- // BaseAddrTools.cpp : Defines the entry point for the DLL application.
- //
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>
// Forward declarations. The first three helpers are not defined in this listing;
// what is said about them here comes only from how the Find*Addr functions call them.
BOOL GetProcessModuleHandle(DWORD PID,const char*szModuleName,MODULEENTRY32 *pModule);// fill *pModule (base address / size are what callers use) for the module named szModuleName in process PID
BOOL StringToByte(const char *InBuff,unsigned char *OutBuff);// convert a hex string (two characters per byte) into a byte array
BYTE *MemoryFind(BYTE *Buff1,BYTE *Buff2,DWORD Buff1Size,DWORD Buff2Size);// locate byte array Buff2 inside Buff1; returns a pointer to the hit or NULL
void FindCallAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp);// report CALL target addresses for every pattern hit
void FindFunctionAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp);// report function-entry addresses for every pattern hit
void FindConstAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp);// report the constant (DWORD) stored at each pattern hit
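// DLL entry point. Runs the pattern scan exactly once, on process attach.
//
// hModule            this DLL's module handle (unused).
// ul_reason_for_call why the loader called us; only DLL_PROCESS_ATTACH does work.
// lpReserved         loader-supplied, unused.
// Returns TRUE so the load always succeeds, whether or not the scan found anything.
BOOL WINAPI DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    (void)hModule;
    (void)lpReserved;

    // Without this check the scan (and its OutputDebugString traffic) repeated
    // on every DLL_THREAD_ATTACH / DLL_THREAD_DETACH notification as well.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // NOTE(review): this runs under the loader lock. FindConstAddr stays in
        // this process, but GetProcessModuleHandle's body is not visible here -
        // confirm it does not load libraries or wait on other threads.
        FindConstAddr("558B??83????5356578D????B9????????B8????????F3??",0XD,"BaseAddrTools.exe","0x%08X\n");
    }
    return TRUE;
}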
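// Which value a pattern hit should report. Selects the arithmetic that
// ScanModuleForPattern applies to each match; one value per public wrapper.
enum FindKind
{
    FIND_CONST,     // the DWORD stored at match + OffsetSize
    FIND_FUNCTION,  // the address match + OffsetSize itself
    FIND_CALL       // the target of the E8 rel32 CALL located at match + OffsetSize
};

// Returns TRUE when the Len bytes starting at P lie entirely inside the module
// image [Base, Base + Size). Guards every dereference of a match so an
// OffsetSize that points past the image end cannot fault.
static BOOL InsideModule(const BYTE *Base, DWORD Size, const BYTE *P, DWORD Len)
{
    if (P < Base || Len > Size)
        return FALSE;
    return (DWORD_PTR)(P - Base) <= (DWORD_PTR)(Size - Len);
}

// Shared body of FindConstAddr / FindFunctionAddr / FindCallAddr.
//
// Resolves ModuleName in the current process, converts the hex pattern in Buff
// to bytes, and reports one line per hit through OutputDebugString, formatted
// with Regexp (a printf-style format consuming one DWORD).
//
// Buff        hex pattern, two characters per byte. "??" pairs are handed to
//             StringToByte/MemoryFind unchanged; their wildcard handling is not
//             visible here - presumably StringToByte marks them, verify there.
// OffsetSize  byte distance from the start of a match to the field of interest.
// ModuleName  name of the module whose image is scanned.
// Regexp      caller-controlled printf format; every caller in this file passes
//             a literal such as "0x%08X\n". Formatting is bounded to DbgOutBuff.
// Kind        which value to derive from each match (see FindKind).
//
// Reported values are 32-bit: the rel32 CALL arithmetic and the single %X
// conversion in the callers' format strings both assume a 32-bit image.
// Hits whose field would fall outside the image are skipped, not reported.
static void ScanModuleForPattern(const char *Buff, int OffsetSize,
                                 const char *ModuleName, const char *Regexp,
                                 FindKind Kind)
{
    if (Buff == NULL || ModuleName == NULL || Regexp == NULL)
        return;

    MODULEENTRY32 Module32;
    if (GetProcessModuleHandle(GetCurrentProcessId(), ModuleName, &Module32) == FALSE)
        return; // module is not loaded in this process

    // Two hex characters per pattern byte; an odd trailing character is dropped.
    DWORD PatternLen = (DWORD)(strlen(Buff) / 2);
    if (PatternLen == 0)
        return; // nothing to search for

    BYTE *Pattern = new BYTE[PatternLen];
    if (!StringToByte(Buff, Pattern))
    {
        delete [] Pattern; // conversion failed: release the buffer and give up
        return;
    }

    BYTE *Base = Module32.modBaseAddr;
    DWORD Size = Module32.modBaseSize;

    BYTE *Hit = MemoryFind(Base, Pattern, Size, PatternLen);
    while (Hit)
    {
        BYTE *Field = Hit + OffsetSize;
        DWORD Value = 0;
        BOOL HaveValue = FALSE;

        switch (Kind)
        {
        case FIND_CONST:
            // memcpy rather than *(DWORD *): the field need not be aligned.
            if (InsideModule(Base, Size, Field, sizeof(DWORD)))
            {
                memcpy(&Value, Field, sizeof Value);
                HaveValue = TRUE;
            }
            break;
        case FIND_FUNCTION:
            // No memory is read here, so the address itself is reported as is.
            Value = (DWORD)(DWORD_PTR)Field;
            HaveValue = TRUE;
            break;
        case FIND_CALL:
            // E8 rel32: target = address of the next instruction (Field + 5) + rel32.
            // Unsigned arithmetic so a wrapping sum is defined, unlike the int form.
            if (InsideModule(Base, Size, Field, 5))
            {
                DWORD Rel32 = 0;
                memcpy(&Rel32, Field + 1, sizeof Rel32);
                Value = (DWORD)(DWORD_PTR)Field + 5 + Rel32;
                HaveValue = TRUE;
            }
            break;
        default:
            break;
        }

        if (HaveValue)
        {
            // Bounded format: Regexp is not a literal here, so plain sprintf could
            // overrun DbgOutBuff. The buffer is pre-zeroed and _snprintf gets one
            // byte less than its size, so the result is always NUL-terminated.
            char DbgOutBuff[MAX_PATH] = {0};
            _snprintf(DbgOutBuff, sizeof DbgOutBuff - 1, Regexp, Value);
            OutputDebugString(DbgOutBuff);
        }

        // Resume one byte past the hit. The remaining size is measured from
        // Hit + 1, not from Hit, so the search never reads past the image end.
        DWORD Consumed = (DWORD)(Hit - Base) + 1;
        if (Consumed >= Size)
            break;
        Hit = MemoryFind(Hit + 1, Pattern, Size - Consumed, PatternLen);
    }

    delete [] Pattern;
}

/**
 * For every occurrence of the hex pattern Buff in module ModuleName, reports the
 * DWORD stored OffsetSize bytes into the match (an immediate operand, say).
 * Output goes to OutputDebugString, formatted with Regexp (one DWORD argument).
 * Hits whose DWORD would lie outside the module image are skipped.
 */
void FindConstAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp)
{
    ScanModuleForPattern(Buff, OffsetSize, ModuleName, Regexp, FIND_CONST);
}

/**
 * For every occurrence of the hex pattern Buff in module ModuleName, reports the
 * address match + OffsetSize (the presumed function entry). Output goes to
 * OutputDebugString, formatted with Regexp (one DWORD argument).
 */
void FindFunctionAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp)
{
    ScanModuleForPattern(Buff, OffsetSize, ModuleName, Regexp, FIND_FUNCTION);
}

/**
 * For every occurrence of the hex pattern Buff in module ModuleName, treats the
 * five bytes at match + OffsetSize as an E8 rel32 CALL and reports its target.
 * Output goes to OutputDebugString, formatted with Regexp (one DWORD argument).
 * Hits whose CALL bytes would lie outside the module image are skipped.
 */
void FindCallAddr(const char *Buff,int OffsetSize,const char *ModuleName,char *Regexp)
{
    ScanModuleForPattern(Buff, OffsetSize, ModuleName, Regexp, FIND_CALL);
}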