上一个内容:34.构建核心注入代码
34.构建核心注入代码它的调用LoadLibrary函数的代码写到游戏进程中之后无法调用,动态链接库的路径是一个内存地址,写到游戏进程中只把内存地址写过去了,内存地址里的内容没写过去,导致LoadLibrary函数调用时找不到动态链接库地址的字符串。
这次实现的就是把我们进程中的数据写到游戏进程中。让LoadLibrary可以正常调用。
这里实现的是远程线程注入,不是入口点注入。
34.构建核心注入代码它的代码为基础进行修改
CWndINJ.cpp文件中的修改:注入的dll必须要与目标进程环境一样目标进行是32位dll也要是32位
void CWndINJ::OnNMDblclkList1(NMHDR* pNMHDR, LRESULT* pResult)
{
LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
// TODO: 在此添加控件通知处理程序代码
*pResult = 0;
int index = pNMItemActivate->iItem;
if (index < 0)return;
CString GamePath = ExeLst.GetItemText(index, 2);
CString GameExe = ExeLst.GetItemText(index, 1);
CString GameCmds = ExeLst.GetItemText(index, 3);
CString GameDlls = ExeLst.GetItemText(index, 4);
// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。
// STARTUPINFO si{};
// si.cb = sizeof(si);
PROCESS_INFORMATION prinfo{};
m_INJCET.StartProcess(GameExe, GamePath, GameCmds.GetBuffer(), &prinfo);
m_INJCET.CreateRemoteData(prinfo.hProcess, L"F:\\代码存放地\\c\\GAMEHACKER2\\Release\\Dlls.dll");
//m_INJCET.CodeRemoteData(&_data);
/**
CreateProcess(GameExe,
GameCmds.GetBuffer(),
NULL,NULL,
FALSE,
// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。
CREATE_SUSPENDED,
NULL,
GamePath,
&si,
&prinfo
);
*/
/** 方式一调用api
CStringA GameExeA;
GameExeA = GameExe;
PLOADED_IMAGE image = ImageLoad(GameExeA, NULL);
DWORD dEntryPoint = image->FileHeader->OptionalHeader.AddressOfEntryPoint;
CString wTxt;
wTxt.Format(L"%X", dEntryPoint);
AfxMessageBox(wTxt);
ImageUnload(image)
*/
/** 方式二(要在32位环境下运行)
void* image = _imageload(GameExe.GetBuffer());
IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;
unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;
IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;
DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;
CString wTxt;
wTxt.Format(L"%X", dEntryPoint);
AfxMessageBox(wTxt);
_unloadimage(image);
*/
//LPVOID adrRemote = VirtualAllocEx(prinfo.hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//SIZE_T lwt;
//WriteProcessMemory(prinfo.hProcess, adrRemote, INJECTCode, 0x200, &lwt);
//CString wTxt;
//wTxt.Format(L"%X", adrRemote);
//AfxMessageBox(wTxt);
// 让游戏继续运行
//m_INJCET.CreateRemoteData(prinfo.hProcess, GameDlls.GetBuffer());
ResumeThread(prinfo.hThread);
INJCET.h文件
#pragma once
#include <Windows.h>
typedef unsigned int (WINAPI* _LoadLibrary)(wchar_t* dllName);
typedef struct _REMOTE_DATA {
wchar_t dllName[0xFF]; // 要输入的dll文件路径
_LoadLibrary f_LoadLibrary;
}*PREMOTE_DATA;
class INJCET
{
public:
BOOL StartProcess(
const wchar_t * GameExe,
const wchar_t * GamePath,
wchar_t * GameCmds,
PROCESS_INFORMATION* LPinfo
);
void* ImageLoad(const wchar_t* filename);
void UnloadImage(void* _data);
DWORD GetEntryPoint(const wchar_t* filename);
public:
BOOL CreateRemoteData(HANDLE hProcess, const wchar_t* dllName);
void CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName);
};
INJCET.cpp文件
#include "pch.h"
#include "INJCET.h"
#include <fstream>
void _stdcall INJECTCode() {
unsigned address = 0xCCCCCCCC;
PREMOTE_DATA p = (PREMOTE_DATA)address;
p->f_LoadLibrary(p->dllName);
}
BOOL INJCET::StartProcess(const wchar_t* GameExe, const wchar_t* GamePath, wchar_t* GameCmds, PROCESS_INFORMATION* LPinfo)
{
// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。
STARTUPINFO si{};
si.cb = sizeof(si);
CreateProcess(GameExe,
GameCmds,
NULL, NULL,
FALSE,
// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。
CREATE_SUSPENDED,
NULL,
GamePath,
&si,
LPinfo
);
return TRUE;
}
void* INJCET::ImageLoad(const wchar_t* filename) {
std::ifstream streamReader(filename, std::ios::binary);
streamReader.seekg(0, std::ios::end);
unsigned filesize = streamReader.tellg();
char* _data = new char[filesize];
streamReader.seekg(0, std::ios::beg);
streamReader.read(_data, filesize);
streamReader.close();
return _data;
}
void INJCET::UnloadImage(void* _data) {
delete[] _data;
}
DWORD INJCET::GetEntryPoint(const wchar_t* filename)
{
// 方式二(要在32位环境下运行根据游戏版本选择运行32还是64位的程序)
void* image = ImageLoad(filename);
IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;
unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;
IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;
DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;
CString wTxt;
wTxt.Format(L"%X", dEntryPoint);
AfxMessageBox(wTxt);
UnloadImage(image);
return dEntryPoint;
}
BOOL INJCET::CreateRemoteData(HANDLE hProcess, const wchar_t* dllName)
{
LPVOID adrRemote = VirtualAllocEx(hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
SIZE_T lwt;
LPVOID adrRemoteData = (LPVOID)((unsigned)adrRemote + 0x2000);
_REMOTE_DATA remoteData{};
CodeRemoteData(&remoteData, dllName);
WriteProcessMemory(hProcess, adrRemoteData, &remoteData, sizeof(remoteData), &lwt);
char _code[0x200];
memcpy(_code, INJECTCode, sizeof(_code));
for (int i = 0; i < 0x100; i++) {
unsigned* pcode = (unsigned*)(&_code[i]);
if (pcode[0] == 0xCCCCCCCC) {
pcode[0] = (unsigned)adrRemoteData;
break;
}
}
// 0x001c0000
WriteProcessMemory(hProcess, adrRemote, _code, 0x200, &lwt);
CString wTxt;
wTxt.Format(L"%X", adrRemote);
AfxMessageBox(wTxt);
DWORD dwThreadId = 0;
HANDLE remoteHdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemote, NULL, 0, &dwThreadId);
WaitForSingleObject(remoteHdl, INFINITE);
return TRUE;
}
void INJCET::CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName)
{
short lenth;
// 求长度
for (lenth = 0; dllName[lenth]; lenth++);
HMODULE hKernel = LoadLibrary(_T("kernel32.dll"));
//_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");
_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");
//LoadLibraryW
// wchar两字节拷贝是一字节所以长度要成2
memcpy(_data->dllName, dllName, (lenth + 1) * 2);
/*CString wTxt;
wTxt.Format(L"%X", _data->f_LoadLibrary);
AfxMessageBox(wTxt);*/
}
