什么是ReadProcessMemory最快的方法是什么？ [英] What's the fastest way to ReadProcessMemory?

问题描述

我试图寻找一个空值终止字符串进程的内存的所有实例。我enumed全部用VirtualQueryEx的alloced存储区，然后我看了他们ReadProcessMemory字节数组和搜索使用此算法中（我发现这里的作者声称是最快的）

I'm trying to search for all instances of a null-terminated string the memory of a process. I enumed all the alloced memory areas with VirtualQueryEx, then I read them with ReadProcessMemory to a byte array and search using this algo (which I found here and the author claims to be the fastest)

    public static unsafe List<long> IndexesOf(byte[] Haystack, byte[] Needle) {
        List<long> Indexes = new List<long>();
        fixed (byte* H = Haystack) fixed (byte* N = Needle) {
            long i = 0;
            for (byte* hNext = H, hEnd = H + Haystack.LongLength; hNext < hEnd; i++, hNext++) {
                bool Found = true;
                for (byte* hInc = hNext, nInc = N, nEnd = N + Needle.LongLength; Found && nInc < nEnd; Found = *nInc == *hInc, nInc++, hInc++) ;
                if (Found) Indexes.Add(i);
            }
            return Indexes;
        }
    }

它的工作原理，但它的速度太慢。有没有一种方法来存储映射的过程中或以某种方式寻找更快的内存？

It works, but it's too slow. Is there a way to memory map the process or somehow search faster in its memory?

推荐答案

从外部进程，您pretty的多少有正确的做法。不过，如果你正在寻找一个字符串，你可能不关心某些区域（如可执行内存），这样你就可以从搜索区域中排除。最有可能你真的只关心 PAGE_READONLY 和 PAGE_READWRITE 。

From an external process, you pretty much have the correct approach. However, if you're looking for a string you probably don't care about certain regions (eg. executable memory) so you can exclude them from your search region. Most likely you are really only interested in PAGE_READONLY and PAGE_READWRITE.

您应该阅读的大块地记忆与ReadProcessMemory（）。主要的瓶颈将是磁盘IO（从交换），并没有太多可以做的真的。多线程它会加速这一过程，因为这样你就可以缓冲读，而处理读取previous。

You should read the memory in as big blocks as possible with ReadProcessMemory(). The main bottleneck will be disk IO (from swapping) and there's not much you can do about that really. Multi-threading it will speed it up because then you'll be 'buffering a read' whilst processing the previous read.

如果你确实需要的速度，通过一个外部的过程中做了正确的方法是不是你现在正在这样做。所以你可以直接访问进程的虚拟内存空间，你应该注入一个DLL。

If you really need speed, the correct way to do it is not via an external process as you are doing right now. You should inject a DLL so you have direct access to the process' virtual memory space.

在你的搜索算法，你也可以做小动作。例如，如果你知道这个字符串总是被分配在一个4字节对齐，那么你可以只搜索那些。你会得到最大的加速比是多线程和/或DLL注入。

In your search algorithm, you can also do little tricks. For example if you know the string is always allocated on a 4 byte alignment then you can just search those. The biggest speedup you'll get is from multi-threading and/or DLL injection.

这篇关于什么是ReadProcessMemory最快的方法是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！