Read Memory Data

Readprocessmemory:
Bool readprocessmemory (
Handle hprocess, // the handle of the read process;
Lpcvoid lpbaseaddress, // start address of the read;
Lpvoid lpbuffer, // store the read data buffer;
DWORD nsize, // number of bytes read at a time;
Lpdword lpnumberofbytesread // number of bytes actually read;
);
The hprocess handle can be obtained by the OpenProcess function. Its prototype is as follows:
Handle OpenProcess (
DWORD dwdesiredaccess, // access flag;
Bool binherithandle, // inherits the flag;
DWORD dwprocessid // process ID;
);

---- Of course, do not forget to use closehandle to close the opened handle. Dwdesiredaccess in the memory of another process must be specified as process_vm_read, and dwdesiredaccess in the memory of another process must be specified as process_vm_write. The Inheritance mark does not matter. The process ID can be obtained by process32first and process32next, the two functions can enumerate all enabled processes, so that the process information is obtained. Process32first and process32next are provided by tlhelp32 units and must be added to uses. Toolshelp32 encapsulates some functions to access the heap, thread, process, and so on. It is only applicable to Win9x, and its prototype is as follows:

Bool winapi process32first (
Handle hsnapshot //
Returned by createconlhelp32snapshot
System Snapshot handle;
Lpprocessentry32 lppe // point to a processentry32 structure;
);
Bool winapi process32next (
Handle hsnapshot // returned by createconlhelp32snapshot
System Snapshot handle;
Lpprocessentry32 lppe // point to a processentry32 structure;
);
The System Snapshot handle returned by createconlhelp32snapshot;
The original form of createconlhelp32snapshot is as follows:
Handle winapi createconlhelp32snapshot (
DWORD dwflags, // snapshot flag;
DWORD th32processid // process ID;
);
Now we need process information, so we need dwflags
Th32cs_snapprocess,
Th32processid is ignored; the structure of processentry32 is as follows:
Typedef struct tagprocessentry32 {
DWORD dwsize; // structure size;
DWORD cntusage; // reference count of this process;
DWORD th32processid; // process ID;
DWORD th32defaultheapid; // The default heap ID of the process;
DWORD th32moduleid; // Process Module ID;
DWORD cntthreads; // The number of threads enabled by this process;
DWORD th32parentprocessid; // parent process ID;
Long pcpriclassbase; // thread priority;
DWORD dwflags; // reserved;
Char szexefile [max_path]; // process full name;
} Processentry32;

---- At this point, the main functions used have been described. To implement READ memory, you only need to call the above functions from bottom to top. For details, see the original code:

Handle hprocess;
Handle hsnapshot;
 
Processentry32 fprocessentry32;
DWORD th32processid;

Hsnapshot = createconlhelp32snapshot (th32cs_snapprocess, 0 );
Fprocessentry32.dwsize = sizeof (fprocessentry32 );
Int flag = 0;
If (process32first (hsnapshot, & fprocessentry32 ))
{
Do
{
If (cstring) fprocessentry32.szexefile = "file encryption. EXE ")
{
Flag = 1;
Break;
}
} While (process32next (hsnapshot, & fprocessentry32 ));

If (flag = 1)
{
This-> MessageBox (fprocessentry32.szexefile );
Th32processid = fprocessentry32.th32processid;
DWORD nsize;
Nsize = 4;
Char * Buff;

Buff = (char *) globalalloc (gmem_fixed | gmem_zeroinit, nsize );
Hprocess = OpenProcess (process_vm_read, false, th32processid );

DWORD dwread;
Readprocessmemory (hprocess, (lpcvoid) 0x000283a2, buff, nsize, & dwread );//??
This-> MessageBox (cstring) buff );

Globalfree (buff );
}

}

Closehandle (hsnapshot );

// 2 types

1. Read the form handle through findwindow

2. Read the pid value of the form handle process through getwindowthreadprocessid

3. Use OpenProcess (process_query_information or process_vm_operation or process_vm_read or process_vm_write, 0, processid) to open the process for checking the PID value. This enables read, write, and query permissions.

4. readprocessmemory reads the specified memory address data