|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
LoadLibrary这个方式的话,我的那个使用GetCurrentProcess也是可以的,伪句柄跟实际句柄没啥区别,而且还不用释放! 从内存载入,相对安全性更高一些,也更隐蔽 |
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
// Forum post text: "This is the .h file code."
//
// Declarations shared by the manual PE-mapping test program posted in this thread.
#include <Windows.h>

// NTSTATUS value that the test compares the ZwQueryInformationProcess result against.
#define STATUS_SUCCESS ((NTSTATUS)0L)

// Only one information class is declared here.
// NOTE(review): the test code on this page does not use ProcessDebugPort; it
// passes the raw value 0x1e cast to this enum type instead.
enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };

// Function-pointer type used to call ZwQueryInformationProcess through an
// address resolved at run time.
typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength);

// Output buffer handed to the query: a single HANDLE-sized field.
typedef struct _PROCESS_DEBUG_PORT_INFO { HANDLE DebugPort; } PROCESS_DEBUG_PORT_INFO;

// Header validation and export lookup on an image that is already in memory.
PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule);
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name);

// Manual mappers: build an image in private memory from a file or from a resource.
HMODULE LoadLibraryByFile(const char * pszDllPath);
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType);

// Size and end-address helpers.
// NOTE(review): all four return DWORD (32 bits). The two *End helpers add a size
// to (DWORD)hModule, so in a 64-bit build the upper half of the address is lost;
// the thread's own conclusion further down the page is that DWORD casts on
// addresses are the cause of the Win10 64-bit failures.
DWORD GetPECodeEnd(HMODULE hModule);
DWORD GetPEImageEnd(HMODULE hModule);
DWORD GetPEImageSize(HMODULE hModule);
DWORD GetCodeSize(HMODULE hModule);
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
// Forum post text: "This is the test code I wrote; everyone is welcome to review it."
//
// TestMemoryDll.cpp : Defines the entry point for the console application.
//
// What the code below does: it reads a DLL from disk (or from a resource),
// copies headers and sections into memory obtained with VirtualAlloc, applies
// base relocations, fills the import table, calls the image's entry point and
// then resolves an export by walking the export directory by hand.
//
// NOTE(review), applies to the whole file: addresses are repeatedly cast to
// DWORD and the import thunks are read through PIMAGE_THUNK_DATA32. DWORD is
// 32 bits wide, so in a 64-bit build every such cast drops the upper half of
// the pointer. The last technical post on this page reaches the same
// conclusion for a module loaded at 0x00007ffaXXXX0000. Pointer arithmetic
// needs a pointer-sized integer type (ULONG_PTR / DWORD_PTR).
//
// NOTE(review), applies to the whole file: none of the offsets, counts or
// sizes read from the PE headers (e_lfanew, SizeOfImage, SizeOfHeaders,
// NumberOfSections, PointerToRawData, SizeOfRawData, directory RVAs,
// SizeOfBlock) are checked against the size of the buffer they index, so a
// malformed or truncated file leads to out-of-bounds reads and writes.
//
// NOTE(review): the mapped image lives in private PAGE_EXECUTE_READWRITE
// memory and nothing in this file registers it with the OS loader.
// Writable-and-executable private memory that holds a PE image is a condition
// memory scanners commonly report.

#include "stdafx.h"
#include <assert.h>
#include "TestMemoryDll.h"

// Signature used to call the entry point of a manually mapped DLL.
typedef BOOL (__stdcall * fnDllMain)(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved);

// Returns the NT headers of the image at hModule, or NULL when either the DOS
// signature or the NT signature does not match.
// NOTE(review): hModule is dereferenced without a NULL check and e_lfanew is
// used as an offset without any bound.
PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule)
{
    PBYTE pImage = (PBYTE)hModule;
    PIMAGE_DOS_HEADER pImageDosHeader;
    PIMAGE_NT_HEADERS pImageNtHeader;
    pImageDosHeader = (PIMAGE_DOS_HEADER)pImage;
    if(pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
    {
        pImageNtHeader = (PIMAGE_NT_HEADERS)&pImage[pImageDosHeader->e_lfanew];
        if(pImageNtHeader->Signature==IMAGE_NT_SIGNATURE)
        {
            return pImageNtHeader;
        }
    }
    return NULL;
}

