一直以来都是用代码注入的，现在想用DLL注入。发现用消息钩子加载DLL的方法卸载不了，不便调试，于是有下面的代码：
// Function-pointer types mirroring the kernel32 entry points the remote stubs call.
// The stubs (LoadDllThread / FreeDllThread) are copied into the target process as raw
// bytes, so they reach these APIs only through pointers carried in RemoteParam rather
// than through this module's own imports.
typedef HMODULE (__stdcall *LoadLibraryPtr)(LPCTSTR lpFileName);
typedef FARPROC (__stdcall *GetProcAddressPtr)(HMODULE hModule,LPCSTR lpProcName);
typedef BOOL (__stdcall *FreeLibraryPtr)(HMODULE hModule);
typedef BOOL (__stdcall *CloseHandlePtr)( HANDLE hObject);
typedef HANDLE (__stdcall *CreateThreadPtr)( LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
);
// Parameter block shared between the injector and the target process.
// It is written verbatim into the target with WriteProcessMemory and the stub code is
// placed directly after it (at nAddr + sizeof(RemoteParam)), so the layout and size of
// this struct are part of the wire format: changing a field shifts the code address.
// All addresses are DWORD and pointers are moved with 32-bit inline asm below, so the
// whole scheme only holds for a 32-bit injector talking to a 32-bit target.
typedef struct tagRemoteParam
{
HMODULE hModule;          // set by LoadDllThread in the target; read back by FreeDll to decide whether to unload
HANDLE hThread;           // not referenced anywhere in the visible code
DWORD len;                // byte length of the stub copied into the target (End_Code - LoadDllThread)
DWORD LoadDllAddr;        // target-process address of the LoadDllThread copy
DWORD FreeDllAddr;        // target-process address of the FreeDllThread copy
// Function pointers captured from the injector's own address space (see InJectInto).
// The stub calls through them inside the target, so this assumes kernel32 is mapped
// at the same base address in both processes -- not checked anywhere in this code.
LoadLibraryPtr LoadLibraryA;
GetProcAddressPtr GetProcAddress;
FreeLibraryPtr FreeLibrary;
CreateThreadPtr CreateThread;
CloseHandlePtr CloseHandle;
char DllName[128];        // full DLL path, built with wsprintf and no length check (see InJectInto)
}RemoteParam,*lpRemotoParam;
// Global variables
HWND hGameWnd=NULL;       // target window, set in OnBnClickedButton1
DWORD GamePid=0;          // target process id derived from hGameWnd; 0 until a window was found
char inifile[256]={0};    // <module dir>\setting.ini, used to cache the remote addresses between runs
char path[256]={0};       // directory of this module; the DLL name is appended to it
RemoteParam rp={0};       // single shared parameter block, reused by InJectInto and FreeDll (not thread-safe)
// Dialog initialisation: resolves the module directory into `path` and builds the
// settings file name in `inifile`.
// NOTE(review): the function is declared BOOL but never returns a value, which is
// undefined behaviour in C++; MFC also normally expects the base-class OnInitDialog
// to be called here -- confirm against the rest of the dialog class.
// NOTE(review): lstrcat appends to a 256-byte buffer with no remaining-length check.
BOOL CInjectDllDlg::OnInitDialog()
{
::GetModulePath (inifile,256);
::GetModulePath (path,256);
lstrcat(inifile,"\\setting.ini");
}
// Stub executed inside the target process on the thread started by CreateRemoteThread.
// `rp` points at the RemoteParam copy in the target. Loads the DLL through the
// LoadLibraryA pointer carried in the block and stores the module handle back into the
// block, where FreeDll later reads it with ReadProcessMemory.
// Only this function's raw bytes are copied (see InJectInto), so it must touch nothing
// but what `rp` provides; any call into this module's imports or globals would point
// into the wrong address space.
void __stdcall LoadDllThread(RemoteParam *rp)
{
rp->hModule =rp->LoadLibraryA (rp->DllName );
}
// Counterpart of LoadDllThread, also run inside the target via CreateRemoteThread.
// Unloads the module recorded by LoadDllThread and clears the handle so a second
// FreeDll call finds nothing to do. Same constraint as LoadDllThread: raw bytes only,
// everything must come through `rp`.
void __stdcall FreeDllThread(RemoteParam *rp)
{
if(rp->hModule )
{
rp->FreeLibrary (rp->hModule );
rp->hModule =NULL;
}
}
// Marker function: its address minus LoadDllThread's is used as the byte count of the
// stub to copy (rp.len in InJectInto). noinline keeps it a distinct symbol. This only
// measures the stubs correctly if the compiler and linker emit LoadDllThread,
// FreeDllThread and End_Code contiguously and in declaration order -- assumed here,
// never verified (incremental linking or reordering would silently break it).
static __declspec(noinline) int End_Code(){return 1;}
// Copies the RemoteParam block plus the two stubs into process `pid` and starts a
// remote thread at the LoadDllThread copy.
