[原创]内存注册机源码
发表于:
2015-5-14 21:00
不喜勿喷,用到了写了下,分享出来。
MyGetMemoryRegCode.h
#pragma once
#include <windows.h>
#define BUFFERCOUNT 0x100 // number of TCHAR elements allocated for the result buffer (the .cpp also passes this value as a byte count to memset/ReadProcessMemory, which is smaller than the element size when TCHAR is wchar_t)
#define REGCODEINREX (LPVOID)tagContext.Esi // register sampled once the target is parked at the break address; expands to a reference to a local named tagContext, so it is only usable inside a function that declares a CONTEXT of that name (Esi is an x86-only field)
MyGetMemoryRegCode.cpp
#include "MyGetMemoryRegCode.h"
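/************************************************************************
Function:  TCHAR* MyGetMemoryRegCode(TCHAR *pExeName, PVOID pCmdLine, DWORD dwAddr)
Purpose:   Start pExeName suspended, replace the two bytes at dwAddr with a
           two-byte self-jump (EB FE) so the main thread parks there, and
           once EIP reaches dwAddr copy BUFFERCOUNT bytes from the register
           selected by REGCODEINREX into the result buffer. The original two
           bytes are written back before returning, whether or not the read
           succeeded, so the target is never left spinning on the patch.
Param 1:   pExeName  path of the executable to launch (x86 target only: the
           code reads the Eip/Esi CONTEXT fields)
Param 2:   pCmdLine  command line, or NULL. It is passed to CreateProcess as
           a writable LPWSTR (the cast suggests a UNICODE build), so it must
           not point at a string literal.
Param 3:   dwAddr    address in the target at which the register is sampled
Returns:   on success a NUL-terminated buffer of BUFFERCOUNT TCHARs that the
           caller releases with delete[]; NULL on failure (the buffer is
           freed here), which is the contract the original header stated
           but the original body did not honour.
Notes:     GetThreadContext only yields a meaningful context for a suspended
           thread, so each poll suspends the thread around the call. If the
           target exits before reaching dwAddr the function returns NULL
           instead of polling forever.
************************************************************************/
TCHAR* MyGetMemoryRegCode(TCHAR *pExeName, PVOID pCmdLine, DWORD dwAddr)
{
    BOOL bRet = FALSE;
    BOOL bPatched = FALSE;      // set once the self-jump has been written into the target
    BOOL bSuspended = FALSE;    // set while this function holds a SuspendThread count
    STARTUPINFO tagStartupInfoa = { 0 };
    PROCESS_INFORMATION tagProcInfo = { 0 };
    CONTEXT tagContext = { 0 };
    TCHAR *pRegCode = new TCHAR[BUFFERCOUNT];
    WORD wReadBuf = 0;          // the two original bytes at dwAddr, restored on exit
    WORD wHookByte = 0xFEEB;    // little-endian "EB FE": jmp $, parks the thread in place

    tagStartupInfoa.cb = sizeof(STARTUPINFO);
    // Zero the whole allocation (BUFFERCOUNT elements, not bytes) so the
    // result is NUL-terminated even when TCHAR is two bytes wide.
    memset(pRegCode, 0, BUFFERCOUNT * sizeof(TCHAR));

    bRet = ::CreateProcess(pExeName, (LPWSTR)pCmdLine, NULL, NULL, FALSE,
        CREATE_SUSPENDED, NULL, NULL, &tagStartupInfoa, &tagProcInfo);
    if (bRet == FALSE)
    {
        goto EXIT_FUN;
    }

    // Keep a copy of the original bytes so the patch can be undone.
    bRet = ::ReadProcessMemory(tagProcInfo.hProcess,
        (PVOID)dwAddr, &wReadBuf, 2, NULL);
    if (bRet == FALSE)
    {
        ::OutputDebugString(TEXT("读取进程内存失败,请检查是否错误."));
        goto EXIT_FUN;
    }
    bRet = ::WriteProcessMemory(tagProcInfo.hProcess,
        (LPVOID)dwAddr, &wHookByte, 2, NULL);
    if (bRet == FALSE)
    {
        ::OutputDebugString(TEXT("写入进程内存失败,请检查是否错误."));
        goto EXIT_FUN;
    }
    bPatched = TRUE;
    ::ResumeThread(tagProcInfo.hThread);

    tagContext.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS;
    while (true)
    {
        // Bail out if the target has already exited; without this check the
        // poll loop never terminates.
        if (::WaitForSingleObject(tagProcInfo.hProcess, 0) == WAIT_OBJECT_0)
        {
            ::OutputDebugString(TEXT("target process exited before reaching dwAddr"));
            bRet = FALSE;
            goto EXIT_FUN;
        }
        // The context of a running thread is not reliable; suspend first.
        if (::SuspendThread(tagProcInfo.hThread) == (DWORD)-1)
        {
            bRet = FALSE;
            goto EXIT_FUN;
        }
        bSuspended = TRUE;
        bRet = ::GetThreadContext(tagProcInfo.hThread, &tagContext);
        if (bRet == FALSE)
        {
            goto EXIT_FUN;
        }
        if (tagContext.Eip == dwAddr)
        {
            // Thread is parked on the self-jump: sample the register now.
            // The read length is BUFFERCOUNT bytes, as in the original, which
            // always fits inside the BUFFERCOUNT-element allocation.
            bRet = ::ReadProcessMemory(tagProcInfo.hProcess,
                REGCODEINREX,
                pRegCode, BUFFERCOUNT, NULL);
            if (bRet == FALSE)
            {
                ::OutputDebugString(TEXT("恢复异常,请检查是否错误."));
            }
            // A full-width read can overwrite every element, so terminate
            // explicitly regardless of what the target memory contained.
            pRegCode[BUFFERCOUNT - 1] = 0;
            goto EXIT_FUN;
        }
        ::ResumeThread(tagProcInfo.hThread);
        bSuspended = FALSE;
        ::Sleep(1);     // do not hard-spin while the target is still on its way to dwAddr
    }
EXIT_FUN:
    // Once the patch is in, always put the original bytes back, even on the
    // failure paths, so the target does not stay stuck on the self-jump.
    if (bPatched)
    {
        if (::WriteProcessMemory(tagProcInfo.hProcess, (LPVOID)dwAddr,
            &wReadBuf, 2, NULL) == FALSE)
        {
            bRet = FALSE;
        }
    }
    if (bSuspended)
    {
        ::ResumeThread(tagProcInfo.hThread);
    }
    if (tagProcInfo.hThread != NULL)
    {
        ::CloseHandle(tagProcInfo.hThread);
        tagProcInfo.hThread = NULL;   // the original cleared dwThreadId here by mistake
    }
    if (tagProcInfo.hProcess != NULL)
    {
        ::CloseHandle(tagProcInfo.hProcess);
        tagProcInfo.hProcess = NULL;
    }
    if (bRet == FALSE)
    {
        delete[] pRegCode;  // honour the documented NULL-on-failure contract instead of leaking
        return NULL;
    }
    return pRegCode;
}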