
如何获取 程序加载后的内存起始地址

2011-05-07 02:16 537 查看
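Public Function GetProcessPath(ByVal dwProcessId As Long) As String
    ' Returns the full image path of the first module in the target process's
    ' load-order list (normally the main executable), or "" on any failure.
    '
    ' dwProcessId : id of the process to inspect.
    '
    ' The walk is PEB -> PEB.Ldr -> InLoadOrderModuleList.Flink ->
    ' LDR_DATA_TABLE_ENTRY (DllBase at +&H18, FullDllName at +&H24).
    ' These offsets are the 32-bit layout; a 64-bit target is not handled here.
    '
    ' objBaseAddress (DllBase) is the load address of that module. It stays a
    ' local because the function's contract is to return the path.
    '
    ' NOTE(review): every value below is read from the target's own user-mode
    ' memory, which the target can rewrite. Treat the returned path as a hint,
    ' not as proof of which file is running, and never size a local read from
    ' a remote length without clamping it first.

    Dim ntStatus As Long
    Dim objBasic As PROCESS_BASIC_INFORMATION
    Dim objCid As CLIENT_ID
    Dim objOa As OBJECT_ATTRIBUTES
    Dim hProcess As Long
    Dim objPEB As Long, objLdr As Long, objFlink As Long
    Dim objBaseAddress As Long
    Dim objName As Long
    Dim lngNameLen As Long
    Dim bytName(260 * 2 - 1) As Byte
    Dim strModuleName As String

    GetProcessPath = ""

    objOa.Length = Len(objOa)
    objCid.UniqueProcess = dwProcessId

    ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, objOa, objCid)
    If hProcess = 0 Then
        ' Fall back to the project's alternative way of obtaining a handle.
        hProcess = GetHandleByProcessId(dwProcessId)
        If hProcess = 0 Then Exit Function
    End If

    ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(objBasic), Len(objBasic), ByVal 0&)
    If NT_SUCCESS(ntStatus) Then
        objPEB = objBasic.PebBaseAddress
    End If
    If objPEB = 0 Then GoTo CleanUp

    ' ReadProcessMemory returns 0 on failure. Stop at the first failed read
    ' instead of dereferencing a pointer that was never filled in.
    If ReadProcessMemory(hProcess, ByVal objPEB + &HC, objLdr, 4, ByVal 0&) = 0 Then GoTo CleanUp
    If objLdr = 0 Then GoTo CleanUp

    If ReadProcessMemory(hProcess, ByVal objLdr + &HC, objFlink, 4, ByVal 0&) = 0 Then GoTo CleanUp
    If objFlink = 0 Then GoTo CleanUp

    If ReadProcessMemory(hProcess, ByVal objFlink + &H18, objBaseAddress, 4, ByVal 0&) = 0 Then GoTo CleanUp

    ' Long is signed: an image mapped at or above &H80000000 shows up as a
    ' negative number, so test for non-zero rather than "> 0".
    If objBaseAddress = 0 Then GoTo CleanUp

    ' FullDllName is a UNICODE_STRING: Length (2 bytes, in bytes) at +&H24 and
    ' the buffer pointer at +&H28. Only the low word of lngNameLen is written.
    If ReadProcessMemory(hProcess, ByVal objFlink + &H24, lngNameLen, 2, ByVal 0&) = 0 Then GoTo CleanUp
    If ReadProcessMemory(hProcess, ByVal objFlink + &H28, objName, 4, ByVal 0&) = 0 Then GoTo CleanUp
    If objName = 0 Then GoTo CleanUp

    ' Clamp the remote length to the local buffer and to whole UTF-16 units.
    ' Reading exactly Length bytes also avoids the partial-copy failure that a
    ' fixed 520-byte read hits when the string ends near an unmapped page.
    If lngNameLen > 260 * 2 Then lngNameLen = 260 * 2
    lngNameLen = lngNameLen - (lngNameLen Mod 2)
    If lngNameLen <= 0 Then GoTo CleanUp

    If ReadProcessMemory(hProcess, ByVal objName, bytName(0), lngNameLen, ByVal 0&) = 0 Then GoTo CleanUp

    ' The byte array holds UTF-16 text; the unread tail is still zero-filled,
    ' so cut the string at the first NUL.
    strModuleName = bytName
    strModuleName = Left(strModuleName & Chr(0), InStr(strModuleName & Chr(0), Chr(0)) - 1)
    GetProcessPath = strModuleName

CleanUp:
    ' Single exit path so the process handle is always released.
    NtClose hProcess
End Function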

看这里:objBaseAddress 这个变量就是你要的东西(主模块加载后的基址)。注意上面的函数返回的是模块路径,基址只保存在局部变量 objBaseAddress 中,需要自行取出。
http://blog.csdn.net/lxslove/archive/2008/10/18/3097310.aspx