API函数调用过程

ReadProcessMemory执行流程

.text:7C8021D0 ; BOOL __stdcall ReadProcessMemory(HANDLE hProcess,
.text:7C8021D0 ;                                  LPCVOID lpBaseAddress,
.text:7C8021D0 ;                                  LPVOID lpBuffer,
.text:7C8021D0 ;                                  DWORD nSize,
.text:7C8021D0 ;                                  LPDWORD lpNumberOfBytesRead
.text:7C8021D0 ;                                  )

.text:7C8021D0 public ReadProcessMemory
.text:7C8021D0 ReadProcessMemory proc near ; CODE XREF: GetProcessVersion+2F12Fp
.text:7C8021D0 ; GetProcessVersion+2F14Ep …
.text:7C8021D0
.text:7C8021D0 ; Thin stdcall wrapper (kernel32): forwards its five arguments to
.text:7C8021D0 ; ntdll's NtReadVirtualMemory, stores the byte count through
.text:7C8021D0 ; lpNumberOfBytesRead when that pointer is non-NULL, and turns the
.text:7C8021D0 ; returned NTSTATUS into a BOOL (eax = 1 success, 0 failure).
.text:7C8021D0 ; Stack arguments, ebp-relative after push ebp / mov ebp,esp:
.text:7C8021D0 hProcess = dword ptr 8
.text:7C8021D0 lpBaseAddress = dword ptr 0Ch
.text:7C8021D0 lpBuffer = dword ptr 10h
.text:7C8021D0 nSize = dword ptr 14h ; also reused as the out-slot for the bytes-read count (see lea below)
.text:7C8021D0 lpNumberOfBytesRead= dword ptr 18h
.text:7C8021D0
.text:7C8021D0 mov edi, edi ; 2-byte no-op (conventional hot-patch pad)
.text:7C8021D2 push ebp
.text:7C8021D3 mov ebp, esp ; plain frame, no locals
.text:7C8021D5 lea eax, [ebp+nSize] ; &nSize: the caller's own argument slot receives the count written by ntdll
.text:7C8021D8 push eax ; arg5: NumberOfBytesRead (out)
.text:7C8021D9 push [ebp+nSize] ; arg4: NumberOfBytesToRead
.text:7C8021DC push [ebp+lpBuffer] ; arg3: Buffer
.text:7C8021DF push [ebp+lpBaseAddress] ; arg2: BaseAddress
.text:7C8021E2 push [ebp+hProcess] ; arg1: ProcessHandle
.text:7C8021E5 call ds:NtReadVirtualMemory ; calls a function in another module (ntdll) through the import entry; eax = NTSTATUS
.text:7C8021EB mov ecx, [ebp+lpNumberOfBytesRead]
.text:7C8021EE test ecx, ecx ; optional out-pointer supplied?
.text:7C8021F0 jnz short loc_7C8021FD ; yes: store the count first (this happens regardless of the status)
.text:7C8021F2
.text:7C8021F2 loc_7C8021F2: ; CODE XREF: ReadProcessMemory+32j
.text:7C8021F2 test eax, eax ; NTSTATUS sign bit = error/warning severity
.text:7C8021F4 jl short loc_7C802204 ; signed test on purpose: any negative status is treated as failure,
.text:7C8021F4 ; so a warning-class status (e.g. STATUS_PARTIAL_COPY, 0x8000000D) yields FALSE
.text:7C8021F4 ; even though *lpNumberOfBytesRead was already written above — callers should
.text:7C8021F4 ; not treat that count as "fully read" unless the return value is TRUE
.text:7C8021F6 xor eax, eax
.text:7C8021F8 inc eax ; return TRUE
.text:7C8021F9
.text:7C8021F9 loc_7C8021F9: ; CODE XREF: ReadProcessMemory+3Cj
.text:7C8021F9 pop ebp
.text:7C8021FA retn 14h ; stdcall: callee pops 5 dword args (20 bytes)
.text:7C8021FD ;
.text:7C8021FD
.text:7C8021FD loc_7C8021FD: ; CODE XREF: ReadProcessMemory+20j
.text:7C8021FD mov edx, [ebp+nSize] ; count written back by NtReadVirtualMemory into the reused slot
.text:7C802200 mov [ecx], edx ; *lpNumberOfBytesRead = bytes actually read
.text:7C802202 jmp short loc_7C8021F2
.text:7C802204 ;
.text:7C802204
.text:7C802204 loc_7C802204: ; CODE XREF: ReadProcessMemory+24j
.text:7C802204 push eax ; the failing NTSTATUS
.text:7C802205 call sub_7C8093FD ; unnamed here; presumably maps the NTSTATUS to a Win32 last-error code — confirm
.text:7C80220A xor eax, eax ; return FALSE
.text:7C80220C jmp short loc_7C8021F9
.text:7C80220C ReadProcessMemory endp

NtReadVirtualMemory


.text:7C92D9E0                 public ZwReadVirtualMemory
.text:7C92D9E0 ZwReadVirtualMemory proc near           ; CODE XREF: LdrFindCreateProcessManifest+1CCp
.text:7C92D9E0                                         ; LdrCreateOutOfProcessImage+7Cp ...
.text:7C92D9E0 ; ntdll system-service stub (the Nt export typically aliases this same body).
.text:7C92D9E0 ; The stub never touches its five stack arguments itself; only the
.text:7C92D9E0 ; service number and the transition-stub pointer are set up here.
.text:7C92D9E0 ; Defender note: this is the last user-mode instruction sequence before
.text:7C92D9E0 ; the kernel, so robust visibility into cross-process reads belongs
.text:7C92D9E0 ; kernel-side rather than in hooks on the kernel32 export above it.
.text:7C92D9E0                 mov     eax, 0BAh       ; NtReadVirtualMemory — system service number; OS-build specific (the 7C92xxxx base looks like a Windows XP-era ntdll — confirm)
.text:7C92D9E5                 mov     edx, 7FFE0300h  ; address of SharedUserData->SystemCall: pointer to the boot-selected transition stub (typically the sysenter or int 2Eh variant)
.text:7C92D9EA                 call    dword ptr [edx] ; enters the kernel here; eax = NTSTATUS on return
.text:7C92D9EC                 retn    14h             ; stdcall: pop 5 dword args (20 bytes)
.text:7C92D9EC ZwReadVirtualMemory endp

自己实现WriteProcess的三环部分


转载自blog.csdn.net/qq_41490873/article/details/89851923