/* Signature of the undocumented ntdll export NtWriteVirtualMemory: the target
   process handle, the destination address inside that process, the source
   buffer, its length in bytes, and an optional out-parameter that receives the
   number of bytes actually written. */
typedef NTSTATUS (NTAPI *pfnNtWriteVirtualMemory)(HANDLE ProcessHandle,
                                                  PVOID  BaseAddress,
                                                  PVOID  Buffer,
                                                  ULONG  BufferLength,
                                                  PULONG ReturnLength OPTIONAL);

/* Resolved once during static initialisation. GetModuleHandle only looks up a
   module that is already mapped (ntdll.dll always is), so no DLL search-path
   lookup -- and no hijack -- happens here. The pointer is NULL if
   GetProcAddress fails; nothing below re-checks it, so callers must. */
pfnNtWriteVirtualMemory NtWriteVirtualMemory =
    reinterpret_cast<pfnNtWriteVirtualMemory>(
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWriteVirtualMemory"));
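/*
 * Patch one byte in another process through the raw ntdll export
 * NtWriteVirtualMemory (the global function pointer resolved above).
 *
 * Why the previous version always failed: NtWriteVirtualMemory copies into
 * the target subject to the target's current page protection. Unlike
 * kernel32!WriteProcessMemory it does not make the page writable first, so a
 * write into a read-only or execute-only mapping fails with
 * STATUS_ACCESS_VIOLATION. The protection is therefore switched with
 * VirtualProtectEx -- on the *target* process handle, not VirtualProtect on
 * our own address space -- around the write and restored afterwards.
 *
 * PID and address are the hard-coded values from the post. 0x74 is the x86
 * short-JE opcode, which suggests a conditional jump is being patched (not
 * verifiable from here); the instruction cache is flushed after a successful
 * write so that case is covered.
 *
 * Returns 0 when the byte was written, 1 otherwise; the failing step and its
 * Win32 error / NTSTATUS are shown in a message box instead of the old "0".
 */
int main()
{
    const DWORD  kTargetPid     = 632;
    LPVOID const kTargetAddress = (LPVOID)0x6F2A0930;
    /* Least privilege: VirtualProtectEx needs PROCESS_VM_OPERATION and
       NtWriteVirtualMemory needs PROCESS_VM_WRITE. PROCESS_ALL_ACCESS asks for
       far more than is used and is more likely to be refused. */
    const DWORD  kAccess        = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    BYTE  patch = 0x74;   /* the single byte written (was the low byte of a DWORD) */
    char  msg[128];
    int   rc = 1;

    UpTokenPrivileges(); /* project helper ("elevate"); presumably enables SeDebugPrivilege so processes of other users can be opened -- confirm */

    if (NtWriteVirtualMemory == NULL)
    {
        MessageBoxA(NULL, "NtWriteVirtualMemory not found in ntdll.dll", "patch", MB_OK);
        return 1;
    }

    HANDLE w_hopen = OpenProcess(kAccess, FALSE, kTargetPid);
    if (w_hopen == NULL)   /* the old code passed a NULL handle straight to the syscall */
    {
        wsprintfA(msg, "OpenProcess(%lu) failed, error %lu", kTargetPid, GetLastError());
        MessageBoxA(NULL, msg, "patch", MB_OK);
        return 1;
    }

    DWORD oldProtect = 0;
    /* EXECUTE_READWRITE rather than READWRITE: if the page is code, dropping
       execute for the duration would fault any thread running there. */
    if (!VirtualProtectEx(w_hopen, kTargetAddress, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        wsprintfA(msg, "VirtualProtectEx failed, error %lu", GetLastError());
        MessageBoxA(NULL, msg, "patch", MB_OK);
    }
    else
    {
        ULONG    written = 0;
        NTSTATUS status  = NtWriteVirtualMemory(w_hopen, kTargetAddress, &patch, sizeof(patch), &written);

        /* Put the original protection back whether or not the write worked. */
        DWORD restored = 0;
        VirtualProtectEx(w_hopen, kTargetAddress, sizeof(patch), oldProtect, &restored);

        if (!NT_SUCCESS(status) || written != sizeof(patch))
        {
            wsprintfA(msg, "NtWriteVirtualMemory failed, status 0x%08lX (%lu bytes written)",
                      (unsigned long)status, written);
            MessageBoxA(NULL, msg, "patch", MB_OK);
        }
        else
        {
            FlushInstructionCache(w_hopen, kTargetAddress, sizeof(patch));
            rc = 0;
        }
    }

    CloseHandle(w_hopen);   /* the old code leaked the handle until exit */
    return rc;
}
NtWriteVirtualMemory函数的地址已获取到.难道是我参数的问题吗? 总是失败,郁闷死了.请各位指点一下,我这是第一次这样用.我这是在ring3下调用的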
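/* Prototype of the undocumented ntdll export NtWriteVirtualMemory: target
   process handle, destination address in that process, source buffer, byte
   count, and an optional out-parameter receiving the bytes written.
   The leading `typedef` had been lost from this copy, which turned the
   declaration into a variable of function-pointer type and made the next
   line (using the name as a type) a syntax error. */
typedef
NTSTATUS
(NTAPI *pfnNtWriteVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID  BaseAddress,
    PVOID  Buffer,
    ULONG  BufferLength,
    PULONG ReturnLength OPTIONAL
    );

/* Resolved once at static-initialisation time. GetModuleHandle does not load
   anything, so no DLL search-path lookup -- and no hijack -- happens here;
   ntdll.dll is always already mapped. The result is NULL only if
   GetProcAddress fails, and callers should check before calling through it. */
pfnNtWriteVirtualMemory NtWriteVirtualMemory =
    (pfnNtWriteVirtualMemory)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWriteVirtualMemory");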
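/*
 * Patch one byte in another process through the raw ntdll export
 * NtWriteVirtualMemory (the global function pointer resolved above).
 *
 * Why the previous version always failed: NtWriteVirtualMemory copies into
 * the target subject to the target's current page protection. Unlike
 * kernel32!WriteProcessMemory it does not make the page writable first, so a
 * write into a read-only or execute-only mapping fails with
 * STATUS_ACCESS_VIOLATION. The protection is therefore switched with
 * VirtualProtectEx -- on the *target* process handle, not VirtualProtect on
 * our own address space -- around the write and restored afterwards.
 *
 * PID and address are the hard-coded values from the post. 0x74 is the x86
 * short-JE opcode, which suggests a conditional jump is being patched (not
 * verifiable from here); the instruction cache is flushed after a successful
 * write so that case is covered.
 *
 * Returns 0 when the byte was written, 1 otherwise; the failing step and its
 * Win32 error / NTSTATUS are shown in a message box instead of the old "0".
 */
int main()
{
    const DWORD  kTargetPid     = 632;
    LPVOID const kTargetAddress = (LPVOID)0x6F2A0930;
    /* Least privilege: VirtualProtectEx needs PROCESS_VM_OPERATION and
       NtWriteVirtualMemory needs PROCESS_VM_WRITE. PROCESS_ALL_ACCESS asks for
       far more than is used and is more likely to be refused. */
    const DWORD  kAccess        = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    BYTE  patch = 0x74;   /* the single byte written (was the low byte of a DWORD) */
    char  msg[128];
    int   rc = 1;

    UpTokenPrivileges(); /* project helper ("elevate"); presumably enables SeDebugPrivilege so processes of other users can be opened -- confirm */

    if (NtWriteVirtualMemory == NULL)
    {
        MessageBoxA(NULL, "NtWriteVirtualMemory not found in ntdll.dll", "patch", MB_OK);
        return 1;
    }

    HANDLE w_hopen = OpenProcess(kAccess, FALSE, kTargetPid);
    if (w_hopen == NULL)   /* the old code passed a NULL handle straight to the syscall */
    {
        wsprintfA(msg, "OpenProcess(%lu) failed, error %lu", kTargetPid, GetLastError());
        MessageBoxA(NULL, msg, "patch", MB_OK);
        return 1;
    }

    DWORD oldProtect = 0;
    /* EXECUTE_READWRITE rather than READWRITE: if the page is code, dropping
       execute for the duration would fault any thread running there. */
    if (!VirtualProtectEx(w_hopen, kTargetAddress, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        wsprintfA(msg, "VirtualProtectEx failed, error %lu", GetLastError());
        MessageBoxA(NULL, msg, "patch", MB_OK);
    }
    else
    {
        ULONG    written = 0;
        NTSTATUS status  = NtWriteVirtualMemory(w_hopen, kTargetAddress, &patch, sizeof(patch), &written);

        /* Put the original protection back whether or not the write worked. */
        DWORD restored = 0;
        VirtualProtectEx(w_hopen, kTargetAddress, sizeof(patch), oldProtect, &restored);

        if (!NT_SUCCESS(status) || written != sizeof(patch))
        {
            wsprintfA(msg, "NtWriteVirtualMemory failed, status 0x%08lX (%lu bytes written)",
                      (unsigned long)status, written);
            MessageBoxA(NULL, msg, "patch", MB_OK);
        }
        else
        {
            FlushInstructionCache(w_hopen, kTargetAddress, sizeof(patch));
            rc = 0;
        }
    }

    CloseHandle(w_hopen);   /* the old code leaked the handle until exit */
    return rc;
}
NtWriteVirtualMemory函数的地址已获取到.难道是我参数的问题吗? 总是失败,郁闷死了.请各位指点一下,我这是第一次这样用.我这是在ring3下调用的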
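/*
 * Kernel-mode helper: copy BufferSize bytes from the caller's user-mode buffer
 * Pbuff to BaseAddress inside the process identified by hProcess.
 *
 * hProcess    - handle to the target process, granted at least
 *               PROCESS_VM_WRITE | PROCESS_VM_READ. It is resolved with
 *               UserMode, i.e. as a handle received from the calling user-mode
 *               process (the same assumption ProbeForRead already makes about
 *               Pbuff); a kernel handle is rejected with STATUS_INVALID_HANDLE.
 * BaseAddress - destination address in the target process.
 * Pbuff       - source buffer in the caller's address space (user-mode).
 * BufferSize  - number of bytes to copy; 0 is rejected.
 *
 * Returns STATUS_SUCCESS, or the NTSTATUS of the step that failed (an
 * exception code such as STATUS_ACCESS_VIOLATION for a bad address).
 *
 * Limitation worth knowing for the ring-3 question above: the copy runs
 * through the target's own page tables with the target's protection, so a
 * read-only or execute-only page faults in ProbeForWrite and is reported as
 * STATUS_ACCESS_VIOLATION -- exactly like NtWriteVirtualMemory from user mode.
 * Writing such pages requires changing the protection first (e.g.
 * ZwProtectVirtualMemory while attached) or an MDL mapping; neither is done here.
 *
 * Fixes over the previous version:
 *  - ObReferenceObjectByHandle is given *PsProcessType, so a handle to any
 *    other object type can no longer be cast to PEPROCESS and attached to;
 *    and UserMode, because drivers are told to pass UserMode for handles
 *    received from user space -- with KernelMode the handle's granted access
 *    is not checked against DesiredAccess, so a PROCESS_QUERY-only handle
 *    could write.
 *  - EProcess was dereferenced on the failure path before anything had been
 *    referenced, and ExFreePool was called on NULL when the allocation
 *    failed; both paths now just return.
 *  - A 4-byte marker was stored into the staging buffer before its size was
 *    known to be >= 4 (pool overflow for BufferSize < 4); removed, the copy
 *    overwrites the buffer anyway.
 *  - MmIsAddressValid returns FALSE for committed pages that are merely paged
 *    out, so valid buffers were refused; the probe + SEH already handles bad
 *    addresses, so the pre-check is dropped.
 */
NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
    PEPROCESS  EProcess    = NULL;
    KAPC_STATE ApcState;
    PVOID      writebuffer = NULL;
    NTSTATUS   status;

    if (BufferSize == 0 || Pbuff == NULL || BaseAddress == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    status = ObReferenceObjectByHandle(hProcess,
                                       PROCESS_VM_WRITE | PROCESS_VM_READ,
                                       *PsProcessType,
                                       UserMode,
                                       (PVOID *)&EProcess,
                                       NULL);
    if (!NT_SUCCESS(status))
    {
        return status;  /* nothing was referenced, so no ObDereferenceObject */
    }

    /* Stage the source bytes in non-paged pool first: once attached to the
       target below, the caller's user-mode Pbuff is no longer mapped. */
    writebuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
    if (writebuffer == NULL)
    {
        ObDereferenceObject(EProcess);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    __try
    {
        ProbeForRead(Pbuff, BufferSize, sizeof(CHAR));
        RtlCopyMemory(writebuffer, Pbuff, BufferSize);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        status = GetExceptionCode();
    }

    if (NT_SUCCESS(status))
    {
        KeStackAttachProcess(EProcess, &ApcState);
        __try
        {
            /* ProbeForWrite touches every page of the range, so a non-writable
               or unmapped target page raises here rather than in the copy. */
            ProbeForWrite(BaseAddress, BufferSize, sizeof(CHAR));
            RtlCopyMemory(BaseAddress, writebuffer, BufferSize);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
        }
        KeUnstackDetachProcess(&ApcState);
    }

    ObDereferenceObject(EProcess);
    ExFreePoolWithTag(writebuffer, 'Sys');
    return status;
}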
非常感谢您的指点。我原以为 NtWriteVirtualMemory 跟 WriteProcessMemory 一样，不需要先解除页面保护就能写入……（实际上 WriteProcessMemory 在目标页不可写时会自行先修改页面保护再写，而直接调用 NtWriteVirtualMemory 不会，所以往只读/只执行页写入会失败。）我是第一次用 native 函数，完全是门外汉，谢谢指点，代码我会仔细研究的。
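/* Make the target byte writable, patch it, and restore the old protection.
   Three fixes over the earlier snippet:
   - both protection calls go through VirtualProtectEx with the *target*
     process handle (w_hopen); plain VirtualProtect only changes the calling
     process's own address space and did nothing for the target;
   - the restore call is given a real lpflOldProtect -- VirtualProtect(Ex)
     fails when that pointer is NULL;
   - the region size is the one byte actually written, not the value of
     `temp` (0x74 == 116 bytes).
   PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE so that, if the page is
   code, execute is not dropped while another thread may be running there.
   Note: WriteProcessMemory is generally understood to adjust the protection
   itself; the explicit VirtualProtectEx is what the raw NtWriteVirtualMemory
   call above lacks. */
DWORD OldProtect = 0;
BOOL  patched    = FALSE;
if (::VirtualProtectEx(w_hopen, (LPVOID)0x6F2A0930, 1, PAGE_EXECUTE_READWRITE, &OldProtect))
{
    SIZE_T written  = 0;
    DWORD  restored = 0;
    patched = ::WriteProcessMemory(w_hopen, (LPVOID)0x6F2A0930, &temp, 1, &written) && written == 1;
    ::VirtualProtectEx(w_hopen, (LPVOID)0x6F2A0930, 1, OldProtect, &restored);
    if (patched)
    {
        ::FlushInstructionCache(w_hopen, (LPVOID)0x6F2A0930, 1);
    }
}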