原理:在目标进程中创建一个起始地址为 0 的远程线程,使其从内存地址 0 开始执行,从而发生内存访问冲突
#include <cstdio> #include <Windows.h> using namespace std; int main(int argc, char* argv[]) { if (argc < 2) { printf("%s PID\n", argv[0]); return 1; } HANDLE p = OpenProcess(PROCESS_ALL_ACCESS, 0, atol(argv[1])); if (!p) { fprintf(stderr, "Cannot open process % s", argv[1]); return 1; } HANDLE hTh = CreateRemoteThread(p, 0, 0, 0, 0, 0, 0); if (!hTh) { fprintf(stderr, "CreateRemoteThread(%p,0,0,0,0,0,0) failed,GetLastError() == %d", p, GetLastError()); return 1; } CloseHandle(hTh); return 0; }
效果: