因為進浩方玩星際,每次都要擠房間,所以做了一個擠房間的小工具.
VC7.1 工程下載
關鍵代碼如下:
// Parameter block shared between MyInjectLib() and remote().
// MyInjectLib() fills one instance in the calling process and copies it
// byte-for-byte into the target process with WriteProcessMemory; remote()
// receives the address of that copy as its thread parameter. Because the
// block is copied raw, the field order and sizes are part of the contract
// between the two functions.
typedef struct _remoteparameter
{

    LVITEM  item;                   // LVITEM handed to SendMessage
    RECT    rect;
    int     iCount;                 // number of list items to read
    char    strFileMap[MAX_PATH];   // mapping name passed to OpenFileMapping
    HANDLE  hFileMap;               // handle returned by OpenFileMapping
    BYTE    *MapMem;                // base address of the shared memory returned by MapViewOfFile
    HWND    hListHwnd;
    char    strItemText[256];       // text buffer that item.pszText is pointed at

    //DWORD   rpOutDebugString;
    // Addresses of the API entry points, stored as integers and cast back to
    // function pointers inside remote().
    // NOTE(review): a DWORD holds 32 bits, so this layout presumes a 32-bit
    // build; a pointer would be truncated by the (DWORD) casts otherwise.
    DWORD   rpOpenFileMapping;
    DWORD   rpMapViewOfFile;
    DWORD   rpSendMessage;

} REMOTEPARAMETER, *PREMOTEPARAMETER;
// One record per list row. remote() writes record i at offset
// i * sizeof(ITEMINFO) of the shared file mapping, so whoever reads the
// mapping must use this exact layout.
typedef struct _itemInfo
{
    char    strItemText[256];   // text of sub-item 0
    char    ipersonCount[20];   // text of sub-item 1 (the player count)
    char    strspeed[20];       // text of sub-item 3
    RECT    rect;               // rectangle reported by LVM_GETITEMRECT for the row
} ITEMINFO;
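// Copies the code of remote() and a REMOTEPARAMETER block into the process
// behind g_hTargetProcess, runs remote() there on a new thread and waits for
// it to finish.
//
// Returns TRUE only when every step up to and including the wait completed,
// FALSE otherwise. (The original returned TRUE unconditionally, so callers
// could not tell a failed attempt from a successful one.)
//
// Security context for reviewers: VirtualAllocEx + WriteProcessMemory +
// CreateRemoteThread against a foreign process handle is the sequence that
// endpoint monitoring commonly reports as process injection. The region that
// receives the code is committed PAGE_READWRITE, i.e. without execute
// permission; where DEP is enforced for the target, a thread started in that
// region faults instead of running.
BOOL WINAPI MyInjectLib()
{

    BOOL fOk = FALSE; // Assume that the function fails
    HANDLE hProcess = NULL, hThread = NULL;
    char* pszLibFileRemote = NULL;  // remote buffer that receives the code of remote()
    char* remotepar = NULL;         // remote buffer that receives the parameter block

    __try {
        // Use the process handle opened elsewhere in the program.
        hProcess = g_hTargetProcess;
        // Fixed size of the region copied from the address of remote().
        // NOTE(review): 4 KB is a guess at the function's size; the copy
        // reads whatever follows remote() in this module up to that length.
        int cb  = 4*1024 ;

        // Allocate space in the remote process for the copied code
        pszLibFileRemote = (char*)
            VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFileRemote == NULL) __leave;

        // Copy cb bytes starting at remote() to the remote process's address space
        if (!WriteProcessMemory(hProcess, pszLibFileRemote,
            (LPVOID) remote, cb, NULL)) __leave;

        REMOTEPARAMETER rp;
        memset((char*)&rp,0,sizeof(rp));

        HANDLE hkernel32=GetModuleHandle(_T("kernel32.dll"));
        if( hkernel32 == NULL ) __leave;
        HANDLE huser32 = GetModuleHandle(_T("user32.dll"));
        if( huser32 == NULL ) __leave;

        // The addresses are resolved in THIS process and used in the target.
        // Assumes both DLLs are mapped at the same addresses there - TODO confirm.
        // NOTE(review): the (DWORD) casts truncate pointers on a 64-bit build,
        // and a NULL result from GetProcAddress is not checked.
        rp.rpMapViewOfFile = (DWORD)GetProcAddress((HMODULE)hkernel32,"MapViewOfFile");
        rp.rpOpenFileMapping = (DWORD)GetProcAddress((HMODULE)hkernel32,"OpenFileMappingA");
        rp.rpSendMessage = (DWORD)GetProcAddress((HMODULE)huser32,"SendMessageA");
        //rp.rpOutDebugString = (DWORD)GetProcAddress((HMODULE)hkernel32,"OutputDebugStringA");

        strcpy(rp.strFileMap,"MMShare_EnterHF");
        rp.hListHwnd = g_SysList;
        rp.iCount = g_itemCount;
        rp.item.cchTextMax = 256;
        rp.item.iSubItem = 0;
        // This pointer is only valid locally; remote() re-points it at the
        // copy of strItemText inside the target before using it.
        rp.item.pszText = rp.strItemText;
        rp.item.mask = 0;

        cb=sizeof(rp);
        remotepar=(char*)VirtualAllocEx(hProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
        if( remotepar == NULL)    __leave;

        if(!WriteProcessMemory(hProcess,remotepar,(LPVOID)&rp,cb,NULL))        __leave;

        // Start a thread in the target at the copied code, passing the
        // address of the copied parameter block as its argument
        hThread = CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)pszLibFileRemote,(LPVOID)remotepar, 0, NULL);
        if (hThread == NULL) __leave;

        // Wait for the remote thread to terminate.
        // NOTE(review): INFINITE blocks the caller for as long as the remote
        // thread runs.
        WaitForSingleObject(hThread, INFINITE);

        fOk = TRUE; // Everything executed successfully
    }
    __finally { // Now, we can clean everything up

        // Free the remote memory that held the copied code
        if (pszLibFileRemote != NULL)
            VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);

        // Free the remote memory that held the parameter block
        if (remotepar != NULL)
            VirtualFreeEx(hProcess, remotepar, 0, MEM_RELEASE);

        if (hThread  != NULL)
            CloseHandle(hThread);

        // NOTE(review): hProcess is a copy of g_hTargetProcess, so this closes
        // the handle the global still refers to - confirm no later use.
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    // Report the real outcome instead of a constant TRUE.
    return fOk;
}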
// Thread routine whose machine code MyInjectLib() copies into another process
// and starts there with CreateRemoteThread. pvparam is the address of the
// REMOTEPARAMETER copy inside that process.
//
// The routine reaches the Windows API only through the addresses stored in
// the parameter block and copies strings with plain loops; presumably this is
// deliberate, because import thunks and library calls of the original module
// are not available at the copied location. For the same reason the body is
// left exactly as written.
//
// For every row i in [0, iCount) of the list-view hListHwnd it reads the text
// of sub-items 0, 1 and 3 and the row rectangle, and stores them as
// ITEMINFO record i in the shared file mapping named by strFileMap.
// Always returns 0, including when the mapping cannot be opened or mapped.
//
// NOTE(review): nothing here checks i * sizeof(ITEMINFO) against the size of
// the mapping (not visible in this file section), so iCount must not exceed
// what the creator of the mapping sized it for.
// NOTE(review): hFileMap and the mapped view are not released before return.
DWORD WINAPI remote(LPVOID pvparam)
{

    PREMOTEPARAMETER erp = ( PREMOTEPARAMETER)pvparam;

    // Local function-pointer types matching the three APIs called below.
    typedef LPVOID     (WINAPI    *defMapViewOfFile)(IN HANDLE hFileMappingObject,
        IN DWORD dwDesiredAccess,
        IN DWORD dwFileOffsetHigh,
        IN DWORD dwFileOffsetLow,
        IN SIZE_T dwNumberOfBytesToMap    );
    typedef HANDLE    (WINAPI    *defOpenFileMappingA)(IN DWORD dwDesiredAccess,    IN BOOL bInheritHandle,    IN LPCSTR lpName);
    typedef LRESULT    (WINAPI    *defSendMessageA)(IN HWND hWnd,    IN UINT Msg, IN WPARAM wParam,    IN LPARAM lParam);
    // Unused in the visible code (its address field is commented out in the struct).
    typedef VOID    (WINAPI *defOutputDebugStringA)(IN LPCSTR lpOutputString);
    // Turn the integer addresses from the parameter block back into callable pointers.
    defSendMessageA        MySendMsg = (defSendMessageA)erp->rpSendMessage;
    defOpenFileMappingA MyOpenFileMapping = (defOpenFileMappingA)erp->rpOpenFileMapping;
    defMapViewOfFile    MyMapViewOfFile = (defMapViewOfFile)erp->rpMapViewOfFile;


    // Open the named mapping for writing and map all of it (length 0).
    erp->hFileMap = (*MyOpenFileMapping)(FILE_MAP_WRITE, 0, erp->strFileMap);
    if( erp->hFileMap == NULL )
        return 0;
    erp->MapMem = (BYTE*)(*MyMapViewOfFile)(erp->hFileMap, FILE_MAP_WRITE, 0, 0, 0);
    if( erp->MapMem == NULL)
        return 0;

    for(int i= 0; i<erp->iCount; i++ )
    {

        // Sub-item 0: request up to 256 characters into strItemText.
        // LVM_GETITEMTEXT takes the row index in wParam, so iItem stays 0.
        erp->item.cchTextMax = 256;


        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem  = 0;
        erp->item.iSubItem = 0;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        // Point at the buffer inside this process's copy of the block.
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        // Record i of the shared mapping.
        ITEMINFO *info = (ITEMINFO *)&erp->MapMem[i*sizeof(ITEMINFO)];
        // Copies the whole 256-byte buffer, not just the returned string.
        for(int j= 0;j<256;j++)
        {
            info->strItemText[j] =     erp->item.pszText[j];
        }

        // Get the player count (sub-item 1), at most 20 characters
        erp->item.cchTextMax = 20;


        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem  = 0;
        erp->item.iSubItem = 1;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        for(int j= 0;j<20;j++)
        {
            info->ipersonCount[j] =     erp->item.pszText[j];
        }


        // Sub-item 3, at most 20 characters; stored in strspeed
        erp->item.cchTextMax = 20;


        erp->item.iImage = 0;
        erp->item.iIndent = 0;
        erp->item.iItem  = 0;
        erp->item.iSubItem = 3;
        erp->item.lParam = 0;
        erp->item.mask = 0;
        erp->item.pszText = erp->strItemText;

        erp->item.state = 0;
        erp->item.stateMask = 0;
        // rect.left is 0 on entry to the LVM_GETITEMRECT call below, which
        // reads it as the requested portion (LVIR_BOUNDS is 0).
        erp->rect.bottom = erp->rect.left = erp->rect.right = erp->rect.top = 0;

        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMTEXT, WPARAM(i), LPARAM(&erp->item));

        for(int j= 0;j<20;j++)
        {
            info->strspeed[j] =     erp->item.pszText[j];
        }

        // Get the RECT of the row and copy it field by field into the record
        (*MySendMsg)(erp->hListHwnd, LVM_GETITEMRECT, WPARAM(i), LPARAM(&erp->rect));
        info->rect.bottom = erp->rect.bottom;
        info->rect.top = erp->rect.top;
        info->rect.left = erp->rect.left;
        info->rect.right = erp->rect.right;
    }

    return 0;
}
?