猿问

什么是戈朗等价物。网络的元帅复制方法?

我试图修补戈朗的一大块内存。我已关闭虚拟保护功能,并且内存块正在更改为 RW,但我找不到用于复制到内存的 Golang 功能。


我想从强势外壳脚本中模拟这一点:


[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)


我目前拥有的戈朗代码如下:


var patch = []byte {

    0x31, 0xC0, // xor rax, rax

    0xC3,        // ret

}


var oldfperms uint32

virtualProt(unsafe.Pointer(&patchAddr), unsafe.Sizeof(uintptr(2)), uint32(0x40), 

unsafe.Pointer(&oldfperms)) // Modify region for ReadWrite


var r uintptr

for _, b := range patch {

    r = (r << 8) | uintptr(b)

}


patch := unsafe.Pointer(uintptr(r)) // Attempting to copy into memory here and I'm stumped

fmt.Println(patch)


var a uint32

virtualProt(unsafe.Pointer(&patchAddr), unsafe.Sizeof(uintptr(2)), oldfperms, unsafe.Pointer(&a)) // Change region back to normal


莫回无
浏览 83回答 1
1回答

青春有我

没关系。找到对 Win32 写入过程内存函数的引用并使用该函数。https://pkg.go.dev/github.com/0xrawsec/golang-win32/win32/kernel32#WriteProcessMemoryfunc WriteProcMem(currProccess uintptr, patchAddr uintptr, patch uintptr) bool {&nbsp; &nbsp; kern32WriteMem := syscall.NewLazyDLL("kernel32.dll").NewProc("WriteProcessMemory")&nbsp; &nbsp; _, _, _ = kern32WriteMem.Call(&nbsp; &nbsp; currProccess,&nbsp; &nbsp; patchAddr,&nbsp; &nbsp; patch)&nbsp; &nbsp; fmt.Println("[+] Patched Memory!")&nbsp; &nbsp; return true}
随时随地看视频慕课网APP

相关分类

Go
我要回答