龙马谷

 找回密码
 立即注册

QQ登录

只需一步,快速开始

龙马谷VIP会员办理客服QQ:82926983(如果临时会话没有收到回复,请先加QQ好友再发。)
1 [已完结] GG修改器新手入门与实战教程 31课 2 [已完结] GG修改器美化修改教程 6课 3 [已完结] GG修改器Lua脚本新手入门教程 12课
4 [已完结] 触动精灵脚本新手入门必学教程 22课 5 [已完结] 手游自动化脚本入门实战教程 9课 6 [已完结] C++射击游戏方框骨骼透视与自瞄教程 27课
7 [已完结] C++零基础UE4逆向开发FPS透视自瞄教程 29课 8 [已完结] C++零基础大漠模拟器手游自动化辅助教程 22课 9 [已完结] C++零基础开发DXF内存脚本辅助教程 32课
以下是天马阁VIP教程,本站与天马阁合作,赞助VIP可以获得天马阁对应VIP会员,名额有限! 点击进入天马阁论坛
1 [已完结] x64CE与x64dbg入门基础教程 7课 2 [已完结] x64汇编语言基础教程 16课 3 [已完结] x64辅助入门基础教程 9课
4 [已完结] C++x64内存辅助实战技术教程 149课 5 [已完结] C++x64内存检测与过检测技术教程 10课 6 [已完结] C+x64二叉树分析遍历与LUA自动登陆教程 19课
7 [已完结] C++BT功能原理与x64实战教程 29课 8 [已完结] C+FPS框透视与自瞄x64实现原理及防护思路
查看: 8676|回复: 2

最强C++x86x64驱动级读写源码

[复制链接]

10

主题

2

回帖

15

积分

编程入门

Rank: 1

龙马币
30

  1. //***************调用静态变量static***************需要修改下

  2. X64常用内存读写库

  3. DWORD GetModuleSizeX64(DWORD Pid, const TCHAR* ModuleName)//获取模块大小,只能搞64位=64位,32位无法对64位操作

  4. {/*初始化DLL列表*/

  5. HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);

  6. if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;

  7. DWORD dwBuffSize = 0;

  8. BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);

  9. HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];

  10. bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);

  11. // 模块名称

  12. TCHAR szModuleName[MAX_PATH] = { 0 };

  13. TCHAR szBaseName[MAX_PATH];//新建

  14. // 保存模块信息

  15. MODULEINFO stcModuleInfo = { 0 };

  16. // 遍历模块列表

  17. int nCount = dwBuffSize / sizeof(HMODULE);

  18. for (int i = 0; i < nCount; ++i)

  19. {

  20. // 根据进程句柄和模块句柄,获取模块信息

  21. GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));

  22. GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);

  23. //printf("\n%x\n", (DWORD)stcModuleInfo.SizeOfImage); //模块内存大小

  24. if (strcmp(szBaseName, ModuleName) == 0)

  25. {

  26. delete[] pModuleHandlerArr;// 释放数组

  27. pModuleHandlerArr = nullptr;

  28. return   stcModuleInfo.SizeOfImage;

  29. }

  30. }

  31. return NULL;

  32. }



  33. HMODULE GetModuleBaseX64(DWORD Pid, const TCHAR* ModuleName)

  34. {/*初始化DLL列表*/ // 这个程序不能删除,基础功能



  35. HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);

  36. if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;



  37. DWORD dwBuffSize = 0;

  38. BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);

  39. HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];



  40. bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);



  41. // 模块名称

  42. TCHAR szModuleName[MAX_PATH] = { 0 };

  43. TCHAR szBaseName[MAX_PATH];//新建

  44. // 保存模块信息

  45. MODULEINFO stcModuleInfo = { 0 };

  46. // 遍历模块列表

  47. int nCount = dwBuffSize / sizeof(HMODULE);

  48. for (int i = 0; i < nCount; ++i)

  49. {

  50. // 根据进程句柄和模块句柄,获取模块信息

  51. GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));



  52. // 根据进程句柄和模块句柄,获取模块的路径(包括模块名)

  53. //GetModuleFileNameEx(hProcess, pModuleHandlerArr[i], szModuleName, MAX_PATH); //获取模块的路径

  54. GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);

  55. printf("\n%llx\n", (UINT64)stcModuleInfo.lpBaseOfDll); //获取模块基地址

  56. printf("\n%llx\n", (UINT64)stcModuleInfo.EntryPoint); //获取模块入口地址

  57. printf("\n%llx\n", (UINT64)stcModuleInfo.SizeOfImage); //模块内存大小



  58. if (strcmp(szBaseName, ModuleName) == 0)

  59. {

  60. printf("基地址是:%s\n\n", szBaseName);

  61. printf("基地址是:%llX\n\n", (UINT64)stcModuleInfo.lpBaseOfDll);

  62. delete[] pModuleHandlerArr;// 释放数组

  63. pModuleHandlerArr = nullptr;

  64. return   (HMODULE)stcModuleInfo.lpBaseOfDll;

  65. }

  66. // 基址

  67. //CString szTemp;

  68. //szTemp.Format(L"%08X", stcModuleInfo.lpBaseOfDll);



  69. //// 入口点

  70. //szTemp.Format(L"%08X", stcModuleInfo.EntryPoint);



  71. //// 内存大小

  72. //szTemp.Format(L"%d", stcModuleInfo.SizeOfImage);



  73. //// 模块路径

  74. //szModuleName;



  75. }

  76. return NULL;

  77. }



  78. HMODULE GetModuleBaseAddr(DWORD Pid, CONST TCHAR* moduleName)//获取进程模块入口地址   1.进程pid   2.模块的名称   xxx.exe 或者xxx.dll

  79. {



  80. MODULEENTRY32 moduleEntry;   //模块信息的结构体

  81. HANDLE handle = NULL;

  82. handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid); //   获取进程快照中包含在th32ProcessID中指定的进程的所有的模块

  83. //printf("handle %llX \n", (DWORD)handle);

  84. if (!handle) {                           //handle 类似指针,指向进程模块信息

  85. CloseHandle(handle);

  86. return NULL;

  87. }

  88. ZeroMemory(&moduleEntry, sizeof(MODULEENTRY32)); //清空

  89. moduleEntry.dwSize = sizeof(MODULEENTRY32);

  90. if (!Module32First(handle, &moduleEntry)) {   //结果传到 结构体指针moduleEntry

  91. CloseHandle(handle);

  92. return NULL;

  93. }

  94. do {

  95. if (strcmp(moduleEntry.szModule, moduleName) == 0) {   //wcscmp宽字节比较   moduleEntry.szModule模块名字

  96. //printf("基地址是 %X \n", (DWORD)moduleEntry.hModule);

  97. return moduleEntry.hModule; //返回模块入口地址

  98. }

  99. } while (Module32Next(handle, &moduleEntry));

  100. CloseHandle(handle);

  101. return 0;

  102. }



  103. BOOL EnableSeDebugPrivilege(IN const CHAR*   PriviledgeName, BOOL IsEnable)

  104. {

  105. // 打开权限令牌

  106. HANDLE   ProcessHandle = GetCurrentProcess();

  107. HANDLE   TokenHandle = NULL;

  108. TOKEN_PRIVILEGES TokenPrivileges = { 0 };

  109. if (!OpenProcessToken(ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))

  110. {

  111. return FALSE;

  112. }

  113. LUID v1;

  114. if (!LookupPrivilegeValue(NULL, PriviledgeName, &v1))// 通过权限名称查找uID

  115. {

  116. CloseHandle(TokenHandle);

  117. TokenHandle = NULL;

  118. return FALSE;

  119. }



  120. TokenPrivileges.PrivilegeCount = 1;// 要提升的权限个数

  121. TokenPrivileges.Privileges[0].Attributes = IsEnable == TRUE ? SE_PRIVILEGE_ENABLED : 0;    // 动态数组,数组大小根据Count的数目

  122. TokenPrivileges.Privileges[0].Luid = v1;

  123. if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,

  124. sizeof(TOKEN_PRIVILEGES), NULL, NULL))

  125. {

  126. CloseHandle(TokenHandle);

  127. TokenHandle = NULL;

  128. return FALSE;

  129. }

  130. CloseHandle(TokenHandle);

  131. TokenHandle = NULL;

  132. return TRUE;

