DemonMemory/源代码/InjectDlg.cpp

410 lines
13 KiB
C++
Raw Normal View History

init init
2022-04-14 14:09:23 +00:00
// InjectDlg.cpp : ʵ<><CAB5><EFBFBD>ļ<EFBFBD>
//
#include "stdafx.h"
#include "HandleMemory.h"
#include "InjectDlg.h"
#include "afxdialogex.h"
// CInjectDlg <20>Ի<EFBFBD><D4BB><EFBFBD>
IMPLEMENT_DYNAMIC(CInjectDlg, CDialogEx)
CInjectDlg::CInjectDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CInjectDlg::IDD, pParent)
, m_strProcess(_T(""))
, m_strDll(_T(""))
{
m_dwID = 0;
::lstrcpy(m_szDllPath,"");
}
CInjectDlg::~CInjectDlg()
{
}
void CInjectDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Text(pDX, IDC_EDIT_PROCESS, m_strProcess);
DDX_Text(pDX, IDC_EDIT_DLL, m_strDll);
}
BEGIN_MESSAGE_MAP(CInjectDlg, CDialogEx)
ON_BN_CLICKED(IDC_BUTTON_PROCESS, &CInjectDlg::OnBnClickedButtonProcess)
ON_BN_CLICKED(IDC_BUTTON_DLL, &CInjectDlg::OnBnClickedButtonDll)
ON_BN_CLICKED(IDC_BUTTON_INJECT, &CInjectDlg::OnBnClickedButtonInject)
END_MESSAGE_MAP()
// CInjectDlg <20><>Ϣ<EFBFBD><CFA2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
void CInjectDlg::OnBnClickedButtonProcess()
{
// TODO: <20>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD>ӿؼ<D3BF>֪ͨ<CDA8><D6AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
CChooseProcessDlg dlg;
DWORD dwID = 0;
char szProcessName[MAX_PATH] = {0};
if(IDOK == dlg.DoModal())
{
dwID = dlg.GetProcessID();
::lstrcat(szProcessName, dlg.GetProcessName());
}
m_dwID = dwID;
m_strProcess.Format("pid:%d exe file:%s", dwID, szProcessName);
UpdateData(FALSE);
}
void CInjectDlg::OnBnClickedButtonDll()
{
// TODO: <20>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD>ӿؼ<D3BF>֪ͨ<CDA8><D6AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
OPENFILENAME stOF;
::RtlZeroMemory(&stOF, sizeof(stOF));
char szFilter[MAX_PATH] = "dll files(*.dll)\0*.dll\0all files(*.*)\0*.*\0\0";
char szFileName[MAX_PATH] = {0};
stOF.lStructSize = sizeof(stOF);
stOF.hwndOwner = m_hWnd;
stOF.lpstrFilter = szFilter;
stOF.lpstrFile = szFileName;
stOF.nMaxFile = MAX_PATH;
stOF.Flags = OFN_PATHMUSTEXIST;
::GetOpenFileName(&stOF);
m_strDll = szFileName;
::lstrcpy(m_szDllPath, szFileName);
UpdateData(FALSE);
}
void CInjectDlg::OnBnClickedButtonInject()
{
// TODO: <20>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD>ӿؼ<D3BF>֪ͨ<CDA8><D6AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if(0 >= m_dwID)
{
::MessageBox(m_hWnd, "Please Choose A Process!", "Warn", MB_OK | MB_ICONWARNING);
return ;
}
if(0 >= ::lstrlen(m_szDllPath))
{
::MessageBox(m_hWnd, "Please Choose A Dll!", "Warn", MB_OK | MB_ICONWARNING);
return ;
}
BOOL bRet = RemoteProcessInject(m_dwID, m_szDllPath);
char szMsg[MAX_PATH] = {0};
if(bRet)
{
::wsprintf(szMsg, "Inject dll:%s \nto process pid:%d\nDONE!!!",m_szDllPath, m_dwID);
::MessageBox(m_hWnd, szMsg, "DONE", MB_OK | MB_ICONWARNING);
}
else
{
::wsprintf(szMsg, "Inject dll:%s \nto process pid:%d\nFAIL!!!",m_szDllPath, m_dwID);
::MessageBox(m_hWnd, szMsg, "FAIL", MB_OK | MB_ICONWARNING);
}
}
BOOL CInjectDlg::RemoteProcessInject(DWORD dwID, char *lpszDllPath)
{
// <20><><EFBFBD><EFBFBD>Ҫע<D2AA><D7A2>DLL<4C>Ľ<EFBFBD><C4BD><EFBFBD>
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID);
if(NULL == hProcess)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Open Process Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// <20>ж<EFBFBD><D0B6><EFBFBD>32λ<32><CEBB><EFBFBD><EFBFBD>64λ
