因为进浩方玩星际,每次都要挤房间,所以做了一个挤房间的小工具.
VC7.1 工程下载
关键代码如下:
typedef struct _remoteparameter
{
    // Parameter block that MyInjectLib writes into the target process and
    // that remote() reads there.  Only a byte copy crosses the process
    // boundary, so the block must stay plain data: a pointer stored here is
    // only meaningful if it already refers to the target's address space
    // (hListHwnd, the rp* addresses) or if remote() re-points it before use
    // (item.pszText).
    LVITEM item;                  // scratch LVITEM handed to SendMessage (LVM_GETITEMTEXT)
    RECT rect;                    // scratch RECT for LVM_GETITEMRECT; filled in by remote()
    int iCount;                   // number of ListView rows to read
    char strFileMap[MAX_PATH];    // name passed to OpenFileMappingA
    HANDLE hFileMap;              // handle returned by OpenFileMapping (set inside the target)
    BYTE *MapMem;                 // start of the shared-memory view returned by MapViewOfFile
    HWND hListHwnd;               // ListView window the rows are read from
    char strItemText[256];        // text buffer LVM_GETITEMTEXT writes into (cchTextMax <= 256)

    // Addresses of the exports remote() calls, resolved by MyInjectLib in the
    // injecting process.  They are DWORDs, so only a 32-bit build can hold a
    // whole pointer here, and they are only valid in the target if it has
    // kernel32/user32 at the same addresses — assumed, not verified.
    // DWORD rpOutDebugString;
    DWORD rpOpenFileMapping;
    DWORD rpMapViewOfFile;
    DWORD rpSendMessage;

} REMOTEPARAMETER, *PREMOTEPARAMETER;

typedef struct _itemInfo
{
    // One ListView row as published in the shared file mapping.  remote()
    // writes entry i at byte offset i * sizeof(ITEMINFO) into the view and
    // never checks that the mapping is large enough, so the creator of the
    // mapping must size it for at least iCount entries and read it back
    // with this exact layout.
    char strItemText[256];   // sub-item 0 text, copied as a full 256-byte buffer
    char ipersonCount[20];   // sub-item 1 text (人数 = number of players), kept as text, not parsed
    char strspeed[20];       // sub-item 3 text (presumably the speed column)
    RECT rect;               // row rectangle from LVM_GETITEMRECT (rect.left = 0 = LVIR_BOUNDS on input)
} ITEMINFO;

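BOOL WINAPI MyInjectLib()
{
    // Copies the bytes of remote() into g_hTargetProcess together with a
    // REMOTEPARAMETER block, runs the copy there on a new thread and waits
    // for it to finish.  In the target, remote() reads g_itemCount rows of
    // the ListView g_SysList into the "MMShare_EnterHF" file mapping.
    //
    // Returns TRUE only when every step succeeded.  (The original returned
    // TRUE unconditionally, so callers never saw a failure; fOk was computed
    // and then thrown away.)  The Win32 error of the failing step is left in
    // GetLastError().
    //
    // Ownership: g_hTargetProcess is neither opened nor closed here — whoever
    // set the global owns that handle.  The original closed it in __finally,
    // which left the global pointing at a closed handle for every later call.
    // Remote allocations and the thread handle are released on every path.
    enum { REMOTE_CODE_BYTES = 4 * 1024 };   // bytes of remote() copied across (see note below)

    BOOL fOk = FALSE;              // assume failure until the last step succeeds
    HANDLE hProcess = NULL;        // alias of g_hTargetProcess, not owned
    HANDLE hThread = NULL;         // thread created in the target; owned, closed in __finally
    char *pRemoteCode = NULL;      // remote()'s bytes in the target's address space
    char *pRemoteParam = NULL;     // REMOTEPARAMETER copy in the target's address space

    __try {
        hProcess = g_hTargetProcess;
        if (hProcess == NULL) __leave;

        // NOTE(review): remote()'s length is not known here, so a fixed
        // REMOTE_CODE_BYTES is read starting at its address.  If the function
        // is shorter the copy also carries whatever follows it in this module
        // (or faults if that is unmapped); if it is longer, its tail is
        // missing.  Neither case is detected.
        pRemoteCode = (char *)VirtualAllocEx(hProcess, NULL, REMOTE_CODE_BYTES,
                                             MEM_COMMIT, PAGE_READWRITE);
        if (pRemoteCode == NULL) __leave;
        if (!WriteProcessMemory(hProcess, pRemoteCode, (LPVOID)remote,
                                REMOTE_CODE_BYTES, NULL)) __leave;

        HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
        if (hKernel32 == NULL) __leave;
        HMODULE hUser32 = GetModuleHandle(_T("user32.dll"));
        if (hUser32 == NULL) __leave;

        // Build the parameter block.  The export addresses are resolved in
        // this process and stored as DWORDs (32-bit build only); remote()
        // calls through them, so a null here would be a null call there.
        REMOTEPARAMETER rp;
        memset(&rp, 0, sizeof rp);
        rp.rpMapViewOfFile   = (DWORD)GetProcAddress(hKernel32, "MapViewOfFile");
        rp.rpOpenFileMapping = (DWORD)GetProcAddress(hKernel32, "OpenFileMappingA");
        rp.rpSendMessage     = (DWORD)GetProcAddress(hUser32, "SendMessageA");
        if (rp.rpMapViewOfFile == 0 || rp.rpOpenFileMapping == 0 || rp.rpSendMessage == 0)
            __leave;

        strcpy(rp.strFileMap, "MMShare_EnterHF");   // constant literal, fits MAX_PATH; the mapping remote() opens by name
        rp.hListHwnd       = g_SysList;
        rp.iCount          = g_itemCount;
        rp.item.cchTextMax = 256;
        rp.item.iSubItem   = 0;
        rp.item.mask       = 0;
        rp.item.pszText    = rp.strItemText;   // local address; remote() re-points it to its own copy before use

        pRemoteParam = (char *)VirtualAllocEx(hProcess, NULL, sizeof rp,
                                              MEM_COMMIT, PAGE_READWRITE);
        if (pRemoteParam == NULL) __leave;
        if (!WriteProcessMemory(hProcess, pRemoteParam, &rp, sizeof rp, NULL)) __leave;

        // Run the copied remote() with the copied parameter block as pvparam.
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)pRemoteCode,
                                     pRemoteParam, 0, NULL);
        if (hThread == NULL) __leave;

        // Unbounded wait: if remote() blocks (e.g. SendMessage to a window
        // that is not pumping messages) this call never returns.
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) __leave;

        fOk = TRUE;   // every step succeeded
    }
    __finally {
        // Runs on both the normal path and every __leave above.
        if (pRemoteCode != NULL)
            VirtualFreeEx(hProcess, pRemoteCode, 0, MEM_RELEASE);

        if (pRemoteParam != NULL)
            VirtualFreeEx(hProcess, pRemoteParam, 0, MEM_RELEASE);

        if (hThread != NULL)
            CloseHandle(hThread);

        // hProcess aliases g_hTargetProcess and is intentionally left open.
    }
    return fOk;
}
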
DWORD WINAPI remote(LPVOID pvparam)
{
    // Thread entry that runs inside the target process: MyInjectLib copies
    // this function's raw bytes over and starts a thread at the copy with a
    // REMOTEPARAMETER as pvparam.  Only the bytes travel, so nothing in here
    // may reference this module: every API is reached through the function
    // pointers carried in REMOTEPARAMETER and every buffer copy is a plain
    // loop rather than a memcpy/strcpy call.  Any edit must keep it that way.
    //
    // For each of the erp->iCount rows of the ListView erp->hListHwnd it
    // reads sub-item 0, sub-item 1 (人数, player count) and sub-item 3
    // (presumably speed) plus the row rectangle, and stores them as
    // ITEMINFO[i] in the file mapping named erp->strFileMap.
    //
    // Returns 0 in every case, so the injector cannot distinguish success
    // from a failed OpenFileMapping/MapViewOfFile.  The mapping handle and
    // the view are never released here (no CloseHandle/UnmapViewOfFile
    // pointer is passed in), so each run leaks one handle and one view in
    // the target.

    PREMOTEPARAMETER erp = ( PREMOTEPARAMETER)pvparam;

    // Local prototypes for the exports whose addresses arrive as DWORDs.
    typedef LPVOID (WINAPI *defMapViewOfFile)(IN HANDLE hFileMappingObject,
                                              IN DWORD dwDesiredAccess,
                                              IN DWORD dwFileOffsetHigh,
                                              IN DWORD dwFileOffsetLow,
                                              IN SIZE_T dwNumberOfBytesToMap );
    typedef HANDLE (WINAPI *defOpenFileMappingA)(IN DWORD dwDesiredAccess, IN BOOL bInheritHandle, IN LPCSTR lpName);
    typedef LRESULT (WINAPI *defSendMessageA)(IN HWND hWnd, IN UINT Msg, IN WPARAM wParam, IN LPARAM lParam);
    typedef VOID (WINAPI *defOutputDebugStringA)(IN LPCSTR lpOutputString);   // unused: rpOutDebugString is commented out
    defSendMessageA MySendMsg = (defSendMessageA)erp->rpSendMessage;
    defOpenFileMappingA MyOpenFileMapping = (defOpenFileMappingA)erp->rpOpenFileMapping;
    defMapViewOfFile MyMapViewOfFile = (defMapViewOfFile)erp->rpMapViewOfFile;

    // Open the mapping created by the reader side, by name.
    erp->hFileMap = (*MyOpenFileMapping)(FILE_MAP_WRITE, 0, erp->strFileMap);
    if ( erp->hFileMap == NULL )
        return 0;
    // dwNumberOfBytesToMap = 0 maps the whole object.  Its size is unknown
    // here, so the ITEMINFO[i] writes below are not checked against it; the
    // creator must have sized it for at least iCount entries.
    erp->MapMem = (BYTE *)(*MyMapViewOfFile)(erp->hFileMap, FILE_MAP_WRITE, 0, 0, 0);
    if ( erp->MapMem == NULL)
        return 0;

    for (int i = 0; i < erp->iCount; i++)
    {
        // --- sub-item 0 -> strItemText (up to 256 chars incl. NUL) ---
        // Every LVITEM field is rewritten before each request; the control
        // fills erp->strItemText, which pszText is re-pointed to here
        // because the value set by the injector was a foreign address.
        erp->item.cchTextMax = 256;

        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem = 0;          // LVM_GETITEMTEXT takes the row from wParam, not from iItem
        erp->item.iSubItem = 0;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        // rect.left doubles as the LVIR_* code for LVM_GETITEMRECT further
        // down; 0 is LVIR_BOUNDS.
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        // Return value (character count) is ignored.
        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        // Entry i of the shared array; unchecked against the view size.
        ITEMINFO *info = (ITEMINFO *)&erp->MapMem[i * sizeof(ITEMINFO)];
        // Plain loop on purpose (see header); copies the whole buffer
        // including the terminator the control wrote.
        for (int j = 0;j < 256;j++)
        {
            info->strItemText[j] = erp->item.pszText[j];
        }

        // --- sub-item 1 -> ipersonCount (取得人数: get the player count) ---
        // cchTextMax = 20 limits the control to 20 chars incl. NUL inside the
        // 256-byte strItemText; the copy below takes exactly those 20.
        erp->item.cchTextMax = 20;

        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem = 0;
        erp->item.iSubItem = 1;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        for (int j = 0;j < 20;j++)
        {
            info->ipersonCount[j] = erp->item.pszText[j];
        }

        // --- sub-item 3 -> strspeed (same 20-char limit) ---
        erp->item.cchTextMax = 20;

        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem = 0;
        erp->item.iSubItem = 3;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        for (int j = 0;j < 20;j++)
        {
            info->strspeed[j] = erp->item.pszText[j];
        }

        // --- row rectangle (取得RECT) ---
        // erp->rect is still all-zero from above, so left = LVIR_BOUNDS;
        // the control overwrites the whole RECT.  Copied field by field to
        // avoid a struct-copy that the compiler might turn into a call.
        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMRECT, WPARAM(i), LPARAM(&erp->rect));
        info->rect.bottom = erp->rect.bottom;
        info->rect.top = erp->rect.top;
        info->rect.left = erp->rect.left;
        info->rect.right = erp->rect.right;
    }

    return 0;
}