【C】wow64函数的简单操作实例

#include <ntdef.h>
#include <ntddk.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"ntdll.lib")

#ifndef GetProcAddress
__int32 __stdcall GetProcAddress(hModule,lpProcName);
#endif
#ifndef GetModuleHandle
__int32 __stdcall GetModuleHandleA(lpMoudleName);
__int32 __stdcall GetModuleHandleW(lpMoudleName);
#if !defined(_UNICODE) && !defined(_UNICODE_)
#define GetModuleHandle GetModuleHandleA
#else
#define GetModuleHandle GetModuleHandleW
#endif
#endif


/*
PROCESS_BASIC_INFORMATION_WOW64 struc
	Reserved1 		Qword ?
	struc PebBaseAddress
		lo dword ?
		hi  dword ?
	ends
	Reserved2		Qword ?
	Reserved3		Qword ?
	UniqueProcessId Qword ?
	Reserved4		Qword ?
PROCESS_BASIC_INFORMATION_WOW64 ends
MEMORY_BASIC_INFORMATION_WOW64 struc
	BaseAddress 		QWORD ?
	AllocationBase 		QWORD ?
	AllocationProtect   DWORD ?
						DWORD ?
	RegionSize			QWORD ?
	State				DWORD ?
	Protect				DWORD ?
	_Type				DWORD ?
						DWORD ?
MEMORY_BASIC_INFORMATION_WOW64 ends
*/
#pragma pack(show)
#pragma pack(push,8)
/* 64-bit image of PROCESS_BASIC_INFORMATION as filled in by
 * NtWow64QueryInformationProcess64 (compare the MASM layout in the comment above).
 * Under the enclosing #pragma pack(push,8) the 4-byte ExitStatus should be
 * followed by 4 bytes of padding, so PebBaseAddress lands at offset 8 and every
 * later member is 8 bytes wide -- the same 48-byte image the MASM struc describes.
 * Pointer-sized values are kept as __int64 because they describe the 64-bit
 * target process, not this 32-bit (WoW64) caller. */
typedef struct _PROCESS_BASIC_INFORMATION_WOW64{
    NTSTATUS ExitStatus;
    __int64  PebBaseAddress;               /* 64-bit address of the target's PEB; passed on as PVOID64 in main */
    __int64  AffinityMask;
    __int64  BasePriority;                 /* listed as an 8-byte slot (Reserved3) in the MASM layout above */
    __int64  UniqueProcessId;
    __int64  InheritedFromUniqueProcessId;
}PROCESS_BASIC_INFORMATION_WOW64,*PPROCESS_BASIC_INFORMATION_WOW64;

/* 64-bit image of MEMORY_BASIC_INFORMATION as filled in by
 * NtWow64QueryVirtualMemory64 (compare the MASM layout in the comment above).
 * Under the enclosing #pragma pack(push,8) the compiler should insert the two
 * 4-byte holes the MASM struc spells out as anonymous DWORDs: one after
 * AllocationProtect (so the 8-byte RegionSize is aligned) and one after Type
 * (so sizeof is a multiple of 8). The commented-out members below marked those
 * holes by hand; they are not needed while pack(8) is in effect. */
typedef struct _MEMORY_BASIC_INFORMATION_WOW64{
    __int64 BaseAddress;
    __int64 AllocationBase;
    __int32 AllocationProtect;
    /* implicit 4-byte padding here under pack(8) (formerly an explicit "align_8" member) */
	__int64 RegionSize;
    __int32 State;
    __int32 Protect;
    __int32 Type;
	/* implicit 4-byte tail padding here under pack(8) (formerly an explicit "_ali" member) */
}MEMORY_BASIC_INFORMATION_WOW64,*PMEMORY_BASIC_INFORMATION_WOW64;

/* Minimal MEMORY_INFORMATION_CLASS: only MemoryBasicInformation (value 0) is
 * used by this program, so the remaining classes are left out.
 * NOTE(review): #ifndef tests for a macro, and MEMORY_INFORMATION_CLASS is a
 * typedef name, so this guard cannot detect an SDK header that already declares
 * the enum; it only helps if a build defines a macro of that name. */
#ifndef MEMORY_INFORMATION_CLASS
typedef enum _MEMORY_INFORMATION_CLASS{
	MemoryBasicInformation,  /* 0: describe the region containing a given address */
	
	//... remaining classes omitted
	MaxMemoryInfoClass       /* 1 here, not the SDK's value -- do not use as a count */
}MEMORY_INFORMATION_CLASS;
	
#endif
#pragma pack(pop)

/* Function-pointer types for the four ntdll exports that __delayload resolves
 * into imp_ntdll below; the NtWow64* macros cast the resolved addresses to
 * these types. None of the exports is linked directly. */

/* NtWow64QueryInformationProcess64: ProcessInformation64 receives the 64-bit
 * layout (PROCESS_BASIC_INFORMATION_WOW64 above for ProcessBasicInformation).
 * Note that ReturnLength is a 32-bit ULONG here, unlike the *Memory64 calls. */
typedef NTSTATUS(
NTAPI 
*_imp__NtWow64QueryInformationProcess64)(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation64,
    IN ULONG Length,
    OUT PULONG ReturnLength OPTIONAL
    );
/* NtWow64QueryVirtualMemory64: BaseAddress is a 64-bit target address and
 * Length/ReturnLength are 64-bit. MemoryInformation receives
 * MEMORY_BASIC_INFORMATION_WOW64 for MemoryBasicInformation; main() declares
 * that buffer __declspec(align(8)) because of the alignment note below. */
typedef NTSTATUS(
NTAPI
*_imp__NtWow64QueryVirtualMemory64)(
    IN HANDLE ProcessHandle,
	IN PVOID64 BaseAddress,
    /*IN PVOID BaseAddressLow,
    IN PVOID BaseAddressHigh,*/
    IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
    OUT PVOID MemoryInformation, /* NB must be 64bit aligned */
    IN ULONG64 Length,
	/*IN ULONG LengthLow,
    IN ULONG LengthHigh,*/
    OUT PULONGLONG ReturnLength OPTIONAL
    );
/* NtWow64ReadVirtualMemory64: copies BufferSize bytes from the 64-bit target
 * address Address into the local Buffer; BytesRead receives the count actually
 * copied (main prints it next to the requested size). */
typedef NTSTATUS(
NTAPI
*_imp__NtWow64ReadVirtualMemory64)(
    IN HANDLE ProcessHandle,
	IN PVOID64 Address,
    /*IN PVOID AddressLow,
    IN PVOID AddressHigh,*/
    OUT PVOID Buffer,
	IN ULONG64 BufferSize,
    /*IN ULONG BufferSizeLow,
    IN ULONG BufferSizeHigh,*/
    OUT PULONGLONG BytesRead OPTIONAL
    );
/* NtWow64WriteVirtualMemory64: resolved by __delayload but never called in
 * this file.
 * NOTE(review): this typedef still uses the split Low/High form that the other
 * three had before they were changed to PVOID64/ULONG64 (see their commented-out
 * parameters); confirm the signature against ntdll before calling through it. */
typedef NTSTATUS(
NTAPI
*_imp__NtWow64WriteVirtualMemory64)(
    IN HANDLE ProcessHandle,
    IN PVOID AddressLow,
    IN PVOID AddressHigh,
    IN PVOID Buffer,
    IN ULONG BufferSizeLow,
    IN ULONG BufferSizeHigh,
    OUT PULONGLONG BytesWritten OPTIONAL
    );

/* Table of exports to resolve from one module at run time (see __delayload).
 * modbase: module base filled in by __delayload; 0 until then.
 * modname: module file name handed to GetModuleHandle.
 * fp[]:    flexible array of {address, export name} pairs, terminated by an
 *          entry whose pn is 0 (see the trailing {0,0} entry of imp_ntdll).
 * Addresses are stored as __int32, so this layout only holds for a 32-bit
 * build, which is the WoW64 scenario this program targets. */
typedef struct _delayload_t{
	__int32 		modbase;
	char *  		modname;
	struct{
		__int32 pb;   /* resolved export address, 0 until __delayload sets it */
		char *  pn;   /* export name, or 0 for the terminating entry */
	}fp[];
}delayload_t,*delayload_p;


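/* Resolve every export listed in lt from the already-loaded module lt->modname.
 *
 * lt->modbase is taken from GetModuleHandle, then each lt->fp[i].pb is taken
 * from GetProcAddress until an entry with pn == 0 is reached.
 *
 * Returns 1 when the module and every listed export were found, 0 otherwise
 * (including a NULL table or module name). On 0 the entries resolved so far
 * keep their addresses and the rest stay 0, so the caller must not use the
 * table -- main() checks this result before calling any NtWow64* macro.
 * NOTE(review): the name starts with a double underscore, which is reserved
 * for the implementation; it is kept because main() calls it by this name.
 */
int __delayload(delayload_t* lt)
{
	int i;

	if (!lt || !lt->modname) return 0;

	lt->modbase = GetModuleHandle(lt->modname);
	if (!lt->modbase) return 0;

	/* fp[] is terminated by an entry whose name pointer is 0 */
	for (i = 0; lt->fp[i].pn; i++) {
		lt->fp[i].pb = GetProcAddress(lt->modbase, lt->fp[i].pn);
		if (!lt->fp[i].pb) return 0;
	}
	return 1;
}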

/* Export table for ntdll.dll, filled in by __delayload(&imp_ntdll) in main.
 * Each NtWow64* macro casts the resolved address fp[i].pb to the matching
 * _imp__* function-pointer type; the index in each macro must match the
 * position of the entry that follows it. pb starts at 0, so calling one of
 * these macros before __delayload has succeeded jumps to address 0.
 * NOTE(review): initialising a flexible array member in a static initialiser
 * is a compiler extension rather than standard C. */
delayload_t imp_ntdll =	{0,\
						"ntdll.dll",\
							{ 
#define NtWow64QueryInformationProcess64 ((_imp__NtWow64QueryInformationProcess64)(imp_ntdll.fp[0].pb))
								{
									0,\
									"NtWow64QueryInformationProcess64"
								},
#define NtWow64QueryVirtualMemory64 ((_imp__NtWow64QueryVirtualMemory64)(imp_ntdll.fp[1].pb))
								{
									0,\
									"NtWow64QueryVirtualMemory64"
								},
#define NtWow64ReadVirtualMemory64 ((_imp__NtWow64ReadVirtualMemory64)(imp_ntdll.fp[2].pb))
								{
									0,\
									"NtWow64ReadVirtualMemory64"
								},
#define NtWow64WriteVirtualMemory64 ((_imp__NtWow64WriteVirtualMemory64)(imp_ntdll.fp[3].pb))
								{
									0,\
									"NtWow64WriteVirtualMemory64"
								},
								/* terminator: pn == 0 ends __delayload's loop */
								{
									0,\
									0
								}
							}
						};

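/* Interactive demo: for each process id typed on the console, open the
 * process, query its 64-bit PEB address with NtWow64QueryInformationProcess64,
 * describe the region holding the PEB with NtWow64QueryVirtualMemory64 and
 * read one page from it with NtWow64ReadVirtualMemory64, printing what each
 * call returned. An empty line or EOF ends the loop.
 *
 * Returns 0 after the loop ends, 1 if the NtWow64* exports could not be
 * resolved (calling the macros with unresolved pointers would crash).
 */
int main(void)
{
	/* 64-bit-layout buffers; the _imp__NtWow64QueryVirtualMemory64 comment says
	 * MemoryInformation must be 8-byte aligned, so all three are aligned explicitly. */
	__declspec(align(8)) PROCESS_BASIC_INFORMATION_WOW64  pbi={0};
	__declspec(align(8)) MEMORY_BASIC_INFORMATION_WOW64	 pbm={0};
	__declspec(align(8)) char outbuffer[PAGE_SIZE];
	char line[64];            /* one line of console input holding the process id */
	char *endp;
	unsigned long pid;
	ULONG retlen32 = 0;       /* ReturnLength for NtWow64QueryInformationProcess64 (PULONG) */
	ULONGLONG retlen64 = 0;   /* ReturnLength/BytesRead for the *Memory64 calls (PULONGLONG) */
	NTSTATUS Status;
	HANDLE ProcessHandle = NULL;
	OBJECT_ATTRIBUTES oa;
	CLIENT_ID ClientId={0};

	/* The NtWow64* macros dereference imp_ntdll.fp[i].pb, which stays 0 when
	 * resolution fails, so the result must be checked before any of them is used. */
	if (!__delayload(&imp_ntdll)) {
		printf("failed to resolve NtWow64* exports from ntdll.dll\n");
		return 1;
	}

	for (;;)
	{
		printf("process id=");
		/* Bounded line read instead of an unchecked scanf("%d"): bad input no
		 * longer spins the loop forever, and EOF/blank line makes the exit reachable. */
		if (!fgets(line, sizeof line, stdin) || line[0] == '\n') break;
		pid = strtoul(line, &endp, 10);
		if (endp == line || (*endp != '\n' && *endp != '\0')) {
			printf("invalid process id\n");
			continue;
		}
		ClientId.UniqueProcess = (HANDLE)(ULONG_PTR)pid;

		InitializeObjectAttributes( &oa, NULL, 0, NULL, NULL );
		/* Least privilege: this loop only queries and reads the target, so
		 * PROCESS_ALL_ACCESS is not required. */
		Status=ZwOpenProcess(&ProcessHandle,
								PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
								&oa,
								&ClientId);
		if (!NT_SUCCESS(Status)) {
			printf("OpenProcess failed 0x%lx\n",Status);
			continue;
		}

		Status=NtWow64QueryInformationProcess64(ProcessHandle,
												ProcessBasicInformation,
												&pbi,
												sizeof(pbi),
												&retlen32);
		if (!NT_SUCCESS(Status)) {
			printf("NtWow64QueryInformationProcess64 failed 0x%lx\n",Status);
			goto done;
		}
		printf("procss %d peb base=0x%llX\n",(int)pid,pbi.PebBaseAddress);

		Status=NtWow64QueryVirtualMemory64(ProcessHandle,
											(PVOID64)pbi.PebBaseAddress,
											MemoryBasicInformation,
											&pbm,
											(ULONG64)sizeof(pbm),
											&retlen64);
		if (!NT_SUCCESS(Status)) {
			printf("NtWow64QueryVirtualMemory64 failed 0x%lx\n",Status);
			goto done;
		}
		printf("base=0x%llx size=%lld\n",pbm.BaseAddress,pbm.RegionSize);

		Status=NtWow64ReadVirtualMemory64(ProcessHandle,
											(PVOID64)pbi.PebBaseAddress,
											outbuffer,
											(ULONG64)sizeof(outbuffer),
											&retlen64);
		if (!NT_SUCCESS(Status)) {
			printf("NtWow64ReadVirtualMemory64 failed 0x%lx\n",Status);
			goto done;
		}
		/* requested size vs. bytes actually copied (BytesRead) */
		printf("tRead=%lld, rRead=%lld\n",(__int64)sizeof(outbuffer),(__int64)retlen64);
done:
		/* every successfully opened handle is closed exactly once per iteration */
		Status=ZwClose(ProcessHandle);
		if (!NT_SUCCESS(Status)) {
			printf("ZwClose failed 0x%lx\n",Status);
		}
		ProcessHandle = NULL;
	}

	system("pause");
	return 0;
}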
