【C】wow64函数的简单操作实例

Ayala · 发表于 2017-3-16 00:22:52

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

本帖最后由 Ayala 于 2017-3-16 16:08 编辑

#include <ntdef.h>
#include <ntddk.h>
#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"ntdll.lib")
#ifndef GetProcAddress
__int32 __stdcall GetProcAddress(hModule,lpProcName);
#endif
#ifndef GetModuleHandle
__int32 __stdcall GetModuleHandleA(lpMoudleName);
__int32 __stdcall GetModuleHandleW(lpMoudleName);
#if !defined(_UNICODE) && !defined(_UNICODE_)
#define GetModuleHandle GetModuleHandleA
#else
#define GetModuleHandle GetModuleHandleW
#endif
#endif
/*
PROCESS_BASIC_INFORMATION_WOW64 struc
Reserved1 Qword ?
struc PebBaseAddress
lo dword ?
hi dword ?
ends
Reserved2 Qword ?
Reserved3 Qword ?
UniqueProcessId Qword ?
Reserved4 Qword ?
PROCESS_BASIC_INFORMATION_WOW64 ends
MEMORY_BASIC_INFORMATION_WOW64 struc
BaseAddress QWORD ?
AllocationBase QWORD ?
AllocationProtect DWORD ?
DWORD ?
RegionSize QWORD ?
State DWORD ?
Protect DWORD ?
_Type DWORD ?
DWORD ?
MEMORY_BASIC_INFORMATION_WOW64 ends
*/
#pragma pack(show)
#pragma pack(push,8)
typedef struct _PROCESS_BASIC_INFORMATION_WOW64{
NTSTATUS ExitStatus;
__int64 PebBaseAddress;
__int64 AffinityMask;
__int64 BasePriority;
__int64 UniqueProcessId;
__int64 InheritedFromUniqueProcessId;
}PROCESS_BASIC_INFORMATION_WOW64,*PPROCESS_BASIC_INFORMATION_WOW64;
typedef struct _MEMORY_BASIC_INFORMATION_WOW64{
__int64 BaseAddress;
__int64 AllocationBase;
__int32 AllocationProtect;
//__int32 align_8;
__int64 RegionSize;
__int32 State;
__int32 Protect;
__int32 Type;
//__int32 _ali;
}MEMORY_BASIC_INFORMATION_WOW64,*PMEMORY_BASIC_INFORMATION_WOW64;
#ifndef MEMORY_INFORMATION_CLASS
typedef enum _MEMORY_INFORMATION_CLASS{
MemoryBasicInformation,
//...
MaxMemoryInfoClass
}MEMORY_INFORMATION_CLASS;
#endif
#pragma pack(pop)
typedef NTSTATUS(
NTAPI
*_imp__NtWow64QueryInformationProcess64)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation64,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS(
NTAPI
*_imp__NtWow64QueryVirtualMemory64)(
IN HANDLE ProcessHandle,
IN PVOID64 BaseAddress,
/*IN PVOID BaseAddressLow,
IN PVOID BaseAddressHigh,*/
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation, /* NB must be 64bit aligned */
IN ULONG64 Length,
/*IN ULONG LengthLow,
IN ULONG LengthHigh,*/
OUT PULONGLONG ReturnLength OPTIONAL
);
typedef NTSTATUS(
NTAPI
*_imp__NtWow64ReadVirtualMemory64)(
IN HANDLE ProcessHandle,
IN PVOID64 Address,
/*IN PVOID AddressLow,
IN PVOID AddressHigh,*/
OUT PVOID Buffer,
IN ULONG64 BufferSize,
/*IN ULONG BufferSizeLow,
IN ULONG BufferSizeHigh,*/
OUT PULONGLONG BytesRead OPTIONAL
);
typedef NTSTATUS(
NTAPI
*_imp__NtWow64WriteVirtualMemory64)(
IN HANDLE ProcessHandle,
IN PVOID AddressLow,
IN PVOID AddressHigh,
IN PVOID Buffer,
IN ULONG BufferSizeLow,
IN ULONG BufferSizeHigh,
OUT PULONGLONG BytesWritten OPTIONAL
);
typedef struct _delayload_t{
__int32 modbase;
char * modname;
struct{
__int32 pb;
char * pn;
}fp[];
}delayload_t,*delayload_p;
int __delayload(delayload_t* lt)
{
int ret=0,i=0;
lt->modbase = GetModuleHandle(lt->modname);
if (!lt->modbase) goto done;
while (lt->fp[i].pn)
{
lt->fp[i].pb=GetProcAddress(lt->modbase,lt->fp[i].pn);
if (!lt->fp[i].pb) goto done;
i++;
}
ret=1;
done:
return ret;
}
delayload_t imp_ntdll = {0,\
"ntdll.dll",\
{
#define NtWow64QueryInformationProcess64 ((_imp__NtWow64QueryInformationProcess64)(imp_ntdll.fp[0].pb))
{
0,\
"NtWow64QueryInformationProcess64"
},
#define NtWow64QueryVirtualMemory64 ((_imp__NtWow64QueryVirtualMemory64)(imp_ntdll.fp[1].pb))
{
0,\
"NtWow64QueryVirtualMemory64"
},
#define NtWow64ReadVirtualMemory64 ((_imp__NtWow64ReadVirtualMemory64)(imp_ntdll.fp[2].pb))
{
0,\
"NtWow64ReadVirtualMemory64"
},
#define NtWow64WriteVirtualMemory64 ((_imp__NtWow64WriteVirtualMemory64)(imp_ntdll.fp[3].pb))
{
0,\
"NtWow64WriteVirtualMemory64"
},
{
0,\
0
}
}
};
int main()
{
__declspec(align(8)) PROCESS_BASIC_INFORMATION_WOW64 pbi={0};
__declspec(align(8)) MEMORY_BASIC_INFORMATION_WOW64 pbm={0};
__declspec(align(8)) char outbuffer[PAGE_SIZE];
__int64 dwbytes;
NTSTATUS Status;
HANDLE ProcessHandle;
OBJECT_ATTRIBUTES oa;
CLIENT_ID ClientId={0};
__delayload(&imp_ntdll);
while (1)
{
printf("process id=");
scanf("%d",&ClientId.UniqueProcess);
InitializeObjectAttributes( &oa, NULL, 0, NULL, NULL );
Status=ZwOpenProcess(&ProcessHandle,\
PROCESS_ALL_ACCESS,\
&oa,\
&ClientId);
if (!NT_SUCCESS(Status)) {
printf("OpenProcess failed 0x%lx\n",Status);
continue;
}
Status=NtWow64QueryInformationProcess64(ProcessHandle,\
ProcessBasicInformation,\
&pbi,\
sizeof(pbi),\
(PULONG)&dwbytes);
if (!NT_SUCCESS(Status)) {
printf("NtWow64QueryInformationProcess64 failed 0x%lx\n",Status);
goto done;
}
printf("procss %d peb base=0x%llX\n",ClientId.UniqueProcess,pbi.PebBaseAddress);
Status=NtWow64QueryVirtualMemory64(ProcessHandle,\
(PVOID64)pbi.PebBaseAddress,\
MemoryBasicInformation,\
&pbm,\
(ULONG64)sizeof(pbm),\
(PULONGLONG)&dwbytes);
if (!NT_SUCCESS(Status)) {
printf("NtWow64QueryVirtualMemory64 failed 0x%lx\n",Status);
goto done;
}
// do nothing;
printf("base=0x%llx size=%lld\n",pbm.BaseAddress,pbm.RegionSize);
Status=NtWow64ReadVirtualMemory64(ProcessHandle,\
(PVOID64)pbi.PebBaseAddress,\
&outbuffer,\
(ULONG64)sizeof(outbuffer),\
(PULONGLONG)&dwbytes);
if (!NT_SUCCESS(Status)) {
printf("NtWow64ReadVirtualMemory64 failed 0x%lx\n",Status);
goto done;
}
// do nothing;
printf("tRead=%lld, rRead=%lld\n",(ULONG64)sizeof(outbuffer),(ULONG64)dwbytes);
done:
Status=ZwClose(ProcessHandle);
}
system("pause");
return 0;
}

复制代码

besteast · 发表于 2017-3-22 20:29:29

账号		自动登录	找回密码
密码			立即注册→加入我们

【C】wow64函数的简单操作实例

欢迎访问技术宅的结界，请注册或者登录吧。

相关帖子