Detour 和 DLL 注入问题:Win32 异常 0xc0000005
我看了 Guided Hacking 的一个关于如何做 detour 的视频。我试图 detour AssaultCube 游戏中射击后减少护甲的代码。那段汇编代码如下(在 Cheat Engine 中查看):
(0x004637E9)ac_client.exe+637E9 FF 0E - dec [esi]
57 - push edi
8B 7C 24 14 - mov edi,[esp+14]
(0x004637F0)ac_client.exe+637F0 8D 74 24 28 - lea esi,[esp+28]
因此,按照视频,我必须在 0x4637E9 处放置一个跳转钩子,跳转到名为 ourFunction 的函数,该函数会增加而不是减少子弹数量(用于黑客测试目的)。为此,我创建一个如下所示的 C++ DLL:
#include <Windows.h>
#include "pch.h"
// Overwrites the first `len` bytes at `toHook` with a 5-byte relative JMP (E9 rel32)
// to `ourFunct`; the remaining bytes are filled with NOP (0x90) first, so the bytes
// after the JMP are still valid instructions. Returns false only when `len` is too
// short for the JMP. Neither VirtualProtect result is checked, so a failed protection
// change goes unnoticed. All pointer arithmetic is through DWORD: 32-bit only.
bool Hook(void* toHook, void* ourFunct, int len) {
if (len < 5) {
return false;
}
DWORD curProtection;
// Make the code page writable; the previous protection is saved and restored below.
VirtualProtect(toHook, len, PAGE_EXECUTE_READWRITE, &curProtection);
memset(toHook, 0x90, len);
// E9 rel32 is relative to the end of the 5-byte instruction, hence the -5.
DWORD relativeAddress = ((DWORD)ourFunct - (DWORD)toHook) - 5;
*(BYTE*)toHook = 0xE9;
*(DWORD*)((DWORD)toHook + 1) = relativeAddress;
DWORD temp;
VirtualProtect(toHook, len, curProtection, &temp);
return true;
}
//DWORD jmpBackAddy; // i have tweak this a bit from video to make jmp instruction work
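// Detour target for the hook at 0x004637E9. Naked: no prologue/epilogue, so the
// registers are exactly as the game left them. Re-executes the three overwritten
// instructions (with dec changed to inc) and then jumps to the first instruction
// after the patched bytes, 0x004637F0.
void __declspec(naked) ourFunction() {
__asm {
inc [esi]
push edi
// The original bytes 8B 7C 24 14 are [esp+0x14]. The assembler reads a bare 14 as
// decimal (0x0E), which loaded the wrong stack slot; per the answer on this page
// that is what produced the 0xC0000005 crash.
mov edi, [esp + 0x14]
// The author's note says a `jmp [jmpBackAddy]` form did not work, so the return
// goes through eax. eax is clobbered here; this is fine only if the game does not
// rely on eax at 0x004637F0 — assumed, not verified.
mov eax, 0x004637F0
jmp eax
}
}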
// Thread started from DllMain: installs the hook, idles until ESC is pressed, then
// unloads this DLL. `param` is this DLL's own HMODULE (passed by DllMain).
DWORD WINAPI MainThread(LPVOID param) {
// 7 = size of the three instructions shown in the disassembly: FF 0E (2) + 57 (1)
// + 8B 7C 24 14 (4); all three are re-executed inside ourFunction.
int hookLength = 7;
DWORD hookAddress = 0x4637E9;
//jmpBackAddy = hookAddress + hookLength;
// Hook's return value is ignored; a failed install is not reported anywhere.
Hook((void*)hookAddress, ourFunction, hookLength);
// Poll ESC every 50 ms; the hook stays active while this loop runs.
while (true) {
if (GetAsyncKeyState(VK_ESCAPE)) break;
Sleep(50);
}
// NOTE(review): the JMP written at hookAddress is never restored before the DLL is
// unloaded, so any later execution of 0x4637E9 jumps into unmapped code.
FreeLibraryAndExitThread((HMODULE)param, 0);
return 0;
}
// DLL entry point: on process attach, spawn MainThread and hand it this module's
// handle (MainThread uses it to unload the DLL). Always reports success.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
// The thread handle is not kept; nothing here waits on the thread.
CreateThread(0, 0, MainThread, hModule, 0, 0);
}
return TRUE;
}
我在 C:\Users\Admin\source\repos\DETOUR_DLL\Debug\DETOUR_DLL.dll 中编译该 DLL,并通过此 C++ 注入器将该 DLL 注入到 ac_client.exe 进程中:
#include ....
....
// Waits for a process named `exe_name` to exist, then loads `dllPath` into it by
// copying the path into the target and starting a remote thread whose start routine
// is the local address of LoadLibraryA. `obtain_process_id_with_exe_name` is defined
// elsewhere in the project.
void DLL_INJECTION(LPCWSTR exe_name, const char* dllPath) {
DWORD PID = 0;
// Spin with a 30 ms period until the process shows up; there is no timeout.
while (!PID)
{
//function that get process id by it name in task manager
PID = obtain_process_id_with_exe_name(exe_name);
Sleep(30);
}
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, PID);
if (process && process != INVALID_HANDLE_VALUE)
{
// MAX_PATH bytes of RW memory in the target hold the ANSI path string.
void* loc = VirtualAllocEx(process, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (loc) {
// Copies the terminating NUL too. Result is unchecked, and a path longer than
// MAX_PATH-1 characters would exceed the allocation above.
WriteProcessMemory(process, loc, dllPath, strlen(dllPath) + 1, 0);
}
// NOTE(review): this runs even when `loc` is NULL (allocation failed above).
HANDLE hThread = CreateRemoteThread(process, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
//VirtualFreeEx(process, loc, MAX_PATH, MEM_DECOMMIT | MEM_RELEASE);
if (hThread) {
CloseHandle(hThread);
}
}
if (process) {
CloseHandle(process);
}
}
// Injector entry point. Opens a process handle that is never used (DLL_INJECTION
// opens its own with PROCESS_ALL_ACCESS), then injects the Debug build of DETOUR_DLL
// by absolute path. No explicit return: main returns 0 in C++.
int main()
{
DWORD PID = obtain_process_id_with_exe_name(L"ac_client.exe");
// Unused handle; with PID 0 (process not found) this would fail and yield NULL.
HANDLE process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, PID);
DLL_INJECTION(L"ac_client.exe", "C:\\Users\\Admin\\source\\repos\\DETOUR_DLL\\Debug\\DETOUR_DLL.dll");
CloseHandle(process);
}
在运行注入器之前,射击后护甲会正常减少;但注入 DLL 并点击射击后,游戏崩溃并弹出一个消息框,显示:
Assault Cube 致命错误 Win32 异常:0xc0000005。我已经在 Cheat Engine 显示的汇编中检查过,注入器成功在 0x004637E9 处放入了一个跳转,跳到我的 DETOUR_DLL 中一行奇怪的代码,该行再跳到执行神奇功能的 ourFunction 代码,然后跳回钩子之后的代码行 0x4637F0。所以这应该是能工作的!你能帮我看看问题出在哪里吗?非常感谢
I followed a Guided Hacking video about how to detour. I tried to detour the code that decreases armor after shooting in the AssaultCube game. That piece of assembly code is (viewed in Cheat Engine):
(0x004637E9)ac_client.exe+637E9 FF 0E - dec [esi]
57 - push edi
8B 7C 24 14 - mov edi,[esp+14]
(0x004637F0)ac_client.exe+637F0 8D 74 24 28 - lea esi,[esp+28]
So, following the video, I had to place a jump hook at 0x4637E9 that jumps to a function called ourFunction, which increases the bullet number instead of decreasing it (for hacking test purposes). To do it I created a C++ DLL like this:
#include <Windows.h>
#include "pch.h"
// Overwrites the first `len` bytes at `toHook` with a 5-byte relative JMP (E9 rel32)
// to `ourFunct`; the remaining bytes are filled with NOP (0x90) first, so the bytes
// after the JMP are still valid instructions. Returns false only when `len` is too
// short for the JMP. Neither VirtualProtect result is checked, so a failed protection
// change goes unnoticed. All pointer arithmetic is through DWORD: 32-bit only.
bool Hook(void* toHook, void* ourFunct, int len) {
if (len < 5) {
return false;
}
DWORD curProtection;
// Make the code page writable; the previous protection is saved and restored below.
VirtualProtect(toHook, len, PAGE_EXECUTE_READWRITE, &curProtection);
memset(toHook, 0x90, len);
// E9 rel32 is relative to the end of the 5-byte instruction, hence the -5.
DWORD relativeAddress = ((DWORD)ourFunct - (DWORD)toHook) - 5;
*(BYTE*)toHook = 0xE9;
*(DWORD*)((DWORD)toHook + 1) = relativeAddress;
DWORD temp;
VirtualProtect(toHook, len, curProtection, &temp);
return true;
}
//DWORD jmpBackAddy; // i have tweak this a bit from video to make jmp instruction work
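// Detour target for the hook at 0x004637E9. Naked: no prologue/epilogue, so the
// registers are exactly as the game left them. Re-executes the three overwritten
// instructions (with dec changed to inc) and then jumps to the first instruction
// after the patched bytes, 0x004637F0.
void __declspec(naked) ourFunction() {
__asm {
inc [esi]
push edi
// The original bytes 8B 7C 24 14 are [esp+0x14]. The assembler reads a bare 14 as
// decimal (0x0E), which loaded the wrong stack slot; per the answer on this page
// that is what produced the 0xC0000005 crash.
mov edi, [esp + 0x14]
// The author's note says a `jmp [jmpBackAddy]` form did not work, so the return
// goes through eax. eax is clobbered here; this is fine only if the game does not
// rely on eax at 0x004637F0 — assumed, not verified.
mov eax, 0x004637F0
jmp eax
}
}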
// Thread started from DllMain: installs the hook, idles until ESC is pressed, then
// unloads this DLL. `param` is this DLL's own HMODULE (passed by DllMain).
DWORD WINAPI MainThread(LPVOID param) {
// 7 = size of the three instructions shown in the disassembly: FF 0E (2) + 57 (1)
// + 8B 7C 24 14 (4); all three are re-executed inside ourFunction.
int hookLength = 7;
DWORD hookAddress = 0x4637E9;
//jmpBackAddy = hookAddress + hookLength;
// Hook's return value is ignored; a failed install is not reported anywhere.
Hook((void*)hookAddress, ourFunction, hookLength);
// Poll ESC every 50 ms; the hook stays active while this loop runs.
while (true) {
if (GetAsyncKeyState(VK_ESCAPE)) break;
Sleep(50);
}
// NOTE(review): the JMP written at hookAddress is never restored before the DLL is
// unloaded, so any later execution of 0x4637E9 jumps into unmapped code.
FreeLibraryAndExitThread((HMODULE)param, 0);
return 0;
}
// DLL entry point: on process attach, spawn MainThread and hand it this module's
// handle (MainThread uses it to unload the DLL). Always reports success.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
// The thread handle is not kept; nothing here waits on the thread.
CreateThread(0, 0, MainThread, hModule, 0, 0);
}
return TRUE;
}
I compiled that DLL to C:\Users\Admin\source\repos\DETOUR_DLL\Debug\DETOUR_DLL.dll and inject it into the ac_client.exe process with this C++ injector:
#include ....
....
// Waits for a process named `exe_name` to exist, then loads `dllPath` into it by
// copying the path into the target and starting a remote thread whose start routine
// is the local address of LoadLibraryA. `obtain_process_id_with_exe_name` is defined
// elsewhere in the project.
void DLL_INJECTION(LPCWSTR exe_name, const char* dllPath) {
DWORD PID = 0;
// Spin with a 30 ms period until the process shows up; there is no timeout.
while (!PID)
{
//function that get process id by it name in task manager
PID = obtain_process_id_with_exe_name(exe_name);
Sleep(30);
}
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, PID);
if (process && process != INVALID_HANDLE_VALUE)
{
// MAX_PATH bytes of RW memory in the target hold the ANSI path string.
void* loc = VirtualAllocEx(process, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (loc) {
// Copies the terminating NUL too. Result is unchecked, and a path longer than
// MAX_PATH-1 characters would exceed the allocation above.
WriteProcessMemory(process, loc, dllPath, strlen(dllPath) + 1, 0);
}
// NOTE(review): this runs even when `loc` is NULL (allocation failed above).
HANDLE hThread = CreateRemoteThread(process, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
//VirtualFreeEx(process, loc, MAX_PATH, MEM_DECOMMIT | MEM_RELEASE);
if (hThread) {
CloseHandle(hThread);
}
}
if (process) {
CloseHandle(process);
}
}
// Injector entry point. Opens a process handle that is never used (DLL_INJECTION
// opens its own with PROCESS_ALL_ACCESS), then injects the Debug build of DETOUR_DLL
// by absolute path. No explicit return: main returns 0 in C++.
int main()
{
DWORD PID = obtain_process_id_with_exe_name(L"ac_client.exe");
// Unused handle; with PID 0 (process not found) this would fail and yield NULL.
HANDLE process = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, PID);
DLL_INJECTION(L"ac_client.exe", "C:\\Users\\Admin\\source\\repos\\DETOUR_DLL\\Debug\\DETOUR_DLL.dll");
CloseHandle(process);
}
Before running the injector, armor decreases after shooting as normal, but after injecting the DLL and clicking to shoot, the game crashes and pops up a message box saying:
Assault Cube fatal error
Win32 Exception: 0xc0000005.
I checked in the assembly shown by Cheat Engine that the injector successfully placed a jump at 0x004637E9; it jumps to a strange code line in my DETOUR_DLL, that line jumps to the ourFunction code which does the magic, and it then jumps back to the after-hook code line, which is 0x4637F0. So this must be working!
Can you help me see where the problem is? Thanks very much.
我找到了。问题出在我的 declspec(naked) 函数中:mov edi, [esp + 14] 必须改为 mov edi, [esp + 0x14](汇编器把裸写的 14 当作十进制,即 0x0E,而原始字节 8B 7C 24 14 编码的是 [esp+0x14])。
I found it. The problem was in my declspec(naked) function: mov edi, [esp + 14] must be fixed to mov edi, [esp + 0x14] (the assembler reads a bare 14 as decimal, i.e. 0x0E, while the original bytes 8B 7C 24 14 encode [esp+0x14]).