社区
Windows Server
帖子详情
机器经常提示,"0x00aa567d"指令引用的"0x6c6e7553"内存。该内存不能为"read"。这是什么原因?
itme99
2003-10-17 02:22:55
我没有装过任何对机器“进行保护的程序”,这是病毒吗?
...全文
119
5
打赏
收藏
机器经常提示,"0x00aa567d"指令引用的"0x6c6e7553"内存。该内存不能为"read"。这是什么原因?
我没有装过任何对机器“进行保护的程序”,这是病毒吗?
复制链接
扫一扫
分享
转发到动态
举报
写回复
配置赞助广告
用AI写文章
5 条
回复
切换为时间正序
请发表友善的回复…
发表回复
打赏红包
smart2star
2003-10-18
打赏
举报
回复
看来要是高手来解释解释就好了
icuc88
2003-10-18
打赏
举报
回复
因为对于病毒只是一种猜测。具体什么病毒需要用杀毒工具检测。
这个原因是因为程序想要访问一个无权访问的内存造成的。
itme99
2003-10-18
打赏
举报
回复
如果是病毒,是什么种类的病毒!
icuc88
2003-10-17
打赏
举报
回复
1. 病毒
2. 软件不兼容
3. 系统被破坏
tolyen
2003-10-17
打赏
举报
回复
應該不是,
重裝系統吧。
au3反编译源码
au3反编译源码 myAut2Exe - The Open Source AutoIT Script Decompiler 2.9 ======================================================== *New* full support for AutoIT v3.2.6++ :) ... mmh here's what I merely missed in the 'public sources 3.1.0' This program is for studying the 'Compiled' AutoIt3 format. AutoHotKey was developed from AutoIT and so scripts are nearly the same. Drag the compiled *.exe or *.a3x into the AutoIT Script Decompiler textbox. To copy text or to enlarge the log window double click on it. Supported Obfuscators: 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.20 [Sept 8, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.22 [Oct 18, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.24 [Feb 15, 2008]' , 'EncodeIt 2.0' and 'Chr() string encode' Tested with: AutoIT : v3. 3. 0.0 and AutoIT : v2.64. 0.0 and AutoHotKey: v1.0.48.5 The options: =========== 'Force Old Script Type' Grey means auto detect and is the best in most cases. However if auto detection fails or is fooled through modification try to enable/disable this setting 'Don't delete temp files (compressed script)' this will keep *.pak files you may try to unpack manually with'LZSS.exe' as well as *.tok DeTokeniser files, tidy backups and *.tbl (<-Used in van Zande obfucation). If enable it will keep AHK-Scripts as they are and doesn't remove the linebreaks at the beginning Default:OFF 'Verbose LogOutput' When checked you get verbose information when decompiling(DeTokenise) new 3.2.6+ compiled Exe Default:OFF 'Restore Includes' will separated/restore includes. requires ';
hook api lib.zip
