我正在尝试实时检查记事本的内存,因此我可以检测到特定字符串何时写入那里。我想第 1 步是找出该进程的内存范围。这是我到目前为止所拥有的:
int main()
{
MEMORY_BASIC_INFORMATION meminfo;
unsigned char *addr = 0;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,7280);
VirtualQueryEx(hProcess,addr,&meminfo,sizeof(meminfo));
CloseHandle(hProcess);
}
我想我需要以某种方式操纵 meminfo 以从那里获取信息。我需要找到完整的地址范围,以便可以遍历地址并搜索字符串。
任何帮助将不胜感激,如果这是一个愚蠢的问题,我提前道歉,但我只是从 C 开始。
谢谢
要获取所有已分配的有效内存区域的列表,您可以在 while 循环中使用 VirtualQueryEx,如下所示:
#include <iostream>
#include <windows.h>
#include <TlHelp32.h>
#include <tchar.h>
DWORD GetProcId(const TCHAR* procName)
{
DWORD procId = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 procEntry;
procEntry.dwSize = sizeof(procEntry);
if (Process32First(hSnap, &procEntry))
{
do
{
if (!_tcsicmp(procEntry.szExeFile, procName))
{
procId = procEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnap, &procEntry));
}
}
CloseHandle(hSnap);
return procId;
}
int main()
{
DWORD procid = GetProcId("ac_client.exe");
MEMORY_BASIC_INFORMATION meminfo;
unsigned char* addr = 0;
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
MEMORY_BASIC_INFORMATION mbi;
while (VirtualQueryEx(hProc, addr, &mbi, sizeof(mbi)))
{
if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS)
{
std::cout << "base : 0x" << std::hex << mbi.BaseAddress << " end : 0x" << std::hex << (uintptr_t)mbi.BaseAddress + mbi.RegionSize << "\n";
}
addr += mbi.RegionSize;
}
CloseHandle(hProc);
}