windows-遍历另一进程内存根据进程PID

IBinary

发布于 2019-12-26 17:19:42

1.2K0

发布于 2019-12-26 17:19:42

文章被收录于专栏：逆向技术

#include <windows.h>
//OpenProcess需要提权,因为代码常用抠出来的所有没有提权.
BOOL iteratorMemory(DWORD dwPid)
{
    if (dwPid == 0 || dwPid == 4)
        return FALSE;

    
    HANDLE hProcess = 0;
    DWORD dwTempSize = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
    if (!hProcess)
    {

        return FALSE;
    }

    PMEMORY_BASIC_INFORMATION pMemInfo = new MEMORY_BASIC_INFORMATION();
    DWORD dwErrorCode;
    dwErrorCode = VirtualQueryEx(hProcess, 0, pMemInfo, sizeof(MEMORY_BASIC_INFORMATION));
    if (0 == dwErrorCode)
    {
        return FALSE;
    }


    // pMeminfo->Regionsize 代表当前遍历出的内存大小
    for (__int64 i = pMemInfo->RegionSize; i < (i + pMemInfo->RegionSize); i += pMemInfo->RegionSize)
    {

        dwErrorCode = VirtualQueryEx(hProcess, (LPVOID)i, pMemInfo, sizeof(MEMORY_BASIC_INFORMATION));
        if (0 == dwErrorCode)
            break;

        if (pMemInfo->State != MEM_COMMIT)      //判断提交状态
            continue;

        if (pMemInfo->Protect != PAGE_READWRITE) //判断内存属性
        {
            continue;
        }

        

        if (pMemInfo->Type != MEM_PRIVATE)      //判断类型 映射 私有 xxx
        {
            continue;
        }


        continue;

    }

    return FALSE;

}

原理: 原理主要是使用 ** VirtualQueryEx ** 函数. 函数遍历之后会将内存信息反馈到一个Buf中.这个Buf是个结构体 ** PMEMORY_BASIC_INFORMATION **

本文参与腾讯云自媒体同步曝光计划，分享自作者个人站点/博客。

如有侵权请联系 cloudcommunity@tencent.com 删除

遍历