#2
If you want to ask a question, post your code first; if there is no code, at least describe things in as much detail as you can.
What I despise most are the people who grab someone else's code, compile it blindly, fail, and then act all secretive while writing cheats (WG). Kanxue has practically become a playground for these people's noise.
#3
// The post only contains a function body. The includes, the dprintf alias and the
// signature below are assumptions added so the fragment compiles as a unit:
// pstEProcess, address and Value are used but never declared in the post.
// x86 only: this relies on 32-bit inline assembly and a 32-bit CR3.
#include <ntddk.h>
#define dprintf DbgPrint    // assumption: the poster's dprintf wraps DbgPrint

NTSTATUS WriteProcessMemory(PEPROCESS pstEProcess, PVOID address, PVOID Value)
{
    BOOLEAN flag = TRUE;
    dprintf("进入WriteProcessMemory\n");
    PEPROCESS pstKProcess = NULL;
    PEPROCESS pstCurrent = NULL;    // unused in the posted code, kept as-is
    ULONG ulPDT = 0;
    ULONG ulOldCr3 = 0;
    dprintf("pstKProcess初始化,得到PCB\n");
    pstKProcess = pstEProcess;      // EPROCESS starts with KPROCESS (the PCB)
    dprintf("pstKProcess :0x%08X\n", pstKProcess);
    dprintf("ulPDT初始化,得到DirectoryTableBase[0]\n");
    // KPROCESS.DirectoryTableBase[0]; the 0x18 offset is hard-coded and OS-version specific
    ulPDT = *(ULONG*)((ULONG)pstKProcess + 0x18);
    dprintf("ulPDT :0x%08X\n", ulPDT);
    dprintf("开始汇编\n");
    // Save the current CR3 and load the target process's page directory base
    _asm
    {
        cli;
        mov eax, cr3;
        mov ulOldCr3, eax;
        mov eax, ulPDT;
        mov cr3, eax;
    }
    _asm sti;   // interrupts are re-enabled here while the foreign CR3 is still loaded
    dprintf("开始写入内存\n");
    dprintf("====================\n");
    dprintf("Address :0x%08X.\n", address);
    dprintf("Value Address :0x%08X.\n", Value);
    dprintf("Value :%d.\n", *((UINT16*)Value));
    dprintf("Size Value : %d\n", 2);
    dprintf("====================\n");
    ULONG addreslong = (ULONG)address;
    dprintf("Address Asm : 0x%08X\n", addreslong);
    ULONG valueasm = (ULONG)(*((UINT16*)Value));
    dprintf("Value Asm : %d\n", valueasm);
    __try
    {
        // Writes a full 32-bit register, i.e. 4 bytes, although only 2 bytes were read from Value
        __asm
        {
            mov eax, addreslong
            mov ebx, valueasm
            mov [eax], ebx
        }
        // RtlCopyMemory(address, Value, 2); // copy the memory directly
        dprintf("修改成功!!!!!!!!!!!!!!!!!!!!!\n");
    }
    __except(1)
    {
        dprintf("修改失败!!!!!!!!!!!!!!!!!!!!!\n");
        flag = FALSE;
    }
    dprintf("完成写入内存,开始还原DirectoryTableBase\n");
    // Restore the original CR3
    _asm cli;
    _asm
    {
        mov eax, ulOldCr3;
        mov cr3, eax;
        sti;
    }
    dprintf("还原DirectoryTableBase结束\n");
    dprintf("WriteProcessMemory函数结束\n");
    if (flag)
    {
        return STATUS_SUCCESS;
    }
    else
    {
        return STATUS_UNSUCCESSFUL;
    }
}
You've misunderstood... this is purely a newbie amusing himself...
I just want to learn something.
#4
Ugh, switching CR3 directly? Use ke*** to switch instead.
And after switching you still dare to call dprintf?
#5
Switching it doesn't necessarily work. For process memory you need to Attach, but Attach alone still doesn't guarantee the copy succeeds; some extra steps are needed. The simple way is to use the Zw family of functions, which works so much better~
#6
Uh... without switching CR3 directly it just doesn't work...