// Button handler: locates the "AskTao" window, opens its process and runs
// discardeditems() inside it via the classic remote-thread injection sequence
// (OpenProcess -> VirtualAllocEx RWX -> WriteProcessMemory -> CreateRemoteThread).
// From a defender's point of view this exact call chain, with an RWX allocation
// and a cross-process write followed by a remote thread, is the textbook
// injection pattern that endpoint monitoring is built to flag.
// Diagnostic text (window handle, PID, process handle) is appended to
// m_mytext and pushed to the dialog with UpdateData(FALSE).
void CCALLDlg::OnButton1()
{
DWORD pRocessid;
// 12 chars holds a decimal 32-bit int plus NUL; the (int) casts below truncate
// handles on 64-bit builds (display only, so cosmetic there).
TCHAR w[12],p[12],r[12];
// TODO: Add your control notification handler code here
// Lookup is by window class name; an empty window-name argument is passed
// (whether that is meant to match an empty title or any title is not checked here).
// hWnd is never tested for NULL, so a missing window falls through to the PID/open calls.
HWND hWnd=::FindWindow("AskTao","");
_itot((int)hWnd,w,10);
//GetDlgItem(IDC_EDIT1)->SetWindowText(w);
m_mytext+="窗口句柄:";
m_mytext+=w;
m_mytext+="\r\n";
::GetWindowThreadProcessId(hWnd,&pRocessid);
_itot((int)pRocessid,p,10);
m_mytext+="PID:";
m_mytext+=p;
m_mytext+="\r\n";
// Requests full access; the returned handle is not checked, so every later
// call silently fails with h == NULL (only the write reports an error).
HANDLE h = OpenProcess(PROCESS_ALL_ACCESS,false,pRocessid);
_itot((int)h,r,10);
m_mytext+="进程句柄:";
m_mytext+=r;
m_mytext+="\r\n";
UpdateData(FALSE);
// 0x1500 bytes of writable+executable memory in the target; result unchecked.
LPVOID callMemorynum =VirtualAllocEx(h,NULL,0x1500,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// Copies 0x1500 raw bytes starting at the address of discardeditems(), i.e. the
// function's machine code plus whatever follows it in this module's image.
if(!WriteProcessMemory(h,callMemorynum,discardeditems,0x1500,NULL)){
MessageBox(_T("写内存失败!"),_T("错误信息"),MB_OK);
}
DWORD Theadid;
// The thread handle returned here is discarded (never closed) and Theadid is unused.
CreateRemoteThread(h,NULL,0,(LPTHREAD_START_ROUTINE)callMemorynum,0,0,&Theadid);
// Released immediately after the thread is started rather than after it has run,
// and with a non-zero size (decimal 1500, not the 0x1500 allocated) although
// MEM_RELEASE requires dwSize == 0 — so this call is unreliable as written.
VirtualFreeEx(h,callMemorynum,1500,MEM_RELEASE);
CloseHandle(h);
}
//005EDE96 . 51 PUSH ECX ; 数量
//005EDE97 > 8B95 F4020000 MOV EDX,DWORD PTR SS:[EBP+2F4]
//005EDE9D . 52 PUSH EDX ; 位置
//005EDE9E . 68 2CBAAE00 PUSH asktao.00AEBA2C ; ASCII "pos = %d, amount = %d"
//005EDEA3 . 68 48200000 PUSH 2048
//005EDEA8 . E8 D3EF0A00 CALL asktao.0069CE80
//005EDEAD . 83C4 10 ADD ESP,10
// Payload body copied into the target process by OnButton1 and used as the
// remote thread's start routine. It only makes sense when executed inside
// the target: it reproduces the call listed in the disassembly comment above
// (args pushed right-to-left: amount in ecx, position in edx, the format
// string address, then 0x2048) and calls the hard-coded function address.
// Every address here is taken from one specific build of the target binary,
// so the code is tied to that exact image. pushad/popad preserve the caller's
// registers; add esp,0x10 removes the four pushed dwords (cdecl-style cleanup).
VOID discardeditems()
{
_asm
{
pushad
mov ecx,0x1
push ecx
mov edx,0x66
push edx
push 0x00AEBA2C
push 0x2048
mov esi,0x0069CE80
call esi
add esp,0x10
popad
}
}
这是问道丢掉物品远程写入函数
你可以根据这个ReadProcessMemory 这个函数读取内存 基址+偏移 找到地址 直接用WriteProcessMemory写到这个地址就行了 |