最强C++x86x64驱动级读写源码

简单350 · 简单350

//***************调用静态变量static***************需要修改下
X64常用内存读写库
DWORD GetModuleSizeX64(DWORD Pid, const TCHAR* ModuleName)//获取模块大小，只能搞64位=64位，32位无法对64位操作
{/*初始化DLL列表*/
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);
if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;
DWORD dwBuffSize = 0;
BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);
HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];
bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);
// 模块名称
TCHAR szModuleName[MAX_PATH] = { 0 };
TCHAR szBaseName[MAX_PATH];//新建
// 保存模块信息
MODULEINFO stcModuleInfo = { 0 };
// 遍历模块列表
int nCount = dwBuffSize / sizeof(HMODULE);
for (int i = 0; i < nCount; ++i)
{
// 根据进程句柄和模块句柄,获取模块信息
GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));
GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);
//printf("\n%x\n", (DWORD)stcModuleInfo.SizeOfImage); //模块内存大小
if (strcmp(szBaseName, ModuleName) == 0)
{
delete[] pModuleHandlerArr;// 释放数组
pModuleHandlerArr = nullptr;
return stcModuleInfo.SizeOfImage;
}
}
return NULL;
}
HMODULE GetModuleBaseX64(DWORD Pid, const TCHAR* ModuleName)
{/*初始化DLL列表*/ // 这个程序不能删除,基础功能
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);
if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;
DWORD dwBuffSize = 0;
BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);
HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];
bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);
// 模块名称
TCHAR szModuleName[MAX_PATH] = { 0 };
TCHAR szBaseName[MAX_PATH];//新建
// 保存模块信息
MODULEINFO stcModuleInfo = { 0 };
// 遍历模块列表
int nCount = dwBuffSize / sizeof(HMODULE);
for (int i = 0; i < nCount; ++i)
{
// 根据进程句柄和模块句柄,获取模块信息
GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));
// 根据进程句柄和模块句柄,获取模块的路径(包括模块名)
//GetModuleFileNameEx(hProcess, pModuleHandlerArr[i], szModuleName, MAX_PATH); //获取模块的路径
GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);
printf("\n%llx\n", (UINT64)stcModuleInfo.lpBaseOfDll); //获取模块基地址
printf("\n%llx\n", (UINT64)stcModuleInfo.EntryPoint); //获取模块入口地址
printf("\n%llx\n", (UINT64)stcModuleInfo.SizeOfImage); //模块内存大小
if (strcmp(szBaseName, ModuleName) == 0)
{
printf("基地址是：%s\n\n", szBaseName);
printf("基地址是：%llX\n\n", (UINT64)stcModuleInfo.lpBaseOfDll);
delete[] pModuleHandlerArr;// 释放数组
pModuleHandlerArr = nullptr;
return (HMODULE)stcModuleInfo.lpBaseOfDll;
}
// 基址
//CString szTemp;
//szTemp.Format(L"%08X", stcModuleInfo.lpBaseOfDll);
//// 入口点
//szTemp.Format(L"%08X", stcModuleInfo.EntryPoint);
//// 内存大小
//szTemp.Format(L"%d", stcModuleInfo.SizeOfImage);
//// 模块路径
//szModuleName;
}
return NULL;
}
HMODULE GetModuleBaseAddr(DWORD Pid, CONST TCHAR* moduleName)//获取进程模块入口地址 1.进程pid 2.模块的名称 xxx.exe 或者xxx.dll
{
MODULEENTRY32 moduleEntry; //模块信息的结构体
HANDLE handle = NULL;
handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid); // 获取进程快照中包含在th32ProcessID中指定的进程的所有的模块
//printf("handle %llX \n", (DWORD)handle);
if (!handle) { //handle 类似指针，指向进程模块信息
CloseHandle(handle);
return NULL;
}
ZeroMemory(&moduleEntry, sizeof(MODULEENTRY32)); //清空
moduleEntry.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(handle, &moduleEntry)) { //结果传到结构体指针moduleEntry
CloseHandle(handle);
return NULL;
}
do {
if (strcmp(moduleEntry.szModule, moduleName) == 0) { //wcscmp宽字节比较 moduleEntry.szModule模块名字
//printf("基地址是 %X \n", (DWORD)moduleEntry.hModule);
return moduleEntry.hModule; //返回模块入口地址
}
} while (Module32Next(handle, &moduleEntry));
CloseHandle(handle);
return 0;
}
BOOL EnableSeDebugPrivilege(IN const CHAR* PriviledgeName, BOOL IsEnable)
{
// 打开权限令牌
HANDLE ProcessHandle = GetCurrentProcess();
HANDLE TokenHandle = NULL;
TOKEN_PRIVILEGES TokenPrivileges = { 0 };
if (!OpenProcessToken(ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
{
return FALSE;
}
LUID v1;
if (!LookupPrivilegeValue(NULL, PriviledgeName, &v1))// 通过权限名称查找uID
{
CloseHandle(TokenHandle);
TokenHandle = NULL;
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1;// 要提升的权限个数
TokenPrivileges.Privileges[0].Attributes = IsEnable == TRUE ? SE_PRIVILEGE_ENABLED : 0; // 动态数组，数组大小根据Count的数目
TokenPrivileges.Privileges[0].Luid = v1;
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
sizeof(TOKEN_PRIVILEGES), NULL, NULL))
{
CloseHandle(TokenHandle);
TokenHandle = NULL;
return FALSE;
}
CloseHandle(TokenHandle);
TokenHandle = NULL;
return TRUE;
}
//==============================================x86x64内存读写wow64函数指针获取=====================================================
