#include <windows.h>// 假设这两个函数是存在的
// Stub: placeholder for a routine assumed to exist in the target (no body here).
void DoRD()
{
}
// Stub: placeholder for the "adjust stack" routine assumed to exist in the target.
void 改堆栈cal1()
{
}
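// Stub: placeholder for the "restore stack" routine assumed to exist in the target.
// NOTE(review): hook #2 in main() reaches this via `jmp`, not `call`, so no return
// address is pushed; a plain C function ending in `ret` would pop whatever happens
// to be on top of the stack. The real implementation must transfer control back to
// the target itself — confirm before using it as a jmp destination.
void 改回堆栈cal1() {}

// Trampoline for hook #1 (reached by the 5-byte `call` written at HookAddress1).
// Naked: the compiler emits no prologue/epilogue, so the stack is exactly as the
// patched `call` left it (return address = HookAddress1 + 5 on top).
// pushad/popad bracket the spot where hook logic goes (currently just a nop);
// the two instructions after popad replay the bytes displaced by the patch, and
// `retn` resumes the target at HookAddress1 + 5 (the NOP written by main()).
// NOTE(review): `mov eax,[esi+8]` (3 bytes) + `sub eax,ecx` (2 bytes) replays
// 5 bytes, while main() overwrites 6 — verify against a disassembly that no other
// instruction starts inside the patched range.
// MSVC 32-bit only: `__asm` blocks are not available in x64 builds.
__declspec(naked) void HOOKcall()
{
    __asm {
        pushad
        nop
    }
    __asm {
        popad
        mov eax, dword ptr [esi + 8]
        sub eax, ecx
        retn
    }
}

// Write `opcode rel32 ; nop` (6 bytes) at `target` so control transfers to `dest`.
// opcode: 0xE8 = call, 0xE9 = jmp. rel32 is relative to the instruction after the
// 5-byte branch, hence the `- 5`.
// Returns FALSE without writing anything if the page cannot be made writable
// (typical causes: wrong address, module relocated by ASLR, not running inside
// the target process). The caller is responsible for the 6 bytes holding whole
// instructions and for the hook replaying any displaced ones.
static BOOL WriteRelativeBranch(DWORD target, DWORD dest, BYTE opcode)
{
    const SIZE_T kPatchLen = 6;               // opcode + rel32 + NOP
    DWORD oldProtect = 0;
    if (!VirtualProtect((PVOID)target, kPatchLen, PAGE_EXECUTE_READWRITE, &oldProtect))
        return FALSE;                         // do not touch memory we could not unprotect

    BYTE* p = (BYTE*)target;
    p[0] = opcode;
    *(DWORD*)(p + 1) = dest - target - 5;     // unsigned wrap gives the right rel32 for backward targets
    p[5] = 0x90;                              // NOP-fill the sixth byte

    DWORD ignored = 0;
    VirtualProtect((PVOID)target, kPatchLen, oldProtect, &ignored);   // restore original protection
    // Self-modifying code: documented requirement so the CPU picks up the new bytes.
    FlushInstructionCache(GetCurrentProcess(), p, kPatchLen);
    return TRUE;
}

// Install both inline hooks.  Returns 0 on success, 1 if a patch could not be applied.
// The addresses are fixed offsets in a specific target binary: they are only
// meaningful inside that process (presumably this runs as injected code — confirm)
// and only while the module sits at its preferred base; under ASLR relocation they
// point at unrelated bytes and the patch corrupts the process.
int main() {
    // Hook #1: `call HOOKcall ; nop` — HOOKcall returns to the target itself.
    const DWORD HookAddress1 = 0x00491C62;
    if (!WriteRelativeBranch(HookAddress1, (DWORD)HOOKcall, 0xE8))
        return 1;

    // Hook #2: `jmp 改回堆栈cal1 ; nop` — no return address is pushed; see the
    // note on 改回堆栈cal1 above.
    const DWORD HookAddress2 = 0x00492008;
    if (!WriteRelativeBranch(HookAddress2, (DWORD)改回堆栈cal1, 0xE9))
        return 1;

    return 0;
}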
DbgView输出调试信息
#include <stdio.h>
#include <stdarg.h>
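#include <windows.h>

// printf-style helper that hands a formatted message to OutputDebugStringA
// (visible in DbgView or an attached debugger). Compiled to a no-op unless
// DEBUG is defined.
// pszFormat: format string; it must be a trusted literal — never pass
//            caller/user-supplied text as the format (format-string bug), pass
//            it through "%s" instead.
// The message is truncated to the buffer size instead of tripping the CRT
// invalid-parameter handler (which vsprintf_s does on overflow).
// Anything emitted here is readable by any local debugger/DbgView instance, so
// do not log credentials, keys or other secrets through it.
void CallOutputDebugInfo(const char* pszFormat, ...) {
#ifdef DEBUG
    char szMessage[0x1000];
    char szLine[0x1100] = "";     // room for an optional prefix plus the message
    va_list argList;
    va_start(argList, pszFormat);
    // _TRUNCATE: cut the output short rather than aborting when it does not fit.
    _vsnprintf_s(szMessage, sizeof(szMessage), _TRUNCATE, pszFormat, argList);
    va_end(argList);
    strcat_s(szLine, sizeof(szLine), szMessage);
    OutputDebugStringA(szLine);
#else
    (void)pszFormat;              // silence unused-parameter warnings in non-DEBUG builds
#endif
}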
提权
#include <windows.h>
#include <stdio.h>//OpenProcess失败情况下的提权代码
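// Enable (bEnable = TRUE) or disable (FALSE) SeDebugPrivilege in the current
// process token. Used when OpenProcess() on another process fails for lack of
// access.
// Returns TRUE only if the privilege state was actually changed.
// Security note: AdjustTokenPrivileges can only toggle a privilege the token
// already holds (i.e. an administrator / elevated token). It cannot grant one, so
// despite the name this is not a privilege escalation; for a non-admin token the
// call "succeeds" with ERROR_NOT_ALL_ASSIGNED and this function returns FALSE.
BOOL Call_ElevatePrivilege(BOOL bEnable) {
    BOOL fOK = FALSE;
    HANDLE hToken = NULL;

    // TOKEN_ADJUST_PRIVILEGES is sufficient since no previous state is requested.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    // If the LUID lookup fails the LUID is uninitialised garbage, so do not adjust.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
        // AdjustTokenPrivileges returns TRUE even when it could not assign the
        // privilege; the real outcome is GetLastError(): ERROR_SUCCESS on success,
        // ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            fOK = (GetLastError() == ERROR_SUCCESS);
    }

    CloseHandle(hToken);
    return fOK;
}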