/* 本源码由TC简单软件科技有限公司开源,功能可以自由修改、发布、 长沙简单软件科技有限公司对于源码不做后期维护,,请大家在使用过程中遵循开源协议 */ #include "StdAfx.h" #include "TSMemoryAPI.h" #include #include #include "TSRuntime.h" #include "TSMyUser32DllFuntion.h" #include "TSMyKernel32DllFuntion.h" //#include "TSVIPHookFuntion.h" #pragma comment ( lib, "psapi.lib" ) extern myOpenProcess my_OpenProcess; extern myGetWindowThreadProcessId my_GetWindowThreadProcessId; extern myReadProcessMemory my_ReadProcessMemory; extern myWriteProcessMemory my_WriteProcessMemory; extern myTerminateProcess my_TerminateProcess; extern myVirtualProtect my_VirtualProtect; extern myVirtualProtectEx my_VirtualProtectEx; extern myCreateRemoteThread my_CreateRemoteThread; extern myZwOpenProcess my_ZwOpenProcess; typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG); PROCNTQSIP NtQueryInformationProcess; //NtReadVirtualMemory( // IN HANDLE ProcessHandle, // IN PVOID BaseAddress, // OUT PVOID Buffer, // IN ULONG NumberOfBytesToRead, // OUT PULONG NumberOfBytesReaded OPTIONAL ); extern DWORD Ntdll_ProtectVirtual; extern DWORD Ntdll_ProtectVirtualEax; extern DWORD ZwWriteVirtualMemoryRet; extern DWORD ZwWriteVirtualMemoryEax; DWORD GetWindowThreadProcessIdRet=0; __declspec(naked) DWORD WINAPI My_GetWindowThreadProcessId( HWND hWnd, LPDWORD lpdwProcessId ) { _asm { mov edi,edi push ebp mov ebp,esp jmp GetWindowThreadProcessIdRet; } } DWORD ZwOpenProcessRet=0; DWORD ZwOpenProcessEax=0; __declspec(naked) NTSTATUS WINAPI My_ZwOpenProcess( __out PHANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __in_opt PCLIENT_ID ClientId ) { _asm { //MOV EAX,0x23 //win7 mov eax,ZwOpenProcessEax; jmp ZwOpenProcessRet; } } HANDLE My_OpenProcess(int proid) { HANDLE ProcessHandle=(HANDLE)0; OBJECT_ATTRIBUTES ObjectAttribute={sizeof(OBJECT_ATTRIBUTES), 0,NULL,NULL}; ObjectAttribute.Attributes=0; CLIENT_ID ClientIds; ClientIds.UniqueProcess=(HANDLE)proid; ClientIds.UniqueThread=(HANDLE)0; 
My_ZwOpenProcess(&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttribute,&ClientIds); ProcessHandle; return ProcessHandle; } int GetProcessNumber()//获取CPU个数 ,CPU核数决定线程个数 { SYSTEM_INFO info; GetSystemInfo(&info); return (int)info.dwNumberOfProcessors; } TSMemoryAPI::TSMemoryAPI(void) { nPid=0; retstringlen=0; asmcodearry.clear(); memset(Asmcalladdr,0,MAX_PATH); allocatememory=NULL; int sysvion=TSRuntime::InitialWindowsVersion(); if(GetWindowThreadProcessIdRet==0) { DWORD addr=(DWORD)GetProcAddress(GetModuleHandle(L"user32.dll"),"GetWindowThreadProcessId"); GetWindowThreadProcessIdRet=addr+5; } if(ZwWriteVirtualMemoryRet==0) { DWORD addr=(DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"ZwWriteVirtualMemory"); ZwWriteVirtualMemoryRet=addr+5; if(sysvion==4&&TSRuntime::IsWin7X64)//win7X64 ZwWriteVirtualMemoryEax=0x37; else if(sysvion==4)//win7x86 ZwWriteVirtualMemoryEax=0x18F; else if(sysvion==1)//WINXP ZwWriteVirtualMemoryEax=0x115; else if(sysvion==2)//WIN2003 ZwWriteVirtualMemoryEax=0x11f; else if(sysvion==5&&TSRuntime::IsWin8X64) ZwWriteVirtualMemoryEax=0x38; else if(sysvion==5)//win8X86 ZwWriteVirtualMemoryEax=0x2; } if(Ntdll_ProtectVirtual==0) { DWORD addr=(DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"ZwProtectVirtualMemory"); Ntdll_ProtectVirtual=addr+5; if(sysvion==4&&TSRuntime::IsWin7X64)//win7X64 Ntdll_ProtectVirtualEax=0x4d; else if(sysvion==4)//win7x86 Ntdll_ProtectVirtualEax=0xd7; else if(sysvion==1)//WINXP Ntdll_ProtectVirtualEax=0x89; else if(sysvion==2)//WIN2003 Ntdll_ProtectVirtualEax=0x8f; else if(sysvion==5&&TSRuntime::IsWin8X64) Ntdll_ProtectVirtualEax=0x4e; else if(sysvion==5)//win8X86 Ntdll_ProtectVirtualEax=0xC3; } if(ZwOpenProcessRet==0) { DWORD addr=(DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"ZwOpenProcess"); ZwOpenProcessRet=addr+5; if(sysvion==4&&TSRuntime::IsWin7X64)//win7X64 ZwOpenProcessEax=0x23; else if(sysvion==4)//win7x86 ZwOpenProcessEax=0xBe; else if(sysvion==1)//WINXP ZwOpenProcessEax=0x7a; else if(sysvion==2)//WIN2003 
ZwOpenProcessEax=0X80; else if(sysvion==5&&TSRuntime::IsWin8X64) ZwOpenProcessEax=0X24; else if(sysvion==5)//win8X86 ZwOpenProcessEax=0XDD; } // m_mutex=mm_mutex; } TSMemoryAPI::~TSMemoryAPI(void) { } void FindDataThread(void *para) { PFindDataInfo info=(PFindDataInfo)para; BYTE buffData[4096]={0}; int retstrlen=0; //DWORD count=0; DWORD dwRead=0; DWORD ibegin=0; if(info->FindDataType==FINDDATATYPE_FINDFLOATEX) //FindFloatEx { for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(info->dwbegin[n]),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { float *float_value=(float *)&buffData[i]; if(*float_value>=info->float_value_min&&*float_value<=info->float_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwend[n]&&info->dwend[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { float *float_value=(float *)&buffData[i]; if(*float_value>=info->float_value_min&&*float_value<=info->float_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else 
swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } if(info->dwend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } else if(info->FindDataType==FINDDATATYPE_FINDDOUBLEEX) //FindDoubleEx { for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { double *double_value=(double *)&buffData[i]; if(*double_value>=info->double_value_min&&*double_value<=info->double_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwend[n]&&info->dwend[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { double *double_value=(double *)&buffData[i]; if(*double_value>=info->double_value_min&&*double_value<=info->double_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); 
else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } if(info->dwend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } else if(info->FindDataType==FINDDATATYPE_FINDINTEX)//FindIntEx { for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(info->FindIntType==0)//0 : 32位 { int *value=(int *)&buffData[i]; if(*value>=info->int_value_min&&*value<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } else if(info->FindIntType==1) //1 : 16 位 { short *value=(short *)&buffData[i]; if(*value>=info->int_value_min&&*value<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { 
LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } else if(info->FindIntType==2)//2 : 8位 { if(buffData[i]>=info->int_value_min&&buffData[i]<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwend[n]&&info->dwend[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(info->FindIntType==0)//0 : 32位 { int *value=(int *)&buffData[i]; if(*value>=info->int_value_min&&*value<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } else if(info->FindIntType==1) //1 : 16 位 { short *value=(short *)&buffData[i]; if(*value>=info->int_value_min&&*value<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { 
LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } else if(info->FindIntType==2)//2 : 8位 { if(buffData[i]>=info->int_value_min&&buffData[i]<=info->int_value_max) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; LeaveCriticalSection(&info->m_mutex); } } } } if(info->dwend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } else if(info->FindDataType==FINDDATATYPE_FINDDATAEX) { int nindex=0; for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==info->Finddata[nindex]||info->Finddata[nindex]==256)// unknow=256;//标记??模糊查询 { if(info->FindIntType==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)-nindex); else swprintf(inx,L"|%X",(ibegin+i)-nindex); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)-nindex); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else 
