// 这里是MSG 硬编码,(本人当前机器是XP Sp2 英文系统,硬编码的)
BYTE szWriteBuffer[] = {
0x6a, 0x40, 0x68, 0xe2, 0x24, 0xa6, 0x7c, 0x68, 0xe2, 0x24, 0xa6, 0x7c, 0x6a, 0x00, 0xe8, 0x0c,
0xe0, 0x31, 0xfb, 0xc2, 0x10, 0x00, 0x90, 0xb0, 0xeb, 0xbd, 0xef, 0xb0, 0xcb, 0xc1, 0xbd, 0xb7,
0xb4, 0xb2, 0xb9, 0xb6, 0xa1, 0x00};
HMODULE hModule = GetModuleHandle("Kernel32.dll");
LPVOID lpWriteFun = GetProcAddress(hModule, "WriteProcessMemory");
// 英文计算器
HWND hWnd = ::FindWindow(NULL, "Calculator");
DWORD dwPID = 0;
GetWindowThreadProcessId(hWnd, &dwPID);
HANDLE hTarget = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
WriteProcessMemory(hTarget, TARGET_ADDRESS, szWriteBuffer, sizeof(szWriteBuffer), NULL);
DWORD dwOldProtect = 0;
VirtualProtect(lpWriteFun, 0x1, PAGE_NOACCESS, &dwOldProtect);
7C80220F > 8BFF mov edi,edi ; // WriteProcessMemory
7C802211 55 push ebp
7C802212 8BEC mov ebp,esp
7C802214 |. 51 push ecx
7C802215 |. 51 push ecx
7C802216 |. 8B45 0C mov eax,[arg.2]
我们用JMP指令来修改到任意一个EIP.
7C80220F > - E9 EBDD7F03 jmp 7FFFFFFF ; // WriteProcessMemory
7C802214 |. 51 push ecx
7C802215 |. 51 push ecx
7C802216 |. 8B45 0C mov eax,[arg.2]
// 这里是MSG 硬编码,(本人当前机器是XP Sp2 英文系统,硬编码的)
BYTE szWriteBuffer[] = {
0x6a, 0x40, 0x68, 0xe2, 0x24, 0xa6, 0x7c, 0x68, 0xe2, 0x24, 0xa6, 0x7c, 0x6a, 0x00, 0xe8, 0x0c,
0xe0, 0x31, 0xfb, 0xc2, 0x10, 0x00, 0x90, 0xb0, 0xeb, 0xbd, 0xef, 0xb0, 0xcb, 0xc1, 0xbd, 0xb7,
0xb4, 0xb2, 0xb9, 0xb6, 0xa1, 0x00};
void CPage1::OnAntiMonitor()
{
HMODULE hModule = LoadLibrary("WriteMem.dll");
DWORD WriteFun = (DWORD)GetProcAddress(hModule, "WriteProcessMemory");
BOOL (WINAPI *lpWriteFun)(HANDLE , LPVOID , LPCVOID , SIZE_T , SIZE_T *);
lpWriteFun = (int (__stdcall *)(void *,void *,const void *,
unsigned long,unsigned long *))WriteFun;
// 英文计算器
HWND hWnd = ::FindWindow(NULL, "Calculator");
DWORD dwPID = 0;
GetWindowThreadProcessId(hWnd, &dwPID);
HANDLE hTarget = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
// WriteProcessMemory
lpWriteFun(hTarget, TARGET_ADDRESS, szWriteBuffer, sizeof(szWriteBuffer), NULL);
}
// 特征码地址
#define SIGNATURE_ADDRESS (LPVOID)0x004E6716
// 特征码大小
#define SIGNATURE_SIZE 0x4
BYTE szSignature[MAXBYTE] = {0};
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 Process32 = {0};
Process32.dwSize = sizeof(PROCESSENTRY32);
BOOL bRect = Process32First(hSnapshot, &Process32);
while(bRect)
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, Process32.th32ProcessID);
if(!hProcess)
{
bRect = Process32Next(hSnapshot, &Process32);
continue;
}
ReadProcessMemory(hProcess, SIGNATURE_ADDRESS,
szSignature, SIGNATURE_SIZE, NULL);
if(*szSignature == 0xa1)
{
AfxMessageBox("扫描到特征码, 表示检测到内存监视",
MB_ICONINFORMATION);
/*
...do
*/
}
bRect = Process32Next(hSnapshot, &Process32);
}
00400154 > 8725 D45F6200 xchg dword ptr ds:[625FD4],esp ; // AddressOfEntryPoint
0040015A 61 popad
0040015B 94 xchg eax,esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0040015E B6 80 mov dh,80
0013FDC8 004E55DD /CALL to CreateFileA from 内存写入.004E55D8
0013FDCC 004E64C4 |FileName = "MemWrite.sys"
0013FDD0 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0013FDD4 00000001 |ShareMode = FILE_SHARE_READ
0013FDD8 00000000 |pSecurity = NULL
0013FDDC 00000002 |Mode = CREATE_ALWAYS
0013FDE0 00000000 |Attributes = 0
0013FDE4 00000000 \hTemplateFile = NULL
0013FDB0 004E5E4F /CALL to CreateFileA from 内存写入.004E5E4A
0013FDB4 00B338FC |FileName = "\\.\MemWrite"
0013FDB8 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0013FDBC 00000000 |ShareMode = 0
0013FDC0 00000000 |pSecurity = NULL
0013FDC4 00000003 |Mode = OPEN_EXISTING
0013FDC8 00000080 |Attributes = NORMAL
0013FDCC 00000000 \hTemplateFile = NULL
HANDLE hSymbolic = CreateFile("\\\\.\\MemWrite",
GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(INVALID_HANDLE_VALUE != hSymbolic)
{
AfxMessageBox("检测到符号链接...:)", MB_ICONERROR);
/*
do...
*/
}
else
{
AfxMessageBox("没有发现符号链接~~~:)", MB_ICONINFORMATION);
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后那个一字节异常有点看头。前面的等于科普了。。。。
膜拜啊。。。学习了
