windows-遍歷另一進程內存根據進程PID


優秀文章: https://blog.csdn.net/Simon798/article/details/101431160

#include <windows.h>
// 注意: 對其他用戶的進程或受保護進程呼叫 OpenProcess 前, 需先在自己的令牌上啟用 SeDebugPrivilege(AdjustTokenPrivileges, 且進程須以管理員身份運行), 否則 OpenProcess 會以 ERROR_ACCESS_DENIED 失敗. 網上常見的摘錄代碼往往省略了這一步; 本函數本身也不做提權, 只負責遍歷.
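// Walk the virtual address space of process dwPid region by region and visit
// every committed, private, PAGE_READWRITE region.
//
// Each VirtualQueryEx call describes exactly one region
// ([BaseAddress, BaseAddress + RegionSize)); stepping the query address by
// that amount walks the whole address space until the call fails past the
// last region.
//
// dwPid: target process id. 0 (Idle) and 4 (System) are rejected up front.
// Returns TRUE when the walk ran to the end of the address space, FALSE when
// the process could not be opened or the very first query failed.
//
// Opening another user's process normally requires SeDebugPrivilege to be
// enabled on the calling token first; this function does not do that.
// The loop body is a filter skeleton: per-region processing (e.g.
// ReadProcessMemory, which additionally needs PROCESS_VM_READ on the handle)
// goes where the region is accepted.
BOOL iteratorMemory(DWORD dwPid)
{
	if (dwPid == 0 || dwPid == 4)
		return FALSE;

	// Least privilege: VirtualQueryEx only needs PROCESS_QUERY_INFORMATION.
	// Widen the mask (PROCESS_VM_READ) only if the loop body reads memory.
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
	if (!hProcess)
		return FALSE;

	// Plain local; no heap allocation to leak.
	MEMORY_BASIC_INFORMATION memInfo = { 0 };
	// VirtualQueryEx returns the number of bytes written, 0 on failure.
	SIZE_T cbWritten = VirtualQueryEx(hProcess, NULL, &memInfo, sizeof(memInfo));
	if (cbWritten == 0)
	{
		CloseHandle(hProcess);
		return FALSE;
	}

	// Cursor for the next query: start of the region after the one at 0.
	// ULONG_PTR is pointer-sized on both x86 and x64; stepping from
	// BaseAddress (not the raw query address) keeps the cursor region-aligned.
	ULONG_PTR address = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
	for (;;)
	{
		cbWritten = VirtualQueryEx(hProcess, (LPCVOID)address, &memInfo, sizeof(memInfo));
		if (cbWritten == 0)
			break;	// past the last region of the address space

		// Advance before any filter `continue`, and stop if the arithmetic
		// wrapped at the top of the address space.
		ULONG_PTR next = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
		if (next <= address)
			break;
		address = next;

		if (memInfo.State != MEM_COMMIT)	// committed pages only
			continue;

		// Exact compare, as in the original filter: a region whose protection
		// also carries PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE is skipped.
		if (memInfo.Protect != PAGE_READWRITE)
			continue;

		if (memInfo.Type != MEM_PRIVATE)	// private only (not image, not mapped)
			continue;

		// Region accepted: [memInfo.BaseAddress, memInfo.BaseAddress + RegionSize).
		// Per-region processing goes here.
	}

	CloseHandle(hProcess);	// the original never closed the process handle
	return TRUE;
}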

原理:
原理主要是使用 **VirtualQueryEx** 函數. 每次呼叫只描述查詢地址所在的一個內存區域, 結果寫入呼叫者提供的 **MEMORY_BASIC_INFORMATION** 結構體(PMEMORY_BASIC_INFORMATION 是指向它的指針類型); 其中 BaseAddress 為區域起始地址, RegionSize 為區域大小. 以 BaseAddress + RegionSize 作為下一次的查詢地址反覆呼叫, 直到函數返回 0, 即遍歷完整個地址空間.

常見完整代碼

#include <Windows.h>
#include <Tlhelp32.h>
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cwctype>
#include <string>
#define _SHOWLOG
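// Print every region of hProcess's user-mode address space, from address 0
// up to lpMaximumApplicationAddress, one line per region.
//
// hProcess: handle opened with at least PROCESS_QUERY_INFORMATION (what
//           VirtualQueryEx requires). The caller owns the handle; it is not
//           closed here.
// Returns FALSE only for a NULL handle, TRUE otherwise — also when the first
// query already fails, so callers cannot distinguish "no regions" from success.
//
// The filters the original left commented out are kept as comments below as
// the knobs a caller typically wants; enable them as needed.
BOOL EnumAllMemory(HANDLE hProcess)
{
	if (NULL == hProcess)
		return FALSE;

	SYSTEM_INFO sysInfo = { 0 };
	GetSystemInfo(&sysInfo);
	// Highest user-mode address. ULONG_PTR keeps the full value on x64; the
	// original's DWORD cursor could only ever query the low 4 GB there.
	const ULONG_PTR maxAddress = (ULONG_PTR)sysInfo.lpMaximumApplicationAddress;

	MEMORY_BASIC_INFORMATION memInfo = { 0 };
	for (ULONG_PTR address = 0; address < maxAddress; )
	{
		// Returns the bytes written into memInfo; 0 means the query failed
		// (for a live handle this happens past the end of the address space).
		if (VirtualQueryEx(hProcess, (LPCVOID)address, &memInfo, sizeof(memInfo)) == 0)
			break;

		// Step from BaseAddress (VirtualQueryEx rounds the query address down
		// to it). Advance before any filter `continue`, and stop on wrap.
		const ULONG_PTR regionEnd = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
		if (regionEnd <= address)
			break;
		address = regionEnd;

		// Optional filters, off by default:
		//   if (memInfo.State != MEM_COMMIT)        continue;  // committed only
		//   if (memInfo.Type != MEM_PRIVATE)        continue;  // private (not image/mapped)
		//   if (memInfo.Protect != PAGE_READWRITE)  continue;  // writable data only
		//   if (memInfo.RegionSize < 0x100000)      continue;  // skip small regions

		// %p / %zx match the pointer-sized fields; the original's %x with a
		// SIZE_T argument was a format/argument mismatch on x64.
		printf("地址=%p endaddr = %p 大小=%zx\r\n",
		       memInfo.BaseAddress, (LPVOID)regionEnd, memInfo.RegionSize);
	}

	return TRUE;
}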


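// Character lowering for the TCHAR flavour in use. ::tolower takes an int in
// the unsigned-char range, so it is not valid for wide characters; use the
// wide variant under UNICODE and cast through unsigned char otherwise.
#ifdef UNICODE
typedef std::wstring PsNameString;
static wchar_t PsLowerChar(wchar_t c) { return (wchar_t)std::towlower(c); }
#else
typedef std::string PsNameString;
static char PsLowerChar(char c) { return (char)std::tolower((unsigned char)c); }
#endif

// Look up a process id by executable name, case-insensitively.
//
// ProcessName: name to look for. The comparison is a SUBSTRING match, so
//              "xx.exe" also matches "fooxx.exe", and the first such entry in
//              the Toolhelp snapshot wins. Pass the full file name, and switch
//              to an exact compare if collisions matter for your target.
// Returns the PID of the first match, or 0 when ProcessName is NULL, the
// snapshot could not be taken, or nothing matched.
//
// The snapshot handle is closed on every path; the original leaked it both
// when a match was found and when the list ran out.
DWORD PsGetProcessIdByProcessName(LPTSTR ProcessName)
{
	if (NULL == ProcessName)
		return 0;

	PsNameString wanted = ProcessName;
	std::transform(wanted.begin(), wanted.end(), wanted.begin(), PsLowerChar);

	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == hSnapshot)
		return 0;

	DWORD foundPid = 0;
	PROCESSENTRY32 pe = { 0 };
	pe.dwSize = sizeof(pe);	// must be set before the first Process32First call
	for (BOOL more = Process32First(hSnapshot, &pe); more; more = Process32Next(hSnapshot, &pe))
	{
		PsNameString current = pe.szExeFile;
		std::transform(current.begin(), current.end(), current.begin(), PsLowerChar);
		if (current.find(wanted) != PsNameString::npos)
		{
			foundPid = pe.th32ProcessID;
			break;
		}
	}

	CloseHandle(hSnapshot);
	return foundPid;
}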

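// Enable SeDebugPrivilege on the current process token so OpenProcess can
// reach processes owned by other users. The privilege must already be
// ASSIGNED to the token (in practice: run elevated as an administrator) —
// this function only turns it on.
//
// Returns true only when the privilege is actually enabled.
// AdjustTokenPrivileges reports success even when it could not enable the
// privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED); the original treated
// that as success, so a non-admin caller went on to OpenProcess and got
// ERROR_ACCESS_DENIED with no hint why.
bool AdjustPrivileges() {
	// Least privilege on the token handle: TOKEN_ADJUST_PRIVILEGES is what
	// AdjustTokenPrivileges needs (TOKEN_QUERY only for the previous-state
	// buffer, which is not requested here). TOKEN_ALL_ACCESS was excessive.
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		OutputDebugString(TEXT("提升權限失敗,OpenProcessToken"));
		return false;
	}

	LUID luid;
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
		OutputDebugString(TEXT("提升權限失敗,LookupPrivilegeValue"));
		CloseHandle(hToken);
		return false;
	}

	TOKEN_PRIVILEGES tp;
	ZeroMemory(&tp, sizeof(tp));
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	// No previous-state buffer is wanted, so pass NULL rather than a
	// one-entry TOKEN_PRIVILEGES that only happens to be large enough.
	BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
	// Capture the error before CloseHandle, which may overwrite it.
	DWORD lastError = GetLastError();
	CloseHandle(hToken);

	if (!adjusted) {
		OutputDebugString(TEXT("提升權限失敗 AdjustTokenPrivileges"));
		return false;
	}
	if (lastError == ERROR_NOT_ALL_ASSIGNED) {
		// The call "succeeded" but this token does not hold SeDebugPrivilege:
		// the process is not running as an (elevated) administrator.
		OutputDebugString(TEXT("提升權限失敗 ERROR_NOT_ALL_ASSIGNED (SeDebugPrivilege not held by this token)"));
		return false;
	}
	return true;
}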


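// Entry point: enable SeDebugPrivilege, find the target process by name, and
// dump its memory map. Exit status 0 on success, 1 when the process was not
// found or could not be opened.
int main(int argc, char** argv)
{
	// Without SeDebugPrivilege OpenProcess fails for other users' processes;
	// report it instead of silently walking nothing (the original ignored it).
	if (!AdjustPrivileges())
		fprintf(stderr, "warning: SeDebugPrivilege not enabled; run elevated to open other users' processes\n");

	// TEXT() yields the right literal type for both UNICODE and ANSI builds;
	// the original's (LPTSTR)L"xx.exe" passed UTF-16 bytes as an ANSI string
	// in non-UNICODE builds.
	DWORD dwPid = PsGetProcessIdByProcessName((LPTSTR)TEXT("xx.exe"));
	if (dwPid == 0)
	{
		fprintf(stderr, "process not found\n");
		system("pause");
		return 1;
	}

	// PROCESS_QUERY_INFORMATION is all VirtualQueryEx needs; PROCESS_ALL_ACCESS
	// was an unnecessary grant (and it fails on protected processes).
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
	if (hProcess == NULL)
	{
		fprintf(stderr, "OpenProcess(%lu) failed, error %lu\n",
		        (unsigned long)dwPid, (unsigned long)GetLastError());
		system("pause");
		return 1;
	}

	EnumAllMemory(hProcess);
	CloseHandle(hProcess);	// the original never closed this handle
	system("pause");
	return 0;
}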

