前置知识:无痕Hook
上一个内容:51.通过获取数据快速实现一个辅助
以《50.破坏性更小的代码跳转功能完善(无敌+秒杀)》中的代码为基础进行修改
htdHook2.cpp文件里的修改:新加 UnHook、Init、InThread、ThreadTrap函数
#include "pch.h"
#include "htdHook2.h"
// The vectored exception handler receives no user pointer, so the htdHook2
// instance is published through this global (assigned in the htdHook2
// constructor).  Only a single instance is supported: constructing a second
// one silently replaces the pointer the handler dereferences.
htdHook2* htdHook2Ptr;
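// Vectored exception handler shared by every hook point.
//
// Only two kinds of exception can be produced by this framework itself: the
// int3 (0xCC) that SetHook plants (EXCEPTION_BREAKPOINT) and a debug-register
// breakpoint such as the one InThread arms through Dr0/Dr7 (reported as
// EXCEPTION_SINGLE_STEP).  Anything else -- e.g. an access violation that
// happens to fault at a hooked address -- is left to propagate, so a genuine
// crash is never silently swallowed and redirected.
//
// Returns EXCEPTION_CONTINUE_EXECUTION with Eip rewritten when the faulting
// address is a registered point, EXCEPTION_CONTINUE_SEARCH otherwise.
LONG _stdcall PvectoredExceptionHandler(PEXCEPTION_POINTERS val) {
    const DWORD code = val->ExceptionRecord->ExceptionCode;
    if (code != EXCEPTION_BREAKPOINT && code != EXCEPTION_SINGLE_STEP) {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    PCONTEXT ctx = val->ContextRecord;

    // The point is looked up by the faulting Eip with no adjustment, so this
    // relies on Eip pointing at the planted 0xCC / armed address when the
    // handler runs (no "-5 for the call" correction is applied here).
    PHOOKPOINT point = htdHook2Ptr->Points.FindPoint((LPVOID)ctx->Eip);
    if (!point) {
        // Not one of ours: let the exception keep propagating.
        return EXCEPTION_CONTINUE_SEARCH;
    }

    // Snapshot both resume targets BEFORE running the callback.  A callback is
    // allowed to call htdHook2::UnHook on its own point (InThread does exactly
    // that), which deletes the node -- reading point->CodeFix or
    // point->AddressRet afterwards would be a use-after-free.
    const unsigned resumeOriginal = (unsigned)point->CodeFix;
    const unsigned resumeRedirect = (unsigned)point->AddressRet;

    // true  -> continue with the original code (CodeFix)
    // false -> divert to the address the caller supplied (AddressRet)
    const bool runOriginal = point->GetHookBack2()(ctx);
    ctx->Eip = runOriginal ? resumeOriginal : resumeRedirect;

    // Handled: do not pass the exception on to later handlers.
    return EXCEPTION_CONTINUE_EXECUTION;
}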
// Trampoline that exists only to be hooked (see htdHook2::Init).
// The body is real instructions rather than an empty function so the compiler
// keeps it and does not fold or optimise the call away.  The hook length of 2
// passed by Init is presumably the size of the first `mov eax,eax`; keep the
// encoding as it is, because SetHook overwrites the first byte with 0xCC and
// the point's Recover() is expected to put the original byte back.
void ThreadTrap() {
    _asm {
        mov eax,eax
        mov eax,eax
        mov eax,eax
    }
}
// Hook callback installed on ThreadTrap by htdHook2::Init.
//
// Lifts the software breakpoint that just fired and, in the same context,
// arms a debug-register breakpoint instead, so no 0xCC remains in code
// ("traceless" hook).  Returns false, which makes the VEH resume at the
// point's AddressRet rather than at CodeFix.
bool InThread(HOOKREFS2) {
    // Target of the hardware breakpoint and the DR7 control word.  0x455 reads
    // as the reserved bit 10 plus the local-enable bits of slot 0 and, as
    // written, slots 1-3 too (R/W0 = LEN0 = 0: 1-byte execute breakpoint).
    // NOTE(review): only Dr0 is assigned below, so confirm the extra enable
    // bits are intended rather than 0x401.
    const DWORD trapAddress = 0x41FDB2;
    const DWORD dr7Control  = 0x455;

    // Remove the int3 at the site that fired; UnHook presumably restores the
    // original byte via Recover() before freeing the point.
    htdHook2Ptr->UnHook((LPVOID)_EIP);

    // Debug aid: blocks the faulting thread here so a debugger can be attached.
    AfxMessageBox(L"a");

    // Debug registers are per-thread: they are written into the resumed
    // context of the thread that hit the int3.  Whether the dispatcher
    // honours these fields depends on the ContextFlags it used -- TODO confirm.
    val->Dr7 = dr7Control;
    val->Dr0 = trapAddress;

    return false;
}
// Hooks our own trampoline and triggers it immediately.
//
// InThread runs inside the VEH with the calling thread's context; it returns
// false, so execution resumes at AddressRet, which is ThreadTrap itself
// (after UnHook has, presumably, restored its first byte).
//
// NOTE(review): debug registers are per-thread and this executes on whichever
// thread calls Init -- here the button handler in CWndMain.  If that is not
// the game thread that executes 0x41FDB2, the hardware breakpoint armed in
// InThread will never fire.  The original author assumes the caller is the
// game's main thread after injection; confirm that for the click path.
void htdHook2::Init()
{
    SetHook(ThreadTrap, 2, InThread, ThreadTrap);

    // Debug aid (disabled): a MessageBoxA here gives an easy anchor in
    // OllyDbg (Ctrl+G -> MessageBoxA, break on its ret) to step back into
    // this function.
    // MessageBoxA(0, "2", "2", MB_OK);

    // Fire the breakpoint now.  The call goes through a volatile pointer so it
    // stays a real indirect call to ThreadTrap's first (patched) byte.
    void (* volatile trap)() = ThreadTrap;
    trap();
}
// Sets up the point list and registers the process-wide exception handler.
// Order matters: the global must be valid before the handler can run, so the
// handler is registered last.  The returned handle is not kept, so the handler
// is never removed (RemoveVectoredExceptionHandler) and a second instance
// would register a second handler on top of the first.
htdHook2::htdHook2()
{
    // Points is the list head/sentinel; SetHook appends after PPointLast.
    PPointLast = &Points;
    // Publish this instance for the (parameter-less) VEH callback.
    htdHook2Ptr = this;
    // First = 1: run ahead of other vectored handlers.
    AddVectoredExceptionHandler(1, PvectoredExceptionHandler);
}
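// Plants an int3 at Address and registers a hook point for it.
//
// Address    code address to patch (first byte becomes 0xCC)
// len        length handed to the point (presumably the bytes it saves)
// hookBack   callback run by the VEH when the breakpoint fires
// AddressRet where to resume when hookBack returns false
//
// The header declares this void, so a failure cannot be reported; if the page
// cannot be made writable the hook is simply not installed.  Writing anyway
// would fault, and registering a point with no breakpoint behind it would
// leave a stale node whose Recover() later scribbles over the address.
void htdHook2::SetHook(LPVOID Address, uchar len, HOOKBACK2 hookBack, LPVOID AddressRet)
{
    DWORD dOld = 0;
    if (!VirtualProtect(Address, 0x1, PAGE_EXECUTE_READWRITE, &dOld)) {
        return;
    }

    // Register before patching so AddPonit sees the original bytes
    // (assumed to be saved there for Recover()/CodeFix).
    PPointLast = PPointLast->AddPonit(Address, AddressRet, hookBack, len);

    // int3: the VEH matches the faulting Eip against the registered points.
    static_cast<unsigned char*>(Address)[0] = 0xCC;

    // Put the previous protection back; the out-param is required by the API.
    DWORD dIgnored = 0;
    VirtualProtect(Address, 0x1, dOld, &dIgnored);

    // Self-modifying code: make sure the patched byte is what gets executed.
    FlushInstructionCache(GetCurrentProcess(), Address, 0x1);
}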
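// Restores the code at Address and removes its point from the list.
// Safe to call from inside a hook callback for the callback's own point,
// provided the caller does not touch the point afterwards.
void htdHook2::UnHook(LPVOID Address)
{
    PHOOKPOINT _point = Points.FindPoint(Address);
    if (!_point) {
        return;   // not hooked by us
    }

    // Put the original bytes back before the node goes away.
    _point->Recover();

    // Unlink from the doubly linked list anchored at Points.
    if (_point->BackPoint) _point->BackPoint->NextPoint = _point->NextPoint;
    if (_point->NextPoint) _point->NextPoint->BackPoint = _point->BackPoint;

    // SetHook appends through PPointLast.  If the node being deleted is the
    // tail, PPointLast would dangle and the next SetHook would call AddPonit
    // on freed memory; move it back to the predecessor (the Points sentinel
    // at worst).
    if (PPointLast == _point) {
        PPointLast = _point->BackPoint ? _point->BackPoint : &Points;
    }

    delete _point;
}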
htdHook2.h文件里的修改:
// 当前文件(htdHook2.h)封装了 HOOKPOINT.h 中的函数,用来把拦截点与拦截后的处理函数关联起来,并负责游戏代码的修改与还原
#pragma once
#include "HOOKPOINT.h"
// int3 + vectored-exception-handler based hook manager.
// One instance per process: the VEH reaches it through a global set by the
// constructor.
class htdHook2
{
private:
    // Tail of the point list; SetHook appends after it.
    PHOOKPOINT PPointLast{};
public:
    // Head (sentinel) of the doubly linked list of hook points; the VEH
    // looks points up through it by faulting address.
    HOOKPOINT Points;

    htdHook2();

    // Hooks ThreadTrap from the calling thread and triggers it once.
    void Init();
    // Plants an int3 at Address.  When hookBack returns true execution
    // continues with the original code, otherwise it resumes at AddressRet.
    void SetHook(LPVOID Address, uchar len, HOOKBACK2 hookBack, LPVOID AddressRet=0);
    // Restores the original code at Address and drops its point.
    void UnHook(LPVOID Address);
};
CWndMain.cpp文件里的修改:
// Button 2: arm the self-hook on ThreadTrap and fire it right away
// (see htdHook2::Init).  Note this runs on the thread that handles the
// click, which is the thread whose context InThread will modify.
void CWndMain::OnBnClickedButton2()
{
    // Earlier direct hook on the game address, kept for reference only:
    //hook.SetHook((LPVOID)0x41FDB2, 3, Wudi, (LPVOID)0);
    hook.Init();
}