32位程序可以通过 NtWow64ReadVirtualMemory64 和 NtWow64WriteVirtualMemory64 读写64位程序的内存。
步骤:
1. 定义函数指针类型(即函数参数结构),并从 ntdll 模块中获取这两个函数的指针:
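/* Function-pointer types for the two WOW64 helpers exported by the 32-bit ntdll.dll.
 * The SAL annotations (IN/OUT/OPTIONAL) expand to nothing; they only document intent,
 * so the Write routine takes BufferData as IN (it reads the buffer), not OUT. */
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    OUT PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);
typedef NTSTATUS(NTAPI *LPFN_NTWOW64WRITEVIRTUALMEMORY64)(
    IN HANDLE ProcessHandle,
    IN ULONG64 BaseAddress,
    IN PVOID BufferData,
    IN ULONG64 BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);

/* Resolve both entry points. ntdll.dll is always mapped into a Win32 process, so
 * GetModuleHandle (no LoadLibrary, nothing to release) is sufficient.
 * NOTE(review): NtdllModuleBase and the two __Nt* function-pointer globals are
 * declared outside this snippet; names beginning with a double underscore are
 * reserved for the implementation in C and would be better renamed at their
 * declaration. */
NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
if (NtdllModuleBase == NULL) {
    return FALSE;
}
__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64ReadVirtualMemory64");
__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase, "NtWow64WriteVirtualMemory64");
/* These exports exist only in the WOW64 build of ntdll.dll (a 32-bit process on
 * 64-bit Windows). On a native 32-bit system, or if the export is ever absent,
 * GetProcAddress returns NULL and the later call would go through a NULL pointer.
 * Fail here rather than crash at the first use. */
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL) {
    return FALSE;
}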
2. 获取目标进程ID(用于打开进程句柄)和64位进程中想要读写处的地址,然后调用上述函数读写目标进程内存:
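/* Read BufferLength bytes from the 64-bit target at BaseAddress into the local
 * buffer, print them, then overwrite the same remote location with "LIUDADA" and
 * its terminator.
 * Assumes BufferData points to at least BufferLength writable bytes and that
 * ReturnLength is declared as ULONG64 — confirm both at the caller. */
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, BufferData, BufferLength, &ReturnLength);
if (NT_SUCCESS(Status)) {
    /* The remote bytes carry no NUL guarantee: printing them with "%s" could read
     * past the end of BufferData. Print at most the bytes the read returned, stopping
     * at the first NUL so the output still looks like a C string. */
    const char *Text = (const char *)BufferData;
    for (ULONG64 i = 0; i < ReturnLength && Text[i] != '\0'; i++) {
        putchar(Text[i]);
    }
    putchar(' ');

    /* sizeof Replacement includes the terminating NUL, which is what gets written. */
    const char Replacement[] = "LIUDADA";
    /* Only write when the replacement fits in the local buffer; otherwise memcpy
     * and the remote write would both run past BufferData. */
    if (BufferLength >= sizeof Replacement) {
        ZeroMemory(BufferData, BufferLength);
        memcpy(BufferData, Replacement, sizeof Replacement);
        /* No (PULONG64) cast here: the read above already passes &ReturnLength
         * uncast, so if the types disagree the compiler should say so instead of
         * the cast hiding an 8-byte store into a narrower variable. */
        Status = __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, BufferData, sizeof Replacement, &ReturnLength);
        if (!NT_SUCCESS(Status)) {
            /* A failed write was previously silent; report the NTSTATUS. */
            printf("NtWow64WriteVirtualMemory64 failed: 0x%08lX\n", (unsigned long)Status);
        }
    }
}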