折叠 编辑本段 英文解释
折叠 原型
This function reads memory in a specified process. The entire area to be read must be access360百科ible or the op艺革液屋曾危查食消不抗eration fails.
折叠 参数
(1)hProcess
[in] Handle to the process whose memory is being read.
In Window确游世于额消长记s CE, any call to OpenProcess returns a process handle with the proper a弦ccess rig甲附商率翻束盟hts.
进程句柄
(2)lpBaseAddress
[in] Pointer to the base address in the specified proce员直章雨太稳ss to be read.
Before data transfer occurs, 南兰矛the system verifies that all data in the base address and memory of the specified s背尔议早烈富会ize is acc本由煤essible for re散名校次角杂ad access. If so, the function proceeds; otherwise, the function fails.
内存地址
(3)lpB策uffer
[out] Pointer to a buffer that receives the contents from the address space of the specified process.
接收的内容,缓冲区指针
(4)nSize
[in] Specifies the requested number of bytes to read from the specified pro沙始名裂划易参率cess.
读取字节数
(5)lp扩判的州无动令苗NumberOfBytesRead
[out] Pointer to the number of bytes transferred into the specified buffer.
If lpNumberOfBytesRead is NULL, the parameter is ignored.
指向传输到指定缓冲区的字节数的指针。
如果lpNumberOfBytesRead为空,则忽略该参数
折叠 返回值
Nonzero indicates success.
Zero indicatesfailure.
To get extended e研山就德关物巴围便rror information, call GetLastError.
The function fails if the requested read 供副州任米找轴operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies data in the specified address 了选稳升效range from the 于若address s朝案怀杀华尽二星责买绝pace of the specified process into the specified buffer of the current process. The process whose address space is read is typically, but not necess现社但干审磁arily, being deb批突群六宁ugged.
The entire area to be rea洋互参d must be accessible. If it is not, the function fails.
折叠 要求
OS Ver绝孔sions: Windows CE 2.0 and late本之婷激r.
Header: Winbase.h.
Link Librar件乙容和样y: Coredll.lib, Nk.lib.
折叠 参考资料
Ope景易衣nProcess | Wri干类些用海课类探teProcessMemory
---------------------------------------------------------------------------------------
折叠 编辑本段 中文解释
ReadProcessMemory
实际应用
hProcess [in]远程进程句柄际沉盟达板农给态只协她。 被读取者
pvAddressRemo慢除仍te [in]远程进程中内存地址。 从具体何处读取
pvBufferLocal [out]本地进程中内存地址. 函数将读取的内容写入此处
dwSize [in]要传送的字节数。要写入多少
pdwNumBytesRead [out]实际传送的字节数. 函数返回时报告实际写入多少
折叠 编辑本段 例子
折叠 C++
ReadProcessMemory读出数运死余杨据,权限要大一些。下面这个打热践剂队听学投督章时开进程的方式具备了 查刑粉在打扬询 读和写的权限
hProcess = Ope还低谁nProcess(PRO七剂CESS_QUERY_INFORMATION | PROCESS_VM_OPERATIO蛋失长N | PROCESS_VM_烟杆省未己厂搞刻松治READ | PROCESS_VM_WRITE, 0, ProcessId)
折叠 Delphi
var
hProce轮老离女ss:HWND;
wltId:DWord;
hProce般和括始是ss:=OpenProces调丰跳边算s(PROCESS_CREATE_THREAD + PROCESS_VM_OP级的经掉件代解式我大ERATION+ PROCESS_VM_WRITE, FALSE, wltId);
然后就要结合上面的程序来搜索了。只有当内存是处于被占用状态时才去读取迅入威娘其中的内容,而忽略际地更伟空闲状态的内存。程序我就不在这同调儿写了,和上面那段差不受画煤参电级书多。只是把dwTotalCommit = dwTotalCommit + mi.RegionSize换成了读取内存以及搜索既包罪绿卫湖什这一块内存的函数而已。
1.通过FindWindow读取窗体的句柄
2.通过Get站了讨告角松WindowThreadProcessId读取查找窗体句柄进程的PID值
var
nProcId:DWord;
nProcId:=GetWindowThreadProcessId(hFound, @nProcId);
3.用OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_OPERATION Or PROCESS_VM_READ Or PROCESS_VM_WRITE, 0, ProcessId)打开查到PID值的进程. 此打开具备读取,写入,查询的权限
4.ReadProcessMemory读出指定的内存地址数据
例题:
ReadProcessMemory(dwProcessId, (LPVOID)数据地址, szPassBuff, sizeof(szPassBuff), 0);
