C PowerShell: Attempted to read or write protected memory
I don't like PowerShell at all, but I know how to use C. After allocating memory with VirtualAlloc() and writing to it with memset(), I ran into an error. Also, for x86 compatibility, I am running this from SysWOW64. If the architecture is x64, it relaunches the PS1 and executes it from SysWOW64. Relevant code:
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
$win = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
$size = 100;
$vptr=$win::VirtualAlloc(0,0x1000,$size,0x40)
#0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
$win::memset([IntPtr]$vptr, 0x00, 1)
The error message I received:
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Relevant "bcdedit" information:
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume2
path \EFI\Microsoft\Boot\bootmgfw.efi
description Windows Boot Manager
locale en-US
inherit {globalsettings}
integrityservices Enable
default {current}
resumeobject {dda7e6ba-e18d-11e3-b50a-ecf4bb7add72}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \windows\system32\winload.efi
description Windows 8.1
locale en-US
inherit {bootloadersettings}
recoverysequence {dda7e6c4-e18d-11e3-b50a-ecf4bb7add72}
integrityservices Enable
recoveryenabled Yes
isolatedcontext Yes
allowedinmemorysettings 0x15000075
osdevice partition=C:
systemroot \windows
resumeobject {dda7e6ba-e18d-11e3-b50a-ecf4bb7add72}
nx AlwaysOn
bootmenupolicy Standard
vga No
quietboot Yes
bootlog No
sos No
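Is this related to DEP/NX? I can't simply reboot my machine right now.

Shouldn't it be $win::VirtualAlloc(0,$size,0x1000,0x40)?

That's what I thought at first, but it doesn't work. Even when I do $win::VirtualAlloc(0,0x1000,0x1000,0x40) to be safe, I get the same error. My thinking is that it is related to DEP, but I have no way of knowing.

I tested it on a Windows 10 machine with NX set to OptIn. Same result.

It seems I can do this using the [System.Runtime.InteropServices.Marshal]::Copy() function and VirtualAlloc([IntPtr]0,$size,0x3000,0x40). I'll update this post later when I have a working proof of concept.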
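
The argument order raised in the comments (address, size, allocation type, protection) and the Marshal.Copy approach from the last comment, written out with a return-value check. This is an added example, not the original poster's code. Assumptions: the type name `Mem`, the constructed sample bytes, and `PAGE_READWRITE` (0x04) in place of the thread's 0x40, because the buffer here only holds data.

```powershell
# Added example (not from the original thread). The type name "Mem" is hypothetical.
$sig = @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
"@
$mem = Add-Type -MemberDefinition $sig -Name "Mem" -Namespace Win32Functions -PassThru

$MEM_COMMIT_RESERVE = 0x3000   # MEM_COMMIT (0x1000) | MEM_RESERVE (0x2000)
$MEM_RELEASE        = 0x8000
$PAGE_READWRITE     = 0x04     # assumption: data-only buffer, no execute right requested

[byte[]]$data = 0x41, 0x42, 0x43, 0x44      # constructed sample bytes
$size = [UIntPtr][uint32]$data.Length       # SIZE_T is pointer-sized, hence UIntPtr

# Order matters: lpAddress, dwSize, flAllocationType, flProtect.
$ptr = $mem::VirtualAlloc([IntPtr]::Zero, $size, $MEM_COMMIT_RESERVE, $PAGE_READWRITE)
if ($ptr -eq [IntPtr]::Zero) {
    # A NULL return means nothing was allocated; writing through it raises
    # System.AccessViolationException.
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "VirtualAlloc failed, Win32 error $err"
}

try {
    # Managed array -> unmanaged buffer, without P/Invoking the CRT's memset.
    [System.Runtime.InteropServices.Marshal]::Copy($data, 0, $ptr, $data.Length)

    # Read the bytes back to confirm the write landed.
    $back = New-Object byte[] $data.Length
    [System.Runtime.InteropServices.Marshal]::Copy($ptr, $back, 0, $back.Length)
    "Wrote and read back: " + (($back | ForEach-Object { $_.ToString('X2') }) -join ' ')
}
finally {
    # MEM_RELEASE requires dwSize = 0 and the base address returned by VirtualAlloc.
    [void]$mem::VirtualFree($ptr, [UIntPtr]::Zero, $MEM_RELEASE)
}
```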