//现在用个进程ID,到时候我用句柄来抓
//进程ID比如是0*0123
#include <iostream>
using namespace std;
int main(){
int i=123;
cout<<&i<<endl;//这里打个比方得到的地址是0*123456
cout<<i<<endl;
}
现在我想用另一个程序改变I的值.
比如ReadProcessMemory和WriteProcessMemory之类的.(网上找的实在没看懂)
或者局部钩子也行,主要是不用全局钩子不要用到DLL.

写个详细点的,谢谢各位了.我用的是DEV-C++,不要叫我用VC内部系统来调试.
现在在做win32设计,希望有人能帮下忙.

天啊,来个人啊

/*
* 例子使用:
* 双击运行进程一，程序回停止在system("pause");那里,然后运行进程二修改内容,然后在进程一中按任意键
* 进程一结果输出3,而不是123
*/


//进程一
#include <process.h>
#include <Windows.h>
using namespace std;
void main()
{
int i=123;
FILE*pf=fopen("C:\\123.txt","w+");
if(!pf)return;
int pid=_getpid();
int addr=(int)&i;
fwrite(&pid,sizeof(int),1,pf);
fwrite(&addr,sizeof(int),1,pf);
fclose(pf);
system("pause");
cout<<i<<endl;

}

//进程二
#include <Windows.h>
void ErrorBox()
{
LPVOID lpMsgBuf;
FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,GetLastError(),0,(LPTSTR) &lpMsgBuf,0,NULL );
MessageBox( NULL, (LPCTSTR)lpMsgBuf, "Error", MB_OK | MB_ICONINFORMATION );
LocalFree( lpMsgBuf );
}
int _tmain(int argc, _TCHAR* argv[])
{
int a=3;
SIZE_T d=0;

FILE *pf=fopen("C:\\123.TXT","r");
if(!pf)return -1;
int pid=0;
int addr;
if(0>=fread(&pid,sizeof(int),1,pf))
return -1;
if(0>=fread(&addr,sizeof(int),1,pf))
return -1;
HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);

if(!hProc)
{
ErrorBox();
return 1;
}
if(!WriteProcessMemory(hProc,(LPVOID)addr,&a,4,&d))
ErrorBox();
return 0;
}

你也可以用下面我写的几个函数来获取pid(根据程序名)
pidFromExe //进程名转PID
exeFileFromPid//PID进程名

bool Equal(char*string1,char* string2,bool bigsmall=FALSE/*是否大小写区分*/)
{
if(!string1||!string2)
return false;
if(bigsmall)
return (0!=strcmp(string1,string2));
if(strlen(string1)!=strlen(string2))
return false;
for(int i=0;i<strlen(string1);i++)
{
if(*string1!=*string2&&abs(*string1-*string2)!=32)
return false;
}
return true;
}

int pidFromExe(char * exeFile)
{
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
pe.dwSize=sizeof(PROCESSENTRY32);
if(!Process32First(hSnapshot,&pe))
return -1;
do
{
if(Equal(exeFile,pe.szExeFile))
return pe.th32ProcessID;
}while(Process32Next(hSnapshot,&pe));
return -1;
}

char* exeFileFromPid(int pid)
{
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
pe.dwSize=sizeof(PROCESSENTRY32);
if(!Process32First(hSnapshot,&pe))
return NULL;
do
{
if(pid==pe.th32ProcessID)
{
char*exeFile=new char[strlen(pe.szExeFile)+1];
memset(exeFile,0,strlen(pe.szExeFile)+1);
strcpy(exeFile,pe.szExeFile);
return exeFile;
}
}while(Process32Next(hSnapshot,&pe));
return NULL;
}

Reminds me of my first program for DLL injection used for hacking Diablo II.


int EnumProcesses()
{
// reset the list box
SendDlgItemMessage(g_hwndDlg, IDC_LST_D2PROCESS, LB_RESETCONTENT, 0, 0);

int nCount = 0;
PROCESSENTRY32 ppe = {0};
ppe.dwSize = sizeof(PROCESSENTRY32);

HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hSnapShot == INVALID_HANDLE_VALUE)
{
msgb("Error in CreateToolhelp32Snapshot");
return 0;
}

if(!Process32First(hSnapShot, &ppe))
{
msgb("Process32First returns FALSE.");
return 0;
}

while (Process32Next(hSnapShot, &ppe) && nCount < MAX_PROCESS )
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ppe.th32ProcessID);

char szBuf[256] = "";
HWND hwndTemp = GetHwndFromPid(ppe.th32ProcessID);
GetClassName(hwndTemp, szBuf, 255);

if (!strcmp(szBuf, "Diablo II"))
{
GetWindowText(hwndTemp, szBuf, sizeof(szBuf));

sprintf(g_szBuf, "%s (Pid: %d, Exe: %s)", szBuf, ppe.th32ProcessID, ppe.szExeFile);
SendDlgItemMessage(g_hwndDlg, IDC_LST_D2PROCESS, LB_ADDSTRING, 0, (LPARAM)(g_szBuf));

