上一个内容:34.构建核心注入代码
34.构建核心注入代码它的调用LoadLibrary函数的代码写到游戏进程中之后无法调用,动态链接库的路径是一个内存地址,写到游戏进程中只把内存地址写过去了,内存地址里的内容没写过去,导致LoadLibrary函数调用时找不到动态链接库地址的字符串。
这次实现的就是把我们进程中的数据写到游戏进程中。让LoadLibrary可以正常调用。
这里实现的是远程线程注入,不是入口点注入。
34.构建核心注入代码它的代码为基础进行修改
CWndINJ.cpp文件中的修改:注入的dll必须要与目标进程环境一样目标进行是32位dll也要是32位
void CWndINJ::OnNMDblclkList1(NMHDR* pNMHDR, LRESULT* pResult)
{
LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
// TODO: 在此添加控件通知处理程序代码
*pResult = 0;
int index = pNMItemActivate->iItem;
if (index < 0)return;
CString GamePath = ExeLst.GetItemText(index, 2);
CString GameExe = ExeLst.GetItemText(index, 1);
CString GameCmds = ExeLst.GetItemText(index, 3);
CString GameDlls = ExeLst.GetItemText(index, 4);// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。
// STARTUPINFO si{};
// si.cb = sizeof(si);
PROCESS_INFORMATION prinfo{};
m_INJCET.StartProcess(GameExe, GamePath, GameCmds.GetBuffer(), &prinfo);m_INJCET.CreateRemoteData(prinfo.hProcess, L"F:\\代码存放地\\c\\GAMEHACKER2\\Release\\Dlls.dll");
//m_INJCET.CodeRemoteData(&_data);/**CreateProcess(GameExe,GameCmds.GetBuffer(),NULL,NULL,FALSE,// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,&prinfo);
*//** 方式一调用apiCStringA GameExeA;GameExeA = GameExe;PLOADED_IMAGE image = ImageLoad(GameExeA, NULL);DWORD dEntryPoint = image->FileHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);ImageUnload(image)
*//** 方式二(要在32位环境下运行)
void* image = _imageload(GameExe.GetBuffer());
IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;
unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;
IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;
DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;
CString wTxt;
wTxt.Format(L"%X", dEntryPoint);
AfxMessageBox(wTxt);
_unloadimage(image);
*/
//LPVOID adrRemote = VirtualAllocEx(prinfo.hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//SIZE_T lwt;//WriteProcessMemory(prinfo.hProcess, adrRemote, INJECTCode, 0x200, &lwt);//CString wTxt;
//wTxt.Format(L"%X", adrRemote);
//AfxMessageBox(wTxt);
// 让游戏继续运行
//m_INJCET.CreateRemoteData(prinfo.hProcess, GameDlls.GetBuffer());
ResumeThread(prinfo.hThread);
INJCET.h文件
#pragma once
#include <Windows.h>typedef unsigned int (WINAPI* _LoadLibrary)(wchar_t* dllName);typedef struct _REMOTE_DATA {wchar_t dllName[0xFF]; // 要输入的dll文件路径_LoadLibrary f_LoadLibrary;
}*PREMOTE_DATA;class INJCET
{
public:BOOL StartProcess(const wchar_t * GameExe,const wchar_t * GamePath,wchar_t * GameCmds,PROCESS_INFORMATION* LPinfo);void* ImageLoad(const wchar_t* filename);void UnloadImage(void* _data);DWORD GetEntryPoint(const wchar_t* filename);
public:BOOL CreateRemoteData(HANDLE hProcess, const wchar_t* dllName);void CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName);
};INJCET.cpp文件
#include "pch.h"
#include "INJCET.h"
#include <fstream>void _stdcall INJECTCode() {unsigned address = 0xCCCCCCCC;PREMOTE_DATA p = (PREMOTE_DATA)address;p->f_LoadLibrary(p->dllName);
}BOOL INJCET::StartProcess(const wchar_t* GameExe, const wchar_t* GamePath, wchar_t* GameCmds, PROCESS_INFORMATION* LPinfo)
{// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。STARTUPINFO si{};si.cb = sizeof(si);CreateProcess(GameExe,GameCmds,NULL, NULL,FALSE,// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,LPinfo);return TRUE;
}void* INJCET::ImageLoad(const wchar_t* filename) {std::ifstream streamReader(filename, std::ios::binary);streamReader.seekg(0, std::ios::end);unsigned filesize = streamReader.tellg();char* _data = new char[filesize];streamReader.seekg(0, std::ios::beg);streamReader.read(_data, filesize);streamReader.close();return _data;
}void INJCET::UnloadImage(void* _data) {delete[] _data;
}DWORD INJCET::GetEntryPoint(const wchar_t* filename)
{// 方式二(要在32位环境下运行根据游戏版本选择运行32还是64位的程序)void* image = ImageLoad(filename);IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);UnloadImage(image);return dEntryPoint;
}BOOL INJCET::CreateRemoteData(HANDLE hProcess, const wchar_t* dllName)
{LPVOID adrRemote = VirtualAllocEx(hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);SIZE_T lwt;LPVOID adrRemoteData = (LPVOID)((unsigned)adrRemote + 0x2000);_REMOTE_DATA remoteData{};CodeRemoteData(&remoteData, dllName);WriteProcessMemory(hProcess, adrRemoteData, &remoteData, sizeof(remoteData), &lwt);char _code[0x200];memcpy(_code, INJECTCode, sizeof(_code));for (int i = 0; i < 0x100; i++) {unsigned* pcode = (unsigned*)(&_code[i]);if (pcode[0] == 0xCCCCCCCC) {pcode[0] = (unsigned)adrRemoteData;break;}}// 0x001c0000WriteProcessMemory(hProcess, adrRemote, _code, 0x200, &lwt);CString wTxt;wTxt.Format(L"%X", adrRemote);AfxMessageBox(wTxt);DWORD dwThreadId = 0;HANDLE remoteHdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemote, NULL, 0, &dwThreadId);WaitForSingleObject(remoteHdl, INFINITE);return TRUE;
}void INJCET::CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName)
{short lenth;// 求长度for (lenth = 0; dllName[lenth]; lenth++);HMODULE hKernel = LoadLibrary(_T("kernel32.dll"));//_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");//LoadLibraryW// wchar两字节拷贝是一字节所以长度要成2memcpy(_data->dllName, dllName, (lenth + 1) * 2);/*CString wTxt;wTxt.Format(L"%X", _data->f_LoadLibrary);AfxMessageBox(wTxt);*/
}
