类人猿编程联盟

设为首页 | 收藏本站
课程推荐

最强C++x86x64驱动级读写开发库(导师开发)

2121
发表时间:2020-07-05 21:09

//***************调用静态变量static***************需要修改下

X64常用内存读写库

DWORD GetModuleSizeX64(DWORD Pid, const TCHAR* ModuleName)//获取模块大小,只能搞64位=64位,32位无法对64位操作

{/*初始化DLL列表*/

HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);

if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;

DWORD dwBuffSize = 0;

BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);

HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];

bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);

// 模块名称

TCHAR szModuleName[MAX_PATH] = { 0 };

TCHAR szBaseName[MAX_PATH];//新建

// 保存模块信息

MODULEINFO stcModuleInfo = { 0 };

// 遍历模块列表

int nCount = dwBuffSize / sizeof(HMODULE);

for (int i = 0; i < nCount; ++i)

{

// 根据进程句柄和模块句柄,获取模块信息

GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));

GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);

//printf("\n%x\n", (DWORD)stcModuleInfo.SizeOfImage); //模块内存大小

if (strcmp(szBaseName, ModuleName) == 0)

{

delete[] pModuleHandlerArr;// 释放数组

pModuleHandlerArr = nullptr;

return   stcModuleInfo.SizeOfImage;

}

}

return NULL;

}


HMODULE GetModuleBaseX64(DWORD Pid, const TCHAR* ModuleName)

{/*初始化DLL列表*/ // 这个程序不能删除,基础功能


HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);

if (hProcess == INVALID_HANDLE_VALUE || !hProcess)return NULL;


DWORD dwBuffSize = 0;

BOOL bRet = EnumProcessModulesEx(hProcess, NULL, 0, &dwBuffSize, LIST_MODULES_ALL);

HMODULE * pModuleHandlerArr = (HMODULE*) new char[dwBuffSize];


bRet = EnumProcessModulesEx(hProcess, pModuleHandlerArr, dwBuffSize, &dwBuffSize, LIST_MODULES_ALL);


// 模块名称

TCHAR szModuleName[MAX_PATH] = { 0 };

TCHAR szBaseName[MAX_PATH];//新建

// 保存模块信息

MODULEINFO stcModuleInfo = { 0 };

// 遍历模块列表

int nCount = dwBuffSize / sizeof(HMODULE);

for (int i = 0; i < nCount; ++i)

{

// 根据进程句柄和模块句柄,获取模块信息

GetModuleInformation(hProcess, pModuleHandlerArr[i], &stcModuleInfo, sizeof(stcModuleInfo));


// 根据进程句柄和模块句柄,获取模块的路径(包括模块名)

//GetModuleFileNameEx(hProcess, pModuleHandlerArr[i], szModuleName, MAX_PATH); //获取模块的路径

GetModuleBaseNameA(hProcess, pModuleHandlerArr[i], szBaseName, MAX_PATH);

printf("\n%llx\n", (UINT64)stcModuleInfo.lpBaseOfDll); //获取模块基地址

printf("\n%llx\n", (UINT64)stcModuleInfo.EntryPoint); //获取模块入口地址

printf("\n%llx\n", (UINT64)stcModuleInfo.SizeOfImage); //模块内存大小


if (strcmp(szBaseName, ModuleName) == 0)

{

printf("基地址是:%s\n\n", szBaseName);

printf("基地址是:%llX\n\n", (UINT64)stcModuleInfo.lpBaseOfDll);

delete[] pModuleHandlerArr;// 释放数组

pModuleHandlerArr = nullptr;

return   (HMODULE)stcModuleInfo.lpBaseOfDll;

}

// 基址

//CString szTemp;

//szTemp.Format(L"%08X", stcModuleInfo.lpBaseOfDll);


//// 入口点

//szTemp.Format(L"%08X", stcModuleInfo.EntryPoint);


//// 内存大小

//szTemp.Format(L"%d", stcModuleInfo.SizeOfImage);


//// 模块路径

//szModuleName;


}

return NULL;

}


HMODULE GetModuleBaseAddr(DWORD Pid, CONST TCHAR* moduleName)//获取进程模块入口地址   1.进程pid   2.模块的名称   xxx.exe 或者xxx.dll

{


MODULEENTRY32 moduleEntry;   //模块信息的结构体

HANDLE handle = NULL;

handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid); //   获取进程快照中包含在th32ProcessID中指定的进程的所有的模块

//printf("handle %llX \n", (DWORD)handle);

if (!handle) {                           //handle 类似指针,指向进程模块信息

CloseHandle(handle);

return NULL;

}

ZeroMemory(&moduleEntry, sizeof(MODULEENTRY32)); //清空

moduleEntry.dwSize = sizeof(MODULEENTRY32);

if (!Module32First(handle, &moduleEntry)) {   //结果传到 结构体指针moduleEntry

CloseHandle(handle);

return NULL;

}

do {

if (strcmp(moduleEntry.szModule, moduleName) == 0) {   //wcscmp宽字节比较   moduleEntry.szModule模块名字

//printf("基地址是 %X \n", (DWORD)moduleEntry.hModule);

return moduleEntry.hModule; //返回模块入口地址

}

} while (Module32Next(handle, &moduleEntry));

CloseHandle(handle);

return 0;

}


BOOL EnableSeDebugPrivilege(IN const CHAR*   PriviledgeName, BOOL IsEnable)

{

// 打开权限令牌

HANDLE   ProcessHandle = GetCurrentProcess();

HANDLE   TokenHandle = NULL;

TOKEN_PRIVILEGES TokenPrivileges = { 0 };

if (!OpenProcessToken(ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))

