VC Chinese Network - VC/MFC Programming Forum

Reading and Writing 64-bit Process Memory in VC

Posted on 2019-9-15 19:23:57
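A 32-bit program can read and write the memory of a 64-bit process through NtWow64ReadVirtualMemory64 and NtWow64WriteVirtualMemory64. Straight to the code.
Define the function pointer types and get the function pointers from the module.
[C++]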
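// Pointer type for ntdll!NtWow64ReadVirtualMemory64, called from a 32-bit process.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,   // 64-bit address in the target process
    OUT PVOID    BufferData,
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

// Pointer type for ntdll!NtWow64WriteVirtualMemory64.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    IN  PVOID    BufferData,    // source buffer: an input for the write call
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

    // ntdll.dll is already loaded, so GetModuleHandle is sufficient.
    NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        return FALSE;
    }

    __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64ReadVirtualMemory64");

    __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64WriteVirtualMemory64");

    // GetProcAddress returns NULL when an export is not present; do not call through it.
    if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
    {
        return FALSE;
    }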

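Get the process ID and the address in the 64-bit process that you want to read or write, then call the functions to read and write the target process's memory.
[C++]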
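// ProcessHandle is a handle to the target process; BaseAddress is a ULONG64 address in it.
ULONG64 ReturnLength = 0;
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
    BaseAddress, BufferData, BufferLength, &ReturnLength);
if (NT_SUCCESS(Status))
{
    // Print only the bytes actually read; the data may not be NUL-terminated.
    printf("%.*s\r\n", (int)ReturnLength, (const char *)BufferData);
    ZeroMemory(BufferData, BufferLength);
    // BufferData must hold at least strlen("LIUDADA") + 1 bytes.
    memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
    // Write the string and its terminating NUL back to the same address.
    Status = __NtWow64WriteVirtualMemory64(ProcessHandle,
        BaseAddress, BufferData, strlen("LIUDADA") + 1, &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        printf("NtWow64WriteVirtualMemory64 failed: 0x%08lX\r\n", (unsigned long)Status);
    }
}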
