A Brief Analysis of QQ三国 (QQ Three Kingdoms)

Source: Internet  Editor: 程序博客网  Time: 2024/04/28 10:35
The QQSG window is hard to find, and WinIO's driver-level keyboard simulation has been blocked. I tried changing the internal function names in WINIO.DLL, but it made no difference. After QQSG starts it creates two windows: "QQSG", which is hidden but whose handle can be obtained, and "QQ三国", which is not hidden but whose handle cannot be obtained. PostMessage(), FindWindow(), SendMessage(), keybd_event() and similar functions have all been tampered with and none of them work. Spy++ cannot find the QQ三国 window; I suspect TX (Tencent) draws the QQSG window directly with DirectX and has thereby altered the Windows windowing mechanism. The EnumWindows() API cannot enumerate the QQSG window. I cannot open the QQSG process with CE; the process is protected and a DLL cannot be injected.

I suspect its "QQSG" window is a memory copy of "QQ三国". Although "QQ三国"'s memory cannot be read, I found the character's HP and MP values in "QQSG"'s memory: they are identical, and when the character levels up the values in memory change together with the in-game values, but modifying "QQSG"'s memory does not affect "QQ三国"'s memory. I don't know what TX gains by keeping a memory copy; maybe it is meant to mislead everyone into finding the wrong memory addresses.

Obtaining the PID (process ID) and TID (thread ID) is important, because it has to match QQSG's process ID, and only after getting its TID can the window handle be obtained. Since Tencent has tampered with the APIs, the only way is to reload the system DLLs, but I ran into a problem: why can the function entry points no longer be found after a system DLL is renamed? I hope an expert can advise; I would be extremely grateful.

-----------------------------------------------------------------------------------------------------

However, I was able to get QQSG's PID with ICEWORD, and I came up with an approach for getting the QQSG window:

1. Use LoadLibrary to force-load "user32.dll" and "kernel32.dll". A dedicated class module has to be written for this, otherwise LoadLibrary errors out. The purpose is to try to get around Tencent's function-blocking mechanism (thanks to a foreign developer's work, which saved a lot of effort).

2. Enumerate all windows, call GetWindowThreadProcessId to obtain the IDs of all of the process's threads by PID, then get thread handles from the thread IDs, then get the QQSG window handle from the thread handles. Getting the QQ三国 window handle from the PID is basically not realistic.

Here I hit a problem: after using the foreign module, the pid parameter of GetWindowThreadProcessId is not returned, and that PID is what I need. With GetWindowThreadProcessId(hwnd, pid) I cannot get pid, only the thread's TID. Could an expert please help me fix it? Code attached.
---------------------------------------------------------------------------------------------------
My code:

Form1:

Option Explicit

Private Sub Form_Load()
    ' Load the class module that wraps the DLL
    Set FCall = New cFuncCall
    ' Enumerate all windows
    FCall.LibraryName = "user32.dll"
    FCall.FunctionName = "EnumWindows"
    ' AddressOf cannot be passed straight into a ParamArray argument,
    ' so it goes through the ProcPtr helper in Module1
    FCall.CallFunction ProcPtr(AddressOf EnumWindowsProc), 0
    'Call EnumWindows(AddressOf EnumWindowsProc, 0)
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Unload the class module
    Set FCall = Nothing
End Sub

----------------------------------------------------------------------------------------------------
Module 1:

Option Explicit

' Shared instance used by Form1; the callback below uses its own instance
Public FCall As cFuncCall

' OpenThread access right THREAD_SUSPEND_RESUME (0x0002); it was not declared
Public Const THREAD_SUSPEND_RESUME As Long = &H2

' Passes a procedure address through as a Long, so that AddressOf can
' reach CallFunction's ParamArray argument
Public Function ProcPtr(ByVal lpfn As Long) As Long
    ProcPtr = lpfn
End Function

Function EnumWindowsProc(ByVal hwnd As Long, ByVal lParam As Long) As Long
    Dim pid As Long
    Dim tid As Long      ' thread ID
    Dim thwnd As Long    ' thread handle
    Dim cb As cFuncCall
    ' A separate instance: calling FCall here would ReDim the code buffer
    ' that the outer EnumWindows thunk is still executing from
    Set cb = New cFuncCall
    cb.LibraryName = "user32.dll"
    cb.FunctionName = "GetWindowThreadProcessId"
    ' The second argument is an LPDWORD. CallFunction copies every argument
    ' with CLng(), so the address of pid must be passed, not its value;
    ' passing pid itself is why the PID never came back
    tid = cb.CallFunction(hwnd, VarPtr(pid))
    cb.LibraryName = "kernel32.dll"
    cb.FunctionName = "OpenThread"
    thwnd = cb.CallFunction(THREAD_SUSPEND_RESUME, 0, tid)
    If thwnd Then
        ' Release the thread handle so it is not leaked for every window
        cb.FunctionName = "CloseHandle"
        cb.CallFunction thwnd
    End If
    Form1.Text1.Text = Form1.Text1.Text & CStr(pid) & vbCrLf
    EnumWindowsProc = 1   ' non-zero: continue enumerating
End Function

