- 注册时间
- 2021-4-16
- 最后登录
- 2024-3-30
- 在线时间
- 4 小时
编程入门
- 龙马币
- 88
|
32位程序可以通过NtWow64ReadVirtualMemory64,NtWow64WriteVirtualMemory64读写64程序的内存直接上代码了
自定义函数参数结构,获取模块中的函数指针
- typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
- IN HANDLE ProcessHandle,
- IN ULONG64 BaseAddress,
- OUT PVOID BufferData,
- IN ULONG64 BufferLength,
- OUT PULONG64 ReturnLength OPTIONAL);
-
- typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
- IN HANDLE ProcessHandle,
- IN ULONG64 BaseAddress,
- OUT PVOID BufferData,
- IN ULONG64 BufferLength,
- OUT PULONG64 ReturnLength OPTIONAL);
-
-
- NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
- if (NtdllModuleBase == NULL)
- {
- return FALSE;
- }
-
- __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64ReadVirtualMemory64");
- __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,"NtWow64WriteVirtualMemory64");
复制代码
获取进程ID和64进程中想要读写的地址,调用函数读写目标进程的内存
- NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
- BaseAddress, BufferData, BufferLength, &ReturnLength);
- if (NT_SUCCESS(Status))
- {
- printf("%s\r\n", BufferData);
- ZeroMemory(BufferData, BufferLength);
- memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
- __NtWow64WriteVirtualMemory64(ProcessHandle,
- BaseAddress, BufferData, strlen("LIUDADA")+1, (PULONG64)&ReturnLength);
-
- }
复制代码 |
|