DLL外挂型内存补丁的实现
DLL外挂型内存补丁的实现:思路:自己写个DLL文件PYG.DLL 输出函数K ,找个程序需要调用的DLL文件(我用的LPK.DLL,基本上可执行程序都要用到).用PE工具添加
输入表PYG.DLL函数K,然后把PYG.DLL和LPK.DLL COPY到要破解的程序目录.这样程序调用LPK.DLL 就会加载PYG.DLL来执行
修改内存的目的.
例子:
DLL部分:
library pyg;
{ Important note about DLL memory management: ShareMem must be the
first unit in your library's USES clause AND your project's (select
Project-View Source) USES clause if your DLL exports any procedures or
functions that pass strings as parameters or function results. This
applies to all strings passed to and from your DLL--even those that
are nested in records and classes. ShareMem is the interface unit to
the BORLNDMM.DLL shared memory manager, which must be deployed along
with your DLL. To avoid using BORLNDMM.DLL, pass string information
using PChar or ShortString parameters. }
uses
windows,
TlHelp32,
Unit1 in 'Unit1.pas';
var
Pn: TProcesseNtry32; // PROCESSENTRY32 record; read by MyDLLProc but never written anywhere in this listing
{$R *.res}
procedure k; stdcall;
{ Exported placeholder. It is intentionally empty: as the description above
  explains, it exists only so that a patched import table has a symbol to
  resolve, which is what forces this library to be mapped into the process.
  Defender note: an import that resolves to an empty export in a DLL sitting
  next to the executable is a recognisable sign of this loading trick. }
begin
  { nothing to do }
end;
procedure MyDLLProc;stdcall;
{ Runs at load time (the initialization block below both assigns it to
  DLLProc and calls it directly) and installs a WH_SHELL hook through HookOn.
  NOTE(review): Pn is never assigned in this listing, so the value read here
  is whatever the global holds at load time. The field read is a parent
  process id, yet hHandle and HookOn's first parameter are typed HWND -
  confirm this is intended.
  NOTE(review): Delphi's DLLProc callback is called with a Reason argument;
  this procedure declares no parameters, so the DLLProc assignment looks
  mismatched. }
var
hHandle:HWND;
begin
hHandle:=pn.th32ParentProcessID;
//HookOn(hHandle,0);   // earlier variant left in by the author
HookOn(hHandle,WH_shell); // install the hook
end;
exports
k;
begin
DLLProc:=@MyDLLProc; // registered as the attach/detach callback ...
MyDLLProc;           // ... but the hook is actually installed right here, during DLL initialization
end.
修改内存模块:
unit Unit1;
interface
uses
windows;
var
hHk: HHOOK=0;      // handle of the currently installed hook; 0 when none
mhwnd:HWND=0;      // value passed to HookOn as the window handle
hThread: Cardinal; // thread id returned by GetWindowThreadProcessId in HookOn
hmod: Pointer; // "Hinstance" in the original remark - NOTE(review): despite the name it is only used as the process-id out parameter of GetWindowThreadProcessId
procedure HookProc;stdcall;                                          // hook callback that performs the in-memory write
function HookOn(lpHwnd:HWND;lpType:Longint): Longint;stdcall;       // install the hook; returns the hook handle
function HookOff:Boolean;stdcall;                                    // remove the hook; True if one was installed
implementation
function HookOn(lpHwnd:HWND;lpType:Longint): Longint;stdcall; export;
{ Installs a Windows hook of type lpType whose callback (HookProc) lives in
  this DLL, for the thread that owns window lpHwnd. Returns the hook handle
  (0 on failure); the handle is also kept in the global hHk.
  Defender note: SetWindowsHookEx with a callback inside a DLL dropped beside
  the application is a well-known way of getting that DLL mapped into the
  target; hook installation from an unexpected module is worth alerting on.
