N年前的东西了 把它稍微改了下可用于 2000 XP 2003
2003 SP1 之后（以及更新的系统）这种在用户态直接读写物理内存的办法貌似已经不行了，只能靠驱动。
用这个可以实现 SSDT INLINE HOOK的查看 还原 等等的基本内核读写
下载地址http://xacker.org/HViewer.rar
程序会扫描 SSDT 中各导出函数的入口地址，可以查看并还原 SSDT 钩子和 INLINE HOOK，也可用来还原冰刃（IceSword）打的 INLINE 钩子，从而轻易对付冰刃。小弟 QQ 40039462，欢迎有兴趣的朋友加入交流。
下面是程序读写内核的代码，使用有一定风险（N 次蓝屏中得出的经验）。如果是 XP，建议改用下面第二段的 NtSystemDebugControl 方法。注意：第一段代码在以写方式打开 \Device\PhysicalMemory 被拒绝时，会改写该节对象的 DACL，给当前用户授予 SECTION_MAP_WRITE；这个改动在对象存在期间（一般是直到重启）一直有效，同一用户身份下的任何进程都可以借此读写物理内存，属于系统级的安全削弱，只应在一次性的分析环境里使用。

Option Explicit
Private Const STATUS_ACCESS_DENIED = &HC0000022
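Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Private Const STATUS_INVALID_HANDLE = &HC0000008
Private Const ERROR_SUCCESS = 0&

' Section access rights requested on \Device\PhysicalMemory.
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
' Standard rights needed to read and replace the section's DACL.
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4

'Private Type IO_STATUS_BLOCK
'    Status As Long
'    Information As Long
'End Type

' Counted string for the native API; Buffer points at UTF-16 text.
Private Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    Buffer As Long
End Type

'Private Const OBJ_INHERIT = &H2
'Private Const OBJ_PERMANENT = &H10
'Private Const OBJ_EXCLUSIVE = &H20
'Private Const OBJ_CASE_INSENSITIVE = &H40
'Private Const OBJ_OPENIF = &H80
'Private Const OBJ_KERNEL_HANDLE = &H200
Private Const OBJ_OPENLINK = &H100
Private Const OBJ_VALID_ATTRIBUTES = &H3F2

Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long                  ' pointer to a UNICODE_STRING
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

'Private Type ACL
'    AclRevision As Byte
'    Sbz1 As Byte
'    AclSize As Integer
'    AceCount As Integer
'    Sbz2 As Integer
'End Type

' --- advapi32 ACL-editing types (EXPLICIT_ACCESS / TRUSTEE) ------------------
Private Enum ACCESS_MODE
    NOT_USED_ACCES
    GRANT_ACCESS
    SET_ACCESS
    DENY_ACCESS
    REVOKE_ACCESS
    SET_AUDIT_SUCCESS
    SET_AUDIT_FAILURE
End Enum

Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE
    TRUSTEE_IS_IMPERSONATE
End Enum

Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID
    TRUSTEE_IS_NAME
End Enum

Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN
    TRUSTEE_IS_USER
    TRUSTEE_IS_GROUP
End Enum

Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As String                 ' name string; SetEntriesInAclA expects ANSI
End Type

Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As ACCESS_MODE
    grfInheritance As Long
    TRUSTEE As TRUSTEE
End Type

'Private Type AceArray
'    List() As EXPLICIT_ACCESS
'End Type

Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT
    SE_SERVICE
    SE_PRINTER
    SE_REGISTRY_KEY
    SE_LMSHARE
    SE_KERNEL_OBJECT
    SE_WINDOW_OBJECT
    SE_DS_OBJECT
    SE_DS_OBJECT_ALL
    SE_PROVIDER_DEFINED_OBJECT
    SE_WMIGUID_OBJECT
End Enum

' --- API imports --------------------------------------------------------------
Private Declare Function SetSecurityInfo _
        Lib "advapi32.dll" (ByVal Handle As Long, _
                            ByVal ObjectType As SE_OBJECT_TYPE, _
                            ByVal SecurityInfo As Long, _
                            ppsidOwner As Long, _
                            ppsidGroup As Long, _
                            ppDacl As Any, _
                            ppSacl As Any) As Long

Private Declare Function GetSecurityInfo _
        Lib "advapi32.dll" (ByVal Handle As Long, _
                            ByVal ObjectType As SE_OBJECT_TYPE, _
                            ByVal SecurityInfo As Long, _
                            ppsidOwner As Long, _
                            ppsidGroup As Long, _
                            ppDacl As Any, _
                            ppSacl As Any, _
                            ppSecurityDescriptor As Long) As Long

Private Declare Function SetEntriesInAcl _
        Lib "advapi32.dll" _
        Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, _
                                  pListOfExplicitEntries As EXPLICIT_ACCESS, _
                                  ByVal OldAcl As Long, _
                                  NewAcl As Long) As Long

' Unused; kept commented out.  (In the original only the first line carried the
' comment marker, so its continuation lines were parsed as code.)
'Private Declare Sub BuildExplicitAccessWithName _
'        Lib "advapi32.dll" _
'        Alias "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, _
'                                              ByVal pTrusteeName As String, _
'                                              ByVal AccessPermissions As Long, _
'                                              ByVal AccessMode As ACCESS_MODE, _
'                                              ByVal Inheritance As Long)

Private Declare Sub RtlInitUnicodeString _
        Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, _
                         ByVal SourceString As Long)

Private Declare Function ZwOpenSection _
        Lib "NTDLL.DLL" (SectionHandle As Long, _
                         ByVal DesiredAccess As Long, _
                         ObjectAttributes As Any) As Long

Private Declare Function LocalFree _
        Lib "kernel32" (ByVal hMem As Any) As Long

Private Declare Function CloseHandle _
        Lib "kernel32" (ByVal hObject As Long) As Long

Private Declare Function MapViewOfFile _
        Lib "kernel32" (ByVal hFileMappingObject As Long, _
                        ByVal dwDesiredAccess As Long, _
                        ByVal dwFileOffsetHigh As Long, _
                        ByVal dwFileOffsetLow As Long, _
                        ByVal dwNumberOfBytesToMap As Long) As Long

' Declared ByRef As Any: callers MUST write `UnmapViewOfFile ByVal hView`.
' Passing the variable plainly hands the kernel the address of the local
' variable, the unmap fails, and every mapped page leaks.
Private Declare Function UnmapViewOfFile _
        Lib "kernel32" (lpBaseAddress As Any) As Long

' Both pointer arguments are raw addresses (ByVal Long), e.g. VarPtr(x).
Private Declare Sub CopyMemory _
        Lib "kernel32" _
        Alias "RtlMoveMemory" (ByVal Destination As Long, _
                               ByVal Source As Long, _
                               ByVal Length As Long)

'Private g_hNtDLL As Long
Private g_pMapPhysicalMemory As Long    ' view of the kernel page directory (OpenPhysicalMemory)
Private g_hMPM As Long                  ' handle to the \Device\PhysicalMemory section
Dim aByte(3) As Byte                    ' scratch bytes for splitting a Long

'=========OS=============
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long
Private VerInfo As OSVERSIONINFO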
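' (An accidental second copy of the post text and of the whole module header
'  above was pasted here.  It re-declared every constant, Type, Enum and API
'  import, which VB6 rejects as duplicate definitions; the copy is removed.)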
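' Opens the \Device\PhysicalMemory section and maps the page directory that
' LinearToPhys walks.  Returns the section handle (also kept in g_hMPM) on
' success and 0 on failure.  Side effects: sets g_hMPM and g_pMapPhysicalMemory;
' if the first open is denied, the section's DACL is rewritten (see
' SetPhyscialMemorySectionCanBeWrited) and that change outlives this process.
' NOTE(review): the original paste lost this signature; it is reconstructed from
' the assignments `OpenPhysicalMemory = g_hMPM` / `= False` and the error label.
Public Function OpenPhysicalMemory() As Long
    On Error GoTo OpenPhysicalMemory_Err
    Dim Status As Long
    Dim PhysmemString As UNICODE_STRING
    Dim Attributes As OBJECT_ATTRIBUTES
    Dim lDirectoty As Long

    g_pMapPhysicalMemory = 0
    RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
    With Attributes
        .Length = Len(Attributes)
        .RootDirectory = 0
        .ObjectName = VarPtr(PhysmemString)
        .Attributes = 0
        .SecurityDescriptor = 0
        .SecurityQualityOfService = 0
    End With

    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    If Status = STATUS_ACCESS_DENIED Then
        ' The default DACL does not grant write access.  Reopen with just the
        ' rights needed to edit the DACL (which administrators normally hold),
        ' grant ourselves SECTION_MAP_WRITE, and try again.
        Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
        If Status <> 0 Then Exit Function
        SetPhyscialMemorySectionCanBeWrited g_hMPM
        CloseHandle g_hMPM
        g_hMPM = 0
        Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    End If
    If Status <> 0 Then Exit Function

    ' Physical address of the kernel page directory this code relies on:
    ' &H30000 on Windows 2000 (5.0), &H39000 on XP (5.1).  The original had no
    ' value for 5.2 and then mapped physical page 0 as the directory (garbage
    ' translations); we fail closed instead.  TODO confirm the 5.2 base before
    ' adding a Case 2.
    VerInfo.dwOSVersionInfoSize = Len(VerInfo)
    If GetVersionEx(VerInfo) <> 0 Then
        If VerInfo.dwPlatformId = 2 And VerInfo.dwMajorVersion = 5 Then
            Select Case VerInfo.dwMinorVersion
                Case 0: lDirectoty = &H30000
                Case 1: lDirectoty = &H39000
            End Select
        End If
    End If
    If lDirectoty = 0 Then
        CloseHandle g_hMPM
        g_hMPM = 0
        Exit Function
    End If

    ' 4 = SECTION_MAP_READ; one page holds the whole non-PAE page directory.
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, &H1000)
    If g_pMapPhysicalMemory <> 0 Then
        OpenPhysicalMemory = g_hMPM
    Else
        CloseHandle g_hMPM
        g_hMPM = 0
    End If
    Exit Function
OpenPhysicalMemory_Err:
    OpenPhysicalMemory = False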
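End Function

' Translates a 32-bit virtual address to a physical address by walking the
' two-level (non-PAE) page tables through the page directory mapped at
' BaseAddress (the view created by OpenPhysicalMemory).  Returns 0 when the
' directory or table entry is not present, or on any error.
' Parameters: BaseAddress - user-mode address of the mapped page directory;
'             Addr        - virtual address to translate.
' NOTE(review): only 4-byte PDE/PTE entries with the 4 MB large-page bit (&H80)
' are handled; a PAE kernel uses 8-byte entries and a PDPT, so this walk returns
' nonsense there -- confirm the target is not booted with /PAE.
' Fix vs. original: the page-table view was only unmapped when the PTE was
' present, and it was unmapped by passing the variable ByRef (UnmapViewOfFile
' is declared `As Any`), so every call leaked a 4 KB view.
Private Function LinearToPhys(BaseAddress As Long, Addr As Long) As Long
    On Error GoTo LinearToPhys_Err
    Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
    Dim pdIndex As Long, ptIndex As Long, hTable As Long

    VAddr = Addr
    ' Bits 31..22 select the PDE.  Masking before dividing keeps the result exact
    ' for kernel addresses, which are negative when held in a VB Long.
    pdIndex = ((VAddr And &HFFC00000) \ &H400000) And &H3FF
    CopyMemory VarPtr(PGDE), BaseAddress + pdIndex * 4, 4
    If (PGDE And 1) = 0 Then GoTo Done              ' PDE not present

    If (PGDE And &H80) Then
        ' 4 MB page: the PDE holds the frame; the low 22 bits are the offset.
        PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
    Else
        ' Map the page table's physical page and read the PTE (bits 21..12).
        hTable = MapViewOfFile(g_hMPM, SECTION_MAP_READ, 0, PGDE And &HFFFFF000, &H1000)
        If hTable = 0 Then GoTo Done
        ptIndex = (VAddr And &H3FF000) \ &H1000
        CopyMemory VarPtr(PTE), hTable + ptIndex * 4, 4
        UnmapViewOfFile ByVal hTable                 ' always release the view
        If (PTE And 1) Then
            PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
        End If
    End If
Done:
    LinearToPhys = PAddr
    Exit Function
LinearToPhys_Err:
    LinearToPhys = False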
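End Function

' Adds an ACE granting SECTION_MAP_WRITE on hSection to the calling user
' (special trustee name "CURRENT_USER").  Called by OpenPhysicalMemory when the
' write-mode open of \Device\PhysicalMemory is denied; hSection must have been
' opened with READ_CONTROL Or WRITE_DAC.
' Security note: this edits the DACL of a kernel object shared by the whole
' system and never restores it, so after one successful call every process
' running as this user can map physical memory for writing until the object
' goes away (normally at reboot).  Use only on a disposable analysis machine.
' Fix vs. original: API results are checked, and LocalFree is only called on
' buffers that were actually allocated (the original freed whatever happened to
' be in the uninitialised pointers after a failed GetSecurityInfo).
Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
    Dim pDacl As Long
    Dim pNewDacl As Long
    Dim pSD As Long
    Dim EA As EXPLICIT_ACCESS

    If GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, _
                       0, 0, pDacl, 0, pSD) <> ERROR_SUCCESS Then Exit Sub

    With EA
        .grfAccessPermissions = SECTION_MAP_WRITE
        .grfAccessMode = GRANT_ACCESS
        .grfInheritance = NO_INHERITANCE
        .TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
        .TRUSTEE.TrusteeType = TRUSTEE_IS_USER
        .TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar
    End With

    ' Merge the new ACE into the existing DACL, then write it back to the object.
    If SetEntriesInAcl(1, EA, pDacl, pNewDacl) = ERROR_SUCCESS Then
        SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, _
                        0, 0, ByVal pNewDacl, 0
        LocalFree pNewDacl
    End If
    LocalFree pSD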
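End Sub

' Releases the page-directory view and the section handle opened by
' OpenPhysicalMemory and clears the module globals.  Returns True unless an
' error is raised.  The DACL change made on open is NOT undone here.
' Fix vs. original: g_pMapPhysicalMemory is a view base address, not a handle;
' the original passed it to CloseHandle (which fails) and never unmapped it.
Public Function ClosePhysicalMemory() As Boolean
    On Error GoTo ClosePhysicalMemory_Err
    If g_pMapPhysicalMemory <> 0 Then
        UnmapViewOfFile ByVal g_pMapPhysicalMemory
        g_pMapPhysicalMemory = 0
    End If
    If g_hMPM <> 0 Then
        CloseHandle g_hMPM
        g_hMPM = 0
    End If
    ClosePhysicalMemory = True
    Exit Function
ClosePhysicalMemory_Err:
    ClosePhysicalMemory = False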
End Function

' Interprets the first four bytes of inByte() as an unsigned little-endian
' 32-bit value.  Returned as Double because values >= 2^31 do not fit a Long.
Private Function ByteArrToLong(inByte() As Byte) As Double
    Dim acc As Double
    Dim weight As Double
    Dim idx As Byte
    weight = 1
    For idx = 0 To 3
        acc = acc + inByte(idx) * weight
        weight = weight * &H100
    Next idx
    ByteArrToLong = acc
End Function
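' Reads up to 4 bytes at kernel virtual address VAddr and returns them packed
' into a Long (little-endian; unread high bytes stay 0).  Returns 0 on failure.
' Length is clamped to 1..4 (it is ByRef, so the caller's variable is clamped
' too, as in the original).
' Fix vs. original: a failed translation (PAddr = 0) used to map physical page 0
' and return garbage; a value in the last 3 bytes of a page was copied past the
' end of the mapped view; UnmapViewOfFile was called with the variable ByRef,
' leaking the view.  A value that fits in one page is still read with a single
' copy; only a page-straddling value falls back to byte-wise reads.
Public Function GetData(VAddr As Long, Optional Length As Long = 4) As Long
    On Error GoTo GetData_Err
    Dim PAddr As Long, hView As Long, Ret As Long, i As Long

    If Length < 1 Then Exit Function
    Length = IIf(Length > 4, 4, Length)

    PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr)
    If PAddr = 0 Then Exit Function
    If (PAddr And &HFFF) + Length <= &H1000 Then
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_READ, 0, PAddr And &HFFFFF000, &H1000)
        If hView = 0 Then Exit Function
        CopyMemory VarPtr(Ret), hView + (PAddr And &HFFF), Length
        UnmapViewOfFile ByVal hView
    Else
        ' Straddles a page: the next physical page is not the next virtual page,
        ' so translate and map each byte separately.
        For i = 0 To Length - 1
            PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr + i)
            If PAddr = 0 Then Exit Function
            hView = MapViewOfFile(g_hMPM, SECTION_MAP_READ, 0, PAddr And &HFFFFF000, &H1000)
            If hView = 0 Then Exit Function
            CopyMemory VarPtr(Ret) + i, hView + (PAddr And &HFFF), 1
            UnmapViewOfFile ByVal hView
        Next i
    End If
    GetData = Ret
    Exit Function
GetData_Err:
    GetData = False
End Function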
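' Reads Length bytes starting at kernel virtual address VAddr into RetByte()
' (re-dimensioned to 0..Length-1).  Suited to small reads: every chunk is
' translated and mapped separately.  ReadCount is the maximum number of bytes
' copied per mapping (default 1).  Returns True only if every byte was read.
' Fix vs. original: a chunk could run past the end of RetByte when Length was
' not a multiple of ReadCount and could cross the end of the mapped physical
' page; a failed translation read physical page 0; a failed map was silently
' skipped yet True was returned; and the view was never unmapped (ByRef arg).
Public Function GetDataEx(VAddr As Long, Length As Long, RetByte() As Byte, Optional ReadCount As Long = 1) As Boolean
    On Error GoTo GetDataEx_Err
    Dim PAddr As Long, hView As Long
    Dim i As Long, chunk As Long

    If Length < 1 Or ReadCount < 1 Then Exit Function
    ReDim RetByte(Length - 1)

    i = 0
    Do While i < Length
        PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr + i)
        If PAddr = 0 Then Exit Function
        ' Never copy past the caller's buffer or past the end of this 4 KB page;
        ' the next physical page is generally not the next virtual page.
        chunk = ReadCount
        If chunk > Length - i Then chunk = Length - i
        If chunk > &H1000 - (PAddr And &HFFF) Then chunk = &H1000 - (PAddr And &HFFF)
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_READ, 0, PAddr And &HFFFFF000, &H1000)
        If hView = 0 Then Exit Function
        CopyMemory VarPtr(RetByte(i)), hView + (PAddr And &HFFF), chunk
        UnmapViewOfFile ByVal hView
        i = i + chunk
    Loop
    GetDataEx = True
    Exit Function
GetDataEx_Err:
    GetDataEx = False
End Function
' Use with care -- a bad address can crash the program.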
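' Copies Length bytes starting at kernel virtual address StartAddr into
' lpBuffer() (re-dimensioned to 0..Length-1), one physical page at a time.
' Returns True only if the whole range was read; on False the buffer is partial.
' Fix vs. original: lpBuffer was ReDim'ed (zeroed) on every iteration so only
' the last chunk survived; the copy always landed at the buffer start and read
' from RAddr + ReadLength (a double offset); the first iteration copied 0 bytes
' because leftLength started at 0; a &H1000 chunk from a mid-page offset ran
' off the end of the view; a failed map or translation looped forever; and
' UnmapViewOfFile was passed the variable ByRef.
Public Function DumpKernelMemory(ByVal StartAddr As Long, ByVal Length As Long, ByRef lpBuffer() As Byte) As Boolean
    On Error GoTo DumpKernelMemory_Err_Hdl
    Dim PAddr As Long, hView As Long
    Dim done As Long, chunk As Long
    Const PageSize As Long = &H1000

    If Length < 1 Then Exit Function
    ReDim lpBuffer(Length - 1)

    Do While done < Length
        PAddr = LinearToPhys(g_pMapPhysicalMemory, StartAddr + done)
        If PAddr = 0 Then Exit Function
        ' Stay inside the current physical page; re-translate for the next one.
        chunk = PageSize - (PAddr And &HFFF)
        If chunk > Length - done Then chunk = Length - done
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_READ, 0, PAddr And &HFFFFF000, PageSize)
        If hView = 0 Then Exit Function
        CopyMemory VarPtr(lpBuffer(done)), hView + (PAddr And &HFFF), chunk
        UnmapViewOfFile ByVal hView
        done = done + chunk
    Loop
    DumpKernelMemory = True
    Exit Function
DumpKernelMemory_Err_Hdl:
    DumpKernelMemory = False
End Function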
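' Writes the low Length bytes (1..4) of Data to kernel virtual address VAddr.
' Returns True on success.  Length is ByRef and is clamped like in GetData.
' DANGER: a wrong address, or a write into code/data the kernel is using, will
' crash the machine; there is no safety net.
' Fix vs. original: no write to physical page 0 after a failed translation, no
' copy across the end of the mapped page, and the view is unmapped with ByVal.
' A value that fits in one page is still written with ONE copy -- important
' when patching a 4-byte SSDT entry that other CPUs may dispatch through at the
' same time; only a page-straddling value falls back to byte-wise writes.
Public Function SetData(ByVal VAddr As Long, ByVal Data As Long, Optional Length As Long = 4) As Boolean
    On Error GoTo SetData_Err
    Dim PAddr As Long, hView As Long, i As Long

    If Length < 1 Then Exit Function
    Length = IIf(Length > 4, 4, Length)

    PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr)
    If PAddr = 0 Then Exit Function
    If (PAddr And &HFFF) + Length <= &H1000 Then
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, PAddr And &HFFFFF000, &H1000)
        If hView = 0 Then Exit Function
        CopyMemory hView + (PAddr And &HFFF), VarPtr(Data), Length
        UnmapViewOfFile ByVal hView
    Else
        ' Straddles a page: translate and map each byte on its own.
        For i = 0 To Length - 1
            PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr + i)
            If PAddr = 0 Then Exit Function
            hView = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, PAddr And &HFFFFF000, &H1000)
            If hView = 0 Then Exit Function
            CopyMemory hView + (PAddr And &HFFF), VarPtr(Data) + i, 1
            UnmapViewOfFile ByVal hView
        Next i
    End If
    SetData = True
    Exit Function
SetData_Err:
    SetData = False
End Function
' Suited to small writes -- use with care...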
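' Writes the whole of Data() to kernel virtual address VAddr, at most WriteCount
' bytes per mapping (default 1).  Returns True only if every byte was written.
' Use with care: nothing checks that the target is safe to modify.
' Fix vs. original: the function never assigned True (it always returned
' False); it assumed Data() is zero-based; a chunk could cross the end of the
' mapped page; a failed map was skipped without failing the call; and the view
' was unmapped by passing the variable ByRef.
Public Function SetDataEx(VAddr As Long, Data() As Byte, Optional WriteCount As Long = 1) As Boolean
    On Error GoTo SetDataEx_Err
    Dim PAddr As Long, hView As Long
    Dim total As Long, done As Long, chunk As Long

    If WriteCount < 1 Then Exit Function
    total = UBound(Data) - LBound(Data) + 1        ' raises (-> False) if Data() is unallocated
    If total < 1 Then Exit Function

    Do While done < total
        PAddr = LinearToPhys(g_pMapPhysicalMemory, VAddr + done)
        If PAddr = 0 Then Exit Function
        ' Clamp to what is left and to the end of the current 4 KB page.
        chunk = WriteCount
        If chunk > total - done Then chunk = total - done
        If chunk > &H1000 - (PAddr And &HFFF) Then chunk = &H1000 - (PAddr And &HFFF)
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, PAddr And &HFFFFF000, &H1000)
        If hView = 0 Then Exit Function
        CopyMemory hView + (PAddr And &HFFF), VarPtr(Data(LBound(Data) + done)), chunk
        UnmapViewOfFile ByVal hView
        done = done + chunk
    Loop
    SetDataEx = True
    Exit Function
SetDataEx_Err:
    SetDataEx = False
End Function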
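' Writes Length bytes from lpBuffer() to kernel virtual address StartAddr, one
' physical page at a time.  RetStatus (optional) receives 0 on success or
' STATUS_UNSUCCESSFUL (&HC0000001) on failure, following the NTSTATUS
' convention of the NtSystemDebugControl variant.  Returns True only if every
' byte was written.  DANGER: can crash the system.
' Fix vs. original: the first iteration copied 0 bytes (leftLength started at
' 0); &H1000 chunks from a mid-page offset ran past the view; a failed map or
' translation spun forever; RetStatus was never set; and the view was unmapped
' with the variable passed ByRef.
Public Function ModifyKernelMemory(ByVal StartAddr As Long, ByVal Length As Long, ByRef lpBuffer() As Byte, Optional ByRef RetStatus As Long) As Boolean
    On Error GoTo ModifyKernelMemory_Err_Hdl
    Dim PAddr As Long, hView As Long
    Dim done As Long, chunk As Long
    Const PageSize As Long = &H1000
    Const STATUS_UNSUCCESSFUL As Long = &HC0000001

    RetStatus = STATUS_UNSUCCESSFUL
    If Length < 1 Then Exit Function
    If UBound(lpBuffer) - LBound(lpBuffer) + 1 < Length Then Exit Function

    Do While done < Length
        PAddr = LinearToPhys(g_pMapPhysicalMemory, StartAddr + done)
        If PAddr = 0 Then Exit Function
        ' Stay inside the current physical page; re-translate for the next one.
        chunk = PageSize - (PAddr And &HFFF)
        If chunk > Length - done Then chunk = Length - done
        hView = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, PAddr And &HFFFFF000, PageSize)
        If hView = 0 Then Exit Function
        CopyMemory hView + (PAddr And &HFFF), VarPtr(lpBuffer(LBound(lpBuffer) + done)), chunk
        UnmapViewOfFile ByVal hView
        done = done + chunk
    Loop
    RetStatus = 0
    ModifyKernelMemory = True
    Exit Function
ModifyKernelMemory_Err_Hdl:
    ModifyKernelMemory = False
End Function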
下面这段是 NtSystemDebugControl 方法：由内核自己校验地址，不用改 DACL、也不用手工查页表，所以比上面的方法稳定得多；当然写错了地址同样会把系统弄崩。它需要 SeDebugPrivilege（通常意味着管理员身份），而且按上面说的，只在 XP / 2003 上可用，2003 SP1 以后这些拷贝内存的命令貌似就不再工作了。
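Option Explicit

' --- API imports --------------------------------------------------------------
Private Declare Function AdjustTokenPrivileges _
        Lib "advapi32.dll" (ByVal TokenHandle As Long, _
                            ByVal DisableAllPriv As Long, _
                            ByRef NewState As TOKEN_PRIVILEGES, _
                            ByVal BufferLength As Long, _
                            ByRef PreviousState As TOKEN_PRIVILEGES, _
                            ByRef pReturnLength As Long) As Long

Private Declare Function GetCurrentProcess _
        Lib "kernel32" () As Long

Private Declare Function GetVersionEx _
        Lib "kernel32" _
        Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long

Private Declare Function LookupPrivilegeValue _
        Lib "advapi32.dll" _
        Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, _
                                       ByVal lpName As String, _
                                       lpLuid As LUID) As Long

' Undocumented kernel-debugger interface.  The memory-copy commands need
' SeDebugPrivilege and, per the post above, stop working from 2003 SP1 on.
' pReturnLength is ByRef Long: pass the variable itself, not VarPtr(var).
Private Declare Function NtSystemDebugControl _
        Lib "NTDLL.DLL" (ByVal scCommand As SYSDBG_COMMAND, _
                         ByVal pInputBuffer As Long, _
                         ByVal InputBufferLength As Long, _
                         ByVal pOutputBuffer As Long, _
                         ByVal OutputBufferLength As Long, _
                         ByRef pReturnLength As Long) As Long

Private Declare Function OpenProcessToken _
        Lib "advapi32.dll" (ByVal ProcessHandle As Long, _
                            ByVal DesiredAccess As Long, _
                            TokenHandle As Long) As Long

'=========Checking OS staff=============
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

' Input block for the SysDbgCopyMemoryChunks_* commands: Address is the kernel
' (or physical) address, pData the user-mode buffer, Length the byte count.
Private Type MEMORY_CHUNKS
    Address As Long
    pData As Long
    Length As Long
End Type

Private Type LUID
    UsedPart As Long
    IgnoredForNowHigh32BitPart As Long
End Type

' In the original the `Private Type TOKEN_PRIVILEGES` line was commented out
' (it shared a line with the preceding End Type), leaving its members dangling.
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    TheLuid As LUID
    Attributes As Long
End Type

Private Enum SYSDBG_COMMAND
    ' The first five exist on every Windows NT version.
    SysDbgGetTraceInformation = 1
    SysDbgSetInternalBreakpoint = 2
    SysDbgSetSpecialCall = 3
    SysDbgClearSpecialCalls = 4
    SysDbgQuerySpecialCalls = 5
    ' Added in NT 5.1 (XP).
    SysDbgDbgBreakPointWithStatus = 6
    ' Returns KdVersionBlock.
    SysDbgSysGetVersion = 7
    ' Kernel -> user or user -> user copy; cannot write into kernel space.
    SysDbgCopyMemoryChunks_0 = 8            ' a.k.a. SysDbgReadVirtualMemory
    ' User -> kernel or user -> user copy; cannot read out of kernel space.
    SysDbgCopyMemory_1 = 9 ' placeholder replaced below
End Enum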
Dim VerInfo As OSVERSIONINFOPublic Function InitMemoryControl() As Boolean
InitMemoryControl = True
InitMemoryControl = InitMemoryControl And IsSupportedOS
InitMemoryControl = InitMemoryControl And EnablePrivilege(SE_DEBUG)
End FunctionPublic Function IsSupportedOS() As Boolean
On Error GoTo IsSupportedOS_Err_Hdl
IsSupportedOS = False
VerInfo.dwOSVersionInfoSize = Len(VerInfo) If (GetVersionEx(VerInfo)) <> 0 Then
If VerInfo.dwPlatformId = 2 Then
If VerInfo.dwMajorVersion = 5 Then If (VerInfo.dwMinorVersion > 0) Then
IsSupportedOS = True
End If End If
End If
End If
IsSupportedOS_Err_Hdl:End Function
Private Function EnablePrivilege(ByVal seName As String) As Boolean
On Error Resume Next
Dim p_lngRtn As Long
Dim p_lngToken As Long
Dim p_lngBufferLen As Long
Dim p_typLUID As LUID
Dim p_typTokenPriv As TOKEN_PRIVILEGES
Dim p_typPrevTokenPriv As TOKEN_PRIVILEGES
p_lngRtn = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or _
TOKEN_QUERY, p_lngToken) If p_lngRtn = 0 Then
EnablePrivilege = False
Exit Function
End If If err.LastDllError <> 0 Then
EnablePrivilege = False
Exit Function
End If p_lngRtn = LookupPrivilegeValue(0&, seName, p_typLUID) If p_lngRtn = 0 Then
EnablePrivilege = False
Exit Function
End If p_typTokenPriv.PrivilegeCount = 1
p_typTokenPriv.Attributes = SE_PRIVILEGE_ENABLED
p_typTokenPriv.TheLuid = p_typLUID
EnablePrivilege = (AdjustTokenPrivileges(p_lngToken, False, p_typTokenPriv, Len( _
p_typPrevTokenPriv), p_typPrevTokenPriv, p_lngBufferLen) <> 0)
End FunctionPrivate Function NT_SUCCESS(ByVal nsStatus As Long) As Boolean
NT_SUCCESS = (nsStatus >= 0)
End Function
On Error GoTo ModifyKernelMemory_Err_Hdl
Dim mc As MEMORY_CHUNKS
Dim retv&, retl&
With mc
.Address = StartAddr
.Length = Length
.pData = VarPtr(lpBuffer(LBound(lpBuffer)))
End With
Dim st As Long: st = &HC0000001 'unsuccessful
st = NtSystemDebugControl(SysDbgCopyMemoryChunks_1, VarPtr(mc), Len(mc), 0&, 0&, VarPtr(retl))
RetStatus = st
ModifyKernelMemory_Err_Hdl:
ModifyKernelMemoryEx = NT_SUCCESS(st)
End FunctionPublic Function DumpKernelMemoryEx(ByVal StartAddr As Long, ByVal Length As Long, ByRef lpBuffer() As Byte) As Boolean
On Error GoTo DumpKernelMemory_Err_Hdl
Dim mc As MEMORY_CHUNKS
Dim retv&, retl&
ReDim lpBuffer(Length - 1)
With mc
.Address = StartAddr
.Length = Length
.pData = VarPtr(lpBuffer(LBound(lpBuffer)))
End With
Dim st As Long
st = NtSystemDebugControl(SysDbgCopyMemoryChunks_0, VarPtr(mc), Len(mc), 0&, 0&, VarPtr(retl))
DumpKernelMemory_Err_Hdl:
DumpKernelMemoryEx = NT_SUCCESS(st)
End FunctionPublic Function SetDataEx(ByVal addr As Long, _
ByVal data As Long) As Boolean
Dim mc As MEMORY_CHUNKS
Dim retv&, retl&
With mc
.Address = addr
.Length = Len(addr)
.pData = VarPtr(data)
End With
Dim st As Long
st = NtSystemDebugControl(SysDbgCopyMemoryChunks_1, VarPtr(mc), Len(mc), 0&, 0&, VarPtr(retl))
SetDataEx = NT_SUCCESS(st)
End Function
Public Function GetDataEx(ByVal addr As Long) As Long
Dim mc As MEMORY_CHUNKS
Dim retv&, retl&
With mc
.Address = addr
.Length = Len(addr)
.pData = VarPtr(retv)
End With
Dim st As Long
st = NtSystemDebugControl(SysDbgCopyMemoryChunks_0, VarPtr(mc), Len(mc), 0&, 0&, VarPtr(retl))
GetDataEx = retv
If (Not NT_SUCCESS(st)) Then GetDataEx = 0
End Function
http://xacker.org/showdown.asp?soft_id=221
在城市英雄被高手耍来耍去,3个PERFECT经常出现.......上面代码可能导致出错的主要原因在于
转换的物理内存地址不连续 COPYMEMORY时就会...
使用上面的代码时尽量一个字节一个字节的读(其他想不出什么好办法..) 就不会出现不稳定情况了...
希望高手在VB下给出解决办法...
会2001 应该很容易上手 上手后可能就放不下了 哈哈
到时别怪我拉你们下水啊!然后补充一下 其实我最强的是 七枷社(殿后) 八神打头阵
基本上是八神一摆对方三 小七很少出场 哈哈!