
[游戏相关]郁金香控制台注入DLL代码


// InjectDLL.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>//FindWindow

#define GameClassName "D3D Window"
#define DllFullpath "D:\\Documents\\Visual Studio 2010\\Projects\\MFC_DLL\\Debug\\MFC_DLL.dll"

// Injects DllFullpath into the process that owns the window whose class name is
// GameClassName. Sequence: FindWindow -> GetWindowThreadProcessId ->
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory(path)
// -> CreateRemoteThread(LoadLibrary, path) -> wait -> free.
// This is the textbook CreateRemoteThread/LoadLibrary injection; that exact API
// sequence (cross-process handle open, remote allocation and write, remote thread
// creation) is what process-injection detections and EDR telemetry key on.
// Every failure is only reported with printf; the function returns nothing, so the
// caller cannot distinguish success from failure.
void InjectDLL()
{
    DWORD pid = 0;
    DWORD byWriteSize;                  // only written via WriteProcessMemory's out-param below; never initialised here
    HANDLE hProcess = NULL;
    LPDWORD AddressDW = NULL;           // address of the buffer allocated inside the target process
    HANDLE threadHandle = NULL;         // handle of the remote thread that runs LoadLibrary
    // Locate the target window by class name (narrow literal, so an ANSI build is assumed)
    HWND Gameh = FindWindow(GameClassName,NULL);
    if (Gameh != 0)
    {
        // Map the window to its owning process id; the returned thread id is discarded
        GetWindowThreadProcessId(Gameh,&pid);
        if (pid != 0)
        {
            // Open the process (desired access, inherit handle, pid). PROCESS_ALL_ACCESS
            // is far broader than what the calls below actually require.
            hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);

            if (hProcess != 0)
            {
                // Allocate 256 bytes of committed read/write memory in the target
                // (process, preferred address, size, allocation type, page protection)
                AddressDW = (LPDWORD)VirtualAllocEx(hProcess,NULL,256,MEM_COMMIT,PAGE_READWRITE);

                if (AddressDW != NULL)
                {
                    // Copy the DLL path including its NUL terminator into that buffer
                    // (process, destination, source, size, bytes written). The return
                    // value is ignored; if the call fails, byWriteSize is read below
                    // without ever having been initialised.
                    WriteProcessMemory(hProcess,AddressDW,DllFullpath,strlen(DllFullpath)+1,&byWriteSize);

                    if (byWriteSize >= strlen(DllFullpath))
                    {
                        // Start a thread in the target whose entry point is LoadLibrary and
                        // whose argument is the path buffer, i.e. the target loads the DLL.
                        // (process, security attrs, stack size, start routine, parameter, flags, thread id)
                        // LoadLibrary is a macro: in a UNICODE build it resolves to LoadLibraryW
                        // and would misread the narrow path written above — TODO confirm ANSI build.
                        threadHandle = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,AddressDW,NULL,NULL);
                        // Wait indefinitely (0xffffffff == INFINITE) for the remote thread to exit.
                        // threadHandle is not checked for NULL before being waited on.
                        WaitForSingleObject(threadHandle,0xffffffff);
                        CloseHandle(threadHandle);
                        // Decommit the remote buffer (MEM_DECOMMIT leaves the reservation in place)
                        VirtualFreeEx(hProcess,AddressDW,256,MEM_DECOMMIT);
                        CloseHandle(hProcess);
                    }else
                    {
                        // Note: neither hProcess nor the remote buffer is released on this path
                        printf ("与入DLL路径失败\r\n");
                    }
                }else
                {
                    // Note: hProcess is not closed on this path
                    printf("未找到AddressDW");
                }
            }else
            {
                printf("未找到hProcess");
            }
        }else
        {
            printf("未找到pid");
        }
    }else
    {
        printf("未找到Gameh");
    }
}
int _tmain(int argc, _TCHAR* argv[])
{
    // Console entry point: announce the run, perform the injection, then wait
    // for a keypress so the console window stays open. InjectDLL() reports its
    // own failures via printf and returns void, so "成功" is printed whether or
    // not the injection actually succeeded. argc/argv are unused.
    fputs("注入DLL\r\n", stdout);
    InjectDLL();
    fputs("成功\r\n", stdout);
    (void)getchar();
    return 0;
}
DLL代码部分



// MFC application object of the DLL; its m_hInstance is the module handle that
// ShowDialog passes to FreeLibraryAndExitThread.
CMFC_DLLApp theApp;
// Main dialog; allocated with new and freed with delete inside ShowDialog.
// Nothing else on this page touches it.
CMainDialogWnd *PMainDialog;
// Thread routine started from CMFC_DLLApp::InitInstance: shows the main dialog
// modally, tears it down, then unloads this DLL and ends the thread in one call.
// Declared with an LPARAM parameter but handed to CreateThread through an
// LPTHREAD_START_ROUTINE cast (see InitInstance); lpData is never read.
DWORD WINAPI ShowDialog(LPARAM lpData)
{
    AFX_MANAGE_STATE(AfxGetStaticModuleState());   // switch MFC module state to this DLL before creating MFC objects
    // Create and show the dialog
    PMainDialog =new CMainDialogWnd;
    PMainDialog->DoModal();   // modal: blocks this thread until the dialog is closed
    // Dialog closed: release the object allocated with new above
    delete PMainDialog;
    // Unload mfc_dll.dll and exit this thread with code 1 in a single call
    // (the author notes FreeLibrary(GetModuleHandle("mfc_dll.dll")) as the alternative);
    // nothing after this line runs.
    FreeLibraryAndExitThread(theApp.m_hInstance,1);

    return TRUE;   // unreachable: FreeLibraryAndExitThread does not return
}

// CMFC_DLLApp 初始化

// CMFC_DLLApp initialisation, which MFC runs when the DLL is loaded (here, by the
// LoadLibrary remote thread from InjectDLL). The UI work is handed to a new thread
// so this function returns promptly and the loading thread is not blocked by the
// modal dialog in ShowDialog.
BOOL CMFC_DLLApp::InitInstance()
{
    CWinApp::InitInstance();
    // (security attrs, stack size, start routine, parameter, creation flags, thread id)
    // The returned thread handle is discarded, so it is never closed.
    ::CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)ShowDialog,NULL,NULL,NULL);
    return TRUE;
}

好强大的论坛