36.远程注入到入口点注入

2024-06-23 20:28
文章标签 36 注入 远程 入口

本文主要是介绍36.远程注入到入口点注入,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

免责声明:内容仅供学习参考,请合法利用知识,禁止进行违法犯罪活动!

如果看不懂、不知道现在做的什么,那就跟着做完看效果,代码看不懂是正常的,只要会抄就行,抄着抄着就能懂了

上一个内容:35.简易远程数据框架的实现

以 35.简易远程数据框架的实现 它的代码为基础进行的修改

通过远程线程获取游戏首地址,然后把首地址的代码改为跳转到辅助功能里。

首先关闭安全检测

添加了RemoteThreadProce函数,修改了CodeRemoteData、CreateRemoteData、OnNMDblclkList1函数,修改了_REMOTE_DATA结构

CWndINJ.cpp: 实现文件

#include "pch.h"
#include "GAMEHACKER2.h"
#include "CWndINJ.h"
#include "afxdialogex.h"#include <ImageHlp.h>
#include <fstream>
#pragma comment(lib, "ImageHlp.lib")//void _stdcall INJECTCode() {
//    AfxMessageBox(L"aa");
//    unsigned address = 0xCCCCCCCC;
//    PREMOTE_DATA p = (PREMOTE_DATA)address;
//    p->f_LoadLibrary(p->dllName);
//}// CWndINJ 对话框IMPLEMENT_DYNAMIC(CWndINJ, CDialogEx)CWndINJ::CWndINJ(CWnd* pParent /*=nullptr*/): CDialogEx(IDD_PAGE_0, pParent), B_INJCET(FALSE), B_DEBUG(FALSE), B_PAUSE(FALSE)
{}CWndINJ::~CWndINJ()
{
}BOOL CWndINJ::OnInitDialog()
{CDialogEx::OnInitDialog();LONG_PTR lStyle;// 得到窗口的样式,GWL_STYLE在GetWindowLongPtr说明中有lStyle = GetWindowLongPtr(ExeLst.m_hWnd, GWL_STYLE);lStyle |= LVS_REPORT;SetWindowLongPtr(ExeLst.m_hWnd, GWL_STYLE, lStyle);DWORD dStyle = ExeLst.GetExtendedStyle();dStyle |= LVS_EX_FULLROWSELECT;dStyle |= LVS_EX_GRIDLINES;ExeLst.SetExtendedStyle(dStyle);ExeLst.InsertColumn(0, L"名称", 0, 200);ExeLst.InsertColumn(1, L"可执行文件", 0, 400);ExeLst.InsertColumn(2, L"文件夹", 0, 400);ExeLst.InsertColumn(3, L"命令行", 0, 400);ExeLst.InsertColumn(4, L"注入模块", 0, 400);return 0;
}void CWndINJ::DoDataExchange(CDataExchange* pDX)
{CDialogEx::DoDataExchange(pDX);DDX_Control(pDX, IDC_LIST1, ExeLst);DDX_Check(pDX, IDC_CHECK1, B_INJCET);DDX_Check(pDX, IDC_CHECK2, B_DEBUG);DDX_Check(pDX, IDC_CHECK3, B_PAUSE);
}BEGIN_MESSAGE_MAP(CWndINJ, CDialogEx)ON_BN_CLICKED(IDC_BUTTON1, &CWndINJ::OnBnClickedButton1)ON_NOTIFY(NM_DBLCLK, IDC_LIST1, &CWndINJ::OnNMDblclkList1)ON_NOTIFY(LVN_ITEMCHANGED, IDC_LIST1, &CWndINJ::OnLvnItemchangedList1)
END_MESSAGE_MAP()// CWndINJ 消息处理程序void CWndINJ::OnBnClickedButton1()
{// TODO: 在此添加控件通知处理程序代码/*ExeLst.InsertItem(0, L"DNF");ExeLst.SetItemText(0, 1, L"dlls.dll");*/用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。//STARTUPINFO si{};//si.cb = sizeof(si);//PROCESS_INFORMATION prinfo{};//CreateProcess(L"C:\\Users\\am\\Desktop\\易道云\\游戏保护\\练手游戏\\初级\\JX2\\Sword2.exe",//    NULL,NULL,NULL,//    FALSE,//    // 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。//    CREATE_SUSPENDED,//    NULL,//    L"C:\\Users\\am\\Desktop\\易道云\\游戏保护\\练手游戏\\初级\\JX2\\",//    &si,//    &prinfo//    );///**//    注入功能写在这里(CreateProcess与ResumeThread函数之间)//*/让游戏继续运行//ResumeThread(prinfo.hThread);wndAddGame.Init(this);wndAddGame.DoModal();}void CWndINJ::Init(CString& _AppPath)
{AppPath = _AppPath;GameIni.Format(L"%s\\config\\Games.ini", AppPath);LoadGame();
}void CWndINJ::AddGame(CString& GameName, CString& GamePath, CString& GameFullPath, CString& GameCmds, CString& DllPath)
{int count = GetPrivateProfileInt(L"main", L"count", 0, GameIni);count++;CString key;key.Format(L"count_%d", count);WritePrivateProfileString(key, L"GameName", GameName, GameIni);WritePrivateProfileString(key, L"GamePath", GamePath, GameIni);WritePrivateProfileString(key, L"GameFullPath", GameFullPath, GameIni);WritePrivateProfileString(key, L"GameCmds", GameCmds, GameIni);WritePrivateProfileString(key, L"DllPath", DllPath, GameIni);CString wCount;wCount.Format(L"%d", count);WritePrivateProfileString(L"main", L"count", wCount, GameIni);int iCount = ExeLst.GetItemCount();ExeLst.InsertItem(iCount, GameName);ExeLst.SetItemText(iCount, 1, GamePath);ExeLst.SetItemText(iCount, 2, GameFullPath);ExeLst.SetItemText(iCount, 3, GameCmds);ExeLst.SetItemText(iCount, 4, DllPath);}void CWndINJ::LoadGame()