nindex=0; } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwend[n]&&info->dwend[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==info->Finddata[nindex]||info->Finddata[nindex]==256)// unknow=256;//标记??模糊查询 { if(info->FindIntType==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)-nindex); else swprintf(inx,L"|%X",(ibegin+i)-nindex); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)-nindex); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else nindex=0; } } if(info->dwend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } else if(info->FindDataType==FINDDATATYPE_FINDSTRINGEX) { int nindex=0; //////////////////0:ASCCII编码查找 1:Unicode编码查找////////////////////////////// if(info->FindIntType == 1) { USES_CONVERSION; int len=wcslen(info->Findstring); char chstr[MAX_PATH*2]={0}; strcpy(chstr,W2A(info->Findstring)); len=strlen(chstr);; for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==chstr[nindex]) { if(len==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) 
retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)-nindex); else swprintf(inx,L"|%X",(ibegin+i)-nindex); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)-nindex); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else nindex=0; } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwbegin[n]&&info->dwbegin[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==chstr[nindex]) { if(len==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)-nindex); else swprintf(inx,L"|%X",(ibegin+i)-nindex); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,(ibegin+i)-nindex); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else nindex=0; } } if(info->dwbegin[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwbegin[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } else if(info->FindIntType==0) { int len=wcslen(info->Findstring); for(int n=0;ndwncount;n++) { EnterCriticalSection(&info->m_mutex);//临界区保护多线程 for(int k=0;kdwncount;k++) { if(info->bfindindex[k]==true) n=k; else { info->bfindindex[k]=true; break; } } LeaveCriticalSection(&info->m_mutex);//临界区保护多线程 int size=info->dwend[n]-info->dwbegin[n]; if(size<=4096) { ibegin=info->dwbegin[n]; ::memset(buffData,0,size); if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,size,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==info->Findstring[nindex]) { if(len==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) 
//记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",ibegin+(i-nindex)*2); else swprintf(inx,L"|%X",ibegin+(i-nindex)*2); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,ibegin+(i-nindex)*2); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else nindex=0; } } } else { ibegin=info->dwbegin[n]; int sizen=4096; while(ibegindwend[n]&&info->dwend[n]>0) { if(ReadProcessMemory(info->hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==info->Findstring[nindex]) { if(len==(nindex+1)) //匹配成功 { EnterCriticalSection(&info->m_mutex);//临界区保护多线程对同一个字符串操作 if(info->count<=20000) //记录找到地址的上限为20000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(info->retstr); if(retstrlen==0) swprintf(inx,L"%X",ibegin+(i-nindex)*2); else swprintf(inx,L"|%X",ibegin+(i-nindex)*2); wcscat(info->retstr,inx); //swprintf(info->retstr,L"%s|%X",info->retstr,ibegin+(i-nindex)*2); } else { LeaveCriticalSection(&info->m_mutex); return; } info->count++; nindex=0; LeaveCriticalSection(&info->m_mutex); } nindex++; } else nindex=0; } } if(info->dwend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=info->dwend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } } } } bool TSMemoryAPI::TSFindInt(LONG hwnd,wchar_t * addr_range,wchar_t *retstr,LONG int_value_min, LONG int_value_max,LONG type,bool threadtype) { bool bret=false; LONG ibegin=0; LONG ipend=0; DWORD MaxAddrs[MAX_PATH*200]={0};//最大寻址的地址个数 int naddr=0; if(TSGetaddr_range(addr_range,ibegin,ipend,MaxAddrs,naddr)) { if(ibegin>=ipend&&naddr==0) return bret; DWORD Pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&Pid); TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) 
// hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(Pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)Pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } int retstrlen=0; DWORD dwRead=0; int count=0; if(ibegin>=0&&naddr==0) { if(ibegin<0x400000) ibegin=0x400000; DWORD nbegin[MAX_PATH*10]={0}; DWORD npend[MAX_PATH*10]={0}; int naddr=0; GetFindaddr(hprocess,(LPVOID)ibegin,(LPVOID)ipend,nbegin,npend,naddr); if(naddr==0) return bret; if(threadtype)//是否多线程模式 { DWORD ncpu=GetProcessNumber();//获取CPU个数,决定多线程的个数 HANDLE threadhandle[MAX_PATH]={0}; //双核以下CPU双线程 if(ncpu<=2) ncpu=2; else if(ncpu>=8) ncpu=8; FindDataInfo info; info.FindDataType=FINDDATATYPE_FINDINTEX; info.hprocess=hprocess; info.int_value_min=int_value_min; info.int_value_max=int_value_max; info.FindIntType=type; info.retstr=retstr; info.dwncount=naddr; memcpy(info.dwbegin,nbegin,naddr*sizeof(DWORD)); memcpy(info.dwend,npend,naddr*sizeof(DWORD)); InitializeCriticalSection(&info.m_mutex); for(int i=0;i=int_value_min&&*value<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } else if(type==1) //1 : 16 位 { short *value=(short *)&buffData[i]; if(*value>=int_value_min&&*value<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } else if(type==2)//2 : 8位 { if(buffData[i]>=int_value_min&&buffData[i]<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) 
retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } } } } else { ibegin=nbegin[n]; int sizen=4096; while(ibegin0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(type==0)//0 : 32位 { int *value=(int *)&buffData[i]; if(*value>=int_value_min&&*value<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } else if(type==1) //1 : 16 位 { short *value=(short *)&buffData[i]; if(*value>=int_value_min&&*value<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } else if(type==2)//2 : 8位 { if(buffData[i]>=int_value_min&&buffData[i]<=int_value_max) { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; bret=true; } } } } if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //BYTE buffData[4096]={0}; //while(ibegin0) // { // ::memset(buffData,0,4096); // if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,4096,&dwRead)) // { // int i=0; // for(;i<(int)dwRead;i++) // { // if(type==0)//0 : 32位 // { // int *value=(int *)&buffData[i]; // if(*value>=int_value_min&&*value<=int_value_max) // { // if(count<=20000) // { // if(retstrlen==0) // 
