在此之前,我们实现了内存扫描器(面向过程版)。为了使用的简洁性及可重用性,我们将其模块化,改写为C++类的形式,将用户用不到的成员私有化,对外隐藏,只为其提供类似于首次扫描、再次扫描、内存读写等的接口。
修改后的内存扫描器源码如下:
#pragma once
#include<Windows.h>
#include<cstdlib>
#include<cstring>
#include<iostream>
#include<vector>
using namespace std;
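// Bit test on the per-byte search mask: bit (offset % 8) of mask byte (offset / 8)
// is set while the byte at mb->addr + offset is still a search candidate.
// `mb` is parenthesized so an arbitrary pointer expression can be passed safely.
#define IS_IN_SEARCH(mb,offset) ((mb)->searchmask[(offset)/8] & (1<<((offset)%8)))
// Clears the candidate bit for `offset`. NOTE: the expansion ends in ';' (kept so
// existing call sites with or without a trailing ';' still compile), so it must not
// be used as the single statement of an `if` that is followed by `else`.
#define REMOVE_FROM_SEARCH(mb,offset) (mb)->searchmask[(offset)/8]&=~(1<<((offset)%8));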
// One scanned memory region of the target process. Blocks form a singly linked
// list through `next`. `buffer` and `searchmask` are plain heap allocations made
// by create_memblock (no RAII), so free_memblock is responsible for releasing them.
typedef struct _MEMBLOCK
{
HANDLE hProcess; // process the region belongs to; not owned by the block
PVOID addr; // base address of the region inside the target process
int size; // region size in bytes. NOTE(review): create_memblock assigns a SIZE_T RegionSize here, so a region of 2 GiB or more would truncate.
char* buffer; // `size` bytes allocated by create_memblock; presumably filled with the region's contents during a scan pass (update_memblock is not fully visible here)
char* searchmask;// one bit per byte of the region (see IS_IN_SEARCH / REMOVE_FROM_SEARCH): set while that byte is still a search candidate
int matches; // number of bytes still in the search set; starts at the region size and is recounted by each scan pass
int data_size; // width in bytes of the value being searched for
struct _MEMBLOCK* next; // next region in the scan list, NULL at the end
}MEMBLOCK;
// One scan hit as reported by Scanner::get_data(): the address in the target
// process and the int value found there.
typedef struct _AddrValue
{
PVOID addr; // address inside the target process
int val; // value read at `addr`
}AddrValue;
// Predicate applied to each candidate location during a scan pass
// (first_scan / next_scan / update_memblock).
typedef enum
{
COND_UNCONDITIONAL, // keep every candidate, no value test
COND_EQUALS, // keep candidates whose current value equals the given value
COND_INCREASE, // keep candidates whose value increased since the previous pass
COND_DECREASE, // keep candidates whose value decreased since the previous pass
}SEARCH_CONDITION;
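/*
 * Scanner - process-memory value search built on a list of MEMBLOCKs.
 *
 * Typical use: first_scan(pid, data_size, value) builds the region list for the
 * target process and keeps the locations satisfying the start condition;
 * next_scan() narrows the candidate set with a further condition;
 * get_data() / print_matches() / get_match_count() report the survivors;
 * peek() / poke() read or write a single int in the target process.
 * (Method bodies are defined in the .cpp and are not all shown in this listing.)
 *
 * The object owns the MEMBLOCK list through the raw `scan` pointer and frees it
 * in the destructor. Copying a Scanner would therefore double-free the list, so
 * copy construction and copy assignment are deleted (Rule of Five).
 */
class Scanner
{
public:
    Scanner() = default;
    Scanner(const Scanner&) = delete;
    Scanner& operator=(const Scanner&) = delete;
    ~Scanner()
    {
        // free_scan() releases the MEMBLOCK list; skip it when no scan was started.
        if (scan) free_scan();
    }
    /* scanning */
    // Opens the target process `pid` and runs the initial pass, keeping locations
    // that satisfy `start_cond` against `start_val` for values of `data_size` bytes.
    // Returns false when the scan could not be set up.
    bool first_scan(int pid, int data_size, int start_val, SEARCH_CONDITION start_cond = COND_EQUALS);
    // Narrows the current candidate set with `condition` against `val`.
    void next_scan(int val, SEARCH_CONDITION condition = COND_EQUALS);
    /* memory read / write in the target process (presumably via Write/ReadProcessMemory; bodies not shown) */
    void poke(PVOID addr, int val);
    int peek(PVOID addr);
    /* reporting */
    vector<AddrValue> get_data(); // addresses and values of all locations still matching
    void print_matches();         // prints the matches to stdout (not needed by a GUI front end)
    int get_match_count();        // number of locations still matching
private:
    /* single memory block */
    MEMBLOCK* create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size);
    void update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val);
    void free_memblock(MEMBLOCK* mb);
    /* whole block list */
    MEMBLOCK* create_scan(int pid, int data_size);
    void update_scan(SEARCH_CONDITION condition, int val);
    void dump_scan_info();
    void free_scan();
private:
    MEMBLOCK* scan = NULL;  // head of the scanned-region list; NULL until a scan has been created
    int data_size = 0;      // width in bytes of the searched value; presumably set by first_scan
    HANDLE hProcess = NULL; // handle to the target process. NOTE(review): presumably opened in create_scan; confirm free_scan closes it, otherwise the handle leaks.
};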
#include"scanner.h"
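/*
 * Allocates one MEMBLOCK describing the region `meminfo` of process `hProcess`.
 *
 * The block gets a `buffer` of RegionSize bytes and a `searchmask` with one bit
 * per byte of the region, all bits set (0xff), so initially every byte counts as
 * a match and `matches` starts at RegionSize. `data_size` (width of the searched
 * value) is stored for later passes. Allocation uses malloc because
 * free_memblock (not shown here) is the matching release path.
 *
 * Returns NULL if any allocation fails; anything already allocated is released
 * first, so a partial failure does not leak (the original code memset() a NULL
 * mask in that case).
 */
MEMBLOCK* Scanner::create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size)
{
    MEMBLOCK* mb = static_cast<MEMBLOCK*>(malloc(sizeof(MEMBLOCK)));
    if (!mb) return NULL;

    const SIZE_T region_size = meminfo->RegionSize;
    // Round up so the mask also covers a final group of fewer than 8 bytes;
    // with RegionSize / 8 a region that is not a multiple of 8 would make
    // IS_IN_SEARCH / REMOVE_FROM_SEARCH touch one byte past the mask.
    const SIZE_T mask_size = (region_size + 7) / 8;

    mb->hProcess = hProcess;
    mb->addr = meminfo->BaseAddress;
    // MEMBLOCK::size is int; a region of 2 GiB or more would truncate here.
    mb->size = static_cast<int>(region_size);
    mb->buffer = static_cast<char*>(malloc(region_size));
    mb->searchmask = static_cast<char*>(malloc(mask_size));
    if (!mb->buffer || !mb->searchmask)
    {
        free(mb->buffer);
        free(mb->searchmask);
        free(mb);
        return NULL;
    }
    // Every bit set: every byte of the region starts out in the search set.
    memset(mb->searchmask, 0xff, mask_size);
    mb->matches = static_cast<int>(region_size);
    mb->data_size = data_size;
    mb->next = NULL;
    return mb;
}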
void Scanner::update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val)
{
static unsigned char tempbuf[128 * 1024];//0x20000
unsigned int bytes_left;//当前未处理的字节数
unsigned int total_read;//已经处理的字节数
unsigned int bytes_to_read;
SIZE_T bytes_read;
if (mb->matches > 0)
{
bytes_left = mb->size;
total_read = 0;
mb->matches = 0;
while (bytes_left)
{
bytes_to_read = (bytes_left > sizeof(tempbuf)) ? sizeof(tempbuf) : bytes_left;
ReadProcessMemory(mb->hProcess, (LPCVOID)((SIZE_T)mb->addr + total_read), tempbuf, bytes_to_read, &bytes_read);
//如果读失败了,则结束
if (bytes_to_read != bytes_read) break;
//条件搜索处
if (condition == COND_UNCO