LPFN_NTWOW64READVIRTUALMEMORY64 __NtWow64ReadVirtualMemory64;
LPFN_NTWOW64WRITEVIRTUALMEMORY64 __NtWow64WriteVirtualMemory64;
BOOL GetNTWOW64MemoryProcAddress()
{
HMODULE NtdllModuleBase = NULL;
NtdllModuleBase = GetModuleHandle("Ntdll.dll");
if (NtdllModuleBase == NULL)
{
return FALSE;
}
__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
"NtWow64ReadVirtualMemory64");
printf("__NtWow64ReadVirtualMemory64 %llx\n", (UINT64)__NtWow64ReadVirtualMemory64);
__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
"NtWow64WriteVirtualMemory64");
return TRUE;
}
char* UTF8ToUnicode(char* szUTF8)//编码转换，已经修复delet释放bug
{
DWORD wcscLen = MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), NULL, 0);//得到所需空间的大小
wchar_t wszcString[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。溢出数据自己修改
MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), wszcString, wcscLen); //转换
wszcString[wcscLen] = '\0';
DWORD len = WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL);
static char m_char[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。
WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), m_char, len, NULL, NULL);
m_char[len] = '\0';
return m_char;
}
char* UnicodeToUTF8(wchar_t* wszcString)//编码转换，已经修复注意内存delet释放bug
{
DWORD utf8Len = ::WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL); //得到所需空间的大小
static char szUTF8[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。
WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), szUTF8, utf8Len, NULL, NULL); //转换
szUTF8[utf8Len] = '\0';
return szUTF8;
}
int Wow64ReadInt(ULONG ProcessID, ULONG64 BaseAddress)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
int BufferData = NULL;//=====================ULONG64 BufferData = NULL
ULONG64 ReturnLen = 4;//默认
ULONG64 BufferLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);
printf("4字节数据是：%ld\r\n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
char * Wow64ReadAscii(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
static char BufferData[4096] = { 0 };//=====================
ULONG64 ReturnLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len, &ReturnLen);
printf("字符串是：%s \n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
wchar_t * Wow64ReadUnicode(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度
{
setlocale(LC_ALL, "chs"); // unicode 必加只有添加这一句下面的打印1,2与调试打印成功
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
static wchar_t BufferData[4096] = { 0 };//=====================
ULONG64 ReturnLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len * 5, &ReturnLen); //unicode编码要乘以2
//printf("字符串是：%s \n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
float Wow64ReadFloat(ULONG ProcessID, ULONG64 BaseAddress)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
FLOAT BufferData = NULL;//=====================
ULONG64 ReturnLen = 4;//默认
ULONG64 BufferLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDeb
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);
printf("单精度数据是：%f \n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
double Wow64ReadDouble(ULONG ProcessID, ULONG64 BaseAddress)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
DOUBLE BufferData = NULL;//=====================
ULONG64 ReturnLen = 8;//默认
ULONG64 BufferLen = 8;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);
printf("浮点数数据是：%lf \n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
LONG64 Wow64ReadInt64(ULONG ProcessID, ULONG64 BaseAddress)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 BufferData = NULL;//=====================
ULONG64 ReturnLen = 8;//默认
ULONG64 BufferLen = 8;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);
printf("8字节数据是：%lld\r\n", BufferData);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return BufferData;
}
BOOL Wow64WriteInt(ULONG ProcessID, ULONG64 BaseAddress, INT Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = 4;//默认
ULONG64 BufferLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteFloat(ULONG ProcessID, ULONG64 BaseAddress, FLOAT Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = 4;//默认
ULONG64 BufferLen = 4;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteDouble(ULONG ProcessID, ULONG64 BaseAddress, DOUBLE Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = 8;//默认
ULONG64 BufferLen = 8;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteInt64(ULONG ProcessID, ULONG64 BaseAddress, INT64 Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = 8;//默认
ULONG64 BufferLen = 8;//默认
