转自:http://www.cnblogs.com/hbb0b0/archive/2013/02/06/2907707.html
本文说明已知其它进程变量所在地址,如何读取此进程变量地址所保存的信息 Win32ReadMemTest的代码如下 #include "stdafx.h" #include "windows.h" int add(int a,int b); typedef int (*func)(int,int); int _tmain(int argc, _TCHAR* argv[]) { DWORD number=10000; DWORD *ptr=&number; func myfunc=NULL; myfunc=add; printf("%p: %d\n",ptr,*ptr); printf("func address:%p\n",myfunc); system("pause"); return 0; } int add(int a,int b) { return a+b; } 运行Win32ReadMemTest 就会显示ptr的地址:0x002df914 /************************************************************ FileName:win32SystemInfo Version : Date:2013.01.30 Description: //本模块说明 已知其它进程变量所在地址,如何读取其它进程变量地址所保存的信息 <author> hbb0b0@163.com </author> ***********************************************************/ #include "stdafx.h" #include "windows.h" #include "stdlib.h" //typedef int (*func)(int,int); int _tmain(int argc, _TCHAR* argv[]) { //窗口句柄 HWND hwnd=NULL; //线程pid DWORD pId; //进程句柄 HANDLE hProcess; //其他程序的变量基地址 LPVOID lpBaseAddress=(LPVOID)0x002df914; //LPVOID lpFunctBaseAddres=(LPVOID)0x0108109B; DWORD lpbuffer; //func funAdd=NULL; DWORD dwordResult; BOOL boolResult; int funcResult=0; //获取一个窗口句柄 hwnd=FindWindowA("ConsoleWindowClass","E:\\Hbb0b0\\Program\\vs2012\\sqlite3\\Debug\\Win32ReadMemTest.exe"); if(!hwnd) { printf("%s\n","can't find thread hwnd!"); return 0; } dwordResult= GetWindowThreadProcessId(hwnd,&pId); if(!dwordResult) { printf("%s\n","can't find thread pId!"); return 0; } hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pId); if(!hProcess) { printf("%s\n","can't find processId!"); return 0; } //读取指定进程某个地址的信息 ReadProcessMemory(hProcess,lpBaseAddress,(void*)&lpbuffer,sizeof(DWORD),0 ); printf("%d",lpbuffer); //ReadProcessMemory(hProcess,lpFunctBaseAddres,(void*)funAdd,sizeof(func),0 ); //funcResult= funAdd(10,5); //printf("%d",funcResult); return 0; }