// Resolves an export of the image at hModule by walking its export directory.
//   hModule - image base; when NULL the base of the current executable is used.
//   name    - export name, or an ordinal passed as a pointer value below 0x10000.
// Returns the computed function address, or NULL when the image has no export
// directory, no names/functions, or the name/ordinal is not found.
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name)
{
    if(!hModule)
    {
        hModule = GetModuleHandle(0);
    }
    PBYTE pDest = (PBYTE)hModule;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    PIMAGE_DATA_DIRECTORY pDirectory;
    PIMAGE_EXPORT_DIRECTORY pExport;
    DWORD i, *nameRef;
    WORD *ordinal;
    int idx=-1;
    // No signature check here, unlike AnalyaisImage/CheckPEFile.
    pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
    pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
    pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if(pDirectory->Size==0)
        return NULL;
    // (DWORD)pDest truncates the base in a 64-bit build; every address derived
    // from it below is then wrong.
    pExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pDest + pDirectory->VirtualAddress);
    if(pExport->NumberOfNames == 0 || pExport->NumberOfFunctions == 0)
        return NULL;
    ordinal = (WORD *) ((DWORD)pDest + pExport->AddressOfNameOrdinals);
    if((DWORD)(name) < 0x10000)
    {
        // Lookup by ordinal: reject values outside [Base, Base + NumberOfFunctions).
        if ((DWORD)name >= pExport->NumberOfFunctions+pExport->Base || (DWORD)name < pExport->Base)
            return NULL;
        // NOTE(review): this stores base + function RVA (an address) in idx, but
        // idx is used as a table index after the if/else. The ordinal path
        // therefore looks broken; the index would be (DWORD)name - pExport->Base.
        idx = (DWORD)pDest+((DWORD*)((DWORD)pDest+pExport->AddressOfFunctions))[(DWORD)name-pExport->Base];
    }else
    {
        // Lookup by name: linear scan of the name table; the ordinal table is
        // advanced in step so *ordinal is the function index of the current name.
        nameRef = (DWORD *) ((DWORD)pDest + pExport->AddressOfNames);
        for (i=0; i<pExport->NumberOfNames; i++, nameRef++, ordinal++)
        {
            //printf("%s--------------%s\n",name,(DWORD)pDest + (*nameRef));
            if (strcmp(name, (const char *) ((DWORD)pDest + (*nameRef))) == 0)
            {
                idx = *ordinal;
                break;
            }
        }
    }
    if (idx == -1)
    {
        return NULL;
    }
    // NOTE(review): '>' lets idx == NumberOfFunctions through, which is one past
    // the last table entry; '>=' is presumably intended.
    if ((DWORD)idx > pExport->NumberOfFunctions)
    {
        return NULL;
    }
    // NOTE(review): the RVA is returned as base + RVA without checking whether it
    // points back into the export directory (a forwarded export), in which case
    // the result would not be code.
    return (FARPROC) ((DWORD)hModule + (*(DWORD *) ((DWORD)hModule + pExport->AddressOfFunctions + (idx*4))));
}

// Copies every section's raw data from the file buffer pSrc to its virtual
// address inside the destination image pDest. Sections without raw data get
// SectionAlignment bytes zeroed instead. The section header's
// Misc.PhysicalAddress field is overwritten with the destination address.
// NOTE(review): PointerToRawData and SizeOfRawData are not checked against the
// source size, and VirtualAddress + size is not checked against SizeOfImage,
// so both the memcpy and the memset can run outside their buffers.
void CopySection(PBYTE pSrc,PBYTE pDest)
{
    unsigned int i,size;
    PIMAGE_DOS_HEADER pImageDosSrc;
    PIMAGE_NT_HEADERS pImageNtSrc;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    PIMAGE_SECTION_HEADER pSection;
    pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
    pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
    pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
    pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
    // The section table is walked in the destination copy of the headers.
    pSection = IMAGE_FIRST_SECTION(pImageNtDest);
    for(i=0;i<pImageNtDest->FileHeader.NumberOfSections;i++,pSection++)
    {
        if(pSection->SizeOfRawData == 0)
        {
            // Section with no file data: zero one alignment unit.
            size = pImageNtSrc->OptionalHeader.SectionAlignment;
            if(size > 0)
            {
                // PhysicalAddress is a DWORD field, so the stored address is
                // truncated in a 64-bit build before memset uses it.
                pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
                memset((PVOID)pSection->Misc.PhysicalAddress,0,size);
            }
            continue;
        }
        pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
        memcpy((PVOID)pSection->Misc.PhysicalAddress, (PVOID)((DWORD)pSrc + pSection->PointerToRawData), pSection->SizeOfRawData);
    }
}

