内存修改原理

#include<windows.h>

#include<iostream.h>

#include<stdio.h>

HANDLE g_hProcess;

DWORD dwGoalAddr[1024],count;

int CompareAPage(DWORD dwBase,DWORD goal)

{

    DWORD i;

    BYTE arBytes[4096];

    if(!::ReadProcessMemory(g_hProcess,(LPVOID)dwBase,arBytes,4096,NULL))

    {

        return FALSE;

    }

    DWORD * lpDw;

    for(i=0;i<4096-3;i++)

    {

        lpDw=(DWORD*)&arBytes[i];

        if(count>=1024) return FALSE;

        if(*lpDw==goal) 

            dwGoalAddr[count++]=dwBase+i;

    }

    return count;

}

int FirstFind(DWORD goal)

{

    const DWORD dwOneGB=1024*1024*1024;

    const DWORD dwOnePage=4*1024;

    DWORD dwBaseAddr;

    OSVERSIONINFO vi;

    ::GetVersionEx(&vi);



    if(vi.dwPlatformId==VER_PLATFORM_WIN32_WINDOWS)

        dwBaseAddr=4*1024*1024;

    else

        dwBaseAddr=64*1024;

    count=0;

    for(;dwBaseAddr<2*dwOneGB;dwBaseAddr+=dwOnePage)

    {

        CompareAPage(dwBaseAddr,goal);

    }

    return 0;

}

int ShowAddr(int k)

{

    int i;

    for(i=0;i<k;i++)

        printf("%08lX\n",dwGoalAddr[i]);

        return 1;

}

int FindNext(DWORD goal)

{

    int i,k=0;

    LPVOID lpAddr;

    DWORD gValue;

    for(i=0;i<(int)count;i++)

    {

        lpAddr=(LPVOID)dwGoalAddr[i];

        ::ReadProcessMemory(g_hProcess,(LPVOID*) dwGoalAddr[i],&gValue,sizeof(DWORD),NULL);

        if(gValue==goal) dwGoalAddr[k++]=dwGoalAddr[i];

    }

    return k;

}

int main()

{

    DWORD goal;

    char fileName[]="D:\\VC\\02testor\\Debug\\main.exe";

    STARTUPINFO si={sizeof(STARTUPINFO)};

    PROCESS_INFORMATION ps;



    if(!::CreateProcess(NULL,fileName,NULL,NULL,FALSE,CREATE_NEW_CONSOLE,NULL,NULL,&si,&ps))

    {

        printf("创建进程失败！\n");

        return 0;

    }

    ::CloseHandle(ps.hThread);

    g_hProcess=ps.hProcess;



        if(g_hProcess==INVALID_HANDLE_VALUE)

    {

        printf("进程创建失败！\n");

        return 0;

    }

    printf("请输入你要查找的值：");

    scanf("%ld",&goal);

        FirstFind(goal);



    //ShowAddr(count);

    while(count>1)

    {

        printf("本次查找有%d个目标，请输入下一次要查找的值：",count);

        scanf("%ld",&goal);

        count=FindNext(goal);

    }

    if(count==0)

    {

        printf("没有查找到目标！\n");

        return FALSE;

    }

    else

    {

        printf("请输入你要修改的值：");

        scanf("%ld",&goal);

    }

    if(!::WriteProcessMemory(g_hProcess,(LPVOID)dwGoalAddr[0],&goal,sizeof(DWORD),NULL))

    {

        printf("修改内存失败！\n");

        return FALSE;

    }

        ::ReadProcessMemory(g_hProcess,(LPVOID)dwGoalAddr[0],&goal,sizeof(DWORD),NULL);

    printf("最种修改为：%ld\n",goal);

    //DWORD exitCode;

    //GetExitCodeProcess(g_hProcess,&exitCode);

    //TerminateProcess(g_hProcess,exitCode);

    ::CloseHandle(g_hProcess);

        return 0;

}

以上程序需要调用以下代码生成的的可执行文件，从而产生另一个进程，然后修改g_nNum的内存

CloseHandle(),TerminateThread(),ExitThread()的区别 看以下博客：

http://blog.csdn.net/anye3000/article/details/7470674

#include<iostream>

#include<windows.h>

int g_nNum;

int main()

{

    int i;

    g_nNum=1003; i=0;

    while(1)

    {

        printf("i=%d,  &i=0X%08lX,  g_nNum=%d,  &g_nNum=0X%08lX\n",i++,&i,++g_nNum,&g_nNum);

        getchar();

    }

    return 0;

}