
内存扫描可实现数值小于255的查找

时间:2011-09-16

来源:互联网

'模块
Option Explicit
' Buffer layout passed to GetSystemInfo (declared further down in this module).
' Every member, including the two address members, is a 32-bit signed Long,
' so the layout fits a 32-bit process only.
Public Type SYSTEM_INFO
  dwOemID As Long
  dwPageSize As Long
  lpMinimumApplicationAddress As Long ' shown in Text2 and Label5 by Form_Load
  lpMaximumApplicationAddress As Long ' upper bound used by the region walk in Command3_Click
  dwActiveProcessorMask As Long
  dwNumberOrfProcessors As Long ' (sic) misspelling kept: this is a Public field name other code may reference
  dwProcessorType As Long
  dwAllocationGranularity As Long
  dwReserved As Long ' NOTE(review): the Win32 header splits this slot into two 16-bit processor fields - confirm before reading it
End Type
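' Access-right masks passed as dwDesiredAccess to OpenProcess.
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
Public Const SYNCHRONIZE = &H100000
' The trailing & forces a Long literal. Without it VB6 reads &HFFFF as the
' 16-bit Integer -1, which becomes &HFFFFFFFF when widened to Long.
Public Const SPECIFIC_RIGHTS_ALL = &HFFFF&
Public Const STANDARD_RIGHTS_ALL = &H1F0000
' Requests every process right. The form code on this page passes this mask to
' each OpenProcess call although it only queries, reads or writes memory; the
' narrower PROCESS_VM_* masks below cover those operations and fail less often
' against processes the caller is not allowed to control fully.
Public Const PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF
Public Const PROCESS_VM_OPERATION = &H8& ' needed together with PROCESS_VM_WRITE for WriteProcessMemory
Public Const PROCESS_VM_READ = &H10&     ' sufficient for ReadProcessMemory
Public Const PROCESS_VM_WRITE = &H20&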
' Win32 API declarations. Handles and addresses are passed as 32-bit Long.

' RtlMoveMemory under its usual VB alias: both buffers are passed ByRef,
' Length is a byte count. Nothing checks that the buffers are that large.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
' lpBaseAddress is declared ByRef As Long, so the callers on this page pass the
' target address with an explicit ByVal override. The last parameter is named
' ...Written here although this is the read call; callers on this page pass
' ByVal 0& for it, so the return value (0 = failure) is the only success signal.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Writes nSize bytes from lpBuffer into the target process; returns 0 on failure.
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Returns a process handle, or 0 when the requested access is refused.
' Each successful call must be paired with CloseHandle.
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Fills the caller's SYSTEM_INFO; Form_Load uses it for the address range.
Public Declare Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)
' Returns the owning thread id and stores the owning process id in lpdwProcessId.
Public Declare Function GetWindowThreadProcessId Lib "user32" _
(ByVal hwnd As Long, lpdwProcessId As Long) As Long
' ANSI variant. The callers on this page pass vbNullString as the class name and
' match on the window title only, so any top-level window carrying that title
' can be returned; the title alone does not pin down a specific process.
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' Result buffer for VirtualQueryEx: describes one run of pages that share the
' same attributes. Seven 32-bit Longs, i.e. the 32-bit layout of the structure.
Public Type MEMORY_BASIC_INFORMATION
  BaseAddress As Long       ' start of the region; recorded by Command3_Click
  AllocationBase As Long
  AllocationProtect As Long
  RegionSize As Long        ' size in bytes; signed here, so a region of 2 GB or more would read as negative
  State As Long             ' compared with MEM_COMMIT in Command3_Click
  Protect As Long           ' tested against the PAGE_* masks in Command3_Click
  lType As Long             ' presumably the structure's Type member, renamed because Type is a VB keyword
End Type
' Fills lpBuffer for the region containing lpAddress in the target process.
' Command3_Click treats a zero return as the end of the walk and passes
' Len(mbi) as dwLength.
Public Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
'Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
'Public Const SYNCHRONIZE = &H100000
'Public Const SPECIFIC_RIGHTS_ALL = &HFFFF
'Public Const STANDARD_RIGHTS_ALL = &H1F0000
'Public Const PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF

' Values of MEMORY_BASIC_INFORMATION.State. Only MEM_COMMIT is used by the
' form code on this page.
Public Const MEM_COMMIT = &H1000
Public Const MEM_FREE = &H10000
Public Const MEM_RESERVE = &H2000

' Page-protection bits for MEMORY_BASIC_INFORMATION.Protect. The region filter
' in Command3_Click tests PAGE_READWRITE, PAGE_EXECUTE_READWRITE and
' PAGE_EXECUTE_WRITECOPY only; PAGE_GUARD and PAGE_NOACCESS are declared here
' but that filter does not exclude them.
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_WRITECOPY = &H8
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_EXECUTE_WRITECOPY = &H80
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOCACHE = &H200

' Region-type values; none of them is referenced by the form code on this page.
Public Const SEC_IMAGE = &H1000000
Public Const MEM_MAPPED = &H40000
Public Const MEM_PRIVATE = &H20000
Public Const MEM_IMAGE = SEC_IMAGE

'窗体
Option Explicit
' Form-level state shared by the event handlers below.
Dim hProcess As Long      ' handle from OpenProcess; handlers close it again, so between clicks it may hold a closed handle value
Dim hProcessID As Long    ' target process id; Command3_Click declares a local of the same name that hides this one
Dim hThreadID As Long     ' assigned from GetWindowThreadProcessId but never read on this page
Dim hWndOfApp As Long     ' window handle found by title in Command1_Click / Command2_Click
Dim hSysInfo As SYSTEM_INFO ' filled once in Form_Load
Dim lBassAddr As Long     ' address typed by the user; Command3_Click declares a local of the same name that hides this one
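' Dumps Text3 bytes starting at address Text2 from the process that owns the
' window titled Text1, one List2 row per byte.
'
' Changes against the posted version: the address and length are validated
' before they reach ReDim or the API, the process is opened with read access
' only instead of PROCESS_ALL_ACCESS, a failed read is reported instead of
' listing the zero-filled buffer, and the handle variable is cleared after
' CloseHandle so a later handler cannot reuse or re-close it.
Private Sub Command1_Click()
  Dim s() As Byte, n As Long, i As Long
  Dim addrValue As Double, lenValue As Double

  List2.Clear

  ' Text boxes are free-form input: accept only numbers that fit a Long,
  ' and a length of at least one byte (ReDim s(n - 1) fails for n < 1).
  If Not IsNumeric(Text2.Text) Or Not IsNumeric(Text3.Text) Then
    MsgBox "請輸入有效的位址與長度"
    Exit Sub
  End If
  addrValue = CDbl(Text2.Text)
  lenValue = CDbl(Text3.Text)
  If addrValue < -2147483648# Or addrValue > 2147483647# _
     Or lenValue < 1 Or lenValue > 2147483647# Then
    MsgBox "請輸入有效的位址與長度"
    Exit Sub
  End If
  lBassAddr = CLng(addrValue)
  n = CLng(lenValue)
  ReDim s(n - 1)

  hWndOfApp = FindWindow(vbNullString, Text1.Text)
  If hWndOfApp = 0 Then
    MsgBox "無法找到該視窗"
    Exit Sub
  End If

  ' Clear the id left over from an earlier click so a failed lookup is
  ' detected instead of silently targeting the previous process.
  hProcessID = 0
  hThreadID = GetWindowThreadProcessId(hWndOfApp, hProcessID)
  If hProcessID = 0 Then
    MsgBox "無法取得ProcessID"
    Exit Sub
  End If

  ' Reading needs PROCESS_VM_READ only.
  hProcess = OpenProcess(PROCESS_VM_READ, 0, hProcessID)
  If hProcess = 0 Then
    MsgBox "無法開啟該Process"
    Exit Sub
  End If

  If ReadProcessMemory(hProcess, ByVal lBassAddr, s(0), n, ByVal 0&) = 0 Then
    ' Nothing trustworthy is in s() after a failed call.
    MsgBox "讀取記憶體失敗"
  Else
    For i = 0 To n - 1
      List2.AddItem "位址:" & (i + lBassAddr) & "= " & s(i)
    Next
  End If

  CloseHandle hProcess
  hProcess = 0
End Sub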

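' Writes the value in Text5 as 1, 2 or 4 bytes (chosen by the Option1 group)
' to address Text4 in the process that owns the window titled Text1.
'
' Changes against the posted version: every step is checked. Previously a
' failed FindWindow left the form-level hProcessID from an earlier click in
' place, so the write went to whichever process had been targeted before;
' with no option selected s() was never allocated; and the result of
' WriteProcessMemory was ignored. The process is now opened with the two
' rights a write needs instead of PROCESS_ALL_ACCESS.
Private Sub Command2_Click()
  Dim s() As Byte, n As Long
  Dim Data1 As Byte, Data2 As Integer, Data4 As Long
  Dim addrValue As Double

  If Not IsNumeric(Text4.Text) Or Not IsNumeric(Text5.Text) Then
    MsgBox "請輸入有效的位址與數值"
    Exit Sub
  End If
  addrValue = CDbl(Text4.Text)
  If addrValue < -2147483648# Or addrValue > 2147483647# Then
    MsgBox "請輸入有效的位址與數值"
    Exit Sub
  End If
  lBassAddr = CLng(addrValue)

  ' Assigning Text5 to Byte/Integer/Long raises an overflow error when the
  ' value does not fit the selected width; report it instead of crashing.
  On Error GoTo BadValue
  If Option1(0).Value Then
    n = 1
    ReDim s(0)
    Data1 = Text5.Text
    CopyMemory s(0), Data1, n
  ElseIf Option1(1).Value Then
    n = 2
    ReDim s(0 To 1)
    Data2 = Text5.Text
    CopyMemory s(0), Data2, n
  ElseIf Option1(2).Value Then
    n = 4
    ReDim s(0 To 3)
    Data4 = Text5.Text
    CopyMemory s(0), Data4, n
  Else
    On Error GoTo 0
    MsgBox "請先選擇資料長度"
    Exit Sub
  End If
  On Error GoTo 0

  hWndOfApp = FindWindow(vbNullString, Text1.Text)
  If hWndOfApp = 0 Then
    MsgBox "無法找到該視窗"
    Exit Sub
  End If

  ' Reset first: a stale id must never be used as the write target.
  hProcessID = 0
  hThreadID = GetWindowThreadProcessId(hWndOfApp, hProcessID)
  If hProcessID = 0 Then
    MsgBox "無法取得ProcessID"
    Exit Sub
  End If

  ' WriteProcessMemory needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION.
  hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, 0, hProcessID)
  If hProcess = 0 Then
    MsgBox "無法開啟該Process"
    Exit Sub
  End If

  If WriteProcessMemory(hProcess, ByVal lBassAddr, s(0), n, ByVal 0&) = 0 Then
    MsgBox "寫入記憶體失敗"
  End If

  CloseHandle hProcess
  hProcess = 0
  Exit Sub

BadValue:
  MsgBox "數值超出所選資料長度的範圍"
End Sub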

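' Scans the writable committed memory of the process that owns the window
' titled Text1 for the byte value in Text6. Every matching address goes to
' List1 (hex); addresses whose 4-byte value also equals the search value go to
' List3 (decimal). The process id is left in Text7.
'
' Changes against the posted version:
'  - Text6 is validated up front. The search key is a single Byte, so a value
'    such as 518 used to stop the program with an overflow error in CByte.
'  - The process is opened with query + read rights instead of
'    PROCESS_ALL_ACCESS.
'  - Regions flagged PAGE_GUARD or PAGE_NOACCESS are skipped; they cannot be
'    read, and touching a guard page from outside can disturb the target.
'  - Failed reads are skipped. Previously the zero-filled buffer was scanned
'    anyway and produced false matches for the value 0.
'  - A non-positive RegionSize ends the walk so it cannot loop forever.
Private Sub Command3_Click()
  Const PROCESS_QUERY_INFORMATION As Long = &H400& ' required by VirtualQueryEx
  Dim mbi As MEMORY_BASIC_INFORMATION
  ' hProcessID and lBassAddr below are locals that hide the form-level
  ' variables of the same names; lBassAddr therefore starts at 0.
  Dim hwnd As Long, hProcessID As Long
  Dim tmpBassAddr As Double, lBassAddr As Long
  Dim BassAddr() As Long, PageSize() As Long, PageNum As Long
  Dim data() As Byte, i As Long, j As Long
  Dim finded As Long, fio As Byte, buffer As Long
  Dim wanted As Double

  If Not IsNumeric(Text6.Text) Then
    MsgBox "搜尋值必須是 0 到 255 的數值"
    Exit Sub
  End If
  wanted = CDbl(Text6.Text)
  If wanted < 0 Or wanted > 255 Then
    MsgBox "搜尋值必須是 0 到 255 的數值"
    Exit Sub
  End If
  fio = CByte(wanted)

  hwnd = FindWindow(vbNullString, Text1.Text)
  If hwnd = 0 Then
    MsgBox "無法找到該視窗"
    Exit Sub
  End If
  Call GetWindowThreadProcessId(hwnd, hProcessID)
  If hProcessID = 0 Then
    MsgBox "無法取得ProcessID"
    Exit Sub
  End If

  List1.Clear
  List3.Clear
  Text7 = hProcessID

  hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, hProcessID)
  If hProcess = 0 Then
    MsgBox "無法開啟該Process"
    Exit Sub
  End If

  ' Pass 1: walk the address space region by region and remember the
  ' committed, writable regions.
  Do While VirtualQueryEx(hProcess, ByVal lBassAddr, mbi, Len(mbi))
    If mbi.RegionSize <= 0 Then Exit Do ' would not advance (or would move backwards)

    ' The end address is computed in a Double so it cannot overflow a Long.
    tmpBassAddr = mbi.BaseAddress
    tmpBassAddr = tmpBassAddr + mbi.RegionSize
    If tmpBassAddr > hSysInfo.lpMaximumApplicationAddress Then ' guard against overflow
      Exit Do
    End If

    If mbi.State = MEM_COMMIT Then ' committed
      If (mbi.Protect And (PAGE_GUARD Or PAGE_NOACCESS)) = 0 Then
        If mbi.Protect And (PAGE_READWRITE Or PAGE_EXECUTE_READWRITE Or PAGE_EXECUTE_WRITECOPY) Then
          ' Match: record the base address and the region size.
          ReDim Preserve BassAddr(PageNum)
          ReDim Preserve PageSize(PageNum)
          BassAddr(PageNum) = mbi.BaseAddress
          PageSize(PageNum) = mbi.RegionSize
          PageNum = PageNum + 1
        End If
      End If
    End If

    lBassAddr = tmpBassAddr ' move on to the next region
  Loop

  ' Pass 2: copy each recorded region locally and compare byte by byte.
  For i = 0 To PageNum - 1
    ReDim data(1 To PageSize(i))
    If ReadProcessMemory(hProcess, ByVal BassAddr(i), data(1), PageSize(i), ByVal 0&) <> 0 Then
      For j = 1 To PageSize(i)
        If data(j) = fio Then
          List1.AddItem Hex(BassAddr(i) + j - 1)
          ' Re-read four bytes at the match; this can fail at the end of a
          ' region, in which case the address is not added to List3.
          If ReadProcessMemory(hProcess, ByVal BassAddr(i) + j - 1, buffer, 4, ByVal 0&) <> 0 Then
            If buffer = fio Then List3.AddItem BassAddr(i) + j - 1
          End If
          ' NOTE(review): DoEvents lets other button handlers run mid-scan,
          ' and those handlers reassign the shared hProcess - confirm the
          ' buttons are disabled while a scan is running.
          DoEvents
          finded = finded + 1
        End If
      Next
    End If
  Next
  MsgBox "執行完畢 一共找到 " & finded & "筆資料"
  CloseHandle hProcess
  hProcess = 0

  Erase BassAddr
  Erase PageSize
End Sub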

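' Re-reads the 4-byte value at every address in List3, lists the values read
' in List4 and drops the addresses whose value no longer equals Text6.
'
' Changes against the posted version:
'  - The handle returned by OpenProcess is now stored. It used to be discarded
'    by "Call OpenProcess(...)", so every read went through whatever value was
'    left in hProcess (already closed by the scan) and the new handle leaked.
'  - Read access only is requested instead of PROCESS_ALL_ACCESS.
'  - Text7 and Text6 are validated before use.
'  - The index is not advanced after a removal, so the entry that slides into
'    the freed slot is no longer skipped.
'  - List4 receives the value just read, not the one from the previous pass.
Private Sub Command4_Click()
  'Timer1.Enabled = True
  Dim i As Long, buffer As Long
  Dim wanted As Long, removed As Boolean
  Dim pidValue As Double, wantedValue As Double

  List4.Clear

  If Not IsNumeric(Text7.Text) Or Not IsNumeric(Text6.Text) Then
    MsgBox "請輸入有效的ProcessID與搜尋值"
    Exit Sub
  End If
  pidValue = CDbl(Text7.Text)
  wantedValue = CDbl(Text6.Text)
  If pidValue < 1 Or pidValue > 2147483647# _
     Or wantedValue < -2147483648# Or wantedValue > 2147483647# Then
    MsgBox "請輸入有效的ProcessID與搜尋值"
    Exit Sub
  End If
  hProcessID = CLng(pidValue)
  wanted = CLng(wantedValue)

  hProcess = OpenProcess(PROCESS_VM_READ, 0, hProcessID)
  If hProcess = 0 Then
    MsgBox "無法開啟該Process"
    Exit Sub
  End If

  i = 0
  Do While i < List3.ListCount
    removed = False
    Text8 = List3.List(i)
    If IsNumeric(Text8.Text) Then
      ' An address that cannot be read is kept in the list, as before.
      If ReadProcessMemory(hProcess, ByVal CLng(Text8.Text), buffer, 4, ByVal 0&) <> 0 Then
        List4.AddItem buffer
        If buffer <> wanted Then
          List3.RemoveItem i
          removed = True
        End If
      End If
    End If
    If Not removed Then i = i + 1
    DoEvents
  Loop

  CloseHandle hProcess
  hProcess = 0
End Sub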

' Queries the system information once at start-up and pre-fills the address
' boxes: Text2 gets the lowest application address, Text4 the highest, and
' Label5 shows the usable range.
Private Sub Form_Load()
  Dim lowAddr As Long, highAddr As Long

  GetSystemInfo hSysInfo
  lowAddr = hSysInfo.lpMinimumApplicationAddress
  highAddr = hSysInfo.lpMaximumApplicationAddress

  Text2.Text = lowAddr
  Text4.Text = highAddr
  Label5.Caption = "可用位址從" & lowAddr & " 到 " & highAddr
End Sub

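' Releases the process handle when the form closes.
' CloseHandle is skipped when no handle was ever stored, and the variable is
' cleared afterwards. NOTE(review): the click handlers on this page call
' CloseHandle themselves when they finish, so a non-zero hProcess seen here may
' already be closed - confirm every handler resets it to 0 after closing.
Private Sub Form_Unload(Cancel As Integer)
  If hProcess <> 0 Then
    CloseHandle hProcess
    hProcess = 0
  End If
End Sub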

' Copies the address selected in List3 into Text8.
Private Sub List3_Click()
  Dim selectedEntry As String
  selectedEntry = List3.Text
  Text8.Text = selectedEntry
End Sub

' Timer tick handler. The loop visits every List3 index but its body is empty,
' so the handler currently does no work; buffer is declared and never used.
Private Sub Timer1_Timer()
  Dim i As Variant, buffer As Long ' "Dim i, buffer As Long" made i a Variant; spelled out here
  Dim lastIndex As Long

  lastIndex = List3.ListCount - 1
  For i = 0 To lastIndex
  Next i
End Sub

我想实现查找字符串和长整数,请大家帮我改下,如果能改进此方法,使查找更快就更好了

作者: haijun666   发布时间: 2011-09-16

直接读取内存地址,试问你怎么分辨它是Long?我看不可能

作者: Veron_04   发布时间: 2011-09-16

我想搜索518,这个数填在text6里,运行就会出错了呀

作者: haijun666   发布时间: 2011-09-16
