36.远程注入到入口点注入

免责声明：内容仅供学习参考，请合法利用知识，禁止进行违法犯罪活动！

如果看不懂、不知道现在做的什么，那就跟着做完看效果，代码看不懂是正常的，只要会抄就行，抄着抄着就能懂了

上一个内容：35.简易远程数据框架的实现

以 35.简易远程数据框架的实现 它的代码为基础进行的修改

通过远程线程获取游戏首地址，然后把首地址的代码改为跳转到辅助功能里。

首先关闭安全检测

添加了RemoteThreadProce函数，修改了CodeRemoteData、CreateRemoteData、OnNMDblclkList1函数，修改了_REMOTE_DATA结构

CWndINJ.cpp: 实现文件

#include "pch.h"
#include "GAMEHACKER2.h"
#include "CWndINJ.h"
#include "afxdialogex.h"#include <ImageHlp.h>
#include <fstream>
#pragma comment(lib, "ImageHlp.lib")//void _stdcall INJECTCode() {
//    AfxMessageBox(L"aa");
//    unsigned address = 0xCCCCCCCC;
//    PREMOTE_DATA p = (PREMOTE_DATA)address;
//    p->f_LoadLibrary(p->dllName);
//}// CWndINJ 对话框IMPLEMENT_DYNAMIC(CWndINJ, CDialogEx)CWndINJ::CWndINJ(CWnd* pParent /*=nullptr*/): CDialogEx(IDD_PAGE_0, pParent), B_INJCET(FALSE), B_DEBUG(FALSE), B_PAUSE(FALSE)
{}CWndINJ::~CWndINJ()
{
}BOOL CWndINJ::OnInitDialog()
{CDialogEx::OnInitDialog();LONG_PTR lStyle;// 得到窗口的样式，GWL_STYLE在GetWindowLongPtr说明中有lStyle = GetWindowLongPtr(ExeLst.m_hWnd, GWL_STYLE);lStyle |= LVS_REPORT;SetWindowLongPtr(ExeLst.m_hWnd, GWL_STYLE, lStyle);DWORD dStyle = ExeLst.GetExtendedStyle();dStyle |= LVS_EX_FULLROWSELECT;dStyle |= LVS_EX_GRIDLINES;ExeLst.SetExtendedStyle(dStyle);ExeLst.InsertColumn(0, L"名称", 0, 200);ExeLst.InsertColumn(1, L"可执行文件", 0, 400);ExeLst.InsertColumn(2, L"文件夹", 0, 400);ExeLst.InsertColumn(3, L"命令行", 0, 400);ExeLst.InsertColumn(4, L"注入模块", 0, 400);return 0;
}void CWndINJ::DoDataExchange(CDataExchange* pDX)
{CDialogEx::DoDataExchange(pDX);DDX_Control(pDX, IDC_LIST1, ExeLst);DDX_Check(pDX, IDC_CHECK1, B_INJCET);DDX_Check(pDX, IDC_CHECK2, B_DEBUG);DDX_Check(pDX, IDC_CHECK3, B_PAUSE);
}BEGIN_MESSAGE_MAP(CWndINJ, CDialogEx)ON_BN_CLICKED(IDC_BUTTON1, &CWndINJ::OnBnClickedButton1)ON_NOTIFY(NM_DBLCLK, IDC_LIST1, &CWndINJ::OnNMDblclkList1)ON_NOTIFY(LVN_ITEMCHANGED, IDC_LIST1, &CWndINJ::OnLvnItemchangedList1)
END_MESSAGE_MAP()// CWndINJ 消息处理程序void CWndINJ::OnBnClickedButton1()
{// TODO: 在此添加控件通知处理程序代码/*ExeLst.InsertItem(0, L"DNF");ExeLst.SetItemText(0, 1, L"dlls.dll");*/用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。//STARTUPINFO si{};//si.cb = sizeof(si);//PROCESS_INFORMATION prinfo{};//CreateProcess(L"C:\\Users\\am\\Desktop\\易道云\\游戏保护\\练手游戏\\初级\\JX2\\Sword2.exe",//    NULL,NULL,NULL,//    FALSE,//    // 新进程的主线程处于挂起状态创建，在调用 ResumeThread 函数之前不会运行。//    CREATE_SUSPENDED,//    NULL,//    L"C:\\Users\\am\\Desktop\\易道云\\游戏保护\\练手游戏\\初级\\JX2\\",//    &si,//    &prinfo//    );///**//    注入功能写在这里（CreateProcess与ResumeThread函数之间）//*/让游戏继续运行//ResumeThread(prinfo.hThread);wndAddGame.Init(this);wndAddGame.DoModal();}void CWndINJ::Init(CString& _AppPath)
{AppPath = _AppPath;GameIni.Format(L"%s\\config\\Games.ini", AppPath);LoadGame();
}void CWndINJ::AddGame(CString& GameName, CString& GamePath, CString& GameFullPath, CString& GameCmds, CString& DllPath)
{int count = GetPrivateProfileInt(L"main", L"count", 0, GameIni);count++;CString key;key.Format(L"count_%d", count);WritePrivateProfileString(key, L"GameName", GameName, GameIni);WritePrivateProfileString(key, L"GamePath", GamePath, GameIni);WritePrivateProfileString(key, L"GameFullPath", GameFullPath, GameIni);WritePrivateProfileString(key, L"GameCmds", GameCmds, GameIni);WritePrivateProfileString(key, L"DllPath", DllPath, GameIni);CString wCount;wCount.Format(L"%d", count);WritePrivateProfileString(L"main", L"count", wCount, GameIni);int iCount = ExeLst.GetItemCount();ExeLst.InsertItem(iCount, GameName);ExeLst.SetItemText(iCount, 1, GamePath);ExeLst.SetItemText(iCount, 2, GameFullPath);ExeLst.SetItemText(iCount, 3, GameCmds);ExeLst.SetItemText(iCount, 4, DllPath);}void CWndINJ::LoadGame()
