  • 如何获取 程序加载后的内存起始地址

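    ' Returns the full path of the first module in a process's load-order
    ' module list, read out of that process's PEB.
    '
    ' dwProcessId: id of the process to inspect.
    ' Returns:     the path read from the target, or "" when no handle could be
    '              opened, the PEB query failed, or the module base read as 0.
    '
    ' The image base is read into objBaseAddress along the way, but it is not
    ' returned; a caller that needs the base must surface it separately.
    '
    ' Layout note: the fixed offsets and 4-byte pointer reads below match the
    ' 32-bit structure layout (PEB+&HC -> Ldr, Ldr+&HC -> InLoadOrderModuleList.Flink,
    ' entry+&H18 -> DllBase, entry+&H28 -> FullDllName.Buffer). They do not
    ' apply to a 64-bit target.
    '
    ' Trust note: everything after NtQueryInformationProcess is read from
    ' memory the target process itself can write, so a process can present a
    ' false path or base here. Do not use this value alone for allow/deny or
    ' attribution decisions; cross-check against a kernel-sourced path such as
    ' QueryFullProcessImageName.
    Public Function GetProcessPath(ByVal dwProcessId As Long) As String
        Dim ntStatus As Long
        Dim objBasic As PROCESS_BASIC_INFORMATION
        Dim objFlink As Long
        Dim objPEB As Long, objLdr As Long
        Dim objBaseAddress As Long
        Dim bytName(260 * 2 - 1) As Byte          ' MAX_PATH UTF-16 code units
        Dim strModuleName As String, objName As Long
        Dim objCid As CLIENT_ID
        Dim objOa As OBJECT_ATTRIBUTES
        Dim i As Integer
        Dim hProcess As Long
        Dim lngRet As Long

        ' Open the target with only the rights the reads below need.
        objOa.Length = Len(objOa)
        objCid.UniqueProcess = dwProcessId
        ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, objOa, objCid)
        If hProcess = 0 Then
            ' Fallback helper defined elsewhere in the project.
            ' NOTE(review): confirm it requests no more access than the call above.
            hProcess = GetHandleByProcessId(dwProcessId)
            If hProcess = 0 Then
                GetProcessPath = ""
                Exit Function
            End If
        End If

        ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(objBasic), Len(objBasic), ByVal 0&)
        If (NT_SUCCESS(ntStatus)) Then
            objPEB = objBasic.PebBaseAddress
            ' Walk PEB -> loader data -> first load-order entry -> module base.
            ' A failed read leaves its output at 0, so the chain ends at the
            ' base-address check below.
            lngRet = ReadProcessMemory(hProcess, ByVal objPEB + &HC, objLdr, 4, ByVal 0&)
            lngRet = ReadProcessMemory(hProcess, ByVal objLdr + &HC, objFlink, 4, ByVal 0&)
            lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H18, objBaseAddress, 4, ByVal 0&)
            ' Long is signed: a base at or above &H80000000 is negative, so
            ' test for non-zero instead of "> 0".
            If objBaseAddress <> 0 Then
                lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H28, objName, 4, ByVal 0&)
                lngRet = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2, ByVal 0&)
                ' The string may end before a full buffer's worth of readable
                ' memory; shrink the request one byte at a time until it fits.
                ' NOTE(review): this compares the call's return value with
                ' ERROR_PARTIAL_COPY. If ReadProcessMemory is declared from
                ' kernel32 it returns a BOOL and the code is in Err.LastDllError,
                ' so this branch would never run - confirm against the Declare.
                If ERROR_PARTIAL_COPY = lngRet Then
                    Do
                        i = i + 1
                        ' Never request zero or a negative number of bytes.
                        If i >= 260 * 2 Then Exit Do
                    Loop While ERROR_PARTIAL_COPY = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2 - i, ByVal 0&)
                End If
                ' The byte array holds UTF-16 text; cut at the first NUL.
                strModuleName = bytName
                strModuleName = Left(strModuleName & Chr(0), InStr(strModuleName & Chr(0), Chr(0)) - 1)
                GetProcessPath = strModuleName
            End If
        End If
        NtClose hProcess
    End Function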

    看这里:objBaseAddress 就是你要的东西,即程序加载后的内存起始地址。注意这个函数本身返回的是模块路径,基址需要另行传出。

  • 原文地址:https://www.cnblogs.com/moodlxs/p/2345431.html