没有修改本进程的权限,所以有时候无法读取calc.exe进程内存中的数据。
#include "windows.h"
#include "string"
#include "iostream"
#include "tlhelp32.h"
using namespace std;
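// Image name (as reported by Toolhelp, without a path) of the process to inspect.
static const char* const kTargetImage = "calc.exe";
// Where and how much to read.  0x00401000 is one page past 0x00400000, the
// default load base of a 32-bit image, so presumably the start of the
// target's first section.  If the image is loaded elsewhere (e.g. relocated
// by ASLR) the page may not be mapped and ReadProcessMemory fails, which is
// reported below rather than ignored.
static LPVOID const kReadBase = reinterpret_cast<LPVOID>(0x00401000);
static const SIZE_T kReadSize = 1000;

// Open process `pid` with read access only and copy kReadSize bytes from
// kReadBase into a local buffer.
// Returns true on success; prints the Win32 error and returns false if the
// process cannot be opened or the read fails.
static bool ReadTargetBytes(DWORD pid)
{
    // Least privilege: ReadProcessMemory needs PROCESS_VM_READ and nothing
    // else.  PROCESS_ALL_ACCESS would be refused in more situations and
    // grants far more than a read-only inspection requires.
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        const DWORD err = GetLastError();
        std::cout << "OpenProcess(" << pid << ") failed, error " << err << "\n";
        return false;
    }

    BYTE buffer[kReadSize];
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, kReadBase, buffer, sizeof(buffer), &bytesRead);
    // GetLastError() is only meaningful after a failed call, and must be
    // read before any other API call (CloseHandle) can disturb it.
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(hProcess);

    if (!ok)
    {
        std::cout << "ReadProcessMemory failed, error " << err << "\n";
        return false;
    }
    std::cout << "read " << bytesRead << " bytes from pid " << pid << "\n";
    return true;
}

// Enumerate running processes and read a block of memory from every one
// whose image name is kTargetImage.
// Exit status: 0 when every matching process was read (or none was running),
// 1 if the snapshot could not be taken or any read failed.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        const DWORD err = GetLastError();
        std::cout << "CreateToolhelp32Snapshot failed, error " << err << "\n";
        return 1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry whose dwSize is unset
    const std::string target(kTargetImage);
    int failures = 0;

    for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
    {
        // Exact, case-sensitive match on the bare image name.
        if (target != pe32.szExeFile)
            continue;
        if (!ReadTargetBytes(pe32.th32ProcessID))
            ++failures;
    }

    // A snapshot handle is a kernel object like any other and must be released.
    CloseHandle(hSnapshot);
    return failures == 0 ? 0 : 1;
}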
参考
http://www.dreamincode.net/code/snippet3214.htm
修改版本:
#include "windows.h"
#include "string"
#include "iostream"
#include "tlhelp32.h"
using namespace std;
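// Image name (as reported by Toolhelp, without a path) of the process to inspect.
static const char* const kTargetImage = "calc.exe";
// Where and how much to read.  0x00401000 is one page past 0x00400000, the
// default load base of a 32-bit image, so presumably the start of the
// target's first section.  If the image is loaded elsewhere (e.g. relocated
// by ASLR) the page may not be mapped and ReadProcessMemory fails, which is
// reported below rather than ignored.
static LPVOID const kReadBase = reinterpret_cast<LPVOID>(0x00401000);
static const SIZE_T kReadSize = 1000;

// Enable SeDebugPrivilege in this process's token so that OpenProcess
// succeeds on processes the caller does not own (otherwise it fails with
// ERROR_ACCESS_DENIED).
// The privilege is only present in an elevated administrator's token: on a
// standard-user token LookupPrivilegeValue still succeeds and
// AdjustTokenPrivileges still returns TRUE, but nothing is enabled and
// GetLastError() reports ERROR_NOT_ALL_ASSIGNED, which is treated as failure
// here.  Holding the privilege amounts to full control of every process on
// the machine, so it is enabled only when a target is actually found.
// Returns true on success; shows a message box and returns false otherwise.
static bool EnableDebugPrivilege()
{
    TOKEN_PRIVILEGES tkp;
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tkp.Privileges[0].Luid))
    {
        MessageBox(NULL, "LookupPrivilegeValue error", "error", MB_OK);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Open this process's own token (the "token ring" of the process).
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MessageBox(NULL, "OpenProcessToken error", "error", MB_OK);
        return false;
    }

    // Adjust the process privileges.  The return value alone is not the
    // verdict: TRUE with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
    const DWORD err = GetLastError();
    CloseHandle(hToken);   // the token handle is not needed once adjusted

    if (!adjusted)
    {
        MessageBox(NULL, "AdjustTokenPrivileges error", "error", MB_OK);
        return false;
    }
    if (err == ERROR_NOT_ALL_ASSIGNED)
    {
        MessageBox(NULL, "SeDebugPrivilege is not held by this token (run elevated)", "error", MB_OK);
        return false;
    }
    return true;
}

// Open process `pid` with read access only and copy kReadSize bytes from
// kReadBase into a local buffer.
// Returns true on success; prints the Win32 error and returns false if the
// process cannot be opened or the read fails.
static bool ReadTargetBytes(DWORD pid)
{
    // Least privilege: ReadProcessMemory needs PROCESS_VM_READ and nothing
    // else.  Access masks are combined with `|`; `||` would collapse them
    // to the boolean 1, which is not a valid mask.
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        const DWORD err = GetLastError();
        std::cout << "OpenProcess(" << pid << ") failed, error " << err << "\n";
        return false;
    }

    BYTE buffer[kReadSize];
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, kReadBase, buffer, sizeof(buffer), &bytesRead);
    // GetLastError() is only meaningful after a failed call, and must be
    // read before any other API call (CloseHandle) can disturb it.
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(hProcess);

    if (!ok)
    {
        std::cout << "ReadProcessMemory failed, error " << err << "\n";
        return false;
    }
    std::cout << "read " << bytesRead << " bytes from pid " << pid << "\n";
    return true;
}

// Enumerate running processes and, for every one whose image name is
// kTargetImage, enable SeDebugPrivilege (once) and read a block of its memory.
// Exit status: 0 when every matching process was read (or none was running),
// 1 if the snapshot, the privilege adjustment, or any read failed.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        const DWORD err = GetLastError();
        std::cout << "CreateToolhelp32Snapshot failed, error " << err << "\n";
        return 1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry whose dwSize is unset
    const std::string target(kTargetImage);
    bool debugPrivilegeEnabled = false;
    int exitCode = 0;

    for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
    {
        // Exact, case-sensitive match on the bare image name.
        if (target != pe32.szExeFile)
            continue;

        // The privilege is process-wide: enable it on the first match only,
        // so a run that finds no target never touches the token.
        if (!debugPrivilegeEnabled)
        {
            if (!EnableDebugPrivilege())
            {
                exitCode = 1;
                break;
            }
            debugPrivilegeEnabled = true;
        }

        if (!ReadTargetBytes(pe32.th32ProcessID))
            exitCode = 1;
    }

    // A snapshot handle is a kernel object like any other and must be released.
    CloseHandle(hSnapshot);
    return exitCode;
}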
/*
参考:
http://www.cnblogs.com/feiyucq/archive/2009/10/22/1588122.html
http://blog.sina.com.cn/s/blog_4b3c1f950100hsp5.html
*/
继续修改版:增加查询内存信息功能
#include "windows.h"
#include "string"
#include "iostream"
#include "tlhelp32.h"
using namespace std;
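// Image name (as reported by Toolhelp, without a path) of the process to inspect.
static const char* const kTargetImage = "calc.exe";
// Address whose enclosing region is queried and read.  0x00400000 is the
// default load base of a 32-bit image; if the image is loaded elsewhere
// (e.g. relocated by ASLR) the region found here may be free, which the
// state check in ReadRegion reports instead of attempting a doomed read.
static LPVOID const kReadBase = reinterpret_cast<LPVOID>(0x00400000);

// Enable SeDebugPrivilege in this process's token so that OpenProcess
// succeeds on processes the caller does not own (otherwise it fails with
// ERROR_ACCESS_DENIED).
// The privilege is only present in an elevated administrator's token: on a
// standard-user token LookupPrivilegeValue still succeeds and
// AdjustTokenPrivileges still returns TRUE, but nothing is enabled and
// GetLastError() reports ERROR_NOT_ALL_ASSIGNED, which is treated as failure
// here.  Holding the privilege amounts to full control of every process on
// the machine, so it is enabled only when a target is actually found.
// Returns true on success; shows a message box and returns false otherwise.
static bool EnableDebugPrivilege()
{
    TOKEN_PRIVILEGES tkp;
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tkp.Privileges[0].Luid))
    {
        MessageBox(NULL, "LookupPrivilegeValue error", "error", MB_OK);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Open this process's own token (the "token ring" of the process).
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MessageBox(NULL, "OpenProcessToken error", "error", MB_OK);
        return false;
    }

    // Adjust the process privileges.  The return value alone is not the
    // verdict: TRUE with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
    const DWORD err = GetLastError();
    CloseHandle(hToken);   // the token handle is not needed once adjusted

    if (!adjusted)
    {
        MessageBox(NULL, "AdjustTokenPrivileges error", "error", MB_OK);
        return false;
    }
    if (err == ERROR_NOT_ALL_ASSIGNED)
    {
        MessageBox(NULL, "SeDebugPrivilege is not held by this token (run elevated)", "error", MB_OK);
        return false;
    }
    return true;
}

// Query the region of `hProcess` that contains kReadBase and read the whole
// region into a heap buffer (the contents are discarded; this version only
// exercises the query-then-read sequence).
// Returns true on success; prints a diagnostic and returns false if the
// query fails, the region is not readable, or the read fails.
static bool ReadRegion(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    // VirtualQueryEx returns the number of bytes written to mbi, 0 on
    // failure.  On failure mbi is not filled in, so RegionSize must not be
    // used to size an allocation.
    if (VirtualQueryEx(hProcess, kReadBase, &mbi, sizeof(mbi)) == 0)
    {
        const DWORD err = GetLastError();
        std::cout << "VirtualQueryEx failed, error " << err << "\n";
        return false;
    }

    // ReadProcessMemory requires the whole range to be accessible: free or
    // merely reserved regions and PAGE_NOACCESS / guard pages make it fail,
    // so report them instead of reading.
    if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD) != 0)
    {
        std::cout << "region at " << mbi.BaseAddress << " is not readable (State=0x" << std::hex
                  << mbi.State << ", Protect=0x" << mbi.Protect << std::dec << ")\n";
        return false;
    }

    // Read from the region's own base (page aligned), not from kReadBase:
    // RegionSize is counted from BaseAddress, so pairing it with an address
    // inside the region would overrun the region's end.  Pass the buffer
    // pointer itself, not its address.
    BYTE* buffer = new BYTE[mbi.RegionSize];
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead);
    // GetLastError() is only meaningful after a failed call.
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    delete[] buffer;   // single exit below keeps new[]/delete[] paired

    if (!ok)
    {
        std::cout << "ReadProcessMemory failed, error " << err << "\n";
        return false;
    }
    std::cout << "read " << bytesRead << " of " << mbi.RegionSize << " bytes at " << mbi.BaseAddress << "\n";
    return true;
}

// Open process `pid` with the minimum access the inspection needs and read
// the region at kReadBase.
// Returns true on success; prints the Win32 error and returns false if the
// process cannot be opened, and propagates ReadRegion's result otherwise.
static bool InspectProcess(DWORD pid)
{
    // Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
    // ReadProcessMemory needs PROCESS_VM_READ.  Access masks are combined
    // with `|`; `||` would collapse them to the boolean 1.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        const DWORD err = GetLastError();
        std::cout << "OpenProcess(" << pid << ") failed, error " << err << "\n";
        return false;
    }
    const bool ok = ReadRegion(hProcess);
    CloseHandle(hProcess);
    return ok;
}

// Enumerate running processes and, for every one whose image name is
// kTargetImage, enable SeDebugPrivilege (once), query the memory region at
// kReadBase and read it.
// Exit status: 0 when every matching process was read (or none was running),
// 1 if the snapshot, the privilege adjustment, or any query/read failed.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        const DWORD err = GetLastError();
        std::cout << "CreateToolhelp32Snapshot failed, error " << err << "\n";
        return 1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry whose dwSize is unset
    const std::string target(kTargetImage);
    bool debugPrivilegeEnabled = false;
    int exitCode = 0;

    for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
    {
        // Exact, case-sensitive match on the bare image name.
        if (target != pe32.szExeFile)
            continue;

        // The privilege is process-wide: enable it on the first match only,
        // so a run that finds no target never touches the token.
        if (!debugPrivilegeEnabled)
        {
            if (!EnableDebugPrivilege())
            {
                exitCode = 1;
                break;
            }
            debugPrivilegeEnabled = true;
        }

        if (!InspectProcess(pe32.th32ProcessID))
            exitCode = 1;
    }

    // A snapshot handle is a kernel object like any other and must be released.
    CloseHandle(hSnapshot);
    return exitCode;
}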
/*
参考:
http://www.cnblogs.com/feiyucq/archive/2009/10/22/1588122.html
http://blog.sina.com.cn/s/blog_4b3c1f950100hsp5.html
*/
参考:C++内存分配秘籍—new,malloc,GlobalAlloc详解
http://www.cnblogs.com/gaochaooo/archive/2009/09/03/1559764.html
输出内存信息到文件:(有一点小问题,输出的信息和原信息有点对不上,多了几个回车键)
问题原因:说出了原因
http://www.529it.com/bianchengmianfeijiaocheng/10515.html
当按照文本方式向文件中写入数值时,一旦碰到换行字符(asc 10)则会转换为"回车-换行"(asc 10 13),在读取文件时,一旦碰到"回车-换行"的组合,则会转换为换行字符。当按照二进制方式向文件中写入数值时,则会将数值在内存中的存储形式原样输出到文件中。
#include "windows.h"
#include "string"
#include "iostream"
#include "tlhelp32.h"
using namespace std;
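// Image name (as reported by Toolhelp, without a path) of the process to inspect.
static const char* const kTargetImage = "calc.exe";
// Address whose enclosing region is queried and dumped.  0x00400000 is the
// default load base of a 32-bit image; if the image is loaded elsewhere
// (e.g. relocated by ASLR) the region found here may be free, which the
// state check in DumpRegion reports instead of attempting a doomed read.
static LPVOID const kReadBase = reinterpret_cast<LPVOID>(0x00400000);
// Dump file, appended to in the current directory on every matching process.
static const char kDumpPath[] = "test.log";

// Enable SeDebugPrivilege in this process's token so that OpenProcess
// succeeds on processes the caller does not own (otherwise it fails with
// ERROR_ACCESS_DENIED).
// The privilege is only present in an elevated administrator's token: on a
// standard-user token LookupPrivilegeValue still succeeds and
// AdjustTokenPrivileges still returns TRUE, but nothing is enabled and
// GetLastError() reports ERROR_NOT_ALL_ASSIGNED, which is treated as failure
// here.  Holding the privilege amounts to full control of every process on
// the machine, so it is enabled only when a target is actually found.
// Returns true on success; shows a message box and returns false otherwise.
static bool EnableDebugPrivilege()
{
    TOKEN_PRIVILEGES tkp;
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tkp.Privileges[0].Luid))
    {
        MessageBox(NULL, "LookupPrivilegeValue error", "error", MB_OK);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Open this process's own token (the "token ring" of the process).
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MessageBox(NULL, "OpenProcessToken error", "error", MB_OK);
        return false;
    }

    // Adjust the process privileges.  The return value alone is not the
    // verdict: TRUE with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
    const DWORD err = GetLastError();
    CloseHandle(hToken);   // the token handle is not needed once adjusted

    if (!adjusted)
    {
        MessageBox(NULL, "AdjustTokenPrivileges error", "error", MB_OK);
        return false;
    }
    if (err == ERROR_NOT_ALL_ASSIGNED)
    {
        MessageBox(NULL, "SeDebugPrivilege is not held by this token (run elevated)", "error", MB_OK);
        return false;
    }
    return true;
}

// Append `count` bytes of `data` to kDumpPath.
// Returns true if every byte was written; prints a diagnostic and returns
// false if the file cannot be opened or the write is short.
// NOTE: "a" opens the file in TEXT mode.  The CRT then rewrites every 0x0A
// byte as 0x0D 0x0A on the way out, so the dump is longer than the region
// and no longer matches memory byte for byte.  A faithful copy needs binary
// mode ("ab").
static bool AppendToDump(const BYTE* data, SIZE_T count)
{
    FILE* fp = fopen(kDumpPath, "a");
    if (fp == NULL)
    {
        printf("error!!\n");
        return false;
    }
    // A short write is reported through fwrite's return value; GetLastError()
    // says nothing about CRT stream failures.
    const bool ok = fwrite(data, sizeof(BYTE), count, fp) == count;
    if (!ok)
        printf("short write to %s\n", kDumpPath);
    fclose(fp);   // always closed, even after a failed write
    return ok;
}

// Query the region of `hProcess` that contains kReadBase, read the whole
// region into a heap buffer and append the bytes actually read to the dump.
// Returns true on success; prints a diagnostic and returns false if the
// query fails, the region is not readable, or the read or write fails.
static bool DumpRegion(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    // VirtualQueryEx returns the number of bytes written to mbi, 0 on
    // failure.  On failure mbi is not filled in, so RegionSize must not be
    // used to size an allocation.
    if (VirtualQueryEx(hProcess, kReadBase, &mbi, sizeof(mbi)) == 0)
    {
        const DWORD err = GetLastError();
        std::cout << "VirtualQueryEx failed, error " << err << "\n";
        return false;
    }

    // ReadProcessMemory requires the whole range to be accessible: free or
    // merely reserved regions and PAGE_NOACCESS / guard pages make it fail,
    // so report them instead of reading.
    if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD) != 0)
    {
        std::cout << "region at " << mbi.BaseAddress << " is not readable (State=0x" << std::hex
                  << mbi.State << ", Protect=0x" << mbi.Protect << std::dec << ")\n";
        return false;
    }

    // Read from the region's own base (page aligned), not from kReadBase:
    // RegionSize is counted from BaseAddress.  Pass the buffer pointer
    // itself, not its address.
    BYTE* buffer = new BYTE[mbi.RegionSize];
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead);
    // GetLastError() is only meaningful after a failed call.
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();

    bool written = false;
    if (!ok)
        std::cout << "ReadProcessMemory failed, error " << err << "\n";
    else
        written = AppendToDump(buffer, bytesRead);   // only bytes that were actually read, never uninitialised heap

    delete[] buffer;   // single exit keeps new[]/delete[] paired on every path
    return ok && written;
}

// Open process `pid` with the minimum access the inspection needs and dump
// the region at kReadBase.
// Returns true on success; prints the Win32 error and returns false if the
// process cannot be opened, and propagates DumpRegion's result otherwise.
static bool InspectProcess(DWORD pid)
{
    // Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
    // ReadProcessMemory needs PROCESS_VM_READ.  Access masks are combined
    // with `|`; `||` would collapse them to the boolean 1.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        const DWORD err = GetLastError();
        std::cout << "OpenProcess(" << pid << ") failed, error " << err << "\n";
        return false;
    }
    const bool ok = DumpRegion(hProcess);
    CloseHandle(hProcess);
    return ok;
}

// Enumerate running processes and, for every one whose image name is
// kTargetImage, enable SeDebugPrivilege (once), query the memory region at
// kReadBase and append it to kDumpPath.  A failure for one process is
// reported and the remaining matches are still processed.
// Exit status: 0 when every matching process was dumped (or none was
// running), 1 if the snapshot, the privilege adjustment, or any dump failed.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        const DWORD err = GetLastError();
        std::cout << "CreateToolhelp32Snapshot failed, error " << err << "\n";
        return 1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry whose dwSize is unset
    const std::string target(kTargetImage);
    bool debugPrivilegeEnabled = false;
    int exitCode = 0;

    for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
    {
        // Exact, case-sensitive match on the bare image name.
        if (target != pe32.szExeFile)
            continue;

        // The privilege is process-wide: enable it on the first match only,
        // so a run that finds no target never touches the token.
        if (!debugPrivilegeEnabled)
        {
            if (!EnableDebugPrivilege())
            {
                exitCode = 1;
                break;
            }
            debugPrivilegeEnabled = true;
        }

        if (!InspectProcess(pe32.th32ProcessID))
            exitCode = 1;
    }

    // A snapshot handle is a kernel object like any other and must be released.
    CloseHandle(hSnapshot);
    return exitCode;
}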
/*
参考:
http://www.cnblogs.com/feiyucq/archive/2009/10/22/1588122.html
http://blog.sina.com.cn/s/blog_4b3c1f950100hsp5.html
http://hi.baidu.com/laona/blog/item/13c154e7345b0e2eb93820d3.html
http://www.loveunix.net/viewthread.php?tid=46301
*/
ASCII码表参考:
http://www.96yx.com/tool/ASC2.htm
http://blog.csdn.net/lilinjian2001/article/details/2543903
修改上一版本:(以二进制打开即可)
#include "windows.h"
#include "string"
#include "iostream"
#include "tlhelp32.h"
using namespace std;
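// Image name (as reported by Toolhelp, without a path) of the process to inspect.
static const char* const kTargetImage = "calc.exe";
// Address whose enclosing region is queried and dumped.  0x00400000 is the
// default load base of a 32-bit image; if the image is loaded elsewhere
// (e.g. relocated by ASLR) the region found here may be free, which the
// state check in DumpRegion reports instead of attempting a doomed read.
static LPVOID const kReadBase = reinterpret_cast<LPVOID>(0x00400000);
// Dump file, appended to in the current directory on every matching process.
static const char kDumpPath[] = "test.log";

// Enable SeDebugPrivilege in this process's token so that OpenProcess
// succeeds on processes the caller does not own (otherwise it fails with
// ERROR_ACCESS_DENIED).
// The privilege is only present in an elevated administrator's token: on a
// standard-user token LookupPrivilegeValue still succeeds and
// AdjustTokenPrivileges still returns TRUE, but nothing is enabled and
// GetLastError() reports ERROR_NOT_ALL_ASSIGNED, which is treated as failure
// here.  Holding the privilege amounts to full control of every process on
// the machine, so it is enabled only when a target is actually found.
// Returns true on success; shows a message box and returns false otherwise.
static bool EnableDebugPrivilege()
{
    TOKEN_PRIVILEGES tkp;
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tkp.Privileges[0].Luid))
    {
        MessageBox(NULL, "LookupPrivilegeValue error", "error", MB_OK);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Open this process's own token (the "token ring" of the process).
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MessageBox(NULL, "OpenProcessToken error", "error", MB_OK);
        return false;
    }

    // Adjust the process privileges.  The return value alone is not the
    // verdict: TRUE with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
    const DWORD err = GetLastError();
    CloseHandle(hToken);   // the token handle is not needed once adjusted

    if (!adjusted)
    {
        MessageBox(NULL, "AdjustTokenPrivileges error", "error", MB_OK);
        return false;
    }
    if (err == ERROR_NOT_ALL_ASSIGNED)
    {
        MessageBox(NULL, "SeDebugPrivilege is not held by this token (run elevated)", "error", MB_OK);
        return false;
    }
    return true;
}

// Append `count` bytes of `data` to kDumpPath.
// Returns true if every byte was written; prints a diagnostic and returns
// false if the file cannot be opened or the write is short.
// "ab" is binary mode: 0x0A bytes are stored as-is.  In text mode ("a") the
// CRT would expand each to 0x0D 0x0A and the file would no longer be a
// faithful image of memory.
static bool AppendToDump(const BYTE* data, SIZE_T count)
{
    FILE* fp = fopen(kDumpPath, "ab");
    if (fp == NULL)
    {
        printf("error!!\n");
        return false;
    }
    // fwrite(ptr, size, count, fp) takes the element size and the element
    // count separately; with 1-byte elements the count is the byte count.
    // A short write is reported through the return value; GetLastError()
    // says nothing about CRT stream failures.
    const bool ok = fwrite(data, sizeof(BYTE), count, fp) == count;
    if (!ok)
        printf("short write to %s\n", kDumpPath);
    fclose(fp);   // always closed, even after a failed write
    return ok;
}

// Query the region of `hProcess` that contains kReadBase, read the whole
// region into a heap buffer and append the bytes actually read to the dump.
// Returns true on success; prints a diagnostic and returns false if the
// query fails, the region is not readable, or the read or write fails.
static bool DumpRegion(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    // VirtualQueryEx returns the number of bytes written to mbi, 0 on
    // failure.  On failure mbi is not filled in, so RegionSize must not be
    // used to size an allocation.
    if (VirtualQueryEx(hProcess, kReadBase, &mbi, sizeof(mbi)) == 0)
    {
        const DWORD err = GetLastError();
        std::cout << "VirtualQueryEx failed, error " << err << "\n";
        return false;
    }

    // ReadProcessMemory requires the whole range to be accessible: free or
    // merely reserved regions and PAGE_NOACCESS / guard pages make it fail,
    // so report them instead of reading.
    if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD) != 0)
    {
        std::cout << "region at " << mbi.BaseAddress << " is not readable (State=0x" << std::hex
                  << mbi.State << ", Protect=0x" << mbi.Protect << std::dec << ")\n";
        return false;
    }

    // Read from the region's own base (page aligned), not from kReadBase:
    // RegionSize is counted from BaseAddress.  Pass the buffer pointer
    // itself, not its address.
    BYTE* buffer = new BYTE[mbi.RegionSize];
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead);
    // GetLastError() is only meaningful after a failed call.
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();

    bool written = false;
    if (!ok)
        std::cout << "ReadProcessMemory failed, error " << err << "\n";
    else
        written = AppendToDump(buffer, bytesRead);   // only bytes that were actually read, never uninitialised heap

    delete[] buffer;   // single exit keeps new[]/delete[] paired on every path
    return ok && written;
}

// Open process `pid` with the minimum access the inspection needs and dump
// the region at kReadBase.
// Returns true on success; prints the Win32 error and returns false if the
// process cannot be opened, and propagates DumpRegion's result otherwise.
static bool InspectProcess(DWORD pid)
{
    // Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
    // ReadProcessMemory needs PROCESS_VM_READ.  Access masks are combined
    // with `|`; `||` would collapse them to the boolean 1.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL)
    {
        const DWORD err = GetLastError();
        std::cout << "OpenProcess(" << pid << ") failed, error " << err << "\n";
        return false;
    }
    const bool ok = DumpRegion(hProcess);
    CloseHandle(hProcess);
    return ok;
}

// Enumerate running processes and, for every one whose image name is
// kTargetImage, enable SeDebugPrivilege (once), query the memory region at
// kReadBase and append it to kDumpPath in binary mode.  A failure for one
// process is reported and the remaining matches are still processed.
// Exit status: 0 when every matching process was dumped (or none was
// running), 1 if the snapshot, the privilege adjustment, or any dump failed.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        const DWORD err = GetLastError();
        std::cout << "CreateToolhelp32Snapshot failed, error " << err << "\n";
        return 1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry whose dwSize is unset
    const std::string target(kTargetImage);
    bool debugPrivilegeEnabled = false;
    int exitCode = 0;

    for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
    {
        // Exact, case-sensitive match on the bare image name.
        if (target != pe32.szExeFile)
            continue;

        // The privilege is process-wide: enable it on the first match only,
        // so a run that finds no target never touches the token.
        if (!debugPrivilegeEnabled)
        {
            if (!EnableDebugPrivilege())
            {
                exitCode = 1;
                break;
            }
            debugPrivilegeEnabled = true;
        }

        if (!InspectProcess(pe32.th32ProcessID))
            exitCode = 1;
    }

    // A snapshot handle is a kernel object like any other and must be released.
    CloseHandle(hSnapshot);
    return exitCode;
}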
/*
参考:
http://www.cnblogs.com/feiyucq/archive/2009/10/22/1588122.html
http://blog.sina.com.cn/s/blog_4b3c1f950100hsp5.html
http://hi.baidu.com/laona/blog/item/13c154e7345b0e2eb93820d3.html
http://www.loveunix.net/viewthread.php?tid=46301
说出了原因
http://www.529it.com/bianchengmianfeijiaocheng/10515.html
*/
参考: