我正在开发一个注入到进程中的 DLL,它会用到一些内存地址。我的想法是让 DLL 自动查找并更新这些地址,因为我手里有对应的字节模式,而且我可以通过 Search -> Sequence of bytes...
在 IDA 中完美地找到它们。如您所见,IDA 能够找到带有通配符的字节序列。
现在,我正在尝试在我的 DLL 中复制此 IDA 功能。
到目前为止,我在代码中尝试过的内容如下:
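// Base address of the module being scanned (filled in by MainFunc).
// It is an integer, so initialize it with 0 rather than the pointer macro NULL.
uintptr_t mainModule = 0;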
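// Worker thread started from DllMain: attaches a console, looks up the target
// module and runs the pattern scan. Leaves via FreeLibraryAndExitThread when
// the module is missing or the scan fails.
//
// hModule: handle of this DLL (forwarded from DllMain); used only to unload it.
DWORD WINAPI MainFunc(HMODULE hModule) {
    AllocConsole();
    FILE* console = nullptr;
    // freopen_s can fail and leave `console` null; fclose(nullptr) is undefined,
    // so remember whether the redirect actually succeeded.
    const bool haveConsole = freopen_s(&console, "CONOUT$", "w", stdout) == 0 && console != nullptr;

    mainModule = reinterpret_cast<uintptr_t>(GetModuleHandle(L"client.dll"));
    // Test the handle we just looked up. The original tested hModule (this DLL's
    // own handle, never null here), so the "not found" branch was unreachable and
    // a missing module went straight into the scan with mainModule == 0.
    if (mainModule != 0) {
        if (GetPatterns()) {
            while (true) Sleep(1);
        }
    } else {
        std::cout << "Main module not found, press ENTER to exit..." << std::endl;
        getchar();
    }

    if (haveConsole) fclose(console);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached: FreeLibraryAndExitThread does not return
}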
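// DLL entry point. All real work is deferred to a separate thread because
// DllMain runs under the loader lock and should neither block nor do I/O.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, [[maybe_unused]] LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: {
        // The handle is closed immediately; the thread keeps running without it.
        // CreateThread can return null, and CloseHandle(nullptr) is an error.
        HANDLE thread = CreateThread(nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(MainFunc), hModule, 0, nullptr);
        if (thread != nullptr) CloseHandle(thread);
        break; // the original fell through into DLL_PROCESS_DETACH
    }
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}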
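// Matches `pData` against `pMask` under the string mask `pszMask`: at every 'x'
// position the bytes must be equal, any other mask character is a wildcard.
// Precondition: strlen(pszMask) bytes are readable at both pData and pMask —
// this function does no bounds checking of its own.
bool Compare(const BYTE* pData, const BYTE* pMask, const char* pszMask) {
    for (; *pszMask; ++pszMask, ++pData, ++pMask) {
        if (*pszMask == 'x' && *pData != *pMask) return false;
    }
    // The loop only ends when *pszMask reached the terminator, so the original
    // `return (*pszMask) == NULL` was always true; state that directly.
    return true;
}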
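// Scans [dwAddress, dwAddress + dwLen) for the first offset at which Compare()
// matches bMask/szMask. Returns the matching address, or 0 when there is none
// (also for null arguments, an empty mask, or a mask longer than the range).
uintptr_t FindPattern(uintptr_t dwAddress, DWORD dwLen, BYTE* bMask, const char* szMask) {
    if (bMask == nullptr || szMask == nullptr) return 0;
    const size_t maskLen = std::strlen(szMask);
    if (maskLen == 0 || maskLen > dwLen) return 0;
    // Stop maskLen-1 bytes before the end: the original iterated i up to dwLen-1
    // and let Compare read up to maskLen bytes from there, i.e. past the range.
    const DWORD last = dwLen - static_cast<DWORD>(maskLen);
    for (DWORD i = 0; i <= last; ++i) {
        if (Compare(reinterpret_cast<const BYTE*>(dwAddress + i), bMask, szMask))
            return dwAddress + i;
    }
    // NOTE(review): the bytes are read directly. If the range includes pages that
    // are not readable (a module image can contain such regions) the read faults;
    // the caller is responsible for passing an accessible range.
    return 0;
}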
// Module information for mainModule; populated by GetPatterns and read by
// GetPattern (SizeOfImage bounds the scan). Namespace-scope storage is
// zero-initialized either way; the braces just make that explicit.
MODULEINFO mInfo{};
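// Runs one scan of the main module (globals mainModule and mInfo must already be
// set, see GetPatterns) and reports the outcome on the console.
// Returns true when the pattern was found.
bool GetPattern(BYTE pattern[], const char* mask)
{
    // uintptr_t, not DWORD: in a 64-bit process a DWORD keeps only the low 32
    // bits of the address (the 0xcae401b0 symptom), which then points nowhere.
    const uintptr_t foundAddress = FindPattern(mainModule, mInfo.SizeOfImage, pattern, mask);
    if (foundAddress == 0) {
        std::cout << "Error: pattern not found" << std::endl;
        return false;
    }
    // std::hex is sticky on the stream; restore the flags so later numeric
    // output is not silently printed in hexadecimal.
    const auto savedFlags = std::cout.flags();
    std::cout << "Found pattern at: 0x" << std::hex << foundAddress << std::endl;
    std::cout.flags(savedFlags);
    return true;
}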
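// Fills the global mInfo for the module at mainModule and scans it for the one
// pattern below. Returns false, after printing the reason, when the module
// information cannot be read or the pattern is not found.
bool GetPatterns()
{
    if (!GetModuleInformation(GetCurrentProcess(), reinterpret_cast<HMODULE>(mainModule), &mInfo, sizeof(mInfo))) {
        std::cout << "Error: unable to get module info" << std::endl;
        return false;
    }
    // '?' marks a wildcard position; the pattern byte there (0x00) is ignored.
    BYTE pattern[] = { 0x48, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x00, 0x8B, 0x88 };
    const char mask[] = "xxx????xxxx?xx";
    // Compare() walks the mask: a mask longer than the pattern reads past the
    // array, a shorter one ignores trailing bytes. Tie the two lengths together.
    static_assert(sizeof(mask) - 1 == sizeof(pattern), "mask length must equal pattern length");
    return GetPattern(pattern, mask);
}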
我得到的输出是“Found pattern at: 0xcae401b0”,但这个地址指向的位置什么也没有:
(也尝试过 client.dll + 输出地址,但同样无济于事)
解决了 :) 原因是 DWORD 只有 32 位,在 64 位进程中它会把 FindPattern 返回的 uintptr_t 地址截断成低 32 位,所以 0xcae401b0 并不是完整的地址。
更改此行:
DWORD foundAddress = FindPattern(mainModule, mInfo.SizeOfImage, pattern, mask);
对此:
uintptr_t foundAddress = FindPattern(mainModule, mInfo.SizeOfImage, pattern, mask);