
(一)内存扫描器(面向过程版)(四)
2023-07-23 13:35:36 】 浏览:103
Tags:向过程
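te_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val); // tail of a prototype that begins on the previous page of the listing (apparently update_memblock's)
void free_memblock(MEMBLOCK* mb);
MEMBLOCK* create_scan(int pid, int data_size);
void update_scan(MEMBLOCK* mb_list, SEARCH_CONDITION condition, int val);
void free_scan(MEMBLOCK* mb_list);
void dump_scan_info(MEMBLOCK* mb_list);
void poke(HANDLE hProcess, int data_size, PVOID addr, int val);
int peek(HANDLE hProcess, int data_size, PVOID addr);
void print_matches(MEMBLOCK* mb_list);
int get_match_count(MEMBLOCK* mb_list);
int str2int(char* s);
// ui
MEMBLOCK* ui_new_scan(void);
void ui_poke(HANDLE hProcess, int data_size);
void ui_run_scan();

// Implementation part of the listing. The declarations above presumably
// belong to memoryScanner.h, which is included here.
#include"memoryScanner.h"
using namespace std;

// searchmask is a bitmap with one bit per byte offset of the region:
// bit (offset % 8) of byte (offset / 8) is set while that offset is still a
// candidate match.
#define IS_IN_SEARCH(mb,offset) ((mb)->searchmask[(offset)/8] & (1<<((offset)%8)))
// The trailing semicolon is kept from the original so that call sites outside
// this part of the listing expand exactly as before.
#define REMOVE_FROM_SEARCH(mb,offset) (mb)->searchmask[(offset)/8]&=~(1<<((offset)%8));

// Program entry point: runs ui_run_scan() and exits with status 0.
int main()
{
    ui_run_scan();
    return 0;
}

// Allocates and initialises the bookkeeping record for one memory region.
//
// hProcess   process handle stored in the block; update_memblock passes it to
//            ReadProcessMemory.
// meminfo    region description; BaseAddress and RegionSize are copied.
// data_size  width in bytes of the values to compare (update_memblock handles
//            1 and 2 explicitly and treats every other value as 4).
//
// Returns the new block, or NULL if meminfo is NULL or any allocation fails.
// On failure nothing is leaked.
MEMBLOCK* create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size)
{
    if (meminfo == NULL)
        return NULL;

    // One mask bit per byte of the region, rounded up so that an offset in a
    // final partial group of eight still has a mask byte behind it.
    const SIZE_T mask_size = (meminfo->RegionSize + 7) / 8;

    MEMBLOCK* mb = (MEMBLOCK*)malloc(sizeof(MEMBLOCK));
    if (mb == NULL)
        return NULL;

    mb->buffer = (char*)malloc(meminfo->RegionSize);
    mb->searchmask = (char*)malloc(mask_size);
    if (mb->buffer == NULL || mb->searchmask == NULL)
    {
        // RegionSize describes a region of the inspected process and can be
        // large, so allocation failure is a realistic path. The original code
        // went on to memset() the mask without checking it; release whatever
        // was obtained and report failure instead (free(NULL) is a no-op).
        free(mb->searchmask);
        free(mb->buffer);
        free(mb);
        return NULL;
    }

    mb->hProcess = hProcess;
    mb->addr = meminfo->BaseAddress;
    mb->size = meminfo->RegionSize;
    // Initialise the search mask to 0xff: every byte starts in the search list.
    memset(mb->searchmask, 0xff, mask_size);
    mb->matches = meminfo->RegionSize;
    mb->data_size = data_size;
    mb->next = NULL;
    return mb;
}

// Re-reads the block's region from the target process in chunks and re-counts
// the matches for the given condition. Only the first part of this function
// is on this page; its code is reproduced unchanged.
void update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val)
{
    // Static scratch buffer: shared by every call, so this function is not
    // reentrant.
    static unsigned char tempbuf[128 * 1024];//0x20000
    unsigned int bytes_left;//bytes not yet processed
    unsigned int total_read;//bytes already processed
    unsigned int bytes_to_read;
    SIZE_T bytes_read;
    if (mb->matches > 0)
    {
        bytes_left = mb->size;
        total_read = 0;
        mb->matches = 0;
        while (bytes_left)
        {
            bytes_to_read = (bytes_left > sizeof(tempbuf)) ? sizeof(tempbuf) : bytes_left;
            // NOTE(review): the BOOL result of ReadProcessMemory is ignored and
            // bytes_read is not initialised before the call, so the failure
            // test below depends entirely on what the API stores in bytes_read.
            // Initialising bytes_read to 0 and checking the return value would
            // make the failure path explicit.
            ReadProcessMemory(mb->hProcess, (LPCVOID)((SIZE_T)mb->addr + total_read), tempbuf, bytes_to_read, &bytes_read);
            //if the read failed (short read), stop
            if (bytes_to_read != bytes_read) break;
            //conditional search
            if (condition == COND_UNCONDITIONAL)//unconditional: every byte matches
            {
                memset(mb->searchmask + total_read / 8, 0xff, bytes_read / 8);
                mb->matches += bytes_read;
            }
            else//walk the temporary buffer
            {
                for (int offset = 0; offset < bytes_read; offset += mb->data_size)
                {
                    if (IS_IN_SEARCH(mb, (total_read + offset)))
                    {
                        BOOL is_match = FALSE;
                        int temp_val;
                        int prev_val;
                        switch (mb->data_size)//fetch the values according to the data size
                        {
                        case 1:
                            // NOTE(review): temp_val comes from an unsigned char
                            // buffer while prev_val is read through char*, whose
                            // signedness is implementation-defined; the two can
                            // differ for bytes >= 0x80. Confirm the intent.
                            temp_val = tempbuf[offset];
                            prev_val = *((char*)&mb->buffer[total_read + offset]);
                            break;
                        case 2:
                            temp_val = *((short*)&tempbuf[offset]);
                            prev_val = *((short*)&mb->buffer[total_read + offset]);
                            break;
                        case 4:
                        default:
                            // NOTE(review): prev_val is read through short* here
                            // although temp_val is read as int. This looks like
                            // a copy-paste slip from case 2; int* is probably
                            // intended, otherwise the previous value is
                            // truncated to 16 bits.
                            temp_val = *((int*)&tempbuf[offset]);
                            prev_val = *((short*)&mb->buffer[total_read + offset]);
                            break;
                        }
                        switch (condition)//handle each search condition
                        {
                        case COND_EQUALS:
                            is_match = (temp_val == val);
                            // (the listing continues on the next page of the article)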