#include<Windows.h>
#include <iostream>
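// Demonstration of the textbook "CreateRemoteThread + LoadLibraryA" DLL
// injection sequence from the 51hook training course:
//   FindWindowA -> GetWindowThreadProcessId -> OpenProcess -> VirtualAllocEx
//   -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA, <path>)
// This exact API chain (a foreign PID opened with PROCESS_ALL_ACCESS, a
// remote allocation written with a file path, then a remote thread whose
// start address is LoadLibraryA) is the canonical injection pattern that
// anti-cheat and EDR products monitor; the injected DLL's DllMain runs
// inside the game process with that process's privileges.
//
// Fixes relative to the original listing: the bare explanatory sentence
// before dllPath was not a comment and did not compile; every failure path
// leaked hProcess (and, after the allocation, the remote buffer); the wait
// timeout is spelled INFINITE instead of -1. Return value is 0 in all
// cases, as in the original.
int main()
{
    // The path is consumed by LoadLibraryA *inside the game process*, so it
    // must be absolute or resolvable from the game executable's directory.
    char dllPath[] = "I:/C++Project/51hook软件安全培训/133函数调用堆栈图/函数调用堆栈图/Release/167SwordPluginWindowDll.dll";
    int dllLen = sizeof(dllPath);   // includes the terminating NUL LoadLibraryA needs

    // All locals are declared before the first goto so the cleanup jumps do
    // not bypass any initialization (a hard error in C++).
    HWND hwnd = NULL;
    DWORD pid = 0;
    HANDLE hProcess = NULL;
    LPVOID lpBuff = NULL;
    DWORD realWrite = 0;
    BOOL success = FALSE;
    HANDLE hRemoteThread = NULL;

    // 1. Locate the game window by its title.
    hwnd = FindWindowA(NULL, "Sword2 Window");
    if (NULL == hwnd)
    {
        MessageBoxA(0, "游戏未运行!", "提示", MB_OK);
        return 0;
    }

    // 2. Resolve the owning process ID of that window.
    GetWindowThreadProcessId(hwnd, &pid);

    // 3. Open the process. PROCESS_ALL_ACCESS asks for more rights than this
    //    sequence uses; the call fails (or is blocked) under protected or
    //    higher-integrity targets.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (0 == hProcess)
    {
        MessageBoxA(0, "打开进程失败!", "提示", MB_OK);
        return 0;
    }

    // 4. Reserve a small committed, writable page in the target for the path.
    lpBuff = VirtualAllocEx(hProcess, 0, 0x100, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == lpBuff)
    {
        MessageBoxA(0, "申请远程内存失败!", "提示", MB_OK);
        goto cleanup_process;
    }

    // 5. Copy the NUL-terminated path into the remote buffer.
    success = WriteProcessMemory(hProcess, lpBuff, dllPath, dllLen, &realWrite);
    if (FALSE == success)
    {
        MessageBoxA(0, "写入远程内存失败!", "提示", MB_OK);
        goto cleanup_buffer;
    }

    // 6. Start a thread in the target whose entry point is LoadLibraryA and
    //    whose single argument is the remote path buffer. This relies on
    //    kernel32 being mapped at the same address in both processes.
    hRemoteThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, lpBuff, 0, NULL);
    if (NULL == hRemoteThread)
    {
        MessageBoxA(0, "创建远程线程失败!", "提示", MB_OK);
        goto cleanup_buffer;
    }

    // Block until the remote LoadLibraryA call returns; the buffer must stay
    // valid until then because the remote thread reads it.
    WaitForSingleObject(hRemoteThread, INFINITE);
    CloseHandle(hRemoteThread);

cleanup_buffer:
    VirtualFreeEx(hProcess, lpBuff, 0, MEM_RELEASE);
cleanup_process:
    CloseHandle(hProcess);

    system("pause");   // keep the console open so the message is readable
    return 0;
}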
参考链接:51hook软件安全培训课程