已经弄出来了!发个大家共享下!#include #include //#include #include #define BYTESPERLINE 16 #define LINESPERSCREEN 25 #define OBJ_CASE_INSENSITIVE 0x00000040L #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define InitializeObjectAttributes( p, n, a, r, s ) { \ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ (p)->RootDirectory = r; \ (p)->Attributes = a; \ (p)->ObjectName = n; \ (p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; #ifdef MIDL_PASS [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer; #else // MIDL_PASS PWSTR Buffer; #endif // MIDL_PASS } UNICODE_STRING; typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; // windbgkd typedef LONG NTSTATUS; typedef UNICODE_STRING *PUNICODE_STRING; typedef enum _SECTION_INHERIT{ ViewShare = 1 , ViewUnmap = 2 } SECTION_INHERIT; //************************************************************************************************* typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } OBJECT_ATTRIBUTES; typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; //************************************************************************ NTSTATUS (__stdcall *NtUnmapViewOfSection) ( IN HANDLE ProcessHandle, IN PVOID BaseAddress ); NTSTATUS (__stdcall *NtOpenSection) ( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes ); NTSTATUS (__stdcall *NtMapViewOfSection) ( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset, /* optional */ IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); VOID (__stdcall *RtlInitUnicodeString) ( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString ); ULONG (__stdcall *RtlNtStatusToDosError) ( IN NTSTATUS Status ); VOID UnmapPhysicalMemory( DWORD Address ) { NTSTATUS status; status = NtUnmapViewOfSection( (HANDLE) -1, (PVOID) Address ); } //************************************************************************ //-------------------------------------------------------- // // MapPhysicalMemory // // Maps a view of a section. // //-------------------------------------------------------- BOOLEAN MapPhysicalMemory( HANDLE PhysicalMemory, PDWORD Address, PDWORD Length, PDWORD VirtualAddress ) { NTSTATUS ntStatus; PHYSICAL_ADDRESS viewBase; //char error[256]; *VirtualAddress = 0; viewBase.QuadPart = (ULONGLONG) (*Address); ntStatus = NtMapViewOfSection (PhysicalMemory, (HANDLE) -1, (PVOID *) VirtualAddress, 0L, *Length, &viewBase, Length, ViewShare, 0, PAGE_READONLY ); *Address = viewBase.LowPart; return TRUE; } //-------------------------------------------------------- // // OpensPhysicalMemory // // This function opens the physical memory device. It // uses the native API since // //-------------------------------------------------------- HANDLE OpenPhysicalMemory() { NTSTATUS status; HANDLE physmem; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; WCHAR physmemName[] = L"\\device\\physicalmemory"; RtlInitUnicodeString( &physmemString, physmemName ); InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenSection( &physmem, SECTION_MAP_READ, &attributes ); return physmem; } //-------------------------------------------------------- // // LocateNtdllEntryPoints // // Finds the entry points for all the functions we // need within NTDLL.DLL. // //-------------------------------------------------------- BOOLEAN LocateNtdllEntryPoints() { if( !(RtlInitUnicodeString = (void (__stdcall *)(PUNICODE_STRING,PCWSTR)) GetProcAddress( GetModuleHandle("ntdll.dll"),"RtlInitUnicodeString" )) ) { return FALSE; } if( !(NtUnmapViewOfSection = (NTSTATUS (__stdcall *)(HANDLE,PVOID)) GetProcAddress( GetModuleHandle("ntdll.dll"),"NtUnmapViewOfSection" )) ) { return FALSE; } if( !(NtOpenSection = (NTSTATUS (__stdcall *)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES)) GetProcAddress( GetModuleHandle("ntdll.dll"),"NtOpenSection" )) ) { return FALSE; } if( !(NtMapViewOfSection = (NTSTATUS (__stdcall *)(IN HANDLE, IN HANDLE, IN OUT PVOID *, IN ULONG , IN ULONG , IN OUT PLARGE_INTEGER , IN OUT PULONG, IN SECTION_INHERIT, IN ULONG , IN ULONG )) GetProcAddress( GetModuleHandle("ntdll.dll"),"NtMapViewOfSection" )) ) { return FALSE; } if( !(RtlNtStatusToDosError = (ULONG (__stdcall *)(NTSTATUS)) GetProcAddress( GetModuleHandle("ntdll.dll"),"RtlNtStatusToDosError" )) ) { return FALSE; } return TRUE; } //-------------------------------------------------------- // //Memory_Call // // //-------------------------------------------------------- void Memory_Call() { HANDLE physmem; DWORD vaddress, paddress, length; char key[16]; char input[256]; char mk[] = "12"; char jk[] = "12"; // // Load NTDLL entry points LocateNtdllEntryPoints(); physmem = OpenPhysicalMemory(); paddress = 0x00; length = 0x00; while(1) { memcpy(input,mk,3); sscanf( input, "%x", &paddress ); memcpy(input,jk,3); sscanf( input, "%x", &length ); if( !MapPhysicalMemory( physmem, &paddress, &length,&vaddress )) continue; memcpy(key,(char *)vaddress+1280,16); printf(key); printf("\n"); break; UnmapPhysicalMemory( vaddress ); } CloseHandle( physmem ); } //-------------------------------------------------------- // // Main // // This program drives the command loop // //-------------------------------------------------------- int main( int argc, char *argv[] ) { Memory_Call(); _getch(); return 0; } 复制代码
提升卡
变色卡
千斤顶
1/9 
京公网安备 11010802033920号
Copyright © 2005-2025 EEWORLD.com.cn, Inc. All rights reserved