{int count = GetPrivateProfileInt(L"main", L"count", 0, GameIni);for (int i = 0; i < count; i++) {CString GameName, GameExe, GamePath, GameCmds, GameDlls, _AppName;_AppName.Format(L"count_%d", i+1);wchar_t wRead[0xFF];GetPrivateProfileString(_AppName, L"GameName", L"", wRead, 0xFF, GameIni);GameName.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GamePath", L"", wRead, 0xFF, GameIni);GameExe.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GameFullPath", L"", wRead, 0xFF, GameIni);GamePath.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"GameCmds", L"", wRead, 0xFF, GameIni);GameCmds.Format(L"%s", wRead);GetPrivateProfileString(_AppName, L"DllPath", L"", wRead, 0xFF, GameIni);GameDlls.Format(L"%s", wRead);ExeLst.InsertItem(i, GameName);ExeLst.SetItemText(i, 1,  GameExe);ExeLst.SetItemText(i, 2, GamePath);ExeLst.SetItemText(i, 3, GameCmds);ExeLst.SetItemText(i, 4, GameDlls);}
}void* _imageload(wchar_t* filename) {std::ifstream streamReader(filename, std::ios::binary);streamReader.seekg(0, std::ios::end);unsigned filesize = streamReader.tellg();char* _data = new char[filesize];streamReader.seekg(0, std::ios::beg);streamReader.read(_data, filesize);streamReader.close();return _data;
}void _unloadimage(void* _data) {delete[] _data;
}void CWndINJ::OnNMDblclkList1(NMHDR* pNMHDR, LRESULT* pResult)
{LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);// TODO: 在此添加控件通知处理程序代码*pResult = 0;int index = pNMItemActivate->iItem;if (index < 0)return;CString GamePath = ExeLst.GetItemText(index, 2);CString GameExe = ExeLst.GetItemText(index, 1);CString GameCmds = ExeLst.GetItemText(index, 3);CString GameDlls = ExeLst.GetItemText(index, 4);// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。// STARTUPINFO si{};// si.cb = sizeof(si);PROCESS_INFORMATION prinfo{};m_INJCET.StartProcess(GameExe, GamePath, GameCmds.GetBuffer(), &prinfo);m_INJCET.CreateRemoteData(prinfo.hProcess, GameExe, L"F:\\代码存放地\\c\\GAMEHACKER2\\Release\\Dlls.dll");//m_INJCET.CodeRemoteData(&_data);/**CreateProcess(GameExe,GameCmds.GetBuffer(),NULL,NULL,FALSE,// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,&prinfo);*//** 方式一调用apiCStringA GameExeA;GameExeA = GameExe;PLOADED_IMAGE image =  ImageLoad(GameExeA, NULL);DWORD dEntryPoint = image->FileHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);ImageUnload(image)*//** 方式二(要在32位环境下运行)void* image = _imageload(GameExe.GetBuffer());IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;unsigned PEAddress =  dosHeader->e_lfanew + (unsigned)image;IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);_unloadimage(image);*///LPVOID adrRemote = VirtualAllocEx(prinfo.hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//SIZE_T lwt;//WriteProcessMemory(prinfo.hProcess, adrRemote, INJECTCode, 0x200, &lwt);//CString wTxt;//wTxt.Format(L"%X", adrRemote);//AfxMessageBox(wTxt);// 让游戏继续运行//m_INJCET.CreateRemoteData(prinfo.hProcess, GameDlls.GetBuffer());// ResumeThread(prinfo.hThread);
}void CWndINJ::OnLvnItemchangedList1(NMHDR* pNMHDR, LRESULT* pResult)
{LPNMLISTVIEW pNMLV = reinterpret_cast<LPNMLISTVIEW>(pNMHDR);// TODO: 在此添加控件通知处理程序代码*pResult = 0;
}