// Walks the import descriptors at imgbase + impoff, loads each referenced DLL
// with LoadLibraryA and writes the GetProcAddress result for every thunk into
// the FirstThunk array.
// NOTE(review): imgbase is a DWORD, and the thunks are read as
// PIMAGE_THUNK_DATA32 with the 32-bit ordinal test, so this only matches a
// 32-bit image mapped below 4 GiB.
// NOTE(review): neither LoadLibraryA nor GetProcAddress results are checked; a
// failed lookup leaves a NULL slot in the table that is later called through.
void GetImportInfo(DWORD imgbase,DWORD impoff)
{
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(imgbase+impoff);
    HMODULE hModuleSys;
    DWORD i,p;
    PIMAGE_THUNK_DATA32 pimpthunk;
    PIMAGE_IMPORT_BY_NAME pimpname;
    FARPROC* pimpwrite;
    FARPROC pFunc;
    // The descriptor array ends at the first entry whose Characteristics is 0.
    for(i=0;pImport[i].Characteristics!=0;i++)
    {
        hModuleSys = LoadLibraryA((LPCSTR)(pImport[i].Name + imgbase));
        pimpthunk = (PIMAGE_THUNK_DATA32)(pImport[i].OriginalFirstThunk + imgbase);
        pimpwrite = (FARPROC*)(pImport[i].FirstThunk + imgbase);
        for(p=0;pimpthunk[p].u1.AddressOfData!=0;p++)
        {
            pimpname = (PIMAGE_IMPORT_BY_NAME)((DWORD)pimpthunk[p].u1.AddressOfData+imgbase);
            if(IMAGE_SNAP_BY_ORDINAL32(pimpthunk[p].u1.AddressOfData))
            {
                // Import by ordinal.
                pFunc = GetProcAddress(hModuleSys,(LPCSTR)IMAGE_ORDINAL(pimpthunk[p].u1.AddressOfData));
                pimpwrite[p] = pFunc;
            }else
            {
                // Import by name.
                pFunc = GetProcAddress(hModuleSys,(LPCSTR)&pimpname->Name);
                pimpwrite[p] = pFunc;
            }
        }
    }
}

// Resolves the imports of the mapped image pDest; does nothing when the image
// has no import directory. pSrc's headers are located but not used further.
void LoadImport(PBYTE pSrc,PBYTE pDest)
{
    PIMAGE_DOS_HEADER pImageDosSrc;
    PIMAGE_NT_HEADERS pImageNtSrc;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    PIMAGE_DATA_DIRECTORY pDirectory;
    pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
    pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
    pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
    pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
    pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if(!pDirectory->VirtualAddress)
        return;
    // The base is narrowed to DWORD at this call.
    GetImportInfo((DWORD)pDest,pDirectory->VirtualAddress);
}

