ReadProcessMemory:
BOOL WINAPI ReadProcessMemory( _In_ HANDLE hProcess, _In_ LPCVOID lpBaseAddress, _Out_ LPVOID lpBuffer, _In_ SIZE_T nSize, _Out_ SIZE_T *lpNumberOfBytesRead );
Parameters hProcess [in] A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process. lpBaseAddress [in] A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails. lpBuffer [out] A pointer to a buffer that receives the contents from the address space of the specified process. nSize [in] The number of bytes to be read from the specified process. lpNumberOfBytesRead [out] A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
步骤一:Windbg确定数据在内存中的位置
使用64位Windbg查看下内从中的数据:
我们来看看浏览器中的数据保存在哪个位置,比如某个网页新闻中有数据:
我们Attach附加一下Chrome浏览器:
我们看到这里有多个chrome.exe:
我们逐个attach直到attach之后我们无法Alt+Tab切换到Chrome为止,就是加载准确了。
我们搜索下几个关键字,例如“女排”:
可以返回几个位置,查看下这几个为止的数据:
这里的5973、6392、65e5、672c等很像是汉字的Unicode码,我们借助Unicode码速查表:
http://www.cnblogs.com/del/archive/2009/03/06/1404959.html
查询下这几个汉字
、
、
、
发现这些字符确实是汉字的Unicode码,且是这条新闻当中的内容。
步骤二:编写程序读取内存中的内容
被调试的进程ID是1064
我们利用进程ID获取进程句柄,然后读取内存数据:
#include <windows.h> #include <TlHelp32.h> #include <iostream> #include <tchar.h> #include <locale> using namespace std; locale loc("chs"); int main() { DWORD dwChromeID = 1064; HANDLE hChrome; wchar_t szBuffer[100]; DWORD dwSize = 100; DWORD dwByteOfRead; hChrome = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE, false, dwChromeID); ReadProcessMemory(hChrome, (LPCVOID)0x13cd5d4, szBuffer, dwSize, &dwByteOfRead);
//表示使用中文区域语言 wcout.imbue(locale("chs")); for (int i = 0; i < 100; i++) { wcout << *(szBuffer+i); } system("pause"); return 0; }
输出结果:
扫一扫
510
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