BOOL b32 = FALSE;
::IsWow64Process(hProcess, &b32);
// <20>ж<EFBFBD>DLL<4C><4C>32λ<32><CEBB><EFBFBD><EFBFBD>64λ
BOOL bDll32 = JudgePE32Or64(lpszDllPath);
if(b32)
{
if(!bDll32)
{
::MessageBox(m_hWnd, "Process Is 32bits, Dll Is 64bits!\nPlease Choose 32bits Dll to Inject!\n", "Warn", MB_OK | MB_ICONWARNING);
return FALSE;
}
}
else
{
if(bDll32)
{
::MessageBox(m_hWnd, "Process Is 64bits, Dll Is 32bits!\nPlease Choose 64bits Dll to Inject!\n", "Warn", MB_OK | MB_ICONWARNING);
return FALSE;
}
}
// <20><><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD>ڴ<EFBFBD>
DWORD dwSize = 1 + ::lstrlen(lpszDllPath);
LPVOID lpAddr = ::VirtualAllocEx(hProcess, 0, dwSize, MEM_COMMIT, PAGE_READWRITE);
if(NULL == lpAddr)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Alloc Virtual Memory Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// д<><D0B4><EFBFBD>ڴ<EFBFBD>
if(!::WriteProcessMemory(hProcess, lpAddr, (LPCVOID)lpszDllPath, dwSize, NULL))
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Write Process Memory Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// <20><>ȡLoadLibraryA<79><41><EFBFBD>ڴ<EFBFBD><DAB4><EFBFBD>ַ
// <20><>ȡ<EFBFBD><C8A1><EFBFBD>̵Ļ<CCB5>ַ
HMODULE hBaseAddress = NULL;
GetProcessBaseAddress(&hBaseAddress, hProcess);
DWORD64 dwDllBaseAddress = GetProcessDllBaseAddress(hProcess, hBaseAddress, "kernel32.dll", b32);
DWORD64 dwFuncAddress = GetFuncInDll(hProcess, dwDllBaseAddress, "LoadLibraryA", b32);
// <20><><EFBFBD><EFBFBD>Զ<EFBFBD><D4B6><EFBFBD>߳<EFBFBD>
HANDLE hThread = ::CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)dwFuncAddress, lpAddr, 0, NULL);
if(NULL == hThread)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create Remote Thread Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
return TRUE;
}
BOOL CInjectDlg::JudgePE32Or64(char *lpszDllPath)
{
// <20>ڴ<EFBFBD>ӳ<EFBFBD><D3B3><EFBFBD>ļ<EFBFBD>
HANDLE hFile = ::CreateFile(lpszDllPath, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
if(INVALID_HANDLE_VALUE == hFile)
{
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create File Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
HANDLE hFileMap = ::CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if(!hFileMap)
{
::CloseHandle(hFile);
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Create File Mapping Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
LPVOID lpMemory = ::MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if(!lpMemory)
{
::CloseHandle(hFileMap);
::CloseHandle(hFile);
char szErr[MAX_PATH] = {0};
::wsprintf(szErr, "Map View Of File Error!\nError Code:%d\n", ::GetLastError());
::MessageBox(m_hWnd, szErr, "Error", MB_OK | MB_ICONWARNING);
return FALSE;
}
// PE<50>
PIMAGE_DOS_HEADER pDosHead = (PIMAGE_DOS_HEADER)lpMemory;
if(IMAGE_DOS_SIGNATURE == pDosHead->e_magic)
{
DWORD dwlfanew = pDosHead->e_lfanew;
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD64)pDosHead + dwlfanew);
if(IMAGE_NT_SIGNATURE == pNtHeaders->Signature)
{
if(IMAGE_FILE_MACHINE_AMD64 == pNtHeaders->FileHeader.Machine ||
IMAGE_FILE_MACHINE_IA64 == pNtHeaders->FileHeader.Machine)
{
return FALSE;
}
}
}
return TRUE;
}
BOOL CInjectDlg::GetProcessBaseAddress(HMODULE *lpBaseAddress, HANDLE hProcess)
{
