返回地址上的 WriteProcessMemory
WriteProcessMemory on returned addresses
所以我的程序基本上是在其他进程中搜索"specified strings"
内存,然后输出包含这些字符串的内存地址,
但我希望能够做一个 WriteProcessmemory 来替换所有这些
地址。
我只需要拥有所有返回的所有 writeprocessmemory
地址,程序已经完成,我只需要那个,也许可以
工作将地址存储到向量中,否则我不知道。
#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
const char someDatanew[] = "[=10=]";
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
for (InIter1 pos = buf_start;
buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
++pos)
{
*res++ = base + (pos - buf_start);
}
}
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
unsigned char* p = NULL;
MEMORY_BASIC_INFORMATION info;
for (p = NULL;
VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
p += info.RegionSize)
{
std::vector<char> buffer;
std::vector<char>::iterator pos;
if (info.State == MEM_COMMIT &&
(info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
{
SIZE_T bytes_read;
buffer.resize(info.RegionSize);
ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
buffer.resize(bytes_read);
find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
//if (WriteProcessMemory(process, (LPVOID)here all returned addresses, someDatanew, sizeof(someDatanew), 0))
//// std::cout << "done";
//}
}
}
}
void EnableDebugPriv() {
HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);
CloseHandle(hToken);
}
bool getMaximumPrivileges(HANDLE h_Process) {
HANDLE h_Token;
DWORD dw_TokenLength;
if (OpenProcessToken(h_Process, TOKEN_READ | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &h_Token)) {
// Read the old token privileges
TOKEN_PRIVILEGES* privilages = new TOKEN_PRIVILEGES[100];
if (GetTokenInformation(h_Token, TokenPrivileges, privilages, sizeof(TOKEN_PRIVILEGES) * 100, &dw_TokenLength)) {
// Enable all privileges
for (int i = 0; i < privilages->PrivilegeCount; i++) {
privilages->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
}
// Adjust the privilges
if (AdjustTokenPrivileges(h_Token, false, privilages, sizeof(TOKEN_PRIVILEGES) * 100, NULL, NULL)) {
delete[] privilages;
return true;
}
}
delete[] privilages;
}
return false;
} //get all tokens
int main() {
EnableDebugPriv();
getMaximumPrivileges(GetCurrentProcess());
DWORD pid;
std::cout << "Enter PID: ";
std::cin >> pid;
std::cin.get();
std::string pattern;
std::cout << "pattern to find: ";
std::getline(std::cin, pattern);
HANDLE process = OpenProcess(
PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
false,
pid);
find_locs(process, pattern,
std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings
system("pause");
return 0;
}
我希望用 someDatanew 替换所有返回的地址
与其将 find_locs() 的结果输出到控制台,不如将每个字符串地址记录到一个数组中。然后在这完成之后,遍历它们并调用 WriteProcessMemory,用你想要的任何东西覆盖它们,只要确保你有正确的 size/null 终止。
或者您可以扫描内存中的单个模式,覆盖结果,再次扫描下一个模式,再次覆盖直到 PatternScan() returns 没有结果。但是这样效率不高。
为了最快解决您的问题,我编辑了 find_all() 以包含对 WriteProcessMemory 的调用,这是完成您想要的任务的最快方法。我更改了一些其他内容,因此请务必复制并粘贴整个源代码,覆盖您的代码。
我删除了 SeDebug 令牌提升内容,没有必要。您只需要 运行 您的程序以管理员身份使用这些 API。
经测试有效,只需确保您覆盖的字符串至少与 someDataNew 的长度相同
#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
const char * someDatanew = "Foobar[=10=]";
HANDLE process = 0;
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
for (InIter1 pos = buf_start;
buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
++pos)
{
*res++ = base + (pos - buf_start);
if (WriteProcessMemory(process, (LPVOID)(base + (pos - buf_start)), (LPCVOID)someDatanew, strlen(someDatanew), 0))
std::cout << "done";
}
}
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
unsigned char* p = NULL;
MEMORY_BASIC_INFORMATION info;
for (p = NULL;
VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
p += info.RegionSize)
{
std::vector<char> buffer;
std::vector<char>::iterator pos;
if (info.State == MEM_COMMIT &&
(info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
{
SIZE_T bytes_read;
buffer.resize(info.RegionSize);
ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
buffer.resize(bytes_read);
find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
}
}
}
int main()
{
DWORD pid;
std::cout << "Enter PID: ";
std::cin >> pid;
std::cin.get();
std::string pattern;
std::cout << "pattern to find: ";
std::getline(std::cin, pattern);
process = OpenProcess(
PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
false,
pid);
find_locs(process, pattern,
std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings
system("pause");
return 0;
}
