  • c++ winapi 在当前程序(local)调用目标程序(target)的函数

    如果你的目标程序是x86/x64, 那么当前程序也需要编译为x86/x64

    #include <iostream>
    #include <string>
    #include <vector>
    #include <regex>
    
    #include "GameCheatEx.h"
    
    using namespace std;
    
    // Entry point of the sample: writes two C strings plus a small
    // machine-code stub that calls MessageBoxA into the process behind
    // gc.hProcess, runs the stub on a new thread in that process, then
    // frees the region. GameCheatEx.h is not on this page; what GC's
    // constructor does with "game2.exe" and how hProcess is obtained is
    // assumed, not shown — TODO confirm against the header.
    // Review note: none of the Win32 calls below has its return value
    // checked, so any failure (NULL allocation, 0 from GetProcAddressEx,
    // NULL thread handle) is silently carried into the next step.
    int main()
    {
      GameCheatEx::GC gc{ "game2.exe" };
    
      // GetProcAddressEx comes from GameCheatEx.h (not shown). Its result
      // is copied into the stub unchecked (memcpy_s below); a 0 result
      // would make the stub call address 0.
      uintptr_t pMessageBoxA = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "user32.dll", "MessageBoxA");
    
      const char* title = "hello";
      const char* content = "world";
      // +1 keeps the NUL terminator; these lengths size both the remote
      // copies and the layout computed below.
      size_t titleLen = strlen(title) + 1;
      size_t contentLen = strlen(content) + 1;
    
      // One 1024-byte region that is writable and executable at the same
      // time; the NULL-on-failure return is not checked. A fresh RWX
      // region in another process is exactly the kind of allocation
      // memory scanners and EDR telemetry report on.
      BYTE* newmem = (BYTE*)VirtualAllocEx(gc.hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      // %x with a pointer argument is a mismatched conversion (%p is the
      // pointer specifier); also, this string literal appears to have
      // been split across two lines by page extraction — presumably it
      // was a single "...%x\n" — TODO confirm before compiling.
      printf("newmem: %x
    ", newmem);
    
      // Region layout: title string, then content string, then the code
      // stub 8 bytes past the end of the content. The +8 gap is not
      // explained on the page.
      uintptr_t titleAddr = (uintptr_t)newmem;
      uintptr_t contentAddr = titleAddr + titleLen;
      uintptr_t funAddr = contentAddr + contentLen + 8;
      // Same format/literal caveat as the printf above.
      printf("funAddr: %x
    ", funAddr);
    
      // Copy both strings; the bytes-written out-parameter is passed as 0
      // and the BOOL result is ignored.
      WriteProcessMemory(gc.hProcess, (LPVOID)titleAddr, (LPCVOID)title, titleLen, 0);
      WriteProcessMemory(gc.hProcess, (LPVOID)contentAddr, (LPCVOID)content, contentLen, 0);
    
    #ifdef _WIN64
    
      /*
    0000- 55                    - push rbp
    0001- 48 8B EC              - mov rbp,rsp
    0004- 48 83 EC 20           - sub rsp,20
    0008- 48 B9 0000000000000000 - mov rcx,0000000000000000
    0012- 48 BA 0000000000000000 - mov rdx,0000000000000000
    001C- 49 B8 0000000000000000 - mov r8,0000000000000000
    0026- 49 B9 0000000000000000 - mov r9,0000000000000000
    0030- 48 B8 E02C643FFD7F0000 - mov rax,user32.MessageBoxA
    003A- FF D0                 - call rax
    003C- 48 83 C4 20           - add rsp,20
    0040- 48 8B E5              - mov rsp,rbp
    0043- 5D                    - pop rbp
    0044- C3                    - ret
      */
    
      // Byte encoding of the listing above, with every 8-byte immediate
      // left as zero; the three that matter are patched in right after.
      BYTE funcode[] = {
        0x55,
        0x48, 0x8B, 0xEC,
        0x48, 0x83, 0xEC, 0x20,
        0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xFF, 0xD0,
        0x48, 0x83, 0xC4, 0x20,
        0x48, 0x8B, 0xE5,
        0x5D,
        0xC3,
      };
      // Each offset is the immediate field of the corresponding mov in the
      // listing (instruction start + 2 opcode bytes); rcx and r9 stay 0.
      memcpy_s(funcode + 0x14, sizeof(uintptr_t), &contentAddr, sizeof(uintptr_t)); // rdx
      memcpy_s(funcode + 0x1E, sizeof(uintptr_t), &titleAddr, sizeof(uintptr_t)); // r8
      memcpy_s(funcode + 0x32, sizeof(uintptr_t), &pMessageBoxA, sizeof(uintptr_t)); // rax
      WriteProcessMemory(gc.hProcess, (LPVOID)funAddr, funcode, sizeof(funcode), 0);
    #else
      /*
       3 00000000 6A00                        push 0
       4 00000002 6878563412                  push 0x12345678
       5 00000007 6878563412                  push 0x12345678
       6 0000000C 6A00                        push 0
       7 0000000E E800000000                  call MessageBoxA
       8 00000013 C3                          ret
      */
      // 32-bit encoding of the listing above; the two push immediates and
      // the call displacement are patched in below.
      BYTE funcode[] = {
       0x6A, 0x00,
       0x68, 0x00,0x00,0x00,0x00,
       0x68, 0x00,0x00,0x00,0x00,
       0x6A, 0x00,
       0xE8, 0x00,0x00,0x00,0x00,
       0xC3
      };
      // E8 takes a rel32 displacement: target minus the address of the
      // byte after the call (the call sits at stub+0xE and is 5 bytes).
      // Storing it in a DWORD is only meaningful in a 32-bit address
      // space. This local is named like the API function; if <windows.h>
      // is in scope via GameCheatEx.h it shadows that declaration here —
      // TODO confirm.
      DWORD MessageBoxA = pMessageBoxA - (funAddr + 0xE) - 5;
      memcpy_s(funcode + 0x3, sizeof(DWORD), &titleAddr, sizeof(DWORD));
      memcpy_s(funcode + 0x8, sizeof(DWORD), &contentAddr, sizeof(DWORD));
      memcpy_s(funcode + 0xF, sizeof(DWORD), &MessageBoxA, sizeof(DWORD));
      WriteProcessMemory(gc.hProcess, (LPVOID)funAddr, funcode, sizeof(funcode), 0);
    #endif // _WIN64
    
      // Start the stub as a thread in the target. The handle is not
      // checked for NULL before being waited on and closed. A remote
      // thread whose start address lies inside a freshly allocated RWX
      // region is a well-known injection indicator for defenders.
      HANDLE hThread = CreateRemoteThread(gc.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)funAddr, 0, 0, 0);
      WaitForSingleObject(hThread, INFINITE);
      CloseHandle(hThread);
      // Release the whole region once the stub has returned.
      VirtualFreeEx(gc.hProcess, newmem, 0, MEM_RELEASE);
      return 0;
    }
    
  • 原文地址:https://www.cnblogs.com/ajanuw/p/13638106.html