作 者: Anskya 代码:
type
  PMDL = ^_MDL;
  // Memory Descriptor List header as declared by this post (Next, Size, MdlFlags,
  // Process, MappedSystemVa, StartVa, ByteCount, ByteOffset). Only MdlFlags is
  // read or written by the routine below.
  _MDL = packed record
    Next: PMDL;
    Size: USHORT;
    MdlFlags: USHORT;           // bitmask built from the MDL_* constants below
    Process: Pointer;
    MappedSystemVa: PVOID;
    StartVa: PVOID;
    ByteCount: ULONG;
    ByteOffset: ULONG;
  end;
  MDL = _MDL;

const
  // MdlFlags bits; WriteReadOnlyMemoryGates only ORs in MDL_MAPPED_TO_SYSTEM_VA.
  MDL_MAPPED_TO_SYSTEM_VA     = $0001;
  MDL_PAGES_LOCKED            = $0002;
  MDL_SOURCE_IS_NONPAGED_POOL = $0004;
  MDL_ALLOCATED_FIXED_SIZE    = $0008;
  MDL_PARTIAL                 = $0010;
  MDL_PARTIAL_HAS_BEEN_MAPPED = $0020;
  MDL_IO_PAGE_READ            = $0040;
  MDL_WRITE_OPERATION         = $0080;
  MDL_PARENT_MAPPED_SYSTEM_VA = $0100;
  MDL_LOCK_HELD               = $0200;
  MDL_PHYSICAL_VIEW           = $0400;
  MDL_IO_SPACE                = $0800;
  MDL_NETWORK_HEADER          = $1000;
  MDL_MAPPING_CAN_FAIL        = $2000;
  MDL_ALLOCATED_MUST_SUCCEED  = $4000;

// Read/write read-only memory (from "Uncle Gates")
// Copies Length bytes from lpSource to lpDest by describing lpDest with an MDL,
// forcing MDL_MAPPED_TO_SYSTEM_VA into its flags, taking a second kernel mapping
// of the same pages with MmMapLockedPages and memcpy-ing through that mapping.
// Returns STATUS_SUCCESS only when both the MDL and the mapping were obtained;
// otherwise STATUS_UNSUCCESSFUL. There is no try/except around the copy, so a
// fault raised inside memcpy is not handled here.
// Defender note: remapping read-only kernel pages to patch them is a well-known
// kernel-patching / rootkit primitive; on 64-bit Windows, Kernel Patch Protection
// is designed to detect modification of the SSDT and other protected structures,
// and anti-rootkit tools flag SSDT entries that point outside the kernel image.
function WriteReadOnlyMemoryGates(lpDest, lpSource: Pointer; Length: Integer): NTSTATUS;
var
  tempSpinLock: KSPIN_LOCK;   // created fresh per call, so it serialises nothing with other callers
  oldirql: KIRQL;
  mdl: PMDL;
  writableAddress: Pointer;
begin
  Result := STATUS_UNSUCCESSFUL;
  // NOTE(review): the WDK documents MmCreateMdl as obsolete in favour of
  // IoAllocateMdl (which the Mark variant below uses) — confirm the target
  // kernel still exports it.
  mdl := MmCreateMdl(nil, lpDest, Length);
  if (mdl <> nil) then
  begin
    MmBuildMdlForNonPagedPool(mdl);
    // The post's "key step": mark the MDL as already mapped to system VA so the
    // mapping call below hands back a writable alias of lpDest.
    mdl^.MdlFlags := mdl^.MdlFlags or MDL_MAPPED_TO_SYSTEM_VA;
    writableAddress := MmMapLockedPages(mdl, KernelMode);
    if (writableAddress <> nil) then
    begin
      // NOTE(review): the KIRQL returned by fast_KfAcquireSpinLock is discarded
      // and the release receives the constant 0, so a caller running above
      // PASSIVE_LEVEL presumably has its IRQL lowered rather than restored —
      // verify against the fast_Kf* wrappers' contract.
      oldirql := 0;
      KeInitializeSpinLock(@tempSpinLock);
      fast_KfAcquireSpinLock(@tempSpinLock);
      memcpy(writableAddress, lpSource, Length);
      fast_KfReleaseSpinLock(@tempSpinLock, oldirql);
      MmUnmapLockedPages(writableAddress, mdl);
      Result := STATUS_SUCCESS;
    end;
    // NOTE(review): MmUnlockPages is called although this MDL was never passed to
    // MmProbeAndLockPages; the WDK pairs MmUnlockPages with MmProbeAndLockPages and
    // an MDL built with MmBuildMdlForNonPagedPool needs only IoFreeMdl — confirm.
    MmUnlockPages(mdl);
    IoFreeMdl(mdl);
  end;
end;
关键一步就是修改mdl的属性.让他可写....
