(二)内存扫描器(面向对象版)

小秦哥 · 2023-4-4 14:00:34

在此之前，我们实现了内存扫描器(面向过程版)。为了使用的简洁性及可重用性，我们将其模块化，改写为C++类的形式，将用户用不到的成员私有化，对外隐藏，只为其提供类似于首次扫描、再次扫描、内存读写等的接口。
修改后的内存扫描器源码如下：
点击查看代码

#pragma once
#include<Windows.h>
#include<iostream>
#include<vector>
using namespace std;
#define IS_IN_SEARCH(mb,offset) (mb->searchmask[(offset)/8] & (1<<((offset)%8)))
#define REMOVE_FROM_SEARCH(mb,offset) mb->searchmask[(offset)/8]&=~(1<<((offset)%8));
typedef struct _MEMBLOCK
{
HANDLE hProcess;
PVOID addr;
int size;
char* buffer;
char* searchmask;//标志每一字节的数据是否在搜索列表中
int matches; //匹配的数据个数
int data_size; //数据大小(单位字节)
struct _MEMBLOCK* next;
}MEMBLOCK;
typedef struct _AddrValue
{
PVOID addr;
int val;
}AddrValue;
typedef enum
{
COND_UNCONDITIONAL, //every bytes
COND_EQUALS, //bytes particular value
COND_INCREASE, //bytes value increased
COND_DECREASE, //bytes value decreased
}SEARCH_CONDITION;
class Scanner
{
public:
~Scanner()
{
if (scan) free_scan();
}
/*扫描*/
bool first_scan(int pid, int data_size, int start_val, SEARCH_CONDITION start_cond = COND_EQUALS);
void next_scan(int val, SEARCH_CONDITION condition = COND_EQUALS);
/*内存读写*/
void poke(PVOID addr, int val);
int peek(PVOID addr);
/*统计内存数据*/
vector<AddrValue> get_data();//获取满足条件的内存地址及数值
void print_matches(); //打印内存数据 (UI的不需要)
int get_match_count();//获取满足条件的数据数量
private:
/*单个内存块*/
MEMBLOCK* create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size);
void update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val);
void free_memblock(MEMBLOCK* mb);
/*所有内存块*/
MEMBLOCK* create_scan(int pid, int data_size);
void update_scan(SEARCH_CONDITION condition, int val);
void dump_scan_info();
void free_scan();
private:
MEMBLOCK* scan = NULL;//扫描器
int data_size; //数据大小
HANDLE hProcess; //当前进程句柄
};
#include"scanner.h"
MEMBLOCK* Scanner::create_memblock(HANDLE hProcess, MEMORY_BASIC_INFORMATION* meminfo, int data_size)
{
MEMBLOCK* mb = (MEMBLOCK*)malloc(sizeof(MEMBLOCK));
if (mb)
{
mb->hProcess = hProcess;
mb->addr = meminfo->BaseAddress;
mb->size = meminfo->RegionSize;
mb->buffer = (char*)malloc(meminfo->RegionSize);
//初始化搜索掩码为0xff，表示每一个字节都在搜索列表中
mb->searchmask = (char*)malloc(meminfo->RegionSize / 8);
memset(mb->searchmask, 0xff, meminfo->RegionSize / 8);
mb->matches = meminfo->RegionSize;
mb->data_size = data_size;
mb->next = NULL;
}
return mb;
}
void Scanner::update_memblock(MEMBLOCK* mb, SEARCH_CONDITION condition, int val)
{
static unsigned char tempbuf[128 * 1024];//0x20000
unsigned int bytes_left;//当前未处理的字节数
unsigned int total_read;//已经处理的字节数
unsigned int bytes_to_read;
SIZE_T bytes_read;
if (mb->matches > 0)
{
bytes_left = mb->size;
total_read = 0;
mb->matches = 0;
while (bytes_left)
{
bytes_to_read = (bytes_left > sizeof(tempbuf)) ? sizeof(tempbuf) : bytes_left;
ReadProcessMemory(mb->hProcess, (LPCVOID)((SIZE_T)mb->addr + total_read), tempbuf, bytes_to_read, &bytes_read);
//如果读失败了，则结束
if (bytes_to_read != bytes_read) break;
//条件搜索处
if (condition == COND_UNCONDITIONAL)//无条件，则所有数据都匹配
{
memset(mb->searchmask + total_read / 8, 0xff, bytes_read / 8);
mb->matches += bytes_read;
}
else//遍历临时buffer
{
for (int offset = 0; offset < bytes_read; offset += mb->data_size)
{
if (IS_IN_SEARCH(mb, (total_read + offset)))
{
BOOL is_match = FALSE;
int temp_val;
int prev_val;
switch (mb->data_size)//获取临时数值的大小
{
case 1:
temp_val = tempbuf[offset];
prev_val = *((char*)&mb->buffer[total_read + offset]);
break;
case 2:
temp_val = *((short*)&tempbuf[offset]);
prev_val = *((short*)&mb->buffer[total_read + offset]);