{

return FALSE;

}

LUID v1;

if (!LookupPrivilegeValue(NULL, PriviledgeName, &v1))// 通过权限名称查找uID

{

CloseHandle(TokenHandle);

TokenHandle = NULL;

return FALSE;

}


TokenPrivileges.PrivilegeCount = 1;// 要提升的权限个数

TokenPrivileges.Privileges[0].Attributes = IsEnable == TRUE ? SE_PRIVILEGE_ENABLED : 0;    // 动态数组,数组大小根据Count的数目

TokenPrivileges.Privileges[0].Luid = v1;

if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,

sizeof(TOKEN_PRIVILEGES), NULL, NULL))

{

CloseHandle(TokenHandle);

TokenHandle = NULL;

return FALSE;

}

CloseHandle(TokenHandle);

TokenHandle = NULL;

return TRUE;

}


//==============================================x86x64内存读写wow64函数指针获取=====================================================

LPFN_NTWOW64READVIRTUALMEMORY64       __NtWow64ReadVirtualMemory64;

LPFN_NTWOW64WRITEVIRTUALMEMORY64   __NtWow64WriteVirtualMemory64;

BOOL GetNTWOW64MemoryProcAddress()

{

HMODULE NtdllModuleBase = NULL;

NtdllModuleBase = GetModuleHandle("Ntdll.dll");

if (NtdllModuleBase == NULL)

{

return FALSE;

}

__NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,

"NtWow64ReadVirtualMemory64");

printf("__NtWow64ReadVirtualMemory64   %llx\n", (UINT64)__NtWow64ReadVirtualMemory64);

__NtWow64WriteVirtualMemory64 = (LPFN_NTWOW64WRITEVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,

"NtWow64WriteVirtualMemory64");

return TRUE;

}


char* UTF8ToUnicode(char* szUTF8)//编码转换,已经修复delet释放bug

{

DWORD wcscLen = MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), NULL, 0);//得到所需空间的大小

wchar_t wszcString[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。溢出数据自己修改

MultiByteToWideChar(CP_UTF8, NULL, szUTF8, (int)strlen(szUTF8), wszcString, wcscLen);   //转换

wszcString[wcscLen] = '\0';

DWORD len = WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL);

static char m_char[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。

WideCharToMultiByte(CP_ACP, 0, wszcString, (int)wcslen(wszcString), m_char, len, NULL, NULL);

m_char[len] = '\0';

return m_char;

}


char* UnicodeToUTF8(wchar_t* wszcString)//编码转换,已经修复 注意内存delet释放bug

{

DWORD utf8Len = ::WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), NULL, 0, NULL, NULL);    //得到所需空间的大小

static char szUTF8[1024] = { 0 };//这个大小的转换我这里是为了写辅助的。

WideCharToMultiByte(CP_UTF8, NULL, wszcString, (int)wcslen(wszcString), szUTF8, utf8Len, NULL, NULL);    //转换

szUTF8[utf8Len] = '\0';

return szUTF8;

}


int Wow64ReadInt(ULONG ProcessID, ULONG64 BaseAddress)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

int   BufferData = NULL;//=====================ULONG64   BufferData = NULL

ULONG64   ReturnLen = 4;//默认

ULONG64   BufferLen = 4;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

printf("4字节数据是:%ld\r\n", BufferData);


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


char *   Wow64ReadAscii(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

static char   BufferData[4096] = { 0 };//=====================

ULONG64   ReturnLen = 4;//默认


if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len, &ReturnLen);


printf("字符串是:%s \n", BufferData);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


wchar_t *   Wow64ReadUnicode(ULONG ProcessID, ULONG64 BaseAddress, DWORD Len) //写入ASCII 参数三是长度

{

setlocale(LC_ALL, "chs"); // unicode 必加 只有添加这一句下面的打印1,2与调试打印成功

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

static wchar_t   BufferData[4096] = { 0 };//=====================

ULONG64   ReturnLen = 4;//默认


if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, Len * 5, &ReturnLen); //unicode编码要乘以2


//printf("字符串是:%s \n", BufferData);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


float Wow64ReadFloat(ULONG ProcessID, ULONG64 BaseAddress)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

FLOAT   BufferData = NULL;//=====================

ULONG64   ReturnLen = 4;//默认

ULONG64   BufferLen = 4;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDeb


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);


printf("单精度数据是:%f \n", BufferData);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


double Wow64ReadDouble(ULONG ProcessID, ULONG64 BaseAddress)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

DOUBLE   BufferData = NULL;//=====================

ULONG64   ReturnLen = 8;//默认

ULONG64   BufferLen = 8;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

printf("浮点数数据是:%lf \n", BufferData);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


LONG64 Wow64ReadInt64(ULONG ProcessID, ULONG64 BaseAddress)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   BufferData = NULL;//=====================

ULONG64   ReturnLen = 8;//默认

ULONG64   BufferLen = 8;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}


if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

NTSTATUS Status = __NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

printf("8字节数据是:%lld\r\n", BufferData);


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return BufferData;

}


BOOL Wow64WriteInt(ULONG ProcessID, ULONG64 BaseAddress, INT Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = 4;//默认

ULONG64   BufferLen = 4;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);


__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteFloat(ULONG ProcessID, ULONG64 BaseAddress, FLOAT Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = 4;//默认

ULONG64   BufferLen = 4;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteDouble(ULONG ProcessID, ULONG64 BaseAddress, DOUBLE Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = 8;//默认

ULONG64   BufferLen = 8;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);

}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteInt64(ULONG ProcessID, ULONG64 BaseAddress, INT64 Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = 8;//默认