//   pid      - target process id (passed as long here, DWORD in FreeDll)
//   DllName  - file name of the DLL, resolved relative to the module directory `path`
// Returns TRUE once the remote thread has been requested; it does not wait for the
// thread nor check whether the load succeeded. Status text is left in `msg`
// (presumably a CString member of the dialog) and pushed to the UI with UpdateData.
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread loader
// sequence and is exactly what endpoint monitoring keys on.
BOOL CInjectDllDlg::InJectInto(long pid, const char * DllName)
{
PROCESS_INFORMATION pi={0};
pi.dwProcessId =pid;
char buf[1024]={0};
BOOL bret=0;
BOOL ISOK=0;
do
{
pi.hProcess =::OpenProcess (PROCESS_ALL_ACCESS,0,pi.dwProcessId );
if(pi.hProcess ==NULL)
{
msg="Open Process Fail.\r\n";
break;
}
DWORD nAddr;
LPVOID lpAddr=NULL;
char AppName[64]={0};
// Ini section name for this pid. The literal looks extraction-garbled ("rocessId");
// FreeDll uses the same literal, so the two still agree on the section.
wsprintf(AppName,"rocessId:%d",pi.dwProcessId );
// 128-byte DllName is filled without a length check; a long module path overflows rp.
wsprintf(rp.DllName ,"%s\\%s",path,DllName);
// Local kernel32 addresses handed to the target; valid there only if kernel32 shares
// its base address across processes (assumed, not checked).
rp.CloseHandle =::CloseHandle;
rp.CreateThread =::CreateThread ;
rp.FreeLibrary =::FreeLibrary;
rp.GetProcAddress =::GetProcAddress;
// NOTE(review): looks extraction-garbled -- presumably ::LoadLibraryA.
rp.LoadLibraryA =:oadLibraryA ;
// Reuse the remote page cached in the ini from a previous run, if any. A cached
// address from an earlier instance of the process is stale and is not validated.
nAddr=::ReadValue (AppName,"addr",16,inifile);
if(nAddr==0)
{
// One RWX page holds the parameter block followed by the stub code; nothing checks
// that sizeof(rp) + rp.len actually fits in 0x1000 bytes.
lpAddr=::VirtualAllocEx (pi.hProcess ,0,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE );
if(lpAddr==NULL)
{
msg="Alloc Virtual Memory Fail.\r\n";
break;
}
// Pointer -> DWORD via push/pop: a 32-bit x86 trick (MSVC inline asm is x86-only),
// equivalent to a plain cast on that target.
_asm{
push lpAddr;
pop nAddr;
}
::WriteValue (AppName,"addr",nAddr,16,inifile);
}
else
{
// DWORD -> pointer, same trick in the other direction.
_asm{
push nAddr;
pop lpAddr;
}
}
// Code is laid out immediately after the parameter block in the remote page.
rp.LoadDllAddr=nAddr+sizeof(rp);
::WriteValue (AppName,"load",rp.LoadDllAddr,16,inifile);
DWORD len=0;
// Offsets taken from the local function addresses; assumes LoadDllThread,
// FreeDllThread and End_Code are emitted contiguously and in that order (see End_Code).
len=DWORD(LPBYTE(FreeDllThread)-LPBYTE(LoadDllThread));
rp.FreeDllAddr =rp.LoadDllAddr+len;
::WriteValue (AppName,"free",rp.FreeDllAddr,16,inifile);
rp.len=DWORD(LPBYTE(End_Code)-LPBYTE(LoadDllThread));
bret=::WriteProcessMemory (pi.hProcess ,lpAddr,&rp,sizeof(rp),0);
if(bret==0)
{
msg="Write Param Data to Game's Process Faile.\r\n";
break;
}
// *(LPVOID*)&DWORD reinterprets the 32-bit address as a pointer; only valid on x86.
bret=::WriteProcessMemory (pi.hProcess ,*(LPVOID*)&rp.LoadDllAddr ,(LPVOID)LoadDllThread,rp.len ,0);
if(bret==0)
{
msg="Write Code data to Game's Process Faile.\r\n";
break;
}
// Persist the block (minus DllName) plus the DLL name into the ini; Byte2Char is a
// project helper, presumably a byte-to-text encoder -- confirm.
