能力值:
( LV9,RANK:170 )
3 楼
我怀疑Win10上还有什么其他隐性的问题被忽略了,如果正常按照ntdll.dll的database位置加载的话,就没有任何问题,但是开辟新的内存空间就不行
能力值:
( LV4,RANK:50 )
4 楼
沒64位WIN10 你用IDA 打開内核文件 看看NtQueryInformationProcess 的30號功能怎麽處理的就知道了啊
不過3環下的程序崩潰 多半是指針和緩衝區的問題。
能力值:
( LV2,RANK:10 )
5 楼
// NtQueryInformationProcess for pure 32 and 64-bit processes
typedef LONG (NTAPI *_NtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN ULONG ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// NtReadVirtualMemory for pure 32 and 64-bit processes
typedef LONG (NTAPI *_NtReadVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN SIZE_T NumberOfBytesToRead,
OUT PSIZE_T NumberOfBytesRead
);
// NtWow64QueryInformationProcess64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64QueryInformationProcess64)(
IN HANDLE ProcessHandle,
IN ULONG ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// NtWow64ReadVirtualMemory64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64ReadVirtualMemory64)(
IN HANDLE ProcessHandle,
IN ULONG64 BaseAddress,
OUT PVOID Buffer,
IN ULONG64 NumberOfBytesToRead,
OUT PULONG64 NumberOfBytesRead
);
能力值:
( LV2,RANK:10 )
6 楼
如果你是32位程序的话 用下面这个就可以了
// NtWow64QueryInformationProcess64 for 32-bit process on WOW64
typedef LONG (NTAPI *_NtWow64QueryInformationProcess64)(
IN HANDLE ProcessHandle,
IN ULONG ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
能力值:
( LV9,RANK:170 )
10 楼
其实我很想知道,为什么函数地址我都找到了,但是调用的时候Win10系统会提示我地址无效
能力值:
( LV13,RANK:409 )
11 楼
ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo),
HANDLE ProcessHandle ,
这个参数不是用GetCurrentProcess(),要用OpenProcess,通过打开对应PID
能力值:
( LV9,RANK:170 )
12 楼
这个是参数是没错的,用法也是没错的,这是在查看当前进程是否被调试,Win7可以正常运行,是Win10 运行不了
能力值:
( LV9,RANK:170 )
13 楼
我查看了一下导出函数,这个函数在Ntdll里没有导出,而且问题不是出现在这个函数,而是系统,Win10 系统里,如果我从ntdll的基址开始分配空间,加载ntdll的话,函数一切正常,但是我如果让windows自动分配的话,找到该函数的地址,反馈给我的是地址无效,甚至程序崩溃!
能力值:
( LV13,RANK:409 )
14 楼
win10 64 14393,使用OpenProcess,亲测可以的
GetCurrentProcess得到的是伪句柄
能力值:
( LV9,RANK:170 )
16 楼
这是我写的测试代码,欢迎各位查看
// TestMemoryDll.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <assert.h>
#include "TestMemoryDll.h"
typedef BOOL (__stdcall * fnDllMain)(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved);
PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule)
{
PBYTE pImage = (PBYTE)hModule;
PIMAGE_DOS_HEADER pImageDosHeader;
PIMAGE_NT_HEADERS pImageNtHeader;
pImageDosHeader = (PIMAGE_DOS_HEADER)pImage;
if(pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
{
pImageNtHeader = (PIMAGE_NT_HEADERS)&pImage[pImageDosHeader->e_lfanew];
if(pImageNtHeader->Signature==IMAGE_NT_SIGNATURE)
{
return pImageNtHeader;
}
}
return NULL;
}
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name)
{
if(!hModule)
{
hModule = GetModuleHandle(0);
}
PBYTE pDest = (PBYTE)hModule;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
PIMAGE_DATA_DIRECTORY pDirectory;
PIMAGE_EXPORT_DIRECTORY pExport;
DWORD i, *nameRef;
WORD *ordinal;
int idx=-1;
pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if(pDirectory->Size==0)
return NULL;
pExport = (PIMAGE_EXPORT_DIRECTORY)((DWORD)pDest + pDirectory->VirtualAddress);
if(pExport->NumberOfNames == 0 || pExport->NumberOfFunctions == 0)
return NULL;
ordinal = (WORD *) ((DWORD)pDest + pExport->AddressOfNameOrdinals);
if((DWORD)(name) < 0x10000)
{
if ((DWORD)name >= pExport->NumberOfFunctions+pExport->Base || (DWORD)name < pExport->Base)
return NULL;
idx = (DWORD)pDest+((DWORD*)((DWORD)pDest+pExport->AddressOfFunctions))[(DWORD)name-pExport->Base];
}else
{
nameRef = (DWORD *) ((DWORD)pDest + pExport->AddressOfNames);
for (i=0; i<pExport->NumberOfNames; i++, nameRef++, ordinal++)
{
//printf("%s--------------%s\n",name,(DWORD)pDest + (*nameRef));
if (strcmp(name, (const char *) ((DWORD)pDest + (*nameRef))) == 0)
{
idx = *ordinal;
break;
}
}
}
if (idx == -1) {
return NULL;
}
if ((DWORD)idx > pExport->NumberOfFunctions) {
return NULL;
}
return (FARPROC) ((DWORD)hModule + (*(DWORD *) ((DWORD)hModule + pExport->AddressOfFunctions + (idx*4))));
}
void CopySection(PBYTE pSrc,PBYTE pDest)
{
unsigned int i,size;
PIMAGE_DOS_HEADER pImageDosSrc;
PIMAGE_NT_HEADERS pImageNtSrc;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
PIMAGE_SECTION_HEADER pSection;
pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
pSection = IMAGE_FIRST_SECTION(pImageNtDest);
for(i=0;i<pImageNtDest->FileHeader.NumberOfSections;i++,pSection++)
{
if(pSection->SizeOfRawData == 0)
{
size = pImageNtSrc->OptionalHeader.SectionAlignment;
if(size > 0)
{
pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
memset((PVOID)pSection->Misc.PhysicalAddress,0,size);
}
continue;
}
pSection->Misc.PhysicalAddress = pSection->VirtualAddress + (DWORD)pDest;
memcpy((PVOID)pSection->Misc.PhysicalAddress, (PVOID)((DWORD)pSrc + pSection->PointerToRawData), pSection->SizeOfRawData);
}
}
void GetImportInfo(DWORD imgbase,DWORD impoff)
{
PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(imgbase+impoff);
HMODULE hModuleSys;
DWORD i,p;
PIMAGE_THUNK_DATA32 pimpthunk;
PIMAGE_IMPORT_BY_NAME pimpname;
FARPROC* pimpwrite;
FARPROC pFunc;
for(i=0;pImport[i].Characteristics!=0;i++)
{
hModuleSys = LoadLibraryA((LPCSTR)(pImport[i].Name + imgbase));
pimpthunk = (PIMAGE_THUNK_DATA32)(pImport[i].OriginalFirstThunk + imgbase);
pimpwrite = (FARPROC*)(pImport[i].FirstThunk + imgbase);
for(p=0;pimpthunk[p].u1.AddressOfData!=0;p++)
{
pimpname = (PIMAGE_IMPORT_BY_NAME)((DWORD)pimpthunk[p].u1.AddressOfData+imgbase);
if(IMAGE_SNAP_BY_ORDINAL32(pimpthunk[p].u1.AddressOfData))
{
pFunc = GetProcAddress(hModuleSys,(LPCSTR)IMAGE_ORDINAL(pimpthunk[p].u1.AddressOfData));
pimpwrite[p] = pFunc;
}else
{
pFunc = GetProcAddress(hModuleSys,(LPCSTR)&pimpname->Name);
pimpwrite[p] = pFunc;
}
}
}
}
void LoadImport(PBYTE pSrc,PBYTE pDest)
{
PIMAGE_DOS_HEADER pImageDosSrc;
PIMAGE_NT_HEADERS pImageNtSrc;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
PIMAGE_DATA_DIRECTORY pDirectory;
pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
pDirectory = &pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
if(!pDirectory->VirtualAddress)
return;
GetImportInfo((DWORD)pDest,pDirectory->VirtualAddress);
}
bool check_import(HMODULE hModule)
{
PBYTE pImage = (PBYTE)hModule;
PIMAGE_DOS_HEADER pImageDos;
PIMAGE_NT_HEADERS pImageNT;
PIMAGE_DATA_DIRECTORY pDataDirectory;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
pImageDos = (PIMAGE_DOS_HEADER)pImage;
pImageNT = (PIMAGE_NT_HEADERS)&pImage[pImageDos->e_lfanew];
pDataDirectory = &pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
if(!pDataDirectory->VirtualAddress)
return false;
pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)&pImage[pDataDirectory->VirtualAddress];
for(int i=0;pImportDescriptor[i].Characteristics!=0;i++)
{
HMODULE hCurrentModule = LoadLibraryA((LPCSTR)(&pImage[pImportDescriptor[i].Name]));
PIMAGE_THUNK_DATA32 pCurrentImportThunk = (PIMAGE_THUNK_DATA32)(&pImage[pImportDescriptor[i].OriginalFirstThunk]);
FARPROC* pCurrentImportList = (FARPROC*)(&pImage[pImportDescriptor[i].FirstThunk]);
for(int m_imp=0;pCurrentImportThunk[m_imp].u1.AddressOfData!=0;m_imp++)
{
if(IMAGE_SNAP_BY_ORDINAL32(pCurrentImportThunk[m_imp].u1.AddressOfData))
{
if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)IMAGE_ORDINAL(pCurrentImportThunk[m_imp].u1.AddressOfData)))
return false;
}else
{
if(pCurrentImportList[m_imp] != GetProcAddress(hCurrentModule,(LPCSTR)&((PIMAGE_IMPORT_BY_NAME)&pImage[pCurrentImportThunk[m_imp].u1.AddressOfData])->Name))
return false;
}
}
}
return true;
}
void FixupResource(PBYTE pDest)
{
DWORD imagebase;
PIMAGE_RESOURCE_DIRECTORY pRes;
PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry;
DWORD nEntries;
DWORD i;
PIMAGE_RESOURCE_DIRECTORY pRes2;
PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry2;
DWORD nEntries2;
PIMAGE_RESOURCE_DIR_STRING_U pDirStr;
PIMAGE_RESOURCE_DIRECTORY pRes3;
PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry3;
DWORD nEntries3;
DWORD j;
DWORD k;
PIMAGE_RESOURCE_DATA_ENTRY pData;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
imagebase = pImageNtDest->OptionalHeader.ImageBase;
if(!pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress)
return;
pRes = (PIMAGE_RESOURCE_DIRECTORY)(imagebase + pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
nEntries = pRes->NumberOfIdEntries + pRes->NumberOfNamedEntries;
pEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));
for (i = 0; i < nEntries; ++i, ++pEntry) {
if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData) {
pRes2 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes
+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry->OffsetToData));
nEntries2 = pRes2->NumberOfIdEntries + pRes2->NumberOfNamedEntries;
pEntry2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
for (j = 0; j < nEntries2; ++j, ++pEntry2) {
if (IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name) {
