[求助]请教 ZwWriteVirtualMemory 等API哪里有介绍-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]请教 ZwWriteVirtualMemory 等API哪里有介绍

2008-5-24 00:11 12241

[求助]请教 ZwWriteVirtualMemory 等API哪里有介绍

suolao

2008-5-24 00:11

12241

跟踪某程序，该Dll文件先用CreateProcessA CreationFlags = CREATE_SUSPENDED创建一进程，然后向该进程中写入数据，这中间DLL文件判断调用自己的程序是不是许可的程序，若不是许可程序则想内存中写入的代码有问题。
正确顺序为写一次52K数据，第二次写后数据为56K，第三次写后数据为1480K。若非许可程序则第三次数据为1476K。程序不能正常运行。
ZwProtectVirtualMemory这一系列API看的头晕，请问那里有这类API的介绍啊？

0DC115CC 8BFF          mov    edi, edi
0DC115CE 55             push ebp
0DC115CF 8BEC          mov    ebp, esp
0DC115D1 8D45 14       lea    eax, dword ptr [ebp+14]
0DC115D4 50             push eax
0DC115D5 FF75 14       push dword ptr [ebp+14]
0DC115D8 FF75 10       push dword ptr [ebp+10]
0DC115DB FF75 0C       push dword ptr [ebp+C]
0DC115DE FF75 08       push dword ptr [ebp+8]
0DC115E1 FF15 0C14807C call dword ptr [<&ntdll.NtReadVirtual>; ntdll.ZwReadVirtualMemory
0DC115E7 8B4D 18       mov    ecx, dword ptr [ebp+18]
0DC115EA 85C9          test ecx, ecx
0DC115EC 75 0B          jnz    short 0DC115F9
0DC115EE 85C0          test eax, eax
0DC115F0 7C 0E          jl    short 0DC11600
0DC115F2 33C0          xor    eax, eax
0DC115F4 40             inc    eax
0DC115F5 5D             pop    ebp
0DC115F6 C2 1400       retn 14
0DC115F9 8B55 14       mov    edx, dword ptr [ebp+14]
0DC115FC 8911          mov    dword ptr [ecx], edx
0DC115FE  ^ EB EE          jmp    short 0DC115EE
0DC11600 50             push eax
0DC11601 E8 65710000    call 0DC1876B
0DC11606 33C0          xor    eax, eax
0DC11608  ^ EB EB          jmp    short 0DC115F5
0DC1160A 90             nop
0DC1160B 90             nop
0DC1160C 90             nop
0DC1160D 90             nop
0DC1160E 90             nop
0DC1160F 8BFF          mov    edi, edi
0DC11611 55             push ebp
0DC11612 8BEC          mov    ebp, esp
0DC11614 51             push ecx
0DC11615 51             push ecx
0DC11616 8B45 0C       mov    eax, dword ptr [ebp+C]
0DC11619 53             push ebx
0DC1161A 8B5D 14       mov    ebx, dword ptr [ebp+14]
0DC1161D 56             push esi
0DC1161E 8B35 B812807C mov    esi, dword ptr [<&ntdll.NtProtec>; ntdll.ZwProtectVirtualMemory
0DC11624 57             push edi
0DC11625 8B7D 08       mov    edi, dword ptr [ebp+8]
0DC11628 8945 F8       mov    dword ptr [ebp-8], eax
0DC1162B 8D45 14       lea    eax, dword ptr [ebp+14]
0DC1162E 50             push eax
0DC1162F 6A 40          push 40
0DC11631 8D45 FC       lea    eax, dword ptr [ebp-4]
0DC11634 50             push eax
0DC11635 8D45 F8       lea    eax, dword ptr [ebp-8]
0DC11638 50             push eax
0DC11639 57             push edi
0DC1163A 895D FC       mov    dword ptr [ebp-4], ebx
0DC1163D FFD6          call esi
0DC1163F 3D 4E0000C0    cmp    eax, C000004E
0DC11644 74 5C          je    short 0DC116A2
0DC11646 85C0          test eax, eax
0DC11648 7C 4D          jl    short 0DC11697
0DC1164A 8B45 14       mov    eax, dword ptr [ebp+14]
0DC1164D A8 CC          test al, 0CC
