外挂之内存读取

 

模块
Option Explicit
'---------------声明函数-----------------------
'得到窗体句柄的函数,FindWindow函数用来返回符合指定的类名( ClassName )和窗口名( WindowTitle )的窗口句柄
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
'得到窗体控件句柄的函数
Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
'得到进程标识符的函数
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
'得到目标进程句柄的函数
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'关闭句柄的函数
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'读取进程内存的函数
Public Declare Function ReadProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
'存储进程内存的函数
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'=====================================================================================

'发送信息的函数
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
'SendMessage hwd, &H100, &H70, 0&   '按住F1键，&H100代表按下，&H70代表F1
'SendMessage hwd, &H101, &H70, 0&   '松开F1键，&H101代表松开，&H70代表F1

Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'延迟函数
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
'=================================================================================================
'参数决定了对进程的存储权限，使用完全控制
Public Const PROCESS_ALL_ACCESS = &H1F0FFF


'////////////////////////////////////////////////////
'////////////////////////////////////////////////////////

‘form
Option Explicit

Dim hwd As Long '储存 FindWindow 函数返回的句柄
Dim pid As Long
Dim hProcess As Long '存放进程句柄

Const dz = &H1F32930 ’要修改的内存地址 常量化。

Private Sub Form_Load()
hwd = FindWindow("TForm2", "步骤 2 ")
'得到窗体句柄的函数,FindWindow函数用来返回符合指定的
'类名( ClassName )和窗口名( WindowTitle )的窗口句柄

If hwd = 0 Then
   MsgBox "未启动游戏", vbOKOnly, "提示"
   Unload Form1
End If
GetWindowThreadProcessId hwd, pid   '获取进程标识符
'将进程标识符做为参数，返回目标进程PID的句柄，得到此句柄后
'即可对目标进行读写操,PROCESS_ALL_ACCESS表示完全控制,权限最大
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid)
If hProcess = 0 Then
   MsgBox "不能打开进程", vbOKOnly, "提示"
   Unload Form1
End If
CloseHandle hProcess

End Sub

Private Sub Timer1_Timer()
'4.我们在Form中添加一个Label控件和一个Timer控件，设置Timer的Interval属性为100，Timer1_Timer的代码如下：
Dim h As Long
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)

If hProcess Then
    ReadProcessMemory hProcess, ByVal dz, h, 4, 0& '注意内存的地址位数,本机上16位,前面是0省略。
'第一个参数就是pHandle
'第二个参数是你要读的地址,用了个公用的dz  这个地址方便修改
'第三个参数就是你要把地址值存在哪个变量了,hr是个长整形变量,因为我现在知道那里是数值型.
'第四个参数是要读的长度,我用4个字节,
'第五个参数判断是不是无值(不是0),以传地址来取得
'一个程序可以用很多内存,但是不会有程序用尽的,没有用上的记忆体,就是无值,如果&H3CACF28是无值,就会传回0

   CloseHandle hProcess
End If

Label1.Caption = h '输出数值
End Sub
Private Sub Command1_Click()
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
If hProcess Then
   WriteProcessMemory hProcess, ByVal dz, 1000, 4, 0& '写入内存“1000”这个值。
   CloseHandle hProcess
End If
End Sub