// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "windows.h"
#include <stdint.h>
#include <iostream>
#include <Winternl.h>
// 学习游戏辅助开发就上龙马谷 www.longmagu.com
/*
 * Function-pointer types for the loader/runtime routines this file calls.
 * Nothing here is resolved locally: concrete pointers of each type arrive
 * through struct PARAMX (below) from whatever mapped this image. The
 * parameter lists mirror the like-named ntdll exports (the NtDllModule
 * field in PARAMX suggests that is where the caller takes them from — confirm).
 */
// memcpy-style copy: destination, source, byte count.
typedef VOID(APIENTRY* RtlCopyMemoryT)(
_Out_writes_bytes_all_(_MaxCount) void* _Dst,
_In_reads_bytes_(_MaxCount) const void* _Src,
_In_ size_t _MaxCount
);
// Commits/reserves a region in the target process; BaseAddress and
// RegionSize are in/out (rounded by the callee).
typedef NTSTATUS(APIENTRY* AllocateVirtualMemoryT)(
_In_ HANDLE hProcess,
_In_ PVOID* BaseAddress,
_In_ ULONG ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
// Counterpart of the above; not used in the visible part of this file.
typedef NTSTATUS(APIENTRY* FreeVirtualMemoryT)(
_In_ HANDLE hProcess,
_In_ PVOID* BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG FreeType
);
// Changes page protection; not used in the visible part of this file.
typedef NTSTATUS(APIENTRY* ProtectVirtualMemoryT)(
_In_ HANDLE hProcess,
_In_ PVOID* BaseAddress,
_Inout_ PSIZE_T NumberOfBytesToProtect,
_In_ ULONG NewAccessProtection,
_Out_ PULONG OldAccessProtection
);
// Registers a vectored exception handler; not used in the visible part of this file.
typedef PVOID(APIENTRY* AddVectoredExceptionHandlerT)(
_In_ ULONG First,
_In_ PVECTORED_EXCEPTION_HANDLER Handler
);
// Export lookup by name (ProcedureName != NULL) or by ordinal
// (ProcedureName == NULL, ProcedureNumber set). Magic_show uses both forms.
typedef NTSTATUS(APIENTRY* LdrGetProcedureAddressT)(
_In_ PVOID DllHandle,
_In_opt_ PANSI_STRING ProcedureName,
_In_opt_ ULONG ProcedureNumber,
_Out_ FARPROC* ProcedureAddress
);
// Releases a UNICODE_STRING buffer allocated by RtlAnsiStringToUnicodeString.
typedef VOID(APIENTRY* RtlFreeUnicodeStringT)(
_Inout_ PUNICODE_STRING UnicodeString
);
// Wraps a NUL-terminated char* in an ANSI_STRING (no copy).
typedef VOID(APIENTRY* RtlInitAnsiStringT)(
_Out_ PANSI_STRING DestinationString,
_In_opt_ PCSZ SourceString
);
// ANSI -> UNICODE conversion; with AllocateDestinationString the callee
// allocates the buffer and the caller must free it (see RtlFreeUnicodeStringT).
typedef NTSTATUS(APIENTRY* RtlAnsiStringToUnicodeStringT)(
_Inout_ PUNICODE_STRING DestinationString,
_In_ PCANSI_STRING SourceString,
_In_ BOOLEAN AllocateDestinationString
);
// Loads a DLL by UNICODE_STRING name and returns its handle.
typedef NTSTATUS(APIENTRY* LdrLoadDllT)(
_In_opt_ PWCHAR PathToFile,
_In_opt_ ULONG Flags,
_In_ PUNICODE_STRING ModuleFileName,
_Out_ PHANDLE ModuleHandle
);
// Same shape as DllMain below (hModule, reason, reserved); presumably how
// the mapping code invokes the entry point of a manually mapped image — confirm.
typedef BOOL(APIENTRY* ProcDllMain)(
_In_ LPVOID,
_In_ DWORD,
_In_ LPVOID
);
/*
 * Parameter block handed to Magic_show by the code that mapped this image.
 * Every function pointer is supplied by the caller; this file resolves none
 * of them itself, so the caller is fully trusted. The per-field notes state
 * only what the visible code in this file does with each field.
 */
struct PARAMX
{
// Base address of this image. Magic_show reads the DOS/NT headers through it
// and applies relocations and import fixups relative to it.
PVOID HandleModule;
// Not referenced in the visible code.
PVOID NtDllModule;
// Used once by Magic_show to commit a 65536-byte region with protection 64
// (PAGE_EXECUTE_READWRITE); the address is stored at HandleModule + 0x690.
