void CtestwmDlg::OnBnClickedButton1() { CStringA lpszFile; m_file.GetWindowText(lpszFile); if (lpszFile.IsEmpty()) lpszFile = GetExeDirA()+"\\element\\elementclient.exe"; LPCSTR lpDir = GetDirA(lpszFile); LPSTR lpwParam = " game:cpw"; CStringA lpDll; LPCSTR dll[5] = { "CEGUIBase.dll", "DirectX81GUIRenderer.dll", "CEGUIExpatParser.dll", "CEGUIFalagardWRBase.dll", "wmsdk.dll" //自己的,要最后注入,不然失败 }; STARTUPINFO si= {0}; si.cb = sizeof si; si.dwFlags = STARTF_USECOUNTCHARS; si.wShowWindow = SW_SHOW; PROCESS_INFORMATION pi; CreateProcess(lpszFile,lpwParam,0,0,FALSE,CREATE_SUSPENDED,0,lpDir,&si,&pi); ResumeThread(pi.hThread); for (int i = 0;i < 5;i++) { lpDll.Format("%s\\%s",GetExeDirA(),dll); injectionDll(pi.hProcess,lpDll); } injectionDll 函数 void injectionDll(HANDLE hProcess,LPCSTR lpDll) { DWORD dwSize = strlen(lpDll) + 1; LPVOID lpBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); WriteProcessMemory(hProcess,lpBuf,LPVOID(lpDll),dwSize,NULL); LPVOID lpFun = LoadLibraryA; ASSERT(lpFun); HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpFun,lpBuf,0,0); WaitForSingleObject(hThread,INFINITE); VirtualFreeEx(hProcess,lpBuf,dwSize,MEM_DECOMMIT); CloseHandle(hThread); } }
DLL代码
#include "Main.h" #include "Game.h" #include "IDirect3D8.h" DWORD WINAPI ThreadProc(LPVOID lpParameter); LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); typedef IDirect3D8 * (WINAPI * lpDirect3DCreate8)(UINT SDKVersion); lpDirect3DCreate8 pDirect3DCreate8; IDirect3D8 * WINAPI myDirect3DCreate8(UINT SDKVersion); CGame * Game; HMODULE phModule; MyIDirect3D8 * NewIDirect3D8; BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { phModule = hModule; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: CreateThread(NULL,0,ThreadProc,NULL,0,NULL); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } DWORD WINAPI ThreadProc(LPVOID lpParameter) { HMODULE hD3D8 = GetModuleHandle(L"d3d8.dll"); while (hD3D8 == 0) { Sleep(1); hD3D8 = GetModuleHandle(L"d3d8.dll"); } LPVOID lpFunC = GetProcAddress(hD3D8,"Direct3DCreate8"); DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourAttach(&(PVOID&)lpFunC,myDirect3DCreate8); DetourTransactionCommit(); pDirect3DCreate8= (lpDirect3DCreate8)lpFunC; return 0; } IDirect3D8 * WINAPI myDirect3DCreate8(UINT SDKVersion) { static int doing; doing++; IDirect3D8 * tmp = pDirect3DCreate8(SDKVersion); if (doing == 2) //2=窗口模式 3=全屏模式 { NewIDirect3D8 = new MyIDirect3D8(tmp); tmp= (IDirect3D8*)NewIDirect3D8; } return tmp; } HRESULT APIENTRY MyIDirect3D8::CreateDevice(UINT Adapter,D3DDEVTYPE DeviceType,HWND hFocusWindow,DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters,IDirect3DDevice8** ppReturnedDeviceInterface) { HRESULT hr=lpD3D->CreateDevice(Adapter,DeviceType,hFocusWindow,BehaviorFlags, pPresentationParameters,&lpD3DD8bak); lpD3DD8=new MyIDirect3DDevice8(lpD3DD8bak); *ppReturnedDeviceInterface = (IDirect3DDevice8*)lpD3DD8; Game=new CGame(lpD3DD8,phModule); Game->hWnd=hFocusWindow; Game->WndProc=(WNDPROC)SetWindowLong(hFocusWindow,GWL_WNDPROC,(LONG)&WndProc); Game->init(); return hr; }
我用VS2010+VC9 + GEGUI 0.62 + Detours 编译通过