根据进程Pid 取得内存PE 为什么取不了DosHear(200)

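{ Locate the main module of process ProcessID and validate its in-memory PE
  headers (IMAGE_DOS_HEADER followed by IMAGE_NT_HEADERS).

  The module is found by walking the target's PEB with hard-coded 32-bit
  offsets: PEB+$0C = Ldr, PEB_LDR_DATA+$0C = InLoadOrderModuleList.Flink,
  first LDR_DATA_TABLE_ENTRY+$18 = DllBase (the EXE is always the first entry
  in load order). These offsets are only valid for a 32-bit caller inspecting
  a 32-bit target; a WOW64/64-bit target would need different offsets.

  Returns the image base of the main module when both headers were read and
  carry the expected 'MZ' / 'PE\0\0' signatures, 0 on any failure (the
  original left Result unassigned).

  Fix for the reported symptom ("DOS header cannot be read"): the original
  passed @objBaseAddress - the address of the LOCAL variable - as the remote
  address, so ReadProcessMemory read the wrong location. The remote address
  is Pointer(objBaseAddress). The original also dereferenced an uninitialised
  lngRet when NtQueryInformationProcess failed, had a no-op e_magic check
  ("if e_magic <> $5A4D then if not lngRet then goto RET"), and never closed
  the process handle. }
function getDemp(ProcessID: Cardinal): Cardinal;
var
  hProcess: THandle;
  ntStatus: Cardinal;
  objBasic: PROCESS_BASIC_INFORMATION;
  objLdr, objFlink, objBaseAddress: Cardinal;
  rReadSize: Cardinal;
  pDosHear: IMAGE_DOS_HEADER;
  pNTHeader: IMAGE_NT_HEADERS;

  { Read Size bytes at remote address Addr into Buf.
    True only for a complete read; a short read is treated as failure. }
  function ReadRemote(Addr: Cardinal; Buf: Pointer; Size: Cardinal): Boolean;
  begin
    rReadSize := 0;
    Result := ReadProcessMemory(hProcess, Pointer(Addr), Buf, Size, rReadSize)
      and (rReadSize = Size);
  end;

begin
  Result := 0;
  // Least privilege: querying the PEB and reading memory needs only these
  // two rights; PROCESS_ALL_ACCESS also fails on protected/elevated targets
  // that would otherwise allow a read-only handle.
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, ProcessID);
  if hProcess = 0 then
    Exit;
  try
    ntStatus := NtQueryInformationProcess(hProcess, ProcessBasicInformation,
      @objBasic, SizeOf(objBasic), nil);
    if not NT_SUCCESS(ntStatus) then
      Exit;

    // PEB.Ldr
    if not ReadRemote(Cardinal(objBasic.PebBaseAddress) + $C, @objLdr, SizeOf(objLdr)) then
      Exit;
    // PEB_LDR_DATA.InLoadOrderModuleList.Flink -> first LDR_DATA_TABLE_ENTRY
    if not ReadRemote(objLdr + $C, @objFlink, SizeOf(objFlink)) then
      Exit;
    // LDR_DATA_TABLE_ENTRY.DllBase
    if not ReadRemote(objFlink + $18, @objBaseAddress, SizeOf(objBaseAddress)) then
      Exit;
    if objBaseAddress = 0 then
      Exit;

    // Remote address is the VALUE objBaseAddress, not the local's address.
    FillChar(pDosHear, SizeOf(pDosHear), 0);
    if not ReadRemote(objBaseAddress, @pDosHear, SizeOf(pDosHear)) then
      Exit;
    if pDosHear.e_magic <> $5A4D then   // 'MZ'
      Exit;
    // e_lfanew comes from the target's memory and is untrusted; reject a
    // negative or absurd offset before using it in address arithmetic.
    if (pDosHear._lfanew <= 0) or (pDosHear._lfanew > $10000000) then
      Exit;

    FillChar(pNTHeader, SizeOf(pNTHeader), 0);
    if not ReadRemote(objBaseAddress + Cardinal(pDosHear._lfanew),
                      @pNTHeader, SizeOf(pNTHeader)) then
      Exit;
    if pNTHeader.Signature <> IMAGE_NT_SIGNATURE then
      Exit;

    Result := objBaseAddress;
  finally
    // Always release the handle; the original left NtClose commented out,
    // leaking one process handle per call.
    CloseHandle(hProcess);
  end;
end;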
 