原理:让目标进程执行内存地址0,发生内存访问冲突
#include <cstdio>
#include <cstdlib>
#include <Windows.h>
using namespace std;
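// Entry point. Usage: <program> PID.
//
// Opens the process whose PID is given on the command line and creates a
// thread in it with a null start address, so the target faults on its first
// instruction fetch at address 0 (the "原理" line above the includes).
//
// Returns 0 when the remote thread was created, 1 on a usage error or when
// OpenProcess/CreateRemoteThread fails (the Win32 error code is printed).
//
// NOTE(review): a thread created in another process with an invalid start
// address is exactly the artefact endpoint monitoring tends to key on, and
// PROCESS_ALL_ACCESS asks for far more than thread creation needs; both are
// kept as the original wrote them, this rewrite only fixes the defects below:
//   - "% s" (space flag on %s is undefined) and missing newlines in messages
//   - %d used for GetLastError(), which returns an unsigned DWORD
//   - the process handle was never closed
//   - a non-numeric PID silently became 0 via atol()
int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("%s PID\n", argv[0]);
        return 1;
    }

    // Reject anything that is not a whole decimal number instead of letting
    // atol() turn garbage into PID 0.
    char* end = nullptr;
    const unsigned long pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        fprintf(stderr, "Invalid PID: %s\n", argv[1]);
        return 1;
    }

    HANDLE p = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!p) {
        fprintf(stderr, "Cannot open process %s, GetLastError() == %lu\n",
                argv[1], GetLastError());
        return 1;
    }

    int rc = 0;
    HANDLE hTh = CreateRemoteThread(p, nullptr, 0, nullptr, nullptr, 0, nullptr);
    if (!hTh) {
        // DWORD is unsigned long on Windows, hence %lu rather than %d.
        fprintf(stderr, "CreateRemoteThread(%p,0,0,0,0,0,0) failed,GetLastError() == %lu\n",
                p, GetLastError());
        rc = 1;
    } else {
        CloseHandle(hTh);
    }

    CloseHandle(p);  // the original returned without releasing this handle
    return rc;
}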
效果: