VC读写64位程序内存代码

ツ未ヰ来ャ

32位程序可以通过NtWow64ReadVirtualMemory64，NtWow64WriteVirtualMemory64读写64程序的内存直接上代码了
自定义函数参数结构，获取模块中的函数指针

1. 
   
2. typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
   
3.     IN  HANDLE   ProcessHandle,
   
4.     IN  ULONG64  BaseAddress,
   
5.     OUT PVOID    BufferData,
   
6.     IN  ULONG64  BufferLength,
   
7.     OUT PULONG64 ReturnLength OPTIONAL);
   
8.    
   
9. typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
   
10.     IN  HANDLE   ProcessHandle,
    
11.     IN  ULONG64  BaseAddress,
    
12.     OUT PVOID    BufferData,
    
13.     IN  ULONG64  BufferLength,
    
14.     OUT PULONG64 ReturnLength OPTIONAL);
    
15.    
    
16.    
    
17. NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
    
18.     if (NtdllModuleBase == NULL)
    
19.     {
    
20.         return FALSE;
    
21.     }
    
22.       
    
23. __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64ReadVirtualMemory64");
    
24. __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,"NtWow64WriteVirtualMemory64");
    
25. 
    

复制代码

获取进程ID和64进程中想要读写的地址，调用函数读写目标进程的内存

1. 
   
2. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
   
3.     BaseAddress, BufferData, BufferLength, &ReturnLength);
   
4. if (NT_SUCCESS(Status))
   
5. {
   
6.     printf("%s\r\n", BufferData);
   
7.     ZeroMemory(BufferData, BufferLength);
   
8.     memcpy(BufferData, "LIUDADA", strlen("LIUDADA"));
   
9.     __NtWow64WriteVirtualMemory64(ProcessHandle,
   
10.         BaseAddress, BufferData,  strlen("LIUDADA")+1, (PULONG64)&ReturnLength);
    
11.       
    
12. }
    

复制代码