如何在另一个进程的内存中搜索字符串

How can I search for a string in the memory of another process?

本文关键字:内存 搜索 字符串 进程 另一个      更新时间:2023-10-16

目前我正在使用这个函数,这是我通过阅读互联网上几个松散相关的问题拼凑而成的。我遇到的问题是我第一次运行它时它返回了一个错误,但不幸的是我无法重现它。现在当我运行它时,它每次都只返回 0。

DWORD GetAddressOfString(char *input)
{
    unsigned char *p = NULL;
    MEMORY_BASIC_INFORMATION info;
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, _processID);
    for (p = NULL; VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info); p += info.RegionSize)
    {
        if (info.State == MEM_COMMIT && (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
        {
            char *buffer = new char[info.RegionSize];
            SIZE_T bytesRead;
            ReadProcessMemory(process, p, &buffer, info.RegionSize, &bytesRead);
            for (int i = 0; i <= (info.RegionSize - sizeof(input)); i++)
            {
                if (memcmp(input, &buffer[i], sizeof(input)) == 0)
                {
                    return i;
                }
            }
        }
    }
}

这是一个快速而肮脏的版本,可以搜索数据本身。 如果您打开记事本++,键入"SomeDataToFind",将 pid 替换为正确的值并运行它,它也应该找到数据。 它可能会给你一些开始和修饰以满足你的需求的东西。

您的代码搜索了错误的长度,返回了

错误的偏移量,像筛子一样泄漏了内存,并且并不总是返回未定义行为的值。

#include <Windows.h>
#include <iostream>
#include <string>
#include <vector>
char* GetAddressOfData(DWORD pid, const char *data, size_t len)
{
    HANDLE process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if(process)
    {
        SYSTEM_INFO si;
        GetSystemInfo(&si);
        MEMORY_BASIC_INFORMATION info;
        std::vector<char> chunk;
        char* p = 0;
        while(p < si.lpMaximumApplicationAddress)
        {
            if(VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info))
            {
                p = (char*)info.BaseAddress;
                chunk.resize(info.RegionSize);
                SIZE_T bytesRead;
                if(ReadProcessMemory(process, p, &chunk[0], info.RegionSize, &bytesRead))
                {
                    for(size_t i = 0; i < (bytesRead - len); ++i)
                    {
                        if(memcmp(data, &chunk[i], len) == 0)
                        {
                            return (char*)p + i;
                        }
                    }
                }
                p += info.RegionSize;
            }
        }
    }
    return 0;
}
int main()
{
    const char someData[] = "SomeDataToFind";
    std::cout << "Local data address: " << (void*)someData << "n";
    //Pass whatever process id you like here instead.
    DWORD pid = GetCurrentProcessId();
    char* ret = GetAddressOfData(pid, someData, sizeof(someData));
    if(ret)
    {
        std::cout << "Found: " << (void*)ret << "n";
    }
    else
    {
        std::cout << "Not foundn";
    }
    return 0;
}
相关文章: