关于 什么打开进程 提高权限 获取线程句柄 写内存 读内存的 知识
你好 大牛,很崇拜你,请问一下 @ryxcaixia有哪本书介绍,能告诉我吗 谢谢 @ryxcaixia 帮你 @ryxcaixia 本帖最后由 y290176346 于 2016-1-16 15:15 编辑小甲鱼 发表于 2016-1-16 14:10
帮你 @ryxcaixia
@ryxcaixia @ryxcaixia {:5_96:}我@出来怎么没有下划线 ,我@的好用吗?
是不是我out了
希望多分享下 我目测你说的这些都是win32平台上的
打开进程 获取句柄 提高权限 读写内存 少年 打算搞WG么?
如果一定要推荐书 肯定是win32核心编程 这个书上 在看不到windows核心源码的情况下
最大可能的剖析了很多核心的东西
直接看后面的关于内存和动态库 hook等的内容就行了
不过 这些都需要你对内存有一定的理解 和 win32平台上一些高级API的使用 少年 我想说 一步一步来把 先打好基础 再弄其他的 有相同的目的。。。。。。。 从基础开始吧 看<<windows核心编程>> 学习学习学习 AdjustTokenPrivileges ,打开调试权限,就可以打开别的进程做操作了,但是要管理员权限 这是我写的一个游戏的WG读写类,包含了一些基本的读写内存,申请内存的方法,希望可以帮到你!
这是MemoryRW.h文件
#pragma once
#include <Windows.h>
#include <iostream>
#include <qvector.h>
#include<math.h>
#include<stdio.h>
#include <stdarg.h>
#define BIT(num, n, m)((num & (m << n * 4)) > 0)
class MemoryRW
{
public:
MemoryRW(DWORD ProcessID, QString ProcessName);
~MemoryRW();
bool read(int address, LPVOID temp, int count);
bool write(int address, LPVOID temp, int count);
int readInt(int address);
bool writeInt(int address, int temp);
float readDecimal(int address);
bool writeDecimal(int address, float value);
void readWchar(int address, LPVOID temp, int count);
void callFunc(LPVOID mFunc, DWORD mFuncSize, LPVOID Param, DWORD ParamSize);
LPVOID applyMemory(int count, DWORD protect = PAGE_EXECUTE_READWRITE, DWORD type = MEM_COMMIT);
bool freeMemory(LPVOID address, DWORD Size = 0, DWORD type = MEM_RELEASE);
std::vector<int> SearchConditioncode(std::vector<byte> Conditioncode);
private:
HWND hWindows = NULL;
HANDLE hProcess = NULL;
DWORD ThreadID = NULL;
DWORD ProcessID = NULL;
unsigned long SearchBegin = 0x400000;
unsigned long SearchEnd = 0x7ffeffff;
};
这是.cpp文件
#include "MemoryRW.h"
MemoryRW::MemoryRW(DWORD ProcessID, QString ProcessName)
{
char str;
QByteArray ba = ProcessName.toLatin1();
char * mm = ba.data();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
sprintf_s(str, "process %s---processid %d", mm, ProcessID);
MessageBoxA(NULL, str, "nice", MB_OK);
}
MemoryRW::~MemoryRW()
{
}
std::vector<int> MemoryRW::SearchConditioncode(std::vector<byte> Conditioncode) {
BYTE * Conditioncode_array = new BYTE;
for (int i = 0; i < Conditioncode.size(); i++) {
Conditioncode_array = Conditioncode;
}
int Conditioncode_num = Conditioncode.size();
int i, j;
std::vector<int> temp;
MEMORY_BASIC_INFORMATION mbInfo = { 0 };
const SIZE_T BaseInfoLen = sizeof(MEMORY_BASIC_INFORMATION);
BYTE *lpBuf = new BYTE;
DWORD dwBufSize = 1;
for (i = SearchBegin; i < SearchEnd;) {
VirtualQueryEx(hProcess, (LPCVOID)i, &mbInfo, BaseInfoLen);
if (lpBuf != NULL) {
delete[] lpBuf;
lpBuf = NULL;
}
if (BIT(mbInfo.State, 3, 1) && (BIT(mbInfo.Protect, 1, 1) || BIT(mbInfo.Protect, 1, 2) || BIT(mbInfo.Protect, 1, 4))) {
dwBufSize = mbInfo.RegionSize;
lpBuf = new BYTE;
if (ReadProcessMemory(hProcess, (LPCVOID)i, lpBuf, dwBufSize, 0)) {
