How do I search a given process's memory for a particular string?
This post was last edited by netsmu on 2010-12-2 20:27. I want to search a process's memory to see whether it contains a string of the form www.*******.com, i.e. to find out whether it contains a URL. How exactly should this be written? Are there earlier posts by experienced members on this? Please help me find one, thanks.
Post the function code for searching memory for a string.
Can someone help me write a loop that searches memory and writes every string containing www to a text file?
$Handle = _MemoryOpen(4024) ; 4024 is the process ID
$MEM = _MemoryRead(0x040BA7F0, $Handle, "byte") ; 0x040BA7F0 is the address to search. How do I change this to search the process's whole memory? And can it be looped so that anything containing www is written to a text file?
$bbb = BinaryToString($MEM)
_MemoryClose($Handle)
MsgBox(0, 0, $bbb)
Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $if_InheritHandle = 1)
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf
    ; OpenProcess / ReadProcessMemory / CloseHandle are exported by kernel32.dll
    Local $ah_Handle = DllOpen('kernel32.dll')
    If @error Then
        SetError(2)
        Return 0
    EndIf
    Local $av_OpenProcess = DllCall($ah_Handle, 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $if_InheritHandle, 'int', $iv_Pid)
    If @error Then
        DllClose($ah_Handle)
        SetError(3)
        Return 0
    EndIf
    ; Return both handles as an array: [0] = kernel32 DLL handle, [1] = process handle
    ; (the forum stripped the [0]/[1] index brackets from the original listing)
    Local $ah_Handle[2] = [$ah_Handle, $av_OpenProcess[0]]
    Return $ah_Handle
EndFunc ;==>_MemoryOpen
Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword')
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
    ; Buffer of the requested type (e.g. 'byte', 'dword', 'char[64]') to receive the data
    Local $v_Buffer = DllStructCreate($sv_Type)
    If @error Then
        SetError(@error + 1)
        Return 0
    EndIf
    DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
    If Not @error Then
        Local $v_Value = DllStructGetData($v_Buffer, 1)
        Return $v_Value
    Else
        SetError(6)
        Return 0
    EndIf
EndFunc ;==>_MemoryRead
Func _MemoryClose($ah_Handle)
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
    ; Close the process handle first, then release the DLL handle
    DllCall($ah_Handle[0], 'int', 'CloseHandle', 'int', $ah_Handle[1])
    If Not @error Then
        DllClose($ah_Handle[0])
        Return 1
    Else
        DllClose($ah_Handle[0])
        SetError(2)
        Return 0
    EndIf
EndFunc ;==>_MemoryClose
I found some PureBasic search source code; can anyone see whether it helps?
;====== Search memory data: N-byte string type + result list
Procedure Find_StringOfResult()
  ; Initialise the data to search for
  OnErrorResume()
  S$=(GetGadgetText(#Panf2Txt11))
  ResultStr$=""
  SubByte.l=0
  For i = 1 To StringByteLength(S$)
    M$=Mid(S$,i,1)
    If Asc(M$)<$7B
      ResultStr$=ResultStr$+M$ +"."
      SubByte=SubByte+1
    Else
      ResultStr$=ResultStr$+M$
    EndIf
  Next
  sCount.l=Len(S$)+SubByte
  *MemString= AllocateMemory(sCount)
  PokeS(*MemString, S$,sCount,#PB_Unicode)
  ResultHex$ =""
  For i = 0 To sCount-1
    ResultHex$ = ResultHex$ + RSet(Hex(PeekC(*MemString + i)),2,"0") + " "
  Next
  StartAddress= $10000
  EndAddress = $7FFEFFFF
  *MemoryID = AllocateMemory(1000)
  ; Get the process handle ($410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)
  MyHandle= OpenProcess_($410, #False, SysProID)
  LpBuffer.MEMORY_BASIC_INFORMATION
  If MyHandle <= 0
    ProcedureReturn -1
  EndIf
  cList.l=CountList(FindResults())
  ClearList(FindResOfRes())
  FirstElement(FindResults())
  ; Walk the address space one region at a time with VirtualQueryEx
  TypeCount = VirtualQueryEx_(MyHandle, StartAddress, @LpBuffer, SizeOf(LpBuffer))
  Repeat
    ; Only committed regions ($1000 = MEM_COMMIT) allocated as PAGE_READWRITE ($4) are read
    If (LpBuffer\AllocationProtect=$4) And (LpBuffer\State=$1000)
      *MemoryID = ReAllocateMemory(*MemoryID, LpBuffer\RegionSize)
      ReadProcessMemory_(MyHandle, StartAddress, *MemoryID, LpBuffer\RegionSize,0)
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      ; Skip previously found addresses that lie below this region
      While FindResults()<LpBuffer\BaseAddress
        AddElement(FindResOfRes())
        FindResOfRes()=0
        NextElement(FindResults())
        cList=cList-1
        If cList<=0
          Break 2
        EndIf
      Wend
      ; Re-check every previously found address inside this region against the new string
      While FindResults() >= LpBuffer\BaseAddress And FindResults()< LpBuffer\BaseAddress + LpBuffer\RegionSize
        MyAdd=FindResults() - LpBuffer\BaseAddress
        If CompareMemory(*MemoryID + MyAdd, *MemString, sCount)
          AddElement(FindResOfRes())
          FindResOfRes()=FindResults()
        EndIf
        cList=cList-1
        If cList<=0
          Break 2
        EndIf
        NextElement(FindResults())
      Wend
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      CurMemByte=CurMemByte + LpBuffer\RegionSize
    EndIf
    StartAddress = StartAddress + LpBuffer\RegionSize
    TypeCount = VirtualQueryEx_(MyHandle, StartAddress, @LpBuffer, SizeOf(LpBuffer))
  Until ((TypeCount <= 0) Or (StartAddress>= EndAddress))
  FreeMemory(*MemoryID)
  CloseHandle_(MyHandle)
EndProcedure
Can an expert take a look? Reading the string at one address already works; the question is how to loop and get the strings from the whole process memory.
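The loop asked for above (walk every region of a process with VirtualQueryEx, read it with ReadProcessMemory, pull out printable strings and write the ones containing www to a text file) as an added example. This is not code from the thread, from NomadMemory or from the PureBasic snippet; it is written in Python with ctypes because AutoIt cannot be run here. Two things differ from the PureBasic routine on purpose: it filters on the region's current protection (Protect) rather than AllocationProtect, which the PureBasic code uses and which skips regions whose protection changed after allocation, and it scans every readable region for the string instead of only re-checking a previous result list. The process handle asks for PROCESS_QUERY_INFORMATION | PROCESS_VM_READ only, not the PROCESS_ALL_ACCESS (0x1F0FFF) default in the AutoIt code. All function names (extract_strings, find_matches, read_windows_process, write_report) and the SAMPLE_REGIONS data are my own constructions; the Windows reader is an assumption about a live system and is only invoked on Windows, while the sample regions let the string-extraction logic run anywhere.

```python
import re
import sys
import ctypes

# Win32 constants (documented values); the Windows path only runs on Windows.
MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


def extract_strings(data, min_len=6):
    """Yield (offset, text) for each printable ASCII run and each UTF-16LE run
    of at least min_len characters in data (URLs are often stored as UTF-16)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_matches(regions, needle="www", min_len=6):
    """regions: iterable of (base_address, bytes), one per memory region.
    Returns a sorted list of (absolute_address, text) for strings containing needle."""
    hits = []
    for base, data in regions:
        for off, text in extract_strings(data, min_len):
            if needle in text:
                hits.append((base + off, text))
    hits.sort()
    return hits


def format_report(hits):
    """One line per hit: absolute address in hex, a tab, then the string."""
    return "".join(f"0x{addr:08X}\t{text}\n" for addr, text in hits)


def write_report(hits, path):
    """Write the report to a text file; returns the number of hits written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(format_report(hits))
    return len(hits)


def read_windows_process(pid):
    """Walk a live process with VirtualQueryEx/ReadProcessMemory (Windows only).
    Yields (base_address, bytes) for every committed, readable region."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        # Natural alignment reproduces the 64-bit padding after AllocationProtect.
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD), ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]

    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = wintypes.BOOL
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    # Least privilege: query + read only, not PROCESS_ALL_ACCESS as in the AutoIt code.
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    try:
        addr, mbi = 0, MEMORY_BASIC_INFORMATION()
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            # Use the current protection (Protect); guard pages would fault the read.
            if mbi.State == MEM_COMMIT and not (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)):
                buf = ctypes.create_string_buffer(mbi.RegionSize)
                got = ctypes.c_size_t(0)
                if k32.ReadProcessMemory(handle, base, buf, mbi.RegionSize, ctypes.byref(got)):
                    yield base, buf.raw[:got.value]
            addr = base + mbi.RegionSize  # next region; VirtualQueryEx returns 0 past the end
    finally:
        k32.CloseHandle(handle)


# Constructed sample "process image" of two regions, not data read from a real process.
SAMPLE_REGIONS = [
    (0x00400000, b"\x00\x00MZ\x90junk\x00" + b"http://www.example.com/index\x00\x01\x02"),
    (0x7FF00000, b"\x00" * 4 + "www.example.org".encode("utf-16-le") + b"\x00\x00no url here  \x00"),
]

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) >= 2:
        pid = int(sys.argv[1])
        out = sys.argv[2] if len(sys.argv) > 2 else f"www_strings_{pid}.txt"
        print(f"{write_report(find_matches(read_windows_process(pid)), out)} hits written to {out}")
    else:
        print(format_report(find_matches(SAMPLE_REGIONS)), end="")
```

Run as `python scan_www.py <pid> [out.txt]` on Windows to scan a live process; anywhere else, or with no PID, it runs the same extraction over the constructed sample and prints the two hits. Reading per region rather than per byte is what makes a whole-process scan practical: one ReadProcessMemory call per region instead of one per address, and the minimum string length keeps random printable bytes out of the report.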