创建DLL项目
根据上一篇文章得到的基地址和偏移量,我们直接编写 DLL 代码。
DLL代码编写
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdio.h>
#include <windows.h>
// Background patcher: runs for the lifetime of the host process.
// Every 20 ms it follows a fixed pointer chain from the main module base
// (base + 0x2A9EC0 -> +0x768 -> +0x144) and rewrites two regions:
// the value at +0x5560 ("sun") and six one-byte flags at +0x70, 0x50 apart ("CD cooldown").
// The offsets are hard-coded for one specific game build; with any other build
// these become writes to unrelated addresses. `param` is unused; the loop never
// exits, so the trailing `return 0` is only there to satisfy the signature.
DWORD WINAPI ThreadProc(void* param)
{
    (void)param;
    for (;;)
    {
        DWORD base = (DWORD)GetModuleHandle(0);
        DWORD root = *(DWORD*)(base + 0x2A9EC0);
        if (root != 0)
        {
            DWORD game = *(DWORD*)(root + 0x768);
            if (game != 0)
            {
                *(DWORD*)(game + 0x5560) = 10000; // sun value
                DWORD slots = *(DWORD*)(game + 0x144);
                if (slots != 0)
                {
                    // CD cooldown: six consecutive slots, stride 0x50
                    for (int i = 0; i < 6; ++i)
                    {
                        *(BYTE*)(slots + 0x70 + 0x50 * i) = 1;
                    }
                }
            }
        }
        Sleep(20);
    }
    return 0;
}
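// DLL entry point. On DLL_PROCESS_ATTACH it starts the patcher thread once and
// reports the result to the user. Returns TRUE to stay loaded, FALSE (attach only)
// if the worker thread could not be created, so the loader unmaps a module that
// would otherwise sit in the process doing nothing.
// Everything here runs under the loader lock: CreateThread is tolerated because the
// new thread only begins executing DLL code after DllMain returns, but calling
// MessageBox from DllMain is fragile and is kept only because the original does it.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hModule);
        DWORD dwThreadID = 0;
        HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, &dwThreadID);
        if (hThread == NULL) {
            // Nothing will run; do not claim success.
            MessageBox(NULL, L"Failed to create patch thread!", L"Error", MB_OK | MB_ICONERROR);
            return FALSE;
        }
        // The handle is not used afterwards; closing it prevents a handle leak.
        // Closing does not stop the thread, it only releases our reference.
        CloseHandle(hThread);
        MessageBox(NULL, L"DLL is patched to process!", L"Success", MB_OK);
    }
    return TRUE;
}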
里面大量使用了指针操作,如果不懂可以先去看看相关内容
DLL注入
这里我直接使用Xenos来注入DLL
注入完成后就可以直接Enjoy了