能力值:
( LV5,RANK:60 )
|
-
-
2 楼
PsAcquireProcessExitSynchronization是必须的,
winxp下,就用另外一个未公开的函数...
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
大哥,哪个未公开的函数,我把我源码贴一下
#pragma PAGECODE
ULONG readmemory(IN ULONG windowh,IN ULONG BaseAdd,IN ULONG BufferSize)
{
KeAcquireSpinLockAtDpcLevel(&lock1);
HANDLE ProcessId =(HANDLE) RealNtUserQueryWindow(windowh, 0);
//HANDLE ProcessId =(HANDLE)windowh;
if (!ProcessId)return NULL;
PEPROCESS EProcess=NULL;
KAPC_STATE ApcState;
//PVOID readbuffer=NULL;
PVOID BaseAddress=(PVOID)BaseAdd;
ULONG status=NULL;
__try
{
status=PsLookupProcessByProcessId(ProcessId,&EProcess);
if (status != STATUS_SUCCESS)
{
//ObDereferenceObject(EProcess);
KdPrint(("PsLookupProcessByProcessId函数失败\n"));
KeReleaseSpinLockFromDpcLevel(&lock1);
status = NULL;
goto end;
}
}
__except(1)
{
status = NULL;
goto end;
}
//readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
/*
__try
{
readbuffer = ExAllocatePool (NonPagedPool, BufferSize);
if(readbuffer==NULL)
{
//ExFreePoolWithTag(readbuffer, 'Sys');
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
readbuffer=NULL;
KdPrint(("ExAllocatePoolWithTag返回失败"));
status = NULL;
goto tend;
}
*(ULONG*)readbuffer=(ULONG)0x0;
}
__except(1)
{
ObDereferenceObject(EProcess);
status = NULL;
goto tend;
}
*/
__try
{
KeStackAttachProcess ((PRKPROCESS)EProcess, &ApcState);
}
__except(1)
{
ObDereferenceObject(EProcess);
status = NULL;
goto end;
}
__try
{
if (MmIsAddressValid(BaseAddress))
{
ULONG readbuffer=0;
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (&readbuffer, BaseAddress, BufferSize);
//status=*(ULONG*)readbuffer;
status=readbuffer;
//KdPrint(("读到的内存=%i",(*(ULONG*)readbuffer)));
}
else
{
//KdPrint(("MmIsAddressValid返回失败\n"));
status = NULL;
goto tend;
}
}
__except(1)
{
//KdPrint(("内存不可读\n"));
status = NULL;
goto tend;
}
tend:
__try
{
KeUnstackDetachProcess (&ApcState);
ObDereferenceObject(EProcess);
//ExFreePool (readbuffer);
//readbuffer=NULL;
//KdPrint(("IoReadMemory完成"));
}
__except(1)
{
status = NULL;
goto end;
}
end:
KeReleaseSpinLockFromDpcLevel(&lock1);
return status;
}
|
能力值:
( LV2,RANK:10 )
|
-
-
4 楼
看看dump的信息吧,看提示的什么 走到哪里蓝的
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
不会,菜鸟Y.Y
|
能力值:
( LV4,RANK:50 )
|
-
-
6 楼
1.看该函数执行时的irql等级
2.是否使用了如ansi转unicode之类的函数(unicode表是放在分页内存的.如果使用.有几率触发切换.如果irql等级高.则会蓝屏)
|
能力值:
( LV2,RANK:10 )
|
-
-
7 楼
如果irql等级高.则会蓝屏,可能是这个原因,具体能贴两句代码吗,大哥,我新手
|
能力值:
( LV2,RANK:10 )
|
-
-
8 楼
if (!ProcessId)return NULL;
|
能力值:
( LV2,RANK:10 )
|
-
-
9 楼
这句代码有问题?
|
能力值:
( LV2,RANK:10 )
|
-
-
10 楼
慢慢试 别着急 相信在不久的将来你会成功的
|
能力值:
( LV2,RANK:10 )
|
-
-
11 楼
感觉就是irql的问题
|
能力值:
( LV15,RANK:440 )
|
-
-
12 楼
大致看了下,感觉这句可能有些问题,LZ妨测试下。
RtlCopyMemory (&readbuffer, BaseAddress, BufferSize);
&readbuffer 是一个栈地址吧?这样你把数据复制到栈里了,而不是动态申请的内存中。
|
能力值:
( LV2,RANK:10 )
|
-
-
13 楼
不能复制到栈里?我以前是复制到动态分配的内存里,也是蓝屏
|
能力值:
( LV2,RANK:10 )
|
-
-
14 楼
错误代码0x0000000A IRQL NOT OR LESS EQUAL
|
能力值:
( LV2,RANK:10 )
|
-
-
15 楼
解决了,因为XP和WIN7内存管理不一样的原因,XP如果读了高八位的内存,就会蓝屏,而WIN7不会
|
|
|
|
