This article covers the question "How do I find the memory address of a variable (a file handle)?" and how it was handled; it may be a useful reference for anyone facing the same problem.

Problem description


In an attempt to reopen a file with a different share option, I have injected a DLL into the process, and attempt to write to a specific memory address which I thought was the address where a file hook was stored... But it ended up crashing the application.

I had been using TSearch to look for the numerical representation of the handle in 4 bytes, and originally I had found 7 memory addresses that changed with the file handle I could find by intercepting CreateFile. I attempted to create a new file handle using ReOpenFile, and overwrote those 7 memory addresses with the new file handle, but that caused the application to crash. However, after the application crashed, I can no longer find a memory address that consistently shows the file handle.

This is the method I used to overwrite the old handle.... But even if it is correct I can't find where to overwrite....

using System;
using System.Runtime.InteropServices;

// P/Invoke declaration for kernel32!ReOpenFile, which the loop below calls.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr ReOpenFile(IntPtr hOriginalFile, uint dwDesiredAccess, uint dwShareMode, uint dwFlagsAndAttributes);

IntPtr[] memAddr = { new IntPtr(0x18971C), new IntPtr(0x617B9AAC), new IntPtr(0x645106DC), new IntPtr(0x660CC0EC), new IntPtr(0x6F861728), new IntPtr(0x74E300BC), new IntPtr(0x7500011C) };
foreach (IntPtr iter in memAddr)
{
    // Read the handle stored at the address itself: the second argument is a byte offset, so it must be 0, not sizeof(IntPtr).
    IntPtr iinn = Marshal.ReadIntPtr(iter, 0);
    // FILE_READ_DATA access, FILE_SHARE_READ share mode, no flags. Returns INVALID_HANDLE_VALUE (-1) on failure.
    IntPtr outt = ReOpenFile(iinn, 0x00000001, 0x00000001, 0x00000000);
    Marshal.WriteIntPtr(iter, 0, outt);
}
Queue.Push(memAddr.Length + " memory addresses patched!");
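The loop above writes whatever ReOpenFile returns straight back into memory, including INVALID_HANDLE_VALUE when the call fails. The following is an added example (not from the question) that probes, on a handle the program itself owns, whether ReOpenFile can obtain the requested share mode at all and what Win32 error it reports when it cannot; Windows applies the sharing check against every handle still open on the file, including the original one. The Win32 constants and the scratch file created with Path.GetTempFileName are the only assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

static class ReOpenProbe
{
    const uint GENERIC_READ = 0x80000000;
    const uint FILE_READ_DATA = 0x00000001;
    const uint FILE_SHARE_READ = 0x00000001;
    const uint OPEN_EXISTING = 3;
    const uint FILE_ATTRIBUTE_NORMAL = 0x80;
    const int ERROR_SHARING_VIOLATION = 32;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr ReOpenFile(IntPtr hOriginalFile, uint dwDesiredAccess, uint dwShareMode, uint dwFlagsAndAttributes);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Asks for a second handle to the same file with the requested share mode.
    // Returns the new handle, or INVALID_HANDLE_VALUE with the Win32 error in 'error'.
    static IntPtr TryReopen(IntPtr original, uint shareMode, out int error)
    {
        IntPtr h = ReOpenFile(original, FILE_READ_DATA, shareMode, 0);
        error = h == INVALID_HANDLE_VALUE ? Marshal.GetLastWin32Error() : 0;
        return h;
    }

    static void Main()
    {
        string path = Path.GetTempFileName(); // constructed scratch file, deleted at the end
        foreach (uint originalShare in new uint[] { 0, FILE_SHARE_READ })
        {
            IntPtr h1 = CreateFileW(path, GENERIC_READ, originalShare, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);
            if (h1 == INVALID_HANDLE_VALUE) throw new IOException("CreateFile failed: " + Marshal.GetLastWin32Error());
            IntPtr h2 = TryReopen(h1, FILE_SHARE_READ, out int err);
            string outcome = h2 == INVALID_HANDLE_VALUE
                ? $"failed, error {err}" + (err == ERROR_SHARING_VIOLATION ? " (sharing violation)" : "")
                : "ok";
            Console.WriteLine($"original share=0x{originalShare:X}: ReOpenFile -> {outcome}");
            if (h2 != INVALID_HANDLE_VALUE) CloseHandle(h2);
            CloseHandle(h1); // the original handle keeps its share restriction until it is closed
        }
        File.Delete(path);
    }
}
```

Only when TryReopen returns something other than INVALID_HANDLE_VALUE is there a valid handle worth storing anywhere.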

Recommended answer



07-22 19:27