Delphi内存读取修改(2)

时间：2011/9/3 15:20:59 点击：

这里用到
1：CreateToolhelp32Snapshot()创建系统快照句柄（hSnapShot是我们声明用来保存
创建的快照句柄）
2：Process32First、Process32Next是用来枚举进程
{=============================================}
{=============内存查找=========================}
{=============================================}
function TReadMemoryFrm.StartSearch: Boolean;
var
ProcHandle:Integer;
begin
Result:=False;
ReadMemoryProgress.Position:=0;
if Not CheckInput then Exit;

if FileName=TabSheet1.Caption then //-------------搜索次数>1次
begin
PParameter.FirstSearch:=False;
PParameter.Data:=StrToInt(EdtSearchData.Text);
end else
begin //------------------------------第一次搜索
PParameter.FirstSearch:=True;
if PParameter.ProcessHandle>0 then
CloseHandle(PParameter.ProcessHandle);
ProcHandle:=OpenProcess(PROCESS_ALL_ACCESS,false,StrToInt(EdtProcID.Text));
if ProcHandle>0 then
begin
PParameter.Data:=StrToInt(EdtSearchData.Text);
Case DataType.ItemIndex of
0:PParameter.DataType:=1;
1:PParameter.DataType:=2;
2:PParameter.DataType:=4;
end;
end else Exit;
FileName:=TabSheet1.Caption;
PParameter.ProcessHandle:=ProcHandle;
end;

SearchButton.Enabled:=False;
ToolSearchMemory.Enabled:=False;
MemoryAddrList.Clear;
PReadMemory.StartSearch;
Result:=True;
end;

1:
HANDLE OpenProcess(
DWORD dwDesiredAccess, // 希望获得的访问权限
BOOL bInheritHandle, // 指明是否希望所获得的句柄可以继承
DWORD dwProcessId // 要访问的进程ID
);

分析内存块
//----------------------------------------------------分析内存块
function TReadMemoryThread.GetMemoryRegion: Boolean;
var
TempStartAddress : DWord;
TempEndAddress : DWord;
I,J,k : Integer;
NewMemoryRegions : array [0..40000] of TmemoryRegion;
begin
Result:=False;
MemoryRegionsIndex := 0;
TempStartAddress := 1*1024*1024;
TempEndAddress := 2*1024*1024;
TempEndAddress := TempEndAddress*1024;
While (VirtualQueryEx(PParameter.ProcessHandle,
pointer(TempStartAddress),
MBI,
sizeof(MBI))>0) and (TempStartAddress<TempEndAddress) do
begin
if (MBI.State=MEM_COMMIT) then
begin
if (MBI.Protect=PAGE_READWRITE) or
(MBI.Protect=PAGE_WRITECOPY) or
(MBI.Protect=PAGE_EXECUTE_READWRITE) or
(MBI.Protect=PAGE_EXECUTE_WRITECOPY)
then
begin
PMemoryRegion[MemoryRegionsIndex].BaseAddress:=Dword(MBI.BaseAddress);
PMemoryRegion[MemoryRegionsIndex].MemorySize:=MBI.RegionSize;
Inc(MemoryRegionsIndex);
end;
end;
TempStartAddress:=Dword(MBI.BaseAddress)+MBI.RegionSize;
end;
if MemoryRegionsIndex=0 then Exit;
//---------------------------------------------判断内存块是否过大
J:=0;
for i:=0 to MemoryRegionsIndex-1 do
begin
if PMemoryRegion[i].MemorySize>$FFFF then
begin
for K:=0 to PMemoryRegion[i].MemorySize div $FFFF do
begin
if K=PMemoryRegion[i].MemorySize div $FFFF+1 then
begin
NewMemoryRegions[j].BaseAddress:=PMemoryRegion[i].BaseAddress+K*$FFFF;
NewMemoryRegions[j].MemorySize:=PMemoryRegion[i].MemorySize Mod $FFFF;
end else
begin
NewMemoryRegions[j].BaseAddress:=PMemoryRegion[i].BaseAddress+K*$FFFF;
NewMemoryRegions[j].MemorySize:=$FFFF;
end;
Inc(J);
end;
end else
begin
NewMemoryRegions[j].BaseAddress:=PMemoryRegion[i].BaseAddress;
NewMemoryRegions[j].MemorySize:=PMemoryRegion[i].MemorySize;
Inc(J);
end;
end;
//---------------------------------------------------数据转换
MemoryRegionsIndex:=j;
for i:=0 to MemoryRegionsIndex-1 do
begin
PMemoryRegion[i].MemorySize:=NewMemoryRegions[i].MemorySize;
PMemoryRegion[i].BaseAddress:=NewMemoryRegions[i].BaseAddress;
end;
Result:=True;
end;
1：查找的内存大小
TempStartAddress := 1*1024*1024;
TempEndAddress := 2*1024*1024;
TempEndAddress := TempEndAddress*1024;

2：VirtualQueryEx :查询地址空间中内存地址的信息。
参数:
hProcess 进程句柄。
LpAddress 查询内存的地址。
LpBuffer 指向MEMORY_BASIC_INFORMATION结构的指针，用于接收内存信息。
DwLength MEMORY_BASIC_INFORMATION结构的大小。