for (j = 0; j <= mbInfo.RegionSize - Conditioncode_num; j++) {
for (int k = 0; k < Conditioncode_num; k++) {
if (lpBuf != Conditioncode_array) {
goto s;
}
}
temp.push_back(i + j);
if (lpBuf != NULL) {
delete[] lpBuf;
lpBuf = NULL;
}
//return temp;
s:;
}
}
}
i = (int)mbInfo.BaseAddress + mbInfo.RegionSize;
}
if (lpBuf != NULL) {
delete[] lpBuf;
lpBuf = NULL;
}
delete[]Conditioncode_array;
return temp;
}
bool MemoryRW::read(int address, LPVOID temp, int count) {
if (ReadProcessMemory(hProcess, (LPCVOID)address, temp, count, 0)) {
return true;
}
else {
return false;
}
}
bool MemoryRW::write(int address, LPVOID temp, int count) {
if (WriteProcessMemory(hProcess, (LPVOID)address, temp, count, 0)) {
return true;
}
else {
return false;
}
}
int MemoryRW::readInt(int address) {
int temp = 0;
ReadProcessMemory(hProcess, (LPCVOID)address, &temp, 4, 0);
return temp;
}
bool MemoryRW::writeInt(int address, int temp) {
if (WriteProcessMemory(hProcess, (LPVOID)address, &temp, 4, 0)) {
return true;
}
else {
return false;
}
}
float MemoryRW::readDecimal(int address) {
float temp;
ReadProcessMemory(hProcess, (LPCVOID)address, &temp, 4, 0);
return temp;
}
bool MemoryRW::writeDecimal(int address, float value) {
if (WriteProcessMemory(hProcess, (LPVOID)address, &value, 4, 0)) {
return true;
}
else {
return false;
}
}
void MemoryRW::readWchar(int address, LPVOID temp, int count) {
int tempCount = 0;
wchar_t tempWchar = L'\0';
while (true)
{
wchar_t tempWchar = WORD(readInt(address + tempCount * 2));
*((WORD *)temp + tempCount) = tempWchar;
tempCount++;
if (tempWchar == L'\0' || tempCount == count - 1) {
*((WORD *)temp + tempCount) = L'\0';
break;
}
}
}
LPVOID MemoryRW::applyMemory(int count, DWORD protect, DWORD type) {
return VirtualAllocEx(hProcess, NULL, count, type, protect);
}
bool MemoryRW::freeMemory(LPVOID address, DWORD Size, DWORD type) {
return VirtualFreeEx(hProcess, address, Size, type);
}
//**************************************************************************************
//函数名:InfusionFunc
//功能:封装远程注入的函数
//参数 1:进程ID
//参数 2:被注入函数指针<函数名>
//参数 3:参数
//参数 4:参数长度
//**************************************************************************************
void MemoryRW::callFunc(LPVOID mFunc, DWORD mFuncSize,LPVOID Param, DWORD ParamSize)
{
LPVOID mFuncAddr;//申请函数内存地址
LPVOID ParamAddr;//申请参数内存地址
HANDLE hThread; //线程句柄
DWORD NumberOfByte; //辅助返回值
//打开被注入的进程句柄
//申请内存
mFuncAddr = applyMemory(mFuncSize);
ParamAddr = applyMemory(ParamSize);
//写内存
write((int)mFuncAddr, mFunc, mFuncSize);
write((int)ParamAddr, Param, ParamSize);
//创建远程线程
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr,
ParamAddr, 0, &NumberOfByte);
WaitForSingleObject(hThread, INFINITE); //等待线程结束
//释放申请有内存
freeMemory(mFuncAddr);
freeMemory(ParamAddr);
//释放远程句柄
CloseHandle(hThread);
}
sorry的是我没写 注释 不过代码不长,看懂应该没问题! 还有一些东西是qt的,比如QByteArray !
页:
[1]