#include<windows.h>
#include<errno.h>
#include<stdio.h>
#include<stdlib.h>
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// private
/*
 * Information classes accepted by NtQueryVirtualMemory. <windows.h> does not
 * provide this enum, hence the local definition; the trailing comment on each
 * member names the structure that class fills in. The enumerators are
 * positional (0..6) and must not be reordered. Only MemoryBasicInformation
 * (value 0) is used in this file.
 */
typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
MemoryMappedFilenameInformation, // UNICODE_STRING
MemoryRegionInformation, // MEMORY_REGION_INFORMATION
MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
MemoryImageInformation // MEMORY_IMAGE_INFORMATION
} MEMORY_INFORMATION_CLASS;
/*
 * Function-pointer type for ntdll's NtQueryVirtualMemory, which is resolved at
 * runtime with GetProcAddress (see main) rather than linked directly.
 * Returns an NTSTATUS; test the result with NT_SUCCESS. MemoryInformation
 * receives up to MemoryInformationLength bytes of the structure selected by
 * MemoryInformationClass. ReturnLength is optional and may be NULL.
 */
typedef
NTSTATUS
(NTAPI*NTQUERYVIRTUALMEMORY) (
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
_In_ SIZE_T MemoryInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
/* Resolved from ntdll.dll at runtime in main; NULL until that lookup has
 * succeeded, so it must not be called before then. */
NTQUERYVIRTUALMEMORY NtQueryVirtualMemory = NULL;
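/* One printable label for one flag bit of a MEMORY_BASIC_INFORMATION field. */
struct flag_name
{
    DWORD mask;
    const char *label;
};

/*
 * Page-protection labels. The PAGE_* values are distinct single bits, so the
 * "(value & mask) == mask" test used below identifies each one; PAGE_GUARD is
 * a modifier that can accompany any of the others.
 */
static const struct flag_name protect_names[] = {
    { PAGE_EXECUTE_WRITECOPY, "PAGE_EXECUTE_WRITECOPY" },
    { PAGE_NOACCESS, "PAGE_NOACCESS" },
    { PAGE_EXECUTE, "PAGE_EXECUTE" },
    { PAGE_EXECUTE_READ, "PAGE_EXECUTE_READ" },
    { PAGE_EXECUTE_READWRITE, "PAGE_EXECUTE_READWRITE" },
    { PAGE_READONLY, "PAGE_READONLY" },
    { PAGE_READWRITE, "PAGE_READWRITE" },
    { PAGE_WRITECOPY, "PAGE_WRITECOPY" },
    { PAGE_GUARD, "PAGE_GUARD" },
};

/* Region state labels (MEM_FREE regions are skipped before printing). */
static const struct flag_name state_names[] = {
    { MEM_COMMIT, "MEM_COMMIT" },
    { MEM_RESERVE, "MEM_RESERVE" },
};

/* Region type labels. */
static const struct flag_name type_names[] = {
    { MEM_PRIVATE, "MEM_PRIVATE" },
    { MEM_MAPPED, "MEM_MAPPED" },
    { MEM_IMAGE, "MEM_IMAGE" },
};

/*
 * Print " <prefix><label> " for every entry of names whose mask is set in value.
 * With an empty prefix this reproduces the original " PAGE_READWRITE " tokens.
 */
static void print_flags(const char *prefix, DWORD value,
                        const struct flag_name *names, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if ((value & names[i].mask) == names[i].mask) {
            printf(" %s%s ", prefix, names[i].label);
        }
    }
}

/*
 * Print one non-free region: its base address and size in hex, the
 * protection it was allocated with, its current protection (prefixed "cur:"),
 * its state and its type, then a blank line.
 *
 * AllocationProtect is the protection requested when the region was
 * reserved; Protect is the protection in force now. Both are shown because a
 * region whose current protection differs from its allocation protection is
 * exactly what a memory triage wants to see.
 */
static void print_region(ULONG_PTR baseAddress, const MEMORY_BASIC_INFORMATION *info)
{
    /* SIZE_T and the address are pointer-sized; the original "%x" for
     * RegionSize truncated it on 64-bit builds. */
    printf("base addr :%llx RegionSize: %llx",
           (unsigned long long)baseAddress,
           (unsigned long long)info->RegionSize);
    print_flags("", info->AllocationProtect, protect_names,
                sizeof protect_names / sizeof protect_names[0]);
    print_flags("cur:", info->Protect, protect_names,
                sizeof protect_names / sizeof protect_names[0]);
    print_flags("", info->State, state_names,
                sizeof state_names / sizeof state_names[0]);
    print_flags("", info->Type, type_names,
                sizeof type_names / sizeof type_names[0]);
    printf("\n\n");
}

/*
 * Look up NtQueryVirtualMemory in ntdll.dll and store it in the file-scope
 * pointer. Returns TRUE on success. ntdll.dll is already mapped into every
 * Win32 process, so GetModuleHandle is enough; the original
 * LoadLibrary/FreeLibrary pair is unnecessary and left the module handle
 * unchecked.
 */
static BOOL resolve_nt_query_virtual_memory(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) {
        return FALSE;
    }
    NtQueryVirtualMemory = (NTQUERYVIRTUALMEMORY)GetProcAddress(ntdll, "NtQueryVirtualMemory");
    return NtQueryVirtualMemory != NULL;
}

/*
 * Walk the virtual address space of one process with NtQueryVirtualMemory
 * and print every non-free region with its protection, state and type.
 *
 * The target PID is argv[1] when given (decimal or 0x-prefixed hex);
 * without an argument the original hard-coded PID 4588 is used, so existing
 * invocations behave as before. Returns -1 on a bad argument, when the ntdll
 * export cannot be resolved, or when the process cannot be opened; 0 after
 * the walk (the final getchar() keeps the console open, as in the original).
 *
 * NOTE(review): MEMORY_BASIC_INFORMATION is the caller's pointer width; to
 * enumerate a 64-bit target this tool presumably has to be built as 64-bit —
 * confirm for the intended deployment.
 */
int main(int argc, char **argv)
{
    DWORD pid = 4588;
    if (argc > 1) {
        char *end = NULL;
        errno = 0;
        unsigned long parsed = strtoul(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || errno == ERANGE || parsed == 0) {
            fprintf(stderr, "usage: %s [pid]\n", argv[0]);
            return -1;
        }
        pid = (DWORD)parsed;
    }

    if (!resolve_nt_query_virtual_memory()) {
        fprintf(stderr, "NtQueryVirtualMemory not found in ntdll.dll\n");
        return -1;
    }

    /* Try with read access first (needed for later content inspection),
     * fall back to query-only so the layout can still be listed. */
    HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (processHandle == NULL) {
        processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (processHandle == NULL) {
            fprintf(stderr, "OpenProcess(%lu) failed: error %lu\n",
                    (unsigned long)pid, (unsigned long)GetLastError());
            return -1;
        }
    }

    ULONG_PTR baseAddress = 0;
    MEMORY_BASIC_INFORMATION basicInfo;
    for (;;) {
        NTSTATUS status = NtQueryVirtualMemory(processHandle,
                                               (PVOID)baseAddress,
                                               MemoryBasicInformation,
                                               &basicInfo,
                                               sizeof basicInfo,
                                               NULL);
        /* The query fails once baseAddress passes the end of user space;
         * that is the normal loop exit. */
        if (!NT_SUCCESS(status)) {
            break;
        }
        if ((basicInfo.State & MEM_FREE) != MEM_FREE) {
            print_region(baseAddress, &basicInfo);
        }
        /* A zero RegionSize or an address wrap would loop forever. */
        ULONG_PTR next = baseAddress + basicInfo.RegionSize;
        if (basicInfo.RegionSize == 0 || next < baseAddress) {
            break;
        }
        baseAddress = next;
    }

    CloseHandle(processHandle);
    getchar();
    return 0;
}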
遍历进程内存