Home Explore Help
Register Sign In
MOKA
/
repos_deltae_auxiliary_tool
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 97bd599c3c
Branches Tags
repos_deltae_au...
/
Source
/
Assist
/
Assist
/
Assist.cpp

Assist.cpp 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 
  1. // Assist.cpp : 定义 DLL 应用程序的导出函数。
    2. 

  2. //
    3. 

  3. 

  4. #include "stdafx.h"
    5. 

  5. #include "Assist.h"
    6. 

  6. 

  7. // 8组寄存器存储;
    8. 

  8. BYTE byEAX[8] = {0};
    9. 

  9. BYTE byEBX[8] = {0};
    10. 

  10. BYTE byECX[8] = {0};
    11. 

  11. BYTE byEDX[8] = {0};
    12. 

  12. BYTE byEBP[8] = {0};
    13. 

  13. BYTE byESP[8] = {0};
    14. 

  14. BYTE byESI[8] = {0};
    15. 

  15. BYTE byEDI[8] = {0};
    16. 

  16. 

  17. DWORD dwEAX = 0;
    18. 

  18. DWORD dwEBX = 0;
    19. 

  19. DWORD dwECX = 0;
    20. 

  20. DWORD dwEDX = 0;
    21. 

  21. DWORD dwEBP = 0;
    22. 

  22. DWORD dwESP = 0;
    23. 

  23. DWORD dwESI = 0;
    24. 

  24. DWORD dwEDI = 0;
    25. 

  25. 

  26. // 新的Call;
    27. 

  27. BYTE byNewCall[5] = {0};
    28. 

  28. 

  29. // 旧的Call备份;
    30. 

  30. BYTE byOldCall[5] = {0};
    31. 

  31. 

  32. void __declspec(naked) Call_MySaveAsOutputData()
    33. 

  33. {
    34. 

  34.     //004AB3FC
    35. 

  35.     __asm {
    36. 

  36.         // 保存寄存器;
    37. 

  37.         mov dwEAX, EAX;
    38. 

  38.         mov dwEBX, EBX;
    39. 

  39.         mov dwECX, ECX;
    40. 

  40.         mov dwEDX, EDX;
    41. 

  41.         mov dwEBP, EBP;
    42. 

  42.         mov dwESP, ESP;
    43. 

  43.         mov dwESI, ESI;
    44. 

  44.         mov dwEDI, EDI;
    45. 

  45.         // my call
    46. 

  46.         mov eax,0x004AB3FC
    47. 

  47.         mov dl,1
    48. 

  48.         call dword ptr[eax]
    49. 

  49.         // 恢复寄存器; 
    50. 

  50.         mov EAX, dwEAX;
    51. 

  51.         mov EBX, dwEBX;
    52. 

  52.         mov ECX, dwECX;
    53. 

  53.         mov EDX, dwEDX;
    54. 

  54.         mov EBP, dwEBP;
    55. 

  55.         mov ESP, dwESP;
    56. 

  56.         mov ESI, dwESI;
    57. 

  57.         mov EDI, dwEDI;
    58. 

  58.         // 返回
    59. 

  59.         ret
    60. 

  60.     }
    61. 

  61. }
    62. 

  62. 

  63. 

  64. DWORD dwGoNextAddr = 0x00417B2A;
    65. 

  65. void __declspec(naked) MyGo()
    66. 

  66. {
    67. 

  67.     // 备份寄存器;
    68. 

  68.     __asm{
    69. 

  69.         // 保存寄存器;
    70. 

  70.         mov dwEAX, EAX;
    71. 

  71.         mov dwEBX, EBX;
    72. 

  72.         mov dwECX, ECX;
    73. 

  73.         mov dwEDX, EDX;
    74. 

  74.         mov dwEBP, EBP;
    75. 

  75.         mov dwESP, ESP;
    76. 

  76.         mov dwESI, ESI;
    77. 

  77.         mov dwEDI, EDI;
    78. 

  78.     }
    79. 

  79. 

  80. 

  81.     MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
    82. 

  82. 

  83. 

  84.     __asm{
    85. 

  85.         // 恢复寄存器; 
    86. 

  86.         mov EAX, dwEAX;
    87. 

  87.         mov EBX, dwEBX;
    88. 

  88.         mov ECX, dwECX;
    89. 

  89.         mov EDX, dwEDX;
    90. 

  90.         mov EBP, dwEBP;
    91. 

  91.         mov ESP, dwESP;
    92. 

  92.         mov ESI, dwESI;
    93. 

  93.         mov EDI, dwEDI;
    94. 

  94.         // 最后返回原Call地址下一行;
    95. 

  95.         jmp dwGoNextAddr;
    96. 

  96.     }
    97. 

  97. }
    98. 

  98. 

  99. // 00417A84
    100. 

  100. // 00417B25 | E8 FA9F0E00          | call demo.501B24                        |
    101. 

  101. void Call_MyGo()
    102. 

  102. {
    103. 

  103.     BYTE szMyCall[5] = {0};
    104. 

  104.     szMyCall[0] = 0xE9; // 硬编码:jmp或call
    105. 

  105.     *(LPDWORD)(&szMyCall[1]) = (DWORD)MyGo - 0x00417B25 - 5;
    106. 

  106. 

  107.     HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    108. 

  108.     // 将要Hook的地址指令备份下来;
    109. 

  109.     if ( !ReadProcessMemory(GetCurrentProcess(), (LPVOID)0x00417B25, byOldCall, 5, NULL) )
    110. 

  110.     {
    111. 

  111.         MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
    112. 

  112.         return;
    113. 

  113.     }
    114. 

  114. 

  115.     // 将我们的Call地址指令写入目标地址;
    116. 

  116.     if ( !WriteProcessMemory(hProc, (LPVOID)0x00417B25, szMyCall, 5, NULL) )
    117. 

  117.     {
    118. 

  118.         MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
    119. 

  119.         return;
    120. 

  120.     }
    121. 

  121. 

  122.     MessageBox(NULL, _T("替换成功"), _T("提示"), MB_OK);
    123. 

  123. }
    124.