#include <windows.h>
#include "tlhelp32.h"
#include "Shlwapi.h"
#include <cstdint>
#include <iostream>
#include <string>
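/// Looks up the base address of a module loaded in another process by its file name.
/// @param pid        Process ID whose module list is snapshotted.
/// @param ModuleName Module file name (e.g. "foo.dll"), compared case-insensitively.
/// @return The module's HMODULE as mapped in the target process, or nullptr when the
///         snapshot cannot be taken or no module with that name is present.
HMODULE GetProcessModuleHandleByName(DWORD pid, LPCSTR ModuleName) {
    if (ModuleName == nullptr) return nullptr;

    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL;
    // the original `!hSnapshot` test let a failed snapshot through to Module32First.
    // NOTE(review): a 32-bit caller snapshotting a 64-bit target fails here — confirm
    // both sides are built for the same bitness.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapshot == INVALID_HANDLE_VALUE) return nullptr;

    MODULEENTRY32 ModuleInfo;
    ZeroMemory(&ModuleInfo, sizeof(MODULEENTRY32));
    ModuleInfo.dwSize = sizeof(MODULEENTRY32);  // must be set before Module32First

    HMODULE found = nullptr;
    if (Module32First(hSnapshot, &ModuleInfo)) {
        do {
            if (lstrcmpi(ModuleInfo.szModule, ModuleName) == 0) {
                found = ModuleInfo.hModule;
                break;
            }
        } while (Module32Next(hSnapshot, &ModuleInfo));
    }

    // Single exit so the snapshot handle is released on every path; the original
    // leaked it when Module32First failed.
    CloseHandle(hSnapshot);
    return found;
}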
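/// Finds the first running process whose executable file name matches pName.
/// @param pName Executable file name (e.g. "notepad.exe"). The comparison is
///              case-insensitive, matching GetProcessModuleHandleByName; Windows file
///              names are not case-sensitive, so the original strcmp() could miss a
///              process whose name differs only in case.
/// @return The process ID, or 0 when no such process exists, pName is null, or the
///         snapshot fails. (The original returned NULL, a pointer constant, for a DWORD.)
/// NOTE(review): pe.szExeFile is compared as a narrow string, so this assumes a
///               non-UNICODE build — confirm the project's character-set setting.
DWORD GetProcessIDByName(const char* pName) {
    if (pName == nullptr) return 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

    PROCESSENTRY32 pe = { sizeof(pe) };  // dwSize must be set before Process32First
    DWORD pid = 0;
    for (BOOL ok = Process32First(hSnapshot, &pe); ok; ok = Process32Next(hSnapshot, &pe)) {
        if (lstrcmpi(pe.szExeFile, pName) == 0) {
            pid = pe.th32ProcessID;
            break;
        }
    }

    // One exit point: the snapshot handle is closed whether or not a match was found.
    CloseHandle(hSnapshot);
    return pid;
}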
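/// Loads the DLL at dllPath into process processId by copying the path into the target
/// and running LoadLibraryA there on a new thread.
/// @param processId Target process ID.
/// @param dllPath   Path handed to LoadLibraryA verbatim. A relative path is resolved by
///                  the target process's search order, not the caller's, so an absolute
///                  path is the predictable choice.
/// @return true only when the remote LoadLibraryA reported a non-null module handle;
///         false on any API failure, with the reason written to std::cerr. The original
///         returned true as soon as the remote thread finished, even when LoadLibraryA
///         itself had failed inside the target.
bool InjectDLL(DWORD processId, const std::string& dllPath) {
    // An empty path can only fail inside the target; reject it before touching the process.
    if (dllPath.empty()) {
        std::cerr << "DLL路径为空" << std::endl;
        return false;
    }

    // Open the target with the rights the calls below actually need
    // (CreateRemoteThread documents this set) instead of PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(access, FALSE, processId);
    if (hProcess == NULL) {
        std::cerr << "无法打开目标进程: " << GetLastError() << std::endl;
        return false;
    }

    LPVOID pRemoteMem = nullptr;
    HANDLE hThread = nullptr;
    // Releases whatever has been acquired so far; every exit below goes through it so no
    // handle or remote allocation is left behind.
    auto cleanup = [&]() {
        if (hThread != nullptr) CloseHandle(hThread);
        if (pRemoteMem != nullptr) VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
    };

    // Allocate room in the target for the path plus its terminating NUL.
    const SIZE_T pathBytes = dllPath.size() + 1;
    pRemoteMem = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemoteMem == NULL) {
        std::cerr << "无法分配内存: " << GetLastError() << std::endl;
        cleanup();
        return false;
    }

    // Copy the path into the target; c_str() guarantees the NUL is included in pathBytes.
    if (!WriteProcessMemory(hProcess, pRemoteMem, dllPath.c_str(), pathBytes, NULL)) {
        std::cerr << "无法写入内存: " << GetLastError() << std::endl;
        cleanup();
        return false;
    }

    // Resolve LoadLibraryA in our own process. NOTE(review): using that address in the
    // target assumes kernel32 is mapped at the same base in both processes, which holds
    // only when both are the same bitness — confirm for the intended build.
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    FARPROC loadLibrary = (hKernel32 != NULL) ? GetProcAddress(hKernel32, "LoadLibraryA") : NULL;
    if (loadLibrary == NULL) {
        std::cerr << "无法获取LoadLibraryA地址: " << GetLastError() << std::endl;
        cleanup();
        return false;
    }
    // Both are function-pointer types; reinterpret_cast replaces the original C-style casts.
    LPTHREAD_START_ROUTINE pLoadLibrary = reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibrary);

    // The remote thread calls LoadLibraryA(pRemoteMem).
    hThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLibrary, pRemoteMem, 0, NULL);
    if (hThread == NULL) {
        std::cerr << "无法创建远程线程: " << GetLastError() << std::endl;
        cleanup();
        return false;
    }

    // The wait result was ignored in the original; anything but WAIT_OBJECT_0 means the
    // thread did not observably finish and its exit code must not be trusted.
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        std::cerr << "等待远程线程失败: " << GetLastError() << std::endl;
        cleanup();
        return false;
    }

    // The thread's exit code is LoadLibraryA's return value (an HMODULE, truncated to
    // 32 bits on x64). Zero means the target could not load the DLL.
    DWORD exitCode = 0;
    const bool loaded = GetExitCodeThread(hThread, &exitCode) && exitCode != 0;
    if (!loaded) {
        std::cerr << "远程LoadLibraryA失败: " << GetLastError() << std::endl;
    }

    // The remote buffer is only freed after the thread has finished, so LoadLibraryA has
    // already consumed the path.
    cleanup();
    return loaded;
}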
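/// Waits for the target process and its module to appear, then injects the DLL whose
/// path the user types on stdin.
/// @return 0 on successful injection, 1 when the path is empty or injection fails.
///         (The original always returned 0, so a caller could not tell the outcome.)
int main() {
    // Poll until the target process exists. There is no timeout, as in the original;
    // the program blocks here until the process is started.
    DWORD processId = 0;
    while (true) {
        processId = GetProcessIDByName("PlantsVsZombies.exe");
        if (processId > 0) {
            std::cout << "目标进程ID: " << processId << std::endl;
            break;
        }
        Sleep(200);
    }

    // Poll until MEditor.dll is mapped in the target. The original tested the module
    // handle indirectly via `Address > 0x122E34`, which only holds when hModule is
    // non-null; testing the handle directly says the same thing. The arithmetic goes
    // through uintptr_t because casting HMODULE to DWORD truncates on a 64-bit build.
    while (true) {
        HMODULE hModule = GetProcessModuleHandleByName(processId, "MEditor.dll");
        if (hModule != nullptr) {
            const std::uintptr_t Address = reinterpret_cast<std::uintptr_t>(hModule) + 0x122E34;
            std::cout << "模块地址获取到: " << Address << std::endl;
            break;
        }
        Sleep(200);
    }

    std::cout << "请输入DLL文件的路径:也可以用上面固定的单独放一个路径 ";
    // Nothing has been extracted from std::cin before this point, so the original
    // std::cin.ignore() here discarded the first character of the typed path.
    std::string dllPath;
    std::getline(std::cin, dllPath);
    if (dllPath.empty()) {
        std::cout << "DLL注入失败!" << std::endl;
        return 1;
    }

    if (InjectDLL(processId, dllPath)) {
        std::cout << "DLL注入成功!" << std::endl;
        return 0;
    }
    std::cout << "DLL注入失败!" << std::endl;
    return 1;
}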