ULONG64   BufferLen = 8;//默认

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &Value, BufferLen, &ReturnLen);


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteAscii(ULONG ProcessID, ULONG64 BaseAddress, const char* Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = NULL;//默认

ULONG64   BufferLen = strlen(Value);//获取字符串长度

//printf("BufferLen   %d\n", BufferLen);

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteUTF8(ULONG ProcessID, UINT64 BaseAddress, const wchar_t   * GBK_Str)//为了兼容,写入的是unicode,函数内部会进行转换操作的。

{

BOOL     IsWow64 = FALSE; //64位程序备用

HANDLE   ProcessHandle = NULL;

ULONG64   ReturnLen = NULL;//默认

char strUTF8[4096] = { 0 };

char *unGunG = UnicodeToUTF8((wchar_t*)GBK_Str);

size_t   BufferLen = strlen(unGunG);//获取字符串长度   宽字符用 wcslen

RtlMoveMemory(strUTF8, unGunG, BufferLen);

//printf("BufferLen   %lld\n", BufferLen);

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, &strUTF8, BufferLen, &ReturnLen);//32位和64位区别


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


BOOL Wow64WriteUnicode(ULONG ProcessID, UINT64 BaseAddress, const wchar_t * Value)

{

BOOL     IsWow64 = FALSE;

HANDLE   ProcessHandle = NULL;

UINT64   ReturnLen = NULL;//默认

UINT64   BufferLen = wcslen(Value) * 2;//获取字符串长度   宽字符用 wcslen

printf("BufferLen   %lld\n", BufferLen);

if (BaseAddress == NULL)

{

return FALSE;

}

if (EnableSeDebugPrivilege("SeDebugPrivilege", TRUE) == FALSE)

{

return FALSE;

}

ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, ProcessID);

if (ProcessHandle == NULL)

{

return FALSE;

}

if (__NtWow64ReadVirtualMemory64 == NULL || __NtWow64WriteVirtualMemory64 == NULL)

{

goto Exit;

}

__try

{

__NtWow64WriteVirtualMemory64(ProcessHandle, BaseAddress, (PVOID64)Value, BufferLen, &ReturnLen);//32位和64位区别


}

__except (EXCEPTION_EXECUTE_HANDLER)

{

printf("异常\r\n");

goto Exit;

}

Exit:

if (ProcessHandle != NULL)

{

CloseHandle(ProcessHandle);

ProcessHandle = NULL;

}

EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);

return TRUE;

}


//===============================x86   r3层普通API 内存读写=================================================

BOOL WriteInt64(DWORD ProcessID, UINT64 Addr, __int64 Value)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

CloseHandle(Process_handle);

return ret;

}


BOOL WriteInt(DWORD ProcessID, UINT64 Addr, int Value)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}


BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);

CloseHandle(Process_handle);

return ret;

}


BOOL WriteShort(DWORD ProcessID, UINT64 Addr, short Value) //2字节整数

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

//printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);

CloseHandle(Process_handle);

return ret;

}



bool WriteData(DWORD ProcessID, UINT64   Addr, byte byteArr[]) //写入字节集   "1d   80 66 a2"

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}


BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, byteArr, sizeof(byteArr), NULL);//strlen字符长度

CloseHandle(Process_handle);

return ret;

}




BOOL WriteByte(DWORD ProcessID, UINT64 Addr, byte Value)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

//printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 2, NULL);

CloseHandle(Process_handle);

return ret;

}

//

BOOL WriteFloat(DWORD ProcessID, UINT64 Addr, float Value)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

//printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 4, NULL);

CloseHandle(Process_handle);

return ret;

}


BOOL WriteDouble(DWORD ProcessID, UINT64 Addr, double Value)

{

//printf("打印输出进程pid :%x \n", game_pid);

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

CloseHandle(Process_handle);

return ret;

}


BOOL WriteAcsii(DWORD ProcessID, UINT64 Addr, const   char * str)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, strlen(str), NULL);//strlen字符长度

CloseHandle(Process_handle);

return ret;

}


BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, const wchar_t * str)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2

CloseHandle(Process_handle);

return ret;

}


BOOL WriteUnicode(DWORD ProcessID, UINT64 Addr, wchar_t * str)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

{

printf("获取进程句柄失败\n");

}

else

{

printf("获取进程句柄成功\n");

}

BOOL ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, (LPVOID)str, wcslen(str) * 2 + 2, NULL);//wcslen宽字符长度+2

//printf("iiiiiiiiiii    %d\n", sizeof(str));

CloseHandle(Process_handle);

return ret;

}




DWORD GetPidByHwnd(HWND hwnd)

{

DWORD Pid = NULL;

GetWindowThreadProcessId(hwnd, &Pid); //lpdword指针类型

return   Pid;

}


DWORD FloatToDword(float value)//单浮点数转整数

{

DWORD   val = NULL;

memcpy(&val, &value, 4);

return val;

}


UINT64 DoubleToDword(double value)//双浮点数转整数

{

UINT64   val = NULL;

memcpy(&val, &value, 8);

return val;

}


int Int64To32(__int64 value)//部分接口

{

DWORD   val = NULL;

memcpy(&val, &value, 4);

return val;

}


int DwordToInt(DWORD value)//无符号转有符号

{

int   val = NULL;

memcpy(&val, &value, 4);

return val;

}


DWORD IntToDword(int value)//无符号转有符号

{

DWORD   val = NULL;

memcpy(&val, &value, 4);

return val;

}


BOOL WriteIntEx(DWORD ProcessID, UINT64 Addr, __int64 Value, int NumByte)

