首页
社区
课程
招聘
[求助]Win10 64位系统不支持ZwQueryInformationProcess
发表于: 2017-1-9 18:19 18047

[求助]Win10 64位系统不支持ZwQueryInformationProcess

2017-1-9 18:19
18047
测试程序为32的exe
测试系统为Win10 64位,Win7 64位系统
测试代码为:
ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess;
PROCESS_DEBUG_PORT_INFO ProcessInfo;
ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)MyGetProcAddress(hModule,"ZwQueryInformationProcess");
ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo), NULL))


其中MyGetProcAddress是从把ntdll加载到自己的内存空间中(使用的方法是VirtualAlloc开辟一段空间),然后进行重定位修复,最终获取ZwQueryInformationProcess函数的地址
这段代码在Win7上是没有问题,但是Win10系统中最后一行代码会导致程序崩溃,GetLastError为487

如下是两种加载ntdll.dll的方式
1.
这个是从ntdll.dll的基址处加载ntdll
code = (unsigned char *)VirtualAlloc((LPVOID)(ntdllHeader->OptionalHeader.ImageBase), old_header->OptionalHeader.SizeOfImage, MEM_RESERVE, PAGE_READWRITE);

2.
这个是让系统分配位置来装载ntdll
code = (unsigned char *)VirtualAlloc(NULL, old_header->OptionalHeader.SizeOfImage, MEM_RESERVE, PAGE_READWRITE);


按照1的方法,所有函数正常运行;
按照2的方法,能找到函数地址,但是却运行出错,最主要,这个问题仅仅出现在Win10 系统

我想请教的是,为何在Win10上会有这个问题发生?或者说可能是什么原因导致的呢?

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (19)
雪    币: 4751
活跃值: (1783)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
win10下R3很多Zw函数取到的数据 不对
2017-1-9 21:17
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
3
我怀疑Win10上还有什么其他隐性的问题被忽略了,如果正常按照ntdll.dll的database位置加载的话,就没有任何问题,但是开辟新的内存空间就不行
2017-1-10 10:13
0
雪    币: 522
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
4
沒64位WIN10   你用IDA 打開内核文件   看看NtQueryInformationProcess 的30號功能怎麽處理的就知道了啊  
   不過3環下的程序崩潰  多半是指針和緩衝區的問題。
2017-1-10 10:47
0
雪    币: 174
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
// NtQueryInformationProcess for pure 32 and 64-bit processes
typedef LONG (NTAPI *_NtQueryInformationProcess)(
        IN HANDLE ProcessHandle,
        IN ULONG ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength OPTIONAL
        );

// NtReadVirtualMemory for pure 32 and 64-bit processes
typedef LONG (NTAPI *_NtReadVirtualMemory)(
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress,
        OUT PVOID Buffer,
        IN SIZE_T NumberOfBytesToRead,
        OUT PSIZE_T NumberOfBytesRead
        );

// NtWow64QueryInformationProcess64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64QueryInformationProcess64)(
        IN HANDLE ProcessHandle,
        IN ULONG ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength OPTIONAL
        );

// NtWow64ReadVirtualMemory64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64ReadVirtualMemory64)(
        IN HANDLE ProcessHandle,
        IN ULONG64 BaseAddress,
        OUT PVOID Buffer,
        IN ULONG64 NumberOfBytesToRead,
        OUT PULONG64 NumberOfBytesRead
        );
2017-1-10 17:50
0
雪    币: 174
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
如果你是32位程序的话 用下面这个就可以了

// NtWow64QueryInformationProcess64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64QueryInformationProcess64)(
  IN HANDLE ProcessHandle,
  IN ULONG ProcessInformationClass,
  OUT PVOID ProcessInformation,
  IN ULONG ProcessInformationLength,
  OUT PULONG ReturnLength OPTIONAL
  );
2017-1-10 17:51
0
雪    币: 396
活跃值: (54)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
7
解析PE32+什么保护都没用
2017-1-10 18:24
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
8
非常感谢,我试试先
2017-1-10 18:29
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
9
有所作为终比什么也不做好吧
2017-1-10 18:31
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
10
其实我很想知道,为什么函数地址我都找到了,但是调用的时候Win10系统会提示我地址无效
2017-1-10 18:45
0
雪    币: 3067
活跃值: (6769)
能力值: ( LV13,RANK:409 )
在线值:
发帖
回帖
粉丝
11
ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo), 

HANDLE ProcessHandle  ,
这个参数不是用GetCurrentProcess(),要用OpenProcess,通过打开对应PID
2017-1-11 10:10
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
12
这个是参数是没错的,用法也是没错的,这是在查看当前进程是否被调试,Win7可以正常运行,是Win10 运行不了
2017-1-11 10:35
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
13
我查看了一下导出函数,这个函数在Ntdll里没有导出,而且问题不是出现在这个函数,而是系统,Win10 系统里,如果我从ntdll的基址开始分配空间,加载ntdll的话,函数一切正常,但是我如果让windows自动分配的话,找到该函数的地址,反馈给我的是地址无效,甚至程序崩溃!
2017-1-11 10:38
0
雪    币: 3067
活跃值: (6769)
能力值: ( LV13,RANK:409 )
在线值:
发帖
回帖
粉丝
14
win10 64 14393,使用OpenProcess,亲测可以的
GetCurrentProcess得到的是伪句柄
2017-1-11 10:49
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
15
恩,这个我测试过了,一样的结果,都是地址无效,程序崩溃!
2017-1-11 11:01
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
16
这是我写的测试代码,欢迎各位查看
// TestMemoryDll.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <assert.h> 
#include "TestMemoryDll.h"




typedef BOOL (__stdcall * fnDllMain)(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved);  


PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule)  
{  
	PBYTE pImage = (PBYTE)hModule;  
	PIMAGE_DOS_HEADER pImageDosHeader;  
	PIMAGE_NT_HEADERS pImageNtHeader;  
	pImageDosHeader = (PIMAGE_DOS_HEADER)pImage;  
	if(pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)  
	{  
		pImageNtHeader = (PIMAGE_NT_HEADERS)&pImage[pImageDosHeader->e_lfanew];  
		if(pImageNtHeader->Signature==IMAGE_NT_SIGNATURE)  
		{  
			return pImageNtHeader;  
		}  
	}  
	return NULL;  
}  

FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name)  
{  
	if(!hModule)  
	{  
		hModule = GetModuleHandle(0);  
	}  
	PBYTE pDest = (PBYTE)hModule;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;  
	PIMAGE_DATA_DIRECTORY pDirectory;  
	PIMAGE_EXPORT_DIRECTORY pExport;  
	DWORD i, *nameRef;  
	WORD *ordinal;  
	int idx=-1;  
	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;  
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];  
	pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];  

	if(pDirectory->Size==0)  
		return NULL;  
	pExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pDest + pDirectory->VirtualAddress);  

	if(pExport->NumberOfNames == 0 || pExport->NumberOfFunctions == 0)  
		return NULL;  
	ordinal = (WORD *) ((DWORD)pDest + pExport->AddressOfNameOrdinals);  
	if((DWORD)(name) < 0x10000)  
	{  
		if ((DWORD)name >= pExport->NumberOfFunctions+pExport->Base || (DWORD)name < pExport->Base)  
			return NULL;  
		idx = (DWORD)pDest+((DWORD*)((DWORD)pDest+pExport->AddressOfFunctions))[(DWORD)name-pExport->Base];  
	}else  
	{  
		nameRef = (DWORD *) ((DWORD)pDest + pExport->AddressOfNames);  
		for (i=0; i<pExport->NumberOfNames; i++, nameRef++, ordinal++) 
		{  
			//printf("%s--------------%s\n",name,(DWORD)pDest + (*nameRef));
			if (strcmp(name, (const char *) ((DWORD)pDest + (*nameRef))) == 0) 
			{  
				idx = *ordinal;  
				break;  
			}  
		}  
	}  
	if (idx == -1) {  
		return NULL;  
	}  
	if ((DWORD)idx > pExport->NumberOfFunctions) {  
		return NULL;  
	}  
	return (FARPROC) ((DWORD)hModule + (*(DWORD *) ((DWORD)hModule + pExport->AddressOfFunctions + (idx*4))));  
}  
void CopySection(PBYTE pSrc,PBYTE pDest)  
{  
	unsigned int i,size;  
	PIMAGE_DOS_HEADER pImageDosSrc;  
	PIMAGE_NT_HEADERS pImageNtSrc;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;  
	PIMAGE_SECTION_HEADER pSection;  
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;  
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];  

