吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 2901|回复: 5
收起左侧

[C&C++ 转载] Inline Patch 补丁 C++源码分享了 !

  [复制链接]
R-R, 发表于 2020-12-14 12:30
//inline Patch补丁源码
//部分代码搬运至 https://www.52pojie.cn/thread-688291-1-1.html
//添加获取文件 AddressOfEntryPoint  PEB获取imagebase  获取内存实时OEP 主要针对EXE动态内存地址和电脑开始了ALSR


[Asm] 纯文本查看 复制代码

#include "stdafx.h"
#include "windows.h"

int GetOep(TCHAR* PeFileName){

	TCHAR* FileName = PeFileName;
	char* buf = nullptr;
	HANDLE hFile;
	DWORD dwFileSize;
	DWORD ReadSize = 0;
	DWORD OEP = 0;

	hFile = CreateFile(
		FileName, GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	dwFileSize = GetFileSize(hFile, NULL);
	buf = new char[dwFileSize];
	ReadFile(hFile, buf, dwFileSize, &
		ReadSize, NULL);

	PIMAGE_DOS_HEADER pDosH = (PIMAGE_DOS_HEADER)buf;
	PIMAGE_NT_HEADERS32 pNtH = (PIMAGE_NT_HEADERS32)(buf + pDosH->e_lfanew);
	PIMAGE_OPTIONAL_HEADER32 pOptH = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pNtH + IMAGE_SIZEOF_FILE_HEADER + 4);

	if (pDosH->e_magic != IMAGE_DOS_SIGNATURE)
	{
		MessageBoxW(NULL, L"DOS头错误!", L"Error", MB_OK);
		CloseHandle(hFile);
		return 0;
	}
	if (pNtH->Signature != IMAGE_NT_SIGNATURE)
	{
		MessageBoxW(NULL, L"NT头错误!", L"Error", MB_OK);
		CloseHandle(hFile);
		return 0;
	}

	OEP = pOptH->AddressOfEntryPoint;
	delete[] buf;
	CloseHandle(hFile);
	return OEP;
}

STARTUPINFO Si;
PROCESS_INFORMATION Pi;

typedef LONG(NTAPI* _NtQueryInformationProcess)(
	IN HANDLE ProcessHandle,
	IN ULONG ProcessInformationClass,
	OUT PVOID ProcessInformation,
	IN ULONG ProcessInformationLength,
	OUT PULONG ReturnLength OPTIONAL
	);

typedef struct
{
	DWORD ExitStatus; 
	DWORD PebBaseAddress; 
	DWORD AffinityMask; 
	DWORD BasePriority; 
	ULONG UniqueProcessId; 
	ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;




int _tmain(int argc, _TCHAR* argv[])
{
	
	TCHAR *PePatch = _T("C:\\Users\\Administrator\\Desktop\\1.exe");
	DWORD FileOep = GetOep(PePatch);
	
	if (FileOep == 0){
		MessageBoxW(NULL, L"获取FileOep失败!", L"Error", MB_OK);
		return 0;
	}
	//printf("%x", FileOep);


	BOOL Cret;
	Si = { 0 };
	Si.cb = sizeof(STARTUPINFO);
	PROCESS_INFORMATION Pi = { 0 };
	Cret = CreateProcess(PePatch, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &Si, &Pi);
	if (!Cret)
	{
		printf("创建进程失败!\n");
		return 0;
	}
	
	_NtQueryInformationProcess ZwQueryInformationProcess;
	HMODULE hNtDll = LoadLibrary(_T("ntdll.dll"));
	if (hNtDll == NULL){
		MessageBoxW(NULL, L"Ntdll加载失败!", L"Error", MB_OK);
		return 0;
	}
	ZwQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(hNtDll,"NtQueryInformationProcess");

	if (ZwQueryInformationProcess == NULL) {
		MessageBoxW(NULL, L"ZwQueryInformationProcess地址获取失败!", L"Error", MB_OK);
		FreeLibrary(hNtDll);
		return 0;
	}
	//printf("%x", ZwQueryInformationProcess);
	PROCESS_BASIC_INFORMATION Peb;
	ZwQueryInformationProcess(Pi.hProcess, NULL, (PVOID)&Peb, sizeof(Peb), NULL);
	//printf("%x", Peb.PebBaseAddress);
	DWORD	PebImaggeBase = Peb.PebBaseAddress + 8;
	BOOL ModuleRet;
	LPVOID ModuleBase = new int;
	ModuleRet = ReadProcessMemory(Pi.hProcess, LPCVOID(PebImaggeBase), ModuleBase, 4, NULL);
	if (ModuleRet == 0)
	{
		MessageBoxW(NULL, L"ModuleBase获取失败!", L"Error", MB_OK);
		return 0;
	}
	DWORD MemOep = *((PDWORD)ModuleBase) + FileOep;
	delete ModuleBase;
	//printf("%x", MemOep);

