先声明一些变量
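HANDLE objhandle;             /* handle to the target process, returned by OpenProcess */
ULONG_PTR baseaddress;        /* remote address to read from; pointer-sized so a Win64 address is not truncated (int was) */
char bytes[14];               /* buffer that receives the memory read back from the target */
char putbytes[14] = {"你好"}; /* data written into the target; the initializer zero-fills the unused tail */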
本次操作不需要提权(完整代码中另外演示了启用 SE_DEBUG_NAME 特权的做法,用于 OpenProcess 无法直接打开目标进程的情况)
打开进程
/* 12012 is the demo target PID; PROCESS_ALL_ACCESS is far more than the calls below need —
 * PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION covers read, write and VirtualProtectEx.
 * The handle is never checked for NULL or closed here; the full listing below does the check. */
objhandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 12012);
读取内存
baseaddress = 0x403072; /* demo address inside the target; meaningful only for that one build */
/* The NULL last argument discards the byte count actually read, and nothing guarantees a
 * terminating NUL inside the 14 bytes — the buffer must be terminated before any %s print. */
ReadProcessMemory(objhandle, (LPCVOID)baseaddress, (LPVOID)bytes, sizeof(bytes), NULL);
结果保存到 bytes 数组中
修改内存页面属性,不然不能写
DWORD protectmunber = 0; /* receives the page's previous protection so it can be restored afterwards */
/* PAGE_EXECUTE_READWRITE makes the page RWX; PAGE_READWRITE is enough when the target
 * page holds data, and RWX pages are a common alert trigger for endpoint monitoring. */
VirtualProtectEx(objhandle, (LPVOID)baseaddress, sizeof(putbytes), PAGE_EXECUTE_READWRITE, (PDWORD)&protectmunber);
写内存
/* Writes all 14 bytes of putbytes (string plus zero padding); the return value is ignored here. */
WriteProcessMemory(objhandle, (LPVOID)baseaddress, putbytes, sizeof(putbytes), NULL);
恢复内存页面属性
/* Restores the saved protection; protectmunber is both the new-protection input and the
 * old-protection output here, so after this call it holds PAGE_EXECUTE_READWRITE, not the original. */
VirtualProtectEx(objhandle, (LPVOID)baseaddress, sizeof(putbytes), protectmunber, (PDWORD)&protectmunber);
效果如图:
全部代码如下,myputerror 函数是对 GetLastError 的封装(打印最近一次错误码)
#define _WIN32_WINNT 0x0501
#include
#include
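HANDLE objhandle;             /* handle to the target process, returned by OpenProcess */
ULONG_PTR baseaddress;        /* remote address to read from; pointer-sized so a Win64 address is not truncated (int was) */
char bytes[14];               /* buffer that receives the memory read back from the target */
char putbytes[14] = {"你好"}; /* data written into the target; the initializer zero-fills the unused tail */
void myputerror(void);        /* prints GetLastError(); defined elsewhere in this file */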
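/*
 * Enable SeDebugPrivilege on the current process token, which lets OpenProcess
 * reach processes the caller could otherwise not open.  Every failure is
 * reported through myputerror() (defined elsewhere in this file).
 *
 * Returns TRUE when AdjustTokenPrivileges reports the privilege as enabled,
 * FALSE otherwise.  The token handle is always closed before returning.
 */
static BOOL enable_debug_privilege(void)
{
    HANDLE hToken = NULL; /* initialised: the original read it even when OpenProcessToken failed */
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        myputerror();
        return FALSE;
    }
    printf("获取令牌句柄成功\n");

    LUID luid = {0};
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid) == 0) {
        printf("获取LUID失败 ");
        myputerror();
        CloseHandle(hToken);
        return FALSE;
    }
    /* LowPart is a DWORD; %lu with an explicit cast keeps the format specifier honest. */
    printf("获取LUID成功 %lu\n", (unsigned long)luid.LowPart);

    TOKEN_PRIVILEGES tp = {0};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* AdjustTokenPrivileges returns non-zero even when it could only enable some of the
     * requested privileges; ERROR_NOT_ALL_ASSIGNED is only visible through GetLastError(). */
    if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL) != 0) {
        if (GetLastError() == ERROR_SUCCESS) {
            printf("指定的特权修改成功!\n"); /* the user already held the privilege; it is now enabled */
            ok = TRUE;
        } else {
            printf("修改特权不完全或失败!\n");
            myputerror();
        }
    } else {
        printf("修改失败!\n");
        myputerror();
    }
    CloseHandle(hToken);
    return ok;
}

/*
 * Demo entry point: open the target process, read a few bytes at a fixed
 * address, overwrite them with putbytes, read them back, and restore the
 * page protection.  Uses the file-scope objhandle / baseaddress / bytes /
 * putbytes.  Returns 1 when the target cannot be opened, otherwise 0.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    /* Debug privilege is only needed when the target cannot be opened otherwise;
     * OpenProcess is attempted regardless of the outcome, as in the original flow. */
    enable_debug_privilege();

    /* Least privilege: reading, writing and changing page protection need only these
     * three rights, not PROCESS_ALL_ACCESS.  12012 is the demo target PID. */
    objhandle = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, 12012);
    if (objhandle == NULL) {
        myputerror();
        getchar();
        return 1; /* every call below would operate on a NULL handle */
    }
    baseaddress = 0x403072; /* demo address inside the target; valid only for that one build */
    /* Cast through ULONG_PTR so the conversion is well-defined whatever integer type baseaddress has. */
    LPVOID target = (LPVOID)(ULONG_PTR)baseaddress;

    /* Read one byte fewer than the buffer holds so a terminator always fits: the remote
     * data need not be NUL-terminated and is printed with %s. */
    SIZE_T got = 0;
    if (ReadProcessMemory(objhandle, target, bytes, sizeof(bytes) - 1, &got) != 0) {
        bytes[got] = '\0';
        printf("结果:%s\n ", bytes);
    } else {
        myputerror();
    }

    /* Make the page writable, remembering the previous protection for the restore below.
     * PAGE_READWRITE is enough when the page holds data; RWX pages are a common alert
     * trigger for endpoint monitoring and are kept here only to match the original demo. */
    DWORD oldprotect = 0;
    BOOL prot_changed = VirtualProtectEx(objhandle, target, sizeof(putbytes), PAGE_EXECUTE_READWRITE, &oldprotect);
    if (!prot_changed) {
        myputerror();
    }

    if (WriteProcessMemory(objhandle, target, putbytes, sizeof(putbytes), NULL) == 0) {
        myputerror();
    } else {
        printf("内存写入成功\n");
        /* Read back to show the write landed; the original also called myputerror() on this
         * success path, which only printed a stale error code. */
        got = 0;
        if (ReadProcessMemory(objhandle, target, bytes, sizeof(bytes) - 1, &got) != 0) {
            bytes[got] = '\0';
            printf("结果:%s\n ", bytes);
        } else {
            myputerror();
        }
    }

    /* Only restore what was actually changed, and use a separate out-variable so
     * oldprotect is not overwritten by the call that consumes it. */
    if (prot_changed) {
        DWORD unused = 0;
        if (VirtualProtectEx(objhandle, target, sizeof(putbytes), oldprotect, &unused) == FALSE) {
            myputerror();
        }
    }

    CloseHandle(objhandle);
    objhandle = NULL;
    getchar();
    return 0;
}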