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteAscii(ULONG ProcessID, ULONG64 BaseAddress, const char* Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = NULL;//默认
ULONG64 BufferLen = strlen(Value);//获取字符串长度
//printf("BufferLen %d\n", BufferLen);
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteUTF8(ULONG ProcessID, UINT64 BaseAddress, const wchar_t * GBK_Str)//为了兼容，写入的是unicode，函数内部会进行转换操作的。
{
BOOL IsWow64 = FALSE; //64位程序备用
HANDLE ProcessHandle = NULL;
ULONG64 ReturnLen = NULL;//默认
char strUTF8[4096] = { 0 };
char *unGunG = UnicodeToUTF8((wchar_t*)GBK_Str);
size_t BufferLen = strlen(unGunG);//获取字符串长度宽字符用 wcslen
RtlMoveMemory(strUTF8, unGunG, BufferLen);
//printf("BufferLen %lld\n", BufferLen);
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &strUTF8, BufferLen, &ReturnLen);//32位和64位区别
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
BOOL Wow64WriteUnicode(ULONG ProcessID, UINT64 BaseAddress, const wchar_t * Value)
{
BOOL IsWow64 = FALSE;
HANDLE ProcessHandle = NULL;
UINT64 ReturnLen = NULL;//默认
UINT64 BufferLen = wcslen(Value) * 2;//获取字符串长度宽字符用 wcslen
printf("BufferLen %lld\n", BufferLen);
if (BaseAddress == NULL)
{
return FALSE;
}
if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)
{
return FALSE;
}
ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);
if (ProcessHandle == NULL)
{
return FALSE;
}
if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)
{
goto Exit;
}
__try
{
__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\r\n");
goto Exit;
}
Exit:
if (ProcessHandle != NULL)
{
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
}
EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
return TRUE;
}
//===============================x86 r3层普通API 内存读写=================================================
BOOL WriteInt64(DWORD ProcessID, UINT64 Addr, __int64 Value)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);
CloseHandle(Process_handle);
return ret;
}
BOOL WriteInt(DWORD ProcessID, UINT64 Addr, int Value)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);
CloseHandle(Process_handle);
return ret;
}
BOOL WriteShort(DWORD ProcessID, UINT64 Addr, short Value) //2字节整数
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
//printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);
CloseHandle(Process_handle);
return ret;
}
bool WriteData(DWORD ProcessID, UINT64 Addr, byte byteArr[]) //写入字节集 "1d 80 66 a2"
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, byteArr, sizeof(byteArr), NULL);//strlen字符长度
CloseHandle(Process_handle);
return ret;
}
BOOL WriteByte(DWORD ProcessID, UINT64 Addr, byte Value)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
//printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);
CloseHandle(Process_handle);
return ret;
}
//
BOOL WriteFloat(DWORD ProcessID, UINT64 Addr, float Value)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
//printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);
CloseHandle(Process_handle);
return ret;
}
BOOL WriteDouble(DWORD ProcessID, UINT64 Addr, double Value)
{
//printf("打印输出进程pid ：%x \n", game_pid);
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);
CloseHandle(Process_handle);
return ret;
}
BOOL WriteAcsii(DWORD ProcessID, UINT64 Addr, const char * str)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, strlen(str), NULL);//strlen字符长度
CloseHandle(Process_handle);
return ret;
}
BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, const wchar_t * str)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2
CloseHandle(Process_handle);
return ret;
}
BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, wchar_t * str)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
{
printf("获取进程句柄失败\n");
}
else
{
printf("获取进程句柄成功\n");
}
BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2
//printf("iiiiiiiiiii %d\n", sizeof(str));
CloseHandle(Process_handle);
return ret;
}
DWORD GetPidByHwnd(HWND hwnd)
{
DWORD Pid = NULL;
GetWindowThreadProcessId(hwnd, &Pid); //lpdword指针类型
return Pid;
}
DWORD FloatToDword(float value)//单浮点数转整数
{
DWORD val = NULL;
memcpy(&val, &value, 4);
return val;
}
UINT64 DoubleToDword(double value)//双浮点数转整数
{
UINT64 val = NULL;
memcpy(&val, &value, 8);
return val;
}
int Int64To32(__int64 value)//部分接口
{
DWORD val = NULL;
memcpy(&val, &value, 4);
return val;
}
int DwordToInt(DWORD value)//无符号转有符号
{
int val = NULL;
memcpy(&val, &value, 4);
return val;
}
DWORD IntToDword(int value)//无符号转有符号
{
DWORD val = NULL;
memcpy(&val, &value, 4);
return val;
}
BOOL WriteIntEx(DWORD ProcessID, UINT64 Addr, __int64 Value, int NumByte)
