2011-03-09 回答
使用ctypes模块调用WriteProcessMemory函数,可以在创建目标程序的进程之后修改该进程中指定的内存地址。所用的进程句柄必须具有PROCESS_VM_WRITE和PROCESS_VM_OPERATION访问权限;CreateProcess返回的进程句柄已具备这些权限。WriteProcessMemory的函数原型如下所示。
BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPCVOID lpBuffer,
SIZE_T nSize,
SIZE_T* lpNumberOfBytesWritten
);
其参数含义如下。
· hProcess:要写内存的进程句柄。
· lpBaseAddress:要写的内存起始地址。
· lpBuffer:写入值的地址。
· nSize:写入值的大小。
· lpNumberOfBytesWritten:指向一个变量的指针,该变量接收实际写入的字节数(可以为NULL)。
python代码示例如下:
from ctypes import *
class _PROCESS_INFORMATION(Structure):
    """ctypes layout of the Win32 PROCESS_INFORMATION structure.

    Passed by reference to CreateProcess, which stores the handles and
    identifiers of the newly created process and its primary thread here.
    """

    _fields_ = [
        ("hProcess", c_void_p),     # HANDLE: pointer-sized
        ("hThread", c_void_p),      # HANDLE: pointer-sized
        ("dwProcessId", c_ulong),   # DWORD
        ("dwThreadId", c_ulong),    # DWORD
    ]
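class _STARTUPINFO(Structure):
    """ctypes layout of the Win32 STARTUPINFOA structure (ANSI strings).

    The caller is expected to set ``cb`` to ``sizeof(_STARTUPINFO)`` before
    passing the structure to CreateProcess.

    The three standard-stream members are HANDLEs, so they are declared
    pointer-sized (``c_void_p``). Declaring them as ``c_ulong`` (32 bits on
    Windows) yields a structure that is too small on 64-bit Windows.
    """

    _fields_ = [
        ('cb', c_ulong),                # DWORD: size of this structure
        ('lpReserved', c_char_p),
        ('lpDesktop', c_char_p),
        ('lpTitle', c_char_p),
        ('dwX', c_ulong),
        ('dwY', c_ulong),
        ('dwXSize', c_ulong),
        ('dwYSize', c_ulong),
        ('dwXCountChars', c_ulong),
        ('dwYCountChars', c_ulong),
        ('dwFillAttribute', c_ulong),
        ('dwFlags', c_ulong),
        ('wShowWindow', c_ushort),      # WORD
        ('cbReserved2', c_ushort),      # WORD
        ('lpReserved2', c_char_p),      # LPBYTE (pointer-sized)
        ('hStdInput', c_void_p),        # HANDLE
        ('hStdOutput', c_void_p),       # HANDLE
        ('hStdError', c_void_p),        # HANDLE
    ]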
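NORMAL_PRIORITY_CLASS = 0x00000020  # dwCreationFlags value passed to CreateProcess

# NOTE(review): the right-hand sides of the next assignments were lost from the
# published listing. They are restored to the kernel32 exports that the
# original comments name. The ANSI entry point CreateProcessA is assumed,
# because _STARTUPINFO declares its string members as c_char_p.
# `windll` exists only on Windows.
kernel32 = windll.kernel32                        # load kernel32.dll
CreateProcess = kernel32.CreateProcessA           # CreateProcess entry point
ReadProcessMemory = kernel32.ReadProcessMemory    # ReadProcessMemory entry point
WriteProcessMemory = kernel32.WriteProcessMemory  # WriteProcessMemory entry point
TerminateProcess = kernel32.TerminateProcess
CloseHandle = kernel32.CloseHandle

# Declare the prototypes. Without them ctypes passes every integer as a 32-bit
# C int, which truncates handles and addresses on 64-bit Windows.
CreateProcess.argtypes = [c_char_p, c_char_p, c_void_p, c_void_p, c_int,
                          c_ulong, c_void_p, c_char_p,
                          POINTER(_STARTUPINFO), POINTER(_PROCESS_INFORMATION)]
CreateProcess.restype = c_int
ReadProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t,
                              POINTER(c_size_t)]
ReadProcessMemory.restype = c_int
WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t,
                               POINTER(c_size_t)]
WriteProcessMemory.restype = c_int
TerminateProcess.argtypes = [c_void_p, c_uint]
TerminateProcess.restype = c_int
CloseHandle.argtypes = [c_void_p]
CloseHandle.restype = c_int

# Instantiate the structures.
ProcessInfo = _PROCESS_INFORMATION()
StartupInfo = _STARTUPINFO()
StartupInfo.cb = sizeof(StartupInfo)  # CreateProcess expects cb to hold the structure size

file = b''            # path of the program to launch (left blank in the listing)
# Absolute virtual address. NOTE(review): only meaningful if the image is
# mapped at the base it was linked for (i.e. not relocated) - confirm.
address = 0x0040103c
# One-byte mutable buffer. c_char_p("_") would point at an immutable Python
# string object, and ReadProcessMemory would then overwrite that object.
buffer = create_string_buffer(1)
bytesRead = c_size_t(0)      # SIZE_T out-parameter: number of bytes transferred
bufferSize = sizeof(buffer)  # number of bytes to read / write

# Create the process.
if CreateProcess(file, None, None, None, 0, NORMAL_PRIORITY_CLASS, None, None,
                 byref(StartupInfo), byref(ProcessInfo)):
    try:
        # Read the byte at `address` first, to check this is the expected file.
        if ReadProcessMemory(ProcessInfo.hProcess, address, buffer, bufferSize,
                             byref(bytesRead)):
            if buffer.raw == b'\x74':
                buffer.raw = b'\x75'  # new value, written back below
                # Write the modified byte into the child's memory.
                if WriteProcessMemory(ProcessInfo.hProcess, address, buffer,
                                      bufferSize, byref(bytesRead)):
                    print('成功改写内存!')
                else:
                    print('写内存错误!')
            else:
                print('打开了错误的文件!')
                # Not the expected file: terminate the process just created.
                TerminateProcess(ProcessInfo.hProcess, 0)
        else:
            print('读内存错误!')
    finally:
        # Release the two handles returned by CreateProcess.
        CloseHandle(ProcessInfo.hThread)
        CloseHandle(ProcessInfo.hProcess)
else:
    print('不能创建进程!')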