0DC1164F 74 64          je    short 0DC116B5
0DC11651 8D4D 14       lea    ecx, dword ptr [ebp+14]
0DC11654 51             push ecx
0DC11655 50             push eax
0DC11656 8D45 FC       lea    eax, dword ptr [ebp-4]
0DC11659 50             push eax
0DC1165A 8D45 F8       lea    eax, dword ptr [ebp-8]
0DC1165D 50             push eax
0DC1165E 57             push edi
0DC1165F FFD6          call esi
0DC11661 8D45 08       lea    eax, dword ptr [ebp+8]
0DC11664 50             push eax
0DC11665 53             push ebx
0DC11666 FF75 10       push dword ptr [ebp+10]
0DC11669 FF75 0C       push dword ptr [ebp+C]
0DC1166C 57             push edi
0DC1166D FF15 F413807C call dword ptr [<&ntdll.NtWriteVirtua>; ntdll.ZwWriteVirtualMemory
0DC11673 8B4D 18       mov    ecx, dword ptr [ebp+18]
0DC11676 85C9          test ecx, ecx
0DC11678 0F85 9E000000 jnz    0DC1171C
0DC1167E 85C0          test eax, eax
0DC11680 7C 15          jl    short 0DC11697
0DC11682 53             push ebx
0DC11683 FF75 0C       push dword ptr [ebp+C]
0DC11686 57             push edi
0DC11687 FF15 C812807C call dword ptr [<&ntdll.NtFlushInstru>; ntdll.ZwFlushInstructionCache
0DC1168D 33C0          xor    eax, eax
0DC1168F 40             inc    eax
0DC11690 5F             pop    edi
0DC11691 5E             pop    esi
0DC11692 5B             pop    ebx
0DC11693 C9             leave
0DC11694 C2 1400       retn 14
0DC11697 50             push eax
0DC11698 E8 CE700000    call 0DC1876B
0DC1169D E9 84000000    jmp    0DC11726
0DC116A2 8D45 14       lea    eax, dword ptr [ebp+14]
0DC116A5 50             push eax
0DC116A6 6A 04          push 4
0DC116A8 8D45 FC       lea    eax, dword ptr [ebp-4]
0DC116AB 50             push eax
0DC116AC 8D45 F8       lea    eax, dword ptr [ebp-8]
0DC116AF 50             push eax
0DC116B0 57             push edi
0DC116B1 FFD6          call esi
0DC116B3  ^ EB 91          jmp    short 0DC11646
0DC116B5 A8 03          test al, 3
0DC116B7 75 40          jnz    short 0DC116F9
0DC116B9 8D45 08       lea    eax, dword ptr [ebp+8]
0DC116BC 50             push eax
0DC116BD 53             push ebx
0DC116BE FF75 10       push dword ptr [ebp+10]
0DC116C1 FF75 0C       push dword ptr [ebp+C]
0DC116C4 57             push edi
0DC116C5 FF15 F413807C call dword ptr [<&ntdll.NtWriteVirtua>; ntdll.ZwWriteVirtualMemory
0DC116CB 8945 10       mov    dword ptr [ebp+10], eax
0DC116CE 8B45 18       mov    eax, dword ptr [ebp+18]
0DC116D1 85C0          test eax, eax
0DC116D3 74 05          je    short 0DC116DA
0DC116D5 8B4D 08       mov    ecx, dword ptr [ebp+8]
0DC116D8 8908          mov    dword ptr [eax], ecx
0DC116DA 8D45 14       lea    eax, dword ptr [ebp+14]
0DC116DD 50             push eax
0DC116DE FF75 14       push dword ptr [ebp+14]
0DC116E1 8D45 FC       lea    eax, dword ptr [ebp-4]
0DC116E4 50             push eax
0DC116E5 8D45 F8       lea    eax, dword ptr [ebp-8]
0DC116E8 50             push eax
0DC116E9 57             push edi
0DC116EA FFD6          call esi
