This post was last edited by xiaomingerniu on 2024-1-8 08:00.

After analysis, my guess is that inside WriteProcessMemory the system reuses the stack slot that holds hProcess as temporary storage for the address that receives the actual number of bytes written (i.e. number of bytes written), and then, after the call to ZwFlushInstructionCache, writes the actual number of bytes written to the address of the lpNumberOfBytesWritten parameter (number of bytes written) that was originally passed in. I am not sure whether this analysis is correct.

Afterwards, using my own way of passing the parameters, I also implemented the ring-3 part of the functionality by going through the interrupt gate:

```cpp
#include <windows.h>

// Ring-3 reimplementation of WriteProcessMemory that enters the kernel
// through the int 0x2e interrupt gate (KiIntSystemCall) instead of calling
// the ntdll!NtWriteVirtualMemory stub. The service number 0x115 is taken
// from the Windows XP system service table; it differs on other builds.
// 32-bit MSVC inline assembly only.
BOOL WINAPI MyWriteProcessMemoryPro(
    HANDLE  hProcess,               // handle to process
    LPVOID  lpBaseAddress,          // base of memory area
    LPVOID  lpBuffer,               // data buffer
    DWORD   nSize,                  // number of bytes to write
    LPDWORD lpNumberOfBytesWritten  // number of bytes written (may be NULL)
)
{
    DWORD dwWritten = 0;   // local result slot used when the caller passes NULL
    LONG  status    = 0;   // NTSTATUS returned in eax by the system call

    if (lpNumberOfBytesWritten == NULL)
        lpNumberOfBytesWritten = &dwWritten;

    __asm
    {
        pushad
        pushfd
        // Push the five arguments in stdcall order (last argument first);
        // with a standard frame these live at [ebp+0x18] down to [ebp+0x08].
        push dword ptr lpNumberOfBytesWritten   // [ebp + 0x18]
        push dword ptr nSize                    // [ebp + 0x14]
        push dword ptr lpBuffer                 // [ebp + 0x10]
        push dword ptr lpBaseAddress            // [ebp + 0x0c]
        push dword ptr hProcess                 // [ebp + 0x08]
        // NtWriteVirtualMemory begin
        mov  eax, 0x115                // system service number (Windows XP)
        lea  edx, dword ptr ss:[esp]   // edx -> first argument, as KiIntSystemCall expects
        int  0x2e
        // NtWriteVirtualMemory end: the ntdll stub ends with retn 0x14, but the
        // interrupt gate does not clean our stack, so drop the five arguments here.
        add  esp, 0x14
        mov  status, eax               // save the NTSTATUS before popad restores eax
        popfd
        popad
    }

    // A negative NTSTATUS means the call failed; the byte count is then meaningless.
    if (status < 0)
        return FALSE;
    return (*lpNumberOfBytesWritten == nSize) ? TRUE : FALSE;
}
```

If there are any mistakes, I sincerely ask the teachers for guidance! Thank you!