{

HANDLE   Process_handle = OpenProcess(PROCESS_ALL_ACCESS, NULL, ProcessID); //1.渴望得到的访问权限(标志),全局   

if (Process_handle == NULL)

printf("获取进程句柄失败\n");

else

printf("获取进程句柄成功\n");

BOOL ret = NULL;

if (NumByte == 4)

{

int   real_val = (int)Value;

ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 4, NULL);

}

else if (NumByte == 2)

{

short   real_val = (short)Value;

ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 2, NULL);

}

else if (NumByte == 1)

{

short   real_val = (short)Value;

ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &real_val, 1, NULL);

}

else if (NumByte == 8)

{

ret = WriteProcessMemory(Process_handle, (LPVOID)Addr, &Value, 8, NULL);

}

CloseHandle(Process_handle);

return ret;

}



byte* ReadByteArray(DWORD ProcessID, UINT64   addr, DWORD size) //写入4字节整数

{

byte *Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), Value, size, NULL);//注意参数 4字节

}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}







byte ReadByte(DWORD ProcessID, UINT64   addr) //写入4字节整数

{

byte Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 1, NULL);//注意参数 4字节

}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


short ReadShort(DWORD ProcessID, UINT64   addr) //写入4字节整数

{

short Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 2, NULL);//注意参数 4字节

}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


int ReadInt(DWORD ProcessID, UINT64   addr) //写入4字节整数

{

int Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节

}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


DWORD ReadDword(DWORD ProcessID, UINT64   addr) //写入4字节整数

{

DWORD Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 4, NULL);//注意参数 4字节


}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


__int64 ReadInt64(DWORD ProcessID, UINT64   addr) //写入8字节整数,地址还是4字节

{

__int64 Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");

ReadProcessMemory(Hprocess, (LPVOID)(addr), &Value, 8, NULL);//注意参数 4字节


}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}




UINT64 MemoryVirtualAllocEx(DWORD ProcessID, DWORD Len) //远程申请内存空间

{

HANDLE Hprocess = NULL;

LPVOID   Addr = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

Addr = VirtualAllocEx(Hprocess, NULL, Len, MEM_COMMIT, PAGE_READWRITE);

CloseHandle(Hprocess);//关闭进程句柄

return (UINT64)Addr;

}



void * ReadAscii(DWORD ProcessID, UINT64   addr, DWORD Len) //写入8字节整数,地址还是4字节

{

static char   Value[1024] = { 0 };

char ByteBuffer = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");


for (size_t i = 0; i < 1024; i++)//遍历长度,上限1024

{

ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ByteBuffer, 1, NULL);//注意参数 4字节

//printf("遍历I数值!   %d   \n", i);

if (ByteBuffer == 0)

{

if (Len == 0)//如果是0自动长度

{

ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, i + 1, NULL); //   字节\0

break;


}

else {

ReadProcessMemory(Hprocess, (LPCVOID)(addr), &Value, Len, NULL); //   字节\0

break;

}


}


}

}

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


wchar_t * ReadUnicode(DWORD ProcessID, UINT64   addr, DWORD Len) //控制台程序不支持unicode打印输出

{

static wchar_t   StrValue[1024] = { 0 };

wchar_t ShortBuffer = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess == 0)

printf("打开进程失败!\n");

else

{

printf("打开进程成功!\n");


for (size_t i = 0; i < 1024; i = i + 2)//遍历长度,上限1024

{

ReadProcessMemory(Hprocess, (LPCVOID)(addr + i), &ShortBuffer, 2, NULL);//注意参数 4字节

if (ShortBuffer == '\0')

{

if (Len == 0)//如果是0自动长度

{

ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, i + 2, NULL); //   字节\0

printf("打印    %ls   \n", StrValue);

//printf("打印i   :   %d   \n", i);

break;

}

else {

ReadProcessMemory(Hprocess, (LPCVOID)(addr), &StrValue, Len, NULL); //   字节\0

break;

}

}

}

}

CloseHandle(Hprocess);//关闭进程句柄

return StrValue;

}


int ReadIntEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

{

int Value = NULL;

HANDLE Hprocess = NULL;

DWORD nBuffer = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess != 0)

{

ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节

for (size_t i = 0; i < Num; i++)//word占2字节

{

ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节

}

}

else printf("打开进程失败!\n");

CloseHandle(Hprocess);//关闭进程句柄

return Value;

}


float ReadFloatEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

{

UINT64 Value = NULL;

HANDLE Hprocess = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess != 0)

{

ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &Value, 4, NULL);//注意参数 4字节

for (size_t i = 0; i < Num; i++)//word占2字节

{

//printf("str       %lld\n", Value);

ReadProcessMemory(Hprocess, (LPVOID)(Value + OffsetArray[i]), &Value, 4, NULL);//注意参数 4字节

}

}

else printf("打开进程失败!\n");

CloseHandle(Hprocess);//关闭进程句柄

return (float)Value;

}


double ReadDoubleEx(DWORD ProcessID, UINT64   BaseAddr, UINT64 OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

{

double ValueDouble = NULL;

HANDLE Hprocess = NULL;

UINT64 nBuffer = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess != 0)

{

ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节

DWORD   i = NULL;

for (i = 0; i < Num - 1; i++)//word占2字节

{

ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节

/*printf("double       %x\n", OffsetArray[i]);*/

}

ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &ValueDouble, 8, NULL);//Value64最终结果

}

else printf("打开进程失败!\n");

CloseHandle(Hprocess);//关闭进程句柄

return ValueDouble;

