I happened to come across this thread via Baidu:
http://bbs.pediy.com/showthread.php?threadid=35431
I first looked at shoooo's code, in the Patch() function:
#include <windows.h>

/* Globals used by the excerpt; their declarations are not part of the quoted code.
   The whole routine assumes a 32-bit process (pointers are truncated to DWORD). */
DWORD ZwCP, ZwCPEx;      /* entry addresses of ZwCreateProcess / ZwCreateProcessEx in ntdll.dll */
DWORD NoCP, NoCPEx;      /* bytes 1..4 of each original stub, saved before patching */

/* Hook routines defined elsewhere in shoooo's post (signature assumed here). */
extern DWORD FuckZwCP(void);
extern DWORD FuckZwCPEx(void);

void Patch()
{
    DWORD odpt;
    /* Resolve both exports in the current process's own copy of ntdll.dll. */
    ZwCP = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwCreateProcess");
    ZwCPEx = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwCreateProcessEx");
    if (ZwCP != 0)
    {
        NoCP = *(LPDWORD)(ZwCP+1);                /* save the 4 bytes after the first opcode byte */
        VirtualProtect((LPVOID)ZwCP, 5, PAGE_EXECUTE_READWRITE, &odpt);
        *(LPBYTE)(ZwCP+0x00) = 0xE9;              /* JMP rel32 opcode */
        *(LPDWORD)(ZwCP+0x01) = (DWORD)FuckZwCP - ZwCP - 5;   /* rel32 = target - (entry + 5) */
    }
    if (ZwCPEx != 0)
    {
        NoCPEx = *(LPDWORD)(ZwCPEx+1);
        VirtualProtect((LPVOID)ZwCPEx, 5, PAGE_EXECUTE_READWRITE, &odpt);
        *(LPBYTE)(ZwCPEx+0x00) = 0xE9;
        *(LPDWORD)(ZwCPEx+0x01) = (DWORD)FuckZwCPEx - ZwCPEx - 5;
    }
}
The modification it makes is in the local process's own address space rather than explorer's, right? (I don't understand what the modification is actually meant to do.)
Has anyone managed to get this to work? When I look with IceSword, the caller shown is still this program itself rather than explorer.
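To make the mechanics of that 5-byte patch concrete, here is an added example that is not code from the thread or from shoooo. It reproduces the rel32 arithmetic used in Patch() on a byte buffer, and pairs it with the check a defender (or a tool like IceSword) performs to spot such a patch: compare the first bytes of a function stub as it sits in memory against a clean reference copy (in practice the on-disk ntdll.dll mapped as an image). The stub bytes, syscall number and addresses below are constructed for the demonstration and do not describe any real ntdll build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define JMP_LEN 5   /* E9 + 4-byte displacement */

/* Write a JMP rel32 at `stub`, which is mapped at virtual address `stub_va`,
   so that it jumps to `hook_va`. Same arithmetic as Patch(): rel = hook - stub - 5.
   Returns the displacement that was written. */
int32_t write_jmp_rel32(uint8_t *stub, uint32_t stub_va, uint32_t hook_va) {
    int32_t rel = (int32_t)(hook_va - stub_va - JMP_LEN);
    stub[0] = 0xE9;
    memcpy(stub + 1, &rel, sizeof rel);   /* little-endian on x86 */
    return rel;
}

/* If `stub` begins with E9 rel32, store the absolute destination in *dest and
   return true; otherwise return false. */
bool decode_jmp_rel32(const uint8_t *stub, uint32_t stub_va, uint32_t *dest) {
    if (stub[0] != 0xE9) return false;
    int32_t rel;
    memcpy(&rel, stub + 1, sizeof rel);
    *dest = stub_va + JMP_LEN + (uint32_t)rel;
    return true;
}

/* Defender-side integrity check: compare the in-memory stub with the clean
   reference. Returns the index of the first differing byte, or -1 if identical. */
int first_patched_byte(const uint8_t *in_memory, const uint8_t *reference, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (in_memory[i] != reference[i]) return (int)i;
    return -1;
}

/* Constructed 32-bit, XP-style syscall stub (not real ntdll bytes):
   mov eax, 2Fh ; mov edx, 7FFE0300h ; call [edx] ; ret 20h */
static const uint8_t CLEAN_STUB[15] = {
    0xB8, 0x2F, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x20, 0x00 };

/* Full scenario on a private copy of the stub: verify it is clean, apply the
   JMP patch, confirm the check now flags byte 0, and decode where the patch
   sends execution. Returns the decoded destination, or 0 on any failure. */
uint32_t demo(uint32_t stub_va, uint32_t hook_va) {
    uint8_t mem[sizeof CLEAN_STUB];
    memcpy(mem, CLEAN_STUB, sizeof mem);
    if (first_patched_byte(mem, CLEAN_STUB, sizeof mem) != -1) return 0;
    write_jmp_rel32(mem, stub_va, hook_va);
    if (first_patched_byte(mem, CLEAN_STUB, sizeof mem) != 0) return 0;
    uint32_t dest = 0;
    if (!decode_jmp_rel32(mem, stub_va, &dest)) return 0;
    return dest;
}

int main(void) {
    uint32_t stub_va = 0x7C90D3E0u;   /* constructed address, not a real export */
    uint32_t hook_va = 0x00401000u;   /* constructed address of the hook routine */
    printf("patched stub jumps to 0x%08X\n", demo(stub_va, hook_va));
    return 0;
}
```

The comparison against a clean copy is the same idea IceSword and similar tools apply to exported functions: a stub whose first byte is E9 where the reference has B8 (or any other mismatch) is reported as hooked, and decoding the displacement tells you which module the jump lands in. Because Patch() writes into the calling process's own mapping of ntdll.dll, a check run from another process will only see the patch if it inspects that process's memory rather than its own.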