从另一个进程内存读取指针

Reading a pointer from another process memory

我正在尝试从另一个进程读取一个指针。我可以读到指针本身的内容,并且确实得到了一个地址,但我想更进一步,获取该地址处存放的值。我觉得是我做错了,还是说这根本做不到?

这是我的代码:

#include <iostream>
#include <windows.h>
using namespace std;

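int main() {

    DWORD pid;
    // Local copy of the pointer value stored in the target. It is only an
    // address inside the *target* process, so it is never dereferenced here;
    // every further hop goes through ReadProcessMemory again.
    int **buffer = NULL;
    cout << "Current PID: " << GetCurrentProcessId();
    cout << "\nTarget PID: ";
    if (!(cin >> pid)) {
        cout << "\nInvalid PID.";
        return EXIT_FAILURE;
    }

    // Least privilege: ReadProcessMemory only needs PROCESS_VM_READ.
    // PROCESS_ALL_ACCESS asks for far more than this program uses and is
    // more likely to be refused.
    HANDLE handle = OpenProcess(PROCESS_VM_READ, FALSE, pid);

    if (handle == NULL) {
        cout << "\nCant open process. Error Code: " << GetLastError();
        return EXIT_FAILURE;
    }

    // Hard-coded address taken from the target's own output; it is only
    // valid for that particular run of that particular build.
    LPCVOID remote_address = reinterpret_cast<LPCVOID>(0x5BF9A4);
    SIZE_T bytes_read = 0;

    // The original tested `ReadProcessMemory == 0`, i.e. the function's
    // address, which is never zero; the BOOL return value is what must be
    // checked, together with the byte count for a short read.
    BOOL ok = ReadProcessMemory(handle, remote_address, &buffer, sizeof(buffer), &bytes_read);
    if (!ok || bytes_read != sizeof(buffer)) {
        cout << "\nRPM failed, ERROR_CODE: " << GetLastError();
        CloseHandle(handle);
        return EXIT_FAILURE;
    }

    cout << "\nBuffer: " << buffer << endl;

    // 1st hop: read the int* stored at `buffer` in the target.
    // (`*buffer` here would dereference a foreign address and crash.)
    int *hop1 = NULL;
    ok = ReadProcessMemory(handle, buffer, &hop1, sizeof(hop1), &bytes_read);
    if (!ok || bytes_read != sizeof(hop1)) {
        cout << "\nRPM (1st hop) failed, ERROR_CODE: " << GetLastError();
        CloseHandle(handle);
        return EXIT_FAILURE;
    }
    cout << "Buffer 1st hop: " << hop1 << endl;

    // 2nd hop: read the int stored at `hop1` in the target.
    int value = 0;
    ok = ReadProcessMemory(handle, hop1, &value, sizeof(value), &bytes_read);
    if (!ok || bytes_read != sizeof(value)) {
        cout << "\nRPM (2nd hop) failed, ERROR_CODE: " << GetLastError();
        CloseHandle(handle);
        return EXIT_FAILURE;
    }
    cout << "Buffer 2nd hop: " << value << endl;

    // CloseHandle returns a BOOL; the original compared the function's
    // address (`CloseHandle != 0`), which is always true.
    if (CloseHandle(handle) != 0) {
        cout << "Handle to process destroyed successfully.\n";
    }
    system("pause");

    return 0;
}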

您必须预留空间来存放读取到的内容:

// Local destination buffer; ReadProcessMemory copies the target's bytes into it.
char buffer[1024];
ReadProcessMemory(handle, reinterpret_cast<LPCVOID>(0x5BF9A4), buffer, sizeof buffer, NULL);

你应该通过最后一个参数获取实际读取的字节数:

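// lpNumberOfBytesRead is a SIZE_T*; an int* neither converts to it nor has
// the right width on 64-bit, so the count variable must be a SIZE_T.
SIZE_T r = 0;
char buffer[1024];
ReadProcessMemory(handle, (LPCVOID)0x5BF9A4, buffer, sizeof(buffer), &r);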

这样你就知道你读取了多少数据。

并且您必须检查调用的返回值:

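// Byte count must be a SIZE_T to match ReadProcessMemory's last parameter.
SIZE_T r = 0;
char buffer[1024];
// ReadProcessMemory returns a BOOL: zero means the read failed and
// GetLastError() holds the reason; only the first `r` bytes of `buffer`
// are valid, so treat a zero count as a failure too.
BOOL ok = ReadProcessMemory(handle, (LPCVOID)0x5BF9A4, buffer, sizeof(buffer), &r);
if (!ok || r == 0) {
    // do something — report GetLastError() and do not use buffer
}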

之后您就可以读取内容了:buffer[0] 是第一个字符。

不知道我是否理解错了,你的目标进程可能是这样的:

#include <windows.h>
#include <iostream>

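int main()
{
    // Target process: a value, a pointer to it, and a pointer to that
    // pointer. It prints the address of `pp` so a reader can start there.
    int data = 10;
    int* p = &data;
    int** pp = &p;
    // Pointers are streamed as void* so the full address is printed; the
    // original's printf("%x", ptr) truncates to 32 bits on 64-bit builds and
    // is undefined behaviour for a pointer argument. DWORD is unsigned, so
    // %d was also the wrong conversion for the PID.
    std::cout << "pid = " << GetCurrentProcessId() << '\n';
    std::cout << "p = " << static_cast<void*>(p) << '\n';
    std::cout << "pp = " << static_cast<void*>(pp) << '\n';
    std::cout << "address of pp = " << static_cast<void*>(&pp) << '\n';
    // Keep the process (and its locals) alive until the reader is done;
    // otherwise it exits before anything can be read.
    std::cout << "press Enter to exit\n";
    std::cin.get();
    return 0;
}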

您有pp的地址,想获取data的值?

除非显式共享,否则每个进程的地址空间都是私有的。你刚才通过那个地址读到的只是局部变量 pp 的值,还需要再从 pp 所指向的地址读取一次得到 p 的值,最后从 p 所指向的地址读取才能得到 data:

#include <windows.h>
#include <iostream>
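// Copies `len` bytes at `address` in the target process into `out`.
// Returns false (after printing the Win32 error) on failure or a short read,
// so a caller never chains the next hop off a pointer that was not read.
static bool read_remote(HANDLE hProcess, LPCVOID address, void* out, SIZE_T len)
{
    SIZE_T bytes_read = 0;
    BOOL ret = ReadProcessMemory(hProcess, address, out, len, &bytes_read);
    if (!ret || bytes_read != len)
    {
        std::cout << "ReadProcessMemory error at " << address << ": " << GetLastError() << std::endl;
        return false;
    }
    return true;
}

int main()
{
    // std:: is spelled out because this listing has no using-directive;
    // the original's bare cout/cin/endl do not compile as shown.
    DWORD pid;
    std::cout << "Current PID: " << GetCurrentProcessId();
    std::cout << "\nTarget PID: ";
    if (!(std::cin >> pid))
    {
        std::cout << "invalid PID" << std::endl;
        return EXIT_FAILURE;
    }
    // PROCESS_VM_READ is the minimum access right ReadProcessMemory needs.
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        DWORD error = GetLastError();
        std::cout << "OpenProcess error: " << error << std::endl;
        return EXIT_FAILURE;
    }
    // Address of the target's local `pp`, copied from the target's own
    // output; it is valid only for that run. Each value read below is a
    // pointer *in the target's address space*: it is stored in a local of
    // the same type and used only as the address for the next read, never
    // dereferenced in this process.
    LPCVOID address = reinterpret_cast<LPCVOID>(0xd3fe20);
    int** pp = NULL;
    int* p = NULL;
    int data = 0;
    int status = EXIT_FAILURE;

    bool ok = read_remote(hProcess, address, &pp, sizeof(pp));
    if (ok)
    {
        std::cout << "pp = " << static_cast<void*>(pp) << std::endl;
        ok = read_remote(hProcess, pp, &p, sizeof(p));
    }
    if (ok)
    {
        std::cout << "p = " << static_cast<void*>(p) << std::endl;
        ok = read_remote(hProcess, p, &data, sizeof(data));
    }
    if (ok)
    {
        std::cout << "data = " << data << std::endl;
        status = EXIT_SUCCESS;
    }

    // Single exit so the handle is released on every path.
    CloseHandle(hProcess);
    return status;
}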

结果: