
ReadProcessMemory редко используется сама по себе, так как адрес в памяти нужно откуда-то получить. У меня нет кода для дампа процесса, но вот пример чтения командной строки процесса с помощью нативного API ZwQueryInformationProcess.

В этом примере GetProcessCommandLine использует ZwQueryInformationProcess для получения адреса PEB указанного процесса, а затем считывает командную строку из памяти этого процесса.

' Force every variable to be declared; a mistyped name otherwise becomes a new
' Variant, which is especially dangerous in code that passes buffers to Win32.
Option Explicit 
' Native (ntdll) query used below to locate the target's PEB: with
' ProcessBasicInformation it fills a PROCESS_BASIC_INFORMATION. The return
' value is an NTSTATUS; 0 (STATUS_SUCCESS) means success. The handle needs
' PROCESS_QUERY_INFORMATION. Note the parameter is spelled "ReturnLenght" here;
' it is the ReturnLength output (bytes written to ProcessInformation).
Public Declare Function ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal InformationClass As PROCESSINFOCLASS, ByRef ProcessInformation As Any, ByVal ProcessInformationLength As Long, ByRef ReturnLenght As Long) As Long 
' Copies nSize bytes from lpBaseAddress inside hProcess into lpBuffer. The
' handle needs PROCESS_VM_READ. Returns nonzero on success. The last argument
' is named "...Written" in this declaration but receives the number of bytes
' actually READ - callers must compare it with nSize to detect a short read.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long 
' Information classes accepted by ZwQueryInformationProcess. The numeric
' values are written out explicitly so the mapping to the native enum is
' visible; only ProcessBasicInformation (0) is used in this module.
Public Enum PROCESSINFOCLASS 
     ProcessBasicInformation = 0 
     ProcessQuotaLimits = 1 
     ProcessIoCounters = 2 
     ProcessVmCounters = 3 
     ProcessTimes = 4 
     ProcessBasePriority = 5 
     ProcessRaisePriority = 6 
     ProcessDebugPort = 7 
     ProcessExceptionPort = 8 
     ProcessAccessToken = 9 
     ProcessLdtInformation = 10 
     ProcessLdtSize = 11 
     ProcessDefaultHardErrorMode = 12 
     ProcessIoPortHandlers = 13   '// Note: this is kernel mode only 
     ProcessPooledUsageAndLimits = 14 
     ProcessWorkingSetWatch = 15 
     ProcessUserModeIOPL = 16 
     ProcessEnableAlignmentFaultFixup = 17 
     ProcessPriorityClass = 18 
     ProcessWx86Information = 19 
     ProcessHandleCount = 20 
     ProcessAffinityMask = 21 
     ProcessPriorityBoost = 22 
     ProcessDeviceMap = 23 
     ProcessSessionInformation = 24 
     ProcessForegroundInformation = 25 
     ProcessWow64Information = 26 
     ProcessImageFileName = 27 
     ProcessLUIDDeviceMapsEnabled = 28 
     ProcessBreakOnTermination = 29 
     ProcessDebugObjectHandle = 30 
     ProcessDebugFlags = 31 
     ProcessHandleTracing = 32 
     ProcessIoPriority = 33 
     ProcessExecuteFlags = 34 
     ProcessResourceManagement = 35 
     ProcessCookie = 36 
     ProcessImageInformation = 37 
     MaxProcessInfoClass = 38   '// MaxProcessInfoClass should always be the last enum 
End Enum 


' Output structure for ZwQueryInformationProcess(ProcessBasicInformation).
' Six Longs = 24 bytes, which is what Len(objBasic) passes as the buffer size.
' This is the 32-bit layout (every field is pointer-sized on the native
' structure); it is not correct for a 64-bit caller.
Public Type PROCESS_BASIC_INFORMATION 
    ExitStatus As Long 
    PebBaseAddress As Long            ' address of the target's PEB; used by GetProcessCommandLine 
    AffinityMask As Long 
    BasePriority As Long 
    UniqueProcessId As Long 
    InheritedFromUniqueProcessId As Long 
End Type 

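' Returns the command line of the process referenced by hProcess, or "" when
' it cannot be read (hProcess = 0, the native query fails, a pointer is NULL,
' any memory read fails or is short, or the command line is empty).
'
' hProcess must have been opened with at least PROCESS_QUERY_INFORMATION
' (for ZwQueryInformationProcess) and PROCESS_VM_READ (for ReadProcessMemory).
'
' The walk is PEB -> ProcessParameters -> CommandLine (a UNICODE_STRING) using
' the 32-bit (x86) offsets: PEB+&H10 = ProcessParameters,
' RTL_USER_PROCESS_PARAMETERS+&H40 = CommandLine.Length (USHORT, in bytes),
' +&H44 = CommandLine.Buffer. It therefore only applies to 32-bit targets read
' by a 32-bit caller; a 64-bit target has a different PEB layout.
'
' NOTE: the command line is read from the target's own, writable PEB, so the
' target can change what this function reports; treat it as informational,
' not as a trustworthy identity of what the process is running.
Public Function GetProcessCommandLine(ByVal hProcess As Long) As String 
    Dim ntStatus As Long 
    Dim objBasic As PROCESS_BASIC_INFORMATION 
    Dim lngParams As Long        ' address of RTL_USER_PROCESS_PARAMETERS 
    Dim lngBuffer As Long        ' address of the UTF-16 command-line buffer 
    Dim dwLength As Long         ' CommandLine.Length, in bytes 
    Dim dwReturned As Long       ' bytes actually read / returned by each call 
    Dim bytName() As Byte 

    ' 0 is the usual "OpenProcess failed" value; there is nothing to read. 
    If hProcess = 0 Then 
        GetProcessCommandLine = "" 
        Exit Function 
    End If 

    ntStatus = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, objBasic, Len(objBasic), dwReturned) 
    ' Any non-zero NTSTATUS is a failure. Every early Exit below leaves the 
    ' default return value, which for a String is "". 
    If ntStatus <> 0 Then Exit Function 

    ' PEB.ProcessParameters 
    If ReadProcessMemory(hProcess, ByVal objBasic.PebBaseAddress + &H10, lngParams, 4, dwReturned) = 0 Then Exit Function 
    If dwReturned <> 4 Then Exit Function 
    If lngParams = 0 Then Exit Function 

    ' CommandLine.Length is a 16-bit USHORT, so only 2 of the Long's 4 bytes 
    ' are written. Clear the variable first; otherwise the upper two bytes keep 
    ' whatever it held before and the size could be wildly wrong. 
    dwLength = 0 
    If ReadProcessMemory(hProcess, ByVal lngParams + &H40, dwLength, 2, dwReturned) = 0 Then Exit Function 
    If dwReturned <> 2 Then Exit Function 

    ' CommandLine.Buffer 
    If ReadProcessMemory(hProcess, ByVal lngParams + &H44, lngBuffer, 4, dwReturned) = 0 Then Exit Function 
    If dwReturned <> 4 Then Exit Function 

    ' An empty command line has Length 0; ReDim bytName(-1) would raise 
    ' "Subscript out of range", so return "" explicitly. 
    If dwLength = 0 Or lngBuffer = 0 Then 
        GetProcessCommandLine = "" 
        Exit Function 
    End If 

    ReDim bytName(dwLength - 1) 
    If ReadProcessMemory(hProcess, ByVal lngBuffer, bytName(0), dwLength, dwReturned) = 0 Then Exit Function 
    If dwReturned <> dwLength Then Exit Function 

    ' VB strings are UTF-16 internally, so the raw buffer bytes map directly 
    ' onto a String without any conversion. 
    GetProcessCommandLine = bytName 
End Function 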