c++ x86_x64挂钩无参数函数

2021-03-29 00:25



  • https://github.com/januwA/GameCheat
#include "pch.h"
#include 
#include 
#include "GameCheat.h"

using namespace std;

/// Callback invoked by the trampoline each time the hooked instruction runs.
/// Takes no arguments and returns nothing; it only prints a marker line.
///
/// NOTE(review): the trampoline built in MyThread saves/restores only
/// eax/rax (push/pop) around the call to this function, so whatever this
/// body - and printf inside it - clobbers in the other caller-saved
/// registers or flags leaks back into the hooked code. Keep this minimal and
/// confirm the hooked site tolerates that before adding work here.
void __stdcall myHook()
{
  fputs("触发钩子了\n", stdout);
}

// Worker thread started from DllMain. Builds a small trampoline in a freshly
// allocated executable region, then lets the user toggle (F4) a 5-byte jmp at
// a fixed offset inside the Tutorial module so that `myHook` runs each time the
// patched instruction executes. F12 tears everything down and unloads the DLL.
//
// Params:  hModule - this DLL's module handle, passed to FreeLibraryAndExitThread.
// Returns: never returns normally; FreeLibraryAndExitThread ends the thread.
//
// NOTE(review): none of the Win32 calls below (VirtualAlloc, VirtualProtect)
// have their return values checked, so an allocation or protection failure
// turns into a write through a bad pointer or a silently unpatched page.
DWORD WINAPI MyThread(HMODULE hModule)
{

#ifdef _WIN64
  GameCheat gc{ "Tutorial-x86_64.exe" };
#else
  GameCheat gc{ "Tutorial-i386.exe" };
#endif // _WIN64

  // Console for the printf output below; closed again before the thread exits.
  FILE* f;
  gc.openConsole(&f);
  printf("INJECT OK\n");

  // Hook target: the `sub [reg+off],eax` instruction at a fixed module offset.
  // Its original bytes are the ones that get overwritten ("stolen") and must
  // therefore be re-executed by the trampoline before jumping back.
  //x64 Tutorial-x86_64.exe+2B08C - 29 83 F0070000 - sub [rbx+000007F0],eax
  //x86 Tutorial-i386.exe+2578F - 29 83 AC040000 - sub [ebx+000004AC],eax

#ifdef _WIN64
  BYTE* addr = (BYTE*)gc.mi.lpBaseOfDll + 0x2B08C;
  vector copyBytes = GameCheat::byteStr2Bytes("29 83 F0 07 00 00");
  // Preferred trampoline address just below the module. Presumably chosen so
  // the rel32 displacements computed below stay within +/-2 GB of `addr`;
  // VirtualAlloc may still hand back a different address (or NULL), and
  // nothing below verifies the distance.
  BYTE* lpAddress = (BYTE*)gc.mi.lpBaseOfDll - 0x10000;
#else
  BYTE* addr = (BYTE*)gc.mi.lpBaseOfDll + 0x2578F;
  vector copyBytes = GameCheat::byteStr2Bytes("29 83 AC 04 00 00");
  BYTE* lpAddress = 0; // any address: on x86 a rel32 reaches the whole address space
#endif // _WIN64

  // One RWX region holds the trampoline; `position` is the write cursor into it.
  // NOTE(review): a NULL result is not checked; the writes below would fault.
  BYTE* newHook = (BYTE*)VirtualAlloc(lpAddress, 500, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  size_t position = 0;

  // push eax (push rax on x64) - the only register the trampoline preserves
  *(newHook + position) = 0x50;
  position += sizeof(BYTE);

#ifdef _WIN64
  // mov rax,myHook
  // sub rsp,0x20
  // call rax
  // add rsp,0x20
  // (absolute call through rax, so myHook need not be within rel32 range)

  // mov rax,myHook -> bytes 48 B8 (the WORD 0xB848 is stored little-endian)
  *(WORD*)(newHook + position) = 0xB848; // mov
  position += sizeof(WORD);

  *(uintptr_t*)(newHook + position) = (uintptr_t)myHook; // 8-byte immediate: address of myHook
  position += sizeof(uintptr_t);

  // sub rsp,0x20 -> 48 83 EC 20: reserve the 32-byte shadow space the x64
  // calling convention expects from the caller.
  // NOTE(review): nothing here re-aligns rsp to 16 bytes; whether that
  // matters depends on the stack state at the hooked site - confirm.
  *(DWORD*)(newHook + position) = 0x20EC8348;
  position += sizeof(DWORD);

  // call rax -> FF D0
  *(WORD*)(newHook + position) = 0xD0FF; // call
  position += sizeof(WORD);


  // add rsp,0x20 -> 48 83 C4 20: release the shadow space
  *(DWORD*)(newHook + position) = 0x20C48348;
  position += sizeof(DWORD);

