  • 内存映射+远线程 调用游戏CALL

    转载于:https://www.cnblogs.com/IMyLife/p/4827870.html

    源码中 用到的结构和未公开函数 请到 http://www.cnblogs.com/IMyLife/p/4826286.html 获取

    // Obtain a full-access handle to the target process, which is located
    // by the title of its top-level window. Every later cross-process call
    // in this page goes through ProcessHandle.
    HANDLE ProcessHandle=NULL;
    DWORD pPID=NULL;
    DWORD TID=NULL;
    // The title is a placeholder ("游戏窗口名称" = "game window name").
    HWND i = FindWindowW(NULL, L"游戏窗口名称");
    // Thread id of the window's owner; the process id comes back via pPID.
    TID=GetWindowThreadProcessId(i,&pPID);
    // PROCESS_ALL_ACCESS on a foreign process. Neither the window lookup nor
    // this call is checked, so a NULL handle would propagate into every
    // later call. For a defender this handle request is the first visible
    // event of the sequence on this page.
    ProcessHandle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pPID);
    // Map a block of bytes into the target process
    // Copy BYTE_SIZE bytes starting at Address (in this process) into a new
    // pagefile-backed section named Nume, then map that section into the
    // target process behind ProcessHandle.
    //
    // Returns the base address of the remote view, or 0 when the section
    // could not be created or could not be mapped locally. The result of
    // ZwMapViewOfSection itself is not checked, so a failed remote mapping
    // returns whatever vaddress holds afterwards; hMap is never closed on
    // either path.
    //
    // Detection note: a named section created with PAGE_EXECUTE_READWRITE
    // and then mapped into another process is the observable footprint of
    // this helper.
    DWORD MappingBytes(PVOID Address,DWORD BYTE_SIZE,WCHAR Nume[])
    {
    DWORD vaddress=NULL,size=NULL;
    // Section backed by the paging file (INVALID_HANDLE_VALUE), sized to the
    // byte range and given the caller-supplied name.
    HANDLE hMap=CreateFileMappingW(INVALID_HANDLE_VALUE,NULL,PAGE_EXECUTE_READWRITE,NULL,BYTE_SIZE,Nume);
    if(hMap!=NULL)
    {
    // Local view used only to fill the section with the caller's bytes.
    HANDLE pAddress=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL);
    if(pAddress!=NULL)
    {
    RtlMoveMemory(pAddress,Address,BYTE_SIZE);
    // Map the same section into the target process; the remote base is
    // written to vaddress and the mapped size to size.
    ZwMapViewOfSection(hMap,ProcessHandle,&vaddress,NULL,NULL,NULL,&size,1,0,PAGE_EXECUTE_READWRITE);
    UnmapViewOfFile(pAddress);
    return vaddress;
    }
    }
    return 0;
    }
    // Byte count of the routine to be copied. The routine must end in `int 0`
    // (bytes CD 00), otherwise the end cannot be determined.
    //
    // Returns the number of bytes from JMPAddress up to, not including, the
    // first byte equal to 205 (0xCD, the `int` opcode). The comparison is on
    // raw bytes, so the scan stops at the first 0xCD it meets whichever
    // instruction that byte belongs to, and there is no upper bound on how
    // far it reads. The trailing `return 0` is unreachable.
    DWORD GetFunctionLong(DWORD JMPAddress)
    {
    BYTE *p=(BYTE*)JMPAddress;
    int i=0;
    while (TRUE)
    {
    if((DWORD)*p==205)
    {
    return i;
    }
    p++;
    i++;
    }
    return 0;
    }
    // Main routine of the remote call.

