2 楼
PE头里有大小.
3 楼
下面再送一个
ZwQueryVirtualMemory
// Forum lead-in that shared this line with the signature: "套餐(有坑):"
// (roughly "the bundle -- it has pitfalls").
//
// Replacement for NtQueryVirtualMemory. It first forwards the call unchanged to
// KrlEngine::m_NtQueryVirtualMemory (presumably the saved original entry point --
// confirm), then post-processes the result when all of the following hold:
//   * the caller passed the current-process pseudo-handle,
//   * the forwarded call returned 0 (success),
//   * BaseAddress lies inside [g_hModule, g_hModule + g_ModuleSize].
// In that case the caller does not receive the real answer for the address it
// asked about: MemoryBasicInformation queries are redirected to later regions,
// MemoryRegionInformation queries get a zeroed buffer and an error status.
//
// Parameters mirror the native call. Returns the status of the last forwarded
// call, or 0xC0000141 for a filtered MemoryRegionInformation query.
//
// Review notes (the post itself warns that the code has pitfalls):
//   * NOTE(review): the handle test compares against ::GetCurrentProcess(), which
//     is the pseudo-handle. A query made with a real handle to this same process
//     does not match and is returned unfiltered; the same is true of any query
//     that does not go through this function.
//   * NOTE(review): addresses are squeezed through (DWORD)/(int). That is only
//     meaningful in a 32-bit build, and the signed comparison misorders addresses
//     at or above 0x80000000.
//   * NOTE(review): the upper bound is inclusive (<=), so the first byte past the
//     module range is treated as inside it.
//   * NOTE(review): the declared return type is ULONG although the value is used
//     as an NTSTATUS.
ULONG WINAPI My_NtQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength)
{
    // Always run the real query first; everything below only rewrites its result.
    ULONG uRet = KrlEngine::m_NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
    // Only successful queries made with the current-process pseudo-handle are touched.
    if ((::GetCurrentProcess() == ProcessHandle) && (0 == uRet))
    {
        if (MemoryBasicInformation == MemoryInformationClass)
        {
            if ((NULL != BaseAddress) && (NULL != MemoryInformation) && (NULL != g_hModule))
            {
                while (true)
                {
                    // dwBase is recomputed from the unchanged BaseAddress argument on every
                    // pass, so bCall has the same value in every iteration.
                    DWORD dwBase = (DWORD)BaseAddress;
                    bool bCall = false;
                    if (((int)dwBase >= (int)g_hModule) && ((int)dwBase <= ((int)g_hModule + g_ModuleSize)))
                    {
                        bCall = true;
                    }
                    if (bCall)
                    {
                        // Step to the address just past the region last reported and query again,
                        // overwriting the caller's buffer with that later region.
                        PMEMORY_BASIC_INFORMATION pMemInfo = (PMEMORY_BASIC_INFORMATION)MemoryInformation;
                        DWORD dwNextAddr = (DWORD)pMemInfo->BaseAddress + pMemInfo->RegionSize;
                        uRet = KrlEngine::m_NtQueryVirtualMemory(ProcessHandle, (PVOID)dwNextAddr, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
                        // Because bCall never changes, this is the only exit for an in-range
                        // query: the loop keeps stepping forward until a forwarded call fails,
                        // and that failure status is what the caller receives.
                        // NOTE(review): an in-range basic query that ends in an error status
                        // is itself an observable anomaly for a memory scanner.
                        if (0 != uRet)
                        {
                            break;
                        }
                    }
                    else
                    {
                        // Address outside the module range: leave the original result as is.
                        break;
                    }
                }
            }
        }
        else if (MemoryRegionInformation == MemoryInformationClass)
        {
            if ((NULL != BaseAddress) && (NULL != MemoryInformation) && (NULL != g_hModule))
            {
                DWORD dwBase = (DWORD)BaseAddress;
                bool bCall = false;
                if (((int)dwBase >= (int)g_hModule) && ((int)dwBase <= ((int)g_hModule + g_ModuleSize))) {
                    bCall = true;
                }
                if (bCall)
                {
                    // Wipe what the successful forwarded call wrote and report a failure
                    // instead. 0xC0000141 is STATUS_INVALID_ADDRESS. ReturnLength is not
                    // reset here, so it keeps whatever the forwarded call stored in it.
                    ::ZeroMemory(MemoryInformation, MemoryInformationLength);
                    uRet = 0xC0000141;
                }
            }
        }
    }
    return uRet;
}
最后于 2019-1-21 10:02
被yimingqpa编辑
,原因:
4 楼
yimingqpa
下面再送一个
ZwQueryVirtualMemory
套餐(有坑):ULONG WINAPI My_NtQueryVirtualMemory(HAND ...
谢谢