  NOTE(review): the only caller in this listing passes a process id rather
  than a window handle, so GetWindowThreadProcessId may return 0 here; by
  Win32 semantics a thread id of 0 makes the hook desktop-wide - confirm
  what hThread actually holds at runtime. }
begin
mhwnd:=lpHwnd;
if hHk<>0 then UnHookWindowsHookEx(hHk); // replace any hook installed earlier
hThread :=GetWindowThreadProcessId(mhwnd,hmod); // hmod (a Pointer) serves as the process-id out parameter
hHk :=SetWindowsHookEx(lpType,@HookProc,hInstance,hThread); // hook type comes from the caller (WH_shell in library pyg); the old "WH_KEYBOARD" remark was stale
Result :=hHk;
end;
procedure ModMemData();
{ Makes the region containing the hard-coded address $004024e0 writable.
  Called from HookProc's inline asm immediately before it writes there.
  The address is an absolute constant, so it is presumably only meaningful
  for the one executable image the author targeted.
  Defender note: a code page of a loaded image being switched to
  PAGE_READWRITE from inside a hook callback is exactly the kind of
  protection change memory-integrity monitoring is meant to surface.
  NOTE(review): the return values of VirtualQuery and VirtualProtect are
  ignored, and nothing in this listing restores the original protection. }
var
pData: pointer;
dwOldProtect:DWORD; // declared but unused: mbi_thunk.Protect receives the old protection instead
mbi_thunk: TMemoryBasicInformation;
begin
pData := pointer($004024e0);
// Query the page information for the region holding pData.
VirtualQuery(pData, mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
// Change the whole region's protection to read/write; the previous protection is written into mbi_thunk.Protect.
VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize,PAGE_READWRITE, mbi_thunk.Protect);
end;
procedure HookProc;stdcall;
{ Hook callback installed by HookOn. It compares the 4 bytes at one fixed
  address in the host process with an expected value and, if they match,
  makes the page writable (ModMemData) and overwrites them; then the hook
  is removed, so the write happens at most once per installation.
  NOTE(review): this is declared without parameters or a result, whereas a
  SetWindowsHookEx callback is invoked with three arguments; under stdcall
  the callee removes its own arguments, so the mismatch looks like it leaves
  the host thread's stack unbalanced - confirm before relying on it.
  NOTE(review): the memory operand of the cmp/mov at the two marked lines
  appears to have been lost when the listing was pasted (the text reads
  "cmp ,edx" / "mov ,edx"); the loaded constant and the push/pop of eax
  suggest an eax-relative operand, but that cannot be verified from this page. }
var
ljj:pchar;          // unused in this listing
ljj2:string;        // unused in this listing
DLLHandle: THandle; // unused in this listing
begin
try
begin
asm
pushad             // save all general registers
pushfd             // save flags
mov eax,$004024e0  // the same hard-coded address ModMemData unprotects
mov edx,$358b6674  // value expected at that address
cmp ,edx           // (memory operand missing in the pasted text - see note above)
jne @@11           // no match: leave memory untouched
push eax           // preserve eax across the call
call ModMemData;   // make the page writable
pop eax
mov edx,$358b9090  // replacement value: only the low two bytes differ from the expected one
mov ,edx           // (memory operand missing in the pasted text - see note above)
@@11:
popfd
popad
end;
end;
except
{ NOTE(review): this branch runs after SEH has already unwound the stack,
  so these pops no longer pair with the pushes above and consume whatever
  happens to be on the stack - presumably not what was intended. }
begin
asm
popfd
popad
end;
end;
end;
HookOff; // remove the hook
end;
function HookOff:Boolean;stdcall;
{ Removes the hook installed by HookOn, if one is present.
  Returns True when a hook existed and has been unhooked, False otherwise. }
begin
  Result := hHk <> 0;
  if Result then
  begin
    UnHookWindowsHookEx(hHk);
    hHk := 0;
  end;
end;
end.
学习,修改DLL导入表,导入新DLL,这个想法/:good 。。。。。
004024e0是要修改软件的指令地址吗?358b6674是指令二进制代码吧。 不错的例子.收藏了 感谢~/:001 学习:loveliness: 超强 /:L
这个真的是强悍 很好的例程阿!学习