刘收获

导航

32位程序读写64位程序内存

  32位程序可以通过NtWow64ReadVirtualMemory64,NtWow64WriteVirtualMemory64读写64程序内存。

  步骤:

  1.自定义函数参数结构,获取模块中的函数指针:

typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
	IN  HANDLE   ProcessHandle,
	IN  ULONG64  BaseAddress,
	OUT PVOID    BufferData,
	IN  ULONG64  BufferLength,
	OUT PULONG64 ReturnLength OPTIONAL);


typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
	IN  HANDLE   ProcessHandle,
	IN  ULONG64  BaseAddress,
	OUT PVOID    BufferData,
	IN  ULONG64  BufferLength,
	OUT PULONG64 ReturnLength OPTIONAL);


NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
	if (NtdllModuleBase == NULL)
	{
		return FALSE;
	}
	
	__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
		"NtWow64ReadVirtualMemory64");

	__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
		"NtWow64WriteVirtualMemory64");

  2.获取进程ID和64进程中想要读写处的地址,调用函数读写目标进程内存

			NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
				BaseAddress, BufferData, BufferLength, &ReturnLength);
			if (NT_SUCCESS(Status))
			{
				printf("%s\r\n", BufferData);
				ZeroMemory(BufferData, BufferLength);
				memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
				__NtWow64WriteVirtualMemory64(ProcessHandle,
					BaseAddress, BufferData,  strlen("LIUDADA")+1, (PULONG64)&ReturnLength);
				
			}

  

posted on 2017-08-28 18:49  沉疴  阅读(4641)  评论(0编辑  收藏  举报