如果你的目标程序是x86/x64, 那么当前程序也需要编译为x86/x64

#include <iostream>
#include <string>
#include <vector>
#include <regex>            // not referenced in this listing
#include "GameCheatEx.h"    // project helper: GC (target process wrapper), GetProcAddressEx, byteStr2Bytes

using namespace std;

// Call counter bumped by hello() every time the remote stub calls back into
// this process.
int n = 1;

/*
extern "C" __declspec(dllexport) void __stdcall hello()
{
n++;
printf("%d\n", n);
}
*/

// Callback that runs *in this (injector) process*: the stub written into the
// target opens this process by its pid (patched in below) and starts a thread
// on &hello with the stub's own lpParameter forwarded as `p`.
// @param p  thread parameter handed through by the stub; main() passes 233.
// NOTE(review): "%d" with a uintptr_t is a format/argument mismatch — on x64 the
// value is 64 bits wide; "%p" (or "%zu" after a cast) would match.
void __stdcall hello(uintptr_t p)
{
    n++;
    printf("%d\n", n);
    printf("%d\n", p); // 233
}

// Writes a small, address-patched stub into "game2.exe" and runs it once per
// second via CreateRemoteThread; each run calls back into hello() here.
// Never returns normally: the while(true) below has no exit condition.
int main()
{
    // GC presumably opens the target and exposes its handle as hProcess; the
    // access rights requested are decided inside GameCheatEx.h — verify there.
    GameCheatEx::GC gc{ "game2.exe" };

    // Export addresses that the stub will call inside the target. Assumes
    // GetProcAddressEx yields addresses valid in the *target's* address space
    // — TODO confirm against the helper. None of the four is checked for 0.
    uintptr_t pCreateRemoteThread = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "kernel32.dll", "CreateRemoteThread");
    uintptr_t pOpenProcess = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "kernel32.dll", "OpenProcess");
    uintptr_t pCloseHandle = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "kernel32.dll", "CloseHandle");
    uintptr_t pWaitForSingleObject = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "kernel32.dll", "WaitForSingleObject");

#ifdef _WIN64
    /*
    x64 stub (Microsoft x64 calling convention). Entered by CreateRemoteThread
    with lpParameter in rcx. The immediates marked below are placeholders that
    are overwritten at runtime; the offsets used for patching are the offsets
    of those immediates (opcode offset + 2 for the REX-prefixed mov forms).

