通過C語言編寫一個DLL文件和一個EXE文件，其中DLL包含作弊功能沈贝，運行EXE后將DLL注入游戲咳短，使得游戲僅靠自身進程便可以實現(xiàn)作弊功能。

對象分析

要用的API函數(shù)簡單介紹

編寫測試效果

總體評價

對象分析

注：本次游戲對象為Super Mario XP

沒有更新所以可用任意版本 砰粹，

試玩發(fā)現(xiàn)人物血量最大為10唧躲，心最大為99，命最大為99碱璃。

要用的API函數(shù)簡單介紹

HANDLE CreateThread(LPSECURITYATTRIBUTES, SIZET, LPTHREADSTARTROUTINE, LPVOID, DWORD ,LPDWORD

CreateThread 將在主線程的基礎上創(chuàng)建一個新線程

LPVOID VirtualAllocEx(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);

VirtualAllocEx 向指定進程申請內(nèi)存弄痹，其中flAllocationType取值MEM_COMMIT表示寫入物理存儲而非磁盤交換內(nèi)存

FARPROC GetProcAddress(HMODULE hModule, LPCSTR);

GetProcAddress 檢索指定的動態(tài)鏈接庫(DLL)中的輸出庫函數(shù)地址

HANDLE CreateRemoteThread(HANDLE, LPSECURITYATTRIBUTES, SIZET, LPTHREADSTARTROUTINE, LPVOID, DWORD, LPDWORD);

CreateRemoteThread 創(chuàng)建一個在其它進程地址空間中運行的線程

編寫測試效果

打開游戲

運行外掛

打開注入器Injecter，注入器注入DLL后自動退出嵌器，僅剩下游戲肛真，此時游戲已具備作弊效果(鎖定血量)

檢測有效

//

// 04簡單DLL注入游戲(作弊模塊DLL部分)

// C/C++

//

#include

#defineDllfuncitonextern"C" __declspec(dllexport)//以C方式導出

Dllfuncitonvoid lockdata();

Dllfunciton DWORD WINAPI inject(LPVOID);

void lockdata(){

while(true){

DWORD hp =10;

DWORD heart =99;

DWORD life =99;

DWORD addr3 =0x004282a2;

DWORD res =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr,&hp,4,0);//寫入自身修改游戲數(shù)據(jù)

DWORD res2 =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr2,&heart,4,0);

DWORD res3 =WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)addr3,&life,4,0);

Sleep(1000);

}

}

DWORD WINAPI inject(LPVOID){

lockdata();

returntrue;

}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){

switch(ul_reason_for_call){

case DLL_PROCESS_ATTACH:{

::DisableThreadLibraryCalls(hModule);//創(chuàng)建線程包含死循環(huán)，為防卡死必須設置

CreateThread(NULL,0, inject, NULL,0, NULL);

}

break;

case DLL_THREAD_ATTACH:

case DLL_THREAD_DETACH:

case DLL_PROCESS_DETACH:

break;

default:;

}

returntrue;

}

//

// 04簡單DLL注入游戲(注入器EXE部分)

// C/C++

//

#include

#include

#include

#include

usingnamespace std;

HWND hwnd = NULL;

DWORD processid = NULL;

HANDLE hprocess = NULL;

PVOID procdlladdr = NULL;

char dllname[25]="cheatDLL";

char loadfunc[25]="LoadLibraryA";

FARPROC loadfuncaddr = NULL;

HANDLE hfile;

void getwindow(){

hwnd =::FindWindow(NULL,"Super Mario XP");

if(hwnd == NULL)

MessageBox(NULL,"找不到游戲","錯誤", MB_OK);

GetWindowThreadProcessId(hwnd,&processid);

hprocess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,processid);

if(hprocess == NULL)

MessageBox(NULL,"打開游戲失敗","錯誤", MB_OK);

}

void inject(){

int size = strlen(dllname)+5;

procdlladdr =::VirtualAllocEx(hprocess, NULL, size, MEM_COMMIT, PAGE_READWRITE);//向目標申請空間爽航，得到新空間地址

if(procdlladdr == NULL)

MessageBox(NULL,"申請空間失敗","錯誤", MB_OK);

DWORD writenum;

::WriteProcessMemory(hprocess, procdlladdr, dllname, size,&writenum);//向新空間寫入要注入的DLL名稱

loadfuncaddr =::GetProcAddress(::GetModuleHandle("kernel32.dll"), loadfunc);//獲得LoadLibraryA的地址,在任何進程空間都一樣

HANDLE hthread =::CreateRemoteThread(hprocess, NULL,0,(LPTHREAD_START_ROUTINE)loadfuncaddr,(LPVOID)procdlladdr,0, NULL);

//新建線程執(zhí)行LoadLibrary參數(shù)是已在目標進程新空間寫入的DLL名稱,注意這個函數(shù)在64位下無法成功

::WaitForSingleObject(hthread, INFINITE);

::CloseHandle(hthread);

::CloseHandle(hprocess);

}

int main(){

getwindow();

inject();

return0;

}

DLL注入可使作弊模塊在程序自身“名義”下進行作弊蚓让，提高作弊成功率，然而載入的DLL容易被DLL檢測發(fā)現(xiàn)讥珍。