远程线程插入,获得其它进程ListCtrl信息
因为进浩方玩星际,每次都要挤房间,所以做了一个挤房间的小工具.
VC7.1 工程下载
关键代码如下:
1
![]()
typedef
struct
_remoteparameter
2![]()
![]()
![]()
{
3![]()
4![]()
LVITEM item; // 用于SendMessage
5![]()
RECT rect;
6![]()
int iCount; // 列表个数
7![]()
char strFileMap[MAX_PATH]; // OpenFileMapping
8![]()
HANDLE hFileMap; // OpenFileMapping 返回的句柄
9![]()
BYTE * MapMem; // MapViewOfFile 返回的共享内存始址
10![]()
HWND hListHwnd;
11![]()
char strItemText[ 256 ];
12![]()
13![]()
// DWORD rpOutDebugString;
14![]()
DWORD rpOpenFileMapping;
15![]()
DWORD rpMapViewOfFile;
16![]()
DWORD rpSendMessage;
17![]()
18![]()
}
REMOTEPARAMETER,
*
PREMOTEPARAMETER;
19![]()
20![]()
typedef
struct
_itemInfo
21![]()
![]()
![]()
{
22![]()
char strItemText[ 256 ];
23![]()
char ipersonCount[ 20 ];
24![]()
char strspeed[ 20 ];
25![]()
RECT rect;
26![]()
}
ITEMINFO;
27![]()
28![]()
BOOL WINAPI MyInjectLib()
29![]()
![]()
![]()
{
30![]()
31![]()
BOOL fOk = FALSE; // Assume that the function fails
32![]()
HANDLE hProcess = NULL, hThread = NULL;
33![]()
char * pszLibFileRemote = NULL;
34![]()
char * remotepar = NULL;
35![]()
36![]()
![]()
__try ![]()
{
37![]()
// Get a handle for the target process.
38![]()
hProcess = g_hTargetProcess;
39![]()
// Calculate the number of bytes needed for the DLL's pathname
40![]()
int cb = 4 * 1024 ;
41![]()
42![]()
// Allocate space in the remote process for the pathname
43![]()
pszLibFileRemote = ( char * )
44![]()
VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
45![]()
if (pszLibFileRemote == NULL) __leave;
46![]()
47![]()
// Copy the DLL's pathname to the remote process's address space
48![]()
if ( ! WriteProcessMemory(hProcess, pszLibFileRemote,
49![]()
(LPVOID) remote, cb, NULL)) __leave;
50![]()
51![]()
REMOTEPARAMETER rp;
52![]()
memset(( char * ) & rp, 0 , sizeof (rp));
53![]()
54![]()
HANDLE hkernel32 = GetModuleHandle(_T( " kernel32.dll " ));
55![]()
if ( hkernel32 == NULL ) __leave;
56![]()
HANDLE huser32 = GetModuleHandle(_T( " user32.dll " ));
57![]()
if ( huser32 == NULL ) __leave;
58![]()
59![]()
60![]()
rp.rpMapViewOfFile = (DWORD)GetProcAddress((HMODULE)hkernel32, " MapViewOfFile " );
61![]()
rp.rpOpenFileMapping = (DWORD)GetProcAddress((HMODULE)hkernel32, " OpenFileMappingA " );
62![]()
rp.rpSendMessage = (DWORD)GetProcAddress((HMODULE)huser32, " SendMessageA " );
63![]()
// rp.rpOutDebugString = (DWORD)GetProcAddress((HMODULE)hkernel32,"OutputDebugStringA");
64![]()
65![]()
strcpy(rp.strFileMap, " MMShare_EnterHF " );
66![]()
rp.hListHwnd = g_SysList;
67![]()
rp.iCount = g_itemCount;
68![]()
rp.item.cchTextMax = 256 ;
69![]()
rp.item.iSubItem = 0 ;
70![]()
rp.item.pszText = rp.strItemText;
71![]()
rp.item.mask = 0 ;
72![]()
73![]()
cb = sizeof (rp);
74![]()
remotepar = ( char * )VirtualAllocEx(hProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
75![]()
if ( remotepar == NULL) __leave;
76![]()
77![]()
if ( ! WriteProcessMemory(hProcess,remotepar,(LPVOID) & rp,cb,NULL)) __leave;
78![]()
79![]()
// Create a remote thread that calls LoadLibraryW(DLLPathname)Z
80![]()
hThread = CreateRemoteThread(hProcess, NULL, 0 ,
81![]()
(LPTHREAD_START_ROUTINE)pszLibFileRemote,(LPVOID)remotepar, 0 , NULL);
82![]()
if (hThread == NULL) __leave;
83![]()
84![]()
// Wait for the remote thread to terminate
85![]()
WaitForSingleObject(hThread, INFINITE);
86![]()
87![]()
fOk = TRUE; // Everything executed successfully
88![]()
}
89![]()
![]()
__finally ![]()
{ // Now, we can clean everthing up
90![]()
91![]()
// Free the remote memory that contained the DLL's pathname
92![]()
if (pszLibFileRemote != NULL)
93![]()
VirtualFreeEx(hProcess, pszLibFileRemote, 0 , MEM_RELEASE);
94![]()
95![]()
if (remotepar != NULL)
96![]()
VirtualFreeEx(hProcess, remotepar, 0 , MEM_RELEASE);
97![]()
98![]()
if (hThread != NULL)
99![]()
CloseHandle(hThread);
100![]()
101![]()
if (hProcess != NULL)
102![]()
CloseHandle(hProcess);
103![]()
}
104![]()
return TRUE;
105![]()
}
106![]()
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
1
![]()
DWORD WINAPI remote(LPVOID pvparam)
