'=================================================================
Option Explicit

' ToolHelp32 process-enumeration entry points exported by kernel32.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
    (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" _
    (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" _
    (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" _
    (ByVal hObject As Long) As Long
Private Declare Function GetVersion Lib "kernel32" () As Long

' One process record as filled in by Process32First / Process32Next.
Private Type PROCESSENTRY32
    dwSize As Long                  ' caller sets this to Len() of the record before the first call
    cntUsage As Long
    th32ProcessID As Long           ' process id; GetProcess stores it as the combo item data
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    ' NOTE(review): the Win32 structure declares this field with MAX_PATH (260)
    ' characters; this listing reserves 1024, so Len() of the record is larger
    ' than the native structure - confirm the larger dwSize is accepted.
    szExeFile As String * 1024
End Type

' Snapshot flag: include the process list.
Const TH32CS_SNAPPROCESS = &H2
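Public Sub GetProcess(cb As ComboBox)
    ' Adds one entry per running process to cb: the executable file name as the
    ' item text and the process id as the item data.
    '
    ' cb - combo box to fill; existing items are left in place.
    '
    ' If the snapshot cannot be created the sub returns without adding anything.
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim h As Long, pe32 As PROCESSENTRY32, szExeFile As String
    Dim r As Long, WinVer As Long
    Dim nulPos As Long

    ' Take a snapshot of the process list.
    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    ' On failure the API returns INVALID_HANDLE_VALUE (-1), which a plain
    ' "If h Then" test treats as success, so it is checked explicitly.
    If h = 0 Or h = INVALID_HANDLE_VALUE Then Exit Sub

    WinVer = GetVersion
    pe32.dwSize = Len(pe32)
    r = Process32First(h, pe32)
    Do While r <> 0
        ' szExeFile is a fixed-length buffer holding a NUL-terminated name.
        ' Trim only strips spaces, so cut at the first NUL; otherwise NULs and
        ' leftovers from a previous, longer entry stay in the text.
        szExeFile = pe32.szExeFile
        nulPos = InStr(szExeFile, vbNullChar)
        If nulPos > 0 Then szExeFile = Left$(szExeFile, nulPos - 1)
        szExeFile = Trim$(szExeFile)

        If WinVer > 0 Then
            ' NT: the field already holds just the file name.
            cb.AddItem szExeFile
        Else
            ' 9x: the field holds the full path; keep only the file name.
            cb.AddItem Mid(szExeFile, InStrRev(szExeFile, "\") + 1)
        End If
        cb.ItemData(cb.NewIndex) = pe32.th32ProcessID
        r = Process32Next(h, pe32)
    Loop

    ' Release the snapshot handle.
    CloseHandle h
End Sub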
' Repeated fragment: these lines are the body of SearchMem(hProcess, bSearch())
' pasted a second time without its "Sub" line. Several statements are run
' together on one physical line, as in the first copy.
' The code walks memory regions from &H400000 up to &H7F000000 with
' VirtualQueryEx, reads each committed region that has the PAGE_READWRITE bit
' set, and compares bSearch against every offset of the region.
Const PAGE_READWRITE = 4, MEM_COMMIT = &H1000
Dim i As Long, j As Long, count As Long
Dim r As Long, mbi As MEMORY_BASIC_INFORMATION
Dim lpAddress As Long: lpAddress = &H400000 'start at 400000
Dim ubs As Long: ubs = UBound(bSearch)
bSearching = True
cmdSearch.Caption = "停止"
nCount = 0
' NOTE(review): the next line is the original poster's remark ("some part below
' is not fully understood"), pasted without a comment marker.
以下某个地方不是很明白=======================================================
r = VirtualQueryEx(hProcess, lpAddress, mbi, Len(mbi)) 'use 7F000000 as the search end address
' NOTE(review): the trailing comment says "readable", but the test below only
' accepts regions whose protection has the PAGE_READWRITE bit set.
Do While (r And (lpAddress < &H7F000000) And bSearching) 'only search readable, committed memory regions
If (mbi.Protect And PAGE_READWRITE) And (mbi.State = MEM_COMMIT) Then
Dim lpBuffer() As Byte
' NOTE(review): the result of ReadProcessMemory is discarded, so a failed read
' is compared as if the (zero-filled) buffer were the region's content.
ReDim lpBuffer(mbi.RegionSize - 1) ReadProcessMemory hProcess, mbi.BaseAddress, lpBuffer(0), mbi.RegionSize, 0 For i = 0 To mbi.RegionSize - 1 - ubs 'avoid reading past the end of the buffer 'compare byte by byte; stop at the first byte that differs
For j = 0 To ubs
If bSearch(j) <> lpBuffer(i + j) Then GoTo 10
Next
' Reached only when every byte of the pattern matched at offset i.
nCount = nCount + 1
If lstResult.ListCount < 100 Then 'list only the first 100 results
lstResult.AddItem Hex(i + lpAddress)
End If
' Label 10 is the jump target for a mismatch: continue with the next offset.
10:
Next
End If
' Advance to the region after the one just queried.
lpAddress = lpAddress + mbi.RegionSize
r = VirtualQueryEx(hProcess, lpAddress, mbi, Len(mbi))
' NOTE(review): the next line joins "Loop", the poster's closing remark
' ("the part above") and the statement "bSearching = False".
Loop 以上=====================================================================bSearching = False
cmdSearch.Caption = "搜索"
' Report the outcome: a warning when nothing matched, else the hit count.
If nCount = 0 Then
MsgBox "搜索不到任何结果", vbExclamation
Else
MsgBox "此次共搜索到 " & nCount & " 个结果", vbInformation
End If
End Sub
Private Sub Form_Load()
    ' On start-up, run the cmdRef click handler (defined elsewhere in the form)
    ' and restore the search value saved by a previous run, defaulting to 0.
    cmdRef_Click
    txtValue2Search = GetSetting("xSoft", "内存搜索", "搜索数值", 0)
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Remember the search box content for the next run. An empty box leaves the
    ' previously stored value untouched.
    If Len(txtValue2Search) <> 0 Then
        SaveSetting "xSoft", "内存搜索", "搜索数值", txtValue2Search
    End If
End Sub
'=================================================================
' The following code belongs in a module
'=================================================================
Option Explicit

' ToolHelp32 process-enumeration entry points exported by kernel32.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
    (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" _
    (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" _
    (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" _
    (ByVal hObject As Long) As Long
Private Declare Function GetVersion Lib "kernel32" () As Long

' One process record as filled in by Process32First / Process32Next.
Private Type PROCESSENTRY32
    dwSize As Long                  ' caller sets this to Len() of the record before the first call
    cntUsage As Long
    th32ProcessID As Long           ' process id; GetProcess stores it as the combo item data
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    ' NOTE(review): the Win32 structure declares this field with MAX_PATH (260)
    ' characters; this listing reserves 1024, so Len() of the record is larger
    ' than the native structure - confirm the larger dwSize is accepted.
    szExeFile As String * 1024
End Type

' Snapshot flag: include the process list.
Const TH32CS_SNAPPROCESS = &H2
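Public Sub GetProcess(cb As ComboBox)
    ' Adds one entry per running process to cb: the executable file name as the
    ' item text and the process id as the item data.
    '
    ' cb - combo box to fill; existing items are left in place.
    '
    ' If the snapshot cannot be created the sub returns without adding anything.
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim h As Long, pe32 As PROCESSENTRY32, szExeFile As String
    Dim r As Long, WinVer As Long
    Dim nulPos As Long

    ' Take a snapshot of the process list.
    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    ' On failure the API returns INVALID_HANDLE_VALUE (-1), which a plain
    ' "If h Then" test treats as success, so it is checked explicitly.
    If h = 0 Or h = INVALID_HANDLE_VALUE Then Exit Sub

    WinVer = GetVersion
    pe32.dwSize = Len(pe32)
    r = Process32First(h, pe32)
    Do While r <> 0
        ' szExeFile is a fixed-length buffer holding a NUL-terminated name.
        ' Trim only strips spaces, so cut at the first NUL; otherwise NULs and
        ' leftovers from a previous, longer entry stay in the text.
        szExeFile = pe32.szExeFile
        nulPos = InStr(szExeFile, vbNullChar)
        If nulPos > 0 Then szExeFile = Left$(szExeFile, nulPos - 1)
        szExeFile = Trim$(szExeFile)

        If WinVer > 0 Then
            ' NT: the field already holds just the file name.
            cb.AddItem szExeFile
        Else
            ' 9x: the field holds the full path; keep only the file name.
            cb.AddItem Mid(szExeFile, InStrRev(szExeFile, "\") + 1)
        End If
        cb.ItemData(cb.NewIndex) = pe32.th32ProcessID
        r = Process32Next(h, pe32)
    Loop

    ' Release the snapshot handle.
    CloseHandle h
End Sub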