// Globals shared by the local (in-process) and remote (cross-process) speedhack paths.
var hSpeedhack_i386 = 0//module address of the CE speedhack plugin (speedhack-i386.dll)
var pfnInitializeSpeedhack = 0//address of the plugin's InitializeSpeedhack export (the function that sets the speed)
var pfnRealGetTickCount = 0//address of the plugin variable that caches the real GetTickCount
var pfnRealQueryPerformanceCounter = 0//address of the plugin variable that caches the real QueryPerformanceCounter
var pfnspeedhackversion_GetTickCount = 0//address of the plugin's speedhackversion_GetTickCount export (CE's replacement GetTickCount)
var pfnspeedhackversion_QueryPerformanceCounter = 0//address of the plugin's speedhackversion_QueryPerformanceCounter export (CE's replacement QueryPerformanceCounter)
var My_GetTickCount = 0//cached real address of kernel32!GetTickCount as resolved by this process
var My_QueryPerformanceCounter = 0//cached real address of kernel32!QueryPerformanceCounter as resolved by this process
var My_RtlQueryPerformanceCounter = 0//cached address of ntdll!RtlQueryPerformanceCounter (the function behind QueryPerformanceCounter)
var hKernel32 = 0//kernel32 module base
var g_tmp = 0//global scratch value (holds the absolute call operand written into the GetTickCount trampoline)
var g_hWnd = 0 //window handle of the remote target
var injectType = 0 //global injection mode, compared against enumLocal / enumRemote in setSpeed
var enumLocal = #C0000000 //enum constant: local (in-process) mode
var enumRemote = #C0000004 //enum constant: remote (cross-process) mode
//本地载入插件 + HOOK
//本地
//写入本地字节集
function writeLocalByteArray(addr, size, barray)
// Copy `size` bytes from the TC array `barray` into this process's memory at `addr`, one byte at a time.
// Assumes barray holds at least `size` elements; nothing here checks that.
var b = 0
for(var i = 0; i < size; i++)
b = barray[i]
memset(addr + i, b, 1)
end
end
//申请本地内存
function newByteArray(size)
// Commit `size` bytes of fresh executable+writable memory in this process.
// Returns the base address, or 0 when VirtualAlloc fails (callers do not check this).
var pMem = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
return pMem
end
//释放本地内存
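function freeByteArray(addr, size)
// Release a region obtained from newByteArray. `size` is kept for callers but ignored:
// VirtualFree requires dwSize == 0 when dwFreeType is MEM_RELEASE, otherwise the call
// fails with ERROR_INVALID_PARAMETER and the region is never released (the original passed `size`).
// Returns non-zero on success.
return VirtualFree(addr, 0, MEM_RELEASE)
end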
function installLocalHook(pfnHookFunc, bOri, bNew, nsize)
// Overwrite `nsize` bytes at bOri in this process with the bytes in bNew, after filling the last
// 4 bytes of bNew with the rel32 displacement that makes a call/jmp placed at bOri land on pfnHookFunc.
// The opcode byte(s) at the start of bNew are supplied by the caller (E9 = jmp in SpeedHack_Initialize).
var oldProtect = 0
var rel32 = pfnHookFunc - (bOri + nsize)//rel32 is relative to the address of the next instruction
var relSlot = bNew + nsize - 4
memcopy(relSlot, varaddress(rel32), 4)//store the displacement in the local byte buffer
VirtualProtect(bOri, nsize, PAGE_EXECUTE_READWRITE, oldProtect)//make the target page writable
memcopy(bOri, bNew, nsize)//apply the patch
VirtualProtect(bOri, nsize, oldProtect, oldProtect)//restore the original protection
// NOTE(review): neither VirtualProtect result is checked; if the first call fails, memcopy writes to a page that may still be read-only.
end
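function GetUnDocumentApi()
// Resolve every address the local speedhack path needs and store them in the globals above.
// Returns true only if every lookup succeeded. The original result omitted hNtdll,
// My_RtlQueryPerformanceCounter and hSpeedhack_i386 even though SpeedHack_Initialize patches
// My_RtlQueryPerformanceCounter unconditionally, so a failed ntdll lookup would have patched address 5.
var bret = 0
var hNtdll = 0
syssetcurrentpath(sysgetprocesspath())//switch the working directory to the process directory so the plugin DLL is found by name
hKernel32 = GetModuleHandleW("Kernel32.dll")//kernel32 module base
My_GetTickCount = GetProcAddress(hKernel32, "GetTickCount")//entry of GetTickCount
My_QueryPerformanceCounter = GetProcAddress(hKernel32, "QueryPerformanceCounter")//entry of QueryPerformanceCounter
hNtdll = LoadLibraryW("ntdll.dll")
My_RtlQueryPerformanceCounter = GetProcAddress(hNtdll, "RtlQueryPerformanceCounter")//the ntdll function behind QueryPerformanceCounter
hSpeedhack_i386 = LoadLibraryW("speedhack-i386.dll")//CE speedhack plugin
pfnInitializeSpeedhack = GetProcAddress(hSpeedhack_i386, "InitializeSpeedhack")//function export
pfnRealGetTickCount = GetProcAddress(hSpeedhack_i386, "realGetTickCount")//exported variable, not a function
pfnRealQueryPerformanceCounter = GetProcAddress(hSpeedhack_i386, "realQueryPerformanceCounter")//exported variable, not a function
pfnspeedhackversion_GetTickCount = GetProcAddress(hSpeedhack_i386, "speedhackversion_GetTickCount")//CE's replacement GetTickCount
pfnspeedhackversion_QueryPerformanceCounter = GetProcAddress(hSpeedhack_i386, "speedhackversion_QueryPerformanceCounter")//CE's replacement QueryPerformanceCounter
bret = (hKernel32 && hNtdll && hSpeedhack_i386 && My_GetTickCount && My_QueryPerformanceCounter && My_RtlQueryPerformanceCounter && pfnInitializeSpeedhack && pfnRealGetTickCount && pfnRealQueryPerformanceCounter && pfnspeedhackversion_GetTickCount && pfnspeedhackversion_QueryPerformanceCounter)
return bret
end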
function SpeedHack_Initialize()
// Install the local (in-process) speedhack: build trampolines that preserve the first bytes of
// kernel32!GetTickCount and ntdll!RtlQueryPerformanceCounter, redirect both functions to the CE
// plugin's speedhackversion_* replacements, and store the trampoline addresses in the plugin's
// realGetTickCount / realQueryPerformanceCounter variables.
// Every global used here is taken as-is from GetUnDocumentApi(); nothing is re-checked.
// NOTE(review): the GetTickCount trampoline reproduces the prologue of one specific kernel32 build
// (see the #8188C offset below); on any other build the patched function will misbehave.
var lpNumber = 0//unused
var dwOldProtect = 0
var bNewGetTickCount = newByteArray(12)//12-byte trampoline for GetTickCount
memset(bNewGetTickCount, #51, 1)//push ecx
var tmpNewCall = newByteArray(6) //6-byte scratch buffer
writeLocalByteArray(tmpNewCall, 2, array(#FF, #15))//call dword ptr [Kernel32.dll + #8188C]
g_tmp = hKernel32 + #8188C//hard-coded, build-specific offset into kernel32
memcopy(tmpNewCall + #2, varaddress(g_tmp), 4) //absolute operand of the call
memcopy(bNewGetTickCount + #1, tmpNewCall, 6) //trampoline[1..6] = call dword ptr [...] (this 6-byte scratch buffer is never freed)
tmpNewCall = newByteArray(5)
memset(tmpNewCall, #E9, 1)//jmp My_GetTickCount + #7
installLocalHook(My_GetTickCount + #7, bNewGetTickCount + #7, tmpNewCall, 5)//trampoline[7..11]: jump back into the real GetTickCount
freeByteArray(tmpNewCall, 5)
tmpNewCall = newByteArray(3)
//nop
//nop
//pop ecx
writeLocalByteArray(tmpNewCall, 3, array(#90, #90, #59))
VirtualProtect(My_GetTickCount + #5, 3, PAGE_EXECUTE_READWRITE, dwOldProtect)
memcopy(My_GetTickCount + #5, tmpNewCall, 3)//overwrite GetTickCount+5..+7 (this 3-byte buffer is never freed)
VirtualProtect(My_GetTickCount + #5, 3, dwOldProtect, dwOldProtect)
var bNewQueryPerformanceCounter = newByteArray(10)//10-byte trampoline for RtlQueryPerformanceCounter
//mov edi,edi
//push ebp
//mov ebp,esp
writeLocalByteArray(bNewQueryPerformanceCounter, 5, array(#8B, #FF, #55, #8B, #EC))//the usual 5-byte Windows hot-patch prologue, copied into the trampoline
tmpNewCall = newByteArray(5)
memset(tmpNewCall, #E9, 1)//jmp My_RtlQueryPerformanceCounter + #5
installLocalHook(My_RtlQueryPerformanceCounter + #5, bNewQueryPerformanceCounter + #5, tmpNewCall, 5)//trampoline[5..9]: jump back into the real RtlQueryPerformanceCounter
freeByteArray(tmpNewCall, 5)
tmpNewCall = newByteArray(5)
memset(tmpNewCall, #E9, 1)//jmp pfnspeedhackversion_GetTickCount
installLocalHook(pfnspeedhackversion_GetTickCount, My_GetTickCount, tmpNewCall, 5)//hook the original GetTickCount
freeByteArray(tmpNewCall, 5)
tmpNewCall = newByteArray(5)
memset(tmpNewCall, #E9, 1)//jmp pfnspeedhackversion_QueryPerformanceCounte
installLocalHook(pfnspeedhackversion_QueryPerformanceCounter, My_RtlQueryPerformanceCounter, tmpNewCall, 5)//hook the original RtlQueryPerformanceCounter
tmpNewCall = newByteArray(5)//NOTE(review): the previous 5-byte buffer is not freed, and this new one is never used
//store the trampoline address in the plugin variable realGetTickCount
VirtualProtect(pfnRealGetTickCount, 4, PAGE_EXECUTE_READWRITE, dwOldProtect)
memcopy(pfnRealGetTickCount, varaddress(bNewGetTickCount), 4)//realGetTickCount = bNewGetTickCount
VirtualProtect(pfnRealGetTickCount, 4, dwOldProtect, dwOldProtect)
//store the trampoline address in the plugin variable realQueryPerformanceCounter
VirtualProtect(pfnRealQueryPerformanceCounter, 4, PAGE_EXECUTE_READWRITE, dwOldProtect)
memcopy(pfnRealQueryPerformanceCounter, varaddress(bNewQueryPerformanceCounter), 4)//realQueryPerformanceCounter = bNewQueryPerformanceCounter
VirtualProtect(pfnRealQueryPerformanceCounter, 4, dwOldProtect, dwOldProtect)
end
远程在源码内 HOOK 的那段就留空给各位自己搞定了，跟本地差不多，只是调用的函数不同而已。
//远程
//写入远程字节集
function writeRemoteByteArray(hProcess, addr, size, barray)
// Copy `size` bytes from the TC array `barray` into the process `hProcess` at `addr`,
// temporarily making that range executable+writable. Assumes barray has at least `size` elements.
// The per-byte WriteProcessMemory results are not checked.
var written = 0
var oldProtect = 0
var byteVal = 0
VirtualProtectEx(hProcess, addr, size, PAGE_EXECUTE_READWRITE, oldProtect)
for(var i = 0; i < size; i++)
byteVal = barray[i]
WriteProcessMemory(hProcess, addr + i, varaddress(byteVal), 1, written)
end
VirtualProtectEx(hProcess, addr, size, oldProtect, oldProtect)//restore the original protection
end
//申请远程内存
function newRemoteByteArray(hProcess, size)
// Commit `size` bytes of executable+writable memory inside the process `hProcess`.
// Returns the remote base address, or 0 when VirtualAllocEx fails.
var pRemote = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
return pRemote
end
//释放远程内存
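function freeRemoteByteArray(hProcess, addr, size)
// Release a region obtained from newRemoteByteArray. `size` is kept for callers but ignored:
// VirtualFreeEx requires dwSize == 0 when dwFreeType is MEM_RELEASE, otherwise the call fails
// and the region stays allocated in the target process (the original passed `size`).
// Returns non-zero on success.
return VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE)
end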
//写入远程钩子
function installRemoteHook(hProcess, pfnHookFunc, bOri, bNew, nsize)
// Same as installLocalHook, but bOri lives inside the process `hProcess`: fill the last 4 bytes of
// the local buffer bNew with the rel32 displacement from bOri to pfnHookFunc, then write bNew over bOri.
// Returns true only if WriteProcessMemory reported all nsize bytes written.
var written = 0
var oldProtect = 0
var rel32 = pfnHookFunc - (bOri + nsize)//rel32 is relative to the address of the next instruction
var relSlot = bNew + nsize - 4
memcopy(relSlot, varaddress(rel32), 4)//store the displacement in the local byte buffer
VirtualProtectEx(hProcess, bOri, nsize, PAGE_EXECUTE_READWRITE, oldProtect)//make the remote page writable
WriteProcessMemory(hProcess, bOri, bNew, nsize, written)//apply the patch in the target
VirtualProtectEx(hProcess, bOri, nsize, oldProtect, oldProtect)//restore the original protection
return written == nsize
end
function InjectHackSpeed(hWnd)
// Remote-mode setup: find the process behind hWnd, load speedhack-i386.dll into it and resolve
// the plugin's exports inside that process. Returns true if the core lookups succeeded.
// NOTE(review): hProcess is never closed on any path (handle leak), the result of 注入dllW is not
// checked, and hSpeedhack_i386 is set here but not included in the returned check.
var dwProcessId = 0
GetWindowThreadProcessId(hWnd, dwProcessId)
EnablePrivilege("SeDebugPrivilege")
var hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessId)
if(!hProcess)
return false
end
注入dllW(hProcess, sysgetprocesspath() & "speedhack-i386.dll")//load the plugin into the target process
syssetcurrentpath(sysgetprocesspath())//switch the working directory to the process directory
hKernel32 = GetModuleHandleW("Kernel32.dll")//NOTE(review): these three are resolved in *this* process, not the target; presumably relies on kernel32 having the same base in both — confirm
My_GetTickCount = GetProcAddress(hKernel32, "GetTickCount")
My_QueryPerformanceCounter = GetProcAddress(hKernel32, "QueryPerformanceCounter")
hSpeedhack_i386 = GetFindDataAddr("speedhack-i386.dll", dwProcessId)//plugin base inside the target
pfnInitializeSpeedhack = 跨进程获取函数名地址(hProcess, "speedhack-i386.dll", "InitializeSpeedhack", 0)//export addresses inside the target
pfnRealGetTickCount = 跨进程获取函数名地址(hProcess, "speedhack-i386.dll", "realGetTickCount", 0)
pfnRealQueryPerformanceCounter = 跨进程获取函数名地址(hProcess, "speedhack-i386.dll", "realQueryPerformanceCounter", 0)
pfnspeedhackversion_GetTickCount = 跨进程获取函数名地址(hProcess, "speedhack-i386.dll", "speedhackversion_GetTickCount")//NOTE(review): the trailing 0 argument used above is omitted here and below — confirm the helper's default
pfnspeedhackversion_QueryPerformanceCounter = 跨进程获取函数名地址(hProcess, "speedhack-i386.dll", "speedhackversion_QueryPerformanceCounter")
var bret = 0
var lpNumber = 0//unused
var dwOldProtect = 0//unused
////////////////////////////////////////////////////////////////
// The remote hook step is intentionally left out by the author: mirror the local version with the remote calls.
// local: VirtualAlloc VirtualFree VirtualProtect memcpy
// remote: VirtualAllocEx VirtualFreeEx VirtualProtectEx WriteProcessMemory
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////
bret = (pfnInitializeSpeedhack && pfnRealGetTickCount && pfnRealQueryPerformanceCounter && hKernel32 && My_GetTickCount && My_QueryPerformanceCounter)
return bret
end
安装完钩子后，调用 InitializeSpeedhack 切换速度。
function setRemoteSpeed(hWnd, fSpeed)
// Remote mode: call the plugin's InitializeSpeedhack(fSpeed) inside the target process by running a
// small asm stub there. pfnInitializeSpeedhack must already hold the target-process address resolved
// by InjectHackSpeed. Returns nothing, although setSpeed returns this call's result — the remote
// path reports no success/failure to its caller.
var dwProcessId = 0
GetWindowThreadProcessId(hWnd, dwProcessId)
EnablePrivilege("SeDebugPrivilege")
var hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessId)//NOTE(review): not checked for failure before use, unlike InjectHackSpeed
var handleDLL = LoadLibraryW("kernel32.dll")//unused
var GetProAddr = GetProcAddress(handleDLL, "LoadLibraryW")//unused
AsmClear()
MOV_EAX_Value(floattohex(fSpeed))//presumably the float's bit pattern, pushed as the single argument
Push_EAX()
MOV_EBX_Value(pfnInitializeSpeedhack)//call InitializeSpeedhack inside the target process
Call_EBX()
Ret()
RunAsmCode(hProcess, 1)
CloseHandle(hProcess)
end
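function setSpeed(fSpeed)
// Apply a new speed factor through the plugin, in whichever mode injectType selects.
// Returns false if any required address is still unresolved or if injectType is neither
// enumLocal nor enumRemote (the original fell off the end in that case and returned nothing).
if (!pfnInitializeSpeedhack || !pfnRealGetTickCount || !pfnRealQueryPerformanceCounter || !hKernel32 || !My_GetTickCount || !My_QueryPerformanceCounter || !pfnspeedhackversion_GetTickCount || !pfnspeedhackversion_QueryPerformanceCounter)
return false
end
editsettext("edit0", cstring(int(fSpeed)))//reflect the value in the UI
if(injectType == enumLocal)
return pointercall("bool", pfnInitializeSpeedhack, "float", fSpeed)//local: direct call into the plugin
elseif (injectType == enumRemote)
return setRemoteSpeed(g_hWnd, fSpeed)//remote: run the call inside the target process (setRemoteSpeed itself returns nothing)
end
return false
end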