15,471
社区成员
发帖
与我相关
我的任务
分享请问:我用NtWriteVirtualMemory写内存为何总是失败?(RING 3) 谢谢!
typedef
NTSTATUS
(NTAPI*pfnNtWriteVirtualMemory)(
HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG BufferLength,
PULONG ReturnLength OPTIONAL
);
pfnNtWriteVirtualMemory NtWriteVirtualMemory = (pfnNtWriteVirtualMemory)GetProcAddress(GetModuleHandle ( "ntdll.dll" ),"NtWriteVirtualMemory");
int main()
{
UpTokenPrivileges(); //提权
NTSTATUS status;
HANDLE w_hopen = OpenProcess(PROCESS_ALL_ACCESS,0,632);
DWORD temp=0x74;
status = NtWriteVirtualMemory(w_hopen,(LPVOID)0x6F2A0930,&temp,1,NULL);
if(!NT_SUCCESS(status))
MessageBox(NULL,"0","0",MB_OK);
return 0;
}
NtWriteVirtualMemory函数的地址已获取到.难道是我参数的问题吗? 总是失败,郁闷死了.
请各位指点一下,我这是第一次这样用.我这是在ring3下调用的
NTSTATUS
(NTAPI*pfnNtWriteVirtualMemory)(
HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG BufferLength,
PULONG ReturnLength OPTIONAL
);
pfnNtWriteVirtualMemory NtWriteVirtualMemory = (pfnNtWriteVirtualMemory)GetProcAddress(GetModuleHandle ( "ntdll.dll" ),"NtWriteVirtualMemory");
int main()
{
UpTokenPrivileges(); //提权
NTSTATUS status;
HANDLE w_hopen = OpenProcess(PROCESS_ALL_ACCESS,0,632);
DWORD temp=0x74;
status = NtWriteVirtualMemory(w_hopen,(LPVOID)0x6F2A0930,&temp,1,NULL);
if(!NT_SUCCESS(status))
MessageBox(NULL,"0","0",MB_OK);
return 0;
}
NtWriteVirtualMemory函数的地址已获取到.难道是我参数的问题吗? 总是失败,郁闷死了.
请各位指点一下,我这是第一次这样用.我这是在ring3下调用的
...全文
请发表友善的回复…
发表回复
fewf333 2010-11-16
- 打赏
- 举报
一看就是war3的哈
fly4free 2010-05-08
- 打赏
- 举报
兔子大赠的是内核态代码?
mszjk 2010-05-04
- 打赏
- 举报
WriteProcessMemory不需要VirtualProtect么?
jingzhongrong 2010-05-04
- 打赏
- 举报
[Quote=引用 5 楼 mszjk 的回复:]
WriteProcessMemory不需要VirtualProtect么?
[/Quote]
同问
WriteProcessMemory不需要VirtualProtect么?
[/Quote]
同问
sanguomi 2010-05-04
- 打赏
- 举报
DWORD OldProtect;
::VirtualProtect((LPVOID)0x6F2A0930, temp, PAGE_READWRITE, &OldProtect);
::WriteProcessMemory(w_hopen, (LPVOID)0x6F2A0930, &temp, 1, NULL);
::VirtualProtect((LPVOID)0x6F2A0930, temp, OldProtect, 0);
ztxnet 2010-05-03
- 打赏
- 举报
[Quote=引用 2 楼 tr0j4n 的回复:]
保护都没关,你能写才怪。
ZwOpenProcess->ZwProtectVirtualMemory->ZwWriteVirtualMemory
[/Quote]
非常感谢您的指点
我以为跟WriteProcessMemory一样,不需要解除保护一样可写...我是第一次用native函数,所以完全是门外汉,谢谢指点,代码我会仔细研究的
保护都没关,你能写才怪。
ZwOpenProcess->ZwProtectVirtualMemory->ZwWriteVirtualMemory
[/Quote]
非常感谢您的指点
我以为跟WriteProcessMemory一样,不需要解除保护一样可写...我是第一次用native函数,所以完全是门外汉,谢谢指点,代码我会仔细研究的
MoXiaoRab 2010-05-03
- 打赏
- 举报
礼品附赠
NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)writebuffer=(ULONG)0x1;
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}
MoXiaoRab 2010-05-03
- 打赏
- 举报
保护都没关,你能写才怪。
ZwOpenProcess->ZwProtectVirtualMemory->ZwWriteVirtualMemory
ZwOpenProcess->ZwProtectVirtualMemory->ZwWriteVirtualMemory
jingzhongrong 2010-05-03
- 打赏
- 举报
用NtOpenProcess打开进程。
