
Questions about ReadProcessMemory

2012-05-05 

A question about ReadProcessMemory
After opening this process's exe file with C32Asm, the IMAGE_DOS_HEADER is displayed as follows:

0 1 2 3 4 5 6 7 8 9 A B C D E F

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 

The code in the program:

DWORD buff = 0;
ReadProcessMemory(GetCurrentProcess(),GetModuleHandle(0),&buff,sizeof(DWORD),NULL);
// this gives buff = 00905A4D, i.e. the value at 0x0---0x3

ReadProcessMemory(GetCurrentProcess(),GetModuleHandle(0)+0x1,&buff,sizeof(DWORD),NULL);
// this gives buff = 00000003, i.e. the value at 0x4---0x7

ReadProcessMemory(GetCurrentProcess(),GetModuleHandle(0)+0x2,&buff,sizeof(DWORD),NULL);
// this gives buff = 00000004, i.e. the value at 0x8---0xB

ReadProcessMemory(GetCurrentProcess(),GetModuleHandle(0)+0x3,&buff,sizeof(DWORD),NULL);
// this gives buff = 0000FFFF, i.e. the value at 0xC---0xF


Why does each 0x1 added to the program's base address move 4 bytes?
If I only want to move 1 byte, how much should I add? For example, if I want to read the value at 0x1 through 0x4, i.e. 0300905A, what should I do?

[Solution]
ReadProcessMemory
The ReadProcessMemory function reads memory in a specified process. The entire area to be read must be accessible, or the operation fails. 

BOOL ReadProcessMemory(
  HANDLE hProcess,              // handle to the process whose memory is read
  LPCVOID lpBaseAddress,        // address to start reading
  LPVOID lpBuffer,              // address of buffer to place read data
  DWORD nSize,                  // number of bytes to read
  LPDWORD lpNumberOfBytesRead   // address of number of bytes read
);
 
Parameters
hProcess 
Handle to the process whose memory is being read. The handle must have PROCESS_VM_READ access to the process. 
lpBaseAddress 
Pointer to the base address in the specified process to be read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails. 
lpBuffer 
Pointer to a buffer that receives the contents from the address space of the specified process. 
nSize 
Specifies the requested number of bytes to read from the specified process. 
lpNumberOfBytesRead 
Pointer to the actual number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored. 
Return Values
If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

The function fails if the requested read operation crosses into an area of the process that is inaccessible. 

Remarks
ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function. The process whose address space is read is typically, but not necessarily, being debugged. 

The entire area to be read must be accessible. If it is not, the function fails as noted previously. 


[Solution]
(char*)GetModuleHandle(0)+0x1
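
The 4-byte step from the question and the cast from the last answer, as an added example that is not part of the original thread. It is portable C: `fake_hinstance`, `fake_module_handle` and `read_dword` are hypothetical stand-ins for the Windows `HINSTANCE__` struct (a single `int` under STRICT), `GetModuleHandle(0)` and a 4-byte `ReadProcessMemory`, run over the header bytes from the question and assuming a 4-byte `int`.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Windows type: with STRICT, DECLARE_HANDLE makes HMODULE
   a pointer to a struct holding one int, so the pointed-to type is 4 bytes. */
struct fake_hinstance { int unused; };
typedef struct fake_hinstance *FAKE_HMODULE;

/* First 16 bytes of the IMAGE_DOS_HEADER dump shown in the question. */
static union {
    struct fake_hinstance h[4];
    unsigned char bytes[16];
} image = { .bytes = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
                       0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00 } };

/* Hypothetical stand-in for GetModuleHandle(0). */
static FAKE_HMODULE fake_module_handle(void) { return image.h; }

/* Hypothetical stand-in for a 4-byte ReadProcessMemory: returns 0 unless the
   whole range lies inside the image, else stores a little-endian DWORD. */
static int read_dword(const void *addr, uint32_t *out)
{
    uintptr_t a = (uintptr_t)addr, lo = (uintptr_t)image.bytes;
    if (a < lo || a - lo > sizeof image.bytes - 4)
        return 0;
    const unsigned char *p = addr;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}

int main(void)
{
    FAKE_HMODULE base = fake_module_handle();
    uint32_t v = 0;
    /* base + 1 is scaled by sizeof(struct fake_hinstance): offset 4. */
    if (read_dword(base + 1, &v))
        printf("base + 1                  -> %08X\n", (unsigned)v);
    /* Cast to a byte pointer first and the step is exactly 1 byte. */
    if (read_dword((const unsigned char *)base + 1, &v))
        printf("(unsigned char *)base + 1 -> %08X\n", (unsigned)v);
    return 0;
}
```

Unlike the calls in the question, `read_dword` reports failure, which matches the documented behaviour that the read fails when any part of the range is inaccessible.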
