How to read a process memory address


Question





Hi,
I'm trying to read a value in another application which is running in C++. How can I find the address of the variable of the other app in memory? Because every time the app starts, the address of the variable changes.
This is a sample code:


#include <iostream>
#include <cstdint>
#include <cstdlib>
#include <Windows.h>
using namespace std;

int main()
{
	// Hard-coded absolute address: this is the problem, it differs from run to run.
	uintptr_t address = 0x100579C;
	int value = 0;
	DWORD processid;
	HWND hwnd;

	// The literal is a narrow string, so call the ANSI variant explicitly
	// (plain FindWindow resolves to FindWindowW when UNICODE is defined).
	hwnd = FindWindowA(NULL, "appname");
	if (!hwnd) {
		cout << "Not found" << endl;
		return 1;
	}

	GetWindowThreadProcessId(hwnd, &processid);
	// Reading memory only needs PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
	// not PROCESS_ALL_ACCESS.
	HANDLE processhandle = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, processid);
	if (!processhandle) {
		cout << "Could not get handle" << endl;
		return 1;
	}

	// The address must be passed as a pointer (LPCVOID), not as an int,
	// and the result must be checked: the call fails if the page is unmapped.
	SIZE_T bytesRead = 0;
	if (!ReadProcessMemory(processhandle, (LPCVOID)address, &value, sizeof(value), &bytesRead)
	    || bytesRead != sizeof(value)) {
		cout << "ReadProcessMemory failed, error " << GetLastError() << endl;
		CloseHandle(processhandle);
		return 1;
	}
	cout << value << endl;
	CloseHandle(processhandle);
	system("PAUSE");
	return 0;
}

Answer

In most cases programs allocate objects dynamically from the heap and these objects reference each other with pointers. Maybe what you are searching for is pointed to by a pointer that is pointed to by another pointer and so on. You have to find the root pointer in order to dereference the other pointers. Finding the root pointer can be tricky. If you are lucky then there is a global variable somewhere that contains the root pointer. In this case you should query the base address of the exe or dll, for example with EnumProcessModules() or a similar function, and you will find the global variable relative to one of the loaded modules. In the worst case the root pointer is for example on the stack of the main() function, in which case you have to enumerate the threads of the process, you have to find the main thread somehow, you have to query the context of the main thread (GetThreadContext(): registers, including esp, the stack pointer) and then somehow you have to find the pointer in the stack (for example by searching for some kind of pattern around the stack). But such a pointer can be stored in a lot of places, for example TLS, or what if I "hide" my root pointer for example by passing the pointer to a system call like SetWindowLongPtr and later I query the pointer with GetWindowLongPtr??? In this case you may have to inject code into the app and extract the ptr there... This task can be quite complicated and sometimes the solution is very dirty.
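The following is an added example, not code from the question or the answer above. It shows the "global root pointer relative to a module base" case the answer describes: a hard-coded absolute address works for one run and then breaks when the module and heap objects land elsewhere (which is what ASLR and heap allocation order do to the asker's program), while a module-relative pointer chain keeps resolving. The memory reader is abstracted behind a callback and, so that it runs on any platform, the "target process" is a constructed in-process stand-in with a few disjoint regions; on Windows the reader would wrap ReadProcessMemory() and the module base would come from EnumProcessModules(). All addresses, offsets and the value 1337 are constructed for the demo.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// "Read len bytes at addr in the target"; returns false if the read fails
// (the equivalent of ReadProcessMemory() returning FALSE on an unmapped page).
using MemReader = std::function<bool(uint64_t addr, void* out, size_t len)>;

// Walk a pointer chain: addr = module_base + offsets[0], then repeatedly
// addr = *addr + offsets[i]. Returns the final address (not the value at it),
// or nullopt if any link is unreadable or null.
std::optional<uint64_t> resolve_pointer_chain(const MemReader& read,
                                              uint64_t module_base,
                                              const std::vector<uint64_t>& offsets) {
    if (offsets.empty()) return std::nullopt;
    uint64_t addr = module_base + offsets[0];
    for (size_t i = 1; i < offsets.size(); ++i) {
        uint64_t link = 0;
        if (!read(addr, &link, sizeof link) || link == 0) return std::nullopt;
        addr = link + offsets[i];
    }
    return addr;
}

// Constructed stand-in for the target process: a few disjoint memory regions.
struct FakeTarget {
    struct Region { uint64_t base; std::vector<uint8_t> bytes; };
    std::vector<Region> regions;

    bool read(uint64_t addr, void* out, size_t len) const {
        for (const auto& r : regions)
            if (addr >= r.base && addr + len <= r.base + r.bytes.size()) {
                std::memcpy(out, r.bytes.data() + (addr - r.base), len);
                return true;
            }
        return false;  // unmapped
    }
    template <typename T> void poke(uint64_t addr, T v) {
        for (auto& r : regions)
            if (addr >= r.base && addr + sizeof v <= r.base + r.bytes.size())
                std::memcpy(r.bytes.data() + (addr - r.base), &v, sizeof v);
    }
};

// Constructed layout: a global root pointer at module_base+0x1000 points at
// heap object A; A's field at +0x10 points at heap object B; B's field at +0x8
// holds the int32 we want. The chain is therefore relative to the module only.
const std::vector<uint64_t> kChain = {0x1000, 0x10, 0x8};

FakeTarget build_target(uint64_t module_base, uint64_t heap_a, uint64_t heap_b) {
    FakeTarget t;
    t.regions.push_back({module_base, std::vector<uint8_t>(0x2000)});
    t.regions.push_back({heap_a, std::vector<uint8_t>(0x100)});
    t.regions.push_back({heap_b, std::vector<uint8_t>(0x100)});
    t.poke<uint64_t>(module_base + 0x1000, heap_a);
    t.poke<uint64_t>(heap_a + 0x10, heap_b);
    t.poke<int32_t>(heap_b + 0x8, 1337);
    return t;
}

// Module-relative lookup: survives the module and the heap objects moving.
std::optional<int32_t> read_via_chain(const FakeTarget& t, uint64_t module_base) {
    MemReader rd = [&t](uint64_t a, void* o, size_t n) { return t.read(a, o, n); };
    std::optional<uint64_t> addr = resolve_pointer_chain(rd, module_base, kChain);
    if (!addr) return std::nullopt;
    int32_t v = 0;
    if (!rd(*addr, &v, sizeof v)) return std::nullopt;
    return v;
}

// Absolute lookup, like the hard-coded 0x100579C in the question.
std::optional<int32_t> read_absolute(const FakeTarget& t, uint64_t addr) {
    int32_t v = 0;
    if (!t.read(addr, &v, sizeof v)) return std::nullopt;
    return v;
}

static void show(const char* label, std::optional<int32_t> v) {
    std::cout << label << ": " << (v ? std::to_string(*v) : "read failed") << "\n";
}

int main() {
    // First "run" of the target, then a second run where every region moved.
    FakeTarget run1 = build_target(0x7FF600000000ULL, 0x1A2B0000ULL, 0x2C3D0000ULL);
    FakeTarget run2 = build_target(0x7FF7A0000000ULL, 0x1E000000ULL, 0x33330000ULL);

    show("absolute, run 1", read_absolute(run1, 0x2C3D0008ULL));   // 1337
    show("absolute, run 2", read_absolute(run2, 0x2C3D0008ULL));   // read failed
    show("chain, run 1", read_via_chain(run1, 0x7FF600000000ULL)); // 1337
    show("chain, run 2", read_via_chain(run2, 0x7FF7A0000000ULL)); // 1337
    return 0;
}
```

Two points worth noting from the design: every dereference goes through the checked reader and a null link aborts the walk, so a stale or wrong offset produces "read failed" rather than garbage, and the module base is the only per-run input, which is exactly why the answer tells you to query it with EnumProcessModules() instead of hard-coding an address.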

