学习目标:
认识进程句柄HANDLE
GetWindowThreadProcessId //返回线程TID和进程PID
OpenProcess //获取进程句柄的函数
HANDLE OpenProcess(
[in] DWORD dwDesiredAccess, //渴望得到的访问权限(标志)
[in] BOOL bInheritHandle, // 是否继承句柄 0
[in] DWORD dwProcessId // 进程标示符PID
);
/*
[in] dwDesiredAccess
The access to the process object. This access right is checked against the security descriptor for the process. This parameter can be one or more of the process access rights.
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
[in] bInheritHandle
If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
[in] dwProcessId
The identifier of the local process to be opened.
If the specified process is the System Idle Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the System process or one of the Client Server Run-Time Subsystem (CSRSS) processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.
If you are using GetCurrentProcessId as an argument to this function, consider using GetCurrentProcess instead of OpenProcess, for improved performance.
Return value
If the function succeeds, the return value is an open handle to the specified process.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
Remarks
To open a handle to another local process and obtain full access rights, you must enable the SeDebugPrivilege privilege. For more information, see Changing Privileges in a Token.
The handle returned by the OpenProcess function can be used in any function that requires a handle to a process, such as the wait functions, provided the appropriate access rights were requested.
When you are finished with the handle, be sure to close it using the CloseHandle function.
dwDesiredAccess [1] :获取的权限,可分为以下几种
PROCESS_ALL_ACCESS:获取所有权限
PROCESS_CREATE_PROCESS:创建进程
PROCESS_CREATE_THREAD:创建线程
PROCESS_DUP_HANDLE:使用DuplicateHandle()函数复制一个新句柄
PROCESS_QUERY_INFORMATION:获取进程的令牌、退出码和优先级等信息
PROCESS_QUERY_LIMITED_INFORMATION:获取进程特定的某个信息
PROCESS_SET_INFORMATION:设置进程的某种信息
PROCESS_SET_QUOTA:使用SetProcessWorkingSetSize函数设置内存限制
PROCESS_SUSPEND_RESUME:暂停或者恢复一个进程
PROCESS_TERMINATE:使用Terminate函数终止进程
PROCESS_VM_OPERATION:在进程的地址空间执行操作
PROCESS_VM_READ:使用ReadProcessMemory函数在进程中读取内存
PROCESS_VM_WRITE:使用WriteProcessMemory函数在进程中写入内存
SYNCHRONIZE:使用wait函数等待进程终止
*/
ReadProcessMemory
BOOL ReadProcessMemory(
[in] HANDLE hProcess, //进程句柄 一般由OpenProcess返回
[in] LPCVOID lpBaseAddress, //游戏数据地址 160D98A0
[out] LPVOID lpBuffer, //用于存放数据的地址 存放阳光的地址 3333
[in] SIZE_T nSize, //表示从lpBaseAddress地址开始 读取nSize字节 4
[out] SIZE_T *lpNumberOfBytesRead
);
/*
参数
[in] hProcess
正在读取内存的进程句柄。 句柄必须具有对进程的PROCESS_VM_READ访问权限。
[in] lpBaseAddress
指向要从中读取的指定进程中基址的指针。 在发生任何数据传输之前,系统会验证指定大小的基址和内存中的所有数据都可供读取访问,如果无法访问,则函数将失败。
[out] lpBuffer
指向从指定进程的地址空间接收内容的缓冲区的指针。
[in] nSize
要从指定进程读取的字节数。
[out] lpNumberOfBytesRead
指向接收传输到指定缓冲区的字节数的变量的指针。 如果 lpNumberOfBytesRead 为 NULL,则忽略参数。
返回值
如果该函数成功,则返回值为非零值。
如果函数失败,则返回值为 0 (零) 。 要获得更多的错误信息,请调用 GetLastError。
如果请求的读取操作跨入无法访问的进程区域,该函数将失败。
注解
ReadProcessMemory 将指定地址范围中的数据从指定进程的地址空间复制到当前进程的指定缓冲区。 具有具有PROCESS_VM_READ访问权限的句柄的任何进程都可以调用函数。
要读取的整个区域必须可访问,如果无法访问,该函数将失败。
*/#include <iostream>
#include<Windows.h>
int main()
{
//1 通过窗口标题或者类名 获取目标窗口句柄
//2 通过窗口句柄获取进程的PID,TID
HWND 窗口句柄 = FindWindowA("MainWindow", "植物大战僵尸中文版");
printf("窗口句柄 h=%p\r\n", 窗口句柄);
DWORD pid = 0, tid = 0;
printf("&pid=%p\r\n", &pid);
// int 和long是等价
//DWORD 等价于 unsigned long
//DWORD* 等价于 LPDWORD
tid = GetWindowThreadProcessId(窗口句柄, &pid); // a&b
printf("tid=%d pid=%d 16进制tid=%X 16进制pid=%X\r\n", tid, pid, tid, pid);
//获取 进程 权限 句柄
HANDLE 进程句柄 = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);//HWND
printf("进程句柄=%p \r\n", 进程句柄);
unsigned int 返回值 = 0;
ReadProcessMemory(进程句柄,(LPCVOID)0x0BE9C028/*要读取的地址*/, &返回值/*存放数据的地址*/, 4, 0);
printf("返回值=%X 返回值=%d 返回值=%u\r\n", 返回值, 返回值, 返回值);// GetLastError();
}
3356
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
