我还没用过,不过可以试试:
EnumProcesses 得到Process的ID的数组,再使用OpenProcess使用以上ID得到Process的名称进行判断,同时该函数返回Process Handle (hProcess).
再使用ReadProcessMemory和WriteProcessMemory读、写进程的内存。
进程的Page Access属性有关系(PAGE_ACCESS_READ)。
EnumProcesses 得到Process的ID的数组,再使用OpenProcess使用以上ID得到Process的名称进行判断,同时该函数返回Process Handle (hProcess).
再使用ReadProcessMemory和WriteProcessMemory读、写进程的内存。
进程的Page Access属性有关系(PAGE_ACCESS_READ)。
能提供函数具体使用例子吗?ReadProcessMemory函数读出的内存数据是什么形式
的?
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function EnumProcesses Lib "psapi.dll" (lpidProcess As Any, ByVal cb As Long, cbNeeded As Long) As Boolean
Private Declare Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As Long, lphModule As Any, ByVal cb As Long, lpcbNeeded) As Boolean
Private Declare Function GetModuleBaseName Lib "psapi.dll" Alias "GetModuleBaseNameA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpBaseName As String, ByVal nSize As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const SYNCHRONIZE = &H100000
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const PROCESS_TERMINATE = &H1
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_SET_SESSIONID = &H4
Private Const PROCESS_VM_OPERATION = &H8
Private Const PROCESS_VM_READ = &H10
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_DUP_HANDLE = &H40
Private Const PROCESS_CREATE_PROCESS = &H80
Private Const PROCESS_SET_QUOTA = &H100
Private Const PROCESS_SET_INFORMATION = &H200
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or 92sub ReadMemory()
Dim blnReturn As Boolean
Dim lProcessID(1023) As Long
Dim hModuleHandle As Long
Dim lModuleNeed As Long
Dim lProcessNum As Long
Dim I As Integer
Dim hProcess As Long
Dim lReturn As Long
Dim strModName As String
Dim lAddress As Long
Dim bytBuffer() As Byte
Dim lReadCount As Long
blnReturn = EnumProcesses(lProcessID(0), UBound(lProcessID) + 1, lProcessNum)
If blnReturn Then
For I = 0 To UBound(lProcessID)
strModName = ""
If lProcessID(I) <> 0 Then
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ Or PROCESS_VM_WRITE, 0, lProcessID(I))
If hProcess <> 0 Then
If EnumProcessModules(hProcess, hModuleHandle, Len(hModuleHandle), lModuleNeed) Then
strModName = String(127, Chr(0))
lReturn = GetModuleBaseName(hProcess, hModuleHandle, strModName, Len(strModName))
If lReturn > 0 Then
strModName = Mid(strModName, 1, lReturn)
MsgBox "Module Name:" & strModName
End If
CloseHandle hModuleHandle
End If
If strModName <> "" Then
lAddress = 0
ReDim bytBuffer(1023)
lReturn = ReadProcessMemory(hProcess, lAddress, bytBuffer(0), UBound(bytBuffer), lReadCount)
Do Until lReadCount < UBound(bytBuffer) Or lReturn = 0
'do yourself
ReDim bytBuffer(1023)
lReturn = ReadProcessMemory(hProcess, lAddress, bytBuffer(0), UBound(bytBuffer), lReadCount)
lAddress = lAddress + UBound(bytBuffer)
Loop
End If
End If
CloseHandle hProcess
End If
Next I
End If
End Sub
多谢你辛勤帮忙,提供一个朋友的方法(C++程序),望能启发你。我没测试,
你帮我测试一下好吗!我需要在内存中查找一个8位数值(如11223344),查到
后改为我想要的8位数字(如88994455)。望你能帮忙解决!
************************************************************************
API函数,ReadProcessMemory,和WriteProcessMemory 读内存从400000到6a000000。 /*中间还要用VirtualQuery检查内存是否合法*/unsigned int aa,bb; /* aa: 要查找值,bb:欲替换值 */
for (i=400000;i<6a000000;i++)
{
ReadProcessMemory(进程Handle,(void *)i,&aa,4,&dw);
if(aa==bb)
WriteProcessMemory(进程Handle,(void *)i,&aa,4,&dw);
}