C#仿CE注入实例
CE第7关作业
在其它程序注入汇编代码
用到分配/打开进程空间、读写内存等 Windows API 函数
第7关作业,我这里把减1变成加11
//API调用需要的类
// Win32 P/Invoke helpers used by the sample. The DllImport library names and
// the spacing between tokens were lost when the post was extracted; garbled
// spots are marked inline and left as they appear on the page.
// NOTE(review): every handle, address and size below is declared as int, so
// these signatures are only correct for a 32-bit (x86) injecting process; on
// x64 the pointers and the SIZE_T out-parameters would be truncated.
public class Win32
{
    // Layout of the MEMORY_BASIC_INFORMATION structure filled by VirtualQueryEx
    // (all fields int — the 32-bit layout, see the note above).
    public struct MEMORY_BASIC_INFORMATION
    {
        public int BaseAddress;
        public int AllocationBase;
        public int AllocationProtect;
        public int RegionSize;
        public int State;
        public int Protect;
        public int lType;
    }

    public const int MEM_COMMIT = 0x1000;     // region is committed (physically backed)
    public const int MEM_PRIVATE = 0x20000;
    public const int PAGE_READWRITE = 0x04;   // readable/writable, NOT executable

    [DllImport("")] // declare the API function (library name lost in extraction)
    public static extern int VirtualAllocEx(IntPtr hwnd, int lpaddress, int size,
        int type, int tect /* parameter name truncated in extraction */);

    [DllImport("")] // query information about a region of the target's address space
    public static extern int VirtualQueryEx(
        IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, int dwLength);

    [DllImport("")]
    public static extern bool ReadProcessMemory(
        IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int size, out int numBytesRead);

    [DllImport("")]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int size, out int numBytesWrite);

    [DllImport("")]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess, IntPtr lpBaseAddress, int[] lpBuffer, int size, out int numBytesWrite);

    // The following two Windows API methods, RegisterHotKey and UnregisterHotKey,
    // are needed to register a global hot key.
    [DllImport("")]
    private static extern int RegisterHotKey(IntPtr hwnd, int id, int fsModifiers, int vk);

    [DllImport("")]
    private static extern int UnregisterHotKey(IntPtr hwnd, int id);

    /// <summary>
    /// Registers a global hot key for the given window and reports failure to the user.
    /// </summary>
    /// <param name="hwnd">Window that receives the WM_HOTKEY notification.</param>
    /// <param name="hotKey_id">Caller-chosen identifier for the hot key.</param>
    /// <param name="fsModifiers">Modifier-key flags passed through to RegisterHotKey.</param>
    /// <param name="vk">Virtual-key code passed through to RegisterHotKey.</param>
    public static void RegKey(IntPtr hwnd, int hotKey_id, int fsModifiers, int vk)
    {
        bool result;
        // RegisterHotKey returns 0 (FALSE) on failure.
        if (RegisterHotKey(hwnd, hotKey_id, fsModifiers, vk) == 0)
        {
            result = false;
        }
        else
        {
            result = true;
        }
        if (!result)
        {
            // The callee (some message-box style call) was lost in extraction;
            // only the string argument survives.
            ("注册热键失败!");
        }
    }

    /// <summary>
    /// Unregisters a hot key previously registered with <see cref="RegKey"/>.
    /// </summary>
    /// <param name="hwnd">Window the hot key was registered for.</param>
    /// <param name="hotKey_id">Identifier used at registration time.</param>
    public static void UnRegKey(IntPtr hwnd, int hotKey_id)
    {
        UnregisterHotKey(hwnd, hotKey_id);
    }

    // Stores a numeric value into a freshly allocated byte array of bytesSize
    // bytes. The surviving mask/shift fragment suggests byte i receives
    // (numWrite >> i*8) & 0xFF, i.e. least-significant byte first — the order
    // ArrayToLong below reverses. The loop header and the shift expression
    // were mangled in extraction (the '<' characters were dropped as HTML).
    public static void LongToArray(long numWrite, ref byte[] byWrite, int bytesSize)
    {
        byWrite = new byte[bytesSize];
        // Write the value into the byte array (mangled fragment follows).
        for(inti=0;i { byWrite[i]=(byte)((numWrite&(0x00FF<> i*8); } }

    // Converts the first nReadSize bytes of byData to a long, treating
    // byData[0] as the least-significant byte and byData[nReadSize-1] as the
    // most significant. Indexing starts at nReadSize-1, so nReadSize must be
    // at least 1 and byData at least nReadSize long.
    public static long ArrayToLong(byte[] byData, int nReadSize)
    {
        long numAddr;
        numAddr = byData[nReadSize - 1];
        // Fold in the remaining bytes from index nReadSize-2 down to 0,
        // shifting the accumulator left one byte each step.
        for (int j = nReadSize, k = 2; j > 1; j--, k++)
        {
            numAddr = numAddr << 8;
            numAddr = numAddr | byData[nReadSize - k];
        }
        return numAddr;
    }
}

