一、在上节课DLL注入窗口我们已经实现了注入dll,这节课我们利用线程注入
// Thread entry point started from CMFCDLLApp::InitInstance: creates the
// DLLTEST dialog object on its own thread and then unloads the DLL.
// The `arg` parameter is unused.
DWORD WINAPI 窗口函数地址(LPVOID arg)
{
    // Standard MFC idiom for a regular DLL: switch the module state to this
    // DLL before any MFC object is created on this thread.
    AFX_MANAGE_STATE(AfxGetStaticModuleState());
    DLLTEST dt;
    // NOTE(review): the statement below is garbled in the source — the callee
    // is missing (presumably a member call on `dt`); confirm against the
    // original project.
    ();
    // Unloads this module and terminates the calling thread with exit code
    // 123. This call does not return, so the `return 1;` below is unreachable.
    FreeLibraryAndExitThread(_hInstance, 123); // auto-unload the DLL
    return 1;
}

// MFC application-object initialization for the DLL: spawns the thread that
// drives the dialog and returns immediately.
BOOL CMFCDLLApp::InitInstance()
{
    CWinApp::InitInstance();
    DWORD 线程ID = 0;
    // NOTE(review): CreateThread's last parameter is an out-pointer for the
    // thread id (LPDWORD); `线程ID` is passed by value here — confirm whether
    // `&线程ID` was intended. The returned thread HANDLE is discarded and
    // therefore never closed (handle leak for the life of the process).
    ::CreateThread(0, 0, 窗口函数地址, 0, 0, 线程ID);
    return TRUE;
}
二、在窗口添加三个按钮,分别实现调试信息输出、解绑调试信息,获取护甲值
// Reads a 32-bit value at an arbitrary address under SEH protection.
// @param 地址  raw address to dereference
// @return the DWORD stored there, or 0 if the read raised an exception
//         (filter value 1 == EXCEPTION_EXECUTE_HANDLER, so every exception
//         is swallowed). Callers cannot distinguish a genuine 0 from an
//         unreadable address.
DWORD 读地址(UINT_PTR 地址)
{
    __try {
        return *(DWORD*)地址;
    }
    __except(1) {
        return 0;
    }
}

// Timer callback armed by OnBnClickedButton1. Calls a function in the host
// process at a fixed absolute address, follows two pointer hops from its
// return value and prints the result to the console. Parameters follow the
// TIMERPROC signature; only `h` is used (to cancel the timer).
VOID CALLBACK 护甲(HWND h, UINT arg2, UINT_PTR arg3_id, DWORD time)
{
    // One-shot behaviour: cancel timer 11111 on the first tick.
    KillTimer(h, 11111);
    const char* 参数1 = "player";
    UINT_PTR 返回值 = 0;
    // NOTE(review): a hard-coded absolute address is only meaningful for the
    // exact binary it was taken from; with any other build this call lands on
    // arbitrary code and crashes the host process.
    UINT_PTR 函数地址 = 0x60C1F0;
    // cdecl call through inline asm (x86 only): push the single argument,
    // call, pop it (add esp,4), capture eax as the return value.
    __asm {
        push 参数1
        call 函数地址
        add esp, 4
        mov 返回值, eax
    }
    // Two-level pointer chase. Because 读地址 returns 0 on any fault, a bad
    // pointer silently prints 护甲=0 instead of reporting an error.
    DWORD 护甲 = 读地址(读地址(返回值 + 0xD0) + 0x174);
    char buf[256];
    sprintf_s(buf, "护甲=%d\r\n", 护甲);
    // NOTE(review): buf is passed as the format string. It holds no external
    // data today, but `printf("%s", buf)` is the safe form.
    printf(buf);
};

// Button 1: arm a 1 ms timer on the located window so that 护甲 runs on
// that window's thread.
void DLLTEST::OnBnClickedButton1()
{
    HWND 游戏窗口句柄 = FindWindowA("GxWindowClassD3d", "魔兽世界");
    // NOTE(review): the handle is not checked. If FindWindowA returns NULL,
    // SetTimer(NULL, ...) creates a thread timer with a new id, so the
    // KillTimer(h, 11111) in the callback would not cancel it.
    ::SetTimer(游戏窗口句柄, 11111, 1, 护甲);
}

// Button 2: open a console for this process and redirect stdout to it so
// the printf in 护甲 has somewhere to write.
void DLLTEST::OnBnClickedButton2()
{
    AllocConsole();
    FILE* file = 0;
    // NOTE(review): freopen_s takes FILE** as its first argument, but `file`
    // is a FILE*. The device-name literal is also garbled in the source
    // (shown as "CONOUT#34;) — confirm both against the original project.
    freopen_s(file,"CONOUT#34;,"w+t",stdout);
}

// Button (Gbtsck): detach the console opened by OnBnClickedButton2.
void DLLTEST::OnBnClickedGbtsck()
{
    FreeConsole();
}
三、查看效果
四、完整项目下载地址