Last time we covered what to do when a game cheat's memory base address contains a module name, and went through why a module-relative address works at all.
Today I'll show you how to write that lookup in code.
Again we use reading the currently logged-in QQ number out of memory as the example:
The memory base address found last time is: AudioVideo.dll+5D96DC.
In the run shown, AudioVideo.dll+5D96DC = 5E5396DC, which means AudioVideo.dll was loaded at 5DF60000 in that run (5E5396DC - 5D96DC). Only the offset 5D96DC is stable; the load address of the module can differ every time QQ starts, so the program has to look the base up at run time instead of hard-coding 5E5396DC.
Reading the value at address 5E5396DC gives 81644996, which is the QQ number currently logged in.
Straight to the code; VB6.0 is used here.
Code in the module (a standard .bas module):
' Win32 declarations. VB6 is 32-bit, so handles and pointers are 32-bit Longs.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' PROCESSENTRY32 (ANSI). Not used by GetProcessModuleHandleA itself; it goes with
' Process32First/Next when you want to find the PID by exe name instead of typing it in.
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * 260       ' MAX_PATH
End Type

' MODULEENTRY32 (ANSI). szModule is MAX_MODULE_NAME32 + 1 = 256 bytes and
' szExePath is MAX_PATH = 260 bytes; dwSize must describe exactly this layout.
Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long             ' load address of the module inside the target process
    modBaseSize As Long
    hModule As Long
    szModule As String * 256
    szExePath As String * 260
End Type

Private Const TH32CS_SNAPPROCESS = &H2
Private Const TH32CS_SNAPMODULE = &H8
Private Const INVALID_HANDLE_VALUE = -1

' Returns the base address of ModuleName (e.g. "AudioVideo.dll") inside process pid,
' or 0 if the process cannot be snapshotted or the module is not loaded.
Public Function GetProcessModuleHandleA(pid As Long, ModuleName As String) As Long
    Dim mo As MODULEENTRY32
    Dim hSnap As Long
    Dim Temp As String

    GetProcessModuleHandleA = 0
    If ModuleName = "" Then Exit Function

    ' A 32-bit VB6 program can only snapshot the modules of a 32-bit process;
    ' against a 64-bit target the call fails with ERROR_PARTIAL_COPY.
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    If hSnap = INVALID_HANDLE_VALUE Then Exit Function

    mo.dwSize = Len(mo)
    If Module32First(hSnap, mo) Then
        Do
            ' szExePath is a NUL-terminated fixed buffer: cut at the first Chr$(0),
            ' then keep only the file name after the last backslash.
            Temp = Left$(mo.szExePath, InStr(mo.szExePath, Chr$(0)) - 1)
            Temp = Mid$(Temp, InStrRev(Temp, "\") + 1)
            If UCase$(Temp) = UCase$(ModuleName) Then
                GetProcessModuleHandleA = mo.modBaseAddr
                Exit Do                 ' fall through so the snapshot handle is closed
            End If
        Loop Until Module32Next(hSnap, mo) = 0
    End If
    CloseHandle hSnap
End Function
Calling code:
Private Sub Command1_Click()
    Dim base As Long
    ' 4396 is the PID of the QQ process in this run; it changes every launch.
    base = GetProcessModuleHandleA(4396, "AudioVideo.dll")
    If base = 0 Then MsgBox "AudioVideo.dll not found in process 4396": Exit Sub
    ' base + offset. Long is a signed 32-bit value, so the sum must stay below &H7FFFFFFF.
    MsgBox Hex$(base + &H5D96DC)    ' 5E5396DC for the run shown above
End Sub
' The parameters of GetProcessModuleHandleA are: PID, module name
Run the program and look at the result:
See, we got the correct memory address. The rest is easy: open the process with OpenProcess (the handle needs PROCESS_VM_READ) and read the value at that address with the ReadProcessMemory API.
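The same two steps, resolving a "Module.dll+Offset" expression against the target's module list and then reading the DWORD behind it, written out in Python as an added example; this is not the article's code and it does not use the VB6 module above. The parsing and address arithmetic are plain Python and are exercised with a constructed module table and fake memory that mirror the run described here (AudioVideo.dll at 5DF60000, 81644996 stored at 5E5396DC); the real Toolhelp32 and ReadProcessMemory path is done through ctypes and only runs on Windows. All function names (parse_module_offset, resolve, read_u32, list_modules, process_reader) are my own choice.

```python
"""Resolve "<module>+<offset>" and read the DWORD behind it (added example)."""
import ctypes
import re
import struct
import sys

# "AudioVideo.dll+5D96DC" style address expressions, as shown by Cheat Engine and the article.
ADDR_RE = re.compile(r"^\s*([^+\s]+)\s*\+\s*(?:0x)?([0-9a-fA-F]+)\s*$")

def parse_module_offset(expr):
    """'AudioVideo.dll+5D96DC' -> ('audiovideo.dll', 0x5D96DC); names are case-insensitive."""
    m = ADDR_RE.match(expr)
    if not m:
        raise ValueError("expected <module>+<hex offset>, got %r" % (expr,))
    return m.group(1).lower(), int(m.group(2), 16)

def resolve(module_bases, expr):
    """module_bases: {lower-case module name: load address}. Base changes per run, offset does not."""
    name, offset = parse_module_offset(expr)
    if name not in module_bases:
        raise LookupError("module %s is not loaded in the target process" % name)
    return module_bases[name] + offset

def read_u32(reader, addr):
    """reader(addr, size) -> bytes. x86 is little-endian; a short read means an unreadable page."""
    data = reader(addr, 4)
    if len(data) != 4:
        raise IOError("short read at %#x (got %d bytes)" % (addr, len(data)))
    return struct.unpack("<I", data)[0]

def demo_offline():
    """Constructed data mirroring the article's run: AudioVideo.dll at 0x5DF60000,
    DWORD 81644996 stored at 0x5E5396DC. No real process is touched."""
    bases = {"audiovideo.dll": 0x5DF60000}
    fake_memory = {0x5E5396DC: struct.pack("<I", 81644996)}
    reader = lambda addr, size: fake_memory.get(addr, b"")[:size]
    addr = resolve(bases, "AudioVideo.dll+5D96DC")
    return addr, read_u32(reader, addr)

if sys.platform == "win32":  # real Toolhelp32 / ReadProcessMemory path via ctypes
    from ctypes import wintypes
    TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32 = 0x08, 0x10
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

    class MODULEENTRY32(ctypes.Structure):  # ANSI layout, same fields as the VB6 Type
        _fields_ = [("dwSize", wintypes.DWORD), ("th32ModuleID", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("GlblcntUsage", wintypes.DWORD),
                    ("ProccntUsage", wintypes.DWORD), ("modBaseAddr", ctypes.c_void_p),
                    ("modBaseSize", wintypes.DWORD), ("hModule", wintypes.HMODULE),
                    ("szModule", ctypes.c_char * 256), ("szExePath", ctypes.c_char * 260)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    k32.Module32First.argtypes = k32.Module32Next.argtypes = [wintypes.HANDLE, ctypes.POINTER(MODULEENTRY32)]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]

    def list_modules(pid):
        """{lower-case module name: base} for pid. A 32-bit Python cannot snapshot a 64-bit
        process (ERROR_PARTIAL_COPY); SNAPMODULE32 lets a 64-bit Python see WOW64 targets."""
        snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid)
        if snap == INVALID_HANDLE_VALUE:
            raise ctypes.WinError(ctypes.get_last_error())
        bases = {}
        try:
            me = MODULEENTRY32(dwSize=ctypes.sizeof(MODULEENTRY32))
            ok = k32.Module32First(snap, ctypes.byref(me))
            while ok:
                bases[me.szModule.decode("mbcs", "replace").lower()] = me.modBaseAddr
                ok = k32.Module32Next(snap, ctypes.byref(me))
        finally:
            k32.CloseHandle(snap)
        return bases

    def process_reader(pid):
        """reader(addr, size) backed by ReadProcessMemory; OpenProcess needs PROCESS_VM_READ,
        which for an elevated or another user's process means running elevated yourself."""
        h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())

        def reader(addr, size):
            buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
            if not k32.ReadProcessMemory(h, ctypes.c_void_p(addr), buf, size, ctypes.byref(got)):
                raise ctypes.WinError(ctypes.get_last_error())
            return buf.raw[:got.value]
        return reader

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 3:  # usage: script.py <pid> <Module.dll+Offset>
        pid, expr = int(sys.argv[1]), sys.argv[2]
        target = resolve(list_modules(pid), expr)
        print("%s -> %#x = %d" % (expr, target, read_u32(process_reader(pid), target)))
    else:
        print("offline demo: address %#x holds %d" % demo_offline())
```

Two things worth noticing: the module name is matched case-insensitively, exactly as the UCase comparison in the VB6 version does, and a failed or short ReadProcessMemory is reported instead of silently yielding zero, which is the usual symptom of a wrong offset or an unreadable page.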
If you like programming, feel free to follow me; to join the group, click through from my Toutiao homepage!