INJCET.cpp文件代码:

#include "pch.h"
#include "INJCET.h"
#include <fstream>void _stdcall INJECTCode() {unsigned address = 0xCCCCCCCC;PREMOTE_DATA p = (PREMOTE_DATA)address;p->f_LoadLibrary(p->dllName);unsigned dEntry = p->EntryPoint;char* entryCode = (char*)p->EntryPoint;entryCode[0] = p->oldCode[0];entryCode[1] = p->oldCode[1];entryCode[2] = p->oldCode[2];entryCode[3] = p->oldCode[3];entryCode[4] = p->oldCode[4];_asm {mov eax, dEntryjmp eax}
}DWORD _stdcall RemoteThreadProce(PREMOTE_DATA p) {unsigned base = p->f_GetModuleHandleA(0);DWORD dRet;p->EntryPoint += base;p->f_VirtualProtect((LPVOID)p->EntryPoint, 0x1000, PAGE_EXECUTE_READWRITE, &dRet);char* entryCode = (char*)p->EntryPoint;p->oldCode[0] = entryCode[0];p->oldCode[1] = entryCode[1];p->oldCode[2] = entryCode[2];p->oldCode[3] = entryCode[3];p->oldCode[4] = entryCode[4];int* entryDis = (int*)(p->EntryPoint + 1);*entryCode = 0xE9;int Distance = p->HOOKFunction - p->EntryPoint - 5;*entryDis = Distance;return 1;
}BOOL INJCET::StartProcess(const wchar_t* GameExe, const wchar_t* GamePath, wchar_t* GameCmds, PROCESS_INFORMATION* LPinfo)
{// 用来指定创建时进程的主窗口的窗口工作站、桌面、标准句柄和外观。STARTUPINFO si{};si.cb = sizeof(si);CreateProcess(GameExe,GameCmds,NULL, NULL,FALSE,// 新进程的主线程处于挂起状态创建,在调用 ResumeThread 函数之前不会运行。CREATE_SUSPENDED,NULL,GamePath,&si,LPinfo);return TRUE;
}void* INJCET::ImageLoad(const wchar_t* filename) {std::ifstream streamReader(filename, std::ios::binary);streamReader.seekg(0, std::ios::end);unsigned filesize = streamReader.tellg();char* _data = new char[filesize];streamReader.seekg(0, std::ios::beg);streamReader.read(_data, filesize);streamReader.close();return _data;
}void INJCET::UnloadImage(void* _data) {delete[] _data;
}DWORD INJCET::GetEntryPoint(const wchar_t* filename)
{// 方式二(要在32位环境下运行根据游戏版本选择运行32还是64位的程序)void* image = ImageLoad(filename);IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)image;unsigned PEAddress = dosHeader->e_lfanew + (unsigned)image;IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)PEAddress;DWORD dEntryPoint = ntHeader->OptionalHeader.AddressOfEntryPoint;CString wTxt;wTxt.Format(L"%X", dEntryPoint);AfxMessageBox(wTxt);UnloadImage(image);return dEntryPoint;
}BOOL INJCET::CreateRemoteData(HANDLE hProcess, const wchar_t* GameExe, const wchar_t* dllName)
