DWORD VirtualQueryEx(
HANDLE hProcess, // 想要查詢的地址空間所屬的進程的句柄
LPCVOID lpAddress, // 區域地址
PMEMORY_BASIC_INFORMATION lpBuffer, // 結構緩衝區
SIZE_T dwLength // 結構大小
);
返回值:被填充的區域的字節數目
如果返回的字節數目和MEMORY_BASIC_INFORMATION 結構的數目相等則表示執行成功否則爲執行失敗
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
DWORD AllocationProtect;
SIZE_T RegionSize;
DWORD State;
DWORD Protect;
DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
需要說明的是一個區域中地址中地址空間塊的數量也是可以計算的(備忘)
如果幾個塊AllocationBase相同,但是BaseAddress不同,則表明他們屬於同一個塊
舉個例子
AllocationBase:00030000
AllocationProtect:PAGE_READWRITE
BaseAddress:00030000
Protect:Unknow
RegionSize:fd000
State:MEM_RESERVE
Type:MEM_PRIVATE
AllocationBase:00030000
AllocationProtect:PAGE_READWRITE
BaseAddress:0012D000
Protect:Unknow
RegionSize:1000
State:MEM_COMMIT
Type:MEM_PRIVATE
AllocationBase:00030000
AllocationProtect:PAGE_READWRITE
BaseAddress:0012E000
Protect:PAGE_READWRITE
RegionSize:2000
State:MEM_COMMIT
Type:MEM_PRIVATE
這三個塊的AllocationBase都爲0x00030000,但是BaseAddress不一樣,所以,這三個塊同屬一個區域