三个模块
1,game.exe:提供attack/rest/blood三个方法,从控制台读取指令('A','R','B')分别调用这三个方法,'Q'退出;
2,WGDll.dll,要注入到game进程中的dll文件;
3,myconsole.exe,用来注入dll文件的程序;
先开启game进程,然后用myconsole把dll注入到game;dll模块和myconsole模块利用共享内存(命名文件映射"gameDll")实现进程间通信:myconsole向共享内存写入指令,dll模块轮询读取指令后按硬编码地址调用game模块中的方法,从而达到控制game的目的。注意:示例中的myconsole实际是随机选取'A'/'B'/'R'写入共享内存,并未读取控制台输入;dll中的函数地址只对生成这些地址的那一个32位构建有效,换构建或开启ASLR后必须重新取地址;该共享内存未设置安全描述符,同一会话内任何能打开该名字的进程都能向game下发指令。
game模块
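#include <stdio.h>

/*
 * game.exe: a stand-in "game" whose three actions are driven by single
 * characters read from stdin.
 *
 * attack()/rest()/blood() are also called directly by the injected DLL
 * (WGDll.dll) through hard-coded absolute addresses. They must therefore keep
 * external linkage, and those addresses are only valid for the exact build the
 * DLL was written against: any code change, a 64-bit build, or a relocated
 * image base (ASLR) invalidates them.
 */

void attack()
{
    printf("**********attack**********");
}

void rest()
{
    printf("**********rest********** ");
}

void blood()
{
    printf("**********blood********** ");
}

/*
 * Executes one command character.
 *
 * order: the value returned by getchar() (a character or EOF).
 * Returns 0 when the game should stop ('Q' or EOF), 1 otherwise. Any other
 * character - including the '\n' that follows every console line - is ignored.
 */
static int dispatch(int order)
{
    switch (order) {
    case 'A':
        attack();
        break;
    case 'R':
        rest();
        break;
    case 'B':
        blood();
        break;
    case 'Q':
        printf("**********GAME OVER********** ");
        return 0;
    case EOF:
        /* stdin closed or redirected input exhausted. The original stored
         * getchar() into a char, which truncated EOF and spun forever. */
        return 0;
    default:
        break;
    }
    return 1;
}

int main()
{
    printf("**********GAME BEGIN********** ");
    while (dispatch(getchar())) {
    }
    return 0;
}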
dll模块
// dllmain.cpp : 定义 DLL 应用程序的入口点。 #include<Windows.h> #include<iostream> #include<stdio.h> using namespace std; #define _MAP_ TEXT("gameDll") #define ATTACK 0x0641740 #define REST 0x0641800 #define BLOOD 0x06417a0 HANDLE hMapFile; LPTSTR lpBuffer; TCHAR dwType; DWORD WINAPI ThreadProc(LPVOID lpParameter) { HANDLE hMapFile = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, _MAP_); if (!hMapFile) { printf("OpenMappingFile Error : %d", GetLastError()); return 0; } lpBuffer = (LPTSTR)MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ); for (;;) { Sleep(2000); if (lpBuffer != NULL) { // CopyMemory(&dwType, lpBuffer, 4); wmemcpy_s(&dwType, 4, lpBuffer, 1); wcout << lpBuffer << endl; } if (dwType == L'A') { //MessageBox(NULL, TEXT("AAAAA"), TEXT("AAAAA"), MB_OK); __asm { mov eax, ATTACK call eax } //dwType = 0; //CopyMemory(lpBuffer, &dwType, 4); } if (dwType == L'B') { //MessageBox(NULL, TEXT("BBBBBB"), TEXT("BBBBBBB"), MB_OK); __asm { mov eax, BLOOD call eax } //dwType = 0; //CopyMemory(lpBuffer, &dwType, 4); } if (dwType == L'R') { //MessageBox(NULL, TEXT("RRRRRRR"), TEXT("RRRRRRR"), MB_OK); __asm { mov eax, REST call eax } //dwType = 0; //CopyMemory(lpBuffer, &dwType, 4); } if (dwType == L'Q') { //MessageBox(NULL, TEXT("QQQQQQQ"), TEXT("QQQQQQ"), MB_OK); UnmapViewOfFile(lpBuffer); } } return 0; } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: MessageBox(NULL, TEXT("hehe"), TEXT("HAHA"), MB_OKCANCEL); CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, NULL, 0, NULL); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }
myconsole模块
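#include <Windows.h>
#include <stdio.h>
#include <Tlhelp32.h>
#include <iostream>
#include <stdlib.h>
using namespace std;

#define _MAP_ TEXT("gameDll")

HANDLE hFileMapping = NULL;  // named mapping shared with the injected DLL
LPTSTR lpBuffer = NULL;      // our view of it; lpBuffer[0] carries the command

// Creates the "gameDll" mapping (0x1000 bytes backed by the paging file) and
// maps BUFSIZ bytes of it into lpBuffer. The DLL opens the same name.
// No security attributes are supplied (NULL), so the object gets the default
// DACL: any process in the same session can open it and write commands.
// Returns FALSE (with nothing left open) if either step fails.
BOOL init()
{
    hFileMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000, _MAP_);
    if (hFileMapping == NULL) {
        printf("create filemapping failed error : %d", GetLastError());
        return FALSE;
    }
    lpBuffer = (LPTSTR)MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
    if (lpBuffer == NULL) {
        printf("create filemappingview failed error : %d", GetLastError());
        CloseHandle(hFileMapping);
        hFileMapping = NULL;
        return FALSE;
    }
    return TRUE;
}

// Returns the PID of the first running process whose image name equals pDest
// (exact, case-sensitive comparison), or 0 if there is none or the snapshot
// cannot be taken.
DWORD GetPid(const TCHAR* pDest)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(PROCESSENTRY32);

    // Process32First must precede Process32Next. The original started with
    // Next and leaked the snapshot handle when nothing matched.
    DWORD pid = 0;
    for (BOOL ok = Process32First(hSnapshot, &pe32); ok; ok = Process32Next(hSnapshot, &pe32)) {
        if (wcscmp(pe32.szExeFile, pDest) == 0) {
            pid = pe32.th32ProcessID;
            wcout << pe32.szExeFile << ":" << pid << endl;
            break;
        }
    }
    CloseHandle(hSnapshot);
    return pid;
}

// Injects the DLL at path pName into process pID via the classic
// VirtualAllocEx + WriteProcessMemory + CreateRemoteThread(LoadLibraryW) route.
//
// Preconditions: we may open pID with the rights requested below; the target
// has the same bitness as this injector (the LoadLibraryW address comes from
// OUR kernel32 and is only meaningful in the target because kernel32 is mapped
// at the same base in every process of a session); pName is an absolute path
// the target process can read.
//
// Returns TRUE once the remote LoadLibraryW thread has finished; whether the
// DLL actually loaded is not checked. Every failure path releases what it
// allocated and reports the Win32 error to stdout.
BOOL LoadDll(DWORD pID, const TCHAR* pName)
{
    // Least privilege: only the rights the calls below need (the original
    // asked for PROCESS_ALL_ACCESS).
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hDestProcess = OpenProcess(access, FALSE, pID);
    if (!hDestProcess) {
        cout << "openprocess failed error : " << GetLastError() << endl;
        return FALSE;
    }

    // Bytes for the path INCLUDING the wide NUL terminator. The original used
    // sizeof(WCHAR)*len + 1, one byte short of the terminator.
    SIZE_T pLEN = (wcslen(pName) + 1) * sizeof(WCHAR);
    LPVOID lpStart = VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
    if (!lpStart) {
        cout << "virtualallocex failed error : " << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    if (!WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL)) {
        cout << "writeprocessmemory failed error : " << GetLastError() << endl;
        VirtualFreeEx(hDestProcess, lpStart, 0, MEM_RELEASE);
        CloseHandle(hDestProcess);
        return FALSE;
    }

    // An HMODULE is not a kernel handle: never CloseHandle() it (the original did).
    HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
    if (!hModule) {
        cout << "get kernel32 failed error :" << GetLastError() << endl;
        VirtualFreeEx(hDestProcess, lpStart, 0, MEM_RELEASE);
        CloseHandle(hDestProcess);
        return FALSE;
    }
    // Keep the full pointer; the original truncated it through a DWORD.
    LPTHREAD_START_ROUTINE f =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryW");
    if (!f) {
        cout << "get LoadLibraryW failed error :" << GetLastError() << endl;
        VirtualFreeEx(hDestProcess, lpStart, 0, MEM_RELEASE);
        CloseHandle(hDestProcess);
        return FALSE;
    }

    HANDLE hThread = CreateRemoteThread(hDestProcess, NULL, 0, f, lpStart, 0, NULL);
    if (!hThread) {
        cout << "createremotethread failed error : " << GetLastError() << endl;
        VirtualFreeEx(hDestProcess, lpStart, 0, MEM_RELEASE);
        CloseHandle(hDestProcess);
        return FALSE;
    }
    // The remote thread reads the path buffer, so it must not be freed until
    // LoadLibraryW returns. If the DLL blocks inside its DllMain (e.g. a
    // modal dialog), this wait blocks with it.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    VirtualFreeEx(hDestProcess, lpStart, 0, MEM_RELEASE);
    CloseHandle(hDestProcess);
    return TRUE;
}

// Creates the command channel, injects WGDll.dll into game.exe and then
// writes a random command ('A', 'B' or 'R') into the channel every 2 s.
// rand() is never seeded, so the command sequence is the same on every run.
int main()
{
    if (!init()) {
        return 1;
    }

    const TCHAR* pName = TEXT("game.exe");
    DWORD pid = GetPid(pName);
    wcout << pid << endl;
    if (pid == 0) {
        cout << "game.exe not found" << endl;
        return 1;
    }

    // Absolute path: LoadLibraryW in the target does not search for it, so the
    // DLL search order cannot substitute another file. Backslashes must be
    // escaped; the original literal's "\v" is a vertical tab, not the
    // intended directory separator.
    TCHAR DLLNAME[] = TEXT("D:\\vs-workspace\\WGDll\\Debug\\WGDll.dll");
    if (LoadDll(pid, DLLNAME)) {
        cout << "haha" << endl;
    }

    TCHAR gameCmd[] = { L'A', L'B', L'R' };
    for (;;) {
        TCHAR tempp = gameCmd[rand() % 3];
        wcout << tempp << endl;
        // Exactly one command character plus a terminator, so the DLL's
        // `wcout << lpBuffer` stops right after it. The original copied 4
        // bytes out of a 2-byte variable (stack over-read) and then rewrote
        // the first character a second time.
        lpBuffer[0] = tempp;
        lpBuffer[1] = L'\0';
        Sleep(2000);
    }
    // not reached: the loop above never exits
}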