{LPVOID adrRemote = VirtualAllocEx(hProcess, 0, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);SIZE_T lwt;LPVOID adrRemoteData = (LPVOID)((unsigned)adrRemote + 0x2000);LPVOID adrRemoteProc= (LPVOID)((unsigned)adrRemote + 0x500);_REMOTE_DATA remoteData{};remoteData.EntryPoint = GetEntryPoint(GameExe);CodeRemoteData(&remoteData, dllName);WriteProcessMemory(hProcess, adrRemoteData, &remoteData, sizeof(remoteData), &lwt);char _code[0x200];memcpy(_code, INJECTCode, sizeof(_code));for (int i = 0; i < 0x100; i++) {unsigned* pcode = (unsigned*)(&_code[i]);if (pcode[0] == 0xCCCCCCCC) {pcode[0] = (unsigned)adrRemoteData;break;}}WriteProcessMemory(hProcess, adrRemote, _code, 0x200, &lwt);remoteData.HOOKFunction = (unsigned)adrRemote;WriteProcessMemory(hProcess, adrRemoteProc, RemoteThreadProce, 0x200, &lwt);CString wTxt;wTxt.Format(L"%X", adrRemote);AfxMessageBox(wTxt);DWORD dwThreadId = 0;HANDLE remotehdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemoteProc, adrRemoteData, 0, &dwThreadId);WaitForSingleObject(remotehdl, INFINITE);//DWORD dwThreadId = 0;//HANDLE remoteHdl = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)adrRemote, NULL, 0, &dwThreadId);//WaitForSingleObject(remoteHdl, INFINITE);return TRUE;
}void INJCET::CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName)
{short lenth;// 求长度for (lenth = 0; dllName[lenth]; lenth++);HMODULE hKernel = LoadLibrary(_T("kernel32.dll"));//_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");_data->f_LoadLibrary = (_LoadLibrary)GetProcAddress(hKernel, "LoadLibraryW");_data->f_GetModuleHandleA = (_GetModuleHandleA)GetProcAddress(hKernel, "GetModuleHandleA");_data->f_VirtualProtect = (_VirtualProtect)GetProcAddress(hKernel, "VirtualProtect");//LoadLibraryW// wchar两字节拷贝是一字节所以长度要成2memcpy(_data->dllName, dllName, (lenth + 1) * 2);/*CString  wTxt;wTxt.Format(L"%X", _data->f_LoadLibrary);AfxMessageBox(wTxt);*/
}

INJCET.h文件代码:

#pragma once
#include <Windows.h>typedef unsigned int (WINAPI* _LoadLibrary)(wchar_t* dllName);
typedef unsigned int (WINAPI* _GetModuleHandleA)(wchar_t* modName);
typedef int (WINAPI* _VirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);typedef struct _REMOTE_DATA {wchar_t dllName[0xFF]; // 要输入的dll文件路径unsigned EntryPoint;unsigned HOOKFunction;char oldCode[5];_LoadLibrary f_LoadLibrary;_GetModuleHandleA f_GetModuleHandleA;_VirtualProtect f_VirtualProtect;
}*PREMOTE_DATA;class INJCET
{
public:BOOL StartProcess(const wchar_t * GameExe,const wchar_t * GamePath,wchar_t * GameCmds,PROCESS_INFORMATION* LPinfo);void* ImageLoad(const wchar_t* filename);void UnloadImage(void* _data);DWORD GetEntryPoint(const wchar_t* filename);
public:BOOL CreateRemoteData(HANDLE hProcess, const wchar_t* GameExe, const wchar_t* dllName);void CodeRemoteData(PREMOTE_DATA _data, const wchar_t* dllName);
};

