源码中用到的结构和未公开函数，请到 http://www.cnblogs.com/IMyLife/p/4826286.html 获取
// Locate the target process by its top-level window title and open a handle to it.
// ProcessHandle is file-scope state consumed by MappingBytes() and LoadCALL() below.
HANDLE ProcessHandle = NULL;
DWORD pPID = NULL;   // NULL used as an integer 0 initializer (sic); receives the process id
DWORD TID = NULL;    // receives the thread id returned by GetWindowThreadProcessId
// "游戏窗口名称" is a placeholder meaning "game window title"; the HWND is not checked for NULL.
HWND i = FindWindowW(NULL, L"游戏窗口名称");
// Fills pPID with the id of the process that owns the window; the return value is not checked,
// so a window that was not found is not detected here.
TID = GetWindowThreadProcessId(i, &pPID);
// PROCESS_ALL_ACCESS requests every right on the target (VM read/write, thread creation, ...);
// the result is not checked, so a denied or failed open leaves ProcessHandle NULL for the callers below.
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pPID);
// Copy BYTE_SIZE bytes from Address (in the calling process) into the address space of
// ProcessHandle by way of a named, pagefile-backed section: the section is mapped locally,
// filled, then mapped a second time into the target with ZwMapViewOfSection.
//
// Address:   source buffer in the calling process.
// BYTE_SIZE: number of bytes to copy; also used as the section size.
// Nume:      name of the section object passed to CreateFileMappingW.
// Returns the base address of the view inside the target process, or 0 when
// CreateFileMappingW or MapViewOfFile returned NULL.
//
// NOTE(review): hMap is never closed on any path, and the NTSTATUS of ZwMapViewOfSection is
// ignored, so a failed remote mapping returns vaddress (still 0) and is indistinguishable
// from the "section could not be created" case only by accident.
DWORD MappingBytes(PVOID Address, DWORD BYTE_SIZE, WCHAR Nume[])
{
    DWORD vaddress = NULL, size = NULL;  // NULL used as an integer 0 initializer (sic)
    // PAGE_EXECUTE_READWRITE on the section allows the remote view to be written and executed.
    HANDLE hMap = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, NULL, BYTE_SIZE, Nume);
    if (hMap != NULL)
    {
        // Local view, used only to fill the section with the source bytes.
        HANDLE pAddress = MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL);
        if (pAddress != NULL)
        {
            RtlMoveMemory(pAddress, Address, BYTE_SIZE);
            // Map the same section into the target process (native API; see the linked post for
            // the prototype). Trailing arguments: InheritDisposition = 1 (ViewShare),
            // AllocationType = 0, Win32Protect = PAGE_EXECUTE_READWRITE. size is in/out: 0 maps
            // the whole section and receives the mapped view size.
            ZwMapViewOfSection(hMap, ProcessHandle, &vaddress, NULL, NULL, NULL, &size, 1, 0, PAGE_EXECUTE_READWRITE);
            UnmapViewOfFile(pAddress);
            return vaddress;
        }
    }
    return 0;
}
// Measure the length in bytes of the function at JMPAddress by scanning forward for the
// first 0xCD byte (205 == the opcode byte of `int imm8`, here the trailing `int 0`).
// Original note: the hooked function must end with `int 0`, otherwise the length cannot be
// determined.
//
// JMPAddress: start address of the function to measure (a 32-bit value; this listing
//             assumes a 32-bit process).
// Returns the number of bytes before the first 0xCD byte.
//
// NOTE(review): the scan is unbounded — without a 0xCD byte it keeps reading past the
// function into whatever memory follows until it finds one or faults. A 0xCD byte that
// occurs inside the body (e.g. in an immediate operand) ends the scan early. The
// `return 0` after the loop is unreachable.
DWORD GetFunctionLong(DWORD JMPAddress)
{
    BYTE *p = (BYTE*)JMPAddress;
    int i = 0;
    while (TRUE)
    {
        if ((DWORD)*p == 205)   // 0xCD
        {
            return i;
        }
        p++;
        i++;
    }
    return 0;   // unreachable: the loop only exits through the return above
}
// Main routine for the remote CALL: run the code of CALLAddress inside the target process
// on a new remote thread, passing it a copy of ParameterStruct as its single argument.