	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;  
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];  
	pSection = IMAGE_FIRST_SECTION(pImageNtDest);  
	for(i=0;i<pImageNtDest->FileHeader.NumberOfSections;i++,pSection++)  
	{  
		if(pSection->SizeOfRawData == 0)  
		{  
			size = pImageNtSrc->OptionalHeader.SectionAlignment;  
			if(size > 0)  
			{  
				pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;  
				memset((PVOID)pSection->Misc.PhysicalAddress,0,size);  
			}  
			continue;  
		}  
		pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;  
		memcpy((PVOID)pSection->Misc.PhysicalAddress, (PVOID)((DWORD)pSrc + pSection->PointerToRawData), pSection->SizeOfRawData);  
	}  
}  
void GetImportInfo(DWORD imgbase,DWORD impoff)  
{  
	PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(imgbase+impoff);  
	HMODULE hModuleSys;  
	DWORD i,p;  
	PIMAGE_THUNK_DATA32 pimpthunk;  
	PIMAGE_IMPORT_BY_NAME pimpname;  
	FARPROC* pimpwrite;  
	FARPROC pFunc;  
	for(i=0;pImport[i].Characteristics!=0;i++)  
	{     
		hModuleSys = LoadLibraryA((LPCSTR)(pImport[i].Name + imgbase));  
		pimpthunk = (PIMAGE_THUNK_DATA32)(pImport[i].OriginalFirstThunk + imgbase);  
		pimpwrite = (FARPROC*)(pImport[i].FirstThunk + imgbase);  
		for(p=0;pimpthunk[p].u1.AddressOfData!=0;p++)  
		{  
			pimpname = (PIMAGE_IMPORT_BY_NAME)((DWORD)pimpthunk[p].u1.AddressOfData+imgbase);  
			if(IMAGE_SNAP_BY_ORDINAL32(pimpthunk[p].u1.AddressOfData))  
			{  
				pFunc = GetProcAddress(hModuleSys,(LPCSTR)IMAGE_ORDINAL(pimpthunk[p].u1.AddressOfData));  
				pimpwrite[p] = pFunc;  
			}else  
			{  
				pFunc = GetProcAddress(hModuleSys,(LPCSTR)&pimpname->Name);  
				pimpwrite[p] = pFunc;  
			}  
		}  
	}  
}  
void LoadImport(PBYTE pSrc,PBYTE pDest)  
{  
	PIMAGE_DOS_HEADER pImageDosSrc;  
	PIMAGE_NT_HEADERS pImageNtSrc;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;   
	PIMAGE_DATA_DIRECTORY pDirectory;  
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;  
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];  

	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;  
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];  

	pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];  
	if(!pDirectory->VirtualAddress)  
		return;  
	GetImportInfo((DWORD)pDest,pDirectory->VirtualAddress);  
}  

bool check_import(HMODULE hModule)  
{  
	PBYTE pImage = (PBYTE)hModule;  
	PIMAGE_DOS_HEADER pImageDos;  
	PIMAGE_NT_HEADERS pImageNT;  
	PIMAGE_DATA_DIRECTORY pDataDirectory;  
	PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;  
	pImageDos = (PIMAGE_DOS_HEADER)pImage;  
	pImageNT = (PIMAGE_NT_HEADERS)&pImage[pImageDos->e_lfanew];  

	pDataDirectory = &pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];  
	if(!pDataDirectory->VirtualAddress)  
		return false;  
	pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)&pImage[pDataDirectory->VirtualAddress];  

	for(int i=0;pImportDescriptor[i].Characteristics!=0;i++)  
	{  
		HMODULE hCurrentModule = LoadLibraryA((LPCSTR)(&pImage[pImportDescriptor[i].Name]));  
		PIMAGE_THUNK_DATA32 pCurrentImportThunk = (PIMAGE_THUNK_DATA32)(&pImage[pImportDescriptor[i].OriginalFirstThunk]);  
		FARPROC* pCurrentImportList = (FARPROC*)(&pImage[pImportDescriptor[i].FirstThunk]);  
		for(int m_imp=0;pCurrentImportThunk[m_imp].u1.AddressOfData!=0;m_imp++)  
		{  
			if(IMAGE_SNAP_BY_ORDINAL32(pCurrentImportThunk[m_imp].u1.AddressOfData))  
			{  
				if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)IMAGE_ORDINAL(pCurrentImportThunk[m_imp].u1.AddressOfData)))  
					return false;  
			}else  
			{  
				if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)&((PIMAGE_IMPORT_BY_NAME)&pImage[pCurrentImportThunk[m_imp].u1.AddressOfData])->Name))  
					return false;  
			}  
		}  
	}  
	return true;  
}  
void FixupResource(PBYTE pDest)  
{  
	DWORD imagebase;  
	PIMAGE_RESOURCE_DIRECTORY pRes;  
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry;  
	DWORD nEntries;  
	DWORD i;  
	PIMAGE_RESOURCE_DIRECTORY pRes2;  
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry2;  
	DWORD nEntries2;  
	PIMAGE_RESOURCE_DIR_STRING_U pDirStr;  
	PIMAGE_RESOURCE_DIRECTORY pRes3;  
	PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry3;  
	DWORD nEntries3;  
	DWORD j;  
	DWORD k;  
	PIMAGE_RESOURCE_DATA_ENTRY pData;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;   