这篇关于36.远程注入到入口点注入的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1088185

相关文章

Python结合Flask框架构建一个简易的远程控制系统

《Python结合Flask框架构建一个简易的远程控制系统》这篇文章主要为大家详细介绍了如何使用Python与Flask框架构建一个简易的远程控制系统,能够远程执行操作命令(如关机、重启、锁屏等),还... 目录1.概述2.功能使用系统命令执行实时屏幕监控3. BUG修复过程1. Authorization

pycharm远程连接服务器运行pytorch的过程详解

《pycharm远程连接服务器运行pytorch的过程详解》:本文主要介绍在Linux环境下使用Anaconda管理不同版本的Python环境,并通过PyCharm远程连接服务器来运行PyTorc... 目录linux部署pytorch背景介绍Anaconda安装Linux安装pytorch虚拟环境安装cu

SpringBoot项目注入 traceId 追踪整个请求的日志链路(过程详解)

《SpringBoot项目注入traceId追踪整个请求的日志链路(过程详解)》本文介绍了如何在单体SpringBoot项目中通过手动实现过滤器或拦截器来注入traceId,以追踪整个请求的日志链... SpringBoot项目注入 traceId 来追踪整个请求的日志链路,有了 traceId, 我们在排

MobaXterm远程登录工具功能与应用小结

《MobaXterm远程登录工具功能与应用小结》MobaXterm是一款功能强大的远程终端软件,主要支持SSH登录,拥有多种远程协议,实现跨平台访问,它包括多会话管理、本地命令行执行、图形化界面集成和... 目录1. 远程终端软件概述1.1 远程终端软件的定义与用途1.2 远程终端软件的关键特性2. 支持的

VScode连接远程Linux服务器环境配置图文教程

《VScode连接远程Linux服务器环境配置图文教程》:本文主要介绍如何安装和配置VSCode,包括安装步骤、环境配置(如汉化包、远程SSH连接)、语言包安装(如C/C++插件)等,文中给出了详... 目录一、安装vscode二、环境配置1.中文汉化包2.安装remote-ssh,用于远程连接2.1安装2

SQL注入漏洞扫描之sqlmap详解

《SQL注入漏洞扫描之sqlmap详解》SQLMap是一款自动执行SQL注入的审计工具,支持多种SQL注入技术,包括布尔型盲注、时间型盲注、报错型注入、联合查询注入和堆叠查询注入... 目录what支持类型how---less-1为例1.检测网站是否存在sql注入漏洞的注入点2.列举可用数据库3.列举数据库

Xshell远程连接失败以及解决方案

《Xshell远程连接失败以及解决方案》本文介绍了在Windows11家庭版和CentOS系统中解决Xshell无法连接远程服务器问题的步骤,在Windows11家庭版中,需要通过设置添加SSH功能并... 目录一.问题描述二.原因分析及解决办法2.1添加ssh功能2.2 在Windows中开启ssh服务2

Python实现局域网远程控制电脑

《Python实现局域网远程控制电脑》这篇文章主要为大家详细介绍了如何利用Python编写一个工具,可以实现远程控制局域网电脑关机,重启,注销等功能,感兴趣的小伙伴可以参考一下... 目录1.简介2. 运行效果3. 1.0版本相关源码服务端server.py客户端client.py4. 2.0版本相关源码1

PHP防止SQL注入详解及防范

SQL 注入是PHP应用中最常见的漏洞之一。事实上令人惊奇的是,开发者要同时犯两个错误才会引发一个SQL注入漏洞。 一个是没有对输入的数据进行过滤(过滤输入),还有一个是没有对发送到数据库的数据进行转义(转义输出)。这两个重要的步骤缺一不可,需要同时加以特别关注以减少程序错误。 对于攻击者来说,进行SQL注入攻击需要思考和试验,对数据库方案进行有根有据的推理非常有必要(当然假设攻击者看不到你的

PHP防止SQL注入的方法(2)

如果用户输入的是直接插入到一个SQL语句中的查询,应用程序会很容易受到SQL注入,例如下面的例子: $unsafe_variable = $_POST['user_input'];mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')"); 这是因为用户可以输入类似VALUE”); DROP TA