#else

  // call myHook -> E8 rel32, where rel32 is relative to the end of the
  // 5-byte call instruction (hence the "- 5").
  DWORD callMyHookBytes = (BYTE*)myHook - (newHook + position) - 5;
  *(newHook + position) = 0xE8;
  position += sizeof(BYTE);
  *(DWORD*)(newHook + position) = callMyHookBytes;
  position += sizeof(DWORD);

#endif // _win64

  // pop eax (pop rax on x64)
  * (newHook + position) = 0x58;
  position += sizeof(BYTE);

  // Re-emit the stolen bytes so the original instruction still executes;
  // this can be left out if the hooked instruction is meant to be suppressed.
  memcpy_s(newHook + position, copyBytes.size(), copyBytes.data(), copyBytes.size());
  position += copyBytes.size();

  // jmp back to the instruction following the stolen bytes (E9 rel32).
  // NOTE(review): the pointer difference is truncated to a DWORD; on x64 this
  // is only correct if the trampoline landed within +/-2 GB of `addr`.
  DWORD jmpReturnBytes = (addr + copyBytes.size()) - (newHook + position) - 5;
  *(newHook + position) = 0xE9;
  position += sizeof(BYTE);
  *(DWORD*)(newHook + position) = jmpReturnBytes;

  // rel32 for the patch at `addr` that jumps into the trampoline (same truncation caveat).
  DWORD jmpHookBytes = newHook - addr - 5;
  bool bEnable = false;
  printf("  F4 开启/关闭\n");
  // Poll until F12. `& 1` reads the "pressed since the last call" bit, so one
  // F4 keypress toggles the hook exactly once.
  while (!GetAsyncKeyState(VK_F12))
  {
    if ( GetAsyncKeyState(VK_F4) & 1 )
    {
      bEnable = !bEnable;
      if (bEnable)
      {
        printf("挂钩\n");
        // Enable: fill the stolen bytes with NOP (0x90), then write
        // jmp newHook (E9 rel32, 5 bytes) over the start of them.
        // Tutorial-x86_64.exe+2B08C >> jmp newHook
        DWORD oldProc;
        VirtualProtect(addr, copyBytes.size(), PAGE_EXECUTE_READWRITE, &oldProc);
        memset(addr, 0x90, copyBytes.size());
        *addr = 0xE9;
        *(DWORD*)(addr + 1) = jmpHookBytes;
        // NOTE(review): lpflOldProtect is passed as 0 here; Win32 documents
        // VirtualProtect as failing when that pointer is NULL, so the page
        // presumably stays RWX - confirm the restore actually takes effect.
        VirtualProtect(addr, copyBytes.size(), oldProc, 0);
      }
      else
      {
        printf("脱钩\n");
        // Disable: put the original bytes back verbatim.
        DWORD oldProc;
        VirtualProtect(addr, copyBytes.size(), PAGE_EXECUTE_READWRITE, &oldProc);
        memcpy_s(addr, copyBytes.size(), copyBytes.data(), copyBytes.size());
        VirtualProtect(addr, copyBytes.size(), oldProc, 0); // same NULL lpflOldProtect caveat as above
      }
    }
    Sleep(10);
  }

  // NOTE(review): the trampoline is released unconditionally. If F12 is
  // pressed while bEnable is still true, `addr` keeps jumping into freed
  // memory; the original bytes should be restored first.
  VirtualFree(newHook, 0, MEM_RELEASE);
  gc.closeConsole(f);
  FreeLibraryAndExitThread(hModule, 0);
  return 0; // unreachable: FreeLibraryAndExitThread does not return
}

/// DLL entry point. On DLL_PROCESS_ATTACH it hands the real work to MyThread
/// on a new thread and closes the thread handle immediately (the thread keeps
/// running). Every other loader notification is ignored.
///
/// @param hModule            This DLL's module handle; forwarded to MyThread.
/// @param ul_reason_for_call Loader notification (DLL_PROCESS_ATTACH, ...).
/// @param lpReserved         Unused.
/// @return Always TRUE; the DLL never refuses to load.
///
/// NOTE(review): MyThread is declared as taking an HMODULE rather than the
/// LPVOID that LPTHREAD_START_ROUTINE expects; the cast below hides that
/// mismatch rather than resolving it.
BOOL APIENTRY DllMain(HMODULE hModule,
  DWORD  ul_reason_for_call,
  LPVOID lpReserved
)
{
  if (ul_reason_for_call == DLL_PROCESS_ATTACH)
  {
    HANDLE hThread = CreateThread(nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(MyThread), hModule, 0, nullptr);
    // The handle is not needed afterwards; closing it does not stop the thread.
    CloseHandle(hThread);
  }
  return TRUE;
}



原文地址:https://www.cnblogs.com/ajanuw/p/13618247.html

