windows-遍历另一进程内存根据进程PID
优秀文章: https://blog.csdn.net/Simon798/article/details/101431160
#include <windows.h>
//OpenProcess 打开其他用户的进程或受保护进程时需要令牌里启用 SeDebugPrivilege; 网上抠出来的代码常常没有提权, 所以 OpenProcess 直接返回 NULL. 另外 VirtualQueryEx 只需要 PROCESS_QUERY_INFORMATION, 不必申请 PROCESS_ALL_ACCESS.
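// Walks the user-mode address space of the process identified by dwPid with
// VirtualQueryEx and visits every committed, read/write, private region.
//
// Parameters:
//   dwPid - target process id. 0 (Idle) and 4 (System) are rejected up front.
// Returns:
//   TRUE once at least one region was queried and the walk reached the end of
//   the address range (or a query failed after that); FALSE if the pid was
//   rejected, the process could not be opened, or the very first query failed.
//
// Security notes:
//   - VirtualQueryEx only needs PROCESS_QUERY_INFORMATION. The original asked
//     for PROCESS_ALL_ACCESS, far more than the walk needs (least privilege).
//   - Opening processes of other users or protected processes typically
//     requires SeDebugPrivilege to be enabled in the caller's token.
//   - The original leaked both the process handle and a `new`ed
//     MEMORY_BASIC_INFORMATION on every path; both are fixed here.
BOOL iteratorMemory(DWORD dwPid)
{
    if (dwPid == 0 || dwPid == 4)
        return FALSE;

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (hProcess == NULL)
        return FALSE;

    // Upper bound of the user-mode address range. The original loop condition
    // `i < i + RegionSize` was always true, so it only ended on a failed query.
    SYSTEM_INFO si = {};
    GetSystemInfo(&si);
    const ULONG_PTR maxAddr = reinterpret_cast<ULONG_PTR>(si.lpMaximumApplicationAddress);

    MEMORY_BASIC_INFORMATION mbi = {};
    BOOL walked = FALSE;
    ULONG_PTR addr = 0;
    while (addr < maxAddr)
    {
        if (VirtualQueryEx(hProcess, reinterpret_cast<LPCVOID>(addr), &mbi, sizeof(mbi)) == 0)
            break;
        walked = TRUE;

        // Step from the region's reported base, not from `addr`, so a query
        // that lands inside a region still advances to the next one.
        const ULONG_PTR next = reinterpret_cast<ULONG_PTR>(mbi.BaseAddress) + mbi.RegionSize;
        if (next <= addr)
            break;   // defensive: never spin on a non-advancing result
        addr = next;

        // Only committed, read/write, private regions are of interest here;
        // everything else (free/reserved, read-only, images, mapped files) is skipped.
        if (mbi.State != MEM_COMMIT)
            continue;
        if (mbi.Protect != PAGE_READWRITE)
            continue;
        if (mbi.Type != MEM_PRIVATE)
            continue;
        // Matching region found. The original did nothing with it either;
        // per-region processing (e.g. ReadProcessMemory) belongs here.
    }

    CloseHandle(hProcess);
    return walked;
}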
原理:
原理主要是使用 ** VirtualQueryEx ** 函数. 每次调用查询一个地址所在的内存区域, 并把区域信息写入一个 ** MEMORY_BASIC_INFORMATION ** 结构体 (** PMEMORY_BASIC_INFORMATION ** 是它的指针类型). 用 BaseAddress + RegionSize 作为下一次查询的地址, 直到 lpMaximumApplicationAddress, 即可遍历整个用户态地址空间.
注意: VirtualQueryEx 只要求对目标进程持有 PROCESS_QUERY_INFORMATION 权限; 只有打开其他用户的进程或受保护进程时才需要 SeDebugPrivilege, 且 AdjustTokenPrivileges 返回 TRUE 并不代表特权真的启用了, 必须再检查 GetLastError() 是否为 ERROR_NOT_ALL_ASSIGNED.
常见完整代码
#include <Windows.h>
#include <Tlhelp32.h>
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cwctype>
#include <string>
#define _SHOWLOG
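// Prints every region VirtualQueryEx reports in hProcess's user-mode address
// space: base address, end address and size (all hexadecimal).
//
// Parameters:
//   hProcess - handle with at least PROCESS_QUERY_INFORMATION. The caller owns
//              the handle and is responsible for closing it.
// Returns:
//   FALSE if hProcess is NULL, otherwise TRUE (a failed query simply ends the walk).
//
// Fixes over the original: the loop index, the maximum address and the printed
// end address were all DWORD / %x, which truncate on x64; the walk now uses
// ULONG_PTR and pointer-width format specifiers.
BOOL EnumAllMemory(HANDLE hProcess)
{
    if (NULL == hProcess)
        return FALSE;

    SYSTEM_INFO sysInfo = { 0 };
    GetSystemInfo(&sysInfo);
    const ULONG_PTR maxAddr = reinterpret_cast<ULONG_PTR>(sysInfo.lpMaximumApplicationAddress);

    MEMORY_BASIC_INFORMATION memInfo = { 0 };
    ULONG_PTR addr = 0;
    while (addr < maxAddr)
    {
        if (0 == VirtualQueryEx(hProcess, reinterpret_cast<LPCVOID>(addr), &memInfo, sizeof(memInfo)))
            break;

        const ULONG_PTR base = reinterpret_cast<ULONG_PTR>(memInfo.BaseAddress);
        const ULONG_PTR end = base + memInfo.RegionSize;

        // Advance before any filter so an enabled `continue` below can never
        // leave `addr` unchanged and spin forever.
        if (end <= addr)
            break;
        addr = end;

        // Optional filters carried over from the original, still disabled;
        // enable whichever restriction the listing should apply.
        // if (memInfo.State != MEM_COMMIT) continue;
        // if (memInfo.Type != MEM_PRIVATE) continue;
        // if (memInfo.Protect != PAGE_READWRITE) continue;
        // if (memInfo.AllocationProtect != PAGE_READWRITE) continue;
        // if (memInfo.RegionSize < 0x100000) continue;

        printf("地址=%p endaddr = %p 大小=%zx\r\n",
               memInfo.BaseAddress,
               reinterpret_cast<void*>(end),
               static_cast<size_t>(memInfo.RegionSize));
    }
    return TRUE;
}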
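// Looks up a process id by executable name using a Toolhelp snapshot.
//
// Parameters:
//   ProcessName - name to search for. The comparison is case-insensitive and
//                 is a SUBSTRING match (kept from the original): "xx.exe" also
//                 matches "fooxx.exe". Callers needing an exact match should
//                 compare the lower-cased names for equality instead.
// Returns:
//   The id of the first matching process, or 0 if ProcessName is NULL/empty,
//   the snapshot could not be taken, or nothing matched.
//
// Fixes over the original: the snapshot handle was leaked on every return
// path; `::tolower` was applied to wchar_t (and to possibly-negative char) —
// towlower/unsigned-char are used now; an empty name matched the first entry.
DWORD PsGetProcessIdByProcessName(LPTSTR ProcessName)
{
#ifdef UNICODE
    typedef std::wstring NameString;
#else
    typedef std::string NameString;
#endif
    if (ProcessName == NULL)
        return 0;

    // Lower-case a copy of a name with the character-type-appropriate routine.
    auto lowerCase = [](NameString s) {
#ifdef UNICODE
        std::transform(s.begin(), s.end(), s.begin(),
                       [](wchar_t c) { return static_cast<wchar_t>(::towlower(c)); });
#else
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return static_cast<char>(::tolower(c)); });
#endif
        return s;
    };

    const NameString wanted = lowerCase(ProcessName);
    if (wanted.empty())
        return 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
        return 0;

    DWORD foundPid = 0;
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);   // must be set before the first Process32First call
    for (BOOL ok = Process32First(hSnapshot, &pe); ok; ok = Process32Next(hSnapshot, &pe))
    {
        if (lowerCase(pe.szExeFile).find(wanted) != NameString::npos)
        {
            foundPid = pe.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapshot);   // closed on every path, found or not
    return foundPid;
}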
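// Enables SeDebugPrivilege in the current process token so OpenProcess can
// reach processes owned by other users or protected by the OS.
//
// Returns:
//   true only when the privilege is actually enabled. The token must already
//   hold the privilege (it is present for administrators and stripped from a
//   UAC-filtered token); enabling cannot grant it.
//
// Security notes:
//   - The token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the
//     minimum AdjustTokenPrivileges needs, instead of TOKEN_ALL_ACCESS.
//   - OpenProcessToken's result is checked; the original ignored it and could
//     continue with a NULL token.
//   - AdjustTokenPrivileges returns TRUE even when it enabled nothing and sets
//     the last error to ERROR_NOT_ALL_ASSIGNED. The original treated that as
//     success, so a non-admin caller went on believing it was elevated.
bool AdjustPrivileges() {
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        OutputDebugString(TEXT("提升权限失败 OpenProcessToken"));
        return false;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        CloseHandle(hToken);
        OutputDebugString(TEXT("提升权限失败,LookupPrivilegeValue"));
        return false;
    }

    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // The previous privilege state is not used, so no out-buffer is requested.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    const DWORD lastError = GetLastError();   // capture before CloseHandle can overwrite it
    CloseHandle(hToken);

    if (!adjusted) {
        OutputDebugString(TEXT("提升权限失败 AdjustTokenPrivileges"));
        return false;
    }
    if (lastError == ERROR_NOT_ALL_ASSIGNED) {
        // Privilege is not held by this token (not running as administrator).
        OutputDebugString(TEXT("提升权限失败 AdjustTokenPrivileges: ERROR_NOT_ALL_ASSIGNED"));
        return false;
    }
    return true;
}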
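// Entry point: enables SeDebugPrivilege (best effort), resolves the target
// process by name, opens it with the least access the walk needs and lists
// its memory regions.
//
// Returns 0 on success, 1 if the process was not found or could not be opened.
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    // Without SeDebugPrivilege OpenProcess still succeeds for the caller's own
    // processes, so a failure here is reported rather than treated as fatal.
    if (!AdjustPrivileges())
        printf("AdjustPrivileges failed (not elevated / SeDebugPrivilege missing); continuing\n");

    // TEXT() yields the right character type for LPTSTR under both UNICODE and
    // ANSI builds; the original's (LPTSTR)L"xx.exe" passed a wide string to an
    // ANSI build.
    const DWORD dwPid = PsGetProcessIdByProcessName((LPTSTR)TEXT("xx.exe"));
    if (dwPid == 0)
    {
        printf("target process not found\n");
        system("pause");
        return 1;
    }

    // VirtualQueryEx only needs PROCESS_QUERY_INFORMATION (least privilege);
    // PROCESS_ALL_ACCESS grants far more than the listing requires. The
    // original also never checked the handle and never closed it.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("OpenProcess(%lu) failed, error %lu\n",
               static_cast<unsigned long>(dwPid),
               static_cast<unsigned long>(GetLastError()));
        system("pause");
        return 1;
    }

    EnumAllMemory(hProcess);
    CloseHandle(hProcess);

    system("pause");
    return 0;
}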
作者:IBinary
本文来自博客园,作者:iBinary,未经允许禁止转载 转载前可联系本人.对于爬虫人员来说如果发现保留起诉权力.https://www.cnblogs.com/iBinary/p/12095933.html