请问如何获取特定进程中特定模块的映像基址与映像大小?
// Get the in-memory image size of the module whose base address is in Module.
// NOTE(review): nothing here checks that Module really points at a valid image
// (no "MZ"/"PE" signature test), so the two offsets are followed blindly.
__asm
{
// Preserve the two scratch registers used below.
push eax;
push ebx;
// ebx = base address of the mapped image.
mov ebx,Module;
// eax = DWORD stored at base+0x3c: the offset of the PE header from the base
// (the e_lfanew field of IMAGE_DOS_HEADER).
mov eax,[ebx+0x3c];
// eax = base + PE-header offset + 0x50: the address of the field read next.
lea eax,[ebx+eax+0x50];
// eax = the value stored at that address; per the discussion below this is
// the image size kept at offset 0x50 of the PE header.
mov eax,[eax]
// Hand the value back to the C++ variable, then restore the saved registers.
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;

主要是想知道 ebx 为什么要 +0x3c,以及取指针的 lea eax,[ebx+eax+0x50] 为什么是 ebx+eax+0x50。请说明一下 +0x3c 和 ebx+eax+0x50 都是些什么,为什么要这样写。

[可执行文件内存映象基址+0x3c] 处存放的是 PE 头部偏移(IMAGE_DOS_HEADER 的 e_lfanew 字段)
PE头部偏移 + 可执行文件内存映象基址 = PE基址(IMAGE_NT_HEADERS 的起始地址)

mov PE头部偏移,[ebx+0x3c];
lea eax,[可执行文件内存映象基址+PE头部偏移+0x50];

首先获取内存映像大小。
其值(SizeOfImage)存放在 PE 文件头偏移 0x50 处。

#include <iostream>
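#include <windows.h>
using namespace std;

/// Prints (in hex) the SizeOfImage of the current process's main module.
///
/// The original read the value with x86 inline assembly and hard-coded
/// offsets (0x3c, 0x50). This version walks the same two steps through the
/// documented PE header structures, so it also builds for x64 (where MSVC has
/// no inline assembler), and it checks both signatures before trusting the
/// offsets.
///
/// @return 0 on success, 1 if the module handle or its headers look invalid.
int main()
{
    // For a loaded image the module handle is the image base address.
    const BYTE* base = reinterpret_cast<const BYTE*>(GetModuleHandle(NULL));
    if (base == NULL)
        return 1;

    // The image starts with the DOS header; its e_magic must be "MZ".
    const IMAGE_DOS_HEADER* dos = reinterpret_cast<const IMAGE_DOS_HEADER*>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return 1;

    // e_lfanew is the DWORD at base+0x3c: the offset of the PE (NT) headers.
    // Reject a non-positive offset instead of dereferencing before the image.
    if (dos->e_lfanew <= 0)
        return 1;
    const IMAGE_NT_HEADERS* nt =
        reinterpret_cast<const IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return 1;

    // SizeOfImage is the field the assembly read at NT headers + 0x50.
    const DWORD imagesize = nt->OptionalHeader.SizeOfImage;
    cout << hex << imagesize << endl;
    return 0;
}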
http://blog.csdn.net/angelkernel/archive/2010/05/29/5633473.aspx
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <psapi.h>
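#pragma comment(lib, "PSAPI.lib")

/// Prints the full path and load address of every module in one process.
///
/// Processes that cannot be opened with PROCESS_QUERY_INFORMATION |
/// PROCESS_VM_READ are skipped silently after their process id has been
/// printed.
///
/// @param processID  Identifier of the process to inspect.
void PrintModules( DWORD processID )
{
    HMODULE hMods[1024];
    DWORD cbNeeded;

    // Print the process identifier.
    printf( "\nProcess ID: %u\n", processID );

    // Open the process with only the rights the module queries below need.
    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                                   PROCESS_VM_READ,
                                   FALSE, processID );
    if (NULL == hProcess)
        return;

    // Get a list of all the modules in this process.
    if ( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded) )
    {
        // cbNeeded is the space required for ALL module handles and can
        // exceed sizeof(hMods); clamp so the loop never reads past the array.
        DWORD cModules = cbNeeded / sizeof(HMODULE);
        const DWORD cCapacity = sizeof(hMods) / sizeof(hMods[0]);
        if ( cModules > cCapacity )
            cModules = cCapacity;

        for ( DWORD i = 0; i < cModules; i++ )
        {
            TCHAR szModName[MAX_PATH];

            // Get the full path to the module's file.
            if ( GetModuleFileNameEx(hProcess, hMods[i], szModName,
                                     sizeof(szModName)/sizeof(TCHAR)) )
            {
                // Print the module name and handle value. %p prints the whole
                // handle; %08X would truncate it in a 64-bit build.
                _tprintf( TEXT("\t%s (0x%p)\n"),
                          szModName, hMods[i] );
            }
        }
    }

    CloseHandle( hProcess );
}

/// Enumerates the running processes and prints the modules of each one.
///
/// @return 0 on success, 1 if the process list could not be obtained.
int main( )
{
    // Get the list of process identifiers.
    DWORD aProcesses[1024], cbNeeded;
    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
        return 1;

    // Calculate how many process identifiers were returned.
    const DWORD cProcesses = cbNeeded / sizeof(DWORD);

    // Print the name of the modules for each process.
    for ( DWORD i = 0; i < cProcesses; i++ )
        PrintModules( aProcesses[i] );

    return 0;
}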
MEMORY_BASIC_INFORMATION mi;
VirtualQueryEx(hProcess,hMods[i],&mi,sizeof(mi));
大小就是 mi.RegionSize;(注意:mi.RegionSize 只是从该地址开始的第一个内存块的大小,整个模块的大小需要把各块累加,见下文。)
// NOTE(review): the function signature is missing from this listing. The body
// reads a process id named dwPID, returns TRUE/FALSE, and calls a printError
// helper that is not shown here.
// Walks a Toolhelp module snapshot of process dwPID and prints one record per
// module, including its base address and size.
{
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
if( hModuleSnap == INVALID_HANDLE_VALUE )
{
printError( "CreateToolhelp32Snapshot (of modules)" );
return( FALSE );
}
// Set the size of the structure before using it.
me32.dwSize = sizeof( MODULEENTRY32 );
// Retrieve information about the first module,
// and exit if unsuccessful
if( !Module32First( hModuleSnap, &me32 ) )
{
printError( "Module32First" ); // Show cause of failure
CloseHandle( hModuleSnap ); // Must clean up the
// snapshot object!
return( FALSE );
}
// Now walk the module list of the process,
// and display information about each module
do
{
printf( "\n\n MODULE NAME: %s",
me32.szModule );
printf( "\n executable = %s",
me32.szExePath );
printf( "\n process ID = 0x%08X",
me32.th32ProcessID );
printf( "\n ref count (g) = 0x%04X",
me32.GlblcntUsage );
printf( "\n ref count (p) = 0x%04X",
me32.ProccntUsage );
// NOTE(review): modBaseAddr is a pointer; the (DWORD) cast keeps only its low
// 32 bits, so the printed base address is truncated in a 64-bit build.
printf( "\n base address = 0x%08X",
(DWORD) me32.modBaseAddr );
// NOTE(review): modBaseSize is an unsigned DWORD but is printed with %d.
printf( "\n base size = %d",
me32.modBaseSize ); } while( Module32Next( hModuleSnap, &me32 ) ); CloseHandle( hModuleSnap );
// The snapshot handle was closed above, after the last module was printed.
return( TRUE );
}
整个模块是一个区,其中包含多个块。
mi.AllocationBase //这个是区的地址,一个区内的各个块的这个属性都指向这个区
mi.RegionSize //这个是块的大小
mi.BaseAddress // 这个是块的首地址
要获取整个区的大小,可以读取区中每个块的大小,计算它们的和。类似代码:
MEMORY_BASIC_INFORMATION mi;
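// Add up the sizes of all blocks that belong to the same allocation as the
// module base hMods[i]; the total is the size of the whole module.
// SIZE_T matches the type of mi.RegionSize, so the sum cannot wrap an int.
SIZE_T Size = 0;
PVOID BaseAddress = NULL;

// VirtualQueryEx returns 0 on failure and then leaves mi untouched. The
// original ignored that, so a failed query inside the loop never changed
// mi.AllocationBase and the loop could not terminate.
if (VirtualQueryEx(hProcess, hMods[i], &mi, sizeof(mi)) != 0)
{
    BaseAddress = mi.AllocationBase;
    while (mi.AllocationBase == BaseAddress)
    {
        Size += mi.RegionSize;
        // Query the block that starts right after the ones counted so far.
        if (VirtualQueryEx(hProcess, (PBYTE)hMods[i] + Size, &mi, sizeof(mi)) == 0)
            break;
    }
}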
Size 是模块大小
ReadProcessMemory PEB