64,646
社区成员
发帖
与我相关
我的任务
分享ZwUnmapViewOfSection 函数 C0000005错误
#include<iostream>
#include<Windows.h>
#include<tchar.h>
using namespace std;
#include<vector>
wchar_t strEventName []= L"China";
void main()
{
//////////////////////////////////////////////////////以挂起方式打开目标程序
STARTUPINFO si = {0};
si.cb = sizeof(si);
PROCESS_INFORMATION pi = {0};
BOOL b=CreateProcess(L"C:\\Users\\Administrator\\Desktop\\壳\\Debug\\壳.exe", 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);//创建自己
CONTEXT ct={0};
ct.ContextFlags = CONTEXT_INTEGER;
GetThreadContext(pi.hThread, &ct);
DWORD * ImageBase = (DWORD *)(ct.Ebx + 8);
HANDLE hDes = OpenProcess(PROCESS_ALL_ACCESS, 0, pi.dwProcessId);
/////////////////////////////////////////////////////////读取在自身进程的最后一个节到LastSection缓冲区
char *hThis1, *hThis2;
hThis1 = hThis2 = (char*)GetModuleHandle(L"C:\\Users\\Administrator\\Desktop\\壳\\Debug\\壳.exe");
IMAGE_DOS_HEADER DosHeader;
IMAGE_NT_HEADERS NTHeader;
memcpy(&DosHeader, hThis1, sizeof(DosHeader));
hThis1 = hThis2;
hThis1 += DosHeader.e_lfanew;
memcpy(&NTHeader, hThis1, sizeof(NTHeader));
hThis1+= sizeof(IMAGE_NT_HEADERS);
vector<IMAGE_SECTION_HEADER> sections;
for(int i = 0; i<NTHeader.FileHeader.NumberOfSections; i++)
{
IMAGE_SECTION_HEADER temp = {0};
memcpy(&temp, hThis1, sizeof(IMAGE_SECTION_HEADER));
sections.push_back(temp);
}
char * LastSection = new char[ sections[sections.size()-1].Misc.VirtualSize ];
ZeroMemory(LastSection, sections[sections.size()-1].Misc.VirtualSize);
memcpy(LastSection, hThis2+sections[sections.size()-1].VirtualAddress, sections[sections.size()-1].Misc.VirtualSize);
//////////////////////////////////////////////////////卸载外壳程序的文件镜像
HMODULE h = LoadLibrary(L"NtosKrnl.exe");//成功
typedef NTSTATUS (*X)(HANDLE ,PVOID);
X ZwUnmapViewOfSection = (X)GetProcAddress(h, "ZwUnmapViewOfSection");//成功
DWORD Base = *ImageBase;
NTSTATUS pp = ZwUnmapViewOfSection(hDes,(void*)Base);
// ResumeThread(pi.hThread);
}
...全文
请发表友善的回复…
发表回复
paschen 版主 2016-03-26
- 打赏
- 举报
*InmageBase 这句可能这个位置不可读
