- 注册时间
- 2022-8-23
- 最后登录
- 2024-3-6
- 在线时间
- 2 小时
编程入门
- 天马币
- 24
|
之前写辅助都用的是网上的帖子HOOK目标程序的send和recv,然后采用WriteProcessMemory替换我们的函数和Windows API函数,不断的来回切换,这个其实数据密集的时候容易出错也不稳定,不提倡!并且代码输写很容易出错。这里我贴出我自己写过的HOOK库,用过攻城略地和大皇帝等等游戏,均通过测试,非常之稳定- 把MHOOK封装成动态链接库,直接调用DLL文件进行HOOK目标函数,也可以实现远程注入。
- 并且不会被游戏反辅助发觉。动态链接库代码如下:
- #ifdef _M_IX86
- #define _M_IX86_X64
- #elif defined _M_X64
- #define _M_IX86_X64
- #endif
- BOOL Mhook_SetHook(PVOID *ppSystemFunction, PVOID pHookFunction);
- BOOL Mhook_Unhook(PVOID *ppHookedFunction);
- #define MHOOKS_MAX_SUPPORTED_HOOKS 64
- 我这里只针对HOOK socket的send和recv
- #include "stdafx.h"
- #include "mhook-lib/mhook.h"
- extern mhook_func _msend;
- extern mhook_func _mrecv;
- extern mhook_func _mwsend;
- extern mhook_func _mwrecv;
- //ppSystemFunction为系统API,pHookFunction为自己定义的API
- BOOL t001(PVOID *ppSystemFunction, PVOID pHookFunction)
- {
- return Mhook_SetHook(ppSystemFunction,pHookFunction);
- }
- //pHookFunction为自己定义的API
- BOOL t002(PVOID *ppHookedFunction)
- {
- return Mhook_Unhook(ppHookedFunction);
- }
- //设置1.0函数地址
- BOOL t003(mhook_func pHookSendFunc,mhook_func pHookRecvFuc)
- {
- _msend = pHookSendFunc;
- _mrecv = pHookRecvFuc;
- return TRUE;
- }
- //设置2.0函数地址
- BOOL t004(mhook_func pHookSendFunc,mhook_func pHookRecvFuc)
- {
- _mwsend = pHookSendFunc;
- _mwrecv = pHookRecvFuc;
- return TRUE;
- }
- DLL入口文件
- #include "stdafx.h"
- #include "mhook-lib/mhook.h"
- #include
- //////////////封包函数//////////////
- static void GT_WriteReleaseLog(char* str,char* path="C:\mk.log")
- {
- HANDLE hFile = CreateFileA(path, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
- if(hFile == NULL)
- return;
- //设置文件中进行读写的当前位置
- _llseek((HFILE)hFile,0, SEEK_END);
- DWORD dw;
- WriteFile(hFile,str,strlen(str),&dw,NULL);
- _lclose((HFILE)hFile);
- }
- HMODULE hMod = LoadLibraryA("Ws2_32");
- //1.0
- typedef int (WINAPI *_send)(SOCKET s, const char *buf, int len, int flags);
- typedef int (WINAPI *_recv)(SOCKET s, char *buf, int len, int flags);
- _send g_trueSend = (_send)GetProcAddress(hMod,"send");
- _recv g_trueRecv = (_recv)GetProcAddress(hMod,"recv");
- //2.0
- typedef int (WINAPI *_wsend)(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
- LPDWORD lpNumberOfBytesSent,DWORD dwFlags, LPWSAOVERLAPPED lpOverlapped,
- LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);
- typedef int (WINAPI *_wrecv)(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
- LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, LPWSAOVERLAPPED lpOverlapped,
- LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);
- _wsend g_trueWSend = (_wsend)GetProcAddress(hMod,"WSASend");
- _wrecv g_trueWRecv = (_wrecv)GetProcAddress(hMod,"WSARecv");
- mhook_func _msend = NULL;
- mhook_func _mrecv = NULL;
- mhook_func _mwsend = NULL;
- mhook_func _mwrecv = NULL;
- /**
- 参数描述:
- SOCKET s 发送端套接字描述符
- const char *buf 应用程序要发送的数据的缓冲区(想要发送的数据)
- int len 实际要发送的字节数
- int flags 一般置为0即可
- 如果没有错误发生,send将返回的总字节数发送
- */