AllocateVirtualMemoryT RtlAllocateVirtualMemory;
// Not referenced in the visible code.
FreeVirtualMemoryT RtlFreeVirtualMemory;
// Not referenced in the visible code.
ProtectVirtualMemoryT RtlProtectVirtualMemory;
// Not referenced in the visible code.
AddVectoredExceptionHandlerT RtlAddVectoredExceptionHandler;
// Resolves each import, by ordinal or by name, while Magic_show fills the IAT.
LdrGetProcedureAddressT LdrGetProcedureAddress;
// Loads each DLL named in the import descriptor table.
LdrLoadDllT pLdrLoadDll;
// String helpers used to turn the import-descriptor name into the
// UNICODE_STRING that pLdrLoadDll expects, and to free it afterwards.
RtlInitAnsiStringT RtlInitAnsiString;
RtlAnsiStringToUnicodeStringT RtlAnsiStringToUnicodeString;
RtlFreeUnicodeStringT RtlFreeUnicodeString;
// Used once to copy LdrLoadDllOlgCode to HandleModule + 0x600.
RtlCopyMemoryT RtlCopyMemory;
// None of the four indices is referenced in the visible code; their
// meaning is not established in this file.
DWORD NtAllocateVirtualMemoryIndex;
DWORD NtFreeVirtualMemoryIndex;
DWORD NtProtectVirtualMemoryIndex;
DWORD NtAddVectoredExceptionHandlerIndex;
// Six raw bytes copied verbatim to HandleModule + 0x600 by Magic_show.
// The name hints at saved original bytes of LdrLoadDll, but what they
// hold and who consumes them at +0x600 is not visible here — confirm
// against the caller.
char LdrLoadDllOlgCode[6];
};
/**
 * DLL entry point. Only DLL_PROCESS_ATTACH does any work; DLL_PROCESS_DETACH
 * and every other reason fall through to the unconditional `return TRUE`.
 *
 * @param hModule            base address of this image
 * @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / ...
 * @param lpReserved         unused
 * @return TRUE always; no failure is ever reported to the caller
 *
 * NOTE(review): Magic_show below does its own relocation and import
 * resolution, so this entry point is presumably invoked by the mapping code
 * (see the ProcDllMain typedef) rather than by the OS loader — confirm.
 * Magic_show also reads the DOS/NT headers through the same base address,
 * so it must run BEFORE this function: the memset below destroys them.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
// Zeroes the first 0x1000 bytes at the module base, i.e. this image's
// DOS/PE headers. A normally loaded DLL maps its headers read-only, so
// this write only succeeds on a manually mapped copy. After it the module
// carries no MZ/PE signature in memory — the classic header-stripped
// image that memory-scanning and forensic tooling flags as suspicious.
memset((void*)hModule, 0, 0x1000);
// Create a console and point stdout at it so printf below is visible.
// Neither AllocConsole nor freopen has its return value checked; if
// freopen fails, stdout is closed and printf silently writes nowhere.
AllocConsole();
freopen("CON", "w", stdout);
// Info is zeroed twice (initializer plus memset), the result of
// GetConsoleScreenBufferInfo is never read, and its status is unchecked —
// the three lines have no observable effect.
CONSOLE_SCREEN_BUFFER_INFO Info = { 0 };
memset(&Info, 0, sizeof(Info));
GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &Info);
// 11 == FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY (bright cyan).
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 11);
// Prints the image base; note this leaks the (randomised) load address to
// whoever can see the console.