    // CALLAddress: local routine whose bytes are copied into the target
    // (must end in `int 0`, see GetFunctionLong). ParameterStruct /
    // ParameterStruct_SIZE: block of arguments, copied into the target by
    // MappingBytes and handed to the remote thread as its single parameter;
    // any number of arguments can be carried this way (see how the routine
    // below reads them), only DWORD arguments have been tested.
    //
    // Returns the remote base of the copied routine, or 0 when the local
    // section could not be created or mapped. The results of
    // ZwMapViewOfSection, VirtualProtectEx and CreateRemoteThread are not
    // checked, and hMap is never closed.
    //
    // Detection note: a thread created in another process whose start
    // address lies inside a freshly mapped section, right after a
    // VirtualProtectEx to PAGE_EXECUTE_READWRITE, is the characteristic
    // footprint of this routine.
    DWORD LoadCALL(DWORD* CALLAddress, DWORD* ParameterStruct, DWORD ParameterStruct_SIZE)
    {
    DWORD vaddress = NULL, size = NULL,lsbuff = 0,lenght=0,structbuff=0;
    // Length of the routine, delimited by its `int 0` terminator.
    lenght = GetFunctionLong((DWORD)CALLAddress);
    // Section named "CALL", created read/write; execute permission is added
    // on the remote view later with VirtualProtectEx.
    HANDLE hMap = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, NULL, lenght, L"CALL");
    if (hMap != NULL)
    {
    HANDLE pAddress = MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL);
    if (pAddress != NULL)
    {
    RtlMoveMemory(pAddress, CALLAddress, lenght);
    // Map the routine's bytes into the target process (the literal 4 is
    // PAGE_READWRITE); remote base lands in vaddress.
    ZwMapViewOfSection(hMap, ProcessHandle, &vaddress, NULL, NULL, NULL, &size, 1, 0, 4);
    // Map the parameter block into the target process.
    structbuff=MappingBytes((PVOID)ParameterStruct, ParameterStruct_SIZE, L"struct");
    // Change the page protection of the remote view; lsbuff receives the old value.
    VirtualProtectEx(ProcessHandle, (LPVOID)vaddress, lenght, PAGE_EXECUTE_READWRITE, &lsbuff);
    // Create a remote thread that runs the copied routine with the remote
    // parameter block as its argument. The thread handle is discarded.
    CreateRemoteThread(ProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)vaddress, (LPVOID)structbuff, NULL, NULL);
    UnmapViewOfFile(pAddress);
    return = vaddress; // sic: as written this statement is not valid syntax
    }
    }
    return 0;
    }

    //调用远程CALL格式

    参数结构
    // Parameter block handed to the remote routine: four DWORD slots that
    // the remote code reads at [eax], [eax+4], and so on (see ZwGoodsCALL).
    typedef struct A
    {
    DWORD a1;
    DWORD a2;
    DWORD a3;
    DWORD a4;
    };
    // The `typedef` above names no alias; A1 and A2 below supply the names
    // used by the caller.
    typedef struct A A1;
    typedef A1 *A2;

    要调用的CALL
    // The routine that gets copied into the target. It is declared naked, so
    // the compiler emits no prologue or epilogue and only the bytes of the
    // _asm block below are copied. It expects the pointer to the parameter
    // block at [ebp+8], loads a1 into ebx and a2 into ecx, and returns.
    // The final `int 0` (bytes CD 00) is the terminator GetFunctionLong
    // scans for, not code that is meant to execute.
    void __declspec( naked ) ZwGoodsCALL()
    {
    _asm
    {
    MOV EAX, [ebp+8]
    mov ebx,dword ptr ds : [eax] // first field of the struct; the 2nd is at +4, the 3rd at +8, each further one +4
    mov ecx,dword ptr ds : [eax+4]// second field
    retn
    int 0// end marker, used by the length-scanning function
    }
    }
    调用方法
    // How the call is made: heap-allocate one A1, fill its four slots, and
    // pass the routine's address, the block and the block size to LoadCALL.
    // The malloc result is not checked and the block is never freed here.
    A2 pA2 = NULL;
    pA2 = (A2)malloc(sizeof(A1));
    pA2->a1 = 1;
    pA2->a2 = 2;
    pA2->a3 = 3;
    pA2->a4 = 4;
    LoadCALL((DWORD*)ZwGoodsCALL, (DWORD*)pA2, sizeof(A1));

  • 原文地址:https://www.cnblogs.com/jszyx/p/13730000.html