{
HANDLE Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限（标志）,全局
if (Process_handle == NULL)
printf("获取进程句柄失败\n");
else
printf("获取进程句柄成功\n");
BOOL ret = NULL;
if (NumByte == 4)
{
int real_val = (int)Value;
ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 4, NULL);
}
else if (NumByte == 2)
{
short real_val = (short)Value;
ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 2, NULL);
}
else if (NumByte == 1)
{
short real_val = (short)Value;
ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 1, NULL);
}
else if (NumByte == 8)
{
ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);
}
CloseHandle(Process_handle);
return ret;
}
byte* ReadByteArray(DWORD ProcessID, UINT64 addr, DWORD size) //写入4字节整数
{
byte *Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), Value, size, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
byte ReadByte(DWORD ProcessID, UINT64 addr) //写入4字节整数
{
byte Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 1, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
short ReadShort(DWORD ProcessID, UINT64 addr) //写入4字节整数
{
short Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 2, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
int ReadInt(DWORD ProcessID, UINT64 addr) //写入4字节整数
{
int Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
DWORD ReadDword(DWORD ProcessID, UINT64 addr) //写入4字节整数
{
DWORD Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
__int64 ReadInt64(DWORD ProcessID, UINT64 addr) //写入8字节整数,地址还是4字节
{
__int64 Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 8, NULL);//注意参数 4字节
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
UINT64 MemoryVirtualAllocEx(DWORD ProcessID, DWORD Len) //远程申请内存空间
{
HANDLE Hprocess = NULL;
LPVOID Addr = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
Addr = VirtualAllocEx(Hprocess, NULL, Len, MEM_COMMIT, PAGE_READWRITE);
CloseHandle(Hprocess);//关闭进程句柄
return (UINT64)Addr;
}
void * ReadAscii(DWORD ProcessID, UINT64 addr, DWORD Len) //写入8字节整数,地址还是4字节
{
static char Value[1024] = { 0 };
char ByteBuffer = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
for (size_t i = 0; i < 1024; i++)//遍历长度，上限1024
{
ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ByteBuffer, 1, NULL);//注意参数 4字节
//printf("遍历I数值！ %d \n", i);
if (ByteBuffer == 0)
{
if (Len == 0)//如果是0自动长度
{
ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, i + 1, NULL); // 字节\0
break;
}
else {
ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, Len, NULL); // 字节\0
break;
}
}
}
}
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
wchar_t * ReadUnicode(DWORD ProcessID, UINT64 addr, DWORD Len) //控制台程序不支持unicode打印输出
{
static wchar_t StrValue[1024] = { 0 };
wchar_t ShortBuffer = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess == 0)
printf("打开进程失败！\n");
else
{
printf("打开进程成功！\n");
for (size_t i = 0; i < 1024; i = i + 2)//遍历长度，上限1024
{
ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ShortBuffer, 2, NULL);//注意参数 4字节
if (ShortBuffer == '\0')
{
if (Len == 0)//如果是0自动长度
{
ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, i + 2, NULL); // 字节\0
printf("打印 %ls \n", StrValue);
//printf("打印i ： %d \n", i);
break;
}
else {
ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, Len, NULL); // 字节\0
break;
}
}
}
}
CloseHandle(Hprocess);//关闭进程句柄
return StrValue;
}
int ReadIntEx(DWORD ProcessID, UINT64 BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址第三个参数是偏移数组第四个偏移数量
{
int Value = NULL;
HANDLE Hprocess = NULL;
DWORD nBuffer = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess != 0)
{
ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节
for (size_t i = 0; i < Num; i++)//word占2字节
{
ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节
}
}
else printf("打开进程失败！\n");
CloseHandle(Hprocess);//关闭进程句柄
return Value;
}
float ReadFloatEx(DWORD ProcessID, UINT64 BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址第三个参数是偏移数组第四个偏移数量
{
UINT64 Value = NULL;
HANDLE Hprocess = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess != 0)
{
ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节
for (size_t i = 0; i < Num; i++)//word占2字节
{
//printf("str %lld\n", Value);
ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节
}
}
else printf("打开进程失败！\n");
CloseHandle(Hprocess);//关闭进程句柄
return (float)Value;
}
double ReadDoubleEx(DWORD ProcessID, UINT64 BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址第三个参数是偏移数组第四个偏移数量
{
double ValueDouble = NULL;
HANDLE Hprocess = NULL;
