1、远程注入代码,调用打坐CALL
HANDLE CreateRemoteThread(
HANDLE hProcess, //在指定的进程句柄里创建线程
LPSECURITY_ATTRIBUTES lpThreadAttributes, //安全结构指针 nil
DWORD dwStackSize, // 初始创建线程堆栈大小0
LPTHREAD_START_ROUTINE lpStartAddress,//CALL地址
LPVOID lpParameter, // 给远程CALL 传递的参数 nil
DWORD dwCreationFlags, // 创建标志 0
LPDWORD lpThreadId // 返回创建线程ID@tid
);
LPVOID VirtualAllocEx(
HANDLE hProcess, //进程句柄
LPVOID lpAddress, // 指定分配空间的起始地址
DWORD dwSize, // 分配空间大小
DWORD flAllocationType,
// 分配空间类型
DWORD flProtect // 空间页面访问权限
);
用spy++获取标题:'Element Client
2、远程调用CALL
CreateRemoteThread
ThreadHandle:= CreateRemoteThread(hProcess,nil, 0,打坐CALL地址, nil, 0, 返回远程创建线程ID);
//FindWindow 获取窗口
//GetWindowThreadProcessId //获取窗口的线程TID
//OpenProcess //打开进程 获取进程句柄
//VirtualAllocEx(hProcess,nil,Size,MEM_COMMIT orMEM_RESERVE,PAGE_EXECUTE_READWRITE);
//WriteProcessMemory
//CreateRemoteThread
//WaitForSingleObject
//GetExitCodeThread
//VirtualFreeEx
asm
push 1
mov ecx,$95E800
add ecx,$1C
mov ecx,[ecx] //ecx=Pointer(ecx^)
add ecx,$24 // ecx=ecx+$24
mov ecx,[ecx]
add ecx,$918
mov ecx,[ecx]
add ecx,$14
mov ecx,[ecx]
add ecx,$1C
mov ecx,[ecx]
mov ebx,$452b20
call ebx
end;
var
h:HWND;
tid,hProcess:Thandle;
Calladdr:Pointer;
writeByte:DWORD;
begin
h:=findwindow(nil,'Element Client');
windows.GetWindowThreadProcessId(h,tid);
hProcess:=windows.OpenProcess(windows.PROCESS_ALL_ACCESS,false,tid);
//在游戏进程里分配内存空间
Calladdr:=VirtualAllocEx(hProcess,nil,windows.MAX_PATH,windows.MEM_COMMITOR windows.MEM_RESERVE,windows.PAGE_EXECUTE_READWRITE);
//在游戏内存空间里写入代码
WriteProcessMemory(hProcess,Calladdr,@sitCall,MAX_PATH,writeByte);
//调用远程代码
CreateRemoteThread(hProcess,nil,0,Calladdr,nil,0,writeByte);
VirtualFreeEx(hProcess,nil,windows.MAX_PATH,windows.MEM_COMMITOR windows.MEM_RESERVE);
end;