    0000- 55 - push rbp
    0001- 48 8B EC - mov rbp,rsp
    0004- 48 83 EC 18 - sub rsp,18
    0008- 48 89 4D F8 - mov [rbp-08],rcx // save thread param // get local hProcess
    000C- 48 83 EC 20 - sub rsp,20
    0010- 48 B8 A0A10675F87F0000 - mov rax,KERNEL32.OpenProcess      // patched at 0x12
    001A- 48 B9 FFFF1F0000000000 - mov rcx,00000000001FFFFF // PROCESS_ALL_ACCESS
    0024- 48 31 D2 - xor rdx,rdx
    0027- 49 B8 DC48000000000000 - mov r8,00000000000048DC // local pid     // patched at 0x29
    0031- FF D0 - call rax
    0033- 48 89 45 F0 - mov [rbp-10],rax // save local hProcess (not checked for 0)
    0037- 48 83 C4 20 - add rsp,20 // call CreateRemoteThread
    003B- 48 83 EC 38 - sub rsp,38
    003F- 48 8B C8 - mov rcx,rax
    0042- 48 31 D2 - xor rdx,rdx
    0045- 4D 31 C0 - xor r8,r8
    0048- 49 B9 80102E86F67F0000 - mov r9,00007FF6862E1080 // lpLocalFun    // patched at 0x4A
    0052- 48 8B 45 F8 - mov rax,[rbp-08]
    0056- 48 89 44 24 20 - mov [rsp+8*4],rax // lpParam
    005B- C7 44 24 28 00000000 - mov [rsp+8*5],00000000
    0063- C7 44 24 30 00000000 - mov [rsp+8*6],00000000
    006B- 48 B8 70590875F87F0000 - mov rax,KERNEL32.CreateRemoteThread // patched at 0x6D
    0075- FF D0 - call rax
    0077- 48 89 45 E8 - mov [rbp-18],rax // save pThread
    007B- 48 83 C4 38 - add rsp,38 // call WaitForSingleObject
    007F- 48 83 EC 20 - sub rsp,20
    0083- 48 B8 00200775F87F0000 - mov rax,KERNEL32.WaitForSingleObject // patched at 0x85
    008D- 48 8B 4D E8 - mov rcx,[rbp-18]
    0091- 48 BA FFFFFFFF00000000 - mov rdx,00000000FFFFFFFF // INFINITE
    009B- FF D0 - call rax
    009D- 48 83 C4 20 - add rsp,20 // close hThread and hProcess
    00A1- 48 83 EC 20 - sub rsp,20
    00A5- 49 BC 101E0775F87F0000 - mov r12,KERNEL32.CloseHandle        // patched at 0xA7
    00AF- 48 8B 4D E8 - mov rcx,[rbp-18]
    00B3- 41 FF D4 - call r12
    00B6- 48 8B 4D F0 - mov rcx,[rbp-10]
    00BA- 41 FF D4 - call r12
    00BD- 48 83 C4 20 - add rsp,20 // end
    00C1- 48 83 C4 18 - add rsp,18
    00C5- 48 8B E5 - mov rsp,rbp
    00C8- 5D - pop rbp
    00C9- C3 - ret
    */
    vector<BYTE> funcode = GameCheatEx::GC::byteStr2Bytes("55 48 8B EC 48 83 EC 18 48 89 4D F8 48 83 EC 20 48 B8 A0 A1 06 75 F8 7F 00 00 48 B9 FF FF 1F 00 00 00 00 00 48 31 D2 49 B8 DC 48 00 00 00 00 00 00 FF D0 48 89 45 F0 48 83 C4 20 48 83 EC 38 48 8B C8 48 31 D2 4D 31 C0 49 B9 80 10 2E 86 F6 7F 00 00 48 8B 45 F8 48 89 44 24 20 C7 44 24 28 00 00 00 00 C7 44 24 30 00 00 00 00 48 B8 70 59 08 75 F8 7F 00 00 FF D0 48 89 45 E8 48 83 C4 38 48 83 EC 20 48 B8 00 20 07 75 F8 7F 00 00 48 8B 4D E8 48 BA FF FF FF FF 00 00 00 00 FF D0 48 83 C4 20 48 83 EC 20 49 BC 10 1E 07 75 F8 7F 00 00 48 8B 4D E8 41 FF D4 48 8B 4D F0 41 FF D4 48 83 C4 20 48 83 C4 18 48 8B E5 5D C3");
    // Patch the 64-bit immediates in place. The stores are unaligned (0x12,
    // 0x29, ... are not 8-byte aligned); x86/x64 tolerates that, the C++
    // object model does not — memcpy would be the portable form.
    *(uintptr_t*)(funcode.data() + 0x12) = (uintptr_t)pOpenProcess; // OpenProcess
    *(uintptr_t*)(funcode.data() + 0x29) = (uintptr_t)GetCurrentProcessId(); // local pid
    *(uintptr_t*)(funcode.data() + 0x4A) = (uintptr_t)&hello; // lpLocalFun
    *(uintptr_t*)(funcode.data() + 0x6D) = (uintptr_t)pCreateRemoteThread; // CreateRemoteThread
    *(uintptr_t*)(funcode.data() + 0x85) = (uintptr_t)pWaitForSingleObject; // WaitForSingleObject
    *(uintptr_t*)(funcode.data() + 0xA7) = (uintptr_t)pCloseHandle; // CloseHandle
#else
    /*
    x86 stub (stdcall, one 4-byte argument: the thread parameter at [ebp+08]).
    Immediates marked below are placeholders patched at runtime; the patch
    offsets are the immediate's offset (opcode offset + 1 for push/mov imm32).

