Reading and writing 64-bit process memory from a 32-bit program
A 32-bit process can read and write the memory of a 64-bit process through NtWow64ReadVirtualMemory64 and NtWow64WriteVirtualMemory64. Under WOW64 the ordinary ReadProcessMemory/WriteProcessMemory only take a 32-bit address, so they cannot reach the full address space of a 64-bit target; these two ntdll exports take ULONG64 addresses and lengths instead. They are undocumented and only exist in the 32-bit ntdll.dll running under WOW64, so they have to be resolved with GetProcAddress at run time.
Steps:
1. Define the function-pointer types and fetch the function pointers from the module:
```c
#include <windows.h>
#include <winternl.h>   // NTSTATUS, NT_SUCCESS
#include <stdio.h>

// Prototypes for the undocumented ntdll exports. Addresses and lengths are
// 64-bit, which is what lets a WOW64 (32-bit) process address a 64-bit target.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    OUT PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    IN PVOID BufferData,            // source buffer to copy into the target
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

static LPFN_NTWOW64READVIRTUALMEMORY64  __NtWow64ReadVirtualMemory64  = NULL;
static LPFN_NTWOW64WRITEVIRTUALMEMORY64 __NtWow64WriteVirtualMemory64 = NULL;

// Resolve the exports at run time: they are not declared in any public header.
HMODULE NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
if (NtdllModuleBase == NULL) {
    return FALSE;
}
__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64ReadVirtualMemory64");
__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64WriteVirtualMemory64");
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL) {
    return FALSE;   // not running under WOW64: the 32-bit ntdll has no such exports
}
```
2. Obtain the process ID and the address in the 64-bit process you want to access, then call the functions to read and write the target's memory:
```c
// ProcessId (DWORD) and BaseAddress (ULONG64) are supplied by the caller.
HANDLE ProcessHandle = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, ProcessId);
if (ProcessHandle == NULL) {
    return FALSE;
}

char BufferData[64] = { 0 };                  // spare last byte keeps printf("%s") NUL-terminated
ULONG64 BufferLength = sizeof(BufferData) - 1;
ULONG64 ReturnLength = 0;                     // the API takes PULONG64, so no cast is needed

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, BufferData, BufferLength, &ReturnLength);
if (NT_SUCCESS(Status)) {
    printf("%s\r\n", BufferData);
    ZeroMemory(BufferData, sizeof(BufferData));
    memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
    // strlen + 1 also writes the terminating NUL into the target
    Status = __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, BufferData, strlen("LIUDADA") + 1, &ReturnLength);
}
CloseHandle(ProcessHandle);
return NT_SUCCESS(Status);
```