Neuz.exe+0078A56C, offset A. That is the pointer.
How do I write this in VB???
At first I thought it was like this:
WriteProcessMemory pHandle, Neuz.exe+&H0078A56C+&HA, 1127812301, 4, 0&
But it was wrong.
Can someone tell me how to do it?
Solutions »
http://allapi.mentalis.org/apilist/WriteProcessMemory.shtml
http://allapi.mentalis.org/apilist/F307CAA2589BD8227FE5D6D4A27F5BDA.html
'You Need a button (Command1).
' MaRi� G. Serrano. 16/Abril/2002.-
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteString Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'Private Declare Function WriteValue Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long

Private Sub Command1_Click()
Dim str As String, MyString As String
MyString = "HELLO"
'in this case I read the memory of my own process
MsgBox "MyString= " & MyString
str = ReadMemory(Me.hWnd, StrPtr(MyString), LenB(MyString), "BYE!!")
MsgBox "Now, MyString=" & MyString & vbCr & "Old Value= " & str
End Sub
Private Function ReadMemory(hWnd As Long, Address As Long, Bytes As Long, Optional strReplaceWith As String) As String
'Runs For Not Unicode Strings (VB-Strings)
On Error Resume Next
Dim pId As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
Dim bytValue As Long 'Stores the value of a byte in the memory
Dim i As Long
Dim Text As String
' Get the ProcId of the Window
GetWindowThreadProcessId hWnd, pId ' use the pId to get a handle
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
If (pHandle = 0) Then
'MsgBox "Unable to open process!"
Exit Function
End If
If Address = 0 Then Exit Function
For i = 1 To Bytes Step 2
' Read Byte to Byte
ReadProcessMemory pHandle, Address + i - 1, bytValue, 1, 0&
'value now contains the long value of the byte located in [Address + i - 1] pos.
'ReadMemory is a string...
ReadMemory = ReadMemory & Chr$(bytValue)
Next
'to write numeric values you can ..(Must) use WriteValue API
If LenB(strReplaceWith) <> 0 Then
'No Unicode!!
WriteString pHandle, Address, StrPtr(strReplaceWith), LenB(strReplaceWith), 0&
End If
'Close the Handle
CloseHandle pHandle
End Function
Haha
It should be MyComputer+Neuz.exe+&H0078A56C+&HA
2. Then offset that address by 0078A56C
Our goal is: find the entry-point address in memory.
VERSION 5.00
Begin VB.Form Form1
Caption = "Form1"
ClientHeight = 3150
ClientLeft = 60
ClientTop = 390
ClientWidth = 4680
LinkTopic = "Form1"
ScaleHeight = 3150
ScaleWidth = 4680
StartUpPosition = 3 'Windows Default
Begin VB.TextBox txtTest
Height = 495
Left = 1800
TabIndex = 0
Text = "Text1"
Top = 1320
Width = 1215
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
2. Then build 1.EXE. At this point you need a tool to look at the entry point; for an ordinary program that is not encrypted, packed or obfuscated, PEiD is enough. Open 1.exe with PEiD and it plainly tells you the entry point. Is this the entry address in memory? No.
Why? Because Windows NT x86 operating systems allocate 4 GB of virtual memory to every process, starting at 00400000.
Google the details yourself; they are outside the scope of this post.
For a description of the PE file format, see this post:
http://www.vckbase.com/document/viewdoc/?id=1334
3. To find the entry address in memory (actually this is no longer necessary: for a program that has not been obfuscated, encrypted or packed, its entry address in memory simply equals 00400000 + entry point, so for the EXE we are testing the address is 00401128), we use OllyDbg; open the EXE and it is obvious at a glance:
OK, entry address found.
4. As for how to get the value of txtTest1.txt, everyone knows: any memory scanner can do it, so I will not cover it.
Use a LONG type, the &H...& string form.