未解决
[悬赏][求助]PsSetLoadImageNotifyRoutine 拦截 DLL 注入:向 DLL 的 OEP 写入内存时,ZwProtectVirtualMemory 返回 0xC0000045,求解
50.00雪花
发表于:
2018-1-4 14:26
4562
未解决 [悬赏][求助]PsSetLoadImageNotifyRoutine 拦截 DLL 注入:向 DLL 的 OEP 写入内存时,ZwProtectVirtualMemory 返回 0xC0000045,求解
50.00雪花
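/*
 * Return the address of the entry point (OEP) of a mapped PE image.
 *
 * ImageBase: base address of an image that is already mapped and readable
 *            in the current address space.
 *
 * Returns ImageBase + OptionalHeader.AddressOfEntryPoint, or NULL when
 * ImageBase is NULL, the DOS or NT signature does not match, the optional
 * header magic is neither PE32 nor PE32+, or the image declares no entry
 * point (AddressOfEntryPoint == 0). Callers must check for NULL.
 *
 * The image bitness is taken from OptionalHeader.Magic, not from the load
 * address: a 64-bit image can be mapped below 0x7FFFFFFF, so an address
 * comparison can select the wrong header layout.
 *
 * NOTE(review): the headers are dereferenced directly and the image size is
 * not passed in, so e_lfanew cannot be bounds-checked against the mapping
 * here. If ImageBase is a user-mode address, the caller should guard this
 * call with structured exception handling - confirm at the call site.
 */
PVOID GetDriverEntryByImageBase(PVOID ImageBase) {
    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase;
    PIMAGE_NT_HEADERS32 pNTHeader32;
    ULONG64 EntryRva;

    if (ImageBase == NULL) {
        return NULL;
    }

    /* 0x5A4D is IMAGE_DOS_SIGNATURE ("MZ"). e_lfanew is signed, so reject
     * zero and negative offsets before using it in pointer arithmetic. */
    if (pDOSHeader->e_magic != 0x5A4D || pDOSHeader->e_lfanew <= 0) {
        return NULL;
    }

    /* Signature, FileHeader and OptionalHeader.Magic sit at the same offsets
     * in the 32-bit and 64-bit NT headers, so the 32-bit view is enough to
     * validate the signature and read the magic. */
    pNTHeader32 = (PIMAGE_NT_HEADERS32)((ULONG64)ImageBase + (ULONG64)pDOSHeader->e_lfanew);
    if (pNTHeader32->Signature != 0x00004550) { /* IMAGE_NT_SIGNATURE "PE\0\0" */
        return NULL;
    }

    switch (pNTHeader32->OptionalHeader.Magic) {
    case 0x10B: /* IMAGE_NT_OPTIONAL_HDR32_MAGIC (PE32) */
        EntryRva = pNTHeader32->OptionalHeader.AddressOfEntryPoint;
        break;
    case 0x20B: /* IMAGE_NT_OPTIONAL_HDR64_MAGIC (PE32+) */
        EntryRva = ((PIMAGE_NT_HEADERS64)pNTHeader32)->OptionalHeader.AddressOfEntryPoint;
        break;
    default:
        return NULL;
    }

    /* An RVA of 0 means the image has no entry point; returning ImageBase
     * would make the caller treat the MZ header as code. */
    if (EntryRva == 0) {
        return NULL;
    }

    return (PVOID)((ULONG64)ImageBase + EntryRva);
}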
// The function above locates the OEP; the code below changes the protection
// of the page at that address so it can be written to.
// Excerpt only: AddressOEP, ProcessHandle, dld_ep, st, fuck32 and fuck64 are
// declared outside the lines shown here.
PVOID BaseAddress = AddressOEP;
ULONG OldProtect;
SIZE_T RegionSize;
KAPC_STATE ks = { 0 };
// Pick the region size from one of two buffers defined elsewhere
// (presumably the 32-bit and 64-bit replacement bytes - confirm).
// NOTE(review): the choice is made from the address alone; a 64-bit image can
// be mapped below 0x7FFFFFFF, so the PE optional-header magic is the reliable
// source for the image bitness.
if ((ULONG64)BaseAddress<(ULONG64)0x7FFFFFFF) {
RegionSize = sizeof(fuck32);
}
else {
RegionSize = sizeof(fuck64);
}
// Attach the current thread to the address space of dld_ep.
// NOTE(review): no matching KeUnstackDetachProcess(&ks) is visible in this
// excerpt - confirm it runs on every path, including the failure path below.
KeStackAttachProcess(dld_ep, &ks);
// BaseAddress and RegionSize are passed by pointer and may be updated by the
// call, so keep AddressOEP for any later write rather than reusing BaseAddress.
// NOTE(review): ProcessHandle is not defined in this excerpt. After the attach
// above, a handle that is not a kernel handle is looked up in the attached
// process's handle table, so a handle opened before attaching may no longer
// refer to the intended process - confirm how it was obtained.
// NOTE(review): per the post title this runs from a PsSetLoadImageNotifyRoutine
// callback. Microsoft's documentation for load-image notify routines says they
// must not call system routines that map, allocate, query, free or otherwise
// operate on user-space virtual memory, to avoid deadlocks; this call falls in
// that category, so the work should be deferred out of the callback.
st = ZwProtectVirtualMemory(ProcessHandle, &BaseAddress, &RegionSize, PAGE_EXECUTE_READWRITE, &OldProtect);
// st comes back as 0xC0000045 (STATUS_INVALID_PAGE_PROTECTION) here; help wanted.
// The excerpt alone does not show enough to pin down the cause.