	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;  
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];  
	imagebase = pImageNtDest->OptionalHeader.ImageBase;  
	if(!pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress)  
		return;  
	pRes = (PIMAGE_RESOURCE_DIRECTORY)(imagebase + pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);  
	nEntries = pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;  
	pEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));  
	for (i = 0; i < nEntries; ++i, ++pEntry) {  

		if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData) {  
			pRes2 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes  
				+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData));  
			nEntries2 = pRes2->NumberOfIdEntries + pRes2->NumberOfNamedEntries;  
			pEntry2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes2 + sizeof(IMAGE_RESOURCE_DIRECTORY));  

			for (j = 0; j < nEntries2; ++j, ++pEntry2) {  
				if (IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name) {  

					pDirStr = (PIMAGE_RESOURCE_DIR_STRING_U)((DWORD)pRes  
						+ (~IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name));  
				}  
				if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData) {  
					pRes3 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes  
						+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData));  
					nEntries3 = pRes3->NumberOfIdEntries + pRes3->NumberOfNamedEntries;  
					pEntry3 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes3 + sizeof(IMAGE_RESOURCE_DIRECTORY));  

					for (k = 0; k < nEntries3; ++k) {  
						assert(~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry3->OffsetToData);  

						pData = (PIMAGE_RESOURCE_DATA_ENTRY)((DWORD)pRes + pEntry3->OffsetToData);  
						pData->OffsetToData += (DWORD)imagebase;  
					}  
				}  
			}  

		}  
	}  
}  
PVOID ReadData(IN LPCSTR lpFileName,OUT DWORD* ReadSize)  
{  
	PBYTE pLibrarySrc;  
	HANDLE hFile = CreateFileA(lpFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);  
	if(hFile==INVALID_HANDLE_VALUE)  
	{  

		char szSysDir[256] = {0};
		int nSysDirLen = 0;
		nSysDirLen = GetSystemDirectory(szSysDir,256);
		strcat(szSysDir,"\\");
		strcat(szSysDir,lpFileName);
		HANDLE hFile = CreateFileA(szSysDir,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);  

		*ReadSize = GetFileSize(hFile,NULL);  
		pLibrarySrc = (PBYTE)VirtualAlloc(0,*ReadSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);  
		if(!ReadFile(hFile,pLibrarySrc,*ReadSize,ReadSize,NULL))  
		{  
			CloseHandle(hFile);  
			VirtualFree(pLibrarySrc,*ReadSize,MEM_DECOMMIT);  
			return NULL;  
		}  
		CloseHandle(hFile);  
		return (PVOID)pLibrarySrc;  
	}  
	return NULL;  
}  
BOOL CheckPEFile(PIMAGE_DOS_HEADER pImageDosDest,PIMAGE_NT_HEADERS* pImageNtDest)  
{  
	PBYTE pImage = (PBYTE)pImageDosDest;  
	if(pImageDosDest->e_magic!=IMAGE_DOS_SIGNATURE)  
		return FALSE;  
	*pImageNtDest = (PIMAGE_NT_HEADERS)&pImage[pImageDosDest->e_lfanew];  
	if((*pImageNtDest)->Signature!=IMAGE_NT_SIGNATURE)  
		return FALSE;  
	return TRUE;  
}  
void LoadRelocation(PBYTE pSrc,PBYTE pDest)  
{  
	PIMAGE_DOS_HEADER pImageDosSrc;  
	PIMAGE_NT_HEADERS pImageNtSrc;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;  
	PIMAGE_DATA_DIRECTORY pDirectory;  
	PIMAGE_BASE_RELOCATION pRelocation;  
	DWORD dwOriginAddress;  
	DWORD dwBaseDelta;  
	PWORD pData;  
	int i,size;  
	DWORD* dwRelocationPointer;  
	int iType;  
	pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;  
	pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];  