UINT64 nBuffer = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess != 0)
{
ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节
DWORD i = NULL;
for (i = 0; i < Num - 1; i++)//word占2字节
{
ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节
/*printf("double %x\n", OffsetArray[i]);*/
}
ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &ValueDouble, 8, NULL);//Value64最终结果
}
else printf("打开进程失败！\n");
CloseHandle(Hprocess);//关闭进程句柄
return ValueDouble;
}
__int64 ReadIntEx64(DWORD ProcessID, UINT64 BaseAddr, DWORD OffsetArray[], DWORD Num) //第二个是基地址第三个参数是偏移数组第四个偏移数量
{
__int64 value64 = NULL;
HANDLE Hprocess = NULL;
UINT64 nBuffer = NULL;
Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
if (Hprocess != 0)
{
ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节
DWORD i = NULL;
for (i = 0; i < Num - 1; i++)//word占2字节
{
ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节
/*printf("double %x\n", OffsetArray[i]);*/
}
ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &value64, 8, NULL);//Value64最终结果
}
else printf("打开进程失败！\n");
CloseHandle(Hprocess);//关闭进程句柄
return value64;
}
int EnableDebugPriv(const char *name)
{
HANDLE hToken; //进程令牌句柄
TOKEN_PRIVILEGES tp; //TOKEN_PRIVILEGES结构体，其中包含一个【类型+操作】的权限数组
LUID luid; //上述结构体中的类型值
//打开进程令牌环
//GetCurrentProcess()获取当前进程的伪句柄，只会指向当前进程或者线程句柄，随时变化
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
fprintf(stderr, "OpenProcessToken error\n");
return -1;
}
//获得本地进程name所代表的权限类型的局部唯一ID
if (!LookupPrivilegeValue(NULL, name, &luid))
{
fprintf(stderr, "LookupPrivilegeValue error\n");
}
tp.PrivilegeCount = 1; //权限数组中只有一个“元素”
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; //权限操作
tp.Privileges[0].Luid = luid; //权限类型
//调整进程权限
if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
{
fprintf(stderr, "AdjustTokenPrivileges error!\n");
return -1;
}
return 0;
}
DWORD GetPidByName(const char * ProcessName) //根据进程名字获取进程ID
{
HANDLE ProcessAll = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
PROCESSENTRY32 processInfo = { 0 };
processInfo.dwSize = sizeof(PROCESSENTRY32);
do {
if (strcmp(ProcessName, processInfo.szExeFile) == 0) {
return processInfo.th32ProcessID;
}
} while (Process32Next(ProcessAll, &processInfo));
return NULL;
}
//======================================注入==========================
VOID InjectDll(const CHAR pathStr[0x1000], const CHAR ProcessName[256])
{
//CHAR pathStr[0x1000] = { "K:\\我的文档\\visual studio 2012\\Projects\\InjectChat\\Debug\\WeChatDll.dll" };
DWORD PID = GetPidByName((CHAR*)ProcessName);
if (PID == 0)
{
MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);
return;
}
HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcsee == NULL) {
MessageBox(NULL, "没有找到微信进程", "错误", 0);
return;
}
LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, strlen(pathStr), MEM_COMMIT, PAGE_READWRITE);
if (dllAdd == NULL) {
MessageBox(NULL, "内存写入", "错误", 0);
}
if (WriteProcessMemory(hProcsee, dllAdd, pathStr, strlen(pathStr), NULL) == 0) {
MessageBox(NULL, "内存写入", "错误", 0);
return;
}
HMODULE K32 = GetModuleHandle("Kernel32.dll");
LPVOID LoadAdd = GetProcAddress(K32, "LoadLibraryA");
HANDLE exec = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)LoadAdd, dllAdd, 0, NULL);
if (NULL == exec) {
MessageBox(NULL, "远程注入失败", "错误", 0);
return;
}
WaitForSingleObject(exec, INFINITE);
CloseHandle(hProcsee);
}
VOID InjectSellCode(DWORD processid, BYTE SellCode[]) //注入硬编码 shellcode
{
EnableDebugPriv(SE_DEBUG_NAME); //提高进程权限
if (processid == 0)
{
MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);
return;
}
HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processid); //打开目的程序，获取游戏权限 PROCESS_ALL_ACCESS获取所有权限
if (hProcsee == NULL) {
MessageBox(NULL, "没有找到微信进程", "错误", 0);
return;
}
LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//向游戏申请内存空间
if (dllAdd == NULL) {
MessageBox(NULL, "内存申请失败", "0", 0);
}
if (WriteProcessMemory(hProcsee, dllAdd, SellCode, 1023, NULL) == 0) { //讲shellcode内存写入到游戏里面
MessageBox(NULL, "内存写入", "错误", 0);
return;
}
TRACE("申请的内存空间是 %x\n", dllAdd);
HANDLE ThreadHandle = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)dllAdd, NULL, 0, NULL); //远程创建线程返回值是线程句柄
if (NULL == ThreadHandle) {
MessageBox(NULL, "远程注入失败", "错误", 0);
return;
}
WaitForSingleObject(ThreadHandle, INFINITE); //等到我线程代码执行完成之后，再返回，否则一直在等待 1秒=1000毫秒。大量代码注入的
CloseHandle(ThreadHandle); ///释放线程句柄
CloseHandle(hProcsee); //关闭临时进程句柄临时的指针
}
BOOL UnloadDll(DWORD dwPid, CHAR strDllName[256])
{
//获取宿主进程的句柄，注意那几个参数，不然会出错
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, dwPid);
if (hProcess == NULL) {
