Jo, stimmt. Ich hab halt mal Delphi "unterrichtet", das eignet sich für die "Lehre" imo besser als C. Prima, dass du mir hilfst. Danke. Ich versuche momentan mal wenigsten etwas aus dem Speicher zu lesen und verwende dazu:
Delphi-Quellcode:
procedure SearchInMemory(PID: Cardinal; sSearchString: WideString);
var
hProcess : Cardinal;
MemBasicInfo : TMemoryBasicInformation;
SysInfo : TSystemInfo;
lpMinAddr: Pointer;
ret : DWORD;
sBuffer : WideString;
lpReadBytes : DWORD;
lPos : Integer;
CalcAddress : DWORD;
ByteContent : array of Byte;
lpOldProtect: Cardinal;
i : Integer;
cmpstring : widestring;
begin
hProcess := OpenProcess(PROCESS_ALL_ACCESS, false, PID);
GetSystemInfo(SysInfo);
lpMinAddr := SysInfo.lpMinimumApplicationAddress;
while Cardinal(lpMinAddr) < Cardinal(SysInfo.lpMaximumApplicationAddress) do
begin
Application.ProcessMessages;
ret := VirtualQueryEx(hProcess, lpMinAddr, MemBasicInfo, SizeOf(MemBasicInfo));
VirtualProtectEx(hProcess,lpMinAddr,MemBasicInfo.RegionSize, PAGE_READWRITE, lpOldProtect);
SetLength(sBuffer, MemBasicInfo.RegionSize);
if ret = SizeOf(MemBasicInfo) then
if ((MemBasicInfo.Type_9 = MEM_PRIVATE) Or
(MemBasicInfo.Type_9 = MEM_MAPPED) OR
(MemBasicInfo.Type_9 = MEM_IMAGE)) AND
(MemBasicInfo.State = MEM_COMMIT) THEN
begin
ReadProcessMemory(hProcess, lpMinAddr,@sBuffer[1],MemBasicInfo.RegionSize, lpReadBytes);
if pos(sBuffer,sSearchString) > 0 then
begin
CalcAddress := Cardinal(lpMinAddr) + pos(sBuffer,sSearchString);
Form1.Memo1.Lines.Add(inttohex(CalcAddress,8));
end;
end;
VirtualProtectEx(hProcess,lpMinAddr,MemBasicInfo.RegionSize, lpOldProtect, lpOldProtect);
lpMinAddr := Ptr(Cardinal(MemBasicInfo.BaseAddress)+MemBasicInfo.RegionSize);
end;
CloseHandle(hProcess);
end;
Lasse ich das laufen, kommt eine
Exception: EOutOfMenory, Zu wenig Arbeitsspeicher. Zumindest kann ich schon mal "Zeichen" aus dem Speicher lesen, allerdings nicht die, die ich eigentlich suche.