inlineHook 注入

inject.h

#pragma once

#ifndef INJECT_H
#define INJECT_H


int inject_sc();

#endif // !INJECT_H

#include <windows.h>
#include <stdio.h>
#include <iostream>
#include "include/inject.h"
#include <tchar.h>
#include <TlHelp32.h>

using namespace std;


static HANDLE hprocess;

char DllFileName[] = "E:\\codes\\cpp\\66pkscwc\\Debug\\66pkscwc.dll";
DWORD dllPathSize = strlen(DllFileName) + 1;


// 提权函数
BOOL EnableDebugPrivilege()
{
    HANDLE hToken;
    BOOL fOk = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

        fOk = (GetLastError() == ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return fOk;

}




int inject_sc() {
    //点击注入按钮
    wchar_t buff[0x100] = { 0 };
    DWORD weChatProcessId = 0;
    // 1） 遍历系统中的进程，找到进程（CreateToolhelp32Snapshot、Process32Next）
    HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    swprintf_s(buff, L"CreateToolhelp32Snapshot=%p", handle);
    OutputDebugString(buff);
    PROCESSENTRY32  processentry32 = { 0 };
    //这个结构体需要有一个初始值的大小
    processentry32.dwSize = sizeof(processentry32);

    BOOL next = Process32Next(handle, &processentry32);
    while (next == TRUE) {
        if (wcscmp(processentry32.szExeFile, L"starcraft.exe") == 0) {
            //如果这个等于星际争霸可执行文件的名字
            weChatProcessId = processentry32.th32ProcessID;
            break;
        }

        next = Process32Next(handle, &processentry32);

    }
    if (weChatProcessId == 0) {
        MessageBox(NULL, L"没找到星际争霸的进程！", L"错误", MB_OK);
        return false;

    }
    // 2)  打开进程，获得Handle（OpenProcess）
    HANDLE openHandle = OpenProcess(PROCESS_ALL_ACCESS, TRUE, weChatProcessId);

    if (NULL == openHandle) {
        MessageBox(NULL, L"打开星际争霸的进程失败！", L"错误", MB_OK);
        return false;
    }


    // 3)  打开进程中的DLL文件路径字符串申请内存空间（VirtualAllocEx）
    LPVOID allocAddress = VirtualAllocEx(openHandle, NULL, dllPathSize, MEM_COMMIT, PAGE_READWRITE);

    if (NULL == allocAddress) {
        MessageBox(NULL, L"分配内存空间失败！", L"错误", MB_OK);
        return false;
    }
    swprintf_s(buff, L"VirtualAllocEx=%p", allocAddress);
    OutputDebugString(buff);
    // 4)  把DLL文件路径字符串写入到申请的内存空间（WriteProcessMemory）
    BOOL res = WriteProcessMemory(openHandle, allocAddress, DllFileName, dllPathSize, NULL);

    if (res == 0) {
        MessageBox(NULL, L"把DLL文件路径字符串写入到申请的内存空间失败！", L"错误", MB_OK);
        return false;
    }
    // 5)  从kerne32.dll中获取LoadLibraryA的函数地址（GetModuleHandler、GetProcAddress）

    HMODULE hMODULE = GetModuleHandle(L"kernel32.dll");
    FARPROC fARPROC = GetProcAddress(hMODULE, "LoadLibraryA");

    if (NULL == fARPROC) {
        MessageBox(NULL, L" 从kerne32.dll中获取LoadLibraryA的函数地址失败！", L"错误", MB_OK);
        return false;
    }

    // 6)  在启动内存指定了文件名路径诶DLL（CreateRemoteThread）
    //也就是调用DLL中的DLLMain（以DLL_PROCESS_ATTACH）为参数

    HANDLE hANDLE = CreateRemoteThread(openHandle, NULL, 0, (LPTHREAD_START_ROUTINE)fARPROC, allocAddress, 0, NULL);
    if (NULL == hANDLE) {
        MessageBox(NULL, L" 启动内存指定了文件名路径诶DLL失败！", L"错误", MB_OK);
        return false;
    }
    DWORD DllAddr = 0;
    //等待线程函数结束，获得退出码
    WaitForSingleObject(hANDLE, -1);
    GetExitCodeThread(hANDLE, &DllAddr);


   /* HWND scWnd = FindWindowA(0, "Brood War");
    if (NULL == scWnd) {
        MessageBox(NULL, L" 没有找到星际的窗口！", L"错误", MB_OK);
        return false;
    }*/
    
   // WinMain((HINSTANCE)scWnd,0, (LPSTR)"", 0);
    


    return 1;
}