// update d2Process array
d2Process[nCount].hProcess = hProcess;
d2Process[nCount].dwPid = ppe.th32ProcessID;
strcpy(d2Process[nCount].szProcessName, ppe.szExeFile);
strcpy(d2Process[nCount].szMainWindowTitle, szBuf);

nCount++;
}

CloseHandle(hProcess);
}

CloseHandle(hSnapShot);
return nCount;
}

///////////////////////////////////////////////////////////
//
// Input: dwPid is the process id we want to inject our module
// szModuleName is the name of the module with full path
//
BOOL InjectModule(DWORD dwPid, char *szModuleName)
{
if (!dwPid || !szModuleName)
return FALSE;

int nIndex = 0;
PROCSTRUCT *pProcStruct = d2Process;
for (int j=0; j<MAX_D2PROCESS; j++)
{
if ( pProcStruct->dwPid == dwPid )
{
nIndex = j;
break;
}
pProcStruct++;
}
if(nIndex == MAX_D2PROCESS) // inavliad Pid in d2 process list
{
MessageBox(NULL, "Could not find a process matching the PID", "InjectModule Error", MB_OK);
return FALSE;
}

// get the process handle from pid
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if(!hProcess) // failed to open the process
{
char str[256];
sprintf(str, "Failed to open the process with Pid %l", dwPid);
MessageBox(NULL, str, "InjectModule Error", MB_OK);
return FALSE;
}

// reserve memory
LPVOID RemoteString = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(szModuleName), MEM_COMMIT, PAGE_READWRITE);

// write the path name
if( !WriteProcessMemory(hProcess, (LPVOID)RemoteString, (LPVOID)szModuleName, strlen(szModuleName), NULL) )
{
char str[256];
sprintf(str, "Failed to writes memory in the process with Pid %l", dwPid);
MessageBox(NULL, str, "InjectModule Error", MB_OK);

return FALSE;
}

// create remote thread passing address of LoadLibraryA
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0L,
(LPTHREAD_START_ROUTINE)(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"),
(LPVOID)RemoteString, 0L, NULL);
if(!hThread) // failed to create the thread
{
MessageBox(NULL, "Failed to create remote thread", "InjectModule Error", MB_OK);
return FALSE;
}

// get base address of our module and save it for cleanup
WaitForSingleObject(hThread, INFINITE);

DWORD hLoadedModule;
GetExitCodeThread(hThread, &hLoadedModule);
if (!hLoadedModule) // check if the module has been successfully loaded
{
sprintf(g_szBuf, "Failed to load %s", szModuleName);
MessageBox(NULL, g_szBuf, "Error", MB_OK);
return FALSE;
}
else
{
d2Process[nIndex].hLoadedModule = hLoadedModule; // update our modules base address
}

CloseHandle(hThread);
// free the momory
VirtualFreeEx(hProcess, (LPVOID)RemoteString, strlen(szModuleName), MEM_RELEASE);
CloseHandle(hProcess);

return TRUE;
}
BOOL EjectModule(DWORD dwPid)
{
if (!dwPid)
return FALSE;

int nIndex = 0;
PROCSTRUCT *pProcStruct = d2Process;
for (int j=0; j<MAX_D2PROCESS; j++)
{
if ( pProcStruct->dwPid == dwPid )
{
nIndex = j;
break;
}
pProcStruct++;
}
if(nIndex == MAX_D2PROCESS) // inavliad Pid in d2 process list
{
MessageBox(NULL, "Could not find a process matching the PID", "EjectModule Error", MB_OK);
return FALSE;
}

// get the process handle from pid
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if(!hProcess) // failed to open the process
{
char str[256];
sprintf(str, "Failed to open the process with Pid %l", dwPid);
MessageBox(NULL, str, "EjectModule Error", MB_OK);
return FALSE;
}

HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0L,
(LPTHREAD_START_ROUTINE)(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary"),
(LPVOID)d2Process[nIndex].hLoadedModule, 0L, NULL);
if(!hThread) // failed to create the thread
{
MessageBox(NULL, "Failed to create remote thread", "EjectModule Error", MB_OK);
return FALSE;
}

CloseHandle(hThread);

return TRUE;
}
////////////////////////////////////////////////////////////////
// get pid from the list string
//
long GetPidFromString(char *szListItem, char* szSearch, char chSep)
{
if(!szListItem || !szSearch || !strlen(szSearch)
|| !strlen(szListItem) || !chSep)
return -1;

char *pTemp = strstr(szListItem, szSearch);
if(!pTemp) // did not find the sub string szSearch
return -1;

pTemp += strlen(szSearch);

pTemp = substrchr(pTemp, chSep);

if(!pTemp) // did not find chSep
return -1;

return atol(pTemp);
}
////////////////////////////////////////////////////////////////
// callback function (called by EnumWindows)
// used to find the mapping between PID and application top app window.
//
static BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
ENUMWINDOWSTRUCT *pParam =(ENUMWINDOWSTRUCT *) lParam;
DWORD dwPID;

GetWindowThreadProcessId(hwnd, &dwPID);
if (dwPID == pParam->dwPID)
{
pParam->hwndRet = hwnd;
return FALSE;
}
return TRUE;
}
////////////////////////////////////////////////////////////////
// input: The process ID
// return: HWND of top app window with the argument PID
//
HWND GetHwndFromPid(DWORD dwPid)
{
ENUMWINDOWSTRUCT str(dwPid);
EnumWindows(EnumWindowsProc, (LPARAM)&str);
return str.hwndRet;
}

[此贴子已经被作者于2007-8-29 16:53:35编辑过]

我拿回去测下,谢谢先




昏死,斑斑给的是hackmap的源代码吗.............

not hackmap's original code --- i made modifications.

As a matter of fact, I learned it from a German website --- the one with EasyMap.