
能否给我一个例子,说明如何在 VB 中获取 ReadProcessMemory 的输出?

例如,我想用 ReadProcessMemory 读出任意程序的全部内存内容,然后写入一个文本文件。




ReadProcessMemory 很少单独使用,因为要读取的内存地址必须先从某个地方得到。我手头也没有转储整个进程内存的代码,但下面是一个使用本机 API ZwQueryInformationProcess 读取进程命令行的示例。

在本例中,GetProcessCommandLine 使用 ZwQueryInformationProcess 取得给定进程的 PEB 地址,然后在目标进程内存中沿 PEB → ProcessParameters → CommandLine 找到命令行。需要注意:代码中的偏移量(PEB+&H10、ProcessParameters+&H40/+&H44)是 32 位 PEB 的布局,只适用于 32 位代码读取 32 位目标进程;传入的进程句柄至少要有 PROCESS_QUERY_INFORMATION 和 PROCESS_VM_READ 权限,否则读取会失败并返回空字符串。另外,读出的内容来自目标进程自己的用户态内存,进程可以在启动后改写自己的 PEB,所以这个命令行只能当作不可信的自报数据,而不能当作进程实际启动参数的证据。

Option Explicit
' ZwQueryInformationProcess from ntdll (native, undocumented API). Used below with
' ProcessBasicInformation to fill a PROCESS_BASIC_INFORMATION whose PebBaseAddress
' is the starting point for the PEB walk in GetProcessCommandLine. Returns an
' NTSTATUS; 0 is success. "ReturnLenght" is a typo for ReturnLength: it receives the
' number of bytes written to ProcessInformation.
Public Declare Function ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal InformationClass As PROCESSINFOCLASS, ByRef ProcessInformation As Any, ByVal ProcessInformationLength As Long, ByRef ReturnLenght As Long) As Long
' kernel32 ReadProcessMemory. lpBaseAddress is declared "As Any" (ByRef by default),
' so callers must pass the target address with ByVal; lpBuffer receives the bytes.
' The last parameter is named lpNumberOfBytesWritten here but is the Win32
' lpNumberOfBytesRead: the count of bytes actually copied out of the target.
' hProcess needs PROCESS_VM_READ access. Handles and addresses are Long (32-bit).
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Mirror of ntdll's PROCESSINFOCLASS. Members have no explicit values, so they are
' numbered in declaration order starting at 0 (ProcessBasicInformation = 0); the
' order must therefore match the native enum exactly. Only ProcessBasicInformation
' is used in this file.
Public Enum PROCESSINFOCLASS
      ProcessBasicInformation
      ProcessQuotaLimits
      ProcessIoCounters
      ProcessVmCounters
      ProcessTimes
      ProcessBasePriority
      ProcessRaisePriority
      ProcessDebugPort
      ProcessExceptionPort
      ProcessAccessToken
      ProcessLdtInformation
      ProcessLdtSize
      ProcessDefaultHardErrorMode
      ProcessIoPortHandlers         ' Note: this is kernel mode only
      ProcessPooledUsageAndLimits
      ProcessWorkingSetWatch
      ProcessUserModeIOPL
      ProcessEnableAlignmentFaultFixup
      ProcessPriorityClass
      ProcessWx86Information
      ProcessHandleCount
      ProcessAffinityMask
      ProcessPriorityBoost
      ProcessDeviceMap
      ProcessSessionInformation
      ProcessForegroundInformation
      ProcessWow64Information
      ProcessImageFileName
      ProcessLUIDDeviceMapsEnabled
      ProcessBreakOnTermination
      ProcessDebugObjectHandle
      ProcessDebugFlags
      ProcessHandleTracing
      ProcessIoPriority
      ProcessExecuteFlags
      ProcessResourceManagement
      ProcessCookie
      ProcessImageInformation
      MaxProcessInfoClass           ' MaxProcessInfoClass should always be the last enum
End Enum


' 32-bit layout of the native PROCESS_BASIC_INFORMATION: six 4-byte fields,
' 24 bytes in total. Len() of a variable of this type is passed as the buffer
' length to ZwQueryInformationProcess. Only PebBaseAddress is consumed here; it is
' the address of the target's PEB inside the target's own address space.
Public Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long
    PebBaseAddress As Long
    AffinityMask As Long
    BasePriority As Long
    UniqueProcessId As Long
    InheritedFromUniqueProcessId As Long
End Type

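' Returns the command line of the process behind hProcess, or "" on any failure.
'
' hProcess must carry at least PROCESS_QUERY_INFORMATION (for
' ZwQueryInformationProcess) and PROCESS_VM_READ (for ReadProcessMemory); with
' less access the calls fail and "" is returned.
'
' Walk performed: ProcessBasicInformation -> PEB base; PEB + &H10 ->
' ProcessParameters (RTL_USER_PROCESS_PARAMETERS*); +&H40 -> CommandLine.Length
' (16-bit byte count); +&H44 -> CommandLine.Buffer (UTF-16); then the buffer itself.
'
' Caveats:
'  * The offsets are the 32-bit PEB layout, so this only works for 32-bit code
'    reading a 32-bit target. A 64-bit target has different offsets and 64-bit
'    pointers that do not fit in Long.
'  * Everything read lives in the target's user-mode memory. A process can rewrite
'    its own PEB after start-up, so the result is untrusted, self-reported data
'    (command-line spoofing) and not proof of how the process was launched.
Public Function GetProcessCommandLine(ByVal hProcess As Long) As String
    Dim status As Long
    Dim basicInfo As PROCESS_BASIC_INFORMATION
    Dim returnedLen As Long
    Dim bytesRead As Long
    Dim paramsAddr As Long
    Dim bufferAddr As Long
    Dim cmdLen As Long
    Dim cmdBytes() As Byte

    GetProcessCommandLine = ""
    If hProcess = 0 Then Exit Function

    status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, basicInfo, Len(basicInfo), returnedLen)
    If status <> 0 Then Exit Function           ' NTSTATUS: 0 = STATUS_SUCCESS
    If basicInfo.PebBaseAddress = 0 Then Exit Function

    ' PEB.ProcessParameters
    ReadProcessMemory hProcess, ByVal basicInfo.PebBaseAddress + &H10, paramsAddr, 4, bytesRead
    If bytesRead <> 4 Then Exit Function
    If paramsAddr = 0 Then Exit Function

    ' CommandLine.Length: only 2 bytes are copied into the Long, so the variable is
    ' a dedicated, zero-initialised local rather than a reused one (the original
    ' reused the ReturnLength variable, leaving its upper bytes in place).
    ReadProcessMemory hProcess, ByVal paramsAddr + &H40, cmdLen, 2, bytesRead
    If bytesRead <> 2 Then Exit Function

    ' CommandLine.Buffer
    ReadProcessMemory hProcess, ByVal paramsAddr + &H44, bufferAddr, 4, bytesRead
    If bytesRead <> 4 Then Exit Function

    ' An empty command line would otherwise hit ReDim (-1) and raise error 9.
    If cmdLen = 0 Or bufferAddr = 0 Then Exit Function

    ' cmdLen is bounded to 65535 by the 2-byte read even though the target controls it.
    ReDim cmdBytes(cmdLen - 1)
    ReadProcessMemory hProcess, ByVal bufferAddr, cmdBytes(0), cmdLen, bytesRead
    If bytesRead <> cmdLen Then Exit Function

    ' Byte() -> String copies the bytes verbatim; VB strings are UTF-16 like the buffer.
    GetProcessCommandLine = cmdBytes
End Function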