pDirStr = (PIMAGE_RESOURCE_DIR_STRING_U)((DWORD)pRes
+ (~IMAGE_RESOURCE_NAME_IS_STRING & pEntry2->Name));
}
if (IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData) {
pRes3 = (PIMAGE_RESOURCE_DIRECTORY)((DWORD)pRes
+ (~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry2->OffsetToData));
nEntries3 = pRes3->NumberOfIdEntries + pRes3->NumberOfNamedEntries;
pEntry3 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((DWORD)pRes3 + sizeof(IMAGE_RESOURCE_DIRECTORY));
for (k = 0; k < nEntries3; ++k) {
assert(~IMAGE_RESOURCE_DATA_IS_DIRECTORY & pEntry3->OffsetToData);
pData = (PIMAGE_RESOURCE_DATA_ENTRY)((DWORD)pRes + pEntry3->OffsetToData);
pData->OffsetToData += (DWORD)imagebase;
}
}
}
}
}
}
PVOID ReadData(IN LPCSTR lpFileName,OUT DWORD* ReadSize)
{
PBYTE pLibrarySrc;
HANDLE hFile = CreateFileA(lpFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
char szSysDir[256] = {0};
int nSysDirLen = 0;
nSysDirLen = GetSystemDirectory(szSysDir,256);
strcat(szSysDir,"\\");
strcat(szSysDir,lpFileName);
HANDLE hFile = CreateFileA(szSysDir,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
*ReadSize = GetFileSize(hFile,NULL);
pLibrarySrc = (PBYTE)VirtualAlloc(0,*ReadSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(!ReadFile(hFile,pLibrarySrc,*ReadSize,ReadSize,NULL))
{
CloseHandle(hFile);
VirtualFree(pLibrarySrc,*ReadSize,MEM_DECOMMIT);
return NULL;
}
CloseHandle(hFile);
return (PVOID)pLibrarySrc;
}
return NULL;
}
BOOL CheckPEFile(PIMAGE_DOS_HEADER pImageDosDest,PIMAGE_NT_HEADERS* pImageNtDest)
{
PBYTE pImage = (PBYTE)pImageDosDest;
if(pImageDosDest->e_magic!=IMAGE_DOS_SIGNATURE)
return FALSE;
*pImageNtDest = (PIMAGE_NT_HEADERS)&pImage[pImageDosDest->e_lfanew];
if((*pImageNtDest)->Signature!=IMAGE_NT_SIGNATURE)
return FALSE;
return TRUE;
}
void LoadRelocation(PBYTE pSrc,PBYTE pDest)
{
PIMAGE_DOS_HEADER pImageDosSrc;
PIMAGE_NT_HEADERS pImageNtSrc;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
PIMAGE_DATA_DIRECTORY pDirectory;
PIMAGE_BASE_RELOCATION pRelocation;
DWORD dwOriginAddress;
DWORD dwBaseDelta;
PWORD pData;
int i,size;
DWORD* dwRelocationPointer;
int iType;
pImageDosSrc = (PIMAGE_DOS_HEADER)pSrc;
pImageNtSrc = (PIMAGE_NT_HEADERS)&pSrc[pImageDosSrc->e_lfanew];
pImageDosDest = (PIMAGE_DOS_HEADER)pDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pDest[pImageDosDest->e_lfanew];
pDirectory = (PIMAGE_DATA_DIRECTORY)&pImageNtDest->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if(!pDirectory->VirtualAddress)
return;
pRelocation = (PIMAGE_BASE_RELOCATION)(pDirectory->VirtualAddress + (DWORD)pDest);
dwOriginAddress = pImageNtSrc->OptionalHeader.ImageBase;
dwBaseDelta = (DWORD)pDest - dwOriginAddress;
while(pRelocation->VirtualAddress!=0)
{
size = (pRelocation->SizeOfBlock-sizeof(IMAGE_DATA_DIRECTORY))/2;
pData = (PWORD)((DWORD)pRelocation + 8);
for (i=0;i<size;i++)
{
iType = pData[i] >> 12;
dwRelocationPointer = (DWORD*)((DWORD)pDest + ((pData[i] & 0x0fff) + pRelocation->VirtualAddress));
