04简单DLL注入游戏

Author: luguanxing

04简单DLL注入游戏/Injecter.cpp

@@ -0,0 +1,54 @@
+//
+//  04简单DLL注入游戏(注入器EXE部分)
+//  C/C++
+//
+//  Created by luguanxing.
+//  Copyright @2016 LGX. All rights reserved.
+//
+#include <windows.h>
+#include <string.h>
+#include <string>
+#include <iostream>
+using namespace std;
+
+HWND hwnd = NULL;
+DWORD processid = NULL;
+HANDLE hprocess = NULL;
+PVOID procdlladdr = NULL;
+
+char dllname[25] = "cheatDLL";
+char loadfunc[25] = "LoadLibraryA";
+FARPROC loadfuncaddr = NULL;
+HANDLE hfile;
+
+void getwindow() {
+    hwnd = ::FindWindow(NULL, "Super Mario XP");
+	if (hwnd == NULL)
+		MessageBox(NULL, "找不到游戏", "错误",  MB_OK);
+    GetWindowThreadProcessId(hwnd, &processid);
+    hprocess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processid);
+	if (hprocess == NULL)
+		MessageBox(NULL, "打开游戏失败", "错误", MB_OK);
+}
+
+
+void inject() {
+	int size = strlen(dllname)+5;
+	procdlladdr = ::VirtualAllocEx(hprocess, NULL, size, MEM_COMMIT, PAGE_READWRITE);	//向目标申请空间，得到新空间地址
+	if (procdlladdr == NULL)
+		MessageBox(NULL, "申请空间失败", "错误", MB_OK);
+	DWORD writenum;
+	::WriteProcessMemory(hprocess, procdlladdr, dllname, size, &writenum);	//向新空间写入要注入的DLL名称
+	loadfuncaddr = ::GetProcAddress(::GetModuleHandle("kernel32.dll"), loadfunc);	//获得LoadLibraryA的地址,在任何进程空间都一样
+	HANDLE hthread = ::CreateRemoteThread(hprocess, NULL, 0, (LPTHREAD_START_ROUTINE)loadfuncaddr, (LPVOID)procdlladdr, 0, NULL);
+	//新建线程执行LoadLibrary参数是已在目标进程新空间写入的DLL名称,注意这个函数在64位下无法成功
+	::WaitForSingleObject(hthread, INFINITE); 
+	::CloseHandle(hthread);
+	::CloseHandle(hprocess);
+}
+
+int main() {
+	getwindow();
+	inject();
+	return 0;
+}

04简单DLL注入游戏/cheatDLL.cpp

@@ -0,0 +1,51 @@
+//
+//  04简单DLL注入游戏(作弊模块DLL部分)
+//  C/C++
+//
+//  Created by luguanxing.
+//  Copyright @2016 LGX. All rights reserved.
+//
+#include <windows.h>
+#define Dllfunciton extern "C" __declspec(dllexport)	//以C方式导出
+
+Dllfunciton void lockdata();
+Dllfunciton DWORD WINAPI inject(LPVOID);
+
+void lockdata() {
+	while (true) {
+		DWORD hp = 10;
+		DWORD heart = 99;
+		DWORD life = 99;
+
+		DWORD addr = 0x00428282;
+		DWORD addr2 = 0x00428292;
+		DWORD addr3 = 0x004282a2;
+  
+		DWORD res = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr, &hp, 4, 0);	//写入自身修改游戏数据
+		DWORD res2 = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr2, &heart, 4, 0);
+		DWORD res3 = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr3, &life, 4, 0);
+
+		Sleep(1000);
+	}
+}
+
+DWORD WINAPI inject(LPVOID) {
+	lockdata();
+	return true;
+}
+
+BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
+	switch(ul_reason_for_call) {
+		case DLL_PROCESS_ATTACH: {
+			::DisableThreadLibraryCalls(hModule);	//创建线程包含死循环，为防卡死必须设置
+			CreateThread(NULL, 0, inject, NULL, 0, NULL);
+		}
+		break;
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+		case DLL_PROCESS_DETACH:
+			break;
+		default:;
+	}
+    return true;
+}