retstrlen=wcslen(retstr); // if(retstrlen==0) // swprintf(retstr,L"%X",(ibegin+i)); // else // swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); // } // count++; // bret=true; // } // } // else if(type==1) //1 : 16 位 // { // short *value=(short *)&buffData[i]; // if(*value>=int_value_min&&*value<=int_value_max) // { // if(count<=20000) // { // if(retstrlen==0) // retstrlen=wcslen(retstr); // if(retstrlen==0) // swprintf(retstr,L"%X",(ibegin+i)); // else // swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); // } // count++; // bret=true; // } // } // else if(type==2)//2 : 8位 // { // if(buffData[i]>=int_value_min&&buffData[i]<=int_value_max) // { // if(count<=20000) // { // if(retstrlen==0) // retstrlen=wcslen(retstr); // if(retstrlen==0) // swprintf(retstr,L"%X",(ibegin+i)); // else // swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); // } // count++; // bret=true; // } // } // } // } // ibegin=ibegin+4096; // } } else { if(type==0)//0 : 32位 { int value=0; for(int i=0;i=int_value_min&&value<=int_value_max) { if(count<=2000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",MaxAddrs[i]); else swprintf(inx,L"|%X",MaxAddrs[i]); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,MaxAddrs[i]); } bret=true; count++; } } } } else if(type==1) //1 : 16 位 { short value=0; for(int i=0;i=int_value_min&&value<=int_value_max) { if(count<=2000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",MaxAddrs[i]); else swprintf(inx,L"|%X",MaxAddrs[i]); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,MaxAddrs[i]); } bret=true; count++; } } } } else if(type==2)//2 : 8位 { BYTE value=0; for(int i=0;i=int_value_min&&value<=int_value_max) { if(count<=2000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",MaxAddrs[i]); else swprintf(inx,L"|%X",MaxAddrs[i]); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,MaxAddrs[i]); } bret=true; count++; } 
} } } } } return bret; } bool TSMemoryAPI::TSFindFloat(LONG hwnd,wchar_t * addr_range,wchar_t *retstr,FLOAT float_value_min, FLOAT float_value_max,bool threadtype) { // TSRuntime::newstr=NULL; bool bret=false; LONG ibegin=0; LONG ipend=0; DWORD MaxAddrs[MAX_PATH*200]={0};//最大寻址的地址个数 int naddr=0; int count=0; if(TSGetaddr_range(addr_range,ibegin,ipend,MaxAddrs,naddr)) { if(ibegin>=ipend&&naddr==0) return bret; DWORD Pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&Pid); TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(Pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)Pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } int retstrlen=0; DWORD dwRead=0; if(ibegin>=0&&naddr==0) { if(ibegin<0x400000) ibegin=0x400000; DWORD nbegin[MAX_PATH*10]={0}; DWORD npend[MAX_PATH*10]={0}; int naddr=0; GetFindaddr(hprocess,(LPVOID)ibegin,(LPVOID)ipend,nbegin,npend,naddr); if(naddr==0) return bret; if(threadtype)//是否多线程模式 { memset(TSRuntime::membstr,0,MAX_PATH*200); DWORD ncpu=GetProcessNumber();//获取CPU个数,决定多线程的个数 HANDLE threadhandle[MAX_PATH]={0}; //双核以下CPU双线程 if(ncpu<=2) ncpu=2; else if(ncpu>=8) ncpu=8; FindDataInfo info; info.FindDataType=FINDDATATYPE_FINDFLOATEX; info.hprocess=hprocess; info.float_value_min=float_value_min; info.float_value_max=float_value_max; info.retstr=retstr; info.dwncount=naddr; memcpy(info.dwbegin,nbegin,naddr*sizeof(DWORD)); memcpy(info.dwend,npend,naddr*sizeof(DWORD)); InitializeCriticalSection(&info.m_mutex); for(int i=0;i=float_value_min&&*float_value<=float_value_max) { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); 
if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; } } } } else { ibegin=nbegin[n]; int sizen=4096; while(ibegin0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { float *float_value=(float *)&buffData[i]; if(*float_value>=float_value_min&&*float_value<=float_value_max) { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; } } } if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //BYTE buffData[4096]={0}; //while(ibegin0) // { // ::memset(buffData,0,4096); // if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,4096,&dwRead)) // { // int i=0; // for(;i<(int)dwRead;i++) // { // float *float_value=(float *)&buffData[i]; // if(*float_value>=float_value_min&&*float_value<=float_value_max) // { // if(count<=10000) // { // if(retstrlen==0) // retstrlen=wcslen(retstr); // if(retstrlen==0) // swprintf(retstr,L"%X",(ibegin+i)); // else // swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); // } // count++; // bret=true; // } // } // } // ibegin=ibegin+4096; // } } else { float buffData=0; for(int i=0;i=float_value_min&&buffData<=float_value_max) { if(count<=10000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",MaxAddrs[i]); else swprintf(inx,L"|%X",MaxAddrs[i]); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,MaxAddrs[i]); } bret=true; count++; } } } } } //if(bret&&count>1600) // TSRuntime::newstr=::SysAllocString(retstr); return bret; } bool TSMemoryAPI::TSFindDouble(LONG hwnd,wchar_t * addr_range,wchar_t *retstr,double double_value_min,double 
double_value_max,bool threadtype) { bool bret=false; LONG ibegin=0; LONG ipend=0; DWORD MaxAddrs[MAX_PATH*200]={0};//最大寻址的地址个数 int naddr=0; if(TSGetaddr_range(addr_range,ibegin,ipend,MaxAddrs,naddr)) { if(ibegin>=ipend&&naddr==0) return bret; DWORD Pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&Pid); TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(Pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)Pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } int retstrlen=0; DWORD dwRead=0; int count=0; if(ibegin>=0&&naddr==0) { if(ibegin<0x400000) ibegin=0x400000; DWORD nbegin[MAX_PATH*10]={0}; DWORD npend[MAX_PATH*10]={0}; int naddr=0; GetFindaddr(hprocess,(LPVOID)ibegin,(LPVOID)ipend,nbegin,npend,naddr); if(naddr==0) return bret; if(threadtype)//是否多线程模式 { memset(TSRuntime::membstr,0,MAX_PATH*200); DWORD ncpu=GetProcessNumber();//获取CPU个数,决定多线程的个数 HANDLE threadhandle[MAX_PATH]={0}; //双核以下CPU双线程 if(ncpu<=2) ncpu=2; else if(ncpu>=8) ncpu=8; FindDataInfo info; info.FindDataType=FINDDATATYPE_FINDDOUBLEEX; info.hprocess=hprocess; info.double_value_min=double_value_min; info.double_value_max=double_value_max; info.retstr=retstr; info.dwncount=naddr; memcpy(info.dwbegin,nbegin,naddr*sizeof(DWORD)); memcpy(info.dwend,npend,naddr*sizeof(DWORD)); InitializeCriticalSection(&info.m_mutex); for(int i=0;i=double_value_min&&*double_value<=double_value_max) { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } 
count++; } } } } else { ibegin=nbegin[n]; int sizen=4096; while(ibegin0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { double *double_value=(double *)&buffData[i]; if(*double_value>=double_value_min&&*double_value<=double_value_max) { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)); else swprintf(inx,L"|%X",(ibegin+i)); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); } count++; } } } if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //BYTE buffData[4096]={0}; //while(ibegin0) // { // ::memset(buffData,0,4096); // if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,4096,&dwRead)) // { // int i=0; // for(;i<(int)dwRead;i++) // { // double *double_value=(double *)&buffData[i]; // if(*double_value>=double_value_min&&*double_value<=double_value_max) // { // if(count<=5000) //记录找到地址的上限为5000,防止溢出 // { // if(retstrlen==0) // retstrlen=wcslen(retstr); // if(retstrlen==0) // swprintf(retstr,L"%X",(ibegin+i)); // else // swprintf(retstr,L"%s|%X",retstr,(ibegin+i)); // } // count++; // } // } // } // ibegin=ibegin+4096; // } } else { double buffData=0; for(int i=0;i=double_value_min&&buffData<=double_value_max) { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",MaxAddrs[i]); else swprintf(inx,L"|%X",MaxAddrs[i]); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,MaxAddrs[i]); } count++; } } } } } return bret; } bool TSMemoryAPI::TSFindData(LONG hwnd,wchar_t * addr_range,wchar_t *data,wchar_t *retstr,bool threadtype) { bool bret=false; LONG ibegin=0; LONG ipend=0; DWORD MaxAddrs[MAX_PATH*200]={0};//最大寻址的地址个数 int naddr=0; if(wcslen(data)==0||wcslen(addr_range)==0) return false; 
