#include <stdio.h> #include <iostream> #include <string.h> #include <atlstr.h> using namespace std;
// Entry point of a loader that forces another process to load a DLL:
// it enables SeDebugPrivilege on its own token, finds the process that owns
// the window titled "Counter-Strike", writes the string "CHEATINGPLUGIN.dll"
// into that process and starts a thread there whose start routine is
// LoadLibraryA. This is the classic remote-thread DLL injection pattern
// (MITRE ATT&CK T1055.001); the comments below mark what each stage does and
// where it is visible to a defender.
//
// NOTE(review): the function name is missing in this listing (presumably
// `main`, lost in extraction); as shown the declaration does not compile.
// Every failure path shows a message box and returns 0; the success path
// falls off the end with no return statement. None of hToken, hCSProcess or
// hThreadHandle is ever closed, and the remote allocation is never freed.
int () {
    CString strMsg;

    // --- Stage 1: enable SeDebugPrivilege on this process's own token ---
    // TOKEN_ALL_ACCESS is requested although the token is only used for
    // AdjustTokenPrivileges below.
    HANDLE hToken;
    if (FALSE == OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {
        strMsg.Format(TEXT("Open process token failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // Resolve the LUID of SE_DEBUG_NAME on the local system (first argument NULL).
    LUID luid;
    if (FALSE == LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        strMsg.Format(TEXT("Query privilegevalue failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // Ask for that single privilege to be enabled. A privilege can only be
    // enabled if the token already holds it; by default SeDebugPrivilege is
    // granted to administrators, so running users without admin rights is one
    // control that limits this stage.
    TOKEN_PRIVILEGES tkp;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (FALSE == AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
        strMsg.Format(TEXT("Adjust process privilege token failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // --- Stage 2: locate the target process through its window title ---
    // The match is on the exact top-level window title only (class name NULL).
    HWND hWindow = ::FindWindow(NULL, TEXT("Counter-Strike"));
    if (hWindow == NULL) {
        strMsg.Format(TEXT("FindWindow failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // Map the window to the id of the process that created it; dwPid staying 0
    // is treated as failure.
    DWORD dwPid = 0;
    GetWindowThreadProcessId(hWindow, &dwPid);
    if (dwPid == 0) {
        strMsg.Format(TEXT("GetWindowThreadProcessId() failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // --- Stage 3: open the target and place the DLL name in its memory ---
    // Detection: a cross-process open with PROCESS_ALL_ACCESS is recorded by
    // process-access telemetry (e.g. Sysmon Event ID 10) and such a broad mask
    // from an unrelated process is a strong signal on its own.
    HANDLE hCSProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (hCSProcess == NULL) {
        strMsg.Format(TEXT("OpenProcess() failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // The DLL is named without a path.
    // NOTE(review): dllName holds strlen(dllName) + 1 bytes, but size is
    // strlen(dllName) + 5, and WriteProcessMemory below copies `size` bytes
    // from dllName -- that reads past the end of the local array.
    char dllName[] = "CHEATINGPLUGIN.dll";
    DWORD size = strlen(dllName) + 5;

    // Commit a read/write region of `size` bytes inside the target process.
    LPVOID lpAddr = VirtualAllocEx(hCSProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
    if (lpAddr == NULL) {
        strMsg.Format(TEXT("VirtualAllocEx() failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // Copy the DLL name into that region; the bytes-written out-parameter is
    // not requested (NULL).
    if (FALSE == WriteProcessMemory( hCSProcess, lpAddr, dllName, size, NULL )) {
        strMsg.Format(TEXT("WriteProcessMemory() failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }

    // --- Stage 4: run LoadLibraryA in the target with the name as argument ---
    // The address of LoadLibraryA is looked up in this process's Kernel32.dll
    // and used as the start routine of the remote thread.
    // NOTE(review): neither the GetModuleHandle nor the GetProcAddress result
    // is checked before use.
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle( TEXT("Kernel32.dll")), "LoadLibraryA" );

    // Detection: remote thread creation is logged by Sysmon Event ID 8, and a
    // start address equal to LoadLibraryA is a well-known injection indicator;
    // the resulting module load appears as an image-load event (Sysmon Event
    // ID 7) in the target process.
    HANDLE hThreadHandle = ::CreateRemoteThread(hCSProcess, NULL, 0, pfnStartAddr, lpAddr, 0, NULL);
    if (NULL == hThreadHandle) {
        strMsg.Format(TEXT("CreateRemoteThread() failed, error code: %d"), GetLastError());
        MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
        return 0;
    }
    // The thread is not waited on and its exit code is not read, so the code
    // never learns whether the load in the target actually succeeded.
}