Theqiqi_blog

[toc] 前置准备 为了方便测试需要将随机基址关闭 1. 写一个被调试程序12345678910111213141516171819202122//Message.c#include <stdio.h>#include <windows.h>#include <conio.h>void Message(char *var){ printf("var vulue is 0x%s\n", var);}int main(int argc, char** argv){ char* var = "AAA"; printf("var vulue is 0x%s\n", var); printf("var address is 0x%p\n", var); printf("ProcessID is %d\n", GetCurrentProcessId()); printf(&q ...

[toc] 使用C语言获取系统架构1. 使用GetNativeSystemInfo获取系统架构1234567891011121314151617181920212223#include <windows.h>#include <stdio.h>BOOL Is64BitOS(){ SYSTEM_INFO stInfo = { 0 }; GetNativeSystemInfo(&stInfo); if (stInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_IA64 || stInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) { return TRUE; } return FALSE;}int main(){ if (Is64BitOS()) printf(&q ...

[toc] 调用win32相关函数读取进程内存数据与shellcode注入1. 用C语言写一个程序Message.exe12345678910111213141516171819202122//Message.c#include <stdio.h>#include <windows.h>void Message(){ MessageBoxA(0, 0, 0, 0);}int main(int argc, char** argv){ size_t var = 0x8070605040302010; printf("var vulue is 0x%llX\n", var); printf("var address is 0x%p\n", &var); size_t* p = &var; printf("var vulue is 0x%llX\n", *p); printf("var ...

[toc] 使用C语言读取与写入文件1. c语言读取文件 新建一个文本文件，命名为first.txt。 在first.txt中编辑文本。 编写C语言代码在程序中读取文本内容。 123456789101112131415161718#define _CRT_SECURE_NO_WARNINGS#include<stdio.h>int main(){ FILE* fp = NULL; char buff[255]; fp = fopen("D:\\Users\\3\\Desktop\\first.txt", "r"); fgets(buff, 255, (FILE*)fp); printf("1: %s\n", buff); fgets(buff, 255, (FILE*)fp); printf("2: %s\n", buff); fgets(buff, 255, (FILE*)fp); printf("3: %s\n", buff); fclose(fp); ...

[toc] 遍历进程与模块1.设置Debug权限用来打开system进程句柄 设置Debug权限需要用管理员的什么打开 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748#include <stdio.h>#include <windows.h>BOOL SeDebug(BOOL bEnablePrivilege);int main(int argc, char** argv){ SeDebug(TRUE); DWORD dwPid=1180; HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid); printf("hProcess:0x%llX\n", hProcess); CloseHandle(hProcess); getchar(); return 0;}BOOL SeDebug(BOOL bEnablePr ...

[toc] C语言遍历1.使用while循环123456789101112#include <stdio.h>int main(int argv, char* argc[]){ int a = 10; while (a < 20) { printf("a 的值： %d\n", a); a++; } return 0;} 2.使用do{}while()循环do{}while()为先执行后判断 123456789101112#include <stdio.h>int main(int argv, char* argc[]){ int a = 10; do { printf("a 的值： %d\n", a); a++; } while (a < 20); return 0;} 3.使用while循环给数组赋值123 ...

[toc] C语言获取窗口句柄1.C语言获取控制台程序的句柄 完整代码功能为获取控制台程序的窗口句柄并在窗口用TextOutW写句话 12345678910111213141516171819202122232425262728#include <windows.h>#include <conio.h>#include <tchar.h>int main(int argc, char** argv) { TCHAR title[256];//控制台程序标题 //获取控制台标题 GetConsoleTitleW(title, 256); HWND hwnd1 = FindWindowW(0, title); HWND hwnd2 = FindWindowW(L"ConsoleWindowClass", 0); HWND hwnd3 = GetConsoleWindow(); HWND hwnd4 = GetForegroundWindow(); HWND hwnd = ...

[toc] 使用CE寻找种植Call并编写自动汇编脚本1. 通过CE找到汇编Call（掠过）2. 编写自动汇编脚本1234567891011121314151617181920212223242526[ENABLE]//code from here to '[DISABLE]' will be used to enable the cheatalloc(newmem,1024)createthread(newmem)newmem://根据基地址和偏移量计算第一个参数的变量地址mov ebx,00729670mov ebx,[ebx]mov ebx,[ebx+868]//call functionpush FFFFFFFF //常量-1push 2 //种植ID 此刻为樱桃炸弹mov eax,4 //Y轴座标push 0 //x轴坐标push ebx//地址[PlantsVsZombies.exe+329670]+868call 0040FA10//函数地址ret[DISABLE]//co ...

[toc] x86程序中的写法1. ce寻找MessageoxA函数地址并通过自动汇编调用MessageBoxA 打开CE，附加程序 搜索MessageBoxA的地址 编写自动汇编代码调用MessgeBoxA 写法1：使用push传递参数 123456789101112131415161718[ENABLE]Alloc(newaddr,100)createThreadAndWait(newaddr)newaddr:push 0push 0push 0push 0call 7714B730ret[DISABLE]dealloc(newaddr)//Auto Assembler Commands//https://wiki.cheatengine.org/index.php?title=Auto_Assembler:Commands 写法2：使用push传递参数并保存ebp 123456789101112131415161718192021[ENABLE]Alloc(newaddr,100)createThreadAndWait(newaddr)newaddr:push ...

[toc] 使用C语言将动态链接库加载到实验程序后调用汇编Call1.写一个C语言程序，在程序里通过内联汇编调用C语言函数1234567891011121314151617181920212223242526272829//Message.c#include <windows.h>#include <stdio.h> void Message(){ MessageBoxA(NULL, "HellWorld", "Text", MB_OK);}void AsmMessage(){ __asm { mov edx, 0x00411406 //0x00411406 is Message() address call edx }}int main(int argc, char** argv){ printf("MessageBoxA address is 0x%p\n", & ...