How to access the memory space of a process

zhaozj, 2021-02-08

In Win32, every application "sees" a 4GB linear address space. The first 4MB and the last 2GB are reserved by the operating system; the remaining 2GB are the application's private space. In detail the space is allocated as follows: 0xFFFFFFFF-0xC0000000, 1GB, for VxDs, memory management and the file system; 0xBFFFFFFF-0x80000000, 1GB, for shared Win32 DLLs and shared memory-mapped files; 0x7FFFFFFF-0x00400000, the private address space of each Win32 process; 0x003FFFFF-0x00001000, for MS-DOS and Win16 applications; 0x00000FFF-0x00000000, 4,096 bytes reserved for the null pointer. These are logical addresses, that is, virtual memory. Virtual memory is usually implemented in fixed-size blocks called "pages"; in Win32 each page is 4,096 bytes. On Intel CPUs, paging is enabled by setting one bit in a control register. Once paging is enabled the CPU no longer accesses memory directly: every address goes through a mapping step, a series of lookup tables called page tables, that translates the virtual address into the actual physical address. Using this hardware address mapping and the page tables, Win32 implements virtual memory with good performance and also gains protection: with the processor's page mapping, the operating system gives each process its own mapping from logical to physical addresses, so the address space of each process is completely invisible to the others. Win32 also provides functions for accessing the memory space of another process, but they must be used with care, since it is easy to damage the process being accessed. This article describes how to read and write the memory of another process, and similar techniques can improve a memory-modification tool such as FPE. Now prepare the programming tool, Delphi, and the reference manual, MSDN, and start!
ReadProcessMemory reads the memory of another process. Its prototype is:

    BOOL ReadProcessMemory(
        HANDLE hProcess,              // handle of the process
        LPCVOID lpBaseAddress,        // start address to read from
        LPVOID lpBuffer,              // buffer that receives the data read
        DWORD nSize,                  // number of bytes to read
        LPDWORD lpNumberOfBytesRead   // number of bytes actually read
    );

The process handle hProcess is obtained with OpenProcess, whose prototype is:

    HANDLE OpenProcess(
        DWORD dwDesiredAccess,   // access flags
        BOOL bInheritHandle,     // inheritance flag
        DWORD dwProcessId        // process ID
    );

A handle opened this way must of course be closed with CloseHandle. To read another process, dwDesiredAccess must be PROCESS_VM_READ; to write another process, dwDesiredAccess must be PROCESS_VM_WRITE; the inheritance flag does not matter. The process ID can be obtained with Process32First and Process32Next, which enumerate all running processes and therefore also return the information about each process. Process32First and Process32Next are provided by the Tlhelp32 unit, so Tlhelp32 must be added to the uses clause.

ToolHelp32 encapsulates functions for accessing heaps, threads, processes and so on, and applies only to Win9x. The prototypes are:

    BOOL WINAPI Process32First(
        HANDLE hSnapshot,        // snapshot handle returned by CreateToolhelp32Snapshot
        LPPROCESSENTRY32 lppe    // pointer to a PROCESSENTRY32 structure
    );
    BOOL WINAPI Process32Next(
        HANDLE hSnapshot,        // snapshot handle returned by CreateToolhelp32Snapshot
        LPPROCESSENTRY32 lppe    // pointer to a PROCESSENTRY32 structure
    );

hSnapshot is the system snapshot handle returned by CreateToolhelp32Snapshot, whose prototype is:

    HANDLE WINAPI CreateToolhelp32Snapshot(
        DWORD dwFlags,         // snapshot flags
        DWORD th32ProcessID    // process ID
    );

Since what we need now is information about processes, dwFlags is set to TH32CS_SNAPPROCESS and th32ProcessID is ignored. The PROCESSENTRY32 structure is as follows:

    typedef struct tagPROCESSENTRY32 {
        DWORD dwSize;                // size of the structure
        DWORD cntUsage;              // reference count of this process
        DWORD th32ProcessID;         // process ID
        DWORD th32DefaultHeapID;     // default heap ID of the process
        DWORD th32ModuleID;          // module ID of the process
        DWORD cntThreads;            // number of threads started by this process
        DWORD th32ParentProcessID;   // parent process ID
        LONG  pcPriClassBase;        // thread priority
        DWORD dwFlags;               // reserved
        char  szExeFile[MAX_PATH];   // full name of the process executable
    } PROCESSENTRY32;

This covers the main functions used. To read memory, simply call the functions above in turn; see the source code below:

procedure TForm1.Button1Click(Sender: TObject);
var
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
  Ret: BOOL;
  ProcessID: Integer;
  ProcessHndle: THandle;
  lpBuffer: PByte;
  nSize: DWORD;
  lpNumberOfBytesRead: DWORD;
  i: Integer;
  s: string;
begin
  ProcessID := 0;
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // create a system snapshot
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32); // initialise the size field of FProcessEntry32
  Ret := Process32First(FSnapshotHandle, FProcessEntry32);
  while Ret do
  begin
    s := ExtractFileName(FProcessEntry32.szExeFile);
    if s = 'KERNEL32.DLL' then
    begin
      ProcessID := FProcessEntry32.th32ProcessID;
      s := '';
      Break;
    end;
    Ret := Process32Next(FSnapshotHandle, FProcessEntry32);
  end; // loop over all processes on the system, looking for "kernel32.dll"
  CloseHandle(FSnapshotHandle);
  Memo1.Lines.Clear;
  Memo1.Lines.Add('Process ID ' + IntToHex(FProcessEntry32.th32ProcessID, 8));
  Memo1.Lines.Add('File name ' + FProcessEntry32.szExeFile); // output some information about the process
  nSize := 4;
  lpBuffer := AllocMem(nSize);
  ProcessHndle := OpenProcess(PROCESS_VM_READ, False, ProcessID);
  Memo1.Lines.Add('Process Handle ' + IntToHex(ProcessHndle, 8));
  for i := $00800001 to $0080005F do
  begin
    ReadProcessMemory(ProcessHndle, Pointer(i), lpBuffer, nSize, lpNumberOfBytesRead);
    s := s + IntToHex(lpBuffer^, 2) + ' '; // the content read
    if (i mod 16) = 0 then
    begin
      Memo1.Lines.Add(s);
      s := '';
    end; // format the output
  end;
  FreeMem(lpBuffer, nSize);
  CloseHandle(ProcessHndle); // close the handle and release the memory
end;
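To make the sequence above (snapshot, Process32First/Process32Next, OpenProcess, ReadProcessMemory, CloseHandle) reusable, here is an added example that is not from the original article: it looks a process up by executable name, reads the requested block with a single ReadProcessMemory call sized to nSize, and checks every return value, reporting a short read instead of ignoring it. It assumes a Delphi console program with Windows, SysUtils and TlHelp32 in its uses clause and the classic Windows unit signatures the article uses; the target name and address in the usage note are assumptions.

```pascal
{ PID of the first process whose exe name matches AExeName, or 0 if none. }
function FindProcessID(const AExeName: string): DWORD;
var
  Snap: THandle; Entry: TProcessEntry32;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then Exit;
  try
    Entry.dwSize := SizeOf(Entry);  // must be set before Process32First
    if Process32First(Snap, Entry) then
      repeat
        if SameText(ExtractFileName(Entry.szExeFile), AExeName) then
        begin
          Result := Entry.th32ProcessID;
          Break;
        end;
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);  // always release the snapshot handle
  end;
end;

{ Read Count bytes at Address in process PID with one call and dump them as hex. }
procedure DumpProcessMemory(PID: DWORD; Address: Pointer; Count: DWORD);
var
  hProc: THandle; Buf: array of Byte; BytesRead: DWORD;
  i: Integer; Line: string;
begin
  hProc := OpenProcess(PROCESS_VM_READ, False, PID);  // read access only
  if hProc = 0 then
    raise Exception.CreateFmt('OpenProcess failed, error %d', [GetLastError]);
  try
    SetLength(Buf, Count);
    if not ReadProcessMemory(hProc, Address, @Buf[0], Count, BytesRead) then
      raise Exception.CreateFmt('ReadProcessMemory failed, error %d', [GetLastError]);
    if BytesRead < Count then  // a short read is a result, not a success
      Writeln('short read: ', BytesRead, ' of ', Count, ' bytes');
    Line := '';
    for i := 0 to Integer(BytesRead) - 1 do
    begin
      Line := Line + IntToHex(Buf[i], 2) + ' ';
      if (i + 1) mod 16 = 0 then begin Writeln(Line); Line := ''; end;
    end;
    if Line <> '' then Writeln(Line);
  finally
    CloseHandle(hProc);
  end;
end;
```

A call such as DumpProcessMemory(FindProcessID('notepad.exe'), Pointer($00400000), 64) in the program's main block dumps the first 64 bytes at the assumed address of that (assumed) process.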

The above program was written and tested under Delphi 4 on Chinese Win98. (YPY@yeah.net)

When reposting, please cite the original address: https://www.9cbs.com/read-2777.html
