English explanation
Prototype
This function reads memory in a specified process. The entire area to be read must be accessible or the operation fails.
BOOL ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead);
Parameters
(1)hProcess
[in] Handle to the process whose memory is being read.
In Windows CE, any call to OpenProcess returns a process handle with the proper access rights.
(2)lpBaseAddress
[in] Pointer to the base address in the specified process to be read.
Before data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If so, the function proceeds; otherwise, the function fails.
(3)lpBuffer
[out] Pointer to a buffer that receives the contents from the address space of the specified process.
(4)nSize
[in] Specifies the requested number of bytes to read from the specified process.
(5)lpNumberOfBytesRead
[out] Pointer to the number of bytes transferred into the specified buffer.
If lpNumberOfBytesRead is NULL, the parameter is ignored.
Return value
Nonzero indicates success.
Zero indicates failure.
To get extended error information, call GetLastError.
The function fails if the requested read operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies data in the specified address range from the address space of the specified process into the specified buffer of the current process. The process whose address space is read is typically, but not necessarily, being debugged.
The entire area to be read must be accessible. If it is not, the function fails.
Requirements
OS Versions: Windows CE 2.0 and later.
Header: Winbase.h.
Link Library: Coredll.lib, Nk.lib.
See also
OpenProcess | WriteProcessMemory
---------------------------------------------------------------------------------------
Chinese explanation
ReadProcessMemory
BOOL ReadProcessMemory(HANDLE hProcess, PVOID pvAddressRemote, PVOID pvBufferLocal, DWORD dwSize, PDWORD pdwNumBytesRead);
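Practical application
hProcess [in] Handle to the remote process. This is the process being read.
pvAddressRemote [in] Memory address in the remote process. Where exactly to read from.
pvBufferLocal [out] Memory address in the local process. The function writes the data it reads here.
dwSize [in] Number of bytes to transfer. How much to write.
pdwNumBytesRead [out] Number of bytes actually transferred. When the function returns, it reports how much was actually written.
Examples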
C++
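Reading data with ReadProcessMemory requires somewhat broader access rights. Opening the process in the following way grants query, read and write access.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, 0, ProcessId);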
Delphi
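var
  hProcess: THandle; // OpenProcess returns a process handle, not a window handle (HWND)
  wltId: DWORD;      // ID of the process to open
// PROCESS_VM_READ must be in the access mask, otherwise ReadProcessMemory fails
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE, False, wltId);
Then this has to be combined with the program above to do the search. Read the contents of memory only when it is in the in-use state, and ignore memory in the free state. I won't write the program out here; it is much the same as the one above, except that dwTotalCommit = dwTotalCommit + mi.RegionSize is replaced by a function that reads the memory and searches that block.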
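2. Use GetWindowThreadProcessId to get the PID of the process that owns the window handle that was found.
var
  nProcId: DWORD;
// The PID is returned through the second argument; the function result is the thread ID, so it is not assigned to nProcId
GetWindowThreadProcessId(hFound, @nProcId);
3. Open the process with that PID using OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_OPERATION Or PROCESS_VM_READ Or PROCESS_VM_WRITE, 0, ProcessId). A handle opened this way has read, write and query access.
4. Use ReadProcessMemory to read the data at the specified memory address.
BOOL ReadProcessMemory(
  HANDLE hProcess,             // handle of the process to read from
  LPCVOID lpBaseAddress,       // start address of the read
  LPVOID lpBuffer,             // buffer that receives the data read
  DWORD nSize,                 // number of bytes to read in one call
  LPDWORD lpNumberOfBytesRead  // number of bytes actually read
);
Example:
// hProcess is the handle returned by OpenProcess in step 3 (a PID is not a valid handle); dataAddress stands for the address to read
ReadProcessMemory(hProcess, (LPCVOID)dataAddress, szPassBuff, sizeof(szPassBuff), NULL);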
C#
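/// <summary>
/// Reads a block of bytes from the specified memory.
/// </summary>
/// <param name="handle">Process handle</param>
/// <param name="address">Memory address</param>
/// <param name="data">Variable that stores the data</param>
/// <param name="size">Length</param>
/// <param name="read">Number of bytes read</param>
/// <returns>true on success; on failure, Marshal.GetLastWin32Error() gives the error code</returns>
[DllImport("Kernel32.dll", SetLastError = true)]
private static extern bool ReadProcessMemory(IntPtr handle, IntPtr address, [Out] byte[] data, IntPtr size, out IntPtr read);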
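The C# P/Invoke route used end to end, as an added example that is not part of the original page: it opens the current process with only PROCESS_VM_READ (the one access right ReadProcessMemory itself requires), reads a pinned local buffer, and shows the call failing when the requested range is not accessible. It assumes desktop Windows, where the size and bytes-read parameters are pointer-sized rather than the DWORD of the Windows CE prototype; the class name, the Read helper and the sample bytes are constructed for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class ReadProcessMemoryDemo // hypothetical name, not from the page
{
    const uint PROCESS_VM_READ = 0x0010; // the only access right ReadProcessMemory requires

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr handle, IntPtr address,
        [Out] byte[] data, IntPtr size, out IntPtr read);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Reads exactly size bytes; throws if any part of the range is inaccessible.
    static byte[] Read(IntPtr handle, IntPtr address, int size)
    {
        var buffer = new byte[size];
        if (!ReadProcessMemory(handle, address, buffer, (IntPtr)size, out IntPtr read))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (read.ToInt64() != size)
            throw new InvalidOperationException("short read");
        return buffer;
    }

    static void Main()
    {
        // Constructed sample data: a pinned buffer in this process stands in for the target.
        byte[] sample = { 0xDE, 0xAD, 0xBE, 0xEF };
        GCHandle pin = GCHandle.Alloc(sample, GCHandleType.Pinned);
        IntPtr h = OpenProcess(PROCESS_VM_READ, false, Process.GetCurrentProcess().Id);
        if (h == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            byte[] copy = Read(h, pin.AddrOfPinnedObject(), sample.Length);
            Console.WriteLine(BitConverter.ToString(copy));
            try { Read(h, IntPtr.Zero, 4); } // the null page is not mapped, so this must fail
            catch (Win32Exception e) { Console.WriteLine("read failed, error " + e.NativeErrorCode); }
        }
        finally { CloseHandle(h); pin.Free(); }
    }
}
```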