掃描內存分頁情況:
#include <iostream>
#include <windows.h>
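// Walk the user-mode address range of the process behind hProc and print one
// line per region returned by VirtualQueryEx: start address, end address,
// size in KiB and allocation state (free / reserved / committed).
//
// hProc: process handle; VirtualQueryEx requires PROCESS_QUERY_INFORMATION
//        access on it. A NULL handle is rejected without scanning.
VOID ScanMemory(HANDLE hProc)
{
    SYSTEM_INFO sysinfo;
    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress;
    PBYTE pLimit;

    if (hProc == NULL)
    {
        return;
    }

    // Ask the system for the bounds of the application address range.
    ZeroMemory(&sysinfo, sizeof(sysinfo));
    GetSystemInfo(&sysinfo);

    // Start at the lowest application address (not an image base).
    pAddress = (PBYTE)sysinfo.lpMinimumApplicationAddress;
    pLimit = (PBYTE)sysinfo.lpMaximumApplicationAddress;

    // Keep querying until the cursor reaches the highest application address.
    while (pAddress < pLimit)
    {
        ZeroMemory(&mbi, sizeof(mbi));
        if (VirtualQueryEx(hProc, pAddress, &mbi, sizeof(mbi)) == 0)
        {
            // Stepping one page at a time after a failure would spin through
            // the whole address space when the handle is unusable, so report
            // the error and stop instead.
            printf("VirtualQueryEx 失敗, 錯誤碼: %lu \n", GetLastError());
            break;
        }

        PBYTE pEnd = (PBYTE)mbi.BaseAddress + mbi.RegionSize;

        // %p / %llu keep the full value on 64-bit builds; the earlier
        // %08X / %d with (DWORD) casts truncated pointers and SIZE_T there.
        printf("開始地址: 0x%p \t 結束地址: 0x%p \t 大小: %10llu K \t 狀態: ",
               mbi.BaseAddress, (void *)pEnd,
               (unsigned long long)(mbi.RegionSize >> 10));

        switch (mbi.State)
        {
        case MEM_FREE:    printf("空閑 \n"); break;
        case MEM_RESERVE: printf("保留 \n"); break;
        case MEM_COMMIT:  printf("提交 \n"); break;
        default:          printf("未知 \n"); break;
        }

        // Refuse to loop if the cursor would not move forward.
        if (pEnd <= pAddress)
        {
            break;
        }

        // Advance to the first byte after the region just reported.
        pAddress = pEnd;
    }
}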
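// Entry point: open the current process and print its memory regions.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // VirtualQueryEx only needs PROCESS_QUERY_INFORMATION; asking for
    // PROCESS_ALL_ACCESS grants far more rights than the scan uses.
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if (hProc == NULL)
    {
        printf("OpenProcess 失敗, 錯誤碼: %lu \n", GetLastError());
        return 1;
    }

    ScanMemory(hProc);

    // Release the handle; the original listing leaked it.
    CloseHandle(hProc);
    return 0;
}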
枚舉自身進程內存權限: 枚舉出自身內存的內存分配權限.
#include <stdio.h>
#include <ShlObj.h>
#include <Windows.h>
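// Enumerate the calling process's own address space with VirtualQuery.
// For every region it prints base address, type, size and state; for each
// committed region it then walks the sub-regions that share the same
// allocation base and prints their mapping type and page protection.
void ScanMemoryAttribute()
{
    // Addresses and sizes are pointer-sized: a DWORD cursor would truncate
    // on 64-bit builds and query the wrong addresses.
    ULONG_PTR Addres = 0;
    SIZE_T Size = 0;
    MEMORY_BASIC_INFORMATION Basicinfo = { 0 };

    // Walk every region until VirtualQuery reports failure.
    while (VirtualQuery((LPCVOID)Addres, &Basicinfo, sizeof(Basicinfo)))
    {
        Size = Basicinfo.RegionSize;
        printf("地址: %p 類型: %7lu 大小: %7llu 狀態: ", Basicinfo.BaseAddress,
               Basicinfo.Type, (unsigned long long)Basicinfo.RegionSize);

        switch (Basicinfo.State)
        {
        case MEM_FREE:    printf("空閑 \n"); break;
        case MEM_RESERVE: printf("保留 \n"); break;
        case MEM_COMMIT:  printf("提交 \n"); break;
        default:          printf("未知 \n"); break;
        }

        // For committed memory, list every block belonging to this allocation.
        if (Basicinfo.State == MEM_COMMIT)
        {
            // Blocks belong to the allocation only while AllocationBase
            // equals the address this walk started from.
            LPVOID BaseBlockAddress = (LPVOID)Addres;
            ULONG_PTR BlockAddress = Addres;
            SIZE_T dwBlockSize = 0;

            // Note: this inner query overwrites Basicinfo.
            while (VirtualQuery((LPCVOID)BlockAddress, &Basicinfo, sizeof(Basicinfo)))
            {
                if (BaseBlockAddress != Basicinfo.AllocationBase)
                {
                    break;
                }
                printf("--> %p", (void *)BlockAddress);

                // Mapping type of the block.
                switch (Basicinfo.Type)
                {
                case MEM_PRIVATE: printf("私有 "); break;
                case MEM_MAPPED:  printf("映射 "); break;
                case MEM_IMAGE:   printf("鏡像 "); break;
                default:          printf("未知 "); break;
                }

                // The low byte of Protect holds exactly one access constant;
                // modifiers such as PAGE_GUARD live in the higher bits.
                // "ERW" (writable and executable at once) is the combination
                // worth a second look when auditing a process.
                if (Basicinfo.Protect == 0)
                {
                    printf("---");
                }
                else
                {
                    switch (Basicinfo.Protect & 0xFF)
                    {
                    case PAGE_NOACCESS:          printf("---"); break;
                    case PAGE_EXECUTE:           printf("E--"); break;
                    case PAGE_EXECUTE_READ:      printf("ER-"); break;
                    case PAGE_EXECUTE_READWRITE: printf("ERW"); break;
                    case PAGE_READONLY:          printf("-R-"); break;
                    case PAGE_READWRITE:         printf("-RW"); break;
                    case PAGE_WRITECOPY:         printf("WCOPY"); break;
                    case PAGE_EXECUTE_WRITECOPY: printf("EWCOPY"); break;
                    default: break;
                    }
                }
                printf("\n");

                // Total size of the blocks sharing this allocation base.
                dwBlockSize += Basicinfo.RegionSize;
                // Move to the next block.
                BlockAddress += Basicinfo.RegionSize;
            }

            // No block matched (the region does not start its allocation):
            // fall back to the size of the region last queried.
            Size = dwBlockSize ? dwBlockSize : Basicinfo.RegionSize;
        }

        // Stop rather than loop forever if the cursor cannot advance or
        // would wrap around the top of the address space.
        if (Size == 0 || Addres + Size < Addres)
        {
            break;
        }

        // Continue with the next region.
        Addres += Size;
    }
}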
// Entry point: dump the memory layout of this process, then wait for a key.
int main(int argc, char * argv[])
{
    // The command line is not used by this demo.
    (void)argc;
    (void)argv;

    ScanMemoryAttribute();

    // Keeps the console window open. NOTE(review): this starts the command
    // interpreter only to wait for a key press; reading a character from
    // stdin would do the same without spawning a process.
    system("pause");

    return 0;
}
枚舉大內存塊:
#include <iostream>
#include <windows.h>
#include <Psapi.h>
#pragma comment(lib,"psapi.lib")
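// Print a table of the memory regions of the process behind hProc: start
// address, end address, size in KiB, state, mapping type and page protection.
//
// hProc: process handle; VirtualQueryEx requires PROCESS_QUERY_INFORMATION
//        access on it. A NULL handle is rejected without scanning.
VOID ScanProcessMemory(HANDLE hProc)
{
    SYSTEM_INFO sysinfo;
    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress;
    PBYTE pLimit;

    if (hProc == NULL)
    {
        return;
    }

    // Ask the system for the bounds of the application address range.
    ZeroMemory(&sysinfo, sizeof(sysinfo));
    GetSystemInfo(&sysinfo);

    // Start at the lowest application address (not an image base).
    pAddress = (PBYTE)sysinfo.lpMinimumApplicationAddress;
    pLimit = (PBYTE)sysinfo.lpMaximumApplicationAddress;

    printf("------------------------------------------------------------------------ \n");
    printf("開始地址 \t 結束地址 \t\t 大小 \t 狀態 \t 內存類型 \n");
    printf("------------------------------------------------------------------------ \n");

    // Keep querying until the cursor reaches the highest application address.
    while (pAddress < pLimit)
    {
        ZeroMemory(&mbi, sizeof(mbi));
        if (VirtualQueryEx(hProc, pAddress, &mbi, sizeof(mbi)) == 0)
        {
            // Stepping one page at a time after a failure would spin through
            // the whole address space when the handle is unusable, so report
            // the error and stop instead.
            printf("VirtualQueryEx 失敗, 錯誤碼: %lu \n", GetLastError());
            break;
        }

        PBYTE pEnd = (PBYTE)mbi.BaseAddress + mbi.RegionSize;

        // %p / %llu keep the full value on 64-bit builds; the earlier
        // %08X / %d with (DWORD) casts truncated pointers and SIZE_T there.
        printf("0x%p \t 0x%p \t %8llu K \t ", mbi.BaseAddress, (void *)pEnd,
               (unsigned long long)(mbi.RegionSize >> 10));

        switch (mbi.State)
        {
        case MEM_FREE:    printf("空閑 \t"); break;
        case MEM_RESERVE: printf("保留 \t"); break;
        case MEM_COMMIT:  printf("提交 \t"); break;
        default:          printf("未知 \t"); break;
        }

        switch (mbi.Type)
        {
        case MEM_PRIVATE: printf("私有 \t"); break;
        case MEM_MAPPED:  printf("映射 \t"); break;
        case MEM_IMAGE:   printf("鏡像 \t"); break;
        default:          printf("未知 \t"); break;
        }

        // The low byte of Protect holds exactly one access constant;
        // modifiers such as PAGE_GUARD live in the higher bits.
        // "ERW" (writable and executable at once) is the combination worth
        // a second look when auditing a process.
        if (mbi.Protect == 0)
        {
            printf("---");
        }
        else
        {
            switch (mbi.Protect & 0xFF)
            {
            case PAGE_NOACCESS:          printf("---"); break;
            case PAGE_EXECUTE:           printf("E--"); break;
            case PAGE_EXECUTE_READ:      printf("ER-"); break;
            case PAGE_EXECUTE_READWRITE: printf("ERW"); break;
            case PAGE_READONLY:          printf("-R-"); break;
            case PAGE_READWRITE:         printf("-RW"); break;
            case PAGE_WRITECOPY:         printf("WCOPY"); break;
            case PAGE_EXECUTE_WRITECOPY: printf("EWCOPY"); break;
            default: break;
            }
        }
        printf("\n");

        // Refuse to loop if the cursor would not move forward.
        if (pEnd <= pAddress)
        {
            break;
        }

        // Advance to the first byte after the region just reported.
        pAddress = pEnd;
    }
}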
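// Entry point: open the current process, print its region table, then wait
// for a key press.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // VirtualQueryEx only needs PROCESS_QUERY_INFORMATION; asking for
    // PROCESS_ALL_ACCESS grants far more rights than the scan uses.
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if (hProc == NULL)
    {
        printf("OpenProcess 失敗, 錯誤碼: %lu \n", GetLastError());
        system("pause");
        return 1;
    }

    ScanProcessMemory(hProc);
    CloseHandle(hProc);
    system("pause");
    return 0;
}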
另一種掃描方式: 以下這段代碼來源於網絡,僅用於收藏。
#include <iostream>
#include <windows.h>
#include <TCHAR.H>
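// Print the memory map of the process whose ID is dwPID: one line per region
// with base address, size in KiB, type, state and protection.
//
// Returns FALSE when the process cannot be opened with
// PROCESS_QUERY_INFORMATION, TRUE once the walk has finished.
BOOL ShowProcMemInfo(DWORD dwPID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
        return FALSE;

    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress = NULL;

    // Text is always passed as an argument, never as the format string, and
    // nothing is assembled in a fixed-size buffer with unbounded
    // _stprintf/_tcscat calls any more.
    _tprintf(_T("%s"), _T("BaseAddr Size Type State Protect \n"));

    // A short or zero return means the query failed: stop the walk.
    while (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) == sizeof(mbi))
    {
        // Regions that are not the first of their allocation are indented.
        LPCTSTR pIndent =
            ((mbi.AllocationBase != mbi.BaseAddress) && (mbi.State != MEM_FREE))
                ? _T(" ") : _T("");
        LPCTSTR pType = _T("");
        LPCTSTR pState = _T("");
        LPCTSTR pProtect = _T("");

        switch (mbi.Type)
        {
        case MEM_IMAGE:   pType = _T("MEM_IMAGE "); break;
        case MEM_MAPPED:  pType = _T("MEM_MAPPED "); break;
        case MEM_PRIVATE: pType = _T("MEM_PRIVATE"); break;
        default:          pType = _T("-----------"); break;
        }

        switch (mbi.State)
        {
        case MEM_COMMIT:  pState = _T("MEM_COMMIT "); break;
        case MEM_RESERVE: pState = _T("MEM_RESERVE"); break;
        case MEM_FREE:    pState = _T("MEM_FREE "); break;
        default:          pState = _T("-----------"); break;
        }

        // NOTE(review): this column shows AllocationProtect, the protection
        // requested when the region was first allocated. The protection
        // currently in force is mbi.Protect, and the two differ after a
        // VirtualProtect call. Values combined with a modifier bit
        // (e.g. PAGE_GUARD) match none of the cases and print dashes.
        switch (mbi.AllocationProtect)
        {
        case PAGE_READONLY:          pProtect = _T("PAGE_READONLY "); break;
        case PAGE_READWRITE:         pProtect = _T("PAGE_READWRITE "); break;
        case PAGE_WRITECOPY:         pProtect = _T("PAGE_WRITECOPY "); break;
        case PAGE_EXECUTE:           pProtect = _T("PAGE_EXECUTE "); break;
        case PAGE_EXECUTE_READ:      pProtect = _T("PAGE_EXECUTE_READ "); break;
        case PAGE_EXECUTE_READWRITE: pProtect = _T("PAGE_EXECUTE_READWRITE"); break;
        case PAGE_EXECUTE_WRITECOPY: pProtect = _T("PAGE_EXECUTE_WRITECOPY"); break;
        case PAGE_GUARD:             pProtect = _T("PAGE_GUARD "); break;
        case PAGE_NOACCESS:          pProtect = _T("PAGE_NOACCESS "); break;
        case PAGE_NOCACHE:           pProtect = _T("PAGE_NOCACHE "); break;
        default:                     pProtect = _T("----------------------"); break;
        }

        // %p / %llu keep the full value on 64-bit builds; the earlier
        // %08X / %d truncated pointers and SIZE_T there.
        _tprintf(_T("%s%p %8lluK %s %s %s\n"), pIndent, mbi.BaseAddress,
                 (unsigned long long)(mbi.RegionSize >> 10),
                 pType, pState, pProtect);

        PBYTE pNext = (PBYTE)mbi.BaseAddress + mbi.RegionSize;

        // Refuse to loop if the cursor would not move forward.
        if (pNext <= pAddress)
            break;
        pAddress = pNext;
    }

    CloseHandle(hProcess);
    return TRUE;
}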
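// Entry point: show the memory map of a process.
// Usage: program [pid]. Without an argument the sample PID from the original
// listing (3620) is used, which is unlikely to exist on another machine.
int main(int argc, char* argv[])
{
    DWORD dwPID = 3620;
    int rc = 0;

    if (argc > 1)
    {
        // strtoul with an end pointer rejects empty and non-numeric input.
        char *end = NULL;
        unsigned long parsed = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0')
        {
            printf("usage: %s [pid]\n", argv[0]);
            return 1;
        }
        dwPID = (DWORD)parsed;
    }

    // ShowProcMemInfo returns FALSE only when OpenProcess fails; the
    // original listing ignored that result and printed nothing.
    if (!ShowProcMemInfo(dwPID))
    {
        printf("OpenProcess failed for PID %lu, error %lu\n",
               (unsigned long)dwPID, GetLastError());
        rc = 1;
    }

    system("pause");
    return rc;
}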