break;
case 4:
default:
temp_val = *((int*)&tempbuf[offset]);
prev_val = *((short*)&mb->buffer[total_read + offset]);
break;
}
switch (condition)//根据不同搜索条件处理
{
case COND_EQUALS:
is_match = (temp_val == val);
break;
case COND_INCREASE:
is_match = (temp_val > prev_val);
break;
case COND_DECREASE:
is_match = (temp_val < prev_val);
break;
default:
break;
}
if (is_match)
{
mb->matches++;
}
else
{
REMOVE_FROM_SEARCH(mb, (total_read + offset));
}
}
}
}
memcpy(mb->buffer + total_read, tempbuf, bytes_read);
bytes_left -= bytes_read;
total_read += bytes_read;
}
mb->size = total_read;
}
}
void Scanner::free_memblock(MEMBLOCK* mb)
{
if (mb)
{
if (mb->buffer)
{
free(mb->buffer);
}
if (mb->searchmask)
{
free(mb->searchmask);
}
free(mb);
}
}
MEMBLOCK* Scanner::create_scan(int pid, int data_size)
{
MEMBLOCK* mb_list = NULL;
MEMORY_BASIC_INFORMATION meminfo;
PVOID addr = 0;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProcess)
{
while (1)
{
//查询失败，返回
if (!VirtualQueryEx(hProcess, addr, &meminfo, sizeof(meminfo)))
{
break;
}
#define WRITABLE (PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY)
if ((meminfo.State & MEM_COMMIT) && (meminfo.Protect & WRITABLE))
{
MEMBLOCK* mb = create_memblock(hProcess, &meminfo, data_size);
//头插法将扫描的内存块存入内存块列表中
if (mb)
{
//update_memblock(mb);
mb->next = mb_list;
mb_list = mb;
}
}
addr = (LPVOID)((SIZE_T)meminfo.BaseAddress + meminfo.RegionSize);
}
}
return mb_list;
}
void Scanner::update_scan(SEARCH_CONDITION condition, int val)
{
MEMBLOCK* mb = scan;
while (mb)
{
update_memblock(mb, condition, val);
mb = mb->next;
}
}
void Scanner::dump_scan_info()
{
MEMBLOCK* mb = scan;
while (mb)
{
//打印内存块
printf("0x%08x 0x%08x\r\n", mb->addr, mb->size);
mb = mb->next;
//打印内存块中数据
for (int i = 0; i < mb->size; i++)
{
printf("%02x ", mb->buffer[i]);
if (i % 16 == 0) printf("\r\n");
}
printf("\r\n");
}
}
void Scanner::free_scan()
{
CloseHandle(scan->hProcess);
while (scan)
{
MEMBLOCK* mb = scan;
scan = scan->next;
free_memblock(mb);
}
}
int Scanner::peek(PVOID addr)
{
int val = 0;
if (!ReadProcessMemory(hProcess, addr, &val, data_size, NULL))
{
printf("peek failed\r\n");
}
return val;
}
void Scanner::poke(PVOID addr, int val)//写内存
{
if (!WriteProcessMemory(hProcess, addr, &val, data_size, NULL))
{
printf("poke failed\r\n");
}
}
void Scanner::print_matches()
{
vector<AddrValue> data = get_data();
for (int i = 0; i < data.size(); i++)
{
printf("0x%08x : %d\r\n", data[i].addr, data[i].val);
}
}
vector<AddrValue> Scanner::get_data()
{
vector<AddrValue> data;
MEMBLOCK* mb = scan;
while (mb)
{
for (int offset = 0; offset < mb->size; offset += mb->data_size)
{
if (IS_IN_SEARCH(mb, offset))
{
int val = peek((PVOID)((SIZE_T)mb->addr + offset));
AddrValue temp;
temp.addr = (PVOID)((SIZE_T)mb->addr + offset);
temp.val = val;
data.push_back(temp);
}
}
mb = mb->next;
}
return data;
}
int Scanner::get_match_count()
{
MEMBLOCK* mb = scan;
int count = 0;
while (mb)
{
count += mb->matches;
mb = mb->next;
}
return count;
}
bool Scanner::first_scan(int pid, int _data_size, int start_val, SEARCH_CONDITION start_cond)
{
data_size = _data_size;
if (scan)
{
free_scan();
}
scan = create_scan(pid, data_size);
if (scan)
{
update_scan(start_cond, start_val);
return true;
}
else
return false;
}
void Scanner::next_scan(int val, SEARCH_CONDITION condition)
{
update_scan(condition, val);
}

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

		自动登录	找回密码
密码			立即注册

(二)内存扫描器(面向对象版)

0 个回复

快速回复

楼主热帖

标签云