0DC116EC 837D 10 00    cmp    dword ptr [ebp+10], 0
0DC116F0  ^ 7D 90          jge    short 0DC11682
0DC116F2 BE 050000C0    mov    esi, C0000005
0DC116F7 EB 12          jmp    short 0DC1170B
0DC116F9 8D4D 14       lea    ecx, dword ptr [ebp+14]
0DC116FC 51             push ecx
0DC116FD 50             push eax
0DC116FE 8D45 FC       lea    eax, dword ptr [ebp-4]
0DC11701 50             push eax
0DC11702 8D45 F8       lea    eax, dword ptr [ebp-8]
0DC11705 50             push eax
0DC11706 57             push edi
0DC11707 FFD6          call esi
0DC11709 33F6          xor    esi, esi
0DC1170B 68 050000C0    push C0000005
0DC11710 E8 56700000    call 0DC1876B
0DC11715 8BC6          mov    eax, esi
0DC11717  ^ E9 74FFFFFF    jmp    0DC11690
0DC1171C 8B55 08       mov    edx, dword ptr [ebp+8]
0DC1171F 8911          mov    dword ptr [ecx], edx
0DC11721  ^ E9 58FFFFFF    jmp    0DC1167E
0DC11726 33C0          xor    eax, eax
0DC11728  ^ E9 63FFFFFF    jmp    0DC11690
0DC1172D 90             nop
0DC1172E 90             nop
0DC1172F 90             nop
0DC11730 90             nop
0DC11731 90             nop
0DC11732 8BFF          mov    edi, edi
0DC11734 55             push ebp
0DC11735 8BEC          mov    ebp, esp
0DC11737 6A 00          push 0
0DC11739 FF75 2C       push dword ptr [ebp+2C]
0DC1173C FF75 28       push dword ptr [ebp+28]
0DC1173F FF75 24       push dword ptr [ebp+24]
0DC11742 FF75 20       push dword ptr [ebp+20]
0DC11745 FF75 1C       push dword ptr [ebp+1C]
0DC11748 FF75 18       push dword ptr [ebp+18]
0DC1174B FF75 14       push dword ptr [ebp+14]
0DC1174E FF75 10       push dword ptr [ebp+10]
0DC11751 FF75 0C       push dword ptr [ebp+C]
0DC11754 FF75 08       push dword ptr [ebp+8]
0DC11757 6A 00          push 0
0DC11759 E8 B5710100    call 0DC28913
0DC1175E 5D             pop    ebp
0DC1175F C2 2800       retn 28
0DC11762 90             nop
0DC11763 90             nop
0DC11764 90             nop
0DC11765 90             nop
0DC11766 90             nop
0DC11767 8BFF          mov    edi, edi
0DC11769 55             push ebp
0DC1176A 8BEC          mov    ebp, esp
0DC1176C 6A 00          push 0
0DC1176E FF75 2C       push dword ptr [ebp+2C]
0DC11771 FF75 28       push dword ptr [ebp+28]
0DC11774 FF75 24       push dword ptr [ebp+24]
0DC11777 FF75 20       push dword ptr [ebp+20]
0DC1177A FF75 1C       push dword ptr [ebp+1C]
0DC1177D FF75 18       push dword ptr [ebp+18]
0DC11780 FF75 14       push dword ptr [ebp+14]
0DC11783 FF75 10       push dword ptr [ebp+10]
0DC11786 FF75 0C       push dword ptr [ebp+C]
0DC11789 FF75 08       push dword ptr [ebp+8]
0DC1178C 6A 00          push 0
0DC1178E E8 43BA0100    call 0DC2D1D6
0DC11793 5D             pop    ebp
0DC11794 C2 2800       retn 28
0DC11797 90             nop
0DC11798 90             nop
0DC11799 90             nop
0DC1179A 90             nop
0DC1179B 90             nop
0DC1179C 6A 2C          push 2C
0DC1179E 68 5824807C    push 7C802458
0DC117A3 E8 1E010000    call 0DC118C6
