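About memory access
Everyone has used an IDE; it has a debugger that can show a variable's address and its binary value, or the converted ASCII. My guess is that the IDE requests a block of memory, assigns logical addresses to it, and can then access that block. My question is how I can get the actual data at an actual address that really exists on the memory module. I don't need to modify it (if you know how, feel free to say); I only want to output an address and the binary value of the 1 byte at that address. Don't tell me it's illegal, or that the system doesn't allow it, or about other security issues. I'm only asking whether it can be done; if it can, write it down, and if you won't write it, don't reply, since everyone knows reading a thread post by post is tiresome. I'm asking for detailed C code (with comments). Thanks, everyone!
[Solution]
What do you mean? I don't understand.
Doesn't the IDE already show the memory address and the value at that address? That is the actual address and the actual data on the memory module! Isn't it?
[Solution]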
ZwMapViewOfSection
The ZwMapViewOfSection routine maps a view of a section into the virtual address space of a subject process.
[Solution]
#include <stdio.h>
#include <string.h>
#include <windows.h>

/* Minimal native-API declarations; these normally come from the DDK headers. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

/* The routines return NTSTATUS (a LONG); a negative value means failure. */
typedef LONG (__stdcall *ZWOS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef LONG (__stdcall *ZWMV)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T,
                               PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG);
typedef LONG (__stdcall *ZWUMV)(HANDLE, PVOID);

ZWOS ZWopenS;
ZWMV ZWmapV;
ZWUMV ZWunmapV;
HANDLE hSection;
LARGE_INTEGER PhyMemAddr;
HINSTANCE hinstLib;
SIZE_T ssize;
unsigned char *BaseAddr;
UNICODE_STRING struniph;
OBJECT_ATTRIBUTES obj_ar;

/* Map Length bytes of physical memory starting at StartAddr, read-only. */
void InitPhyMemMap(DWORD StartAddr, DWORD Length)
{
    PhyMemAddr.LowPart = StartAddr;
    PhyMemAddr.HighPart = 0x0;
    ssize = Length;
    BaseAddr = NULL;

    struniph.Buffer = L"\\device\\physicalmemory";
    struniph.Length = 0x2c;          /* 22 characters * 2 bytes */
    struniph.MaximumLength = 0x2e;   /* including the terminating NUL */

    obj_ar.Attributes = 64;          /* OBJ_CASE_INSENSITIVE */
    obj_ar.Length = sizeof(obj_ar);  /* 24 on 32-bit Windows */
    obj_ar.ObjectName = &struniph;
    obj_ar.RootDirectory = 0;
    obj_ar.SecurityDescriptor = 0;
    obj_ar.SecurityQualityOfService = 0;

    hinstLib = LoadLibraryA("ntdll.dll");
    if (hinstLib == NULL) {
        printf("Error:Can't open ntdll.dll\n");
        return;
    }

    ZWopenS = (ZWOS)GetProcAddress(hinstLib, "ZwOpenSection");
    ZWmapV = (ZWMV)GetProcAddress(hinstLib, "ZwMapViewOfSection");
    ZWunmapV = (ZWUMV)GetProcAddress(hinstLib, "ZwUnmapViewOfSection");
    if (ZWopenS == NULL || ZWmapV == NULL || ZWunmapV == NULL) {
        printf("Error:Can't get function address\n");
        return;
    }

    /* 4 = SECTION_MAP_READ; check the returned status as well as the handle. */
    if (ZWopenS(&hSection, 4, &obj_ar) < 0 || hSection == NULL) {
        hSection = NULL;
        printf("Error:Can't open Zw\n");
        return;
    }

    /* (HANDLE)-1 is the current process; 1 = ViewShare; 2 = PAGE_READONLY. */
    if (ZWmapV(hSection, (HANDLE)(LONG_PTR)-1, (PVOID *)&BaseAddr, 0, ssize,
               &PhyMemAddr, &ssize, 1, 0, 2) < 0 || BaseAddr == NULL) {
        BaseAddr = NULL;
        printf("Error:Can't Map Address\n");
        return;
    }
}

void ReleasePhyMemMap(void)
{
    /* ZwUnmapViewOfSection takes the process handle and the view's base
       address, not the section handle and a pointer to the base address. */
    if (BaseAddr != NULL && ZWunmapV != NULL) {
        ZWunmapV((HANDLE)(LONG_PTR)-1, BaseAddr);
        BaseAddr = NULL;
    }
    if (hSection != NULL) {
        CloseHandle(hSection);
        hSection = NULL;
    }
    if (hinstLib != NULL)
        FreeLibrary(hinstLib);
}

/* Copy rsize bytes from offset startaddr inside the mapped view into buff. */
int PhyMemRead(unsigned char *buff, unsigned int startaddr, unsigned int rsize)
{
    if (BaseAddr == NULL || startaddr > ssize)
        return FALSE;
    /* Clamp to the end of the view without overflowing startaddr + rsize. */
    if (rsize > ssize - startaddr)
        rsize = (unsigned int)(ssize - startaddr);
    memcpy(buff, BaseAddr + startaddr, rsize);
    return TRUE;
}

int main()
{
    unsigned char buff[0x100];
    int i;

    memset(buff, 0, sizeof(buff));
    InitPhyMemMap(0x000f0000, 0x100);  /* read 256 bytes at physical address 0x000f0000 */
    PhyMemRead(buff, 0, 0x100);
    ReleasePhyMemMap();

    for (i = 0; i < 0x100; i++)
        printf("%02x ", buff[i]);
    printf("\n");
    return 0;
}
[Solution]
What is ring3?