以下是一个基于C语言和Win32API的内存扫描器的实现代码
首先定义一个结构体MEMBLOCK,用来存储内存块的信息
点击查看代码
typedef struct _MEMBLOCK
{
HANDLE hProcess; //进程句柄
PVOID addr; //内存块地址
int size; //内存块大小
char* buffer; //内存数据
char* searchmask;//搜索标识符,标识每一字节的数据是否在搜索列表中
int matches; //匹配的数据个数
int data_size; //数据大小(单位字节)
struct _MEMBLOCK* next;
}MEMBLOCK;
点击查看代码
typedef enum
{
COND_UNCONDITIONAL, //每个字节
COND_EQUALS, //数值为特定值的字节
COND_INCREASE, //数值增大的字节
COND_DECREASE, //数值减小的字节
}SEARCH_CONDITION;
点击查看代码
MEMBLOCK* create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size)
{
MEMBLOCK* mb = (MEMBLOCK*)malloc(sizeof(MEMBLOCK));
if (mb)
{
mb->hProcess = hProcess;
mb->addr = meminfo->BaseAddress;
mb->size = meminfo->RegionSize;
mb->buffer = (char*)malloc(meminfo->RegionSize);
//初始化搜索掩码为0xff,表示每一个字节都在搜索列表中
mb->searchmask = (char*)malloc(meminfo->RegionSize / 8);
memset(mb->searchmask, 0xff, meminfo->RegionSize / 8);
mb->matches = meminfo->RegionSize;
mb->data_size = data_size;
mb->next = NULL;
}
return mb;
}
void free_memblock(MEMBLOCK* mb)
{
if (mb)
{
if (mb->buffer)
{
free(mb->buffer);
}
if (mb->searchmask)
{
free(mb->searchmask);
}
free(mb);
}
}
void update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val)
{
static unsigned char tempbuf[128 * 1024];//0x20000
unsigned int bytes_left;//当前未处理的字节数
unsigned int total_read;//已经处理的字节数
unsigned int bytes_to_read;
SIZE_T bytes_read;
if (mb->matches > 0)
{
bytes_left = mb->size;
total_read = 0;
mb->matches = 0;
while (bytes_left)
{
bytes_to_read = (bytes_left > sizeof(tempbuf)) ? sizeof(tempbuf) : bytes_left;
ReadProcessMemory(mb->hProcess, (LPCVOID)((SIZE_T)mb->addr + total_read), tempbuf, bytes_to_read, &bytes_read);
//如果读失败了,则结束
if (bytes_to_read != bytes_read) break;
//条件搜索处
if (condition == COND_UNCONDITIONAL)//无条件,则所有数据都匹配
{
memset(mb->searchmask + total_read / 8, 0xff, bytes_read / 8);
mb->matches += bytes_read;
}
else//遍历临时buffer
{
for (int offset = 0; offset < bytes_read; offset += mb->data_size)
{
if (IS_IN_SEARCH(mb, (total_read + offset)))
{
BOOL is_match = FALSE;
int temp_val;
int prev_val;
switch (mb->data_size)//获取临时数值的大小
{
case 1:
temp_val = tempbuf[offset];
prev_val = *((char*)&mb->buffer[total_read + offset]);
break;
case 2:
temp_val = *((short*)&tempbuf[offset]);
prev_val = *((short*)&mb->buffer[total_read + offset]);
break;
case 4:
default:
temp_val = *((int*)&tempbuf[offset]);
prev_val = *((short*)&mb->buffer[total_read + offset]);
break;
}
switch (condition)//根据不同搜索条件处理
{
case COND_EQUALS:
is_match = (temp_val == val);
break;
case COND_INCREASE:
is_match = (temp_val > prev_val);
break;
case COND_DECREA