ength;//长度 18h
  HANDLE RootDirectory;// 00000000
  PUNICODE_STRING ObjectName;//指向对象名的指针
  ULONG Attributes;//对象属性00000040h
  PVOID SecurityDescriptor;    // Points to type SECURITY_DESCRIPTOR，0
  PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE，0
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

//函数指针变量类型生命
typedef DWORD (__stdcall *ZWOS)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES);
typedef DWORD (__stdcall *ZWMV)(HANDLE,HANDLE,PVOID,ULONG,ULONG,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG);
typedef DWORD (__stdcall *ZWUMV)(HANDLE,PVOID);
//以上在程序开始定义全局变量处定义

//以下在程序的主函数里
//变量声明
    UNICODE_STRING struniph;
  OBJECT_ATTRIBUTES obj_ar;
  ZWOS ZWopenS;
  ZWMV ZWmapV;
  ZWUMV ZWunmapV;
  HANDLE hSection;
  DWORD ba;
  LARGE_INTEGER so;
  SIZE_T ssize;
  so.LowPart=0x000f0000;//物理内存的基址，就是f000:0000
  so.HighPart=0x00000000;
  ssize=0xffff;
  wchar_t strPH[30]=L"\\device\\physicalmemory";
//变量初始化
    ba=0;//联系后的基址将在这里返回
    struniph.Buffer=strPH;
  struniph.Length=0x2c;//注意大小是按字节算
  struniph.MaximumLength =0x2e;//也是字节
    obj_ar.Attributes =64;//属性
  obj_ar.Length =24;//OBJECT_ATTRIBUTES类型的长度
  obj_ar.ObjectName=&struniph;//指向对象的指针
  obj_ar.RootDirectory=0;
  obj_ar.SecurityDescriptor=0;
    obj_ar.SecurityQualityOfService =0;
//读入ntdll.dll,得到函数地址
    hinstLib = LoadLibrary("ntdll.dll");
  ZWopenS=(ZWOS)GetProcAddress(hinstLib,"ZwOpenSection");
    ZWmapV=(ZWMV)GetProcAddress(hinstLib,"ZwMapViewOfSection");
  ZWunmapV=(ZWUMV)GetProcAddress(hinstLib,"ZwUnmapViewOfSection");
//调用函数，对物理内存进行映射
    ZWopenS(&hSection,4,&obj_ar);
  ZWmapV(
       (HANDLE)hSection, //打开Section时得到的句柄
       (HANDLE)0xffffffff, //将要映射进程的句柄，
       &ba, //映射的基址
       0, //没怎么看明白,设为0就好了
       0xffff, //分配的大小
       &so, //物理内存的地址
       &ssize, //指向读取内存块大小的指针
       1, //子进程的可继承性设定
       0, //分配类型
       2 //保护类型
       );
    //执行