VC中文网 - VC/MFC Programming Forum

Reading and writing the memory of a 64-bit program from VC

Posted on 2019-9-15 19:23:57
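A 32-bit program can read and write the memory of a 64-bit program through NtWow64ReadVirtualMemory64 and NtWow64WriteVirtualMemory64. Straight to the code.
Define the function pointer types with their parameter lists, then get the function pointers from the module.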
[C++]
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    OUT PVOID    BufferData,
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    IN  PVOID    BufferData,    // source buffer, so an input for the write call
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

    // ntdll.dll is already loaded in every process, so GetModuleHandle is enough.
    NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        return FALSE;
    }

    __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64ReadVirtualMemory64");

    __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64WriteVirtualMemory64");

    // GetProcAddress returns NULL when the export is missing; check before calling.
    if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
    {
        return FALSE;
    }

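Get the process ID and the address in the 64-bit process that you want to read or write, then call the functions to read and write the target process's memory.
[C++]
// ReturnLength must be declared as ULONG64: both calls store 8 bytes through the pointer.
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
    BaseAddress, BufferData, BufferLength, &ReturnLength);
if (NT_SUCCESS(Status))
{
    // The bytes read are not guaranteed to be NUL-terminated, so bound the print.
    printf("%.*s\r\n", (int)ReturnLength, (const char *)BufferData);
    ZeroMemory(BufferData, BufferLength);
    // BufferData must hold at least strlen("LIUDADA") + 1 bytes.
    memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
    Status = __NtWow64WriteVirtualMemory64(ProcessHandle,
        BaseAddress, BufferData, strlen("LIUDADA") + 1, &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        printf("write failed: 0x%08lX\r\n", (unsigned long)Status);
    }
}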

If even signing in is a mistake, I am willing to pile mistake upon mistake.
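
Added example, not part of the original post: because the code above resolves both functions by name with GetProcAddress, the names are stored as ASCII strings in the 32-bit binary, which gives a defender a simple static triage check. The function names `pe_machine`, `wow64_memory_api_refs` and `build_sample` are hypothetical, and the sample image is constructed inline.

```python
import struct

# Export names the post passes to GetProcAddress.
WOW64_NAMES = ("NtWow64ReadVirtualMemory64", "NtWow64WriteVirtualMemory64")
IMAGE_FILE_MACHINE_I386 = 0x014C


def pe_machine(data: bytes):
    """Return the COFF Machine field of a PE image, or None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def wow64_memory_api_refs(data: bytes):
    """Return [(name, first_offset)] for each name embedded in a 32-bit PE."""
    # Only 32-bit images are relevant: the post's technique is a 32-bit
    # program reaching into a 64-bit one.
    if pe_machine(data) != IMAGE_FILE_MACHINE_I386:
        return []
    hits = []
    for name in WOW64_NAMES:
        offset = data.find(name.encode("ascii"))
        if offset != -1:
            hits.append((name, offset))
    return hits


def build_sample(machine: int, strings=()):
    """Constructed minimal MZ/PE header followed by NUL-terminated strings."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew
    header[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", header, 0x44, machine)   # COFF Machine
    return bytes(header) + b"".join(s.encode("ascii") + b"\0" for s in strings)


if __name__ == "__main__":
    sample = build_sample(IMAGE_FILE_MACHINE_I386, WOW64_NAMES)
    for name, offset in wow64_memory_api_refs(sample):
        print(f"{name} at offset {offset:#x}")
```

A hit is only a triage signal: a binary that hashes or encrypts the names will not match, and legitimate debugging tools also use these exports.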