{int count = GetPrivateProfileInt(L"main", L"count", 0, GameIni);for (int i = 0; i < count; i++) {CString GameName, GameExe, GamePath, GameCmds, GameDlls, _AppName;_AppName.Format(L"count_%d", i+1);wchar_t wRead[0xFF];GetPrivateProfileString(_AppName, L"GameName", L"", wRead, 0xFF, GameIni);GameName.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GamePath", L"", wRead, 0xFF, GameIni);GameExe.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GameFullPath", L"", wRead, 0xFF, GameIni);GamePath.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GameCmds", L"", wRead, 0xFF, GameIni);GameCmds.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"DllPath", L"", wRead, 0xFF, GameIni);GameDlls.Format(L"%s", wRead);ExeLst.InsertItem(i, GameName);ExeLst.SetItemText(i, 1,  GameExe);ExeLst.SetItemText(i, 2, GamePath);ExeLst.SetItemText(i, 3, GameCmds);ExeLst.SetItemText(i, 4, GameDlls);}
}void* _imageload(wchar_t* filename) {std::ifstream streamReader(filename, std::ios::binary);streamReader.seekg(0, std::ios::end);unsigned filesize = streamReader.tellg();char* _data = new char[filesize];streamReader.seekg(0, std::ios::beg);streamReader.read(_data, filesize);streamReader.close();return _data;
}void _unloadimage(void* _data) {delete[] _data;
}void CWndINJ::OnNMDblclkList1(NMHDR* pNMHDR, LRESULT* pResult)
{LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);// TODO: 在此添加控件通知处理程序代码*pResult = 0;int index = pNMItemActivate->iItem;if (index < 0)return;CString GamePath = ExeLst.GetItemText(index, 2);CString GameExe = ExeLst.GetItemText(index, 1);CString GameCmds = ExeLst.GetItemText(index, 3);CString GameDlls = ExeLst.GetItemText(index, 4);// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。// STARTUPINFO si{};// si.cb = sizeof(si);PROCESS_INFORMATION prinfo{};m_INJCET.StartProcess(GameExe, GamePath, GameCmds.GetBuffer(), &prinfo);m_INJCET.CreateRemoteData(prinfo.hProcess, GameExe, L"F:\\代码存放地\\c\\GAMEHACKER2\\Release\\Dlls.dll");//m_INJCET.CodeRemoteData(&_data);/**CreateProcess(GameExe,GameCmds.GetBuffer(),NULL,NULL,FALSE,// 新进程的主线程处于挂起状态创建，在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,&prinfo);*//** 方式一调用apiCStringA GameExeA;GameExeA = GameExe;PLOADED_IMAGE image =  ImageLoad(GameExeA, NULL);DWORD dEntryPoint = image->FileHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);ImageUnload(image)*//** 方式二（要在32位环境下运行）void* image = _imageload(GameExe.GetBuffer());IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;unsigned PEAddress =  dosHeader->e_lfanew + (unsigned)image;IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);_unloadimage(image);*///LPVOID adrRemote = VirtualAllocEx(prinfo.hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//SIZE_T lwt;//WriteProcessMemory(prinfo.hProcess, adrRemote, INJECTCode, 0x200, &lwt);//CString wTxt;//wTxt.Format(L"%X", adrRemote);//AfxMessageBox(wTxt);// 让游戏继续运行//m_INJCET.CreateRemoteData(prinfo.hProcess, GameDlls.GetBuffer());// ResumeThread(prinfo.hThread);
}void CWndINJ::OnLvnItemchangedList1(NMHDR* pNMHDR, LRESULT* pResult)
{LPNMLISTVIEW pNMLV = reinterpret_cast<LPNMLISTVIEW>(pNMHDR);// TODO: 在此添加控件通知处理程序代码*pResult = 0;
}

