windows-遍历另一进程内存根据进程PID
- 2019 年 12 月 26 日
- 笔记
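#include <windows.h>

// Note from the original author: OpenProcess may need the caller's privileges
// to be raised first. This snippet was lifted out of frequently used code, so
// the privilege-adjustment step is not included here.

/// @brief Walks the virtual address space of another process, region by region.
///
/// Each region is described by a MEMORY_BASIC_INFORMATION record filled in by
/// VirtualQueryEx. Regions that are committed, PAGE_READWRITE and private are
/// singled out; the snippet does nothing further with them (it is a skeleton).
///
/// @param dwPid  Target process id. 0 (System Idle Process) and 4 (System) are
///               rejected up front.
/// @return TRUE when at least one region was queried and the walk ran to the
///         end of the queryable address space; FALSE when the pid is rejected,
///         the process cannot be opened, or the very first query fails.
BOOL iteratorMemory(DWORD dwPid)
{
    if (dwPid == 0 || dwPid == 4)
        return FALSE;

    // Least privilege: VirtualQueryEx only requires PROCESS_QUERY_INFORMATION.
    // PROCESS_ALL_ACCESS asks for far more than this routine uses and fails
    // against more targets than necessary.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (!hProcess)
        return FALSE;

    // A stack record replaces the heap allocation that was never freed.
    MEMORY_BASIC_INFORMATION memInfo = {};
    ULONG_PTR address = 0;   // pointer-sized, so a 32-bit build cannot walk above 4 GiB
    BOOL bQueried = FALSE;

    // VirtualQueryEx returns the number of bytes written, 0 on failure; the
    // first failure marks the end of the address range that can be queried.
    while (VirtualQueryEx(hProcess, reinterpret_cast<LPCVOID>(address),
                          &memInfo, sizeof(memInfo)) != 0)
    {
        bQueried = TRUE;

        // RegionSize is the size of the region that was just reported.
        const ULONG_PTR next =
            reinterpret_cast<ULONG_PTR>(memInfo.BaseAddress) + memInfo.RegionSize;

        if (memInfo.State == MEM_COMMIT &&         // committed pages only
            memInfo.Protect == PAGE_READWRITE &&   // exact match: modifier bits such as PAGE_GUARD exclude the region
            memInfo.Type == MEM_PRIVATE)           // private memory, not mapped or image
        {
            // Region of interest; the original snippet leaves this empty.
        }

        // Stop instead of looping forever if the address fails to advance.
        if (next <= address)
            break;
        address = next;
    }

    // The handle was leaked on every path in the original.
    CloseHandle(hProcess);
    return bQueried;
}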
原理: 主要是使用 **VirtualQueryEx** 函数。函数每次查询之后会将该内存区域的信息反馈到调用者提供的一个 Buf 中。这个 Buf 是一个 **MEMORY_BASIC_INFORMATION** 结构体, 通过 **PMEMORY_BASIC_INFORMATION** 指针传入。