发表于 2020-6-15 20:54:12 | 查看: 4061| 回复: 1
  实现动态内存补丁(读取): 这种补丁是把程序加载到内存中以后对其进行修改,常用于加壳程序的破解.
#include <stdio.h>
#include <Windows.h>

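// Read `Size` bytes at virtual address `dwVAddress` from a freshly created,
// suspended instance of the executable `FileName`.
//
// The target is started with CREATE_SUSPENDED so that its image is mapped but
// none of its code has run yet. The caller never receives the process handles,
// so the process is terminated again before returning instead of being left
// suspended forever (the original leaked a suspended process per call).
//
// Returns a heap buffer of exactly `Size` bytes that the caller must release
// with delete[], or NULL if the arguments are invalid, the process could not
// be created, or the read did not cover the whole range. (The original called
// exit(0) on CreateProcess failure, which reported success to the shell.)
//
// Note: `dwVAddress` is a DWORD, so only a 32-bit target address space can be
// addressed by this routine.
BYTE * ReadMemory(char * FileName,DWORD dwVAddress, int Size)
{
    if (FileName == 0 || Size <= 0) {
        return NULL;
    }

    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);
    si.wShowWindow = SW_SHOW;
    si.dwFlags = STARTF_USESHOWWINDOW;
    PROCESS_INFORMATION pi = { 0 };

    // Create the target process suspended so its memory can be inspected
    // before any of its own code executes.
    BOOL bRet = CreateProcess(FileName, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
    if (bRet == FALSE) {
        return NULL;
    }

    BYTE *buffer = new BYTE[Size];
    SIZE_T nRead = 0;
    // One bounded read of `Size` bytes. The original looped a fixed 10 times
    // regardless of `Size`, overrunning any buffer shorter than 10 bytes, and
    // never checked the ReadProcessMemory result.
    BOOL ok = ReadProcessMemory(pi.hProcess, (LPCVOID)dwVAddress, buffer, (SIZE_T)Size, &nRead);
    if (!ok || nRead != (SIZE_T)Size) {
        delete[] buffer;
        buffer = NULL;
    }

    // The process exists only for inspection; do not leave it suspended.
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return buffer;
}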

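// Entry point for the read-only variant: dumps 10 bytes from the target's
// code section into a heap buffer and releases it again.
// ReadMemory hands back a buffer allocated with new[]; the original never
// freed it.
int main(int argc, char * argv[])
{
    (void)argc;
    (void)argv;

    BYTE *buf = ReadMemory("c://234.exe",0x00401000, 10);
    // delete[] on a null pointer is a no-op, so no guard is needed.
    delete[] buf;
    return 0;
}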
  动态写入内存补丁:
#include <stdio.h>
#include <Windows.h>

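// Start `FileName` suspended, overwrite `Size` bytes at `dwVAddress` with the
// contents of `ShellCode`, and then let the patched process run.
//
// Returns TRUE only if every byte was written. On failure the process is
// terminated rather than resumed, so an unpatched target never runs by
// accident, and FALSE is returned. (The original always returned TRUE,
// ignored the WriteProcessMemory result, and called exit(0) when the
// process could not be created.)
//
// Bug fixed: the original filled a scratch buffer with memset(Buff,
// *ShellCode, Size), i.e. `Size` copies of ShellCode[0], so any patch longer
// than one distinct byte was written incorrectly; the scratch buffer also
// leaked. `ShellCode` is now written directly.
//
// Note: `dwVAddress` is a DWORD, so only a 32-bit target address space can be
// patched by this routine.
BOOL WriteMemory(char * FileName, DWORD dwVAddress, unsigned char *ShellCode, int Size)
{
    if (FileName == 0 || ShellCode == 0 || Size <= 0) {
        return FALSE;
    }

    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);
    si.wShowWindow = SW_SHOW;
    si.dwFlags = STARTF_USESHOWWINDOW;
    PROCESS_INFORMATION pi = { 0 };

    // Create the target process suspended so the patch lands before any of
    // its own code executes.
    BOOL bRet = CreateProcess(FileName, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
    if (bRet == FALSE) {
        return FALSE;
    }

    SIZE_T nWritten = 0;
    BOOL Ret = WriteProcessMemory(pi.hProcess, (LPVOID)dwVAddress, ShellCode, (SIZE_T)Size, &nWritten);
    if (Ret && nWritten != (SIZE_T)Size) {
        Ret = FALSE;
    }

    if (Ret) {
        ResumeThread(pi.hThread);
    } else {
        // Do not run a target whose patch did not fully apply.
        TerminateProcess(pi.hProcess, 0);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return Ret;
}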

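// Entry point for the write variant: patches 8 bytes at the target's code
// section with NOPs (0x90) and reports whether the patch was applied.
// The original discarded WriteMemory's result and always exited 0.
int main(int argc, char * argv[])
{
    (void)argc;
    (void)argv;

    unsigned char set_buf[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    BOOL ok = WriteMemory("c://234.exe", 0x00401000, set_buf, sizeof set_buf);
    return ok ? 0 : 1;
}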
  多次对内存进行修正 可以在上面代码基础上进行改进,这里我就不发出来了。
// Entry point for the multi-patch variant: opens the target once, dumps and
// checks the bytes at 0x401000, applies two patches, then resumes the process.
// OpenExeFile, ReadMemory(pi, ...) and CheckMemory are defined elsewhere and
// are not shown here; their exact contracts (including who frees the buffer
// returned by ReadMemory) are not visible in this listing.
int main(int argc, char * argv[])
{
    (void)argc;
    (void)argv;

    PROCESS_INFORMATION target = OpenExeFile("c://main.exe");

    // Dump the first 10 machine-code bytes at 0x401000.
    const int dump_len = 10;
    BYTE *code = ReadMemory(target, 0x401000, dump_len);
    for (int i = 0; i < dump_len; i++) {
        printf("%x ", code[i]);
    }
    printf("\n");

    // Compare the first 5 bytes in memory against the expected sequence.
    BYTE expected[] = { 0x33,0xc0,0xc2,0x90,0xc3 };
    int match = CheckMemory(target, 0x401000, expected, 5);
    printf("返回值: %d \n", match);

    // Apply two separate patches before the target runs.
    unsigned char patch_a[] = { 0x90, 0x90, 0x90 };
    unsigned char patch_b[] = { 0x90, 0x90, 0x90 };
    WriteMemory(target, 0x401000, patch_a, 3);
    WriteMemory(target, 0x402000, patch_b, 3);

    // Let the patched process run and release our handles to it.
    ResumeThread(target.hThread);
    CloseHandle(target.hThread);
    CloseHandle(target.hProcess);

    system("pause");
    return 0;
}



    发表于 2021-10-3 06:13:23
    谢谢分享谢谢分享
