Code

Toolhelp32ReadProcessMemory

 

The Toolhelp32ReadProcessMemory function copies memory allocated to another process into an application-supplied buffer.

// The Toolhelp32ReadProcessMemory function reads another process's memory into an application-specified buffer
BOOL WINAPI Toolhelp32ReadProcessMemory(
  DWORD th32ProcessID,
  LPCVOID lpBaseAddress,
  LPVOID lpBuffer,
  SIZE_T cbRead,
  SIZE_T *lpNumberOfBytesRead
);

Parameters

th32ProcessID
[in] Identifier of the process whose memory is being copied. This parameter can be zero to copy the memory of the current process.
// Identifier of the process to read. This parameter can be 0, in which case the current process is read.
lpBaseAddress
[in] Base address in the specified process to read. Before transferring any data, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds. Otherwise, the function fails.
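// The base address in the specified process to read from. Before transferring any data, the system verifies that all data from the base address through the specified size is readable. If it is, the function proceeds; otherwise the function fails.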
lpBuffer
[out] Pointer to a buffer that receives the contents of the address space of the specified process.
// Buffer that receives the contents of the specified process's address space
cbRead
[in] Number of bytes to read from the specified process.
// Number of bytes to read
lpNumberOfBytesRead
[out] Number of bytes copied to the specified buffer. If this parameter is NULL, it is ignored.
// Number of bytes copied into the specified buffer. If NULL, it is ignored.

IMAGE_NT_HEADERS

 

The IMAGE_NT_HEADERS structure represents the PE header format.


typedef struct _IMAGE_NT_HEADERS {
  DWORD Signature;
  IMAGE_FILE_HEADER FileHeader;
  IMAGE_OPTIONAL_HEADER OptionalHeader;
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

Members

Signature
A 4-byte signature identifying the file as a PE image. The bytes are "PE\0\0".
FileHeader
An IMAGE_FILE_HEADER structure that specifies the file header.
OptionalHeader
An IMAGE_OPTIONAL_HEADER structure that specifies the optional file header.
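
An added example (not from the original post or from Microsoft's documentation): portable C that validates a buffer, such as one filled by Toolhelp32ReadProcessMemory, before treating it as IMAGE_NT_HEADERS, trusting only the bytes actually read. The names check_nt_headers, pe_check and make_sample are hypothetical; the "MZ" marker and the e_lfanew field at offset 0x3C come from the standard IMAGE_DOS_HEADER layout, which this page does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for the hypothetical checker below. */
enum pe_check { PE_OK = 0, PE_SHORT_READ, PE_NO_MZ, PE_BAD_LFANEW, PE_BAD_SIGNATURE };

/* Little-endian readers: PE header fields are stored little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * buf/got: the buffer and byte count a successful read returned
 * (lpBuffer and *lpNumberOfBytesRead). Only the first `got` bytes are trusted.
 * On PE_OK, *machine and *nsections receive FileHeader.Machine and
 * FileHeader.NumberOfSections.
 */
enum pe_check check_nt_headers(const uint8_t *buf, size_t got,
                               uint16_t *machine, uint16_t *nsections)
{
    if (got < 0x40) return PE_SHORT_READ;            /* IMAGE_DOS_HEADER is 64 bytes */
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_NO_MZ;

    uint32_t lfanew = rd32(buf + 0x3C);              /* e_lfanew: offset of IMAGE_NT_HEADERS */
    /* Signature (4) + IMAGE_FILE_HEADER (20) must lie inside the bytes actually read. */
    if (lfanew > got || got - lfanew < 24) return PE_BAD_LFANEW;

    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0) return PE_BAD_SIGNATURE;

    *machine   = rd16(buf + lfanew + 4);             /* FileHeader.Machine */
    *nsections = rd16(buf + lfanew + 6);             /* FileHeader.NumberOfSections */
    return PE_OK;
}

/* Constructed sample: minimal image with e_lfanew = 0x40, Machine = 0x8664, 3 sections. */
size_t make_sample(uint8_t *out, size_t cap)
{
    if (cap < 0x58) return 0;
    memset(out, 0, 0x58);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                                /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);                 /* Signature */
    out[0x44] = 0x64; out[0x45] = 0x86;              /* Machine, little-endian */
    out[0x46] = 3;                                   /* NumberOfSections */
    return 0x58;
}
```

The e_lfanew value is read from the other process's memory, so it is checked against the byte count returned by the read rather than against the size requested.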

 

posted on 2009-10-29 17:23  wParma