}


__int64 ReadIntEx64(DWORD ProcessID, UINT64   BaseAddr, DWORD OffsetArray[], DWORD Num) //第二个是基地址 第三个参数是偏移数组 第四个偏移数量

{

__int64 value64 = NULL;

HANDLE Hprocess = NULL;

UINT64 nBuffer = NULL;

Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

if (Hprocess != 0)

{

ReadProcessMemory(Hprocess, (LPVOID)(BaseAddr), &nBuffer, 4, NULL);//注意参数 4字节

DWORD   i = NULL;

for (i = 0; i < Num - 1; i++)//word占2字节

{

ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &nBuffer, 4, NULL);//注意参数 4字节

/*printf("double       %x\n", OffsetArray[i]);*/

}

ReadProcessMemory(Hprocess, (LPVOID)(nBuffer + OffsetArray[i]), &value64, 8, NULL);//Value64最终结果

}

else printf("打开进程失败!\n");

CloseHandle(Hprocess);//关闭进程句柄

return value64;

}


int EnableDebugPriv(const char *name)

{

HANDLE hToken;        //进程令牌句柄

TOKEN_PRIVILEGES tp;   //TOKEN_PRIVILEGES结构体,其中包含一个【类型+操作】的权限数组

LUID luid;           //上述结构体中的类型值

//打开进程令牌环

//GetCurrentProcess()获取当前进程的伪句柄,只会指向当前进程或者线程句柄,随时变化

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))

{

fprintf(stderr, "OpenProcessToken error\n");

return -1;

}

//获得本地进程name所代表的权限类型的局部唯一ID

if (!LookupPrivilegeValue(NULL, name, &luid))

{

fprintf(stderr, "LookupPrivilegeValue error\n");

}


tp.PrivilegeCount = 1;                               //权限数组中只有一个“元素”

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;   //权限操作

tp.Privileges[0].Luid = luid;                        //权限类型


//调整进程权限

if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))

{

fprintf(stderr, "AdjustTokenPrivileges error!\n");

return -1;

}

return 0;

}



DWORD   GetPidByName(const char * ProcessName) //根据进程名字获取进程ID

{

HANDLE ProcessAll = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

PROCESSENTRY32 processInfo = { 0 };

processInfo.dwSize = sizeof(PROCESSENTRY32);

do {

if (strcmp(ProcessName, processInfo.szExeFile) == 0) {

return processInfo.th32ProcessID;

}


} while (Process32Next(ProcessAll, &processInfo));

return NULL;

}

//======================================注入==========================

VOID InjectDll(const CHAR pathStr[0x1000], const CHAR ProcessName[256])

{

//CHAR   pathStr[0x1000] = { "K:\\我的文档\\visual studio 2012\\Projects\\InjectChat\\Debug\\WeChatDll.dll" };

DWORD PID = GetPidByName((CHAR*)ProcessName);

if (PID == 0)

{

MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);

return;

}


HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);

if (hProcsee == NULL) {

MessageBox(NULL, "没有找到微信进程", "错误", 0);

return;

}


LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, strlen(pathStr), MEM_COMMIT, PAGE_READWRITE);

if (dllAdd == NULL) {

MessageBox(NULL, "内存写入", "错误", 0);

}

if (WriteProcessMemory(hProcsee, dllAdd, pathStr, strlen(pathStr), NULL) == 0) {

MessageBox(NULL, "内存写入", "错误", 0);

return;

}


HMODULE K32 = GetModuleHandle("Kernel32.dll");

LPVOID LoadAdd = GetProcAddress(K32, "LoadLibraryA");

HANDLE exec = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)LoadAdd, dllAdd, 0, NULL);

if (NULL == exec) {

MessageBox(NULL, "远程注入失败", "错误", 0);

return;

}

WaitForSingleObject(exec, INFINITE);

CloseHandle(hProcsee);

}


VOID InjectSellCode(DWORD processid, BYTE SellCode[]) //注入硬编码 shellcode

{

EnableDebugPriv(SE_DEBUG_NAME); //提高进程权限

if (processid == 0)

{

MessageBox(NULL, "没有找到微信进程或者微信没有启动", "错误", 0);

return;

}


HANDLE hProcsee = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processid); //打开目的程序,获取游戏权限   PROCESS_ALL_ACCESS获取所有权限

if (hProcsee == NULL) {

MessageBox(NULL, "没有找到微信进程", "错误", 0);

return;

}


LPVOID dllAdd = VirtualAllocEx(hProcsee, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//向游戏申请内存空间

if (dllAdd == NULL) {

MessageBox(NULL, "内存申请失败", "0", 0);

}



if (WriteProcessMemory(hProcsee, dllAdd, SellCode, 1023, NULL) == 0) {       //讲shellcode内存写入到游戏里面

MessageBox(NULL, "内存写入", "错误", 0);

return;

}


TRACE("申请的内存空间是 %x\n", dllAdd);


HANDLE ThreadHandle = CreateRemoteThread(hProcsee, NULL, 0, (LPTHREAD_START_ROUTINE)dllAdd, NULL, 0, NULL); //远程 创建线程   返回值是线程句柄

if (NULL == ThreadHandle) {

MessageBox(NULL, "远程注入失败", "错误", 0);

return;

}


WaitForSingleObject(ThreadHandle, INFINITE); //等到我线程代码执行完成之后,再返回,否则一直在等待   1秒=1000毫秒。 大量代码注入的

CloseHandle(ThreadHandle); ///释放线程句柄

CloseHandle(hProcsee); //关闭临时进程句柄        临时的指针


}


BOOL UnloadDll(DWORD dwPid, CHAR   strDllName[256])

