CS1.6DLL注入外挂

CS1.6DLL注入外挂

研究外挂只是想学一下r0,r3攻防对抗,不干坏事,乖巧.jpg

这一次做一下锁血

首先常规操作获取血量地址:

进程注入相关代码

// dllinjecter.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <string.h>
#include <atlstr.h>
using namespace std;


int main()
{
// Injector entry point. Enables SeDebugPrivilege on its own token, finds the
// "Counter-Strike" window, opens that process, writes a DLL file name into it
// and starts a remote thread at LoadLibraryA so the target loads the DLL.
// The token-adjust -> OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence is the
// textbook remote-thread injection chain; anti-cheat and EDR telemetry
// correlate on exactly these calls, which is why it is easy to detect.
// Every failure path shows a MessageBox and returns 0, so the exit code
// does not distinguish success from failure.
CString strMsg;
HANDLE hToken;
// Open the injector's own token. hToken is never closed (leaks until exit).
if (FALSE == OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {
// GetLastError() returns a DWORD; %d prints it as signed (cosmetic for small codes).
strMsg.Format(TEXT("Open process token failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}
LUID luid;
// Resolve the LUID of SeDebugPrivilege on the local machine (first arg NULL).
if (FALSE == LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
strMsg.Format(TEXT("Query privilegevalue failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}
TOKEN_PRIVILEGES tkp;
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// was not actually assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g.
// when the injector is not elevated); that case is not checked here, so the
// later OpenProcess is where a missing privilege would surface.
if (FALSE == AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
strMsg.Format(TEXT("Adjust process privilege token failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}

// Target is located by exact top-level window title, not by executable name.
HWND hWindow = ::FindWindow(NULL, TEXT("Counter-Strike"));
if (hWindow == NULL) {
strMsg.Format(TEXT("FindWindow failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}

DWORD dwPid = 0;
// Return value (thread id) is ignored; only the owning process id is used.
GetWindowThreadProcessId(hWindow, &dwPid);
if (dwPid == 0) {
strMsg.Format(TEXT("GetWindowThreadProcessId() failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}

// Full access is requested although only VM_OPERATION/VM_WRITE/CREATE_THREAD
// (plus QUERY_INFORMATION) are needed below; the handle is never closed.
HANDLE hCSProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (hCSProcess == NULL) {
strMsg.Format(TEXT("OpenProcess() failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}
// Relative file name: LoadLibraryA resolves it inside the *target* process
// using that process's DLL search order, not the injector's directory.
char dllName[] = "CHEATINGPLUGIN.dll";
// strlen + 1 would cover the terminating NUL; the extra 4 bytes appear to be
// slack and are written as-is (the bytes past the NUL in dllName's storage).
DWORD size = strlen(dllName) + 5;
// Remote buffer for the name; it is never released with VirtualFreeEx.
LPVOID lpAddr = VirtualAllocEx(hCSProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
if (lpAddr == NULL) {
strMsg.Format(TEXT("VirtualAllocEx() failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}

// Bytes-written out-param is NULL, so a partial write is not detectable here.
if (FALSE == WriteProcessMemory(
hCSProcess,
lpAddr,
dllName,
size,
NULL
)) {
strMsg.Format(TEXT("WriteProcessMemory() failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}

// The address of LoadLibraryA is looked up in the injector's own kernel32 and
// reused in the target; this only works when kernel32 is mapped at the same
// base in both processes (same bitness, same boot session). The pointer is
// not checked for NULL before being handed to CreateRemoteThread.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(
TEXT("Kernel32.dll")),
"LoadLibraryA"
);
// The remote thread runs LoadLibraryA(lpAddr). Its handle is neither waited on
// nor closed, and LoadLibraryA's result (HMODULE or NULL) is never retrieved,
// so a failed load in the target is silent.
HANDLE hThreadHandle = ::CreateRemoteThread(hCSProcess, NULL, 0, pfnStartAddr, lpAddr, 0, NULL);
if (NULL == hThreadHandle) {
strMsg.Format(TEXT("CreateRemoteThread() failed, error code: %d"), GetLastError());
MessageBox(NULL, strMsg, TEXT("Warning"), MB_OK);
return 0;
}
//MessageBox(NULL, "Succeed!", "Congratulations", MB_OK);
// Falling off the end of main() returns 0 in C++ (same code as every failure path).
}

Dll文件代码:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <windows.h>

// Thread body started from DllMain: a "health lock" that rewrites one fixed
// address inside the host process every 30 ms.
// lpParam is unused (DllMain passes NULL). The function never returns: the
// loop has no exit condition, so the thread lives until the host process ends.
DWORD WINAPI cheating(LPVOID lpParam) {
while (1) {
DWORD health = 100;

// Absolute address of the health value as found by memory scanning for one
// particular game build (see the prose above). It is not derived from a
// module base, so on any other build or layout this writes 4 bytes to an
// unrelated location in the host process.
DWORD addr = 0x01A17C78;

// INVALID_HANDLE_VALUE is (HANDLE)-1, the same value GetCurrentProcess()
// returns, so this targets the DLL's own host process. The BOOL result is
// stored in res but never checked.
DWORD res = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)addr, &health, 4, 0);

// 30 ms refresh; any damage applied between two writes is still visible
// (the prose notes the lock is too slow to survive a one-shot kill).
Sleep(30);
}
return 0;
}


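// DLL entry point. On process attach it disables per-thread notifications and
// starts the `cheating` worker thread; all other reasons are no-ops.
// hModule is this DLL's module handle; lpReserved is unused. Always returns
// TRUE, so the loader never rejects the attach.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//MessageBox(NULL, "Dll Attached", "!!!", MB_OK);
::DisableThreadLibraryCalls(hModule);
// CreateThread here runs under the loader lock (see the pitfalls list
// after the listing); the new thread only starts executing once DllMain
// returns. The original discarded the handle, leaking it; closing it
// immediately does not stop the thread, it just drops our reference.
HANDLE hThread = CreateThread(NULL, 0, cheating, NULL, 0, NULL);
if (hThread != NULL) {
CloseHandle(hThread);
}
break; // previously missing: control fell through into the cases below
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
default:
break;
}
return TRUE;
}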

可以看到cs进程打开此文件并创建了一个新的线程:

效果如下,左下角血量(锁血延迟设置的较高0.3s,所以被秒没办法hhhh,我起了,一枪秒了,有什么好说的🔫):

其实在做这个期间遇到一些坑:

  • DllMain()中不要创建多线程,易造成死锁,或者是长时间无返回的函数如MessageBox()
  • CreateRemoteThread()创建远程线程时,Dll中不能含有静态变量如静态字符串或者static声明的函数,会在附加时产生一些权限问题,且data段已经确定无法修改,这样操作可能会使远程线程崩溃
  • 最好不要创建模态窗口
  • 等等。。。
