
基本函数的用法

1. NtOpenProcess

#include <windows.h>
#include <winternl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "ntdll.lib")

/* Function-pointer type for ntdll!NtOpenProcess. The prototype is written out
 * here because winternl.h does not appear to declare this export, so the
 * address has to be resolved at run time with GetProcAddress. ClientId selects
 * the target by PID (UniqueProcess) and, optionally, TID (UniqueThread). */
typedef NTSTATUS (NTAPI *NtOpenProcess_t)(
    PHANDLE            ProcessHandle,    /* out: receives the opened handle */
    ACCESS_MASK        DesiredAccess,    /* PROCESS_* access rights requested */
    POBJECT_ATTRIBUTES ObjectAttributes, /* usually empty for a PID-based open */
    CLIENT_ID         *ClientId          /* target process (and thread) id */
);

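/* Demonstrates opening a process through the native NtOpenProcess export.
 *
 * Usage: prog [pid]   -- target PID from argv[1]; defaults to the placeholder
 * 1234 used by the original example.
 * Returns 0 on success, 1 on any failure (exit status is the only output
 * besides the printed diagnostics). */
int main(int argc, char **argv) {
    /* ntdll.dll is already mapped into every user-mode process, so this only
     * looks up the existing module; nothing new is loaded. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) {
        printf("Failed to get ntdll handle.\n");
        return 1;
    }

    /* Resolve the export at run time. NOTE(review): the call still goes
     * through ntdll's exported stub, so user-mode hooks placed on that stub
     * are not avoided by this technique. */
    NtOpenProcess_t NtOpenProcess = (NtOpenProcess_t)GetProcAddress(ntdll, "NtOpenProcess");
    if (!NtOpenProcess) {
        printf("Failed to get NtOpenProcess address.\n");
        return 1;
    }

    /* Target PID: argv[1] when supplied, otherwise the original placeholder.
     * Reject garbage, overflow and PID 0 before it reaches the kernel. */
    unsigned long pid = 1234;
    if (argc > 1) {
        char *end = NULL;
        errno = 0;
        pid = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE || pid == 0) {
            printf("Invalid PID: %s\n", argv[1]);
            return 1;
        }
    }

    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES objAttr;
    CLIENT_ID clientId;

    /* CLIENT_ID stores the PID in a HANDLE-sized field; widen via ULONG_PTR
     * so the integer-to-pointer conversion is explicit on 64-bit builds.
     * UniqueThread stays NULL because only the process is being opened. */
    clientId.UniqueProcess = (HANDLE)(ULONG_PTR)pid;
    clientId.UniqueThread = NULL;

    /* No object name, root directory or security descriptor: the target is
     * identified solely through ClientId. */
    InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);

    /* PROCESS_ALL_ACCESS is kept because the later listings on this page
     * (write memory, create remote thread) need VM_WRITE | VM_OPERATION |
     * CREATE_THREAD. In production code request the narrowest mask that
     * works: a full-access open of a foreign process is the access pattern
     * that endpoint telemetry most commonly alerts on. */
    NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clientId);

    /* NTSTATUS is signed: success is any value >= 0 (the NT_SUCCESS rule).
     * Comparing against 0 alone would treat informational codes as errors. */
    if (status >= 0) {
        printf("Process opened successfully. Handle: %p\n", hProcess);
        CloseHandle(hProcess);
        return 0;
    }

    /* NTSTATUS is a LONG; print the full 32-bit code so values such as
     * STATUS_ACCESS_DENIED (0xC0000022) are readable. */
    printf("Failed to open process. NTSTATUS: 0x%08lx\n", (unsigned long)status);
    return 1;
}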

2. NtAllocateVirtualMemory

#include <windows.h>
#include <winternl.h>
#include <stdio.h>

#pragma comment(lib, "ntdll.lib")

/* Function-pointer type for ntdll!NtAllocateVirtualMemory, the native call
 * behind VirtualAllocEx. BaseAddress and RegionSize are in/out: pass NULL /
 * the requested size and the kernel writes back what it actually mapped. */
typedef NTSTATUS (NTAPI *NtAllocateVirtualMemory_t)(
    HANDLE    ProcessHandle,   /* target process (pseudo-handle is fine) */
    PVOID    *BaseAddress,     /* in/out: preferred / actual base */
    ULONG_PTR ZeroBits,        /* high-order bits that must be zero (0 = any) */
    PSIZE_T   RegionSize,      /* in/out: requested / actual size */
    ULONG     AllocationType,  /* MEM_COMMIT, MEM_RESERVE, ... */
    ULONG     Protect          /* PAGE_* protection for the new pages */
);

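/* Demonstrates allocating and releasing one page in the current process via
 * the native NtAllocateVirtualMemory / NtFreeVirtualMemory exports.
 * Returns 0 on success, 1 on any failure. */
int main(void) {
    /* NtFreeVirtualMemory is resolved the same way as the allocator. The
     * original listing called it with no declaration in scope, which is an
     * implicit function declaration (invalid C99+ and a hard error in C23). */
    typedef NTSTATUS (NTAPI *NtFreeVirtualMemory_t)(
        HANDLE  ProcessHandle,
        PVOID  *BaseAddress,
        PSIZE_T RegionSize,
        ULONG   FreeType
    );

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) {
        printf("Failed to get ntdll handle.\n");
        return 1;
    }

    NtAllocateVirtualMemory_t NtAllocateVirtualMemory =
        (NtAllocateVirtualMemory_t)GetProcAddress(ntdll, "NtAllocateVirtualMemory");
    if (!NtAllocateVirtualMemory) {
        printf("Failed to get NtAllocateVirtualMemory address.\n");
        return 1;
    }

    NtFreeVirtualMemory_t NtFreeVirtualMemory =
        (NtFreeVirtualMemory_t)GetProcAddress(ntdll, "NtFreeVirtualMemory");
    if (!NtFreeVirtualMemory) {
        printf("Failed to get NtFreeVirtualMemory address.\n");
        return 1;
    }

    /* GetCurrentProcess() yields a pseudo-handle, so nothing has to be
     * closed at the end. */
    HANDLE hProcess = GetCurrentProcess();
    PVOID baseAddress = NULL;   /* NULL: let the kernel choose the address */
    SIZE_T regionSize = 4096;   /* one page; passed by pointer, may be adjusted */

    /* PAGE_READWRITE rather than PAGE_EXECUTE_READWRITE: a private RWX
     * allocation is the classic shellcode-staging signature. If the region
     * will ever hold code, write it first and change protection afterwards. */
    NTSTATUS status = NtAllocateVirtualMemory(hProcess, &baseAddress, 0, &regionSize,
                                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    /* NTSTATUS success is >= 0 (NT_SUCCESS); print failures as 32-bit hex. */
    if (status < 0) {
        printf("Failed to allocate memory. NTSTATUS: 0x%08lx\n", (unsigned long)status);
        return 1;
    }
    printf("Memory allocated successfully. Base Address: %p, Size: %zu bytes\n",
           baseAddress, regionSize);

    /* ... the allocated memory can be used here ... */

    /* MEM_RELEASE frees the whole reservation and expects a size of 0 (same
     * contract as VirtualFree). The status is checked: a failed release is a
     * leak the original listing would have ignored silently. */
    SIZE_T freeSize = 0;
    status = NtFreeVirtualMemory(hProcess, &baseAddress, &freeSize, MEM_RELEASE);
    if (status < 0) {
        printf("Failed to free memory. NTSTATUS: 0x%08lx\n", (unsigned long)status);
        return 1;
    }

    return 0;
}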

3. NtWriteVirtualMemory

#include <windows.h>
#include <winternl.h>
#include <stdio.h>

#pragma comment(lib, "ntdll.lib")

/* Function-pointer type for ntdll!NtWriteVirtualMemory, the native call behind
 * WriteProcessMemory. Buffer is declared non-const by the native prototype
 * even though it is only the source of the copy, so callers cast. */
typedef NTSTATUS (NTAPI *NtWriteVirtualMemory_t)(
    HANDLE  ProcessHandle,         /* target process handle */
    PVOID   BaseAddress,           /* destination in the target */
    PVOID   Buffer,                /* source bytes in the caller */
    SIZE_T  NumberOfBytes,         /* bytes to copy */
    PSIZE_T NumberOfBytesWritten   /* out: bytes actually copied */
);

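/* Demonstrates NtWriteVirtualMemory by copying a string into a freshly
 * allocated page of the current process and reading it back.
 * Returns 0 on success, 1 on any failure (the page is released on every path). */
int main(void) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) {
        printf("Failed to get ntdll handle.\n");
        return 1;
    }

    NtWriteVirtualMemory_t NtWriteVirtualMemory =
        (NtWriteVirtualMemory_t)GetProcAddress(ntdll, "NtWriteVirtualMemory");
    if (!NtWriteVirtualMemory) {
        printf("Failed to get NtWriteVirtualMemory address.\n");
        return 1;
    }

    /* Pseudo-handle for the current process: the syscall is exercised against
     * our own address space, so no NtOpenProcess is needed here. */
    HANDLE hProcess = GetCurrentProcess();
    SIZE_T regionSize = 4096;

    /* Destination page. PAGE_READWRITE is all that is needed since nothing
     * in it is executed. GetLastError() is a DWORD, hence %lu (the original
     * printed it with %d). */
    PVOID baseAddress = VirtualAlloc(NULL, regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (baseAddress == NULL) {
        printf("Failed to allocate memory. Error: %lu\n", GetLastError());
        return 1;
    }

    const char *data = "Hello, World!";
    SIZE_T dataSize = strlen(data) + 1;   /* include the terminating NUL */
    SIZE_T bytesWritten = 0;
    int rc = 0;

    /* The native prototype takes a non-const Buffer, hence the cast. */
    NTSTATUS status = NtWriteVirtualMemory(hProcess, baseAddress, (PVOID)data, dataSize, &bytesWritten);

    /* NTSTATUS success is >= 0 (NT_SUCCESS). Only treat the copy as complete
     * when every byte, including the NUL, landed; otherwise do not read the
     * page back as a C string. */
    if (status >= 0 && bytesWritten == dataSize) {
        printf("Data written successfully. Bytes Written: %zu\n", bytesWritten);
        printf("Data in memory: %s\n", (char *)baseAddress);
    } else if (status >= 0) {
        printf("Short write: %zu of %zu bytes.\n", bytesWritten, dataSize);
        rc = 1;
    } else {
        printf("Failed to write memory. NTSTATUS: 0x%08lx\n", (unsigned long)status);
        rc = 1;
    }

    /* Release on every path; a failed release is reported in the exit code. */
    if (!VirtualFree(baseAddress, 0, MEM_RELEASE)) {
        printf("VirtualFree failed. Error: %lu\n", GetLastError());
        rc = 1;
    }

    return rc;
}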

4. NtCreateThreadEx

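/* Starts a thread in hProcess at mFuncAddr via ntdll!NtCreateThreadEx and
 * waits for it to finish.
 *
 * hProcess  - handle opened with at least PROCESS_CREATE_THREAD |
 *             PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION (the earlier
 *             listing opens it with PROCESS_ALL_ACCESS).
 * mFuncAddr - start address; it must be mapped and executable inside
 *             hProcess's address space (e.g. the buffer written with
 *             NtWriteVirtualMemory), not merely valid in the caller. This
 *             function cannot verify that.
 *
 * Fixes against the original fragment: the bogus (PHANDLE) cast of hProcess
 * (the parameter is a HANDLE), the use of an undeclared `status` (now a
 * local), and waiting on / closing an uninitialised hThread when thread
 * creation failed. Failures are silent because the fragment has no
 * reporting path; callers that need the status should wrap this. */
void inject(HANDLE hProcess, LPVOID mFuncAddr)
{
    /* NtCreateThreadEx is not declared by winternl.h; resolve it at run time
     * like the other listings on this page. */
    typedef NTSTATUS (NTAPI *NtCreateThreadEx_t)(
        PHANDLE            ThreadHandle,
        ACCESS_MASK        DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        HANDLE             ProcessHandle,
        PVOID              StartRoutine,
        PVOID              Argument,
        ULONG              CreateFlags,
        SIZE_T             ZeroBits,
        SIZE_T             StackSize,
        SIZE_T             MaximumStackSize,
        PVOID              AttributeList
    );

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtCreateThreadEx_t pNtCreateThreadEx =
        ntdll ? (NtCreateThreadEx_t)GetProcAddress(ntdll, "NtCreateThreadEx") : NULL;
    if (!pNtCreateThreadEx) {
        return;
    }

    /* THREAD_ALL_ACCESS is kept from the original; SYNCHRONIZE alone would
     * suffice for the wait below. CreateFlags 0 = start immediately. */
    HANDLE hThread = NULL;
    NTSTATUS status = pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess,
                                        (PVOID)mFuncAddr, NULL, 0, 0, 0, 0, NULL);

    /* NTSTATUS success is >= 0 (NT_SUCCESS). Never wait on or close a handle
     * that was not actually returned. */
    if (status < 0 || hThread == NULL) {
        return;
    }

    /* Block until the remote thread exits (no timeout), then drop the handle. */
    NtWaitForSingleObject(hThread, FALSE, NULL);
    NtClose(hThread);
}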