堆栈内存溢出
  简体   繁体   English

从另一个进程的内存中找不到匹配的字节数组

[英]Can't find an array of bytes match from another process' memory

 原文  2019-02-01 23:14:49       c++/ winapi/ search/ memory/ readprocessmemory

问题描述

I'm currently trying to verify whether or not a code I wrote using this as reference works. 我目前正在尝试验证我以此为参考编写的代码是否有效。 I've managed to get it to run without crashing, but once I began checking whether or not the code actually does what I want it to do, I ran into a problem. 我设法使其运行而不会崩溃,但是一旦我开始检查代码是否确实按照我的意愿执行了操作,便遇到了问题。

While I think that the code goes through all the memory regions belonging to the process I'm trying to search, it probably isn't doing that? 虽然我认为代码遍历了我尝试搜索的进程的所有内存区域,但可能不是这样吗?

I'm honestly not sure where the problem lies here, am I searching for my array of bytes in the memory buffer incorrectly, or am I actually reading the wrong memory? 老实说,我不确定问题出在哪里,我是在错误地在内存缓冲区中搜索字节数组,还是我实际上在读取错误的内存?

When checking whether or not my code finds an array of bytes match from the process, I used cheat engine to scan beforehand and then compare the results with what my program returned. 当检查我的代码是否从进程中找到一个字节数组匹配时,我使用了作弊引擎进行了事先扫描,然后将结果与程序返回的结果进行了比较。 I used an array of bytes I knew from beforehand will always exist at least once in the program I'm scanning. 我使用了一个事先知道的字节数组,该字节数组在我正在扫描的程序中将至少存在一次。

Now comparing the results I got from cheat engine: 现在比较我从作弊引擎获得的结果: 成绩

And the ones I got from my program, which is 0 results. 我从程序中得到的结果为0。 That doesn't seem quite right. 这似乎不太正确。

I open the process which I want to read the memory from with the following flags: 我使用以下标志打开要从中读取内存的进程:

PROCESS_VM_READ | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION PROCESS_QUERY_INFORMATION

And the way I call my pattern matching function: 以及我调用模式匹配函数的方式: 

testy.patternMatch("000000000000000001000000000000001CC80600");

As for my current code: 至于我当前的代码:

The function I'm calling (m_localprocess is an open handle to the process I got beforehand) 我正在调用的函数(m_localprocess是我之前获得的进程的打开句柄) 

void process_wrapper::patternMatch(std::string pattern)
{
    MEMORY_BASIC_INFORMATION sys_info;

    std::vector<char> pattern_conv(pattern.begin(), pattern.end());


    for (unsigned char * pointer = NULL;
        VirtualQueryEx(m_localprocess, pointer, &sys_info, sizeof(sys_info)) == sizeof(sys_info);
        pointer += sys_info.RegionSize) {

        std::vector<char> mem_buffer;

        if (sys_info.State == MEM_COMMIT && (sys_info.Type == MEM_MAPPED || sys_info.Type == MEM_PRIVATE)) {

            SIZE_T bytes_read;
            mem_buffer.resize(sys_info.RegionSize);

            ReadProcessMemory(m_localprocess, pointer, &mem_buffer[0], sys_info.RegionSize, &bytes_read);
            if (GetLastError() != 0) {
                std::cout << "Error: " << GetLastError();
                SetLastError(0);
            }

            mem_buffer.resize(bytes_read);


            std::cout << "\nSize: "<< mem_buffer.size() << "\n";
            if (mem_buffer.size() != 0) {
                find_all(mem_buffer.begin(), mem_buffer.end(), pattern_conv.begin(), pattern_conv.end(), pointer);
            }
        }

    }

    std::cout << "Results: " << results.size() << "\n";
    for (void* x : results) {
        std::cout << x << "\n";
    }

}

And this function calls find_all function, which looks like this: 此函数调用find_all函数,如下所示: 

void find_all(std::vector<char>::iterator beg, std::vector<char>::iterator end,
    std::vector<char>::iterator beg_pattern, std::vector<char>::iterator end_pattern, 
    const unsigned char * baseAddr) {

    std::vector<char>::iterator walk = beg;

    while (walk != end) {
        walk = std::search(walk, end, beg_pattern, end_pattern);

        if (walk != end) {
            std::cout << (void*)(baseAddr + (walk - beg)) << "\n";
            results.emplace_back((void*)(baseAddr + (walk - beg)));
            ++walk;
        }
    }
}

Any suggestions on other ways of implementing what I'm trying to do are more than welcome. 我们欢迎任何其他有关实现我正在尝试实现的方式的建议。

1 个解决方案

解决方案1
 0 已采纳  2019-02-02 00:09:18

Thanks to the comment left by Jonathan pointing out I was actually comparing ASCII values instead of actual hex values. 感谢乔纳森(Jonathan)留下的评论,我实际上是在比较ASCII值而不是实际的十六进制值。

The code works now: 该代码现在可以工作: 工作的

The change I did to my code (got it from here ): 我对代码所做的更改(从此处获取 ): 

void process_wrapper::patternMatch(std::string patternOrig)
{
    MEMORY_BASIC_INFORMATION sys_info;

    int len = patternOrig.length();
    std::string pattern;
    for (int i = 0; i < len; i += 2)
    {
        std::string byte = patternOrig.substr(i, 2);
        char chr = (char)(int)strtol(byte.c_str(), NULL, 16);
        pattern.push_back(chr);
    }
    //...

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 “私人字节”没有反映出来。 如何找到进程分配的确切内存? - “Private Bytes” doesn't reflect it. How to find exact memory allocated by process? 一个进程可以覆盖另一个进程的内存吗? - Can one process overwrite the memory of another process? 从另一个进程获取内存 - Grabbing memory from another process 在另一个进程中从内存执行进程? - Execute a process from memory within another process? C++ - 分叉进程无法从共享内存中读取 - C++ - Forked Process Can't Read from Shared Memory 如何扫描另一个过程存储器以查找特定字符串之后的内容? - How can I scan another process memory to find what follows a specific string? 无法从另一个进程 C++ 打开现有信号量 - Can't open existing semaphore from another process C++ 找不到内存泄漏 - Can't find memory leak 从另一个进程访问mmap内存 - Access mmap memory from another process 用来自另一个进程的数据填充分配的 memory - Fill allocated memory with data from another process
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM