注入DLL到目标进程后,替换$006cbfb7的代码,JMP到新的地址执行后再跳转回去,可是下面的代码为啥不行呀?可以改了$006cbfb7的代码为JMP XXXXXX 可是在XXXX那不是我的代码呀
procedure jmpmyfunc;
var
NewOrder:array [0..5] of Byte;
JmpCode:array [0..10] of Byte;
Tmp : array [0..3] of Byte;
nSize:Cardinal;
Dat: DWORD;
const oldadr=$006cbfb7;begin
JmpCode[0]:=$64; {mov eax,fs[00000000] jmp 006cbfbd}
JmpCode[1]:=$a1;
JmpCode[2]:=$00;
JmpCode[3]:=$00;
JmpCode[4]:=$00;
JmpCode[5]:=$00;
JmpCode[6]:=$e9;
JmpCode[7]:=$ac;
JmpCode[8]:=$bf;
JmpCode[9]:=$38;
JmpCode[10]:=$f4;MyAdr := VirtualAllocEx(ProcessHandle, nil, 512, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //建立内存
Dat := DWORD(@MyAdr);
Move(Dat, Tmp, 4);
NewOrder[0] := $e9 ; {jmp MyAdr}
NewOrder[1] := Tmp[0];
NewOrder[2] := Tmp[1];
NewOrder[3] := Tmp[2];
NewOrder[4] := Tmp[3];
NewOrder[5] := $90;WriteProcessMemory(ProcessHandle, Pointer(oldadr), @NewOrder, 6, nSize);
WriteProcessMemory(ProcessHandle, MyAdr,@JmpCode, 11, nSize);
end;
procedure jmpmyfunc;
var
NewOrder:array [0..5] of Byte;
JmpCode:array [0..10] of Byte;
Tmp : array [0..3] of Byte;
nSize:Cardinal;
Dat: DWORD;
const oldadr=$006cbfb7;begin
JmpCode[0]:=$64; {mov eax,fs[00000000] jmp 006cbfbd}
JmpCode[1]:=$a1;
JmpCode[2]:=$00;
JmpCode[3]:=$00;
JmpCode[4]:=$00;
JmpCode[5]:=$00;
JmpCode[6]:=$e9;
JmpCode[7]:=$ac;
JmpCode[8]:=$bf;
JmpCode[9]:=$38;
JmpCode[10]:=$f4;MyAdr := VirtualAllocEx(ProcessHandle, nil, 512, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //建立内存
Dat := DWORD(@MyAdr);
Move(Dat, Tmp, 4);
NewOrder[0] := $e9 ; {jmp MyAdr}
NewOrder[1] := Tmp[0];
NewOrder[2] := Tmp[1];
NewOrder[3] := Tmp[2];
NewOrder[4] := Tmp[3];
NewOrder[5] := $90;WriteProcessMemory(ProcessHandle, Pointer(oldadr), @NewOrder, 6, nSize);
WriteProcessMemory(ProcessHandle, MyAdr,@JmpCode, 11, nSize);
end;
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货