
我想用代码拼接（splicing，也就是在函数入口写入一条 JMP 的内联挂钩）的方式截取一个函数。下面是我用 C++ 写的拼接式挂钩代码：

#include <windows.h> 

// Forward declaration; the window procedure itself is defined at the end of the file.
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

// Text drawn in the window on WM_PAINT, and the hook-call counter it shows.
// Both are plain globals that the hook function writes to from whatever thread
// happens to call ZwQuerySystemInformation; nothing synchronises the access.
WCHAR wch[60];
int i;

// Native-API types redefined here instead of including <winternl.h>.
// NOTE(review): these names (and UNICODE_STRING below) collide with the SDK's
// winternl.h definitions if that header is ever included in this file.
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;

// Conventional success test for NTSTATUS codes (negative values are errors).
// Unused below: xZwQSI compares against STATUS_SUCCESS directly.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define STATUS_SUCCESS     ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L)

// SYSTEM_INFORMATION_CLASS value whose results xZwQSI tampers with
// (presumably the class the SDK calls SystemProcessInformation — verify).
#define SystemProcessesAndThreadsInformation 5

// Counted UTF-16 string as passed around by the native API. Local copy of the
// system definition; the layout must stay exactly as is.
// NOTE(review): in the system definition both lengths are BYTE counts, not
// character counts, and Buffer need not be NUL-terminated — this matters for
// the value xZwQSI writes into Length.
typedef struct _UNICODE_STRING {
     USHORT  Length;        // bytes in use
     USHORT  MaximumLength; // bytes available in Buffer
     PWSTR   Buffer;
     } UNICODE_STRING;

// Leading part of one entry returned for information class 5. Only the fields
// xZwQSI touches are declared; the trailing VM counters and per-thread array are
// deliberately left out, so sizeof(SYSTEM_PROCESSES) is smaller than a real
// entry and the memset in xZwQSI zeroes just this prefix.
// NOTE(review): ProcessId/InheritedFromProcessId are declared ULONG where the
// SDK's SYSTEM_PROCESS_INFORMATION uses HANDLE/PVOID, i.e. this is a 32-bit
// layout only — confirm against winternl.h before building for x64.
typedef struct _SYSTEM_PROCESSES {
    ULONG    NextEntryDelta;         // byte offset to the next entry; 0 marks the last one
    ULONG    ThreadCount;
    ULONG    Reserved1[6];
    LARGE_INTEGER  CreateTime;
    LARGE_INTEGER  UserTime;
    LARGE_INTEGER  KernelTime;
    UNICODE_STRING ProcessName;      // image name; Length is a byte count
    KPRIORITY   BasePriority;
    ULONG    ProcessId;
    ULONG    InheritedFromProcessId;
    ULONG    HandleCount;
    ULONG    Reserved2[2];
// VM_COUNTERS  VmCounters;
// SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;

// The 5 original bytes of ntdll!ZwQuerySystemInformation, saved by
// SetSplicingHook when it overwrites them with a JMP and written back by
// UnsetSplicingHook.
UCHAR bufZwQSI[5];
// Calling convention/signature assumed for ZwQuerySystemInformation.
// SystemInformationClass is declared UINT here rather than the SDK enum; same
// width on x86.
typedef NTSTATUS (WINAPI *pWinApiF) (UINT SystemInformationClass, PVOID SystemInformation,         ULONG SystemInformationLength, PULONG ReturnLength);

// Address of the real export, resolved with GetProcAddress in WinMain.
pWinApiF lpZwQSI;

// Replacement function; the JMP planted by SetSplicingHook lands here.
NTSTATUS WINAPI xZwQSI(UINT SystemInformationClass, PVOID SystemInformation, ULONG  SystemInformationLength, PULONG ReturnLength);

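// Install a 5-byte "JMP rel32" at the entry of pfnDst so that calls to it are
// diverted to pfnHook. The 5 bytes that get overwritten are saved into buffer
// so UnsetSplicingHook can put them back.
//
// pfnDst  : function to patch.
// pfnHook : function that receives control instead.
// buffer  : receives the original 5 bytes.
// Returns true when the JMP is in place and the page protection was restored;
// false if an argument is NULL, the hook is out of rel32 range, or a
// VirtualProtect call fails (as in the original, a failure to restore the
// protection is reported as failure even though the JMP is already written).
//
// Caveats for callers:
//  - The first 5 bytes are overwritten unconditionally, with no instruction
//    decoding. If byte 5 falls inside an instruction, or another thread is
//    executing the prologue while it is rewritten, the process will crash.
//  - The write lands on this process's private (copy-on-write) copy of the code
//    page; other processes keep the unmodified function, and the patch is
//    trivially detectable by comparing the in-memory bytes with the on-disk image.
bool SetSplicingHook(pWinApiF pfnDst, pWinApiF pfnHook, UCHAR buffer[5])
{
    // IsBadReadPtr/IsBadWritePtr are gone: Microsoft documents them as unsafe
    // (they race with other threads and can swallow guard-page faults), so
    // only the obviously-bad NULL cases are rejected here.
    if (pfnDst == NULL || pfnHook == NULL || buffer == NULL)
        return false;

    // Pointer-sized arithmetic. The original truncated both addresses to
    // DWORD, which silently produces a wrong displacement on x64.
    const ULONG_PTR dst = (ULONG_PTR)pfnDst;
    const ULONG_PTR hook = (ULONG_PTR)pfnHook;
    const LONGLONG delta = (LONGLONG)hook - (LONGLONG)(dst + 5);
    // rel32 is a signed 32-bit displacement; refuse targets it cannot reach.
    if (delta > 0x7fffffffLL || delta < -0x80000000LL)
        return false;
    const LONG rel32 = (LONG)delta;

    void *target = (void *)pfnDst;
    DWORD oldProtect = 0;
    if (!VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
        return false;

    // Save the original bytes, then write opcode + displacement in one copy
    // (no misaligned DWORD store through a cast pointer).
    memcpy(buffer, target, 5);
    BYTE patch[5];
    patch[0] = 0xE9; // JMP rel32
    memcpy(&patch[1], &rel32, sizeof(rel32));
    memcpy(target, patch, sizeof(patch));

    // Code bytes changed: make sure no stale decoded copy is executed.
    FlushInstructionCache(GetCurrentProcess(), target, 5);

    DWORD ignored = 0;
    if (!VirtualProtect(target, 5, oldProtect, &ignored))
        return false;
    return true;
}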

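// Remove the JMP planted by SetSplicingHook: write the 5 saved bytes back over
// the entry of pfnDst. Silently does nothing if an argument is NULL or the page
// cannot be made writable. Restoring the original protection afterwards is
// best effort. The same thread-safety caveat as SetSplicingHook applies: other
// threads may be executing these bytes while they change.
void UnsetSplicingHook(pWinApiF pfnDst, UCHAR buffer[5])
{
    if (pfnDst == NULL || buffer == NULL)
        return;
    void *target = (void *)pfnDst;
    DWORD oldProtect = 0;
    if (!VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
        return;
    memcpy(target, buffer, 5);
    // The original omitted this; the CPU may otherwise keep executing the
    // previously decoded JMP.
    FlushInstructionCache(GetCurrentProcess(), target, 5);
    DWORD ignored = 0;
    VirtualProtect(target, 5, oldProtect, &ignored);
}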

// Hook body for ZwQuerySystemInformation. Every call: bump the counter shown in
// the window, temporarily remove the JMP so the real function can run, re-arm
// the hook, and — for information class 5 on success — overwrite the first
// process entry so the caller sees a single fake process.
//
// Security/robustness notes (reviewer):
//  - The unhook / call / rehook dance is not thread safe: while the JMP is
//    removed, any other thread calling ZwQuerySystemInformation bypasses this
//    function, and the rewrite races with threads executing the prologue.
//  - Because the patch lives only in this process's copy of ntdll, the altered
//    list is seen only by code running inside this process; other processes
//    (e.g. a task manager) are unaffected.
//  - The result is rewritten in place even though the caller may have passed a
//    buffer it still owns; see the Length note below.
NTSTATUS WINAPI xZwQSI(UINT SystemInformationClass, PVOID SystemInformation, ULONG  SystemInformationLength, PULONG ReturnLength)
{
    // Counter is a plain global; concurrent callers would race on it.
    wsprintf(wch,L"%d",++i);
    UnsetSplicingHook(lpZwQSI, bufZwQSI);
    NTSTATUS ret = lpZwQSI(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    // Failing to re-arm terminates the whole process (same as in WinMain).
    if(!SetSplicingHook(lpZwQSI, xZwQSI, bufZwQSI))
    {
     MessageBox(NULL, L"Cannot set hook to ZwQuerySystemInformation", L"Error", MB_OK);
     ExitProcess(0);
    }
    // Only STATUS_SUCCESS is tampered with; STATUS_INFO_LENGTH_MISMATCH probes
    // with a too-small buffer pass straight through.
    if(ret != STATUS_SUCCESS)
     return ret;

    if(SystemInformationClass == SystemProcessesAndThreadsInformation)
    {
     PSYSTEM_PROCESSES pProcesses = (PSYSTEM_PROCESSES)SystemInformation;

     // Zeroes only the declared prefix of the first entry (not a full entry),
     // then terminates the list at it: all real entries after it are hidden.
     // NOTE(review): assumes SystemInformationLength >= sizeof(SYSTEM_PROCESSES)
     // whenever ret is STATUS_SUCCESS — not checked here.
     memset(pProcesses, 0, sizeof(SYSTEM_PROCESSES));
     pProcesses->NextEntryDelta = 0;
     pProcesses->ProcessId = 1;
     // Buffer points at a 14-character (28-byte) literal, but Length is set to
     // 100 bytes and MaximumLength stays 0. A consumer that honours Length
     // reads 72 bytes past the literal — an out-of-bounds read in the caller.
     pProcesses->ProcessName.Buffer = L"CepbIu 0wn3d u";
     pProcesses->ProcessName.Length = 100;
    }

    return ret;
}
// Program entry: arm the ZwQuerySystemInformation hook inside this process,
// then create a small "Hide" window whose WndProc displays the hook counter.
// Exits the process if the hook cannot be installed; returns 0 if the window
// class or window cannot be created, otherwise the WM_QUIT exit code.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // Initial text and counter shown by the window.
    wsprintf(wch, L"none");
    i = 0;

    // Resolve the real export. A NULL module makes GetProcAddress return NULL,
    // which SetSplicingHook rejects below.
    HMODULE ntdll = LoadLibrary(L"ntdll.dll");
    FARPROC realFn = GetProcAddress(ntdll, "ZwQuerySystemInformation");
    lpZwQSI = (pWinApiF)realFn;

    // Divert the export (in this process only) to xZwQSI.
    if (!SetSplicingHook(lpZwQSI, xZwQSI, bufZwQSI)) {
        MessageBox(NULL, L"Cannot set hook to ZwQuerySystemInformation", L"Error", MB_OK);
        ExitProcess(0);
    }

    WCHAR className[] = L"Hide";

    // Plain top-level window class with a white background and stock icon/cursor.
    WNDCLASSEX cls;
    ZeroMemory(&cls, sizeof(cls));
    cls.cbSize        = sizeof(cls);
    cls.style         = CS_HREDRAW | CS_VREDRAW;
    cls.lpfnWndProc   = WndProc;
    cls.cbClsExtra    = 0;
    cls.cbWndExtra    = 0;
    cls.hInstance     = hInstance;
    cls.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
    cls.hCursor       = LoadCursor(NULL, IDC_ARROW);
    cls.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
    cls.lpszMenuName  = NULL;
    cls.lpszClassName = className;
    cls.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

    if (!RegisterClassEx(&cls)) {
        MessageBox(NULL, L"Cannot register class", L"Error", MB_OK);
        return 0;
    }

    // 150x150 captioned window at (1000, 400).
    HWND mainWindow = CreateWindowEx(
        0, className, L"Hide",
        WS_CAPTION | WS_SYSMENU,
        1000, 400, 150, 150,
        (HWND)NULL, (HMENU)NULL,
        (HINSTANCE)hInstance, NULL);

    if (!mainWindow) {
        MessageBox(NULL, L"Cannot create main window", L"Error", MB_OK);
        return 0;
    }

    ShowWindow(mainWindow, nCmdShow);

    // Standard message pump; runs until PostQuitMessage in WndProc.
    MSG message;
    while (GetMessage(&message, NULL, 0, 0)) {
        TranslateMessage(&message);
        DispatchMessage(&message);
    }

    return (int)message.wParam;
}

// Window procedure for the "Hide" window. A 500 ms timer invalidates the
// client area so each repaint draws the current contents of the global `wch`
// centred in the window; close/destroy end the message loop.
LRESULT CALLBACK WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    if (msg == WM_CREATE) {
        // Timer id NULL, 500 ms period, no callback: delivered as WM_TIMER.
        SetTimer(hWnd, NULL, 500, NULL);
        return 0;
    }

    if (msg == WM_TIMER) {
        // Force a full repaint (background erased) on every tick.
        InvalidateRect(hWnd, NULL, TRUE);
        return 0;
    }

    if (msg == WM_PAINT) {
        PAINTSTRUCT paint;
        HDC dc = BeginPaint(hWnd, &paint);
        RECT client;
        GetClientRect(hWnd, &client);
        DrawText(dc, wch, -1, &client, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
        EndPaint(hWnd, &paint);
        return 0;
    }

    if (msg == WM_CLOSE) {
        DestroyWindow(hWnd);
        return 0;
    }

    if (msg == WM_DESTROY) {
        PostQuitMessage(0);
        return 0;
    }

    return DefWindowProc(hWnd, msg, wParam, lParam);
}

但它不起作用，我想知道自己哪里做错了？我在 Windows 7 和 XP 上都测试过。


你得到的是什么错误？产生该错误的是哪段代码？像现在这样我们没法帮你。 –


[在映射文件上调用VirtualProtect](http://stackoverflow.com/questions/5346913/calling-virtualprotect-on-a-mapped-file) –

回答


VirtualProtect 不会给你比最初打开该映射时更高的访问权限，而你的用户账户几乎肯定没有权限以写访问方式打开它。

（审阅者注：这一解释与提问者“调试器显示内存已被修补、运行时没有报错”的观察并不一致。据我所知，作为映像节映射的 DLL 代码页通常可以用 VirtualProtect 改为 PAGE_EXECUTE_READWRITE，写入会落到本进程私有的写时复制页副本上；这也意味着补丁只对本进程内部的调用者生效，其他进程看到的仍是未修改的 ntdll。）


那我该怎么修复？另外，为什么调试器显示内存已经被修补了？ – CepbIu


我没有错误 – CepbIu


至于代码运行时的错误——没有任何错误。 – CepbIu