  133. }



  134. //==============================================x86x64内存读写wow64函数指针获取=====================================================

  135. LPFN_NTWOW64READVIRTUALMEMORY64       __NtWow64ReadVirtualMemory64;

  136. LPFN_NTWOW64WRITEVIRTUALMEMORY64   __NtWow64WriteVirtualMemory64;

  137. BOOL GetNTWOW64MemoryProcAddress()

  138. {

  139. HMODULE NtdllModuleBase = NULL;

  140. NtdllModuleBase = GetModuleHandle("Ntdll.dll");

  141. if (NtdllModuleBase == NULL)

  142. {

  143. return FALSE;

  144. }

  145. __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,

  146. "NtWow64ReadVirtualMemory64");

  147. printf("__NtWow64ReadVirtualMemory64   %llx\n", (UINT64)__NtWow64ReadVirtualMemory64);

  148. __NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,

  149. "NtWow64WriteVirtualMemory64");

  150. return TRUE;

  151. }



  152. char* UTF8ToUnicode(char* szUTF8)//编码转换,已经修复delet释放bug

  153. {

  154. DWORD wcscLen = MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), NULL, 0);//得到所需空间的大小

  155. wchar_t wszcString[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。溢出数据自己修改

  156. MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), wszcString, wcscLen);   //转换

  157. wszcString[wcscLen] = '\0';

  158. DWORD len = WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL);

  159. static char m_char[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。

  160. WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), m_char, len, NULL, NULL);

  161. m_char[len] = '\0';

  162. return m_char;

  163. }



  164. char* UnicodeToUTF8(wchar_t* wszcString)//编码转换,已经修复 注意内存delet释放bug

  165. {

  166. DWORD utf8Len = ::WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL);    //得到所需空间的大小

  167. static char szUTF8[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。

  168. WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), szUTF8, utf8Len, NULL, NULL);    //转换

  169. szUTF8[utf8Len] = '\0';

  170. return szUTF8;

  171. }



  172. int Wow64ReadInt(ULONG ProcessID, ULONG64 BaseAddress)

  173. {

  174. BOOL     IsWow64 = FALSE;

  175. HANDLE   ProcessHandle = NULL;

  176. int   BufferData = NULL;//=====================ULONG64   BufferData = NULL

  177. ULONG64   ReturnLen = 4;//默认

  178. ULONG64   BufferLen = 4;//默认

  179. if (BaseAddress == NULL)

  180. {

  181. return FALSE;

  182. }

  183. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  184. {

  185. return FALSE;

  186. }

  187. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  188. if (ProcessHandle == NULL)

  189. {

  190. return FALSE;

  191. }



  192. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  193. {

  194. goto Exit;

  195. }

  196. __try

  197. {

  198. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

  199. printf("4字节数据是:%ld\r\n", BufferData);



  200. }

  201. __except (EXCEPTION_EXECUTE_HANDLER)

  202. {

  203. printf("异常\r\n");

  204. goto Exit;

  205. }

  206. Exit:

  207. if (ProcessHandle != NULL)

  208. {

  209. CloseHandle(ProcessHandle);

  210. ProcessHandle = NULL;

  211. }

  212. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  213. return BufferData;

  214. }



  215. char *   Wow64ReadAscii(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度

  216. {

  217. BOOL     IsWow64 = FALSE;

  218. HANDLE   ProcessHandle = NULL;

  219. static char   BufferData[4096] = { 0 };//=====================

  220. ULONG64   ReturnLen = 4;//默认



  221. if (BaseAddress == NULL)

  222. {

  223. return FALSE;

  224. }

  225. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  226. {

  227. return FALSE;

  228. }

  229. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  230. if (ProcessHandle == NULL)

  231. {

  232. return FALSE;

  233. }



  234. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  235. {

  236. goto Exit;

  237. }

  238. __try

  239. {

  240. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len, &ReturnLen);



  241. printf("字符串是:%s \n", BufferData);

  242. }

  243. __except (EXCEPTION_EXECUTE_HANDLER)

  244. {

  245. printf("异常\r\n");

  246. goto Exit;

  247. }

  248. Exit:

  249. if (ProcessHandle != NULL)

  250. {

  251. CloseHandle(ProcessHandle);

  252. ProcessHandle = NULL;

  253. }

  254. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  255. return BufferData;

  256. }



  257. wchar_t *   Wow64ReadUnicode(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度

  258. {

  259. setlocale(LC_ALL, "chs"); // unicode 必加 只有添加这一句下面的打印1,2与调试打印成功

  260. BOOL     IsWow64 = FALSE;

  261. HANDLE   ProcessHandle = NULL;

  262. static wchar_t   BufferData[4096] = { 0 };//=====================

  263. ULONG64   ReturnLen = 4;//默认



  264. if (BaseAddress == NULL)

  265. {

  266. return FALSE;

  267. }

  268. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  269. {

  270. return FALSE;

  271. }

  272. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  273. if (ProcessHandle == NULL)

  274. {

  275. return FALSE;

  276. }



  277. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  278. {

  279. goto Exit;

  280. }

  281. __try

  282. {

  283. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len * 5, &ReturnLen); //unicode编码要乘以2



  284. //printf("字符串是:%s \n", BufferData);

  285. }

  286. __except (EXCEPTION_EXECUTE_HANDLER)

  287. {

  288. printf("异常\r\n");

  289. goto Exit;

  290. }

  291. Exit:

  292. if (ProcessHandle != NULL)

  293. {

  294. CloseHandle(ProcessHandle);

  295. ProcessHandle = NULL;

  296. }

  297. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  298. return BufferData;

  299. }



  300. float Wow64ReadFloat(ULONG ProcessID, ULONG64 BaseAddress)

  301. {

  302. BOOL     IsWow64 = FALSE;

  303. HANDLE   ProcessHandle = NULL;

  304. FLOAT   BufferData = NULL;//=====================

  305. ULONG64   ReturnLen = 4;//默认

  306. ULONG64   BufferLen = 4;//默认

  307. if (BaseAddress == NULL)

  308. {

  309. return FALSE;

  310. }

  311. if (EnableSeDeb



  312. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  313. {

  314. goto Exit;

  315. }

  316. __try

  317. {

  318. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);



  319. printf("单精度数据是:%f \n", BufferData);

  320. }

  321. __except (EXCEPTION_EXECUTE_HANDLER)

  322. {

  323. printf("异常\r\n");

  324. goto Exit;

  325. }

  326. Exit:

  327. if (ProcessHandle != NULL)

  328. {

  329. CloseHandle(ProcessHandle);

  330. ProcessHandle = NULL;

  331. }

  332. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  333. return BufferData;

  334. }



  335. double Wow64ReadDouble(ULONG ProcessID, ULONG64 BaseAddress)

  336. {

  337. BOOL     IsWow64 = FALSE;

  338. HANDLE   ProcessHandle = NULL;

  339. DOUBLE   BufferData = NULL;//=====================

  340. ULONG64   ReturnLen = 8;//默认

  341. ULONG64   BufferLen = 8;//默认

  342. if (BaseAddress == NULL)

  343. {

  344. return FALSE;

  345. }

  346. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  347. {

  348. return FALSE;

  349. }

  350. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  351. if (ProcessHandle == NULL)

  352. {

  353. return FALSE;

  354. }



  355. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  356. {

  357. goto Exit;

  358. }

  359. __try

  360. {

  361. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

  362. printf("浮点数数据是:%lf \n", BufferData);

  363. }

  364. __except (EXCEPTION_EXECUTE_HANDLER)

  365. {

  366. printf("异常\r\n");

  367. goto Exit;

  368. }

  369. Exit:

  370. if (ProcessHandle != NULL)

  371. {

  372. CloseHandle(ProcessHandle);

  373. ProcessHandle = NULL;

  374. }

  375. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  376. return BufferData;

  377. }



  378. LONG64 Wow64ReadInt64(ULONG ProcessID, ULONG64 BaseAddress)

  379. {

  380. BOOL     IsWow64 = FALSE;

  381. HANDLE   ProcessHandle = NULL;

  382. ULONG64   BufferData = NULL;//=====================

  383. ULONG64   ReturnLen = 8;//默认

  384. ULONG64   BufferLen = 8;//默认

  385. if (BaseAddress == NULL)

  386. {

  387. return FALSE;

