プロセス間通信-ポインタ方式のメモリ読み書き
ポインタ方式でプロセス間通信を行い、32ビット->32ビット、64ビット->64ビット、32ビット->64ビットを実現します。これは ReadProcessMemory と NtWow64ReadVirtualMemory64 の2つの関数を使い分けているためです。
試験手順:
問題:
1.IsWow64Process関数の使用;
2.
'|'と'||'の違い:プロセス権限を羅列するとき;
3.
関数名に横線を付けることはできません.下線を付けるしかありません.
4.
32ビットと64ビットを含むアドレスを入力する方法.
(プログラムに展示されています)
//
#include
#include
#include
using namespace std;
// Enables or disables the named privilege on the current process token (defined below).
BOOL EnableSeDebugPrivilege(IN const CHAR * PriviledgeName, BOOL IsEnable);
// Signature of ntdll!NtWow64ReadVirtualMemory64: lets a WOW64 (32-bit) caller read a
// 64-bit target using a full 64-bit address.  Resolved at run time in main() with
// GetProcAddress, so the pointer below may legitimately stay NULL.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
IN HANDLE ProcessHandle,
IN ULONG64 BaseAddress,
OUT PVOID BufferData,
IN ULONG64 BufferLength,
OUT PULONG64 ReturnLength OPTIONAL);
// Same shape for NtWow64WriteVirtualMemory64.  BufferData is the *source* of the write
// here; IN/OUT are annotation-only macros, so the OUT tag has no effect on the call.
typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
IN HANDLE ProcessHandle,
IN ULONG64 BaseAddress,
OUT PVOID BufferData,
IN ULONG64 BufferLength,
OUT PULONG64 ReturnLength OPTIONAL);
// NOTE(review): identifiers starting with a double underscore are reserved for the
// implementation.  They are kept as-is because main() and Point_IPC() refer to them.
LPFN_NTWOW64READVIRTUALMEMORY64 __NtWow64ReadVirtualMemory64 = NULL;
LPFN_NTWOW64WRITEVIRTUALMEMORY64 __NtWow64WriteVirtualMemory64 = NULL;
// Reads the string at BaseAddress inside process ProcessID and overwrites it (defined below).
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress);
// NTSTATUS values >= 0 are success codes; used to check the NtWow64* calls in Point_IPC.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
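int main()
{
    // Resolves the WOW64 read/write entry points (absent from the 64-bit ntdll, so
    // the two globals may stay NULL), then prompts for a target PID and address and
    // hands them to Point_IPC.  Exit code is 0 on success, 1 on any failure.
    HMODULE NtdllModuleBase = GetModuleHandle("Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        // Returning FALSE here would report exit code 0 (success) to the shell.
        printf("GetModuleHandle(Ntdll.dll) failed: %lu\r\n", GetLastError());
        return 1;
    }
    __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64ReadVirtualMemory64");
    __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64WriteVirtualMemory64");

    ULONG ProcessID = 0;
    cout << "Input ProcessId" << endl;
    if (!(cin >> ProcessID))
    {
        printf("Invalid ProcessId\r\n");
        return 1;
    }

    // "%llx" reads the address as hex so both 32-bit and 64-bit values can be typed;
    // cin >> would parse decimal and stop at an "0x" prefix.
    ULONG64 BaseAddress = 0;
    cout << "Input BaseAddress" << endl;
    if (scanf("%llx", &BaseAddress) != 1)
    {
        printf("Invalid BaseAddress\r\n");
        return 1;
    }

    BOOL Ok = Point_IPC(ProcessID, BaseAddress);
    printf("Point_IPC %s\r\n", Ok ? "succeeded" : "failed");

    // Drain the newline left behind by scanf so the final getchar() really waits.
    int Ch = 0;
    while ((Ch = getchar()) != '\n' && Ch != EOF)
    {
    }
    printf("Input AnyKey To Exit\r\n");
    getchar();
    return Ok ? 0 : 1;
}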
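BOOL EnableSeDebugPrivilege(IN const CHAR* PriviledgeName, BOOL IsEnable)
{
    // Enables (IsEnable != FALSE) or disables the named privilege on the current
    // process token.
    //
    // Returns FALSE when the token cannot be opened, the privilege name is unknown,
    // AdjustTokenPrivileges fails, or the token does not hold the privilege at all.
    // The last case matters: AdjustTokenPrivileges returns TRUE and sets the last
    // error to ERROR_NOT_ALL_ASSIGNED, so the return value alone is not enough.
    BOOL Result = FALSE;
    HANDLE TokenHandle = NULL;
    LUID PrivilegeLuid = { 0 };
    TOKEN_PRIVILEGES TokenPrivileges = { 0 };

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, PriviledgeName, &PrivilegeLuid))
    {
        goto Cleanup;
    }

    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Luid = PrivilegeLuid;
    // Any non-zero BOOL counts as "enable"; comparing against TRUE would treat
    // other non-zero values as "disable".
    TokenPrivileges.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
                               sizeof(TokenPrivileges), NULL, NULL))
    {
        goto Cleanup;
    }
    // TRUE only means the request was well-formed; the privilege was actually
    // adjusted only if no ERROR_NOT_ALL_ASSIGNED was reported.
    Result = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

Cleanup:
    CloseHandle(TokenHandle);
    TokenHandle = NULL;
    return Result;
}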
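BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress)
{
    // Reads a short string at BaseAddress inside process ProcessID, prints it, then
    // overwrites it with "Point-IPC".
    //
    // Which API pair is used depends on the caller/target bitness:
    //  - a WOW64 (32-bit) caller reaches a 32-bit target through Read/WriteProcessMemory
    //    and a 64-bit target through NtWow64Read/WriteVirtualMemory64, which accept a
    //    full 64-bit address;
    //  - a native 64-bit caller always uses Read/WriteProcessMemory, because its PVOID
    //    already holds 64-bit addresses and the NtWow64* exports are not present in the
    //    64-bit ntdll (the globals stay NULL).
    //
    // Returns TRUE only when both the read and the write succeeded.  SeDebugPrivilege is
    // enabled for the duration of the call only and disabled again on every exit path
    // that reaches the cleanup label.
    BOOL Result = FALSE;
    BOOL IsWow64 = FALSE;
    BOOL UseWin32Api = FALSE;
    HANDLE ProcessHandle = NULL;
    NTSTATUS Status = 0;
    char BufferData[20] = { 0 };
    // Read one byte less than the buffer so "%s" always finds a terminator, even when
    // the remote data has no NUL within the first 19 bytes.
    const ULONG64 BufferLength = sizeof(BufferData) - 1;
    SIZE_T ReturnLength = 0;        // for the Win32 pair (SIZE_T is 4 bytes in a 32-bit build)
    ULONG64 ReturnLength64 = 0;     // for the NtWow64* pair, which always takes a ULONG64
    const char Payload[] = "Point-IPC";

    if (BaseAddress == 0)
    {
        return FALSE;
    }
    if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
    {
        return FALSE;
    }

    ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
    if (ProcessHandle == NULL)
    {
        goto Exit;
    }
    // IsWow64Process can itself fail; treat that as "cannot classify the target"
    // rather than silently falling into the 64-bit branch.
    if (!IsWow64Process(ProcessHandle, &IsWow64))
    {
        goto Exit;
    }
    UseWin32Api = IsWow64 || sizeof(void *) == 8;

    __try
    {
        if (UseWin32Api)
        {
            // (PVOID)BaseAddress is lossy only in a 32-bit build, and there this branch
            // is taken solely for 32-bit targets whose addresses fit in 32 bits.
            if (!ReadProcessMemory(ProcessHandle, (PVOID)BaseAddress, BufferData, (SIZE_T)BufferLength, &ReturnLength))
            {
                goto Exit;
            }
        }
        else
        {
            if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
            {
                goto Exit;
            }
            Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, BufferData, BufferLength, &ReturnLength64);
            if (!NT_SUCCESS(Status))
            {
                goto Exit;
            }
        }

        // Print before clearing; clearing first would always print an empty string.
        BufferData[sizeof(BufferData) - 1] = '\0';
        printf("%s\r\n", BufferData);

        ZeroMemory(BufferData, sizeof(BufferData));
        memcpy(BufferData, Payload, sizeof(Payload));   // sizeof includes the NUL
        if (UseWin32Api)
        {
            Result = WriteProcessMemory(ProcessHandle, (PVOID)BaseAddress, BufferData, sizeof(Payload), &ReturnLength);
        }
        else
        {
            Status = __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, BufferData, sizeof(Payload), &ReturnLength64);
            Result = NT_SUCCESS(Status);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("Exception while accessing the target process memory\r\n");
        Result = FALSE;
    }

Exit:
    if (ProcessHandle != NULL)
    {
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;
    }
    EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
    return Result;
}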
試験手順:
#include "stdafx.h"
#include
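int main()
{
    // Test target for Point_IPC: keeps a known string on the stack, prints its own
    // PID and the buffer address so the other program can be pointed at it, then
    // prints the buffer again after a keypress to show whether it was overwritten.
    char BufferData[20] = "HelloWorld";
    // GetCurrentProcessId returns a DWORD (unsigned long); "%d" would mismatch the type.
    printf("ProcessID:%lu\r\n", GetCurrentProcessId());
    printf("BaseAddress:%p\r\n", (void *)BufferData);
    printf("Input AnyKey To Continue\r\n");
    getchar();
    printf("BaseAddress:%s\r\n", BufferData);
    printf("Input AnyKey To Exit\r\n");
    getchar();
    return 0;
}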
問題:
1.IsWow64Process関数の使用;
2.
'|'と'||'の違い:プロセス権限を羅列するとき;
3.
関数名に横線を付けることはできません.下線を付けるしかありません.
4.
32ビットと64ビットを含むアドレスを入力する方法.
(プログラムに展示されています)