::EnumProcessModules(hProcess, lpBaseAddress, sizeof(HMODULE), NULL);
return TRUE;
}
DWORD64 CInjectDlg::GetFuncInDll(HANDLE hProcess, DWORD64 dwDllBaseAddress, char *lpszFuncName, BOOL b32)
{
DWORD dwlfanew = 0;
DWORD dwFuncNameLen = ::lstrlen(lpszFuncName) + 1;
char szTemp[MAX_PATH] = {0};
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + 0x003c), &dwlfanew, 4, NULL);
DWORD dwExportRVA = 0;
// <20><><EFBFBD><EFBFBD>32λ<32><CEBB>64λ<34><CEBB><EFBFBD><EFBFBD><EFBFBD>𣬷ֱ<F0A3ACB7><D6B1><EFBFBD>ȡ<EFBFBD>ڴ<EFBFBD>
// 32λ
if(b32)
{
// <20><>PEͷ<45>ļ<EFBFBD>Ŀ¼<C4BF><C2BC>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼƫ<CABC><C6AB>
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 96), &dwExportRVA, 4, NULL);
}
// 64λ
else
{
// <20><>PEͷ<45>ļ<EFBFBD>Ŀ¼<C4BF><C2BC>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼƫ<CABC><C6AB>
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwlfanew + 4 + 20 + 112), &dwExportRVA, 4, NULL);
}
// <20><>ȡNumberOfNames
DWORD dwNumberOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 24), &dwNumberOfNames, 4, NULL);
// <20><>ȡAddressOfNames
DWORD dwAddressOfNames = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 32), &dwAddressOfNames, 4, NULL);
// <20><><EFBFBD><EFBFBD>API<50><49><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ʋ<EFBFBD>ƥ<EFBFBD><C6A5>
DWORD dwNameRVA = 0;
for(DWORD i = 0; i < dwNumberOfNames; i++)
{
// <20><>ȡDLL<4C><4C><EFBFBD>Ƶĵ<C6B5>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD>ȡ
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNames + 4*i), &dwNameRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwNameRVA), szTemp, dwFuncNameLen, NULL);
if(0 == ::lstrcmpi(lpszFuncName, szTemp)) // <20><><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD>Сд
{
// AddressOfNameOrdinals
DWORD dwAddressOfNameOrdinals = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 36), &dwAddressOfNameOrdinals, 4, NULL);
WORD wHint = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfNameOrdinals + 2*i), &wHint, 2, NULL);
// AddressOfFunctions
DWORD dwAddressOfFunctions = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwExportRVA + 28), &dwAddressOfFunctions, 4, NULL);
DWORD dwFuncRVA = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwDllBaseAddress + dwAddressOfFunctions + 4*wHint), &dwFuncRVA, 4, NULL);
DWORD64 dwRet = dwDllBaseAddress + dwFuncRVA;
return dwRet;
}
}
return 0;
}
DWORD64 CInjectDlg::GetProcessDllBaseAddress(HANDLE hProcess, HMODULE hBaseAddress, char szDllName[MAX_PATH], BOOL b32)
{
DWORD64 dwBaseAddress = (DWORD64)hBaseAddress;
DWORD dwlfanew = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + 0x003c), &dwlfanew, 4, NULL);
// <20><><EFBFBD><EFBFBD>32λ<32><CEBB>64λ<34><CEBB><EFBFBD><EFBFBD><EFBFBD>𣬷ֱ<F0A3ACB7><D6B1><EFBFBD>ȡ<EFBFBD>ڴ<EFBFBD>
// 32λ
if(b32)
{
// <20><>PEͷ<45>ļ<EFBFBD>Ŀ¼<C4BF><C2BC>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼƫ<CABC>ƺʹ<C6BA>С
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 96 + 8 + 4), &dwIATSize, 4, NULL);
// <20><><EFBFBD><EFBFBD>DLLȫ<4C><C8AB>
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// <20><>ȡDLL<4C><4C><EFBFBD>Ƶ<EFBFBD>ƫ<EFBFBD><C6AB>
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// <20><>ȡDLL<4C><4C><EFBFBD>Ƶĵ<C6B5>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD>ȡ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // <20><><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD>Сд