	pImageDosDest = (PIMAGE_DOS_HEADER)pDest;  
	pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];  
	pDirectory = (PIMAGE_DATA_DIRECTORY)&pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];  
	if(!pDirectory->VirtualAddress)  
		return;  
	pRelocation = (PIMAGE_BASE_RELOCATION)(pDirectory->VirtualAddress + (DWORD)pDest);  
	dwOriginAddress = pImageNtSrc->OptionalHeader.ImageBase;  
	dwBaseDelta = (DWORD)pDest - dwOriginAddress;  
	while(pRelocation->VirtualAddress!=0)  
	{  
		size = (pRelocation->SizeOfBlock-sizeof(IMAGE_DATA_DIRECTORY))/2;  
		pData = (PWORD)((DWORD)pRelocation + 8);  
		for (i=0;i<size;i++)  
		{  
			iType = pData[i] >> 12;  
			dwRelocationPointer =  (DWORD*)((DWORD)pDest + ((pData[i] & 0x0fff) + pRelocation->VirtualAddress));  
			switch(iType)  
			{  
			case IMAGE_REL_BASED_ABSOLUTE:  
				break;  
			case IMAGE_REL_BASED_HIGH:  
				*(PWORD)dwRelocationPointer = (WORD)(((dwBaseDelta + *(PWORD)dwRelocationPointer) >> 16) & 0xFFFF);  
				break;  
			case IMAGE_REL_BASED_LOW:  
				*(PWORD)dwRelocationPointer = (WORD)((dwBaseDelta + *(PWORD)dwRelocationPointer) & 0xFFFF);  
				break;  
			case IMAGE_REL_BASED_HIGHLOW:  
				*dwRelocationPointer = *dwRelocationPointer + dwBaseDelta;  
				break;  
			default:  
				break;  
			}  
		}  
		pRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pRelocation + pRelocation->SizeOfBlock);         
	}  
}  

HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType)  
{  
	DWORD dwReadSize;  
	PBYTE pLibrarySrc;  
	PBYTE pLibraryDest;  
	PIMAGE_DOS_HEADER pImageDosSrc;  
	PIMAGE_NT_HEADERS pImageNtSrc;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;  

	HRSRC   hrsc =  FindResourceA(NULL, MAKEINTRESOURCEA(wResID),pszFileType);  
	HGLOBAL hG   = LoadResource(NULL, hrsc);  

	dwReadSize   = SizeofResource( NULL,  hrsc);  
	pLibrarySrc  = (PBYTE)hG;  
	if(pLibrarySrc!=NULL)  
	{  
		pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;  
		if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))  
			return NULL;  
		pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);  

		//copy header  
		memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);  
		pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;  
		pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];  
		pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;  

		CopySection(pLibrarySrc,pLibraryDest);  
		LoadRelocation(pLibrarySrc,pLibraryDest);  
		//FixupResource(pLibraryDest);  
		LoadImport(pLibrarySrc,pLibraryDest);  
		if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)  
			((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);  
		//pImageDosDest->e_magic = 0;  
		//pImageNtDest->Signature = 0;  
		return (HMODULE)pLibraryDest;  
	}  
	return NULL;  
}  

HMODULE LoadLibraryByFile(const char * pszDllPath)  
{  
	DWORD dwReadSize;  
	PBYTE pLibrarySrc;  
	PBYTE pLibraryDest;  
	PIMAGE_DOS_HEADER pImageDosSrc;  
	PIMAGE_NT_HEADERS pImageNtSrc;  
	PIMAGE_DOS_HEADER pImageDosDest;  
	PIMAGE_NT_HEADERS pImageNtDest;  
	pLibrarySrc  = (PBYTE)ReadData(pszDllPath,&dwReadSize);  
	if(pLibrarySrc!=NULL)  
	{  
		pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;  
		if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))  
		{  
			VirtualFree(pLibrarySrc,dwReadSize,MEM_COMMIT);  
			return NULL;  
		}  
		pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);  
		//copy header  
		memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);  

		pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;  
		pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];  
		pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;  

