C/C++ 动态与静态内存补丁

实现动态内存补丁(读取): 这种补丁是在程序加载到内存以后再对其进行修改,常用于加壳程序的破解.

#include <stdio.h>
#include <Windows.h>

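/**
 * Launch FileName as a suspended child process and copy Size bytes starting
 * at virtual address dwVAddress out of its address space.
 *
 * @param FileName    Path of the executable to start. It is passed to
 *                    CreateProcess as a narrow string, so this builds only
 *                    when UNICODE is not defined.
 * @param dwVAddress  Address inside the child to read from. DWORD limits
 *                    this to 32-bit addresses.
 * @param Size        Number of bytes to read; must be greater than zero.
 * @return            Buffer of Size bytes allocated with new[] (the caller
 *                    releases it with delete[]), or NULL if the arguments
 *                    are invalid, the process could not be created, or the
 *                    read failed.
 */
BYTE * ReadMemory(char * FileName,DWORD dwVAddress, int Size)
{
	// A non-positive Size would turn into a huge or zero-length allocation.
	if (FileName == NULL || Size <= 0)
		return NULL;

	STARTUPINFO si = { 0 };
	si.cb = sizeof(si);
	si.wShowWindow = SW_SHOW;
	si.dwFlags = STARTF_USESHOWWINDOW;
	PROCESS_INFORMATION pi = { 0 };

	// CREATE_SUSPENDED: the image is mapped, but its main thread does not run.
	BOOL bRet = CreateProcess(FileName, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
	if (bRet == FALSE)
		return NULL;	// report the failure instead of exiting the whole program

	// Allocate only once the child exists, so the early return cannot leak.
	BYTE *buffer = new BYTE[Size];

	// Read the whole range in one call, bounded by Size. A fixed count of 10
	// would overrun the buffer for Size < 10 and ignore the rest for Size > 10.
	// ReadProcessMemory fails if any part of the range is not readable.
	if (!ReadProcessMemory(pi.hProcess, (LPVOID)dwVAddress, buffer, Size, 0))
	{
		delete[] buffer;
		buffer = NULL;
	}

	// This helper only inspects the child. Closing the handles without ending
	// the process would leave a suspended process behind on every call.
	TerminateProcess(pi.hProcess, 0);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	return buffer;
}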

动态写入内存补丁:


#include <stdio.h>
#include <Windows.h>

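/**
 * Launch FileName as a suspended child process, overwrite Size bytes at
 * virtual address dwVAddress with the bytes in ShellCode, then let the child
 * run.
 *
 * Security tooling commonly watches for this sequence (create suspended,
 * write into the child, resume), so endpoint protection is likely to flag a
 * binary that does it.
 *
 * @param FileName    Path of the executable to start. It is passed to
 *                    CreateProcess as a narrow string, so this builds only
 *                    when UNICODE is not defined.
 * @param dwVAddress  Address inside the child to write to. DWORD limits
 *                    this to 32-bit addresses.
 * @param ShellCode   Bytes to write; Size bytes are read from this pointer.
 * @param Size        Number of bytes to write; must be greater than zero.
 * @return            TRUE if every byte was written and the child was
 *                    resumed. FALSE on invalid arguments, on process
 *                    creation failure, or on a failed write, in which case
 *                    the child is terminated rather than started unmodified.
 */
BOOL WriteMemory(char * FileName, DWORD dwVAddress, unsigned char *ShellCode, int Size)
{
	if (FileName == NULL || ShellCode == NULL || Size <= 0)
		return FALSE;

	STARTUPINFO si = { 0 };
	si.cb = sizeof(si);
	si.wShowWindow = SW_SHOW;
	si.dwFlags = STARTF_USESHOWWINDOW;
	PROCESS_INFORMATION pi = { 0 };

	// Create the child process with its main thread suspended.
	BOOL bRet = CreateProcess(FileName, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
	if (bRet == FALSE)
		return FALSE;	// report the failure instead of exiting the whole program

	// Write straight from the caller's buffer. A memset() staging copy would
	// repeat only the first byte of ShellCode, and the staging buffer leaks.
	BOOL Ret = WriteProcessMemory(pi.hProcess, (LPVOID)dwVAddress, ShellCode, Size, 0);

	if (Ret)
		ResumeThread(pi.hThread);
	else
		TerminateProcess(pi.hProcess, 0);	// do not run the target unmodified

	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	// Return the real result of the write rather than a constant TRUE.
	return Ret ? TRUE : FALSE;
}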

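如需多次对内存进行修正,可以在上面代码的基础上进行改进,这里我就不发出来了。下面的 main 调用的应当是改进后的版本(OpenExeFile、CheckMemory,以及以 PROCESS_INFORMATION 作为第一个参数的 ReadMemory/WriteMemory),这些函数未在本文列出。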

// Demo driver: dumps 10 bytes at 0x401000 from the target, compares 5 bytes
// there against a fixed pattern, then overwrites 3 bytes at 0x401000 and at
// 0x402000 with 0x90.
//
// NOTE(review): OpenExeFile and CheckMemory are not defined on this page.
// ReadMemory and WriteMemory are called here with a PROCESS_INFORMATION as
// their first argument, but the versions listed on the page take a file name.
// This main therefore does not compile against the listings above; it
// presumably belongs to the unpublished "improved" variant.
int main(int argc, char * argv[])
{
	// Presumably launches the target once and returns its process/thread handles; confirm.
	PROCESS_INFORMATION pi = OpenExeFile("c://main.exe");
	// NOTE(review): recv_buffer is never released. If this ReadMemory variant
	// allocates with new[] like the listed one, that is a leak; confirm.
	// The result is also used without a NULL check.
	BYTE *recv_buffer = ReadMemory(pi, 0x401000, 10);
	// Print the 10 bytes read as hex.
	for (int x = 0; x < 10; x++)
		printf("%x ", recv_buffer[x]);
	printf("\n");

	// 5-byte pattern compared with the target's memory at 0x401000. What the
	// return value means depends on CheckMemory, which is not shown.
	BYTE cmp_code[] = { 0x33,0xc0,0xc2,0x90,0xc3 };
	int ret = CheckMemory(pi, 0x401000, cmp_code, 5);
	printf("返回值: %d \n", ret);

	// Overwrite 3 bytes at 0x401000 (0x90 is presumably the x86 NOP opcode).
	// The result of WriteMemory is ignored, so a failed write goes unnoticed.
	unsigned char set_buffer[] = { 0x90, 0x90, 0x90 };
	WriteMemory(pi, 0x401000, set_buffer, 3);

	// Same 3-byte overwrite at a second address.
	unsigned char set_buffer1[] = { 0x90, 0x90, 0x90 };
	WriteMemory(pi, 0x402000, set_buffer1, 3);


	// NOTE(review): the handles in pi are not closed here. Whether the helpers
	// close them cannot be seen from this page.
	system("pause");
	return 0;
}
posted @   lyshark  阅读(993)  评论(0编辑  收藏  举报