Option Explicit
'===================================================================================
'功能:按照8字节搜索指定PID某范围内的所有地址
'用法:Call FindMem64(4523,&H515C0020,&H30303251) '20005C5151323030
'===================================================================================
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function ReadProcessMemoryByAddr Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Sub FindMem64(ByVal pid As Long, ByVal dwHigh As Long, ByVal dwLow As Long)
Const STEPLEN = &H1000
Dim i As Long, j As Long
Dim dwRead As Long
Dim data4 As Long
Dim byData(-8 To STEPLEN) As Byte
Dim hProcess As Long
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
If hProcess = 0 Then Exit Sub
For i = &H0 To &HFFFFFFF - STEPLEN Step STEPLEN
CopyMemory byData(-8), byData(STEPLEN), 8
If ReadProcessMemoryByAddr(hProcess, i, VarPtr(byData(0)), STEPLEN, dwRead) <> 0 And dwRead = STEPLEN Then
For j = -7 To STEPLEN - 8
CopyMemory data4, byData(j), 4
If data4 = dwHigh Then
CopyMemory data4, byData(j + 4), 4
If data4 = dwLow Then
Debug.Print i + j
End If
End If
Next
本内容试读结束,登录后可阅读更多
下载后可阅读完整内容,剩余1页未读,立即下载
