//
// VC6 Code By PiaoYun
/*
 * Information classes accepted by NtQueryInformationProcess.
 *
 * This is a hand-copied version of the native PROCESSINFOCLASS enumeration
 * (winternl.h spells the type PROCESSINFOCLASS; older ntddk headers use the
 * _PROCESS_INFORMATION_CLASS tag seen here). The values are positional C
 * enumerators starting at 0, so the kernel only agrees with this table as
 * long as the order below is left exactly as it is - do not insert, remove
 * or reorder members.
 */
typedef enum _PROCESS_INFORMATION_CLASS {
ProcessBasicInformation,          /* 0 */
ProcessQuotaLimits,               /* 1 */
ProcessIoCounters,                /* 2 */
ProcessVmCounters,                /* 3 */
ProcessTimes,                     /* 4 */
ProcessBasePriority,              /* 5 */
ProcessRaisePriority,             /* 6 */
ProcessDebugPort,                 /* 7 */
ProcessExceptionPort,             /* 8 */
ProcessAccessToken,               /* 9 */
ProcessLdtInformation,            /* 10 */
ProcessLdtSize,                   /* 11 */
ProcessDefaultHardErrorMode,      /* 12 */
ProcessIoPortHandlers,            /* 13 */
ProcessPooledUsageAndLimits,      /* 14 */
ProcessWorkingSetWatch,           /* 15 */
ProcessUserModeIOPL,              /* 16 */
ProcessEnableAlignmentFaultFixup, /* 17 */
ProcessPriorityClass,             /* 18 */
ProcessWx86Information,           /* 19 */
ProcessHandleCount,               /* 20 */
ProcessAffinityMask,              /* 21 */
ProcessPriorityBoost,             /* 22 */
MaxProcessInfoClass               /* 23 - one past the last valid class */
} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;
/*
 * Native status code returned by the Nt* entry points below (negative values
 * are failures). ntdef.h / winternl.h define NTSTATUS the same way, so this
 * typedef will collide if one of those headers is also included - NOTE(review):
 * the include list is not visible here, confirm before adding winternl.h.
 */
typedef LONG NTSTATUS;
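/*
 * Resolve NtQueryInformationProcess, NtReadVirtualMemory and
 * NtWriteVirtualMemory from the ntdll.dll already mapped into this process.
 *
 * The three function pointers are locals and are dropped on return, so the
 * function currently has no effect visible to its caller (the disassembly
 * listing that follows confirms the GetProcAddress results are never stored).
 * A caller that needs them must move the pointers out of this scope; the
 * void/no-argument signature is kept here so existing call sites still link.
 *
 * Two fixes over the original:
 *  - GetModuleHandleA / GetProcAddress take LPCSTR unconditionally, so the
 *    names are passed as plain narrow literals instead of TEXT(), which
 *    would become wide strings under a UNICODE build.
 *  - A NULL module handle is no longer forwarded to GetProcAddress.
 *
 * Review note: resolving the Nt*VirtualMemory pair by name is a pattern that
 * endpoint monitoring frequently flags; keep the lookup names in the clear
 * so the intent of this helper stays auditable.
 */
void GetNtAPI()
{
    HMODULE NtHandle = NULL;

    typedef NTSTATUS (NTAPI *pfnNtQueryInformationProcess)(
        IN HANDLE ProcessHandle,
        IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength);
    typedef NTSTATUS (NTAPI *pfnNtReadVirtualMemory)(
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress,
        OUT PVOID Buffer,
        IN ULONG NumberOfBytesToRead,
        OUT PULONG NumberOfBytesRead OPTIONAL);
    typedef NTSTATUS (NTAPI *pfnNtWriteVirtualMemory)(
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress,
        IN PVOID Buffer,
        IN ULONG NumberOfBytesToWrite,
        OUT PULONG NumberOfBytesWritten OPTIONAL);

    pfnNtQueryInformationProcess NtQueryInformationProcess = NULL;
    pfnNtReadVirtualMemory NtReadVirtualMemory = NULL;
    pfnNtWriteVirtualMemory NtWriteVirtualMemory = NULL;

    /* ntdll.dll is already loaded in every Win32 process, so a handle lookup
     * (rather than LoadLibrary) is sufficient, but it can still return NULL
     * and GetProcAddress must not be called with a NULL module. */
    NtHandle = GetModuleHandleA("ntdll.dll");
    if (NtHandle == NULL) {
        return;
    }

    /* Each lookup may return NULL on an ntdll without that export; the
     * pointers are left NULL in that case, so any future user must check
     * before calling through them. */
    NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtHandle, "NtQueryInformationProcess");
    NtReadVirtualMemory = (pfnNtReadVirtualMemory)GetProcAddress(NtHandle, "NtReadVirtualMemory");
    NtWriteVirtualMemory = (pfnNtWriteVirtualMemory)GetProcAddress(NtHandle, "NtWriteVirtualMemory");

    /* Results are intentionally unused here (see header comment); the casts
     * silence set-but-unused warnings without changing behavior. */
    (void)NtQueryInformationProcess;
    (void)NtReadVirtualMemory;
    (void)NtWriteVirtualMemory;
}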
/*
00401000 /$ 56 PUSH ESI
00401001 |. 57 PUSH EDI
00401002 |. 68 60204000 PUSH WinMain.00402060 ; /pModule = "ntdll.dll"
00401007 |. FF15 00204000 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
0040100D |. 8B3D 08204000 MOV EDI, DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
00401013 |. 8BF0 MOV ESI, EAX
00401015 |. 68 44204000 PUSH WinMain.00402044 ; /ProcNameOrOrdinal = "NtQueryInformationProcess"
0040101A |. 56 PUSH ESI ; |hModule
0040101B |. FFD7 CALL NEAR EDI ; \GetProcAddress
0040101D |. 68 30204000 PUSH WinMain.00402030 ; /ProcNameOrOrdinal = "NtReadVirtualMemory"
00401022 |. 56 PUSH ESI ; |hModule
00401023 |. FFD7 CALL NEAR EDI ; \GetProcAddress
00401025 |. 68 18204000 PUSH WinMain.00402018 ; /ProcNameOrOrdinal = "NtWriteVirtualMemory"
0040102A |. 56 PUSH ESI ; |hModule
0040102B |. FFD7 CALL NEAR EDI ; \GetProcAddress
0040102D |. 5F POP EDI
0040102E |. 5E POP ESI
0040102F \. C3 RETN
*/