[Discussion] VB memory read/write problem

Posted: 2015-4-11 14:58
Today I suddenly wanted to use VB to write something into its own process, and wrote the following code:
Option Explicit
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Sub Command1_Click()
Dim hProcess As Long, pid As Long, bb1 As String
GetWindowThreadProcessId Form1.hwnd, pid
hProcess = OpenProcess(&H1F0FFF, True, pid)
MsgBox hProcess & " " & pid & " " & WriteProcessMemory(hProcess, &H401000, &HF1234512, 4, 0&) 'memory write API; a MsgBox is added to check the results of the previous two steps
End Sub
In theory this should write F1234512 to 401000, but on checking I found that the data at 401000 had not been modified.
So I debugged the program with OD.
BP WriteProcessMemory; the stack window after the program broke:
0012F3B0 00401CD8 /CALL 到 WriteProcessMemory 来自 111.00401CD3
0012F3B4 00000334 |hProcess = 00000334 (window)
0012F3B8 0012F3F0 |Address = 12F3F0
0012F3BC 0012F3EC |Buffer = 0012F3EC
0012F3C0 00000004 |BytesToWrite = 4
0012F3C4 0012F3E8 \pBytesWritten = 0012F3E8
Address = 12F3F0
The data stored at this address is: 00 10 40 00
Likewise, the later pBytesWritten holds 0, and the buffer (0012F3EC) contains 12 45 23 F1.
After running with F9, the memory at 0x401000 had not changed, but
the 00 10 40 00 at 12F3F0 had become 12 45 23 F1!
At this point I really don't know what the cause is; could it be an OS handling error (though that's unlikely)...
I previously wrote a VB Minesweeper memory read/write example; the code is lost, but it really could read and write successfully. Could everyone help take a look at what the cause is?
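As an added example (not the poster's code), the following shows the VB6 calling-convention point behind the OD trace: with `lpBaseAddress As Any` declared ByRef, VB6 passes the address of a temporary that holds &H401000, which is exactly the Address = 12F3F0 containing 00 10 40 00 seen in the stack window, so the write lands on that temporary instead. The version below declares the address parameter ByVal, passes real variables for the buffer and byte count, and writes to a local variable of the same process so the result can be verified by reading it back; the function names and the test value are my own.

```vb
Option Explicit

' lpBaseAddress is ByVal here, so the address value itself is passed,
' not the address of a temporary Long that holds the value.
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long

' Writes a 4-byte value to lpAddress in the current process and reads it back.
' Returns True only if the API reported success and the readback matches.
Private Function WriteAndVerify(ByVal lpAddress As Long, ByVal newValue As Long) As Boolean
    Dim hProcess As Long
    Dim bytesDone As Long
    Dim readBack As Long

    hProcess = GetCurrentProcess()   ' pseudo-handle for the own process; no OpenProcess needed

    ' newValue is a real variable, so the ByRef "lpBuffer As Any" parameter
    ' receives its address, which is what the API expects.
    If WriteProcessMemory(hProcess, lpAddress, newValue, 4, bytesDone) = 0 Then
        Debug.Print "WriteProcessMemory failed, Err.LastDllError = " & Err.LastDllError
        Exit Function
    End If

    ' bytesDone is a variable (not the literal 0&), so the written count actually comes back.
    If bytesDone <> 4 Then Exit Function

    If ReadProcessMemory(hProcess, lpAddress, readBack, 4, bytesDone) = 0 Then Exit Function

    WriteAndVerify = (bytesDone = 4 And readBack = newValue)
End Function

Private Sub Command1_Click()
    Dim target As Long
    ' Constructed test target: a local variable in this process, safe to overwrite and check.
    target = &H11223344
    MsgBox "Write to VarPtr(target) ok: " & WriteAndVerify(VarPtr(target), &HF1234512) _
           & vbCrLf & "target now = " & Hex$(target)
End Sub
```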