  388. }

  389. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  390. {

  391. return FALSE;

  392. }

  393. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  394. if (ProcessHandle == NULL)

  395. {

  396. return FALSE;

  397. }



  398. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  399. {

  400. goto Exit;

  401. }

  402. __try

  403. {

  404. NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

  405. printf("8字节数据是:%lld\r\n", BufferData);



  406. }

  407. __except (EXCEPTION_EXECUTE_HANDLER)

  408. {

  409. printf("异常\r\n");

  410. goto Exit;

  411. }

  412. Exit:

  413. if (ProcessHandle != NULL)

  414. {

  415. CloseHandle(ProcessHandle);

  416. ProcessHandle = NULL;

  417. }

  418. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  419. return BufferData;

  420. }



  421. BOOL Wow64WriteInt(ULONG ProcessID, ULONG64 BaseAddress, INT Value)

  422. {

  423. BOOL     IsWow64 = FALSE;

  424. HANDLE   ProcessHandle = NULL;

  425. ULONG64   ReturnLen = 4;//默认

  426. ULONG64   BufferLen = 4;//默认

  427. if (BaseAddress == NULL)

  428. {

  429. return FALSE;

  430. }

  431. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  432. {

  433. return FALSE;

  434. }

  435. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);



  436. __except (EXCEPTION_EXECUTE_HANDLER)

  437. {

  438. printf("异常\r\n");

  439. goto Exit;

  440. }

  441. Exit:

  442. if (ProcessHandle != NULL)

  443. {

  444. CloseHandle(ProcessHandle);

  445. ProcessHandle = NULL;

  446. }

  447. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  448. return TRUE;

  449. }



  450. BOOL Wow64WriteFloat(ULONG ProcessID, ULONG64 BaseAddress, FLOAT Value)

  451. {

  452. BOOL     IsWow64 = FALSE;

  453. HANDLE   ProcessHandle = NULL;

  454. ULONG64   ReturnLen = 4;//默认

  455. ULONG64   BufferLen = 4;//默认

  456. if (BaseAddress == NULL)

  457. {

  458. return FALSE;

  459. }

  460. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  461. {

  462. return FALSE;

  463. }

  464. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  465. if (ProcessHandle == NULL)

  466. {

  467. return FALSE;

  468. }

  469. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  470. {

  471. goto Exit;

  472. }

  473. __try

  474. {

  475. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);

  476. }

  477. __except (EXCEPTION_EXECUTE_HANDLER)

  478. {

  479. printf("异常\r\n");

  480. goto Exit;

  481. }

  482. Exit:

  483. if (ProcessHandle != NULL)

  484. {

  485. CloseHandle(ProcessHandle);

  486. ProcessHandle = NULL;

  487. }

  488. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  489. return TRUE;

  490. }



  491. BOOL Wow64WriteDouble(ULONG ProcessID, ULONG64 BaseAddress, DOUBLE Value)

  492. {

  493. BOOL     IsWow64 = FALSE;

  494. HANDLE   ProcessHandle = NULL;

  495. ULONG64   ReturnLen = 8;//默认

  496. ULONG64   BufferLen = 8;//默认

  497. if (BaseAddress == NULL)

  498. {

  499. return FALSE;

  500. }

  501. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  502. {

  503. return FALSE;

  504. }

  505. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  506. if (ProcessHandle == NULL)

  507. {

  508. return FALSE;

  509. }

  510. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  511. {

  512. goto Exit;

  513. }

  514. __try

  515. {

  516. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);

  517. }

  518. __except (EXCEPTION_EXECUTE_HANDLER)

  519. {

  520. printf("异常\r\n");

  521. goto Exit;

  522. }

  523. Exit:

  524. if (ProcessHandle != NULL)

  525. {

  526. CloseHandle(ProcessHandle);

  527. ProcessHandle = NULL;

  528. }

  529. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  530. return TRUE;

  531. }



  532. BOOL Wow64WriteInt64(ULONG ProcessID, ULONG64 BaseAddress, INT64 Value)

  533. {

  534. BOOL     IsWow64 = FALSE;

  535. HANDLE   ProcessHandle = NULL;

  536. ULONG64   ReturnLen = 8;//默认

  537. ULONG64   BufferLen = 8;//默认

  538. if (BaseAddress == NULL)

  539. {

  540. return FALSE;

  541. }

  542. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  543. {

  544. return FALSE;

  545. }

  546. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  547. if (ProcessHandle == NULL)

  548. {

  549. return FALSE;

  550. }

  551. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  552. {

  553. goto Exit;

  554. }

  555. __try

  556. {

  557. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);



  558. }

  559. __except (EXCEPTION_EXECUTE_HANDLER)

  560. {

  561. printf("异常\r\n");

  562. goto Exit;

  563. }

  564. Exit:

  565. if (ProcessHandle != NULL)

  566. {

  567. CloseHandle(ProcessHandle);

  568. ProcessHandle = NULL;

  569. }

  570. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  571. return TRUE;

  572. }



  573. BOOL Wow64WriteAscii(ULONG ProcessID, ULONG64 BaseAddress, const char* Value)

  574. {

  575. BOOL     IsWow64 = FALSE;

  576. HANDLE   ProcessHandle = NULL;

  577. ULONG64   ReturnLen = NULL;//默认

  578. ULONG64   BufferLen = strlen(Value);//获取字符串长度

  579. //printf("BufferLen   %d\n", BufferLen);

  580. if (BaseAddress == NULL)

  581. {

  582. return FALSE;

  583. }

  584. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  585. {

  586. return FALSE;

  587. }

  588. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  589. if (ProcessHandle == NULL)

  590. {

  591. return FALSE;

  592. }

  593. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  594. {

  595. goto Exit;

  596. }

  597. __try

  598. {

  599. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别



  600. }

  601. __except (EXCEPTION_EXECUTE_HANDLER)

  602. {

  603. printf("异常\r\n");

  604. goto Exit;

  605. }

  606. Exit:

  607. if (ProcessHandle != NULL)

  608. {

  609. CloseHandle(ProcessHandle);

  610. ProcessHandle = NULL;

  611. }

  612. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  613. return TRUE;

  614. }



  615. BOOL Wow64WriteUTF8(ULONG ProcessID, UINT64 BaseAddress, const wchar_t   * GBK_Str)//为了兼容,写入的是unicode,函数内部会进行转换操作的。

  616. {

  617. BOOL     IsWow64 = FALSE; //64位程序备用

  618. HANDLE   ProcessHandle = NULL;

  619. ULONG64   ReturnLen = NULL;//默认

  620. char strUTF8[4096] = { 0 };

  621. char *unGunG = UnicodeToUTF8((wchar_t*)GBK_Str);

  622. size_t   BufferLen = strlen(unGunG);//获取字符串长度   宽字符用 wcslen

  623. RtlMoveMemory(strUTF8, unGunG, BufferLen);

  624. //printf("BufferLen   %lld\n", BufferLen);

  625. if (BaseAddress == NULL)

  626. {

  627. return FALSE;

  628. }

  629. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  630. {

  631. return FALSE;

  632. }

  633. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  634. if (ProcessHandle == NULL)

  635. {

  636. return FALSE;

  637. }

  638. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  639. {

  640. goto Exit;

  641. }

  642. __try

  643. {

  644. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &strUTF8, BufferLen, &ReturnLen);//32位和64位区别



  645. }

  646. __except (EXCEPTION_EXECUTE_HANDLER)

  647. {

  648. printf("异常\r\n");

  649. goto Exit;

  650. }

  651. Exit:

  652. if (ProcessHandle != NULL)

  653. {

  654. CloseHandle(ProcessHandle);

  655. ProcessHandle = NULL;

  656. }

  657. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  658. return TRUE;

  659. }



  660. BOOL Wow64WriteUnicode(ULONG ProcessID, UINT64 BaseAddress, const wchar_t * Value)

  661. {

  662. BOOL     IsWow64 = FALSE;

  663. HANDLE   ProcessHandle = NULL;

  664. UINT64   ReturnLen = NULL;//默认

  665. UINT64   BufferLen = wcslen(Value) * 2;//获取字符串长度   宽字符用 wcslen

  666. printf("BufferLen   %lld\n", BufferLen);

  667. if (BaseAddress == NULL)

  668. {

  669. return FALSE;

