返回地址上的WriteProcessMemory

WriteProcessMemory on returned addresses


我的程序目前会在另一个进程的内存中搜索"指定字符串"，并输出包含这些字符串的内存地址。现在我希望对所有返回的地址调用 WriteProcessMemory，把它们处的内容替换掉。扫描部分已经完成，我只需要把所有返回的地址收集起来（例如存进一个 vector），然后逐个写入，但不知道该怎么做。

#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
// Replacement payload for the (currently commented-out) WriteProcessMemory call in
// find_locs(). It is the empty string, so sizeof(someDatanew) is 1 and only the
// terminating NUL would ever be written.
const char someDatanew[] = {'\0'};
// Report every (possibly overlapping) occurrence of [pat_start, pat_end) inside the
// local snapshot [buf_start, buf_end). For each hit the address written to `res` is
// the *remote* one: `base` is where the snapshot was read from, so the hit's offset
// inside the snapshot is added to it.
//
// The snapshot is a copy; the emitted pointers belong to the process `base` came
// from and must not be dereferenced locally.
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
    InIter1 hit = std::search(buf_start, buf_end, pat_start, pat_end);
    while (hit != buf_end) {
        // Offset within the snapshot == offset within the remote region.
        *res++ = base + std::distance(buf_start, hit);
        // Resume one element past the hit (not past the whole pattern) so that
        // overlapping matches, e.g. "aa" in "aaa", are all reported.
        hit = std::search(std::next(hit), buf_end, pat_start, pat_end);
    }
}
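// Walk the user address space of `process` with VirtualQueryEx, snapshot each
// committed private/mapped region with ReadProcessMemory and hand the snapshot to
// find_all(), which emits the matching *remote* addresses through `output`.
//
// Security / correctness notes:
//  - `process` needs at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. A NULL or
//    under-privileged handle makes VirtualQueryEx fail on the first call, so the loop
//    runs zero times and nothing is reported - indistinguishable from "no matches";
//    the caller must check OpenProcess itself.
//  - PAGE_NOACCESS and PAGE_GUARD regions are skipped up front: the read would fail,
//    and touching a guard page is something the target's own code relies on.
//  - The read is a point-in-time copy. The target keeps running, so an address
//    reported here may no longer hold the pattern by the time anyone writes to it.
//  - A pattern straddling two adjacent regions is not found; regions are scanned
//    independently.
//  - ReadProcessMemory's return value is now checked. The original ignored it and
//    trusted `bytes_read`, which was never initialised; a failed read could make it
//    resize the buffer by a garbage length and scan garbage.
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
    MEMORY_BASIC_INFORMATION info;
    std::vector<char> buffer;  // reused across regions instead of re-allocated per region
    for (unsigned char* p = NULL;
         VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
         p += info.RegionSize)
    {
        if (info.State != MEM_COMMIT) continue;
        if (info.Type != MEM_MAPPED && info.Type != MEM_PRIVATE) continue;
        if (info.Protect & (PAGE_NOACCESS | PAGE_GUARD)) continue;
        if (info.RegionSize == 0) continue;

        buffer.resize(info.RegionSize);
        SIZE_T bytes_read = 0;
        if (!ReadProcessMemory(process, p, buffer.data(), info.RegionSize, &bytes_read) ||
            bytes_read == 0) {
            // Protection can change under us (or the region may belong to a page the
            // target just freed); skipping it is safer than scanning a partial copy.
            continue;
        }
        // Only the bytes actually copied are scanned; the rest of `buffer` is stale.
        find_all(p, buffer.begin(), buffer.begin() + bytes_read, pattern.begin(), pattern.end(), output);
        // Writing is deliberately not done here: collect the addresses via `output`
        // and let the caller decide what (and whether) to overwrite.
    }
}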
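// Enable SeDebugPrivilege in the current process token so OpenProcess can reach
// processes owned by other accounts (services, SYSTEM). The privilege must already
// be *present* in the token (it is for an elevated administrator); AdjustTokenPrivileges
// can only toggle privileges the token holds, never add them.
//
// Returns true only if the privilege is now enabled. The original ignored every
// return value, which (a) passed an uninitialised hToken to CloseHandle when
// OpenProcessToken failed and (b) missed the documented case where
// AdjustTokenPrivileges returns TRUE but GetLastError() is ERROR_NOT_ALL_ASSIGNED,
// i.e. the privilege is not held (typically a non-elevated token).
bool EnableDebugPriv() {
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;

    bool enabled = false;
    LUID luid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // TRUE only means the request was processed; ERROR_NOT_ALL_ASSIGNED is the
        // "privilege not in token" outcome and has to count as failure.
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) &&
            GetLastError() != ERROR_NOT_ALL_ASSIGNED)
            enabled = true;
    }
    CloseHandle(hToken);
    return enabled;
}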
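// Enable every privilege already present in the token of `h_Process`.
//
// Review note: this is deliberately over-privileged. The only privilege this tool
// needs is SeDebugPrivilege (see EnableDebugPriv); blanket-enabling whatever else the
// token holds (SeBackup, SeRestore, SeTakeOwnership, SeLoadDriver, ...) widens the
// blast radius of any bug in this process for no benefit. Kept for compatibility
// with the original; callers should prefer EnableDebugPriv().
//
// Fixes versus the original: the token handle was never closed (a handle leak per
// call); the privilege array was a raw new[] of 100 entries sized by guess instead of
// the size GetTokenInformation reports; and ERROR_NOT_ALL_ASSIGNED (AdjustTokenPrivileges
// returned TRUE but left some privileges disabled) was reported as success.
//
// Returns true only if every privilege in the token was enabled.
bool getMaximumPrivileges(HANDLE h_Process) {
    HANDLE h_Token = NULL;
    if (!OpenProcessToken(h_Process, TOKEN_READ | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &h_Token))
        return false;

    bool ok = false;
    DWORD needed = 0;
    // First call with no buffer: fails with ERROR_INSUFFICIENT_BUFFER and reports the size.
    GetTokenInformation(h_Token, TokenPrivileges, NULL, 0, &needed);
    if (needed != 0) {
        std::vector<BYTE> raw(needed);
        TOKEN_PRIVILEGES* privileges = reinterpret_cast<TOKEN_PRIVILEGES*>(raw.data());
        DWORD dw_TokenLength = 0;
        if (GetTokenInformation(h_Token, TokenPrivileges, privileges, needed, &dw_TokenLength)) {
            for (DWORD i = 0; i < privileges->PrivilegeCount; i++)
                privileges->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
            // TRUE alone is not success: ERROR_NOT_ALL_ASSIGNED means some were refused.
            ok = AdjustTokenPrivileges(h_Token, FALSE, privileges, dw_TokenLength, NULL, NULL) &&
                 GetLastError() != ERROR_NOT_ALL_ASSIGNED;
        }
    }
    CloseHandle(h_Token);
    return ok;
} // enable all privileges held by the token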
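// Entry point: ask for a PID and a pattern, open the target and print every remote
// address at which the pattern occurs, one per line.
//
// Fixes versus the original:
//  - OpenProcess() failure was ignored. With a NULL handle find_locs silently reports
//    nothing, which looks exactly like "no matches"; the Win32 error is now printed.
//  - The access mask was PROCESS_ALL_ACCESS (which already subsumes the other three
//    flags OR'ed with it). Scanning only needs PROCESS_QUERY_INFORMATION |
//    PROCESS_VM_READ; the write path in this version is commented out, so no write
//    rights are requested. Least privilege also lets OpenProcess succeed on targets
//    whose DACL grants read but not full access.
//  - The process handle was never closed.
//  - The ostream_iterator delimiter was "n" (almost certainly a lost backslash),
//    which printed every address on one line; it is now "\n".
//  - A PID that does not parse is reported instead of falling through.
int main() {
    EnableDebugPriv();
    getMaximumPrivileges(GetCurrentProcess());

    DWORD pid = 0;
    std::cout << "Enter PID: ";
    if (!(std::cin >> pid)) {
        std::cerr << "invalid PID\n";
        return 1;
    }
    std::cin.get();  // consume the newline left behind by operator>>
    std::string pattern;
    std::cout << "pattern to find: ";
    std::getline(std::cin, pattern);

    HANDLE process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (process == NULL) {
        std::cerr << "OpenProcess(" << pid << ") failed, error " << GetLastError() << "\n";
        system("pause");
        return 1;
    }
    find_locs(process, pattern,
              std::ostream_iterator<void*>(std::cout, "\n")); // one remote address per line
    CloseHandle(process);
    system("pause");
    return 0;
}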

我希望把所有返回地址处的内容替换为 someDatanew。

与其将 find_locs() 的结果输出到控制台，不如把每个匹配地址记录到一个数组（例如 std::vector<unsigned char*>）中。扫描完成后再遍历它们，对每个地址调用 WriteProcessMemory 写入你想要的内容。注意写入长度不能超过被匹配字符串的长度，否则会覆盖到紧随其后的内存；是否需要写入结尾的 NUL 也要自行决定。

或者，您也可以每次只扫描一个模式，覆盖扫描结果，再扫描下一个模式并覆盖，如此重复直到 PatternScan() 不再返回结果。但这样做效率较低。

为了最快地解决您的问题，我修改了 find_all()，在其中加入了对 WriteProcessMemory 的调用，这是实现您要求的最直接的方法。我还改了其他一些地方，所以请复制并粘贴整个源代码来覆盖您的源代码。

我删除了 SeDebug 令牌提升的内容，这是不必要的，您只需要以管理员身份运行程序即可使用这些 API。注意：这对以当前用户身份运行的普通进程成立；如果目标进程属于其他账户（例如 SYSTEM 服务），通常仍需要在令牌中启用 SeDebugPrivilege（原代码中的 EnableDebugPriv() 正是做这件事），仅以管理员身份运行不一定足够。

已测试可用。注意：被覆盖的字符串长度必须至少与 someDatanew 相同，因为代码写入的是 strlen(someDatanew) 个字节；如果替换串更长，WriteProcessMemory 会写过匹配字符串的末尾，破坏其后的内存。

#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
// Bytes written over every match: strlen() of this is written, without a trailing NUL.
const char *someDatanew = "Foobar";
// Target process handle. Set in main() and read by find_all(), which has no handle
// parameter of its own. find_locs() takes a parameter with the same name that
// shadows this global inside its body.
HANDLE process = NULL;
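// Find every (possibly overlapping) occurrence of [pat_start, pat_end) in the local
// snapshot [buf_start, buf_end), report the corresponding remote address through
// `res`, and overwrite it in the target with `someDatanew` via the global `process`
// handle (which must carry PROCESS_VM_WRITE | PROCESS_VM_OPERATION).
//
// Security / correctness notes:
//  - The write is bounded to the matched text. If strlen(someDatanew) exceeds the
//    pattern length, the original silently wrote past the match into whatever followed
//    it (a neighbouring string, a pointer, a heap header). Such matches are still
//    reported but NOT written, with a message on stderr. A shorter replacement leaves
//    the tail of the old text in place exactly as before (e.g. "Hi" over "Hello" ->
//    "Hillo"); no NUL is written, so termination is the caller's responsibility.
//  - The snapshot is a copy taken earlier and the target keeps running, so the bytes
//    at the reported address may have changed by the time they are overwritten.
//  - Matches are located in the stale snapshot, so overlapping matches are all written
//    even though the first write already changed the later ones.
//  - Failed writes (missing access rights, process gone, unwritable page) were silent;
//    the Win32 error code is now printed.
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
    const size_t pat_len = static_cast<size_t>(std::distance(pat_start, pat_end));
    const size_t new_len = strlen(someDatanew);
    for (InIter1 pos = buf_start;
         buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
         ++pos)
    {
        unsigned char* remote = base + (pos - buf_start);
        *res++ = remote;
        if (new_len > pat_len) {
            std::cerr << "skipping " << static_cast<void*>(remote) << ": replacement ("
                      << new_len << " bytes) is longer than the match (" << pat_len << " bytes)\n";
            continue;
        }
        SIZE_T written = 0;
        if (WriteProcessMemory(process, remote, someDatanew, new_len, &written) && written == new_len)
            std::cout << "done";
        else
            std::cerr << "WriteProcessMemory(" << static_cast<void*>(remote)
                      << ") failed, error " << GetLastError() << "\n";
    }
}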
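// Walk the user address space of `process` with VirtualQueryEx, snapshot each
// committed private/mapped region with ReadProcessMemory and hand the snapshot to
// find_all(), which emits the matching *remote* addresses through `output` (and, in
// this version of the program, also overwrites them).
//
// Security / correctness notes:
//  - This parameter shadows the file-level global of the same name. find_all() writes
//    through the *global*, so the two must refer to the same handle; main() assigns
//    the global and passes it here.
//  - The handle needs at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (plus
//    PROCESS_VM_WRITE | PROCESS_VM_OPERATION for the writes). A NULL or
//    under-privileged handle makes VirtualQueryEx fail on the first call, so the loop
//    runs zero times - indistinguishable from "no matches"; check OpenProcess first.
//  - PAGE_NOACCESS and PAGE_GUARD regions are skipped up front: the read would fail,
//    and touching a guard page is something the target's own code relies on.
//  - The read is a point-in-time copy; the target keeps running, so a match may be
//    gone by the time it is overwritten.
//  - A pattern straddling two adjacent regions is not found.
//  - ReadProcessMemory's return value is now checked. The original ignored it and
//    trusted `bytes_read`, which was never initialised; a failed read could resize
//    the buffer by a garbage length and scan (and then overwrite!) garbage.
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
    MEMORY_BASIC_INFORMATION info;
    std::vector<char> buffer;  // reused across regions instead of re-allocated per region
    for (unsigned char* p = NULL;
         VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
         p += info.RegionSize)
    {
        if (info.State != MEM_COMMIT) continue;
        if (info.Type != MEM_MAPPED && info.Type != MEM_PRIVATE) continue;
        if (info.Protect & (PAGE_NOACCESS | PAGE_GUARD)) continue;
        if (info.RegionSize == 0) continue;

        buffer.resize(info.RegionSize);
        SIZE_T bytes_read = 0;
        if (!ReadProcessMemory(process, p, buffer.data(), info.RegionSize, &bytes_read) ||
            bytes_read == 0) {
            // Protection can change under us (or the page may just have been freed);
            // skipping the region is safer than scanning a partial copy.
            continue;
        }
        // Only the bytes actually copied are scanned; the rest of `buffer` is stale.
        find_all(p, buffer.begin(), buffer.begin() + bytes_read, pattern.begin(), pattern.end(), output);
    }
}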
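// Entry point: ask for a PID and a pattern, open the target, then scan it and
// overwrite every match with `someDatanew` (done inside find_all), printing each
// remote address on its own line.
//
// This program mutates another process's memory on every match of a user-supplied
// pattern. Run it only against a target you own and are allowed to modify, and keep
// the pattern specific: a short pattern matches in code, heap metadata and pointers
// too, and overwriting those can crash or corrupt the target.
//
// Fixes versus the original:
//  - OpenProcess() failure was ignored; with a NULL handle find_locs silently reports
//    nothing. The Win32 error is now printed.
//  - The access mask was PROCESS_ALL_ACCESS (which subsumes the other flags OR'ed in).
//    Exactly the rights used are requested: query + read for the scan, write +
//    operation for WriteProcessMemory. Least privilege also lets OpenProcess succeed
//    on targets whose DACL does not grant full access.
//  - The handle was never closed; the global is reset afterwards so a stale handle
//    cannot be reused by find_all().
//  - The ostream_iterator delimiter was "n" (almost certainly a lost backslash),
//    which printed every address on one line; it is now "\n".
//  - A PID that does not parse is reported instead of falling through.
int main()
{
    DWORD pid = 0;
    std::cout << "Enter PID: ";
    if (!(std::cin >> pid)) {
        std::cerr << "invalid PID\n";
        return 1;
    }
    std::cin.get();  // consume the newline left behind by operator>>
    std::string pattern;
    std::cout << "pattern to find: ";
    std::getline(std::cin, pattern);

    process = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
        FALSE,
        pid);
    if (process == NULL) {
        std::cerr << "OpenProcess(" << pid << ") failed, error " << GetLastError() << "\n";
        system("pause");
        return 1;
    }
    find_locs(process, pattern,
              std::ostream_iterator<void*>(std::cout, "\n")); // one remote address per line
    CloseHandle(process);
    process = NULL;
    system("pause");
    return 0;
}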