Hook API Lib 0.5.rar Hook API Lib 0.51.rar /* ////////////////////////////////////////////////////////////////////////// HookApi 0.5 thanks to xIkUg ,sucsor by 海风月影[RCT] , eIcn#live.cn 2008.04.15 ////////////////////////////////////////////////////////////////////////// //更新内容 2008.04.15 0.5 1,重新写了Stub,换了一种模式,使hook更加自由,将hookbefore和hookafter合并 HookProc的定义方式与以前有所不同: HookProc的函数类型和原来的api一样,只是参数比原API多2个 DWORD WINAPI HookProc(DWORD RetAddr ,__pfnXXXX pfnXXXX, ...); //参数比原始的API多2个参数 RetAddr //调用api的返回地址 pfnXXX //类型为__pfnXXXX,待hook的api的声明类型,用于调用未被hook的api 详见My_LoadLibraryA 原始的LoadLibraryA的声明是: HMODULE WINAPI LoadLibraryA( LPCSTR lpLibFileName ); 那么首先定义一下hook的WINAPI的类型 typedef HMODULE (WINAPI __pfnLoadLibraryA)(LPCTSTR lpFileName); 然后hookproc的函数声明如下: HMODULE WINAPI My_LoadLibraryA(DWORD RetAddr, __pfnLoadLibraryA pfnLoadLibraryA, LPCTSTR lpFileName ); 比原来的多了2个参数,参数位置
不能
颠倒,在My_LoadLibraryA中可以自由的调用未被hook的pfnLoadLibraryA 也可以调用系统的LoadLibraryA,不过要自己在hookproc中处理好重入问题 另外,也可以在My_LoadLibraryA中使用UnInstallHookApi()函数来卸载hook,用法如下: 将第二个参数__pfnLoadLibraryA pfnLoadLibraryA强制转换成PHOOKENVIRONMENT类型,使用UnInstallHookApi来卸载 例如: UnInstallHookApi((PHOOKENVIRONMENT)pfnLoadLibraryA); 至于以前版本的HookBefore和HookAfter,完全可以在自己的HookProc里面灵活使用了 2,支持卸载hook InstallHookApi()调用后会返回一个PHOOKENVIRONMENT类型的指针 需要卸载的时候可以使用UnInstallHookApi(PHOOKENVIRONMENT pHookEnv)来卸载 在HookProc中也可以使用UnInstallHookApi来卸载,参数传入HookProc中的第二个参数 ★★注意: 1,如果在HookProc中自己不调用API(pfnXXXXX()),那么返回后,Stub是不会调用的,切记! 2,当HookProc中使用UnInstallHookApi卸载完后就
不能
用第二个参数来调用API了(pfnXXXX()),切记! 2008.04.15 0.41 1,前面的deroko的LdeX86 有BUG,678b803412 会算错 换了一个LDX32,代码更少,更容易理解 2,修复了VirtualProtect的一个小BUG 0.4以前 改动太大了,前面的就不写了 */ #include
#include
#include "HookApi.h" BYTE JMPGate[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 // JMP XXXXXXXX }; ////////////////////////////////////////////////////////////////////////// //另一个LDX32 #define C_ERROR 0xFFFFFFFF #define C_PREFIX 0x00000001 #define C_66 0x00000002 #define C_67 0x00000004 #define C_DATA66 0x00000008 #define C_DATA1 0x00000010 #define C_DATA2 0x00000020 #define C_DATA4 0x00000040 #define C_MEM67 0x00000080 #define C_MEM1 0x00000100 #define C_MEM2 0x00000200 #define C_MEM4 0x00000400 #define C_MODRM 0x00000800 #define C_DATAW0 0x00001000 #define C_FUCKINGTEST 0x00002000 #define C_TABLE_0F 0x00004000 DWORD table_1[256] = { /* 00 */ C_MODRM /* 01 */, C_MODRM /* 02 */, C_MODRM /* 03 */, C_MODRM /* 04 */, C_DATAW0 /* 05 */, C_DATAW0 /* 06 */, 0 /* 07 */, 0 /* 08 */, C_MODRM /* 09 */, C_MODRM /* 0A */, C_MODRM /* 0B */, C_MODRM /* 0C */, C_DATAW0 /* 0D */, C_DATAW0 /* 0E */, 0 /* 0F */, C_TABLE_0F /* 10 */, C_MODRM /* 11 */, C_MODRM /* 12 */, C_MODRM /* 13 */, C_MODRM /* 14 */, C_DATAW0 /* 15 */, C_DATAW0 /* 16 */, 0 /* 17 */, 0 /* 18 */, C_MODRM /* 19 */, C_MODRM /* 1A */, C_MODRM /* 1B */, C_MODRM /* 1C */, C_DATAW0 /* 1D */, C_DATAW0 /* 1E */, 0 /* 1F */, 0 /* 20 */, C_MODRM /* 21 */, C_MODRM /* 22 */, C_MODRM /* 23 */, C_MODRM /* 24 */, C_DATAW0 /* 25 */, C_DATAW0 /* 26 */, C_PREFIX /* 27 */, 0 /* 28 */, C_MODRM /* 29 */, C_MODRM /* 2A */, C_MODRM /* 2B */, C_MODRM /* 2C */, C_DATAW0 /* 2D */, C_DATAW0 /* 2E */, C_PREFIX /* 2F */, 0 /* 30 */, C_MODRM /* 31 */, C_MODRM /* 32 */, C_MODRM /* 33 */, C_MODRM /* 34 */, C_DATAW0 /* 35 */, C_DATAW0 /* 36 */, C_PREFIX /* 37 */, 0 /* 38 */, C_MODRM /* 39 */, C_MODRM /* 3A */, C_MODRM /* 3B */, C_MODRM /* 3C */, C_DATAW0 /* 3D */, C_DATAW0 /* 3E */, C_PREFIX /* 3F */, 0 /* 40 */, 0 /* 41 */, 0 /* 42 */, 0 /* 43 */, 0 /* 44 */, 0 /* 45 */, 0 /* 46 */, 0 /* 47 */, 0 /* 48 */, 0 /* 49 */, 0 /* 4A */, 0 /* 4B */, 0 /* 4C */, 0 /* 4D */, 0 /* 4E */, 0 /* 4F */, 0 /* 50 */, 0 /* 51 */, 0 /* 52 */, 0 /* 53 */, 0 /* 54 */, 0 /* 55 */, 0 /* 56 */, 0 /* 57 */, 0 /* 58 */, 0 /* 59 */, 0 /* 5A */, 0 /* 5B */, 0 /* 5C */, 0 /* 5D */, 0 /* 5E */, 0 /* 5F */, 0 /* 60 */, 0 /* 61 */, 0 /* 62 */, C_MODRM /* 63 */, C_MODRM /* 64 */, C_PREFIX /* 65 */, C_PREFIX /* 66 */, C_PREFIX+C_66 /* 67 */, C_PREFIX+C_67 /* 68 */, C_DATA66 /* 69 */, C_MODRM+C_DATA66 /* 6A */, C_DATA1 /* 6B */, C_MODRM+C_DATA1 /* 6C */, 0 /* 6D */, 0 /* 6E */, 0 /* 6F */, 0 /* 70 */, C_DATA1 /* 71 */, C_DATA1 /* 72 */, C_DATA1 /* 73 */, C_DATA1 /* 74 */, C_DATA1 /* 75 */, C_DATA1 /* 76 */, C_DATA1 /* 77 */, C_DATA1 /* 78 */, C_DATA1 /* 79 */, C_DATA1 /* 7A */, C_DATA1 /* 7B */, C_DATA1 /* 7C */, C_DATA1 /* 7D */, C_DATA1 /* 7E */, C_DATA1 /* 7F */, C_DATA1 /* 80 */, C_MODRM+C_DATA1 /* 81 */, C_MODRM+C_DATA66 /* 82 */, C_MODRM+C_DATA1 /* 83 */, C_MODRM+C_DATA1 /* 84 */, C_MODRM /* 85 */, C_MODRM /* 86 */, C_MODRM /* 87 */, C_MODRM /* 88 */, C_MODRM /* 89 */, C_MODRM /* 8A */, C_MODRM /* 8B */, C_MODRM /* 8C */, C_MODRM /* 8D */, C_MODRM /* 8E */, C_MODRM /* 8F */, C_MODRM /* 90 */, 0 /* 91 */, 0 /* 92 */, 0 /* 93 */, 0 /* 94 */, 0 /* 95 */, 0 /* 96 */, 0 /* 97 */, 0 /* 98 */, 0 /* 99 */, 0 /* 9A */, C_DATA66+C_MEM2 /* 9B */, 0 /* 9C */, 0 /* 9D */, 0 /* 9E */, 0 /* 9F */, 0 /* A0 */, C_MEM67 /* A1 */, C_MEM67 /* A2 */, C_MEM67 /* A3 */, C_MEM67 /* A4 */, 0 /* A5 */, 0 /* A6 */, 0 /* A7 */, 0 /* A8 */, C_DATA1 /* A9 */, C_DATA66 /* AA */, 0 /* AB */, 0 /* AC */, 0 /* AD */, 0 /* AE */, 0 /* AF */, 0 /* B0 */, C_DATA1 /* B1 */, C_DATA1 /* B2 */, C_DATA1 /* B3 */, C_DATA1 /* B4 */, C_DATA1 /* B5 */, C_DATA1 /* B6 */, C_DATA1 /* B7 */, C_DATA1 /* B8 */, C_DATA66 /* B9 */, C_DATA66 /* BA */, C_DATA66 /* BB */, C_DATA66 /* BC */, C_DATA66 /* BD */, C_DATA66 /* BE */, C_DATA66 /* BF */, C_DATA66 /* C0 */, C_MODRM+C_DATA1 /* C1 */, C_MODRM+C_DATA1 /* C2 */, C_DATA2 /* C3 */, 0 /* C4 */, C_MODRM /* C5 */, C_MODRM /* C6 */, C_MODRM+C_DATA66 /* C7 */, C_MODRM+C_DATA66 /* C8 */, C_DATA2+C_DATA1 /* C9 */, 0 /* CA */, C_DATA2 /* CB */, 0 /* CC */, 0 /* CD */, C_DATA1+C_DATA4 /* CE */, 0 /* CF */, 0 /* D0 */, C_MODRM /* D1 */, C_MODRM /* D2 */, C_MODRM /* D3 */, C_MODRM /* D4 */, 0 /* D5 */, 0 /* D6 */, 0 /* D7 */, 0 /* D8 */, C_MODRM /* D9 */, C_MODRM /* DA */, C_MODRM /* DB */, C_MODRM /* DC */, C_MODRM /* DD */, C_MODRM /* DE */, C_MODRM /* DF */, C_MODRM /* E0 */, C_DATA1 /* E1 */, C_DATA1 /* E2 */, C_DATA1 /* E3 */, C_DATA1 /* E4 */, C_DATA1 /* E5 */, C_DATA1 /* E6 */, C_DATA1 /* E7 */, C_DATA1 /* E8 */, C_DATA66 /* E9 */, C_DATA66 /* EA */, C_DATA66+C_MEM2 /* EB */, C_DATA1 /* EC */, 0 /* ED */, 0 /* EE */, 0 /* EF */, 0 /* F0 */, C_PREFIX /* F1 */, 0 // 0xF1 /* F2 */, C_PREFIX /* F3 */, C_PREFIX /* F4 */, 0 /* F5 */, 0 /* F6 */, C_FUCKINGTEST /* F7 */, C_FUCKINGTEST /* F8 */, 0 /* F9 */, 0 /* FA */, 0 /* FB */, 0 /* FC */, 0 /* FD */, 0 /* FE */, C_MODRM /* FF */, C_MODRM }; // table_1 DWORD table_0F[256] = { /* 00 */ C_MODRM /* 01 */, C_MODRM /* 02 */, C_MODRM /* 03 */, C_MODRM /* 04 */, -1 /* 05 */, -1 /* 06 */, 0 /* 07 */, -1 /* 08 */, 0 /* 09 */, 0 /* 0A */, 0 /* 0B */, 0 /* 0C */, -1 /* 0D */, -1 /* 0E */, -1 /* 0F */, -1 /* 10 */, -1 /* 11 */, -1 /* 12 */, -1 /* 13 */, -1 /* 14 */, -1 /* 15 */, -1 /* 16 */, -1 /* 17 */, -1 /* 18 */, -1 /* 19 */, -1 /* 1A */, -1 /* 1B */, -1 /* 1C */, -1 /* 1D */, -1 /* 1E */, -1 /* 1F */, -1 /* 20 */, -1 /* 21 */, -1 /* 22 */, -1 /* 23 */, -1 /* 24 */, -1 /* 25 */, -1 /* 26 */, -1 /* 27 */, -1 /* 28 */, -1 /* 29 */, -1 /* 2A */, -1 /* 2B */, -1 /* 2C */, -1 /* 2D */, -1 /* 2E */, -1 /* 2F */, -1 /* 30 */, -1 /* 31 */, -1 /* 32 */, -1 /* 33 */, -1 /* 34 */, -1 /* 35 */, -1 /* 36 */, -1 /* 37 */, -1 /* 38 */, -1 /* 39 */, -1 /* 3A */, -1 /* 3B */, -1 /* 3C */, -1 /* 3D */, -1 /* 3E */, -1 /* 3F */, -1 /* 40 */, -1 /* 41 */, -1 /* 42 */, -1 /* 43 */, -1 /* 44 */, -1 /* 45 */, -1 /* 46 */, -1 /* 47 */, -1 /* 48 */, -1 /* 49 */, -1 /* 4A */, -1 /* 4B */, -1 /* 4C */, -1 /* 4D */, -1 /* 4E */, -1 /* 4F */, -1 /* 50 */, -1 /* 51 */, -1 /* 52 */, -1 /* 53 */, -1 /* 54 */, -1 /* 55 */, -1 /* 56 */, -1 /* 57 */, -1 /* 58 */, -1 /* 59 */, -1 /* 5A */, -1 /* 5B */, -1 /* 5C */, -1 /* 5D */, -1 /* 5E */, -1 /* 5F */, -1 /* 60 */, -1 /* 61 */, -1 /* 62 */, -1 /* 63 */, -1 /* 64 */, -1 /* 65 */, -1 /* 66 */, -1 /* 67 */, -1 /* 68 */, -1 /* 69 */, -1 /* 6A */, -1 /* 6B */, -1 /* 6C */, -1 /* 6D */, -1 /* 6E */, -1 /* 6F */, -1 /* 70 */, -1 /* 71 */, -1 /* 72 */, -1 /* 73 */, -1 /* 74 */, -1 /* 75 */, -1 /* 76 */, -1 /* 77 */, -1 /* 78 */, -1 /* 79 */, -1 /* 7A */, -1 /* 7B */, -1 /* 7C */, -1 /* 7D */, -1 /* 7E */, -1 /* 7F */, -1 /* 80 */, C_DATA66 /* 81 */, C_DATA66 /* 82 */, C_DATA66 /* 83 */, C_DATA66 /* 84 */, C_DATA66 /* 85 */, C_DATA66 /* 86 */, C_DATA66 /* 87 */, C_DATA66 /* 88 */, C_DATA66 /* 89 */, C_DATA66 /* 8A */, C_DATA66 /* 8B */, C_DATA66 /* 8C */, C_DATA66 /* 8D */, C_DATA66 /* 8E */, C_DATA66 /* 8F */, C_DATA66 /* 90 */, C_MODRM /* 91 */, C_MODRM /* 92 */, C_MODRM /* 93 */, C_MODRM /* 94 */, C_MODRM /* 95 */, C_MODRM /* 96 */, C_MODRM /* 97 */, C_MODRM /* 98 */, C_MODRM /* 99 */, C_MODRM /* 9A */, C_MODRM /* 9B */, C_MODRM /* 9C */, C_MODRM /* 9D */, C_MODRM /* 9E */, C_MODRM /* 9F */, C_MODRM /* A0 */, 0 /* A1 */, 0 /* A2 */, 0 /* A3 */, C_MODRM /* A4 */, C_MODRM+C_DATA1 /* A5 */, C_MODRM /* A6 */, -1 /* A7 */, -1 /* A8 */, 0 /* A9 */, 0 /* AA */, 0 /* AB */, C_MODRM /* AC */, C_MODRM+C_DATA1 /* AD */, C_MODRM /* AE */, -1 /* AF */, C_MODRM /* B0 */, C_MODRM /* B1 */, C_MODRM /* B2 */, C_MODRM /* B3 */, C_MODRM /* B4 */, C_MODRM /* B5 */, C_MODRM /* B6 */, C_MODRM /* B7 */, C_MODRM /* B8 */, -1 /* B9 */, -1 /* BA */, C_MODRM+C_DATA1 /* BB */, C_MODRM /* BC */, C_MODRM /* BD */, C_MODRM /* BE */, C_MODRM /* BF */, C_MODRM /* C0 */, C_MODRM /* C1 */, C_MODRM /* C2 */, -1 /* C3 */, -1 /* C4 */, -1 /* C5 */, -1 /* C6 */, -1 /* C7 */, -1 /* C8 */, 0 /* C9 */, 0 /* CA */, 0 /* CB */, 0 /* CC */, 0 /* CD */, 0 /* CE */, 0 /* CF */, 0 /* D0 */, -1 /* D1 */, -1 /* D2 */, -1 /* D3 */, -1 /* D4 */, -1 /* D5 */, -1 /* D6 */, -1 /* D7 */, -1 /* D8 */, -1 /* D9 */, -1 /* DA */, -1 /* DB */, -1 /* DC */, -1 /* DD */, -1 /* DE */, -1 /* DF */, -1 /* E0 */, -1 /* E1 */, -1 /* E2 */, -1 /* E3 */, -1 /* E4 */, -1 /* E5 */, -1 /* E6 */, -1 /* E7 */, -1 /* E8 */, -1 /* E9 */, -1 /* EA */, -1 /* EB */, -1 /* EC */, -1 /* ED */, -1 /* EE */, -1 /* EF */, -1 /* F0 */, -1 /* F1 */, -1 /* F2 */, -1 /* F3 */, -1 /* F4 */, -1 /* F5 */, -1 /* F6 */, -1 /* F7 */, -1 /* F8 */, -1 /* F9 */, -1 /* FA */, -1 /* FB */, -1 /* FC */, -1 /* FD */, -1 /* FE */, -1 /* FF */, -1 }; // table_0F #pragma comment(linker, "/SECTION:HookStub,RW") #define NAKED __declspec(naked) #define ALLOCATE(x1) __declspec(allocate(#x1)) #define ALLOCATE_HookStub ALLOCATE(HookStub) #define ReloCationForADDR(x1,delta) ((DWORD(&x1) + delta)) #define ReloCationForDWORD(x1,delta) (*(LPDWORD(DWORD(&x1) + delta))) #define ReloCataonForTCHAR(x1,delta) (LPCTSTR(DWORD(&x1) + delta)) #define ReloCationForLP(x1,delta) (__##x1(ReloCationForDWORD(x1,delta))) #pragma code_seg("HookStub") #pragma optimize("",off) ALLOCATE_HookStub HOOKENVIRONMENT pEnv={0}; NAKED DWORD GetDelta() { __asm { call next next: pop eax sub eax,offset next ret } } NAKED void NewStub() { __asm { jmp next back: _emit 0xE9 NOP NOP NOP NOP next: push [esp] push [esp] push eax //保存一下Stub中唯一使用到的EAX call GetDelta lea eax,[eax+pEnv] mov dword ptr [esp+0xC],eax pop eax //恢复EAX jmp back } } NAKED DWORD GetEndAddr() { __asm { call next next: pop eax sub eax,5 ret } } #pragma optimize("",off) #pragma code_seg() DWORD __stdcall GetOpCodeSize(BYTE* iptr0) { BYTE* iptr = iptr0; DWORD f = 0; prefix: BYTE b = *iptr++; f |= table_1[b]; if (f&C_FUCKINGTEST) if (((*iptr)&0x38)==0x00) // ttt f=C_MODRM+C_DATAW0; // TEST else f=C_MODRM; // NOT,NEG,MUL,IMUL,DIV,IDIV if (f&C_TABLE_0F) { b = *iptr++; f = table_0F[b]; } if (f==C_ERROR) { //printf("error in X\n",b); return C_ERROR; } if (f&C_PREFIX) { f&=~C_PREFIX; goto prefix; } if (f&C_DATAW0) if (b&0x01) f|=C_DATA66; else f|=C_DATA1; if (f&C_MODRM) { b = *iptr++; BYTE mod = b & 0xC0; BYTE rm = b & 0x07; if (mod!