  670. }

  671. if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

  672. {

  673. return FALSE;

  674. }

  675. ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

  676. if (ProcessHandle == NULL)

  677. {

  678. return FALSE;

  679. }

  680. if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

  681. {

  682. goto Exit;

  683. }

  684. __try

  685. {

  686. __NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别



  687. }

  688. __except (EXCEPTION_EXECUTE_HANDLER)

  689. {

  690. printf("异常\r\n");

  691. goto Exit;

  692. }

  693. Exit:

  694. if (ProcessHandle != NULL)

  695. {

  696. CloseHandle(ProcessHandle);

  697. ProcessHandle = NULL;

  698. }

  699. EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

  700. return TRUE;

  701. }



  702. //===============================x86   r3层普通API 内存读写=================================================

  703. BOOL WriteInt64(DWORD ProcessID, UINT64 Addr, __int64 Value)

  704. {

  705. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  706. if (Process_handle == NULL)

  707. {

  708. printf("获取进程句柄失败\n");

  709. }

  710. else

  711. {

  712. printf("获取进程句柄成功\n");

  713. }

  714. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

  715. CloseHandle(Process_handle);

  716. return ret;

  717. }



  718. BOOL WriteInt(DWORD ProcessID, UINT64 Addr, int Value)

  719. {

  720. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  721. if (Process_handle == NULL)

  722. {

  723. printf("获取进程句柄失败\n");

  724. }

  725. else

  726. {

  727. printf("获取进程句柄成功\n");

  728. }



  729. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);

  730. CloseHandle(Process_handle);

  731. return ret;

  732. }



  733. BOOL WriteShort(DWORD ProcessID, UINT64 Addr, short Value) //2字节整数

  734. {

  735. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  736. if (Process_handle == NULL)

  737. {

  738. printf("获取进程句柄失败\n");

  739. }

  740. else

  741. {

  742. //printf("获取进程句柄成功\n");

  743. }

  744. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);

  745. CloseHandle(Process_handle);

  746. return ret;

  747. }





  748. bool WriteData(DWORD ProcessID, UINT64   Addr, byte byteArr[]) //写入字节集   "1d   80 66 a2"

  749. {

  750. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  751. if (Process_handle == NULL)

  752. {

  753. printf("获取进程句柄失败\n");

  754. }

  755. else

  756. {

  757. printf("获取进程句柄成功\n");

  758. }



  759. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, byteArr, sizeof(byteArr), NULL);//strlen字符长度

  760. CloseHandle(Process_handle);

  761. return ret;

  762. }







  763. BOOL WriteByte(DWORD ProcessID, UINT64 Addr, byte Value)

  764. {

  765. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  766. if (Process_handle == NULL)

  767. {

  768. printf("获取进程句柄失败\n");

  769. }

  770. else

  771. {

  772. //printf("获取进程句柄成功\n");

  773. }

  774. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);

  775. CloseHandle(Process_handle);

  776. return ret;

  777. }

  778. //

  779. BOOL WriteFloat(DWORD ProcessID, UINT64 Addr, float Value)

  780. {

  781. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  782. if (Process_handle == NULL)

  783. {

  784. printf("获取进程句柄失败\n");

  785. }

  786. else

  787. {

  788. //printf("获取进程句柄成功\n");

  789. }

  790. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);

  791. CloseHandle(Process_handle);

  792. return ret;

  793. }



  794. BOOL WriteDouble(DWORD ProcessID, UINT64 Addr, double Value)

  795. {

  796. //printf("打印输出进程pid :%x \n", game_pid);

  797. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  798. if (Process_handle == NULL)

  799. {

  800. printf("获取进程句柄失败\n");

  801. }

  802. else

  803. {

  804. printf("获取进程句柄成功\n");

  805. }

  806. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

  807. CloseHandle(Process_handle);

  808. return ret;

  809. }



  810. BOOL WriteAcsii(DWORD ProcessID, UINT64 Addr, const   char * str)

  811. {

  812. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  813. if (Process_handle == NULL)

  814. {

  815. printf("获取进程句柄失败\n");

  816. }

  817. else

  818. {

  819. printf("获取进程句柄成功\n");

  820. }

  821. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, strlen(str), NULL);//strlen字符长度

  822. CloseHandle(Process_handle);

  823. return ret;

  824. }



  825. BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, const wchar_t * str)

  826. {

  827. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  828. if (Process_handle == NULL)

  829. {

  830. printf("获取进程句柄失败\n");

  831. }

  832. else

  833. {

  834. printf("获取进程句柄成功\n");

  835. }

  836. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2

  837. CloseHandle(Process_handle);

  838. return ret;

  839. }



  840. BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, wchar_t * str)

  841. {

  842. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  843. if (Process_handle == NULL)

  844. {

  845. printf("获取进程句柄失败\n");

  846. }

  847. else

  848. {

  849. printf("获取进程句柄成功\n");

  850. }

  851. BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2

  852. //printf("iiiiiiiiiii    %d\n", sizeof(str));

  853. CloseHandle(Process_handle);

  854. return ret;

  855. }







  856. DWORD GetPidByHwnd(HWND hwnd)

  857. {

  858. DWORD Pid = NULL;

  859. GetWindowThreadProcessId(hwnd, &Pid); //lpdword指针类型

  860. return   Pid;

  861. }



  862. DWORD FloatToDword(float value)//单浮点数转整数

  863. {

  864. DWORD   val = NULL;

  865. memcpy(&val, &value, 4);

  866. return val;

  867. }



  868. UINT64 DoubleToDword(double value)//双浮点数转整数

  869. {

  870. UINT64   val = NULL;

  871. memcpy(&val, &value, 8);

  872. return val;

  873. }



  874. int Int64To32(__int64 value)//部分接口

  875. {

  876. DWORD   val = NULL;

  877. memcpy(&val, &value, 4);

  878. return val;

  879. }



  880. int DwordToInt(DWORD value)//无符号转有符号

  881. {

  882. int   val = NULL;

  883. memcpy(&val, &value, 4);

  884. return val;

  885. }



  886. DWORD IntToDword(int value)//无符号转有符号

  887. {

  888. DWORD   val = NULL;

  889. memcpy(&val, &value, 4);

  890. return val;

  891. }



  892. BOOL WriteIntEx(DWORD ProcessID, UINT64 Addr, __int64 Value, int NumByte)

  893. {

  894. HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

  895. if (Process_handle == NULL)

  896. printf("获取进程句柄失败\n");

  897. else

  898. printf("获取进程句柄成功\n");

  899. BOOL ret = NULL;

  900. if (NumByte == 4)

  901. {

  902. int   real_val = (int)Value;

  903. ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 4, NULL);

  904. }

  905. else if (NumByte == 2)

  906. {

  907. short   real_val = (short)Value;

  908. ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 2, NULL);

  909. }

  910. else if (NumByte == 1)

  911. {

  912. short   real_val = (short)Value;

  913. ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 1, NULL);

  914. }

  915. else if (NumByte == 8)

  916. {

  917. ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

  918. }

  919. CloseHandle(Process_handle);

  920. return ret;

  921. }





  922. byte* ReadByteArray(DWORD ProcessID, UINT64   addr, DWORD size) //写入4字节整数

  923. {

  924. byte *Value = NULL;

  925. HANDLE Hprocess = NULL;

  926. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  927. if (Hprocess == 0)

  928. printf("打开进程失败!\n");

  929. else

  930. {

  931. printf("打开进程成功!\n");

  932. ReadProcessMemory(Hprocess, (LPVOID)(addr), Value, size, NULL);//注意参数 4字节

  933. }

  934. CloseHandle(Hprocess);//关闭进程句柄

  935. return Value;

  936. }













  937. byte ReadByte(DWORD ProcessID, UINT64   addr) //写入4字节整数

  938. {

  939. byte Value = NULL;

  940. HANDLE Hprocess = NULL;

  941. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  942. if (Hprocess == 0)

  943. printf("打开进程失败!\n");

  944. else

  945. {

  946. printf("打开进程成功!\n");

  947. ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 1, NULL);//注意参数 4字节

  948. }

  949. CloseHandle(Hprocess);//关闭进程句柄

  950. return Value;

  951. }



  952. short ReadShort(DWORD ProcessID, UINT64   addr) //写入4字节整数

  953. {

  954. short Value = NULL;

