C語言遊戲外掛(四):簡單 DLL 注入遊戲
通過C語言編寫一個DLL文件和一個EXE文件,其中DLL包含作弊功能,運行EXE後將DLL注入遊戲,使得遊戲僅靠自身進程便可以實現作弊功能。
對象分析
要用的API函數簡單介紹
編寫測試效果
總體評價
對象分析
注:本次遊戲對象為Super Mario XP
沒有更新所以可用任意版本 ,
試玩發現人物血量最大為10,心最大為99,命最大為99。
要用的API函數簡單介紹
HANDLE CreateThread(LPSECURITYATTRIBUTES, SIZET, LPTHREADSTARTROUTINE, LPVOID, DWORD ,LPDWORD
CreateThread 將在主線程的基礎上創建一個新線程
LPVOID VirtualAllocEx(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
VirtualAllocEx 向指定進程申請內存,其中flAllocationType取值MEM_COMMIT表示寫入物理存儲而非磁盤交換內存
FARPROC GetProcAddress(HMODULE hModule, LPCSTR);
GetProcAddress 檢索指定的動態鏈接庫(DLL)中的輸出庫函數地址
HANDLE CreateRemoteThread(HANDLE, LPSECURITYATTRIBUTES, SIZET, LPTHREADSTARTROUTINE, LPVOID, DWORD, LPDWORD);
CreateRemoteThread 創建一個在其它進程地址空間中運行的線程
編寫測試效果
打開遊戲
運行外掛
打開注入器Injecter,注入器注入DLL後自動退出,僅剩下游戲,此時遊戲已具備作弊效果(鎖定血量)
檢測有效
//
// 04簡單DLL注入遊戲(作弊模塊DLL部分)
// C/C++
//
#include<windows.h>
#defineDllfuncitonextern"C" __declspec(dllexport)//以C方式導出
Dllfuncitonvoid lockdata();
Dllfunciton DWORD WINAPI inject(LPVOID);
void lockdata(){
while(true){
DWORD hp =10;
DWORD heart =99;
DWORD life =99;
DWORD addr =0x00428282;
DWORD addr2 =0x00428292;
DWORD addr3 =0x004282a2;
DWORD res =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr,&hp,4,0);//寫入自身修改遊戲數據
DWORD res2 =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr2,&heart,4,0);
DWORD res3 =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr3,&life,4,0);
Sleep(1000);
}
}
DWORD WINAPI inject(LPVOID){
lockdata();
returntrue;
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
switch(ul_reason_for_call){
case DLL_PROCESS_ATTACH:{
::DisableThreadLibraryCalls(hModule);//創建線程包含死循環,為防卡死必須設置
CreateThread(NULL,0, inject, NULL,0, NULL);
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
default:;
}
returntrue;
}
//
// 04簡單DLL注入遊戲(注入器EXE部分)
// C/C++
//
#include<windows.h>
#include<string.h>
#include<string>
#include<iostream>
usingnamespace std;
HWND hwnd = NULL;
DWORD processid = NULL;
HANDLE hprocess = NULL;
PVOID procdlladdr = NULL;
char dllname[25]="cheatDLL";
char loadfunc[25]="LoadLibraryA";
FARPROC loadfuncaddr = NULL;
HANDLE hfile;
void getwindow(){
hwnd =::FindWindow(NULL,"Super Mario XP");
if(hwnd == NULL)
MessageBox(NULL,"找不到遊戲","錯誤", MB_OK);
GetWindowThreadProcessId(hwnd,&processid);
hprocess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,processid);
if(hprocess == NULL)
MessageBox(NULL,"打開遊戲失敗","錯誤", MB_OK);
}
void inject(){
int size = strlen(dllname)+5;
procdlladdr =::VirtualAllocEx(hprocess, NULL, size, MEM_COMMIT, PAGE_READWRITE);//向目標申請空間,得到新空間地址
if(procdlladdr == NULL)
MessageBox(NULL,"申請空間失敗","錯誤", MB_OK);
DWORD writenum;
::WriteProcessMemory(hprocess, procdlladdr, dllname, size,&writenum);//向新空間寫入要注入的DLL名稱
loadfuncaddr =::GetProcAddress(::GetModuleHandle("kernel32.dll"), loadfunc);//獲得LoadLibraryA的地址,在任何進程空間都一樣
HANDLE hthread =::CreateRemoteThread(hprocess, NULL,0,(LPTHREAD_START_ROUTINE)loadfuncaddr,(LPVOID)procdlladdr,0, NULL);
//新建線程執行LoadLibrary參數是已在目標進程新空間寫入的DLL名稱,注意這個函數在64位下無法成功
::WaitForSingleObject(hthread, INFINITE);
::CloseHandle(hthread);
::CloseHandle(hprocess);
}
int main(){
getwindow();
inject();
return0;
}
DLL注入可使作弊模塊在程序自身“名義”下進行作弊,提高作弊成功率,然而載入的DLL容易被DLL檢測發現。