C#在进程内存中搜索字节数组
我正在为一个特定的应用程序开发一个小型内存扫描器。选择要扫描的进程后,我要做的第一件事是验证该进程是否就是那个特定的应用程序。为此,我必须找到一个特征码(签名),它可能位于该进程内存中的任何位置。这是我的代码:
标签:c#, .net, pinvoke, readprocessmemory
// P/Invoke declaration for kernel32!ReadProcessMemory: copies bytes from the address space of
// the process identified by processHandle into the managed buffer.
// Returns true on success; because SetLastError = true, the Win32 error code of a failed call
// can be read with Marshal.GetLastWin32Error().
// The Win32 API requires the handle to carry PROCESS_VM_READ access; without it the call fails
// with an access-denied error.
// bytesRead receives the number of bytes actually copied. A call can fail or copy less than
// requested when part of the range is not readable, so callers should only trust that many
// bytes of buffer.
// NOTE(review): the native bytesToRead parameter is SIZE_T (pointer-sized); it is declared
// UInt32 here, which limits a single read to 4 GB and differs from the native width in a
// 64-bit process. Confirm the target bitness before relying on this signature.
[DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern Boolean ReadProcessMemory([In] IntPtr processHandle, [In] IntPtr processAddress, [Out] Byte[] buffer, [In] UInt32 bytesToRead, [Out] out IntPtr bytesRead);
// P/Invoke declaration for kernel32!VirtualQueryEx: fills buffer with a description of the
// memory region that contains processAddress in the process identified by processHandle.
// Returns the number of bytes written to buffer, or 0 on failure (for example when the address
// lies above the highest user-mode address); SetLastError = true makes the error code available
// through Marshal.GetLastWin32Error().
// The Win32 API requires the handle to carry PROCESS_QUERY_INFORMATION access.
// NOTE(review): the native return value and bufferSize are SIZE_T (pointer-sized); they are
// declared UInt32 here. Confirm this matches the bitness the scanner is built for.
[DllImport("Kernel32.dll", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
internal static extern UInt32 VirtualQueryEx([In] IntPtr processHandle, [In, Optional] IntPtr processAddress, [Out] out MEMORY_BASIC_INFORMATION buffer, [In] UInt32 bufferSize);
// Managed mirror of the Win32 MEMORY_BASIC_INFORMATION structure that VirtualQueryEx fills in.
// The instance fields are declared in the same order as the native structure; C# structs use
// sequential layout by default, so no explicit StructLayout attribute appears here.
// NOTE(review): AllocationProtect, StateEnum and TypeEnum are declared elsewhere; the layout
// only matches the native one if each is a 4-byte enum - confirm.
// NOTE(review): the posted Open() method reads NativeMethods.MemoryBasicInformation.Size, which
// does not match this type's name; one of the two was presumably renamed before posting.
internal struct MEMORY_BASIC_INFORMATION
{
// Marshalled size of the structure in bytes, computed once; static, so not part of the layout.
public static UInt32 Size = (UInt32)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
// Start address of the region of pages.
public IntPtr BaseAddress;
// Base address of the allocation this region belongs to.
public IntPtr AllocationBase;
// Protection requested when the allocation was first made.
public AllocationProtect AllocationProtect;
// Size in bytes of the region starting at BaseAddress.
public IntPtr RegionSize;
// Page state (committed, reserved or free). Only committed pages can be read.
public StateEnum State;
// Current protection of the pages. No-access and guard pages make ReadProcessMemory fail.
public AllocationProtect Protect;
// Kind of pages in the region (image, mapped or private).
public TypeEnum lType;
}
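/// <summary>
/// Walks the user-mode address space of <c>m_Process</c> region by region and sets
/// <c>m_IsValid</c> to true as soon as the signature bytes are found in readable memory.
/// </summary>
/// <remarks>
/// Changes compared with the posted version:
/// regions that are not committed, or that are no-access / guard pages, are skipped instead of
/// being handed to ReadProcessMemory (which fails on them);
/// regions are read in bounded chunks instead of allocating one array per whole region, which
/// could request gigabytes for a large reservation;
/// only the bytes reported in bytesRead are searched, so stale buffer contents cannot match;
/// addresses are tracked as 64-bit values so the arithmetic cannot wrap.
/// A byte pattern found somewhere in memory is a heuristic: any process can hold the same
/// bytes. If the result gates anything security-relevant, combine it with a stronger identity
/// check such as the main module's path or signature.
/// The handle in m_Process.Handle must allow PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
/// </remarks>
public void Open()
{
// NOTE(review): these literals are decimal (31 == 0x1F). If the signature was copied from a
// hex dump the values need a 0x prefix - confirm against the target application.
Byte[] toFind = new Byte[] { 31, 55, 78, 33, 00, 00, 00, 37 };

// Win32 constants: MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD.
const UInt32 MemCommit = 0x1000;
const UInt32 PageNoAccess = 0x01;
const UInt32 PageGuard = 0x100;
// Upper bound on bytes fetched per ReadProcessMemory call.
const Int32 ChunkSize = 0x100000;

// Highest address worth querying: the original 2 GB limit in a 32-bit scanner, the 128 TB
// user-mode limit in a 64-bit one. VirtualQueryEx returning 0 normally ends the walk earlier.
Int64 maxAddress = IntPtr.Size == 4 ? 0x7fffffffL : 0x7fffffffffffL;
Int64 address = 0;

// Each read overlaps the next chunk by (signature length - 1) bytes so a match that straddles
// a chunk boundary is still seen.
Byte[] chunk = new Byte[ChunkSize + Math.Max(toFind.Length - 1, 0)];

do
{
MEMORY_BASIC_INFORMATION info = new MEMORY_BASIC_INFORMATION();
if (NativeMethods.VirtualQueryEx(m_Process.Handle, new IntPtr(address), out info, NativeMethods.MemoryBasicInformation.Size) == 0)
break;

Int64 regionStart = info.BaseAddress.ToInt64();
Int64 regionSize = info.RegionSize.ToInt64();
Int64 regionEnd = regionStart + regionSize;

// Assumes StateEnum / AllocationProtect are enums carrying the raw Win32 values - confirm.
UInt32 state = (UInt32)info.State;
UInt32 protect = (UInt32)info.Protect;
Boolean readable = state == MemCommit
&& protect != 0
&& (protect & (PageNoAccess | PageGuard)) == 0;

if (readable && RegionContainsSignature(regionStart, regionSize, toFind, chunk, ChunkSize))
{
m_IsValid = true;
break;
}

// Stop if the query did not move us forward; otherwise continue after this region.
if (regionEnd <= address)
break;
address = regionEnd;
}
while (address <= maxAddress);
}

// Reads one region in chunkSize steps into chunk and reports whether toFind occurs in it.
private Boolean RegionContainsSignature(Int64 regionStart, Int64 regionSize, Byte[] toFind, Byte[] chunk, Int32 chunkSize)
{
for (Int64 offset = 0; offset < regionSize; offset += chunkSize)
{
Int32 toRead = (Int32)Math.Min(regionSize - offset, (Int64)chunk.Length);
IntPtr bytesRead;
// A failed read of one chunk (pages changed or freed since the query) is not fatal;
// move on to the next chunk.
if (!NativeMethods.ReadProcessMemory(m_Process.Handle, new IntPtr(regionStart + offset), chunk, (UInt32)toRead, out bytesRead))
continue;

Int32 valid = (Int32)Math.Min(bytesRead.ToInt64(), (Int64)toRead);
if (ContainsSequence(chunk, valid, toFind))
return true;
}
return false;
}

// Returns true when needle occurs within the first count bytes of haystack.
private static Boolean ContainsSequence(Byte[] haystack, Int32 count, Byte[] needle)
{
if (needle.Length == 0)
return true;

for (Int32 start = 0; start <= count - needle.Length; start++)
{
Int32 matched = 0;
while (matched < needle.Length && haystack[start + matched] == needle[matched])
matched++;
if (matched == needle.Length)
return true;
}
return false;
}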
好的,我解决了。问题在于我读取内存的方式:没有先使用 VirtualQueryEx 查询内存区域并检查其保护属性就直接读取。