  955. HANDLE Hprocess = NULL;

  956. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  957. if (Hprocess == 0)

  958. printf("打开进程失败!\n");

  959. else

  960. {

  961. printf("打开进程成功!\n");

  962. ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 2, NULL);//注意参数 4字节

  963. }

  964. CloseHandle(Hprocess);//关闭进程句柄

  965. return Value;

  966. }



  967. int ReadInt(DWORD ProcessID, UINT64   addr) //写入4字节整数

  968. {

  969. int Value = NULL;

  970. HANDLE Hprocess = NULL;

  971. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  972. if (Hprocess == 0)

  973. printf("打开进程失败!\n");

  974. else

  975. {

  976. printf("打开进程成功!\n");

  977. ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节

  978. }

  979. CloseHandle(Hprocess);//关闭进程句柄

  980. return Value;

  981. }



  982. DWORD ReadDword(DWORD ProcessID, UINT64   addr) //写入4字节整数

  983. {

  984. DWORD Value = NULL;

  985. HANDLE Hprocess = NULL;

  986. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  987. if (Hprocess == 0)

  988. printf("打开进程失败!\n");

  989. else

  990. {

  991. printf("打开进程成功!\n");

  992. ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节



  993. }

  994. CloseHandle(Hprocess);//关闭进程句柄

  995. return Value;

  996. }



  997. __int64 ReadInt64(DWORD ProcessID, UINT64   addr) //写入8字节整数,地址还是4字节

  998. {

  999. __int64 Value = NULL;

  1000. HANDLE Hprocess = NULL;

  1001. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1002. if (Hprocess == 0)

  1003. printf("打开进程失败!\n");

  1004. else

  1005. {

  1006. printf("打开进程成功!\n");

  1007. ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 8, NULL);//注意参数 4字节



  1008. }

  1009. CloseHandle(Hprocess);//关闭进程句柄

  1010. return Value;

  1011. }







  1012. UINT64 MemoryVirtualAllocEx(DWORD ProcessID, DWORD Len) //远程申请内存空间

  1013. {

  1014. HANDLE Hprocess = NULL;

  1015. LPVOID   Addr = NULL;

  1016. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1017. Addr = VirtualAllocEx(Hprocess, NULL, Len, MEM_COMMIT, PAGE_READWRITE);

  1018. CloseHandle(Hprocess);//关闭进程句柄

  1019. return (UINT64)Addr;

  1020. }





  1021. void * ReadAscii(DWORD ProcessID, UINT64   addr, DWORD Len) //写入8字节整数,地址还是4字节

  1022. {

  1023. static char   Value[1024] = { 0 };

  1024. char ByteBuffer = NULL;

  1025. HANDLE Hprocess = NULL;

  1026. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1027. if (Hprocess == 0)

  1028. printf("打开进程失败!\n");

  1029. else

  1030. {

  1031. printf("打开进程成功!\n");



  1032. for (size_t i = 0; i < 1024; i++)//遍历长度,上限1024

  1033. {

  1034. ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ByteBuffer, 1, NULL);//注意参数 4字节

  1035. //printf("遍历I数值!   %d   \n", i);

  1036. if (ByteBuffer == 0)

  1037. {

  1038. if (Len == 0)//如果是0自动长度

  1039. {

  1040. ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, i + 1, NULL); //   字节\0

  1041. break;



  1042. }

  1043. else {

  1044. ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, Len, NULL); //   字节\0

  1045. break;

  1046. }



  1047. }



  1048. }

  1049. }

  1050. CloseHandle(Hprocess);//关闭进程句柄

  1051. return Value;

  1052. }



  1053. wchar_t * ReadUnicode(DWORD ProcessID, UINT64   addr, DWORD Len) //控制台程序不支持unicode打印输出

  1054. {

  1055. static wchar_t   StrValue[1024] = { 0 };

  1056. wchar_t ShortBuffer = NULL;

  1057. HANDLE Hprocess = NULL;

  1058. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1059. if (Hprocess == 0)

  1060. printf("打开进程失败!\n");

  1061. else

  1062. {

  1063. printf("打开进程成功!\n");



  1064. for (size_t i = 0; i < 1024; i = i + 2)//遍历长度,上限1024

  1065. {

  1066. ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ShortBuffer, 2, NULL);//注意参数 4字节

  1067. if (ShortBuffer == '\0')

  1068. {

  1069. if (Len == 0)//如果是0自动长度

  1070. {

  1071. ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, i + 2, NULL); //   字节\0

  1072. printf("打印    %ls   \n", StrValue);

  1073. //printf("打印i   :   %d   \n", i);

  1074. break;

  1075. }

  1076. else {

  1077. ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, Len, NULL); //   字节\0

  1078. break;

  1079. }

  1080. }

  1081. }

  1082. }

  1083. CloseHandle(Hprocess);//关闭进程句柄

  1084. return StrValue;

  1085. }



  1086. int ReadIntEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

  1087. {

  1088. int Value = NULL;

  1089. HANDLE Hprocess = NULL;

  1090. DWORD nBuffer = NULL;

  1091. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1092. if (Hprocess != 0)

  1093. {

  1094. ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节

  1095. for (size_t i = 0; i < Num; i++)//word占2字节

  1096. {

  1097. ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节

  1098. }

  1099. }

  1100. else printf("打开进程失败!\n");

  1101. CloseHandle(Hprocess);//关闭进程句柄

  1102. return Value;

  1103. }



  1104. float ReadFloatEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

  1105. {

  1106. UINT64 Value = NULL;

  1107. HANDLE Hprocess = NULL;

  1108. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1109. if (Hprocess != 0)

  1110. {

  1111. ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节

  1112. for (size_t i = 0; i < Num; i++)//word占2字节

  1113. {

  1114. //printf("str       %lld\n", Value);

  1115. ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节

  1116. }

  1117. }

  1118. else printf("打开进程失败!\n");

  1119. CloseHandle(Hprocess);//关闭进程句柄

  1120. return (float)Value;

  1121. }



  1122. double ReadDoubleEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

  1123. {

  1124. double ValueDouble = NULL;

  1125. HANDLE Hprocess = NULL;

  1126. UINT64 nBuffer = NULL;

  1127. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1128. if (Hprocess != 0)

  1129. {

  1130. ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节

  1131. DWORD   i = NULL;

  1132. for (i = 0; i < Num - 1; i++)//word占2字节

  1133. {

  1134. ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节

  1135. /*printf("double       %x\n", OffsetArray[i]);*/

  1136. }

  1137. ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &ValueDouble, 8, NULL);//Value64最终结果

  1138. }

  1139. else printf("打开进程失败!\n");

  1140. CloseHandle(Hprocess);//关闭进程句柄

  1141. return ValueDouble;

  1142. }



  1143. __int64 ReadIntEx64(DWORD ProcessID, UINT64   BaseAddr, DWORD OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

  1144. {

  1145. __int64 value64 = NULL;

  1146. HANDLE Hprocess = NULL;

  1147. UINT64 nBuffer = NULL;

  1148. Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1149. if (Hprocess != 0)

  1150. {

  1151. ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节

  1152. DWORD   i = NULL;

  1153. for (i = 0; i < Num - 1; i++)//word占2字节

  1154. {

  1155. ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节

  1156. /*printf("double       %x\n", OffsetArray[i]);*/

  1157. }

  1158. ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &value64, 8, NULL);//Value64最终结果

  1159. }

  1160. else printf("打开进程失败!\n");

  1161. CloseHandle(Hprocess);//关闭进程句柄

  1162. return value64;

  1163. }



  1164. int EnableDebugPriv(const char *name)

  1165. {

  1166. HANDLE hToken;        //进程令牌句柄

  1167. TOKEN_PRIVILEGES tp;   //TOKEN_PRIVILEGES结构体,其中包含一个【类型+操作】的权限数组

  1168. LUID luid;           //上述结构体中的类型值

  1169. //打开进程令牌环

  1170. //GetCurrentProcess()获取当前进程的伪句柄,只会指向当前进程或者线程句柄,随时变化

  1171. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))

  1172. {

  1173. fprintf(stderr, "OpenProcessToken error\n");

  1174. return -1;

  1175. }

  1176. //获得本地进程name所代表的权限类型的局部唯一ID

  1177. if (!LookupPrivilegeValue(NULL, name, &luid))

