以下是一个基于C语言和Win32API的内存扫描器的实现代码

首先定义一个结构体MEMBLOCK，用来存储内存块的信息

点击查看代码

typedef struct _MEMBLOCK
{
	HANDLE hProcess; //进程句柄
	PVOID addr;	 //内存块地址
	int size;	 //内存块大小
	char* buffer;	 //内存数据

	char* searchmask;//搜索标识符，标识每一字节的数据是否在搜索列表中
	int matches;	 //匹配的数据个数
	int data_size;   //数据大小(单位字节)
	struct _MEMBLOCK* next;
}MEMBLOCK;

再定义一个关于搜索方式的枚举SEARCH_CONDITION

点击查看代码

typedef enum
{
	COND_UNCONDITIONAL, //每个字节
	COND_EQUALS,		//数值为特定值的字节
	COND_INCREASE,		//数值增大的字节
	COND_DECREASE,		//数值减小的字节
}SEARCH_CONDITION;

之后我们实现对内存块的创建，释放及更新操作。内存块的创建及释放只涉及内存申请及释放，更新操作则是利用ReadProcessMemory API函数更新我们的内存块内容

点击查看代码

MEMBLOCK* create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size)
{
	MEMBLOCK* mb = (MEMBLOCK*)malloc(sizeof(MEMBLOCK));
	if (mb)
	{
		mb->hProcess = hProcess;
		mb->addr = meminfo->BaseAddress;
		mb->size = meminfo->RegionSize;
		mb->buffer = (char*)malloc(meminfo->RegionSize);

		//初始化搜索掩码为0xff，表示每一个字节都在搜索列表中
		mb->searchmask = (char*)malloc(meminfo->RegionSize / 8);
		memset(mb->searchmask, 0xff, meminfo->RegionSize / 8);

		mb->matches = meminfo->RegionSize;
		mb->data_size = data_size;
		mb->next = NULL;
	}

	return mb;
}

void free_memblock(MEMBLOCK* mb)
{
	if (mb)
	{
		if (mb->buffer)
		{
			free(mb->buffer);
		}
		if (mb->searchmask)
		{
			free(mb->searchmask);
		}
		free(mb);
	}
}

void update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val)
{
	static unsigned char tempbuf[128 * 1024];//0x20000
	unsigned int bytes_left;//当前未处理的字节数
	unsigned int total_read;//已经处理的字节数
	unsigned int bytes_to_read;
	SIZE_T bytes_read;

	if (mb->matches > 0)
	{
		bytes_left = mb->size;
		total_read = 0;

		mb->matches = 0;

		while (bytes_left)
		{
			bytes_to_read = (bytes_left > sizeof(tempbuf)) ? sizeof(tempbuf) : bytes_left;
			ReadProcessMemory(mb->hProcess, (LPCVOID)((SIZE_T)mb->addr + total_read), tempbuf, bytes_to_read, &bytes_read);
			//如果读失败了，则结束
			if (bytes_to_read != bytes_read) break;

			//条件搜索处
			if (condition == COND_UNCONDITIONAL)//无条件，则所有数据都匹配
			{
				memset(mb->searchmask + total_read / 8, 0xff, bytes_read / 8);
				mb->matches += bytes_read;
			}
			else//遍历临时buffer
			{
				for (int offset = 0; offset < bytes_read; offset += mb->data_size)
				{
					if (IS_IN_SEARCH(mb, (total_read + offset)))
					{
						BOOL is_match = FALSE;
						int temp_val;
						int prev_val;
						switch (mb->data_size)//获取临时数值的大小
						{
						case 1:
							temp_val = tempbuf[offset];
							prev_val = *((char*)&mb->buffer[total_read + offset]);
							break;
						case 2:
							temp_val = *((short*)&tempbuf[offset]);
							prev_val = *((short*)&mb->buffer[total_read + offset]);
							break;
						case 4:
						default:
							temp_val = *((int*)&tempbuf[offset]);
							prev_val = *((short*)&mb->buffer[total_read + offset]);
							break;
						}

						switch (condition)//根据不同搜索条件处理
						{
						case COND_EQUALS:
							is_match = (temp_val == val);
							break;
						case COND_INCREASE:
							is_match = (temp_val > prev_val);
							break;
						case COND_DECREA