一个简单的内存补丁程序

    技术2026-06-21  5

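    ;-----------------------------------------------------------------------
    ; Memory patch example 1: apply an in-memory patch to Test.exe
    ;
    ; Syntax: MASM, 32-bit x86, flat model, stdcall (see the directives below).
    ;
    ; Flow:   1. Start Test.exe with CREATE_SUSPENDED so no target code has
    ;            run yet.
    ;         2. Read PATCH_BYTES bytes at PATCH_POSITION from the child.
    ;         3. Write dbPatched only if those bytes equal dbPatch, then
    ;            resume the main thread.
    ;         On any failure after the child exists (read fails, bytes
    ;         differ, write fails) the child is terminated instead of being
    ;         left suspended or resumed unpatched.
    ;
    ; NOTE(review): PATCH_POSITION is a hard-coded linear address, so the
    ; patch assumes the image is mapped at the base this address was taken
    ; from. The byte comparison is the only guard against a relocated or
    ; different build of the target.
    ;
    ; NOTE(review): szExecFilename is a bare file name passed as
    ; lpApplicationName, so it is resolved against the current directory.
    ; Whatever Test.exe sits there is what gets started; the 2-byte
    ; comparison is the only check on its identity.
    ;
    ; NOTE(review): create-suspended -> WriteProcessMemory -> ResumeThread is
    ; a sequence that endpoint security products commonly monitor, so expect
    ; this loader to be flagged.
    ;-----------------------------------------------------------------------

            .386
            .model flat, stdcall
            option casemap :none

    include     windows.inc
    include     user32.inc
    include     kernel32.inc
    includelib  user32.lib
    includelib  kernel32.lib

    PATCH_POSITION  equ 00401004h       ; linear address of the patch site
    PATCH_BYTES     equ 2               ; number of bytes to patch

            .data?
    dbOldBytes      db  PATCH_BYTES dup (?)     ; buffer for bytes read from the child
    stStartUp       STARTUPINFO <?>
    stProcInfo      PROCESS_INFORMATION <?>

            .const
    dbPatch         db  74h,15h         ; expected original bytes (short JZ, disp 15h)
    dbPatched       db  90h,90h         ; replacement bytes (two NOPs)
    szExecFilename  db  'Test.exe',0    ; target file name
    szErrExec       db  '无法装载执行文件!',0
    szErrVersion    db  '执行文件的版本不正确,无法修正!',0
    szErrPatch      db  '无法读写目标进程内存!',0

            .code
    Start:
            ; Create the child suspended so it can be patched before it runs.
            invoke  GetStartupInfo,addr stStartUp
            invoke  CreateProcess,offset szExecFilename,NULL,NULL,NULL,NULL,\
                    NORMAL_PRIORITY_CLASS or CREATE_SUSPENDED,NULL,NULL,\
                    offset stStartUp,offset stProcInfo
            .if eax
                ; Read the current bytes at the patch site.
                invoke  ReadProcessMemory,stProcInfo.hProcess,PATCH_POSITION,\
                        addr dbOldBytes,PATCH_BYTES,NULL
                .if eax
                    ; Word compare: relies on PATCH_BYTES being 2.
                    mov     ax,word ptr dbOldBytes
                    .if ax == word ptr dbPatch
                        invoke  WriteProcessMemory,stProcInfo.hProcess,\
                                PATCH_POSITION,addr dbPatched,PATCH_BYTES,NULL
                        .if eax
                            ; Patch is in place: let the program start running.
                            invoke  ResumeThread,stProcInfo.hThread
                        .else
                            ; Write failed: never resume an unpatched child.
                            invoke  TerminateProcess,stProcInfo.hProcess,-1
                            invoke  MessageBox,NULL,addr szErrPatch,NULL,MB_OK or MB_ICONSTOP
                        .endif
                    .else
                        ; Bytes differ: wrong version of the target, do not patch.
                        invoke  TerminateProcess,stProcInfo.hProcess,-1
                        invoke  MessageBox,NULL,addr szErrVersion,NULL,MB_OK or MB_ICONSTOP
                    .endif
                .else
                    ; Read failed: terminate rather than leave a suspended orphan.
                    invoke  TerminateProcess,stProcInfo.hProcess,-1
                    invoke  MessageBox,NULL,addr szErrPatch,NULL,MB_OK or MB_ICONSTOP
                .endif
                invoke  CloseHandle,stProcInfo.hProcess
                invoke  CloseHandle,stProcInfo.hThread
            .else
                invoke  MessageBox,NULL,addr szErrExec,NULL,MB_OK or MB_ICONSTOP
            .endif

            invoke  ExitProcess,NULL
            end     Start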
