zoukankan      html  css  js  c++  java

  • 如何获取 程序加载后的内存起始地址

    Public Function GetProcessPath(ByVal dwProcessId As Long) As String
        Dim ntStatus As Long
        Dim objBasic As PROCESS_BASIC_INFORMATION
        Dim objFlink As Long
        Dim objPEB As Long, objLdr As Long
        Dim objBaseAddress As Long
        Dim bytName(260 * 2 - 1) As Byte
        Dim strModuleName As String, objName As Long
        Dim objCid As CLIENT_ID
        Dim objOa As OBJECT_ATTRIBUTES
        Dim i As Integer
        Dim hProcess As Long
        objOa.Length = Len(objOa)
        objCid.UniqueProcess = dwProcessId
        ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, objOa, objCid)
        If hProcess = 0 Then
            hProcess = GetHandleByProcessId(dwProcessId)
            If hProcess = 0 Then
                GetProcessPath = ""
                Exit Function
            End If
        End If
        Dim lngRet As Long, lngReturn As Long
        ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(objBasic), Len(objBasic), ByVal 0&)
        If (NT_SUCCESS(ntStatus)) Then
            objPEB = objBasic.PebBaseAddress
            lngRet = ReadProcessMemory(hProcess, ByVal objPEB + &HC, objLdr, 4, ByVal 0&)
            lngRet = ReadProcessMemory(hProcess, ByVal objLdr + &HC, objFlink, 4, ByVal 0&)
            lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H18, objBaseAddress, 4, ByVal 0&)
            If objBaseAddress > 0 Then
                lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H28, objName, 4, ByVal 0&)
                lngRet = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2, ByVal 0&)
                If ERROR_PARTIAL_COPY = lngRet Then
    Start:
                    i = i + 1
                    If ERROR_PARTIAL_COPY = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2 - i, ByVal 0&) Then
                        GoTo Start
                    End If
                End If
                strModuleName = bytName
                strModuleName = Left(strModuleName & Chr(0), InStr(strModuleName & Chr(0), Chr(0)) - 1)
                GetProcessPath = strModuleName
            End If
        End If
        NtClose hProcess
    End Function

    看这里objBaseAddress 这个就是你要的东西
  • 相关阅读:
    Android开发——Activity启动模式详解
    Spring核心技术(十一)——基于Java的容器配置(一)
    【数学】控制论
    【Mongo】聚合函数
    【Deeplearning】blog
    【Python】添加注册表信息脚本
    【数据库】备份与恢复
    【MongoDB】数组长度查询
    【Mysql】修改最大连接数
    【Python】多线程2
  • 原文地址:https://www.cnblogs.com/moodlxs/p/2345431.html
Copyright © 2011-2022 走看看