INJCET.cpp文件代码：

#include "pch.h"
#include "INJCET.h"
#include <fstream>void _stdcall INJECTCode() {unsigned address = 0xCCCCCCCC;PREMOTE_DATA p = (PREMOTE_DATA)address;p->f_LoadLibrary(p->dllName);unsigned dEntry = p->EntryPoint;char* entryCode = (char*)p->EntryPoint;entryCode[0] = p->oldCode[0];entryCode[1] = p->oldCode[1];entryCode[2] = p->oldCode[2];entryCode[3] = p->oldCode[3];entryCode[4] = p->oldCode[4];_asm {mov eax, dEntryjmp eax}
}DWORD _stdcall RemoteThreadProce(PREMOTE_DATA p) {unsigned base = p->f_GetModuleHandleA(0);DWORD dRet;p->EntryPoint += base;p->f_VirtualProtect((LPVOID)p->EntryPoint, 0x1000, PAGE_EXECUTE_READWRITE, &dRet);char* entryCode = (char*)p->EntryPoint;p->oldCode[0] = entryCode[0];p->oldCode[1] = entryCode[1];p->oldCode[2] = entryCode[2];p->oldCode[3] = entryCode[3];p->oldCode[4] = entryCode[4];int* entryDis = (int*)(p->EntryPoint + 1);*entryCode = 0xE9;int Distance = p->HOOKFunction - p->EntryPoint - 5;*entryDis = Distance;return 1;
}BOOL INJCET::StartProcess(const wchar_t* GameExe, const wchar_t* GamePath, wchar_t* GameCmds, PROCESS_INFORMATION* LPinfo)
{// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。STARTUPINFO si{};si.cb = sizeof(si);CreateProcess(GameExe,GameCmds,NULL, NULL,FALSE,// 新进程的主线程处于挂起状态创建，在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,LPinfo);return TRUE;
}void* INJCET::ImageLoad(const wchar_t* filename) {std::ifstream streamReader(filename, std::ios::binary);streamReader.seekg(0, std::ios::end);unsigned filesize = streamReader.tellg();char* _data = new char[filesize];streamReader.seekg(0, std::ios::beg);streamReader.read(_data, filesize);streamReader.close();return _data;
}void INJCET::UnloadImage(void* _data) {delete[] _data;
}DWORD INJCET::GetEntryPoint(const wchar_t* filename)
{// 方式二（要在32位环境下运行根据游戏版本选择运行32还是64位的程序）void* image = ImageLoad(filename);IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);UnloadImage(image);return dEntryPoint;
}BOOL INJCET::CreateRemoteData(HANDLE hProcess, const wchar_t* GameExe, const wchar_t* dllName)