{
DWORD dwFunctionAddress = 0;
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ַ
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ƫ<EFBFBD>Ƶ<EFBFBD>ַ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD>ĵ<EFBFBD>ַ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 4, NULL);
// <20><><EFBFBD><EFBFBD>DLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>DLL<4C>ļ<EFBFBD><C4BC>ػ<EFBFBD>ַ
// ԭ<><D4AD><EFBFBD>ǣ<EFBFBD><C7A3>ļ<EFBFBD><C4BC>Ƕ<EFBFBD><C7B6><EFBFBD>64k(0x10000)װ<>ؽ<EFBFBD><D8BD>ڴ<EFBFBD><DAB4>ģ<EFBFBD>DLL<4C><4C>һ<EFBFBD><D2BB>PE<50><EFBFBD>ļ<EFBFBD>
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
// 64λ
else
{
// <20><>PEͷ<45>ļ<EFBFBD>Ŀ¼<C4BF><C2BC>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼƫ<CABC>ƺʹ<C6BA>С
DWORD dwIATRVA = 0;
DWORD dwIATSize = 0;
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8), &dwIATRVA, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwlfanew + 4 + 20 + 112 + 8 + 4), &dwIATSize, 4, NULL);
// <20><><EFBFBD><EFBFBD>DLLȫ<4C><C8AB>
DWORD dwIndex = (dwIATSize - 1)/20;
DWORD dwOffsetDllName = 0;
DWORD dwDllNameLen = ::lstrlen(szDllName) + 1;
char szTemp[MAX_PATH] = {0};
for(DWORD i = 0; i < dwIndex; i++)
{
// <20><>ȡDLL<4C><4C><EFBFBD>Ƶ<EFBFBD>ƫ<EFBFBD><C6AB>
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 12), &dwOffsetDllName, 4, NULL);
// <20><>ȡDLL<4C><4C><EFBFBD>Ƶĵ<C6B5>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD>ȡ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwOffsetDllName), szTemp, dwDllNameLen, NULL);
if(0 == ::lstrcmpi(szDllName, szTemp)) // <20><><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD>Сд
{
DWORD64 dwFunctionAddress = 0;
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ַ
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ƫ<EFBFBD>Ƶ<EFBFBD>ַ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwIATRVA + i*20 + 16), &dwFunctionAddress, 4, NULL);
// <20><>ȡDLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD>ĵ<EFBFBD>ַ
::ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddress + dwFunctionAddress), &dwFunctionAddress, 8, NULL);
// <20><><EFBFBD><EFBFBD>DLL<4C>еĺ<D0B5><C4BA><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>DLL<4C>ļ<EFBFBD><C4BC>ػ<EFBFBD>ַ
// ԭ<><D4AD><EFBFBD>ǣ<EFBFBD><C7A3>ļ<EFBFBD><C4BC>Ƕ<EFBFBD><C7B6><EFBFBD>64k(0x10000)װ<>ؽ<EFBFBD><D8BD>ڴ<EFBFBD><DAB4>ģ<EFBFBD>DLL<4C><4C>һ<EFBFBD><D2BB>PE<50><EFBFBD>ļ<EFBFBD>
DWORD64 dwRet = GetDllBase(hProcess, dwFunctionAddress, b32);
return dwRet;
}
}
}
return 0;
}
DWORD64 CInjectDlg::GetDllBase(HANDLE hProcess, DWORD64 dwFunctionAddress, BOOL b32)
{
WORD MZ = 0;
DWORD dwlfanew = 0;
DWORD PE00 = 0;
if(b32)
{
dwFunctionAddress = dwFunctionAddress & 0xFFFF0000;
}
else
{
dwFunctionAddress = dwFunctionAddress & 0xFFFFFFFFFFFF0000;
}
do
{
::ReadProcessMemory(hProcess, (LPCVOID)dwFunctionAddress, &MZ, 2, NULL);
if(IMAGE_DOS_SIGNATURE == MZ)
{
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + 0x003c), &dwlfanew, 4, NULL);
::ReadProcessMemory(hProcess, (LPCVOID)(dwFunctionAddress + dwlfanew), &PE00, 4, NULL);
if(IMAGE_NT_SIGNATURE == PE00)
{
return dwFunctionAddress;
}
}
dwFunctionAddress = dwFunctionAddress - 0x10000;
}while(dwFunctionAddress >= 0x10000000);
return 0;
}