我已经用C++编写了一个简单的内存扫描器,但是速度很慢,有人说按块读取内存可以加快速度,但是如何得到每个匹配位置的正确地址?
这里是示例源代码:
#include <Windows.h>

#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>
#include <vector>
#define CHUNK_SIZE 0x80000
#define MAX_ADDRESS 0x7ffffff
using namespace std;
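/// Reads a process id from stdin and scans the first MAX_ADDRESS bytes of that
/// process for a byte equal to 220, printing the address of every hit.
///
/// @return 0 on a completed scan, 1 if the pid could not be read or the
///         process could not be opened.
int main()
{
    // Stored as unsigned char so that 220 is representable: a plain (signed)
    // char only reaches 127, so the original `(int)buffer[...] == 220`
    // comparison could never match.
    constexpr unsigned char kTarget = 220;

    DWORD pid = 0;
    if (!(std::cin >> pid)) {
        printf("invalid process id.\n");
        return 1;
    }

    // Only the rights ReadProcessMemory needs; a read-only scanner has no use
    // for PROCESS_ALL_ACCESS.
    HANDLE process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!process) {
        printf("could not open process.\n");
        return 1;   // the original kept going and fed a null handle to every read
    }
    printf("opened process.\n");

    // Heap storage: a CHUNK_SIZE (0x80000 = 512 KiB) array on the stack is half
    // of the default 1 MiB Windows stack.
    std::vector<unsigned char> buffer(CHUNK_SIZE);
    SIZE_T numberRead = 0;

    // NOTE(review): MAX_ADDRESS is 0x7ffffff (128 MiB), which looks like a typo
    // for 0x7fffffff; the loop stops wherever the macro says — confirm.
    for (DWORD i = 0; i < MAX_ADDRESS; i += CHUNK_SIZE) {
        LPCVOID chunkBase = reinterpret_cast<LPCVOID>(static_cast<uintptr_t>(i));
        if (!ReadProcessMemory(process, chunkBase, buffer.data(), buffer.size(), &numberRead)) {
            continue;   // unmapped or inaccessible range: nothing to scan
        }
        // Index with the offset j, not the chunk base i (the original read
        // buffer[i], which walks off the end of the buffer once i >= CHUNK_SIZE),
        // and only over the bytes that were actually read.
        for (SIZE_T j = 0; j < numberRead; ++j) {
            if (buffer[j] == kTarget) {
                printf("found value %d at 0x%x.\n", static_cast<int>(kTarget),
                       static_cast<unsigned>(i + j));
            }
        }
    }

    CloseHandle(process);   // the original leaked the handle
    return 0;
}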
最好使用VirtualQueryEx遍历所有有效内存,避免在无效内存上调用ReadProcessMemory
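// Walk the target's address space one region at a time. hProc, addr, mbi,
// bytesRead and match are declared before this fragment; VirtualQueryEx fails
// once addr passes the last user-mode region, which ends the loop.
// (needs <vector>)
std::vector<unsigned char> region;   // reused across regions; grows to the largest RegionSize seen
while (VirtualQueryEx(hProc, addr, &mbi, sizeof(mbi)))
{
    // Skip reserved/free regions, no-access pages and guard pages: reads of
    // them fail, and a guard page is not something a scanner should touch.
    if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && !(mbi.Protect & PAGE_GUARD))
    {
        region.resize(mbi.RegionSize);
        if (!ReadProcessMemory(hProc, mbi.BaseAddress, region.data(), mbi.RegionSize, &bytesRead))
        {
            bytesRead = 0;   // failed read: do not scan stale bytes from the previous region
        }
        // BaseAddress is PVOID, so offsets are computed through a byte pointer
        // (the original `mbi.BaseAddress + j` is not valid pointer arithmetic).
        const unsigned char* base = static_cast<const unsigned char*>(mbi.BaseAddress);
        for (SIZE_T j = 0; j < bytesRead; ++j)
        {
            // unsigned compare: 220 can never equal a (signed) char
            if (region[j] == 220)
            {
                printf("found value %d at %p.\n", 220, static_cast<const void*>(base + j));
            }
        }
    }
    // Advance inside the loop (the original stepped addr after the loop, which
    // never terminates). VirtualQueryEx rounds addr down to the region start, so
    // the next region begins at BaseAddress + RegionSize, not addr + RegionSize.
    addr = reinterpret_cast<decltype(addr)>(static_cast<unsigned char*>(mbi.BaseAddress) + mbi.RegionSize);
}
return match;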
请记住,这种扫描也会匹配这样的内存区域:两个变量的部分字节拼在一起时,恰好与目标整数的位表示相同。也就是说,可能产生误报。