
内存扫描及编辑


内存扫描及编辑
详细代码如下:

#include

/*
 * Strings the target program keeps resident in memory.  szTitle has the
 * same text as lpOrig in the scanner's main() further down, which is what
 * the scanner searches for.
 */
char szText[] = "Hello world.";
char szTitle[] = "Information";

/*
 * Target program (presumably built as PROC_NAME, "n00b.exe", which the
 * scanner below opens).  It loops forever showing a modal message box so
 * that szText/szTitle stay in its memory while the scanner runs.  The
 * process ends only when it is terminated from outside.
 */
main()
{
/* MessageBox blocks until the box is dismissed; the loop then shows it again. */
while(TRUE)
MessageBox(NULL, szText, szTitle, MB_ICONINFORMATION);
return EXIT_SUCCESS; /* unreachable: while(TRUE) above never exits */
}

#include
#include
#include
#define PROC_NAME "n00b.exe"
#define MAX_READ 128

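/*
 * fMatchCheck: find the first occurrence of checkstr (checkstrLen bytes)
 * inside mainstr (mainstrLen bytes).  Neither buffer needs to be
 * NUL-terminated; embedded zeros are compared like any other byte.
 *
 * Returns the offset just PAST the end of the match (start + checkstrLen);
 * the caller in main() subtracts the needle length to get the start.
 * Returns -1 when there is no match, when either pointer is NULL, when a
 * length is negative, or when the needle is longer than the haystack.
 *
 * The search window is bounded by x + checkstrLen <= mainstrLen so the
 * comparison never reads past mainstr.  (The loop bounds were lost when
 * this page was extracted; the likely original "x < mainstrLen" would read
 * up to checkstrLen-1 bytes beyond the buffer.)
 */
int fMatchCheck (char *mainstr, int mainstrLen, char *checkstr, int checkstrLen)
{
    if (mainstr == NULL || checkstr == NULL)
        return -1;
    if (mainstrLen < 0 || checkstrLen < 0 || checkstrLen > mainstrLen)
        return -1;

    /* Last valid start is mainstrLen - checkstrLen (inclusive). */
    for (int x = 0; x <= mainstrLen - checkstrLen; x++) {
        if (memcmp(&mainstr[x], checkstr, (size_t)checkstrLen) == 0)
            return x + checkstrLen;
    }
    return -1;
}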

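/*
 * getMem: return a freshly malloc'd, zero-filled buffer of buffLen*2 bytes
 * whose first (to - from) bytes are a copy of buff[from .. to).
 *
 * The window is clipped to the source: from < 0 or to < from copies nothing
 * (all-zero result), to > buffLen is clipped to buffLen.  Returns NULL when
 * the allocation fails or buffLen*2 would overflow size_t.  The caller owns
 * the result and must free() it.
 *
 * Fixes vs. the original: malloc was unchecked; memcpy copied buffLen-from
 * bytes (undefined when from > buffLen); and the memset meant to clear the
 * tail started at ret[to-from] with length to-from, which cleared only the
 * next (to-from) bytes and left copies of buff beyond that.
 */
char *getMem(char *buff, size_t buffLen, int from, int to)
{
    if (buffLen > (size_t)-1 / 2)
        return NULL;                       /* buffLen*2 would overflow */

    size_t ourSize = buffLen * 2;
    char *ret = malloc(ourSize ? ourSize : 1);
    if (ret == NULL)
        return NULL;
    memset(ret, 0, ourSize);

    if (buff == NULL || from < 0 || to <= from)
        return ret;                        /* empty window: all zeros */

    size_t start = (size_t)from;
    if (start >= buffLen)
        return ret;                        /* window starts past the source */

    size_t end = (size_t)to;
    if (end > buffLen)
        end = buffLen;                     /* clip to the source */

    memcpy(ret, &buff[start], end - start);
    return ret;
}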

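/*
 * delMem: return a freshly malloc'd, zero-filled buffer of buffLen*2 bytes
 * holding buff with the bytes in [from, to) removed and the remainder
 * compacted to the front.
 *
 * A window with from >= to (or to <= 0) removes nothing; from < 0 behaves
 * like from == 0, matching the original's signed "i>=from && i<to" test.
 * Returns NULL when the allocation fails or buffLen*2 would overflow.  The
 * caller owns the result and must free() it.
 *
 * Fixes vs. the original: malloc was unchecked, and the loop index was an
 * int compared against a size_t length (signed/unsigned mismatch).
 */
char *delMem(char *buff, size_t buffLen, int from, int to)
{
    if (buffLen > (size_t)-1 / 2)
        return NULL;                       /* buffLen*2 would overflow */

    size_t ourSize = buffLen * 2;
    char *ret = malloc(ourSize ? ourSize : 1);
    if (ret == NULL)
        return NULL;
    memset(ret, 0, ourSize);

    if (buff == NULL)
        return ret;

    size_t x = 0;
    for (size_t i = 0; i < buffLen; i++) {
        /* Same predicate as the original "i>=from && i<to", evaluated without
         * mixing signed and unsigned operands. */
        int in_window = (from < 0 || i >= (size_t)from) && (to > 0 && i < (size_t)to);
        if (!in_window)
            ret[x++] = buff[i];
    }
    return ret;
}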

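/*
 * addMem: return a freshly malloc'd, zero-filled buffer of
 * (buffLen + addLen)*2 bytes holding buff with the addLen bytes of
 * buffToAdd inserted at offset addFrom:
 *
 *     buff[0..addFrom) ++ buffToAdd[0..addLen) ++ buff[addFrom..buffLen)
 *
 * addFrom < 0 is treated as 0 and addFrom > buffLen as an append at the
 * end.  A NULL buff or buffToAdd contributes zeros for its part.  Returns
 * NULL when the allocation fails or the size arithmetic would overflow.
 * The caller owns the result and must free() it.
 *
 * Fixes vs. the original: malloc was unchecked; the prefix was fetched via
 * getMem(), whose result was never freed (one leak per call); and the two
 * copy loops (whose bounds were lost in extraction) are replaced by three
 * bounded memcpy calls.
 */
char *addMem(char *buff, size_t buffLen, char *buffToAdd, size_t addLen, int addFrom)
{
    if (buffLen > (size_t)-1 - addLen || buffLen + addLen > (size_t)-1 / 2)
        return NULL;                       /* (buffLen+addLen)*2 would overflow */

    size_t ourSize = (buffLen + addLen) * 2;
    char *ret = malloc(ourSize ? ourSize : 1);
    if (ret == NULL)
        return NULL;
    memset(ret, 0, ourSize);

    size_t at = addFrom < 0 ? 0 : (size_t)addFrom;
    if (at > buffLen)
        at = buffLen;                      /* insert past the end == append */

    if (buff != NULL) {
        memcpy(ret, buff, at);                                   /* prefix */
        memcpy(ret + at + addLen, buff + at, buffLen - at);      /* suffix */
    }
    if (buffToAdd != NULL)
        memcpy(ret + at, buffToAdd, addLen);                     /* inserted bytes */

    return ret;
}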

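/*
 * replaceMem: return a freshly malloc'd, zero-filled buffer holding buff
 * with bytes [from, to) replaced by the replaceLen bytes of replaceBuff:
 *
 *     buff[0..from) ++ replaceBuff[0..replaceLen) ++ buff[to..buffLen)
 *
 * The allocation is (buffLen - (to-from) + replaceLen)*2 bytes, the same
 * size the original obtained through delMem()+addMem(); main() relies on
 * the result being large enough for later MAX_READ-byte reads.  from/to are
 * clipped to [0, buffLen] and to < from is treated as a pure insert at from.
 * Returns NULL when the allocation fails or the size would overflow.  The
 * caller owns the result and must free() it.
 *
 * Fixes vs. the original: the initial malloc'd copy, and then the delMem()
 * result, were each overwritten by the next call's pointer without being
 * freed (two leaks per call), and no allocation was checked.  The work is
 * done directly with memcpy so nothing intermediate is allocated.
 */
char *replaceMem(char *buff, size_t buffLen, int from, int to, char *replaceBuff, size_t replaceLen)
{
    size_t start = from < 0 ? 0 : (size_t)from;
    if (start > buffLen)
        start = buffLen;
    size_t end = to < 0 ? 0 : (size_t)to;
    if (end > buffLen)
        end = buffLen;
    if (end < start)
        end = start;                       /* inverted window: insert only */

    size_t keep = buffLen - (end - start); /* bytes of buff that survive */
    if (keep > (size_t)-1 - replaceLen || keep + replaceLen > (size_t)-1 / 2)
        return NULL;                       /* size arithmetic would overflow */

    size_t ourSize = (keep + replaceLen) * 2;
    char *ret = malloc(ourSize ? ourSize : 1);
    if (ret == NULL)
        return NULL;
    memset(ret, 0, ourSize);

    if (buff != NULL) {
        memcpy(ret, buff, start);                                  /* prefix */
        memcpy(ret + start + replaceLen, buff + end, buffLen - end); /* suffix */
    }
    if (replaceBuff != NULL)
        memcpy(ret + start, replaceBuff, replaceLen);              /* replacement */

    return ret;
}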

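/*
 * fGetPID: return the process id of the first running process whose
 * executable name equals szProcessName (case-sensitive strcmp, as in the
 * original; Toolhelp reports the image file name, e.g. "n00b.exe").
 *
 * Returns 0 when no such process exists, when szProcessName is NULL, or
 * when the snapshot cannot be taken.
 *
 * Fixes vs. the original: CreateToolhelp32Snapshot signals failure with
 * INVALID_HANDLE_VALUE rather than NULL, so that is what is tested; and the
 * entry filled in by Process32First is now compared as well, instead of
 * being skipped by jumping straight to Process32Next.
 */
DWORD fGetPID( char *szProcessName )
{
    PROCESSENTRY32 pe = {sizeof(PROCESSENTRY32)};
    DWORD dwRet = 0;

    if (szProcessName == NULL)
        return 0;

    HANDLE ss = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
    if (ss == INVALID_HANDLE_VALUE)
        return 0;

    /* Visit every entry, including the first one. */
    for (int more = Process32First(ss, &pe); more; more = Process32Next(ss, &pe)) {
        if (strcmp(pe.szExeFile, szProcessName) == 0) {
            dwRet = pe.th32ProcessID;
            break;
        }
    }
    CloseHandle( ss );
    return dwRet;
}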

/*
 * Scanner/editor: opens the process named PROC_NAME, reads its memory in
 * MAX_READ-byte chunks from dwAddrStart to dwAddrEnd, and whenever a chunk
 * contains lpOrig ("Information") overwrites that occurrence with
 * lpReplacement and writes the whole chunk back with WriteProcessMemory.
 *
 * Review notes (reading this as a defender):
 *  - The loop advances 0x100 (256) bytes per iteration but reads only
 *    MAX_READ (128) bytes, so half of every stride is never inspected and a
 *    string straddling a chunk boundary is missed.
 *  - lpData starts as a GlobalAlloc block but is reassigned to replaceMem's
 *    malloc'd result on the first hit.  The GlobalAlloc block and every
 *    earlier replaceMem result leak, and the final GlobalFree is then
 *    applied to a malloc'd pointer.
 *  - ReadProcessMemory/WriteProcessMemory take a SIZE_T* for the byte
 *    count; &dwRead is a DWORD*, which is the wrong width on 64-bit builds.
 *  - PROCESS_ALL_ACCESS is far more than the read/write/query rights used
 *    here; an OpenProcess with broad rights followed by a cross-process
 *    write is precisely the behaviour endpoint monitoring flags.
 *  - The replacement is written with lpOrig's length (the commented-out
 *    sizeof(lpReplacement) expressions suggest a length change was
 *    abandoned), so both strings must stay the same size.
 */
main()
{
/*** VARIABLES ***/
HANDLE hProc;

DWORD dwAddrStart=0x00400000, // min. addr.
dwAddrEnd=0x00FFFFFF, // max. addr.
dwRead=0;

/* lpData is the read buffer; see the header note about its reassignment. */
char *lpData = (VOID*)GlobalAlloc(GMEM_FIXED, MAX_READ),
lpOrig[] = "Information", // original replaced with:
lpReplacement[] = "I kill you!"; // <-- this

int x,at;
/*****************/

if (!lpData)
return -1;

ZeroMemory(lpData, MAX_READ);

// open process
/* Retries until OpenProcess succeeds.  While the target is not running,
 * fGetPID returns 0 and OpenProcess fails, so this effectively waits for
 * the target to be started. */
do {
hProc = OpenProcess (PROCESS_ALL_ACCESS,
FALSE,
fGetPID(PROC_NAME));
if (!hProc) {
Sleep(500);
puts ("Cant open process!\n"
"Press any key to retry.\n");
getch();
}
} while(!hProc);

puts ("Process opened sucessfully\n"
"Scanning memory...\n");

for (dwAddrStart;
dwAddrStart<=dwAddrEnd;
dwAddrStart+=0x00000100) {

dwRead=0;
/* "== TRUE" is fragile: the API contract is "nonzero on success", so
 * "!= 0" is the safe comparison. */
if (ReadProcessMemory (hProc,
(LPCVOID)dwAddrStart,
lpData,
MAX_READ,
&dwRead) == TRUE) {
/* First search only decides whether to print; the same search is
 * repeated below to get the offset. */
if (fMatchCheck(lpData, dwRead, lpOrig, sizeof(lpOrig)-1)!=-1) {
/* dwAddrStart is a DWORD (unsigned long); "%x" expects unsigned int,
 * so "%lx" would be the matching conversion. */
printf ("MEMORY ADDRESS: 0x00%x\n"
"DATA:\n", dwAddrStart);
for (x=0;x printf("%c", lpData[x]);
} puts("\n");

at = fMatchCheck (lpData,
dwRead,
lpOrig,
sizeof(lpOrig)-1);

if (at!=-1) {
/* fMatchCheck returns the offset just past the match; step back to
 * its start. */
at-=sizeof(lpOrig)-1;

/* replaceMem allocates a new buffer; the previous lpData is not freed. */
lpData = replaceMem (lpData,
dwRead,
at,
at+sizeof(lpOrig)-1,
lpReplacement,
/*sizeof(lpReplacement)-1*/sizeof(lpOrig)-1);

puts("REPLACEMENT DATA:");
for (x=0;x printf("%c", lpData[x]);
} puts("\n");

puts("Replacing memory...");
/* Writes the entire dwRead-byte chunk back, not just the changed bytes,
 * so anything the target modified in that range since the read is
 * overwritten with the stale copy. */
if (WriteProcessMemory (hProc,
(LPVOID)dwAddrStart,
lpData,
/*dwRead-sizeof(lpOrig)-1+sizeof(lpReplacement)-1*/dwRead,
&dwRead)) {
puts("Success.\n");
} else puts("Error.\n");
} else puts("Error.\n");

}

}
}

// // // // //
// Cleanup
if (hProc)
CloseHandle(hProc);
/* If any replacement happened, lpData now points at malloc'd memory and
 * GlobalFree is the wrong deallocator for it (see header). */
if (lpData)
GlobalFree(lpData);
///////////////

puts ("Done. Press any key to quit...");
return getch();
}
