#include "windows.h"
#include <stdio.h>
#include <string.h>
//
// Read the current EIP (the return address of this call)
//
__declspec(naked) void * GetCurrentEIP()
{
/* Returns the caller's return address, i.e. the EIP of the instruction right
 * after the `call GetCurrentEIP`. On entry the return address sits at [esp]:
 * pop it into EAX (the x86 return register), push it back so that RET still
 * finds it. No prologue/epilogue is generated because of __declspec(naked).
 * MSVC 32-bit only: __asm blocks are rejected by the x64 compiler and by gcc. */
__asm{
pop eax
push eax
ret
}
}
//
// Change page protection — OP should be fine with this part, so it is left uncommented
//
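void SetPageWriteable()
{
    /*
     * Make every committed region of the current process PAGE_EXECUTE_READWRITE
     * so that the code page holding _tmain can be patched in place.
     *
     * Note what this costs: DEP / W^X is switched off for the entire process,
     * not just for the one page the demo patches. Only committed regions are
     * touched, because VirtualProtectEx cannot change free or reserved pages
     * anyway. Failures of VirtualProtectEx (guard pages, PAGE_NOACCESS
     * regions, ...) are deliberately ignored: the demo only needs its own
     * code page.
     */
    SYSTEM_INFO SysInfo;
    MEMORY_BASIC_INFORMATION MemBasicInfo;
    DWORD CurAddr;
    DWORD MaxAddr;
    DWORD NextAddr;
    DWORD OldProtect;
    HANDLE hProc;

    GetSystemInfo(&SysInfo);
    MaxAddr = (DWORD)SysInfo.lpMaximumApplicationAddress;
    /* GetCurrentProcess() returns a pseudo-handle; it must not be CloseHandle()d. */
    hProc = GetCurrentProcess();

    CurAddr = (DWORD)SysInfo.lpMinimumApplicationAddress;
    while (CurAddr <= MaxAddr)
    {
        if (!VirtualQueryEx(hProc, (LPVOID)CurAddr, &MemBasicInfo, sizeof(MemBasicInfo)))
        {
            /* Query failed for this address: step a single page and retry. */
            CurAddr += SysInfo.dwPageSize;
            continue;
        }

        if (MemBasicInfo.State == MEM_COMMIT)
        {
            (void)VirtualProtectEx(hProc, MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize,
                                   PAGE_EXECUTE_READWRITE, &OldProtect);
        }

        /* Advance to the first byte after the region just described. The
         * original loop added RegionSize *and* dwPageSize per iteration and
         * therefore skipped one page after every region. */
        NextAddr = (DWORD)MemBasicInfo.BaseAddress + MemBasicInfo.RegionSize;
        if (NextAddr <= CurAddr)
        {
            /* Defensive: never let a zero/odd RegionSize stall the loop. */
            NextAddr = CurAddr + SysInfo.dwPageSize;
        }
        CurAddr = NextAddr;
    }
    return;
}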
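int _tmain(int argc, _TCHAR* argv[])
{
    /*
     * Self-modifying-code demo: locate the compiled form of the `if(1)` below
     * inside this very function and flip its `je` (0x74) into `jne` (0x75),
     * so that the "else" branch is taken at run time.
     *
     * The signature is the unoptimised (Debug) x86 encoding of `if(1)`:
     *   B8 01 00 00 00   mov  eax,1
     *   85 C0            test eax,eax
     *   74 19            je   <else branch>
     * A Release build folds `if(1)` away and the bytes do not exist at all,
     * and the 0x19 displacement depends on the size of the then-block.
     */
    enum { SEARCH_LIMIT = 4096 };   /* bound for the forward scan, in bytes */
    const unsigned char Signature[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x19};
    unsigned char *EIP;
    size_t offset;

    (void)argc;
    (void)argv;

    SetPageWriteable();

    /* EIP now points at the instruction following the call above. The `if`
     * is a few dozen bytes further on. The scan is bounded: the original
     * `while(memcmp(...)) EIP++;` walked forward without limit and faulted
     * on the first unmapped page whenever the pattern was missing. */
    EIP = (unsigned char *)GetCurrentEIP();
    for (offset = 0; offset < SEARCH_LIMIT; offset++)
    {
        if (memcmp(Signature, EIP + offset, sizeof(Signature)) == 0)
        {
            break;
        }
    }
    if (offset == SEARCH_LIMIT)
    {
        printf("Signature not found (optimised build or different compiler?)\n");
        return 1;
    }

    /* Index 7 of the signature is the 0x74 (je) opcode; turn it into jne. */
    EIP += offset + 7;
    *EIP = 0x75;
    /* x86 keeps I-cache coherent, but this is the documented way to publish
     * a code patch and keeps the demo correct on other Windows targets. */
    FlushInstructionCache(GetCurrentProcess(), EIP, 1);

    if(1)
    {
        printf("Should come here!\n");
    }
    else
    {
        printf("Oh ,Code has been changed!\n");
    }
    return 0;
}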
HANDLE hFile = CreateFile(          /* open the first physical disk as a raw device */
    "\\\\.\\PHYSICALDRIVE0",        /* whole disk, not a volume; needs administrator rights */
    GENERIC_READ,                   /* read-only access */
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    NULL,                           /* default security attributes */
    OPEN_EXISTING,                  /* devices always exist; never create */
    0,                              /* no flags/attributes */
    NULL);                          /* no template file */
/* On failure CreateFile returns INVALID_HANDLE_VALUE (not NULL); check for that
 * before using hFile. */