如何从Windows应用程序内存中读取一些数据?

发布于 2024-09-24 09:22:16 字数 261 浏览 11 评论 0原文

我有一个应用程序,它向我显示一些数据。我需要附加到这个应用程序的进程,在内存中找到我需要的数据(实际上是一个数字),并将其保存在某个地方。该应用程序似乎没有使用标准的 Windows 控件,因此事情不会像使用 AutoIt 或类似的东西读取控件数据那么简单。

目前,我是一名自学数据库的人,对 Windows 应用程序调试的了解相当肤浅。甚至不确定我的问题是否足够正确。

那么,您能否给我一些入门指南,比如我应该首先阅读什么,以及我应该努力的一般方向?

谢谢。

I have an application, which displays me some data. I need to attach to this app's process, find the data I need in memory (one single number, actually), and save it somewhere. This application doesn't seem to use standard windows controls, so things aren't going to be as simple as reading controls data using AutoIt or something similar.

Currently I'm a self-learner database guy and have quite shallow knowledge about windows apps debugging. Not even sure if I asked my question correctly enough.

So, can you give me some starter guidelines about, say, what should I read first, and general directions I should work on?

Thanks.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

╰つ倒转 2024-10-01 09:22:16

要读取其他应用程序的内存,您需要打开 OpenProcess 至少具有 PROCESS_VM_READ 访问权限,然后使用 ReadProcessMemory 从进程中读取任何内存地址。如果您是管理员或具有调试权限,您将能够以最大访问权限打开任何进程,您只需在之前启用 SeDebugPrivilege (请参阅例如 http://support.microsoft.com/kb/131065)。

如果您不太了解目标进程的内存,您可以枚举有关 VirtualQueryEx(请参阅如何使用 VirtualAllocEx 为代码洞腾出空间? 作为我检查程序代码的示例。您可以以相同的方式检查程序数据)。

我看到的最实际的问题是你问问题的方式太笼统。如果您更多地解释您正在寻找什么样的数据,我可能会建议您更好的方法。例如,如果您可以在某处看到数据,则可以检查 Spy++(Visual Studio 工具的一部分)的相应窗口和控件。最重要的是窗口(或控件)的类以及在显示最感兴趣的窗口时发送的消息。您还可以使用进程监视器来跟踪所有文件和注册表访问显示感兴趣信息的窗口的时间。至少在开始时,您应该使用 ReadProcessMemory 当您要查找的数据显示在窗口上时。

如果您的调查没有成功,我建议您在问题中插入更多信息。

To read memory of other application you need to open the process with respect of OpenProcess with at least PROCESS_VM_READ access rights and then use ReadProcessMemory to read any memory address from the process. If you are an administrator or have debug privilege you will be able to open any process with maximal access rights, you need only to enable SeDebugPrivilege before (see for example http://support.microsoft.com/kb/131065).

If you don't know a much about the memory of the destination process you can just enumerate the memory blocks with respect of VirtualQueryEx (see How does one use VirtualAllocEx do make room for a code cave? as an example where I examine the program code. The program data you can examine in the same way).

The most practical problem which I see is that you ask your question in too general way. If you explain more what kind of the data you are looking for I could probably suggest you a better way. For example if you could see the data somewhere you could examine the corresponding windows and controls with respect of Spy++ (a part of Visual Studio Tools). The most important are the class of windows (or controls) and the messages which will be send at the moment when the most interesting window are displayed. You can also use Process Monitor to trace all file and registry access at the time when the windows with the interesting information will be displayed. At least at the beginning you should examine the memory of the process with ReadProcessMemory at the moment when the data which you are looking for are displayed on the window.

If you will have no success in your investigations I'd recommend you to insert in your question more information.

脸赞 2024-10-01 09:22:16

我的主要建议是:尝试寻找除此之外的任何其他集成方法。即使您成功了,您也将受到目标进程(甚至可能是 Windows 操作系统)中任何类型更改的影响。您所描述的是大多数病毒扫描程序应该标记和阻止的行为:如果不是现在,那么将来也是如此。

也就是说,您可以查看 DLL 注入。然而,听起来好像您必须在反汇编级别调试目标进程:否则,您如何知道要读取哪个内存地址?