switch(iType)
{
case IMAGE_REL_BASED_ABSOLUTE:
break;
case IMAGE_REL_BASED_HIGH:
*(PWORD)dwRelocationPointer = (WORD)(((dwBaseDelta + *(PWORD)dwRelocationPointer) >> 16) & 0xFFFF);
break;
case IMAGE_REL_BASED_LOW:
*(PWORD)dwRelocationPointer = (WORD)((dwBaseDelta + *(PWORD)dwRelocationPointer) & 0xFFFF);
break;
case IMAGE_REL_BASED_HIGHLOW:
*dwRelocationPointer = *dwRelocationPointer + dwBaseDelta;
break;
default:
break;
}
}
pRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pRelocation + pRelocation->SizeOfBlock);
}
}
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType)
{
DWORD dwReadSize;
PBYTE pLibrarySrc;
PBYTE pLibraryDest;
PIMAGE_DOS_HEADER pImageDosSrc;
PIMAGE_NT_HEADERS pImageNtSrc;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
HRSRC hrsc = FindResourceA(NULL, MAKEINTRESOURCEA(wResID),pszFileType);
HGLOBAL hG = LoadResource(NULL, hrsc);
dwReadSize = SizeofResource( NULL, hrsc);
pLibrarySrc = (PBYTE)hG;
if(pLibrarySrc!=NULL)
{
pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
return NULL;
pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
//copy header
memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);
pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;
CopySection(pLibrarySrc,pLibraryDest);
LoadRelocation(pLibrarySrc,pLibraryDest);
//FixupResource(pLibraryDest);
LoadImport(pLibrarySrc,pLibraryDest);
if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
//pImageDosDest->e_magic = 0;
//pImageNtDest->Signature = 0;
return (HMODULE)pLibraryDest;
}
return NULL;
}
HMODULE LoadLibraryByFile(const char * pszDllPath)
{
DWORD dwReadSize;
PBYTE pLibrarySrc;
PBYTE pLibraryDest;
PIMAGE_DOS_HEADER pImageDosSrc;
PIMAGE_NT_HEADERS pImageNtSrc;
PIMAGE_DOS_HEADER pImageDosDest;
PIMAGE_NT_HEADERS pImageNtDest;
pLibrarySrc = (PBYTE)ReadData(pszDllPath,&dwReadSize);
if(pLibrarySrc!=NULL)
{
pImageDosSrc = (PIMAGE_DOS_HEADER)pLibrarySrc;
if(!CheckPEFile(pImageDosSrc,&pImageNtSrc))
{
VirtualFree(pLibrarySrc,dwReadSize,MEM_COMMIT);
return NULL;
}
pLibraryDest = (PBYTE)VirtualAlloc(NULL,pImageNtSrc->OptionalHeader.SizeOfImage,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
//copy header
memcpy(pLibraryDest, pImageDosSrc, pImageDosSrc->e_lfanew + pImageNtSrc->OptionalHeader.SizeOfHeaders);
pImageDosDest = (PIMAGE_DOS_HEADER)pLibraryDest;
pImageNtDest = (PIMAGE_NT_HEADERS)&pLibraryDest[pImageDosDest->e_lfanew];
pImageNtDest->OptionalHeader.ImageBase = (DWORD)pLibraryDest;
CopySection(pLibrarySrc,pLibraryDest);
LoadRelocation(pLibrarySrc,pLibraryDest);
//FixupResource(pLibraryDest);
LoadImport(pLibrarySrc,pLibraryDest);
VirtualFree(pLibrarySrc,dwReadSize,MEM_DECOMMIT);
if(pImageNtDest->OptionalHeader.AddressOfEntryPoint)
((fnDllMain)(pImageNtDest->OptionalHeader.AddressOfEntryPoint + (DWORD)pLibraryDest))((HINSTANCE)pLibraryDest,DLL_PROCESS_ATTACH,NULL);
//pImageDosDest->e_magic = 0;
//pImageNtDest->Signature = 0;
