游戏注入教程(一)--远程线程注入


一、我们新建一个win32的dll,用来注入到游戏进程当中,注入成功的时候,会提示“注入成功”,而且提示注入到哪个窗口。

代码如下:

// dllmain.cpp : entry point of the demo DLL.
//
// The DLL has no logic of its own beyond showing a message box that names
// the top-level window of whichever process loaded it. From a defender's
// point of view the observable events are the image load of this module in
// a process that never referenced it, and (on the injector side) the remote
// thread that triggered that load.
#include "stdafx.h"

// EnumWindows callback: finds the first top-level window (no parent) owned
// by the process id that lParam points to.
//
// lParam is used with two different types: it is read as a DWORD* (the
// process id) and, on a match, written as an HWND* (the result) into the
// same storage. HWND is pointer-sized, so on a 64-bit build this store is
// wider than the 4-byte DWORD the caller actually passed — see the note in
// GetMainWindow.
//
// Returns FALSE to stop the enumeration once a match was stored, TRUE to
// keep enumerating.
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    DWORD dwCurProcessId = *((DWORD*)lParam);
    DWORD dwProcessId = 0;
    GetWindowThreadProcessId(hwnd, &dwProcessId);
    if (dwProcessId == dwCurProcessId && GetParent(hwnd) == NULL)
    {
        // Overwrites the caller's DWORD with the HWND (type-punned result slot).
        *((HWND *)lParam) = hwnd;
        return FALSE;
    }
    return TRUE;
}

// Returns the first top-level window belonging to the current process, or
// NULL when none was found.
//
// Relies on EnumWindows returning FALSE when the callback stopped the
// enumeration; by then the callback has replaced dwCurrentProcessId with
// the matching HWND, which is what the cast hands back.
//
// NOTE(review): dwCurrentProcessId is a 4-byte DWORD but receives a
// pointer-sized HWND from the callback, so on x64 the callback writes past
// the variable and the returned handle is truncated. A separate HWND output
// variable (e.g. a small struct passed through lParam) would avoid both
// problems; left unchanged here.
HWND GetMainWindow()
{
    DWORD dwCurrentProcessId = GetCurrentProcessId();
    if (!EnumWindows(EnumWindowsProc, (LPARAM)&dwCurrentProcessId))
    {
        return (HWND)dwCurrentProcessId;
    }
    return NULL;
}

// DLL entry point. Shows a message box on process attach ("injection
// succeeded") and on process detach ("injection unloaded"), each titled with
// the caption of the host process's main window.
//
// The window lookup and GetWindowText run for every reason code, including
// DLL_THREAD_ATTACH / DLL_THREAD_DETACH, even though only the two process
// cases use the result.
//
// NOTE(review): DllMain runs under the loader lock; calling into user32
// (GetWindowText, MessageBox) from here is outside what the documented
// DllMain restrictions allow and can deadlock the host. For a demo it
// usually works, but it is not safe in general.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
    HWND hWnd = GetMainWindow(); // window of the process that loaded us
    TCHAR windowText[1024];
    ::GetWindowText(hWnd, windowText,1024); // caption of that window, used as the message text
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(hWnd,windowText,L"注入成功",MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(hWnd, windowText, L"卸载注入", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}


二、创建一个exe程序,用来把dll注入到目标进程中

/************************************************************************/
/* Enable SeDebugPrivilege on the current process's token.              */
/*                                                                      */
/* This is the first event a defender can observe: a privilege          */
/* adjustment followed by a cross-process OPEN with PROCESS_ALL_ACCESS.  */
/* The enclosing function is not visible here; it returns void (bare    */
/* `return;`) and is presumably an MFC handler (AfxMessageBox, _T).     */
/************************************************************************/
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
    AfxMessageBox(_T("OpenProcessToken error"));
    return;
}
// NOTE(review): on failure this only reports and falls through, so `luid`
// is used uninitialised below; the other error branches all return.
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
    AfxMessageBox(_T("LookupPrivilege error!"));
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
{
    AfxMessageBox(_T("AdjustTokenPrivileges error!"));
    return;
}
// NOTE(review): hToken is never closed on any path (handle leak).
/************************************************************************/
/* Open the target process, located by its window title.                */
/************************************************************************/
HWND hwnd = ::FindWindow(NULL, _T("Injected"));
if (hwnd == NULL) {
    AfxMessageBox(_T("not finded"));
    return;
}
DWORD processId;
DWORD dRet = ::GetWindowThreadProcessId(hwnd, &processId);
if (dRet == 0) {
    AfxMessageBox(_T("not open process"));
    return;
}
// NOTE(review): hProcess is not checked for NULL before being used below,
// and it is never closed.
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
/************************************************************************/
/* Reserve memory in the target and copy the DLL path into it.          */
/* The path is a hard-coded, build-specific ANSI string; it must match   */
/* the LoadLibraryA call below (ANSI, not TCHAR).                        */
/************************************************************************/
char* dllPath = "G:\\MFC\\PRO\\InjectTool\\Debug\\my.dll";
char* memAddr = (char*)::VirtualAllocEx(hProcess,NULL, strlen(dllPath)+1, MEM_COMMIT, PAGE_READWRITE);
if (memAddr == NULL) {
    AfxMessageBox(_T("VirtualAllocEx failed"));
    return;
}
BOOL bRet = ::WriteProcessMemory(hProcess, (LPVOID)memAddr, (LPVOID)dllPath, strlen(dllPath) + 1,NULL);
if (bRet == FALSE) {
    AfxMessageBox(_T("WriteProcessMemory failed"));
    return;
}
/************************************************************************/
/* Resolve LoadLibraryA in *this* process and reuse the address in the   */
/* target. The original comment claimed the address is "fixed in every  */
/* program"; that is not true in general — it only holds while both     */
/* processes share the same kernel32 mapping, which ASLR re-bases per   */
/* boot session, so treat it as an assumption rather than a guarantee.  */
/************************************************************************/
PTHREAD_START_ROUTINE pfnLibAddr= (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")),"LoadLibraryA");
if (pfnLibAddr == NULL) {
    AfxMessageBox(_T("loadlibrary failed"));
    return;
}
/************************************************************************/
/* Start a thread in the target whose entry point is LoadLibraryA with  */
/* the written path as its argument. This cross-process thread creation */
/* is the classic injection primitive and the event that EDR / Sysmon    */
/* (Event ID 8, CreateRemoteThread) and ETW-TI telemetry are built to    */
/* flag.                                                                */
/************************************************************************/
HANDLE hRet = ::CreateRemoteThread(hProcess, NULL, 0, pfnLibAddr, memAddr, 0, NULL);
if (hRet == NULL) {
    AfxMessageBox(_T("CreateRemoteThread failed"));
    return;
}
// NOTE(review): the thread handle hRet is never waited on or closed, so
// LoadLibrary's success in the target is never checked and the handle leaks.
