风铃夜思雨
Original content
004865DD |. BA 30664800 MOV EDX,Fa.00486630
004865E2 |. 8BC4 MOV EAX,ESP
004865E4 |. B9 11000000 MOV ECX,11
004865E9 |. E8 E69EFAFF CALL Fa.004304D4
The correct version should change it to this:
004865DD |. BA 30664800 MOV EDX,Fa.00486630
004865E2 - E9 199A6E00 JMP 00B70000 // 00B70000 is the MemData address where I wrote my own code into the target process
004865E7 90 NOP
004865E8 90 NOP
004865E9 |. E8 E69EFAFF CALL Fa.004304D4
Delphi code
Type
  PJmpCode = ^TJmpCode;
  TJmpCode = Packed Record
    JmpCode: Byte;                 // opcode byte written at 004865E2
    Address: Pointer;              // 4-byte operand following the opcode
    MovEAX: Array[0..1] Of Byte;   // 2 padding bytes; the record covers MOV EAX,ESP + MOV ECX,11 (2 + 5 = 7 bytes)
  End;

Var
  CurProc: THandle;   // handle to the target process
  MemData: Pointer;
  JmpCode: TJmpCode;
  Written: DWORD;

{Allocate memory in the target process}
MemData := VirtualAllocEx(CurProc, Nil, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
{Write the custom function into the target process (copies 4096 bytes starting at GetDataCode)}
WriteProcessMemory(CurProc, MemData, @GetDataCode, 4096, Written);
// debug: display the address
MessageBox(0, PChar('$' + IntToHex(LongInt(MemData), 8)), '', 0);
JmpCode.JmpCode := $EB;       // $EB is the 2-byte short JMP rel8 opcode; the corrected listing above uses E9 (JMP rel32)
JmpCode.Address := MemData;   // the address is $00B70000; this method is wrong, it should actually be 199A6E00 to jump to that address
JmpCode.MovEAX[0] := $90;
JmpCode.MovEAX[1] := $90;
WriteProcessMemory(CurProc, Pointer($004865E2), @JmpCode, 7, Written);
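The displacement in the corrected listing (E9 199A6E00) is not an address but the distance from the end of the 5-byte JMP to MemData: 00B70000 - (004865E2 + 5) = 006E9A19, stored little-endian. The following is an added example, not code from the original post, that encodes that patch in C, shows where the posted Delphi code's absolute operand would really land, and builds a trampoline that replays the two overwritten instructions (MOV EAX,ESP and MOV ECX,11, exactly 7 bytes, so the patch ends on an instruction boundary) before jumping back to 004865E9. Addresses and bytes come from the post's listing; the trampoline layout is an assumption, since the post does not show GetDataCode.

```c
/* Added example, not code from the original post: how the 5-byte x86
 * JMP rel32 at 004865E2 must be encoded so it lands on the injected
 * MemData page. The operand is a displacement relative to the END of
 * the JMP (patch address + 5), not an absolute address. Addresses and
 * bytes below are taken from the post's listing; the trampoline layout
 * is an assumption, since the post does not show GetDataCode. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_OPCODE 0xE9   /* near JMP rel32, 5 bytes */
#define NOP              0x90

#define PATCH_ADDR   0x004865E2u  /* MOV EAX,ESP (2 bytes) + MOV ECX,11 (5 bytes) start here */
#define PATCH_LEN    7u           /* exactly those two instructions, so no instruction is split */
#define RESUME_ADDR  0x004865E9u  /* CALL Fa.004304D4, first instruction left intact */
#define MEMDATA_ADDR 0x00B70000u  /* VirtualAllocEx result the post's MessageBox displayed */

/* The two displaced instructions, byte for byte from the listing. */
static const uint8_t displaced[PATCH_LEN] = { 0x8B, 0xC4, 0xB9, 0x11, 0x00, 0x00, 0x00 };

/* Write JMP rel32 to `target` at `patch_addr`, padded with NOPs to patch_len.
 * The subtraction is done on uint32_t, so backward jumps wrap correctly. */
size_t encode_jmp_patch(uint32_t patch_addr, uint32_t target, size_t patch_len, uint8_t *out)
{
    if (patch_len < 5) return 0;
    uint32_t rel = target - (patch_addr + 5);
    out[0] = JMP_REL32_OPCODE;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    memset(out + 5, NOP, patch_len - 5);
    return patch_len;
}

/* Decode where a JMP rel32 located at `addr` transfers control. */
uint32_t jmp_rel32_target(uint32_t addr, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return addr + 5 + rel;
}

/* 1 if the encoder reproduces the post's corrected bytes E9 19 9A 6E 00 90 90. */
int hook_patch_matches_listing(void)
{
    static const uint8_t expected[PATCH_LEN] = { 0xE9, 0x19, 0x9A, 0x6E, 0x00, NOP, NOP };
    uint8_t buf[PATCH_LEN];
    encode_jmp_patch(PATCH_ADDR, MEMDATA_ADDR, PATCH_LEN, buf);
    return memcmp(buf, expected, PATCH_LEN) == 0;
}

/* The posted Delphi code stores MemData's absolute address in the operand.
 * With an E9 opcode the CPU treats it as a displacement and lands here. */
uint32_t buggy_absolute_operand_lands_at(void)
{
    uint8_t buf[PATCH_LEN] = { JMP_REL32_OPCODE, 0x00, 0x00, 0xB7, 0x00, NOP, NOP };
    return jmp_rel32_target(PATCH_ADDR, buf);
}

/* Hypothetical trampoline at tramp_addr: replay the displaced bytes, then
 * JMP back to RESUME_ADDR (the hook body would go before the replay). */
size_t build_trampoline(uint32_t tramp_addr, uint8_t *out)
{
    memcpy(out, displaced, PATCH_LEN);
    encode_jmp_patch(tramp_addr + PATCH_LEN, RESUME_ADDR, 5, out + PATCH_LEN);
    return PATCH_LEN + 5;
}

/* Decode the trampoline's return JMP; this one has a backward (negative) displacement. */
uint32_t trampoline_returns_to(uint32_t tramp_addr)
{
    uint8_t tramp[PATCH_LEN + 5];
    build_trampoline(tramp_addr, tramp);
    return jmp_rel32_target(tramp_addr + PATCH_LEN, tramp + PATCH_LEN);
}

static void dump(const char *label, const uint8_t *p, size_t n)
{
    printf("%s:", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    uint8_t patch[PATCH_LEN], tramp[PATCH_LEN + 5];
    encode_jmp_patch(PATCH_ADDR, MEMDATA_ADDR, PATCH_LEN, patch);
    dump("hook at 004865E2", patch, PATCH_LEN);
    printf("absolute operand would land at %08X\n", buggy_absolute_operand_lands_at());
    build_trampoline(MEMDATA_ADDR, tramp);
    dump("trampoline at 00B70000", tramp, PATCH_LEN + 5);
    printf("trampoline returns to %08X\n", trampoline_returns_to(MEMDATA_ADDR));
    return 0;
}
```

Two things to carry over into the Delphi version: the opcode must be $E9 (the $EB in the post selects the 2-byte short JMP, whose rel8 operand cannot reach a page 7 MB away), and the `Address` field must hold `LongInt(MemData) - ($004865E2 + 5)` rather than `MemData` itself. The injected code also has to re-execute the two displaced instructions before returning, or EAX and ECX will hold the wrong values when `CALL Fa.004304D4` runs.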