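// Resolves the process id that owns the top-level window whose title is exactly Filename.
//   Filename - exact window title, handed to FindWindow (the window class is not checked)
// Returns the owning process id, or 0 after showing a message box when no window matches.
DWORD CMFCApplication1Dlg::GetWindows(CString Filename)
{
    // GetString() yields a read-only pointer; the original called GetBuffer(), which hands
    // out the writable buffer and should have been paired with ReleaseBuffer().
    HWND hWnd = ::FindWindow(NULL, Filename.GetString());
    if (!hWnd)
    {
        MessageBox(L"没有窗口", NULL, 0);
        return 0;
    }
    DWORD dwPid = 0;
    // The thread id returned by GetWindowThreadProcessId is not needed here.
    GetWindowThreadProcessId(hWnd, &dwPid);
    return dwPid;
}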
// Class-header excerpt: PuthLants is a static member, so it has no hidden this argument and
// has the shape of a thread routine. The author's note says this, like the __declspec(naked)
// form below, "keeps the compiler from adding its own code"; NOTE(review): static only removes
// the implicit this parameter, it does not suppress the prologue/epilogue the way naked does.
static DWORD __stdcall PuthLants(LPVOID lpThreadParame);
// Form 1 of the stub (author's note: "declared exactly as the original code"). Because the
// function is __declspec(naked), no prologue/epilogue is emitted and the bytes copied into
// the target by WriteProcessMemory (see the walkthrough below) are exactly this __asm block.
// The three values pushed/loaded are fixed constants; PuthLants is the parameterised form.
// The absolute addresses (0x6A9EC0, +0x768, 0x40D120) are taken from one specific target
// build and are not verified at run time; they are presumably locations inside the game
// named by the window titles further down — confirm before use.
__declspec(naked) void PuthLant()
{
    __asm
    {
        pushad                      ; preserve all general-purpose registers
        push -1
        push 2
        mov eax, 4                  ; eax is an input to the callee, cf. mov eax, u_x in PuthLants
        push 4
        mov ebx, ds:[0x6A9EC0]      ; ebx = *(*(0x6A9EC0) + 0x768)
        mov ebx, ds:[ebx + 0x768]
        push ebx
        mov edx, 0x40D120
        call edx                    ; absolute call; the callee presumably removes the four pushed args
        popad
        ret                         ; plain ret; as a thread routine the LPVOID argument is not popped
    }
}
// Form 2 of the stub (author's note: "declared exactly as the original code"): the same call
// sequence as PuthLant, but the three values come from a _putPlant block instead of constants.
// Runs inside the target process as the remote thread routine; lpThreadParame is the
// target-side copy of the caller's _putPlant written by InjectRemoteFunc (ParamAdd), or NULL
// when dwSize was 0 — the cast below does not check for NULL.
// NOTE(review): unlike the naked PuthLant, this function receives a normal prologue/epilogue,
// and depending on build settings the compiler may emit code beyond the hand-written sequence
// that a byte-for-byte copy carries along; verify what was actually emitted.
DWORD __stdcall CMFCApplication1Dlg::PuthLants(LPVOID lpThreadParame)
{
    putPlant pParame = (putPlant)lpThreadParame;
    // Copied into locals so the __asm block can name them (stack-relative operands).
    UINT u_x = pParame->U_X;
    UINT u_y = pParame->U_Y;
    UINT u_ID = pParame->U_ID;
    __asm
    {
        pushad                      ; preserve all general-purpose registers
        push -1
        push u_ID
        mov eax, u_x                ; passed in eax, cf. the constant 4 in PuthLant
        push u_y
        mov ebx, ds:[0x6A9EC0]      ; absolute address from one specific target build
        mov ebx, ds:[ebx + 0x768]
        push ebx
        mov edx, 0x40D120
        call edx                    ; absolute call; the callee presumably removes the four pushed args
        popad
    }
    return 0;
}
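// Runs a copy of mFunc inside process dwPid on a new thread and waits for that thread.
//   dwPid        - target process id (see GetWindows)
//   mFunc        - local address of the routine to copy; 4096 bytes starting there are copied
//                  verbatim, so that much readable memory must follow mFunc, and the routine
//                  must not depend on anything that exists only in this process
//   pRemoteParam - optional parameter block of dwSize bytes, copied into the target and passed
//                  to the routine as its LPVOID argument (NULL is passed when dwSize == 0)
//   dwWaitTime   - WaitForSingleObject timeout for the remote thread
// Returns TRUE once the remote thread has been created. On WAIT_TIMEOUT the remote buffers
// are deliberately left allocated because the thread may still be executing from them; in
// every other case, including failure part-way through, they are released here.
// Fixes relative to the original: buffers were never released when a step after
// VirtualAllocEx failed, and the parameter block was released through pRemoteParam (an
// address in this process) instead of ParamAdd (its address inside the target).
BOOL CMFCApplication1Dlg::InjectRemoteFunc(DWORD dwPid, LPVOID mFunc, LPVOID pRemoteParam, DWORD dwSize, DWORD dwWaitTime)
{
    // Only the rights the calls below need, instead of PROCESS_ALL_ACCESS:
    // VirtualAllocEx/VirtualFreeEx (VM_OPERATION), WriteProcessMemory (VM_WRITE + VM_OPERATION),
    // CreateRemoteThread (CREATE_THREAD + QUERY_INFORMATION + VM_OPERATION + VM_WRITE + VM_READ).
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID ThreadAdd = NULL;      // code copy, in the target's address space
    LPVOID ParamAdd = NULL;       // parameter copy, in the target's address space (dwSize != 0 only)
    SIZE_T cbWritten = 0;
    DWORD dwThreadId = 0;
    BOOL bSucc = FALSE;
    BOOL bRemoteMayRun = FALSE;   // set when the wait times out

    do
    {
        hProcess = OpenProcess(dwAccess, FALSE, dwPid);
        if (NULL == hProcess) break;

        ThreadAdd = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (NULL == ThreadAdd) break;

        if (!WriteProcessMemory(hProcess, ThreadAdd, mFunc, 4096, &cbWritten)) break;

        if (dwSize != 0)
        {
            ParamAdd = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
            if (NULL == ParamAdd) break;
            if (!WriteProcessMemory(hProcess, ParamAdd, pRemoteParam, dwSize, &cbWritten)) break;
        }

        // ParamAdd stays NULL when no parameter block was requested, as in the original.
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)ThreadAdd,
                                     ParamAdd, 0, &dwThreadId);
        if (NULL == hThread) break;

        bSucc = TRUE;
    } while (false);

    if (bSucc)
    {
        // The remote thread executes from ThreadAdd and reads ParamAdd; only a timeout
        // leaves it possibly still running.
        bRemoteMayRun = (WaitForSingleObject(hThread, dwWaitTime) == WAIT_TIMEOUT);
    }

    // hThread is NULL whenever bSucc is FALSE, so releasing on the failure path cannot
    // pull memory out from under a running thread.
    if (!bRemoteMayRun && NULL != hProcess)
    {
        if (NULL != ThreadAdd) VirtualFreeEx(hProcess, ThreadAdd, 0, MEM_RELEASE);
        if (NULL != ParamAdd) VirtualFreeEx(hProcess, ParamAdd, 0, MEM_RELEASE);
    }

    if (NULL != hThread) CloseHandle(hThread);
    if (NULL != hProcess) CloseHandle(hProcess);
    return bSucc;
}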
调用:
// Parameter block for PuthLants: InjectRemoteFunc copies sizeof(_putPlant) bytes of it into
// the target process and passes that copy as the remote thread's LPVOID argument.
typedef struct _putPlant
{
    UINT U_X;   // loaded into eax by PuthLants before the call
    UINT U_Y;   // pushed as a stack argument
    UINT U_ID;  // pushed as a stack argument
}_putPlant, *putPlant;
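// Usage, from inside a CMFCApplication1Dlg member (GetWindows and InjectRemoteFunc are members).
// Step 1: resolve the process id from either of the two known window titles.
DWORD Pid = GetWindows(L"雨版:疯狂模式 by sanshou & ttbbs");
if (Pid == 0)
{
    Pid = GetWindows(L"植物大战僵尸雨版");
}
// NOTE(review): parame is a _putPlant whose U_X/U_Y/U_ID must be filled in before this point;
// its declaration is not part of this excerpt. The original text read "¶me", an HTML-entity
// mangling of "&parame". dwWaitTime is presumably left at the default declared in the header.
// If both lookups failed Pid is still 0 and OpenProcess inside InjectRemoteFunc fails, which
// ends up in the failure message below.
if (!InjectRemoteFunc(Pid, PuthLants, &parame, sizeof(_putPlant)))
{
    MessageBox(L"远程调用失败", NULL, 0);
}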
执行步骤:
//第一步拿到句柄打开窗口
DWORD Pid = GetWindows(L"雨版:疯狂模式 by sanshou & ttbbs");
if (Pid == 0)
{
Pid = GetWindows(L"植物大战僵尸雨版");
}
//第二步打开窗口
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
if (!hProcess)
{
MessageBox(L"打开失败", NULL, 0);
return;
}
第三步分配空间
PVOID Poid = ::VirtualAllocEx(hProcess,NULL,4096, MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if (Poid == NULL)
{
MessageBox(L"分配空间失败", NULL, 0);
return;
}
第四步 往分配的内存写入代码
WriteProcessMemory(窗口句柄, 写的分配地址, 写什么进去汇编代码,写多大,&拿写的地址 );
DWORD byWrite = 0;
if (!::WriteProcessMemory(hProcess, Poid , PuthLant, 4096, &byWrite) )
{
MessageBox(L"写入汇编代码失败", NULL, 0);
return;
}
第五步 执行目标代码 创建远程线程 执行HOOK
HANDLE hThread = ::CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)Poid,NULL,NULL,NULL);
if (NULL == hThread) break;
第六步 线程结束后 释放资源
dwWait = WaitForSingleObject(hThread, dwWaitTime = INFINITE 默认时间); 写失败后的操作关闭句柄
if (dwWait == WAIT_TIMEOUT)
goto end;//如果等待超时放弃释放资源,
//释放目标资源
if (bSucc && ThreadAdd && hProcess)
VirtualFreeEx(hProcess, ThreadAdd, 0,MEM_RELEASE);
if (bSucc && (0 != dwSize) && pRemoteParam && hProcess)
VirtualFreeEx(hProcess, pRemoteParam, 0, MEM_RELEASE);
//失败操作
end:
if (NULL != hThread) CloseHandle(hThread); 关闭句柄 每次失败或者完成就关闭句柄
if (NULL != hProcess) CloseHandle(hProcess);