::MessageBox(NULL, "无法获取进程句柄", "错误", MB_OK | MB_ICONERROR);
return FALSE;
}
DWORD dwSize = 0;
ULONG64 dwWritten = 0;
DWORD dwHandle = 0;
dwSize = sizeof(strDllName) + 1;//dll的全路径名的长度，待会分配内存要用到的
//向宿主进程分配内存，返回一个指针
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
//如果在宿主进程空间写失败就直接报错闪人
if (!WriteProcessMemory(hProcess, lpBuf, strDllName, dwSize, (SIZE_T*)&dwWritten))
{
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
MessageBox(NULL, "在目标进程中写入失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
}
//获取GetModuleHandleA函数地址
LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA");
//在宿主进程中创建一个远程线程，线程函数为上面导出的GetModuleHandleA，参数为lpBuf指针，还
//记得我们获取的dll全路径不
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
lpBuf, 0, NULL);
//如果创建线程失败，直接报错闪人
if (hThread == NULL) {
CloseHandle(hProcess);
::MessageBox(NULL, "在目标进程创建远程线程失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
}
// 等待GetModuleHandle运行完毕
WaitForSingleObject(hThread, INFINITE);
// 获得GetModuleHandle的返回值
GetExitCodeThread(hThread, &dwHandle);
// 释放目标进程中申请的空间
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hThread);
// 使目标进程调用FreeLibraryAndExit，卸载DLL,实际也可以用FreeLibrary，但是我发现前者好一点
pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, (LPVOID)dwHandle, 0, NULL);
// 等待FreeLibraryAndExitThread执行完毕
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE; //操作成功
}
//提升进程访问权限
bool enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
)
{
return false;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
CloseHandle(hToken);
return false;
}
return true;
}
//======================================结尾部分
HANDLE GetModule()
{
HANDLE hProcess; //进程句柄
HANDLE hModule; //模块句柄
BOOL bProcess = FALSE; //获取进程信息的函数返回值
BOOL bModule = FALSE; //获取模块信息的函数返回值
PROCESSENTRY32 pe32; //保存进程信息
MODULEENTRY32 me32; //保存模块信息
int i = 0;
int j = 0;
//获取进程调试权限,如果失败,则提示获取权限失败,失败的话,有的进程信息就会获取不到
if (EnableDebugPriv(SE_DEBUG_NAME))
{
fprintf(stderr, "Add Privilege error\n");
}
hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);//获取进程快照
if (hProcess == INVALID_HANDLE_VALUE)
{
printf("获取进程快照失败\n");
exit(1);
}
bProcess = Process32First(hProcess, &pe32); //获取第一个进程信息
while (bProcess) //循环获取其余进程信息
{
printf("%d :\t Father's PID(%d)\tPID(%d)\t%s\n", i, pe32.th32ParentProcessID, pe32.th32ProcessID, pe32.szExeFile);
i++;
j = 0;
if (0 != pe32.th32ParentProcessID) //获取进程PID不为0的模块信息
{
hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32.th32ProcessID); //获取模块快照
if (hModule != INVALID_HANDLE_VALUE)
{
bModule = Module32First(hModule, &me32); //获取第一个模块信息,即进程相应可执行文件的信息
while (bModule)
{
printf("模块:\n%d\t%s\n", j, me32.szExePath);
j++;
bModule = Module32Next(hModule, &me32); //获取其他模块信息
}
CloseHandle(hModule);
}
}
bProcess = Process32Next(hProcess, &pe32); //继续获取其他进程信息
printf("\n\n");
getchar();
}
CloseHandle(hProcess);
return 0;
}
PVOID GetRemoteProcAddress32(HANDLE hProc, HMODULE hModule, LPCSTR lpProcName)//这个函数只支持32位的
{
PVOID pAddress = NULL;
SIZE_T OptSize;
IMAGE_DOS_HEADER DosHeader;
SIZE_T ProcNameLength = lstrlenA(lpProcName) + sizeof(CHAR);//'\0'
//读DOS头
if (ReadProcessMemory(hProc, hModule, &DosHeader, sizeof(DosHeader), &OptSize))
{
IMAGE_NT_HEADERS NtHeader;
//读NT头
if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + DosHeader.e_lfanew), &NtHeader, sizeof(NtHeader), &OptSize))
{
IMAGE_EXPORT_DIRECTORY ExpDir;
SIZE_T ExportVirtualAddress = NtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
//读输出表
if (ExportVirtualAddress && ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExportVirtualAddress), &ExpDir, sizeof(ExpDir), &OptSize))
{
if (ExpDir.NumberOfFunctions)
{
//x64待定:地址数组存放RVA的数据类型是4字节还是8字节???
SIZE_T *pProcAddressTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfFunctions * sizeof(SIZE_T));
//读函数地址表
if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfFunctions), pProcAddressTable, ExpDir.NumberOfFunctions * sizeof(PVOID), &OptSize))
{
//x64待定:名称数组存放RVA的数据类型是4字节还是8字节???
SIZE_T *pProcNamesTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfNames * sizeof(SIZE_T));
//读函数名称表
if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNames), pProcNamesTable, ExpDir.NumberOfNames * sizeof(PVOID), &OptSize))
{
CHAR *pProcName = (CHAR *)GlobalAlloc(GPTR, ProcNameLength);
//遍历函数名称
for (DWORD i = 0; i < ExpDir.NumberOfNames; i++)
{
if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + pProcNamesTable[i]), pProcName, ProcNameLength, &OptSize))
{
if (RtlEqualMemory(lpProcName, pProcName, ProcNameLength))
{
//x64待定:函数在地址数组索引的数据类型是2字节还是???
