Three modules
1. game.exe: has three methods; the console input commands ('A', 'B', 'R') each call one of the three methods to control it;
2. WGDll.dll: the DLL file to be injected into the game process;
3. myconsole.exe: the program that injects the DLL file;
Method: start the game process, then use myconsole to inject the DLL into the game. myconsole and the DLL module communicate across processes through a shared-memory module: a command typed into the myconsole console is received by the DLL module, which calls the corresponding game module function, achieving control of the game.
game module
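#include<stdio.h>

/* Game module: a tiny console "game" that reacts to single-character
 * commands read from stdin.  The three action functions are kept as
 * separate, non-static functions because the page's DLL module targets
 * each of them individually. */

/* Prints the attack banner.  A trailing newline is added so the line is
 * terminated like rest()/blood() and is not glued to the next output. */
void attack(void) {
    printf("**********attack**********\n");
}

/* Prints the rest banner. */
void rest(void) {
    printf("**********rest**********\n");
}

/* Prints the blood banner. */
void blood(void) {
    printf("**********blood**********\n");
}

/* Command loop: 'A' -> attack, 'R' -> rest, 'B' -> blood, 'Q' -> quit.
 * Any other character (including the '\n' that follows each key press)
 * is ignored.  orderChar is an int so that EOF can be detected: storing
 * getchar()'s result in a char turned a closed stdin into an endless
 * loop.  Returns 0 on 'Q' or when stdin is exhausted. */
int main(void) {
    int orderChar;
    printf("**********GAME BEGIN**********\n");
    while ((orderChar = getchar()) != EOF) {
        switch (orderChar) {
        case 'A':
            attack();
            break;
        case 'R':
            rest();
            break;
        case 'B':
            blood();
            break;
        case 'Q':
            printf("**********GAME OVER**********\n");
            return 0;
        default:
            break;
        }
    }
    /* stdin closed without a 'Q': exit cleanly instead of spinning. */
    return 0;
}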
dll module
// dllmain.cpp : Defines the entry point for the DLL application.
//
// Injected module: once loaded into game.exe it opens the named shared
// memory created by myconsole, polls it every 2 s for a command character
// and, for 'A'/'B'/'R', calls a fixed code address inside game.exe via
// MSVC x86 inline assembly (32-bit MSVC only).
#include<Windows.h>
#include<iostream>
#include<stdio.h>
using namespace std;
// Name of the shared file mapping; must match the one myconsole creates.
#define _MAP_ TEXT("gameDll")
// Absolute code addresses, presumably read off the author's own game.exe
// build; they are valid only for that exact binary at that load address,
// so any rebuild or relocation of game.exe invalidates them.
#define ATTACK 0x0641740
#define REST 0x0641800
#define BLOOD 0x06417a0
// NOTE(review): this global is never assigned — ThreadProc declares a
// local of the same name that shadows it.
HANDLE hMapFile;
// View of the shared mapping (set by ThreadProc, read in the loop).
LPTSTR lpBuffer;
// Last command character read from the mapping (one TCHAR, not a DWORD
// despite the "dw" prefix).
TCHAR dwType;
// Worker thread started from DllMain: maps the shared memory and runs the
// polling loop forever; returns 0 only if the mapping cannot be opened.
DWORD WINAPI ThreadProc(LPVOID lpParameter) {
    // Shadows the global hMapFile; this handle is never closed.
    HANDLE hMapFile = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, _MAP_);
    if (!hMapFile) {
        printf("OpenMappingFile Error : %d", GetLastError());
        return 0;
    }
    // Maps BUFSIZ bytes of the view (the mapping itself is 0x1000 bytes
    // on the myconsole side).  A NULL result is only checked inside the loop.
    lpBuffer = (LPTSTR)MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
    for (;;) {
        // Fixed 2-second poll; commands written faster than that are lost.
        Sleep(2000);
        if (lpBuffer != NULL) {
            // CopyMemory(&dwType, lpBuffer, 4);
            // Copies one wide char.  NOTE(review): the destination size
            // argument (4 elements) overstates the 1-element dwType; only
            // one element is copied so it does not overflow here.
            wmemcpy_s(&dwType, 4, lpBuffer, 1);
            wcout << lpBuffer << endl;
        }
        // NOTE(review): dwType is never cleared after a command is handled
        // (the clearing lines below are commented out), so the same action
        // re-fires on every 2 s tick until myconsole writes a different char.
        if (dwType == L'A') {
            //MessageBox(NULL, TEXT("AAAAA"), TEXT("AAAAA"), MB_OK);
            __asm {
                mov eax, ATTACK
                call eax
            }
            //dwType = 0;
            //CopyMemory(lpBuffer, &dwType, 4);
        }
        if (dwType == L'B') {
            //MessageBox(NULL, TEXT("BBBBBB"), TEXT("BBBBBBB"), MB_OK);
            __asm {
                mov eax, BLOOD
                call eax
            }
            //dwType = 0;
            //CopyMemory(lpBuffer, &dwType, 4);
        }
        if (dwType == L'R') {
            //MessageBox(NULL, TEXT("RRRRRRR"), TEXT("RRRRRRR"), MB_OK);
            __asm {
                mov eax, REST
                call eax
            }
            //dwType = 0;
            //CopyMemory(lpBuffer, &dwType, 4);
        }
        if (dwType == L'Q') {
            //MessageBox(NULL, TEXT("QQQQQQQ"), TEXT("QQQQQQ"),MB_OK);
            // NOTE(review): the view is unmapped but lpBuffer is not reset
            // to NULL and the loop keeps running, so the next iteration
            // reads through the unmapped view (and unmaps it again).
            UnmapViewOfFile(lpBuffer);
        }
    }
    return 0;
}
// DLL entry point.  On process attach it shows a message box and spawns
// ThreadProc.  NOTE(review): both UI and CreateThread inside DllMain run
// under the loader lock, which Microsoft's DllMain guidance advises
// against; the missing `break` after DLL_PROCESS_ATTACH falls through into
// cases that only break, so it is harmless.  From a defender's view the
// attach-time MessageBox, the thread spawned from DllMain and the named
// mapping "gameDll" are this module's observable artifacts.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, TEXT("hehe"), TEXT("HAHA"), MB_OKCANCEL);
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, NULL, 0, NULL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
myconsole module
// myconsole: controller process.  Creates the named shared memory, finds
// game.exe by image name, loads WGDll.dll into it with the
// LoadLibraryW/CreateRemoteThread pattern, then writes a random command
// character ('A', 'B' or 'R') into the shared memory every 2 s.
#include<Windows.h>
#include<stdio.h>
#include<Tlhelp32.h>
#include <iostream>
#include<stdlib.h>
using namespace std;
// Name of the shared file mapping; must match the one the DLL opens.
#define _MAP_ TEXT("gameDll")
// Page-file-backed mapping of 0x1000 bytes created by init().
HANDLE hFileMapping;
// View of the mapping (BUFSIZ bytes) that main() writes commands into.
LPTSTR lpBuffer;
// Creates the shared mapping and maps a view of it into lpBuffer.
// Returns FALSE (after printing the Win32 error) if either step fails.
BOOL init() {
    hFileMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000, _MAP_);
    if (hFileMapping==NULL) {
        printf("create filemapping failed error : %d", GetLastError());
        return FALSE;
    }
    lpBuffer = (LPTSTR)MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
    if (lpBuffer==NULL) {
        printf("create filemappingview failed error : %d", GetLastError());
        return FALSE;
    }
    return TRUE;
}
// Walks the process snapshot and returns the PID of the first process
// whose image name equals pDest.  Returns 0 when not found.
// NOTE(review): snapshot failure also returns FALSE (== 0), so the caller
// cannot tell "not found" from "snapshot failed"; on the not-found path
// the snapshot handle is never closed.
DWORD GetPid(const TCHAR* pDest) {
    HANDLE hProcessHandle;
    PROCESSENTRY32 pe32 = {0};
    hProcessHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessHandle == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);
    //const TCHAR* pDest = TEXT("game.exe");
    while (Process32Next(hProcessHandle,&pe32)) {
        //printf("%s\n", pe32.szExeFile);
        if (wcscmp(pe32.szExeFile,pDest)==0) {
            CloseHandle(hProcessHandle);
            return pe32.th32ProcessID;
            // Unreachable: placed after the return above.
            wcout << pe32.szExeFile << ":" << pe32.th32ProcessID << endl;
        }
    }
    return 0;
}
// Loads the DLL at path pName into process pID.  This is the textbook
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory
// -> CreateRemoteThread(LoadLibraryW) sequence — the exact call chain that
// endpoint monitoring and detection rules for DLL injection look for.
// Returns FALSE after printing an error if the write or the lookups fail.
// NOTE(review): the OpenProcess and VirtualAllocEx results are used
// without a NULL check; the remote thread handle is neither waited on nor
// closed; and CloseHandle(hModule) is called on an HMODULE returned by
// GetModuleHandle, which is not a kernel handle.
BOOL LoadDll(DWORD pID,const TCHAR* pName) {
    HANDLE hDestProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    DWORD pLEN = sizeof(WCHAR)*wcslen(pName)+1;
    LPVOID lpStart = VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
    BOOL bRET = WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL);
    if (!bRET) {
        // printf-style "%d" inside an iostream message is printed literally.
        cout << "writeprocessmemory failed error : %d" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    // Kernel32 is mapped at the same address in every process of the same
    // bitness, which is what makes the local GetProcAddress result usable
    // remotely (assumption of this approach, not checked by the code).
    HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
    if (!hModule) {
        cout << "get kernel32 failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    // Resolves LoadLibraryW; the error message below says "loadLibraryA".
    DWORD f = (DWORD)GetProcAddress(hModule, "LoadLibraryW");
    if (!f) {
        cout << "get loadLibraryA failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        CloseHandle(hModule);
        return FALSE;
    }
    CreateRemoteThread(hDestProcess,NULL,0, (LPTHREAD_START_ROUTINE)f,lpStart,NULL,NULL);
    CloseHandle(hDestProcess);
    CloseHandle(hModule);
    return TRUE;
}
// Entry point: sets up shared memory, injects the DLL, then drives the
// game with random commands.  NOTE(review): init()'s return value and a
// pid of 0 are not checked before LoadDll; rand() is never seeded, so the
// command sequence is identical on every run; the loop never writes 'Q',
// so the DLL's unmap path is never exercised; getchar() is unreachable.
int main() {
    init();
    const TCHAR* pName = TEXT("game.exe");
    DWORD pid = GetPid(pName);
    wcout << pid << endl;
    // Absolute path of the author's debug build; the path is resolved by
    // LoadLibraryW inside the target process.
    TCHAR DLLNAME[] = TEXT("D:\\vs-workspace\\WGDll\\Debug\\WGDll.dll");
    TCHAR* DNAME = DLLNAME;
    BOOL fl = LoadDll(pid, DNAME);
    if (fl) {
        cout << "haha" << endl;
    }
    TCHAR gameCmd[] = { L'A',L'B',L'R' };
    TCHAR tempp;
    int randnum = 0;
    for (;;) {
        randnum = rand()%3;
        tempp = gameCmd[randnum];
        wcout << tempp << endl;
        // NOTE(review): copies 4 bytes out of a 2-byte TCHAR (reads past
        // tempp); the wmemcpy_s right after writes the same character again.
        CopyMemory(lpBuffer, &tempp,4);
        wmemcpy_s(lpBuffer, 4, &tempp, 1);
        Sleep(2000);
    }
    getchar();
    return 0;
}