// The code bytes (measured with GetFunctionLong, so the function must end in `int 0`) are
// copied into a section named L"CALL" and mapped into the target; the parameter block is
// mapped separately by MappingBytes(). Original note: any number of parameters can be
// passed through the struct (the example below shows how the callee reads them); only
// DWORD-typed parameters were tested.
//
// CALLAddress:          local function whose bytes are copied verbatim, so it presumably
//                       must not contain address-relative references — not verified here.
// ParameterStruct:      argument block to copy into the target.
// ParameterStruct_SIZE: size of that block in bytes.
// Returns the remote address of the copied code, or 0 if the L"CALL" section could not be
// created or mapped locally.
//
// NOTE(review): the results of ZwMapViewOfSection, MappingBytes, VirtualProtectEx and
// CreateRemoteThread are all ignored, and neither hMap nor the returned thread handle is
// ever closed. ProcessHandle is the file-scope handle opened above and may be NULL.
// From a monitoring standpoint, a section view mapped into another process followed by
// CreateRemoteThread against that process is a well-known injection pattern.
DWORD LoadCALL(DWORD* CALLAddress, DWORD* ParameterStruct, DWORD ParameterStruct_SIZE)
{
    DWORD vaddress = NULL, size = NULL, lsbuff = 0, lenght = 0, structbuff = 0;  // "lenght" sic
    lenght = GetFunctionLong((DWORD)CALLAddress);
    // The code section is created PAGE_READWRITE; execute permission is added to the remote
    // view by VirtualProtectEx below. A lenght of 0 makes CreateFileMappingW fail.
    HANDLE hMap = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, NULL, lenght, L"CALL");
    if (hMap != NULL)
    {
        // Local view, used only to fill the section with the code bytes.
        HANDLE pAddress = MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL);
        if (pAddress != NULL)
        {
            RtlMoveMemory(pAddress, CALLAddress, lenght);
            // Map the code section into the target process; trailing arguments are
            // InheritDisposition = 1 (ViewShare), AllocationType = 0, Win32Protect = 4 (PAGE_READWRITE).
            ZwMapViewOfSection(hMap, ProcessHandle, &vaddress, NULL, NULL, NULL, &size, 1, 0, 4);
            // Map the parameter block into the target process.
            structbuff = MappingBytes((PVOID)ParameterStruct, ParameterStruct_SIZE, L"struct");
            // Change the protection of the remote code view; lsbuff receives the old protection.
            VirtualProtectEx(ProcessHandle, (LPVOID)vaddress, lenght, PAGE_EXECUTE_READWRITE, &lsbuff);
            // Start the copied code on a remote thread, with the parameter block as its argument.
            CreateRemoteThread(ProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)vaddress, (LPVOID)structbuff, NULL, NULL);
            UnmapViewOfFile(pAddress);
            return = vaddress;   // NOTE(review): syntax error in the original; `return vaddress;` is meant
        }
    }
    return 0;
}
//调用远程CALL格式
/*
参数结构
typedef struct A
{
    DWORD a1;
    DWORD a2;
    DWORD a3;
    DWORD a4;
};
typedef struct A A1;
typedef A1 *A2;

要调用的CALL
void __declspec( naked ) ZwGoodsCALL()
{
    _asm
    {
        MOV EAX, [ebp+8]
        mov ebx,dword ptr ds : [eax]   //取结构第一个参数 第二个+4 第三个+8依次加4
        mov ecx,dword ptr ds : [eax+4] //获取第二个参数
        retn
        int 0                          // 结尾标识符 给获取函数长度函数做判断
    }
}

调用方法
A2 pA2 = NULL;
pA2 = (A2)malloc(sizeof(A1));
pA2->a1 = 1;
pA2->a2 = 2;
pA2->a3 = 3;
pA2->a4 = 4;
LoadCALL((DWORD*)ZwGoodsCALL, (DWORD*)pA2, sizeof(A1));
*/
// 转载于:https://www.cnblogs.com/IMyLife/p/4827870.html