代码实现如下

 

#include "stdafx.h"//对比数据，找到相同字节集的偏移int GetInBuffer(const void *pStart, int nLen, const void *pFindBuffer, int nfLen){	for (int i = 0; i < nLen - nfLen; i++)	{		if (memcmp((void *)((ULONG)pStart + i), pFindBuffer, nfLen) == 0)		{			return i;		}	}	return -1;}void ReadQQ(DWORD dwProcessId){	//由于QQ是使用Unicode字符集的，所以我们使用wchar_t类型	static wchar_t QQDATA[] = L"Msg2.0.db";		//MsgEx.db，好像以前有个版本的数据库文件是MsgEx.db，用MsgEx来当关键字检索速度会变慢。	//但是QQ2010的是用Msg2.0.db的。	//打开进程	HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, dwProcessId);	int nMemLen = 28, nMemStart;	void *pMemAddress = NULL;	BYTE *bMemBuffer;	MEMORY_BASIC_INFORMATION mbi;	memset(&mbi, 0, sizeof(MEMORY_BASIC_INFORMATION));	wchar_t szQQnumber[15];	szQQnumber[0] = 0;	//寻找进程空间	while (VirtualQueryEx(hProcess, pMemAddress, &mbi, nMemLen) != 0)	{		if (mbi.Type == MEM_PRIVATE && mbi.Protect == PAGE_READWRITE)		{			//分配足够的内存空间，存放数据			bMemBuffer = new BYTE[mbi.RegionSize + 1];			bMemBuffer[mbi.RegionSize] = 0;			if (ReadProcessMemory(hProcess, pMemAddress, bMemBuffer, mbi.RegionSize, NULL))			{				//尝试寻找当前内存空间中是否包含Msg2.0.db				nMemStart = GetInBuffer(bMemBuffer, mbi.RegionSize, QQDATA, sizeof(QQDATA));				if (nMemStart != -1)				{					//向前推一定位置，因为路径是 ..\[QQ号]\Msg2.0.db					wchar_t *pQQText = (wchar_t *)&bMemBuffer[nMemStart - 28];					wchar_t *pQQstart = wcsstr(pQQText, L"\\");					if (pQQstart)					{						pQQstart++;						wchar_t *pQQEnd = wcsstr(pQQstart, L"\\");						if (pQQEnd)						{							lstrcpynW(szQQnumber, pQQstart, pQQEnd - pQQstart + 1);							wprintf(L"%s\n", szQQnumber);						}					}					delete[] bMemBuffer;					break;				}			}			//销毁刚刚分配的内存空间			delete[] bMemBuffer;		}		pMemAddress = (void *)((ULONG)pMemAddress + mbi.RegionSize);	}	CloseHandle(hProcess);}void FindQQ(){	DWORD dwProcessId = 0;	//进程快照~	HANDLE Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);	PROCESSENTRY32 pl;	pl.dwSize=sizeof(PROCESSENTRY32);	bool bmore=Process32First(Snapshot, &pl);    while(bmore)	{		if(lstrcmpi(pl.szExeFile, _T("QQ.exe")) == 0)		{			//读取QQ号			ReadQQ(pl.th32ProcessID);			//dwProcessId = pl.th32ProcessID;			//循环，读取本地所有登录的QQ号。			//break;	跳出循环		}        bmore= Process32Next(Snapshot, &pl);	}	CloseHandle(Snapshot);//	return dwProcessId;}int _tmain(int argc, _TCHAR* argv[]){	FindQQ();	scanf("%*c");	return 0;}