windows扫雷注入(1s完成扫雷)


在 Windows 扫雷进程中，利用远线程技术（CreateRemoteThread 以 kernel32!LoadLibraryA 为线程入口、以写入目标进程的 DLL 路径为参数）注入扫雷辅助 DLL。注意：注入程序、DLL 与目标进程的位数（32/64 位）必须一致，DLL 路径须是目标进程能访问到的绝对路径；这也是最经典、最容易被终端监控识别的注入方式，仅适合本机演示。

创建远线程的注入程序如下。调用前先启动扫雷并获取其进程 ID（可作为第一个命令行参数传入，或在无参数运行时按提示输入）：

#include <stdio.h>#include <windows.h>BOOL injectProcess(DWORD processId, char* dllInjected){HANDLE handle,threadHandle;HMODULE hModule;char* remoteString;LPVOID ptrProc;SIZE_T stringLen;DWORD N, remoteThreadId;hModule = GetModuleHandle("kernel32.dll");#ifdef _DEBUGprintf("Hmodule:%d\n",hModule);#endifptrProc = GetProcAddress(hModule, "LoadLibraryA");//获取LoadLibraryA函数的地址#ifdef _DEBUGprintf("ptrProc:%d\n",ptrProc);#endif // _DEBUGhandle = 0;threadHandle = 0;remoteString = NULL;handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE,processId);if (handle == 0){return FALSE;}stringLen = strlen(dllInjected)+1; //dll名长度remoteString = (char*)VirtualAllocEx(handle, NULL, stringLen, MEM_COMMIT, PAGE_READWRITE);//申请分配内存if (remoteString == NULL) {return FALSE;}if (!WriteProcessMemory(handle, remoteString, dllInjected,stringLen, &N))//写入内存{return FALSE;}threadHandle = CreateRemoteThread(handle, NULL, 0, (unsigned long (__stdcall *)(void *))ptrProc, remoteString,0, &remoteThreadId);if (threadHandle == 0){return FALSE;}if (WaitForSingleObject(threadHandle, INFINITE) != WAIT_OBJECT_0){return FALSE;}if (remoteString != NULL){VirtualFree(remoteString, stringLen, MEM_RELEASE);//释放内存}if (threadHandle != 0){CloseHandle(threadHandle);//关闭远线程句柄}if (handle != 0){CloseHandle(handle);//关闭被注入进程}return TRUE;}int main(int argc, char* argv[]){char* dllName = "E:\\VS项目\\attack\\MineModifier\\Debug\\MineModifier.dll";//dll名DWORD processId;if (argc == 1){printf("Input targe process id:");scanf("%d", &processId);}else{#ifdef _DEBUGprintf("process id:%s\n",argv[1]);#endifprocessId = atoi(argv[1]);}if (injectProcess(processId, dllName)){printf("注入成功\n");return 0;}return 1;}

注入的 DLL 路径在注入程序中硬编码为 "E:\\VS项目\\attack\\MineModifier\\Debug\\MineModifier.dll"；在其他机器上使用时需改成本机上该 DLL 的绝对路径（LoadLibraryA 是在目标进程内解析这个路径的）。

该 DLL 在被加载时（DllMain 的 DLL_PROCESS_ATTACH 分支）直接完成全部工作：读取扫雷进程内存中的棋盘数据，把雷的 0/1 分布写入 D:\mine.txt，再对每个非雷方格调用游戏内部的选方格函数将其点开。注意：DllMain 是在加载器锁保护下执行的，在其中弹窗、读写文件并非稳妥做法，更规范的写法是在 DllMain 里只创建一个工作线程去完成这些操作。


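// MineModifier.cpp : Defines the entry point for the DLL application.
//
// Injected into the minesweeper process (see the injector). On load it reads
// the board straight out of the game's memory, dumps the mine layout to a text
// file and then drives the game's own "select cell" routine over every cell
// that is not a mine. Every address below is specific to the 32-bit build the
// author reversed; nothing here validates that the loaded image matches.
#include "stdafx.h"
#include <stdio.h>

// Largest board edge kept in the local grid. Dimensions are read as single
// bytes (<= 255), so larger values are clamped instead of overrunning Rec.
#define MINE_MAX_DIM 100

void WINAPI findMine();

/*
 * DLL entry point. On DLL_PROCESS_ATTACH it announces itself with a message
 * box (the original behaviour) and then runs the solver synchronously.
 *
 * Doing real work -- MessageBox, file I/O, ReadProcessMemory -- inside DllMain
 * runs under the loader lock; it works for this demo because the injector's
 * remote thread is a plain LoadLibraryA call, but the robust shape is to start
 * a worker thread here and let it call findMine(). The original's
 * DLL_PROCESS_DETACH branch called ExitThread(0), which terminates the thread
 * unloading the DLL (or the process-exit thread) in the middle of loader
 * callbacks; that call was removed.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, "远线程创建成功", "信息", MB_ICONINFORMATION);
        findMine();
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/*
 * Scan the board and open every cell that is not a mine.
 *
 * Board data is read through a process handle to the window titled "扫雷"
 * (the original did this even though the DLL lives inside that process; kept,
 * now with the handle checked and closed). The coordinate writes and the call
 * to the game's select routine, however, go to the CURRENT process, so this
 * only works when the DLL really is loaded inside the game.
 *
 * Side effects: writes the 0/1 mine grid to D:\mine.txt when that file can be
 * created (a failed fopen is now tolerated instead of dereferencing NULL), and
 * clicks every non-mine cell. No return value; on any setup failure it returns
 * without touching the game.
 */
void WINAPI findMine()
{
    // Addresses inside the author's minesweeper build (32-bit).
    const DWORD boardAddr  = 0x1005361;  // first playable cell; index i steps 32 bytes, j steps 1
    const DWORD widthAddr  = 0x10056A8;  // horizontal cell count (1 byte)
    const DWORD heightAddr = 0x10056AC;  // vertical cell count (1 byte)
    DWORD xuanzong = 0x10037E1;          // game's "select cell" routine, called via inline asm
    const DWORD xaddr = 0x01005118;      // x coordinate that routine reads
    const DWORD yaddr = 0x0100511c;      // y coordinate that routine reads

    HWND hwnd = ::FindWindow(NULL, "扫雷");
    if (hwnd == NULL) {
        return;  // no game window: nothing to solve
    }
    DWORD targetPid = 0;
    ::GetWindowThreadProcessId(hwnd, &targetPid);
    // Only ReadProcessMemory is used on this handle, so ask for just that
    // (the original requested PROCESS_ALL_ACCESS and never closed the handle).
    HANDLE hProcess = ::OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid);
    if (hProcess == NULL) {
        return;
    }

    // One-byte reads into zero-initialised ints: the counts are at most 255.
    int nx = 0;
    int ny = 0;
    ::ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(widthAddr), &nx, 1, NULL);
    ::ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(heightAddr), &ny, 1, NULL);
    if (nx > MINE_MAX_DIM) nx = MINE_MAX_DIM;  // keep Rec[][] in bounds (original never checked)
    if (ny > MINE_MAX_DIM) ny = MINE_MAX_DIM;

    // Diagnostic dump; optional, so a missing/unwritable D:\ does not abort the solve.
    FILE* file = fopen("D:\\mine.txt", "w");

    // Rec[i][j] == 1 marks a mine. 0x8E / 0x8F are the mine cell values in the
    // author's build; everything else is treated as safe.
    int Rec[MINE_MAX_DIM][MINE_MAX_DIM];
    for (int i = 0; i < nx; i++) {
        for (int j = 0; j < ny; j++) {
            int cell = 0;
            ::ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(boardAddr + i * 32 + j), &cell, 1, NULL);
            Rec[i][j] = (cell == 0x8E || cell == 0x8F) ? 1 : 0;
            if (file != NULL) {
                fprintf(file, "%d ", Rec[i][j]);
            }
        }
        if (file != NULL) {
            fprintf(file, "\n");
        }
    }
    if (file != NULL) {
        fclose(file);
    }
    ::CloseHandle(hProcess);

    // NOTE(review): i steps the 32-byte stride but is bounded by the horizontal
    // count, and i ends up in yaddr while j ends up in xaddr. That is only
    // self-consistent for square boards; verify the row/column roles against
    // the game before relying on this for non-square layouts.
    for (int i = 0; i < nx; i++) {
        for (int j = 0; j < ny; j++) {
            if (Rec[i][j] != 0) {
                continue;  // never click a mine
            }
            // The game uses 1-based coordinates; the original masked to 8 bits.
            const unsigned int x1 = static_cast<unsigned int>(i + 1) & 0x000000FF;
            const unsigned int y1 = static_cast<unsigned int>(j + 1) & 0x000000FF;
            *reinterpret_cast<unsigned int*>(xaddr) = y1;
            *reinterpret_cast<unsigned int*>(yaddr) = x1;
            _asm {
                pushad          ; calling convention of the routine is unknown: save everything
                call xuanzong
                popad
            }
        }
    }
}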