为什么将ReadProcessMemory()与当前进程的句柄一起使用?
[英]Why use ReadProcessMemory() with handle to current process?
问题描述
Using NtQueryInformationProcess , one can obtain the current process base address by reading the PebBaseAddress field in the returned struct of type PROCESS_BASIC_INFORMATION. 
使用NtQueryInformationProcess ,可以通过读取返回的PROCESS_BASIC_INFORMATION类型的结构中的PebBaseAddress字段来获取当前的进程基址。
I've seen code that uses ReadProcessMemory() to read memory with respect to the base address of the current process, as the first few bytes contain some pointers that reveal detailed process information. 我已经看到了使用ReadProcessMemory()相对于当前进程的基址读取内存的代码,因为前几个字节包含一些指针,这些指针揭示了详细的进程信息。 I also needed to obtain some of this information, and research showed me how to do so. 我还需要获取一些此类信息, 研究表明如何实现此目的。
I'm still confused, however, as to why ReadProcessMemory() is required when reading memory from the current process. 但是,对于为什么要从当前进程读取内存,为什么需要ReadProcessMemory() ,我仍然感到困惑。 Can't the pointer relative to process base just be dereferenced, or will/may it result in a segmentation fault? 不能仅取消引用相对于过程库的指针,还是会/可能导致分段错误? Are pointers held with respect to the process base? 是否持有关于流程基础的指针?
1 个解决方案
解决方案1
2 已采纳 2017-02-08 11:57:23
ReadProcessMemory will check for you that the address range in your own process is valid and return error (ERROR_PARTIAL_COPY) in the case of problem instead of crashing. ReadProcessMemory将检查您自己进程中的地址范围是否有效,并在出现问题而不是崩溃的情况下返回错误(ERROR_PARTIAL_COPY)。
Other than that I see no reason. 除此之外,我没有理由。 If you are sure that your pointer is correct, it is fine (and way faster) to use memcpy . 如果确定指针正确,则使用memcpy很好(并且速度更快)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.