{

//获取宿主进程的句柄,注意那几个参数,不然会出错

HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,

FALSE, dwPid);

if (hProcess == NULL) {

::MessageBox(NULL, "无法获取进程句柄", "错误", MB_OK | MB_ICONERROR);

return FALSE;

}


DWORD   dwSize = 0;

ULONG64   dwWritten = 0;

DWORD   dwHandle = 0;


dwSize = sizeof(strDllName) + 1;//dll的全路径名的长度,待会分配内存要用到的


//向宿主进程分配内存,返回一个指针

LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);


//如果在宿主进程空间写失败就直接报错闪人

if (!WriteProcessMemory(hProcess, lpBuf, strDllName, dwSize, (SIZE_T*)&dwWritten))

{

VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);

CloseHandle(hProcess);

MessageBox(NULL, "在目标进程中写入失败", "错误", MB_OK | MB_ICONERROR);

return FALSE;

}


//获取GetModuleHandleA函数地址

LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA");


//在宿主进程中创建一个远程线程,线程函数为上面导出的GetModuleHandleA,参数为lpBuf指针,还

//记得我们获取的dll全路径不

HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,

lpBuf, 0, NULL);

//如果创建线程失败,直接报错闪人

if (hThread == NULL) {

CloseHandle(hProcess);

::MessageBox(NULL, "在目标进程创建远程线程失败", "错误", MB_OK | MB_ICONERROR);

return FALSE;

}


//   等待GetModuleHandle运行完毕   

WaitForSingleObject(hThread, INFINITE);

//   获得GetModuleHandle的返回值   

GetExitCodeThread(hThread, &dwHandle);


//   释放目标进程中申请的空间   

VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);

CloseHandle(hThread);


//   使目标进程调用FreeLibraryAndExit,卸载DLL,实际也可以用FreeLibrary,但是我发现前者好一点

pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");

hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, (LPVOID)dwHandle, 0, NULL);

//   等待FreeLibraryAndExitThread执行完毕   

WaitForSingleObject(hThread, INFINITE);

CloseHandle(hThread);

CloseHandle(hProcess);


return TRUE;   //操作成功

}


//提升进程访问权限

bool enableDebugPriv()

{

HANDLE   hToken;

LUID    sedebugnameValue;

TOKEN_PRIVILEGES tkp;

if (!OpenProcessToken(GetCurrentProcess(),

TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)

)

{

return false;

}

if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))

{

CloseHandle(hToken);

return false;

}

tkp.PrivilegeCount = 1;

tkp.Privileges[0].Luid = sedebugnameValue;

tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))

{

CloseHandle(hToken);

return false;

}

return true;

}

//======================================结尾部分

HANDLE GetModule()

{

HANDLE hProcess;                        //进程句柄

HANDLE hModule;                         //模块句柄

BOOL bProcess = FALSE;                  //获取进程信息的函数返回值

BOOL bModule = FALSE;                   //获取模块信息的函数返回值

PROCESSENTRY32 pe32;                    //保存进程信息

MODULEENTRY32   me32;                    //保存模块信息


int i = 0;

int j = 0;


//获取进程调试权限,如果失败,则提示获取权限失败,失败的话,有的进程信息就会获取不到

if (EnableDebugPriv(SE_DEBUG_NAME))

{

fprintf(stderr, "Add Privilege error\n");

}


hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);//获取进程快照

if (hProcess == INVALID_HANDLE_VALUE)

{

printf("获取进程快照失败\n");

exit(1);

}


bProcess = Process32First(hProcess, &pe32);              //获取第一个进程信息

while (bProcess)                                         //循环获取其余进程信息

{

printf("%d :\t Father's PID(%d)\tPID(%d)\t%s\n", i, pe32.th32ParentProcessID, pe32.th32ProcessID, pe32.szExeFile);

i++;

j = 0;

if (0 != pe32.th32ParentProcessID)                   //获取进程PID不为0的模块信息

{

hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32.th32ProcessID);   //获取模块快照

if (hModule != INVALID_HANDLE_VALUE)

{

bModule = Module32First(hModule, &me32);      //获取第一个模块信息,即进程相应可执行文件的信息

while (bModule)

{

printf("模块:\n%d\t%s\n", j, me32.szExePath);

j++;

bModule = Module32Next(hModule, &me32);   //获取其他模块信息

}

CloseHandle(hModule);

}

}


bProcess = Process32Next(hProcess, &pe32);           //继续获取其他进程信息

printf("\n\n");

getchar();

}


CloseHandle(hProcess);

return 0;

}


PVOID GetRemoteProcAddress32(HANDLE hProc, HMODULE hModule, LPCSTR lpProcName)//这个函数只支持32位的

{

PVOID pAddress = NULL;

SIZE_T OptSize;

IMAGE_DOS_HEADER DosHeader;

SIZE_T ProcNameLength = lstrlenA(lpProcName) + sizeof(CHAR);//'\0'  


//读DOS头  

if (ReadProcessMemory(hProc, hModule, &DosHeader, sizeof(DosHeader), &OptSize))

{

IMAGE_NT_HEADERS NtHeader;


//读NT头  

if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + DosHeader.e_lfanew), &NtHeader, sizeof(NtHeader), &OptSize))

{

IMAGE_EXPORT_DIRECTORY ExpDir;

SIZE_T ExportVirtualAddress = NtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;


//读输出表  

if (ExportVirtualAddress && ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExportVirtualAddress), &ExpDir, sizeof(ExpDir), &OptSize))

{


if (ExpDir.NumberOfFunctions)

{


//x64待定:地址数组存放RVA的数据类型是4字节还是8字节???  

