今天突发感觉,想通过内存查找来获得clientkey,通过多次查询,发现这个key位置不固定,于是全部在内存查,结果是,95%能找到,但能查到一堆,其中只有一个可以用,其它都不能用。
郁闷了一下午。。。。。。
使用的主要代码贴出来。。
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ToolsDll
{
public class ProcessMemoryReaderApi
{
[Flags]
public enum ProcessAccessType
{
PROCESS_TERMINATE = (0x0001),
PROCESS_CREATE_THREAD = (0x0002),
PROCESS_SET_SESSIONID = (0x0004),
PROCESS_VM_OPERATION = (0x0008),
PROCESS_VM_READ = (0x0010),
PROCESS_VM_WRITE = (0x0020),
PROCESS_DUP_HANDLE = (0x0040),
PROCESS_CREATE_PROCESS = (0x0080),
PROCESS_SET_QUOTA = (0x0100),
PROCESS_SET_INFORMATION = (0x0200),
PROCESS_QUERY_INFORMATION = (0x0400)
}
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll")]
public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, int size, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, int size, out IntPtr lpNumberOfBytesWritten);
}
public class ProcessMemoryReader
{
public ProcessMemoryReader()
{
}
public Process ReadProcess
{
get
{
return m_ReadProcess;
}
set
{
m_ReadProcess = value;
}
}
private Process m_ReadProcess = null;
private IntPtr m_hProcess = IntPtr.Zero;
public void OpenProcess()
{
// m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id);
ProcessMemoryReaderApi.ProcessAccessType access;
access = ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_READ
| ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_WRITE
| ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_OPERATION;
m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
}
public void CloseHandle()
{
int iRetValue;
iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess);
if (iRetValue == 0)
throw new Exception("CloseHandle failed");
}
public byte[] ReadProcessMemory(IntPtr MemoryAddress, int bytesToRead, out int bytesRead)
{
byte[] buffer = new byte[bytesToRead];
IntPtr ptrBytesRead;
ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, MemoryAddress, buffer, bytesToRead, out ptrBytesRead);
bytesRead = ptrBytesRead.ToInt32();
return buffer;
}
public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten)
{
IntPtr ptrBytesWritten;
ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, bytesToWrite.Length, out ptrBytesWritten);
bytesWritten = ptrBytesWritten.ToInt32();
}
}
}
static void Scaner(Process p, int StartAddress, int EndAddress)
{
IntPtr baseAddress = (IntPtr)StartAddress;
IntPtr lastAddress = (IntPtr)EndAddress;
int ReadStackSize = 20480;
int arraysDifference = 256/8 - 1;
ProcessMemoryReader reader = new ProcessMemoryReader();
reader.ReadProcess = p;
//Open the pocess to read the memory.
reader.OpenProcess();
//Calculate the size of memory to scan.
int memorySize = (int)((int)lastAddress - (int)baseAddress);
//If more that one block of memory is requered to be read,
if (memorySize >= ReadStackSize)
{
//Count of loops to read the memory blocks.
int loopsCount = memorySize / ReadStackSize;
//Look to see if there is any other bytes let after the loops.
int outOfBounds = memorySize % ReadStackSize;
//Set the currentAddress to first address.
int currentAddress = (int)baseAddress;
//This will be used to check if any bytes have been read from the memory.
int bytesReadSize;
//Set the size of the bytes blocks.
int bytesToRead = ReadStackSize;
//An array to hold the bytes read from the memory.
byte[] array;
//Progress percentage.
int progress;
for (int i = 0; i < loopsCount; i++)
{
Console.WriteLine (i.ToString ());
//Read the bytes from the memory.
array = reader.ReadProcessMemory((IntPtr)currentAddress, bytesToRead, out bytesReadSize);
//If any byte is read from the memory (there has been any bytes in the memory block),
if (bytesReadSize > 0)
{
join(array);
}
//Move currentAddress after the block already scaned, but
//move it back some steps backward (as much as arraysDifference)
//to avoid loosing any values at the end of the array.
currentAddress += array.Length - arraysDifference;
//Set the size of the read block, bigger, to the steps backward.
//Set the size of the read block, to fit the back steps.
bytesToRead = ReadStackSize + arraysDifference;
}
//If there is any more bytes than the loops read,
if (outOfBounds > 0)
{
//Read the additional bytes.
byte[] outOfBoundsBytes = reader.ReadProcessMemory((IntPtr)currentAddress, ((int)lastAddress - currentAddress), out bytesReadSize);
//If any byte is read from the memory (there has been any bytes in the memory block),
if (bytesReadSize > 0)
{
join(outOfBoundsBytes);
}
}
}
//If the block could be read in just one read,
else
{
//Calculate the memory block's size.
int blockSize = memorySize % ReadStackSize;
//Set the currentAddress to first address.
int currentAddress = (int)baseAddress;
//Holds the count of bytes read from the memory.
int bytesReadSize;
//If the memory block can contain at least one 16 bit variable.
if (blockSize > 256/8)
{
//Read the bytes to the array.
byte[] array = reader.ReadProcessMemory((IntPtr)currentAddress, blockSize, out bytesReadSize);
//If any byte is read,
if (bytesReadSize > 0)
{
join(array);
}
}
}
//Close the handle to the process to avoid process errors.
reader.CloseHandle();
} static void join(byte[] b1)
{
if (re == null)
{
re = b1;
}
else
{
byte[] b0 = new byte[re.Length];
re.CopyTo(b0, 0);
re = new byte[b0.Length + b1.Length];
b0.CopyTo(re, 0);
b1.CopyTo(re, b0.Length);
}
}
以下调用
//Process[] ps = Process.GetProcesses();
//Process pqq = null;
//foreach (Process p in ps)
//{
// if (p.ProcessName=="QQ" && p.MainModule.FileName.Contains ("QQ.exe"))
// {
// pqq = p;
// break;
// }
//}
//int firstAddress = int.Parse("06000000", System.Globalization.NumberStyles.HexNumber);
//int lastAddress = int.Parse("09F00000", System.Globalization.NumberStyles.HexNumber);
//Scaner(pqq, firstAddress, lastAddress);
浙公网安备 33010602011771号