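/*
 * Demonstration listing: enumerate running processes by image name and scan
 * the committed read/write memory of each match for the marker "index?uin=",
 * then print the characters that follow it up to the next '&'.
 *
 * Security-relevant point for readers: the scan needs nothing more than a
 * handle opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, so any
 * value an application leaves in cleartext in its own memory is readable by
 * other code that can obtain such a handle. Cross-process handle opens that
 * request PROCESS_VM_READ are what process-access telemetry (for example
 * Sysmon event ID 10, ProcessAccess) records.
 *
 * The listing was recovered from a whitespace- and case-mangled paste;
 * Win32 identifiers are restored to their documented spelling.
 */
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Regions smaller than this many bytes are skipped.
 * NOTE(review): the recovered text shows the garbled literal `1024x768`;
 * presumably the author wrote 1024 * 768 - confirm against the original.
 */
enum { MIN_REGION_BYTES = 1024 * 768 };

/**
 * Find the first occurrence of a NUL-terminated pattern inside a buffer that
 * is NOT required to be NUL-terminated.
 *
 * @param pszString     buffer to search (may contain embedded NULs)
 * @param iStrLen       number of TCHAR elements valid in pszString
 * @param pszSearchStr  NUL-terminated pattern
 * @return index (in TCHAR elements) of the first match, or 0 when there is
 *         no match. A match at index 0 is therefore indistinguishable from
 *         "not found"; this return convention is kept for existing callers.
 *
 * The previous skip heuristic was replaced by a plain bounded scan: after a
 * partial match it advanced by the number of matched characters, which can
 * step over a real match, and on a first-character mismatch it read
 * pszString[i + patternLength], one element past the buffer when the window
 * sits at the very end.
 */
int Searchstr(PTSTR pszString, int iStrLen, PTSTR pszSearchStr)
{
    if (pszString == NULL || pszSearchStr == NULL || iStrLen <= 0) {
        return 0;
    }

    const size_t patLen = _tcslen(pszSearchStr);
    if (patLen == 0 || patLen > (size_t)iStrLen) {
        return 0;
    }

    /* Last start index at which the whole pattern still fits in the buffer. */
    const size_t last = (size_t)iStrLen - patLen;

    for (size_t i = 0; i <= last; i++) {
        /* Cheap first-element test before the full comparison. */
        if (pszString[i] == pszSearchStr[0] &&
            memcmp(&pszString[i], pszSearchStr, patLen * sizeof(TCHAR)) == 0) {
            return (int)i;
        }
    }
    return 0;
}

/**
 * Scan the committed PAGE_READWRITE regions of one process for the marker
 * "index?uin=" and print the address of the first hit plus the characters
 * that follow the marker up to the next '&'.
 *
 * @param dwPid  identifier of the process to open
 * @return TCHAR index of the marker inside the region where it was found,
 *         or 0 when the process could not be opened, a region query failed,
 *         or no region contained the marker.
 *
 * Changes against the recovered listing:
 *  - addresses are kept in ULONG_PTR instead of DWORD, so they are not
 *    truncated when pointers are wider than 32 bits;
 *  - the byte count from ReadProcessMemory is converted to a TCHAR count
 *    before searching, so the search never runs over uninitialised buffer;
 *  - the print loop is bounded by the data actually read instead of running
 *    until a '&' happens to appear;
 *  - the region buffer and the process handle are released on every path
 *    (the original leaked both when the marker was found, and leaked the
 *    handle when VirtualQueryEx failed).
 */
int Readmem(DWORD dwPid)
{
    /* Marker searched for in the target's memory. */
    TCHAR szSub[] = TEXT("index?uin=");
    const size_t subLen = _tcslen(szSub);
    int iPos = 0;

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                  FALSE, dwPid);
    if (hProcess == NULL) {
        return 0;
    }

    SYSTEM_INFO si;
    GetSystemInfo(&si);

    ULONG_PTR addr = (ULONG_PTR)si.lpMinimumApplicationAddress;
    const ULONG_PTR maxAddr = (ULONG_PTR)si.lpMaximumApplicationAddress;
    const DWORD startTick = GetTickCount();
    BOOL found = FALSE;

    while (!found && addr < maxAddr) {
        MEMORY_BASIC_INFORMATION mbi;

        if (VirtualQueryEx(hProcess, (LPCVOID)addr, &mbi, sizeof(mbi)) != sizeof(mbi)) {
            CloseHandle(hProcess);
            return 0;
        }

        if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE &&
            mbi.RegionSize >= (SIZE_T)MIN_REGION_BYTES) {
            /* One byte of buffer per byte of region; a failed allocation
             * simply skips the region, as a failed read did before. */
            TCHAR *memBuf = malloc(mbi.RegionSize);

            if (memBuf != NULL) {
                SIZE_T bytesRead = 0;

                if (ReadProcessMemory(hProcess, (LPCVOID)addr, memBuf,
                                      mbi.RegionSize, &bytesRead)) {
                    /* Searchstr counts TCHAR elements, not bytes, and takes
                     * an int length, so convert and clamp. */
                    size_t chars = bytesRead / sizeof(TCHAR);
                    if (chars > (size_t)INT_MAX) {
                        chars = (size_t)INT_MAX;
                    }

                    iPos = Searchstr(memBuf, (int)chars, szSub);
                    if (iPos) {
                        _tprintf(TEXT(">>> address:0x%p\n"),
                                 (void *)(addr + (ULONG_PTR)iPos * sizeof(TCHAR)));

                        _tprintf(TEXT(">>> QQ:"));
                        /* Print element by element; stop at '&' or at the
                         * end of the data that was actually read. */
                        for (size_t k = (size_t)iPos + subLen;
                             k < chars && memBuf[k] != TEXT('&'); k++) {
                            _tprintf(TEXT("%c"), memBuf[k]);
                        }
                        _tprintf(TEXT("\n"));

                        /* First hit is enough; leave the loop after cleanup. */
                        found = TRUE;
                    }
                }
                free(memBuf);
            }
        }

        /* Continue with the region that follows; stop if the address would
         * not advance (wrap-around at the top of the address space). */
        const ULONG_PTR next = (ULONG_PTR)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) {
            break;
        }
        addr = next;
    }

    CloseHandle(hProcess);

    /* Elapsed wall-clock time of the scan in milliseconds. */
    const DWORD elapsed = GetTickCount() - startTick;
    _tprintf(TEXT(">>> Time:%d ms\n"), (int)elapsed);

    return iPos;
}

/**
 * Walk a process snapshot and run Readmem on every process whose image name
 * equals pszProcessName (exact, case-sensitive comparison).
 *
 * @param pszProcessName  image name to look for
 * @return identifier of the last matching process, or 0 when the snapshot
 *         could not be taken or no process matched.
 *
 * Uses the TCHAR routines (_tcscmp, _tprintf) throughout; the recovered
 * listing mixed in wcscmp/wprintf, which only builds when UNICODE is
 * defined, and passed an unused argument to the closing separator line.
 */
DWORD Findbypid(PTSTR pszProcessName)
{
    DWORD dwProcessId = 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 pe32;
    /* dwSize must be set before the first Process32First call. */
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hSnap, &pe32)) {
        CloseHandle(hSnap);
        return 0;
    }

    do {
        if (_tcscmp(pszProcessName, pe32.szExeFile) == 0) {
            dwProcessId = pe32.th32ProcessID;
            _tprintf(TEXT(">>>------PID =%d------\n"), (int)dwProcessId);
            Readmem(dwProcessId);
            _tprintf(TEXT(">>>------------------------\n"));
        }
    } while (Process32Next(hSnap, &pe32));

    CloseHandle(hSnap);
    return dwProcessId;
}

/* Entry point: look for QQ.exe and report when no such process is running. */
int main(void)
{
    TCHAR szProc[] = TEXT("QQ.exe");
    DWORD dwPid = Findbypid(szProc);

    if (!dwPid) {
        _tprintf(TEXT(">>> do not found the qq.exe\n"));
    }
    return 0;
}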
[Repost] Source code for an in-memory search for the QQ number, from the Snow Forum