msimg32 劫持dll源码 PureBasic 版本
本帖最后由 qqycra 于 2025-6-5 10:06 编辑劫持源码使用慎重,责任自负。
补充下吧,我也总使用大白,个别情况下不能用大白,还有就是我们自己也要有点动手能力。
再举个特别具体例子吧:
x32dbg导出补丁,就是1337文件,文本方式打开是下面这样:
>un.exe
001C58D5:74->EB
001C78E8:89->B8
001C78E9:45->01
然后把地址和要修改的字节对应的过来:
doFR($001C58D5,"EB",0)
doFR($001C78E8,"B8",0)
doFR($001C78E9,"01",0)
然后编译dll,放到对应目录下就能用了。
我没有检测是不是对应exe的内存,别的功能你们自己加吧
; 1. 定义原始函数指针类型(使用 PB_ 前缀避免冲突)
Prototype.i PB_GradientFill(hdc, *pVertex, dwNumVertex, *pMesh, dwNumMesh, dwMode)
Prototype.i PB_AlphaBlendFunc(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, blendFunction)
Prototype.i PB_TransparentBlt(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, crTransparent)
Prototype PB_vSetDdrawflag(dwFlag)
Prototype.i PB_DllInitialize(p1, p2)
Global Dim originalFunctions.i(4) ; 存储原始函数指针
Procedure doFR(Memory.i, RData.s, Zero.i)
hModule.i = GetModuleHandle_(0)
lpBaseADDRESS = hModule + Memory
For Index = Len(RData) To 2 Step -2
RRData.s = RRData + Mid(RData, Index - 1, 2)
Next
nSize.i = 0.5 * Len(RRData)
lpBuffer.i = Val("$" + RRData)
WriteProcessMemory_(GetCurrentProcess_(), lpBaseADDRESS, @lpBuffer, nSize, 0)
EndProcedure
; 3. DLL 入口点(官方要求的4个特殊过程)
ProcedureDLL AttachProcess(Instance)
Protected sysdir.s = Space(#MAX_PATH)
GetSystemDirectory_(@sysdir, #MAX_PATH)
Protected hOriginalDLL = LoadLibrary_(sysdir + "\msimg32.dll") ; 加载原始 DLL
If hOriginalDLL ; 获取所有原始函数地址
originalFunctions(0) = GetProcAddress_(hOriginalDLL, "GradientFill")
originalFunctions(1) = GetProcAddress_(hOriginalDLL, "AlphaBlend")
originalFunctions(2) = GetProcAddress_(hOriginalDLL, "TransparentBlt")
originalFunctions(3) = GetProcAddress_(hOriginalDLL, "vSetDdrawflag")
originalFunctions(4) = GetProcAddress_(hOriginalDLL, "DllInitialize")
EndIf
doFR($001C58D5,"EB",0)
doFR($001C78E8,"B8",0)
doFR($001C78E9,"01",0)
EndProcedure
ProcedureDLL AlphaBlend(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, blendFunction)
Protected.PB_AlphaBlendFunc pFunc = originalFunctions(1)
If pFunc
ProcedureReturn pFunc(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, blendFunction)
EndIf
ProcedureReturn #False
EndProcedure
ProcedureDLL DetachProcess(Instance)
; 清理代码(如有需要)
EndProcedure
ProcedureDLL GradientFill(hdc, *pVertex, dwNumVertex, *pMesh, dwNumMesh, dwMode)
Protected.PB_GradientFill pFunc = originalFunctions(0)
If pFunc
ProcedureReturn pFunc(hdc, *pVertex, dwNumVertex, *pMesh, dwNumMesh, dwMode)
EndIf
ProcedureReturn #False
EndProcedure
ProcedureDLL TransparentBlt(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, crTransparent)
Protected.PB_TransparentBlt pFunc = originalFunctions(2)
If pFunc
ProcedureReturn pFunc(hdc, xoriginDest, yoriginDest, wDest, hDest, hdcSrc, xoriginSrc, yoriginSrc, wSrc, hSrc, crTransparent)
EndIf
ProcedureReturn #False
EndProcedure
ProcedureDLL vSetDdrawflag(dwFlag)
Protected.PB_vSetDdrawflag pFunc = originalFunctions(3)
If pFunc
pFunc(dwFlag)
EndIf
EndProcedure
ProcedureDLL DllInitialize(p1, p2)
Protected.PB_DllInitialize pFunc = originalFunctions(4)
If pFunc
ProcedureReturn pFunc(p1, p2)
EndIf
ProcedureReturn #False
EndProcedure
再补充下,PureBasic 劫持dll文件小,代码简单易用,这就是他的优点。c++是真不好写 大白可以直接生成劫持模板 表哥方便放个demo版的project么? 厉害的工具 这部作品真的很棒。谢谢分享。 PYG有你更精彩! 感谢分享,对于加过壳优雅破解非常好用 这个有点强,感谢分享。 谢谢分享啊。好东西
页:
[1]