流沙团
ReadProcessMemory
2018-1-6 流沙团


测试进程之间互相读取信息


// 20180106_06.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>

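/*
 * Start a child process in the suspended state, read its ImageBase out of the
 * PEB with ReadProcessMemory, print what was found, then let the child run.
 *
 * This is a 32-bit (x86) experiment: CONTEXT.Eax and CONTEXT.Ebx exist only in
 * the x86 CONTEXT structure, and the 4-byte field read at Ebx+8 assumes the
 * x86 PEB layout.
 *
 * Returns 0 on success, 1 if any Win32 call fails. Every Win32 call is
 * checked, the child is always resumed once it has been created (so it is
 * never left suspended), and both handles from CreateProcess are closed on
 * every path.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    /* Narrow literal: matches the non-UNICODE build this listing assumes. */
    TCHAR szFileName[] = "c://ipmsg.exe";

    STARTUPINFO si = {0};
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi = {0};

    /* Declared up front so the goto below never jumps past an initializer
     * (this file is compiled as .cpp, where that is an error). */
    CONTEXT contx = {0};
    LPCVOID baseAddress = NULL;
    DWORD imageBase = 0;
    SIZE_T bytesRead = 0;
    int rc = 1;

    /* Create the process suspended so its main thread has not executed yet. */
    if (!CreateProcess(szFileName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                       NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed: %lu\n", (unsigned long)GetLastError());
        return rc;
    }

    /* HANDLE is a pointer type, so %p is the matching conversion, not %x. */
    printf("进程的: %p, %p\n", (void*)pi.hProcess, (void*)pi.hThread);

    /* Read the initial register state of the suspended main thread. */
    contx.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(pi.hThread, &contx)) {
        printf("GetThreadContext failed: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }
    printf("OEP: %lx \n", (unsigned long)contx.Eax);

    /* In the x86 initial context Ebx holds the PEB address; the 4-byte value
     * at offset 8 is the ImageBase field. Read it straight into a DWORD
     * instead of aliasing a char[4] through an int* (alignment/aliasing UB). */
    baseAddress = (const char*)(UINT_PTR)contx.Ebx + 8;
    if (!ReadProcessMemory(pi.hProcess, baseAddress, &imageBase,
                           sizeof imageBase, &bytesRead)
        || bytesRead != sizeof imageBase) {
        printf("ReadProcessMemory failed: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }
    printf("ImageBase: %lx\n", (unsigned long)imageBase);
    rc = 0;

cleanup:
    /* Always let the child run and release our handles, even after a failure. */
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return rc;
}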



 



 