// Compares every import-table slot of the image at hModule with what
// GetProcAddress returns for the same import. Returns false when the image has
// no import directory or when any slot differs, true otherwise.
// Not called anywhere in the code shown on this page.
// NOTE(review): LoadLibraryA raises the reference count of each imported DLL and
// nothing here releases it; the thunks are read as 32-bit thunks.
bool check_import(HMODULE hModule)
{
    PBYTE pImage = (PBYTE)hModule;
    PIMAGE_DOS_HEADER pImageDos;
    PIMAGE_NT_HEADERS pImageNT;
    PIMAGE_DATA_DIRECTORY pDataDirectory;
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
    pImageDos = (PIMAGE_DOS_HEADER)pImage;
    pImageNT = (PIMAGE_NT_HEADERS)&pImage[pImageDos->e_lfanew];
    pDataDirectory = &pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if(!pDataDirectory->VirtualAddress)
        return false;
    pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)&pImage[pDataDirectory->VirtualAddress];
    for(int i=0;pImportDescriptor[i].Characteristics!=0;i++)
    {
        HMODULE hCurrentModule = LoadLibraryA((LPCSTR)(&pImage[pImportDescriptor[i].Name]));
        PIMAGE_THUNK_DATA32 pCurrentImportThunk = (PIMAGE_THUNK_DATA32)(&pImage[pImportDescriptor[i].OriginalFirstThunk]);
        FARPROC* pCurrentImportList = (FARPROC*)(&pImage[pImportDescriptor[i].FirstThunk]);
        for(int m_imp=0;pCurrentImportThunk[m_imp].u1.AddressOfData!=0;m_imp++)
        {
            if(IMAGE_SNAP_BY_ORDINAL32(pCurrentImportThunk[m_imp].u1.AddressOfData))
            {
                if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)IMAGE_ORDINAL(pCurrentImportThunk[m_imp].u1.AddressOfData)))
                    return false;
            }else
            {
                if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)&((PIMAGE_IMPORT_BY_NAME)&pImage[pCurrentImportThunk[m_imp].u1.AddressOfData])->Name))
                    return false;
            }
        }
    }
    return true;
}

// Walks three levels of the resource directory of the image at pDest and adds
// the image base to the OffsetToData of the data entries reached at the third
// level. Both call sites in this file are commented out.
// NOTE(review): the innermost loop increments k but never advances pEntry3, so
// the same data entry is adjusted nEntries3 times.
// NOTE(review): pDirStr is assigned and never read.
void FixupResource(PBYTE pDest)
{
    DWORD imagebase;
    PIMAGE_RESOURCE_DIRECTORY pRes;
    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry;
    DWORD nEntries;
    DWORD i;
    PIMAGE_RESOURCE_DIRECTORY pRes2;
    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry2;
    DWORD nEntries2;
    PIMAGE_RESOURCE_DIR_STRING_U pDirStr;
    PIMAGE_RESOURCE_DIRECTORY pRes3;
    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry3;
    DWORD nEntries3;
    DWORD j;
    DWORD k;
    PIMAGE_RESOURCE_DATA_ENTRY pData;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
    pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
    // The base is taken from the header field, not from pDest.
    imagebase = pImageNtDest->OptionalHeader.ImageBase;
    if(!pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress)
        return;
    pRes = (PIMAGE_RESOURCE_DIRECTORY)(imagebase + pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
    nEntries = pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;
    pEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));
    for (i = 0; i < nEntries; ++i, ++pEntry)
    {
        if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData)
        {
            // Second level; offsets are relative to the root directory pRes.
            pRes2 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes + (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData));
            nEntries2 = pRes2->NumberOfIdEntries + pRes2->NumberOfNamedEntries;
            pEntry2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
            for (j = 0; j < nEntries2; ++j, ++pEntry2)
            {
                if (IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name)
                {
                    pDirStr = (PIMAGE_RESOURCE_DIR_STRING_U)((DWORD)pRes + (~IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name));
                }
                if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData)
                {
                    // Third level.
                    pRes3 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes + (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData));
                    nEntries3 = pRes3->NumberOfIdEntries + pRes3->NumberOfNamedEntries;
                    pEntry3 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes3 + sizeof(IMAGE_RESOURCE_DIRECTORY));
                    for (k = 0; k < nEntries3; ++k)
                    {
                        // NOTE(review): this asserts that some bit other than the
                        // directory flag is set, which is not the same as asserting
                        // that the directory flag is clear.
                        assert(~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry3->OffsetToData);
                        pData = (PIMAGE_RESOURCE_DATA_ENTRY)((DWORD)pRes + pEntry3->OffsetToData);
                        pData->OffsetToData += (DWORD)imagebase;
                    }
                }
            }
        }
    }
}

