堆栈内存溢出
  简体   繁体   English

如何访问另一个进程的内存并调用其函数?

[英]How can you access memory of another process and call its functions?

 原文  2010-10-24 04:47:53       c++/ windows

问题描述

I want to learn how to read other processes memory and have my program call the other processes functions and what not with my own parameters and stuff. 我想学习如何读取其他进程内存并让我的程序调用其他进程函数,而不是我自己的参数和东西。 I've googled it and it seems like you need to use things like ReadProcessMemory but I haven't been able to find any good tutorials explaining how to use them. 我用谷歌搜索它,似乎你需要使用像ReadProcessMemory这样的东西,但我找不到任何好的教程来解释如何使用它们。 Could anyone point me in the right direction to learn things like this? 谁能指出我正确的方向来学习这样的事情? I want to do it in C++ (or java if possible) on Windows (7 and 64bit if that matters). 我希望在Windows上使用C ++(或者如果可能的话)使用Java(如果重要的话,可以使用7和64位)。

Also, I know this sounds subjective and could be used for malicious purposes, but I guarantee that I will not use any knowledge gained from this for any harmful reasons. 另外,我知道这听起来很主观,可以用于恶意目的,但我保证不会因为任何有害的原因而使用从中获得的任何知识。 I purely want to learn this for fun and to teach myself something new. 我纯粹想要学习这个以获得乐趣并自学一些新东西。

3 个解决方案

解决方案1
 7  2010-10-24 05:09:57

You can't directly call functions in other processes, because your process and the other process have different address spaces. 您无法直接调用其他进程中的函数,因为您的进程和其他进程具有不同的地址空间。 One way to get around this is by creating a remote thread in the process (using CreateRemoteThread or RtlCreateUserThread), but that only allows you to pass in one parameter to the function. 解决此问题的一种方法是在进程中创建一个远程线程(使用CreateRemoteThread或RtlCreateUserThread),但这只允许您将一个参数传递给该函数。 You could try creating a remote thread, writing the parameters to its stack and changing its registers using SetThreadContext. 您可以尝试创建远程线程,将参数写入其堆栈并使用SetThreadContext更改其寄存器。 Another way is to inject your own DLL which calls the function. 另一种方法是注入自己的DLL来调用该函数。

Another problem is locating the function to call. 另一个问题是找到要调用的函数。 You would probably need to load symbols for EXEs or DLLs where the function you need isn't exported. 您可能需要为不导出所需功能的EXE或DLL加载符号。

For general questions about Windows internals, try asking on Sysinternals Forums . 有关Windows内部的一般问题,请尝试询问Sysinternals论坛

EDIT: What you've stated (reading a string which the process checks against user input) is very difficult to do in a program without knowing the layout of the instructions and data in the image file beforehand. 编辑:在事先不知道图像文件中的指令和数据布局的情况下,在程序中很难做到你所说的(读取进程检查用户输入的字符串)。 If for example you have a crackme program, you would either use a static analysis tool like IDA Pro or run the program under a debugger. 例如,如果你有一个crackme程序,你可以使用像IDA Pro这样的静态分析工具,也可以在调试器下运行程序。 Either way, these things usually require human input and are difficult to do automatically. 无论哪种方式,这些东西通常需要人为输入,并且很难自动完成。

解决方案2
 1  2010-10-24 07:02:02

Processes , by design and by definition, are isolated from each other. 过程 ,通过设计和根据定义,彼此隔离。 They have separate address space. 他们有独立的地址空间。

The operating system keeps its processes separated and allocates the resources they need so that they are less likely to interfere with each other ... 操作系统将其进程分开并分配所需的资源,以便它们不太可能相互干扰......

They can certainly communicate, but only if they choose to, through some form of inter-process communication . 他们当然可以通过某种形式的进程间通信进行通信,但只有在他们选择时才进行通信

However, threads , sometimes known as lightweight process, share their address space and can read each others' data structures. 但是, 线程 (有时称为轻量级进程)共享其地址空间并可以读取彼此的数据结构。

Not sure, what you meant by 不确定,你的意思是什么

call the other processes functions 调用其他进程函数

A function f() can be compiled into multiple processes' executable code. 函数f()可以编译成多个进程的可执行代码。 Process A and process B can call f() independently in their context. 进程A和进程B可以在其上下文中独立调用f()

Otherwise, process A can "communicate" to process B to perform some action, which for example may be implemented in function g() in B. B can execute it in its context and "communicate" the result back to A. 否则,进程A可以“通信”到进程B以执行某些动作,例如可以在B中的函数g()中实现.B可以在其上下文中执行它并且将结果“通信”回到A.

解决方案3
 0  2010-10-24 07:30:19

I cannot see any beneficial use of this, but anyway. 我无法看到任何有益的用途,但无论如何。 There are at least two ways to make another process call something: 至少有两种方法可以让另一个进程调用一些东西:

1) CreateRemoteThread() , will create a thread in a process. 1) CreateRemoteThread() ,将在进程中创建一个线程。

2) QueueUserAPC() will make an existing thread in that process call a callback function. 2) QueueUserAPC()将使该进程中的现有线程调用回调函数。

If ASLR is disabled, then it's enough to call a function without parameters. 如果禁用ASLR,那么调用不带参数的函数就足够了。 Else you'll also need VirtualQueryEx() , ReadProcessMemory() and WriteProcessMemory() . 否则,您还需要VirtualQueryEx()ReadProcessMemory()WriteProcessMemory()

Yes, and it's not something to do in java :) 是的,这不是在java :)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 一个进程可以覆盖另一个进程的内存吗? - Can one process overwrite the memory of another process? 我可以将对象传递给另一个进程,只需将其指针传递给共享内存吗? - Can I pass an object to another process just passing its' pointer to a shared memory? 从另一个进程访问mmap内存 - Access mmap memory from another process 如何在另一个进程的内存中搜索字符串? - How can I search for a string in the memory of another process? 如何在另一个进程的内存中通过正则表达式搜索字符串? - How can I search for a string by regex in the memory of another process? 如何使用函数指针从其内存地址调用成员函数? - How to use function pointers to call member functions from its memory address? 自Windows 95以来,为什么不能访问另一个进程的地址空间? - Why can't you access the address space of another process since Windows 95? 如何以这种方式从另一个文件访问方法/功能? - How can I access methods/functions from another file in this way? 如何在循环中调用另一个函数内部的函数,同时通过函数传递数组? - How do you call a function inside of another functions for loop, while passing an array through the function? 调试器如何窥视另一个进程的内存? - How does a debugger peek into another process' memory?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM