内存修改器实现源码

时间:2021-07-20 04:50:43
#include "stdafx.h"
#include <windows.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <cstring>
#include <iostream>

// NOTE(review): file-scope using-directive; tolerable in a single-file demo, but do not copy it into a header.
using namespace std;
 // Result list: addresses in the target process where the searched 4-byte value was found.
 // Capacity is fixed at 1024 entries and addresses are stored as 32-bit DWORDs.
 DWORD g_arList[1024];  
 // Number of valid entries in g_arList (zero-initialized as a global).
 int g_nListCnt;  
 // Handle of the process being scanned and patched; assigned in main() before FindFirst() runs.
 HANDLE g_hProcess;  
 // Forward declarations of the scan / patch helpers defined below.
 BOOL WriteMemory(DWORD dwAddr, DWORD dwValue);  
 void ShowList(void);  
 BOOL CompareAPage(DWORD dwBaseAddr, DWORD dwValue);  
 BOOL FindNext(DWORD dwValue);  
 BOOL FindFirst(DWORD dwValue);  
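 // Starts a new search: scans the target process page by page for every
 // 4-byte occurrence of dwValue and records the matching addresses in
 // g_arList (via CompareAPage).
 //
 // Only the range from the platform-dependent start address up to 2 GB is
 // walked, in 4 KB steps, so the scan is limited to 32-bit addresses.
 //
 // Returns FALSE when no process handle has been set, TRUE otherwise
 // (including when nothing matched).
 BOOL FindFirst(DWORD dwValue)
 {
     const DWORD dwOneGB = 1024 * 1024 * 1024;
     const DWORD dwOnePage = 4 * 1024;
     const int nListCap = (int)(sizeof(g_arList) / sizeof(g_arList[0]));

     if (NULL == g_hProcess)
     {
         return FALSE;
     }

     // A first search must not inherit hits from an earlier one.
     g_nListCnt = 0;

     // Pick the scan start: 4 MB on the Win9x platform id, 640 KB otherwise.
     // NOTE(review): GetVersionEx is deprecated and its result is unchecked;
     // if it fails, vi stays zeroed apart from the size field and the
     // 640 KB branch is taken.
     DWORD dwBase;
     OSVERSIONINFO vi = {sizeof(vi)};
     ::GetVersionEx(&vi);
     if (VER_PLATFORM_WIN32_WINDOWS == vi.dwPlatformId)
     {
         dwBase = 4 * 1024 * 1024;
     }
     else
     {
         dwBase = 640 * 1024;
     }

     for (; dwBase < 2 * dwOneGB; dwBase += dwOnePage)
     {
         // A FALSE return is expected for pages that cannot be read, so the
         // result is not treated as an error here.
         CompareAPage(dwBase, dwValue);

         // Once the fixed-size list is full no further hit can be stored;
         // stop instead of reading the rest of the address space for nothing.
         if (g_nListCnt >= nListCap)
         {
             break;
         }
     }
     return TRUE;
 }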
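 // Reads one 4 KB page of the target process at dwBaseAddr and appends to
 // g_arList the address of every byte offset whose 4 bytes equal dwValue.
 //
 // Values that straddle the end of the page are not seen, because each page
 // is examined in isolation.
 //
 // Returns FALSE when the page cannot be read or when the result list is
 // already full; TRUE when the whole page was examined.
 BOOL CompareAPage(DWORD dwBaseAddr, DWORD dwValue)
 {
     BYTE arBytes[4096];
     // The address is a 32-bit value; widen it explicitly before turning it
     // into a pointer so that 64-bit builds do not warn about the cast.
     if (!::ReadProcessMemory(g_hProcess, (LPVOID)(ULONG_PTR)dwBaseAddr,
                              arBytes, sizeof(arBytes), NULL))
     {
         return FALSE;
     }

     const int nListCap = (int)(sizeof(g_arList) / sizeof(g_arList[0]));
     // Last offset at which a full DWORD still fits inside the buffer.
     const int nLastOffset = (int)sizeof(arBytes) - (int)sizeof(DWORD);

     for (int i = 0; i <= nLastOffset; i++)
     {
         // Copy the four bytes out instead of dereferencing a casted
         // pointer: the offset is usually not DWORD-aligned, and reading a
         // BYTE buffer through a DWORD* is undefined behaviour.
         DWORD dwCurrent;
         memcpy(&dwCurrent, &arBytes[i], sizeof(dwCurrent));

         if (dwCurrent == dwValue)
         {
             if (g_nListCnt >= nListCap)
             {
                 return FALSE;
             }
             g_arList[g_nListCnt++] = dwBaseAddr + i;
         }
     }
     return TRUE;
 }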
 // Prints every address currently held in g_arList, one per line, as eight
 // upper-case hexadecimal digits.
 void ShowList(void)
 {
     int idx = 0;
     while (idx < g_nListCnt)
     {
         printf("%08lX\n", g_arList[idx]);
         ++idx;
     }
 }
 // Narrows the existing result list: re-reads each recorded address in the
 // target process and keeps only those that now hold dwValue. The list is
 // compacted in place and g_nListCnt is updated to the number kept.
 //
 // Returns TRUE if at least one address survived, FALSE otherwise.
 // Addresses that can no longer be read are dropped silently.
 BOOL FindNext(DWORD dwValue)
 {
     const int nPrevCount = g_nListCnt;
     BOOL bAnyKept = FALSE;

     g_nListCnt = 0;
     for (int idx = 0; idx < nPrevCount; ++idx)
     {
         // The write position never passes idx, so this entry is still the
         // original candidate.
         const DWORD dwCandidate = g_arList[idx];
         DWORD dwCurrent;

         if (!::ReadProcessMemory(g_hProcess, (LPVOID)dwCandidate, &dwCurrent, sizeof(DWORD), NULL))
         {
             continue;
         }
         if (dwCurrent != dwValue)
         {
             continue;
         }

         g_arList[g_nListCnt++] = dwCandidate;
         bAnyKept = TRUE;
     }
     return bAnyKept;
 }
 // Writes the 4-byte dwValue to address dwAddr inside the process referred
 // to by g_hProcess. Returns the result of WriteProcessMemory unchanged.
 BOOL WriteMemory(DWORD dwAddr, DWORD dwValue)
 {
     LPVOID pTarget = (LPVOID)dwAddr;
     const BOOL bWritten = ::WriteProcessMemory(g_hProcess, pTarget, &dwValue, sizeof(DWORD), NULL);
     return bWritten;
 }
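 // Tries to enable SeDebugPrivilege (SE_DEBUG_NAME) in the current process
 // token.
 //
 // Returns TRUE only when the privilege was actually enabled; FALSE when the
 // token could not be opened, the privilege name could not be resolved, or
 // the token does not hold the privilege.
 //
 // This is a powerful right; enable it only when the target process cannot
 // be opened without it.
 BOOL GetDebugPriv()
 {
     HANDLE hToken = NULL;
     if (!OpenProcessToken(GetCurrentProcess(),
                           TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
     {
         return FALSE;
     }

     BOOL bEnabled = FALSE;
     LUID sedebugnameValue;
     if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
     {
         TOKEN_PRIVILEGES tkp;
         tkp.PrivilegeCount = 1;
         tkp.Privileges[0].Luid = sedebugnameValue;
         tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

         if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
         {
             // AdjustTokenPrivileges also returns nonzero when the token does
             // not hold the privilege at all; only the last-error value tells
             // the two cases apart, and it must be read before any other API
             // call.
             bEnabled = (GetLastError() == ERROR_SUCCESS);
         }
     }

     // Close the token on every path; the success path used to leak it.
     CloseHandle(hToken);
     return bEnabled;
 }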
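// Entry point. Looks up the process named "memtest.exe" in a process
// snapshot, searches its memory for the DWORD 1234567 with FindFirst() and
// overwrites the recorded matches with 1000.
//
// Returns 0 (FALSE) when the snapshot fails or the target process is not
// available, and 1 after a completed run.
// NOTE(review): these exit codes are the reverse of the usual convention
// (0 = success); kept as the original had them.
int main(int argc, char* argv[])
{
  int iValue = 1234567;
  HANDLE hProcessSnap;
  // NULL until the target has been opened, so "not found" is detectable.
  HANDLE hProcess = NULL;
  PROCESSENTRY32 pe32;

  // Failure is not fatal here: the privilege only matters when the target
  // could not be opened otherwise - presumably not the case for a test
  // program started by the same user (confirm).
  GetDebugPriv();

  // Take a snapshot of all processes in the system.
  hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
  if( hProcessSnap == INVALID_HANDLE_VALUE )
  {
    printf( TEXT("CreateToolhelp32Snapshot (of processes)") );
    return( FALSE );
  }

  // Set the size of the structure before using it.
  pe32.dwSize = sizeof( PROCESSENTRY32 );

  // Retrieve information about the first process,
  // and exit if unsuccessful
  if( !Process32First( hProcessSnap, &pe32 ) )
  {
    printf( TEXT("Process32First") ); // show cause of failure
    CloseHandle( hProcessSnap );          // clean the snapshot object
    return( FALSE );
  }

  // NOTE(review): strcmp on szExeFile assumes an ANSI (non-UNICODE) build
  // and an exact, case-sensitive name match.
  char proName[] = "memtest.exe";

  // Walk the snapshot. do/while so the entry returned by Process32First is
  // examined too; a plain while( Process32Next ) loop skips it.
  do
  {
    printf( "\n\n=====================================================" );
    _tprintf( TEXT("\nPROCESS NAME:  %s"), pe32.szExeFile );
    printf( "\n-----------------------------------------------------" );

    // Compare the name first so that a handle is opened only for the
    // target, not for every process on the machine.
    if( strcmp( proName, pe32.szExeFile ) != 0 )
    {
      continue;
    }

    // Ask only for the rights ReadProcessMemory / WriteProcessMemory need,
    // instead of PROCESS_ALL_ACCESS, so the handle carries no terminate,
    // thread-creation or handle-duplication rights the program never uses.
    hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                            FALSE, pe32.th32ProcessID );
    if( hProcess == NULL )
    {
      printf( TEXT("OpenProcess error") );
      continue;
    }
    break;
  } while( Process32Next( hProcessSnap, &pe32 ) );

  // Without this check a missing target left hProcess uninitialized (or
  // already closed) and the scan ran on an invalid handle.
  if( hProcess == NULL )
  {
    printf( "\ntarget process not found" );
    CloseHandle( hProcessSnap );
    return( FALSE );
  }

  g_hProcess = hProcess;
  DWORD dwV = iValue;
  FindFirst(dwV);

  DWORD dwValue = 1000;
  // NOTE(review): the loop starts at index 1, so g_arList[0] is never
  // written - kept as in the original; confirm whether that is intended.
  // Every remaining match is overwritten, including unrelated data that
  // merely holds the same four bytes; FindNext() exists in this file to
  // narrow the list but is not called here.
  for (int i = 1; i < g_nListCnt; i++)
  {
    WriteMemory(g_arList[i], dwValue);
    cout<<endl<<iValue<<endl;
  }

  CloseHandle(hProcess);
  CloseHandle( hProcessSnap );

  getchar();
  return 1;
}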

程序流程：首先提升本进程的操作权限（启用 SeDebugPrivilege），然后遍历系统中的所有进程，找到要操作的目标进程；接着在该进程的内存中搜索要修改的变量的值，得到包含该值的所有内存地址；最后根据需要修改相应地址处的值即可。
需要注意：代码用 DWORD 保存地址，只扫描 2GB 以下的地址空间，并且最多记录 1024 个匹配地址。