应用层实现驱动级别内存读写（说明：下面的代码并不涉及任何驱动，仍然完全运行在用户态——它在 32 位 WOW64 进程里读取 ntdll 导出的 Wow64Transition 指针，然后手写一个 NtReadVirtualMemory 的系统调用桩直接经由该指针进入 64 位侧。这样做绕开的只是 ntdll 导出函数本身可能被挂的用户态钩子；内核侧对句柄权限、系统调用号等的检查不受影响，“驱动级别”的说法并不准确。）
#include<Windows.h>
#include<Tlhelp32.h>
#include<shlwapi.h>
//获取进程句柄
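/*
 * Open a handle to the process identified by pid.
 *
 * Despite the name, this returns a process HANDLE (NULL on failure, reason
 * via GetLastError()), not a PID.  The handle is opened with
 * PROCESS_ALL_ACCESS; PROCESS_CREATE_THREAD is already contained in that mask,
 * so OR-ing it in again (as the original did) changed nothing and is dropped.
 *
 * Least-privilege note: the only use in this file is a memory read, for which
 * PROCESS_VM_READ | PROCESS_QUERY_INFORMATION is enough.  The full mask is kept
 * so existing callers keep the rights they had, but a caller that only reads
 * should narrow it -- fewer rights also means fewer things a leaked handle can
 * be abused for.  The caller owns the handle and must CloseHandle() it.
 */
HANDLE GetThePidOfTargetProcess(DWORD pid)
{
    /* bInheritHandle = FALSE: child processes must not inherit this handle. */
    return OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
}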
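/*
 * Look up the PID of the first running process whose image name equals
 * pProcess.
 *
 * Walks a Toolhelp process snapshot and compares each entry's szExeFile with
 * pProcess.  The comparison is case-insensitive (lstrcmpi, from kernel32 via
 * Windows.h): Windows image names are not case-sensitive, so "X32DBG.EXE" and
 * "x32dbg.exe" are the same program.  If several processes share the name the
 * first one in snapshot order wins; an image name alone is not a reliable
 * identity, so a caller that cares should verify the target another way.
 *
 * Returns the PID on success, or 0 when no process matched or the snapshot
 * could not be taken/enumerated.  0 is never a user-process PID, so it is a
 * safe failure sentinel.  (The original returned 1 on a Process32First
 * failure, which is indistinguishable from a real PID.)
 *
 * Fixes: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
 * not NULL; and the snapshot handle was never closed on any path.
 */
DWORD GetPidByProcessName(TCHAR* pProcess)
{
    DWORD pid = 0;
    PROCESSENTRY32 entry;
    HANDLE snapshot;

    if (pProcess == NULL)
        return 0;

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    /* dwSize must be filled in before the first Process32First call. */
    entry.dwSize = sizeof(entry);

    if (Process32First(snapshot, &entry)) {
        do {
            if (lstrcmpi(entry.szExeFile, pProcess) == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    /* Always release the snapshot, found or not. */
    CloseHandle(snapshot);
    return pid;
}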
/*
 * Prototype of ntdll!NtReadVirtualMemory (NTAPI is __stdcall on x86).
 * Kept for documentation / callers that want a typed pointer; the stub below
 * reproduces this calling convention by hand instead of going through one.
 * The IN/OUT/OPTIONAL annotations of the original expand to nothing, so they
 * are omitted here.
 * NOTE(review): NTSTATUS is not provided by Windows.h alone -- it normally
 * comes from <winternl.h> (or <ntstatus.h>/<bcrypt.h>), none of which this
 * file includes; confirm the build actually has it in scope.
 */
typedef NTSTATUS (NTAPI *Ptr_NtReadVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID  BaseAddress,
    PVOID  Buffer,
    ULONG  NumberOfBytesToRead,
    PULONG NumberOfBytesReaded);   /* may be NULL */

/*
 * Call target for the raw system-call stub: the DWORD that fn_Wow64Transition()
 * reads out of ntdll's Wow64Transition export.  Zero until that function has
 * run, and My_NtReadVirtualMemory jumps to it unconditionally, so it must be
 * populated first.  A pointer in a DWORD is only valid in a 32-bit build.
 * The name starts with '_' + uppercase (reserved in C) but is referenced from
 * inline assembly, so it is left unchanged.
 */
DWORD _Wow64Transition = 0;
/*
 * Hand-written 32-bit (WOW64) system-call stub for NtReadVirtualMemory.
 *
 * Instead of calling ntdll!NtReadVirtualMemory, this loads the service number
 * into eax and calls the address fn_Wow64Transition() stored in
 * _Wow64Transition, i.e. the pointer the 32-bit ntdll exports as
 * Wow64Transition.  Presumably the point is that inline/IAT hooks placed on
 * the ntdll export are never executed; the request still ends up as an
 * ordinary system call, so every kernel-side check (handle access rights,
 * object callbacks, ...) applies exactly as it would through ntdll.  Nothing
 * here is "driver level".
 *
 * Caveats a caller must respect:
 *  - 0x3F is the service number for the author's Windows 10 build.  Service
 *    numbers differ between Windows versions and can differ between builds; a
 *    wrong number invokes a different system call with these arguments.
 *    Verify it against the target build (e.g. by reading the first bytes of
 *    ntdll!NtReadVirtualMemory at runtime) rather than trusting the constant.
 *  - _Wow64Transition must already be set; it is 0 until fn_Wow64Transition()
 *    has run, and this stub makes no check -- it would call address 0.
 *  - The function is declared void, so the NTSTATUS left in eax is discarded;
 *    the caller cannot tell a failed read from a successful one.
 *  - __declspec(naked) + _asm + ret 0x14 are MSVC, x86-32 only: stdcall with
 *    five 4-byte arguments means the callee pops 20 bytes.
 *  - NumberOfBytesToRead is passed through unchecked: Buffer must really be at
 *    least that large (see the call site in main).
 */
void __declspec(naked) WINAPI My_NtReadVirtualMemory(// raw syscall stub, see header comment
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL){
_asm {
mov eax, 0x3F // system number of NtReadVirtualMemory on the author's Win10 build -- build-specific, verify
mov edx, _Wow64Transition // filled in by fn_Wow64Transition(); still 0 if that has not run
call edx // enter the 64-bit side; NTSTATUS returns in eax and is dropped
ret 0x14 // stdcall cleanup: 5 DWORD arguments x 4 bytes
}
}
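/*
 * Resolve ntdll's Wow64Transition pointer and store it in _Wow64Transition for
 * the raw system-call stub.  Must run before My_NtReadVirtualMemory is called.
 *
 * Wow64Transition is exported as a data symbol: GetProcAddress yields the
 * address of a DWORD variable that itself holds the call target, hence the
 * extra dereference at the end.
 *
 * Returns 0 on success and 1 when ntdll or the export cannot be resolved; in
 * the failure case _Wow64Transition is left untouched, so callers must check
 * the result (a zero target makes the stub call address 0).
 *
 * Fixes relative to the original: the export name passed to GetProcAddress
 * contained literal comment markers inside the string and so could never
 * resolve, and the resulting NULL was dereferenced unchecked; the constant
 * 0 return value hid that.  ntdll is mapped in every process, so
 * GetModuleHandle replaces LoadLibrary, whose reference count was never
 * released.  32-bit (WOW64) build only: the pointer is stored in a DWORD.
 */
DWORD fn_Wow64Transition(void) {
    HMODULE ntdll = GetModuleHandle(TEXT("ntdll.dll"));
    FARPROC export_addr;

    if (ntdll == NULL)
        return 1;

    export_addr = GetProcAddress(ntdll, "Wow64Transition");
    if (export_addr == NULL)
        return 1;   /* not a WOW64 process, or the export is absent on this build */

    /* The export is a variable holding the pointer; fetch its contents. */
    _Wow64Transition = *(DWORD*)export_addr;
    return 0;
}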
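/*
 * Demo: wait until a Qt window and an x32dbg.exe process exist, open the
 * process, resolve Wow64Transition, and read a few bytes from a hard-coded
 * address through the raw system-call stub.
 *
 * Fixes relative to the original:
 *  - "HWNDHandle" / "HANDLEhP" had lost the space between type and name
 *    (HWND Handle; HANDLE hP), so the listing did not compile as posted.
 *  - The destination was a single DWORD (4 bytes) while 23 bytes were
 *    requested, so a successful read overran the stack variable.  The buffer
 *    is now sized to the request and the request is sizeof(buffer).
 *  - fn_Wow64Transition()'s result was ignored; on failure the stub would
 *    call address 0, so the read is now skipped in that case.
 *  - The process handle is closed.
 *
 * READ_ADDR is whatever happened to be valid in the author's target; it is not
 * derived from a module base or anything else, so under ASLR or another build
 * it is almost certainly wrong -- treat it as a placeholder.  The string
 * literals assume an ANSI (non-UNICODE) build, as in the original.  Handle is
 * only used to wait for the window to appear.
 */
int main(void) {
    enum { READ_ADDR = 0x037FAC30, READ_LEN = 23 };
    HWND   Handle = NULL;
    HANDLE hP = NULL;
    DWORD  GameProcessID = 0;
    BYTE   container[READ_LEN];

    /* Poll until a window of the target's class exists (any title). */
    do {
        Sleep(100);
        Handle = FindWindow("Qt5QWindowIcon", NULL);
    } while (!Handle);

    /* Then poll for the process itself by image name. */
    do {
        Sleep(10);
        GameProcessID = GetPidByProcessName("x32dbg.exe");
    } while (!GameProcessID);

    hP = GetThePidOfTargetProcess(GameProcessID);
    if (hP != NULL) {
        /* The stub jumps to _Wow64Transition unconditionally; only use it once
         * the pointer has actually been resolved. */
        if (fn_Wow64Transition() == 0) {
            My_NtReadVirtualMemory(hP, (PVOID)READ_ADDR, container,
                                   sizeof(container), NULL);
        }
        CloseHandle(hP);
    }
    return 0;
}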
虽然看不懂,也来凑凑热闹! 学习了......
学习一下谢谢了