2![]()
![]()
![]()
{
3![]()
4![]()
5![]()
PREMOTEPARAMETER erp = ( PREMOTEPARAMETER)pvparam;
6![]()
7![]()
typedef LPVOID (WINAPI * defMapViewOfFile)(IN HANDLE hFileMappingObject,
8![]()
IN DWORD dwDesiredAccess,
9![]()
IN DWORD dwFileOffsetHigh,
10![]()
IN DWORD dwFileOffsetLow,
11![]()
IN SIZE_T dwNumberOfBytesToMap );
12![]()
typedef HANDLE (WINAPI * defOpenFileMappingA)(IN DWORD dwDesiredAccess, IN BOOL bInheritHandle, IN LPCSTR lpName);
13![]()
typedef LRESULT (WINAPI * defSendMessageA)(IN HWND hWnd, IN UINT Msg, IN WPARAM wParam, IN LPARAM lParam);
14![]()
typedef VOID (WINAPI * defOutputDebugStringA)(IN LPCSTR lpOutputString);
15![]()
defSendMessageA MySendMsg = (defSendMessageA)erp -> rpSendMessage;
16![]()
defOpenFileMappingA MyOpenFileMapping = (defOpenFileMappingA)erp -> rpOpenFileMapping;
17![]()
defMapViewOfFile MyMapViewOfFile = (defMapViewOfFile)erp -> rpMapViewOfFile;
18![]()
19![]()
20![]()
erp -> hFileMap = ( * MyOpenFileMapping)(FILE_MAP_WRITE, 0 , erp -> strFileMap);
21![]()
if ( erp -> hFileMap == NULL )
22![]()
return 0 ;
23![]()
erp -> MapMem = (BYTE * )( * MyMapViewOfFile)(erp -> hFileMap, FILE_MAP_WRITE, 0 , 0 , 0 );
24![]()
if ( erp -> MapMem == NULL)
25![]()
return 0 ;
26![]()
27![]()
for ( int i = 0 ; i < erp -> iCount; i ++ )
28![]()
![]()
![]()
{
29![]()
30![]()
31![]()
erp -> item.cchTextMax = 256 ;
32![]()
33![]()
34![]()
erp -> item.iImage = 0 ;
35![]()
erp -> item.iIndent = 0 ;
36![]()
erp -> item.iItem = 0 ;
37![]()
erp -> item.iSubItem = 0 ;
38![]()
erp -> item.lParam = 0 ;
39![]()
erp -> item.mask = 0 ;
40![]()
erp -> item.pszText = erp -> strItemText;
41![]()
42![]()
erp -> item.state = 0 ;
43![]()
erp -> item.stateMask = 0 ;
44![]()
erp -> rect.bottom = erp -> rect.left = erp -> rect.right = erp -> rect.top = 0 ;
45![]()
46![]()
( * MySendMsg)(erp -> hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM( & erp -> item));
47![]()
48![]()
ITEMINFO * info = (ITEMINFO * ) & erp -> MapMem[i * sizeof (ITEMINFO)];
49![]()
for ( int j = 0 ;j < 256 ;j ++ )
50![]()
![]()
![]()
{
51![]()
info -> strItemText[j] = erp -> item.pszText[j];
52![]()
}
53![]()
54![]()
// 取得人数
55![]()
erp -> item.cchTextMax = 20 ;
56![]()
57![]()
58![]()
erp -> item.iImage = 0 ;
59![]()
erp -> item.iIndent = 0 ;
60![]()
erp -> item.iItem = 0 ;
61![]()
erp -> item.iSubItem = 1 ;
62![]()
erp -> item.lParam = 0 ;
63![]()
erp -> item.mask = 0 ;
64![]()
erp -> item.pszText = erp -> strItemText;
65![]()
66![]()
erp -> item.state = 0 ;
67![]()
erp -> item.stateMask = 0 ;
68![]()
erp -> rect.bottom = erp -> rect.left = erp -> rect.right = erp -> rect.top = 0 ;
69![]()
70![]()
( * MySendMsg)(erp -> hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM( & erp -> item));
71![]()
72![]()
for ( int j = 0 ;j < 20 ;j ++ )
73![]()
![]()
![]()
{
74![]()
info -> ipersonCount[j] = erp -> item.pszText[j];
75![]()
}
76![]()
77![]()
78![]()
erp -> item.cchTextMax = 20 ;
79![]()
80![]()
81![]()
erp -> item.iImage = 0 ;
82![]()
erp -> item.iIndent = 0 ;
83![]()
erp -> item.iItem = 0 ;
84![]()
erp -> item.iSubItem = 3 ;
85![]()
erp -> item.lParam = 0 ;
86![]()
erp -> item.mask = 0 ;
87![]()
erp -> item.pszText = erp -> strItemText;
88![]()
89![]()
erp -> item.state = 0 ;
90![]()
erp -> item.stateMask = 0 ;
91![]()
erp -> rect.bottom = erp -> rect.left = erp -> rect.right = erp -> rect.top = 0 ;
92![]()
93![]()
( * MySendMsg)(erp -> hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM( & erp -> item));
94![]()
95![]()
for ( int j = 0 ;j < 20 ;j ++ )
96![]()
![]()
![]()
{
97![]()
info -> strspeed[j] = erp -> item.pszText[j];
98![]()
}
99![]()
100![]()
// 取得RECT
101![]()
( * MySendMsg)(erp -> hListHwnd, LVM_GETITEMRECT, WPARAM(i), LPARAM( & erp -> rect));
102![]()
info -> rect.bottom = erp -> rect.bottom;
103![]()
info -> rect.top = erp -> rect.top;
104![]()
info -> rect.left = erp -> rect.left;
105![]()
info -> rect.right = erp -> rect.right;
106![]()
}
107![]()
108![]()
return 0 ;
109![]()
}
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109