=0xC0) { if (f&C_67) // modrm16 { if ((mod==0x00)&&(rm==0x06)) f|=C_MEM2; if (mod==0x40) f|=C_MEM1; if (mod==0x80) f|=C_MEM2; } else // modrm32 { if (mod==0x40) f|=C_MEM1; if (mod==0x80) f|=C_MEM4; if (rm==0x04) rm = (*iptr++) & 0x07; // rm<-sib.base if ((rm==0x05)&&(mod==0x00)) f|=C_MEM4; } } } // C_MODRM if (f&C_MEM67) if (f&C_67) f|=C_MEM2; else f|=C_MEM4; if (f&C_DATA66) if (f&C_66) f|=C_DATA2; else f|=C_DATA4; if (f&C_MEM1) iptr++; if (f&C_MEM2) iptr+=2; if (f&C_MEM4) iptr+=4; if (f&C_DATA1) iptr++; if (f&C_DATA2) iptr+=2; if (f&C_DATA4) iptr+=4; return iptr - iptr0; } PHOOKENVIRONMENT __stdcall InstallHookApi(PCHAR DllName,PCHAR ApiName,PVOID HookProc) { HMODULE DllHandle; PVOID ApiEntry; int ReplaceCodeSize; DWORD oldpro; DWORD SizeOfStub; DWORD delta; DWORD RetSize =0; PHOOKENVIRONMENT pHookEnv; if (HookProc == NULL) { return NULL; } DllHandle = GetModuleHandle(DllName); if (DllHandle == NULL) DllHandle = LoadLibrary(DllName); if (DllHandle == NULL) return NULL; ApiEntry = GetProcAddress(DllHandle,ApiName); if (ApiEntry == NULL) return NULL; ReplaceCodeSize = GetOpCodeSize((BYTE*)ApiEntry); while (ReplaceCodeSize < 5) ReplaceCodeSize += GetOpCodeSize((BYTE*)((DWORD)ApiEntry + (DWORD)ReplaceCodeSize)); if (ReplaceCodeSize > 16) return NULL; SizeOfStub = GetEndAddr()-(DWORD)&pEnv; pHookEnv = (PHOOKENVIRONMENT)VirtualAlloc(NULL,SizeOfStub,MEM_COMMIT,PAGE_
READ
WRITE); memset((void*)&pEnv,0x90,sizeof(pEnv)); CopyMemory(pHookEnv,(PVOID)&pEnv,SizeOfStub); CopyMemory((void*)pHookEnv,(void*)&pEnv,sizeof(pEnv.savebytes)); CopyMemory(pHookEnv->savebytes,ApiEntry,ReplaceCodeSize); pHookEnv->OrgApiAddr = ApiEntry; pHookEnv->SizeOfReplaceCode = ReplaceCodeSize; pHookEnv->jmptoapi[0]=0xE9; *(DWORD*)(&pHookEnv->jmptoapi[1]) = (DWORD)ApiEntry + ReplaceCodeSize - ((DWORD)pHookEnv->jmptoapi + 5); //patch api if (!VirtualProtect(ApiEntry,ReplaceCodeSize,PAGE_EXECUTE_
READ
WRITE,&oldpro)) return FALSE; delta = (DWORD)pHookEnv - (DWORD)&pEnv; *(DWORD*)(&JMPGate[1]) = ((DWORD)NewStub + delta) - ((DWORD)ApiEntry + 5); WriteProcessMemory(GetCurrentProcess(), ApiEntry, JMPGate, sizeof(JMPGate),&RetSize); if (!VirtualProtect(ApiEntry,ReplaceCodeSize,oldpro,&oldpro)) return FALSE; //写入变量 *(DWORD*)((DWORD)NewStub + delta + 3) = (DWORD)HookProc - ((DWORD)NewStub + delta + 3 + 4); return pHookEnv; } BOOL __stdcall UnInstallHookApi(PHOOKENVIRONMENT pHookEnv) { DWORD oldpro; DWORD RetSize; //如果
内存
不存在了,则退出 if(IsBad
Read
Ptr((const void*)pHookEnv,sizeof(HOOKENVIRONMENT))) return FALSE; if(!VirtualProtect(pHookEnv->OrgApiAddr,pHookEnv->SizeOfReplaceCode,PAGE_EXECUTE_
READ
