I'm trying to search for a function by its "signature".

But I don't know what address range I should be searching?

I've looked at VirtualQuery() and GetNativeSystemInfo() but I'm not on the right track.

Edit: Another attempt at the question.

Using the Win32 API, I'm trying to figure out how to get the start and end addresses of the executable pages of the process my code is executing in.

This is what I've tried:

    #include <windows.h>
    #include <sstream>

    SYSTEM_INFO info;
    ZeroMemory( &info, sizeof( SYSTEM_INFO ) );
    GetNativeSystemInfo( &info ); // GetSystemInfo() might be wrong on WOW64.

    // Lowest and highest addresses available to user-mode applications.
    // Use a pointer-sized type: DWORD would truncate addresses on 64-bit.
    BYTE* addr = (BYTE*)info.lpMinimumApplicationAddress;
    BYTE* const maxAddr = (BYTE*)info.lpMaximumApplicationAddress;

    HANDLE thisProcess = GetCurrentProcess();

    MEMORY_BASIC_INFORMATION memInfo;
    ZeroMemory( &memInfo, sizeof( memInfo ) );
    do
    {
        if ( VirtualQueryEx( thisProcess, addr, &memInfo, sizeof( memInfo ) ) == 0 )
        {
            DWORD gle = GetLastError();
            if ( gle != ERROR_INVALID_PARAMETER )
            {
                std::stringstream str;
                str << "VirtualQueryEx failed with: " << gle;
                MessageBoxA( NULL, str.str().c_str(), "Error", MB_OK );
            }
            break;
        }

        // Committed pages backed by a mapped image (EXE/DLL) with an execute protection.
        if ( memInfo.State == MEM_COMMIT && memInfo.Type == MEM_IMAGE
             && ( memInfo.Protect & ( PAGE_EXECUTE | PAGE_EXECUTE_READ
                                      | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY ) ) )
        {
            // TODO: Scan this memory block for the signature
        }

        // Advance by the whole region VirtualQueryEx described, not one page at a time.
        addr = (BYTE*)memInfo.BaseAddress + memInfo.RegionSize;
    }
    while ( addr < maxAddr );

The reason for doing this is that I'm looking for a non-exported function, as in this question:

Finding a function by its signature in a Windows DLL

See the answer about "code signature scanning".

While this is enumerating an address range I don't know if this is correct or not since I don't know what the expected range should be. It's just the best I could come up with from looking around MSDN.

1 Answer

The address range when signature scanning a module is from the start of the code section to the start + the section size. The start of the code section and its size are in the PE. Most tools take the lazy route and scan the entire module (again using the PE to get the size, but with the module handle as the start address).

Answered 2012-05-27T08:37:43.827
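As an added example (not code from the question or the answer), here is a Python sketch of what the answer describes: read the section table from the PE headers to get the code section's start and size, and confine the signature search to that range, with the "lazy route" (module base to base + SizeOfImage) alongside it. It parses a constructed, minimal PE32 header rather than a real module; on Windows the same bytes would be read from the module's own headers at the address GetModuleHandle returns, and the memory snapshot would be the live mapping instead of a buffer. The header offsets, format strings and IMAGE_SCN_* flags follow the PE format; build_sample_image, demo and the sample signature bytes are constructed here for the example.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags marking a code / executable section
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def _nt_headers(image):
    """Return (file_header_offset, optional_header_offset, optional_header_size, section_count)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]  # DOS header -> NT headers
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    (_machine, num_sections, _ts, _symtab, _nsyms,
     size_opt, _chars) = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt_hdr = file_hdr + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return file_hdr, opt_hdr, size_opt, num_sections


def code_section_ranges(image, image_base):
    """Return [(section_name, start_va, end_va)] for every section flagged as code:
    the range the answer describes, section start to start + VirtualSize."""
    _, opt_hdr, size_opt, num_sections = _nt_headers(image)
    section_table = opt_hdr + size_opt  # section headers follow the optional header
    ranges = []
    for i in range(num_sections):  # each IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, _raw_size, _raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", image, section_table + i * 40)
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            start = image_base + vaddr
            ranges.append((name.rstrip(b"\0").decode("ascii"), start, start + vsize))
    return ranges


def whole_module_range(image, image_base):
    """The 'lazy route': module base to base + IMAGE_OPTIONAL_HEADER.SizeOfImage."""
    _, opt_hdr, _, _ = _nt_headers(image)
    size_of_image = struct.unpack_from("<I", image, opt_hdr + 56)[0]  # same offset in PE32 and PE32+
    return image_base, image_base + size_of_image


def find_signature(memory, memory_base, start, end, pattern):
    """Search [start, end) of a memory snapshot for a byte pattern (None = wildcard byte).
    `memory` holds the bytes mapped starting at virtual address memory_base."""
    lo = max(start - memory_base, 0)
    hi = min(end - memory_base, len(memory))
    n = len(pattern)
    for off in range(lo, hi - n + 1):
        if all(p is None or memory[off + i] == p for i, p in enumerate(pattern)):
            return memory_base + off
    return None


def build_sample_image():
    """Constructed test data: a minimal PE32 header set with a .text and a .data section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header with 16 data directories
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # Magic: PE32
    struct.pack_into("<I", opt, 56, 0x4000)  # SizeOfImage
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x3000, 0x200, 0x1800, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + text + data


def demo():
    """Locate a constructed signature, looking only inside the code section."""
    base = 0x400000
    image = build_sample_image()
    (_, text_start, text_end), = code_section_ranges(image, base)
    memory = bytearray(0x4000)  # constructed stand-in for the mapped module
    memory[0x1100:0x1106] = b"\x55\x8b\xec\x83\xec\x10"  # sample bytes inside .text
    memory[0x3000:0x3006] = b"\x55\x8b\xec\x83\xec\x10"  # same bytes inside .data, outside the range
    pattern = [0x55, 0x8B, 0xEC, None, None, 0x10]
    return find_signature(memory, base, text_start, text_end, pattern)


if __name__ == "__main__":
    image = build_sample_image()
    for name, start, end in code_section_ranges(image, 0x400000):
        print("%s: 0x%08x-0x%08x" % (name, start, end))
    print("whole module: 0x%08x-0x%08x" % whole_module_range(image, 0x400000))
    print("signature at: 0x%08x" % demo())
```

Restricting the search to the code section is what keeps a signature from matching stray bytes in data sections, which the demo shows by planting the same bytes in .data and only finding the .text copy; the whole-module range is the cheaper alternative the answer mentions, at the cost of that precision.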