Use a hook function:
#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include "mhook.h"      // Mhook_SetHook
// The detour must have the same prototype as the function it replaces. The target resolved
// below is ntdll!NtReadProcessMemory, so use its (NTSTATUS, NTAPI) signature, not kernel32's.
NTSTATUS NTAPI hkReadProcessMemory(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T nSize, PSIZE_T lpNumberOfBytesRead)
{
    // Note: GetCurrentProcess() returns the pseudo-handle (HANDLE)-1, so this comparison only
    // matches a caller reading its own memory through that pseudo-handle. To notice reads
    // aimed at one specific process, compare GetProcessId(hProcess) with that process's PID.
    if (GetCurrentProcess() == hProcess) {
        // your process
    }
    // Always pass the call through to the original (oReadProcessMemory is declared below).
    return oReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
}
Typedef for the function:
typedef NTSTATUS (NTAPI* _NtReadProcessMemory)(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T nSize, PSIZE_T lpNumberOfBytesRead);
Declare the original function:
_NtReadProcessMemory oReadProcessMemory = (_NtReadProcessMemory)
    GetProcAddress(GetModuleHandleW(L"ntdll"), "NtReadProcessMemory");
Install the detour:
// On success Mhook rewrites oReadProcessMemory to point at a trampoline into the original.
BOOL bHook = Mhook_SetHook((PVOID*)&oReadProcessMemory,
    hkReadProcessMemory);
Obviously, you need to inject this DLL into every process running on the system.
Mhook (detour library): http://codefromthe70s.org/mhook22.aspx
It should be noted that if you consider everything outside your control that will/can read your memory, 'ReadProcessMemory' will catch only a tiny fraction of it. DMA can happen; your pages can be swapped to disk, all kinds of third-party code runs inside your process, etc. etc. –