return (HMODULE)pLibraryDest;
}
return NULL;
}
DWORD GetCodeSize(HMODULE hModule)
{
PBYTE pInfo = (PBYTE)hModule;
PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
PIMAGE_NT_HEADERS pImgNt;
if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
{
pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
if(pImgNt)
{
if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
{
return pImgNt->OptionalHeader.SizeOfCode;
}
}
}
return NULL;
}
DWORD GetPEImageSize(HMODULE hModule)
{
PBYTE pInfo = (PBYTE)hModule;
PIMAGE_DOS_HEADER pImgDos = (PIMAGE_DOS_HEADER)pInfo;
PIMAGE_NT_HEADERS pImgNt;
if(pImgDos->e_magic==IMAGE_DOS_SIGNATURE)
{
pImgNt = (PIMAGE_NT_HEADERS)&pInfo[pImgDos->e_lfanew];
if(pImgNt)
{
if(pImgNt->Signature==IMAGE_NT_SIGNATURE)
{
return pImgNt->OptionalHeader.SizeOfImage;
}
}
}
return NULL;
}
DWORD GetPEImageEnd(HMODULE hModule)
{
return ((DWORD)hModule + GetPEImageSize(hModule));
}
DWORD GetPECodeEnd(HMODULE hModule)
{
return ((DWORD)hModule + GetCodeSize(hModule));
}
// 定义函数指针
typedef BOOL (__stdcall *MSGBOX)(char *,char *);
void Test(HMODULE hModule)
{
if(hModule)
{
ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess;
ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)MyGetProcAddress(hModule,"ZwQueryInformationProcess");
if(ZwQueryInformationProcess)
{
PROCESS_DEBUG_PORT_INFO ProcessInfo;
if (STATUS_SUCCESS==ZwQueryInformationProcess(GetCurrentProcess( ), (PROCESS_INFO_CLASS)0x0000001e, &ProcessInfo, sizeof(ProcessInfo), NULL))
{
printf("I Win!\n");
}
else
{
printf("I got the exe!\n");
}
}
FreeLibrary(hModule);
}
}
int _tmain(int argc, _TCHAR* argv[])
{
Test(LoadLibraryByFile("ntdll.dll"));
system("pause");
return 0;
}
能力值:
( LV9,RANK:170 )
17 楼
这个是.h文件代码
#include <Windows.h>
#define STATUS_SUCCESS ((NTSTATUS)0L)
enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };
typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength);
typedef struct _PROCESS_DEBUG_PORT_INFO
{
HANDLE DebugPort;
} PROCESS_DEBUG_PORT_INFO;
PIMAGE_NT_HEADERS AnalyaisImage(HMODULE hModule);
FARPROC __stdcall MyGetProcAddress(HMODULE hModule,LPCSTR name);
HMODULE LoadLibraryByFile(const char * pszDllPath);
HMODULE LoadLibraryByResource(WORD wResID,char *pszFileType);
DWORD GetPECodeEnd(HMODULE hModule);
DWORD GetPEImageEnd(HMODULE hModule);
DWORD GetPEImageSize(HMODULE hModule);
DWORD GetCodeSize(HMODULE hModule);
能力值:
( LV13,RANK:409 )
18 楼
没搞懂你前面为啥要用VirtualAlloc,我贴下我测试的:
HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
PFN_NTQUERYINFORMATIONPROCESS pfnNtQIP = (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll, "NtQueryInformationProcess");
DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
lStatus = pfnNtQIP(hProcess, (PROCESSINFOCLASS)30, cOut, 4, &dwOutLen);
能力值:
( LV9,RANK:170 )
19 楼
LoadLibrary这个方式的话,我的那个使用GetCurrentProcess也是可以的,伪句柄跟实际句柄没啥区别,而且还不用释放!
从内存载入,相对安全性更高一些,也更隐蔽
能力值:
( LV2,RANK:10 )
20 楼
ZwQueryInformationProcess(hProcess,7,&Temp,4,0) ret Temp