[英]How can a program read its own image from memory via ReadProcessMemory?
我正在嘗試制作一個可執行文件,它可以使用 Windows 的ReadProcessMemory api 從內存中讀取自身。
然后,我將使用它來計算可執行文件的校驗和。
這是我的代碼:
#define PSAPI_VERSION 1
#include <string>
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <psapi.h>
#include <Wincrypt.h>
#define BUFSIZE 1024
#define MD5LEN 16
// To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS
#pragma comment(lib, "psapi.lib")
int main(void)
{
HWND hMyProcess = (HWND)(GetCurrentProcess());
HMODULE hModule = (HMODULE)GetModuleHandle(NULL);
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
MODULEINFO moduleInfo;
if(hModule != NULL && hMyProcess != NULL){
// if (GetModuleInformation())
GetModuleBaseName(hMyProcess, hModule, szProcessName, MAX_PATH);
printf("%s\n", szProcessName);
if (GetModuleInformation(hMyProcess, hModule, &moduleInfo, sizeof(moduleInfo))){
printf("lpBaseOfDLL : %x\n", moduleInfo.lpBaseOfDll);
printf("Entry Point : %x\n", moduleInfo.EntryPoint);
printf("SizeOfImage : %x\n", moduleInfo.SizeOfImage);
}
}
// Till here working fine, problem lies below
// read process memory
TCHAR *hexEXE;
SIZE_T *lpNumberOfBytesRead;
if(ReadProcessMemory(hMyProcess, moduleInfo.lpBaseOfDll,
hexEXE, moduleInfo.SizeOfImage, 0)){
//printf("%s\n", hexEXE);
printf("Read memory\n");
printf("%d \n",strlen(hexEXE));
}
// will be implemented later, taken from --> https://msdn.microsoft.com/en-us/library/aa382380(VS.85).aspx
DWORD dwStatus = 0;
BOOL bResult = FALSE;
HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0;
/*if (!CryptAcquireContext(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT)){
dwStatus = GetLastError();
printf("CryptAcquireContext failed: %d\n", dwStatus);
//CloseHandle(hFile);
return dwStatus;
}
if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)){
dwStatus = GetLastError();
printf("CryptAcquireContext failed: %d\n", dwStatus);
//CloseHandle(hFile);
CryptReleaseContext(hProv, 0);
return dwStatus;
}*/
return 0;
}
我無法讀取自己進程的內存,這是我第一次使用WinAPI ,所以也許我以某種錯誤的方式使用該函數。
該程序只是掛起並顯示“Windows遇到了一些問題......”
我認為我之前獲得的進程句柄( hMyProcess )沒有所需的權限( PROCESS_VM_READ ),我如何驗證它,如果不是,那么我如何獲得正確的權限。
TCHAR *hexEXE;
SIZE_T *lpNumberOfBytesRead;
hexEXE = malloc (moduleInfo.SizeOfImage);
if(ReadProcessMemory(hMyProcess, moduleInfo.lpBaseOfDll,
hexEXE, moduleInfo.SizeOfImage, 0)){
//printf("%s\n", hexEXE);
printf("Read memory\n");
//hexEXE is not a string. Don't use it in strlen.
//printf("%d \n",strlen(hexEXE));
print("%d \n", moduleInfo.SizeOfImage);
}
ReadProcessMemory 需要一個內存來存儲圖像。 因此,需要將“hexEXE”分配給內存緩沖區。
很抱歉進行了擴展討論,但我通過將代碼更改為而不是使用ReadProcessMemory直接通過這樣的for 循環遍歷內存來運行它:
long *baseAddress = (long *)moduleInfo.lpBaseOfDll;
printf("%d %x\n",baseAddress, baseAddress);
for (int i = 0; i < moduleInfo.SizeOfImage; ++i){
long *addressToRead = baseAddress+i;
printf("%x : %x\n", addressToRead, *addressToRead);
}
這是輸出:
但是,我不明白為什么我無法使用ReadProcessMemory獲得它。
我可以使用 ReadProcessMemory 在 Windows 中讀取進程的程序內存嗎?
[英]Can I use ReadProcessMemory to read program memory of a process in windows?
如何使用帶有向量的 winapi ReadProcessMemory 從另一個進程讀取緩沖區?
[英]How to use winapi ReadProcessMemory with vector to read buffer from another process?
C ReadProcessMemory-如何檢查與進程關聯的內存區域
[英]C ReadProcessMemory - how to examine the memory area associated with a process
為什么使用ddstream從管道中讀取“ dd”要比我自己的程序快?
[英]Why can 'dd' read from a pipe faster than my own program using ifstream?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.