在原来基础上增加功能。主要用来查杀或者内存辅助定位数据使用。应该是目前最好用的。
1.这个直接支持x86/x64项目工程,同时对x86和x64目标程序均有完整支持。
2.教程直接用__NtWow64ReadVirtualMemory64相关内核函数进行内存读写定位数据
3.函数 X64ScanAddr,X64ScanBase,X64ScanCall可以定位基地址、虚拟地址、call数值、偏移等数据
讨论 QQ:2273545181 Q群:550839408
- 讨论 QQ:2273545181 Q群:550839408
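// Usage example: read 4 bytes at the location the pattern resolves to in the
// current process. The pattern was written with typographic quotes (“ ”),
// which is not a valid C string literal; plain "..." quotes are required.
// NOTE(review): X64ScanBase returns INT64; assigning to DWORD keeps only the
// low 32 bits, which is fine for size == 4 but silently truncates larger reads.
DWORD BaseRole = X64ScanBase(GetCurrentProcessId(), "83C4043BB3F00000008BC675EB", L"moxia.exe", 19, 4); // size: bytes returned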
- //=========================内存搜索支持x86x64位游戏
- HMODULE NtdllModuleBase = NULL;
- NtdllModuleBase = GetModuleHandle("Ntdll.dll");
- if (NtdllModuleBase == NULL)
- {
- return FALSE;
- }
- __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
- "NtWow64ReadVirtualMemory64");
- printf("__NtWow64ReadVirtualMemory64 %llx\n", (UINT64)__NtWow64ReadVirtualMemory64);
- __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
- "NtWow64WriteVirtualMemory64");
- return TRUE;
- ===================================
- //查找内存地址
// Resolve the address that the byte pattern markCode maps to inside
// ModuleName of process ProcessID, by delegating to X64ScanOpcode.
// Scan width is fixed at 8 bytes and only the first occurrence is used.
// Return value is whatever X64ScanOpcode yields (presumably 0 when the
// pattern is not found — confirm against X64ScanOpcode).
INT64 X64ScanAddr(DWORD ProcessID, char *markCode, const wchar_t * ModuleName, DWORD offset)
{
    const DWORD readWidth = 8;  // number of bytes the scan returns
    const DWORD firstMatch = 1; // which occurrence of the pattern to use
    // Scan range: from the module start to start + module size (as reported
    // by the two helpers below).
    UINT64 rangeStart = GetX86X64Module(ProcessID, ModuleName);
    UINT64 rangeEnd = rangeStart + GetX86X64ModuleSize(ProcessID, ModuleName);
    return X64ScanOpcode(ProcessID, markCode, offset, readWidth, firstMatch, rangeStart, rangeEnd);
}
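/*
 * Read `size` bytes from the address the pattern `markCode` resolves to in
 * ModuleName of process ProcessID, and return them zero-extended in an INT64.
 *
 * Returns 0 when size is 0 or larger than 8, when the pattern is not found,
 * when the process cannot be opened, or when the read fails or is short —
 * the same value the original produced on a failed read, so callers that
 * treat 0 as "nothing" keep working.
 *
 * Defects fixed relative to the original: no size check (size > 8 overflowed
 * the 8-byte stack buffer), unchecked OpenProcess result (NULL handle passed
 * to the read), unchecked read status (garbage returned on failure), and
 * PROCESS_ALL_ACCESS requested where PROCESS_VM_READ is all that is needed.
 */
INT64 X64ScanBase(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset, DWORD size)//==== size: bytes returned
{
    const DWORD ordinal = 1; // first occurrence of the pattern
    INT64 BufferData = 0;    // receive buffer; 8 bytes is the maximum read

    if (size == 0 || size > sizeof BufferData) {
        return 0; // would read past the receive buffer
    }

    UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);
    UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);
    INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);
    if (Addr_Ret == 0) {
        return 0; // no match (or scan failure): never read from address 0
    }

    // Least privilege: a read-only peek needs PROCESS_VM_READ, not ALL_ACCESS.
    HANDLE Hprocess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessID);
    if (Hprocess == NULL) {
        return 0;
    }

    ULONG64 bytesRead = 0;
    // NOTE(review): assumes the typedef'd NtWow64ReadVirtualMemory64 returns an
    // NTSTATUS where 0 means success — confirm against the typedef.
    int failed = __NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, &bytesRead) != 0
                 || bytesRead != size;
    CloseHandle(Hprocess);

    if (failed) {
        return 0; // failed or partial read: don't hand back a half-filled buffer
    }
    return BufferData;
}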
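/*
 * Resolve the target of a relative call whose 4-byte displacement sits at the
 * address the pattern `markCode` maps to in ModuleName of process ProcessID.
 *
 * Computation kept from the original: Addr_Ret - 1 + 5 + displacement, i.e.
 * (presumably) the instruction start is one byte before Addr_Ret and the
 * instruction is 5 bytes long — confirm against how X64ScanOpcode positions
 * Addr_Ret.
 *
 * Returns 0 when the pattern is not found, the process cannot be opened, or
 * the read fails or is short.
 *
 * Defects fixed relative to the original: unchecked OpenProcess result,
 * unchecked read status/length, PROCESS_ALL_ACCESS where PROCESS_VM_READ
 * suffices, and the displacement being treated as unsigned — a 4-byte
 * displacement read into a zeroed INT64 is zero-extended, so a negative
 * (backward) displacement produced a wrong target. It is now sign-extended.
 */
INT64 X64ScanCall(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset)//==== size: bytes returned
{
    const DWORD ordinal = 1; // first occurrence of the pattern
    const DWORD size = 4;    // a relative call carries a 4-byte displacement, never 8
    INT64 BufferData = 0;    // receive buffer for the 4-byte displacement
    ULONG64 Len = 0;         // bytes actually read

    UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);
    UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);
    INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);
    if (Addr_Ret == 0) {
        return 0; // no match (or scan failure): never read from address 0
    }

    // Least privilege: a read-only peek needs PROCESS_VM_READ, not ALL_ACCESS.
    HANDLE Hprocess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessID);
    if (Hprocess == NULL) {
        return 0;
    }

    // NOTE(review): assumes the typedef'd NtWow64ReadVirtualMemory64 returns an
    // NTSTATUS where 0 means success — confirm against the typedef.
    int failed = __NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, &Len) != 0
                 || Len != size;
    CloseHandle(Hprocess);

    if (failed) {
        return 0; // failed or partial read: no valid displacement to add
    }

    // The low 4 bytes hold the displacement; reinterpret them as a signed
    // 32-bit value so backward calls resolve correctly.
    int32_t displacement = (int32_t)(uint32_t)BufferData;
    return Addr_Ret - 1 + 5 + displacement;
}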
- /************************************************************************/
- /* 函数说明:查找特征码
- /* process: 要查找的进程
- /* markCode: 特征码字符串,不能有空格
- /* distinct:特征码首地址离目标地址的距离 负数在特征码在上
- /* offset: 返回目标地址
- /* size: 设置返回数据为几个BYTE 1 2 3 4
- /* ordinal: 特征码出现的次数
- /* beginAddr: 开始搜索地址
- /* endAddr: 结束地址
- /* ret:返回目标地址的内容
- /************************************************************************/