The real goal of this exercise is to disassemble NtReadVirtualMemory, the native call that ReadProcessMemory uses internally. To verify that the disassembly is correct, we first need to use ReadProcessMemory, the higher-level function that sits on top of NtReadVirtualMemory, and see what it actually does. ReadProcessMemory is declared as:
BOOL WINAPI ReadProcessMemory(
_In_ HANDLE hProcess,
_In_ LPCVOID lpBaseAddress,
_Out_ LPVOID lpBuffer,
_In_ SIZE_T nSize,
_Out_ SIZE_T *lpNumberOfBytesRead
);
Its job is to copy a region of memory from the process referred to by the hProcess handle into a buffer we created ourselves (for example a local array). A typical call looks like this:
ReadProcessMemory(appHandle, (LPVOID)address, (LPVOID) &buffer, buffersize, 0);
Passing 0 as the last argument is allowed (lpNumberOfBytesRead may be NULL), but then the caller never learns how many bytes were actually copied, so in real code it is better to pass the address of a SIZE_T and compare it with the requested size. Note also that the handle must have been opened with PROCESS_VM_READ, otherwise the call fails regardless of the address.
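As an added example (not code from the original post), here is a small checked wrapper around ReadProcessMemory that reads a known byte pattern out of the current process and also exercises the failure path with an unmapped address. The function names read_remote, demo_self_read and demo_bad_address are my own. On Windows the wrapper calls the real API; on a non-Windows host the Win32 types and calls are replaced by a constructed stand-in that copies from the caller's own address space, purely so the wrapper logic can be compiled and tested there.

```c
/* Added example: a checked ReadProcessMemory wrapper exercised against the
 * current process (GetCurrentProcess() returns a pseudo-handle with full
 * access, so no target PID or PROCESS_VM_READ handle has to be hunted for). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in for compiling the wrapper on non-Windows hosts (test only).
 * It mimics the Win32 signatures and emulates an unmapped page at address 0. */
typedef void *HANDLE;
typedef const void *LPCVOID;
typedef void *LPVOID;
typedef size_t SIZE_T;
typedef int BOOL;
#define TRUE 1
#define FALSE 0
static HANDLE GetCurrentProcess(void) { return (HANDLE)(intptr_t)-1; }
static unsigned long GetLastError(void) { return 0; }
static BOOL ReadProcessMemory(HANDLE h, LPCVOID base, LPVOID buf,
                              SIZE_T n, SIZE_T *nread)
{
    (void)h;
    if (base == NULL) return FALSE;   /* emulate an inaccessible region */
    memcpy(buf, base, n);
    if (nread) *nread = n;
    return TRUE;
}
#endif

/* Read exactly `size` bytes at `addr` inside `proc` into `out`.
 * Returns 1 on a complete read, 0 on API failure or a short read. */
static int read_remote(HANDLE proc, const void *addr, void *out, SIZE_T size)
{
    SIZE_T got = 0;
    /* Always pass a real lpNumberOfBytesRead: a TRUE return alone does not
     * prove that all `size` bytes landed in `out`. */
    if (!ReadProcessMemory(proc, addr, out, size, &got)) {
        fprintf(stderr, "ReadProcessMemory(%p) failed, error %lu\n",
                addr, (unsigned long)GetLastError());
        return 0;
    }
    if (got != size) {
        fprintf(stderr, "short read: %zu of %zu bytes\n",
                (size_t)got, (size_t)size);
        return 0;
    }
    return 1;
}

/* Success path: read a constructed byte pattern out of our own process.
 * Returns 1 when the copy matches the source, 0 otherwise. */
int demo_self_read(void)
{
    static const unsigned char secret[16] = {        /* constructed sample */
        0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04,
        0x05, 0x06, 0x07, 0x08, 0xCA, 0xFE, 0xBA, 0xBE };
    unsigned char buffer[sizeof secret] = {0};

    if (!read_remote(GetCurrentProcess(), secret, buffer, sizeof buffer))
        return 0;
    return memcmp(buffer, secret, sizeof secret) == 0;
}

/* Failure path: address 0 is never mapped, so the wrapper must report
 * failure instead of silently leaving `buffer` untouched. Returns 1 when
 * the failure was detected. */
int demo_bad_address(void)
{
    unsigned char buffer[8];
    return read_remote(GetCurrentProcess(), (const void *)0,
                       buffer, sizeof buffer) == 0;
}

int main(void)
{
    printf("self read: %s\n", demo_self_read() ? "ok" : "FAILED");
    printf("bad address rejected: %s\n", demo_bad_address() ? "ok" : "FAILED");
    return 0;
}
```

To read from another process instead, replace GetCurrentProcess() with a handle from OpenProcess(PROCESS_VM_READ, FALSE, pid) and close it afterwards; the wrapper itself does not change.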
MSDN's explanation is:
hProcess [in]
A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
lpBaseAddress [in]
A pointer to the base address in the specified process from which to read. Before