c++ winapi 在当前程序(local)调用目标程序(target)的函数
2024-10-21 03:42:42
如果你的目标程序是x86/x64, 那么当前程序也需要编译为x84/x64
#include <iostream>
#include <string>
#include <vector>
#include <regex>
#include "GameCheatEx.h"
using namespace std;
int main()
{
GameCheatEx::GC gc{ "game2.exe" };
uintptr_t pMessageBoxA = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "user32.dll", "MessageBoxA");
const char* title = "hello";
const char* content = "world";
size_t titleLen = strlen(title) + 1;
size_t contentLen = strlen(content) + 1;
BYTE* newmem = (BYTE*)VirtualAllocEx(gc.hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
printf("newmem: %x\n", newmem);
uintptr_t titleAddr = (uintptr_t)newmem;
uintptr_t contentAddr = titleAddr + titleLen;
uintptr_t funAddr = contentAddr + contentLen + 8;
printf("funAddr: %x\n", funAddr);
WriteProcessMemory(gc.hProcess, (LPVOID)titleAddr, (LPCVOID)title, titleLen, 0);
WriteProcessMemory(gc.hProcess, (LPVOID)contentAddr, (LPCVOID)content, contentLen, 0);
#ifdef _WIN64
/*
0000- 55 - push rbp
0001- 48 8B EC - mov rbp,rsp
0004- 48 83 EC 20 - sub rsp,20
0008- 48 B9 0000000000000000 - mov rcx,0000000000000000
0012- 48 BA 0000000000000000 - mov rdx,0000000000000000
001C- 49 B8 0000000000000000 - mov r8,0000000000000000
0026- 49 B9 0000000000000000 - mov r9,0000000000000000
0030- 48 B8 E02C643FFD7F0000 - mov rax,user32.MessageBoxA
003A- FF D0 - call rax
003C- 48 83 C4 20 - add rsp,20
0040- 48 8B E5 - mov rsp,rbp
0043- 5D - pop rbp
0044- C3 - ret
*/
BYTE funcode[] = {
0x55,
0x48, 0x8B, 0xEC,
0x48, 0x83, 0xEC, 0x20,
0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0xD0,
0x48, 0x83, 0xC4, 0x20,
0x48, 0x8B, 0xE5,
0x5D,
0xC3,
};
memcpy_s(funcode + 0x14, sizeof(uintptr_t), &contentAddr, sizeof(uintptr_t)); // rdx
memcpy_s(funcode + 0x1E, sizeof(uintptr_t), &titleAddr, sizeof(uintptr_t)); // r8
memcpy_s(funcode + 0x32, sizeof(uintptr_t), &pMessageBoxA, sizeof(uintptr_t)); // rax
WriteProcessMemory(gc.hProcess, (LPVOID)funAddr, funcode, sizeof(funcode), 0);
#else
/*
3 00000000 6A00 push 0
4 00000002 6878563412 push 0x12345678
5 00000007 6878563412 push 0x12345678
6 0000000C 6A00 push 0
7 0000000E E800000000 call MessageBoxA
8 00000013 C3 ret
*/
BYTE funcode[] = {
0x6A, 0x00,
0x68, 0x00,0x00,0x00,0x00,
0x68, 0x00,0x00,0x00,0x00,
0x6A, 0x00,
0xE8, 0x00,0x00,0x00,0x00,
0xC3
};
DWORD MessageBoxA = pMessageBoxA - (funAddr + 0xE) - 5;
memcpy_s(funcode + 0x3, sizeof(DWORD), &titleAddr, sizeof(DWORD));
memcpy_s(funcode + 0x8, sizeof(DWORD), &contentAddr, sizeof(DWORD));
memcpy_s(funcode + 0xF, sizeof(DWORD), &MessageBoxA, sizeof(DWORD));
WriteProcessMemory(gc.hProcess, (LPVOID)funAddr, funcode, sizeof(funcode), 0);
#endif // _WIN64
HANDLE hThread = CreateRemoteThread(gc.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)funAddr, 0, 0, 0);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(gc.hProcess, newmem, 0, MEM_RELEASE);
return 0;
}
最新文章
- jquery复习笔记
- Redis教程(三) list类型
- Get item by sharepoint web service jquery
- !!!四种常见的 POST 提交数据方式(含application/json)
- Linux, Mac下Shell 数组 Array 的修理工
- [Embed(source="asset.swf")] 使用其中的所有资源
- 【面试虐菜】—— MongoDB知识整理
- Angular简单应用剖析
- Android Fragment中使用Intent组件拍照
- jQuery 删除HTML元�
- CJOJ 1308 【HNOI 2002 】营业额统计 / CodeVS 1296 营业额统计(STL,二分)
- 关于模式为singTask的activity的bundle问题
- CodeForces Global Round 1
- Vue全局API总结
- css3流动布局
- poj2481树状数组解二维偏序
- HDU 5441 Travel(并查集+统计节点个数)
- Linux下文件的三种时间标记(atime ctime mtime)
- Difference between nn.softmax & softmax_cross_entropy_with_logits & softmax_cross_entropy_with_logits_v2
- Unity3D中的函数方法和解释