{LPVOID adrRemote = VirtualAllocEx(hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);SIZE_T lwt;LPVOID adrRemoteData = (LPVOID)((unsigned)adrRemote + 0x2000);LPVOID adrRemoteProc= (LPVOID)((unsigned)adrRemote + 0x500);_REMOTE_DATA remoteData{};remoteData.EntryPoint = GetEntryPoint(GameExe);CodeRemoteData(&remoteData, dllName);WriteProcessMemory(hProcess, adrRemoteData, &remoteData, sizeof(remoteData), &lwt);char _code[0x200];memcpy(_code, INJECTCode, sizeof(_code));for (int i = 0; i < 0x100; i++) {unsigned* pcode = (unsigned*)(&_code[i]);if (pcode[0] == 0xCCCCCCCC) {pcode[0] = (unsigned)adrRemoteData;break;}}WriteProcessMemory(hProcess, adrRemote, _code, 0x200, &lwt);remoteData.HOOKFunction = (unsigned)adrRemote;WriteProcessMemory(hProcess, adrRemoteProc, RemoteThreadProce, 0x200, &lwt);CString wTxt;wTxt.Format(L"%X", adrRemote);AfxMessageBox(wTxt);DWORD dwThreadId = 0;HANDLE remotehdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemoteProc, adrRemoteData, 0, &dwThreadId);WaitForSingleObject(remotehdl, INFINITE);//DWORD dwThreadId = 0;//HANDLE remoteHdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemote, NULL, 0, &dwThreadId);//WaitForSingleObject(remoteHdl, INFINITE);return TRUE;
}void INJCET::CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName)
{short lenth;// 求长度for (lenth = 0; dllName[lenth]; lenth++);HMODULE hKernel = LoadLibrary(_T("kernel32.dll"));//_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");_data->f_GetModuleHandleA = (_GetModuleHandleA)GetProcAddress(hKernel, "GetModuleHandleA");_data->f_VirtualProtect = (_VirtualProtect)GetProcAddress(hKernel, "VirtualProtect");//LoadLibraryW// wchar两字节拷贝是一字节所以长度要成2memcpy(_data->dllName, dllName, (lenth + 1) * 2);/*CString  wTxt;wTxt.Format(L"%X", _data->f_LoadLibrary);AfxMessageBox(wTxt);*/
}

INJCET.h文件代码：

#pragma once
#include <Windows.h>typedef unsigned int (WINAPI* _LoadLibrary)(wchar_t* dllName);
typedef unsigned int (WINAPI* _GetModuleHandleA)(wchar_t* modName);
typedef int (WINAPI* _VirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);typedef struct _REMOTE_DATA {wchar_t dllName[0xFF]; // 要输入的dll文件路径unsigned EntryPoint;unsigned HOOKFunction;char oldCode[5];_LoadLibrary f_LoadLibrary;_GetModuleHandleA f_GetModuleHandleA;_VirtualProtect f_VirtualProtect;
}*PREMOTE_DATA;class INJCET
{
public:BOOL StartProcess(const wchar_t * GameExe,const wchar_t * GamePath,wchar_t * GameCmds,PROCESS_INFORMATION* LPinfo);void* ImageLoad(const wchar_t* filename);void UnloadImage(void* _data);DWORD GetEntryPoint(const wchar_t* filename);
public:BOOL CreateRemoteData(HANDLE hProcess, const wchar_t* GameExe, const wchar_t* dllName);void CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName);
};