支持x64和x32的代码注入库
如果这个帖子不符合版规请版主删除
点此获取完整的源码
这是对cheatlib的一次重大更新,加入了对x64的支持
点此查看cheatlib第一版的帖子
快速入门
测试程序源码
cheatlib_test.c
#include <stdio.h>
#include "cheatlib.h"
// Records handed back by cheatlib for the two injection demos below. Each one
// is passed back to the matching *Outjection call (DllOutjection /
// CodeOutjection) so the injected DLL / code patch is removed again.
PDllInjectionInfo inject_dll_test_info = NULL;
PCodeInjectionInfo code_info = NULL;
/*
 * Demo driver: find the target console window by title, inject and then eject
 * the test DLL, and finally patch a fixed code address inside the target and
 * undo that patch again.
 *
 * The hook addresses and the instruction re-implemented by the injected stub
 * belong to one specific build of target.c; a different compiler, version or
 * set of flags moves them and the patch will land on the wrong bytes.
 *
 * Returns EXIT_SUCCESS when every step completed, EXIT_FAILURE as soon as the
 * window lookup or one of the injections reports failure.
 */
int main()
{
#ifdef CHEATLIB_TARGET_X64
    // Hook site plus the stub that stands in for the overwritten instruction
    // and then jumps back into the original code via push/ret.
    LPVOID hook_site = (LPVOID)0x40159a;
    const char *stub_asm =
        "add dword ptr ss:[rbp-0x4], 0xff;"
        "push 0x401574;"
        "ret;";
#else
    LPVOID hook_site = (LPVOID)0x40156a;
    const char *stub_asm =
        "add dword ptr ss:[ebp-0xC], 0xff;"
        "push 0x40153E;"
        "ret;";
#endif

    // The title has to match the SetConsoleTitle() call in target.c exactly.
    HANDLE hTarget = GetHandleByTitle("Cheatlib Target");
    if (!hTarget) {
        puts("Failed to get target handle");
        return EXIT_FAILURE;
    }

    // DLL injection demo.
    // NOTE(review): a bare file name is presumably resolved by the *target*
    // process's DLL search order, not by this program's; outside of a demo
    // pass an absolute path so a planted DLL of the same name cannot be
    // picked up instead.
    inject_dll_test_info = DllInjection(hTarget, "inject_dll_test.dll");
    if (!inject_dll_test_info) {
        printf("Dll injection Failed\n");
        return EXIT_FAILURE;
    }
    Sleep(1000);
    // DLL ejection demo.
    DllOutjection(inject_dll_test_info);

    // Code injection demo at the fixed hook site chosen above.
    code_info = CodeInjection(hTarget, hook_site, stub_asm);
    if (!code_info) {
        printf("Code Injection Failed\n");
        return EXIT_FAILURE;
    }
    Sleep(2000);
    // Code ejection demo: restores the overwritten bytes.
    CodeOutjection(code_info);

    return EXIT_SUCCESS;
}
测试动态库代码
inject_dll_test.c
#include <stdio.h>
#include "cheatlib.h"
// Hook records returned by FuncHook / IATHook. DllMain hands them to the
// matching *Unhook call, and the two replacement printf()s below read them to
// reach the original function (CallOrigFunc for the inline hook, the saved
// pFuncAddress for the IAT hook).
PFuncHookInfo func_hook_info = NULL;
PIATHookInfo iat_hook_info = NULL;
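// Pointer-to-function type with printf()'s signature; used to call the
// original printf through a raw address saved by the IAT hook.
// Fix: the original line put the new name after `typedef`, which is not
// valid C — for a function-pointer typedef the name goes inside the
// parentheses of the declarator.
typedef int (*printf_type)(const char * restrict, ...);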
/*
 * Replacement installed over the host's printf() by FuncHook.
 *
 * This demo hook ignores the caller's format string and arguments and emits
 * a fixed marker line through the original function instead; the original's
 * return value is passed straight back to the caller (CallOrigFunc yields it
 * directly, see the release notes).
 */
int func_hooked_printf(const char * restrict format, ...)
{
    (void)format; // deliberately dropped: the demo only proves the hook fired

    int written = CallOrigFunc(func_hook_info, "This is Func hooked printf\n");
    return written;
}
/*
 * Replacement written into the host's IAT slot for printf() by IATHook.
 *
 * Like the inline hook it drops the caller's arguments and prints a fixed
 * marker. CallOrigFunc cannot be used for IAT hooks; the original is reached
 * through the address saved in the hook record (pFuncAddress) instead.
 */
int iat_hooked_printf(const char * restrict format, ...)
{
    (void)format; // deliberately dropped: the demo only proves the hook fired

    printf_type original_printf = (printf_type)iat_hook_info->pFuncAddress;
    return original_printf("This is IAT hooked printf\n");
}
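/*
 * Entry point of the injected DLL. On DLL_PROCESS_ATTACH it demonstrates both
 * hooking styles on the host's printf(): an inline FuncHook that is removed
 * after two seconds, then an IATHook that is removed after another two.
 *
 * Fixes over the original demo: the address returned by GetFuncFromIAT and the
 * record returned by IATHook are checked, and an *Unhook call is only issued
 * for a hook that was actually installed, so a failed hook no longer passes
 * NULL to FuncUnhook / IATUnhook. The globals are reset after unhooking so a
 * stale record cannot be reused.
 *
 * NOTE(review): this still sleeps and calls printf() inside DllMain, i.e.
 * while the loader lock is held, which Microsoft's DllMain guidance advises
 * against. It is tolerable for a demo; a real hook should start a thread
 * here and do the work from there.
 *
 * Always returns TRUE so the load proceeds; hook failures are reported on
 * stdout rather than failing the load.
 */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,  // handle to DLL module
    DWORD fdwReason,     // reason for calling function
    LPVOID lpReserved )  // reserved
{
    (void)hinstDLL;
    (void)lpReserved;

    // Perform actions based on the reason for calling.
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Resolve the host's printf through its import table. A NULL result
        // is treated as a failed lookup and skips both demos.
        LPVOID printf_addr = GetFuncFromIAT(NULL, "printf");
        if (printf_addr == NULL) {
            printf("GetFuncFromIAT(printf) failed\n");
            return TRUE;
        }

        // Inline function hook demo.
        func_hook_info = FuncHook(printf_addr, (LPVOID)func_hooked_printf);
        if (func_hook_info == NULL) {
            printf("function hook failed\n");
        }
        Sleep(2000);
        // Only undo a hook that was actually installed.
        if (func_hook_info != NULL) {
            FuncUnhook(func_hook_info);
            func_hook_info = NULL;
        }

        // IAT hook demo.
        iat_hook_info = IATHook(NULL, "printf", (LPVOID)iat_hooked_printf);
        if (iat_hook_info == NULL) {
            printf("IAT hook failed\n");
        }
        Sleep(2000);
        if (iat_hook_info != NULL) {
            IATUnhook(iat_hook_info);
            iat_hook_info = NULL;
        }
        break;
    }
    default:
        // DLL_PROCESS_DETACH / thread notifications: nothing to do.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}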
被攻击的目标程序代码
target.c
#include <stdio.h>
#include <windows.h>
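/*
 * Target for the injection demos. Sets the console title that the injector
 * looks up, then prints a counter and printf's own address every 200 ms
 * forever, so a hooked or patched printf shows up immediately.
 *
 * Fix: %p expects a void * argument; passing the function pointer directly is
 * a format/argument type mismatch (GCC -Wformat reports it). The cast to
 * void * is the usual Windows idiom — code and data pointers share one
 * representation there — even though ISO C does not define that conversion.
 */
int main()
{
    SetConsoleTitle("Cheatlib Target");
    for (int i = 0; ; ++i)
    {
        printf("Target Program: %d printf address: %p\n", i, (void *)printf);
        Sleep(200);
    }
    return 0; // not reached: the loop above never terminates
}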
如何编译这些代码?
这个库可以在VS项目里使用也可以在Mingw(GCC)项目里使用,这里演示在Mingw(GCC)中的使用方法
将cheatlib.h
cheatlib.dll
keystone.dll
capstone.dll
复制到你的项目目录下
编译32位运行
# 32-bit build (MinGW/GCC): every step uses -m32; cheatlib.dll is linked
# directly, which MinGW's linker supports.
gcc -m32 -shared cheatlib.dll inject_dll_test.c -o inject_dll_test.dll
gcc -m32 cheatlib.dll cheatlib_test.c -o cheatlib_test.exe
gcc -m32 target.c -o target.exe
编译64位运行
# 64-bit build: CHEATLIB_TARGET_X64 selects the x64 paths in the test sources;
# target.c has no such branch and only needs -m64.
gcc -m64 -DCHEATLIB_TARGET_X64 -shared cheatlib.dll inject_dll_test.c -o inject_dll_test.dll
gcc -m64 -DCHEATLIB_TARGET_X64 cheatlib.dll cheatlib_test.c -o cheatlib_test.exe
gcc -m64 target.c -o target.exe
对比上一版增加了哪些内容?
- x64支持而且接口不变,只需简单定义CHEATLIB_TARGET_X64宏即可转变成x64的版本
- IAT Hook 支持
- 获取IAT数据支持
- CallOrigFunc 直接获取返回值支持。你可以直接写作 return CallOrigFunc(ptInfo, arg1, arg2);(仅适用于 FuncHook 的函数钩子,IAT Hook 不能使用 CallOrigFunc,需要通过钩子信息中保存的 pFuncAddress 调用原函数)
注意
CodeInjection函数不会把被跳转覆盖的原指令复制到注入代码区执行,因此调用者必须自己在注入代码里补上这些被覆盖的指令(示例中的注入代码先执行一条顶替被覆盖处的add指令,再用push/ret跳回原处),并且要保证hook地址落在指令边界上、跳转覆盖的范围刚好覆盖完整的指令——否则目标进程会执行到半截指令而崩溃。
因此有必要知道在x32和x64下跳转需要占用多大的空间:
x32下的跳转:
jmp hook function        ; E9 rel32,相对跳转,目标必须在 ±2GB 范围内
共计5字节(1字节操作码 + 4字节相对偏移)
x64下的跳转:
push target low address                      ; 68 imm32,5字节
mov dword ptr ss:[rsp+4], target high address ; C7 44 24 04 imm32,8字节
ret                                           ; C3,1字节
共计14字节。注意高32位必须写到 [rsp+4]:写到 [rsp] 会把刚 push 进去的低32位覆盖掉,而且那条指令只有7字节,与14字节的总数也对不上。
最后
我写这个库是希望它能在各种场合下为你带来便利,有任何用的不爽或者不知道如何使用请让我知道