#include <windows.h>
#include <tchar.h>
typedef DWORD (WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
BYTE Reserved1[48];
PVOID Reserved2[3];
HANDLE UniqueProcessId;
PVOID Reserved3;
ULONG HandleCount;
BYTE Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;
SYSTEM_PROCESS_INFORMATION Sysinfo;
int _tmain()
{
LPCTSTR lpFileName="ntdll.dll";
LPCTSTR lpFunctName="ZwQuerySystemInformation";
char cbbuffer[60000];
DWORD length=0;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation=NULL;
HMODULE hLib=LoadLibrary(lpFileName);
_tprintf(TEXT("Loading ntdll.dll... ..."));
if(hLib!=NULL)
{
_tprintf(TEXT("Success!\nGeting Function Address... ..."));
ZwQuerySystemInformation=(ZWQUERYSYSTEMINFORMATION)GetProcAddress(hLib,lpFunctName);
if(ZwQuerySystemInformation!=NULL)
{
_tprintf(TEXT("Success!\nGeting System Infomation... ..."));
ZwQuerySystemInformation(5,cbbuffer,60000,&length);
if(Sysinfo.NextEntryOffset)
_tprintf(TEXT("Success!\n"));
else
//length=GetLastError();
_tprintf(TEXT("Failed! 0x%x, %d, %d\n"),Sysinfo.NextEntryOffset,length,Sysinfo.NumberOfThreads);
}
_tprintf(TEXT("Free ntdll.dll... ..."));
FreeLibrary(hLib);
_tprintf(TEXT("Success!"));
}
return 0;
}
下面是用汇编写的,大家帮我看看,都不行啊。
、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
SystemProcessInfo struct
NextEntryOffset dd ?
NumberOfThreads dd ?
Reserved1 db 48 dup(?)
Reserved2 PVOID 3 dup(?)
UniqueProcessId HANDLE ?
Reserved3 PVOID ?
HandleCount dd ?
Reserved4 db 4 dup(?)
Reserved5 PVOID 11 dup(?)
PeakPagefileUsage dd ?
PrivatePageCount dd ?
Reserved6 LARGE_INTEGER 6 dup(<>)
SystemProcessInfo ends
.data
LibName db "ntdll.dll",0
FunctionName db "ZwQuerySystemInformation",0
AppName db "Status",0
ErrorOfNoDll db "Load ntdll.dll faile...",0
ErrorOfNoFunction db "Load Function Fail...",0
SuccessLoadDll db "Success Load Dll",0
SuccessLoadFunction db "Success Load Function",0
formatstring db "%d",0
.data?
hLib dd ?
FunctionAddr dd ?
ErrorCode dd ?
cbbuffer db 50000 dup(?)
.code
start:
invoke LoadLibrary,addr LibName
.if eax!=NULL
mov hLib,eax
invoke MessageBox,NULL,addr SuccessLoadDll,addr AppName,MB_OK
invoke GetProcAddress,hLib,addr FunctionName
.if eax!=NULL
mov FunctionAddr,eax
invoke MessageBox,NULL,addr SuccessLoadFunction,addr AppName,MB_OK
call [FunctionAddr],SYSTEM_PROCESS_INFORMATION,\
addr cbbuffer,\
50000,\
sizeof SystemProcessInfo
.else
invoke MessageBox,NULL,addr ErrorOfNoFunction,NULL,MB_OK
.endif
invoke FreeLibrary,hLib
.else
invoke MessageBox,NULL,addr ErrorOfNoDll,NULL,MB_OK
.endif
invoke ExitProcess,NULL
end start
两个都是在调用函数是出错的,汇编编译都同步过去, c可以编译过去,但不能正常调用;
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课