SIZE_T *pProcAddressTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfFunctions * sizeof(SIZE_T));


//读函数地址表  

if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfFunctions), pProcAddressTable, ExpDir.NumberOfFunctions * sizeof(PVOID), &OptSize))

{

//x64待定:名称数组存放RVA的数据类型是4字节还是8字节???  

SIZE_T *pProcNamesTable = (SIZE_T *)GlobalAlloc(GPTR, ExpDir.NumberOfNames * sizeof(SIZE_T));


//读函数名称表  

if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNames), pProcNamesTable, ExpDir.NumberOfNames * sizeof(PVOID), &OptSize))

{

CHAR *pProcName = (CHAR *)GlobalAlloc(GPTR, ProcNameLength);


//遍历函数名称  

for (DWORD i = 0; i < ExpDir.NumberOfNames; i++)

{


if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + pProcNamesTable[i]), pProcName, ProcNameLength, &OptSize))

{

if (RtlEqualMemory(lpProcName, pProcName, ProcNameLength))

{

//x64待定:函数在地址数组索引的数据类型是2字节还是???  

WORD NameOrdinal;


//获取函数在地址表的索引  

if (ReadProcessMemory(hProc, (PVOID)((SIZE_T)hModule + ExpDir.AddressOfNameOrdinals + sizeof(NameOrdinal) * i), &NameOrdinal, sizeof(NameOrdinal), &OptSize))

{

pAddress = (PVOID)((SIZE_T)hModule + pProcAddressTable[NameOrdinal]);

}

break;//for  

}

}

}

GlobalFree(pProcName);

}

GlobalFree(pProcNamesTable);

}

GlobalFree(pProcAddressTable);

}

}

}

}

return pAddress;

}





//=========================内存搜索支持x86x64位游戏===================================

//查找内存地址

INT64 X64ScanAddr(DWORD ProcessID, char *markCode, const wchar_t * ModuleName, DWORD offset)

{

DWORD size = 8; //==== 返回大小

DWORD ordinal = 1;//====返回次数

UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

return X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

}


INT64 X64ScanBase(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset, DWORD size)//==== 返回大小)

{

DWORD ordinal = 1;//====返回次数

INT64 BufferData = NULL; //

//ULONG64 Len = size;

UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

__NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, 0);//注意返回值大小问题,size就是字节大小

CloseHandle(Hprocess);

return BufferData;

}


INT64 X64ScanCall(DWORD ProcessID, const char *markCode, const wchar_t * ModuleName, DWORD offset)//==== 返回大小)

{

DWORD ordinal = 1;//====返回次数

DWORD size = 4;//x64的call只能是4字节的,不能8字节,否走要mov rax 0x1121212121   jmp rax

INT64 BufferData = NULL;

ULONG64 Len = size;

UINT64 beginAddr = GetX86X64Module(ProcessID, ModuleName);

UINT64 endAddr = beginAddr + GetX86X64ModuleSize(ProcessID, ModuleName);

INT64 Addr_Ret = X64ScanOpcode(ProcessID, markCode, offset, size, ordinal, beginAddr, endAddr);

HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

__NtWow64ReadVirtualMemory64(Hprocess, Addr_Ret, &BufferData, size, &Len);//注意返回值大小问题,size就是字节大小

CloseHandle(Hprocess);

return Addr_Ret - 1 + 5 + BufferData;;

}


/************************************************************************/

/* 函数说明:查找特征码

/* process: 要查找的进程

/* markCode: 特征码字符串,不能有空格

/* distinct:特征码首地址离目标地址的距离 负数在特征码在上

/* offset: 返回目标地址

/* size: 设置返回数据为几个BYTE 1 2 3 4

/* ordinal: 特征码出现的次数

/* beginAddr: 开始搜索地址

/* endAddr: 结束地址

/* ret:返回目标地址的内容

/************************************************************************/

INT64 X64ScanOpcode(DWORD ProcessID, const char *markCode,   ///核心算法

DWORD offset,

DWORD size,   // size: 设置返回数据为几个BYTE 1 2 3 4

DWORD ordinal, //ordinal: 特征码出现的次数

UINT64 beginAddr, UINT64 endAddr)

{

HANDLE Hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);//打开进程

GetNTWOW64MemoryProcAddress(); //加进去的

//每次读取游戏内存数目的大小

const DWORD pageSize = 4096;

////////////////////////处理特征码/////////////////////

//特征码长度不能为单数

if (strlen(markCode) % 2 != 0) return 0;

//特征码长度

size_t len = strlen(markCode) / 2;

//将特征码转换成byte型

BYTE *m_code = new BYTE[len];

for (int i = 0; i < len; i++) {

char c[] = { markCode[i * 2], markCode[i * 2 + 1], '\0' };

m_code[i] = (BYTE)::strtol(c, NULL, 16);

}

/////////////////////////查找特征码/////////////////////

BOOL _break = FALSE;

//用来保存在第几页中的第几个找到的特征码

int curPage = 0;

int curIndex = 0;

//每页读取4096个字节

BYTE *page = new BYTE[pageSize + len - 1];

UINT64 tmpAddr = beginAddr;

DWORD ord = 0;

ULONG64   BufferLen = 4096;

while (tmpAddr <= endAddr - len) {

//printf("Status打印输出:   %llx\n", tmpAddr);

NTSTATUS Status = __NtWow64ReadVirtualMemory64(Hprocess, tmpAddr, page, pageSize + len - 1, &BufferLen);

//在该页中查找特征码

for (int i = 0; i < pageSize; i++) {

for (int j = 0; j < len; j++) {

//只要有一个与特征码对应不上则退出循环

if (m_code[j] != page[i + j])break;

