今天突发感觉,想通过内存查找来获得clientkey,通过多次查询,发现这个key位置不固定,于是全部在内存查,结果是,95%能找到,但能查到一堆,其中只有一个可以用,其它都不能用。
郁闷了一下午。。。。。。
使用的主要代码贴出来。。
using System; using System.Diagnostics; using System.Runtime.InteropServices; namespace ToolsDll { public class ProcessMemoryReaderApi { [Flags] public enum ProcessAccessType { PROCESS_TERMINATE = (0x0001), PROCESS_CREATE_THREAD = (0x0002), PROCESS_SET_SESSIONID = (0x0004), PROCESS_VM_OPERATION = (0x0008), PROCESS_VM_READ = (0x0010), PROCESS_VM_WRITE = (0x0020), PROCESS_DUP_HANDLE = (0x0040), PROCESS_CREATE_PROCESS = (0x0080), PROCESS_SET_QUOTA = (0x0100), PROCESS_SET_INFORMATION = (0x0200), PROCESS_QUERY_INFORMATION = (0x0400) } [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId); [DllImport("kernel32.dll")] public static extern Int32 CloseHandle(IntPtr hObject); [DllImport("kernel32.dll")] public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, int size, out IntPtr lpNumberOfBytesRead); [DllImport("kernel32.dll")] public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, int size, out IntPtr lpNumberOfBytesWritten); } public class ProcessMemoryReader { public ProcessMemoryReader() { } public Process ReadProcess { get { return m_ReadProcess; } set { m_ReadProcess = value; } } private Process m_ReadProcess = null; private IntPtr m_hProcess = IntPtr.Zero; public void OpenProcess() { // m_hProcess = ProcessMemoryReaderApi.OpenProcess(ProcessMemoryReaderApi.PROCESS_VM_READ, 1, (uint)m_ReadProcess.Id); ProcessMemoryReaderApi.ProcessAccessType access; access = ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_READ | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_WRITE | ProcessMemoryReaderApi.ProcessAccessType.PROCESS_VM_OPERATION; m_hProcess = ProcessMemoryReaderApi.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id); } public void CloseHandle() { int iRetValue; iRetValue = ProcessMemoryReaderApi.CloseHandle(m_hProcess); if (iRetValue == 0) throw new Exception("CloseHandle failed"); } public byte[] ReadProcessMemory(IntPtr MemoryAddress, int bytesToRead, out int bytesRead) { byte[] buffer = new byte[bytesToRead]; IntPtr ptrBytesRead; ProcessMemoryReaderApi.ReadProcessMemory(m_hProcess, MemoryAddress, buffer, bytesToRead, out ptrBytesRead); bytesRead = ptrBytesRead.ToInt32(); return buffer; } public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite, out int bytesWritten) { IntPtr ptrBytesWritten; ProcessMemoryReaderApi.WriteProcessMemory(m_hProcess, MemoryAddress, bytesToWrite, bytesToWrite.Length, out ptrBytesWritten); bytesWritten = ptrBytesWritten.ToInt32(); } } }
static void Scaner(Process p, int StartAddress, int EndAddress) { IntPtr baseAddress = (IntPtr)StartAddress; IntPtr lastAddress = (IntPtr)EndAddress; int ReadStackSize = 20480; int arraysDifference = 256/8 - 1; ProcessMemoryReader reader = new ProcessMemoryReader(); reader.ReadProcess = p; //Open the pocess to read the memory. reader.OpenProcess(); //Calculate the size of memory to scan. int memorySize = (int)((int)lastAddress - (int)baseAddress); //If more that one block of memory is requered to be read, if (memorySize >= ReadStackSize) { //Count of loops to read the memory blocks. int loopsCount = memorySize / ReadStackSize; //Look to see if there is any other bytes let after the loops. int outOfBounds = memorySize % ReadStackSize; //Set the currentAddress to first address. int currentAddress = (int)baseAddress; //This will be used to check if any bytes have been read from the memory. int bytesReadSize; //Set the size of the bytes blocks. int bytesToRead = ReadStackSize; //An array to hold the bytes read from the memory. byte[] array; //Progress percentage. int progress; for (int i = 0; i < loopsCount; i++) { Console.WriteLine (i.ToString ()); //Read the bytes from the memory. array = reader.ReadProcessMemory((IntPtr)currentAddress, bytesToRead, out bytesReadSize); //If any byte is read from the memory (there has been any bytes in the memory block), if (bytesReadSize > 0) { join(array); } //Move currentAddress after the block already scaned, but //move it back some steps backward (as much as arraysDifference) //to avoid loosing any values at the end of the array. currentAddress += array.Length - arraysDifference; //Set the size of the read block, bigger, to the steps backward. //Set the size of the read block, to fit the back steps. bytesToRead = ReadStackSize + arraysDifference; } //If there is any more bytes than the loops read, if (outOfBounds > 0) { //Read the additional bytes. byte[] outOfBoundsBytes = reader.ReadProcessMemory((IntPtr)currentAddress, ((int)lastAddress - currentAddress), out bytesReadSize); //If any byte is read from the memory (there has been any bytes in the memory block), if (bytesReadSize > 0) { join(outOfBoundsBytes); } } } //If the block could be read in just one read, else { //Calculate the memory block's size. int blockSize = memorySize % ReadStackSize; //Set the currentAddress to first address. int currentAddress = (int)baseAddress; //Holds the count of bytes read from the memory. int bytesReadSize; //If the memory block can contain at least one 16 bit variable. if (blockSize > 256/8) { //Read the bytes to the array. byte[] array = reader.ReadProcessMemory((IntPtr)currentAddress, blockSize, out bytesReadSize); //If any byte is read, if (bytesReadSize > 0) { join(array); } } } //Close the handle to the process to avoid process errors. reader.CloseHandle(); }
static void join(byte[] b1) { if (re == null) { re = b1; } else { byte[] b0 = new byte[re.Length]; re.CopyTo(b0, 0); re = new byte[b0.Length + b1.Length]; b0.CopyTo(re, 0); b1.CopyTo(re, b0.Length); } } 以下调用 //Process[] ps = Process.GetProcesses(); //Process pqq = null; //foreach (Process p in ps) //{ // if (p.ProcessName=="QQ" && p.MainModule.FileName.Contains ("QQ.exe")) // { // pqq = p; // break; // } //} //int firstAddress = int.Parse("06000000", System.Globalization.NumberStyles.HexNumber); //int lastAddress = int.Parse("09F00000", System.Globalization.NumberStyles.HexNumber); //Scaner(pqq, firstAddress, lastAddress);