0

我正在使用下面的方法来读取内存中的字节。我想读取彼此非常接近的内存地址中的值。以前,我一直在对内存中的每个字节进行单独调用,并使用 for 循环将结果添加到数组中。这变得非常低效,所以我想修改下面的代码来读取一大块内存,然后尝试对数组进行迭代以提取我想要的字节。我花了一些时间试图解决它,但真的很挣扎。仅供参考,此方法读取指针,然后如果该值是指针,则读取该指针,依此类推,直到到达静态地址,然后读取该地址处的字节值。

[DllImport("kernel32", EntryPoint = "ReadProcessMemory")]
private static extern byte ReadProcessMemoryByte(int Handle, int Address, ref byte Value, int Size, ref int BytesRead);


public static byte ReadPointerByte(string EXENAME, int Pointer, int[] Offset)
{
    byte Value = 0;
    checked
    {
        try
        {
            Process[] Proc = Process.GetProcessesByName(EXENAME);
            if (Proc.Length != 0)
            {
                int Bytes = 0;
                int Handle = OpenProcess(PROCESS_ALL_ACCESS, 0, Proc[0].Id);
                if (Handle != 0)
                {
                    foreach (int i in Offset)
                    {
                        ReadProcessMemoryInteger((int)Handle, Pointer, ref Pointer, 4, ref Bytes);
                        Pointer += i;
                    }
                    ReadProcessMemoryByte((int)Handle, Pointer, ref Value, 2, ref Bytes);
                    CloseHandle(Handle);
                }
            }
        }
        catch
        { }
    }
    return Value;
}

到目前为止我所拥有的:

 private void label1_Click(object sender, EventArgs e)
    {
        int[] valuesSeperated[200];
        List<byte> PreArray = new List<byte>();
        Process[] test = Process.GetProcessesByName("MyProcess"); //Get process handle 
        int baseAddress = test[0].MainModule.BaseAddress.ToInt32(); //Get base address
        byte ReadX  = MyClass.ReadPointerByte("MyProcess", BaseAddress, new int[] { 0xc, 0x0, 0x2 }); //call memory reading function (including memory offsets)
        PreArray.Add(ReadX);
                byte[] PreArrayToInt = PreArray.ToArray();
                int[] MYConvertedBytes = PreArray ToInt.Select(x => (int)x).ToArray();
                foreach (int i in MYConvertedBytes)
{
valuesSeperated // (don't really know what to do here, if the read was successful I would have a long number at [0], so now need to seperate these as if I had read each one in memory one at a time. 
}

string TestString = MYConvertedBytes[0].ToString();
                label1.Text = TestString;
    }

总结一下:我不知道如何使用上述方法读取更大的内存块(一次说 200 个地址)。我不知道如何最好地从结果数组中提取值以形成一个新数组,该数组现在已分离字节。请询问是否有任何不清楚的地方,我很新,真的很想学习,所以任何提示/帮助将不胜感激。

4

1 回答 1

1

您的互操作签名在我看来完全错误。

c签名是:

BOOL WINAPI ReadProcessMemory(
  __in   HANDLE hProcess,
  __in   LPCVOID lpBaseAddress,
  __out  LPVOID lpBuffer,
  __in   SIZE_T nSize,
  __out  SIZE_T *lpNumberOfBytesRead
);

它应该是这样的:

[DllImport("kernel32", EntryPoint = "ReadProcessMemory",SetLastError=true)]
private static extern unsafe bool NativeReadProcessMemory(IntPtr processHandle, IntPtr baseAddress, byte* buffer, IntPtr size, out IntPtr bytesRead);

static unsafe void ReadProcessMemory(IntPtr processHandle, IntPtr baseAddress, byte[] buffer,int start, int size)
{
    fixed(byte* pBuffer=buffer)
    {
        IntPtr bytesRead;
        if(!NativeReadProcessMemory(processHandle, baseAddress, pBuffer+start,(IntPtr)size, out bytesRead))
           throw new Win32Exception(Marshal.GetLastWin32Error());
        if((int)bytesRead!=size)
            throw new Exception("Incomplete read");//User better exception type here
    }
}
于 2012-06-29T09:48:31.437 回答