├── LICENSE ├── PhysicalMemory.cpp └── README.md /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 A-Normal-User 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
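22 | -------------------------------------------------------------------------------- /PhysicalMemory.cpp: --------------------------------------------------------------------------------
// Demonstration of Address Windowing Extensions (AWE): a physical page is
// allocated, mapped into a reserved virtual window, written, unmapped, and
// later mapped again to read the value back.
//
// Reviewer notes:
//  * While the page is unmapped, nothing backs the reserved virtual range, so a
//    tool that walks this process's virtual address space has nothing to read
//    there. The value itself stays in the physical page for the whole run;
//    memory acquisition that works below the virtual-address layer (kernel
//    mode, full physical-memory capture) is presumably unaffected, although
//    this file does not demonstrate that.
//  * AllocateUserPhysicalPages needs SeLockMemoryPrivilege ("Lock pages in
//    memory"). AdjustTokenPrivileges can only enable a privilege the token
//    already holds; it cannot grant one.
//
// NOTE(review): the four header names were stripped from this listing; the set
// below is reconstructed from the APIs the file uses. Confirm it against the
// repository.
#include <windows.h>

#include <cstdlib>
#include <cstring>
#include <iostream>

using namespace std;

void EnableSeLockMemoryPrivilege();

// Runs the AWE map / write / unmap / remap / read sequence on one page.
// Returns 0 on success and EXIT_FAILURE when any allocation or mapping step
// fails (the original returned 0 on every path).
int main()
{
    SYSTEM_INFO sysInfo;
    ULONG_PTR PageArray = 0;      // receives the page frame number of the allocated page
    ULONG_PTR PageArraySize = 1;  // in: pages requested; out: pages actually allocated
    PVOID Address = NULL;

    // Enable SeLockMemoryPrivilege in this process's token.
    EnableSeLockMemoryPrivilege();
    // Query system information to learn the page size.
    GetSystemInfo(&sysInfo);
    cout << "当前系统的PageSize是:" << sysInfo.dwPageSize << "\n";

    // Reserve a one-page virtual window that AWE pages can be mapped into.
    Address = VirtualAlloc(NULL, sysInfo.dwPageSize, MEM_RESERVE | MEM_PHYSICAL, PAGE_READWRITE);
    if (Address == NULL)
    {
        cout << "分配虚拟内存失败!\n";
        return EXIT_FAILURE;
    }

    // Allocate the physical page. The call may succeed with fewer pages than
    // requested, so the updated count is checked as well.
    if (!AllocateUserPhysicalPages(GetCurrentProcess(), &PageArraySize, &PageArray) || PageArraySize != 1)
    {
        // The original reused the "virtual memory" message here (copy-paste slip).
        cout << "分配物理内存失败!\n";
        VirtualFree(Address, 0, MEM_RELEASE);
        return EXIT_FAILURE;
    }
    // (Debug aid left disabled by the author: print the frame number in PageArray.)

    // Map the physical page into the window. Without a successful mapping the
    // write below would fault, so the result must be checked.
    if (!MapUserPhysicalPages(Address, 1, &PageArray))
    {
        cout << "映射物理内存失败!\n";
        FreeUserPhysicalPages(GetCurrentProcess(), &PageArraySize, &PageArray);
        VirtualFree(Address, 0, MEM_RELEASE);
        return EXIT_FAILURE;
    }

    // Write the marker value through the window.
    *static_cast<int*>(Address) = 114514;

    // Unmap: the window stays reserved but no page backs it any more.
    if (!MapUserPhysicalPages(Address, 1, NULL))
    {
        cout << "解除物理内存映射失败!\n";
        FreeUserPhysicalPages(GetCurrentProcess(), &PageArraySize, &PageArray);
        VirtualFree(Address, 0, MEM_RELEASE);
        return EXIT_FAILURE;
    }
    cout << "写入的内容是整数:114514,写入地址:0x" << Address << ",你可以试试能不能搜索到数据,如果搜到了请修改,后面还会读取一次\n";
    system("pause");

    // Map the same physical page into the window again and read the value back.
    if (!MapUserPhysicalPages(Address, 1, &PageArray))
    {
        cout << "映射物理内存失败!\n";
        FreeUserPhysicalPages(GetCurrentProcess(), &PageArraySize, &PageArray);
        VirtualFree(Address, 0, MEM_RELEASE);
        return EXIT_FAILURE;
    }
    cout << "读取的内容是整数:" << *static_cast<int*>(Address) << "\n";

    // Release the physical page, then the virtual window.
    FreeUserPhysicalPages(GetCurrentProcess(), &PageArraySize, &PageArray);
    VirtualFree(Address, 0, MEM_RELEASE);
    cout << "测试结束\n";
    system("pause");
    return 0;
}

// Enables SeLockMemoryPrivilege in the current process token.
// Failures are reported on stdout and are otherwise non-fatal: the function
// returns normally and the later AllocateUserPhysicalPages call in main() is
// what actually fails when the privilege is missing.
void EnableSeLockMemoryPrivilege() {
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    memset(&tkp, 0, sizeof(tkp));

    // Get a token for this process.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        cout << "OpenProcessToken failed" << endl;
        return;
    }

    // Get the LUID for the lock memory privilege.
    if (!LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &tkp.Privileges[0].Luid))
    {
        cout << "LookupPrivilegeValue failed" << endl;
        CloseHandle(hToken);
        return;
    }
    tkp.PrivilegeCount = 1;  // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Enable the privilege. AdjustTokenPrivileges can return TRUE while leaving
    // ERROR_NOT_ALL_ASSIGNED in the last-error slot, so both are examined. The
    // error code is captured before CloseHandle runs.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    const DWORD adjustError = GetLastError();
    CloseHandle(hToken);  // the original never closed the token handle

    if (!adjusted || adjustError != ERROR_SUCCESS)
    {
        cout << "AdjustTokenPrivileges failed" << endl;
        return;
    }
}
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pretend_HideVirtualMemory 2 | - 利用物理内存映射,实现虚拟内存的伪隐藏 3 | 4 | ## 简单内容: 5 | - 使用这种方法首先进程必须有SeLockMemoryPrivilege权限。 6 | - 相关内容资料:[Address Windowing Extensions](https://docs.microsoft.com/en-us/windows/win32/memory/address-windowing-extensions "Address Windowing Extensions") 7 | - 首先使用AllocateUserPhysicalPages分配一块物理内存 8 | - 然后使用MapUserPhysicalPages将这块物理内存映射到虚拟内存。 9 | - 向这块虚拟内存中写入数据 10 | - 解除映射。 11 | - 然后搜索进程内存,会发现这块内存找不到了。 12 | 13 | ## 为什么是AWE 14 | - 其实文件映射可以实现类似效果,但是为什么用AWE相关函数呢? 15 | - 首先文件映射并不是完全没法外部读出,外部进程一样可以映射。 16 | - 但是MapUserPhysicalPages就不一样了,系统为了防止乱映射物理地址,内部有很多检测,这导致用户层下,MapUserPhysicalPages只能映射自己进程用AllocateUserPhysicalPages分配出的物理内存,用户层下外部基本没法实现直接读出这个物理内存中的数据。 17 | --------------------------------------------------------------------------------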