if(TSGetaddr_range(addr_range,ibegin,ipend,MaxAddrs,naddr)) { if(ibegin>=ipend&&naddr==0) return bret; DWORD Pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&Pid); TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(Pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)Pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } DWORD dwRead=0; int nindex=0; DWORD Finddata[MAX_PATH]={0}; int nconut=0;//返回 data的个数 TSGetDataValue(data,Finddata,nconut); int retstrlen=0; int count=0; if(ibegin>=0&&naddr==0) { if(ibegin<0x400000) ibegin=0x400000; DWORD nbegin[MAX_PATH*10]={0}; DWORD npend[MAX_PATH*10]={0}; int naddr=0; GetFindaddr(hprocess,(LPVOID)ibegin,(LPVOID)ipend,nbegin,npend,naddr); if(naddr==0) return bret; if(threadtype)//是否多线程模式 { DWORD ncpu=GetProcessNumber();//获取CPU个数,决定多线程的个数 HANDLE threadhandle[MAX_PATH]={0}; //双核以下CPU双线程 if(ncpu<=2) ncpu=2; else if(ncpu>=8) ncpu=8; FindDataInfo info; info.FindDataType=FINDDATATYPE_FINDDATAEX; info.hprocess=hprocess; memcpy(info.Finddata,Finddata,sizeof(DWORD)*nconut); info.FindIntType=nconut; info.retstr=retstr; info.dwncount=naddr; memcpy(info.dwbegin,nbegin,naddr*sizeof(DWORD)); memcpy(info.dwend,npend,naddr*sizeof(DWORD)); InitializeCriticalSection(&info.m_mutex); for(int i=0;i0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==Finddata[nindex]||Finddata[nindex]==256)// unknow=256;//标记??模糊查询 { if(nconut==(nindex+1)) //匹配成功 { if(count<=20000) //记录找到地址的上限为5000,防止溢出 { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",(ibegin+i)-nindex); else 
swprintf(inx,L"|%X",(ibegin+i)-nindex); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,(ibegin+i)-nindex); } count++; nindex=0; } nindex++; } else nindex=0; } } if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //byte buffData[4096]={0}; //while(ibegin0) // { // ::memset(buffData,4096,sizeof(byte)*4096); // if(ReadProcessMemory(hprocess,LPVOID(ibegin),&buffData,4096,&dwRead)) // { // for(int i=0;i10)//非法地址 return false; fistrfind=true; wcscpy(strend,&strs[i+1]); break; } else if(strs[i]=='|') { if(index>=(MAX_PATH*200)-1) return false; if(n<=10)//判断是否是非法地址 { addr_range[index]=wcstol(strbegin,0,16); index++; bret=true; } memset(strbegin,0,n); n=-1; m=i; } } if(fistrfind) { begin=wcstol(strbegin,0,16); end=wcstol(strend,0,16); bret=true; } else { addr_range[index]=wcstol(&strs[m+1],0,16); //拷贝最后一个地址 nconut=index+1; } return bret; } bool TSMemoryAPI::TSValueTypeToData(int type,wchar_t *retstr,double dvalue,float fvalue,int ivalue,wchar_t *svalue,int type1) { bool bret=false; if(type==0)//DoubleToData { BYTE bdouble[8]={0}; memcpy(bdouble,&dvalue,8); for(int i=0;i<8;i++) { if(i==0) { if(bdouble[i]<0x10) swprintf(retstr,L"0%x",bdouble[i]); else swprintf(retstr,L"%x",bdouble[i]); } else { if(bdouble[i]<0x10) swprintf(retstr,L"%s 0%x",retstr,bdouble[i]); else swprintf(retstr,L"%s %x",retstr,bdouble[i]); } } } else if(type==1) //FloatToData { BYTE bfolat[4]={0}; memcpy(bfolat,&fvalue,4); for(int i=0;i<4;i++) { if(i==0) { if(bfolat[i]<0x10) swprintf(retstr,L"0%x",bfolat[i]); else swprintf(retstr,L"%x",bfolat[i]); } else { if(bfolat[i]<0x10) swprintf(retstr,L"%s 0%x",retstr,bfolat[i]); else swprintf(retstr,L"%s %x",retstr,bfolat[i]); } } bret=true; } else if(type==2)//IntToData { //0: 4字节整形数 (一般都选这个) //1: 2字节整形数 //2: 1字节整形数 int n=0; BYTE bint[4]={0}; if(type1==0) { memcpy(bint,&ivalue,4); n=4; } else if(type1==1) { memcpy(bint,&ivalue,2); n=2; } else if(type1==2) { 
memcpy(bint,&ivalue,1); n=1; } if(n==0) return bret; for(int i=0;i0) { if(strs[i]=='>') { moduleindex=-1; } else if(strs[i+1]!='>') { module[moduleindex]=strs[i+1]; moduleindex++; } } if(strs[i]=='>'&&moduleindex==0) { longAdd=-1; return longAdd; } if(strs[i]=='[') nindex++;//记录指针个数 else if(((strs[i]=='+'||index>0)||(strs[i]=='-'||index>0)||moduleindex==0)) { if(strs[i]=='-')//记录-号的下标 subindex[noffset]=true; if(strs[i]==']') { index=0; noffset++; } else if(strs[i]!=']'&&(strs[i]=='+'||strs[i]=='-')) { offsetaddrstr[noffset][index]=strs[i+1]; index++; i++; } else if(strs[i]!=']') { offsetaddrstr[noffset][index]=strs[i]; index++; } } else if((noffset==nindex))//记录最后一个偏移地址 { if(strs[i]=='-')//记录-号的下标 subindex[noffset]=true; if(strs[i]=='+'||strs[i]=='-') { offsetaddrstr[noffset][index]=strs[i+1]; index++; } else if(index>0) { offsetaddrstr[noffset][index]=strs[i+1]; index++; } } } DWORD Baseaddr=0; if(moduleindex==-1)//说明有传入 { HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); MODULEENTRY32 modEntry; modEntry.dwSize = sizeof(MODULEENTRY32); Module32First(tlh, &modEntry); do { if(!wcsicmp(module, modEntry.szModule)) { Baseaddr=(DWORD)modEntry.modBaseAddr; DWORD handle=modEntry.th32ModuleID; break; } } while(Module32Next(tlh, &modEntry)); CloseHandle(tlh); if(Baseaddr==0) { longAdd=-1; return longAdd; } } if(nindex>0) //说明不是一级指针 { TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return longAdd; } for(int i=0;i0) readaddr=Baseaddr+offsetaddr[i]; else if(i==0) readaddr=offsetaddr[i]; else if(readaddr!=0) { if(subindex[i]) readaddr=longAdd-offsetaddr[i]; else 
readaddr=longAdd+offsetaddr[i]; } longAdd=0; if(my_ReadProcessMemory) my_ReadProcessMemory(hprocess,(void*)readaddr,&longAdd,sizeof(longAdd),long(0)); else ::ReadProcessMemory(hprocess,(void*)readaddr,&longAdd,sizeof(longAdd),long(0)); if(longAdd<=0)//说明读取错误地址 { longAdd=-1; return longAdd; } } offsetaddr[nindex]=wcstol(offsetaddrstr[nindex],0,16); if(subindex[nindex]) longAdd=longAdd-offsetaddr[nindex]; else longAdd=longAdd+offsetaddr[nindex]; CloseHandle(hprocess); } else if(moduleindex!=-1)//1367DBC longAdd=wcstol(strs,0,16); else if(moduleindex==-1) //+1367DBC { longAdd=wcstol(offsetaddrstr[0],0,16); longAdd=Baseaddr+longAdd; } return longAdd; } bool TSMemoryAPI::TSFindString(LONG hwnd,wchar_t * addr_range,wchar_t *retstr,wchar_t*string_value,LONG type,bool threadtype) { bool bret=false; LONG ibegin=0; LONG ipend=0; DWORD MaxAddrs[MAX_PATH*200]={0};//最大寻址的地址个数 int naddr=0; if(TSGetaddr_range(addr_range,ibegin,ipend,MaxAddrs,naddr)) { if(ibegin>=ipend&&naddr==0) return bret; DWORD Pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&Pid); TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(Pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)Pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } int retstrlen=0; DWORD dwRead=0; int count=0; int nindex=0; if(ibegin>=0&&naddr==0) { if(ibegin<0x400000) ibegin=0x400000; DWORD nbegin[MAX_PATH*10]={0}; DWORD npend[MAX_PATH*10]={0}; int naddr=0; GetFindaddr(hprocess,(LPVOID)ibegin,(LPVOID)ipend,nbegin,npend,naddr); if(naddr==0) return bret; if(threadtype)//是否多线程模式 { DWORD ncpu=GetProcessNumber();//获取CPU个数,决定多线程的个数 HANDLE threadhandle[MAX_PATH]={0}; 