WORD NameOrdinal;
//获取函数在地址表的索引
if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNameOrdinals + sizeof(NameOrdinal) * i), &NameOrdinal, sizeof(NameOrdinal), &OptSize))
{
pAddress = (PVOID)((SIZE_T)hModule + pProcAddressTable[NameOrdinal]);
}
break;//for
}
}
}
GlobalFree(pProcName);
}
GlobalFree(pProcNamesTable);
}
GlobalFree(pProcAddressTable);
}
}
}
}
return pAddress;
}
//=========================内存搜索支持x86x64位游戏===================================
//查找内存地址
INT64 X64ScanAddr(DWORD ProcessID, char *markCode, const wchar_t * ModuleName, DWORD offset)
{
DWORD size = 8; //==== 返回大小
DWORD ordinal = 1;//====返回次数
UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);
UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);
return X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);
}
INT64 X64ScanBase(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset, DWORD size)//==== 返回大小)
{
DWORD ordinal = 1;//====返回次数
INT64 BufferData = NULL; //
//ULONG64 Len = size;
UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);
UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);
INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);
HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
__NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, 0);//注意返回值大小问题，size就是字节大小
CloseHandle(Hprocess);
return BufferData;
}
INT64 X64ScanCall(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset)//==== 返回大小)
{
DWORD ordinal = 1;//====返回次数
DWORD size = 4;//x64的call只能是4字节的，不能8字节，否走要mov rax 0x1121212121 jmp rax
INT64 BufferData = NULL;
ULONG64 Len = size;
UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);
UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);
INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);
HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
__NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, &Len);//注意返回值大小问题，size就是字节大小
CloseHandle(Hprocess);
return Addr_Ret - 1 + 5 + BufferData;;
}
/************************************************************************/
/* 函数说明：查找特征码
/* process: 要查找的进程
/* markCode: 特征码字符串,不能有空格
/* distinct：特征码首地址离目标地址的距离负数在特征码在上
/* offset: 返回目标地址
/* size: 设置返回数据为几个BYTE 1 2 3 4
/* ordinal: 特征码出现的次数
/* beginAddr: 开始搜索地址
/* endAddr: 结束地址
/* ret:返回目标地址的内容
/************************************************************************/
INT64 X64ScanOpcode(DWORD ProcessID, const char *markCode, ///核心算法
DWORD offset,
DWORD size, // size: 设置返回数据为几个BYTE 1 2 3 4
DWORD ordinal, //ordinal: 特征码出现的次数
UINT64 beginAddr, UINT64 endAddr)
{
HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程
GetNTWOW64MemoryProcAddress(); //加进去的
//每次读取游戏内存数目的大小
const DWORD pageSize = 4096;
////////////////////////处理特征码/////////////////////
//特征码长度不能为单数
if (strlen(markCode) % 2 != 0) return 0;
//特征码长度
size_t len = strlen(markCode) / 2;
//将特征码转换成byte型
BYTE *m_code = new BYTE[len];
for (int i = 0; i < len; i++) {
char c[] = { markCode[i * 2], markCode[i * 2 + 1], '\0' };
m_code[i] = (BYTE)::strtol(c, NULL, 16);
}
/////////////////////////查找特征码/////////////////////
BOOL _break = FALSE;
//用来保存在第几页中的第几个找到的特征码
int curPage = 0;
int curIndex = 0;
//每页读取4096个字节
BYTE *page = new BYTE[pageSize + len - 1];
UINT64 tmpAddr = beginAddr;
DWORD ord = 0;
ULONG64 BufferLen = 4096;
while (tmpAddr <= endAddr - len) {
//printf("Status打印输出： %llx\n", tmpAddr);
NTSTATUS Status = __NtWow64ReadVirtualMemory64(Hprocess, tmpAddr, page, pageSize + len - 1, &BufferLen);
//在该页中查找特征码
for (int i = 0; i < pageSize; i++) {
for (int j = 0; j < len; j++) {
//只要有一个与特征码对应不上则退出循环
if (m_code[j] != page[i + j])break;
//找到退出所有循环
if (j == len - 1) {
ord++;
if (ord != ordinal)
break;
_break = TRUE;
curIndex = i; // 特征码的首地址偏移
break;
}
}
if (_break) break;
}
if (_break) break;
curPage++;
tmpAddr += pageSize;
}
// 一个也没找到
//__NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);
delete m_code;
delete page;
CloseHandle(Hprocess);
//printf("base :%llx\n", offsetaddr);
return offsetaddr;
}
UINT64 GetX86X64Module(DWORD ProcessID, const wchar_t* DllName)
{
DWORD dwPid = ProcessID;
HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
BOOL bTarget = FALSE;
BOOL bSource = FALSE;
IsWow64Process(GetCurrentProcess(), &bSource);
IsWow64Process(m_ProcessHandle, &bTarget);
SYSTEM_INFO si;
GetSystemInfo(&si);
if (bTarget == FALSE && bSource == TRUE)
{
HMODULE NtdllModule = GetModuleHandle("ntdll.dll");
pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");
pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");
PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))
{
DWORD64 Ldr64 = 0;
LIST_ENTRY64 ListEntry64 = { 0 };
LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
wchar_t ProPath64[256];
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))
{
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))
{
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))
{
while (1)
{