My primary advice is: try to find any other method of integration than this. Even if you succeed, you'll be hostage to any kinds of changes in the target process, and possibly in the Windows O/S. What you are describing is behaviour most virus scanners should flag and hinder: if not now, then in the future.

That said, you can take a look at DLL injection. However, it sounds as if you're going to have to debug the heck out of the target process at the disassembly level: otherwise, how are you going to know what memory address to read?

叹沉浮 2024-10-01 09:22:16

我曾经了解Windows调试API,但早已忘记了。如何使用 ollydbg:

http://www.ollydbg.de/

并使用 ollydbg 脚本和自动?

I used to know the windows debugging API but it's long lost memory. How about using ollydbg:

http://www.ollydbg.de/

And controlling that with both ollydbg script and autoit?

玉环 2024-10-01 09:22:16

听起来很有趣……但非常困难。既然你说这是“一次性”,那么像这样的事情呢?

  • 截取此应用程序的屏幕截图。
  • 通过 OCR 程序运行屏幕截图
  • 如果您能够以可预测的方式阅读您要查找的文本,那么您就成功了一半!

因此,现在如果您可以读取应用程序的 OCR 屏幕截图,那么只需编写一个执行以下操作的程序即可:

  • 编写脚本以获取屏幕上的数据的步骤
  • 创建相关数据的屏幕截图
  • 运行它像 Microsoft Office Document Imaging 这样的 OCR 程序
  • 提取相关文本并执行“任何操作” ' 与它。

我以前做过类似的事情,取得了很好的结果,但我想说这是一个脆弱的解决方案。如果应用程序发生更改,它将停止工作。如果 OCR 无法读取文本,它将停止工作。如果 OCR 读取了错误的文本,它可能会做比停止工作更糟糕的事情......

正如其他海报所说,进入内存并提取数据是一个非常高级的主题......如果你能找出一个这样做的方法!

Sounds interesting... but very difficult. Since you say this is a 'one-off', what about something like this instead?

  • Take a screenshot of this application.
  • Run the screenshot through an OCR program
  • If you are able to read the text you are looking for in a predictable way, you're halfway there!

So now if you can read a OCR'd screenshot of your application, it is a simple matter of writing a program that does the following:

  • Scripts the steps to get the data on the screen
  • Creates a screenshot of the data in question
  • Runs it through an OCR program like Microsoft Office Document Imaging
  • Extracts the relevant text and does 'whatever' with it.

I have done something like this before with pretty good results, but I would say it is a fragile solution. If the application changes, it stops working. If the OCR can't read the text, it stops working. If the OCR reads the wrong text, it might do worse things than stop working...

As the other posters have said, reaching into memory and pulling out data is a pretty advanced topic... kudos to you if you can figure out a way to do that!

可是我不能没有你 2024-10-01 09:22:16

我知道由于该软件用途的性质,这可能不是一个受欢迎的答案,但是像 CheatEngine 和 ArtMoney 允许您搜索进程为给定值保留的所有内存,然后优化结果直到找到您要查找的值的地址。

我最初是在遇到其中一个游戏的培训师后尝试学习如何更好地保护我的游戏时学到这一点的,但发现该技术在调试时偶尔有用。

以下是上述技术的使用示例:https://www.youtube .com/watch?v=Nv04gYx2jMw&t=265

I know this may not be a popular answer, due to the nature of what this software is used for, but programs like CheatEngine and ArtMoney allow you to search through all the memory reserved by a process for a given value, then refine the results till you find the address of the value you're looking for.

I learned this initially while trying to learn how to better protect my games after coming across a trainer for one of them, but have found the technique occasionally useful when debugging.

Here is an example of the technique described above in use: https://www.youtube.com/watch?v=Nv04gYx2jMw&t=265

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文