使用指针的方式进行进程间通讯，可以做到 32位->32位、64位->64位、32位->64位：原因是调用了两套函数：ReadProcessMemory / NtWow64ReadVirtualMemory64。
//进程间通讯的指针形式的内存访问
#include
#include
#include
using namespace std;

// Enables (IsEnable == TRUE) or disables one named privilege on the current process token.
BOOL EnableSeDebugPrivilege(IN const CHAR * PriviledgeName, BOOL IsEnable);

// ntdll!NtWow64ReadVirtualMemory64 / NtWow64WriteVirtualMemory64: both take a 64-bit remote
// address and length, which is what lets a 32-bit (WOW64) caller reach a 64-bit target.
// They are undocumented, resolved at run time with GetProcAddress (see main) and stay null
// when the loaded ntdll does not export them.
using LPFN_NTWOW64READVIRTUALMEMORY64 = NTSTATUS(NTAPI *)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    OUT PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);
using LPFN_NTWOW64WRITEVIRTUALMEMORY64 = NTSTATUS(NTAPI *)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    IN PVOID BufferData,            // source of the write; IN/OUT are empty annotation macros
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

LPFN_NTWOW64READVIRTUALMEMORY64 __NtWow64ReadVirtualMemory64 = nullptr;
LPFN_NTWOW64WRITEVIRTUALMEMORY64 __NtWow64WriteVirtualMemory64 = nullptr;

// Reads a small buffer at BaseAddress inside process ProcessID, prints it, then writes it back.
BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress);

// NTSTATUS success test: non-negative values are success or informational codes.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
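int main()
{
    // Entry point: resolves the optional WOW64 entry points, asks for a target process id and
    // a hexadecimal address, and hands both to Point_IPC.
    // Returns 0 when Point_IPC reported success, 1 otherwise. The original returned FALSE (0)
    // on its own failure path, which reports success to whoever launched the program.

    // NtWow64ReadVirtualMemory64 / NtWow64WriteVirtualMemory64 live only in the ntdll of a
    // WOW64 (32-bit on 64-bit Windows) process; elsewhere GetProcAddress yields NULL and
    // Point_IPC must rely on ReadProcessMemory/WriteProcessMemory.
    HMODULE NtdllModuleBase = GetModuleHandle("Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        fprintf(stderr, "GetModuleHandle(Ntdll.dll) failed, error %lu\r\n", GetLastError());
        return 1;
    }
    __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64ReadVirtualMemory64");
    __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64WriteVirtualMemory64");

    // A failed extraction leaves ProcessID at 0; OpenProcess would reject that anyway, but
    // reporting it here is clearer than a silent FALSE from Point_IPC.
    ULONG ProcessID = 0;
    cout << "Input ProcessId" << endl;
    if (!(cin >> ProcessID) || ProcessID == 0)
    {
        fprintf(stderr, "Invalid ProcessId\r\n");
        return 1;
    }

    // %llx reads a hexadecimal address of either width (with or without a 0x prefix) into the
    // 64-bit field; "cin >> BaseAddress" would have parsed the same text as decimal.
    ULONG64 BaseAddress = 0;
    cout << "Input BaseAddress" << endl;
    if (scanf("%llx", &BaseAddress) != 1 || BaseAddress == 0)
    {
        fprintf(stderr, "Invalid BaseAddress\r\n");
        return 1;
    }
    const BOOL Succeeded = Point_IPC(ProcessID, BaseAddress);

    // Drain the newline scanf left behind; otherwise the final getchar() returns at once and
    // "Input AnyKey To Exit" never actually waits.
    int ch = 0;
    while ((ch = getchar()) != '\n' && ch != EOF)
    {
    }
    printf("Input AnyKey To Exit\r\n");
    getchar();
    return Succeeded ? 0 : 1;
}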
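BOOL EnableSeDebugPrivilege(IN const CHAR* PriviledgeName, BOOL IsEnable)
{
    // Adjusts a single privilege on the current process token.
    // PriviledgeName: privilege name as accepted by LookupPrivilegeValue, e.g. "SeDebugPrivilege".
    // IsEnable: TRUE enables the privilege, any other value disables it.
    // Returns TRUE only when the privilege was actually adjusted. A privilege the token does not
    // hold at all (typical for SeDebugPrivilege in a non-elevated process) now yields FALSE;
    // the original returned TRUE in that case because it never checked GetLastError().
    HANDLE TokenHandle = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }

    BOOL Result = FALSE;
    LUID PrivilegeLuid = { 0 };
    if (LookupPrivilegeValue(NULL, PriviledgeName, &PrivilegeLuid)) // privilege name -> LUID
    {
        TOKEN_PRIVILEGES TokenPrivileges = { 0 };
        TokenPrivileges.PrivilegeCount = 1;                          // entries used in Privileges[]
        TokenPrivileges.Privileges[0].Luid = PrivilegeLuid;
        TokenPrivileges.Privileges[0].Attributes = (IsEnable == TRUE) ? SE_PRIVILEGE_ENABLED : 0;
        // AdjustTokenPrivileges returns TRUE even when nothing was adjusted; a privilege that is
        // absent from the token is reported only through ERROR_NOT_ALL_ASSIGNED.
        if (AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
                                  sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            Result = TRUE;
        }
    }

    // Single exit so the token handle is released on every path.
    CloseHandle(TokenHandle);
    return Result;
}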
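// Payload written back into the target after the read. With its terminating NUL it is 10 bytes,
// which fits the 20-byte exchange buffer.
static const char kPayload[] = "Point-IPC";

// Read / print / write through the Win32 API. Valid whenever BaseAddress is representable as one
// of this process's own pointers (any address from a 64-bit caller, addresses below 4 GB from a
// 32-bit one). Reads one byte less than the buffer so a NUL terminator always remains for "%s".
// Returns TRUE when both the read and the write succeeded.
static BOOL Point_IPC_Win32(HANDLE ProcessHandle, ULONG64 BaseAddress, char* BufferData, SIZE_T BufferLength)
{
    PVOID RemoteAddress = (PVOID)(ULONG_PTR)BaseAddress;
    SIZE_T ReturnLength = 0;
    __try
    {
        if (!ReadProcessMemory(ProcessHandle, RemoteAddress, BufferData, BufferLength - 1, &ReturnLength))
        {
            printf("ReadProcessMemory failed, error %lu\r\n", GetLastError());
            return FALSE;
        }
        BufferData[BufferLength - 1] = '\0';
        printf("%s\r\n", BufferData);
        ZeroMemory(BufferData, BufferLength);
        memcpy(BufferData, kPayload, sizeof(kPayload));
        if (!WriteProcessMemory(ProcessHandle, RemoteAddress, BufferData, sizeof(kPayload), &ReturnLength))
        {
            printf("WriteProcessMemory failed, error %lu\r\n", GetLastError());
            return FALSE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("异常\r\n");
        return FALSE;
    }
    return TRUE;
}

// Same exchange through the WOW64-only NtWow64*VirtualMemory64 entry points, which accept a full
// 64-bit remote address from a 32-bit caller. The caller guarantees both pointers are non-null.
// The original printed the buffer only after zeroing it, so the read content was never shown.
static BOOL Point_IPC_Wow64(HANDLE ProcessHandle, ULONG64 BaseAddress, char* BufferData, ULONG64 BufferLength)
{
    ULONG64 ReturnLength = 0;
    __try
    {
        NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle,
            BaseAddress, BufferData, BufferLength - 1, &ReturnLength);
        if (!NT_SUCCESS(Status))
        {
            printf("NtWow64ReadVirtualMemory64 failed, status 0x%08lX\r\n", (unsigned long)Status);
            return FALSE;
        }
        BufferData[BufferLength - 1] = '\0';
        printf("%s\r\n", BufferData);
        ZeroMemory(BufferData, (SIZE_T)BufferLength);
        memcpy(BufferData, kPayload, sizeof(kPayload));
        Status = __NtWow64WriteVirtualMemory64(ProcessHandle,
            BaseAddress, BufferData, sizeof(kPayload), &ReturnLength);
        if (!NT_SUCCESS(Status))
        {
            printf("NtWow64WriteVirtualMemory64 failed, status 0x%08lX\r\n", (unsigned long)Status);
            return FALSE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        printf("异常\r\n");
        return FALSE;
    }
    return TRUE;
}

BOOL Point_IPC(ULONG ProcessID, ULONG64 BaseAddress)
{
    // Reads up to 19 bytes at BaseAddress inside process ProcessID, prints them as a string, then
    // writes the NUL-terminated kPayload back to the same address.
    // ProcessID: target process id. BaseAddress: remote address, 0 is rejected.
    // Returns TRUE only when the read and the write both succeeded. The original had no return
    // statement after its Exit label, so its return value was undefined.
    if (BaseAddress == 0)
    {
        return FALSE;
    }
    char BufferData[20] = { 0 };

    // SeDebugPrivilege only matters for targets the caller could not open otherwise; OpenProcess
    // is the real access decision, so a privilege that cannot be enabled is reported, not fatal.
    const BOOL DebugPrivilegeEnabled = EnableSeDebugPrivilege("SeDebugPrivilege", TRUE);
    if (!DebugPrivilegeEnabled)
    {
        printf("SeDebugPrivilege could not be enabled, continuing without it\r\n");
    }

    BOOL Result = FALSE;
    HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
    if (ProcessHandle == NULL)
    {
        printf("OpenProcess(%lu) failed, error %lu\r\n", ProcessID, GetLastError());
    }
    else
    {
        // Informational: the routing below depends on the address, not on the target's bitness.
        // The original ignored this return value, so a failed query silently chose the 64-bit path.
        BOOL TargetIsWow64 = FALSE;
        if (IsWow64Process(ProcessHandle, &TargetIsWow64))
        {
            printf("Target process is %s\r\n", TargetIsWow64 ? "WOW64 (32-bit)" : "not WOW64");
        }
        else
        {
            printf("IsWow64Process failed, error %lu\r\n", GetLastError());
        }

        // Win32 path whenever the remote address fits one of our own pointers: always for a
        // 64-bit caller, below 4 GB for a 32-bit one. Only a 32-bit caller facing a high 64-bit
        // address needs the NtWow64* entry points. The original sent every non-WOW64 target down
        // the NtWow64* path, so a 64-bit caller (whose ntdll does not export them) could never
        // reach a 64-bit target even though ReadProcessMemory handles that case directly.
        const bool AddressFitsPointer = ((ULONG64)(ULONG_PTR)BaseAddress == BaseAddress);
        if (AddressFitsPointer)
        {
            Result = Point_IPC_Win32(ProcessHandle, BaseAddress, BufferData, sizeof(BufferData));
        }
        else if (__NtWow64ReadVirtualMemory64 != NULL && __NtWow64WriteVirtualMemory64 != NULL)
        {
            Result = Point_IPC_Wow64(ProcessHandle, BaseAddress, BufferData, sizeof(BufferData));
        }
        else
        {
            printf("NtWow64ReadVirtualMemory64/NtWow64WriteVirtualMemory64 not available\r\n");
        }
        CloseHandle(ProcessHandle);
    }

    // Only undo what this call enabled.
    if (DebugPrivilegeEnabled)
    {
        EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
    }
    return Result;
}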
测试程序:
#include "stdafx.h"
#include
int main()
{
    // Demo target: prints its own process id and the address of a writable 20-byte buffer, waits
    // for a key, then prints the buffer again so a write from the IPC tool becomes visible.
    char BufferData[20] = "HelloWorld";
    const DWORD OwnProcessId = GetCurrentProcessId();

    printf("ProcessID:%d\r\n", OwnProcessId);
    printf("BaseAddress:%p\r\n", static_cast<void*>(BufferData));
    fputs("Input AnyKey To Continue\r\n", stdout);
    getchar();

    // Second print shows whatever the other process left in the buffer.
    printf("BaseAddress:%s\r\n", BufferData);
    fputs("Input AnyKey To Exit\r\n", stdout);
    getchar();
    return 0;
}
1. IsWow64Process函数的使用；
2. '|'与'||'的区别：在罗列进程权限的时候；
3. 函数名不能加横线，只能加下划线；
4. 输入地址（包括32位与64位）的方法；
（程序中都有展示）