原理:
微软提供的内存 Write Watch 跟踪技术：对于以 MEM_WRITE_WATCH 标志申请的内存，可以监控自上次重置以来发生的内存变更（包括来自外界的变更）。
举例代码（仅仅是举个例子）：
- #include <windows.h>
- #include <stdio.h>
-
/*
 * Player coordinates kept in the write-watched page.
 *
 * The struct is placed at the start of the MEM_WRITE_WATCH region (see
 * main()), so any write to these fields is recorded by the page tracker.
 * Note the declaration order is dx, dz, dy -- not x, y, z -- which matters
 * for anything that reads the page by offset.
 */
typedef struct _POSITION_
{
    DWORD dx;
    DWORD dz;
    DWORD dy;
} POSITION, *PPOSITION;
-
/* Size of the watched region: one 4 KiB page, committed in main() and
 * polled by WatchThread(). The granularity reported by GetWriteWatch is
 * the page size, so the whole POSITION lands in a single tracked page. */
#define BASE_SIZE 0x1000
/* Amount added to pos->dx on each simulated step in main(). */
#define WALK_ADD 10
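/*
 * Watcher thread: polls the write-watch record of the region at Param.
 *
 * Param    base address of a region committed with MEM_WRITE_WATCH
 *          (BASE_SIZE bytes, allocated in main()).
 * Returns  never returns in this example; the loop runs until the process
 *          exits.
 *
 * GetWriteWatch(WRITE_WATCH_FLAG_RESET, ...) reports every page written since
 * the previous reset and clears the record in the same call, so a non-zero
 * page count means something wrote to the region while the watcher was not
 * suspended -- which this demo treats as a third-party modification.  The
 * detection is only as strong as the reset discipline in main(): a write that
 * lands between SuspendThread() and ResetWriteWatch() is erased together with
 * the legitimate write and never reported.
 */
DWORD WINAPI WatchThread(LPVOID Param)
{
    PVOID pages[0x400] = { 0 };

    while (1)
    {
        /* lpdwCount is ULONG_PTR*, not ULONG*: on x64 the API stores an
         * 8-byte count, so a 32-bit ULONG here would be written past its end.
         * The in/out count must be reset to the array capacity on every call. */
        ULONG_PTR count = sizeof pages / sizeof pages[0];
        DWORD granularity = 0;
        UINT ret = GetWriteWatch(WRITE_WATCH_FLAG_RESET, Param, BASE_SIZE,
                                 pages, &count, &granularity);

        /* ret is 0 on success; count is the number of dirty pages found. */
        if (ret == 0 && count != 0)
        {
            MessageBoxW(NULL, L"发现第三方软件修改关键内存", L"发现第三方软件", MB_OK);
        }

        /* Nothing is lost by sleeping: the dirty record persists until the next
         * RESET call, and a tight loop would otherwise burn a full core. */
        Sleep(10);
    }
    return 0;
}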
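/*
 * Demo driver: allocates one write-watched page holding a POSITION, starts
 * the watcher thread and then "walks" by bumping pos->dx once a second.
 *
 * The legitimate write is fenced so the watcher does not report it:
 *   SuspendThread -> write -> ResetWriteWatch -> ResumeThread.
 * Anything that writes the page while the watcher is running is reported by
 * WatchThread().  Suspending the thread is only a toy model of that fence;
 * a foreign write that lands inside the fenced window is discarded along
 * with the legitimate one.
 *
 * Returns 0 on the (unreachable) normal path, 1 if the allocation or the
 * thread creation fails.  The loop never exits, so hThread is never closed.
 */
int __cdecl main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Reserve + commit one page with write tracking enabled. */
    PVOID Base = VirtualAlloc(NULL, BASE_SIZE,
                              MEM_RESERVE | MEM_COMMIT | MEM_WRITE_WATCH,
                              PAGE_READWRITE);
    if (Base == NULL)
    {
        /* Original code dereferenced the result unchecked. */
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    PPOSITION pos = (PPOSITION)Base;

    /* Initial coordinates. */
    pos->dx = pos->dy = pos->dz = 1000;

    /* Discard the watch record produced by the initialisation above. */
    ResetWriteWatch(Base, BASE_SIZE);

    /* Start the watcher. */
    HANDLE hThread = CreateThread(NULL, 0, WatchThread, Base, 0, NULL);
    if (hThread == NULL)
    {
        fprintf(stderr, "CreateThread failed: %lu\n", GetLastError());
        VirtualFree(Base, 0, MEM_RELEASE);
        return 1;
    }

    while (1)
    {
        /* Pause the watcher so our own write is not reported.  Suspending the
         * thread is a simple model only; any other handshake would do. */
        SuspendThread(hThread);

        /* Simulate walking. */
        pos->dx += WALK_ADD;

        /* Drop our own write from the record, then let the watcher continue. */
        ResetWriteWatch(Base, BASE_SIZE);
        ResumeThread(hThread);

        /* DWORD is unsigned long, so %lu rather than %d. */
        printf("x = %lu\n", pos->dx);
        Sleep(1000);
    }
    return 0;
}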