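Using Cheat Engine, I found a byte array at address 0x10456554. I want to find that byte array in C#, so I first opened the game process with access rights 0x1F0FFF (all access), then ran ReadProcessMemory() over 0x00000000 - 0x7FFFFFFF (the whole process), and that part of the bytes (0x10000000 and so on) is all empty.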

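So I tried iterating over every module and dumping the data to separate dump files. However, that part of the address space (0x10000000) was never dumped, almost as if it had been skipped. Even Cheat Engine says this part of memory does not belong to a specific module. So I don't know where it comes from.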

public IntPtr pHandle = OpenProcess(0x1F0FFF, 1, id);
public Process procs = Process.GetProcessById(id);

//dump main module first
byte[] test = new byte[procs.MainModule.ModuleMemorySize];
ReadProcessMemory(pHandle, (UIntPtr)((int)procs.MainModule.BaseAddress), test, (UIntPtr)procs.MainModule.ModuleMemorySize, IntPtr.Zero);
File.WriteAllBytes(procs.MainModule.BaseAddress.ToString("x8") + " " + procs.MainModule.ModuleName + ".dmp", test);

//now dump all other modules
foreach (ProcessModule p in procs.Modules)
{
    byte[] test2 = new byte[p.ModuleMemorySize];
    ReadProcessMemory(pHandle, (UIntPtr)((int)p.BaseAddress), test2, (UIntPtr)p.ModuleMemorySize, IntPtr.Zero);
    File.WriteAllBytes(p.BaseAddress.ToString("x8") + " " + p.ModuleName + ".dmp", test2);
}
1 Answer

Thanks to @Tamas Hegedus for the answer. I found a good solution by using VirtualQueryEx with MEMORY_BASIC_INFORMATION.

I found this code at https://www.codeproject.com/Articles/716227/Csharp-How-to-Scan-a-Process-Memory

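long proc_min_address_l = (long)procs.MainModule.BaseAddress;
long proc_max_address_l = (long)procs.VirtualMemorySize64;
// Current query address as a pointer; advanced together with proc_min_address_l
IntPtr proc_min_address = new IntPtr(proc_min_address_l);

MEMORY_BASIC_INFORMATION mem_basic_info = new MEMORY_BASIC_INFORMATION();
while (proc_min_address_l < proc_max_address_l)
{
    // Describe the region that starts at the current address
    VirtualQueryEx(pHandle, proc_min_address, out mem_basic_info, Marshal.SizeOf(mem_basic_info));
    int region_size = (int)mem_basic_info.RegionSize;
    // Without a region size the address never advances, so stop here
    if (region_size <= 0) break;
    byte[] buffer = new byte[region_size];
    UIntPtr test = (UIntPtr)region_size;
    UIntPtr test2 = (UIntPtr)((int)mem_basic_info.BaseAddress);

    // Read the whole region into buffer
    ReadProcessMemory(pHandle, test2, buffer, test, IntPtr.Zero);
    // Move on to the next region
    proc_min_address_l += region_size;
    proc_min_address = new IntPtr(proc_min_address_l);
}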
answered 2017-08-04T12:36:45.850
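
The region walk described in the answer, as an added example that is not code from the post or from the CodeProject article: it walks the current process's own address space with VirtualQueryEx, reads only committed, readable regions, and totals image-backed bytes separately from private and mapped ones, which is why a dump driven by Process.Modules never reaches an address such as the one in the question. The class name `RegionWalk` and the local names are hypothetical, and the struct uses pointer-sized fields so the layout holds on x86 and x64.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionWalk
{
    const uint MEM_COMMIT = 0x1000, MEM_IMAGE = 0x1000000;
    const uint PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;   // SIZE_T is pointer-sized
        public uint State, Protect, Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    static void Main()
    {
        IntPtr h = Process.GetCurrentProcess().Handle;   // assumption: inspect this process only
        IntPtr len = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        long limit = IntPtr.Size == 8 ? long.MaxValue : int.MaxValue;
        long addr = 0, image = 0, nonImage = 0, failed = 0;
        MEMORY_BASIC_INFORMATION mbi;

        // VirtualQueryEx returns 0 once addr is past the last user-mode region.
        while (addr < limit && VirtualQueryEx(h, (IntPtr)addr, out mbi, len) != IntPtr.Zero)
        {
            long size = mbi.RegionSize.ToInt64();
            // Free, reserved, no-access and guard regions cannot be read; skip them.
            if (mbi.State == MEM_COMMIT && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0)
            {
                byte[] buf = new byte[(int)Math.Min(size, 4096)];   // probe the first page only
                IntPtr got;
                if (!ReadProcessMemory(h, mbi.BaseAddress, buf, (IntPtr)buf.Length, out got)) failed++;
                else if (mbi.Type == MEM_IMAGE) image += size;      // regions backed by loaded modules
                else nonImage += size;                              // private or mapped: heaps, stacks, file mappings
            }
            addr = mbi.BaseAddress.ToInt64() + size;                // next region starts where this one ends
        }
        Console.WriteLine("image: {0:N0} bytes, private/mapped: {1:N0} bytes, failed reads: {2}", image, nonImage, failed);
    }
}
```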