一、在上节课《DLL注入窗口》中我们已经实现了 DLL 注入，这节课我们改用线程注入。
// Thread entry point that runs inside the host process once this DLL is loaded:
// shows the DLLTEST dialog modally, then unloads the DLL and ends the thread.
// `arg` is unused (InitInstance below passes 0).
DWORD WINAPI 窗口函数地址(LPVOID arg)
{
// MFC: switch the module state to this DLL so its own resources (the dialog
// template) are found instead of the host's.
AFX_MANAGE_STATE(AfxGetStaticModuleState());
DLLTEST dt;
dt.DoModal();
// Unloads the module and terminates this thread with exit code 123 in one
// call, so the `return 1` below is never reached. theApp.m_hInstance is
// assumed to be this DLL's own HMODULE (MFC sets it that way in a DLL app
// object) — confirm if the project ever changes the app object.
FreeLibraryAndExitThread(theApp.m_hInstance, 123);// automatically unload the DLL
return 1;
}
// MFC DLL initialization. Starts a worker thread that owns the dialog UI so
// that InitInstance itself returns immediately.
// NOTE(review): in a regular MFC DLL this is called from DllMain(PROCESS_ATTACH),
// i.e. under the loader lock; CreateThread is permitted there but the new thread
// cannot start executing until DllMain has returned — confirm this matches the
// intended startup order.
BOOL CMFCDLLApp::InitInstance()
{
CWinApp::InitInstance();
DWORD 线程ID = 0;
// The thread HANDLE returned by CreateThread is discarded and never closed
// (handle leak); the thread id is requested but not used afterwards.
::CreateThread(0, 0, 窗口函数地址, 0, 0, &线程ID);
return TRUE;
}
二、在窗口中添加三个按钮，分别实现：输出调试信息、解绑调试信息、获取护甲值。
// Reads one DWORD at an arbitrary address in the current process.
// Returns the value read, or 0 if the read raised a structured exception
// (for example an access violation on an unmapped address).
// NOTE: __except(1) is EXCEPTION_EXECUTE_HANDLER for *every* exception code,
// so a faulting read and a genuine stored value of 0 look identical to the
// caller; callers that need to tell them apart cannot use this function as is.
DWORD 读地址(UINT_PTR 地址)
{
__try
{
return *(DWORD*)地址;
}
__except (1)
{
return 0;
}
}
// TIMERPROC installed by OnBnClickedButton1. Runs once (it kills its own timer
// on entry), calls a function located at a hard-coded address inside the host
// process, follows two pointer hops from its result and prints the value.
// Only `h` is used; `arg2`, `arg3_id` and `time` are ignored.
// NOTE: 0x60C1F0 and the offsets below are tied to one specific build of the
// host executable; any other build makes the call land on arbitrary code.
// NOTE: MSVC inline __asm is x86 (32-bit) only; this does not build for x64.
VOID CALLBACK 护甲(HWND h, UINT arg2, UINT_PTR arg3_id, DWORD time)
{
// One-shot: id 11111 is the timer id passed to SetTimer in OnBnClickedButton1.
KillTimer(h, 11111);
const char* 参数1 = "player";
UINT_PTR 返回值 = 0;
UINT_PTR 函数地址 = 0x60C1F0;
// Manual cdecl call: one pointer argument pushed, stack cleaned by the caller
// (`add esp, 4`), result taken from EAX. Assumes the target really is cdecl
// with exactly one argument — nothing here verifies that.
__asm
{
push 参数1
call 函数地址
add esp, 4
mov 返回值, eax
}
// NOTE(review): this line does not compile as written — the operators between
// the operands on each side of 0xD0 and 0x174 appear to have been lost when the
// page was extracted. The local `护甲` also shadows the enclosing function name.
DWORD 护甲 = 读地址(读地址(返回值 0xD0) 0x174);
char buf[256];
sprintf_s(buf, "护甲=%d\r\n",护甲);
// Security: `buf` is passed as the *format string*. It only holds a formatted
// number here, but the pattern is a format-string bug the moment the buffer
// contains '%'; prefer printf("%s", buf) or fputs(buf, stdout).
printf(buf);
};
// Button 1: arms a 1 ms timer (id 11111) on the host's main window so that the
// 护甲 callback runs on that window's message loop, i.e. on the thread that
// owns the window rather than on this dialog's thread.
// NOTE(review): the FindWindowA result is not checked. If no window matches,
// SetTimer is called with a NULL HWND, which makes it a thread timer whose id
// is assigned by the system — the KillTimer(h, 11111) in the callback would
// then not match. Consider bailing out when the handle is NULL.
void DLLTEST::OnBnClickedButton1()
{
HWND 游戏窗口句柄 = FindWindowA("GxWindowClassD3d", "魔兽世界");
::SetTimer(游戏窗口句柄, 11111, 1, 护甲);
}
// Button 2: attaches a console to the host process and redirects stdout to it,
// so the printf output from the 护甲 callback becomes visible.
// The errno_t returned by freopen_s and the FILE* it hands back are ignored,
// so a failed redirection goes unnoticed.
// NOTE(review): the mode string is "w t" with a space; the conventional form is
// "w" (or "wt") — confirm the CRT accepts the space before relying on it.
void DLLTEST::OnBnClickedButton2()
{
AllocConsole();
FILE* file = 0;
freopen_s(&file, "CONOUT$", "w t", stdout);
}
// "Unbind debug output" button: detaches the process from the console opened
// by OnBnClickedButton2. stdout is still redirected to CONOUT$ afterwards, so
// any later printf from the timer callback has no console to write to
// (presumably harmless here, but the stream is never restored — verify).
void DLLTEST::OnBnClickedGbtsck()
{
FreeConsole();
}
三、查看效果
四、完整项目下载地址
关注下方公众号「编程有你」，回复 20220504。