• c++ winapi 在当前程序(local)调用目标程序(target)的函数


    如果你的目标程序是x86/x64, 那么当前程序也需要编译为x86/x64

    #include <cstdint>
    #include <cstdio>
    #include <cstring>
    #include <iostream>
    #include <regex>
    #include <string>
    #include <vector>
    
    #include "GameCheatEx.h"
    
    using namespace std;
    
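    int main()
    {
      // Attaches to the target process named here. GameCheatEx::GC is the
      // project helper declared in GameCheatEx.h; it provides gc.hProcess.
      GameCheatEx::GC gc{ "game2.exe" };

      // Address of user32!MessageBoxA as mapped inside the target process.
      const uintptr_t pMessageBoxA = GameCheatEx::GC::GetProcAddressEx(gc.hProcess, "user32.dll", "MessageBoxA");
      if (pMessageBoxA == 0) {
        fprintf(stderr, "GetProcAddressEx(user32.dll, MessageBoxA) failed\n");
        return 1;
      }

      const char* title = "hello";
      const char* content = "world";
      const size_t titleLen = strlen(title) + 1;      // +1 so the NUL terminator is copied too
      const size_t contentLen = strlen(content) + 1;

      // One 1 KiB region in the target holds both strings followed by the call stub.
      BYTE* newmem = static_cast<BYTE*>(VirtualAllocEx(gc.hProcess, nullptr, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
      if (newmem == nullptr) {
        fprintf(stderr, "VirtualAllocEx failed: %lu\n", GetLastError());
        return 1;
      }
      // %p, not %x: %x prints only the low 32 bits of a 64-bit pointer.
      printf("newmem: %p\n", static_cast<void*>(newmem));

      // Layout inside newmem: [title][content][8 unused bytes][stub]
      const uintptr_t titleAddr = reinterpret_cast<uintptr_t>(newmem);
      const uintptr_t contentAddr = titleAddr + titleLen;
      const uintptr_t funAddr = contentAddr + contentLen + 8;
      printf("funAddr: %p\n", reinterpret_cast<void*>(funAddr));

      // Reports a failed Win32 call, releases the remote region and yields the exit code,
      // so no error path leaks the allocation made above.
      auto fail = [&](const char* what) {
        fprintf(stderr, "%s failed: %lu\n", what, GetLastError());
        VirtualFreeEx(gc.hProcess, newmem, 0, MEM_RELEASE);
        return 1;
      };

      if (!WriteProcessMemory(gc.hProcess, reinterpret_cast<LPVOID>(titleAddr), title, titleLen, nullptr)) {
        return fail("WriteProcessMemory(title)");
      }
      if (!WriteProcessMemory(gc.hProcess, reinterpret_cast<LPVOID>(contentAddr), content, contentLen, nullptr)) {
        return fail("WriteProcessMemory(content)");
      }

    #ifdef _WIN64

      /*
    0000- 55                    - push rbp
    0001- 48 8B EC              - mov rbp,rsp
    0004- 48 83 EC 20           - sub rsp,20
    0008- 48 B9 0000000000000000 - mov rcx,0000000000000000
    0012- 48 BA 0000000000000000 - mov rdx,0000000000000000
    001C- 49 B8 0000000000000000 - mov r8,0000000000000000
    0026- 49 B9 0000000000000000 - mov r9,0000000000000000
    0030- 48 B8 E02C643FFD7F0000 - mov rax,user32.MessageBoxA
    003A- FF D0                 - call rax
    003C- 48 83 C4 20           - add rsp,20
    0040- 48 8B E5              - mov rsp,rbp
    0043- 5D                    - pop rbp
    0044- C3                    - ret
      */

      // x64 stub: MessageBoxA(hWnd=rcx, lpText=rdx, lpCaption=r8, uType=r9).
      // rcx and r9 stay 0; the three 8-byte immediates below are patched in.
      BYTE funcode[] = {
        0x55,
        0x48, 0x8B, 0xEC,
        0x48, 0x83, 0xEC, 0x20,
        0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xFF, 0xD0,
        0x48, 0x83, 0xC4, 0x20,
        0x48, 0x8B, 0xE5,
        0x5D,
        0xC3,
      };
      // Offsets are the imm64 positions in the listing above (opcode at 0x12/0x1C/0x30, imm 2 bytes later).
      memcpy_s(funcode + 0x14, sizeof(uintptr_t), &contentAddr, sizeof(uintptr_t));  // rdx = lpText
      memcpy_s(funcode + 0x1E, sizeof(uintptr_t), &titleAddr, sizeof(uintptr_t));    // r8  = lpCaption
      memcpy_s(funcode + 0x32, sizeof(uintptr_t), &pMessageBoxA, sizeof(uintptr_t)); // rax = call target
    #else
      /*
       3 00000000 6A00                        push 0
       4 00000002 6878563412                  push 0x12345678
       5 00000007 6878563412                  push 0x12345678
       6 0000000C 6A00                        push 0
       7 0000000E E800000000                  call MessageBoxA
       8 00000013 C3                          ret
      */
      // x86 stub: arguments pushed right-to-left (uType, lpCaption, lpText, hWnd),
      // then a rel32 call; MessageBoxA is stdcall, so the callee pops them.
      BYTE funcode[] = {
       0x6A, 0x00,
       0x68, 0x00,0x00,0x00,0x00,
       0x68, 0x00,0x00,0x00,0x00,
       0x6A, 0x00,
       0xE8, 0x00,0x00,0x00,0x00,
       0xC3
      };
      // rel32 is measured from the end of the 5-byte call at stub offset 0xE.
      // Named relMessageBoxA so it does not shadow the Win32 MessageBoxA declaration.
      const DWORD relMessageBoxA = static_cast<DWORD>(pMessageBoxA - (funAddr + 0xE) - 5);
      memcpy_s(funcode + 0x3, sizeof(DWORD), &titleAddr, sizeof(DWORD));      // push lpCaption
      memcpy_s(funcode + 0x8, sizeof(DWORD), &contentAddr, sizeof(DWORD));    // push lpText
      memcpy_s(funcode + 0xF, sizeof(DWORD), &relMessageBoxA, sizeof(DWORD)); // call rel32
    #endif // _WIN64
      if (!WriteProcessMemory(gc.hProcess, reinterpret_cast<LPVOID>(funAddr), funcode, sizeof(funcode), nullptr)) {
        return fail("WriteProcessMemory(stub)");
      }

      HANDLE hThread = CreateRemoteThread(gc.hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(funAddr), nullptr, 0, nullptr);
      if (hThread == nullptr) {
        return fail("CreateRemoteThread");
      }
      // The region is released below, so the stub must have returned before that point.
      WaitForSingleObject(hThread, INFINITE);
      CloseHandle(hThread);
      VirtualFreeEx(gc.hProcess, newmem, 0, MEM_RELEASE);
      return 0;
    }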
    
  • 原文地址:https://www.cnblogs.com/ajanuw/p/13638106.html