How do I get all of the memory address space used by a process?

I need to know all memory address space used by a process. The memory space will later be scanned to locate values within the process and identify their locations / addresses. My current process for this is to take each module's base address through its (base address + memory size).

I'm testing this on a process with a known value at a known address. When I look up that specific address, I get the value I expect. However, when I scan (what I believe to be) all address space used by the process, I can't find the value anywhere.

I know that a numeric value "4143000" exists at 0x0CF8DC38 and 0x0CF8DDDC. When I call ReadMemoryBytes(module, module.BaseAddress, 4, (IntPtr)(0x0CF8DC38)) I get back bytes (152, 55, 63, 0). When I call BitConverter.GetBytes(4143000) I get back the same set of bytes. When I use a different memory scanner on that process, I find that value at those addresses.

However, when I scan the "known addresses", I don't find this value anywhere. It doesn't look like my code is even finding those addresses in use by the process.

Thusly, my question is twofold:

  • How can I find these addresses within this process?
  • I'm concerned I may be dealing with absolute addresses in system memory versus relative addresses within a process. Am I doing this right?


using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

// Fields assumed elsewhere in the class:
//   IntPtr processPointer            - handle returned by OpenProcess(PROCESS_VM_READ | ...)
//   List<IntPtr> PossibleAddresses   - shared result list, written from several threads

// (in the calling method)
foreach (ProcessModule module in process.Modules) {
    ProcessModule m = module; // copy so each thread's closure captures its own module
    ParameterizedThreadStart pst = new ParameterizedThreadStart(p => SearchModule(m, value));
    Thread t = new Thread(pst);
    t.Start();
}

private void SearchModule(ProcessModule module, string value)
{
    int iVal;
    double dVal;
    bool isInt = int.TryParse(value, out iVal);
    double.TryParse(value, out dVal); // parsed but not used yet; only the int compare is implemented
    if (!isInt)
        return;

    byte[] expectedBytes = BitConverter.GetBytes(iVal);
    long start = (long)module.BaseAddress;
    long end = start + module.ModuleMemorySize;

    // Note: this only walks the module image (code + static data). Heap and stack
    // regions belong to no module and are never visited by this loop.
    for (long addr = start; addr + expectedBytes.Length <= end; addr++)
    {
        byte[] actualBytes = ReadMemoryBytes(module, (IntPtr)addr, (uint)expectedBytes.Length, (IntPtr)addr);
        if (actualBytes == null)
            continue; // page not readable, skip it

        bool isMatch = true;
        for (int i = 0; i < expectedBytes.Length; i++)
            if (expectedBytes[i] != actualBytes[i]) { isMatch = false; break; }
        if (isMatch)
            lock (PossibleAddresses)
                PossibleAddresses.Add((IntPtr)addr);
    }
}

// mod and memAddress are unused; the read happens at BaseAddress. The signature is
// kept as in the calls above. Returns null when the read fails or comes back short.
private byte[] ReadMemoryBytes(ProcessModule mod, IntPtr memAddress, uint size, IntPtr BaseAddress)
{
    byte[] buffer = new byte[size];
    IntPtr bytesRead;
    if (!ReadProcessMemory(processPointer, BaseAddress, buffer, (UIntPtr)size, out bytesRead)
        || (ulong)bytesRead != size)
        return null;
    return buffer;
}

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern Int32 CloseHandle(IntPtr hObject);
// nSize and lpNumberOfBytesRead are SIZE_T, so pointer-sized types are used for both.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UIntPtr nSize, out IntPtr lpNumberOfBytesRead);
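As an added example (not part of the question or any answer): walking a process's committed, readable regions with VirtualQueryEx instead of iterating its module list. Module ranges cover only loaded images, while VirtualQueryEx also returns the heap and stack regions where a value like the one at 0x0CF8DC38 would live. `RegionScanner` and `FindPattern` are names chosen here; the target must have been opened with at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionScanner
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Returns every address in the target at which `pattern` occurs, covering all
    // committed regions that are readable (heap, stack and images alike).
    public static List<IntPtr> FindPattern(Process target, byte[] pattern)
    {
        var hits = new List<IntPtr>();
        IntPtr h = target.Handle;
        int mbiSize = Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        long addr = 0;
        MEMORY_BASIC_INFORMATION mbi;
        // VirtualQueryEx returns 0 once addr passes the end of user-mode space.
        while (VirtualQueryEx(h, (IntPtr)addr, out mbi, (IntPtr)mbiSize) != IntPtr.Zero)
        {
            long size = mbi.RegionSize.ToInt64();
            bool readable = mbi.State == MEM_COMMIT
                && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;
            if (readable && size > 0 && size < int.MaxValue)
            {
                var buf = new byte[size];
                IntPtr read;
                if (ReadProcessMemory(h, mbi.BaseAddress, buf, (IntPtr)size, out read))
                    for (long i = 0; i + pattern.Length <= read.ToInt64(); i++)
                    {
                        int j = 0;
                        while (j < pattern.Length && buf[i + j] == pattern[j]) j++;
                        if (j == pattern.Length) hits.Add((IntPtr)(mbi.BaseAddress.ToInt64() + i));
                    }
            }
            addr = mbi.BaseAddress.ToInt64() + size; // next region begins right after this one
        }
        return hits;
    }
}
```

For the value in the question, `RegionScanner.FindPattern(Process.GetProcessById(pid), BitConverter.GetBytes(4143000))` should return both 0x0CF8DC38 and 0x0CF8DDDC, provided the scanner and target have the same bitness (a 32-bit scanner cannot query a 64-bit target's full address space).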

#0

The addresses you're getting are pointers to the managed (CLR) heap. They won't generally map to absolute memory addresses and they can move from call to call as the GC decides to run.

If you use "unsafe" code, you can get relative pointers as well as managing your own memory space. It's still on the heap but at least you're guaranteed the GC won't modify your address space.

Do not expect to be able to access things on the heap from non-CLR code without extensive wrapping. There are ways to do IPC between CLR-managed processes but you'd have to write access proxies to the "outside world" if you want a non-CLR process to get to your memory.
