|
|
20鱼币
一段读取修改内存代码,问题是在修改内存函数WriteProcessMemory()函数出现代码87,参数不正确,我觉得我的参数是对的所以求解
下面贴出代码
#include<stdio.h>
#include<windows.h>
#include<Error.h>
#include<Psapi.h>//包含进程状态的api头文件
#include<Tlhelp32.h>//包含运行的程序的程序信息函数文件
#define ID_BUTTON1 1
#define buff MAX_PATH
#define TYPE_LEVEL 0x1
#define TYPE_VETRICAL 0x2
DWORD buffs[1024];
DWORD size;
struct jiegou
{
int x;
int y;
}JG;
DWORD writeprocessmemory(HANDLE hp,DWORD zhi);//要写入的进程句柄,和写入值
BOOL Readprocessmemory(LPSTR lp,DWORD ints,DWORD zhi);
//参数一读取知道名称的进程内存,参数二 读取的数据,参数三 将读取的数据修改的值
BOOL Compareapage(HANDLE hremoteprocess,DWORD base,DWORD ints);
//内存比较,参数一基地址,参数二 要比较的值
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
HDC hdc;
MSG msg;
HWND hwnd;
WNDCLASSEX wc;
wc.style=CS_HREDRAW|CS_VREDRAW;
wc.cbSize=sizeof(wc);
wc.lpfnWndProc=WinProc;
wc.hInstance=hInstance;
wc.cbClsExtra=0;
wc.cbWndExtra=0;
wc.hIcon=NULL;
wc.hIconSm=NULL;
wc.hCursor=LoadCursor(NULL,IDC_ARROW);
wc.hbrBackground=(HBRUSH)GetStockObject(2);
wc.lpszClassName="window";
wc.lpszMenuName=NULL;
if(!RegisterClassEx(&wc))
{
MessageBox(NULL,"注册窗口失败","ERROR",MB_OK);
}
hdc=CreateDC("DISPLAY",NULL,NULL,NULL);
JG.x=GetDeviceCaps(hdc,8);
JG.y=GetDeviceCaps(hdc,10);
hwnd=CreateWindow("window","window",WS_OVERLAPPEDWINDOW,JG.x/2-200,JG.y/2-200,400,400,NULL,NULL,hInstance,NULL) ;
ShowWindow(hwnd,nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return msg.wParam;
}
LRESULT CALLBACK WinProc(HWND hwnd,UINT message ,WPARAM wparam,LPARAM lparam)
{
HDC hdc;
PAINTSTRUCT ps;
RECT rect;
int x,y;
HWND hbutton1;
switch(message)
{
case WM_CREATE:
GetClientRect(hwnd,&rect);
x=rect.right;
y=rect.bottom;
hbutton1=CreateWindow("button","按钮1",WS_CHILD|WS_VISIBLE|BS_PUSHBUTTON,x/2-20,y-20,40,20,hwnd,(HMENU)ID_BUTTON1,((LPCREATESTRUCT)lparam)->hInstance,NULL);break;
case WM_PAINT:
hdc=BeginPaint(hwnd,&ps);
/* code位置 */
/* ↓ */
//processheap(3048);
//getEnumprocessid();
//Firstprocessid("360tray.exe");
//modulefirst("Psapi.dll");
/* ↑ */
/* code数位置 */
EndPaint(hwnd,&ps);
break;
case WM_COMMAND:
switch(LOWORD(wparam))
{
case ID_BUTTON1:
/* code位置 */
/* ↓ */
Readprocessmemory("模板.exe",(DWORD)'M',(DWORD)'S');
/* ↑ */
/* code数位置 */
InvalidateRect(hwnd,NULL,TRUE);
break;
};
break;
case 0x2:
PostQuitMessage(0); break;
}
return DefWindowProc(hwnd,message,wparam,lparam);
}
BOOL Readprocessmemory(LPSTR lp,DWORD ints,DWORD zhi)
{ char err[5];
char strerr[64];
int error;
HANDLE hprocess,hremoteprocess;
DWORD pid;
PROCESSENTRY32 pinfo={0};
THREADENTRY32 tinfo={0};
////////////////////
DWORD GB=1024*1024*1024;
DWORD page;
DWORD base;
SYSTEM_INFO sinfo;
hprocess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pinfo.dwSize=sizeof(PROCESSENTRY32);
