I would like to write a simple application able to retrieve certain data from another process's (application's) allocated memory.
Say I already know a process's id and I would like to obtain a value in this process's memory, always from a fixed offset (like 0x523F1C). Is this doable in user mode, or does it have to be in kernel mode?
Any hints or info are highly appreciated.
My environment is Windows XP, and I am using Visual C++ and Qt for GUI.
Thanks in advance :)
EDIT:
(a) Thanks guys. Basically it's working (when setting a break point and hovering over the value it's correct), but when doing a normal release build the value obtained is always the initialized one :(
Will have to work more to figure it out...
(b) Since the application I am trying to obtain the value from isn't written by me, can I still use interprocess communication / shared memory techniques?
EDIT 2:
Thanks again for the quick response! :D
3 answers
#1
Use ReadProcessMemory - you'll need a handle with PROCESS_VM_READ access to the other process[1], but if you're an administrator (or possibly, if you have SE_DEBUG privs) it should be straightforward.
BOOL WINAPI ReadProcessMemory(
__in HANDLE hProcess,
__in LPCVOID lpBaseAddress,
__out LPVOID lpBuffer,
__in SIZE_T nSize,
__out SIZE_T* lpNumberOfBytesRead
);
[1]
HANDLE hProc = OpenProcess(PROCESS_VM_READ, false, pid);
Edit: b) No, unless you use CreateRemoteThread - but you normally need to have shimmed your own DLL into the remote process before you can meaningfully create threads in that process. This is advanced, fun and dangerous :)
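A worked version of the approach in answer #1, added here as an example and not code from the question or the answer: open the target with OpenProcess, find the EXE's load base with EnumProcessModules, and read a 32-bit value with ReadProcessMemory. The address is taken as an RVA (offset from the load base) instead of an absolute address such as 0x523F1C: on Windows XP an EXE is normally mapped at its preferred base, so an absolute address is stable, but on later Windows with ASLR the image can be relocated and base + RVA is the form that keeps working. The read logic is written against a small reader callback so the same code runs against a constructed in-memory fake image on any platform; the Windows-specific part (reader, SeDebugPrivilege, main) is compiled only under _WIN32. The fake image, its base 0x00400000 and the sample value 0x11223344 at RVA 0x20 are constructed for the example.

```c
/* Added example: read a u32 from another process via ReadProcessMemory.
 * Not from the original post; target/RVA are supplied on the command line. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reader callback: copy `size` bytes at target address `addr` into `out`.
 * Returns 1 only on a complete read (ReadProcessMemory fails as a whole
 * if the range touches an inaccessible page, so partial reads are errors). */
typedef int (*remote_reader)(void *ctx, uintptr_t addr, void *out, size_t size);

/* x86 stores integers little-endian. */
static uint32_t le32(const unsigned char b[4]) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Sanity check: a mapped PE image begins with the 'MZ' DOS signature.
 * Catches a wrong base address or a handle to the wrong process. */
int looks_like_pe_image(remote_reader rd, void *ctx, uintptr_t base) {
    unsigned char sig[2];
    return rd(ctx, base, sig, sizeof sig) && sig[0] == 'M' && sig[1] == 'Z';
}

/* Read the u32 at base + rva. Returns 1 and sets *value on success, 0 otherwise. */
int read_remote_u32(remote_reader rd, void *ctx, uintptr_t base, uintptr_t rva, uint32_t *value) {
    unsigned char raw[4];
    if (!looks_like_pe_image(rd, ctx, base)) return 0;
    if (!rd(ctx, base + rva, raw, sizeof raw)) return 0;
    *value = le32(raw);
    return 1;
}

/* ---- Constructed fake target (64-byte "image") for offline use and tests ---- */
struct fake_image { unsigned char mem[64]; uintptr_t base; };

int fake_reader(void *ctx, uintptr_t addr, void *out, size_t size) {
    struct fake_image *img = ctx;
    if (addr < img->base || addr + size > img->base + sizeof img->mem) return 0; /* unmapped */
    memcpy(out, img->mem + (addr - img->base), size);
    return 1;
}

void fake_image_init(struct fake_image *img) {
    memset(img->mem, 0, sizeof img->mem);
    img->base = 0x00400000u;                 /* classic default EXE base on 32-bit Windows (assumed) */
    img->mem[0] = 'M'; img->mem[1] = 'Z';
    /* constructed sample value 0x11223344, little-endian, at RVA 0x20 */
    img->mem[0x20] = 0x44; img->mem[0x21] = 0x33; img->mem[0x22] = 0x22; img->mem[0x23] = 0x11;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* EnumProcessModules; link with psapi.lib */
#include <stdio.h>
#include <stdlib.h>

static int win_reader(void *ctx, uintptr_t addr, void *out, size_t size) {
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)addr, out, size, &got) && got == size;
}

/* Only needed when the target runs as another user or is otherwise protected;
 * an administrator can enable SeDebugPrivilege on its own token. */
static int enable_debug_privilege(void) {
    HANDLE tok; TOKEN_PRIVILEGES tp; LUID luid; BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) return 0;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { CloseHandle(tok); return 0; }
    tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL) && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <pid> <hex rva>\n", argv[0]); return 2; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 0);
    uintptr_t rva = (uintptr_t)strtoul(argv[2], NULL, 16);
    enable_debug_privilege();  /* best effort; not required for your own processes */
    /* PROCESS_QUERY_INFORMATION for EnumProcessModules, PROCESS_VM_READ for the read. */
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    HMODULE exe; DWORD needed;
    /* The first module enumerated is the main EXE; an HMODULE is its load base. */
    if (!EnumProcessModules(h, &exe, sizeof exe, &needed)) {
        fprintf(stderr, "EnumProcessModules failed: %lu\n", GetLastError()); CloseHandle(h); return 1;
    }
    uint32_t v;
    if (!read_remote_u32(win_reader, h, (uintptr_t)exe, rva, &v)) {
        fprintf(stderr, "read failed: %lu\n", GetLastError()); CloseHandle(h); return 1;
    }
    printf("base %p + rva 0x%lx = 0x%08lx\n", (void *)exe, (unsigned long)rva, (unsigned long)v);
    CloseHandle(h);
    return 0;
}
#endif
```

Build on Windows with Visual C++ and link psapi.lib; run as `readval.exe <pid> <rva>`. A value at absolute address 0x523F1C in an EXE loaded at 0x00400000 has RVA 0x123F1C. OpenProcess will fail with ERROR_ACCESS_DENIED when the target is a protected or other-user process and SeDebugPrivilege could not be enabled, which is the case answer #1 alludes to.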
#2
If you're doing interprocess communications / shared memory, I would suggest using Boost::Interprocess instead as it will make life much easier.
#3
There is a ReadProcessMemory() function, but you'll have to find the requirements for using it yourself. I think you might need to set yourself as a debugger for that process.