//双核以下CPU双线程 if(ncpu<=2) ncpu=2; else if(ncpu>=8) ncpu=8; int len=wcslen(string_value); if(len>=MAX_PATH||len==0) return bret; FindDataInfo info; info.FindDataType=FINDDATATYPE_FINDSTRINGEX; info.hprocess=hprocess; wcscpy(info.Findstring,string_value); info.FindIntType=type; ////0:ASCCII编码查找 1:Unicode编码查找 info.retstr=retstr; info.dwncount=naddr; memcpy(info.dwbegin,nbegin,naddr*sizeof(DWORD)); memcpy(info.dwend,npend,naddr*sizeof(DWORD)); InitializeCriticalSection(&info.m_mutex); for(int i=0;iMAX_PATH||len==0) return bret; char chstr[MAX_PATH*2]={0}; strcpy(chstr,W2A(string_value)); len=strlen(chstr);; BYTE buffData[4096]={0}; for(int n=0;n0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==chstr[nindex]) { if(len==(nindex+1)) //匹配成功 { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",ibegin+(i-nindex)*2); else swprintf(inx,L"|%X",ibegin+(i-nindex)*2); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,ibegin+i-nindex); } bret=true; count++; nindex=0; } nindex++; } else nindex=0; } } if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //while(ibegin0) // { // memset(buffData,0,4096); // if(ReadProcessMemory(hprocess,(PVOID)ibegin,buffData,4096,&dwRead)) // { // for(int i=0;iMAX_PATH||len==0) return bret; //BYTE buffData[4096]={0}; for(int n=0;n0) { if(ReadProcessMemory(hprocess,LPVOID(ibegin),buffData,sizen,&dwRead)) { int i=0; for(;i<(int)dwRead;i++) { if(buffData[i]==string_value[nindex]) { if(len==(nindex+1)) //匹配成功 { if(count<=20000) { wchar_t inx[10]={0}; if(retstrlen==0) retstrlen=wcslen(retstr); if(retstrlen==0) swprintf(inx,L"%X",ibegin+(i-nindex)*2); else swprintf(inx,L"|%X",ibegin+(i-nindex)*2); wcscat(retstr,inx); //swprintf(retstr,L"%s|%X",retstr,ibegin+(i-nindex)*2); } bret=true; count++; nindex=0; } nindex++; } else nindex=0; } 
} if(npend[n]>=ibegin+4096) ibegin=ibegin+4096; else { sizen=npend[n]-ibegin; ibegin=ibegin+4096; ::memset(buffData,0,sizen); } } } } //while(ibegin0) // { // dwRead=0; // memset(buffData,0,2048*sizeof(wchar_t)); // if(ReadProcessMemory(hprocess,(PVOID)ibegin,buffData,2048*sizeof(wchar_t),&dwRead)) // { // for(int i=0;iMAX_PATH) return bret; char value[MAX_PATH*2]={0}; strcpy(value,W2A(string_value)); len=strlen(value); for(int i=0;iMAX_PATH) return bret; DWORD pid=0; //if(my_GetWindowThreadProcessId) // my_GetWindowThreadProcessId((HWND)hwnd,&Pid); //else My_GetWindowThreadProcessId((HWND)hwnd,&pid); DWORD findaddr=TSGetFindDataAddr(addr,pid); if(findaddr==-1) return bret; TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true); HANDLE hprocess=NULL; //if(my_OpenProcess) // hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid); //else // hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid); hprocess=My_OpenProcess(pid); if(hprocess==NULL) { if(my_ZwOpenProcess) { CLIENT_ID Cileid; Cileid.UniqueProcess=(HANDLE)pid; my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid); } if(hprocess==NULL) return bret; } BYTE finddata[MAX_PATH]={0}; DWORD dwread=0; if(my_ReadProcessMemory) my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,finddata,len,&dwread); else ::ReadProcessMemory(hprocess, (LPCVOID)findaddr,finddata,len,&dwread); if(dwread>0) { for(int i=0;i=0) swprintf(retstr,L"%s 0%X",retstr,finddata[i]); else { LONG val=finddata[i]-0xffffff00; swprintf(retstr,L"%s %X",retstr,val); } } else swprintf(retstr,L"%X",finddata[i]); bret=true; } else { if(finddata[i]<0x10) { if(finddata[i]>=0) swprintf(retstr,L"%s 0%X",retstr,finddata[i]); else { LONG val=finddata[i]-0xffffff00; swprintf(retstr,L"%s %X",retstr,val); } } else swprintf(retstr,L"%s %X",retstr,finddata[i]); bret=true; } } } CloseHandle(hprocess); return bret; } bool TSMemoryAPI::TSReadDouble(LONG hwnd,wchar_t*addr,double &dvalue,float &fvalue,int type) { bool bret=false; DWORD pid=0; 
// ---- continuation of TSMemoryAPI::TSReadDouble (its signature, `bret` and `pid` are on the preceding line) ----
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	// Locate the process owning hwnd, then resolve the textual address
	// expression against it (module-relative / pointer-chain syntax is
	// handled by TSGetFindDataAddr, which reports failure as -1).
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	DWORD findaddr=TSGetFindDataAddr(addr,pid);
	if(findaddr==-1)
		return bret;
	// The target is opened with PROCESS_ALL_ACCESS through the hand-built
	// ZwOpenProcess stub (My_OpenProcess); the plain OpenProcess path is
	// commented out. Only PROCESS_VM_READ is actually required for this read.
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// Only UniqueProcess is set; UniqueThread keeps whatever was on the
			// stack and should be zeroed. The third argument is `false` where the
			// native call takes an OBJECT_ATTRIBUTES pointer — TODO confirm the
			// myZwOpenProcess typedef.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwread=0;
	if(type==0)//type0:DOUBLE,1:FLOAT
	{
		double readdouble=0;
		// A redirected ReadProcessMemory pointer, when installed, takes precedence
		// over the Win32 import; the return value is ignored in both branches.
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,&readdouble,sizeof(double),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,&readdouble,sizeof(double),&dwread);
		dvalue=readdouble;
	}
	else if(type==1)
	{
		float readfloat=0;
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,&readfloat,sizeof(float),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,&readfloat,sizeof(float),&dwread);
		fvalue=readfloat;
	}
	CloseHandle(hprocess);
	// Success is judged only by the reported byte count; any other `type`
	// reads nothing, leaves both out-params untouched and returns false.
	if(dwread!=0)
		bret=true;
	return bret;
}

/// @brief Reads an integer of the requested width from the process owning hwnd.
/// @param hwnd   window handle used to locate the target process
/// @param addr   address expression, resolved by TSGetFindDataAddr (-1 = failure)
/// @param ivalue receives the value when type==0 (4 bytes)
/// @param svalue receives the value when type==1 (2 bytes)
/// @param bvalue receives the value when type==2 (1 byte)
/// @param type   width selector; only the matching out-parameter is written,
///               the other two are left untouched; any other value reads nothing
/// @return true when the read reported at least one byte
/// The process is opened with PROCESS_ALL_ACCESS although PROCESS_VM_READ is
/// all this function needs (least privilege).
bool TSMemoryAPI::TSReadInt(LONG hwnd,wchar_t*addr,int &ivalue,short &svalue,BYTE &bvalue,int type)
{
	bool bret=false;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	DWORD findaddr=TSGetFindDataAddr(addr,pid);
	if(findaddr==-1)
		return bret;
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized here as well; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
// ---- continuation of TSMemoryAPI::TSReadInt (the ZwOpenProcess fallback block is still open here) ----
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwread=0;
	// 0: 32-bit   1: 16-bit   2: 8-bit
	if(type==0)
	{
		int value=0;
		// A redirected ReadProcessMemory pointer, when installed, is preferred;
		// the return value is ignored and only `dwread` decides success.
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(int),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(int),&dwread);
		ivalue=value;
	}
	else if(type==1)
	{
		short value=0;
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(short),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(short),&dwread);
		svalue=value;
	}
	else if(type==2)
	{
		BYTE value=0;
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(BYTE),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,&value,sizeof(BYTE),&dwread);
		bvalue=value;
	}
	CloseHandle(hprocess);
	if(dwread!=0)
		bret=true;
	return bret;
}

/// @brief Reads a string from the process owning hwnd into retstr.