所以我的程序基本上是在其他进程中搜索"specified strings" 内存,然后输出包含这些字符串的内存地址, 但我希望能够做一个 WriteProcessmemory 来替换所有这些 地址。 我只需要拥有所有返回的所有 writeprocessmemory 地址,程序已经完成,我只需要那个,也许可以 工作将地址存储到向量中,否则我不知道。
#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
const char someDatanew[] = "[=10=]";
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
for (InIter1 pos = buf_start;
buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
++pos)
{
*res++ = base + (pos - buf_start);
}
}
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
unsigned char* p = NULL;
MEMORY_BASIC_INFORMATION info;
for (p = NULL;
VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
p += info.RegionSize)
{
std::vector<char> buffer;
std::vector<char>::iterator pos;
if (info.State == MEM_COMMIT &&
(info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
{
SIZE_T bytes_read;
buffer.resize(info.RegionSize);
ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
buffer.resize(bytes_read);
find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
//if (WriteProcessMemory(process, (LPVOID)here all returned addresses, someDatanew, sizeof(someDatanew), 0))
//// std::cout << "done";
//}
}
}
}
void EnableDebugPriv() {
HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);
CloseHandle(hToken);
}
bool getMaximumPrivileges(HANDLE h_Process) {
HANDLE h_Token;
DWORD dw_TokenLength;
if (OpenProcessToken(h_Process, TOKEN_READ | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &h_Token)) {
// Read the old token privileges
TOKEN_PRIVILEGES* privilages = new TOKEN_PRIVILEGES[100];
if (GetTokenInformation(h_Token, TokenPrivileges, privilages, sizeof(TOKEN_PRIVILEGES) * 100, &dw_TokenLength)) {
// Enable all privileges
for (int i = 0; i < privilages->PrivilegeCount; i++) {
privilages->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
}
// Adjust the privilges
if (AdjustTokenPrivileges(h_Token, false, privilages, sizeof(TOKEN_PRIVILEGES) * 100, NULL, NULL)) {
delete[] privilages;
return true;
}
}
delete[] privilages;
}
return false;
} //get all tokens
int main() {
EnableDebugPriv();
getMaximumPrivileges(GetCurrentProcess());
DWORD pid;
std::cout << "Enter PID: ";
std::cin >> pid;
std::cin.get();
std::string pattern;
std::cout << "pattern to find: ";
std::getline(std::cin, pattern);
HANDLE process = OpenProcess(
PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
false,
pid);
find_locs(process, pattern,
std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings
system("pause");
return 0;
}
我希望用 someDatanew 替换所有返回的地址
与其将 find_locs() 的结果输出到控制台,不如将每个字符串地址记录到一个数组中。然后在这完成之后,遍历它们并调用 WriteProcessMemory,用你想要的任何东西覆盖它们,只要确保你有正确的 size/null 终止。
或者您可以扫描内存中的单个模式,覆盖结果,再次扫描下一个模式,再次覆盖直到 PatternScan() returns 没有结果。但是这样效率不高。
为了最快解决您的问题,我编辑了 find_all() 以包含对 WriteProcessMemory 的调用,这是完成您想要的任务的最快方法。我更改了一些其他内容,因此请务必复制并粘贴整个源代码,覆盖您的代码。
我删除了 SeDebug 令牌提升内容,没有必要。您只需要 运行 您的程序以管理员身份使用这些 API。
经测试有效,只需确保您覆盖的字符串至少与 someDataNew 的长度相同
#include <iostream>
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
const char * someDatanew = "Foobar[=10=]";
HANDLE process = 0;
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char* base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
for (InIter1 pos = buf_start;
buf_end != (pos = std::search(pos, buf_end, pat_start, pat_end));
++pos)
{
*res++ = base + (pos - buf_start);
if (WriteProcessMemory(process, (LPVOID)(base + (pos - buf_start)), (LPCVOID)someDatanew, strlen(someDatanew), 0))
std::cout << "done";
}
}
template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {
unsigned char* p = NULL;
MEMORY_BASIC_INFORMATION info;
for (p = NULL;
VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
p += info.RegionSize)
{
std::vector<char> buffer;
std::vector<char>::iterator pos;
if (info.State == MEM_COMMIT &&
(info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE))
{
SIZE_T bytes_read;
buffer.resize(info.RegionSize);
ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
buffer.resize(bytes_read);
find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
}
}
}
int main()
{
DWORD pid;
std::cout << "Enter PID: ";
std::cin >> pid;
std::cin.get();
std::string pattern;
std::cout << "pattern to find: ";
std::getline(std::cin, pattern);
process = OpenProcess(
PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
false,
pid);
find_locs(process, pattern,
std::ostream_iterator<void*>(std::cout, "\n")); //outputs addresses that contains the strings
system("pause");
return 0;
}