
Commit 1844257

committed
简单DLL劫持
1 parent 46b64f9 commit 1844257

8 files changed

+155
-0
lines changed


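--- a/05简单DLL劫持/cheatDLL.cpp
+++ b/05简单DLL劫持/cheatDLL.cpp
@@ -0,0 +1,51 @@
+//
+// 05简单DLL劫持(作弊模块DLL部分)
+// C/C++
+//
+// Created by luguanxing.
+// Copyright @2016 LGX. All rights reserved.
+//
+#include <windows.h>
+#define Dllfunciton extern "C" __declspec(dllexport) //以C方式导出
+
+Dllfunciton void lockdata();
+Dllfunciton DWORD WINAPI inject(LPVOID);
+
+void lockdata() {
+while (true) {
+DWORD hp = 10;
+DWORD heart = 99;
+DWORD life = 99;
+
+DWORD addr = 0x00428282;
+DWORD addr2 = 0x00428292;
+DWORD addr3 = 0x004282a2;
+
+DWORD res = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr, &hp, 4, 0); //写入自身修改游戏数据
+DWORD res2 = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr2, &heart, 4, 0);
+DWORD res3 = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr3, &life, 4, 0);
+
+Sleep(1000);
+}
+}
+
+DWORD WINAPI inject(LPVOID) {
+lockdata();
+return true;
+}
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
+switch(ul_reason_for_call) {
+case DLL_PROCESS_ATTACH: {
+::DisableThreadLibraryCalls(hModule); //创建线程包含死循环,为防卡死必须设置
+CreateThread(NULL, 0, inject, NULL, 0, NULL);
+}
+break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DETACH:
+break;
+default:;
+}
+return true;
+}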
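Review bot: The handle returned by `CreateThread` on line 41 is discarded, so the thread kernel object is never released; keep it and `CloseHandle` it, or close it in the `DLL_PROCESS_DETACH` branch. `lockdata` has no exit condition, so if the module is ever unloaded with `FreeLibrary` the thread keeps executing unmapped code; either document that the DLL must never be unloaded or give the loop a module-scope stop flag that `DLL_PROCESS_DETACH` sets. `res`, `res2` and `res3` on lines 24-26 are assigned but never read, and `inject` returns the bool `true` through a `DWORD`; check the results or drop the variables. Passing `INVALID_HANDLE_VALUE` as the process handle only works because it happens to have the same value as the current-process pseudo-handle; `GetCurrentProcess()` states the intent and should replace it in all three calls.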

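--- a/05简单DLL劫持/mylpk.cpp
+++ b/05简单DLL劫持/mylpk.cpp
@@ -0,0 +1,104 @@
+//
+// 05简单DLL劫持(自写LPK.DLL模块部分)
+// C/C++
+//
+// Created by luguanxing.
+// Copyright @2016 LGX. All rights reserved.
+//
+
+#include <windows.h>
+#include <stdlib.h>
+#define Dllfunciton extern "C" __declspec(dllexport) //以C方式导出
+
+#pragma comment(linker, "/EXPORT:LpkInitialize=_gamehacker_LpkInitialize,@1") //设置导出表
+#pragma comment(linker, "/EXPORT:LpkTabbedTextOut=_gamehacker_LpkTabbedTextOut,@2")
+#pragma comment(linker, "/EXPORT:LpkDllInitialize=_gamehacker_LpkDllInitialize,@3")
+#pragma comment(linker, "/EXPORT:LpkDrawTextEx=_gamehacker_LpkDrawTextEx,@4")
+#pragma comment(linker, "/EXPORT:LpkExtTextOut=_gamehacker_LpkExtTextOut,@6")
+#pragma comment(linker, "/EXPORT:LpkGetCharacterPlacement=_gamehacker_LpkGetCharacterPlacement,@7")
+#pragma comment(linker, "/EXPORT:LpkGetTextExtentExPoint=_gamehacker_LpkGetTextExtentExPoint,@8")
+#pragma comment(linker, "/EXPORT:LpkPSMTextOut=_gamehacker_LpkPSMTextOut,@9")
+#pragma comment(linker, "/EXPORT:LpkUseGDIWidthCache=_gamehacker_LpkUseGDIWidthCache,@10")
+#pragma comment(linker, "/EXPORT:ftsWordBreak=_gamehacker_ftsWordBreak,@11")
+
+char syslpk[250] = {0};
+HMODULE hmodule;
+FARPROC funcaddr = NULL;
+
+FARPROC WINAPI GetAddress(PCSTR pszProcName) { //从真正lpk.dll中找需要调用的真正函数地址
+funcaddr = GetProcAddress(hmodule, pszProcName);
+return funcaddr;
+}
+
+Dllfunciton gamehacker_LpkInitialize() { //找真正函数地址后跳转
+GetAddress("LpkInitialize");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkTabbedTextOut() {
+GetAddress("LpkTabbedTextOut");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkDllInitialize() {
+GetAddress("LpkDllInitialize");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkDrawTextEx() {
+GetAddress("LpkDrawTextEx");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkEditControl() {
+GetAddress("LpkEditControl");
+__asm jmp DWORD ptr [EAX];
+}
+
+Dllfunciton gamehacker_LpkExtTextOut() {
+GetAddress("LpkExtTextOut");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkGetCharacterPlacement() {
+GetAddress("LpkGetCharacterPlacement");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkGetTextExtentExPoint() {
+GetAddress("LpkGetTextExtentExPoint");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkPSMTextOut() {
+GetAddress("LpkPSMTextOut");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_LpkUseGDIWidthCache() {
+GetAddress("LpkUseGDIWidthCache");
+__asm JMP EAX;
+}
+
+Dllfunciton gamehacker_ftsWordBreak() {
+GetAddress("ftsWordBreak");
+__asm JMP EAX;
+}
+
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
+switch(ul_reason_for_call) {
+case DLL_PROCESS_ATTACH: {
+GetSystemDirectory(syslpk, 250);
+strcat(syslpk, "\\lpk");
+hmodule = LoadLibrary(syslpk); //加载真正系统lpk.dll
+::LoadLibrary("cheatDLL"); //加载作弊模块lpk.dll
+} break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DETACH:
+break;
+default:;
+}
+return true;
+}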
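Review bot: `strcat(syslpk, "\\lpk")` on line 93 appends into the 250-byte `syslpk` without looking at what `GetSystemDirectory` returned, and `MAX_PATH` is 260, so a failed call leaves the buffer empty and a long system directory overruns it; guard it with `UINT n = GetSystemDirectory(syslpk, sizeof syslpk); if (n == 0 || n + sizeof "\\lpk" > sizeof syslpk) return FALSE;` before the `strcat`. `GetAddress` never checks that `hmodule` is non-NULL or that `GetProcAddress` found the name, so every forwarder's `__asm JMP EAX` transfers control to address 0 when the lookup fails; the result should be tested and the failure reported before the jump. Both `LoadLibrary` calls on lines 94-95 run inside `DLL_PROCESS_ATTACH` under the loader lock, which the Win32 `DllMain` documentation lists as unsupported and a deadlock risk; at minimum the comment on line 94 should state that constraint. `gamehacker_LpkEditControl` on line 53 has no matching `/EXPORT` pragma and the ordinal list jumps from @4 to @6, so as committed it is unreachable dead code; either add the export line or remove the function, and note that its `jmp DWORD ptr [EAX]` differs from the other forwarders without a comment saying why.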

05简单DLL劫持/pictures/1.jpg

74.8 KB

05简单DLL劫持/pictures/2.jpg

84.2 KB

05简单DLL劫持/pictures/3.jpg

78.1 KB

05简单DLL劫持/pictures/4.jpg

113 KB

05简单DLL劫持/pictures/5.jpg

80.3 KB

05简单DLL劫持/pictures/6.jpg

77 KB