R3 R0窗口句柄分析 对抗GetWindow保护窗口源码
R3 R0窗口句柄分析 对抗GetWindow 保护窗口
系统版本:Microsoft Windows [版本 10.0.18362.175]
//用户层========================
//本来以为移除就好!最后竟然无法修改内存!!!!!
// User-mode (R3) partial reconstruction of a window object, as reached through
// the pointer returned by ValidateHwnd below. Only the members this file uses
// are named; the trailing comments give the byte offsets the author intends.
// NOTE(review): the pad members are declared as single chars, so the layout the
// compiler produces does not place nextOffset/piveOffset/name at the commented
// offsets; the commented offsets are the author's and are not verified here.
struct tagWnd_r3
{
__int64 h; //0x0000 - handle value; not read by this file
__int64 offset; //0x0008 - subtracted from the object's address in GetNextHwnd/GetPrveHwnd, so presumably the object's own offset within its section
char pad_0x0010; //0x0010
__int64 nextOffset; //0x0048 - added to (object - offset) to reach the next window object
__int64 piveOffset; //0x0050 - same for the previous window object ("pive" presumably means "prev")
char pad_0x0058; //0x0058
PWCHAR name; //0x0150 - window name; not read by this file
};
// Resolves and calls user32's internal handle-to-object routine for hwnd.
// Returns the tagWnd_r3* that routine yields, or nullptr when user32.dll or
// GetWindowTextA cannot be located.
// The routine is not exported: the code scans the first 100 bytes of
// GetWindowTextA for 0xE8 (the x86 CALL rel32 opcode) and follows that call's
// target, assuming the first CALL in GetWindowTextA is the one wanted. That
// assumption is tied to the Windows build named at the top of this file and is
// not checked at runtime.
tagWnd_r3* ValidateHwnd(HWND hwnd)
{
HMODULE hModule = GetModuleHandle(TEXT("user32.dll"));
if(hModule!=0)
{
UINT_PTR ulGetMsgFunc = (UINT_PTR)GetProcAddress(hModule,"GetWindowTextA");
if(ulGetMsgFunc !=0)
{
// NOTE(review): memchr returns NULL when no 0xE8 byte is found within the
// 100-byte window; the next line would then read from address 1. The
// result is not checked.
UINT_PTR ptr = (UINT_PTR)memchr((PVOID)ulGetMsgFunc,0xE8,100);
// Target of a rel32 CALL: the signed 32-bit displacement following the
// opcode, plus the address of the next instruction (1 opcode + 4 operand bytes).
UINT_PTR addr = *(PLONG)(ptr + 1) + ptr +5;
// Called through a __fastcall pointer; the calling convention is the
// author's assumption about this internal routine.
tagWnd_r3* (__fastcall * _ValidateHwnd)(HWND hwnd) = (tagWnd_r3* (__fastcall *)(HWND)) addr;
return _ValidateHwnd(hwnd);
}
}
return nullptr;
}
//获取下一个窗口对象
// Returns the next window object in the list hwnd belongs to.
// The address is computed as (hwnd - hwnd->offset) + hwnd->nextOffset, i.e.
// nextOffset is treated as relative to the same base that hwnd->offset is
// relative to. hwnd is dereferenced without a NULL check, and the result is
// never validated - it is whatever the arithmetic produces.
tagWnd_r3* GetNextHwnd(tagWnd_r3* hwnd)
{
tagWnd_r3* Next = nullptr;
Next = (tagWnd_r3* )((INT_PTR)hwnd - hwnd->offset + hwnd->nextOffset);
return Next;
}
//获取上一个窗口对象
// Returns the previous window object in the list hwnd belongs to.
// Mirror of GetNextHwnd using piveOffset: (hwnd - hwnd->offset) + hwnd->piveOffset.
// hwnd is dereferenced without a NULL check, and the computed address is not
// validated before being returned.
tagWnd_r3* GetPrveHwnd(tagWnd_r3* hwnd)
{
tagWnd_r3* Prve = nullptr;
Prve = (tagWnd_r3* )((INT_PTR)hwnd - hwnd->offset + hwnd->piveOffset);
return Prve;
}
// Unlinks hwnd from the doubly linked window list by rewriting the link
// offsets of its two neighbours; hwnd's own nextOffset/piveOffset are left as
// they are. Nothing is NULL-checked: hwnd is dereferenced directly, and
// GetNextHwnd/GetPrveHwnd always return a computed address.
// The author's comment in main reports that these writes into the shared
// memory do not succeed.
void RemoveHwnd(tagWnd_r3* hwnd)
{
tagWnd_r3* Next = GetNextHwnd(hwnd);
tagWnd_r3* Prve = GetPrveHwnd(hwnd);
// Previous neighbour now links forward past hwnd ...
