当注入程序的内存空间时,如何读取从0到0xFFFFFFFFF的每个字节?我正在创建图案扫描仪

我正在尝试创建一个模式扫描器,以查找程序存储器中以“ MZ”(4d5a)开头的每个字节序列。为此,我将DLL注入目标程序。

我尝试寻找“ MZ”模式,因为我看到一些偷偷摸摸的模块正在与模块列表断开链接。

从程序的内存空间中,我希望从0迭代到0xFFFFFFFFF并检查字节模式。通过简单地做这样的事情:

unsigned i = 0;
while (i < 0xFFFFFFFFF) {
    if ((BYTE*) i != NULL) {
        std::cout << "Print byte: " << ConvertToHexString( (BYTE*) i) << std::endl;
    }
    i++;
} 

ConvertToHexString successfully converts (BYTE*) to std::string.

I thought it was that easy, even if I hit memory I wasn't allowed to read. I thought my NULL check was sufficient. Seemed it was not. However, if I start from the modulebase (uintptr_t pModuleBase = (uintptr_t)GetModuleHandle(NULL)), I can actually see the bytes.

下面是我的代码:

DllMain:

BOOL APIENTRY DllMain(

        ...snip...
        CloseHandle(CreateThread(0, 0, (LPTHREAD_START_ROUTINE)SignatureScanner, moduleHandle, 0, 0));
        ...snip...
} 

SignatureScanner:

DWORD WINAPI SignatureScanner(HMODULE moduleHandle)
{
    // Create Console
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    // Get module base
    uintptr_t pModuleBase = (uintptr_t)GetModuleHandle(NULL);

    while (true)
    {
        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
        {
             unsigned i = 0;
             while (i < 0xFFFFFFFFF) {
                if ((BYTE*) i != NULL) {
                   std::cout << "Print byte: " << ConvertToHexString( (BYTE*) i) << std::endl;
                }
                i++;
             } 
        }

        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            break;
        }

        Sleep(100);
    }

    fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(moduleHandle, 0);
    return 0;
}
评论