/// @param hwnd   window handle used to locate the target process
/// @param addr   address expression, resolved by TSGetFindDataAddr (-1 = failure)
/// @param retstr caller-supplied output buffer; its capacity is never checked
///               (plain wcscpy), so it must hold at least MAX_PATH wide chars
///               plus the terminator
/// @param len    number of units to read (bytes for type 0, wide chars for
///               type 1); rejected when > MAX_PATH, but a negative value is
///               not rejected and is passed straight to the read
/// @param type   0: ANSI bytes converted with A2W ("GBK" per the original
///               comment — A2W uses the process ANSI code page), 1: UTF-16 read as-is
/// @return true when the read reported at least one byte
/// NOTE(review): both local buffers are exactly MAX_PATH units long and only
/// zero-initialised; a read of the full MAX_PATH that contains no terminator
/// leaves them unterminated, and A2W/wcscpy then run past the buffer. Reserve
/// one slot for NUL (reject len >= MAX_PATH) before relying on this.
bool TSMemoryAPI::TSReadString(LONG hwnd,wchar_t*addr,wchar_t *retstr,LONG len,int type)
{
	bool bret=false;
	if(len>MAX_PATH)
		return bret;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	DWORD findaddr=TSGetFindDataAddr(addr,pid);
	if(findaddr==-1)
		return bret;
	// Opened with PROCESS_ALL_ACCESS through the hand-built ZwOpenProcess stub;
	// PROCESS_VM_READ would suffice for this function.
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwread=0;
	// 0: GBK string   1: Unicode string
	if(type==0)
	{
		char strvalue[MAX_PATH]={0};
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,strvalue,len,&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,strvalue,len,&dwread);
		USES_CONVERSION;
// ---- continuation of TSMemoryAPI::TSReadString (the type==0 branch is still open here) ----
		// A2W result is copied without a length check; strvalue may lack a NUL
		// when exactly MAX_PATH bytes were read.
		wcscpy(retstr,A2W(strvalue));
	}
	else if(type==1)
	{
		wchar_t wstrvlue[MAX_PATH]={0};
		if(my_ReadProcessMemory)
			my_ReadProcessMemory(hprocess, (LPCVOID)findaddr,wstrvlue,len*sizeof(wchar_t),&dwread);
		else
			::ReadProcessMemory(hprocess, (LPCVOID)findaddr,wstrvlue,len*sizeof(wchar_t),&dwread);
		wcscpy(retstr,wstrvlue);
	}
	CloseHandle(hprocess);
	// Any other `type` reads nothing and therefore returns false.
	if(dwread!=0)
		bret=true;
	return bret;
}

/// @brief Terminates the process with the given pid (exit code 0).
/// @param pid process id (not a window handle, unlike the other wrappers)
/// @return the TerminateProcess result; false if the process could not be opened
/// Opened with PROCESS_ALL_ACCESS through the hand-built ZwOpenProcess stub
/// although PROCESS_TERMINATE is all that is needed. A redirected
/// TerminateProcess pointer, when installed, is preferred over the import.
bool TSMemoryAPI::TSTerminateProcess(LONG pid)
{
	bool bret=false;
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	if(my_TerminateProcess)
		bret=my_TerminateProcess(hprocess,0);
	else
		bret=::TerminateProcess(hprocess,0);
	CloseHandle(hprocess);
	return bret;
}

/// @brief Commits executable memory in the process owning hwnd.
/// @param hwnd window handle used to locate the target process
/// @param addr in: preferred base address (0 lets the system choose);
///             out: the address VirtualAllocEx returned, or 0 on failure
/// @param size number of bytes to commit
/// @param type 0: PAGE_EXECUTE_READWRITE; anything else: PAGE_EXECUTE_READ
/// @return always false — `bret` is never assigned in this function; callers
///         must test the out-parameter `addr` instead
/// Only MEM_COMMIT is passed: with a non-zero `addr` that succeeds only if the
/// range is already reserved (MEM_RESERVE would be needed otherwise) — TODO
/// confirm this is intended. Committing executable, and especially RWX,
/// memory in a foreign process is a well-known process-injection indicator.
bool TSMemoryAPI::TSVirtualAllocEx(LONG hwnd,LONG &addr,LONG size,LONG type)
{
	bool bret=false;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwtype=0;
	if(type==0)// readable, writable, executable
	{
		dwtype=PAGE_EXECUTE_READWRITE;
	}
	else// 1: readable and executable, not writable
	{
		dwtype=PAGE_EXECUTE_READ;
	}
	LPVOID retaddr=NULL;
	if(dwtype!=0)   // always true: both branches above assign a non-zero protection
		retaddr=::VirtualAllocEx(hprocess,(void*)addr,size,MEM_COMMIT,dwtype);
	CloseHandle(hprocess);
	addr=(DWORD)retaddr;
	return
// ---- end of TSMemoryAPI::TSVirtualAllocEx (the `return` keyword is on the preceding line) ----
	bret;
}

/// @brief Releases a region previously allocated in the process owning hwnd.
/// @param hwnd window handle used to locate the target process
/// @param addr base address of the region; dwSize 0 with MEM_RELEASE frees the
///             whole allocation
/// @return the VirtualFreeEx result; false if the process could not be opened
bool TSMemoryAPI::TSVirtualFreeEx(LONG hwnd,LONG addr)
{
	bool bret=false;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	bret=::VirtualFreeEx(hprocess,(void*)addr,0,MEM_RELEASE);
	CloseHandle(hprocess);
	return bret;
}

/// @brief Writes a byte list given as text to an address in the process owning hwnd.
/// @param hwnd window handle used to locate the target process
/// @param addr address expression, resolved by TSGetFindDataAddr (-1 = failure)
/// @param data byte list parsed by TSGetDataValue — presumably the
///             space-separated hex form that TSValueTypeToData produces; verify
/// NOTE(review): the early `return bret` after TSGetDataValue leaks `hprocess`.
/// The text of this function from its byte loop onwards, together with the
/// signature of the following TSWriteString (whose `strvalue` and `len`
/// parameters are used on the next line), was lost when the file was
/// extracted; the fused fragment `for(int i=0;iMAX_PATH) return bret;` below is
/// the seam and is reproduced exactly as found.
bool TSMemoryAPI::TSWriteData(LONG hwnd,wchar_t * addr,wchar_t *data)
{
	bool bret=false;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	DWORD findaddr=TSGetFindDataAddr(addr,pid);
	if(findaddr==-1)
		return bret;
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwwrite=0;
	DWORD Finddata[MAX_PATH]={0};
	int nconut=0;// number of data items parsed out of `data`
	TSGetDataValue(data,Finddata,nconut);
	if(nconut<=0)
		return bret;   // hprocess is not closed on this path
	BYTE strvalue[MAX_PATH*10]={0};
	/* extraction seam: remainder of TSWriteData and the TSWriteString signature are missing */
	for(int i=0;iMAX_PATH) return bret;
	DWORD pid=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&pid);
	DWORD findaddr=TSGetFindDataAddr(addr,pid);
	if(findaddr==-1)
		return bret;
// ---- continuation of TSMemoryAPI::TSWriteString (its signature was lost in extraction;
//      from the uses below `strvalue` is a wide string and `len` a length capped at MAX_PATH) ----
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(pid);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)pid;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	DWORD dwwrite=0;
	DWORD dwback;
	// Page protection is forced to RWX over `len` bytes before the write. The
	// return value is ignored, so if this call fails `dwback` stays
	// uninitialized and the restore below applies garbage. A remote
	// VirtualProtectEx-to-RWX followed by WriteProcessMemory is a well-known
	// process-injection indicator.
	if(my_VirtualProtectEx)
		my_VirtualProtectEx(hprocess,(void*)findaddr, len, PAGE_EXECUTE_READWRITE, &dwback);
	else
		::VirtualProtectEx(hprocess,(void*)findaddr, len, PAGE_EXECUTE_READWRITE, &dwback);
	if(type==0)// ASCII string
	{
		USES_CONVERSION;
		char strchar[MAX_PATH*2]={0};
		strcpy(strchar,W2A(strvalue));
		int len=strlen(strchar);   // shadows the outer `len`; the protection calls still use the outer one
		// NOTE(review): the guard tests my_ReadProcessMemory but calls
		// my_WriteProcessMemory — if only the read pointer is installed this
		// calls through NULL. `bret` is not set in this branch either.