-------------------------------------------------------------------------------------------------
The foreign module, cFuncCall.cls:

Option Explicit

Public Enum DECLSPEC
    eStdCall
    eCDecl
End Enum

Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpDest As Any, lpSource As Any, ByVal cBytes As Long)

Private m_lParameters() As Long   ' list of parameters
Private m_lpFn As Long            ' address of function to call
Private m_abCode() As Byte        ' buffer for assembly code
Private m_lCP As Long             ' used to keep track of latest byte added to code
Private m_hLib As Long
Private m_CallType As DECLSPEC

Public Property Let LibraryName(ByVal sData As String)
    If m_hLib Then FreeLibrary m_hLib
    m_hLib = LoadLibrary(sData)
    If m_hLib = 0 Then MsgBox "Can not find library " & Chr(34) & sData & Chr(34), vbCritical, "Function call error"
End Property

Public Property Let FunctionName(ByVal sData As String)
    Dim sMsg As String
    m_lpFn = GetProcAddress(m_hLib, sData)
    If m_lpFn = 0 Then
        sMsg = "Can not find function entry point for " & Chr(34) & sData & Chr(34)
        sMsg = sMsg & vbCrLf & "Note: function names are case sensitive, check your function spelling!"
        MsgBox sMsg, vbCritical, "Function call error"
    End If
End Property

Public Property Let CallType(ByVal lData As DECLSPEC)
    m_CallType = lData
End Property

Public Function CallFunction(ParamArray FuncParams()) As Long
    Dim i As Long
    If m_lpFn = 0 Then
        MsgBox "Function not defined!", vbCritical, "Call function error"
        Exit Function
    End If
    ReDim m_abCode(0)
    ReDim m_lParameters(UBound(FuncParams) + 1)
    ReDim m_abCode(18 + 32 + 6 * UBound(m_lParameters))
    ' Every argument is copied by value as a Long; pointer arguments
    ' therefore have to be passed as VarPtr(variable) by the caller
    For i = 1 To UBound(m_lParameters)
        m_lParameters(i) = CLng(FuncParams(i - 1))
    Next i
    CallFunction = CallWindowProc(PrepareCode, 0, 0, 0, 0)
    m_lpFn = 0
End Function

Private Function PrepareCode() As Long
    Dim i As Long, codeStart As Long
    codeStart = GetAlignedCodeStart(VarPtr(m_abCode(0)))
    m_lCP = codeStart - VarPtr(m_abCode(0))
    For i = 0 To m_lCP - 1
        m_abCode(i) = &HCC
    Next
    PrepareStack
    For i = UBound(m_lParameters) To 1 Step -1
        AddByteToCode &H68   ' push wwxxyyzz
        AddLongToCode m_lParameters(i)
    Next
    AddCallToCode m_lpFn
    If m_CallType = eCDecl Then ClearStack
    AddByteToCode &HC3
    AddByteToCode &HCC
    PrepareCode = codeStart
End Function

Private Sub AddCallToCode(ByVal dwAddress As Long)
    AddByteToCode &HE8
    AddLongToCode dwAddress - VarPtr(m_abCode(m_lCP)) - 4
End Sub

Private Sub AddLongToCode(ByVal lng As Long)
    Dim i As Integer
    Dim byt(3) As Byte
    CopyMemory byt(0), lng, 4
    For i = 0 To 3
        AddByteToCode byt(i)
    Next
End Sub

Private Sub AddByteToCode(ByVal byt As Byte)
    m_abCode(m_lCP) = byt
    m_lCP = m_lCP + 1
End Sub

Private Function GetAlignedCodeStart(ByVal dwAddress As Long) As Long
    GetAlignedCodeStart = dwAddress + (15 - (dwAddress - 1) Mod 16)
    If (15 - (dwAddress - 1) Mod 16) = 0 Then GetAlignedCodeStart = GetAlignedCodeStart + 16
End Function

Private Sub PrepareStack()
    AddByteToCode &H58   ' pop eax -  pop return address
    AddByteToCode &H59   ' pop ecx -  kill hwnd
    AddByteToCode &H59   ' pop ecx -  kill wmsg
    AddByteToCode &H59   ' pop ecx -  kill wParam
    AddByteToCode &H59   ' pop ecx -  kill lParam
    AddByteToCode &H50   ' push eax - put return address back
End Sub

Private Sub ClearStack()
    Dim i As Long
    For i = 1 To UBound(m_lParameters)
        AddByteToCode &H59   ' pop ecx - remove params from stack
    Next
End Sub

Private Sub Class_Initialize()
    m_CallType = eStdCall
End Sub

Private Sub Class_Terminate()
    If m_hLib Then FreeLibrary m_hLib
End Sub

-----------------------------------------------------------------------------------------------------
The above is the foreign module. Could an expert please help modify it so that the parameter information in FCall.CallFunction(hwnd, pid) gets passed back out? I haven't done much VB and only use it occasionally. Thanks.
-----------------------------------------------------------------------------------------------------