[toc]

读取数据

1.准备一个被调试程序,编译前关闭随机基址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#include <Windows.h>
#include <stdio.h>

int main()
{
        SetConsoleTitleA("Message");
        printf("Message.exe 0x%X\n",GetModuleHandle(TEXT("Message.exe")));
        SIZE* addr = 0x140000000;
        printf("0x140000000 value 0x%x",*addr);
        getchar();
        return TRUE;

}

2.用C语言调试已经打开的Message.exe并读取0x14000000地址处的数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

VOID DebugLoop();
BOOL OnCreateProcessDebugEvent(LPDEBUG_EVENT);
BOOL OnExceptionDebugEvent(LPDEBUG_EVENT);

LPVOID g_pfWriteFile = NULL; // Hook指针
CREATE_PROCESS_DEBUG_INFO g_cpdi; // 调试信息
BYTE g_chINT3 = 0xCC; // int3 字节码
BYTE g_chOrgByte = 0; // 原始字节码

int main() {
    // 寻找记事本窗口句柄
    HWND hWnd = FindWindowA(NULL, "Message");
    DWORD dwPid = -1;
    GetWindowThreadProcessId(hWnd, &dwPid);

    if (dwPid == 0) {
        printf("Notepad is not running.\n");
        return 1;
    }

    // 附加进程
    if (!DebugActiveProcess(dwPid)) {
        printf("Could not attach to process: %d\n", GetLastError());
        return 1;
    }

    // 调试器循环
    DebugLoop();

    return 0;
}

// 调试器循环
VOID DebugLoop() {
    DEBUG_EVENT de; // 调试事件
    DWORD dwContinueStatus;

    // 等待调试事件的发送
    while (WaitForDebugEvent(&de, INFINITE)) {
        dwContinueStatus = DBG_CONTINUE;

        // 被调试进程生成或附加事件
        if (CREATE_PROCESS_DEBUG_EVENT == de.dwDebugEventCode) {
            OnCreateProcessDebugEvent(&de);
        }
        // 异常事件调试
        else if (EXCEPTION_DEBUG_EVENT == de.dwDebugEventCode) {
            if (OnExceptionDebugEvent(&de))
                continue;
        }
        // 被调试进程终止事件
        else if (EXIT_PROCESS_DEBUG_EVENT == de.dwDebugEventCode) {
            break;
        }

        // 再次运行被调试者
        ContinueDebugEvent(de.dwProcessId, de.dwThreadId, dwContinueStatus);
    }
}

BOOL OnCreateProcessDebugEvent(LPDEBUG_EVENT pde) {
    // 获取WriteFile() API地址
    g_pfWriteFile = GetProcAddress(GetModuleHandleA("kernel32.dll"), "WriteFile");

    // 读取指定地址的数据
    DWORD_PTR addressToRead = 0x140000000; // 要读取的地址
    BYTE buffer[256]; // 用于存储读取的数据
    SIZE_T bytesRead;

    // 读取notepad.exe中指定地址的数据
    if (ReadProcessMemory(pde->u.CreateProcessInfo.hProcess, (LPCVOID)addressToRead, buffer, sizeof(buffer), &bytesRead)) {
        printf("Read %zu bytes from address 0x%p:\n", bytesRead, (void*)addressToRead);
        for (SIZE_T i = 0; i < bytesRead; i++) {
            printf("%02X ", buffer[i]);
        }
        printf("\n");
    }
    else {
        printf("Could not read memory: %d\n", GetLastError());
    }

    // API HOOK
    // 设置断点
    memcpy(&g_cpdi, &pde->u.CreateProcessInfo, sizeof(CREATE_PROCESS_DEBUG_INFO));
    // 读取WriteFile第一个字节,存起来
    ReadProcessMemory(g_cpdi.hProcess, g_pfWriteFile, &g_chOrgByte, sizeof(BYTE), NULL);
    WriteProcessMemory(g_cpdi.hProcess, g_pfWriteFile, &g_chINT3, sizeof(BYTE), NULL);

    return TRUE;
}

BOOL OnExceptionDebugEvent(LPDEBUG_EVENT pde) {
    // 这里可以处理异常事件
    return FALSE; // 继续处理其他事件
}

3.用C语言创建新的进程Message.exe后调试并读取0x14000000地址处的数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#include <windows.h>
#include <stdio.h>

int main() {
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    DEBUG_EVENT de;
    BOOL bContinueDebugging = TRUE;
    HANDLE hProcess;
    SIZE_T bytesRead;
    BYTE buffer[8]; // 假设读取8字节的数据

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // 创建调试进程
    if (!CreateProcessA(NULL, "C:\\Message.exe", NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed (%d).\n", GetLastError());
        return 1;
    }

    // 调试主循环
    while (bContinueDebugging) {
        // 等待调试事件
        if (WaitForDebugEvent(&de, INFINITE)) {
            // 处理调试事件
            switch (de.dwDebugEventCode) {
            case CREATE_PROCESS_DEBUG_EVENT:
                printf("Process created.\n");
                hProcess = de.u.CreateProcessInfo.hProcess;
                break;
            case EXIT_PROCESS_DEBUG_EVENT:
                printf("Process exited.\n");
                bContinueDebugging = FALSE;
                break;
                // 处理其他调试事件
            default:
                break;
            }

            // 读取指定地址的数据
            if (ReadProcessMemory(hProcess, (LPCVOID)0x140000000, buffer, sizeof(buffer), &bytesRead)) {
                printf("Data at address 0x140000000: ");
                for (SIZE_T i = 0; i < bytesRead; i++) {
                    printf("%02X ", buffer[i]);
                }
                printf("\n");
            }
            else {
                printf("ReadProcessMemory failed (%d).\n", GetLastError());
            }

            // 继续调试事件
            ContinueDebugEvent(de.dwProcessId, de.dwThreadId, DBG_CONTINUE);
        }
        else {
            printf("WaitForDebugEvent failed (%d).\n", GetLastError());
            break;
        }
    }

    return 0;
}