如何获得一个进程使用的所有内存地址空间？ [英] How to get all memory address space used by a process?

问题描述

我需要知道一个进程使用的所有内存地址空间。存储空间将在稍后进行扫描，以查找过程中的价值，并确定它们的位置/地址。我对这个当前进程是通过其（基址+内存大小）采取每个模块的基本地址。

我与一个已知值上的进程测试这个一个已知的地址。当我仰望的具体地址，我得到我所期望的价值。然而，当我扫描（我认为是）该进程所使用的所有地址空间，我找不到任何地方的价值。

我知道一个数值4143000在存在的 0x0CF8DC38 的和的 0x0CF8DDDC 的。当我打电话的 ReadMemoryBytes（模块，module.BaseAddress，4，（IntPtr的）（0x0CF8DC38））的我回来字节（152，55，63，0）。当我打电话BitConverter.GetBytes（4143000）我回到同一组的字节。当我使用一个不同的内存扫描仪的过程中，我发现这些地址的值。

然而，当我扫描着称的地址，我没有找到这个数值的任何地方。它看起来并不像我的代码，甚至是由使用过程中发现这些地址。

正是如此，我的问题是双重的：

• 我怎样才能找到这些地址这个过程中？


• 我担心我可能会处理在系统内存与进程中的相对地址的绝对地址。我这样做对吗？

  //（在调用方法）
的foreach（在process.Modules ProcessModule模块）{
 ParameterizedThreadStart PST =新ParameterizedThreadStart（p => SearchModule（模块，值））; 
线程t =新主题（PST）; 
 t.Start（）; } 
 
私人不安全无效SearchModule（ProcessModule模块，字符串值）
 {
工艺过程= getProcess; 
 INT IVAL; 
双DVAL; 
 int.TryParse（价值，走出IVAL）; 
 double.TryParse（价值，走出DVAL）; 
为（Int64的地址=（Int64的）module.BaseAddress;地址+ value.Length≤（Int64的）module.BaseAddress + module.ModuleMemorySize;地址++）
 {
 //比较整数
如果（IVAL大于0）
 {
字节[] = ExpectedBytes BitConverter.GetBytes（IVAL）; 
字节[] = ActualBytes ReadMemoryBytes（模块（IntPtr的）地址，（UINT）ExpectedBytes.Length，（IntPtr的）地址）; 
 
布尔isMatch = TRUE; 
的for（int i = 0; I< ExpectedBytes.Length;我++）
如果（ExpectedBytes [I] = ActualBytes [I]！）
 isMatch = FALSE; 
如果（isMatch）
 PossibleAddresses.Add（（IntPtr的）地址）; 
} 
} 
 
私人字节[] ReadMemoryBytes（ProcessModule MOD，IntPtr的memAddress，UINT大小，IntPtr的BaseAddress）
 {
字节[]缓冲=新的字节[大小] 
 IntPtr的读取动作; 
不安全
 {
 ReadProcessMemory（processPointer，BaseAddress，缓冲区大小，进行读取动作）; 
返回的缓冲区; 
} 
} 
 
函数[DllImport（KERNEL32.DLL）] 
公共静态外部的IntPtr调用OpenProcess（UInt32的dwDesiredAccess，的Int32 bInheritHandle，UInt32的dwProcessId）; 
函数[DllImport（KERNEL32.DLL）] 
公共静态外部的Int32 CloseHandle的（IntPtr的hObject）; 
函数[DllImport（KERNEL32.DLL）] 
公共静态外部的Int32 ReadProcessMemory（IntPtr的hProcess，IntPtr的lpBaseAddress，[输入，输出]字节[]缓冲区，UInt32的大小，出的IntPtr lpNumberOfBytesRead）; 
  

解决方案

你得到的地址是指向托管（CLR）堆。他们一般不会映射到绝对内存地址，他们可以从移动电话拨打为GC决定运行。

如果您使用不安全的代码，你可以获得相对指针以及管理自己的内存空间。它仍然在堆中，但至少你保证GC不会修改你的地址空间。

不要指望能够访问堆从东西非CLR代码没有广泛的包装。有办法CLR管理进程之间做IPC，但你​​必须访问代理写入到外面的世界，如果你想有一个非CLR过程让你的记忆。

I need to know all memory address space used by a process. The memory space will later be scanned to locate values within the process and identify their locations / addresses. My current process for this is to take each module's base address through its (base address + memory size).

I'm testing this on a process with a known value at a known address. When I look up that specific address, I get the value I expect. However, when I scan (what I believe to be) all address space used by the process, I can't find the value anywhere.

I know that a numeric value "4143000" exists at 0x0CF8DC38 and 0x0CF8DDDC. When I call ReadMemoryBytes(module, module.BaseAddress, 4, (IntPtr)(0x0CF8DC38)) I get back bytes (152, 55, 63, 0). When I call BitConverter.GetBytes(4143000) I get back the same set of bytes. When I use a different memory scanner on that process, I find that value at those addresses.

However, when I scan the "known addresses", I don't find this value anywhere. It doesn't look like my code is even finding those addresses in use by the process.

Thusly, my question is twofold:

• How can I find these addresses within this process?
• I'm concerned I may be dealing with absolute addresses in system memory versus relative addresses within a process. Am I doing this right?

.

// (in the calling method)
foreach (ProcessModule module in process.Modules) {
    ParameterizedThreadStart pst = new ParameterizedThreadStart(p => SearchModule(module, value));
    Thread t = new Thread(pst);
    t.Start(); }

private unsafe void SearchModule(ProcessModule module, string value)
{
Process process = getProcess;
int iVal;
double dVal;
int.TryParse(value, out iVal);
double.TryParse(value, out dVal);
for (Int64 addr = (Int64)module.BaseAddress; addr + value.Length < (Int64)module.BaseAddress + module.ModuleMemorySize; addr++)
{
    // Compare ints
    if (iVal > 0)
    {
        byte[] ExpectedBytes = BitConverter.GetBytes(iVal);
        byte[] ActualBytes = ReadMemoryBytes(module, (IntPtr)addr, (uint)ExpectedBytes.Length, (IntPtr)addr);

        bool isMatch = true;
        for (int i = 0; i < ExpectedBytes.Length; i++)
            if (ExpectedBytes[i] != ActualBytes[i])
                isMatch = false;
        if (isMatch)
            PossibleAddresses.Add((IntPtr)addr);
    }
}

private byte[] ReadMemoryBytes(ProcessModule mod, IntPtr memAddress, uint size, IntPtr BaseAddress)
{
    byte[] buffer = new byte[size];
    IntPtr bytesRead;
    unsafe
    {
        ReadProcessMemory(processPointer, BaseAddress, buffer, size, out bytesRead);
        return buffer;
    }
}

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll")]
public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);

解决方案

The addresses you're getting are pointers to the managed (CLR) heap. They won't generally map to absolute memory addresses and they can move from call to call as the GC decides to run.

If you use "unsafe" code, you can get relative pointers as well as managing your own memory space. It's still on the heap but at least you're guaranteed the GC won't modify your address space.

Do not expect to be able to access things on the heap from non-CLR code without extensive wrapping. There are ways to do IPC between CLR-managed processes but you'd have to write access proxies to the "outside world" if you want a non-CLR process to get to your memory.

这篇关于如何获得一个进程使用的所有内存地址空间？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！