  1178. {

  1179. fprintf(stderr, "LookupPrivilegeValue error\n");

  1180. }



  1181. tp.PrivilegeCount = 1;                               //权限数组中只有一个“元素”

  1182. tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;   //权限操作

  1183. tp.Privileges[0].Luid = luid;                        //权限类型



  1184. //调整进程权限

  1185. if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))

  1186. {

  1187. fprintf(stderr, "AdjustTokenPrivileges error!\n");

  1188. return -1;

  1189. }

  1190. return 0;

  1191. }





  1192. DWORD   GetPidByName(const char * ProcessName) //根据进程名字获取进程ID

  1193. {

  1194. HANDLE ProcessAll = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

  1195. PROCESSENTRY32 processInfo = { 0 };

  1196. processInfo.dwSize = sizeof(PROCESSENTRY32);

  1197. do {

  1198. if (strcmp(ProcessName, processInfo.szExeFile) == 0) {

  1199. return processInfo.th32ProcessID;

  1200. }



  1201. } while (Process32Next(ProcessAll, &processInfo));

  1202. return NULL;

  1203. }

  1204. //======================================注入==========================

  1205. VOID InjectDll(const CHAR pathStr[0x1000], const CHAR ProcessName[256])

  1206. {

  1207. //CHAR   pathStr[0x1000] = { "K:\\我的文档\\visual studio 2012\\Projects\\InjectChat\\Debug\\WeChatDll.dll" };

  1208. DWORD PID = GetPidByName((CHAR*)ProcessName);

  1209. if (PID == 0)

  1210. {

  1211. MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);

  1212. return;

  1213. }



  1214. HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);

  1215. if (hProcsee == NULL) {

  1216. MessageBox(NULL, "没有找到微信进程", "错误", 0);

  1217. return;

  1218. }



  1219. LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, strlen(pathStr), MEM_COMMIT, PAGE_READWRITE);

  1220. if (dllAdd == NULL) {

  1221. MessageBox(NULL, "内存写入", "错误", 0);

  1222. }

  1223. if (WriteProcessMemory(hProcsee, dllAdd, pathStr, strlen(pathStr), NULL) == 0) {

  1224. MessageBox(NULL, "内存写入", "错误", 0);

  1225. return;

  1226. }



  1227. HMODULE K32 = GetModuleHandle("Kernel32.dll");

  1228. LPVOID LoadAdd = GetProcAddress(K32, "LoadLibraryA");

  1229. HANDLE exec = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)LoadAdd, dllAdd, 0, NULL);

  1230. if (NULL == exec) {

  1231. MessageBox(NULL, "远程注入失败", "错误", 0);

  1232. return;

  1233. }

  1234. WaitForSingleObject(exec, INFINITE);

  1235. CloseHandle(hProcsee);

  1236. }



  1237. VOID InjectSellCode(DWORD processid, BYTE SellCode[]) //注入硬编码 shellcode

  1238. {

  1239. EnableDebugPriv(SE_DEBUG_NAME); //提高进程权限

  1240. if (processid == 0)

  1241. {

  1242. MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);

  1243. return;

  1244. }



  1245. HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processid); //打开目的程序,获取游戏权限   PROCESS_ALL_ACCESS获取所有权限

  1246. if (hProcsee == NULL) {

  1247. MessageBox(NULL, "没有找到微信进程", "错误", 0);

  1248. return;

  1249. }



  1250. LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//向游戏申请内存空间

  1251. if (dllAdd == NULL) {

  1252. MessageBox(NULL, "内存申请失败", "0", 0);

  1253. }





  1254. if (WriteProcessMemory(hProcsee, dllAdd, SellCode, 1023, NULL) == 0) {       //讲shellcode内存写入到游戏里面

  1255. MessageBox(NULL, "内存写入", "错误", 0);

  1256. return;

  1257. }



  1258. TRACE("申请的内存空间是 %x\n", dllAdd);



  1259. HANDLE ThreadHandle = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)dllAdd, NULL, 0, NULL); //远程 创建线程   返回值是线程句柄

  1260. if (NULL == ThreadHandle) {

  1261. MessageBox(NULL, "远程注入失败", "错误", 0);

  1262. return;

  1263. }



  1264. WaitForSingleObject(ThreadHandle, INFINITE); //等到我线程代码执行完成之后,再返回,否则一直在等待   1秒=1000毫秒。 大量代码注入的

  1265. CloseHandle(ThreadHandle); ///释放线程句柄

  1266. CloseHandle(hProcsee); //关闭临时进程句柄        临时的指针



  1267. }



  1268. BOOL UnloadDll(DWORD dwPid, CHAR   strDllName[256])

  1269. {

  1270. //获取宿主进程的句柄,注意那几个参数,不然会出错

  1271. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,

  1272. FALSE, dwPid);

  1273. if (hProcess == NULL) {

  1274. ::MessageBox(NULL, "无法获取进程句柄", "错误", MB_OK | MB_ICONERROR);

  1275. return FALSE;

  1276. }



  1277. DWORD   dwSize = 0;

  1278. ULONG64   dwWritten = 0;

  1279. DWORD   dwHandle = 0;



  1280. dwSize = sizeof(strDllName) + 1;//dll的全路径名的长度,待会分配内存要用到的



  1281. //向宿主进程分配内存,返回一个指针

  1282. LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);



  1283. //如果在宿主进程空间写失败就直接报错闪人

  1284. if (!WriteProcessMemory(hProcess, lpBuf, strDllName, dwSize, (SIZE_T*)&dwWritten))

  1285. {

  1286. VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);

  1287. CloseHandle(hProcess);

  1288. MessageBox(NULL, "在目标进程中写入失败", "错误", MB_OK | MB_ICONERROR);

  1289. return FALSE;

  1290. }



  1291. //获取GetModuleHandleA函数地址

  1292. LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA");



  1293. //在宿主进程中创建一个远程线程,线程函数为上面导出的GetModuleHandleA,参数为lpBuf指针,还

  1294. //记得我们获取的dll全路径不

  1295. HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,

  1296. lpBuf, 0, NULL);

  1297. //如果创建线程失败,直接报错闪人

  1298. if (hThread == NULL) {

  1299. CloseHandle(hProcess);

  1300. ::MessageBox(NULL, "在目标进程创建远程线程失败", "错误", MB_OK | MB_ICONERROR);

  1301. return FALSE;

  1302. }



  1303. //   等待GetModuleHandle运行完毕   

  1304. WaitForSingleObject(hThread, INFINITE);

  1305. //   获得GetModuleHandle的返回值   

  1306. GetExitCodeThread(hThread, &dwHandle);



  1307. //   释放目标进程中申请的空间   

  1308. VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);

  1309. CloseHandle(hThread);



  1310. //   使目标进程调用FreeLibraryAndExit,卸载DLL,实际也可以用FreeLibrary,但是我发现前者好一点

  1311. pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");

  1312. hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, (LPVOID)dwHandle, 0, NULL);

  1313. //   等待FreeLibraryAndExitThread执行完毕   

  1314. WaitForSingleObject(hThread, INFINITE);

  1315. CloseHandle(hThread);

  1316. CloseHandle(hProcess);



  1317. return TRUE;   //操作成功

  1318. }



  1319. //提升进程访问权限

  1320. bool enableDebugPriv()

  1321. {

  1322. HANDLE   hToken;

  1323. LUID    sedebugnameValue;

  1324. TOKEN_PRIVILEGES tkp;

  1325. if (!OpenProcessToken(GetCurrentProcess(),

  1326. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)

  1327. )

  1328. {

  1329. return false;

  1330. }

  1331. if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))

  1332. {

  1333. CloseHandle(hToken);

  1334. return false;

  1335. }

  1336. tkp.PrivilegeCount = 1;

  1337. tkp.Privileges[0].Luid = sedebugnameValue;

  1338. tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  1339. if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))

  1340. {

  1341. CloseHandle(hToken);

  1342. return false;

  1343. }

  1344. return true;

  1345. }

  1346. //======================================结尾部分

  1347. HANDLE GetModule()

  1348. {

  1349. HANDLE hProcess;                        //进程句柄

  1350. HANDLE hModule;                         //模块句柄

  1351. BOOL bProcess = FALSE;                  //获取进程信息的函数返回值

  1352. BOOL bModule = FALSE;                   //获取模块信息的函数返回值

  1353. PROCESSENTRY32 pe32;                    //保存进程信息

  1354. MODULEENTRY32   me32;                    //保存模块信息



  1355. int i = 0;

