Modify the memory value (for Windows Programming)

Source: Internet
Author: User

Program design concept:

One test program + search memory & modify memory

 

Define two variables in the test program and keep changing their contents (the same memory locations take on a sequence of values), so that a memory search can pin down the unique address of each. Just as any number of straight lines pass through a single point but a second point fixes exactly one line, a second observed value fixes the address. Of course, two values may not always be enough to confirm it. First, based on the first value, find every location in the process's memory that holds that value, and save these candidate locations.

Test program (32-bit build; the addresses are printed as 8 hex digits):

    #include <stdio.h>

    int g_nNum;

    int main(int argc, char* argv[])
    {
        int i = 198;
        g_nNum = 1003;

        // each keypress changes both variables, so their memory can be narrowed down
        while (1)
        {
            printf("i = %d, addr = %08lx; g_nNum = %d, addr = %08lx\n",
                   ++i, (unsigned long)&i, --g_nNum, (unsigned long)&g_nNum);
            getchar();
        }
        return 0;
    }

First, choose the starting address according to the OS version, and search the 2 GB user address space from that starting point.

    // Find the kind of operating system, to decide the start address
    DWORD dwBase;
    OSVERSIONINFO vi = { sizeof(vi) };
    ::GetVersionEx(&vi);
    if (vi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS)
    {
        dwBase = 4*1024*1024;   // Windows 98: user space starts at 4 MB
    }
    else
    {
        dwBase = 64*1024;       // Windows NT: user space starts at 64 KB
    }

Windows manages memory through its paging mechanism, and each page is 4 KB. We also read memory one page at a time to improve search efficiency.

    // dwBase has been determined by the code above
    for (; dwBase <= 2*dwOneGB; dwBase += dwOnePage)

Read one page of memory with ReadProcessMemory(), then scan that page once, comparing the DWORD at every byte offset against the value being searched for.

If FindFirst() returns more than one candidate, we change the value of the variable in the target program again and call FindNext() to search and filter only the saved candidates. Each round reduces the saved list, until only one address is left, which is the memory we were looking for. WriteProcessMemory() is then used to change the value at that address to whatever you want.

FindFirst(), FindNext() and WriteMemory() (a wrapper around WriteProcessMemory()) are as follows:

    #include <windows.h>
    #include <stdio.h>

    HANDLE g_hProcess = NULL;   // handle to the target process, set in main()
    DWORD  g_arList[1024];      // candidate addresses found so far
    int    g_nListCnt = 0;      // number of entries in g_arList

    BOOL CompareAPage(DWORD dwBaseAddr, DWORD dwValue)
    {
        // read one page of memory
        BYTE arBytes[4096];
        if (!::ReadProcessMemory(g_hProcess, (LPVOID)dwBaseAddr, arBytes, 4096, NULL))
        {
            return FALSE;
        }

        // search for the value on this page, at every byte offset
        DWORD* pdw;
        for (int i = 0; i < (int)4*1024-3; i++)
        {
            pdw = (DWORD*)&arBytes[i];
            if (pdw[0] == dwValue)
            {
                if (g_nListCnt >= 1024)   // candidate list is full
                    return FALSE;

                g_arList[g_nListCnt++] = dwBaseAddr + i;
            }
        }
        return TRUE;
    }

    BOOL FindFirst(DWORD dwValue)
    {
        const DWORD dwOneGB = 1024*1024*1024;
        const DWORD dwOnePage = 4*1024;

        if (g_hProcess == NULL)   // be careful: "==", not "="
        {
            return FALSE;
        }

        // find the kind of operating system, to decide the start address
        DWORD dwBase;
        OSVERSIONINFO vi = { sizeof(vi) };
        ::GetVersionEx(&vi);
        if (vi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS)
        {
            dwBase = 4*1024*1024;   // Windows 98: 4 MB
        }
        else
        {
            dwBase = 64*1024;       // Windows NT: 64 KB
        }

        // start to search from the dwBase address up to 2 GB
        for (; dwBase <= 2*dwOneGB; dwBase += dwOnePage)
        {
            CompareAPage(dwBase, dwValue);
        }
        return TRUE;
    }

    void ShowList()
    {
        for (int i = 0; i < g_nListCnt; i++)
        {
            printf("%08lx\n", g_arList[i]);
        }
    }

    BOOL FindNext(DWORD dwValue)
    {
        int nOrgCnt = g_nListCnt;
        g_nListCnt = 0;

        BOOL bRet = FALSE;
        DWORD dwReadValue;
        for (int i = 0; i < nOrgCnt; i++)
        {
            // keep only the candidates that now hold the new value
            if (::ReadProcessMemory(g_hProcess, (LPVOID)g_arList[i], &dwReadValue, sizeof(DWORD), NULL))
            {
                if (dwReadValue == dwValue)
                {
                    g_arList[g_nListCnt++] = g_arList[i];
                    bRet = TRUE;
                }
            }
        }
        return bRet;
    }

    BOOL WriteMemory(DWORD dwAddr, DWORD dwValue)
    {
        return ::WriteProcessMemory(g_hProcess, (LPVOID)dwAddr, &dwValue, sizeof(DWORD), NULL);
    }
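As an added, portable illustration (not code from the page or its project) of the page-wise search and narrowing that FindFirst() and FindNext() perform: the same algorithm runs over a constructed in-memory buffer standing in for the target's address space, so it compiles and runs without the Win32 API. The names find_first, find_next, poke32 and demo_narrow, and the offsets 0x0040, 0x1234 and 0x2FF9, are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096u
#define MAX_HITS  1024u
#define MEM_PAGES 3u

/* Constructed stand-in for the target's address space (three pages); in the page's
   scanner each page would instead be filled by ReadProcessMemory(). */
uint8_t  g_mem[MEM_PAGES * PAGE_SIZE];
uint32_t g_list[MAX_HITS];   /* candidate addresses, here offsets into g_mem */
size_t   g_cnt;

/* Little-endian 32-bit read at any byte offset: the same byte-stepping scan as the
   page's CompareAPage, without its unaligned DWORD* cast. */
uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* FindFirst equivalent. Returns 0 if the candidate list overflowed (the original
   silently ignores that); a value straddling a page boundary is missed, as in the original. */
int find_first(uint32_t value) {
    g_cnt = 0;
    for (uint32_t base = 0; base < MEM_PAGES * PAGE_SIZE; base += PAGE_SIZE)
        for (uint32_t i = 0; i + 4 <= PAGE_SIZE; i++) {
            if (rd32(&g_mem[base + i]) != value) continue;
            if (g_cnt >= MAX_HITS) return 0;
            g_list[g_cnt++] = base + i;
        }
    return 1;
}

/* FindNext equivalent: keep only the candidates that now hold the new value. */
size_t find_next(uint32_t value) {
    size_t kept = 0;
    for (size_t i = 0; i < g_cnt; i++)
        if (rd32(&g_mem[g_list[i]]) == value) g_list[kept++] = g_list[i];
    return g_cnt = kept;
}

/* Stands in for the target program storing its variable (constructed scenario). */
void poke32(uint32_t off, uint32_t v) {
    for (int k = 0; k < 4; k++) g_mem[off + k] = (uint8_t)(v >> (8 * k));
}

/* Two-round narrowing as the page describes: the variable at 0x1234 goes 198 -> 199 on the
   "keypress"; decoys at 0x0040 and unaligned 0x2FF9 stay 198. Returns the single survivor, or 0. */
uint32_t demo_narrow(void) {
    memset(g_mem, 0, sizeof g_mem);
    poke32(0x0040, 198); poke32(0x1234, 198); poke32(0x2FF9, 198);
    if (!find_first(198) || g_cnt != 3) return 0;   /* three candidates after round one */
    poke32(0x1234, 199);                             /* ++i in the test program */
    return find_next(199) == 1 ? g_list[0] : 0;
}
```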

 

The main function is attached below:

    int main(int argc, char* argv[])
    {
        // start the process "02Testor" (adjust the path to your own build location)
        char szFileName[] = "F:\\steel\\Windows Programme\\02Testor\\Debug\\02Testor.exe";
        STARTUPINFO si = { sizeof(si) };
        PROCESS_INFORMATION pi;
        if (!::CreateProcess(NULL, szFileName, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
        {
            printf("failed to start the test program\n");
            return 1;
        }
        ::CloseHandle(pi.hThread);

        // the handle returned by CreateProcess has full access, so it can be read and written
        g_hProcess = pi.hProcess;

        int iVal;
        printf("input iVal = ");
        scanf("%d", &iVal);

        // find for the first time
        FindFirst(iVal);

        printf("g_nListCnt = %d\n", g_nListCnt);

        // show the result
        ShowList();

        while (g_nListCnt > 1)
        {
            printf("input iVal = ");
            scanf("%d", &iVal);

            // narrow the candidates with the new value
            FindNext(iVal);

            // show the result
            ShowList();
        }

        if (g_nListCnt == 0)   // nothing matched: g_arList[0] would be garbage
        {
            printf("no matching memory found\n");
            ::CloseHandle(g_hProcess);
            return 1;
        }

        // get the new value
        printf("input the new value = ");
        scanf("%d", &iVal);

        if (WriteMemory(g_arList[0], iVal))
        {
            printf("write new value success!\n");
        }

        ::CloseHandle(g_hProcess);

        return 0;
    }
