• c++ x86_x64挂钩无参数函数


    #include "pch.h"
    #include <iostream>
    #include <Windows.h>
    #include "GameCheat.h"
    
    using namespace std;
    
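    /// Callback reached from the generated stub each time the patched
    /// instruction executes. It takes no arguments and only prints a marker
    /// line ("hook triggered") to the console.
    void __stdcall myHook()
    {
      // The listing had a raw line break inside the literal (an unterminated
      // string); the intended text ends with an escaped newline.
      printf("触发钩子了\n");
    }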
    
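    /// Worker thread started from DllMain once this DLL is loaded into the
    /// Cheat Engine tutorial process.
    ///
    /// It opens a console, builds a small code stub in newly allocated
    /// executable memory (save rax/eax, call myHook, restore, replay the
    /// overwritten instruction, jump back), and then toggles a 5-byte `jmp` to
    /// that stub at a fixed offset inside the tutorial module each time F4 is
    /// pressed. F12 ends the loop, restores the original bytes if the patch is
    /// still active, frees the stub and unloads the DLL.
    ///
    /// Review notes:
    ///  - The stub lives in a private PAGE_EXECUTE_READWRITE region and the
    ///    module's code bytes differ from the on-disk image while the patch is
    ///    active; both are artifacts that memory-integrity checks look for.
    ///  - On x64 only rax is saved around the call. myHook calls printf, so
    ///    other caller-saved registers may hold different values when control
    ///    returns to the original code. NOTE(review): confirm the patched site
    ///    tolerates this.
    ///
    /// @param hModule Handle of this DLL, passed on to FreeLibraryAndExitThread.
    /// @return 0 (not reached in practice, because FreeLibraryAndExitThread
    ///         does not return).
    DWORD WINAPI MyThread(HMODULE hModule)
    {

    #ifdef _WIN64
      GameCheat gc{ "Tutorial-x86_64.exe" };
    #else
      GameCheat gc{ "Tutorial-i386.exe" };
    #endif // _WIN64

      FILE* f;
      gc.openConsole(&f);
      printf("INJECT OK\n");

      // Instruction that gets patched:
      //x64 Tutorial-x86_64.exe+2B08C - 29 83 F0070000 - sub [rbx+000007F0],eax
      //x86 Tutorial-i386.exe+2578F - 29 83 AC040000 - sub [ebx+000004AC],eax

    #ifdef _WIN64
      BYTE* addr = (BYTE*)gc.mi.lpBaseOfDll + 0x2B08C;
      vector<BYTE> copyBytes = GameCheat::byteStr2Bytes("29 83 F0 07 00 00");
      // Ask for memory just below the module so the rel32 jumps emitted below
      // can reach it; a 32-bit displacement only spans +/-2 GiB.
      BYTE* lpAddress = (BYTE*)gc.mi.lpBaseOfDll - 0x10000;
    #else
      BYTE* addr = (BYTE*)gc.mi.lpBaseOfDll + 0x2578F;
      vector<BYTE> copyBytes = GameCheat::byteStr2Bytes("29 83 AC 04 00 00");
      BYTE* lpAddress = 0;
    #endif // _WIN64

      const SIZE_T stubSize = 500;
      BYTE* newHook = (BYTE*)VirtualAlloc(lpAddress, stubSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      if (newHook == nullptr)
      {
        // The requested address may already be in use. Writing through a null
        // pointer would crash the host process, so give up cleanly instead.
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        gc.closeConsole(f);
        FreeLibraryAndExitThread(hModule, 0);
        return 0;
      }
      size_t position = 0;

      // push rax (x64) / push eax (x86): same opcode, 0x50
      *(newHook + position) = 0x50;
      position += sizeof(BYTE);

    #ifdef _WIN64
      // mov rax,myHook   (48 B8 imm64)
      *(WORD*)(newHook + position) = 0xB848;
      position += sizeof(WORD);

      *(uintptr_t*)(newHook + position) = (uintptr_t)myHook; // imm64 = &myHook
      position += sizeof(uintptr_t);

      // sub rsp,0x20     (48 83 EC 20), the 32-byte shadow space for the callee
      *(DWORD*)(newHook + position) = 0x20EC8348;
      position += sizeof(DWORD);

      // call rax         (FF D0)
      *(WORD*)(newHook + position) = 0xD0FF;
      position += sizeof(WORD);

      // add rsp,0x20     (48 83 C4 20)
      *(DWORD*)(newHook + position) = 0x20C48348;
      position += sizeof(DWORD);

    #else

      // call myHook      (E8 rel32; displacement is relative to the next instruction)
      DWORD callMyHookBytes = (BYTE*)myHook - (newHook + position) - 5;
      *(newHook + position) = 0xE8;
      position += sizeof(BYTE);
      *(DWORD*)(newHook + position) = callMyHookBytes;
      position += sizeof(DWORD);

    #endif // _WIN64

      // pop rax / pop eax
      *(newHook + position) = 0x58;
      position += sizeof(BYTE);

      // Replay the overwritten ("stolen") instruction bytes; may be omitted
      // depending on the case. The destination size is the space actually left
      // in the stub, so memcpy_s performs a real bounds check.
      memcpy_s(newHook + position, stubSize - position, copyBytes.data(), copyBytes.size());
      position += copyBytes.size();

      // jmp back to the instruction that follows the patched one (E9 rel32)
      DWORD jmpReturnBytes = (addr + copyBytes.size()) - (newHook + position) - 5;
      *(newHook + position) = 0xE9;
      position += sizeof(BYTE);
      *(DWORD*)(newHook + position) = jmpReturnBytes;

      // Patch image: E9 rel32 to the stub, padded with NOPs up to the length of
      // the replaced instruction (6 bytes in both builds).
      DWORD jmpHookBytes = newHook - addr - 5;
      vector<BYTE> jmpPatch(copyBytes.size(), 0x90);
      jmpPatch[0] = 0xE9;
      memcpy_s(jmpPatch.data() + 1, jmpPatch.size() - 1, &jmpHookBytes, sizeof(jmpHookBytes));

      // Writes `bytes` over the target instruction, making the page writable
      // only for the duration of the copy.
      auto writePatch = [addr](const vector<BYTE>& bytes) -> bool
      {
        DWORD oldProtect = 0;
        if (!VirtualProtect(addr, bytes.size(), PAGE_EXECUTE_READWRITE, &oldProtect))
          return false;
        memcpy_s(addr, bytes.size(), bytes.data(), bytes.size());
        // VirtualProtect fails when its last argument is NULL, which would
        // leave the code page writable; pass a real variable to restore it.
        DWORD ignored = 0;
        VirtualProtect(addr, bytes.size(), oldProtect, &ignored);
        return true;
      };

      bool bEnable = false;
      printf("  F4 开启/关闭\n");
      while (!GetAsyncKeyState(VK_F12))
      {
        if ( GetAsyncKeyState(VK_F4) & 1 )
        {
          const bool wantEnable = !bEnable;
          if (writePatch(wantEnable ? jmpPatch : copyBytes))
          {
            bEnable = wantEnable;
            if (bEnable)
              printf("挂钩\n");
            else
              printf("脱钩\n");
          }
          else
          {
            printf("VirtualProtect failed: %lu\n", GetLastError());
          }
        }
        Sleep(10);
      }

      // Put the original bytes back before the stub is freed; otherwise the
      // jmp left in the module would target released memory.
      // NOTE(review): a thread could still be executing inside the stub here.
      if (bEnable)
        writePatch(copyBytes);

      VirtualFree(newHook, 0, MEM_RELEASE);
      gc.closeConsole(f);
      FreeLibraryAndExitThread(hModule, 0);
      return 0;
    }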
    
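    /// DLL entry point. On process attach it starts MyThread on a new thread,
    /// passing this module's handle, and returns at once so the work does not
    /// run inside DllMain itself. All other notifications are ignored.
    ///
    /// @param hModule            Handle of this DLL; forwarded to MyThread.
    /// @param ul_reason_for_call Notification code supplied by the loader.
    /// @param lpReserved         Unused.
    /// @return Always TRUE.
    BOOL APIENTRY DllMain(HMODULE hModule,
      DWORD  ul_reason_for_call,
      LPVOID lpReserved
    )
    {
      switch (ul_reason_for_call)
      {
      case DLL_PROCESS_ATTACH:
      {
        // The thread keeps running after its handle is closed. Close the
        // handle only if creation succeeded, so that CloseHandle is never
        // given a NULL handle.
        HANDLE hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)MyThread, hModule, 0, 0);
        if (hThread != nullptr)
          CloseHandle(hThread);
        break; // explicit, instead of falling through into the empty cases
      }
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      case DLL_PROCESS_DETACH:
        break;
      }
      return TRUE;
    }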
    
  • 原文地址:https://www.cnblogs.com/ajanuw/p/13618247.html