流沙团
dll注入+进程间通信
2020-10-20 流沙团


接着上篇的文章，进程间通信主要依赖的是 FileMapping。







三个代码部分







1: Game.exe



#include "stdafx.h"

/*
 * Prints the "attack" marker line to stdout.
 *
 * Reached two ways: from main() on the 'A' command, and from the injected
 * TestDll.cpp, which jumps to it through the hard-coded absolute address
 * _ATTACK_ (0x401030) with "mov eax,_ATTACK_ / call eax" and no arguments.
 * That address is only valid for the exact build the author compiled; any
 * source change that alters code size, a recompile, or a relocation of
 * Game.exe moves this function and silently breaks the DLL's calls.
 */
void Attack()
{
printf("**********攻击**********\n");
return;
}

/*
 * Prints the "meditate" marker line to stdout.
 *
 * Called from main() on 'R' and from TestDll.cpp through the hard-coded
 * absolute address _RELAX_ (0x401080) via "call eax" with no arguments.
 * Because it is located by absolute address, its position depends on the
 * size of Attack() above it as well as on the exact build and load base;
 * keep the signature argument-free and do not rely on the address surviving
 * a rebuild.
 */
void Relax()
{
printf("**********打坐**********\n");
return;
}


/*
 * Prints the "heal" marker line to stdout.
 *
 * Called from main() on 'B' and from TestDll.cpp through the hard-coded
 * absolute address _BLOOD_ (0x4010d0) via "call eax" with no arguments.
 * Same caveat as Attack()/Relax(): the address is tied to one specific
 * build of Game.exe loaded at its preferred base.
 */
void Blood()
{
printf("**********回血**********\n");
return;
}

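/*
 * Console driver for the three actions.  Reads one byte per iteration from
 * stdin and dispatches it:
 *   'A' -> Attack()
 *   'B' -> Blood()
 *   'R' -> Relax()
 *   'E' -> print the exit marker, consume one more byte (the newline) and
 *          return 0
 * Any other byte, including the '\n' that follows each command, is ignored.
 *
 * Returns 0 on 'E' or when stdin reaches end-of-file.  The original stored
 * getchar()'s int result in a char, so EOF could never be recognised and the
 * loop spun forever once input was closed.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    for (;;)
    {
        int x = getchar();   /* int, so EOF (-1) is distinguishable from a byte */
        if (x == EOF)
        {
            return 0;
        }

        switch (x)
        {
        case 'A':
            Attack();
            break;
        case 'B':
            Blood();
            break;
        case 'R':
            Relax();
            break;
        case 'E':
            printf("退出\n");
            getchar();
            return 0;
        default:
            /* unknown command byte or a newline: nothing to do */
            break;
        }
    }
}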








2: dll文件



// TestDll.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include "stdio.h"

/* Name of the shared file mapping.  DllInject.cpp creates it with
 * CreateFileMapping under the same string and ThreadProc opens it by name;
 * neither side authenticates the writer, so whoever can open the name can
 * place a command word in it.  (Identifiers beginning with an underscore and
 * a capital letter are reserved for the implementation in C/C++.) */
#define _MAP_ "gyarmy"
/* Absolute addresses of Attack(), Relax() and Blood() inside one particular
 * build of Game.exe; ThreadProc reaches them with "mov eax,<addr> / call eax".
 * They hold only for that exact binary loaded at its preferred base. */
#define _ATTACK_ 0x401030
#define _RELAX_ 0x401080
#define _BLOOD_ 0x4010d0

HANDLE g_hModule;    /* intended to hold this DLL's module handle for FreeLibraryAndExitThread; NOTE: nothing in this file ever assigns it */
HANDLE g_hMapFile;   /* handle returned by OpenFileMapping in ThreadProc */
LPTSTR lpBuff;       /* base of the mapped view; only its first 4 bytes (the command word) are used */
DWORD dwType;        /* most recent command word read from the view; 0 means idle */

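/*
 * Worker thread started from DllMain.  Polls the first DWORD of the shared
 * mapping _MAP_ every 600 ms and dispatches the value it finds:
 *   1 -> Attack()  (call through _ATTACK_)
 *   2 -> Relax()   (call through _RELAX_)
 *   3 -> Blood()   (call through _BLOOD_)
 *   4 -> unmap the view, close the mapping handle and unload this DLL
 * After 1, 2 or 3 the word is written back as 0 so the controller can see
 * the command was consumed; 0 and unknown values are left untouched.
 *
 * lpParameter is unused.  Returns 0 (leaving the DLL loaded) when the
 * mapping cannot be opened or mapped.  The original entered the polling loop
 * even when MapViewOfFile failed and then spun forever with a NULL view; it
 * also never released the view or the mapping handle before unloading.
 */
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    (void)lpParameter;
    dwType = 0;

    /* Open the shared memory the controller created. */
    g_hMapFile = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, _MAP_);
    if (g_hMapFile == NULL)
    {
        printf("OpenFileMapping Error: %lu\n", GetLastError());
        return 0;
    }

    /* Map a view of it; bail out (and close the handle) instead of polling
     * a NULL pointer. */
    lpBuff = (LPTSTR)MapViewOfFile(g_hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
    if (lpBuff == NULL)
    {
        printf("MapViewOfFile Error: %lu\n", GetLastError());
        CloseHandle(g_hMapFile);
        g_hMapFile = NULL;
        return 0;
    }

    for (;;)
    {
        BOOL handled = FALSE;

        /* The command word lives in the first 4 bytes of the view. */
        CopyMemory(&dwType, lpBuff, sizeof dwType);

        switch (dwType)
        {
        case 1:
            __asm{
                mov eax,_ATTACK_
                call eax
            }
            handled = TRUE;
            break;
        case 2:
            __asm{
                mov eax,_RELAX_
                call eax
            }
            handled = TRUE;
            break;
        case 3:
            __asm{
                mov eax,_BLOOD_
                call eax
            }
            handled = TRUE;
            break;
        case 4:
            /* Release what this thread owns before unloading; FreeLibraryAndExitThread
             * never returns, so nothing after it would run. */
            UnmapViewOfFile(lpBuff);
            lpBuff = NULL;
            CloseHandle(g_hMapFile);
            g_hMapFile = NULL;
            FreeLibraryAndExitThread((HMODULE)g_hModule, 0);
            /* not reached */
        default:
            /* 0 (idle) or an unknown word: no action, no write-back */
            break;
        }

        if (handled)
        {
            /* Acknowledge the command by resetting the word to 0. */
            dwType = 0;
            CopyMemory(lpBuff, &dwType, sizeof dwType);
        }

        Sleep(600);
    }
    return 0;
}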


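/*
 * DLL entry point.  On process attach it records the module handle and
 * starts ThreadProc on its own thread; all other notifications are ignored.
 * Always returns TRUE.
 *
 * Two fixes against the original: g_hModule was never assigned, so the
 * FreeLibraryAndExitThread call in ThreadProc received NULL and the DLL could
 * not unload itself on command 4; and the handle returned by CreateThread
 * was never closed.  Nothing joins the thread, so the handle is closed
 * immediately.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        g_hModule = hModule;   /* needed later by FreeLibraryAndExitThread */
        HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, NULL, 0, NULL);
        if (hThread != NULL)
        {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}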








3: dll注入与进程通信



// DllInject.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <Tlhelp32.h>

/* Name of the shared file mapping; must match the string TestDll.cpp opens. */
#define _MAP_ "gyarmy"

HANDLE g_hModule;    /* not used anywhere in this file */
HANDLE g_hMapFile;   /* mapping created by InitFileMapping() */
LPTSTR lpBuff;       /* view of that mapping; main() writes the command word to its first 4 bytes */
DWORD dwType;        /* not used anywhere in this file */

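/*
 * Loads lpDllName into process dwProcessID: copies the path into the target
 * and starts a remote thread at LoadLibraryA with that path as its argument.
 *
 * Returns TRUE once the remote thread has been created, FALSE on any failure
 * (the failing step is named through OutputDebugString).  The process handle
 * is closed on every path.  The original never closed the remote thread
 * handle; it is closed here right away since nothing waits on it.
 *
 * Unchanged assumptions: lpDllName is a narrow string (lstrlen counts
 * TCHARs, so a UNICODE build would under-allocate), and LoadLibraryA sits at
 * the same address in the target as in this process.  The path buffer stays
 * allocated in the target, as in the original, because the remote thread may
 * still be reading it when this function returns.
 */
BOOL DllInject(DWORD dwProcessID, LPCTSTR lpDllName)
{
    BOOL ok = FALSE;

    /* 1. Open the target process. */
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    if (hProcess == NULL)
    {
        OutputDebugString("OpenProcess Error!");
        return FALSE;
    }

    do
    {
        /* 2. Reserve room in the target for the path plus its terminator. */
        DWORD dwAllocSize = lstrlen(lpDllName) + 1;
        LPVOID lpStrArr = VirtualAllocEx(hProcess, NULL, dwAllocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (lpStrArr == NULL)
        {
            OutputDebugString("VirtualAllocEx Error!");
            break;
        }

        /* 3. Write the path into that buffer. */
        if (!WriteProcessMemory(hProcess, lpStrArr, (LPVOID)lpDllName, dwAllocSize, NULL))
        {
            OutputDebugString("WriteProcessMemory Error!");
            break;
        }

        /* 4. Resolve LoadLibraryA in this process's own kernel32. */
        HMODULE hModule = GetModuleHandle("kernel32.dll");
        if (hModule == NULL)
        {
            OutputDebugString("GetModuleHandle Error!");
            break;
        }
        FARPROC dwProcAddr = GetProcAddress(hModule, "LoadLibraryA");
        if (dwProcAddr == NULL)
        {
            OutputDebugString("GetProcAddress Error!");
            break;
        }

        /* 5. Run LoadLibraryA(path) on a new thread inside the target. */
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)dwProcAddr, lpStrArr, 0, NULL);
        if (hThread == NULL)
        {
            OutputDebugString("CreateRemoteThread Error!");
            break;
        }

        /* Nothing joins the thread, so drop our reference to it now. */
        CloseHandle(hThread);
        ok = TRUE;
    } while (0);

    /* 6. Single exit: the process handle is released on success and failure. */
    CloseHandle(hProcess);
    return ok;
}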

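/*
 * Returns the process ID of the process whose image name equals
 * szProcessName (case-insensitive, via lstrcmpi), or 0 when no such process
 * exists or the Toolhelp snapshot cannot be taken.
 *
 * As in the original, the entire snapshot is walked and the LAST match wins
 * when several processes share the name.  Fixes: the snapshot handle leaked
 * when Process32First failed, and two locals the function never used
 * (a STARTUPINFO and a PROCESS_INFORMATION) are gone.
 */
DWORD GetProcessIDByName(LPCTSTR szProcessName)
{
    DWORD dwPID = 0;
    PROCESSENTRY32 ps;
    ZeroMemory(&ps, sizeof ps);
    ps.dwSize = sizeof ps;   /* Toolhelp rejects the call unless dwSize is set */

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return dwPID;
    }

    if (Process32First(hSnapshot, &ps))
    {
        do
        {
            if (lstrcmpi(ps.szExeFile, szProcessName) == 0)
            {
                dwPID = ps.th32ProcessID;   /* keep walking: last match wins */
            }
        } while (Process32Next(hSnapshot, &ps));
    }

    CloseHandle(hSnapshot);
    return dwPID;
}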


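/*
 * Creates the named, pagefile-backed shared mapping _MAP_ (0x1000 bytes) in
 * g_hMapFile and maps the first BUFSIZ bytes of it into lpBuff.
 *
 * Returns TRUE on success.  On failure prints which call failed and returns
 * FALSE; if the mapping had already been created it is closed first (the
 * original leaked the handle when MapViewOfFile failed).
 *
 * The mapping is created with a NULL security attributes pointer, i.e. the
 * default DACL, and TestDll.cpp opens it purely by name.  Nothing on either
 * side checks who wrote the command word, so any process in the session that
 * can open the name can drive the injected DLL.
 */
BOOL InitFileMapping()
{
    g_hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000, _MAP_);
    if (g_hMapFile == NULL)
    {
        printf("CreateFileMapping Error\n");
        return FALSE;
    }

    lpBuff = (LPTSTR)MapViewOfFile(g_hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
    if (lpBuff == NULL)
    {
        printf("MapViewOfFile Error\n");
        CloseHandle(g_hMapFile);
        g_hMapFile = NULL;
        return FALSE;
    }
    return TRUE;
}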


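/*
 * Controller: locates Game.exe, creates the shared mapping, injects
 * TestDll.dll and then writes one command word every two seconds into the
 * first 4 bytes of the mapping.  Word meanings (see ThreadProc in
 * TestDll.cpp): 1 = Attack, 2 = Relax, 3 = Blood, 4 = unload the DLL.
 *
 * The sequence sent is exactly the one the original sent; its array held an
 * 11th entry (a trailing 1) that the 10-iteration loop never reached, so it
 * is not kept here.
 *
 * Unlike the original, which ignored both results, a missing Game.exe
 * (PID 0) and a failed injection are reported and no commands are sent.
 * Returns 1 on any setup failure, 0 otherwise.  The view and mapping handle
 * are released by process exit.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    /* Command script: 1 = Attack, 2 = Relax, 3 = Blood, 4 = unload. */
    static const DWORD dwOrderList[] = { 1, 2, 3, 3, 2, 1, 1, 2, 3, 4 };
    const size_t nOrders = sizeof dwOrderList / sizeof dwOrderList[0];

    DWORD pId = GetProcessIDByName("Game.exe");
    if (pId == 0)
    {
        printf("Game.exe not found\n");
        return 1;
    }

    if (!InitFileMapping())
    {
        return 1;
    }

    if (!DllInject(pId, "C:\\Documents and Settings\\Administrator\\桌面\\TestDll.dll"))
    {
        printf("DllInject failed\n");
        return 1;
    }

    for (size_t i = 0; i < nOrders; i++)
    {
        DWORD dwCtrlCode = dwOrderList[i];
        CopyMemory(lpBuff, &dwCtrlCode, sizeof dwCtrlCode);
        Sleep(2000);   /* give the DLL's 600 ms poll time to consume the word */
    }

    return 0;
}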