- int WINAPI hook_send(SOCKET s, const char *buf, int len, int flags)
- {
- int ret = g_trueSend(s,buf,len,flags);
- if (ret > 0)
- {
- char *temp = new char[ret];
- memcpy_s(temp,ret,buf,ret);
- if(_msend != NULL)
- _msend(s,temp,ret);
- delete temp;
- }
- return ret;
- }
- /**
- 参数描述:
- SOCKET s 发送端套接字描述符
- const char *buf 应用程序存放接收的数据的缓冲区
- int len buf的长度
- int flags 一般置为0即可
- 如果没有错误发生,recv返回的字节数的接收
- */
- int WINAPI hook_recv(SOCKET s, char *buf, int len, int flags)
- {
- int ret = g_trueRecv(s,buf,len,flags);
- if (ret > 0)
- {
- char *temp = new char[ret];
- memcpy_s(temp,ret,buf,ret);
- if(_msend != NULL)
- _mrecv(s,temp,ret);
- delete temp;
- }
- return ret;
- }
- /*
- s:标识一个已连接套接口的描述字。
- lpBuffers:一个指向WSABUF结构数组的指针。每个WSABUF结构包含缓冲区的指针和缓冲区的大小。
- dwBufferCount:lpBuffers数组中WSABUF结构的数目。
- lpNumberOfBytesSent:如果发送操作立即完成,则为一个指向所发送数据字节数的指针。
- dwFlags:标志位。
- lpOverlapped:指向WSAOVERLAPPED结构的指针(对于非重叠套接口则忽略)。
- lpCompletionRoutine:一个指向发送操作完成后调用的完成例程的指针。(对于非重叠套接口则忽略)。
- 若无错误发生且发送操作立即完成,则WSASend()函数返回0
- */
- int WINAPI hook_wsend(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
- LPDWORD lpNumberOfBytesSent,DWORD dwFlags, LPWSAOVERLAPPED lpOverlapped,
- LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
- {
- int ret = g_trueWSend(s,lpBuffers,dwBufferCount,lpNumberOfBytesSent
- ,dwFlags,lpOverlapped,lpCompletionRoutine);
- DWORD len = *lpNumberOfBytesSent;
- if (len > 0)
- {
- char *temp = new char[len];
- memcpy_s(temp,len,lpBuffers->buf,len);
- if(_mwsend != NULL)
- _mwsend(s,temp,len);
- delete temp;
- }
- return ret;
- }
- int WINAPI hook_wrecv(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
- LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, LPWSAOVERLAPPED lpOverlapped,
- LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
- {
- int ret = g_trueWRecv(s,lpBuffers,dwBufferCount,lpNumberOfBytesRecvd,lpFlags
- ,lpOverlapped,lpCompletionRoutine);
- DWORD len = *lpNumberOfBytesRecvd;
- if (len > 0)
- {
- char *temp = new char[len];
- memcpy_s(temp,len,lpBuffers->buf,len);
- if(_mwrecv != NULL)
- _mwrecv(s,temp,len);
- delete temp;
- }
- return ret;
- }
- BOOL APIENTRY DllMain(HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
- {
- switch (ul_reason_for_call)
- {
- case DLL_PROCESS_ATTACH:
- //直接在这里HOOK SEND和RECV函数
- Mhook_SetHook((LPVOID*)&g_trueSend,hook_send);
- Mhook_SetHook((LPVOID*)&g_trueRecv,hook_recv);
- Mhook_SetHook((LPVOID*)&g_trueWSend,hook_wsend);
- Mhook_SetHook((LPVOID*)&g_trueWRecv,hook_wrecv);
- break;
- case DLL_THREAD_ATTACH:
- break;
- case DLL_THREAD_DETACH:
- break;
- case DLL_PROCESS_DETACH:
- //直接在这里UNHOOK SEND和RECV函数)
- Mhook_Unhook((LPVOID*)&g_trueSend);
- Mhook_Unhook((LPVOID*)&g_trueRecv);
- Mhook_Unhook((LPVOID*)&g_trueWSend);
- Mhook_Unhook((LPVOID*)&g_trueWRecv);
- if(hModule != NULL)
- FreeLibrary(hModule);
- break;
- }
- return TRUE;
- }
- 最后加上DEF文件
- LIBRARY
- EXPORTS
- ; 此处可以是显式导出
- t001 @1
- t002 @2
- t003 @3
- t004 @4
|
|
发表于 2024-3-4 09:18:28