在任何人问之前,这里没有恶意。该项目仅用于教育和个人使用,最多被设计为“作弊引擎”或未来可能的反作弊机制。无意以任何恶意方式使用它。
我有以下 3 个项目的解决方案:
- 32 位 MFC 应用程序,允许用户选择要注入的进程
- 32 位 Win32 DLL 通过 VirtualAlloc + WriteProcessMemory + CreateRemoteThread + LoadLibrary 技术注入目标进程
- 用于测试何时发生本地注入的 32 位 Win32 控制台应用程序
在 DLL 中,我创建了以下一组函数:
////////////////
// Deceiver.h //
////////////////
#ifdef DECEIVED_EXPORTS
# define DECEIVED_API __declspec(dllexport)
#else
# define DECEIVED_API __declspec(dllimport)
#endif
volatile class DECEIVED_API CDeceived
{
public:
CDeceived(void);
virtual HANDLE WINAPI GetRunningProcess();
virtual DWORD WINAPI GetRunningProcessId();
virtual HANDLE WINAPI GetRunningThread();
virtual DWORD WINAPI GetRunningThreadId();
virtual LPVOID WINAPI Allocate(DWORD size);
virtual BOOL WINAPI Deallocate(LPVOID address, DWORD size);
virtual BOOL WINAPI Read(LPVOID address, LPVOID buffer, DWORD size);
virtual BOOL WINAPI Write(LPVOID address, LPVOID buffer, DWORD size);
virtual BOOL WINAPI ReadEx(HANDLE hProcess, LPVOID address, LPVOID buffer, DWORD size);
virtual BOOL WINAPI WriteEx(HANDLE hProcess, LPVOID address, LPVOID buffer, DWORD size);
WCHAR m_signature[10];
};
extern DECEIVED_API CDeceived* deceiver;
LPVOID DECEIVED_API WINAPI RemoteInitialize();
//////////////////
// Deceiver.cpp //
//////////////////
#include "stdafx.h"
#include "Deceived.h"
DECEIVED_API CDeceived* deceiver = NULL;
CDeceived::CDeceived()
{
memcpy(&m_signature[0], L"Deceived?\0", 10);
}
HANDLE WINAPI CDeceived::GetRunningProcess()
{
return GetCurrentProcess();
}
DWORD WINAPI CDeceived::GetRunningProcessId()
{
return GetCurrentProcessId();
}
HANDLE WINAPI CDeceived::GetRunningThread()
{
return GetCurrentThread();
}
DWORD WINAPI CDeceived::GetRunningThreadId()
{
return GetCurrentThreadId();
}
LPVOID WINAPI CDeceived::Allocate(DWORD size)
{
return VirtualAlloc(NULL, size, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
}
BOOL WINAPI CDeceived::Deallocate(LPVOID address, DWORD size)
{
return VirtualFree(address, size, MEM_RELEASE);
}
BOOL WINAPI CDeceived::Read(LPVOID address, LPVOID buffer, DWORD size)
{
DWORD dwBytesRead = 0;
BOOL bRet = ReadProcessMemory(GetCurrentProcess(), address, buffer, size, &dwBytesRead);
return bRet && (dwBytesRead > 0);
}
BOOL WINAPI CDeceived::Write(LPVOID address, LPVOID buffer, DWORD size)
{
DWORD dwBytesWritten = 0;
BOOL bRet = WriteProcessMemory(GetCurrentProcess(), address, buffer, size, &dwBytesWritten);
return bRet && (dwBytesWritten > 0);
}
BOOL WINAPI CDeceived::ReadEx(HANDLE hProcess, LPVOID address, LPVOID buffer, DWORD size)
{
DWORD dwBytesRead = 0;
BOOL bRet = ReadProcessMemory(hProcess, address, buffer, size, &dwBytesRead);
return bRet && (dwBytesRead > 0);
}
BOOL WINAPI CDeceived::WriteEx(HANDLE hProcess, LPVOID address, LPVOID buffer, DWORD size)
{
DWORD dwBytesWritten = 0;
BOOL bRet = WriteProcessMemory(hProcess, address, buffer, size, &dwBytesWritten);
return bRet && (dwBytesWritten > 0);
}
LPVOID DECEIVED_API WINAPI RemoteInitialize()
{
#ifdef _DEBUG
MessageBoxA(NULL, "Please attach a debugger", "Deceived::RemoteInitialize", MB_ICONINFORMATION);
#endif
if(deceiver != NULL) delete deceiver;
deceiver = new CDeceived();
LPVOID lpReturn = deceiver->Allocate(sizeof(deceiver));
if(lpReturn) {
deceiver->Write(lpReturn, &deceiver, sizeof(deceiver));
return lpReturn;
}
return NULL;
}
在 MFC 应用程序将 DLL 注入到控制台测试项目后...
它调用RemoteInitialize()来初始化远程类并将虚拟内存空间中的地址返回给调用者,然后将其本地化为CDeceived类的共享实例。以下是我的处理方式:
BOOL CDeceiverHook::Validate(LPVOID lpDeceivedAddress)
{
CDeceived *deceiver = new CDeceived();
BOOL bRet = deceiver->ReadEx(hProcess, lpDeceivedAddress, &m_deceived, sizeof(m_deceived));
int cmp = _wcsicmp(m_deceived->m_signature, L"Deceived?");
return bRet && (cmp == 0);
}
...但是本地化类指针似乎没有指向远程类指针,而是在它的虚拟表中保存了几个 NULL 指针,如果您尝试执行其中任何一个,则会导致访问冲突。
我可能应该注意到,我已经通过 OpenThreadToken、ImpersonateSelf 和 SetPrivilege 成功地为 MFC 应用程序提供了适当的调试权限。我是否还必须以某种方式将班级的地址锁定在内存中,也许?是volatile关键字不够用,还是在这里用错了?我需要做什么来检索由 DLL 分配的完全相同的指针?
提前致谢!任何有效的建议都将给予支持。