printf("hModule:%p\n", hModule);
break;
}
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
extern "C" __declspec(dllexport) void Magic_show(PARAMX * Parameter)//DLL初始化接口
{
PVOID HandleModule = Parameter->HandleModule;
LdrGetProcedureAddressT LdrGetProcedureAddress = (Parameter->LdrGetProcedureAddress);
LdrLoadDllT pLdrLoadDll = (Parameter->pLdrLoadDll);
RtlInitAnsiStringT RtlInitAnsiString = Parameter->RtlInitAnsiString;
RtlAnsiStringToUnicodeStringT RtlAnsiStringToUnicodeString = Parameter->RtlAnsiStringToUnicodeString;
RtlFreeUnicodeStringT RtlFreeUnicodeString = Parameter->RtlFreeUnicodeString;
RtlCopyMemoryT Call_RtlCopyMemory = Parameter->RtlCopyMemory;
AllocateVirtualMemoryT Call_AllocateVirtualMemory = Parameter->RtlAllocateVirtualMemory;
ANSI_STRING ansiStr;
UNICODE_STRING UnicodeString;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_SECTION_HEADER pSectionHeader;
pDosHeader = (PIMAGE_DOS_HEADER)HandleModule;//DOS头
pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)HandleModule + pDosHeader->e_lfanew);//PE头
PVOID BaseAddress = NULL;
SIZE_T Length = 65536;
Call_AllocateVirtualMemory((HANDLE)-1, &BaseAddress, 0, &Length, MEM_COMMIT | MEM_RESERVE, 64);
*(PVOID*)((PVOID)((ULONG_PTR)HandleModule + 0x690)) = BaseAddress;
Call_RtlCopyMemory((PVOID)((ULONG_PTR)HandleModule + 0x600), Parameter->LdrLoadDllOlgCode, sizeof(Parameter->LdrLoadDllOlgCode));
//重定位信息
if (pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > 0 && pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > 0)
{
ULONG_PTR Delta = (ULONG_PTR)HandleModule - pNTHeader->OptionalHeader.ImageBase;
ULONG_PTR* pAddress;
//注意重定位表的位置可能和硬盘文件中的偏移地址不同,应该使用加载后的地址
PIMAGE_BASE_RELOCATION pLoc = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)HandleModule + pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
while ((pLoc->VirtualAddress + pLoc->SizeOfBlock) != 0) //开始扫描重定位表
{
WORD* pLocData = (WORD*)((ULONG_PTR)pLoc + sizeof(IMAGE_BASE_RELOCATION));
//计算本节需要修正的重定位项(地址)的数目
int NumberOfReloc = (pLoc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
for (int i = 0; i < NumberOfReloc; i++)
{
//printf("重定位:%d NumberOfReloc:%d\n", pLocData[i], NumberOfReloc);
if ((ULONG_PTR)(pLocData[i] & 0xF000) == 0x00003000 || (ULONG_PTR)(pLocData[i] & 0xF000) == 0x0000A000) //这是一个需要修正的地址
{
pAddress = (ULONG_PTR*)((ULONG_PTR)HandleModule + pLoc->VirtualAddress + (pLocData[i] & 0x0FFF));
*pAddress += Delta;
}
}
//转移到下一个节进行处理
pLoc = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)pLoc + pLoc->SizeOfBlock);
}
}
//修正引入地址表
ULONG_PTR Offset = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if (Offset == 0)
return; //No Import Table
PIMAGE_IMPORT_DESCRIPTOR pID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)HandleModule + Offset);
PIMAGE_IMPORT_BY_NAME pByName = NULL;
while (pID->Characteristics != 0)
{
PIMAGE_THUNK_DATA pRealIAT = (PIMAGE_THUNK_DATA)((ULONG_PTR)HandleModule + pID->FirstThunk);
PIMAGE_THUNK_DATA pOriginalIAT = (PIMAGE_THUNK_DATA)((ULONG_PTR)HandleModule + pID->OriginalFirstThunk);
//获取dll的名字
char* pName = (char*)((ULONG_PTR)HandleModule + pID->Name);
HANDLE hDll = 0;
RtlInitAnsiString(&ansiStr, pName);
RtlAnsiStringToUnicodeString(&UnicodeString, &ansiStr, true);
pLdrLoadDll(NULL, NULL, &UnicodeString, &hDll);
//Obs_LdrLoadDll(NULL, NULL, &UnicodeString, &hDll);
RtlFreeUnicodeString(&UnicodeString);
if (hDll == NULL)
{
//MessageBox(0, 0, 0, 0);
return;//NOT FOUND DLL
}
for (int i = 0; ; i++)
{
if (pOriginalIAT[i].u1.Function == 0)
break;
FARPROC lpFunction = NULL;
if (IMAGE_SNAP_BY_ORDINAL(pOriginalIAT[i].u1.Ordinal))
{
//这里的值给出的是导出序号
if (IMAGE_ORDINAL(pOriginalIAT[i].u1.Ordinal))
{
LdrGetProcedureAddress(hDll, NULL, IMAGE_ORDINAL(pOriginalIAT[i].u1.Ordinal), &lpFunction);
}
}
else
{
//获取此IAT项所描述的函数名称
pByName = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)HandleModule + (ULONG_PTR)(pOriginalIAT[i].u1.AddressOfData));
if ((char*)pByName->Name)
{
RtlInitAnsiString(&ansiStr, (char*)pByName->Name);
LdrGetProcedureAddress(hDll, &ansiStr, 0, &lpFunction);
}
}
if (lpFunction != NULL)
{
pRealIAT[i].u1.Function = (ULONG_PTR)lpFunction;
}
else
{