C#仿CE注入实例


资源描述

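// C#仿CE注入实例CE第7关作业在其它程序注入汇编代码用到分配打开进程空间,读写内存等windowsAPI函数Tutorial-i386.exe第7关作业,我这里把减1变成加11

// 用到的类库 — libraries used. The listing placed these directives after the Win32
// class; C# requires them before any type declaration, so they are hoisted here.
// System (IntPtr, EventArgs) and System.Windows.Forms (MessageBox) were not listed
// but are needed by the code below.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

/// <summary>
/// API调用需要的类 — P/Invoke declarations used by the example: allocating, reading and
/// writing another process's memory (kernel32), global hot-key registration (user32),
/// and two helpers converting between <c>long</c> and little-endian byte arrays.
/// </summary>
/// <remarks>
/// Addresses, sizes and the VirtualAllocEx return value are all declared as <c>int</c>,
/// so these signatures are only correct in a 32-bit (x86) build against a 32-bit target;
/// in a 64-bit process they would truncate pointers. Writing into a foreign process needs
/// a handle with write/operation access, and remote VirtualAllocEx + WriteProcessMemory
/// is a pattern endpoint-security products commonly monitor.
/// </remarks>
public class Win32
{
    /// <summary>
    /// Buffer filled by <see cref="VirtualQueryEx"/>. Declared with <c>int</c> fields, so
    /// it only matches the native layout in a 32-bit process.
    /// </summary>
    public struct MEMORY_BASIC_INFORMATION
    {
        public int BaseAddress;
        public int AllocationBase;
        public int AllocationProtect;
        public int RegionSize;
        public int State;
        public int Protect;
        public int lType;
    }

    public const int MEM_COMMIT = 0x1000;      // 已物理分配 — region is committed (backed by storage)
    public const int MEM_PRIVATE = 0x20000;
    public const int PAGE_READWRITE = 0x04;    // 可读写内存 — read/write page protection

    /// <summary>Allocates memory inside another process; returns the base address, or 0 on failure.</summary>
    [DllImport("kernel32.dll")]
    public static extern int VirtualAllocEx(IntPtr hwnd, int lpaddress, int size, int type, int tect);

    /// <summary>查询内存块信息 — queries the attributes of a memory region in another process.</summary>
    [DllImport("kernel32.dll")]
    public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, int dwLength);

    /// <summary>Reads <paramref name="size"/> bytes from another process; false on failure.</summary>
    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int size, out int numBytesRead);

    /// <summary>
    /// Writes <paramref name="size"/> bytes into another process; false on failure, and
    /// <paramref name="numBytesWrite"/> reports how many bytes were actually written.
    /// </summary>
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int size, out int numBytesWrite);

    /// <summary>Same as the <c>byte[]</c> overload, for callers holding an <c>int[]</c> buffer.</summary>
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, int[] lpBuffer, int size, out int numBytesWrite);

    // 以下是注册全局热键要用到Windows的API方法RegisterHotKey和UnregisterHotKey。
    // Global hot-key registration (user32); a zero return value means failure.
    [DllImport("user32.dll")]
    private static extern int RegisterHotKey(IntPtr hwnd, int id, int fsModifiers, int vk);

    [DllImport("user32.dll")]
    private static extern int UnregisterHotKey(IntPtr hwnd, int id);

    /// <summary>注册热键 — registers a global hot key; shows a message box when registration fails.</summary>
    /// <param name="hwnd">窗口句柄 — window handle the hot key is associated with.</param>
    /// <param name="hotKey_id">热键ID — identifier for the hot key.</param>
    /// <param name="fsModifiers">组合键 — modifier-key flags.</param>
    /// <param name="vk">热键 — virtual-key code.</param>
    public static void RegKey(IntPtr hwnd, int hotKey_id, int fsModifiers, int vk)
    {
        // The native call reports failure with a zero return value.
        if (RegisterHotKey(hwnd, hotKey_id, fsModifiers, vk) == 0)
        {
            MessageBox.Show("注册热键失败!");
        }
    }

    /// <summary>注销热键 — unregisters a hot key previously registered with <see cref="RegKey"/>.</summary>
    /// <param name="hwnd">窗口句柄 — window handle used at registration.</param>
    /// <param name="hotKey_id">热键ID — identifier used at registration.</param>
    public static void UnRegKey(IntPtr hwnd, int hotKey_id)
    {
        // Return value intentionally ignored, as in the original listing.
        UnregisterHotKey(hwnd, hotKey_id);
    }

    /// <summary>
    /// 数值存入字节中 — stores the low <paramref name="bytesSize"/> bytes of
    /// <paramref name="numWrite"/> into a new little-endian byte array (least
    /// significant byte first).
    /// </summary>
    /// <param name="numWrite">Value to encode; negative values are encoded in two's complement.</param>
    /// <param name="byWrite">Receives a freshly allocated array of length <paramref name="bytesSize"/>; previous contents are discarded.</param>
    /// <param name="bytesSize">Number of bytes to emit, 0..8.</param>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="bytesSize"/> is negative or greater than 8.</exception>
    public static void LongToArray(long numWrite, ref byte[] byWrite, int bytesSize)
    {
        if (bytesSize < 0 || bytesSize > 8)
        {
            throw new ArgumentOutOfRangeException("bytesSize");
        }
        byWrite = new byte[bytesSize];
        for (int i = 0; i < bytesSize; i++)
        {
            // Shift the wanted byte down and truncate. The original masked with an int
            // literal (0xFF << i*8), whose shift count wraps at 32 bits, so bytes 4..7
            // always came out as zero; shifting the long directly is right for all eight.
            byWrite[i] = (byte)(numWrite >> (i * 8));
        }
    }

    /// <summary>
    /// 字节数组转换为长整型 — decodes the first <paramref name="nReadSize"/> bytes of
    /// <paramref name="byData"/> as an unsigned little-endian integer.
    /// </summary>
    /// <param name="byData">Source bytes, least significant first.</param>
    /// <param name="nReadSize">Number of leading bytes to decode, 1..<c>byData.Length</c> (at most 8 fit a long).</param>
    /// <returns>The decoded value; no sign extension is done, so four 0xFF bytes yield 4294967295.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="byData"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="nReadSize"/> is not in 1..<c>byData.Length</c>.</exception>
    public static long ArrayToLong(byte[] byData, int nReadSize)
    {
        if (byData == null)
        {
            throw new ArgumentNullException("byData");
        }
        if (nReadSize < 1 || nReadSize > byData.Length)
        {
            throw new ArgumentOutOfRangeException("nReadSize");
        }
        // Start from the most significant byte and shift the lower ones in from the end.
        long numAddr = byData[nReadSize - 1];
        for (int idx = nReadSize - 2; idx >= 0; idx--)
        {
            numAddr = (numAddr << 8) | byData[idx];
        }
        return numAddr;
    }
}

// 调用实例 — usage example. These members are WinForms code-behind (a button click
// handler); the page does not show the enclosing form, so "Form1" is a PLACEHOLDER name.
public partial class Form1
{
    /// <summary>
    /// 根据进程名获得进程,一般是程序文件名 — finds a running process by name (case-insensitive
    /// ordinal match on <see cref="Process.ProcessName"/>, normally the executable name
    /// without extension).
    /// </summary>
    /// <param name="p_name">Process name to look for.</param>
    /// <returns>The first matching process, or <c>null</c> if none is running; the caller
    /// is responsible for disposing it.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="p_name"/> is null.</exception>
    public Process Getprocess(string p_name)
    {
        if (p_name == null)
        {
            throw new ArgumentNullException("p_name");
        }
        Process match = null;
        foreach (Process p in Process.GetProcesses())
        {
            // Ordinal comparison instead of ToLower()==, which is culture-sensitive.
            if (match == null && string.Equals(p.ProcessName, p_name, StringComparison.OrdinalIgnoreCase))
            {
                match = p;
            }
            else
            {
                // Process objects hold handles; release the ones we are not returning.
                // (The listing also read MainWindowHandle.ToInt32() here into an unused
                // local, which can throw OverflowException for 64-bit handle values.)
                p.Dispose();
            }
        }
        return match;
    }

    /// <summary>
    /// Writes <paramref name="data"/> into the target process at <paramref name="address"/>
    /// and reports whether every byte was written.
    /// </summary>
    private static bool WriteBytes(IntPtr hProcess, int address, byte[] data)
    {
        int written;
        return Win32.WriteProcessMemory(hProcess, (IntPtr)address, data, data.Length, out written)
            && written == data.Length;
    }

    /// <summary>
    /// Patches Tutorial-i386.exe so that the 6-byte instruction at 0x426E99 (the
    /// tutorial's "dec" on [ebx+0x47C]) is replaced by the equivalent "inc": a 5-byte
    /// jmp plus one nop is written over it, and a stub holding the new instruction and
    /// a jmp back is placed in a region allocated inside the target. Both addresses are
    /// specific to this build of the tutorial binary.
    /// </summary>
    private void button2_Click(object sender, EventArgs e)
    {
        using (Process ps1 = Getprocess("Tutorial-i386"))
        {
            if (ps1 == null)
            {
                MessageBox.Show("未找到进程 Tutorial-i386");
                return;
            }

            const int t_Addr = 0x426E99;   // 更改汇编起始位置 — start of the instruction to patch
            const int h_Addr = 0x426E9F;   // 返回地址 — first instruction after the patched one
            const byte BYTE_e9 = 0xE9;     // jmp rel32
            const byte BYTE_nop = 0x90;    // nop

            // 分配虚拟空间 — allocate the stub region in the target; 0 means the call failed.
            int baseaddress = Win32.VirtualAllocEx(ps1.Handle, 0, 0x100, Win32.MEM_COMMIT, Win32.PAGE_READWRITE);
            if (baseaddress == 0)
            {
                MessageBox.Show("分配内存失败!");
                return;
            }

            // jmp rel32 encodes target - (opcode address + 5).
            // Stub, 11 bytes: FF 83 7C 04 00 00 = inc dword ptr [ebx+0x47C] (FF /0 with
            // ModRM 83 = [ebx+disp32]), then E9 + rel32 back to h_Addr. The listing took
            // the return displacement from baseaddress + 7 (the operand, not the E9 at +6),
            // landing one byte early on the nop pad; using +6 returns to h_Addr itself.
            byte[] backRel = null;
            Win32.LongToArray(h_Addr - 5 - (baseaddress + 6), ref backRel, 4);
            byte[] stub = new byte[11];
            stub[0] = 0xFF; stub[1] = 0x83; stub[2] = 0x7C; stub[3] = 0x04; stub[4] = 0; stub[5] = 0;
            stub[6] = BYTE_e9;
            Array.Copy(backRel, 0, stub, 7, 4);

            // Detour, 6 bytes: E9 + rel32 to the stub, then a nop covering the sixth byte
            // of the original instruction.
            byte[] toStub = null;
            Win32.LongToArray(baseaddress - t_Addr - 5, ref toStub, 4);
            byte[] detour = new byte[6];
            detour[0] = BYTE_e9;
            Array.Copy(toStub, 0, detour, 1, 4);
            detour[5] = BYTE_nop;

            // Write the stub before the detour so the jmp never points at unfilled memory,
            // and stop on the first failed write (the listing ignored every return value).
            if (!WriteBytes(ps1.Handle, baseaddress, stub))
            {
                MessageBox.Show("写入内存失败!");
                return;
            }
            if (!WriteBytes(ps1.Handle, t_Addr, detour))
            {
                MessageBox.Show("写入内存失败!");
            }
        }
    }
}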

