在Ruby中读/写进程内存

Question

在Ruby中读/写进程内存

5

我一直在尝试使用Ruby读写进程内存，希望将一些旧的C++程序移植到更具动态性的语言中。然而，我一直没有顺利地进行转换。我已经阅读了一些资料，但是没有找到关于我的具体问题的太多信息。由于我不太确定Ruby-ffi中指针管理的工作原理，因此下面可能存在一些非常基本的错误。

无论如何，我目前已经安装了ffi gem，并一直在使用它来获取函数。这就是我的代码：

module Memory
  PROC_READ = 0x10
  PROC_WRITE = 0x20
  PROC_RW = PROC_READ | PROC_WRITE

  extend FFI::Library

  ffi_lib 'kernel32'

  # HANDLE WINAPI OpenProcess(DWORD, BOOL, DWORD)
  attach_function :open, :OpenProcess, [:uint, :bool, :uint], :pointer

  # BOOL WINAPI CloseHandle(HANDLE)
  attach_function :close, :CloseHandle, [:pointer], :bool

  # BOOL WINAPI ReadProcessMemory(HANDLE, LPCVOID, out LPVOID, SIZE_T, out SIZE_T)
  attach_function :read, :ReadProcessMemory, [:pointer, :pointer, :pointer, :int, :int], :bool

  # BOOL WINAPI WriteProcessMemory(HANDLE, LPCVOID, LPVOID, SIZE_T, out SIZE_T)
  attach_function :write, :WriteProcessMemory, [:pointer, :pointer, :pointer, :int, :int], :bool

  # DWORD WINAPI GetLastError(void)
  attach_function :error, :GetLastError, [], :uint
end

似乎当我调用Memory.open时，我得到了一个正确的句柄。我不太确定，但这是一个存储结果的变量输出，以防我错了。

#<FFI::Pointer address=0x00000000000150>

以下是我目前拥有的完整代码：

这里是我目前拥有的完整代码：

# 1048 is a fixed pid currently
handle = Memory::open(Memory::PROC_RW, false, 1048)
puts "GetLastError: #{Memory::error()}"

# Address to read from
loc = 0x057C75F8

out = 0
read = 0

# Supposed to be the address of out to store the value read
val = FFI::MemoryPointer.new :uint, out

# Supposed to be a pointer to loc which holds the address to read from
addr = FFI::MemoryPointer.new :pointer, loc

res = Memory::read(handle, addr, val, 4, read)

puts "GetLastError: #{Memory::error()}"
puts "ReadProcessMemory: #{res}"
puts read
puts out

Memory::close(handle)

这将输出以下内容：

GetLastError: 0
GetLastError: 0
ReadProcessMemory: false
0
0

我知道我在指针变量方面一定做错了什么。如果我将addr更改为类型为:uint且值为loc的FFI::Pointer，那么ReadProcessMemory将返回true，但out和read变量不会改变。

希望这已经足够清楚了，如果似乎有缺失的地方，我可以进行澄清。

- ozdrgnaDiies

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- ozdrgnaDiies · Accepted Answer

在阅读该项目Github的示例页面之后，我终于能够解决指针问题：

https://github.com/ffi/ffi/wiki/Examples

具体来说，在“使用MemoryPointer输出参数”部分。阅读完后，我将代码更改为以下内容：

require 'ffi'

module Memory
  PROC_READ = 0x10
  PROC_WRITE = 0x20
  PROC_RW = PROC_READ | PROC_WRITE

  extend FFI::Library

  ffi_lib 'kernel32'
  ffi_convention :stdcall

  attach_function :open, :OpenProcess, [:uint, :bool, :uint], :pointer
  attach_function :close, :CloseHandle, [:pointer], :bool
  attach_function :read, :ReadProcessMemory, [:pointer, :pointer, :pointer, :size_t, :pointer], :bool
  attach_function :write, :WriteProcessMemory, [:pointer, :pointer, :pointer, :size_t, :pointer], :bool
  attach_function :error, :GetLastError, [], :uint
end

# 1048 is a fixed pid currently
handle = Memory::open(Memory::PROC_RW, false, 1048)
puts "GetLastError: #{Memory::error()}"

# Output parameters for ReadProcessMemory
out = FFI::MemoryPointer.new :pointer
read = FFI::MemoryPointer.new :pointer

# Pointer holding the location to read from
addr = FFI::Pointer.new :pointer, 0x057C75F8

res = Memory::read(handle, addr, out, 4, read)

# get_pointer(0) grabs the pointer to the value
# address holds the value we actually want (at least in this case)
read = read.get_pointer(0).address
out = out.get_pointer(0).address

puts "GetLastError: #{Memory::error()}"
puts "ReadProcessMemory: #{res}"
puts "Bytes Read: #{read}"
puts "Value Read: #{out}"
Memory::close(handle)

在我的特定案例中，上述代码正确输出以下内容：

GetLastError: 0
GetLastError: 0
ReadProcessMemory: true
Bytes Read: 4
Value Read: 10

我希望这能对未来的某个人有所帮助。