WRITE,&oldpro)) return FALSE; WriteProcessMemory(GetCurrentProcess(),pHookEnv->OrgApiAddr,pHookEnv->savebytes,pHookEnv->SizeOfReplaceCode,&RetSize); if(!VirtualProtect(pHookEnv->OrgApiAddr,pHookEnv->SizeOfReplaceCode,oldpro,&oldpro)) return FALSE; VirtualFree((LPVOID)pHookEnv,0,MEM_RELEASE); return TRUE; } //定义下面这行可以作为演示使用 //#define TEST_MAIN #ifdef TEST_MAIN BOOL IsMe = FALSE; //先定义一下要hook的WINAPI typedef HMODULE (WINAPI __pfnLoadLibraryA)(LPCTSTR lpFileName); HMODULE WINAPI My_LoadLibraryA(DWORD RetAddr, __pfnLoadLibraryA pfnLoadLibraryA, LPCTSTR lpFileName ) { HMODULE hLib; //需要自己处理重入和线程安全问题 if (!IsMe) { IsMe = TRUE; MessageBoxA(NULL,lpFileName,"test",MB_ICONINFORMATION); hLib = LoadLibrary(lpFileName);//这里调用的是系统的,已经被hook过的 IsMe = FALSE; //这里是卸载Hook,这里卸载完就
不能
用pfnLoadLibraryA来调用了 UnInstallHookApi((PHOOKENVIRONMENT)pfnLoadLibraryA); return hLib; } return pfnLoadLibraryA(lpFileName);//这里调用非hook的 } int main() { DWORD RetSize =0; DWORD dwTh
read
Id; HANDLE hTh
read
; PHOOKENVIRONMENT pHookEnv; pHookEnv = InstallHookApi("Kernel32.dll", "LoadLibraryA", My_LoadLibraryA); LoadLibrary("InjectDll.dll"); MessageBoxA(NULL,"Safe Here!!!","Very Good!!",MB_ICONINFORMATION); UnInstallHookApi(pHookEnv);//由于HookProc中卸载过了,所以这里的卸载就无效了 MessageBoxA(NULL,"UnInstall Success!!!","Good!!",MB_ICONINFORMATION); return 0; } #endif
出现:0x????????
指令
引用
的0x????????
内存
。该
内存
不能
为"
read
"或"written"
【1】对电脑没有影响或【偶尔】出现,不用管它,【重启电脑】后可能会自动消失。 【2】盗版系统或Ghost版本系统,可能会出现该问题,及时安装官方发行的补丁,{检查电脑年、月、日是否正确}。建议:安装【正版】系统。 【3】病毒引起的:升级杀毒软件或下载专杀工具,对电脑全盘杀毒。 【4】硬件引起的:如果是
内存
条引起的,把
内存
条拆下清理干净重新安装。必要时【更换】
内存
条。(硬件上很少出现该问题) 【5】
“*** error 65: access violation at 0x0000000C : no '
read
' permission”错误的解决
摘要:STM32F407VG工程进入软件仿真时,出现*** error 65: access violation at 0x0000000C : no '
read
' permission错误。当点击RUN按钮时会重复
提示
*** error 65: access violation at 0x00000000 : no 'execute/
read
' permission的错误。解决步骤: 1. Op
js逆向-ast混淆还原进阶案例(1)
我啥也不说,自行领悟。 混淆代码: var _0x1491 = ['\x77\x35\x58\x43\x6a\x33\x54\x43\x6b\x77\x77\x3d', '\x63\x63\x4f\x6e\x4a\x56\x30\x6d', '\x77\x36\x59\x53\x57\x38\x4f\x4f\x77\x6f\x6f\x3d', '\x63\x73\x4f\x61\x52\x38\x4f\x6a\x4e\x77\x3d\x3d', '\x4a\x6b\x5a\x45\x41\x63\x
Windows Server
6,849
社区成员
178,034
社区内容
发帖
与我相关
我的任务
Windows Server
Windows 2016/2012/2008/2003/2000/NT
复制链接
扫一扫
分享
社区描述
Windows 2016/2012/2008/2003/2000/NT
社区管理员
加入社区
获取链接或二维码
近7日
近30日
至今
加载中
查看更多榜单
社区公告
暂无公告
试试用AI创作助手写篇文章吧
+ 用AI写文章