支持x64和x32的代码注入库
如果这个帖子不符合版规请版主删除
点此获取完整的源码
这是对cheatlib的一次重大更新,加入了对x64的支持
快速入门
测试程序源码
cheatlib_test.c
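#include <stdio.h>
#include <stdlib.h>   /* EXIT_SUCCESS / EXIT_FAILURE: not guaranteed by the other headers */
#include "cheatlib.h"

/*
 * Records returned by cheatlib for the two demonstrations below.  Each one is
 * handed back to the matching *Outjection call.  cheatlib.h is not visible
 * here, so who releases the record is assumed, not known — confirm in the header.
 */
PDllInjectionInfo inject_dll_test_info = NULL;
PCodeInjectionInfo code_info = NULL;

/*
 * Demo driver for cheatlib.
 *
 * Steps: find the target process by its console title, inject and then remove
 * the test DLL, then patch a fixed code address and restore it.  Every change
 * is rolled back before the next step starts, so an early exit leaves nothing
 * installed in the target.
 *
 * Returns EXIT_SUCCESS, or EXIT_FAILURE after the first failing library call.
 */
int main(void)
{
    /* The target is matched on its console title only; a renamed target is
     * simply not found rather than mis-targeted. */
    HANDLE hTarget = GetHandleByTitle("Cheatlib Target");
    if (hTarget == NULL) {
        puts("Failed to get target handle");
        return EXIT_FAILURE;
    }
    /* NOTE(review): if GetHandleByTitle hands out a handle that must be closed,
     * this demo leaks it on every exit path — check the library contract. */

    /* DLL injection / removal demo. */
    inject_dll_test_info = DllInjection(hTarget, "inject_dll_test.dll");
    if (inject_dll_test_info == NULL) {
        printf("Dll injection Failed\n");
        return EXIT_FAILURE;
    }
    Sleep(1000);
    DllOutjection(inject_dll_test_info);

    /*
     * Code injection / removal demo.  The patched address and the address the
     * patch returns to appear to be specific to the demo target.exe builds
     * described in the post; they must be re-derived for any other build.
     * CodeInjection does not relocate the instructions its jump overwrites,
     * so the patched region must be at least one jump long (the post gives
     * 5 bytes on x86 and 14 bytes on x64).
     */
#ifdef CHEATLIB_TARGET_X64
    code_info = CodeInjection(hTarget, (LPVOID)0x40159a,
        "add dword ptr ss:[rbp-0x4], 0xff;"
        "push 0x401574;"
        "ret;"
    );
#else
    code_info = CodeInjection(hTarget, (LPVOID)0x40156a,
        "add dword ptr ss:[ebp-0xC], 0xff;"
        "push 0x40153E;"
        "ret;"
    );
#endif
    if (code_info == NULL) {
        printf("Code Injection Failed\n");
        return EXIT_FAILURE;
    }
    Sleep(2000);
    CodeOutjection(code_info);
    return EXIT_SUCCESS;
}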
测试动态库代码
inject_dll_test.c
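#include <stdio.h>
#include "cheatlib.h"

/*
 * Hook records handed back by cheatlib.  The replacement functions below read
 * them to reach the original printf; the matching Unhook call takes them back.
 */
PFuncHookInfo func_hook_info = NULL;
PIATHookInfo iat_hook_info = NULL;

/*
 * Signature of printf, used to call the original through the address saved in
 * the IAT hook record.  The previous declaration had the typedef name and the
 * pointer type swapped, which is not valid C and did not compile.
 */
typedef int (*printf_type)(const char *restrict, ...);

/*
 * Replacement installed by FuncHook.  This demo ignores the caller's format
 * string and variadic arguments and prints a fixed message through the
 * original function; a real hook would forward them.
 *
 * Returns whatever the original printf returns.
 */
int func_hooked_printf(const char *restrict format, ...)
{
    (void)format;   /* deliberately unused in the demo */
    /* CallOrigFunc returns the original function's return value directly. */
    return CallOrigFunc(func_hook_info, "This is Func hooked printf\n");
}

/*
 * Replacement installed by IATHook.  CallOrigFunc cannot be used for an IAT
 * hook; the original is reached through the address saved in the hook record.
 *
 * Returns whatever the original printf returns.
 */
int iat_hooked_printf(const char *restrict format, ...)
{
    (void)format;   /* deliberately unused in the demo */
    return ((printf_type)iat_hook_info->pFuncAddress)("This is IAT hooked printf\n");
}

/*
 * DLL entry point.  On process attach it installs, waits on, and removes an
 * inline hook and then an IAT hook on the host's printf.
 *
 * Everything here runs inside DllMain, i.e. while the loader lock is held;
 * sleeping and patching from DllMain is tolerable for a demo only.
 *
 * Returns TRUE so the load succeeds even if a hook could not be installed.
 */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,   // handle to DLL module
    DWORD fdwReason,      // reason for calling function
    LPVOID lpReserved)    // reserved
{
    (void)hinstDLL;
    (void)lpReserved;

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH: {
        /* Resolve printf through the host's import table. */
        LPVOID printf_addr = GetFuncFromIAT(NULL, "printf");

        /* Inline function hook demo. */
        func_hook_info = FuncHook(printf_addr, (LPVOID)func_hooked_printf);
        if (func_hook_info == NULL) {
            printf("function hook failed\n");
        }
        Sleep(2000);
        /* Only undo what was actually installed; the library may not accept NULL. */
        if (func_hook_info != NULL) {
            FuncUnhook(func_hook_info);
        }

        /* IAT hook demo. */
        iat_hook_info = IATHook(NULL, "printf", (LPVOID)iat_hooked_printf);
        if (iat_hook_info == NULL) {
            printf("IAT hook failed\n");
        }
        Sleep(2000);
        if (iat_hook_info != NULL) {
            IATUnhook(iat_hook_info);
        }
        break;
    }
    default:
        break;
    }
    return TRUE;   // Successful DLL_PROCESS_ATTACH.
}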
被攻击的目标程序代码
target.c
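#include <stdio.h>
#include <windows.h>

/*
 * Demo target.  Names its console window so the injector can find it by title,
 * then prints a counter and the address of printf every 200 ms, forever.
 * The loop never exits; stop the program from the console.
 *
 * Returns 0 (unreachable in practice).
 */
int main(void)
{
    SetConsoleTitle("Cheatlib Target");
    for (int i = 0; ; ++i) {
        /* %p requires an object pointer; passing the bare function pointer is
         * undefined behaviour, so convert it explicitly. */
        printf("Target Program: %d printf address: %p\n", i, (void *)printf);
        Sleep(200);
    }
    return 0;
}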
如何编译这些代码?这个库可以在VS项目里使用,也可以在Mingw(GCC)项目里使用,这里演示在Mingw(GCC)中的使用方法
将 cheatlib.h、cheatlib.dll、keystone.dll、capstone.dll 复制到你的项目目录下
编译32位运行
gcc -shared cheatlib.dll inject_dll_test.c -o inject_dll_test.dll -m32
gcc cheatlib.dll cheatlib_test.c -o cheatlib_test.exe -m32
gcc target.c -o target.exe -m32
编译64位运行
gcc -shared cheatlib.dll inject_dll_test.c -o inject_dll_test.dll -m64 -D CHEATLIB_TARGET_X64
gcc cheatlib.dll cheatlib_test.c -o cheatlib_test.exe -m64 -D CHEATLIB_TARGET_X64
gcc target.c -o target.exe -m64
对比上一版增加了哪些内容?
- x64支持,而且接口不变,只需定义CHEATLIB_TARGET_X64宏即可转变成x64的版本
- IAT Hook 支持
- 获取IAT数据支持
- CallOrigFunc 直接获取返回值支持,你可以直接写作 return CallOrigFunc(ptInfo, arg1, arg2);
注意
CodeInjection函数不会将被跳转覆盖的指令复制到执行区执行,因此有必要知道在x32和x64下跳转需要占用多大的空间。
x32下的跳转: 共计5字节
x64下的跳转:
push target low address
mov dword ptr ss:[rsp], target high address
ret
共计14字节
最后
我写这个库是希望它能在各种场合下为你带来便利,有任何用得不爽或者不知道如何使用的地方请让我知道