I'm pretty new to C++, and I decided to make a simple "scanner" that will scan all the addresses of a process and print the values. I'm starting with the calculator appliaction, and this is my code
Edit: I changed my code to this
int main()
{
HWND h_wnd = FindWindow("Calculator", 0);
DWORD pid;
GetWindowThreadProcessId(h_wnd, &pid);
HANDLE h_calc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
int someValue;
for(int i = 0; i < 1000; i++) {
void *address = (void*)i;
ReadProcessMemory(h_calc, address, &someValue, 4, 0);
cout << "Address: " <&开发者_高级运维lt; address << " " << someValue << endl;
}
system("pause");
return EXIT_SUCCESS;
}
And this is what I get for every address
Address: 000003DB -858993460
Address: 000003DC -858993460
Address: 000003DD -858993460
Address: 000003DE -858993460
Address: 000003DF -858993460
Address: 000003E0 -858993460
Address: 000003E1 -858993460
Address: 000003E2 -858993460
Address: 000003E3 -858993460
Address: 000003E4 -858993460
Address: 000003E5 -858993460
Address: 000003E6 -858993460
Address: 000003E7 -858993460
What am I doing wrong?
but what I want it to do, is find ALL the addresses, and print out their values. I realize this could be a lot to print out, but I just want to see it for the results.
Any help is greatly appreciated, thanks!
Instead of,
int addr = 0xFFFFFF;
Can't you choose,
void *addr = 0;
For address purpose.
You're not really doing anything wrong, it's just that your results aren't that interesting (data-wise... not meant to sound insulting).
The value -858993460
is just 0xcccccccc
, which Microsoft compilers use to detect memory overruns. Often times memory outside of your allocated values is initialized to a special value so that if you get it, you'll know right away that you're accessing some place that you didn't mean to (or aren't supposed to). Another pattern that many folks use is 0xDEADBEEF
, just because it's an odd value that spells something out when printed in hex.
OpenProcess and ReadProcessMemeory is only available for processes in debug mode:
See manual here http://msdn.microsoft.com/en-us/library/ms684320(v=vs.85).aspx for more info
Check the return values of those two calls and see what you get.
Since no process use their entire virtual adress space, what you first have to do is determine which pages can and can't be read.
Windows provides the VirtualQueryEx function which allows you to scan a processe's memory in order to get the state of an address range. So what you'll be doing is calling this function in a loop and print the content of the ranges with the MEM_COMMIT
attribute. The details are left out as homework :)
You may also find the EnumProcessModules function useful. It enumerates every executables that are loaded in the process along with their base address. Again, details are left out as homework.
Also, if you only want to use the ReadProcessMemory function, then I believe you only need to pass PROCESS_VM_READ
and maybe PROCESS_QUERY_INFORMATION
to OpenProcess. This should avoid having to set the target process in debug mode as Soren mentionned.
Your problem is arising because you are casting i
to an address, but with i being less than 1kb, its never going to be in the processes address space. What you need to do is get the HANDLE/HMODULE for the process, then get the base process memory address from that(depending on the memory you want to scan, this can be gotten from the PE, for code, data, text sections etc, or via psapi for reserved system memory), then from you do void* address = (void*)((UINT_PTR)base + i);
. it would also be a good idea to bound i to the size of the memory section, optionally rounded to a page boundery.
精彩评论