  1356. int j = 0;



  1357. //获取进程调试权限,如果失败,则提示获取权限失败,失败的话,有的进程信息就会获取不到

  1358. if (EnableDebugPriv(SE_DEBUG_NAME))

  1359. {

  1360. fprintf(stderr, "Add Privilege error\n");

  1361. }



  1362. hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);//获取进程快照

  1363. if (hProcess == INVALID_HANDLE_VALUE)

  1364. {

  1365. printf("获取进程快照失败\n");

  1366. exit(1);

  1367. }



  1368. bProcess = Process32First(hProcess, &pe32);              //获取第一个进程信息

  1369. while (bProcess)                                         //循环获取其余进程信息

  1370. {

  1371. printf("%d :\t Father's PID(%d)\tPID(%d)\t%s\n", i, pe32.th32ParentProcessID, pe32.th32ProcessID, pe32.szExeFile);

  1372. i++;

  1373. j = 0;

  1374. if (0 != pe32.th32ParentProcessID)                   //获取进程PID不为0的模块信息

  1375. {

  1376. hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32.th32ProcessID);   //获取模块快照

  1377. if (hModule != INVALID_HANDLE_VALUE)

  1378. {

  1379. bModule = Module32First(hModule, &me32);      //获取第一个模块信息,即进程相应可执行文件的信息

  1380. while (bModule)

  1381. {

  1382. printf("模块:\n%d\t%s\n", j, me32.szExePath);

  1383. j++;

  1384. bModule = Module32Next(hModule, &me32);   //获取其他模块信息

  1385. }

  1386. CloseHandle(hModule);

  1387. }

  1388. }



  1389. bProcess = Process32Next(hProcess, &pe32);           //继续获取其他进程信息

  1390. printf("\n\n");

  1391. getchar();

  1392. }



  1393. CloseHandle(hProcess);

  1394. return 0;

  1395. }



  1396. PVOID GetRemoteProcAddress32(HANDLE hProc, HMODULE hModule, LPCSTR lpProcName)//这个函数只支持32位的

  1397. {

  1398. PVOID pAddress = NULL;

  1399. SIZE_T OptSize;

  1400. IMAGE_DOS_HEADER DosHeader;

  1401. SIZE_T ProcNameLength = lstrlenA(lpProcName) + sizeof(CHAR);//'\0'  



  1402. //读DOS头  

  1403. if (ReadProcessMemory(hProc, hModule, &DosHeader, sizeof(DosHeader), &OptSize))

  1404. {

  1405. IMAGE_NT_HEADERS NtHeader;



  1406. //读NT头  

  1407. if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + DosHeader.e_lfanew), &NtHeader, sizeof(NtHeader), &OptSize))

  1408. {

  1409. IMAGE_EXPORT_DIRECTORY ExpDir;

  1410. SIZE_T ExportVirtualAddress = NtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;



  1411. //读输出表  

  1412. if (ExportVirtualAddress && ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExportVirtualAddress), &ExpDir, sizeof(ExpDir), &OptSize))

  1413. {



  1414. if (ExpDir.NumberOfFunctions)

  1415. {



  1416. //x64待定:地址数组存放RVA的数据类型是4字节还是8字节???  

  1417. SIZE_T *pProcAddressTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfFunctions * sizeof(SIZE_T));



  1418. //读函数地址表  

  1419. if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfFunctions), pProcAddressTable, ExpDir.NumberOfFunctions * sizeof(PVOID), &OptSize))

  1420. {

  1421. //x64待定:名称数组存放RVA的数据类型是4字节还是8字节???  

  1422. SIZE_T *pProcNamesTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfNames * sizeof(SIZE_T));



  1423. //读函数名称表  

  1424. if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNames), pProcNamesTable, ExpDir.NumberOfNames * sizeof(PVOID), &OptSize))

  1425. {

  1426. CHAR *pProcName = (CHAR *)GlobalAlloc(GPTR, ProcNameLength);



  1427. //遍历函数名称  

  1428. for (DWORD i = 0; i < ExpDir.NumberOfNames; i++)

  1429. {



  1430. if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + pProcNamesTable[i]), pProcName, ProcNameLength, &OptSize))

  1431. {

  1432. if (RtlEqualMemory(lpProcName, pProcName, ProcNameLength))

  1433. {

  1434. //x64待定:函数在地址数组索引的数据类型是2字节还是???  

  1435. WORD NameOrdinal;



  1436. //获取函数在地址表的索引  

  1437. if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNameOrdinals + sizeof(NameOrdinal) * i), &NameOrdinal, sizeof(NameOrdinal), &OptSize))

  1438. {

  1439. pAddress = (PVOID)((SIZE_T)hModule + pProcAddressTable[NameOrdinal]);

  1440. }

  1441. break;//for  

  1442. }

  1443. }

  1444. }

  1445. GlobalFree(pProcName);

  1446. }

  1447. GlobalFree(pProcNamesTable);

  1448. }

  1449. GlobalFree(pProcAddressTable);

  1450. }

  1451. }

  1452. }

  1453. }

  1454. return pAddress;

  1455. }









  1456. //=========================内存搜索支持x86x64位游戏===================================

  1457. //查找内存地址

  1458. INT64 X64ScanAddr(DWORD ProcessID, char *markCode, const wchar_t * ModuleName, DWORD offset)

  1459. {

  1460. DWORD size = 8; //==== 返回大小

  1461. DWORD ordinal = 1;//====返回次数

  1462. UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

  1463. UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

  1464. return X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

  1465. }



  1466. INT64 X64ScanBase(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset, DWORD size)//==== 返回大小)

  1467. {

  1468. DWORD ordinal = 1;//====返回次数

  1469. INT64 BufferData = NULL; //

  1470. //ULONG64 Len = size;

  1471. UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

  1472. UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

  1473. INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

  1474. HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1475. __NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, 0);//注意返回值大小问题,size就是字节大小

  1476. CloseHandle(Hprocess);

  1477. return BufferData;

  1478. }



  1479. INT64 X64ScanCall(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset)//==== 返回大小)

  1480. {

  1481. DWORD ordinal = 1;//====返回次数

  1482. DWORD size = 4;//x64的call只能是4字节的,不能8字节,否走要mov rax 0x1121212121   jmp rax

  1483. INT64 BufferData = NULL;

  1484. ULONG64 Len = size;

  1485. UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

  1486. UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

  1487. INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

  1488. HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1489. __NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, &Len);//注意返回值大小问题,size就是字节大小

  1490. CloseHandle(Hprocess);

  1491. return Addr_Ret - 1 + 5 + BufferData;;

  1492. }



  1493. /************************************************************************/

  1494. /* 函数说明:查找特征码

  1495. /* process: 要查找的进程

  1496. /* markCode: 特征码字符串,不能有空格

  1497. /* distinct:特征码首地址离目标地址的距离 负数在特征码在上

  1498. /* offset: 返回目标地址

  1499. /* size: 设置返回数据为几个BYTE 1 2 3 4

  1500. /* ordinal: 特征码出现的次数

  1501. /* beginAddr: 开始搜索地址

  1502. /* endAddr: 结束地址

  1503. /* ret:返回目标地址的内容

  1504. /************************************************************************/

  1505. INT64 X64ScanOpcode(DWORD ProcessID, const char *markCode,   ///核心算法

  1506. DWORD offset,

  1507. DWORD size,   // size: 设置返回数据为几个BYTE 1 2 3 4

  1508. DWORD ordinal, //ordinal: 特征码出现的次数

  1509. UINT64 beginAddr, UINT64 endAddr)

  1510. {

  1511. HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

  1512. GetNTWOW64MemoryProcAddress(); //加进去的

  1513. //每次读取游戏内存数目的大小

  1514. const DWORD pageSize = 4096;

  1515. ////////////////////////处理特征码/////////////////////

  1516. //特征码长度不能为单数

  1517. if (strlen(markCode) % 2 != 0) return 0;

  1518. //特征码长度

  1519. size_t len = strlen(markCode) / 2;

  1520. //将特征码转换成byte型

  1521. BYTE *m_code = new BYTE[len];

  1522. for (int i = 0; i < len; i++) {

  1523. char c[] = { markCode[i * 2], markCode[i * 2 + 1], '\0' };