// Namespaces used (names truncated in extraction; the sample needs at least
// the namespaces providing Process and DllImport — System.Diagnostics and
// System.Runtime.InteropServices — confirm against the original post).
stics;
ing;
pServices;

// Looks up a running process by name (usually the executable file name) and
// returns it, or null when no process matches.
// NOTE(review): the enclosing form class is not shown on the page, and several
// expressions in this method were truncated in extraction.
public Process Getprocess(string p_name)
{
    string proc_name;
    proc_name = p_r(); // process name (expression truncated; apparently derived from p_name)
    Process[] ps = cesses(); // truncated; presumably Process.GetProcesses() — confirm
    foreach (sp in ps) // loop-variable declaration truncated in extraction
    {
        //ine(sName);
        IntPtr hwnd = (IntPtr)32(); // process handle (expression truncated); unused below
        // NOTE(review): the original comment here said "if the process is
        // taskmgr, close it" — it is stale: this code only returns the match.
        if (r() == proc_name) // left-hand side truncated in extraction
        {
            return p;
        }
    }
    return null;
}

// Example usage: click handler that applies the tutorial patch. It allocates
// a 0x100-byte region in the target ("Tutorial-i386", the Cheat Engine
// tutorial binary), overwrites the instruction at t_Addr with a 5-byte jmp
// plus a nop, writes the replacement bytes into the new region, and ends the
// region with a jmp back to h_Addr (= t_Addr + 6, right after the jmp+nop).
// The receiver of each WriteProcessMemory call (the process handle) was lost
// in extraction, and Getprocess returning null is not checked before use.
// NOTE(review): the region is allocated with protect = 4 (PAGE_READWRITE) but
// is then executed; with Data Execution Prevention enforced the jump into it
// faults. Allocating in and writing to a foreign process followed by a detour
// into the written bytes is the classic cross-process code-injection pattern
// that endpoint-protection tooling alerts on.
private void button2_Click(object sender, EventArgs e)
{
    Process ps1 = Getprocess("Tutorial-i386");
    // VirtualAllocEx (callee and handle truncated): 0x100 bytes, 4096 = MEM_COMMIT, 4 = PAGE_READWRITE.
    int baseaddress = lAllocEx(, 0, 0x100, 4096, 4);
    int numWriteSize = 0;
    int t_Addr = 0x426E99;                 // start of the instruction being replaced
    int jmpadd = baseaddress - t_Addr - 5; // rel32 = target - source - 5: from the source (the jmp) to the target
    long h_Addr = 0x426E9F;                // return address
    byte BYTE_e9 = 0xE9;                   // jmp
    byte BYTE_nop = 0x90;                  // nop
    byte[] byData = new byte[1];
    byData[0] = BYTE_e9;                   // jmp
    rocessMemory(, (IntPtr)t_Addr, byData, 1, out numWriteSize);          // WriteProcessMemory (truncated)
    byData = new byte[4];                  // jump into the allocated region
    Array(jmpadd, ref byData, 4);          // presumably LongToArray (name truncated)
    rocessMemory(, (IntPtr)(t_Addr + 1), byData, 4, out numWriteSize);
    byData[0] = BYTE_nop;                  // pad the remaining byte of the old instruction
    rocessMemory(, (IntPtr)(t_Addr + 5), byData, 1, out numWriteSize);
    byData[0] = 0xff;                      // original comment: "inc"
    rocessMemory(, (IntPtr)baseaddress, byData, 1, out numWriteSize);
    // NOTE: the following stray "byData," fragments are the lpBuffer arguments
    // of the next calls, shuffled here by the extraction.
    byData, byData, byData, byData,
    byData[0] = 0x83;                      // original comment: "ebx"
    rocessMemory(, (IntPtr)(baseaddress + 1), 1, out numWriteSize);
    byData = new byte[4];
    byData[0] = 0x7c;
    byData[1] = 0x04;
    byData[2] = 0;
    byData[3] = 0;
    rocessMemory(, (IntPtr)(baseaddress + 2), 4, out numWriteSize);
    byData[0] = BYTE_e9;                   // jmp back
    rocessMemory(, (IntPtr)(baseaddress + 6), 1, out numWriteSize);
    h_Addr = h_Addr - 5 - (baseaddress + 7); // target - source - 5
    byData = new byte[4];
    Array(h_Addr, ref byData, 4);          // presumably LongToArray (name truncated)
    rocessMemory(, (IntPtr)(baseaddress + 7), 4, out numWriteSize);
}