使用这个api可以在指定的进程中将数据写入内存区域。
注意:以管理员权限运行,并且以x64调试。
#include <windows.h> #include <iostream> #include <tlhelp32.h> #include <psapi.h> DWORD_PTR GetProcessBaseAddress(DWORD processID) { DWORD_PTR baseAddress = 0; HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID); HMODULE* moduleArray; LPBYTE moduleArrayBytes; DWORD bytesRequired; if (processHandle) { if (EnumProcessModules(processHandle, NULL, 0, &bytesRequired)) { if (bytesRequired) { moduleArrayBytes = (LPBYTE)LocalAlloc(LPTR, bytesRequired); if (moduleArrayBytes) { unsigned int moduleCount; moduleCount = bytesRequired / sizeof(HMODULE); moduleArray = (HMODULE*)moduleArrayBytes; if (EnumProcessModules(processHandle, moduleArray, bytesRequired, &bytesRequired)) { baseAddress = (DWORD_PTR)moduleArray[0]; } LocalFree(moduleArrayBytes); } } } CloseHandle(processHandle); } return baseAddress; } BOOL SetPrivilege( HANDLE hToken, // access token handle LPCTSTR lpszPrivilege, // name of privilege to enable/disable BOOL bEnablePrivilege // to enable or disable privilege ) { TOKEN_PRIVILEGES tp; LUID luid; if (!LookupPrivilegeValue( NULL, // lookup privilege on local system lpszPrivilege, // privilege to lookup &luid)) // receives LUID of privilege { printf("LookupPrivilegeValue error: %u\n", GetLastError()); return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; if (bEnablePrivilege) tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; else tp.Privileges[0].Attributes = 0; // Enable the privilege or disable all privileges. if (!AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) { printf("AdjustTokenPrivileges error: %u\n", GetLastError()); return FALSE; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { printf("The token does not have the specified privilege. \n"); return FALSE; } return TRUE; } void write() { std::string writing = "lmaoxd"; auto writing_size = writing.size(); DWORD pID = 1092; HANDLE hToken; OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); SetPrivilege(hToken, SE_DEBUG_NAME, TRUE); CloseHandle(hToken); HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID); DWORD h = GetProcessBaseAddress(pID); SetLastError(0); DWORD oldProtect; BOOL ret = VirtualProtectEx(pHandle, (LPVOID)h, writing_size, PAGE_READWRITE, &oldProtect); // VOID* pp = VirtualAllocEx(pHandle, (LPVOID)h, writing_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); DWORD error = GetLastError(); SetLastError(0); ret = WriteProcessMemory(pHandle, (LPVOID)h, writing.c_str(), writing_size, 0); error = GetLastError(); std::cout << "Error: " << error << std::endl; CloseHandle(pHandle); } int main() { write(); system("pause"); }
VirtualProtectEx和VirtualAllocEx的效果类似。
使用VirtualAllocEx的代码示例:
VOID* pp = VirtualAllocEx(pHandle, (LPVOID)h, writing_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); DWORD error = GetLastError(); SetLastError(0); ret = WriteProcessMemory(pHandle, (LPVOID)pp, &writing, writing_size, 0);
原文链接: https://www.cnblogs.com/strive-sun/p/12769096.html
欢迎关注
微信关注下方公众号,第一时间获取干货硬货;公众号内回复【pdf】免费获取数百本计算机经典书籍;
也有高质量的技术群,里面有嵌入式、搜广推等BAT大佬
原创文章受到原创版权保护。转载请注明出处:https://www.ccppcoding.com/archives/404928
非原创文章文中已经注明原地址,如有侵权,联系删除
关注公众号【高性能架构探索】,第一时间获取最新文章
转载文章受原作者版权保护。转载请注明原作者出处!