英文解釋
原型
This function reads memory in a specified process. The entire area to be read must be accessible or the operation fails.
參數
(1)hProcess
[in] Handle to the process whose memory is being read.
In Windows CE, any call to OpenProcess returns a process handle with the proper access rights.
(2)lpBaseAddress
[in] Pointer to the base address in the specified process to be read.
Before data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If so, the function proceeds; otherwise, the function fails.
(3)lpBuffer
[out] Pointer to a buffer that receives the contents from the address space of the specified process.
(4)nSize
[in] Specifies the requested number of bytes to read from the specified process.
(5)lpNumberOfBytesRead
[out] Pointer to the number of bytes transferred into the specified buffer.
If lpNumberOfBytesRead is NULL, the parameter is ignored.
返回值
Nonzero indicates success.
Zero indicates failure.
To get extended error information, call GetLastError.
The function fails if the requested read operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies data in the specified address range from the address space of the specified process into the specified buffer of the current process. The process whose address space is read is typically, but not necessarily, being debugged.
The entire area to be read must be accessible. If it is not, the function fails.
要求
OS Versions: Windows CE 2.0 and later.
Header: Winbase.h.
Link Library: Coredll.lib, Nk.lib.
參考
OpenProcess | WriteProcessMemory
---------------------------------------------------------------------------------------
中文解釋
ReadProcessMemory
實際套用
hProcess [in] 遠程進程 句柄。 被讀取者
pvAddressRemote [in] 遠程進程中記憶體 地址。 從具體何處讀取
pvBufferLocal [out] 本地進程中記憶體 地址. 函式將讀取的內容寫入此處
dwSize [in] 要傳送的 位元組數。要寫入多少
pdwNumBytesRead [out] 實際傳送的 位元組數. 函式返回時報告實際寫入多少
例子
C++
ReadProcessMemory讀出數據,許可權要大一些。下面這個打開進程的方式具備了 查詢 讀和寫的許可權
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, 0, ProcessId)
Delphi
var
hProcess:HWND;
wltId:DWord;
hProcess:=OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION+ PROCESS_VM_WRITE, FALSE, wltId);
然後就要結合上面的程式來搜尋了。只有當記憶體是處於被占用狀態時才去讀取其中的內容,而忽略空閒狀態的記憶體。程式我就不在這兒寫了,和上面那段差不多。只是把dwTotalCommit = dwTotalCommit + mi.RegionSize換成了讀取記憶體以及搜尋這一塊記憶體的函式而已。
1.通過FindWindow讀取窗體的句柄
2.通過GetWindowThreadProcessId讀取查找窗體句柄進程的PID值
var
nProcId:DWord;
nProcId:=GetWindowThreadProcessId(hFound, @nProcId);
3.用OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_OPERATION Or PROCESS_VM_READ Or PROCESS_VM_WRITE, 0, ProcessId)打開查到PID值的進程. 此打開具備讀取,寫入,查詢的許可權
4.ReadProcessMemory讀出指定的記憶體地址數據
例題:
ReadProcessMemory(dwProcessId, (LPVOID)數據地址, szPassBuff, sizeof(szPassBuff), 0);