最近无聊,在研究外挂的F12呼出窗口的原理,在对某一款外挂进行分析后,按这个外挂的思路,也实现了F12呼出窗口的功能,特出来分享一下;
本人也只是刚研究C++编程,大神请飘过,莫笑哦……
首先新建一个MFC规则DLL,在这个DLL中插入一个对话框资源,对话框什么样子,你们自己可心着画呗;废话不多说,直接上代码:
// wgdll.cpp : Defines the initialization routines for the DLL.
//
#include "stdafx.h"
#include "wgdll.h"
#include "DLLDLG.h"
#include <WinInet.h>
#include "string"
using namespace std;
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Module-wide state shared by the hook functions below.
HHOOK g_hhook=NULL;        // handle of the keyboard hook this module currently holds; NULL when none
CDLLDLG *pCWndWGMain;      // modeless dialog created on first showdlg(); static storage, so NULL until then
BOOL ishook=FALSE;         // TRUE once this process has hooked its own thread (set in KeyboardProc)
HMODULE hmod=NULL;         // this DLL's instance handle, assigned in InitInstance; not read elsewhere in this file
//
// Note!
//
// If this DLL is dynamically linked against the MFC
// DLLs, any functions exported from this DLL which
// call into MFC must have the AFX_MANAGE_STATE macro
// added at the very beginning of the function.
//
// For example:
//
// extern "C" BOOL PASCAL EXPORT ExportedFunction()
// {
// AFX_MANAGE_STATE(AfxGetStaticModuleState());
// // normal function body here
// }
//
// It is very important that this macro appear in each
// function, prior to any calls into MFC. This means that
// it must appear as the first statement within the
// function, even before any object variable declarations
// as their constructors may generate calls into the MFC
// DLL.
//
// Please see MFC Technical Notes 33 and 58 for additional
// details.
//
/////////////////////////////////////////////////////////////////////////////
// CWgdllApp
// ClassWizard-maintained message map for the DLL's CWinApp object; no handlers are mapped.
BEGIN_MESSAGE_MAP(CWgdllApp, CWinApp)
	//{{AFX_MSG_MAP(CWgdllApp)
	// NOTE - the ClassWizard will add and remove mapping macros here.
	// DO NOT EDIT what you see in these blocks of generated code!
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CWgdllApp construction
// Default constructor; deliberately empty (wizard-generated). Module state is set up in InitInstance.
CWgdllApp::CWgdllApp()
{
	// TODO: add construction code here,
	// Place all significant initialization in InitInstance
}
/////////////////////////////////////////////////////////////////////////////
// The one and only CWgdllApp object
// The one and only CWgdllApp object for this module.
CWgdllApp theApp;
// Everything below this point is the author's own code (the code above is wizard-generated).
// Forward declaration: the hook procedure is defined after the helpers that pass it to SetWindowsHookEx.
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam);
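// Exported entry point: installs a WH_KEYBOARD hook on the thread that owns the window
// titled "PEiD v0.95", passing this DLL's module handle so KeyboardProc runs in that thread.
// Returns TRUE only when a new hook was installed; FALSE if a hook already exists
// (g_hhook != NULL), the window is not found, or SetWindowsHookEx fails.
BOOL installhook()
{
	// Exported function that calls into MFC (AfxMessageBox): the module-state switch
	// must be the first statement, as the note at the top of this file requires.
	AFX_MANAGE_STATE(AfxGetStaticModuleState());
	if (g_hhook != NULL)
		return FALSE;                                   // never install a second hook
	HMODULE hmod2=::GetModuleHandle(L"wgdll.dll");     // this DLL's module handle (NULL if named differently)
	HWND gameh=FindWindow(NULL,L"PEiD v0.95");         // locate the target window by title
	if (gameh==NULL)
	{
		AfxMessageBox(L"未找到游戏",MB_OK,NULL);          // report "target not found"
		// Stop here. The original fell through with gameh == NULL, so
		// GetWindowThreadProcessId returned 0 and SetWindowsHookEx was called with
		// dwThreadId == 0, which installs the hook system-wide instead of on one thread.
		return FALSE;
	}
	DWORD tid=::GetWindowThreadProcessId(gameh,NULL);   // thread that owns the window
	if (tid==0)
		return FALSE;                                   // window went away between FindWindow and here
	g_hhook=::SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)KeyboardProc,hmod2,tid);   // thread-scoped hook
	return g_hhook != NULL;
}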
// Exported entry point: hooks keyboard input of the calling thread only (hMod NULL,
// thread = current). Returns TRUE when a hook was newly installed; FALSE if one already
// exists in this process (g_hhook != NULL) or SetWindowsHookEx fails.
BOOL selfhook()
{
	if (g_hhook != NULL)
		return FALSE;
	const DWORD currentThread = GetCurrentThreadId();
	g_hhook = ::SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, NULL, currentThread);
	return g_hhook != NULL;
}
// Exported entry point: removes whatever hook g_hhook refers to and clears the handle.
// Returns the result of UnhookWindowsHookEx (FALSE when g_hhook was already NULL).
BOOL uninstallhook()
{
	const HHOOK previous = g_hhook;
	g_hhook = NULL;                         // clear first; the two steps are independent
	return ::UnhookWindowsHookEx(previous);
}
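// Shows the dialog, creating it modelessly on first use with the current foreground
// window as parent. Returns TRUE when the dialog is shown, FALSE if creation failed.
// The CDLLDLG object is kept in pCWndWGMain for the life of the process and is never freed here.
BOOL showdlg()
{
	AFX_MANAGE_STATE(AfxGetStaticModuleState());   // must precede any MFC call
	if (pCWndWGMain==NULL)
	{
		CWnd *pCWnd = CWnd::GetForegroundWindow();  // parent for the new dialog
		pCWndWGMain=new CDLLDLG;
		if (!pCWndWGMain->Create(IDD_DLG,pCWnd))
		{
			// The original ignored this failure and called ShowWindow on a CDLLDLG
			// without a window; release the object and report the failure instead.
			delete pCWndWGMain;
			pCWndWGMain=NULL;
			return FALSE;
		}
	}
	pCWndWGMain->ShowWindow(SW_SHOW);
	return TRUE;
}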
// WH_KEYBOARD hook procedure. Shows the dialog when F12 is released; every call is
// forwarded to CallNextHookEx so the rest of the hook chain still runs.
// nCode  : hook code; only HC_ACTION is acted on.
// wParam : virtual-key code of the key.
// lParam : key-state flags; bit 31 is the transition state (1 = key is being released).
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	// Bring up the dialog when F12 is released.
	AFX_MANAGE_STATE(AfxGetStaticModuleState());
	// NOTE(review): `1 << 31` shifts into the sign bit of a 32-bit int; MSVC yields INT_MIN
	// and the mask works, but `1u << 31` (0x80000000) would be the portable spelling.
	BOOL bKeyUp = lParam & (1 << 31);
	if (bKeyUp && wParam == VK_F12 && nCode == HC_ACTION)
	{
		if(ishook)
		{
			showdlg();
		}else
		{
			// First F12 in this process. LoadLibrary is presumably here to raise this DLL's
			// reference count so it stays mapped once the thread hook is gone — confirm;
			// the original comment only warns that this absolute Debug path must be edited
			// to wherever the DLL actually lives. Then the process hooks its own thread
			// (selfhook) and records that in ishook so this branch runs once.
			LoadLibrary(L"F:\\study\\c++\\wgdll\\Debug\\wgdll.dll");
			selfhook();
			ishook=true;
			showdlg();
		}
	}
	return ::CallNextHookEx(g_hhook, nCode, wParam ,lParam);
}
// Records the DLL's instance handle in the global hmod, then defers to CWinApp::InitInstance.
BOOL CWgdllApp::InitInstance()
{
	hmod = m_hInstance;            // remembered for later use by the module
	const BOOL baseResult = CWinApp::InitInstance();
	return baseResult;
}
另外,对话框的CPP文件如下:
// DLLDLG.cpp : implementation file
//
#include "stdafx.h"
#include "wgdll.h"
#include "DLLDLG.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CDLLDLG dialog
// Constructs the dialog for resource CDLLDLG::IDD; the three DDX-bound members start at 0.
// pParent: parent window handed to CDialog (defaults to NULL).
CDLLDLG::CDLLDLG(CWnd* pParent /*=NULL*/)
	: CDialog(CDLLDLG::IDD, pParent)
{
	//{{AFX_DATA_INIT(CDLLDLG)
	m_edit1 = 0;   // bound to IDC_EDIT1..IDC_EDIT3 in DoDataExchange
	m_edit2 = 0;
	m_edit3 = 0;
	//}}AFX_DATA_INIT
}
// DDX: moves m_edit1..m_edit3 to or from the IDC_EDIT1..IDC_EDIT3 controls;
// pDX decides the direction (save or load) as with any MFC dialog.
void CDLLDLG::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CDLLDLG)
	DDX_Text(pDX, IDC_EDIT1, m_edit1);
	DDX_Text(pDX, IDC_EDIT2, m_edit2);
	DDX_Text(pDX, IDC_EDIT3, m_edit3);
	//}}AFX_DATA_MAP
}
// Message map: routes clicks on IDC_BUTTON1 to OnButton1.
BEGIN_MESSAGE_MAP(CDLLDLG, CDialog)
	//{{AFX_MSG_MAP(CDLLDLG)
	ON_BN_CLICKED(IDC_BUTTON1, OnButton1)
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDLLDLG message handlers
// Click handler for IDC_BUTTON1 (see the message map); left empty in the posted code.
void CDLLDLG::OnButton1()
{
	// TODO: Add your control notification handler code here
}
还有DEF文件,定义DLL导出函数的:
; wgdll.def : Declares the module parameters for the DLL.
LIBRARY "wgdll"
EXPORTS
	; Explicit exports can go here
	; The three names below are the DLL's public entry points (defined in wgdll.cpp).
	; A ';' starts a comment in a .def file, so the trailing semicolons are harmless.
	installhook;
	uninstallhook;
	selfhook;
使用的时候,只要用你的EXE文件导入这个DLL模块,调用这个DLL文件里的installhook函数,就可以对目标进程安装线程键盘钩子,在目标进程按F12,就会弹出所谓的外挂窗口;