我正在用ctypes构建内存扫描仪,在我用VirtualAlloc()创建缓冲区之后,然后我使用ReadProcessMemory()来写入缓冲区中的内存内容,但是我如何才能看到搜索恶意软件字符串的内容?VirtualAlloc()返回给我缓冲区的地址,所以create_buffer_string,如果我使用它而不是VirtualAlloc(),但是我可以用什么函数/lib来实际知道缓冲区中的字符串,并最终与我的恶意软件字符串数据库进行比较?
主代码的一部分(完整的代码太大,由于某种原因我不能插入pastebin链接,如果你想告诉我)
while VQEResult != 0:
VQEResult = VirtualQueryEx( # If VirtualQueryEx == Verifica se é possível retornar info sobre a page do Adress
process, # HANDLE para o Processo
Adress, # Pointer pro Adress a ser lido
byref(mbi), # Pointer pra variável com output da MEMORY_BASIC_INFORMATION
sizeof(mbi), # Tamanho da variável com output da MEMORY_BASIC_INFORMATION
)
print(mbi.BaseAddress,mbi.RegionSize,Adress)
if mbi.State == MEM_COMMIT or 65536 and mbi.RegionSize > 41000: # Se haver memória alocada:
ContentsBuffer = VirtualAlloc ( # Alocando conteúdo do processo num buffer
None, # Sem adress específico
mbi.RegionSize, # Tamanho do buffer alocado é igual o do app
0x1000, # 0x1000 = MEMORY_COMMIT
0x04, # 0x04 = PAGE_READWRITE
)
if not ReadProcessMemory (
process, # handle pro processo
Adress, # ponteiro pro adress do buffer
ContentsBuffer, # ponteiro pro output
mbi.RegionSize, # tanto de bytes a serem lidos
byref(BytesRead), # output de quantos bytes foram lidos
):
continue
# print("Erro:",GetLastError)
if VQEResult:
Adress += mbi.RegionSize
基本上我想看到ContentsBuffer变量所指向的地址中的内容。
您可以使用ContentsBuffer = ctypes.create_string_buffer(),然后ContentsBuffer.raw是整个缓冲区作为bytes对象。使用VirtualAlloc不需要ReadProcessMemory的缓冲区地址。
你的恶意软件签名,如果保存为bytes字符串,那么可以只是:
for s in malware:
if s in ContentsBuffer:
...