// readMemory.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "windows.h"
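// Read dwSize bytes at pAddr in hProcess into pBuffer by invoking
// NtReadVirtualMemory DIRECTLY through the SharedUserData system-call stub,
// bypassing the ntdll wrapper (and therefore any user-mode hook on it).
//
// Parameters mirror NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer,
// NumberOfBytesToRead, NumberOfBytesRead); dwSizeRet is optional (may be NULL)
// and now really receives the byte count instead of being ignored.
//
// Returns the NTSTATUS the kernel leaves in eax (0 == STATUS_SUCCESS). A direct
// syscall does NOT set the Win32 last-error value, so callers must check this
// return value, not GetLastError().
//
// CAVEATS (security-relevant):
//  * 0xBA is the NtReadVirtualMemory service index of 32-bit Windows XP only.
//    Syscall indices are renumbered in every Windows release; on any other
//    build this invokes a different service with these arguments.
//  * 0x7FFE0300 is KUSER_SHARED_DATA.SystemCall, which older 32-bit Windows
//    fills with KiFastSystemCall (sysenter) or KiIntSystemCall (int 2Eh).
//    Newer builds/WoW64 do not dispatch this way.
//  * MSVC inline asm exists only for x86 targets; this is not a 64-bit routine.
LONG ReadMemory(HANDLE hProcess, PVOID pAddr, PVOID pBuffer, DWORD dwSize, DWORD *dwSizeRet)
{
    LONG status;
    _asm
    {
        // Push the five arguments right-to-left, exactly as a caller of the
        // ntdll stub would. Using the parameter names lets the compiler pick
        // the frame offsets instead of hard-coding [ebp+8]..[ebp+18h].
        push dwSizeRet              // PSIZE_T NumberOfBytesRead (optional)
        push dwSize                 // SIZE_T  NumberOfBytesToRead
        push pBuffer                // PVOID   Buffer
        push pAddr                  // PVOID   BaseAddress
        push hProcess               // HANDLE  ProcessHandle
        // Both stubs leave edx pointing at the stack and the kernel fetches
        // arguments starting at [edx+8]: one slot for the stub's return
        // address (pushed by our call below) and one for the ntdll wrapper's
        // caller return address, which we fake here.
        sub esp, 4
        mov eax, 0BAh               // service index: NtReadVirtualMemory (XP x86 ONLY)
        mov edx, 0x7FFE0300         // &SharedUserData->SystemCall
        call dword ptr [edx]        // sysenter/int 2Eh cannot be issued inline; go through the stub
        add esp, 24                 // 5 args + fake slot; the kernel does not pop them
        mov status, eax             // NTSTATUS result
    }
    return status;
}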
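// Demo driver: read a local variable of our own process through the raw
// syscall wrapper and print it.
int main()
{
    DWORD dwChromeID = GetCurrentProcessId();

    // Least privilege: this program only reads, so PROCESS_VM_WRITE (requested
    // by the original) is unnecessary and is no longer asked for.
    HANDLE hChrome = OpenProcess(PROCESS_VM_READ, FALSE, dwChromeID);
    if (hChrome == NULL)
    {
        // OpenProcess is a Win32 API, so GetLastError() is meaningful here.
        printf("OpenProcess failed: %lu\n", GetLastError());
        system("pause");
        return 1;
    }

    int aa = 123;
    // Initialised on purpose: a raw syscall that fails leaves the buffer
    // untouched, and printing an uninitialised int would be undefined behaviour.
    int temp1 = 0;
    ReadMemory(hChrome, &aa, &temp1, sizeof(temp1), NULL);
    // NOTE: GetLastError() is NOT set by a direct system call (the original
    // "int a = GetLastError();" read an unrelated value). Failure can only be
    // judged from the NTSTATUS the kernel returns in eax.
    printf("%d", temp1);

    CloseHandle(hChrome);
    system("pause");
    return 0;
}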
0x7FFE0300（KUSER_SHARED_DATA 的 SystemCall 字段）到底存储的是什么：如果 CPU 支持快速系统调用(sysenter)，存储的是 ntdll!KiFastSystemCall() 的地址；不支持则存储的是 ntdll!KiIntSystemCall() 的地址。
程序由 3 环进入 0 环时，由于特权级切换，CS、SS、ESP、EIP 都要切换；这两种调用方式的区别就在于这四个值从哪里来：sysenter 从 IA32_SYSENTER_CS/ESP/EIP 这几个 MSR 中取，int 2Eh 则从 IDT 中的中断门描述符和 TSS 中取。
如果 CPU 不支持 sysenter，则通过 IDT 中的中断门(int 2Eh)进 0 环，KiIntSystemCall 的实现为（arg_4 即 esp+8）：
lea edx,[esp+arg_4]
int 2eh
retn
如果 CPU 支持快速调用(sysenter)，KiFastSystemCall 的实现为（两种 stub 都让 edx 指向用户栈，内核从 [edx+8] 开始取参数，这也是上面代码里 sub esp,4 补一个返回地址槽的原因）：
mov edx,esp
sysenter