		if(my_ReadProcessMemory)
			my_WriteProcessMemory(hprocess, (void*)findaddr,strchar,len,&dwwrite);
		else
			::WriteProcessMemory(hprocess, (void*)findaddr,strchar,len,&dwwrite);
	}
	else if(type==1)
	{
		// Same guard mismatch as above. `len` is passed as a byte count, so only
		// len/2 wide characters of strvalue are written — TODO confirm intended.
		if(my_ReadProcessMemory)
			bret= my_WriteProcessMemory(hprocess, (void*)findaddr,strvalue,len,&dwwrite);
		else
			bret= ::WriteProcessMemory(hprocess, (void*)findaddr,strvalue,len,&dwwrite);
	}
	// The restore result overwrites `bret`, so the return value reports whether
	// the protection was restored, not whether the write succeeded.
	if(my_VirtualProtectEx)
		bret=my_VirtualProtectEx(hprocess,(void*)findaddr, len, dwback, &dwback);
	else
		bret= ::VirtualProtectEx(hprocess,(void*)findaddr, len, dwback, &dwback);
	CloseHandle(hprocess);
	return bret;
}

/// @brief Walks the address space of hprocess with VirtualQueryEx and returns
///        the runs of MEM_IMAGE / MEM_PRIVATE regions as [ibegin[i], ipend[i]) pairs.
/// @param hprocess process to query
/// @param lpbegin  lower bound; 0 = AllocationBase of the first matching region
/// @param lpend    upper bound; 0 = lpMaximumApplicationAddress
/// @param ibegin   caller-owned array of pair starts (callers pass MAX_PATH*10 entries);
///                 no bound is ever checked against `index` or `ncount`
/// @param ipend    caller-owned array of pair ends, same size as ibegin
/// @param ncount   receives the number of pairs written
/// @return true once at least one pair has been closed
/// NOTE(review): `mbi` is inspected before `rett` is checked, so the iteration
/// in which VirtualQueryEx fails still runs the body on stale data (on a
/// first-call failure, on an uninitialized struct). `ibegin!=0` in the else
/// branch tests the array pointer, not a value, and is effectively always true.
bool TSMemoryAPI::GetFindaddr(HANDLE hprocess,PVOID lpbegin,PVOID lpend,DWORD *ibegin,DWORD *ipend,int &ncount)
{
	bool bret=false;
	int index=0;
	SYSTEM_INFO si_info;
	MEMORY_BASIC_INFORMATION mbi;
	DWORD rett;
	GetSystemInfo(&si_info);
	DWORD len = sizeof(MEMORY_BASIC_INFORMATION);
	PVOID addr = si_info.lpMinimumApplicationAddress;
	bool bfind=false;
	do
	{
		rett =VirtualQueryEx(hprocess,addr,&mbi,len);
		if(mbi.Type==MEM_IMAGE||mbi.Type==MEM_PRIVATE) // found a block
		{
			//MessageBox(0,L"found a block",0,0);
			// The first matching region opens a pair; lpbegin/lpend then keep
			// their values and are re-stored at the same index on every later
			// matching region until a non-matching one closes the pair.
			if(lpbegin==0)
				lpbegin=LPVOID(mbi.AllocationBase);
			else if(bfind==false)
				lpbegin=addr;
			if(lpend==0)
			{
// ---- continuation of TSMemoryAPI::GetFindaddr (inside the do/while; `if(lpend==0) {` is still open) ----
				lpend=si_info.lpMaximumApplicationAddress;
			}
			ibegin[index]=int(lpbegin);
			ipend[index]=int(lpend);
			bfind=true;
			//break;
		}
		else
		{
			if(ibegin!=0&&bfind==true)
			{
				// Closes the pair at the END of this non-matching region, so that
				// region is included in the pair — BaseAddress looks like the
				// intended bound; verify against the callers' scan loops.
				ipend[index]=(DWORD)mbi.BaseAddress + mbi.RegionSize;
				bfind=false;
				index++;
				bret=true;
			}
		}
		addr= ((PBYTE)mbi.BaseAddress + mbi.RegionSize);
	}while(rett==len);
	ncount=index;
	// Split every pair larger than 0xF00000 bytes into 0xF00000-byte chunks;
	// the extra chunks are appended at the end of the arrays and `ncount`
	// grows without any check against the caller's array size.
	// NOTE(review): the loop header below lost text in extraction (the fused
	// fragment `for(int i=0;i0xF00000)`); it is reproduced exactly as found.
	for(int i=0;i0xF00000)
	{
		DWORD end=ipend[i];
		ipend[i]=ibegin[i]+0xF00000;
		DWORD iend=ipend[i];
		while((end-(DWORD)iend)>0xF00000)
		{
			ibegin[ncount]=iend;
			ipend[ncount]=ibegin[ncount]+0xF00000;
			ncount++;
			iend=iend+0xF00000;
		}
		ibegin[ncount]=iend;
		ipend[ncount]=end;
		ncount++;
	}
	}
	return bret;
}

/// @brief Reads the command line of the process owning hwnd from its PEB
///        (ProcessParameters->CommandLine) into retstr.
/// @param hwnd   window handle used to locate the target process
/// @param retstr caller-supplied buffer; capacity is not checked (plain wcscpy)
/// @return true when the HeapAlloc succeeded — the reads themselves are not checked
/// NOTE(review): none of the NtQueryInformationProcess / ReadProcessMemory /
/// HeapAlloc results are checked, so a failed query leaves `pbis`, `pebs` or
/// `ppms` uninitialized and the following reads use garbage addresses.
/// `hprocess` is never closed (the function ends with HeapFree + return on the
/// next line), and that HeapFree passes HEAP_NO_SERIALIZE on the process heap,
/// which is unsafe in a multithreaded process. The buffer holds MaximumLength
/// zeroed bytes and Length bytes are read, so a wide NUL is present only while
/// MaximumLength exceeds Length by at least 2 — TODO confirm before relying on wcscpy.
bool TSMemoryAPI::TSGetCmdLine(LONG hwnd,wchar_t *retstr)
{
	bool bret=false;
	DWORD dwPID=0;
	//if(my_GetWindowThreadProcessId)
	//	my_GetWindowThreadProcessId((HWND)hwnd,&Pid);
	//else
	My_GetWindowThreadProcessId((HWND)hwnd,&dwPID);
	// Opened with PROCESS_ALL_ACCESS through the hand-built ZwOpenProcess stub;
	// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ would suffice here.
	TSRuntime::EnablePrivilege(L"SeDebugPrivilege",true);
	HANDLE hprocess=NULL;
	//if(my_OpenProcess)
	//	hprocess=my_OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	//else
	//	hprocess=::OpenProcess(PROCESS_ALL_ACCESS,false,Pid);
	hprocess=My_OpenProcess(dwPID);
	if(hprocess==NULL)
	{
		if(my_ZwOpenProcess)
		{
			// UniqueThread is left uninitialized; it should be zeroed.
			CLIENT_ID Cileid;
			Cileid.UniqueProcess=(HANDLE)dwPID;
			my_ZwOpenProcess(&hprocess,PROCESS_ALL_ACCESS,false,&Cileid);
		}
		if(hprocess==NULL)
			return bret;
	}
	// File-scope function pointer, re-resolved on every call. Information
	// class 0 is ProcessBasicInformation, which yields PebBaseAddress.
	NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(GetModuleHandle(L"ntdll"),"NtQueryInformationProcess");
	PROCESS_BASIC_INFORMATION pbis;
	PEB pebs;
	PROCESS_PARAMETERS ppms;
	TCHAR *text = 0;
	NtQueryInformationProcess(hprocess, 0, &pbis, sizeof(PROCESS_BASIC_INFORMATION),0);
	ReadProcessMemory(hprocess, pbis.PebBaseAddress, &pebs, sizeof(PEB), 0);
	ReadProcessMemory(hprocess, pebs.ProcessParameters, &ppms, sizeof(PROCESS_PARAMETERS), 0);
	// If HeapAlloc returns NULL the next read is issued with a NULL buffer and
	// simply fails; `text` is only tested afterwards.
	text = (TCHAR *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ppms.CommandLine.MaximumLength);
	ReadProcessMemory(hprocess, ppms.CommandLine.Buffer, text, ppms.CommandLine.Length, 0);
	if(text)
	{
		wcscpy(retstr,text);
		bret=true;
	}
::HeapFree(GetProcessHeap(),HEAP_NO_SERIALIZE,text); return bret; } bool TSMemoryAPI::TSAsmAdd(wchar_t*asm_ins) { bool bret=false; char asmcode[MAX_PATH]={0}; USES_CONVERSION; strcpy(asmcode,W2A(asm_ins)); char erro[MAX_PATH]={0}; int len=-1; char *charcall=strstr(::CharLowerA(asmcode),"call"); if(charcall!=NULL)//判断是否是Call指令,记住Call地址 { if(strlen(Asmcalladdr)==0) strcpy(Asmcalladdr,charcall); return true; } else len= tsasm.Assemble(asmcode,NULL,&am,0,0,erro); //将汇编指令转为机器码 if(len<0) return bret; else bret=true; for(int i=0;i=0x10) sprintf(asmcodes,"%X",am.code[i]); else sprintf(asmcodes,"0%X",am.code[i]); if(am.code[i]!=0) asmcodearry=asmcodearry+asmcodes;//这里做拼接 else { int serlen=asmcodearry.length(); serlen=serlen+1; asmcodearry.resize(serlen); } } //int charlen=strlen(asmcode); //int serlen=asmcodearry.length(); //if(charlen0) { LONG val=::strtol(&asmcodearry.c_str()[i],0,16); if(val>=0x10) { if(val<=0xff) { if(retstrlen==0) retstrlen=strlen(retstring); if(retstrlen==0) sprintf(retstring,"%s",&asmcodearry.c_str()[i]); else sprintf(retstring,"%s %s",retstring,&asmcodearry.c_str()[i]); } else { int len=strlen(&asmcodearry.c_str()[i]); char str[16]={0}; strcpy(str,&asmcodearry.c_str()[i]); for(int n=0;n=0x10) sprintf(retstring,"%X",strn); else sprintf(retstring,"0%X",strn); } else { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } } else { if(len%2==0) { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } else { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } } } } } else sprintf(retstring,"%s 0%s",retstring,&asmcodearry.c_str()[i]); i=i+stringlen-1; } else sprintf(retstring,"%s 00",retstring); } } } DWORD datas[MAX_PATH*10]={0}; int count=0; int lenth=0; if(strlen(retstring)>0) { DWORD data[10]={0}; int len=GetCallstartData((DWORD)allocatememory,data); for (int i=0;i0) { 
memcpy(&helpByte[count+lenth],am.code,calllen); calllen=calllen+count+lenth; if(count!=0) { BYTE CallendData[]={0x8b,0x1c,0x24,0x64,0x89,0x1d,0x0,0x0,0x0,0x0,0x81,0xc4,0x08,0x0,0x0,0x0,0xc2,0x04,0x0}; //CallendData存储的机器码对应汇编指令 //mov ebx,dword ptr ss:[esp] //mov dword ptr fs:[0],ebx //add esp,0x8 //retn 0x4; memcpy(&helpByte[calllen],CallendData,sizeof(CallendData)); calllen=calllen+sizeof(CallendData)+1; } if(my_WriteProcessMemory) bret=my_WriteProcessMemory(hprocess, (void*)allocatememory,(void*)helpByte,calllen,0); else bret=::WriteProcessMemory(hprocess, (void*)allocatememory,(void*)helpByte,calllen,0); HANDLE hthread=NULL; ////判断是否DX绑定窗口 //char pszMapName[MAX_PATH]={0}; //DWORD Pid=0; //My_GetWindowThreadProcessId((HWND)hwnd,&Pid); //sprintf( pszMapName,"%s%d",TS_MAPVIEW_NAME,Pid); //HANDLE hFileMap = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, pszMapName); //////如果hFileMap句柄不为空说明DLL绑定注入 //if(hFileMap!=NULL) //说明已经DX绑定 // hthread=(HANDLE)::SendMessage((HWND)hwnd,TS_ASMCALL,(WPARAM)allocatememory,0); //else hthread=::CreateRemoteThread(hprocess,NULL,0,(LPTHREAD_START_ROUTINE)(allocatememory),0,0,&treadid); //CloseHandle(hFileMap); if(hthread!=NULL) bret=true; DWORD ExitCode=0; //Sleep(50);//等待50毫秒,等待线程执行完毕 ::GetExitCodeThread(hthread,&ExitCode); if(ExitCode!=STILL_ACTIVE)//判断线程是否退出 if(allocatememory) { ::VirtualFreeEx(hprocess,allocatememory,0,MEM_RELEASE); allocatememory=NULL; } } } asmcodearry.clear(); memset(Asmcalladdr,0,MAX_PATH); return bret; } bool TSMemoryAPI::TSAsmClear() { asmcodearry.clear(); memset(Asmcalladdr,0,MAX_PATH); return true; } bool TSMemoryAPI::TSAsmCode(LONG base_addr,wchar_t *retstr) { bool bret=false; int len=asmcodearry.length(); char retstring[MAX_PATH*10]={0}; int retstrlen=0; for(int i=0;i0) { LONG val=::strtol(&asmcodearry.c_str()[i],0,16); if(val>=0x10) { if(val<=0xff) { if(retstrlen==0) retstrlen=strlen(retstring); if(retstrlen==0) sprintf(retstring,"%s",&asmcodearry.c_str()[i]); else sprintf(retstring,"%s 
%s",retstring,&asmcodearry.c_str()[i]); } else { int len=strlen(&asmcodearry.c_str()[i]); char str[MAX_PATH]={0}; strcpy(str,&asmcodearry.c_str()[i]); for(int n=0;n=0x10) sprintf(retstring,"%X",strn); else sprintf(retstring,"0%X",strn); } else { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } } else { if(len%2==0) { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } else { if(strn>=0x10) sprintf(retstring,"%s %X",retstring,strn); else sprintf(retstring,"%s 0%X",retstring,strn); } } } } } else sprintf(retstring,"%s 0%s",retstring,&asmcodearry.c_str()[i]); i=i+stringlen-1; } else sprintf(retstring,"%s 00",retstring); } bret=true; } if(strlen(Asmcalladdr)!=0) { char erro[MAX_PATH]={0}; int calllen=tsasm.Assemble(Asmcalladdr,base_addr,&am,0,0,erro); //将汇编指令转为机器码 for(int i=0;i=0) if(am.code[i]>=0x10) sprintf(retstring,"%X",am.code[i]); else sprintf(retstring,"%s 0%X",retstring,am.code[i]); else { LONG val=am.code[i]-0xffffff00; if(val>=0x10) sprintf(retstring,"%s %X",retstring,val); else sprintf(retstring,"%s 0%X",retstring,val); } } else { if(am.code[i]>=0) if(am.code[i]>=0x10) sprintf(retstring,"%s %X",retstring,am.code[i]); else sprintf(retstring,"%s 0%X",retstring,am.code[i]); else { LONG val=am.code[i]-0xffffff00; if(val>=0x10) sprintf(retstring,"%s %X",retstring,val); else sprintf(retstring,"%s 0%X",retstring,val); } }; bret=true; } } USES_CONVERSION; wcscpy(retstr,A2W(retstring)); return bret; } bool TSMemoryAPI::TSAssemble(wchar_t * asm_code,LONG base_addr,LONG is_upper,wchar_t *retstr) { bool bret=false; if(wcslen(asm_code)<=0) return bret; CMgDisasmBase::t_disasm da; tsdsm.m_nIDEAL=0; tsdsm.m_nLowercase=is_upper; tsdsm.m_nPutDefSeg=0; DWORD datas[MAX_PATH*10]={0}; int count=0; TSGetDataValue(asm_code,datas,count); if(count<=0) return bret; BYTE helpByte[MAX_PATH*10] = {0}; for (int i=0;i