::Byte2Char ((BYTE*)&rp,buf,sizeof(rp)-128,1);
lstrcat(buf,rp.DllName );
::WriteString (AppName,"data",buf,inifile);
msg.Format ("Memory Addr:%#x\r\nLoad Addr:%#x\r\nFree Addr:%#x\r\nCode Size:%d\r\n",nAddr,rp.LoadDllAddr ,\
rp.FreeDllAddr ,rp.len );
// Starts the stub with the remote block as its argument. The thread handle is closed
// at once and the return value is never checked: a NULL from CreateRemoteThread still
// reaches CloseHandle and ISOK is still set.
::CloseHandle (::CreateRemoteThread (pi.hProcess ,0,0,LPTHREAD_START_ROUTINE (*(LPVOID*)&rp.LoadDllAddr ),lpAddr,0,0));
ISOK=1;
}while(0);
if(pi.hProcess )
{
::CloseHandle (pi.hProcess );
// NOTE(review): looks extraction-garbled -- presumably &pi.
memset(π,0,sizeof(pi));
}
UpdateData (0);
return ISOK;
}
// Asks the target process to unload the DLL injected by InJectInto.
//   pid - target process id
// Looks up the remote page address cached in the ini, reads the RemoteParam copy back
// from the target and, if LoadDllThread recorded a module handle there, starts a remote
// thread at the FreeDllThread copy. Returns TRUE once that thread has been requested.
// Like InJectInto it does not wait for the thread; `msg` carries the status text.
BOOL CInjectDllDlg::FreeDll(DWORD pid)
{
// Clear the shared global so every field below comes from the target's copy.
memset(&rp,0,sizeof(rp));
PROCESS_INFORMATION pi={0};
pi.dwProcessId =pid;
char buf[1024]={0};
BOOL bret=0;
BOOL ISOK=0;
do
{
pi.hProcess =::OpenProcess (PROCESS_ALL_ACCESS,0,pi.dwProcessId );
if(pi.hProcess ==NULL)
{
msg="Open Process Fail.\r\n";
break;
}
DWORD nAddr;
LPVOID lpAddr=NULL;
char AppName[64]={0};
// Same (apparently garbled) section name as InJectInto, so the lookup still matches.
wsprintf(AppName,"rocessId:%d",pi.dwProcessId );
nAddr=::ReadValue (AppName,"addr",16,inifile);
// No cached address: nothing was injected from this ini. `msg` is left untouched here.
if(nAddr==0)break;
// Reads the block back from the target. A stale cached address (process restarted)
// is not detected; the read either fails or returns unrelated memory.
bret=::ReadProcessMemory (pi.hProcess ,*(LPVOID*)&nAddr,&rp,sizeof(rp),0);
if(bret==0)
{
msg="Read Param Data Fail.\r\n";
break;
}
if(rp.hModule )
{
// FreeDllAddr was computed by InJectInto; thread handle and return value are not checked.
::CloseHandle (::CreateRemoteThread (pi.hProcess ,0,0,LPTHREAD_START_ROUTINE (*(LPVOID*)&rp.FreeDllAddr ),*(LPVOID*)&nAddr,0,0));
}
else
{
// Nothing loaded (or already freed): leave without a status message.
break;
}
msg="Free Library from game's process is ok...\r\n";
ISOK=1;
}while(0);
if(pi.hProcess )
{
::CloseHandle (pi.hProcess );
// NOTE(review): looks extraction-garbled -- presumably &pi.
memset(π,0,sizeof(pi));
}
UpdateData (0);
return ISOK;
}
// "Load" button: locates the target window, resolves its process id and injects
// AutoLib.dll from the module directory. Progress text accumulates in `msg`.
void CInjectDllDlg::OnBnClickedButton1()// Load
{
do
{
//hGameWnd=::FindGameWnd ();
// Hard-coded to an untitled Notepad window (title "无标题 - 记事本"), evidently for
// testing; the project helper FindGameWnd is commented out above.
hGameWnd=::FindWindowEx (0,0,"Notepad","无标题 - 记事本");
if(hGameWnd==NULL)
{
msg="Find Game Window Error\r\n";
break;
}
::GetWindowThreadProcessId (hGameWnd,&GamePid );
if(GamePid==0)
{
msg="Get Process id Fail.\r\n";
break;
}
// InJectInto already set `msg` on failure; the text below is appended to it.
if(InJectInto(GamePid,"AutoLib.dll")==0)
{
msg+="Inject .Dll Into Game's Process Fail.\r\n";
break;
}
msg+="\r\nInject .Dll Into Game's Processs Ok...\r\n";
}while(0);
UpdateData (0);
}
// "Unload" button: requests the unload for the process found by the Load button.
// Does nothing (and shows nothing) if no process id has been resolved yet.
void CInjectDllDlg::OnBnClickedButton2()// Unload
{
if(GamePid)
{
FreeDll(GamePid);
}
}