		CopySection(pLibrarySrc,pLibraryDest);  
		LoadRelocation(pLibrarySrc,pLibraryDest);  
		//FixupResource(pLibraryDest);  
		LoadImport(pLibrarySrc,pLibraryDest);  
		VirtualFree(pLibrarySrc,dwReadSize,MEM_DECOMMIT);  
		if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)  
			((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);  
		//pImageDosDest->e_magic = 0;  
		//pImageNtDest->Signature = 0;  
		return (HMODULE)pLibraryDest;  
	}  
	return NULL;  
}  


DWORD GetCodeSize(HMODULE hModule)  
{  
	PBYTE pInfo = (PBYTE)hModule;  
	PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;  
	PIMAGE_NT_HEADERS pImgNt;  
	if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)  
	{  
		pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];  
		if(pImgNt)  
		{  
			if(pImgNt->Signature==IMAGE_NT_SIGNATURE)  
			{  
				return pImgNt->OptionalHeader.SizeOfCode;  
			}  
		}  
	}  
	return NULL;  
}  
DWORD GetPEImageSize(HMODULE hModule)  
{  
	PBYTE pInfo = (PBYTE)hModule;  
	PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;  
	PIMAGE_NT_HEADERS pImgNt;  
	if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)  
	{  
		pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];  
		if(pImgNt)  
		{  
			if(pImgNt->Signature==IMAGE_NT_SIGNATURE)  
			{  
				return pImgNt->OptionalHeader.SizeOfImage;  
			}  
		}  
	}  
	return NULL;  
}  
DWORD GetPEImageEnd(HMODULE hModule)  
{  
	return ((DWORD)hModule + GetPEImageSize(hModule));  
}  
DWORD GetPECodeEnd(HMODULE hModule)  
{  
	return ((DWORD)hModule + GetCodeSize(hModule));  
}  


// 定义函数指针  
typedef BOOL (__stdcall *MSGBOX)(char *,char *);  

void Test(HMODULE hModule)  
{  
	if(hModule)  
	{    
		ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess;
		ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)MyGetProcAddress(hModule,"ZwQueryInformationProcess");
		if(ZwQueryInformationProcess)  
		{  
			PROCESS_DEBUG_PORT_INFO ProcessInfo;
			if (STATUS_SUCCESS==ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo), NULL))
			{
				printf("I Win!\n");
				
			}
			else
			{
				printf("I got the exe!\n");
			}
		}  
		FreeLibrary(hModule);  
	}  
}  


int _tmain(int argc, _TCHAR* argv[])
{
	Test(LoadLibraryByFile("ntdll.dll"));
	system("pause");
	return 0;
}

2017-1-11 11:10
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
17
这个是.h文件代码
#include <Windows.h>



#define STATUS_SUCCESS    ((NTSTATUS)0L) 

enum PROCESS_INFO_CLASS      { ProcessDebugPort                = 7  }; 
typedef NTSTATUS  (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength); 


typedef struct _PROCESS_DEBUG_PORT_INFO 
{ 
	HANDLE DebugPort; 
}    PROCESS_DEBUG_PORT_INFO;


PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule);  
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name);  
HMODULE LoadLibraryByFile(const char * pszDllPath);  
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType);  
DWORD GetPECodeEnd(HMODULE hModule);  
DWORD GetPEImageEnd(HMODULE hModule);  
DWORD GetPEImageSize(HMODULE hModule);  
DWORD GetCodeSize(HMODULE hModule); 
2017-1-11 11:11
0
雪    币: 3067
活跃值: (6769)
能力值: ( LV13,RANK:409 )
在线值:
发帖
回帖
粉丝
18
没搞懂你前面为啥要用VirtualAlloc,我贴下我测试的:

HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
PFN_NTQUERYINFORMATIONPROCESS pfnNtQIP = (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll, "NtQueryInformationProcess");

DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
lStatus = pfnNtQIP(hProcess, (PROCESSINFOCLASS)30, cOut, 4, &dwOutLen);
2017-1-11 11:11
0
雪    币: 230
活跃值: (101)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
19
LoadLibrary这个方式的话,我的那个使用GetCurrentProcess也是可以的,伪句柄跟实际句柄没啥区别,而且还不用释放!
从内存载入,相对安全性更高一些,也更隐蔽
2017-1-11 11:18
0
雪    币: 19
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
20
ZwQueryInformationProcess(hProcess,7,&Temp,4,0)
ret Temp
2019-2-6 12:40
0
游客
登录 | 注册 方可回帖
返回
//