  1524. m_code[i] = (BYTE)::strtol(c, NULL, 16);

  1525. }

  1526. /////////////////////////查找特征码/////////////////////

  1527. BOOL _break = FALSE;

  1528. //用来保存在第几页中的第几个找到的特征码

  1529. int curPage = 0;

  1530. int curIndex = 0;

  1531. //每页读取4096个字节

  1532. BYTE *page = new BYTE[pageSize + len - 1];

  1533. UINT64 tmpAddr = beginAddr;

  1534. DWORD ord = 0;

  1535. ULONG64   BufferLen = 4096;

  1536. while (tmpAddr <= endAddr - len) {

  1537. //printf("Status打印输出:   %llx\n", tmpAddr);

  1538. NTSTATUS Status = __NtWow64ReadVirtualMemory64(Hprocess, tmpAddr, page, pageSize + len - 1, &BufferLen);

  1539. //在该页中查找特征码

  1540. for (int i = 0; i < pageSize; i++) {

  1541. for (int j = 0; j < len; j++) {

  1542. //只要有一个与特征码对应不上则退出循环

  1543. if (m_code[j] != page[i + j])break;

  1544. //找到退出所有循环

  1545. if (j == len - 1) {

  1546. ord++;

  1547. if (ord != ordinal)

  1548. break;

  1549. _break = TRUE;

  1550. curIndex = i; // 特征码的首地址偏移

  1551. break;

  1552. }

  1553. }

  1554. if (_break) break;

  1555. }

  1556. if (_break) break;

  1557. curPage++;

  1558. tmpAddr += pageSize;

  1559. }

  1560. // 一个也没找到



  1561. //__NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

  1562. delete m_code;

  1563. delete page;

  1564. CloseHandle(Hprocess);

  1565. //printf("base   :%llx\n", offsetaddr);

  1566. return offsetaddr;

  1567. }





  1568. UINT64   GetX86X64Module(DWORD ProcessID, const wchar_t* DllName)

  1569. {

  1570. DWORD dwPid = ProcessID;

  1571. HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

  1572. BOOL bTarget = FALSE;

  1573. BOOL bSource = FALSE;



  1574. IsWow64Process(GetCurrentProcess(), &bSource);

  1575. IsWow64Process(m_ProcessHandle, &bTarget);



  1576. SYSTEM_INFO si;

  1577. GetSystemInfo(&si);



  1578. if (bTarget == FALSE && bSource == TRUE)

  1579. {

  1580. HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

  1581. pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");

  1582. pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");

  1583. PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };

  1584. if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))

  1585. {

  1586. DWORD64 Ldr64 = 0;

  1587. LIST_ENTRY64 ListEntry64 = { 0 };

  1588. LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };

  1589. wchar_t ProPath64[256];

  1590. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))

  1591. {

  1592. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))

  1593. {

  1594. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))

  1595. {

  1596. while (1)

  1597. {

  1598. if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;

  1599. /*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/

  1600. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改

  1601. {



  1602. //printf("模块基址:0x%llX   模块大小:0x%X    模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);

  1603. //printf("BaseDllName :%ls\n", ProPath64);

  1604. if (wcscmp(ProPath64, DllName) == 0)

  1605. {

  1606. //printf("BaseDllName :%ls\n", ProPath64);

  1607. return   (UINT64)LDTE64.DllBase;

  1608. }



  1609. }

  1610. if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;

  1611. }

  1612. }

  1613. }

  1614. }

  1615. }



  1616. }

  1617. else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||

  1618. si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)

  1619. {

  1620. HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

  1621. pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");

  1622. PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };

  1623. if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))

  1624. {

  1625. DWORD Ldr32 = 0;

  1626. LIST_ENTRY32 ListEntry32 = { 0 };

  1627. LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };

  1628. wchar_t ProPath32[256];

  1629. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))

  1630. {

  1631. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))

  1632. {

  1633. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))

  1634. {

  1635. while (1)

  1636. {

  1637. if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;

  1638. if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer

  1639. {

  1640. //printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

  1641. //printf("模块基址:0x%X   模块大小:0x%X   模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

  1642. //printf("%d\n",   LDTE32.BaseDllName);



  1643. if (wcscmp(ProPath32, DllName) == 0)

  1644. {

  1645. //printf("BaseDllName :%ls\n", ProPath32);

  1646. return   (UINT64)LDTE32.DllBase;   //============32位这里最好改成DWORD

  1647. }





  1648. }

  1649. if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;

  1650. }

  1651. }

  1652. }

  1653. }

  1654. }

  1655. }

  1656. return   FALSE;

  1657. CloseHandle(m_ProcessHandle);

  1658. }





  1659. UINT64   GetX86X64ModuleSize(DWORD ProcessID, const wchar_t* DllName)

  1660. {

  1661. DWORD dwPid = ProcessID;

  1662. HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

  1663. BOOL bTarget = FALSE;

  1664. BOOL bSource = FALSE;



  1665. IsWow64Process(GetCurrentProcess(), &bSource);

  1666. IsWow64Process(m_ProcessHandle, &bTarget);



  1667. SYSTEM_INFO si;

  1668. GetSystemInfo(&si);



  1669. if (bTarget == FALSE && bSource == TRUE)

  1670. {

  1671. HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

  1672. pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");

  1673. pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");

  1674. PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };

  1675. if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))

  1676. {

  1677. DWORD64 Ldr64 = 0;

  1678. LIST_ENTRY64 ListEntry64 = { 0 };

  1679. LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };

  1680. wchar_t ProPath64[256];

  1681. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))

  1682. {

  1683. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))

  1684. {

  1685. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))

  1686. {

  1687. while (1)

  1688. {

  1689. if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;

  1690. /*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/

  1691. if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改

  1692. {



  1693. //printf("模块基址:0x%llX   模块大小:0x%X    模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);

  1694. //printf("BaseDllName :%ls\n", ProPath64);

  1695. if (wcscmp(ProPath64, DllName) == 0)

  1696. {

  1697. //printf("BaseDllName :%ls\n", ProPath64);

  1698. return   (UINT64)LDTE64.SizeOfImage;

  1699. }



  1700. }

  1701. if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;

  1702. }

  1703. }

  1704. }

  1705. }

  1706. }



  1707. }

  1708. else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||

  1709. si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)

  1710. {

  1711. HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

  1712. pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");

  1713. PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };

  1714. if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))

  1715. {

  1716. DWORD Ldr32 = 0;

  1717. LIST_ENTRY32 ListEntry32 = { 0 };

  1718. LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };

  1719. wchar_t ProPath32[256];

  1720. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))

  1721. {

  1722. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))

  1723. {

  1724. if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))

  1725. {

  1726. while (1)

  1727. {

  1728. if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;

  1729. if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer

  1730. {

  1731. //printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

  1732. //printf("模块基址:0x%X   模块大小:0x%X   模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

  1733. //printf("%d\n",   LDTE32.BaseDllName);



  1734. if (wcscmp(ProPath32, DllName) == 0)

  1735. {

  1736. //printf("BaseDllName :%ls\n", ProPath32);

  1737. return   (UINT64)LDTE32.SizeOfImage;   //============32位这里最好改成DWORD

  1738. }





  1739. }

  1740. if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;

  1741. }

  1742. }

  1743. }

  1744. }

  1745. }

  1746. }

  1747. return   FALSE;

  1748. CloseHandle(m_ProcessHandle);

  1749. }

复制代码

1

主题

5

回帖

7

积分

编程入门

Rank: 1

龙马币
12
moon58654 | 显示全部楼层
代码真长呀,慢慢看。

0

主题

5

回帖

6

积分

编程入门

Rank: 1

龙马币
10
会不会被检测到
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

龙马谷| C/C++辅助教程| 安卓逆向安全| 论坛导航| 免责申明|Archiver|
拒绝任何人以任何形式在本论坛发表与中华人民共和国法律相抵触的言论,本站内容均为会员发表,并不代表龙马谷立场!
任何人不得以任何方式翻录、盗版或出售本站视频,一经发现我们将追究其相关责任!
我们一直在努力成为最好的编程论坛!
Copyright© 2018-2021 All Right Reserved.
在线客服
快速回复 返回顶部 返回列表