// Reads a whole file into memory allocated with VirtualAlloc.
//   lpFileName - file to read.
//   ReadSize   - receives the file size, then the byte count reported by ReadFile.
// Returns the buffer, or NULL on failure.
// NOTE(review): the file is only read when the FIRST open fails; the fallback
// then retries under the system directory. When the first open succeeds the
// function falls through to "return NULL" and the open handle is never closed.
// NOTE(review): the fallback path checks none of CreateFileA, GetFileSize or
// VirtualAlloc, so a missing file reaches ReadFile with an invalid handle and
// a size of INVALID_FILE_SIZE.
// NOTE(review): the buffer only holds file bytes that are copied elsewhere, yet
// it is allocated PAGE_EXECUTE_READWRITE; PAGE_READWRITE would be enough.
PVOID ReadData(IN LPCSTR lpFileName,OUT DWORD* ReadSize)
{
    PBYTE pLibrarySrc;
    HANDLE hFile = CreateFileA(lpFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
    {
        char szSysDir[256] = {0};
        int nSysDirLen = 0;
        // nSysDirLen is stored but never used to bound the concatenation below.
        nSysDirLen = GetSystemDirectory(szSysDir,256);
        // Unbounded strcat into a 256-byte stack buffer: a long lpFileName overflows it.
        strcat(szSysDir,"\\");
        strcat(szSysDir,lpFileName);
        // This declaration shadows the outer hFile.
        HANDLE hFile = CreateFileA(szSysDir,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        *ReadSize = GetFileSize(hFile,NULL);
        pLibrarySrc = (PBYTE)VirtualAlloc(0,*ReadSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if(!ReadFile(hFile,pLibrarySrc,*ReadSize,ReadSize,NULL))
        {
            CloseHandle(hFile);
            // MEM_DECOMMIT returns the pages but keeps the address range reserved.
            VirtualFree(pLibrarySrc,*ReadSize,MEM_DECOMMIT);
            return NULL;
        }
        CloseHandle(hFile);
        return (PVOID)pLibrarySrc;
    }
    return NULL;
}

// Checks the DOS and NT signatures of a buffer and stores the NT-header pointer
// in *pImageNtDest. Returns TRUE when both signatures match.
// NOTE(review): the buffer length is not a parameter, so e_lfanew cannot be
// validated here; only the two magic values are checked, nothing about machine
// type or 32/64-bit optional-header format.
BOOL CheckPEFile(PIMAGE_DOS_HEADER pImageDosDest,PIMAGE_NT_HEADERS* pImageNtDest)
{
    PBYTE pImage = (PBYTE)pImageDosDest;
    if(pImageDosDest->e_magic!=IMAGE_DOS_SIGNATURE)
        return FALSE;
    *pImageNtDest = (PIMAGE_NT_HEADERS)&pImage[pImageDosDest->e_lfanew];
    if((*pImageNtDest)->Signature!=IMAGE_NT_SIGNATURE)
        return FALSE;
    return TRUE;
}

