26 楼
// Pre-compute the debuggee-side addresses of the routines that are later
// copied as one 0x300-byte region starting at HookGetProcAddress (see the
// WriteProcessMemory call to dwProcAddrEntry). Each address is the local one
// shifted by the same delta: (local - HookGetProcAddress) + dwProcAddrEntry.
// NOTE(review): this relies on the compiler/linker placing RecordCallProc and
// LocalGetProcAddress1 after HookGetProcAddress and within 0x300 bytes of it;
// nothing here enforces that, so confirm the layout after any build change.
// dwExternData[0] = debuggee address of RecordCallProc
dwExternData[0] = (DWORD)RecordCallProc - (DWORD)HookGetProcAddress + (DWORD)dwProcAddrEntry;
// dwExternData[1] = debuggee address of HookGetProcAddress (base of the copy)
dwExternData[1] = (DWORD)dwProcAddrEntry;
// dwExternData[2] = running count of resolved APIs, starts at zero
// (HookGetProcAddress's placeholder 0x12345678 is later patched to this slot)
dwExternData[2] = 0;
// dwExternData[7] = debuggee address of LocalGetProcAddress1
dwExternData[7] = (DWORD)LocalGetProcAddress1 - (DWORD)HookGetProcAddress + (DWORD)dwProcAddrEntry;
这段代码就是初始化几个变量,为后面的修正做准备
27 楼
// Patch the indirect-jump operands of the two local trampolines so that, once
// copied into the debuggee, they jump through slots of the dwExternData copy
// at pMyAllocMemory. This presumes MSVC encodes `jmp [mem]` as FF 25 <disp32>,
// which puts the 4-byte displacement at +2 in LocalGetProcAddress; the leading
// 1-byte `pop ebp` of LocalGetProcAddress1 shifts its operand to +3.
// NOTE(review): these stores write into the debugger's own code section, which
// is read-only by default; whatever makes it writable is not in this excerpt.
// +2: jump through pMyAllocMemory + 28 (= dwExternData[7] -> LocalGetProcAddress1)
* (DWORD *)((BYTE *)LocalGetProcAddress + 2) = (DWORD)((BYTE *)pMyAllocMemory + 28);
// +3: jump through pMyAllocMemory + 4 (= dwExternData[1] -> HookGetProcAddress)
* (DWORD *)((BYTE *)LocalGetProcAddress1 + 3) = (DWORD)((BYTE *)pMyAllocMemory + 4);
// Trampoline copied into the debuggee together with HookGetProcAddress.
// `jmp [pMyAllocMemory]` is only a placeholder: before the copy its 4-byte
// operand at offset +3 is rewritten to point at dwExternData[1], so the jump
// lands in the debuggee's copy of HookGetProcAddress.
// NOTE(review): the byte layout is load-bearing - adding or reordering any
// instruction moves the +3 operand and silently breaks that patch. What the
// `pop ebp` balances is not visible in this excerpt; confirm against the
// caller's stack state before changing it.
__declspec(naked) void LocalGetProcAddress1()
{
__asm{
pop ebp;
jmp [pMyAllocMemory];
}
}
//* (DWORD *)((BYTE *)LocalGetProcAddress1 + 3) = (DWORD)((BYTE *)pMyAllocMemory + 4);就是把jmp [pMyAllocMemory];修正成jmp HookGetProcAddress;
28 楼
// 7-byte stub (presumably FF 25 <disp32> 90) that is written over the first
// bytes of the debuggee's GetProcAddress (see the WriteProcessMemory call with
// length 7). The operand at +2 is rewritten before the copy to point at
// dwExternData[7], so the debuggee's GetProcAddress calls are redirected
// through LocalGetProcAddress1. The nop pads the stub to 7 bytes.
// NOTE(review): overwriting an exported function's prologue is an inline hook;
// it is exactly what integrity checks that compare in-memory code with the
// on-disk image report, and this excerpt shows nothing that saves or restores
// the original bytes on detach.
__declspec(naked) void LocalGetProcAddress()
{
__asm{
jmp [pMyAllocMemory];
nop;
}
}
同理
//* (DWORD *)((BYTE *)LocalGetProcAddress + 2) = (DWORD)((BYTE *)pMyAllocMemory + 28);就是把jmp [pMyAllocMemory];修正成dwExternData[7] 也就是jmp LocalGetProcAddress1
29 楼
// Patch HookProc's `call [pMyAllocMemory]` (operand at +0x0f) so the copied
// stub calls through dwExternData[0], i.e. the debuggee's RecordCallProc.
// NOTE(review): +0x0f is tied to HookProc's exact encoding, like the +2/+3
// trampoline patches; re-verify it after any compiler or option change.
* (DWORD *)((DWORD)HookProc + 0x0f) = (DWORD)pMyAllocMemory;
这句是修正HookProc 中的call [pMyAllocMemory];使它变成call dwExternData[0]也就是call RecordCallProc
30 楼
// Lay out the per-API stub table in the debuggee: 1000 slots of
// SIZEOF_API_ARRAY bytes starting at dwExternData[5], each seeded with the
// 0x2c-byte HookProc stub patched above.
// NOTE(review): only the BOOL result is checked; dwWrite is never compared
// with 0x2c, so a short write would go unnoticed. The 1000 and 0x2c constants
// recur elsewhere (VirtualAllocEx size) and would be safer as named constants.
// SIZEOF_API_ARRAY is defined outside this excerpt.
dwAddress = dwExternData[5];
for (i = 0;i < 1000;i ++)
{
if (!WriteProcessMemory(hProcess,(LPVOID)dwAddress,HookProc,0x2c,&dwWrite))
{
MessageBox(NULL,"无法注入内存","",MB_OK);
return;
}
dwAddress += SIZEOF_API_ARRAY;
}
初始化IAT表,支持1000个API,并将修正好的HookProc复制进去(每个API都给一份,方便)
31 楼
// Base of the per-API stub table; dwExternData[5] holds the VirtualAllocEx result.
dwAddress = dwExternData[5];
这句中的dwExternData[5] 的来源:
// Reserve the stub table in the debuggee: 1000 slots of SIZEOF_API_ARRAY bytes.
// NOTE(review): the region is allocated PAGE_READWRITE, yet the HookProc stubs
// copied into it are executed by the debuggee; on a DEP-enforcing system that
// is an access violation, and writable memory that later executes is itself a
// common endpoint-detection signal. No NULL check of the result is visible in
// this excerpt before the address is used.
dwExternData[5] = (DWORD)VirtualAllocEx(hProcess,NULL,SIZEOF_API_ARRAY * 1000,MEM_COMMIT,PAGE_READWRITE);
32 楼
// Copy the initialised dwExternData table into the debuggee at pMyAllocMemory.
// NOTE(review): the byte count assumes dwExternData holds exactly 100 DWORDs
// (its declaration is not in this excerpt); `sizeof dwExternData` would keep
// the two in step automatically.
lpData = (BYTE*)dwExternData;
if (!WriteProcessMemory(hProcess,pMyAllocMemory,lpData,sizeof(DWORD) * 100,&dwWrite))
{
MessageBox(NULL,"无法注入内存1","",MB_OK);
return;
}
把初始化的dwExternData[100]复制到调试进程中去(pMyAllocMemory中)
33 楼
// Build the string table that RecordCallProc reads in the debuggee: six
// NUL-terminated strings at fixed 100-byte slots of a 1000-byte buffer, then
// copy the whole buffer to lpszStringBuffer.
// NOTE(review): strcpy is unbounded; the literals fit today, but a longer
// string would silently spill into the next slot. `snprintf(slot, 100, "%s", …)`
// (or a check of strlen < 100) would make that a detectable failure. The log
// path and buffer size are hard-coded.
memset(szStringBuffer,0,1000);
strcpy(szStringBuffer,"kernel32.dll");
strcpy(szStringBuffer + 100,"CreateFileA");
strcpy(szStringBuffer + 200,"WriteFile");
strcpy(szStringBuffer + 300,"e:\\log_files\\logfile.dat");
strcpy(szStringBuffer + 400,"CloseHandle");
strcpy(szStringBuffer + 500,"SetFilePointer");
if (!WriteProcessMemory(hProcess,lpszStringBuffer,szStringBuffer,1000,&dwWrite))
{
MessageBox(NULL,"无法注入内存11","",MB_OK);
return;
}
初始化这些字符串,是为了在RecordCallProc中使用
34 楼
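/**
 * Scan the first 300 bytes of a code region for a 4-byte placeholder value and
 * overwrite every occurrence with dwSetData.
 *
 * @param pbSearchData  start of the region to scan; it must be writable (here
 *                      it is the debugger's own copy of the routine being
 *                      patched before it is copied into the debuggee)
 * @param dwSearchData  placeholder value to look for; compared at every byte
 *                      offset, not only at aligned ones
 * @param dwSetData     value written in place of each match
 * @return byte offset of the last match, or 0 when nothing matched. Callers
 *         treat 0 as failure, so a match at offset 0 cannot be reported; this
 *         is kept as-is for compatibility with the existing call sites.
 *
 * Changes from the original: the scan stops at the last offset where a whole
 * DWORD still lies inside the 300-byte window (the original compared at
 * offsets 297..299 and so read up to three bytes past the window), and the
 * unaligned load/store goes through memcpy instead of a `*(DWORD *)` cast.
 */
BOOL SearchAndSet(BYTE * pbSearchData,DWORD dwSearchData,DWORD dwSetData)
{
	const size_t cbWindow = 300;
	size_t iLastMatch = 0;
	/* i + sizeof(DWORD) <= cbWindow keeps every 4-byte read inside the window */
	for (size_t i = 0; i + sizeof(DWORD) <= cbWindow; i++)
	{
		DWORD dwCur;
		memcpy(&dwCur, pbSearchData + i, sizeof dwCur);
		if (dwCur == dwSearchData)
		{
			iLastMatch = i;
			memcpy(pbSearchData + i, &dwSetData, sizeof dwSetData);
		}
	}
	return (BOOL)iLastMatch;
}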
就是在参数1中搜索指定值(参数2),找到后用参数3替换掉
35 楼
// Replace the six string placeholders embedded in RecordCallProc with the
// debuggee addresses of the matching 100-byte slots of lpszStringBuffer (the
// slot order mirrors the strcpy sequence that fills szStringBuffer).
// NOTE(review): a placeholder that is missing - or, because SearchAndSet
// reports the offset of the last hit, one that happens to sit at offset 0 -
// makes the whole sequence return silently with no message, unlike the
// WriteProcessMemory failures. A table of {placeholder, slot offset} pairs
// and one loop would shorten this and let the failing placeholder be named.
bRet = SearchAndSet((BYTE *)RecordCallProc,0x45678123,(DWORD)lpszStringBuffer);
if (!bRet)
return;
bRet = SearchAndSet((BYTE *)RecordCallProc,0x56781234,(DWORD)lpszStringBuffer + 100);
if (!bRet)
return;
bRet = SearchAndSet((BYTE *)RecordCallProc,0x67812345,(DWORD)lpszStringBuffer + 200);
if (!bRet)
return;
bRet = SearchAndSet((BYTE *)RecordCallProc,0x78123456,(DWORD)lpszStringBuffer + 300);
if (!bRet)
return;
bRet = SearchAndSet((BYTE *)RecordCallProc,0x81234567,(DWORD)lpszStringBuffer + 400);
if (!bRet)
return;
bRet = SearchAndSet((BYTE *)RecordCallProc,0x91234567,(DWORD)lpszStringBuffer + 500);
if (!bRet)
return;
这个就是替换成字符串的,这里不说了
36 楼
// Point HookGetProcAddress's placeholder at dwExternData[2] in the debuggee
// (pMyAllocMemory + 8 = slot 2 of the DWORD table): the counter of resolved
// APIs, which the table initialisation sets to zero.
bRet = SearchAndSet((BYTE *)HookGetProcAddress,0x12345678,(DWORD)pMyAllocMemory + 8);
if (!bRet)
return;
替换成 pMyAllocMemory + 8,也就是dwExternData[2],初始化为0,它是存放获取的API个数
37 楼
// Replace HookGetProcAddress's placeholder with the debuggee address of
// OldGetProcAddress, relocated by the same delta as the other copied routines
// (so OldGetProcAddress is presumably inside the 0x300-byte region as well).
bRet = SearchAndSet((BYTE *)HookGetProcAddress,0x23456781,(DWORD)OldGetProcAddress - (DWORD)HookGetProcAddress + dwProcAddrEntry);
if (!bRet)
return;
这是替换成OldGetProcAddress 在调试进程中的地址
// Same relocation of OldGetProcAddress, this time inside RecordCallProc.
// NOTE(review): the placeholder here is 0x7C80AE40 rather than one of the
// synthetic values used elsewhere; it looks like a real kernel32 address from
// one particular Windows build. Confirm it is only ever a placeholder, since a
// genuine code/data sequence with the same bytes would be patched too.
bRet = SearchAndSet((BYTE *)RecordCallProc,0x7C80AE40,(DWORD)OldGetProcAddress - (DWORD)HookGetProcAddress + dwProcAddrEntry);
if (!bRet)
return;
功能同上
38 楼
// Copy the patched routines - HookGetProcAddress and whatever follows it in
// the local image (RecordCallProc, LocalGetProcAddress1 and presumably
// OldGetProcAddress) - as one 0x300-byte region into the debuggee at
// dwProcAddrEntry.
// NOTE(review): 0x300 is a fixed guess at the combined size; a different
// layout truncates the copy or reads past the routines. How dwProcAddrEntry
// was allocated, and whether it is executable, is not in this excerpt.
if (!WriteProcessMemory(hProcess,(LPVOID)dwProcAddrEntry,HookGetProcAddress,0x300,&dwWrite))
{
MessageBox(NULL,"无法注入内存2","",MB_OK);
return;
}
在前面完成要注入的程序的修正后,就可以把程序复制到调试进程中了
39 楼
// Install the hook: overwrite the first 7 bytes of the debuggee's
// GetProcAddress (MyGetProcAddress) with the LocalGetProcAddress stub.
// NOTE(review): nothing in this excerpt saves the bytes being replaced, so the
// original prologue cannot be restored later. Whether 7 bytes ends on an
// instruction boundary depends on the target's prologue - confirm per
// kernel32 version, as a split instruction crashes the debuggee.
if (!WriteProcessMemory(hProcess,(LPVOID)MyGetProcAddress,LocalGetProcAddress,7,&dwWrite))
{
MessageBox(NULL,"无法注入内存3","",MB_OK);
return;
}
挂接 GetProcAddress
40 楼
Addtion.cpp中的代码,我下次再解释吧,今天就说到这
41 楼
后来想想,这个插件要是写成一个动态库要简单许多
42 楼
我这么好的贴,居然沉了。