// ViewDlg.cpp : implementation file
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "ViewDlg.h"
#include "afxdialogex.h"
// CViewDlg dialog
// Runtime class information (CRuntimeClass support) for CViewDlg.
IMPLEMENT_DYNAMIC(CViewDlg, CDialogEx)

/// Builds the dialog with empty edit-box strings and no selected process.
/// @param pParent  owner window, forwarded to CDialogEx (may be NULL).
CViewDlg::CViewDlg(CWnd* pParent /*=NULL*/)
    : CDialogEx(CViewDlg::IDD, pParent),
      m_strProcess(_T("")),
      m_strDllName(_T("")),
      m_strFunc(_T(""))
{
    // A PID of 0 means "no target chosen yet"; OnBnClickedButtonProcess sets it.
    m_dwID = 0;
}
/// Nothing to release: the dialog owns no resources beyond its CString/MFC members.
CViewDlg::~CViewDlg() = default;
/// Binds dialog controls to members for UpdateData().
/// @param pDX  exchange context supplied by MFC (direction is pDX->m_bSaveAndValidate).
void CViewDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
    // Edit box showing the chosen process ("pid:... exe file:...").
    DDX_Text(pDX, IDC_EDIT_PROCESS, m_strProcess);
    // List box that receives the module/address report.
    DDX_Control(pDX, IDC_LIST_MEMORY_VIEW, m_ViewList);
    // DLL and export name typed by the user for the "Get API" lookup.
    DDX_Text(pDX, IDC_EDIT_DLL_NAME, m_strDllName);
    DDX_Text(pDX, IDC_EDIT_FUNCTION, m_strFunc);
}
// Message map: the two buttons drive the whole dialog.
BEGIN_MESSAGE_MAP(CViewDlg, CDialogEx)
// "Process" button: pick a target process and list its imported DLLs.
ON_BN_CLICKED(IDC_BUTTON_PROCESS, &CViewDlg::OnBnClickedButtonProcess)
// "Get API" button: resolve one export of one DLL inside the chosen process.
ON_BN_CLICKED(IDC_BUTTON_GET_API, &CViewDlg::OnBnClickedButtonGetApi)
END_MESSAGE_MAP()
// CViewDlg message handlers
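/// "Process" button handler: lets the user choose a process, shows its PID and
/// image name in the edit box, remembers the PID in m_dwID and fills the list box
/// via GetMemoryInfo().
void CViewDlg::OnBnClickedButtonProcess()
{
    CChooseProcessDlg dlg;
    if (IDOK != dlg.DoModal())
    {
        return;
    }

    const DWORD dwID = dlg.GetProcessID();
    char szProcessName[MAX_PATH] = {0};
    // Bounded copy: the length of the name returned by the chooser dialog is not
    // known here, so an unbounded lstrcat could overrun the MAX_PATH buffer.
    ::lstrcpyn(szProcessName, dlg.GetProcessName(), MAX_PATH);

    m_strProcess.Format("pid:%d exe file:%s", dwID, szProcessName);
    UpdateData(FALSE);   // push m_strProcess into the edit box
    m_dwID = dwID;       // consumed later by OnBnClickedButtonGetApi
    GetMemoryInfo(dwID);
}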
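/// Opens process dwID read-only, finds its image base, the DLLs named in its import
/// table and their load addresses, and prints the result into m_ViewList.
/// @param dwID  PID of the target process.
/// @return FALSE when the process cannot be opened or its module list cannot be read
///         (an error box is shown); TRUE otherwise, even if some DLLs were not resolved.
BOOL CViewDlg::GetMemoryInfo(DWORD dwID)
{
    HMODULE hBaseAddress = NULL;
    char szDllNameArray[MAX_PATH][MAX_PATH] = {0};
    DWORD dwDllNum = 0;
    DWORD64 dwAddressArray[MAX_PATH] = {0};
    DWORD dwIndex = 0;
    BOOL b32 = FALSE;

    // Everything below only reads the target (module list, WOW64 flag, memory), so
    // ask for exactly those rights rather than PROCESS_ALL_ACCESS; this also works on
    // processes where full access would be refused.
    HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwID);
    if (NULL == hProcess)
    {
        char szErr[MAX_PATH] = {0};
        ::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
        ::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
        return FALSE;
    }

    // If the query fails b32 stays FALSE and the process is treated as 64-bit.
    ::IsWow64Process(hProcess, &b32);

    GetProcessBaseAddress(&hBaseAddress, hProcess);
    if (NULL == hBaseAddress)
    {
        // Without an image base every PE-header read below would target address 0.
        char szErr[MAX_PATH] = {0};
        ::wsprintf(szErr, "Enum Process Modules Error!\nError Code:%d\n", ::GetLastError());
        ::CloseHandle(hProcess);
        ::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
        return FALSE;
    }

    // Names come from the import directory of the main image; failures leave
    // dwDllNum at whatever was filled so far.
    GetProcessDllName(hProcess, hBaseAddress, szDllNameArray, dwDllNum, b32);
    if (dwDllNum > MAX_PATH)
    {
        dwDllNum = MAX_PATH;   // both local arrays hold exactly MAX_PATH entries
    }
    for (dwIndex = 0; dwIndex < dwDllNum; dwIndex++)
    {
        dwAddressArray[dwIndex] = GetProcessDllBaseAddress(hProcess, hBaseAddress, szDllNameArray[dwIndex], b32);
    }
    // No further reads from the target: release the handle instead of leaking it.
    ::CloseHandle(hProcess);

    // Report. The buffer has headroom for the longest prefix plus a name.
    m_ViewList.ResetContent();
    char szTemp[MAX_PATH + 32] = {0};
    ::wsprintf(szTemp, "Process PID:%d", dwID);
    m_ViewList.AddString(szTemp);
    m_ViewList.AddString(b32 ? "32bits" : "64bits");
    m_ViewList.AddString("");
    ::wsprintf(szTemp, "Base Address:\n0x%016I64x", (DWORD64)hBaseAddress);
    m_ViewList.AddString(szTemp);
    m_ViewList.AddString("");
    for (dwIndex = 0; dwIndex < dwDllNum; dwIndex++)
    {
        ::wsprintf(szTemp, "Dll Name:%s", szDllNameArray[dwIndex]);
        m_ViewList.AddString(szTemp);
        // 0 here means the DLL's base could not be located.
        ::wsprintf(szTemp, "Load Base Address:0x%016I64x", dwAddressArray[dwIndex]);
        m_ViewList.AddString(szTemp);
        m_ViewList.AddString("");
    }
    return TRUE;
}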
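/// Stores the first module handle of hProcess in *lpBaseAddress; callers use it as
/// the main image base (presumably the executable comes first — not verified here).
/// @param lpBaseAddress  receives the HMODULE, or NULL on failure.
/// @param hProcess       handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
/// @return the result of EnumProcessModules instead of an unconditional TRUE, so
///         callers can tell that *lpBaseAddress is meaningful.
BOOL CViewDlg::GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess)
{
    if (NULL == lpBaseAddress)
    {
        return FALSE;
    }
    *lpBaseAddress = NULL;
    // Only one slot is supplied; cbNeeded just reports the size of the full list and
    // must not be NULL since the API writes through it.
    DWORD cbNeeded = 0;
    return ::EnumProcessModules(hProcess, lpBaseAddress, sizeof(HMODULE), &cbNeeded);
}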
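/// Reads the import directory of the image at hBaseAddress inside hProcess and copies
/// the name of every imported DLL into szDllNameArray.
/// @param hProcess        handle with PROCESS_VM_READ.
/// @param hBaseAddress    image base of the module whose imports are listed.
/// @param szDllNameArray  receives up to MAX_PATH NUL-terminated names (each at most
///                        kNameBytes characters; longer names are truncated).
/// @param dwDllNum        receives the number of names actually stored.
/// @param b32             TRUE for a PE32 (WOW64) target, FALSE for PE32+.
/// @return FALSE if the DOS/PE headers cannot be read (an error box is shown) or do
///         not carry the MZ / PE signatures, or if the import directory entry is
///         unreadable; TRUE otherwise.
BOOL CViewDlg::GetProcessDllName(HANDLE hProcess, HMODULE hBaseAddress, char szDllNameArray[MAX_PATH][MAX_PATH], DWORD &dwDllNum, BOOL b32)
{
    // Bytes of each DLL name copied out of the target.
    const DWORD kNameBytes = 50;
    // IMAGE_IMPORT_DESCRIPTOR is 20 bytes; its Name RVA sits at offset 12.
    const DWORD kDescriptorSize = 20;
    const DWORD kDescriptorNameOffset = 12;

    const DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
    WORD MZ = 0;
    DWORD dwlfanew = 0;
    DWORD PE00 = 0;
    SIZE_T cbRead = 0;

    dwDllNum = 0;

    // DOS header: "MZ" at the image base.
    if (!::ReadProcessMemory(hProcess, (LPCVOID)dwBaseAddress, &MZ, sizeof(MZ), &cbRead)
        || sizeof(MZ) != cbRead)
    {
        char szErr[MAX_PATH] = {0};
        ::wsprintf(szErr, "Read Process Memory Error!\nError Code:%d", ::GetLastError());
        ::MessageBox(m_hWnd, szErr, NULL, MB_OK | MB_ICONWARNING);
        return FALSE;
    }
    if (MZ != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }

    // e_lfanew (DOS header offset 0x3c) locates the "PE\0\0" signature.
    if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, sizeof(dwlfanew), &cbRead)
        || sizeof(dwlfanew) != cbRead
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew), &PE00, sizeof(PE00), &cbRead)
        || sizeof(PE00) != cbRead)
    {
        char szErr[MAX_PATH] = {0};
        ::wsprintf(szErr, "Read Process Memory Error!\nError Code:%d", ::GetLastError());
        ::MessageBox(m_hWnd, szErr, NULL, MB_OK | MB_ICONWARNING);
        return FALSE;
    }
    if (PE00 != IMAGE_NT_SIGNATURE)
    {
        return FALSE;
    }

    // Optional header follows the 4-byte signature and the 20-byte file header. Its
    // data directories start at +96 (PE32) or +112 (PE32+); entry 1 (offset 8) is the
    // import directory: 4-byte RVA followed by 4-byte Size.
    const DWORD dwDataDirOffset = b32 ? 96 : 112;
    const DWORD64 dwImportEntry = dwBaseAddress + dwlfanew + 4 + 20 + dwDataDirOffset + 8;
    DWORD dwImportRVA = 0;
    DWORD dwImportSize = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)dwImportEntry, &dwImportRVA, sizeof(dwImportRVA), NULL)
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwImportEntry + 4), &dwImportSize, sizeof(dwImportSize), NULL))
    {
        return FALSE;
    }

    // Descriptor count excluding the all-zero terminator. A Size of 0 used to wrap
    // (0 - 1) / 20 into a huge count and overrun szDllNameArray; clamp to the array.
    DWORD dwCount = (dwImportSize > 0) ? (dwImportSize - 1) / kDescriptorSize : 0;
    if (0 == dwImportRVA)
    {
        dwCount = 0;   // image has no import directory
    }
    if (dwCount > MAX_PATH)
    {
        dwCount = MAX_PATH;
    }

    for (DWORD i = 0; i < dwCount; i++)
    {
        DWORD dwNameRVA = 0;
        char szName[kNameBytes + 1] = {0};   // spare byte keeps the copy NUL-terminated
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwImportRVA + i * kDescriptorSize + kDescriptorNameOffset), &dwNameRVA, sizeof(dwNameRVA), NULL)
            || !::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwNameRVA), szName, kNameBytes, NULL))
        {
            // TODO(review): a name that ends within kNameBytes of an unmapped page makes
            // the whole read fail; a shorter fallback read would recover it.
            break;
        }
        ::lstrcpyn(szDllNameArray[i], szName, MAX_PATH);
        dwDllNum = i + 1;
    }
    return TRUE;
}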
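/// Finds the load address of the DLL named szDllName by scanning the import
/// descriptors of the image at hBaseAddress: the first IAT slot of the matching
/// descriptor holds an address inside that DLL once the loader has resolved it, and
/// GetDllBase() walks down from there to the DLL's PE header.
/// @param hProcess      handle with PROCESS_VM_READ.
/// @param hBaseAddress  image base whose import table is searched.
/// @param szDllName     NUL-terminated DLL name, compared case-insensitively.
/// @param b32           TRUE for a PE32 target (4-byte IAT slots), FALSE for PE32+ (8-byte).
/// @return the DLL's base address, or 0 if it is not imported or a read fails.
/// NOTE(review): an import resolved through a forwarder or api-set DLL points into a
/// different module than the one named — such names resolve to that module's base.
DWORD64 CViewDlg::GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32)
{
    // IMAGE_IMPORT_DESCRIPTOR layout used here: Name at +12, FirstThunk at +16, 20 bytes each.
    const DWORD kDescriptorSize = 20;
    const DWORD kDescriptorNameOffset = 12;
    const DWORD kDescriptorFirstThunkOffset = 16;

    if (NULL == hBaseAddress || NULL == szDllName || 0 == szDllName[0])
    {
        return 0;
    }

    const DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
    DWORD dwlfanew = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, sizeof(dwlfanew), NULL))
    {
        return 0;
    }

    // Data directories start at +96 (PE32) / +112 (PE32+) of the optional header,
    // which follows the 4-byte signature and 20-byte file header; entry 1 (+8) is
    // the import directory (RVA, Size).
    const DWORD dwDataDirOffset = b32 ? 96 : 112;
    const DWORD64 dwImportEntry = dwBaseAddress + dwlfanew + 4 + 20 + dwDataDirOffset + 8;
    DWORD dwImportRVA = 0;
    DWORD dwImportSize = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)dwImportEntry, &dwImportRVA, sizeof(dwImportRVA), NULL)
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwImportEntry + 4), &dwImportSize, sizeof(dwImportSize), NULL))
    {
        return 0;
    }
    if (0 == dwImportRVA || 0 == dwImportSize)
    {
        return 0;   // no import directory; also avoids (0 - 1) / 20 wrapping to a huge count
    }
    const DWORD dwCount = (dwImportSize - 1) / kDescriptorSize;

    // Only dwDllNameLen bytes of each remote name are read: a longer remote name then
    // differs at the byte where szDllName has its terminator, so the compare stays
    // exact. szTemp has one spare byte so it is NUL-terminated even when the name
    // fills all MAX_PATH - 1 characters.
    const DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
    char szTemp[MAX_PATH + 1] = {0};
    const SIZE_T cbThunk = b32 ? 4 : 8;

    for (DWORD i = 0; i < dwCount; i++)
    {
        const DWORD64 dwDescriptor = dwBaseAddress + dwImportRVA + i * kDescriptorSize;
        DWORD dwNameRVA = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDescriptor + kDescriptorNameOffset), &dwNameRVA, sizeof(dwNameRVA), NULL))
        {
            break;   // descriptor table itself is unreadable; nothing further to scan
        }
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwNameRVA), szTemp, dwDllNameLen, NULL))
        {
            continue;   // skip rather than compare against the previous iteration's bytes
        }
        if (0 != ::lstrcmpi(szDllName, szTemp))
        {
            continue;
        }

        // FirstThunk is the RVA of this DLL's IAT; its first slot is read with the
        // target's pointer width into the low bytes of a DWORD64 (little-endian).
        DWORD dwFirstThunk = 0;
        DWORD64 dwFunctionAddress = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDescriptor + kDescriptorFirstThunkOffset), &dwFirstThunk, sizeof(dwFirstThunk), NULL)
            || !::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFirstThunk), &dwFunctionAddress, cbThunk, NULL))
        {
            break;
        }
        return GetDllBase(hProcess, dwFunctionAddress, b32);
    }
    return 0;
}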
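/// Walks downward from dwFunctionAddress in 0x10000 steps (the 64 KiB granularity
/// the original search relied on) until a region starting with "MZ" whose e_lfanew
/// points at "PE\0\0" is found, and returns that address.
/// @param hProcess           handle with PROCESS_VM_READ.
/// @param dwFunctionAddress  any address inside the module (e.g. an IAT entry).
/// @param b32                TRUE keeps only the low 32 bits of the address.
/// @return the candidate module base, or 0 if none is found down to 0x10000.
/// The search stops at 0x10000 rather than the previous 0x10000000 floor, so images
/// mapped low are found too; the previous do/while also never terminated when handed
/// an address below 0x10000 (the subtraction wrapped around).
DWORD64 CViewDlg::GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32)
{
    const DWORD64 kGranularity = 0x10000;

    // Round down to the granule containing the address.
    dwFunctionAddress &= b32 ? 0xFFFF0000ULL : 0xFFFFFFFFFFFF0000ULL;

    for (DWORD64 dwCandidate = dwFunctionAddress; dwCandidate >= kGranularity; dwCandidate -= kGranularity)
    {
        // Fresh locals per iteration so a failed read never reuses the previous
        // granule's signature bytes.
        WORD MZ = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)dwCandidate, &MZ, sizeof(MZ), NULL)
            || IMAGE_DOS_SIGNATURE != MZ)
        {
            continue;
        }
        DWORD dwlfanew = 0;
        DWORD PE00 = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwCandidate + 0x003c), &dwlfanew, sizeof(dwlfanew), NULL)
            || !::ReadProcessMemory(hProcess, (LPCVOID)(dwCandidate + dwlfanew), &PE00, sizeof(PE00), NULL))
        {
            continue;
        }
        if (IMAGE_NT_SIGNATURE == PE00)
        {
            return dwCandidate;
        }
    }
    return 0;
}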
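/// "Get API" button handler: resolves the export named in the Function edit box
/// of the DLL named in the DLL edit box, inside the process chosen earlier
/// (m_dwID), and appends the result to m_ViewList. An address of 0 is printed when
/// the DLL or the export is not found.
void CViewDlg::OnBnClickedButtonGetApi()
{
    UpdateData(TRUE);   // pull the edit-box text into m_strDllName / m_strFunc

    // Bounded copies: the edit boxes are not length-limited, so the strings may be
    // longer than MAX_PATH; (LPCTSTR) avoids the GetBuffer/ReleaseBuffer pair.
    char szDllName[MAX_PATH] = {0};
    char szFuncName[MAX_PATH] = {0};
    ::lstrcpyn(szDllName, (LPCTSTR)m_strDllName, MAX_PATH);
    ::lstrcpyn(szFuncName, (LPCTSTR)m_strFunc, MAX_PATH);

    HMODULE hBaseAddress = NULL;
    BOOL b32 = FALSE;

    // Read-only lookup: query + VM-read rights are all the calls below need.
    HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, m_dwID);
    if (NULL == hProcess)
    {
        char szErr[MAX_PATH] = {0};
        ::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
        ::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
        return ;
    }

    // b32 stays FALSE (64-bit assumed) if the query fails.
    ::IsWow64Process(hProcess, &b32);
    GetProcessBaseAddress(&hBaseAddress, hProcess);

    DWORD64 dwDllBaseAddress = 0;
    DWORD64 dwDllFuncAddress = 0;
    if (NULL != hBaseAddress)
    {
        dwDllBaseAddress = GetProcessDllBaseAddress(hProcess, hBaseAddress, szDllName, b32);
    }
    // Only parse an export table when a DLL base was actually found; base 0 would
    // send every header read to the null page.
    if (0 != dwDllBaseAddress)
    {
        dwDllFuncAddress = GetFuncInDll(hProcess, dwDllBaseAddress, szFuncName, b32);
    }
    // Nothing else reads the target; release the handle instead of leaking it.
    ::CloseHandle(hProcess);

    // Headroom for the "Function:" prefix plus a MAX_PATH - 1 character name.
    char szTemp[MAX_PATH + 32] = {0};
    ::wsprintf(szTemp, "Dll:%s", szDllName);
    m_ViewList.AddString(szTemp);
    ::wsprintf(szTemp, "Function:%s", szFuncName);
    m_ViewList.AddString(szTemp);
    ::wsprintf(szTemp, "Image Address:0x%016I64x", dwDllFuncAddress);
    m_ViewList.AddString(szTemp);
    m_ViewList.AddString("");
}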
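/// Looks up an export by name in the DLL mapped at dwDllBaseAddress and returns
/// base + function RVA.
/// @param hProcess          handle with PROCESS_VM_READ.
/// @param dwDllBaseAddress  base of the DLL whose export directory is parsed.
/// @param lpszFuncName      NUL-terminated export name; compared case-insensitively
///                          here (the Windows loader's own GetProcAddress is
///                          case-sensitive, so this is looser than the loader).
/// @param b32               TRUE for a PE32 DLL, FALSE for PE32+.
/// @return the export's address, or 0 when the DLL has no export directory, the
///         name is absent, or a read fails.
/// NOTE(review): a forwarded export stores an RVA to a "DLL.Func" string inside the
/// export directory instead of code; that case is not distinguished here, so the
/// returned value is only meaningful for non-forwarded exports.
DWORD64 CViewDlg::GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32)
{
    if (0 == dwDllBaseAddress || NULL == lpszFuncName)
    {
        return 0;
    }

    // Only dwFuncNameLen bytes of each remote name are read; a longer remote name
    // then differs at the terminator position, so the compare stays exact. szTemp
    // keeps one spare byte so it is always NUL-terminated.
    const DWORD dwFuncNameLen = ::lstrlen(lpszFuncName) + 1;
    if (dwFuncNameLen > MAX_PATH)
    {
        return 0;
    }
    char szTemp[MAX_PATH + 1] = {0};

    DWORD dwlfanew = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + 0x003c), &dwlfanew, sizeof(dwlfanew), NULL))
    {
        return 0;
    }

    // Export directory is data-directory entry 0, at +96 (PE32) / +112 (PE32+) of the
    // optional header, which follows the 4-byte signature and 20-byte file header.
    const DWORD dwDataDirOffset = b32 ? 96 : 112;
    DWORD dwExportRVA = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + dwDataDirOffset), &dwExportRVA, sizeof(dwExportRVA), NULL)
        || 0 == dwExportRVA)
    {
        return 0;   // unreadable, or the DLL exports nothing
    }

    // IMAGE_EXPORT_DIRECTORY fields used: NumberOfNames +24, AddressOfFunctions +28,
    // AddressOfNames +32, AddressOfNameOrdinals +36. All are loop-invariant, so read
    // them once instead of on every match.
    const DWORD64 dwExportDir = dwDllBaseAddress + dwExportRVA;
    DWORD dwNumberOfNames = 0;
    DWORD dwAddressOfFunctions = 0;
    DWORD dwAddressOfNames = 0;
    DWORD dwAddressOfNameOrdinals = 0;
    if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwExportDir + 24), &dwNumberOfNames, sizeof(dwNumberOfNames), NULL)
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwExportDir + 28), &dwAddressOfFunctions, sizeof(dwAddressOfFunctions), NULL)
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwExportDir + 32), &dwAddressOfNames, sizeof(dwAddressOfNames), NULL)
        || !::ReadProcessMemory(hProcess, (LPCVOID)(dwExportDir + 36), &dwAddressOfNameOrdinals, sizeof(dwAddressOfNameOrdinals), NULL))
    {
        return 0;
    }

    for (DWORD i = 0; i < dwNumberOfNames; i++)
    {
        DWORD dwNameRVA = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNames + 4 * i), &dwNameRVA, sizeof(dwNameRVA), NULL))
        {
            break;   // name-pointer table unreadable; nothing further to scan
        }
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwNameRVA), szTemp, dwFuncNameLen, NULL))
        {
            continue;   // skip rather than compare the previous iteration's bytes
        }
        if (0 != ::lstrcmpi(lpszFuncName, szTemp))
        {
            continue;
        }

        // AddressOfNameOrdinals[i] is the index into AddressOfFunctions (ordinal - Base).
        WORD wOrdinalIndex = 0;
        DWORD dwFuncRVA = 0;
        if (!::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNameOrdinals + 2 * i), &wOrdinalIndex, sizeof(wOrdinalIndex), NULL)
            || !::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfFunctions + 4 * wOrdinalIndex), &dwFuncRVA, sizeof(dwFuncRVA), NULL))
        {
            break;
        }
        return dwDllBaseAddress + dwFuncRVA;
    }
    return 0;
}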