#include "globals.h"
#include "HideMemory.h"
#include "fun.h"
// Base address of the hidden region allocated in main(); read by
// IsMemoryHidden() and by the worker threads. Assigned once, before the
// worker thread is started, and not otherwise synchronised.
DWORD64 hidemem;
// (Author's note, translated) If only read/write access is needed, this lock
// can be removed and the lock inside the VEH handler enabled instead. When
// code is *executed* from the region, a double exception may be raised during
// execution, which is why the lock is taken here rather than in the handler.
//std::mutex m;
// Function-pointer types for the native routines used by the hiding scheme.
// Neither type is referenced in this file; presumably they are resolved from
// ntdll elsewhere (fun.h / HideMemory.h) -- verify against those headers.
typedef NTSTATUS (NTAPI* _NtClose)(IN HANDLE ObjectHandle);
typedef NTSTATUS (NTAPI* _NtReadVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,PVOID Buffer,ULONG NumberOfBytesToRead,PULONG NumberOfBytesReaded);
// NTSTATUS values mirrored from ntstatus.h; neither is used in this file.
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008L)
// Shared description of the manually mapped module (export address, entry
// point, image base). Owned and populated elsewhere; this file only reads it.
extern PSHARE_VEH pInfo;
// Signature of the module's exported test routine. Resolved on the first pass
// of ReadThreadProc2() and then called once per second by that thread.
typedef VOID(WINAPI *_testDemo)();
_testDemo pTestDemo = NULL;
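// Reports whether the hidden region still carries the PAGE_NOACCESS
// protection that the fault-and-restore hiding scheme relies on.
//
// Returns TRUE when the page containing `hidemem` is PAGE_NOACCESS, and FALSE
// when it has any other protection or when VirtualQuery fails (for example
// because `hidemem` no longer points into a mapped region). The original
// reached the same result on failure only because memInfo was zero-filled;
// the failure is now checked explicitly.
BOOL IsMemoryHidden()
{
    MEMORY_BASIC_INFORMATION memInfo = { 0 };
    // VirtualQuery returns the number of bytes written to memInfo; 0 means
    // the query failed and memInfo must not be trusted.
    if (VirtualQuery(reinterpret_cast<LPCVOID>(hidemem), &memInfo, sizeof(memInfo)) == 0)
    {
        return FALSE;
    }
    return memInfo.Protect == PAGE_NOACCESS ? TRUE : FALSE;
}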
// One-shot latch for ReadThreadProc2(): FALSE until the mapped module's
// DllMain has been invoked. Read and written only by that thread.
BOOL bOnce = FALSE;
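// Worker thread started from main(). On its first pass it resolves the
// exported test routine of the manually mapped module described by `pInfo`
// and invokes that module's DllMain(DLL_PROCESS_ATTACH) -- a manually mapped
// image receives no loader callback, so the entry point has to be called
// here. Afterwards it calls the export once per second, forever; nothing
// ever asks this thread to stop.
//
// The code being executed lives in the hidden region; the mechanism that
// makes that possible is implemented elsewhere (see HideMemory.h) and is
// assumed to be initialised before this thread starts. The author's earlier
// __try/__except wrapper around the call was removed, so a fault inside the
// export propagates to the process's exception handlers.
void ReadThreadProc2()
{
    while (true)
    {
        if (!bOnce)
        {
            pTestDemo = reinterpret_cast<_testDemo>(pInfo->export_fun);
            ProcDllMain pDllMain = reinterpret_cast<ProcDllMain>(pInfo->DllOfEntryPoint);
            // NOTE(review): the BOOL returned by DllMain is ignored; FALSE
            // would mean the module declined to initialise, and the export
            // is called regardless.
            pDllMain(0, DLL_PROCESS_ATTACH, reinterpret_cast<PVOID>(pInfo->DllBase));
            bOnce = TRUE;
        }
        pTestDemo();
        // %p is the conversion for pointers; the original passed a function
        // pointer to %llx, which is an undefined format/argument mismatch.
        printf("testDemo already run %p \n", reinterpret_cast<void*>(pTestDemo));
        Sleep(1000);
    }
}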
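// Worker thread (currently not started from main(); the std::thread line for
// it is commented out). Every 100 ms it reads the first 8 bytes of the hidden
// region and prints how long the read took.
void ReadThreadProc3()
{
    while (true)
    {
        const ULONGLONG tick = GetTickCount64();
        // Read first, then take the end timestamp. In the original both were
        // arguments of a single printf call, and C++ leaves argument
        // evaluation order unspecified, so the reported "ReadTime" could be
        // taken before the read happened.
        const DWORD64 value = *reinterpret_cast<DWORD64*>(hidemem);
        const ULONGLONG elapsed = GetTickCount64() - tick;
        // The mutex `m` is commented out at the top of the file; its lock/
        // unlock calls are kept here as comments for the same reason.
        //m.lock();
        printf("Thread3 ReadTime %llu ms Data:%llx\n", elapsed, value);
        //m.unlock();
        Sleep(100);
    }
}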
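// Entry point of the demo: sets the console title to the PID, allocates one
// hidden region with a byte-wise encode/decode pair, starts the execute-test
// thread and waits for a key press before releasing the region.
int main()
{
    WCHAR title[64];
    // _snwprintf_s takes the buffer size in *characters*. sizeof(title) is the
    // size in bytes (twice the element count for WCHAR), which would let the
    // call write past the buffer for a long enough formatted result.
    _snwprintf_s(title, sizeof(title) / sizeof(title[0]), L"PID: %lx", GetCurrentProcessId());
    SetConsoleTitleW(title);
    Init();

    // The two callbacks are applied to the region's bytes when it is hidden
    // and when it is revealed, respectively, and are each other's inverse
    // (add 6 then XOR 'a' / XOR 'a' then subtract 6). This is a fixed,
    // keyless transformation: it obscures bytes at rest but is not
    // encryption, and anyone holding this source can invert it. The meaning
    // of the `1` argument (presumably a page or block count) is defined by
    // AllocateHiddenMemory in HideMemory.h.
    hidemem = AllocateHiddenMemory(NULL, 1,
        [](DWORD64 lpAddress, size_t size) {
            unsigned char* bytes = reinterpret_cast<unsigned char*>(lpAddress);
            for (size_t i = 0; i < size; i++)
            {
                // unsigned arithmetic keeps the wrap-around well defined; the
                // resulting bit pattern is the same as the original char math.
                bytes[i] = static_cast<unsigned char>(bytes[i] + 6);
                bytes[i] ^= 'a';
            }
        },
        [](DWORD64 lpAddress, size_t size) {
            unsigned char* bytes = reinterpret_cast<unsigned char*>(lpAddress);
            for (size_t i = 0; i < size; i++)
            {
                bytes[i] ^= 'a';
                bytes[i] = static_cast<unsigned char>(bytes[i] - 6);
            }
        });

    // NOTE(review): ReadThread1 loops forever and is never joined or
    // detached. When main returns, the std::thread destructor runs on a
    // joinable thread and std::terminate() ends the process; meanwhile the
    // thread may still be calling into the region that FreeHiddenMemory has
    // just released. That happens to stop the demo but is not an orderly
    // shutdown -- a cooperative stop flag checked in ReadThreadProc2, followed
    // by join() before FreeHiddenMemory, would be.
    std::thread ReadThread1(ReadThreadProc2);
    //std::thread ReadThread2(ReadThreadProc3);
    //BOOL MessageBoxState = TRUE;
    getchar();
    //while (1)
    //{
    //	printf("Allocated %llx\n\n", hidemem);
    //	ULONGLONG tick = GetTickCount64();
    //	//R/W ==========================================================================================
    //	//m.lock();
    //	*(DWORD64*)hidemem += 1;
    //	printf("ReadWriteTime %llu ms Data:%llx\n", GetTickCount64() - tick, *(DWORD64*)hidemem);
    //	//m.unlock();
    //	//R/W ==========================================================================================
    //	//Execute =======================================================================================
    //	//tick = GetTickCount64(); see the note about the lock at the top of this file
    //	//m.lock();
    //	//if (ExecuteHiddenMemory())
    //	//	printf("ExecuteTime %llu ms \n", GetTickCount64() - tick);
    //	//else
    //	//	printf("Execute Failed\n");
    //	//m.unlock();
    //	//Execute =======================================================================================
    //	//SEH ===========================================================================================
    //	tick = GetTickCount64();
    //	//m.lock();
    //	if(CheckSEH())
    //		printf("Support SEH %llu ms\n", GetTickCount64() - tick);
    //	//m.unlock();
    //	//SEH ===========================================================================================
    //	Sleep(200);
    //	system("cls");
    //}
    //m.lock();
    FreeHiddenMemory(hidemem);
    //m.unlock();
}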