    0000- 55 - push ebp
    0001- 8B EC - mov ebp,esp
    0003- 83 EC 08 - sub esp,08 // get local hProcess
    0006- 68 7C230000 - push 0000237C { local pid }        // patched at 0x07
    000B- 6A 00 - push 00
    000D- 68 FFFF1F00 - push 001FFFFF { PROCESS_ALL_ACCESS }
    0012- B8 0089C776 - mov eax,KERNEL32.OpenProcess        // patched at 0x13
    0017- FF D0 - call eax
    0019- 89 45 FC - mov [ebp-04],eax // call CreateRemoteThread (eax not checked for 0)
    001C- 6A 00 - push 00
    001E- 6A 00 - push 00
    0020- FF 75 08 - push [ebp+08] { localfun param }
    0023- 68 50102100 - push 00211050 { local funAddr }    // patched at 0x24
    0028- 6A 00 - push 00
    002A- 6A 00 - push 00
    002C- FF 75 FC - push [ebp-04]
    002F- B8 0041C976 - mov eax,KERNEL32.CreateRemoteThread // patched at 0x30
    0034- FF D0 - call eax
    0036- 89 45 F8 - mov [ebp-08],eax // call WaitForSingleObject
    0039- B8 403EC876 - mov eax,KERNEL32.WaitForSingleObject // patched at 0x3A
    003E- 68 FFFFFFFF - push FFFFFFFF { INFINITE }
    0043- FF 75 F8 - push [ebp-08]
    0046- FF D0 - call eax // close hThread and hProcess
    0048- BB 503CC876 - mov ebx,KERNEL32.CloseHandle        // patched at 0x49
    004D- FF 75 F8 - push [ebp-08]
    0050- FF D3 - call ebx
    0052- FF 75 FC - push [ebp-04]
    0055- FF D3 - call ebx
    0057- 83 C4 08 - add esp,08
    005A- 8B E5 - mov esp,ebp
    005C- 5D - pop ebp
    005D- C2 0400 - ret 0004
    */
    vector<BYTE> funcode = GameCheatEx::GC::byteStr2Bytes("55 8B EC 83 EC 08 68 7C 23 00 00 6A 00 68 FF FF 1F 00 B8 00 89 C7 76 FF D0 89 45 FC 6A 00 6A 00 FF 75 08 68 50 10 21 00 6A 00 6A 00 FF 75 FC B8 00 41 C9 76 FF D0 89 45 F8 B8 40 3E C8 76 68 FF FF FF FF FF 75 F8 FF D0 BB 50 3C C8 76 FF 75 F8 FF D3 FF 75 FC FF D3 83 C4 08 8B E5 5D C2 04 00");
    // Patch the 32-bit immediates in place (unaligned stores, see the x64 note).
    *(uintptr_t*)(funcode.data() + 0x07) = (uintptr_t)GetCurrentProcessId(); // local pid
    *(uintptr_t*)(funcode.data() + 0x13) = (uintptr_t)pOpenProcess; // OpenProcess
    *(uintptr_t*)(funcode.data() + 0x24) = (uintptr_t)&hello; // lpLocalFun
    *(uintptr_t*)(funcode.data() + 0x30) = (uintptr_t)pCreateRemoteThread; // CreateRemoteThread
    *(uintptr_t*)(funcode.data() + 0x3A) = (uintptr_t)pWaitForSingleObject; // WaitForSingleObject
    *(uintptr_t*)(funcode.data() + 0x49) = (uintptr_t)pCloseHandle; // CloseHandle
#endif // _WIN64

    // One RWX region in the target holds the stub. PAGE_EXECUTE_READWRITE is
    // exactly the writable+executable private memory that memory scanners and
    // EDR heuristics look for, and the return value is not checked — newmem can
    // be NULL and is still handed to WriteProcessMemory/CreateRemoteThread.
    BYTE* newmem = (BYTE*)VirtualAllocEx(gc.hProcess, 0, funcode.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // "%x" with a pointer prints a truncated value on x64; "%p" matches.
    printf("newmem: %x\n", newmem);
    // BOOL result ignored; a failed write still leads to the thread creation below.
    WriteProcessMemory(gc.hProcess, newmem, funcode.data(), funcode.size(), 0);

    // Runs forever: one remote thread per second, each calling back into
    // hello() in this process. There is no exit condition, so the
    // VirtualFreeEx after the loop is unreachable and the RWX page stays
    // mapped in the target for the target's lifetime.
    while (true)
    {
        // hThread is not checked: on failure WaitForSingleObject and CloseHandle
        // run on NULL (both fail) and the loop simply continues.
        HANDLE hThread = CreateRemoteThread(gc.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)newmem, (LPVOID)233, 0, 0);
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        Sleep(1000);
    }
    VirtualFreeEx(gc.hProcess, newmem, 0, MEM_RELEASE); // unreachable, see loop above
    return 0;
}
