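// Hook patcher for one specific process (x86 / 32-bit only).
//
// What the code below does, in order: find the process "qwq.exe", open it,
// allocate an executable buffer in it, copy the bytes of ret_hook() into that
// buffer followed by a JMP back, and overwrite the five bytes at a fixed offset
// inside the target's bcryptPrimitives.dll with a JMP to the buffer.
//
// Pointers are cast to DWORD and the trampoline uses __asm, so this only works
// when built as a 32-bit MSVC binary and pointed at a 32-bit process.
// The MODULEENTRY32 / PROCESSENTRY32 fields are compared as narrow strings, so
// a non-UNICODE (MBCS) build is assumed throughout.
#include "Windows.h"
#include "tlhelp32.h"
#include "String.h"
#include "Shlwapi.h"
#include "iostream"
#include <cstdint>
#include <cstring>
#include <vector>
using namespace std;

// Handle to the target process; set once in main() and read by every helper below.
HANDLE hProcess;
// Remote buffer that holds the trampoline.  Deliberately never freed: the patched
// code in the target keeps jumping into it for as long as the target runs.
LPVOID lp_address;
// Declared by the original author but never used; kept so external references still link.
LPVOID lp_ret_value_address;
// Address the trampoline jumps back to (hook site + 5, i.e. right after the displaced bytes).
DWORD lp_ret_jmp;
// Address inside bcryptPrimitives.dll that receives the 5-byte JMP.
DWORD lp_to_jmp;

// Reads one T at Address in the target process (hProcess).
// This signature cannot report failure, so a failed ReadProcessMemory yields a
// zero-initialised T instead of uninitialised stack memory; callers that must tell
// "zero" from "unreadable" should call ReadProcessMemory themselves.
template <typename T>
T Read(LPVOID Address)
{
    T Data{};
    ReadProcessMemory(hProcess, Address, &Data, sizeof(T), nullptr);
    return Data;
}

// Signature scan of [start, start + length) in the target process.
// `pattern` holds the bytes to match, `mask` one character per pattern byte:
// '?' means "any byte", anything else means "must equal pattern[i]".
// Returns the absolute address of the first match, or 0 when the mask is empty,
// the range is shorter than the mask, the range cannot be read, or nothing matches.
//
// The range is read across in one ReadProcessMemory call rather than one call per
// byte, so it must be fully readable (a module's code section is).  This also fixes
// the original scanner, which on a partial-match failure reset the pattern index but
// not the scan position and could therefore skip a match that began inside the
// failed partial match.
uintptr_t FindPattern(uintptr_t start, uintptr_t length, const unsigned char* pattern, const char* mask)
{
    const size_t maskLength = strlen(mask);
    if (maskLength == 0 || length < maskLength)
        return 0;

    std::vector<unsigned char> buf(length);
    SIZE_T got = 0;
    if (!ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(start), buf.data(), length, &got) || got < maskLength)
        return 0;

    for (size_t i = 0; i + maskLength <= got; ++i)
    {
        size_t k = 0;
        while (k < maskLength && (mask[k] == '?' || buf[i + k] == pattern[k]))
            ++k;
        if (k == maskLength)
            return start + i;
    }
    return 0;
}

// Signature scan over the code section of a module loaded in the target process.
// Returns the absolute address of the first match, or 0 when hModule is null, the
// PE headers cannot be read / do not carry the MZ and PE signatures, or nothing matches.
uintptr_t FindPattern(HMODULE hModule, const unsigned char* pattern, const char* mask)
{
    if (hModule == nullptr)
        return 0;

    const uintptr_t base = reinterpret_cast<uintptr_t>(hModule);

    const IMAGE_DOS_HEADER DOSHeader = Read<IMAGE_DOS_HEADER>(hModule);
    if (DOSHeader.e_magic != IMAGE_DOS_SIGNATURE)
        return 0;

    const IMAGE_NT_HEADERS NTHeaders = Read<IMAGE_NT_HEADERS>(reinterpret_cast<LPVOID>(base + DOSHeader.e_lfanew));
    if (NTHeaders.Signature != IMAGE_NT_SIGNATURE)
        return 0;

    // BaseOfCode is an RVA, so the scan starts at base + RVA.  The scan length is
    // SizeOfCode alone; the original passed base + SizeOfCode as the length, which
    // overshot the section by the whole module base.
    return FindPattern(base + NTHeaders.OptionalHeader.BaseOfCode,
                       NTHeaders.OptionalHeader.SizeOfCode, pattern, mask);
}

// Returns the base address of the module named ModuleName (case-insensitive) in
// process pid, or nullptr when the snapshot fails or no such module is loaded.
// The snapshot handle is closed on every path (the original leaked it when
// Module32First failed, and tested the handle against 0 instead of INVALID_HANDLE_VALUE).
HMODULE GetProcessModuleHandleByName(DWORD pid, LPCSTR ModuleName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return nullptr;

    MODULEENTRY32 ModuleInfo{};
    ModuleInfo.dwSize = sizeof(ModuleInfo);

    HMODULE found = nullptr;
    if (Module32First(hSnapshot, &ModuleInfo))
    {
        do
        {
            if (lstrcmpi(ModuleInfo.szModule, ModuleName) == 0)
            {
                found = ModuleInfo.hModule;
                break;
            }
        } while (Module32Next(hSnapshot, &ModuleInfo));
    }

    CloseHandle(hSnapshot);
    return found;
}

// Returns the PID of the first process whose image name equals pName, or 0 when
// the snapshot fails or no such process exists.  The comparison is case-insensitive
// (lstrcmpiA) so it agrees with the module lookup above; the original used strcmp.
DWORD GetProcessIDByName(const char* pName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe{};
    pe.dwSize = sizeof(pe);

    DWORD pid = 0;
    for (BOOL ok = Process32First(hSnapshot, &pe); ok; ok = Process32Next(hSnapshot, &pe))
    {
        if (lstrcmpiA(pe.szExeFile, pName) == 0)
        {
            pid = pe.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapshot);
    return pid;
}

// Trampoline body; main() copies the bytes of this function into the target.
// The first three instructions (mov edi,edi / push ebp / mov ebp,esp, 5 bytes) are
// the bytes the hook displaces at the hook site and are re-executed here; then
// mov edx,edi (2 bytes) runs; main() appends a JMP back to hook site + 5 right
// after these 7 bytes.  The function is never called in this process.
//
// NOTE: main() copies from this function's *address*.  With incremental linking
// (MSVC Debug default) that address is an ILT jump thunk, not this code, so build
// with incremental linking disabled for the copy to contain the bytes below.
inline __declspec(naked) void ret_hook()
{
    __asm
    {
        mov edi, edi
        push ebp
        mov ebp, esp
        mov edx, edi
    }
}

int main()
{
    SetConsoleTitleA("过考试 ");

    // Hook-site offsets inside bcryptPrimitives.dll.  They are hard-coded for one
    // particular build of that DLL; the FindPattern helpers above exist to locate
    // the site by signature instead, but the original never wired them up.
    constexpr DWORD  kHookOffset   = 0x24B00; // receives the 5-byte JMP
    constexpr DWORD  kPatchSize    = 5;       // bytes displaced by E9 rel32
    constexpr DWORD  kTrampJmpOff  = 7;       // displaced prologue (5) + mov edx,edi (2)
    constexpr SIZE_T kTrampCopy    = 50;      // bytes copied from ret_hook (original value; only 7 are needed)
    constexpr SIZE_T kTrampAlloc   = 128;     // size of the remote buffer

    const DWORD Pid = GetProcessIDByName("qwq.exe");
    if (Pid == 0)
    {
        cout << "target process qwq.exe not found" << endl;
        return 1;
    }

    // Least privilege: request only the rights the calls below need
    // (VirtualAllocEx / WriteProcessMemory / ReadProcessMemory) instead of PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION,
                           FALSE, Pid);
    if (hProcess == NULL)
    {
        cout << "OpenProcess failed: " << GetLastError() << endl;
        return 1;
    }

    cout << "进程ID:" << Pid << endl << endl << "进程句柄:" << hProcess << endl << endl;

    // The buffer must be executable because the patched code jumps into it.
    // (RWX is what the original used; W^X would mean writing it as RW and flipping
    // it to RX with VirtualProtectEx afterwards.)
    lp_address = VirtualAllocEx(hProcess, NULL, kTrampAlloc, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lp_address == NULL)
    {
        cout << "VirtualAllocEx failed: " << GetLastError() << endl;
        CloseHandle(hProcess);
        return 1;
    }

    // Original author's note: bcryptPrimitives.dll+0x24AFF is 0xCC (int 3) in the
    // build these offsets were taken from.
    const HMODULE hbcryptPrimitives = GetProcessModuleHandleByName(Pid, "bcryptPrimitives.dll");
    if (hbcryptPrimitives == nullptr)
    {
        // Without the module base the offsets below would be written to absolute address 0x24B00.
        cout << "bcryptPrimitives.dll not found in target" << endl;
        CloseHandle(hProcess);
        return 1;
    }

    lp_to_jmp  = static_cast<DWORD>(reinterpret_cast<uintptr_t>(hbcryptPrimitives)) + kHookOffset;
    lp_ret_jmp = lp_to_jmp + kPatchSize;

    const DWORD trampBase = static_cast<DWORD>(reinterpret_cast<uintptr_t>(lp_address));

    /* Build the trampoline locally and write it with one call, so the remote buffer
       never holds a half-written stub (the original wrote the body, then the E9,
       then the displacement as three separate writes). */
    unsigned char tramp[kTrampAlloc] = {};
    memcpy(tramp, reinterpret_cast<const void*>(&ret_hook), kTrampCopy);
    const DWORD   trampJmpAddr = trampBase + kTrampJmpOff;
    const int32_t relBack      = static_cast<int32_t>(lp_ret_jmp - (trampJmpAddr + kPatchSize));
    tramp[kTrampJmpOff] = 0xE9;
    memcpy(&tramp[kTrampJmpOff + 1], &relBack, sizeof relBack);

    if (!WriteProcessMemory(hProcess, lp_address, tramp, kTrampCopy, NULL))
    {
        cout << "writing trampoline failed: " << GetLastError() << endl;
        CloseHandle(hProcess);
        return 1;
    }

    /* JMP rel32 from the hook site to the trampoline, written as one 5-byte block.
       This is still not atomic with respect to a target thread executing at the hook
       site, but it removes the window in which E9 was in place with stale bytes
       behind it.  WriteProcessMemory is expected to handle the copy-on-write of the
       image page itself given PROCESS_VM_OPERATION — verify on the target OS. */
    unsigned char jmp[kPatchSize] = { 0xE9 };
    const int32_t relTo = static_cast<int32_t>(trampBase - (lp_to_jmp + kPatchSize));
    memcpy(&jmp[1], &relTo, sizeof relTo);

    if (!WriteProcessMemory(hProcess, reinterpret_cast<LPVOID>(lp_to_jmp), jmp, sizeof jmp, NULL))
    {
        cout << "writing hook failed: " << GetLastError() << endl;
        CloseHandle(hProcess);
        return 1;
    }

    // lp_address stays allocated on purpose (see its declaration); only the handle is released.
    getchar();
    CloseHandle(hProcess);
    return 0;
}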
原文地址:https://www.cnblogs.com/MiraculousB/p/12763103.html