Vb6: how to get the strings of any program from ReadProcessMemory - vb


Can you give me an example of how to get the output of ReadProcessMemory (in VB)?


For example, I want to extract all the values ReadProcessMemory returns for any program, and then put them into a text file.

ReadProcessMemory is rarely used on its own, because the memory addresses have to come from somewhere. I don't have code to dump a whole process either, but below is an example that reads a process's command line using the native API ZwQueryInformationProcess.

In this example, GetProcessCommandLine uses ZwQueryInformationProcess to retrieve the PEB of the given process, and then follows pointers in the process's memory to find the command line.

Option Explicit

' ZwQueryInformationProcess is the NTDLL export behind NtQueryInformationProcess (undocumented but stable).
Public Declare Function ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal InformationClass As PROCESSINFOCLASS, ByRef ProcessInformation As Any, ByVal ProcessInformationLength As Long, ByRef ReturnLength As Long) As Long
' hProcess must have been opened with PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long

Public Enum PROCESSINFOCLASS
    ProcessBasicInformation
    ProcessQuotaLimits
    ProcessIoCounters
    ProcessVmCounters
    ProcessTimes
    ProcessBasePriority
    ProcessRaisePriority
    ProcessDebugPort
    ProcessExceptionPort
    ProcessAccessToken
    ProcessLdtInformation
    ProcessLdtSize
    ProcessDefaultHardErrorMode
    ProcessIoPortHandlers         '// Note: this is kernel mode only
    ProcessPooledUsageAndLimits
    ProcessWorkingSetWatch
    ProcessUserModeIOPL
    ProcessEnableAlignmentFaultFixup
    ProcessPriorityClass
    ProcessWx86Information
    ProcessHandleCount
    ProcessAffinityMask
    ProcessPriorityBoost
    ProcessDeviceMap
    ProcessSessionInformation
    ProcessForegroundInformation
    ProcessWow64Information
    ProcessImageFileName
    ProcessLUIDDeviceMapsEnabled
    ProcessBreakOnTermination
    ProcessDebugObjectHandle
    ProcessDebugFlags
    ProcessHandleTracing
    ProcessIoPriority
    ProcessExecuteFlags
    ProcessResourceManagement
    ProcessCookie
    ProcessImageInformation
    MaxProcessInfoClass           '// MaxProcessInfoClass should always be the last enum
End Enum

' Filled in for ProcessBasicInformation (32-bit layout: six Longs, 24 bytes).
Public Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long
    PebBaseAddress As Long            ' address of the PEB inside the target process
    AffinityMask As Long
    BasePriority As Long
    UniqueProcessId As Long
    InheritedFromUniqueProcessId As Long
End Type

' Reads the target's command line: PEB -> ProcessParameters -> CommandLine (a UNICODE_STRING).
' The offsets are the 32-bit ones (PEB+&H10, RTL_USER_PROCESS_PARAMETERS+&H40 / +&H44);
' a 64-bit target has a different layout and cannot be read this way from 32-bit VB6.
' Returns "" if the handle is invalid or any read comes back short.
Public Function GetProcessCommandLine(ByVal hProcess As Long) As String
    Dim NTSTATUS As Long
    Dim objBasic As PROCESS_BASIC_INFORMATION
    Dim bytName() As Byte
    Dim obj As Long          ' receives the pointers read out of the target
    Dim dwSize As Long       ' return length, then CommandLine.Length (in bytes)
    Dim lngRet As Long       ' bytes actually read by each ReadProcessMemory call

    GetProcessCommandLine = ""
    If hProcess = 0 Then Exit Function

    NTSTATUS = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, objBasic, Len(objBasic), dwSize)
    If NTSTATUS <> 0 Then Exit Function   ' STATUS_SUCCESS = 0

    ' PEB.ProcessParameters: pointer to RTL_USER_PROCESS_PARAMETERS
    ReadProcessMemory hProcess, ByVal objBasic.PebBaseAddress + &H10, obj, 4, lngRet
    If lngRet <> 4 Or obj = 0 Then Exit Function

    ' CommandLine.Length is a USHORT: only 2 bytes land in dwSize, so clear it first
    dwSize = 0
    ReadProcessMemory hProcess, ByVal obj + &H40, dwSize, 2, lngRet
    If lngRet <> 2 Or dwSize = 0 Then Exit Function

    ' CommandLine.Buffer: PWSTR into the target's address space
    ReadProcessMemory hProcess, ByVal obj + &H44, obj, 4, lngRet
    If lngRet <> 4 Or obj = 0 Then Exit Function

    ' Copy the UTF-16 characters out; Length counts bytes, not characters
    ReDim bytName(dwSize - 1)
    ReadProcessMemory hProcess, ByVal obj, bytName(0), dwSize, lngRet
    If lngRet <> dwSize Then Exit Function

    ' VB6 strings are UTF-16 internally, so a Byte array assigns straight into a String
    GetProcessCommandLine = bytName
End Function
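The same pointer walk (PEB -> ProcessParameters -> CommandLine), written as an added example in C that is not part of the answer above. It goes beyond the answer in two ways: it carries the 32-bit offsets the answer uses (0x10 / 0x40 / 0x44) and the 64-bit ones (0x20 / 0x70 / 0x78) side by side, and it exercises the failure case the answer's `If lngRet <> ... Then Exit Function` checks exist for, a CommandLine.Buffer pointer into unmapped memory. So that it runs on any machine, the target process is a constructed byte image and `read_process_memory()` is a stand-in with ReadProcessMemory's contract (bytes copied, 0 when the range is not readable); in a real tool you would swap in the Win32 call and take `peb` from NtQueryInformationProcess(ProcessBasicInformation). `fake_process`, `layout`, `build_fake`, `demo` and the planted command line are all illustrative names and data, not Windows APIs.

```c
/* PEB -> RTL_USER_PROCESS_PARAMETERS -> CommandLine, with 32- and 64-bit layouts.
 * Added example: the target process is a constructed byte image and
 * read_process_memory() stands in for the Win32 ReadProcessMemory call. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one readable region of a target process. */
typedef struct { uint64_t base; uint8_t *image; size_t size; } fake_process;

/* Same contract as ReadProcessMemory: bytes copied, 0 if the range is not readable. */
static size_t read_process_memory(const fake_process *p, uint64_t addr, void *buf, size_t n)
{
    if (addr < p->base || addr - p->base > p->size || n > p->size - (addr - p->base))
        return 0;
    memcpy(buf, p->image + (addr - p->base), n);
    return n;
}

/* Field offsets. The 32-bit values are the answer's &H10 / &H40 / &H44; the 64-bit ones
 * follow from pointer-sized fields: PEB.ProcessParameters at 0x20, CommandLine.Length
 * at 0x70, CommandLine.Buffer at 0x78. */
typedef struct { unsigned ptr_size, peb_params, cmd_length, cmd_buffer; } layout;
static const layout LAYOUT32 = { 4, 0x10, 0x40, 0x44 };
static const layout LAYOUT64 = { 8, 0x20, 0x70, 0x78 };

/* Little-endian helpers (x86/x64 byte order). */
static uint64_t le_read(const uint8_t *b, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v |= (uint64_t)b[i] << (8 * i);
    return v;
}
static void le_write(uint8_t *b, uint64_t v, unsigned n)
{
    for (unsigned i = 0; i < n; i++) b[i] = (uint8_t)(v >> (8 * i));
}

/* peb = PebBaseAddress as returned by NtQueryInformationProcess(ProcessBasicInformation).
 * Writes the command line, narrowed to ASCII (non-ASCII becomes '?'), into out.
 * Returns the character count, or -1 if any read is short or a pointer is NULL. */
static int get_command_line(const fake_process *p, uint64_t peb, const layout *l,
                            char *out, size_t out_cap)
{
    uint8_t raw[8], utf16[512];
    if (read_process_memory(p, peb + l->peb_params, raw, l->ptr_size) != l->ptr_size) return -1;
    uint64_t params = le_read(raw, l->ptr_size);
    if (params == 0) return -1;

    if (read_process_memory(p, params + l->cmd_length, raw, 2) != 2) return -1;
    unsigned len_bytes = (unsigned)le_read(raw, 2);   /* UNICODE_STRING.Length is in bytes */
    if (len_bytes == 0 || len_bytes > sizeof utf16 || len_bytes / 2 >= out_cap) return -1;

    if (read_process_memory(p, params + l->cmd_buffer, raw, l->ptr_size) != l->ptr_size) return -1;
    uint64_t buffer = le_read(raw, l->ptr_size);
    if (buffer == 0 || read_process_memory(p, buffer, utf16, len_bytes) != len_bytes) return -1;

    unsigned units = len_bytes / 2;
    for (unsigned i = 0; i < units; i++) {
        unsigned cu = (unsigned)le_read(utf16 + 2 * i, 2);
        out[i] = cu < 0x80 ? (char)cu : '?';
    }
    out[units] = '\0';
    return (int)units;
}

/* Constructed command line planted in the fake image. */
static const char CMDLINE[] = "\"C:\\Windows\\notepad.exe\" C:\\temp\\a.txt";

/* Lay out a fake target: PEB at base, process parameters at base+0x100,
 * the UTF-16LE command-line buffer at base+0x200. */
static fake_process build_fake(uint8_t *img, size_t size, uint64_t base, const layout *l)
{
    memset(img, 0, size);
    le_write(img + l->peb_params, base + 0x100, l->ptr_size);
    le_write(img + 0x100 + l->cmd_length, strlen(CMDLINE) * 2, 2);
    le_write(img + 0x100 + l->cmd_buffer, base + 0x200, l->ptr_size);
    for (size_t i = 0; CMDLINE[i]; i++) le_write(img + 0x200 + 2 * i, (uint8_t)CMDLINE[i], 2);
    fake_process p = { base, img, size };
    return p;
}

/* corrupt_buffer != 0 points CommandLine.Buffer at unmapped memory: the read must be
 * refused (-1), which is what the answer's "If lngRet <> dwSize Then Exit Function" is for. */
static int demo(const layout *l, uint64_t base, int corrupt_buffer, char *out, size_t cap)
{
    static uint8_t img[0x400];
    fake_process p = build_fake(img, sizeof img, base, l);
    if (corrupt_buffer) le_write(img + 0x100 + l->cmd_buffer, base + 0x10000, l->ptr_size);
    return get_command_line(&p, base, l, out, cap);
}

int main(void)
{
    char buf[256];
    if (demo(&LAYOUT32, 0x7FFDF000u, 0, buf, sizeof buf) > 0) printf("32-bit target: %s\n", buf);
    if (demo(&LAYOUT64, 0xA1B2C3D000ull, 0, buf, sizeof buf) > 0) printf("64-bit target: %s\n", buf);
    if (demo(&LAYOUT32, 0x7FFDF000u, 1, buf, sizeof buf) < 0) printf("bad Buffer pointer: read refused\n");
    return 0;
}
```

Two things carry over to a real implementation: UNICODE_STRING.Length is a byte count and the buffer is not guaranteed NUL-terminated, so the read size must come from Length rather than from scanning for a terminator; and a 32-bit reader cannot follow the 64-bit layout of a native x64 target (the answer's VB6 code is 32-bit only), so the layout must be chosen from the target's bitness, not the reader's.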