// Applies base relocations to the mapped image pDest, using the difference
// between pDest and the ImageBase recorded in the source headers.
// Handles ABSOLUTE (skipped), HIGH, LOW and HIGHLOW entries; every other type
// falls into the default case and is left unpatched.
// NOTE(review): dwBaseDelta is a DWORD computed from (DWORD)pDest, so the delta
// is only meaningful when both addresses fit in 32 bits.
// NOTE(review): the walk stops only at a block whose VirtualAddress is 0 and
// ignores the directory's Size; a block with SizeOfBlock == 0 never advances.
void LoadRelocation(PBYTE pSrc,PBYTE pDest)
{
    PIMAGE_DOS_HEADER pImageDosSrc;
    PIMAGE_NT_HEADERS pImageNtSrc;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    PIMAGE_DATA_DIRECTORY pDirectory;
    PIMAGE_BASE_RELOCATION pRelocation;
    DWORD dwOriginAddress;
    DWORD dwBaseDelta;
    PWORD pData;
    int i,size;
    DWORD* dwRelocationPointer;
    int iType;
    pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
    pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
    pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
    pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
    pDirectory = (PIMAGE_DATA_DIRECTORY)&pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if(!pDirectory->VirtualAddress)
        return;
    pRelocation = (PIMAGE_BASE_RELOCATION)(pDirectory->VirtualAddress + (DWORD)pDest);
    // The original ImageBase is read from the source headers because the
    // callers overwrite the field in the destination copy before calling this.
    dwOriginAddress = pImageNtSrc->OptionalHeader.ImageBase;
    dwBaseDelta = (DWORD)pDest - dwOriginAddress;
    while(pRelocation->VirtualAddress!=0)
    {
        // Entry count = (block size - block header) / 2 bytes per entry. The
        // header size is taken from IMAGE_DATA_DIRECTORY here and written as the
        // literal 8 on the next line; presumably IMAGE_BASE_RELOCATION was meant.
        size = (pRelocation->SizeOfBlock-sizeof(IMAGE_DATA_DIRECTORY))/2;
        pData = (PWORD)((DWORD)pRelocation + 8);
        for (i=0;i<size;i++)
        {
            // High 4 bits: relocation type; low 12 bits: offset within the block's page.
            iType = pData[i] >> 12;
            dwRelocationPointer = (DWORD*)((DWORD)pDest + ((pData[i] & 0x0fff) + pRelocation->VirtualAddress));
            switch(iType)
            {
            case IMAGE_REL_BASED_ABSOLUTE:
                break;
            case IMAGE_REL_BASED_HIGH:
                *(PWORD)dwRelocationPointer = (WORD)(((dwBaseDelta + *(PWORD)dwRelocationPointer) >> 16) & 0xFFFF);
                break;
            case IMAGE_REL_BASED_LOW:
                *(PWORD)dwRelocationPointer = (WORD)((dwBaseDelta + *(PWORD)dwRelocationPointer) & 0xFFFF);
                break;
            case IMAGE_REL_BASED_HIGHLOW:
                *dwRelocationPointer = *dwRelocationPointer + dwBaseDelta;
                break;
            default:
                break;
            }
        }
        pRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pRelocation + pRelocation->SizeOfBlock);
    }
}

// Maps a DLL stored as a resource of the current executable into private memory
// and calls its entry point with DLL_PROCESS_ATTACH.
//   wResID      - resource identifier.
//   pszFileType - resource type string.
// Returns the base of the mapped image, or NULL when the resource is missing or
// fails the signature check.
// NOTE(review): FindResourceA's result is passed on unchecked; dwReadSize is
// obtained but never used to bound any of the later copies.
// NOTE(review): VirtualAlloc's result is not checked before memcpy.
// NOTE(review): the whole image stays PAGE_EXECUTE_READWRITE; per-section
// protections are never applied.
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType)
{
    DWORD dwReadSize;
    PBYTE pLibrarySrc;
    PBYTE pLibraryDest;
    PIMAGE_DOS_HEADER pImageDosSrc;
    PIMAGE_NT_HEADERS pImageNtSrc;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    HRSRC hrsc = FindResourceA(NULL, MAKEINTRESOURCEA(wResID),pszFileType);
    HGLOBAL hG = LoadResource(NULL, hrsc);
    dwReadSize = SizeofResource( NULL, hrsc);
    pLibrarySrc = (PBYTE)hG;
    if(pLibrarySrc!=NULL)
    {
        pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
        if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
            return NULL;
        pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        //copy header
        // NOTE(review): the length is e_lfanew + SizeOfHeaders and is compared
        // with neither the resource size nor SizeOfImage.
        memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);
        pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
        pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
        // Record the new base in the destination headers (truncated to DWORD).
        pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;
        CopySection(pLibrarySrc,pLibraryDest);
        LoadRelocation(pLibrarySrc,pLibraryDest);
        //FixupResource(pLibraryDest);
        LoadImport(pLibrarySrc,pLibraryDest);
        // Code from the mapped image runs here; the return value is ignored.
        if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
            ((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
        //pImageDosDest->e_magic = 0;
        //pImageNtDest->Signature = 0;
        return (HMODULE)pLibraryDest;
    }
    return NULL;
}