0DC117A8 C745 C4 1400000>mov    dword ptr [ebp-3C], 14
0DC117AF C745 C8 0100000>mov    dword ptr [ebp-38], 1
0DC117B6 33C0          xor    eax, eax
0DC117B8 8D7D CC       lea    edi, dword ptr [ebp-34]
0DC117BB AB             stos dword ptr es:[edi]
0DC117BC AB             stos dword ptr es:[edi]
0DC117BD AB             stos dword ptr es:[edi]
0DC117BE 33F6          xor    esi, esi
0DC117C0 56             push esi
0DC117C1 8D45 C4       lea    eax, dword ptr [ebp-3C]
0DC117C4 50             push eax
0DC117C5 FF15 3C12807C call dword ptr [<&ntdll.RtlActivateAc>; ntdll.RtlActivateActivationContextUnsafeFast
0DC117CB 8975 FC       mov    dword ptr [ebp-4], esi
0DC117CE FF75 08       push dword ptr [ebp+8]
0DC117D1 8D45 D8       lea    eax, dword ptr [ebp-28]
0DC117D4 50             push eax
0DC117D5 E8 96000000    call 0DC11870
0DC117DA 8945 E4       mov    dword ptr [ebp-1C], eax
0DC117DD 3BC6          cmp    eax, esi
0DC117DF 74 31          je    short 0DC11812
0DC117E1 FF75 E4       push dword ptr [ebp-1C]
0DC117E4 FF75 0C       push dword ptr [ebp+C]
0DC117E7 FF15 C014807C call dword ptr [<&ntdll.NtDelayExecut>; ntdll.ZwDelayExecution
0DC117ED 8945 E0       mov    dword ptr [ebp-20], eax
0DC117F0 3975 0C       cmp    dword ptr [ebp+C], esi
0DC117F3 75 2F          jnz    short 0DC11824
0DC117F5 834D FC FF    or    dword ptr [ebp-4], FFFFFFFF
0DC117F9 E8 34000000    call 0DC11832
0DC117FE B8 C0000000    mov    eax, 0C0
0DC11803 3945 E0       cmp    dword ptr [ebp-20], eax
0DC11806 74 02          je    short 0DC1180A
0DC11808 33C0          xor    eax, eax
0DC1180A E8 F2000000    call 0DC11901
0DC1180F C2 0800       retn 8
0DC11812 8975 D8       mov    dword ptr [ebp-28], esi
0DC11815 C745 DC 0000008>mov    dword ptr [ebp-24], 80000000
0DC1181C 8D45 D8       lea    eax, dword ptr [ebp-28]
0DC1181F 8945 E4       mov    dword ptr [ebp-1C], eax
0DC11822  ^ EB BD          jmp    short 0DC117E1
0DC11824 3D 01010000    cmp    eax, 101
0DC11829  ^ 75 CA          jnz    short 0DC117F5
0DC1182B  ^ EB B4          jmp    short 0DC117E1
0DC1182D 90             nop
0DC1182E 90             nop
0DC1182F 90             nop
0DC11830 90             nop
0DC11831 90             nop
0DC11832 8D45 C4       lea    eax, dword ptr [ebp-3C]
0DC11835 50             push eax
0DC11836 FF15 3812807C call dword ptr [<&ntdll.RtlDeactivate>; ntdll.RtlDeactivateActivationContextUnsafeFast
0DC1183C C3             retn

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

#调试逆向

收藏・2

点赞・0

打赏

最新回复 (3)
zhuliang 雪币： 1098 活跃值： (193) 能力值： (RANK：210 ) 在线值：发帖 33 回帖 400 粉丝 14 关注私信	zhuliang 5 2008-5-24 10:34 2 楼 0 从MSDN里找Nt版本的WriteVirtualMemory来看看吧。
kanxue 雪币： 32410 活跃值： (18735) 能力值： (RANK：350 ) 在线值：发帖 1827 回帖 15215 粉丝 487 关注私信	kanxue 8 2008-5-24 10:59 3 楼 0 http://www.pediy.com/Document.htm Windows NT 2000 Native API Reference
suolao 雪币： 109 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 36 粉丝 0 关注私信	suolao 2008-5-25 20:16 4 楼 0 十分感谢2楼及看雪老大！
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复