zoukankan      html  css  js  c++  java

  • 如何获取 程序加载后的内存起始地址

    Public Function GetProcessPath(ByVal dwProcessId As Long) As String 
        Dim ntStatus As Long 
        Dim objBasic As PROCESS_BASIC_INFORMATION 
        Dim objFlink As Long 
        Dim objPEB As Long, objLdr As Long 
        Dim objBaseAddress As Long 
        Dim bytName(260 * 2 - 1) As Byte 
        Dim strModuleName As String, objName As Long 
        Dim objCid As CLIENT_ID 
        Dim objOa As OBJECT_ATTRIBUTES 
        Dim i As Integer 
        Dim hProcess As Long 
        objOa.Length = Len(objOa) 
        objCid.UniqueProcess = dwProcessId 
        ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, objOa, objCid) 
        If hProcess = 0 Then 
            hProcess = GetHandleByProcessId(dwProcessId) 
            If hProcess = 0 Then 
                GetProcessPath = "" 
                Exit Function 
            End If 
        End If 
        Dim lngRet As Long, lngReturn As Long 
        ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(objBasic), Len(objBasic), ByVal 0&) 
        If (NT_SUCCESS(ntStatus)) Then 
            objPEB = objBasic.PebBaseAddress 
            lngRet = ReadProcessMemory(hProcess, ByVal objPEB + &HC, objLdr, 4, ByVal 0&) 
            lngRet = ReadProcessMemory(hProcess, ByVal objLdr + &HC, objFlink, 4, ByVal 0&) 
            lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H18, objBaseAddress, 4, ByVal 0&) 
            If objBaseAddress > 0 Then 
                lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H28, objName, 4, ByVal 0&) 
                lngRet = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2, ByVal 0&) 
                If ERROR_PARTIAL_COPY = lngRet Then 
    Start: 
                    i = i + 1 
                    If ERROR_PARTIAL_COPY = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2 - i, ByVal 0&) Then 
                        GoTo Start 
                    End If 
                End If 
                strModuleName = bytName 
                strModuleName = Left(strModuleName & Chr(0), InStr(strModuleName & Chr(0), Chr(0)) - 1) 
                GetProcessPath = strModuleName 
            End If 
        End If 
        NtClose hProcess 
    End Function 

    看这里objBaseAddress 这个就是你要的东西
  • 相关阅读:
    python路径相关
    python之json
    python之正则表达式备忘
    MD5 SHA1 HMAC HMAC_SHA1区别
    微信根据openid给用户发送图文消息
    最近做的几个小程序
    5000万pv小程序,高并发及缓存优化,入坑
    小程序 后台发送模板消息
    mysql 组合索引
    php 拆分txt小说章节保存到数据库
  • 原文地址:https://www.cnblogs.com/yulei126/p/6790282.html
Copyright © 2011-2022 走看看