为什么WriteProcessMemory需要传入的句柄值,而不是目标进程的ID?
在Windows系统中,我们可以跨进程修改另一个进程的内存。例如,如果进程A想要修改进程B的内存,A可以调用系统函数 WriteProcessMemory。大致形式如下:
BOOL flag = WriteProcessMemory(handler, p_B_addr, &p_A_buff, write_size); ...
该函数返回一个布尔值,代表写操作是否成功。它需要传递四个参数,我们来看看这四个参数:
handler。这是一个进程句柄,可以用来查找B进程。
p_B_地址。进程B中要写入内存的地址偏移量。
p_A_buff。在进程A中,指向写数据缓冲区的指针。
写入大小。要写入的字节数。
我对第一个参数处理程序感到困惑,它是 HANDLE 类型的变量。比如我们的程序实际运行的时候,进程B的ID是2680,然后我想给进程B写内存,首先需要在进程A中通过这个2680来获取进程B的句柄。具体形式就是handler=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2680),然后就可以用这个handler陷入内核修改进程B的内存了。
由于都是被困在内核函数中跨修改内存的为什么WriteProcessMemory函数没有设计成WriteProcessMemory(B_procID, p_B_addr, &p_A_buff, write_size)的形式?
其中,B_procID是B进程的ID,因为每个进程都有唯一的ID。难道系统内核就找不到B进程的虚拟地址通过这个B_procID可以映射的物理地址吗?为什么一定要传入A进程中B进程的进程句柄索引呢?
In the Windows system, we can modify the memory of another process across processes. For example, if process A wants to modify the memory of process B, A can call the system function WriteProcessMemory. The approximate form is as follows:
BOOL flag = WriteProcessMemory(handler, p_B_addr, &p_A_buff, write_size); ...
This function return a Boolean value, which represents whether the write operation is successful. It needs to pass four parameters, let's take a look at these four parameters:
handler. This is a process handle, and it can be used to find B process.
p_B_addr. In process B, the address offset to be written into memory.
p_A_buff. In process A, the pointer to the write data buffer.
write_size. The number of bytes to write.
I am confused about the first parameter handler, which is a variable of type HANDLE. For example, when our program is actually running, the ID of process B is 2680, and then I want to write memory to process B. First I need to use this 2680 to get the handle of process B in process A. The specific form is handler=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2680), and then you can use this handler to fall into the kernel to modify the memory of process B.
Since they are all trapped in kernel functions to modify memory across processes, why is the WriteProcessMemory function not designed to be in the form of WriteProcessMemory(B_procID, p_B_addr, &p_A_buff, write_size)?
Among them, B_procID is the ID of the B process, since each process they all have unique IDs. Can the system kernel not find the physical address that the virtual address of the B process can map through this B_procID? Why must the process handle index of the B process in the A process be passed in?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
原因有很多,评论中都提到了。
OpenProcess+WriteProcessMemory+CloseHandle的WriteProcessMemoryById函数,但这会鼓励次优设计,如以及向您开放与第 1 点相关的竞争条件。这同样适用于“为什么没有WriteFileByFilename函数”(以及所有其他读/写函数)。There are multiple reasons, all touched on in the comments.
ExitProcess. Windows tries to not re-use the id for a new process right away but it will happen some time in the future given enough time.WriteProcessMemoryByIdfunction that callsOpenProcess+WriteProcessMemory+CloseHandlebut this encourages sub optimal design as well as opening you up to race conditions related to point 1. The same applies to "why is there noWriteFileByFilenamefunction" (and all other Read/Write functions).