进程间通讯——指针方式的内存读写
来源:互联网 发布:宝日龙梅 知乎 编辑:程序博客网 时间:2024/05/20 16:33
使用指针方式进行进程间通讯,可以做到 32位->32位、64位->64位、32位->64位 的内存读写,原因是调用了两套函数:ReadProcessMemory/WriteProcessMemory 与 NtWow64ReadVirtualMemory64/NtWow64WriteVirtualMemory64。
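// Cross-bitness memory access into another process ("pointer-style IPC").
//
// A 32-bit (WOW64) caller cannot express a 64-bit target address through the
// PVOID parameter of ReadProcessMemory/WriteProcessMemory, so two code paths
// exist:
//   * the documented Win32 pair when the target is a 32-bit process (or the
//     caller itself is 64-bit, in which case any address fits in a PVOID);
//   * the ntdll exports NtWow64ReadVirtualMemory64/NtWow64WriteVirtualMemory64,
//     which take a ULONG64 address, when a 32-bit caller must reach a 64-bit
//     target. They are resolved at runtime because they are only present in
//     the 32-bit ntdll on a 64-bit Windows.
//
// Fixes relative to the original listing: Point_IPC now returns a value on
// every path; the 64-bit branch prints the remote string before clearing the
// buffer instead of after; the read is one byte shorter than the buffer so the
// "%s" echo is always NUL-terminated; the IsWow64Process return value and the
// ERROR_NOT_ALL_ASSIGNED result of AdjustTokenPrivileges are checked; main
// returns a non-zero exit code on failure.

// WIN32_NO_STATUS keeps windows.h from defining the STATUS_* codes that
// ntstatus.h defines again (otherwise C4005 macro-redefinition warnings).
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>

#include <cstdio>
#include <cstring>
#include <iostream>
#include <limits>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// Signature of ntdll!NtWow64ReadVirtualMemory64 (32-bit ntdll on x64 only).
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    OUT PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

// Signature of ntdll!NtWow64WriteVirtualMemory64 (32-bit ntdll on x64 only).
typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    IN PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

// Resolved in main(); NULL where the export does not exist. Named g_* instead
// of the original __Nt* because identifiers starting with two underscores are
// reserved for the implementation.
static LPFN_NTWOW64READVIRTUALMEMORY64 g_NtWow64ReadVirtualMemory64 = NULL;
static LPFN_NTWOW64WRITEVIRTUALMEMORY64 g_NtWow64WriteVirtualMemory64 = NULL;

// Size of the local staging buffer; the demo target exposes a 20-byte array.
static const SIZE_T kBufferLength = 20;
// String written back into the target; sizeof includes the terminating NUL.
static const char kPayload[] = "Point-IPC";

BOOL EnableSeDebugPrivilege(IN const CHAR *PriviledgeName, BOOL IsEnable);
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress);

// Reads a short string at BaseAddress in the target, echoes it, then writes
// kPayload over it, using ReadProcessMemory/WriteProcessMemory. Valid whenever
// the address fits in this process's PVOID: a 32-bit target, or a 64-bit caller.
// Returns TRUE only when both the read and the write succeeded.
static BOOL AccessViaWin32(HANDLE ProcessHandle, ULONG64 BaseAddress)
{
    char BufferData[kBufferLength] = { 0 };
    SIZE_T ReturnLength = 0;
    BOOL Result = FALSE;
    // Narrowing to ULONG_PTR first makes the truncation explicit on a 32-bit
    // build instead of relying on an implicit integer-to-pointer conversion.
    PVOID RemoteAddress = (PVOID)(ULONG_PTR)BaseAddress;

    __try
    {
        // Read one byte less than the buffer so the trailing zero survives and
        // printf("%s") cannot run past the end of a non-terminated remote string.
        if (ReadProcessMemory(ProcessHandle, RemoteAddress, BufferData,
                              sizeof(BufferData) - 1, &ReturnLength))
        {
            printf("%s\r\n", BufferData);
            ZeroMemory(BufferData, sizeof(BufferData));
            memcpy(BufferData, kPayload, sizeof(kPayload));
            Result = WriteProcessMemory(ProcessHandle, RemoteAddress, BufferData,
                                        sizeof(kPayload), &ReturnLength);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("异常\r\n");
        Result = FALSE;
    }
    return Result;
}

// Same read/echo/write sequence through the NtWow64*VirtualMemory64 exports,
// for a 32-bit caller addressing a 64-bit target. Returns FALSE when the
// exports were not resolved (64-bit caller, or a 32-bit Windows).
static BOOL AccessViaWow64(HANDLE ProcessHandle, ULONG64 BaseAddress)
{
    if (g_NtWow64ReadVirtualMemory64 == NULL || g_NtWow64WriteVirtualMemory64 == NULL)
    {
        return FALSE;
    }

    char BufferData[kBufferLength] = { 0 };
    ULONG64 ReturnLength = 0;
    BOOL Result = FALSE;

    __try
    {
        NTSTATUS Status = g_NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, BufferData,
                                                       sizeof(BufferData) - 1, &ReturnLength);
        if (NT_SUCCESS(Status))
        {
            // Echo first, then clear: the original listing zeroed the buffer
            // before printing and so always showed an empty string here.
            printf("%s\r\n", BufferData);
            ZeroMemory(BufferData, sizeof(BufferData));
            memcpy(BufferData, kPayload, sizeof(kPayload));
            Status = g_NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, BufferData,
                                                   sizeof(kPayload), &ReturnLength);
            Result = NT_SUCCESS(Status) ? TRUE : FALSE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("异常\r\n");
        Result = FALSE;
    }
    return Result;
}

// Entry point: resolves the WOW64 helpers, reads a PID and a hex address from
// stdin and hands them to Point_IPC. Exit code is 0 on completion, 1 when
// ntdll cannot be located or the input is malformed.
int main()
{
    HMODULE NtdllModuleBase = GetModuleHandleA("ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        // The original returned FALSE (0), i.e. "success", on this failure.
        return 1;
    }

    // A NULL result is not fatal here: the exports exist only in the 32-bit
    // ntdll on 64-bit Windows, and Point_IPC checks before using them.
    g_NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(
        NtdllModuleBase, "NtWow64ReadVirtualMemory64");
    g_NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(
        NtdllModuleBase, "NtWow64WriteVirtualMemory64");

    ULONG ProcessID = 0;
    std::cout << "Input ProcessId" << std::endl;
    std::cin >> ProcessID;

    // The address is read as hexadecimal into a ULONG64 so the same prompt
    // accepts both 32-bit and 64-bit target addresses (the original listing
    // used scanf("%llx") for the same reason).
    ULONG64 BaseAddress = 0;
    std::cout << "Input BaseAddress" << std::endl;
    std::cin >> std::hex >> BaseAddress;
    if (!std::cin)
    {
        return 1;
    }

    Point_IPC(ProcessID, BaseAddress);

    printf("Input AnyKey To Exit\r\n");
    // Drop the newline left by the last extraction; otherwise get() returns
    // immediately and the program exits without waiting.
    std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    std::cin.get();
    return 0;
}

// Enables (IsEnable != FALSE) or disables the named privilege on the current
// process token. Returns TRUE only when the privilege was actually adjusted;
// FALSE when the token cannot be opened, the name is unknown, or the token
// does not hold the privilege at all.
BOOL EnableSeDebugPrivilege(IN const CHAR *PriviledgeName, BOOL IsEnable)
{
    HANDLE TokenHandle = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }

    BOOL Result = FALSE;
    LUID PrivilegeLuid = { 0 };
    if (LookupPrivilegeValueA(NULL, PriviledgeName, &PrivilegeLuid))
    {
        TOKEN_PRIVILEGES TokenPrivileges = { 0 };
        TokenPrivileges.PrivilegeCount = 1;
        TokenPrivileges.Privileges[0].Luid = PrivilegeLuid;
        TokenPrivileges.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege; ERROR_NOT_ALL_ASSIGNED in the last error is the real
        // failure signal, so check it instead of trusting the return value.
        if (AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
                                  sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            Result = TRUE;
        }
    }

    CloseHandle(TokenHandle);
    return Result;
}

// Opens the target process, picks the access path that matches the bitness of
// caller and target, and performs one read/echo/write round trip at
// BaseAddress. SeDebugPrivilege is enabled for the duration of the call and
// dropped again before returning. Returns TRUE when the round trip succeeded.
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress)
{
    if (BaseAddress == 0)
    {
        return FALSE;
    }

    if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
    {
        return FALSE;
    }

    BOOL Result = FALSE;
    HANDLE ProcessHandle = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
    if (ProcessHandle != NULL)
    {
        BOOL IsWow64 = FALSE;
        // The original ignored this return value; on failure IsWow64 stayed
        // FALSE and the target was silently treated as 64-bit.
        if (IsWow64Process(ProcessHandle, &IsWow64))
        {
            // IsWow64 is TRUE only for a 32-bit target on 64-bit Windows. A
            // 64-bit caller can always use the Win32 API; a 32-bit caller needs
            // the Nt* path for any target that is not itself WOW64.
            const bool CallerIs64Bit = sizeof(void *) == 8;
            if (IsWow64 || CallerIs64Bit)
            {
                Result = AccessViaWin32(ProcessHandle, BaseAddress);
            }
            else
            {
                Result = AccessViaWow64(ProcessHandle, BaseAddress);
            }
        }
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;
    }

    EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
    return Result;
}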
测试程序:
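// Target side of the pointer-style IPC demo: keeps a 20-byte string alive on
// the stack, prints the process id and the buffer address that the other
// program asks for, waits, then prints the buffer again so the write from the
// other process becomes visible.
#include "stdafx.h"   // project precompiled header; keep for the original MSVC project setup
#include <Windows.h>
#include <cstdio>

int main()
{
    // 20 bytes: the writer stores a 10-byte string (including NUL) here.
    char BufferData[20] = "HelloWorld";

    // GetCurrentProcessId returns a DWORD (unsigned long): "%lu", not "%d".
    printf("ProcessID:%lu\r\n", GetCurrentProcessId());
    // "%p" expects a void*; passing the array as char* is technically undefined.
    printf("BaseAddress:%p\r\n", (void *)BufferData);

    printf("Input AnyKey To Continue\r\n");
    getchar();

    printf("BaseAddress:%s\r\n", BufferData);
    printf("Input AnyKey To Exit\r\n");
    getchar();
    return 0;
}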
遇到的问题:
1.
IsWow64Process函数的使用;
2.
‘|’与‘||’的区别:在罗列进程权限的时候;
3.
函数名不能加横线,只能加下划线;
4.
输入地址(包括32位与64位)的方法;
(程序中都有展示)