0

使用 JNA,我已经弄清楚如何读取/写入地址,但我不确定如何弄清楚它是什么类型的数据,例如

                                  D0 D1 D2 D3 D4 D5 D6 D7
someProgram.exe + "0x755A523D0" : 20 00 00 00 02 00 00 00
                                  D8 D9 DA DA DB DC DE DF
someProgram.exe + "0x755A523D8" : 14 00 00 00 04 00 00 00

我正在使用第三方内存查看器来查找这些值,以便我可以针对我的程序测试结果。

上面的两个地址包含 4 个整数,易于搜索,只需扫描每 4 个字节并将其转换为整数,但如果我有以下地址,则变得更加棘手

                                  D0 D1 D2 D3 D4 D5 D6 D7
someProgram.exe + "0x755A523D0" : 20 00 00 00 02 00 00 00
                                  D8 D9 DA DA DB DC DE DF
someProgram.exe + "0x755A523D8" : 14 00 00 00 04 00 00 00

只是为了证明我的观点,它们与上述地址完全相同,但它们不是整数,它们是多头

它也可以存储 4 个短 8 个字节或类型的组合。

是否可以检测到值类型是什么并使用 JNA 读取正确的值?

读取内存的代码片段

public static int[] ReadMyProcessMemory(Pointer ProcessToReadFrom, int AdressToReadFrom, int NumberOfBytesToRead)
    {
        //Make the Desired Functions available
        Kernel32 Kernel32dll = Kernel32.INSTANCE;

        int offset = AdressToReadFrom;
        IntByReference baseAddress = new IntByReference();
        baseAddress.setValue(offset);
        Memory outputBuffer = new Memory(NumberOfBytesToRead);

        boolean reader = Kernel32dll.ReadProcessMemory(ProcessToReadFrom, offset, outputBuffer, NumberOfBytesToRead, null);

        if (reader)
        {
            //Process the received Data
            byte[] bufferBytes = outputBuffer.getByteArray(0, NumberOfBytesToRead);

            //Who wants signed byte? NOONE ! Lets convert it to a nice int !

            int[] realvalues = new int[bufferBytes.length];

            for (int i = 0; i < bufferBytes.length; i++)
            {
                if (bufferBytes[i] < 0)
                {
                    realvalues[i] = 256 + bufferBytes[i];
                }
                else
                {
                    realvalues[i] = bufferBytes[i];
                }
            }
            //Conversion done ! lets Return the data (Remember its integer not hex)
            return realvalues;

        }
        else
        {
            //Reading went wrong - SHIT
            return null;
        }
    }

public interface Kernel32 extends StdCallLibrary
    {
        Kernel32 INSTANCE = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);

        boolean ReadProcessMemory(Pointer hProcess, int inBaseAddress, Pointer outputBuffer, int nSize, IntByReference outNumberOfBytesRead);

        public Pointer OpenProcess(int dwDesiredAccess, boolean bInheritHandle, int dwProcessId);

        boolean WriteProcessMemory(Pointer hProcess, int AdressToChange, Pointer ValuesToWrite, int nSize, IntByReference irgendwas);

        int GetLastError();

        //Needed for some Windows 7 Versions
        boolean EnumProcesses(int[] ProcessIDsOut, int size, int[] BytesReturned);

        int GetProcessImageFileNameW(Pointer Process, char[] outputname, int lenght);
    }
4

1 回答 1

0

不,如果没有关于类型的更多信息(内存中的某处),这是不可能的

于 2013-12-27T19:46:35.137 回答