返回地址上的 WriteProcessMemory

WriteProcessMemory on returned addresses

所以我的程序基本上是在其他进程中搜索"specified strings" 内存,然后输出包含这些字符串的内存地址, 但我希望能够做一个 WriteProcessmemory 来替换所有这些 地址。 我只需要拥有所有返回的所有 writeprocessmemory 地址,程序已经完成,我只需要那个,也许可以 工作将地址存储到向量中,否则我不知道。

#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
const char someDatanew[] = "[=10=]";
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
    for (InIter1 pos = buf_start;
        buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
        ++pos)
    {
        *res++ = base + (pos - buf_start);
    }
}

template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {

    unsigned char* p = NULL;
    MEMORY_BASIC_INFORMATION info;

    for (p = NULL;
        VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
        p += info.RegionSize)
    {
        std::vector<char> buffer;
        std::vector<char>::iterator pos;

        if (info.State == MEM_COMMIT &&
            (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
        {
            SIZE_T bytes_read;
            buffer.resize(info.RegionSize);
            ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
            buffer.resize(bytes_read);
            find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
            //if (WriteProcessMemory(process, (LPVOID)here all returned addresses, someDatanew, sizeof(someDatanew), 0))
            ////    std::cout << "done";
            //}
        }
    }
}
void EnableDebugPriv() {
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkp;

    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);

    CloseHandle(hToken);
}

bool getMaximumPrivileges(HANDLE h_Process) {

    HANDLE h_Token;
    DWORD dw_TokenLength;

    if (OpenProcessToken(h_Process, TOKEN_READ | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &h_Token)) {
        // Read the old token privileges
        TOKEN_PRIVILEGES* privilages = new TOKEN_PRIVILEGES[100];
        if (GetTokenInformation(h_Token, TokenPrivileges, privilages, sizeof(TOKEN_PRIVILEGES) * 100, &dw_TokenLength)) {
            // Enable all privileges
            for (int i = 0; i < privilages->PrivilegeCount; i++) {
                privilages->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
            }

            // Adjust the privilges
            if (AdjustTokenPrivileges(h_Token, false, privilages, sizeof(TOKEN_PRIVILEGES) * 100, NULL, NULL)) {
                delete[] privilages;
                return true;
            }
        }
        delete[] privilages;

    }
    return false;
} //get all tokens

int main() {
    EnableDebugPriv();
    getMaximumPrivileges(GetCurrentProcess());


    DWORD pid;
    std::cout << "Enter PID: ";
    std::cin >> pid;

    std::cin.get();

    std::string pattern;

    std::cout << "pattern to find: ";
    std::getline(std::cin, pattern);

    HANDLE process = OpenProcess(
        PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
        false,
        pid);

    find_locs(process, pattern,
        std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings

    system("pause");

    return 0;
}

我希望用 someDatanew 替换所有返回的地址

与其将 find_locs() 的结果输出到控制台,不如将每个字符串地址记录到一个数组中。然后在这完成之后,遍历它们并调用 WriteProcessMemory,用你想要的任何东西覆盖它们,只要确保你有正确的 size/null 终止。

或者您可以扫描内存中的单个模式,覆盖结果,再次扫描下一个模式,再次覆盖直到 PatternScan() returns 没有结果。但是这样效率不高。

为了最快解决您的问题,我编辑了 find_all() 以包含对 WriteProcessMemory 的调用,这是完成您想要的任务的最快方法。我更改了一些其他内容,因此请务必复制并粘贴整个源代码,覆盖您的代码。

我删除了 SeDebug 令牌提升内容,没有必要。您只需要 运行 您的程序以管理员身份使用这些 API。

经测试有效,只需确保您覆盖的字符串至少与 someDataNew 的长度相同

#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>

const char * someDatanew = "Foobar[=10=]";

HANDLE process = 0;

template <class InIter1, class InIter2, class OutIter>

void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
    for (InIter1 pos = buf_start;
        buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
        ++pos)
    {
        *res++ = base + (pos - buf_start);

        if (WriteProcessMemory(process, (LPVOID)(base + (pos - buf_start)), (LPCVOID)someDatanew, strlen(someDatanew), 0))
        std::cout << "done";

    }
}

template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {

    unsigned char* p = NULL;
    MEMORY_BASIC_INFORMATION info;

    for (p = NULL;
        VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
        p += info.RegionSize)
    {
        std::vector<char> buffer;
        std::vector<char>::iterator pos;

        if (info.State == MEM_COMMIT &&
            (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
        {
            SIZE_T bytes_read;
            buffer.resize(info.RegionSize);
            ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
            buffer.resize(bytes_read);
            find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);

        }
    }
}

int main()
{
    DWORD pid;
    std::cout << "Enter PID: ";
    std::cin >> pid;

    std::cin.get();

    std::string pattern;

    std::cout << "pattern to find: ";
    std::getline(std::cin, pattern);

    process = OpenProcess(
        PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
        false,
        pid);

    find_locs(process, pattern,
        std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings

    system("pause");

    return 0;
}