Code
Option Explicit

Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

'Process access rights (dwDesiredAccess for OpenProcess)
Public Const PROCESS_ALL_ACCESS = &H1F0FFF          'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2            'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40              'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400      'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200        'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1                'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8             'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10                 'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20                'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000                 'Enables using the process handle in any of the wait functions to wait for the process to terminate.

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)

'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.
'CodePage
Private Const CP_ACP = 0            'ANSI
Private Const CP_MACCP = 2          'Mac
Private Const CP_OEMCP = 1          'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001
'dwFlags
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20    'Default
Private Const WC_DEFAULTCHAR = &H40
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long

'Converts a raw byte buffer to a VB String. If the second byte is zero the buffer is
'treated as UTF-16 (Unicode) and copied as-is; otherwise it is treated as ANSI.
'Note: the whole buffer is returned, including whatever follows the first null.
Public Function ByteArrayToString(Bytes() As Byte) As String
    Dim iUnicode As Long, i As Long, j As Long
    On Error Resume Next
    i = UBound(Bytes)
    If (i < 1) Then
        'ANSI, just convert to unicode and return
        ByteArrayToString = StrConv(Bytes, vbUnicode)
        Exit Function
    End If
    i = i + 1
    'Examine the first two bytes
    CopyMemory iUnicode, Bytes(0), 2
    If iUnicode = Bytes(0) Then
        'Unicode
        'Account for terminating null
        If (i Mod 2) Then i = i - 1
        'Set up a buffer to receive the string
        ByteArrayToString = String$(i / 2, 0)
        'Copy to string
        CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
    Else
        'ANSI
        ByteArrayToString = StrConv(Bytes, vbUnicode)
    End If
End Function

'Converts a VB String to a byte array, either as UTF-16 (default) or as ANSI (CP_ACP).
Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
    Dim lRet As Long
    Dim bytBuffer() As Byte
    Dim lLenB As Long
    If bReturnAsUnicode Then
        'Number of bytes
        lLenB = LenB(strInput)
        'Resize buffer, do we want terminating null?
        If bAddNullTerminator Then
            ReDim bytBuffer(lLenB)
        Else
            ReDim bytBuffer(lLenB - 1)
        End If
        'Copy characters from string to byte array
        CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
    Else
        'METHOD ONE
        ' 'Get rid of embedded nulls
        ' strRet = StrConv(strInput, vbFromUnicode)
        ' lLenB = LenB(strRet)
        ' If bAddNullTerminator Then
        '     ReDim bytBuffer(lLenB)
        ' Else
        '     ReDim bytBuffer(lLenB - 1)
        ' End If
        ' CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
        'METHOD TWO
        'Num of characters
        lLenB = Len(strInput)
        If bAddNullTerminator Then
            ReDim bytBuffer(lLenB)      'extra element stays 0, acting as the terminator
        Else
            ReDim bytBuffer(lLenB - 1)
        End If
        'Convert exactly lLenB characters (not -1, which would also convert the
        'terminator and fail with ERROR_INSUFFICIENT_BUFFER when no room was reserved).
        lRet = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), lLenB, ByVal VarPtr(bytBuffer(0)), lLenB, 0&, 0&)
    End If
    StringToByteArray = bytBuffer
End Function
Code
Option Explicit

Private Sub Command1_Click()
    Dim handle_Process As Long
    'PROCESS_ALL_ACCESS is more than a read needs; PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION would do.
    handle_Process = OpenProcess(PROCESS_ALL_ACCESS, False, Val(Text1.Text))
    If handle_Process <> 0 Then
        Dim zBytes(256) As Byte
        Dim lb As Long
        'kernel32.dll is mapped at the same base in every process of a session,
        'so the base in this process is also the base in the target.
        lb = LoadLibraryA("KERNEL32.DLL")
        If lb = 0 Then
            lb = &H77C50000     'fallback base seen on this machine (changes with ASLR on each boot)
        End If
        'kernel32.dll+C6320 '0x77D16320
        If ReadProcessMemory(handle_Process, lb + &HC6320, zBytes(0), 256, 0&) <> 0 Then
            Clipboard.SetText ByteArrayToString(zBytes)
            MsgBox Clipboard.GetText
        Else
            MsgBox "Error running ReadProcessMemory. (" & Err.LastDllError & ")"
        End If
        Call CloseHandle(handle_Process)
    Else
        MsgBox "Error running OpenProcess. (" & Err.LastDllError & ")"
    End If
End Sub

Private Sub Form_Load()
    Text1.Text = GetCurrentProcessId()
End Sub
TaskMgr:
opera.exe 236 C:\Program Files\Opera\20.0.1387.91\opera.exe
OUTPUT: C:\Program Files\Opera\
McTray.exe 1796 C:\Program Files\McAfee\Common Framework\McTray.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\
Project1.exe 2368 (this one) C:\Users\***00001**\Desktop\Program Opened from\Project1.exe
OUTPUT: C:\Users\***00001**\Desktop\Program Opened from\
TeamViewer.exe 3308 C:\Program Files\TeamViewer\Version9\TeamViewer.exe
OUTPUT: C:\Windows\system32\ (it shows this output because it was loaded as a service and apparently starts from that path)
cheatengine-i386.exe 4320 C:\Misery-PC\Descargas\CE 6.3\CE 6.3\cheatengine-i386.exe
OUTPUT: C:\Misery-PC\Descargas\CE 6.3\CE 6.3\
UdaterUI.exe 5216 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\
notepad++.exe 7464 C:\Program Files\Notepad++\notepad++.exe
OUTPUT: C:\Users\***00001**\Desktop\GOTTA DO\ (I opened a txt from that location)
Although it doesn't show the executable's path, it does show the path it was opened from; the original path of the .exe must surely be somewhere around the KERNEL32.DLL+offset address. I'll post anything new I find.
Regards.
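Added example, not code from the original post: the same information can be read from another process without depending on a fixed offset inside kernel32 (which moves with every build and, on Vista and later, with ASLR on every boot). The image path comes from the documented QueryFullProcessImageNameW, and the image path, command line and current directory come from the target's own PEB: NtQueryInformationProcess returns the PEB address, and ReadProcessMemory then follows PEB.ProcessParameters to the RTL_USER_PROCESS_PARAMETERS block. The outputs listed above look like the current-directory field of that block, though the post does not establish that. Assumptions: a 32-bit VB6 reader and 32-bit targets on Windows Vista or later (the structure offsets are the 32-bit ones; 64-bit targets need the 64-bit layout and a 64-bit reader), the handle is opened with only the two rights a read needs rather than PROCESS_ALL_ACCESS, and the names DescribeProcess, GetRemoteProcessParameters and ReadRemoteUnicodeString are mine. Put it in a standard module and call `MsgBox DescribeProcess(Val(Text1.Text))` from the button.

```vb
Option Explicit
' Added example (not the original post's code). 32-bit reader, 32-bit targets, Vista+.

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesRead As Long) As Long
Private Declare Function QueryFullProcessImageNameW Lib "kernel32" (ByVal hProcess As Long, ByVal dwFlags As Long, ByVal lpExeName As Long, ByRef lpdwSize As Long) As Long
Private Declare Function NtQueryInformationProcess Lib "ntdll" (ByVal hProcess As Long, ByVal ProcessInformationClass As Long, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long, ByRef ReturnLength As Long) As Long

Private Const PROCESS_QUERY_INFORMATION As Long = &H400
Private Const PROCESS_VM_READ As Long = &H10
Private Const ProcessBasicInformation As Long = 0

' 32-bit offsets (assumed layout): PEB.ProcessParameters, and inside RTL_USER_PROCESS_PARAMETERS
' CurrentDirectory.DosPath, ImagePathName and CommandLine, each a UNICODE_STRING.
Private Const PEB_PROCESSPARAMETERS As Long = &H10
Private Const RUPP_CURRENTDIRECTORY As Long = &H24
Private Const RUPP_IMAGEPATHNAME As Long = &H38
Private Const RUPP_COMMANDLINE As Long = &H40

' PROCESS_BASIC_INFORMATION, 32-bit layout (24 bytes)
Private Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long
    PebBaseAddress As Long
    AffinityMask As Long
    BasePriority As Long
    UniqueProcessId As Long
    InheritedFromUniqueProcessId As Long
End Type

' UNICODE_STRING, 32-bit layout (8 bytes); Length is a byte count without terminator
Private Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    Buffer As Long          ' pointer valid in the target process, not in ours
End Type

' Reads the UNICODE_STRING at usAddr in the target and returns its text ("" on failure).
Private Function ReadRemoteUnicodeString(ByVal hProcess As Long, ByVal usAddr As Long) As String
    Dim us As UNICODE_STRING, nRead As Long, cb As Long, s As String
    If ReadProcessMemory(hProcess, usAddr, VarPtr(us), LenB(us), nRead) = 0 Then Exit Function
    cb = us.Length And &HFFFF&      ' Integer is signed; mask to 0..65535
    If cb = 0 Or us.Buffer = 0 Then Exit Function
    s = String$(cb \ 2, 0)          ' BSTR buffer of exactly cb bytes of UTF-16
    If ReadProcessMemory(hProcess, us.Buffer, StrPtr(s), cb, nRead) <> 0 Then ReadRemoteUnicodeString = s
End Function

' Returns the target's RTL_USER_PROCESS_PARAMETERS address via its PEB, or 0 on failure.
Private Function GetRemoteProcessParameters(ByVal hProcess As Long) As Long
    Dim pbi As PROCESS_BASIC_INFORMATION, retLen As Long, nRead As Long, pParams As Long
    If NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(pbi), LenB(pbi), retLen) <> 0 Then Exit Function
    If ReadProcessMemory(hProcess, pbi.PebBaseAddress + PEB_PROCESSPARAMETERS, VarPtr(pParams), 4, nRead) = 0 Then Exit Function
    GetRemoteProcessParameters = pParams
End Function

' Describes a process by PID: documented image path plus the three PEB strings.
Public Function DescribeProcess(ByVal pid As Long) As String
    Dim hProcess As Long, pParams As Long, cch As Long
    Dim exeName As String, imagePath As String, cmdLine As String, curDir As String

    ' Least privilege: query + read is all a memory read needs.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, pid)
    If hProcess = 0 Then
        DescribeProcess = "OpenProcess failed (" & Err.LastDllError & ")"
        Exit Function
    End If

    ' Supported API for the image path; cch is in/out in characters.
    cch = 1024
    exeName = String$(cch, 0)
    If QueryFullProcessImageNameW(hProcess, 0, StrPtr(exeName), cch) <> 0 Then
        exeName = Left$(exeName, cch)
    Else
        exeName = "(QueryFullProcessImageName failed " & Err.LastDllError & ")"
    End If

    ' Same facts straight from the target's PEB; also yields the current directory.
    pParams = GetRemoteProcessParameters(hProcess)
    If pParams <> 0 Then
        curDir = ReadRemoteUnicodeString(hProcess, pParams + RUPP_CURRENTDIRECTORY)
        imagePath = ReadRemoteUnicodeString(hProcess, pParams + RUPP_IMAGEPATHNAME)
        cmdLine = ReadRemoteUnicodeString(hProcess, pParams + RUPP_COMMANDLINE)
    End If
    CloseHandle hProcess

    DescribeProcess = "Image (QueryFullProcessImageName): " & exeName & vbCrLf & _
                      "PEB ImagePathName: " & imagePath & vbCrLf & _
                      "PEB CommandLine:   " & cmdLine & vbCrLf & _
                      "PEB CurrentDir:    " & curDir
End Function
```

Two practical caveats: OpenProcess still fails for processes of another user or a higher integrity level unless the reader runs elevated (and it fails outright for protected processes), and the PEB strings are writable by the target itself, so for anything that matters treat QueryFullProcessImageNameW (which the kernel answers from the image section) as the authoritative value and the PEB fields as hints.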