进程间通讯——指针方式的内存读写


使用指针的方式进行进程间通讯,可以做到 32位->32位、64位->64位、32位->64位。原因是调用了两套函数:ReadProcessMemory 与 NtWow64ReadVirtualMemory64(Wow64Read)。


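// Pointer-style "IPC": read and write another process's memory at a
// caller-supplied address.
//
// The program asks for a process id and an address inside that process,
// reads up to 19 bytes from the address, prints them as a string, and then
// overwrites them with "Point-IPC" so the target can observe the change.
//
// Two API families are used so every caller/target bitness combination works:
//   * ReadProcessMemory/WriteProcessMemory whenever the caller's PVOID can
//     hold the target address (target is 32-bit, or the caller is 64-bit);
//   * NtWow64ReadVirtualMemory64/NtWow64WriteVirtualMemory64, which take the
//     address as a ULONG64, when a 32-bit caller reaches a 64-bit target.
#define WIN32_NO_STATUS      // keep winnt.h from defining the STATUS_* values ...
#include <windows.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>        // ... so that ntstatus.h can define them once.
#include <cstdio>
#include <cstring>
#include <iostream>

// Prototypes of the WOW64 helpers exported by ntdll. The SDK headers used
// here do not declare them, so the program declares them itself and resolves
// them with GetProcAddress at start-up.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    OUT PVOID    BufferData,
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    IN  PVOID    BufferData,
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

// Stay NULL when ntdll does not export the helpers; the 32->64 path is then
// reported as unavailable instead of being attempted.
static LPFN_NTWOW64READVIRTUALMEMORY64  g_NtWow64ReadVirtualMemory64  = NULL;
static LPFN_NTWOW64WRITEVIRTUALMEMORY64 g_NtWow64WriteVirtualMemory64 = NULL;

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// TRUE when this binary is 64-bit, i.e. its PVOID can hold any 64-bit address.
static const BOOL kCallerIs64Bit = (sizeof(PVOID) == sizeof(ULONG64)) ? TRUE : FALSE;

BOOL EnableSeDebugPrivilege(IN const CHAR *PriviledgeName, BOOL IsEnable);
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress);

// Resolves the optional WOW64 helpers, reads the target pid and address from
// stdin and runs one read/write exchange. Returns 1 on a set-up failure.
int main()
{
    // ntdll is always mapped, so GetModuleHandle (no LoadLibrary) is enough.
    HMODULE NtdllModuleBase = GetModuleHandleA("Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        return 1;
    }
    // Either pointer may legitimately come back NULL; Point_IPC only needs
    // them on the 32-bit-caller -> 64-bit-target path.
    g_NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)
        GetProcAddress(NtdllModuleBase, "NtWow64ReadVirtualMemory64");
    g_NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)
        GetProcAddress(NtdllModuleBase, "NtWow64WriteVirtualMemory64");

    ULONG ProcessID = 0;
    std::cout << "Input ProcessId" << std::endl;
    if (!(std::cin >> ProcessID))
    {
        return 1;
    }

    // Read the address as hex so a value printed by the target with %p can be
    // typed in unchanged, whether it is 32 or 64 bits wide.
    ULONG64 BaseAddress = 0;
    std::cout << "Input BaseAddress" << std::endl;
    if (scanf("%llx", &BaseAddress) != 1)
    {
        return 1;
    }

    Point_IPC(ProcessID, BaseAddress);

    printf("Input AnyKey To Exit\r\n");
    getchar();
    return 0;
}

// Enables (IsEnable != 0) or disables the named privilege on the current
// process token.
//
// Returns TRUE only when the privilege is actually in the requested state:
// AdjustTokenPrivileges returns TRUE even when the token does not hold the
// privilege at all and signals that only via ERROR_NOT_ALL_ASSIGNED.
BOOL EnableSeDebugPrivilege(IN const CHAR *PriviledgeName, BOOL IsEnable)
{
    HANDLE TokenHandle = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }

    BOOL Result = FALSE;
    LUID PrivilegeLuid;
    // Map the privilege name (e.g. "SeDebugPrivilege") to its LUID.
    if (LookupPrivilegeValueA(NULL, PriviledgeName, &PrivilegeLuid))
    {
        TOKEN_PRIVILEGES TokenPrivileges = { 0 };
        TokenPrivileges.PrivilegeCount = 1;   // size of the trailing Privileges[] array
        TokenPrivileges.Privileges[0].Luid = PrivilegeLuid;
        TokenPrivileges.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

        if (AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
                                  sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            Result = TRUE;
        }
    }

    CloseHandle(TokenHandle);
    return Result;
}

// Decides which API family can address the target. On success *UseWin32Api
// is TRUE for ReadProcessMemory/WriteProcessMemory and FALSE for the NtWow64*
// pair. Returns FALSE when the bitness of either process cannot be queried.
static BOOL SelectAccessPath(HANDLE ProcessHandle, BOOL *UseWin32Api)
{
    BOOL TargetIsWow64 = FALSE;
    BOOL SelfIsWow64 = FALSE;
    // A failed IsWow64Process is an error, not a statement about bitness.
    if (!IsWow64Process(ProcessHandle, &TargetIsWow64)
        || !IsWow64Process(GetCurrentProcess(), &SelfIsWow64))
    {
        return FALSE;
    }
    // The Win32 API suffices when the target is a 32-bit (WOW64) process, when
    // we are 64-bit ourselves, or when we are a 32-bit process that is NOT
    // under WOW64 (a 32-bit OS, where every process is 32-bit). Only a 32-bit
    // caller under WOW64 facing a non-WOW64 (64-bit) target needs NtWow64*.
    *UseWin32Api = (TargetIsWow64 || kCallerIs64Bit || !SelfIsWow64) ? TRUE : FALSE;
    return TRUE;
}

// Reads Length bytes at BaseAddress in the target into Buffer.
// Precondition: when UseWin32Api is FALSE, g_NtWow64ReadVirtualMemory64 is set.
static BOOL ReadTarget(HANDLE ProcessHandle, ULONG64 BaseAddress, BOOL UseWin32Api,
                       PVOID Buffer, ULONG64 Length, PULONG64 ReturnLength)
{
    if (UseWin32Api)
    {
        // On this path the address fits a PVOID (see SelectAccessPath), so
        // the narrowing through ULONG_PTR is intentional.
        SIZE_T Transferred = 0;
        const BOOL Ok = ReadProcessMemory(ProcessHandle, (PVOID)(ULONG_PTR)BaseAddress,
                                          Buffer, (SIZE_T)Length, &Transferred);
        *ReturnLength = Transferred;
        return Ok;
    }
    const NTSTATUS Status = g_NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress,
                                                         Buffer, Length, ReturnLength);
    return NT_SUCCESS(Status) ? TRUE : FALSE;
}

// Writes Length bytes from Buffer to BaseAddress in the target.
// Precondition: when UseWin32Api is FALSE, g_NtWow64WriteVirtualMemory64 is set.
static BOOL WriteTarget(HANDLE ProcessHandle, ULONG64 BaseAddress, BOOL UseWin32Api,
                        PVOID Buffer, ULONG64 Length, PULONG64 ReturnLength)
{
    if (UseWin32Api)
    {
        SIZE_T Transferred = 0;
        const BOOL Ok = WriteProcessMemory(ProcessHandle, (PVOID)(ULONG_PTR)BaseAddress,
                                           Buffer, (SIZE_T)Length, &Transferred);
        *ReturnLength = Transferred;
        return Ok;
    }
    const NTSTATUS Status = g_NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress,
                                                          Buffer, Length, ReturnLength);
    return NT_SUCCESS(Status) ? TRUE : FALSE;
}

// Reads the target buffer, prints it, then overwrites it with "Point-IPC".
// Returns TRUE when both the read and the write succeeded. Kept free of C++
// objects with destructors because __try cannot coexist with unwinding.
static BOOL ExchangeWithTarget(HANDLE ProcessHandle, ULONG64 BaseAddress, BOOL UseWin32Api)
{
    static const char Payload[] = "Point-IPC";
    char BufferData[20] = { 0 };
    // Read one byte less than the buffer holds so the last byte stays 0: the
    // bytes copied out of the other process are untrusted and need not contain
    // a terminator, and printf("%s") must never run past the buffer.
    const ULONG64 BufferLength = sizeof(BufferData) - 1;
    ULONG64 ReturnLength = 0;
    BOOL Ok = FALSE;

    __try
    {
        Ok = ReadTarget(ProcessHandle, BaseAddress, UseWin32Api,
                        BufferData, BufferLength, &ReturnLength);
        if (Ok)
        {
            BufferData[sizeof(BufferData) - 1] = '\0';
            printf("%s\r\n", BufferData);   // show what was there before replacing it

            ZeroMemory(BufferData, sizeof(BufferData));
            memcpy(BufferData, Payload, sizeof(Payload));   // sizeof includes the terminator
            Ok = WriteTarget(ProcessHandle, BaseAddress, UseWin32Api,
                             BufferData, sizeof(Payload), &ReturnLength);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("异常\r\n");   // "exception"
        Ok = FALSE;
    }
    return Ok;
}

// Reads, prints and overwrites the memory at BaseAddress in process ProcessID.
//
// Returns TRUE when the exchange succeeded; FALSE for a zero address, when
// SeDebugPrivilege cannot be enabled, when the process cannot be opened, when
// its bitness is unknown, or when the 32->64 path is needed but the NtWow64*
// exports were not found. SeDebugPrivilege is enabled only for the duration
// of the call and dropped again on every path that enabled it.
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress)
{
    if (BaseAddress == 0)
    {
        return FALSE;
    }
    if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
    {
        return FALSE;
    }

    BOOL Result = FALSE;
    // Only the rights the bitness query and the read/write below need.
    HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                       FALSE, ProcessID);
    if (ProcessHandle != NULL)
    {
        BOOL UseWin32Api = FALSE;
        const BOOL Wow64HelpersResolved =
            (g_NtWow64ReadVirtualMemory64 != NULL && g_NtWow64WriteVirtualMemory64 != NULL);
        if (SelectAccessPath(ProcessHandle, &UseWin32Api)
            && (UseWin32Api || Wow64HelpersResolved))
        {
            Result = ExchangeWithTarget(ProcessHandle, BaseAddress, UseWin32Api);
        }
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;
    }

    EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
    return Result;
}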


测试程序:

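// Target used to exercise the reader: prints its pid and the address of a
// 20-byte buffer, waits, then prints the buffer again so a write made by the
// other process becomes visible.
#include "stdafx.h"
#include <Windows.h>
#include <cstdio>

int main()
{
    char BufferData[20] = "HelloWorld";

    // GetCurrentProcessId() returns a DWORD, so print it as unsigned long;
    // the address is printed with %p, which the reader parses back with %llx.
    printf("ProcessID:%lu\r\n", GetCurrentProcessId());
    printf("BaseAddress:%p\r\n", (void *)BufferData);
    printf("Input AnyKey To Continue\r\n");
    getchar();

    // By now the reader may have overwritten the buffer in place.
    printf("BaseAddress:%s\r\n", BufferData);
    printf("Input AnyKey To Exit\r\n");
    getchar();
    return 0;
}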

遇到的问题:

1.
IsWow64Process函数的使用;

2.

‘|’与‘||’的区别:罗列进程访问权限时要用按位或‘|’组合各个标志,而不是逻辑或‘||’;

3.

函数名不能加横线,只能加下划线;

4.

输入地址(包括32位与64位)的方法;



(程序中都有展示)