// Same mapping sequence as LoadLibraryByResource, with the source bytes read
// from a file through ReadData.
//   pszDllPath - file name handed to ReadData.
// Returns the base of the mapped image, or NULL on read or signature failure.
// NOTE(review): the first VirtualFree passes MEM_COMMIT as the free type, which
// is an allocation flag and not a free type; the second uses MEM_DECOMMIT with
// the byte count from ReadFile. Releasing the source buffer presumably calls for
// VirtualFree(pLibrarySrc, 0, MEM_RELEASE) in both places.
// NOTE(review): the same unchecked VirtualAlloc, unchecked header-copy length
// and permanent PAGE_EXECUTE_READWRITE mapping as in LoadLibraryByResource.
HMODULE LoadLibraryByFile(const char * pszDllPath)
{
    DWORD dwReadSize;
    PBYTE pLibrarySrc;
    PBYTE pLibraryDest;
    PIMAGE_DOS_HEADER pImageDosSrc;
    PIMAGE_NT_HEADERS pImageNtSrc;
    PIMAGE_DOS_HEADER pImageDosDest;
    PIMAGE_NT_HEADERS pImageNtDest;
    pLibrarySrc = (PBYTE)ReadData(pszDllPath,&dwReadSize);
    if(pLibrarySrc!=NULL)
    {
        pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
        if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
        {
            VirtualFree(pLibrarySrc,dwReadSize,MEM_COMMIT);
            return NULL;
        }
        pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        //copy header
        memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);
        pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
        pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
        pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;
        CopySection(pLibrarySrc,pLibraryDest);
        LoadRelocation(pLibrarySrc,pLibraryDest);
        //FixupResource(pLibraryDest);
        LoadImport(pLibrarySrc,pLibraryDest);
        // The file buffer is no longer needed once the image has been built.
        VirtualFree(pLibrarySrc,dwReadSize,MEM_DECOMMIT);
        // Code from the mapped image runs here; the return value is ignored.
        if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
            ((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
        //pImageDosDest->e_magic = 0;
        //pImageNtDest->Signature = 0;
        return (HMODULE)pLibraryDest;
    }
    return NULL;
}

// Returns OptionalHeader.SizeOfCode of the image at hModule, or 0 (written as
// NULL) when the signatures do not match.
// NOTE(review): pImgNt is the address of an array element, so the if(pImgNt)
// test looks redundant.
DWORD GetCodeSize(HMODULE hModule)
{
    PBYTE pInfo = (PBYTE)hModule;
    PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
    PIMAGE_NT_HEADERS pImgNt;
    if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
    {
        pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
        if(pImgNt)
        {
            if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
            {
                return pImgNt->OptionalHeader.SizeOfCode;
            }
        }
    }
    return NULL;
}

// Returns OptionalHeader.SizeOfImage of the image at hModule, or 0 (written as
// NULL) when the signatures do not match.
DWORD GetPEImageSize(HMODULE hModule)
{
    PBYTE pInfo = (PBYTE)hModule;
    PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
    PIMAGE_NT_HEADERS pImgNt;
    if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
    {
        pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
        if(pImgNt)
        {
            if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
            {
                return pImgNt->OptionalHeader.SizeOfImage;
            }
        }
    }
    return NULL;
}

// Base + SizeOfImage as a DWORD; the base is truncated in a 64-bit build.
DWORD GetPEImageEnd(HMODULE hModule)
{
    return ((DWORD)hModule + GetPEImageSize(hModule));
}

// Base + SizeOfCode as a DWORD; the base is truncated in a 64-bit build.
DWORD GetPECodeEnd(HMODULE hModule)
{
    return ((DWORD)hModule + GetCodeSize(hModule));
}

// Define the function pointer type (not used in the code shown on this page).
typedef BOOL (__stdcall *MSGBOX)(char *,char *);

