32位程序可以通過NtWow64ReadVirtualMemory64、NtWow64WriteVirtualMemory64讀寫64位程序的內存。
步驟:
1.自定義函數指針類型,從Ntdll模塊中獲取函數指針:
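/*
 * Function-pointer types for the two ntdll exports that let a 32-bit
 * (WOW64) process read and write the address space of a 64-bit process.
 * BaseAddress and the lengths are ULONG64 because they describe the
 * 64-bit target; BufferData is a buffer in the calling (32-bit) process.
 */
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    OUT PVOID BufferData,            /* filled with bytes read from the target */
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    IN PVOID BufferData,             /* source of the bytes written; not modified */
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
if (NtdllModuleBase == NULL) {
    return FALSE;
}

__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(
    NtdllModuleBase, "NtWow64ReadVirtualMemory64");
__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(
    NtdllModuleBase, "NtWow64WriteVirtualMemory64");

/*
 * These exports are only present in the WOW64 build of ntdll; on a native
 * 32-bit Windows GetProcAddress returns NULL, and the later calls would
 * jump through a NULL function pointer. Fail here instead.
 */
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL) {
    return FALSE;
}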
2.獲取進程ID和64位進程中想要讀寫的地址,調用函數讀寫目標進程的內存
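/*
 * Read BufferLength bytes from BaseAddress in the target process, print
 * them, then overwrite the start of that region with a short test string.
 *
 * Both calls write an 8-byte count through their ReturnLength pointer.
 * The original passed &ReturnLength to the read and cast it with
 * (PULONG64) for the write; that cast silences the compiler rather than
 * proving the variable is 8 bytes wide, and a narrower variable would be
 * overrun on the stack. ULONG64 locals are used for both calls instead,
 * and ReturnLength is updated from the read count so callers that look
 * at it afterwards still see the same value.
 */
static const char TestString[] = "LIUDADA";   /* sizeof includes the NUL */
ULONG64 BytesRead = 0;
ULONG64 BytesWritten = 0;

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress,
                                               BufferData, BufferLength,
                                               &BytesRead);
if (NT_SUCCESS(Status)) {
    ReturnLength = BytesRead;

    /*
     * The bytes copied from the remote process are not guaranteed to
     * contain a terminator, so printf("%s") could read past the end of
     * BufferData. Emit exactly the bytes that were read (never more than
     * the buffer holds) instead.
     */
    ULONG64 Shown = (BytesRead < BufferLength) ? BytesRead : BufferLength;
    fwrite(BufferData, 1, (size_t)Shown, stdout);
    printf("\r\n");

    /* BufferData is reused as the write source; make sure it can hold the
     * whole string plus its terminator before copying into it. */
    if (BufferLength < sizeof TestString) {
        printf("buffer too small for test string\r\n");
    } else {
        ZeroMemory(BufferData, BufferLength);
        memcpy(BufferData, TestString, sizeof TestString);

        Status = __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress,
                                               BufferData, sizeof TestString,
                                               &BytesWritten);
        /* A failed or short write was previously ignored; report it so the
         * caller does not assume the remote bytes changed. */
        if (!NT_SUCCESS(Status) || BytesWritten != sizeof TestString) {
            printf("write failed: status 0x%08lX, wrote %llu of %llu bytes\r\n",
                   (unsigned long)Status,
                   (unsigned long long)BytesWritten,
                   (unsigned long long)sizeof TestString);
        }
    }
}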