if(!Process32First(hprocess,&pinfo))
{
itoa(GetLastError(),err,10);
MessageBox(NULL,err,"错误",MB_OK);
return FALSE;
}
do{
if(lstrcmpi(lp,pinfo.szExeFile)==0)
{
pid=pinfo.th32ProcessID;
}
}while(Process32Next(hprocess,&pinfo));
// hthread=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,pid);
/* tinfo.dwSize=sizeof(THREADENTRY32);
if(!Thread32First(hthread,&tinfo))
{
itoa(GetLastError(),err,10);
MessageBox(NULL,err,"错误",MB_OK);
return FALSE;
}
do{
if(tinfo.th32OwnerProcessID==pid)
{
tid=tinfo.th32ThreadID;
}
}while(Thread32Next(hthread,&tinfo));
*/
if(EnablePrivilege("CE_DEBUG_NAME"))//提升权限
{
MessageBox(NULL,"权限提升失败","错误",MB_OK);
}
if(!(hremoteprocess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid)))
{
itoa(GetLastError(),err,10);
MessageBox(NULL,err,"错误",MB_OK);
return FALSE;
}
/*
//tid=GetThreadId(hremoteprocess);此函数无法得到进程句柄
if(!(hremotethread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid)))
{
itoa(GetLastError(),err,10);
MessageBox(NULL,err,"错误",MB_OK);
return FALSE;
}
CloseHandle(hremotethread);
*/
GetSystemInfo(&sinfo);//获得系统的信息
base=sinfo.dwAllocationGranularity;//得到分配粒度进程内存分配的开始
page=sinfo.dwPageSize;//分页大小
for(;base<GB*2;base+=page)//32位系统程序和系统各用2GB
{
Compareapage(hremoteprocess,base,ints);//对每个分页内存进行比较
}
if(error=writeprocessmemory(hremoteprocess,zhi))
{
itoa(error,err,10);
sprintf(strerr,"写入失败,错误代码:%s",err);
MessageBox(NULL,strerr,"错误",MB_OK);
return FALSE;
}
return TRUE;
}
BOOL Compareapage(HANDLE hremoteprocess,DWORD base,DWORD ints)
{
BYTE bByte[4096];
int i;
DWORD *dw;
if(!ReadProcessMemory(hremoteprocess,(LPVOID)base,bByte,4096,NULL))
{
// MessageBox(NULL,"不可读","错误",MB_OK);
return FALSE;
}
for(i=0;i<4096-3;i++)
{
dw=(DWORD*)&bByte[i];
if(*dw == ints)
{
if(size>=1024)
{
return FALSE;
}
buffs[size++]=base+i;//将找到对应想要的值的分页地址偏移量放入数组
}
}
return TRUE;
}
//修改内存值
DWORD writeprocessmemory(HANDLE hp,DWORD zhi)
{
SIZE_T h=0;
DWORD s;
for(s=0;s<=size;s++)
{
if(!WriteProcessMemory(hp,(LPVOID)buffs[s],(LPVOID)&zhi,sizeof(DWORD),&h))
{
return GetLastError();
}
}
return TRUE;
}
//进程权限提升函数
BOOL EnablePrivilege(LPSTR lp)//提升进程权限
{
HANDLE hken;
TOKEN_PRIVILEGES ken;//令牌
LookupPrivilegeValue(NULL,lp,&ken.Privileges[0].Luid);//获得系统令牌信息
ken.PrivilegeCount=1;//特权的数组个数
ken.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;//启用特权令牌
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hken);//得到当前进程的令牌
AdjustTokenPrivileges(hken,FALSE,&ken,sizeof(ken),0,0);//设置令牌
//CloseHandle(hken);
return (GetLastError()==ERROR_SUCCESS) ;//返回错误信息
}
|
|
( 粤ICP备18085999号-1 | 粤公网安备 44051102000585号)
狗仔卡
发表于 2013-11-3 10:20:52
置顶卡
千斤顶
显身卡
楼主