	BOOL bRet = FALSE;
	BYTE szEntryPointData[2] = { 0 };
	bRet = ReadProcessMemory(Pi.hProcess, (LPVOID)MemOep, szEntryPointData, 2, NULL);
	if (!bRet)
	{
		printf("读取入口点数据失败!\n");
		return 0;
	}

	WriteProcessMemory(Pi.hProcess, (LPVOID)MemOep, "\xEB\xFE", 2, NULL);
	if (!bRet)
	{
		printf("写入到入口点数据失败!\n");
		return 0;
	}

	ResumeThread(Pi.hThread);
	CONTEXT Context;
	Context.ContextFlags = 65543;
	GetThreadContext(Pi.hThread, &Context);
	while (Context.Eip != MemOep)
	{
		Sleep(50);
		GetThreadContext(Pi.hThread, &Context);
	}
	SuspendThread(Pi.hThread);

	DWORD dApiAddress = (DWORD)GetProcAddress(GetModuleHandle(TEXT("User32.dll")), "CreateWindowExA");
	printf("dApiAddress = 0x%08x\n", dApiAddress);

	BYTE szApiAddressData[2] = { 0 };

	bRet = ReadProcessMemory(Pi.hProcess, (LPVOID)dApiAddress, szApiAddressData, 2, NULL);
	if (!bRet)
	{
		printf("读API数据失败\n");
		return 0;
	}

	bRet = WriteProcessMemory(Pi.hProcess, (LPVOID)dApiAddress, "\xEB\xFE", 2, NULL);
	if (!bRet)
	{
		printf("写API地址数据失败\n");
		return 0;
	}

	bRet = WriteProcessMemory(Pi.hProcess, (LPVOID)MemOep, szEntryPointData, 2, NULL);
	if (!bRet)
	{
		printf("写API地址数据失败\n");
		return 0;
	}


	ResumeThread(Pi.hThread);
	GetThreadContext(Pi.hThread, &Context);
	while (Context.Eip != dApiAddress)
	{
		Sleep(50);
		GetThreadContext(Pi.hThread, &Context);
	}
	SuspendThread(Pi.hThread);


	//写补丁数据

	LPVOID Address = (LPVOID)0x0040100C;
	BYTE Data[] = {0xC3};
	DWORD Datasize = sizeof(Data);
	WriteProcessMemory(Pi.hProcess, Address, (LPVOID)Data, Datasize, NULL);

	WriteProcessMemory(Pi.hProcess, (LPVOID)dApiAddress, szApiAddressData, 2, NULL);
	ResumeThread(Pi.hThread);
	CloseHandle(Pi.hThread);
	CloseHandle(Pi.hProcess);


	/*
	DWORD dOldProtect = 0;
	VirtualProtectEx(Pi.hProcess, (LPVOID)0x004010FD, Datasize, PAGE_EXECUTE_READWRITE, &dOldProtect);
	if (WriteProcessMemory(Pi.hProcess, (LPVOID)0x004010FD, (LPVOID)bPatchData, Datasize, NULL) == FALSE)
	{
		printf("写补丁失败,错误码:%d\n", GetLastError());
	}
	VirtualProtectEx(Pi.hProcess, (LPVOID)0x004010FD, Datasize, dOldProtect, &dOldProtect);
	*/
	getchar();
	
	return 0;


}

免费评分

参与人数 2吾爱币 +6 热心值 +2 收起 理由
wmsuper + 3 + 1 膜拜R大佬!
朱朱你堕落了 + 3 + 1 膜拜R大佬!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

朱朱你堕落了 发表于 2020-12-14 12:45
其实我感觉这和inline hook没有啥关系,大家都这么叫,就这么叫了。
lyliucn 发表于 2020-12-14 13:19
aaa0827 发表于 2020-12-14 14:01
云柔猫猫 发表于 2020-12-14 14:26
感谢R大佬
Dowson 发表于 2020-12-14 14:33
沙发坐一坐,谢谢楼主分享,日常回贴,一来可以升级,二来也可以赚经验。
kaninai 发表于 2020-12-14 22:10
感谢R大佬
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-25 22:49

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表