代码:
// Write read-only memory (from Mark's code)
// Same contract as WriteReadOnlyMemoryGates: copies Length bytes from lpSource to
// lpDest through a second kernel mapping of lpDest obtained via an MDL, returning
// STATUS_SUCCESS only when both the MDL and the mapping were obtained, otherwise
// STATUS_UNSUCCESSFUL. Differs in how the MDL is prepared: IoAllocateMdl plus
// MmProbeAndLockPages with IoWriteAccess instead of editing MdlFlags by hand.
// There is no try/except here; the WDK documents MmProbeAndLockPages as raising
// an exception when the pages cannot be locked, which would propagate out of
// this routine with the MDL never freed — NOTE(review): confirm and wrap if so.
function WriteReadOnlyMemoryMark(lpDest, lpSource: Pointer; Length: Integer): NTSTATUS;
var
  tempSpinLock: KSPIN_LOCK;   // created fresh per call, so it serialises nothing with other callers
  oldirql: KIRQL;
  mdl: PMDL;
  writableAddress: Pointer;
begin
  Result := STATUS_UNSUCCESSFUL;
  mdl := IoAllocateMdl(lpDest, Length, False, False, nil);
  if (mdl <> nil) then
  begin
    // NOTE(review): the WDK describes MmBuildMdlForNonPagedPool and
    // MmProbeAndLockPages as alternative ways to fill an MDL, not a sequence;
    // calling both on the same MDL looks unintended — confirm which is meant.
    MmBuildMdlForNonPagedPool(mdl);
    MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
    // NOTE(review): MmMapLockedPages is documented as obsolete in favour of
    // MmMapLockedPagesSpecifyCache — confirm for the target WDK.
    writableAddress := MmMapLockedPages(mdl, KernelMode);
    if (writableAddress <> nil) then
    begin
      // NOTE(review): as in the Gates variant, the KIRQL returned by
      // fast_KfAcquireSpinLock is discarded and 0 is passed to the release —
      // verify the caller's IRQL is really restored.
      oldirql := 0;
      KeInitializeSpinLock(@tempSpinLock);
      fast_KfAcquireSpinLock(@tempSpinLock);
      memcpy(writableAddress, lpSource, Length);
      fast_KfReleaseSpinLock(@tempSpinLock, oldirql);
      MmUnmapLockedPages(writableAddress, mdl);
      Result := STATUS_SUCCESS;
    end;
    MmUnlockPages(mdl);
    IoFreeMdl(mdl);
  end;
end;
代码源于Mark早期编写的代码
代码:
// Opening half of a write window: mask interrupts on this CPU and clear CR0.WP
// (bit 16, 000010000h) so ring-0 writes to read-only pages are no longer faulted.
// CR0 is per-processor, so only the executing CPU is affected, and nothing here
// restores the bit on an error path — the block that follows is its mandatory
// counterpart. Defender note: CR0.WP toggling of this kind is a classic
// kernel-patching pattern and is one of the things Kernel Patch Protection on
// 64-bit Windows is designed to catch.
asm
  cli                         //disable interrupts (they stay off until the sti below)
  push eax
  mov eax, cr0                //move CR0 register into EAX
  and eax, not 000010000h     //disable WP bit
  mov cr0, eax                //write register back
  pop eax
end;
//rewritten code: closing half — restore CR0.WP, then re-enable interrupts
asm
  push eax                    //enable WP bit
  mov eax, cr0                //move CR0 register into EAX
  or eax, 000010000h          //enable WP bit
  mov cr0, eax                //write register back
  pop eax
  sti
end;
2.利用原子互斥操作
代码:
// Atomically exchanges the service-table slot for ZwOpenProcess (presumably
// located by SystemServiceName/GetImportFunAddr — verify those helpers) and
// keeps the previous slot value in ZwOpenProcessNextHook.
// Defender note: a system-service slot pointing outside the ntoskrnl image is
// the standard indicator anti-rootkit and integrity-checking tools use to
// detect this kind of hook.
ZwOpenProcessNextHook := TZwOpenProcess(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwOpenProcess)), LONG(@ZwOpenProcessNextHook)));
提示一下这个函数使用的是fastcall调用方式,如果你使用的是Delphi的话建议你最好
代码:
// fastcall InterlockedExchange: Target in ECX, Value in EAX. On x86, xchg with a
// memory operand is implicitly LOCK-prefixed, which is what makes the swap atomic.
FORCEINLINE LONG FASTCALL InterlockedExchange(
    IN OUT LONG volatile *Target,
    IN LONG Value
    )
{
    __asm {
        mov eax, Value
        mov ecx, Target
        xchg [ecx], eax
    }
}
3.自转锁 |