// Looks up ZwQueryInformationProcess in the manually mapped image and calls it
// on the current process, printing one of two messages depending on whether
// the call returns STATUS_SUCCESS.
// NOTE(review): the information class is the raw value 0x1e, not the
// ProcessDebugPort = 7 enumerator from the header; 0x1e is commonly documented
// as ProcessDebugObjectHandle. Confirm which query is intended.
// NOTE(review): hModule comes from LoadLibraryByFile (see _tmain), that is from
// VirtualAlloc and not from the OS loader, yet it is handed to FreeLibrary.
// The region presumably has to be released with VirtualFree instead.
void Test(HMODULE hModule)
{
    if(hModule)
    {
        ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess;
        ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)MyGetProcAddress(hModule,"ZwQueryInformationProcess");
        if(ZwQueryInformationProcess)
        {
            PROCESS_DEBUG_PORT_INFO ProcessInfo;
            // The pseudo-handle from GetCurrentProcess needs no CloseHandle.
            if (STATUS_SUCCESS==ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo), NULL))
            {
                printf("I Win!\n");
            }
            else
            {
                printf("I got the exe!\n");
            }
        }
        FreeLibrary(hModule);
    }
}

// Entry point: maps a second copy of ntdll.dll from disk and runs Test on it.
// ReadData only finds the file through its system-directory fallback, and only
// when no "ntdll.dll" can be opened via the plain relative name first.
int _tmain(int argc, _TCHAR* argv[])
{
    Test(LoadLibraryByFile("ntdll.dll"));
    system("pause");
    return 0;
}
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
恩,这个我测试过了,一样的结果,都是地址无效,程序崩溃! |
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
我查看了一下导出函数,这个函数在Ntdll里没有导出,而且问题不是出现在这个函数,而是系统,Win10 系统里,如果我从ntdll的基址开始分配空间,加载ntdll的话,函数一切正常,但是我如果让windows自动分配的话,找到该函数的地址,反馈给我的是地址无效,甚至程序崩溃! |
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
这个是参数是没错的,用法也是没错的,这是在查看当前进程是否被调试,Win7可以正常运行,是Win10 运行不了 |
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
其实我很想知道,为什么函数地址我都找到了,但是调用的时候Win10系统会提示我地址无效 |
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
有所作为终比什么也不做好吧 |
|
|
|
[求助]Win10 64位系统不支持ZwQueryInformationProcess
我怀疑Win10上还有什么其他隐性的问题被忽略了,如果正常按照ntdll.dll的database位置加载的话,就没有任何问题,但是开辟新的内存空间就不行 |
|
[求助][求助]Windows10 64位系统获取kernel32.dll内函数失败
恩,但是还有两个问题没解决: 1.为何ImageRVAToVA()获取到的输出表地址比实际地址少了0x1000? 2.为何Win10 64位系统加载Kernel32.dll的地址跟Win7 64位系统加载Kernel32.dll的地址差别如此之大?居然还动用了前8位的地址段? |
|
[求助][求助]Windows10 64位系统获取kernel32.dll内函数失败
问题原因大致已经搞清楚了!分以下几点说一下: 1.在Win10 64位操作系统上这段代码会溢出的原因是pimED获取的这个地址是错误的,pimED得到的地址只是实际地址的后8位(十六进制,即低32位) 2.(DWORD)a,这是个错误的使用方式,它获得到的地址只有后八位,也就造成了pimED地址的错误 3.有一点值得注意,我曾经试过直接使用ImageRVAToVA()这个函数去取输出表的地址,但是很可惜,结果也是错的,和实际结果差了0x1000,个人感觉这个绝不是巧合,但是原因没有查明,因为汇编不好,也就没继续追踪,如果有大神去研究,不妨把原因分享一下,嘿嘿! 4.之所以Win7 64位系统这段代码没问题是因为,Win7操作系统加载Kernel32的地址就是在后八位的地址中,而Win10 64位系统加载Kernel32的地址为0x00007ffaXXXX0000,已经超过DWORD的长度了 |
|
[求助]PE格式中的两个问题
第一个问题中的判断是有意义的,就是判断要做赋值的结构是否在最大数量范围内 |
|
[求助]PE格式中的两个问题
别人给的号,亲,能否帮忙解答上述问题? |