Finding the base address of a running process

Problem description


I've got the following code:

import subprocess
from ctypes import *

#-Part where I get the PID and declare all variables-#
PROCESS_ALL_ACCESS = 0x1F0FFF
PID = 1234            # placeholder: the real pid is obtained in the omitted part
address = 0x00400000  # placeholder: the address to read from
bufferSize = 64
buffer = create_string_buffer(bufferSize)
bytesRead = c_size_t(0)

OpenProcess = windll.kernel32.OpenProcess
OpenProcess.restype = c_void_p
ReadProcessMemory = windll.kernel32.ReadProcessMemory
# declare the argument types so 64-bit handles and addresses are not truncated to C int
ReadProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t, POINTER(c_size_t)]

processHandle = OpenProcess(PROCESS_ALL_ACCESS, False, PID)

ReadProcessMemory(processHandle, address, buffer, bufferSize, byref(bytesRead))

All this is working flawlessly, but some processes use a so-called BaseAddress or StartAddress, and in my case the size of this BaseAddress is random from time to time. As suggested here, I tried using the following code:

BaseAddress = win32api.GetModuleHandle(None)

All it does is give the same hex value over and over again, even though I know for sure that my BaseAddress has changed.

Screenshot from the linked thread showing what I'm looking for (where the left part is the base address):

Solution

I did manage to find a solution for Python 3.5 32-bit and 64-bit.

For 32-bit I used psutil and pymem (as already suggested on this question):

import psutil
import pymem

my_pid = None
pids = psutil.pids()
for pid in pids:
    try:
        ps = psutil.Process(pid)
        name = ps.name()
    except (psutil.NoSuchProcess, psutil.AccessDenied):
        continue  # the process exited meanwhile, or we are not allowed to query it
    # find process by .exe name, but note that there might be more instances of solitaire.exe
    if "solitaire.exe" in name:
        my_pid = ps.pid
        print("%s running with pid: %d" % (name, ps.pid))

if my_pid is None:
    raise SystemExit("solitaire.exe is not running")

# use the pid found above, not the loop variable, which holds the last pid enumerated
base_address = pymem.process.base_address(my_pid)

For 64-bit, pymem was not working. I found suggestions to use win32api.GetModuleHandle(fileName), but it required win32api.LoadLibrary(fileName), which does not use an already running process.

Therefore I found this suboptimal solution, since it returns a whole list of possibilities:

import win32process
import win32api

# first get pid, see the 32-bit solution

PROCESS_ALL_ACCESS = 0x1F0FFF
processHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, my_pid)
# EnumProcessModules returns one HMODULE per module loaded in the target;
# an HMODULE is the module's load address, and the first entry is the main executable
modules = win32process.EnumProcessModules(processHandle)
win32api.CloseHandle(processHandle)
base_addr = modules[0] # for me it worked to select the first item in list...
