init
DemonGan 2022-04-14 14:09:23 +00:00
parent f33d2a66bf
commit d652468116
24 changed files with 2019 additions and 0 deletions

BIN
HandleMemory.exe Normal file

Binary file not shown.


@ -0,0 +1,119 @@
// ChooseProcessDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "ChooseProcessDlg.h"
#include "afxdialogex.h"
// CChooseProcessDlg 对话框
IMPLEMENT_DYNAMIC(CChooseProcessDlg, CDialogEx)
CChooseProcessDlg::CChooseProcessDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CChooseProcessDlg::IDD, pParent)
{
}
CChooseProcessDlg::~CChooseProcessDlg()
{
}
void CChooseProcessDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Control(pDX, IDC_LIST_PROCESS, m_ProcessList);
}
BEGIN_MESSAGE_MAP(CChooseProcessDlg, CDialogEx)
ON_BN_CLICKED(IDOK, &CChooseProcessDlg::OnBnClickedOk)
END_MESSAGE_MAP()
// CChooseProcessDlg 消息处理程序
BOOL CChooseProcessDlg::OnInitDialog()
{
CDialogEx::OnInitDialog();
// TODO: 在此添加额外的初始化
InitListControl();
return TRUE; // return TRUE unless you set the focus to a control
// 异常: OCX 属性页应返回 FALSE
}
void CChooseProcessDlg::OnBnClickedOk()
{
// TODO: 在此添加控件通知处理程序代码
DWORD dwIndex = m_ProcessList.GetSelectionMark();
if(0 > dwIndex)
{
::MessageBox(m_hWnd, "Please Choose a Item!", "Warn", MB_OK | MB_ICONWARNING);
return ;
}
// 获取名称
m_ProcessList.GetItemText(dwIndex, 0, m_szProcessName, MAX_PATH);
// 获取PID
char szTemp[MAX_PATH] = {0};
m_ProcessList.GetItemText(dwIndex, 1, szTemp, MAX_PATH);
m_dwID = atoi(szTemp);
CDialogEx::OnOK();
}
DWORD CChooseProcessDlg::GetProcessID()
{
return m_dwID;
}
char *CChooseProcessDlg::GetProcessName()
{
return m_szProcessName;
}
BOOL CChooseProcessDlg::InitListControl()
{
// 初始化列表控件
m_ProcessList.InsertColumn(0, "Name", 0, 180);
m_ProcessList.InsertColumn(1, "PID", 0, 60);
m_ProcessList.SetExtendedStyle(LVS_EX_GRIDLINES | LVS_EX_FULLROWSELECT);
m_ProcessList.SetTextColor(RGB(0,100,0));
// 获取进程信息
GetProcessInfo();
return TRUE;
}
BOOL CChooseProcessDlg::GetProcessInfo()
{
m_ProcessList.DeleteAllItems();
PROCESSENTRY32 pe32 = {0};
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(INVALID_HANDLE_VALUE == hProcessSnap)
{
::MessageBox(NULL, "Create Process Snapshot Error!", "Error", MB_OK);
return FALSE;
}
BOOL bMore = ::Process32First(hProcessSnap, &pe32);
DWORD dwIndex = 0;
char szTemp[MAX_PATH] = {0};
while(bMore)
{
::wsprintf(szTemp, "%s", pe32.szExeFile);
m_ProcessList.InsertItem(dwIndex, szTemp);
::wsprintf(szTemp, "%d", pe32.th32ProcessID);
m_ProcessList.SetItemText(dwIndex, 1, szTemp);
bMore = ::Process32Next(hProcessSnap, &pe32);
}
return TRUE;
}
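Review bot: In OnBnClickedOk, `DWORD dwIndex = m_ProcessList.GetSelectionMark();` stores a signed result (-1 when nothing is selected) in an unsigned variable, so `if(0 > dwIndex)` can never be true and the "Please Choose a Item!" path is dead; with no selection, GetItemText is called with index 0xFFFFFFFF. Change the two lines to `int nIndex = m_ProcessList.GetSelectionMark();` and `if (nIndex < 0)`. GetProcessInfo also never calls `::CloseHandle(hProcessSnap)` after the Process32Next loop, so the snapshot handle leaks each time the dialog is opened, and `dwIndex` is never incremented, so every InsertItem goes to position 0 and the list is displayed in reverse enumeration order.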


@ -0,0 +1,35 @@
#pragma once
#include "afxwin.h"
#include "afxcmn.h"
#include "TlHelp32.h"
// CChooseProcessDlg 对话框
class CChooseProcessDlg : public CDialogEx
{
DECLARE_DYNAMIC(CChooseProcessDlg)
private:
DWORD m_dwID;
char m_szProcessName[MAX_PATH];
public:
DWORD GetProcessID();
char* GetProcessName();
BOOL InitListControl();
BOOL GetProcessInfo();
public:
CChooseProcessDlg(CWnd* pParent = NULL); // 标准构造函数
virtual ~CChooseProcessDlg();
// 对话框数据
enum { IDD = IDD_DIALOG_CHOOSE_PROCESS };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
DECLARE_MESSAGE_MAP()
public:
afx_msg void OnBnClickedOk();
CListCtrl m_ProcessList;
virtual BOOL OnInitDialog();
};
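Review bot: `char* GetProcessName()` hands out a writable pointer to the dialog's internal `m_szProcessName` buffer; declaring it `const char* GetProcessName() const;` (and `DWORD GetProcessID() const;`) documents that callers only read it. Neither `m_dwID` nor `m_szProcessName` is initialised anywhere — the constructor in ChooseProcessDlg.cpp is empty — so a caller that reads them after the dialog was cancelled gets indeterminate values; a `m_dwID(0)` initialiser and a zeroed buffer in the constructor would close that. A one-line comment on `GetProcessInfo()` noting that it repopulates `m_ProcessList` from a Toolhelp snapshot would also help, since the name reads like a getter.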

BIN
源代码/HandleMemory.aps Normal file

Binary file not shown.

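--- a/源代码/HandleMemory.cpp
+++ b/源代码/HandleMemory.cpp
@@ -0,0 +1,108 @@
+// HandleMemory.cpp : 定义应用程序的类行为。
+//
+#include "stdafx.h"
+#include "HandleMemory.h"
+#include "HandleMemoryDlg.h"
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#endif
+// CHandleMemoryApp
+BEGIN_MESSAGE_MAP(CHandleMemoryApp, CWinApp)
+ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
+END_MESSAGE_MAP()
+// CHandleMemoryApp 构造
+CHandleMemoryApp::CHandleMemoryApp()
+{
+// 支持重新启动管理器
+m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
+// TODO: 在此处添加构造代码,
+// 将所有重要的初始化放置在 InitInstance 中
+}
+// 唯一的一个 CHandleMemoryApp 对象
+CHandleMemoryApp theApp;
+// CHandleMemoryApp 初始化
+BOOL CHandleMemoryApp::InitInstance()
+{
+// 如果一个运行在 Windows XP 上的应用程序清单指定要
+// 使用 ComCtl32.dll 版本 6 或更高版本来启用可视化方式,
+//则需要 InitCommonControlsEx()。否则,将无法创建窗口。
+INITCOMMONCONTROLSEX InitCtrls;
+InitCtrls.dwSize = sizeof(InitCtrls);
+// 将它设置为包括所有要在应用程序中使用的
+// 公共控件类。
+InitCtrls.dwICC = ICC_WIN95_CLASSES;
+InitCommonControlsEx(&InitCtrls);
+CWinApp::InitInstance();
+if (!AfxSocketInit())
+{
+AfxMessageBox(IDP_SOCKETS_INIT_FAILED);
+return FALSE;
+}
+AfxEnableControlContainer();
+// 创建 shell 管理器,以防对话框包含
+// 任何 shell 树视图控件或 shell 列表视图控件。
+CShellManager *pShellManager = new CShellManager;
+// 激活“Windows Native”视觉管理器以便在 MFC 控件中启用主题
+CMFCVisualManager::SetDefaultManager(RUNTIME_CLASS(CMFCVisualManagerWindows));
+// 标准初始化
+// 如果未使用这些功能并希望减小
+// 最终可执行文件的大小,则应移除下列
+// 不需要的特定初始化例程
+// 更改用于存储设置的注册表项
+// TODO: 应适当修改该字符串,
+// 例如修改为公司或组织名
+SetRegistryKey(_T("应用程序向导生成的本地应用程序"));
+CHandleMemoryDlg dlg;
+m_pMainWnd = &dlg;
+INT_PTR nResponse = dlg.DoModal();
+if (nResponse == IDOK)
+{
+// TODO: 在此放置处理何时用
+// “确定”来关闭对话框的代码
+}
+else if (nResponse == IDCANCEL)
+{
+// TODO: 在此放置处理何时用
+// “取消”来关闭对话框的代码
+}
+else if (nResponse == -1)
+{
+TRACE(traceAppMsg, 0, "警告: 对话框创建失败,应用程序将意外终止。\n");
+TRACE(traceAppMsg, 0, "警告: 如果您在对话框上使用 MFC 控件,则无法 #define _AFX_NO_MFC_CONTROLS_IN_DIALOGS。\n");
+}
+// 删除上面创建的 shell 管理器。
+if (pShellManager != NULL)
+{
+delete pShellManager;
+}
+// 由于对话框已关闭,所以将返回 FALSE 以便退出应用程序,
+// 而不是启动应用程序的消息泵。
+return FALSE;
+}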
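Review bot: `SetRegistryKey(_T("应用程序向导生成的本地应用程序"));` still carries the wizard's placeholder string, so the app's profile settings are written under that generic key in HKCU; the TODO two lines above it asks for a project- or organisation-specific name, e.g. `SetRegistryKey(_T("HandleMemory"));`. `CShellManager` is held as an owning raw pointer with a manual `delete`; the vcxproj selects the v110 toolset, which supports C++11, so `std::unique_ptr<CShellManager> pShellManager(new CShellManager);` would remove the `if (pShellManager != NULL) delete` block. `AfxSocketInit()` is also called although nothing in the visible files uses sockets — if that is wizard residue too, it can go.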

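--- a/源代码/HandleMemory.h
+++ b/源代码/HandleMemory.h
@@ -0,0 +1,32 @@
+// HandleMemory.h : PROJECT_NAME 应用程序的主头文件
+//
+#pragma once
+#ifndef __AFXWIN_H__
+#error "在包含此文件之前包含“stdafx.h”以生成 PCH 文件"
+#endif
+#include "resource.h" // 主符号
+// CHandleMemoryApp:
+// 有关此类的实现,请参阅 HandleMemory.cpp
+//
+class CHandleMemoryApp : public CWinApp
+{
+public:
+CHandleMemoryApp();
+// 重写
+public:
+virtual BOOL InitInstance();
+// 实现
+DECLARE_MESSAGE_MAP()
+};
+extern CHandleMemoryApp theApp;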

BIN
源代码/HandleMemory.rc Normal file

Binary file not shown.


@ -0,0 +1,26 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2012
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HandleMemory", "HandleMemory.vcxproj", "{DF1912F4-C02D-4508-A4AB-CB51D4207454}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Debug|Win32.ActiveCfg = Debug|Win32
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Debug|Win32.Build.0 = Debug|Win32
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Debug|x64.ActiveCfg = Debug|x64
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Debug|x64.Build.0 = Debug|x64
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Release|Win32.ActiveCfg = Release|Win32
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Release|Win32.Build.0 = Release|Win32
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Release|x64.ActiveCfg = Release|x64
{DF1912F4-C02D-4508-A4AB-CB51D4207454}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

Binary file not shown.


@ -0,0 +1,228 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{DF1912F4-C02D-4508-A4AB-CB51D4207454}</ProjectGuid>
<RootNamespace>HandleMemory</RootNamespace>
<Keyword>MFCProj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v110_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ChooseProcessDlg.h" />
<ClInclude Include="HandleMemory.h" />
<ClInclude Include="HandleMemoryDlg.h" />
<ClInclude Include="InjectDlg.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="ViewDlg.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="ChooseProcessDlg.cpp" />
<ClCompile Include="HandleMemory.cpp" />
<ClCompile Include="HandleMemoryDlg.cpp" />
<ClCompile Include="InjectDlg.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="ViewDlg.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="HandleMemory.rc" />
</ItemGroup>
<ItemGroup>
<None Include="res\HandleMemory.rc2" />
</ItemGroup>
<ItemGroup>
<Image Include="res\demon64X64.ico" />
<Image Include="res\HandleMemory.ico" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
<ProjectExtensions>
<VisualStudio>
<UserProperties RESOURCE_FILE="HandleMemory.rc" />
</VisualStudio>
</ProjectExtensions>
</Project>
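Review bot: `<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>` appears only in the Release|x64 link settings, and that configuration alone uses `<PlatformToolset>v110_xp</PlatformToolset>` and `<UseOfMfc>Static</UseOfMfc>` while the other three use `v110` and `Dynamic`. Debug builds will therefore start un-elevated, and the `EnablePriv()` call in HandleMemoryDlg.cpp will presumably fail there, so behaviour differs between configurations for reasons the project file does not state. Make the four configurations consistent, or add a comment in the project file explaining why Release|x64 is the only one that is manifested and linked differently.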


@ -0,0 +1,84 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="HandleMemory.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="HandleMemoryDlg.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="InjectDlg.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="ViewDlg.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="ChooseProcessDlg.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="HandleMemory.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="HandleMemoryDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="InjectDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="ViewDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="ChooseProcessDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="HandleMemory.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<None Include="res\HandleMemory.rc2">
<Filter>资源文件</Filter>
</None>
</ItemGroup>
<ItemGroup>
<Image Include="res\HandleMemory.ico">
<Filter>资源文件</Filter>
</Image>
<Image Include="res\demon64X64.ico">
<Filter>资源文件</Filter>
</Image>
</ItemGroup>
</Project>


@ -0,0 +1,277 @@
// HandleMemoryDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "HandleMemoryDlg.h"
#include "afxdialogex.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// 用于应用程序“关于”菜单项的 CAboutDlg 对话框
class CAboutDlg : public CDialogEx
{
public:
CAboutDlg();
// 对话框数据
enum { IDD = IDD_ABOUTBOX };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
{
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()
// CHandleMemoryDlg 对话框
CHandleMemoryDlg::CHandleMemoryDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CHandleMemoryDlg::IDD, pParent)
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
void CHandleMemoryDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Control(pDX, IDC_TAB_MAIN, m_TabMain);
}
BEGIN_MESSAGE_MAP(CHandleMemoryDlg, CDialogEx)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_NOTIFY(TCN_SELCHANGE, IDC_TAB_MAIN, &CHandleMemoryDlg::OnSelchangeTabMain)
ON_COMMAND(ID_SYSTEM_VIEW, &CHandleMemoryDlg::OnSystemView)
ON_COMMAND(ID_SYSTEM_INJECT, &CHandleMemoryDlg::OnSystemInject)
ON_COMMAND(ID_HELP_ABOUT, &CHandleMemoryDlg::OnHelpAbout)
ON_COMMAND(ID_SYSTEM_EXIT, &CHandleMemoryDlg::OnSystemExit)
END_MESSAGE_MAP()
// CHandleMemoryDlg 消息处理程序
BOOL EnablePriv()
{
HANDLE hToken;
if(::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
TOKEN_PRIVILEGES tkp;
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);//修改进程权限
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
::AdjustTokenPrivileges(hToken, FALSE,&tkp, sizeof tkp, NULL, NULL);//通知系统修改进程权限
return ((::GetLastError() == ERROR_SUCCESS));
}
return FALSE;
}
BOOL CHandleMemoryDlg::OnInitDialog()
{
CDialogEx::OnInitDialog();
// 将“关于...”菜单项添加到系统菜单中。
// IDM_ABOUTBOX 必须在系统命令范围内。
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
BOOL bNameValid;
CString strAboutMenu;
bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
ASSERT(bNameValid);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// 设置此对话框的图标。当应用程序主窗口不是对话框时,框架将自动
// 执行此操作
SetIcon(m_hIcon, TRUE); // 设置大图标
SetIcon(m_hIcon, FALSE); // 设置小图标
// TODO: 在此添加额外的初始化代码
// 提权 -- 必不可少、不可或缺
if(!EnablePriv())
{
::MessageBox(m_hWnd, "Please Enable Privilege!", "Warn", MB_OK | MB_ICONWARNING);
}
InitTabControl(); // 初始化TAB控件
return TRUE; // 除非将焦点设置到控件,否则返回 TRUE
}
void CHandleMemoryDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialogEx::OnSysCommand(nID, lParam);
}
}
// 如果向对话框添加最小化按钮,则需要下面的代码
// 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序,
// 这将由框架自动完成。
void CHandleMemoryDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // 用于绘制的设备上下文
SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
// 使图标在工作区矩形中居中
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// 绘制图标
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialogEx::OnPaint();
}
}
//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CHandleMemoryDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
}
void CHandleMemoryDlg::OnSystemView()
{
// TODO: 在此添加命令处理程序代码
NMHDR nmhdr;
nmhdr.code = TCN_SELCHANGE;
nmhdr.hwndFrom = ::GetDlgItem(m_hWnd, IDC_TAB_MAIN);
nmhdr.idFrom = IDC_TAB_MAIN;
m_TabMain.SetCurSel(0);
::SendMessage(m_hWnd, WM_NOTIFY, MAKELONG(TCN_SELCHANGE, 0), (LPARAM)(&nmhdr));
}
void CHandleMemoryDlg::OnSystemInject()
{
// TODO: 在此添加命令处理程序代码
NMHDR nmhdr;
nmhdr.code = TCN_SELCHANGE;
nmhdr.hwndFrom = ::GetDlgItem(m_hWnd, IDC_TAB_MAIN);
nmhdr.idFrom = IDC_TAB_MAIN;
m_TabMain.SetCurSel(1);
::SendMessage(m_hWnd, WM_NOTIFY, MAKELONG(TCN_SELCHANGE, 0), (LPARAM)(&nmhdr));
}
void CHandleMemoryDlg::OnHelpAbout()
{
// TODO: 在此添加命令处理程序代码
CAboutDlg dlg;
dlg.DoModal();
}
void CHandleMemoryDlg::OnSystemExit()
{
// TODO: 在此添加命令处理程序代码
if(IDYES == ::MessageBox(m_hWnd, "Are you sure exit ?", "Confirm", MB_YESNO | MB_ICONWARNING))
{
exit(0);
}
}
BOOL CHandleMemoryDlg::InitTabControl()
{
// 插入两个标签
m_TabMain.InsertItem(0, " View ");
m_TabMain.InsertItem(1, " Inject ");
// 创建两个对话框
m_ViewDlg.Create(IDD_DIALOG_VIEW, GetDlgItem(IDC_TAB_MAIN));
m_InjectDlg.Create(IDD_DIALOG_INJECT, GetDlgItem(IDC_TAB_MAIN));
// 获取IDC_TAB客户区的大小
CRect rc;
m_TabMain.GetClientRect(&rc);
// 调整子对话框在父对话框中的位置
rc.top+=20;
rc.bottom-=1;
rc.left+=1;
rc.right-=1;
// 移动子对话框到指定位置
m_ViewDlg.MoveWindow(&rc);
m_InjectDlg.MoveWindow(&rc);
// 分别设置隐藏和显示
m_ViewDlg.ShowWindow(SW_SHOW);
m_InjectDlg.ShowWindow(SW_HIDE);
// 设置默认的选项卡
m_TabMain.SetCurSel(0);
return TRUE;
}
void CHandleMemoryDlg::OnSelchangeTabMain(NMHDR *pNMHDR, LRESULT *pResult)
{
// TODO: 在此添加控件通知处理程序代码
int iCurSel = m_TabMain.GetCurSel();
switch(iCurSel)
{
case 0:
{
m_ViewDlg.ShowWindow(SW_SHOW);
m_InjectDlg.ShowWindow(SW_HIDE);
break;
}
case 1:
{
m_ViewDlg.ShowWindow(SW_HIDE);
m_InjectDlg.ShowWindow(SW_SHOW);
break;
}
default:
break;
}
*pResult = 0;
}
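Review bot: EnablePriv opens a token handle and never closes it, and it ignores the return values of LookupPrivilegeValue and AdjustTokenPrivileges, relying on GetLastError alone. Replace the last two statements of the `if` body with `const BOOL bAdjusted = ::AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL);`, `const DWORD dwErr = ::GetLastError(); ::CloseHandle(hToken);` and `return bAdjusted && dwErr == ERROR_SUCCESS;` so the handle is released and ERROR_NOT_ALL_ASSIGNED still reports failure. EnablePriv is also a non-static free function with no declaration in the header, so it should be `static` or live in an anonymous namespace. Separately, OnSystemExit calls `exit(0)`, which skips the destructors of `theApp` and the open dialogs; `CDialogEx::OnCancel();` ends the modal loop normally and lets InitInstance return.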


@ -0,0 +1,47 @@
// HandleMemoryDlg.h : 头文件
//
#pragma once
#include "afxcmn.h"
#include "ViewDlg.h"
#include "InjectDlg.h"
// CHandleMemoryDlg 对话框
class CHandleMemoryDlg : public CDialogEx
{
private:
CViewDlg m_ViewDlg;
CInjectDlg m_InjectDlg;
private:
BOOL InitTabControl(); // 初始化TAB控件
// 构造
public:
CHandleMemoryDlg(CWnd* pParent = NULL); // 标准构造函数
// 对话框数据
enum { IDD = IDD_HANDLEMEMORY_DIALOG };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
HICON m_hIcon;
// 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
public:
CTabCtrl m_TabMain;
afx_msg void OnSelchangeTabMain(NMHDR *pNMHDR, LRESULT *pResult);
afx_msg void OnSystemView();
afx_msg void OnSystemInject();
afx_msg void OnHelpAbout();
afx_msg void OnSystemExit();
};
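Review bot: The private members `m_ViewDlg` and `m_InjectDlg` carry no comment, although HandleMemoryDlg.cpp creates them as children of the IDC_TAB_MAIN control and toggles their visibility from OnSelchangeTabMain; a comment such as `// Child dialogs hosted inside m_TabMain; exactly one is visible at a time` next to the declarations would save a reader a trip to the .cpp. `InitTabControl()` always returns TRUE in its definition, so either document that the return value is unused or make it `void`.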

410
源代码/InjectDlg.cpp Normal file

@ -0,0 +1,410 @@
// InjectDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "InjectDlg.h"
#include "afxdialogex.h"
// CInjectDlg 对话框
IMPLEMENT_DYNAMIC(CInjectDlg, CDialogEx)
CInjectDlg::CInjectDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CInjectDlg::IDD, pParent)
, m_strProcess(_T(""))
, m_strDll(_T(""))
{
m_dwID = 0;
::lstrcpy(m_szDllPath,"");
}
CInjectDlg::~CInjectDlg()
{
}
void CInjectDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Text(pDX, IDC_EDIT_PROCESS, m_strProcess);
DDX_Text(pDX, IDC_EDIT_DLL, m_strDll);
}
BEGIN_MESSAGE_MAP(CInjectDlg, CDialogEx)
ON_BN_CLICKED(IDC_BUTTON_PROCESS, &CInjectDlg::OnBnClickedButtonProcess)
ON_BN_CLICKED(IDC_BUTTON_DLL, &CInjectDlg::OnBnClickedButtonDll)
ON_BN_CLICKED(IDC_BUTTON_INJECT, &CInjectDlg::OnBnClickedButtonInject)
END_MESSAGE_MAP()
// CInjectDlg 消息处理程序
void CInjectDlg::OnBnClickedButtonProcess()
{
// TODO: 在此添加控件通知处理程序代码
CChooseProcessDlg dlg;
DWORD dwID = 0;
char szProcessName[MAX_PATH] = {0};
if(IDOK == dlg.DoModal())
{
dwID = dlg.GetProcessID();
::lstrcat(szProcessName, dlg.GetProcessName());
}
m_dwID = dwID;
m_strProcess.Format("pid:%d exe file:%s", dwID, szProcessName);
UpdateData(FALSE);
}
void CInjectDlg::OnBnClickedButtonDll()
{
// TODO: 在此添加控件通知处理程序代码
OPENFILENAME stOF;
::RtlZeroMemory(&stOF, sizeof(stOF));
char szFilter[MAX_PATH] = "dll files(*.dll)\0*.dll\0all files(*.*)\0*.*\0\0";
char szFileName[MAX_PATH] = {0};
stOF.lStructSize = sizeof(stOF);
stOF.hwndOwner = m_hWnd;
stOF.lpstrFilter = szFilter;
stOF.lpstrFile = szFileName;
stOF.nMaxFile = MAX_PATH;
stOF.Flags = OFN_PATHMUSTEXIST;
::GetOpenFileName(&stOF);
m_strDll = szFileName;
::lstrcpy(m_szDllPath, szFileName);
UpdateData(FALSE);
}
void CInjectDlg::OnBnClickedButtonInject()
{
// TODO: 在此添加控件通知处理程序代码
if(0 >= m_dwID)
{
::MessageBox(m_hWnd, "Please Choose A Process!", "Warn", MB_OK | MB_ICONWARNING);
return ;
}
if(0 >= ::lstrlen(m_szDllPath))
{
::MessageBox(m_hWnd, "Please Choose A Dll!", "Warn", MB_OK | MB_ICONWARNING);
return ;
}
BOOL bRet = RemoteProcessInject(m_dwID, m_szDllPath);
char szMsg[MAX_PATH] = {0};
if(bRet)
{
::wsprintf(szMsg, "Inject dll:%s \nto process pid:%d\nDONE!!!",m_szDllPath, m_dwID);
::MessageBox(m_hWnd, szMsg, "DONE", MB_OK | MB_ICONWARNING);
}
else
{
::wsprintf(szMsg, "Inject dll:%s \nto process pid:%d\nFAIL!!!",m_szDllPath, m_dwID);
::MessageBox(m_hWnd, szMsg, "FAIL", MB_OK | MB_ICONWARNING);
}
}
BOOL CInjectDlg::RemoteProcessInject(DWORD dwID, char *lpszDllPath)
{
// 打开要注入DLL的进程
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID);
if(NULL == hProcess)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// 判断是32位还是64位
BOOL b32 = FALSE;
::IsWow64Process(hProcess, &b32);
// 判断DLL是32位还是64位
BOOL bDll32 = JudgePE32Or64(lpszDllPath);
if(b32)
{
if(!bDll32)
{
::MessageBox(m_hWnd, "Process Is 32bits, Dll Is 64bits!\nPlease Choose 32bits Dll to Inject!\n", "Warn", MB_OK | MB_ICONWARNING);
return FALSE;
}
}
else
{
if(bDll32)
{
::MessageBox(m_hWnd, "Process Is 64bits, Dll Is 32bits!\nPlease Choose 64bits Dll to Inject!\n", "Warn", MB_OK | MB_ICONWARNING);
return FALSE;
}
}
// 申请一块内存
DWORD dwSize = 1 + ::lstrlen(lpszDllPath);
LPVOID lpAddr = ::VirtualAllocEx(hProcess, 0, dwSize, MEM_COMMIT, PAGE_READWRITE);
if(NULL == lpAddr)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Alloc Virtual Memory Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// 写入内存
if(!::WriteProcessMemory(hProcess, lpAddr, (LPCVOID)lpszDllPath, dwSize, NULL))
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Write Process Memory Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// 获取LoadLibraryA的内存地址
// 获取进程的基址
HMODULE hBaseAddress = NULL;
GetProcessBaseAddress(&hBaseAddress, hProcess);
DWORD64 dwDllBaseAddress = GetProcessDllBaseAddress(hProcess, hBaseAddress, "kernel32.dll", b32);
DWORD64 dwFuncAddress = GetFuncInDll(hProcess, dwDllBaseAddress, "LoadLibraryA", b32);
// 创建远程线程
HANDLE hThread = ::CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)dwFuncAddress, lpAddr, 0, NULL);
if(NULL == hThread)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create Remote Thread Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
return TRUE;
}
BOOL CInjectDlg::JudgePE32Or64(char *lpszDllPath)
{
// 内存映射文件
HANDLE hFile = ::CreateFile(lpszDllPath, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
if(INVALID_HANDLE_VALUE == hFile)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create File Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
HANDLE hFileMap = ::CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if(!hFileMap)
{
::CloseHandle(hFile);
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create File Mapping Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
LPVOID lpMemory = ::MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if(!lpMemory)
{
::CloseHandle(hFileMap);
::CloseHandle(hFile);
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Map View Of File Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// PE结构
PIMAGE_DOS_HEADER pDosHead = (PIMAGE_DOS_HEADER)lpMemory;
if(IMAGE_DOS_SIGNATURE == pDosHead->e_magic)
{
DWORD dwlfanew = pDosHead->e_lfanew;
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD64)pDosHead + dwlfanew);
if(IMAGE_NT_SIGNATURE == pNtHeaders->Signature)
{
if(IMAGE_FILE_MACHINE_AMD64 == pNtHeaders->FileHeader.Machine ||
IMAGE_FILE_MACHINE_IA64 == pNtHeaders->FileHeader.Machine)
{
return FALSE;
}
}
}
return TRUE;
}
BOOL CInjectDlg::GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess)
{
::EnumProcessModules(hProcess, lpBaseAddress, sizeof(HMODULE), NULL);
return TRUE;
}
DWORD64 CInjectDlg::GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32)
{
DWORD dwlfanew = 0;
DWORD dwFuncNameLen = ::lstrlen(lpszFuncName) + 1;
char szTemp[MAX_PATH] = {0};
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + 0x003c), &dwlfanew, 4, NULL);
DWORD dwExportRVA = 0;
// 根据32位和64位的区别分别读取内存
// 32位
if(b32)
{
// 从PE头文件目录获取导出表
// 获取导出表的起始偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 96), &dwExportRVA, 4, NULL);
}
// 64位
else
{
// 从PE头文件目录获取导出表
// 获取导出表的起始偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 112), &dwExportRVA, 4, NULL);
}
// 获取NumberOfNames
DWORD dwNumberOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 24), &dwNumberOfNames, 4, NULL);
// 获取AddressOfNames
DWORD dwAddressOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 32), &dwAddressOfNames, 4, NULL);
// 遍历API函数名称并匹配
DWORD dwNameRVA = 0;
for(DWORD i = 0; i < dwNumberOfNames; i++)
{
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNames + 4*i), &dwNameRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwNameRVA), szTemp, dwFuncNameLen, NULL);
if(0 == ::lstrcmpi(lpszFuncName, szTemp)) // 不区分大小写
{
// AddressOfNameOrdinals
DWORD dwAddressOfNameOrdinals = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 36), &dwAddressOfNameOrdinals, 4, NULL);
WORD wHint = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNameOrdinals + 2*i), &wHint, 2, NULL);
// AddressOfFunctions
DWORD dwAddressOfFunctions = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 28), &dwAddressOfFunctions, 4, NULL);
DWORD dwFuncRVA = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfFunctions + 4*wHint), &dwFuncRVA, 4, NULL);
DWORD64 dwRet = dwDllBaseAddress + dwFuncRVA;
return dwRet;
}
}
return 0;
}
DWORD64 CInjectDlg::GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32)
{
DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
DWORD dwlfanew = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, 4, NULL);
// 根据32位和64位的区别分别读取内存
// 32位
if(b32)
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // 不区分大小写
{
DWORD dwFunctionAddress = 0;
// 读取DLL中的函数地址
// 获取DLL中的函数的偏移地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// 读取DLL中的函数的地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 4, NULL);
// 根据DLL中的函数地址暴力搜索出DLL的加载基址
// 原理是文件是对齐64k(0x10000)装载进内存的DLL是一个PE结构文件
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
// 64位
else
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // 不区分大小写
{
DWORD64 dwFunctionAddress = 0;
// 读取DLL中的函数地址
// 获取DLL中的函数的偏移地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// 读取DLL中的函数的地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 8, NULL);
// 根据DLL中的函数地址暴力搜索出DLL的加载基址
// 原理是文件是对齐64k(0x10000)装载进内存的DLL是一个PE结构文件
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
return 0;
}
DWORD64 CInjectDlg::GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32)
{
WORD MZ = 0;
DWORD dwlfanew = 0;
DWORD PE00 = 0;
if(b32)
{
dwFunctionAddress = dwFunctionAddress & 0xFFFF0000;
}
else
{
dwFunctionAddress = dwFunctionAddress & 0xFFFFFFFFFFFF0000;
}
do
{
::ReadProcessMemory(hProcess, (LPCVOID)dwFunctionAddress, &MZ, 2, NULL);
if(IMAGE_DOS_SIGNATURE == MZ)
{
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + 0x003c), &dwlfanew, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + dwlfanew), &PE00, 4, NULL);
if(IMAGE_NT_SIGNATURE == PE00)
{
return dwFunctionAddress;
}
}
dwFunctionAddress = dwFunctionAddress - 0x10000;
}while(dwFunctionAddress >= 0x10000000);
return 0;
}

38
源代码/InjectDlg.h Normal file

@ -0,0 +1,38 @@
#pragma once
#include "ChooseProcessDlg.h"
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
// CInjectDlg 对话框
class CInjectDlg : public CDialogEx
{
DECLARE_DYNAMIC(CInjectDlg)
private:
DWORD m_dwID;
char m_szDllPath[MAX_PATH];
BOOL RemoteProcessInject(DWORD dwID, char *lpszDllPath);
BOOL JudgePE32Or64(char *lpszDllPath);
DWORD64 GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32);
BOOL GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess);
DWORD64 GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32);
DWORD64 GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32);
public:
CInjectDlg(CWnd* pParent = NULL); // 标准构造函数
virtual ~CInjectDlg();
// 对话框数据
enum { IDD = IDD_DIALOG_INJECT };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
DECLARE_MESSAGE_MAP()
public:
afx_msg void OnBnClickedButtonProcess();
CString m_strProcess;
CString m_strDll;
afx_msg void OnBnClickedButtonDll();
afx_msg void OnBnClickedButtonInject();
};
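Review bot: The parameter `char szDllName[MAX_PATH]` in the GetProcessDllBaseAddress declaration decays to a plain `char *`, so the compiler enforces no bound while a reader may assume one; declare it as `const char *szDllName`, and likewise `const char *lpszDllPath` and `const char *lpszFuncName` for JudgePE32Or64, RemoteProcessInject and GetFuncInDll, since the .cpp only reads from them. The same decayed-array signature appears in ViewDlg.h for GetProcessDllBaseAddress and GetFuncInDll. Unlike ViewDlg.h, none of the private methods here carries a one-line comment; for JudgePE32Or64 in particular the return convention is easy to misread, e.g. `// Returns FALSE only for an AMD64/IA64 PE image; TRUE for 32-bit images and for files that are not PE at all`, and GetProcessBaseAddress deserves `// Writes the first module handle of hProcess (the main image) into *lpBaseAddress; the EnumProcessModules result is not checked`.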

70
源代码/ReadMe.txt Normal file

@ -0,0 +1,70 @@
================================================================================
MICROSOFT 基础类库 : HandleMemory 项目概述
===============================================================================
应用程序向导已为您创建了此 HandleMemory 应用程序。此应用程序不仅演示 Microsoft 基础类的基本使用方法,还可作为您编写应用程序的起点。
本文件概要介绍组成 HandleMemory 应用程序的每个文件的内容。
HandleMemory.vcxproj
这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
HandleMemory.vcxproj.filters
这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
HandleMemory.h
这是应用程序的主头文件。
其中包括其他项目特定的标头(包括 Resource.h并声明 CHandleMemoryApp 应用程序类。
HandleMemory.cpp
这是包含应用程序类 CHandleMemoryApp 的主应用程序源文件。
HandleMemory.rc
这是程序使用的所有 Microsoft Windows 资源的列表。它包括 RES 子目录中存储的图标、位图和光标。此文件可以直接在 Microsoft Visual C++ 中进行编辑。项目资源包含在 2052 中。
res\HandleMemory.ico
这是用作应用程序图标的图标文件。此图标包括在主资源文件 HandleMemory.rc 中。
res\HandleMemory.rc2
此文件包含不在 Microsoft Visual C++ 中进行编辑的资源。您应该将不可由资源编辑器编辑的所有资源放在此文件中。
/////////////////////////////////////////////////////////////////////////////
应用程序向导创建一个对话框类:
HandleMemoryDlg.h、HandleMemoryDlg.cpp - 对话框
这些文件包含 CHandleMemoryDlg 类。此类定义应用程序的主对话框的行为。对话框模板包含在 HandleMemory.rc 中,该文件可以在 Microsoft Visual C++ 中编辑。
/////////////////////////////////////////////////////////////////////////////
其他功能:
ActiveX 控件
该应用程序包含对使用 ActiveX 控件的支持。
Windows 套接字
应用程序包含对通过 TCP/IP 网络建立通信的支持。
/////////////////////////////////////////////////////////////////////////////
其他标准文件:
StdAfx.h, StdAfx.cpp
这些文件用于生成名为 HandleMemory.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
Resource.h
这是标准头文件,可用于定义新的资源 ID。Microsoft Visual C++ 将读取并更新此文件。
HandleMemory.manifest
Windows XP 使用应用程序清单文件来描述特定版本的并行程序集的应用程序依赖项。加载程序使用这些信息来从程序集缓存中加载相应的程序集,并保护其不被应用程序访问。应用程序清单可能会包含在内,以作为与应用程序可执行文件安装在同一文件夹中的外部 .manifest 文件进行重新分发,它还可能以资源的形式包含在可执行文件中。
/////////////////////////////////////////////////////////////////////////////
其他注释:
应用程序向导使用“TODO:”来指示应添加或自定义的源代码部分。
如果应用程序使用共享 DLL 中的 MFC您将需要重新分发 MFC DLL。如果应用程序所使用的语言与操作系统的区域设置不同则还需要重新分发相应的本地化资源 mfc110XXX.DLL。
有关上述话题的更多信息,请参见 MSDN 文档中有关重新分发 Visual C++ 应用程序的部分。
/////////////////////////////////////////////////////////////////////////////

427
源代码/ViewDlg.cpp Normal file

@ -0,0 +1,427 @@
// ViewDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "ViewDlg.h"
#include "afxdialogex.h"
// CViewDlg 对话框
IMPLEMENT_DYNAMIC(CViewDlg, CDialogEx)
CViewDlg::CViewDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CViewDlg::IDD, pParent)
, m_strProcess(_T(""))
, m_strDllName(_T(""))
, m_strFunc(_T(""))
{
m_dwID = 0;
}
CViewDlg::~CViewDlg()
{
}
void CViewDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Text(pDX, IDC_EDIT_PROCESS, m_strProcess);
DDX_Control(pDX, IDC_LIST_MEMORY_VIEW, m_ViewList);
DDX_Text(pDX, IDC_EDIT_DLL_NAME, m_strDllName);
DDX_Text(pDX, IDC_EDIT_FUNCTION, m_strFunc);
}
BEGIN_MESSAGE_MAP(CViewDlg, CDialogEx)
ON_BN_CLICKED(IDC_BUTTON_PROCESS, &CViewDlg::OnBnClickedButtonProcess)
ON_BN_CLICKED(IDC_BUTTON_GET_API, &CViewDlg::OnBnClickedButtonGetApi)
END_MESSAGE_MAP()
// CViewDlg 消息处理程序
void CViewDlg::OnBnClickedButtonProcess()
{
// TODO: 在此添加控件通知处理程序代码
CChooseProcessDlg dlg;
DWORD dwID = 0;
char szProcessName[MAX_PATH] = {0};
if(IDOK == dlg.DoModal())
{
dwID = dlg.GetProcessID();
::lstrcat(szProcessName, dlg.GetProcessName());
m_strProcess.Format("pid:%d exe file:%s", dwID, szProcessName);
UpdateData(FALSE);
m_dwID = dwID;
// 获取内存的详情信息
GetMemoryInfo(dwID);
}
}
BOOL CViewDlg::GetMemoryInfo(DWORD dwID)
{
HMODULE hBaseAddress = NULL;
char szDllNameArray[MAX_PATH][MAX_PATH] = {0};
DWORD dwDllNum = 0;
DWORD64 dwAddressArray[MAX_PATH] = {0};
DWORD dwIndex = 0;
BOOL b32 = FALSE;
// 打开进程
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID);
if(NULL == hProcess)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// 判断是32位还是64位
::IsWow64Process(hProcess, &b32);
// 获取进程的基址
GetProcessBaseAddress(&hBaseAddress, hProcess);
// 从导入表中获取加载的DLL模块名称
GetProcessDllName(hProcess, hBaseAddress, szDllNameArray, dwDllNum, b32);
// 根据导入表和导入表中的函数地址暴力遍历出加载的DLL的模块基址
for(dwIndex = 0; dwIndex < dwDllNum; dwIndex++)
{
dwAddressArray[dwIndex] = GetProcessDllBaseAddress(hProcess, hBaseAddress, szDllNameArray[dwIndex], b32);
}
// 显示
// 清空列表框内容
m_ViewList.ResetContent();
char szTemp[MAX_PATH] = {0};
::wsprintf(szTemp, "Process PID:%d", dwID);
m_ViewList.AddString(szTemp);
if(b32)
{
::wsprintf(szTemp, "32bits");
}
else
{
::wsprintf(szTemp, "64bits");
}
m_ViewList.AddString(szTemp);
m_ViewList.AddString("");
::wsprintf(szTemp, "Base Address:\n0x%016I64x", (DWORD64)hBaseAddress);
m_ViewList.AddString(szTemp);
m_ViewList.AddString("");
for(dwIndex = 0; dwIndex < dwDllNum; dwIndex++)
{
::wsprintf(szTemp, "Dll Name:%s", szDllNameArray[dwIndex]);
m_ViewList.AddString(szTemp);
::wsprintf(szTemp, "Load Base Address:0x%016I64x", dwAddressArray[dwIndex]);
m_ViewList.AddString(szTemp);
m_ViewList.AddString("");
}
return TRUE;
}
BOOL CViewDlg::GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess)
{
::EnumProcessModules(hProcess, lpBaseAddress, sizeof(HMODULE), NULL);
return TRUE;
}
BOOL CViewDlg::GetProcessDllName(HANDLE hProcess, HMODULE hBaseAddress, char szDllNameArray[MAX_PATH][MAX_PATH], DWORD &dwDllNum, BOOL b32)
{
DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
WORD MZ = 0;
DWORD dwlfanew = 0;
DWORD PE00 = 0;
DWORD64 dwTemp = 0;
// 判断PE结构
::ReadProcessMemory(hProcess, (LPCVOID)dwBaseAddress, &MZ, 2, &dwTemp);
if(2 != dwTemp)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Read Process Memory Error!\nError Code:%d", ::GetLastError());
::MessageBox(m_hWnd, szErr, NULL, MB_OK | MB_ICONWARNING);
return FALSE;
}
if(MZ != IMAGE_DOS_SIGNATURE)
{
return FALSE;
}
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, 4, &dwTemp);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew), &PE00, 4, &dwTemp);
if(4 != dwTemp)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Read Process Memory Error!\nError Code:%d", ::GetLastError());
::MessageBox(m_hWnd, szErr, NULL, MB_OK | MB_ICONWARNING);
return FALSE;
}
if(PE00 != IMAGE_NT_SIGNATURE)
{
return FALSE;
}
// 根据32位和64位的区别分别读取内存
// 32位
if(b32)
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
dwDllNum = dwIndex;
DWORD dwOffsetDllName = 0;
char szTemp[50] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, 50, NULL);
::lstrcpy(szDllNameArray[i], szTemp);
}
}
// 64位
else
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
dwDllNum = dwIndex;
DWORD dwOffsetDllName = 0;
char szTemp[50] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, 50, NULL);
::lstrcpy(szDllNameArray[i], szTemp);
}
}
return TRUE;
}
DWORD64 CViewDlg::GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32)
{
DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
DWORD dwlfanew = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, 4, NULL);
// 根据32位和64位的区别分别读取内存
// 32位
if(b32)
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // 不区分大小写
{
DWORD dwFunctionAddress = 0;
// 读取DLL中的函数地址
// 获取DLL中的函数的偏移地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// 读取DLL中的函数的地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 4, NULL);
// 根据DLL中的函数地址暴力搜索出DLL的加载基址
// 原理是文件是对齐64k(0x10000)装载进内存的DLL是一个PE结构文件
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
// 64位
else
{
// 从PE头文件目录获取导入表
// 获取导入表的起始偏移和大小
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8 + 4), &dwIATSize, 4, NULL);
// 遍历DLL全称
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// 获取DLL名称的偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // 不区分大小写
{
DWORD64 dwFunctionAddress = 0;
// 读取DLL中的函数地址
// 获取DLL中的函数的偏移地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// 读取DLL中的函数的地址
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 8, NULL);
// 根据DLL中的函数地址暴力搜索出DLL的加载基址
// 原理是文件是对齐64k(0x10000)装载进内存的DLL是一个PE结构文件
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
return 0;
}
DWORD64 CViewDlg::GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32)
{
WORD MZ = 0;
DWORD dwlfanew = 0;
DWORD PE00 = 0;
if(b32)
{
dwFunctionAddress = dwFunctionAddress & 0xFFFF0000;
}
else
{
dwFunctionAddress = dwFunctionAddress & 0xFFFFFFFFFFFF0000;
}
do
{
::ReadProcessMemory(hProcess, (LPCVOID)dwFunctionAddress, &MZ, 2, NULL);
if(IMAGE_DOS_SIGNATURE == MZ)
{
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + 0x003c), &dwlfanew, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + dwlfanew), &PE00, 4, NULL);
if(IMAGE_NT_SIGNATURE == PE00)
{
return dwFunctionAddress;
}
}
dwFunctionAddress = dwFunctionAddress - 0x10000;
}while(dwFunctionAddress >= 0x10000000);
return 0;
}
void CViewDlg::OnBnClickedButtonGetApi()
{
// TODO: 在此添加控件通知处理程序代码
UpdateData(TRUE);
char szDllName[MAX_PATH] = {0};
char szFuncName[MAX_PATH] = {0};
::lstrcpy(szDllName, m_strDllName.GetBuffer(0));
::lstrcpy(szFuncName, m_strFunc.GetBuffer(0));
HMODULE hBaseAddress = NULL;
BOOL b32 = FALSE;
// 打开进程
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwID);
if(NULL == hProcess)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return ;
}
// 判断是32位还是64位
::IsWow64Process(hProcess, &b32);
// 获取进程的基址
GetProcessBaseAddress(&hBaseAddress, hProcess);
// 根据导入表和导入表中的函数地址暴力遍历出加载的DLL的模块基址
DWORD64 dwDllBaseAddress = GetProcessDllBaseAddress(hProcess, hBaseAddress, szDllName, b32);
// 获取API函数的地址
DWORD64 dwDllFuncAddress = GetFuncInDll(hProcess, dwDllBaseAddress, szFuncName, b32);
// 显示
char szTemp[MAX_PATH] = {0};
::wsprintf(szTemp, "Dll:%s", szDllName);
m_ViewList.AddString(szTemp);
::wsprintf(szTemp, "Function:%s", szFuncName);
m_ViewList.AddString(szTemp);
::wsprintf(szTemp, "Image Address:0x%016I64x", dwDllFuncAddress);
m_ViewList.AddString(szTemp);
m_ViewList.AddString("");
}
DWORD64 CViewDlg::GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32)
{
DWORD dwlfanew = 0;
DWORD dwFuncNameLen = ::lstrlen(lpszFuncName) + 1;
char szTemp[MAX_PATH] = {0};
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + 0x003c), &dwlfanew, 4, NULL);
DWORD dwExportRVA = 0;
// 根据32位和64位的区别分别读取内存
// 32位
if(b32)
{
// 从PE头文件目录获取导出表
// 获取导出表的起始偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 96), &dwExportRVA, 4, NULL);
}
// 64位
else
{
// 从PE头文件目录获取导出表
// 获取导出表的起始偏移
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 112), &dwExportRVA, 4, NULL);
}
// 获取NumberOfNames
DWORD dwNumberOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 24), &dwNumberOfNames, 4, NULL);
// 获取AddressOfNames
DWORD dwAddressOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 32), &dwAddressOfNames, 4, NULL);
// 遍历API函数名称并匹配
DWORD dwNameRVA = 0;
for(DWORD i = 0; i < dwNumberOfNames; i++)
{
// 获取DLL名称的地址并读取
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNames + 4*i), &dwNameRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwNameRVA), szTemp, dwFuncNameLen, NULL);
if(0 == ::lstrcmpi(lpszFuncName, szTemp)) // 不区分大小写
{
// AddressOfNameOrdinals
DWORD dwAddressOfNameOrdinals = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 36), &dwAddressOfNameOrdinals, 4, NULL);
WORD wHint = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNameOrdinals + 2*i), &wHint, 2, NULL);
// AddressOfFunctions
DWORD dwAddressOfFunctions = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 28), &dwAddressOfFunctions, 4, NULL);
DWORD dwFuncRVA = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfFunctions + 4*wHint), &dwFuncRVA, 4, NULL);
DWORD64 dwRet = dwDllBaseAddress + dwFuncRVA;
return dwRet;
}
}
return 0;
}
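Review bot: In OnBnClickedButtonGetApi, `::lstrcpy(szDllName, m_strDllName.GetBuffer(0));` and the line below copy edit-box text of unbounded length into MAX_PATH stack buffers, so a long DLL or function name overruns the stack; use `::lstrcpyn(szDllName, m_strDllName, MAX_PATH);` (same for szFuncName), or pass `(LPCSTR)m_strDllName` directly and drop the copies and the unpaired GetBuffer calls. The `hProcess` opened there and in GetMemoryInfo is never closed, and PROCESS_ALL_ACCESS is more than these reads need: `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` is enough for EnumProcessModules and ReadProcessMemory, with `::CloseHandle(hProcess);` before each return. In GetProcessDllName the expression `(dwIATSize - 1)/20` wraps to a huge count when the import directory size is 0, and the loop writes `szDllNameArray[i]` without checking `i < MAX_PATH`; guard with `if (dwIATSize < 20) return FALSE;` and clamp dwIndex to MAX_PATH. The 50-byte read into `szTemp[50]` is not guaranteed to be NUL-terminated before `::lstrcpy` reads it, so reserve one byte, `szTemp[49] = 0;`, or read at most 49. GetFuncInDll does not handle a forwarded export (an RVA that lands inside the export directory), so the address it returns for such a name is not a function entry point.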

47
源代码/ViewDlg.h Normal file

@ -0,0 +1,47 @@
#pragma once
#include "afxwin.h"
#include "ChooseProcessDlg.h"
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
// CViewDlg 对话框
class CViewDlg : public CDialogEx
{
DECLARE_DYNAMIC(CViewDlg)
private:
DWORD m_dwID;
BOOL GetMemoryInfo(DWORD dwID);
// 获取进程的基址
BOOL GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess);
// 从导入表中获取加载的DLL模块名称
BOOL GetProcessDllName(HANDLE hProcess, HMODULE hBaseAddress, char szDllNameArray[MAX_PATH][MAX_PATH], DWORD &dwDllNum, BOOL b32);
// 根据导入表和导入表中的函数地址暴力遍历出加载的DLL的模块基址
DWORD64 GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32);
// 根据DLL中的函数地址暴力搜索出DLL的加载基址
// 原理是文件是对齐64k(0x10000)装载进内存的DLL是一个PE结构文件
DWORD64 GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32);
// 获取使用到的加载的DLL中的导出函数的地址
DWORD64 GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32);
public:
CViewDlg(CWnd* pParent = NULL); // 标准构造函数
virtual ~CViewDlg();
// 对话框数据
enum { IDD = IDD_DIALOG_VIEW };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
DECLARE_MESSAGE_MAP()
public:
afx_msg void OnBnClickedButtonProcess();
CString m_strProcess;
CListBox m_ViewList;
CString m_strDllName;
CString m_strFunc;
afx_msg void OnBnClickedButtonGetApi();
};

Binary file not shown.

Binary file not shown.


BIN
源代码/resource.h Normal file

Binary file not shown.

8
源代码/stdafx.cpp Normal file

@ -0,0 +1,8 @@
// stdafx.cpp : 只包括标准包含文件的源文件
// HandleMemory.pch 将作为预编译头
// stdafx.obj 将包含预编译类型信息
#include "stdafx.h"

55
源代码/stdafx.h Normal file

@ -0,0 +1,55 @@
// stdafx.h : 标准系统包含文件的包含文件,
// 或是经常使用但不常更改的
// 特定于项目的包含文件
#pragma once
#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN // 从 Windows 头中排除极少使用的资料
#endif
#include "targetver.h"
#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // 某些 CString 构造函数将是显式的
// 关闭 MFC 对某些常见但经常可放心忽略的警告消息的隐藏
#define _AFX_ALL_WARNINGS
#include <afxwin.h> // MFC 核心组件和标准组件
#include <afxext.h> // MFC 扩展
#include <afxdisp.h> // MFC 自动化类
#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h> // MFC 对 Internet Explorer 4 公共控件的支持
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC 对 Windows 公共控件的支持
#endif // _AFX_NO_AFXCMN_SUPPORT
#include <afxcontrolbars.h> // 功能区和控件条的 MFC 支持
#include <afxsock.h> // MFC 套接字扩展
#ifdef _UNICODE
#if defined _M_IX86
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
#elif defined _M_X64
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
#else
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
#endif
#endif

8
源代码/targetver.h Normal file

@ -0,0 +1,8 @@
#pragma once
// 包括 SDKDDKVer.h 将定义最高版本的可用 Windows 平台。
// 如果要为以前的 Windows 平台生成应用程序,请包括 WinSDKVer.h并将
// WIN32_WINNT 宏设置为要支持的平台,然后再包括 SDKDDKVer.h。
#include <SDKDDKVer.h>