Prve->nextOffset = hwnd->nextOffset;
// ... and the next neighbour links backward past hwnd.
Next->piveOffset = hwnd->piveOffset;
}
// Entry point: resolves the hard-coded window handle 0x00070354 (a value from
// the author's own session, not meaningful elsewhere) and tries to unlink it.
int main(){
tagWnd_r3* h =ValidateHwnd((HWND)0x00070354);
// NOTE(review): h is not checked for nullptr before RemoveHwnd dereferences it.
RemoveHwnd(h);// Remove from the shared table - but this shared memory cannot be modified; no workaround for now (author's note)
}
//内核层r0===============================
//测试了下窗口会卡死不能动
// Kernel-mode (R0) partial reconstruction of the window object. Only the
// members this file touches are named; the trailing comments give the byte
// offsets the author intends.
// NOTE(review): as with tagWnd_r3 above, the pad members are single chars, so
// the declared layout does not reach the commented offsets; those offsets are
// the author's and are not verified here.
typedef struct _tagWnd
{
THRDESKHEAD hwnd; //0x0000 - object header; not read by this file
char pad_0x0008; //0x0018
_tagWnd* spwndNext; //0x0058 - next sibling; read and written by RemoveWnd
_tagWnd*spwndPrev; //0x0060 - previous sibling; read and written by RemoveWnd
_tagWnd*spwndParent; //0x0068 - not used by this file
_tagWnd*spwndChild; //0x0070 - not used by this file
_tagWnd*spwndOwner; //0x0078 - not used by this file
char pad_0x0080; //0x0080
PWCHAR strName; //0x00B8 - window name; not used by this file
} tagWnd, *pTagWnd;
// Kernel-mode (R0) lookup of the window object for a handle value.
// hwnd is passed as ULONG, so only the low 32 bits of a handle are seen; the
// low 16 bits (cx) are used as the handle-table index.
// g_gpKernelHandleTable and g_gSharedInfo are not defined in this file; the
// author's comments say they are located via symbols or a byte signature.
// Returns nullptr when either the table base or the computed entry address
// fails MmIsAddressValid. Note that MmIsAddressValid only says the address is
// currently mapped; the object pointer read out of the entry is returned
// without any check of its own.
pTagWnd getWindowTagWnd(ULONG hwnd)
{
ULONG cx = hwnd & 0xffff; // low 16 bits of the handle: table index
// NOTE(review): g_gpKernelHandleTable itself is dereferenced before any validity check.
ULONG_PTR gpKernelHandleTable = *(PULONG_PTR)g_gpKernelHandleTable;// g_gpKernelHandleTable can be found via symbols or a byte signature (author's note)
if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
{
return nullptr;
}
// g_gSharedInfo can be found via symbols or a byte signature (author's note)
ULONG_PTR gSharedInfo = (ULONG_PTR)g_gSharedInfo + 0x10;
gSharedInfo =*(PULONG_PTR)gSharedInfo; // value read at g_gSharedInfo+0x10; its meaning is not shown in this file
// Scale the index into a byte offset: (value * cx) >> 5, then * 0x18.
// 0x18 is presumably the size of one handle-table entry - unverified here.
gSharedInfo = gSharedInfo * cx;
gSharedInfo = gSharedInfo >> 5;
gSharedInfo = gSharedInfo * 0x18;
gpKernelHandleTable = gpKernelHandleTable+ gSharedInfo;
if(!MmIsAddressValid((PVOID)gpKernelHandleTable))
{
return nullptr;
}
// The first pointer-sized field of the entry is taken as the object pointer.
pTagWnd tagWnd = (pTagWnd)( *(PULONG_PTR)gpKernelHandleTable);
return tagWnd;
}
// Unlinks the window object for hwnd from the kernel sibling list
// (spwndPrev/spwndNext) by rewriting its two neighbours' links; the object's
// own spwndNext/spwndPrev are left unchanged. Always returns true, so the
// caller cannot tell whether anything was done.
// NOTE(review): getWindowTagWnd returns nullptr on two paths, and neither
// removeWnd nor its spwndPrev/spwndNext is checked before being dereferenced.
// The author's note above this section reports that the window freezes after
// this runs.
bool RemoveWnd(ULONG hwnd)
{
// auto Wnd =getWindowTagWnd(0x10010);
auto removeWnd = getWindowTagWnd(hwnd);
// Previous sibling now links forward past removeWnd ...
removeWnd->spwndPrev->spwndNext = removeWnd->spwndNext;
// ... and the next sibling links backward past removeWnd.
removeWnd->spwndNext->spwndPrev = removeWnd->spwndPrev;
return true;
}