代码实现如下
#include "stdafx.h"
//对比数据,找到相同字节集的偏移
int GetInBuffer(const void *pStart, int nLen, const void *pFindBuffer, int nfLen)
{
for (int i = 0; i < nLen - nfLen; i++)
{
if (memcmp((void *)((ULONG)pStart + i), pFindBuffer, nfLen) == 0)
{
return i;
}
}
return -1;
}
void ReadQQ(DWORD dwProcessId)
{
//由于QQ是使用Unicode字符集的,所以我们使用wchar_t类型
static wchar_t QQDATA[] = L"Msg2.0.db";
//MsgEx.db,好像以前有个版本的数据库文件是MsgEx.db,用MsgEx来当关键字检索速度会变慢。
//但是QQ2010的是用Msg2.0.db的。
//打开进程
HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, dwProcessId);
int nMemLen = 28, nMemStart;
void *pMemAddress = NULL;
BYTE *bMemBuffer;
MEMORY_BASIC_INFORMATION mbi;
memset(&mbi, 0, sizeof(MEMORY_BASIC_INFORMATION));
wchar_t szQQnumber[15];
szQQnumber[0] = 0;
//寻找进程空间
while (VirtualQueryEx(hProcess, pMemAddress, &mbi, nMemLen) != 0)
{
if (mbi.Type == MEM_PRIVATE && mbi.Protect == PAGE_READWRITE)
{
//分配足够的内存空间,存放数据
bMemBuffer = new BYTE[mbi.RegionSize + 1];
bMemBuffer[mbi.RegionSize] = 0;
if (ReadProcessMemory(hProcess, pMemAddress, bMemBuffer, mbi.RegionSize, NULL))
{
//尝试寻找当前内存空间中是否包含Msg2.0.db
nMemStart = GetInBuffer(bMemBuffer, mbi.RegionSize, QQDATA, sizeof(QQDATA));
if (nMemStart != -1)
{
//向前推一定位置,因为路径是 ..\[QQ号]\Msg2.0.db
wchar_t *pQQText = (wchar_t *)&bMemBuffer[nMemStart - 28];
wchar_t *pQQstart = wcsstr(pQQText, L"\\");
if (pQQstart)
{
pQQstart++;
wchar_t *pQQEnd = wcsstr(pQQstart, L"\\");
if (pQQEnd)
{
lstrcpynW(szQQnumber, pQQstart, pQQEnd - pQQstart + 1);
wprintf(L"%s\n", szQQnumber);
}
}
delete[] bMemBuffer;
break;
}
}
//销毁刚刚分配的内存空间
delete[] bMemBuffer;
}
pMemAddress = (void *)((ULONG)pMemAddress + mbi.RegionSize);
}
CloseHandle(hProcess);
}
void FindQQ()
{
DWORD dwProcessId = 0;
//进程快照~
HANDLE Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pl;
pl.dwSize=sizeof(PROCESSENTRY32);
bool bmore=Process32First(Snapshot, &pl);
while(bmore)
{
if(lstrcmpi(pl.szExeFile, _T("QQ.exe")) == 0)
{
//读取QQ号
ReadQQ(pl.th32ProcessID);
//dwProcessId = pl.th32ProcessID;
//循环,读取本地所有登录的QQ号。
//break; 跳出循环
}
bmore= Process32Next(Snapshot, &pl);
}
CloseHandle(Snapshot);
// return dwProcessId;
}
int _tmain(int argc, _TCHAR* argv[])
{
FindQQ();
scanf("%*c");
return 0;
}