if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;
/*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改
{
//printf("模块基址:0x%llX 模块大小:0x%X 模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
//printf("BaseDllName :%ls\n", ProPath64);
if (wcscmp(ProPath64, DllName) == 0)
{
//printf("BaseDllName :%ls\n", ProPath64);
return (UINT64)LDTE64.DllBase;
}
}
if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;
}
}
}
}
}
}
else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||
si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)
{
HMODULE NtdllModule = GetModuleHandle("ntdll.dll");
pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };
if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))
{
DWORD Ldr32 = 0;
LIST_ENTRY32 ListEntry32 = { 0 };
LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };
wchar_t ProPath32[256];
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))
{
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))
{
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))
{
while (1)
{
if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;
if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer
{
//printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
//printf("模块基址:0x%X 模块大小:0x%X 模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
//printf("%d\n", LDTE32.BaseDllName);
if (wcscmp(ProPath32, DllName) == 0)
{
//printf("BaseDllName :%ls\n", ProPath32);
return (UINT64)LDTE32.DllBase; //============32位这里最好改成DWORD
}
}
if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;
}
}
}
}
}
}
return FALSE;
CloseHandle(m_ProcessHandle);
}
UINT64 GetX86X64ModuleSize(DWORD ProcessID, const wchar_t* DllName)
{
DWORD dwPid = ProcessID;
HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
BOOL bTarget = FALSE;
BOOL bSource = FALSE;
IsWow64Process(GetCurrentProcess(), &bSource);
IsWow64Process(m_ProcessHandle, &bTarget);
SYSTEM_INFO si;
GetSystemInfo(&si);
if (bTarget == FALSE && bSource == TRUE)
{
HMODULE NtdllModule = GetModuleHandle("ntdll.dll");
pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");
pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");
PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))
{
DWORD64 Ldr64 = 0;
LIST_ENTRY64 ListEntry64 = { 0 };
LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
wchar_t ProPath64[256];
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))
{
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))
{
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))
{
while (1)
{
if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;
/*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/
if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改
{
//printf("模块基址:0x%llX 模块大小:0x%X 模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
//printf("BaseDllName :%ls\n", ProPath64);
if (wcscmp(ProPath64, DllName) == 0)
{
//printf("BaseDllName :%ls\n", ProPath64);
return (UINT64)LDTE64.SizeOfImage;
}
}
if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;
}
}
}
}
}
}
else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||
si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)
{
HMODULE NtdllModule = GetModuleHandle("ntdll.dll");
pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };
if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))
{
DWORD Ldr32 = 0;
LIST_ENTRY32 ListEntry32 = { 0 };
LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };
wchar_t ProPath32[256];
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))
{
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))
{
if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))
{
while (1)
{
if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;
if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer
{
//printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
//printf("模块基址:0x%X 模块大小:0x%X 模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
//printf("%d\n", LDTE32.BaseDllName);
if (wcscmp(ProPath32, DllName) == 0)
{
//printf("BaseDllName :%ls\n", ProPath32);
return (UINT64)LDTE32.SizeOfImage; //============32位这里最好改成DWORD
}
}
if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;
}
}
}
}
}
}
return FALSE;
CloseHandle(m_ProcessHandle);
}

复制代码

moon58654 · moon58654

代码真长呀，慢慢看。

yongli · yongli

会不会被检测到

		自动登录	找回密码
密码			立即注册

龙马谷VIP会员办理客服QQ：82926983（如果临时会话没有收到回复，请先加QQ好友再发。）
1 [已完结] GG修改器新手入门与实战教程 31课	2 [已完结] GG修改器美化修改教程 6课	3 [已完结] GG修改器Lua脚本新手入门教程 12课
4 [已完结] 触动精灵脚本新手入门必学教程 22课	5 [已完结] 手游自动化脚本入门实战教程 9课	6 [已完结] C++射击游戏方框骨骼透视与自瞄教程 27课
7 [已完结] C++零基础UE4逆向开发FPS透视自瞄教程 29课	8 [已完结] C++零基础大漠模拟器手游自动化辅助教程 22课	9 [已完结] C++零基础开发DXF内存脚本辅助教程 32课

以下是天马阁VIP教程，本站与天马阁合作，赞助VIP可以获得天马阁对应VIP会员，名额有限！点击进入天马阁论坛
1 [已完结] x64CE与x64dbg入门基础教程 7课	2 [已完结] x64汇编语言基础教程 16课	3 [已完结] x64辅助入门基础教程 9课
4 [已完结] C++x64内存辅助实战技术教程 149课	5 [已完结] C++x64内存检测与过检测技术教程 10课	6 [已完结] C+x64二叉树分析遍历与LUA自动登陆教程 19课
7 [已完结] C++BT功能原理与x64实战教程 29课	8 [已完结] C+FPS框透视与自瞄x64实现原理及防护思路