1 源码中 用到的结构和未公开函数 请到 http://www.cnblogs.com/IMyLife/p/4826286.html 获取 2 3 HANDLE ProcessHandle=NULL; 4 DWORD pPID=NULL; 5 DWORD TID=NULL; 6 HWND i = FindWindowW(NULL, L"游戏窗口名称"); 7 TID=GetWindowThreadProcessId(i,&pPID); 8 ProcessHandle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pPID); 9 /映射字节集到进程 10 DWORD MappingBytes(PVOID Address,DWORD BYTE_SIZE,WCHAR Nume[]) 11 { 12 DWORD vaddress=NULL,size=NULL; 13 HANDLE hMap=CreateFileMappingW(INVALID_HANDLE_VALUE,NULL,PAGE_EXECUTE_READWRITE,NULL,BYTE_SIZE,Nume); 14 if(hMap!=NULL) 15 { 16 HANDLE pAddress=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL); 17 if(pAddress!=NULL) 18 { 19 RtlMoveMemory(pAddress,Address,BYTE_SIZE); 20 //映射字节集到目标进程 21 ZwMapViewOfSection(hMap,ProcessHandle,&vaddress,NULL,NULL,NULL,&size,1,0,PAGE_EXECUTE_READWRITE); 22 UnmapViewOfFile(pAddress); 23 return vaddress; 24 } 25 } 26 return 0; 27 } 28 //获取HOOK函数的字节数量//记得HOOK函数最后加上 int 0 不然无法判断 29 DWORD GetFunctionLong(DWORD JMPAddress) 30 { 31 BYTE *p=(BYTE*)JMPAddress; 32 int i=0; 33 while (TRUE) 34 { 35 if((DWORD)*p==205) 36 { 37 return i; 38 } 39 p++; 40 i++; 41 } 42 return 0; 43 } 44 //远程调用CALL函数主功能 45 46 47 48 //要调用的CALL,参数结构,结构大小 可实现任意个数参数调用(看下面怎么获取参数的) 只测试了DWORD类型参数 49 DWORD LoadCALL(DWORD* CALLAddress, DWORD* ParameterStruct, DWORD ParameterStruct_SIZE) 50 { 51 DWORD vaddress = NULL, size = NULL,lsbuff = 0,lenght=0,structbuff=0; 52 lenght = GetFunctionLong((DWORD)CALLAddress); 53 HANDLE hMap = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, NULL, lenght, L"CALL"); 54 if (hMap != NULL) 55 { 56 HANDLE pAddress = MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL); 57 if (pAddress != NULL) 58 { 59 RtlMoveMemory(pAddress, CALLAddress, lenght); 60 //映射CALL字节集到目标进程 61 ZwMapViewOfSection(hMap, ProcessHandle, &vaddress, NULL, NULL, NULL, &size, 1, 0, 4); 62 //映射参数结构到目标进程 63 structbuff=MappingBytes((PVOID)ParameterStruct, ParameterStruct_SIZE, L"struct"); 64 //修改内存页面保护属性 65 VirtualProtectEx(ProcessHandle, (LPVOID)vaddress, lenght, PAGE_EXECUTE_READWRITE, &lsbuff); 66 //创建远线程执行CALL 67 CreateRemoteThread(ProcessHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)vaddress, (LPVOID)structbuff, NULL, NULL); 68 UnmapViewOfFile(pAddress); 69 return = vaddress; 70 } 71 } 72 return 0; 73 } 74 75 76 1 //调用远程CALL格式 77 2 /* 78 3 参数结构 79 4 typedef struct A 80 5 { 81 6 DWORD a1; 82 7 DWORD a2; 83 8 DWORD a3; 84 9 DWORD a4; 85 10 }; 86 11 typedef struct A A1; 87 12 typedef A1 *A2; 88 13 89 14 要调用的CALL 90 15 void __declspec( naked ) ZwGoodsCALL() 91 16 { 92 17 _asm 93 18 { 94 19 MOV EAX, [ebp+8] 95 20 mov ebx,dword ptr ds : [eax] //取结构第一个参数 第二个+4 第三个+8依次加4 96 21 mov ecx,dword ptr ds : [eax+4]//获取第二个参数 97 22 retn 98 23 int 0// 结尾标识符 给获取函数长度函数做判断 99 24 } 100 25 } 101 26 调用方法 102 27 A2 pA2 = NULL; 103 28 pA2 = (A2)malloc(sizeof(A1)); 104 29 pA2->a1 = 1; 105 30 pA2->a2 = 2; 106 31 pA2->a3 = 3; 107 32 pA2->a4 = 4; 108 33 LoadCALL((DWORD*)ZwGoodsCALL, (DWORD*)pA2, sizeof(A1)); 109 34 */ //