//找到退出所有循环

if (j == len - 1) {

ord++;

if (ord != ordinal)

break;

_break = TRUE;

curIndex = i; // 特征码的首地址偏移

break;

}

}

if (_break) break;

}

if (_break) break;

curPage++;

tmpAddr += pageSize;

}

// 一个也没找到


//__NtWow64ReadVirtualMemory64(ProcessHandle, BaseAddress, &BufferData, BufferLen, &ReturnLen);

delete m_code;

delete page;

CloseHandle(Hprocess);

//printf("base   :%llx\n", offsetaddr);

return offsetaddr;

}



UINT64   GetX86X64Module(DWORD ProcessID, const wchar_t* DllName)

{

DWORD dwPid = ProcessID;

HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

BOOL bTarget = FALSE;

BOOL bSource = FALSE;


IsWow64Process(GetCurrentProcess(), &bSource);

IsWow64Process(m_ProcessHandle, &bTarget);


SYSTEM_INFO si;

GetSystemInfo(&si);


if (bTarget == FALSE && bSource == TRUE)

{

HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");

pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");

PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };

if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))

{

DWORD64 Ldr64 = 0;

LIST_ENTRY64 ListEntry64 = { 0 };

LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };

wchar_t ProPath64[256];

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))

{

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))

{

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))

{

while (1)

{

if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;

/*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改

{


//printf("模块基址:0x%llX   模块大小:0x%X    模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);

//printf("BaseDllName :%ls\n", ProPath64);

if (wcscmp(ProPath64, DllName) == 0)

{

//printf("BaseDllName :%ls\n", ProPath64);

return   (UINT64)LDTE64.DllBase;

}


}

if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;

}

}

}

}

}


}

else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||

si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)

{

HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");

PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };

if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))

{

DWORD Ldr32 = 0;

LIST_ENTRY32 ListEntry32 = { 0 };

LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };

wchar_t ProPath32[256];

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))

{

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))

{

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))

{

while (1)

{

if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;

if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer

{

//printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

//printf("模块基址:0x%X   模块大小:0x%X   模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

//printf("%d\n",   LDTE32.BaseDllName);


if (wcscmp(ProPath32, DllName) == 0)

{

//printf("BaseDllName :%ls\n", ProPath32);

return   (UINT64)LDTE32.DllBase;   //============32位这里最好改成DWORD

}



}

if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;

}

}

}

}

}

}

return   FALSE;

CloseHandle(m_ProcessHandle);

}



UINT64   GetX86X64ModuleSize(DWORD ProcessID, const wchar_t* DllName)

{

DWORD dwPid = ProcessID;

HANDLE m_ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

BOOL bTarget = FALSE;

BOOL bSource = FALSE;


IsWow64Process(GetCurrentProcess(), &bSource);

IsWow64Process(m_ProcessHandle, &bTarget);


SYSTEM_INFO si;

GetSystemInfo(&si);


if (bTarget == FALSE && bSource == TRUE)

{

HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");

pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");

PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };

if (NT_SUCCESS(NtWow64QueryInformationProcess64(m_ProcessHandle, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL)))

{

DWORD64 Ldr64 = 0;

LIST_ENTRY64 ListEntry64 = { 0 };

LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };

wchar_t ProPath64[256];

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL)))

{

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL)))

{

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL)))

{

while (1)

{

if (LDTE64.InLoadOrderLinks.Flink == ListEntry64.Flink) break;

/*if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.FullDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))*/

if (NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.BaseDllName.Buffer, ProPath64, sizeof(ProPath64), NULL)))//修改

{


//printf("模块基址:0x%llX   模块大小:0x%X    模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);

//printf("BaseDllName :%ls\n", ProPath64);

if (wcscmp(ProPath64, DllName) == 0)

{

//printf("BaseDllName :%ls\n", ProPath64);

return   (UINT64)LDTE64.SizeOfImage;

}


}

if (!NT_SUCCESS(NtWow64ReadVirtualMemory64(m_ProcessHandle, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(_LDR_DATA_TABLE_ENTRY64), NULL))) break;

}

}

}

}

}


}

else if (bTarget == TRUE && bSource == TRUE || si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 ||

si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)

{

HMODULE NtdllModule = GetModuleHandle("ntdll.dll");

pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule, "NtQueryInformationProcess");

PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };

if (NT_SUCCESS(NtQueryInformationProcess(m_ProcessHandle, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL)))

{

DWORD Ldr32 = 0;

LIST_ENTRY32 ListEntry32 = { 0 };

LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };

wchar_t ProPath32[256];

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL))

{

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL))

{

if (ReadProcessMemory(m_ProcessHandle, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL))

{

while (1)

{

if (LDTE32.InLoadOrderLinks.Flink == ListEntry32.Flink) break;

if (ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.BaseDllName.Buffer, ProPath32, sizeof(ProPath32), NULL))//修改PVOID)LDTE32.BaseDllName.Buffer

{

//printf("模块基址:0x%X\n模块大小:0x%X\n模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

//printf("模块基址:0x%X   模块大小:0x%X   模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);

//printf("%d\n",   LDTE32.BaseDllName);


if (wcscmp(ProPath32, DllName) == 0)

{

//printf("BaseDllName :%ls\n", ProPath32);

return   (UINT64)LDTE32.SizeOfImage;   //============32位这里最好改成DWORD

}



}

if (!ReadProcessMemory(m_ProcessHandle, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(_LDR_DATA_TABLE_ENTRY32), NULL)) break;

}

}

}

}

}

}

return   FALSE;

CloseHandle(m_ProcessHandle);

}