免责声明:内容仅供学习参考,请合法利用知识,禁止进行违法犯罪活动!
上一个内容:44.实现管理HOOK点的链表对象
以 44.实现管理HOOK点的链表对象 它的代码为基础进行修改
HOOKPOINT.cpp文件修改,修改了FindPoint函数
#include "pch.h"
#include "HOOKPOINT.h"
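// Default constructor: creates an empty list head.
// Every member is explicitly set to nullptr. htdHook::Points is such a head,
// and FindPoint() walks NextPoint from it, so leaving the pointers
// indeterminate (as the original empty body did) made a lookup before the
// first SetHook() read uninitialized memory.
HOOKPOINT::HOOKPOINT()
    : Address(nullptr), NextPoint(nullptr), BackPoint(nullptr), DestCall(nullptr)
{
}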
// Node constructor: records the hook site (_adr) and its handler (_hbk) and
// links the node to its predecessor (_BackP) and optional successor.
// Initializers are listed in member-declaration order (Address, NextPoint,
// BackPoint, DestCall) so the construction order reads as it executes.
HOOKPOINT::HOOKPOINT(LPVOID _adr, HOOKBACK _hbk, HOOKPOINT* _BackP, HOOKPOINT* _NextPoint)
    : Address{ _adr }
    , NextPoint{ _NextPoint }
    , BackPoint{ _BackP }
    , DestCall{ _hbk }
{
}
// Creates a new node for (_adr, _hbk) whose BackPoint is this node, hangs it
// off this node's NextPoint and returns it.
// Whatever NextPoint referred to before is dropped, not freed; the only
// caller shown (htdHook::SetHook) always invokes this on the current tail.
// The node is allocated with new and is never deleted anywhere on this page.
HOOKPOINT* HOOKPOINT::AddPonit(LPVOID _adr, HOOKBACK _hbk)
{
    HOOKPOINT* const node = new HOOKPOINT(_adr, _hbk, this);
    NextPoint = node;
    return node;
}
// Forward linear search, starting at this node, for the node whose Address
// equals _adr. Returns nullptr when no node on the chain matches.
// Nodes before `this` (reachable only via BackPoint) are not visited.
HOOKPOINT* HOOKPOINT::FindPoint(LPVOID _adr)
{
    for (PHOOKPOINT cursor = this; cursor != nullptr; cursor = cursor->NextPoint) {
        if (cursor->Address == _adr) {
            return cursor;
        }
    }
    return nullptr;
}
HOOKPOINT.h文件修改
#pragma once
// Register snapshot handed to a hook handler. The layout is expected to
// mirror what the data_code stub pushes (pushad, pushfd, push esp): eflags at
// the lowest address, then the pushad block, and finally eip, the return
// address pushed by the `call data_code` at the hook site (DisHook subtracts
// 5 from it to recover that site).
// Every field is a 32-bit `unsigned`, so this only matches an x86-32 build.
typedef struct CPUINFO {
unsigned eflags; // pushed by pushfd
unsigned edi;    // start of the pushad block
unsigned esi;
unsigned ebp;
unsigned esp;
unsigned ebx;
unsigned edx;
unsigned ecx;
unsigned eax;
unsigned eip;    // return address of the call at the hook site
}*PCPUINFO;
// Hook handler signature: receives the register snapshot and returns a bool
// that DisHook consults (true = continue the original code, false = jump to a
// specified location); both branches in DisHook are still empty placeholders.
typedef bool (*HOOKBACK)(PCPUINFO);
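// One node of the linked list of hook points owned by htdHook.
// The first instance (htdHook::Points) is a default-constructed head that
// does not correspond to an installed hook; real entries are appended with
// AddPonit. BackPoint is assigned by the node constructor but is not read by
// any code on this page. Nodes are allocated with new and never freed, and
// nothing removes a hook point once registered.
// All members carry default initializers so that a default-constructed head
// holds nullptr everywhere instead of indeterminate values (FindPoint walks
// NextPoint from the head even before the first SetHook).
typedef class HOOKPOINT
{
private:
    // Where the hook is installed, i.e. the address of the patched code;
    // DisHook looks nodes up by this value.
    LPVOID Address{};
    HOOKPOINT* NextPoint{};
    HOOKPOINT* BackPoint{};
public:
    // Handler invoked by DisHook when the hook at Address fires.
    HOOKBACK DestCall{};
public:
    // Empty head (all members nullptr).
    HOOKPOINT();
    // Node for a hook site; _NextPoint defaults to NULL because nodes are
    // appended at the tail.
    HOOKPOINT(LPVOID, HOOKBACK, HOOKPOINT*, HOOKPOINT* _NextPoint = NULL);
    // Creates a node after this one and returns it. The misspelling "Ponit"
    // is the name existing callers use and is kept for compatibility.
    HOOKPOINT* AddPonit(LPVOID, HOOKBACK);
    // Forward search from this node for the node whose Address equals the
    // argument; nullptr when none matches.
    HOOKPOINT* FindPoint(LPVOID);
}*PHOOKPOINT;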
htdHook.h文件修改:
#pragma once
#include "HOOKPOINT.h"
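// Owner of the hook-point list and user of the shared entry stub (data_code).
// Construction stores the instance in the global htdHookPtr that DisHook
// dereferences without a null check, so an htdHook must exist before any
// hook fires, and a later instance replaces the earlier one.
// Nothing here removes a hook or frees the nodes appended by SetHook.
class htdHook
{
private:
    // Tail of the list (initially &Points); SetHook appends after it.
    PHOOKPOINT PPointLast{};
public:
    // List head; DisHook searches from it with FindPoint.
    HOOKPOINT Points;
public:
    htdHook();
    // Installs a hook at Address that invokes hookBack. `len` is accepted but
    // the current implementation does not use it.
    // (The parameter was spelled "ookBack" in the declaration; the definition
    // calls it hokBack — names only, the signature is unchanged.)
    void SetHook(LPVOID Address, HOOKBACK hookBack, unsigned short len);
};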
htdHook.cpp文件中的代码,修改了SetHook、htdHook、DisHook函数
#include "pch.h"
#include "htdHook.h"
// The htdHook instance DisHook uses to find hook points. Static storage makes
// it nullptr until the htdHook constructor assigns it; DisHook does not check
// for that, so a hook firing before construction would dereference nullptr.
htdHook* htdHookPtr;
// Relative operand for a 5-byte E8 call: the target minus the address of the
// instruction that follows the call. `distance` is the absolute target and
// `eip` the address of the E8 byte itself (parameter names kept as callers
// know them). Unsigned wrap-around is intended: a backward target yields the
// two's-complement displacement in the low 32 bits.
unsigned GetJMPCode(unsigned distance, unsigned eip) {
    const unsigned next_instruction = eip + 0x5;
    return distance - next_instruction;
}
// Common landing function for every hook, reached through the data_code stub,
// which saves the register state and calls here. `e` points at the CPUINFO
// snapshot the stub built on the stack.
void _stdcall DisHook(PCPUINFO e) {
/**
When a call instruction executes, eip holds the address of the instruction
after it; subtracting 0x5 (the length of the call) gives the address of the
call itself, i.e. which hook site we came from.
*/
unsigned _eip = e->eip - 0x5;
// htdHookPtr is assigned in htdHook's constructor and is not null-checked.
PHOOKPOINT point = htdHookPtr->Points.FindPoint((LPVOID)_eip);
if (point) {
if(point->DestCall(e)){
// Continue executing the original code (empty placeholder for now).
}else{
// Jump to the specified location (empty placeholder for now).
}
}
}
// Entry stub that every hooked call site jumps into. It lives in a global
// data region, which may not be executable, so the htdHook constructor
// changes its page protection to PAGE_EXECUTE_READWRITE before use.
// The four 0xCC bytes at offset 4 are a placeholder that the constructor
// overwrites with the rel32 displacement to DisHook (the E8 is at offset 3).
// NOTE(review): 0x9C, 0xE8, 0x9D and 0xC3 do not fit a signed char, so this
// brace initializer is a narrowing conversion; if the build rejects it,
// unsigned char is the natural element type — confirm on the target compiler.
char data_code[]{
0x60,// pushad
0x9C,// pushfd
0x54,// push esp  (address of the saved state; becomes DisHook's argument)
0xE8,0xCC,0xCC,0xCC,0xCC, // call DisHook (rel32 patched at runtime)
0x9D,// popfd
0x61,//popad
0xC3//retn
};
// Sets the list tail to the head, publishes this instance to DisHook through
// htdHookPtr, makes data_code executable and patches its call target.
htdHook::htdHook()
{
PPointLast = &Points;
htdHookPtr = this;
DWORD dOld;
// Return value ignored: if VirtualProtect fails, data_code stays
// non-executable and the first hook that fires will fault.
VirtualProtect(data_code, sizeof(data_code), PAGE_EXECUTE_READWRITE, &dOld);
// The E8 opcode sits at offset 3 of the stub, its rel32 operand at offset 4.
unsigned* Adr = (unsigned*)(data_code + 0x4);
// Function pointer truncated to 32 bits: x86-32 builds only.
unsigned target = (unsigned)DisHook;
Adr[0] = GetJMPCode(target, (unsigned)(data_code + 0x3));
// Debug aid: shows the stub's address in a message box.
CString wTxt;
wTxt.Format(L"%X", data_code);
AfxMessageBox(wTxt);
}
// Installs a hook: appends a list node for (Address, hokBack) and overwrites
// the first five bytes at Address with `call data_code`.
// The five original bytes are neither saved nor re-executed, which the
// page's closing note identifies as the cause of the post-injection crash.
// `len` is accepted but unused in this version.
void htdHook::SetHook(LPVOID Address, HOOKBACK hokBack, unsigned short len)
{
DWORD dOld;
DWORD dNew;
PPointLast = PPointLast->AddPonit(Address, hokBack);
// Return values of both VirtualProtect calls are ignored; if the first one
// fails, the write below faults on read-only code.
VirtualProtect(Address, 0x5, PAGE_EXECUTE_READWRITE, &dOld);
char* code = (char*)Address;
code[0] = 0xE8; // call rel32
unsigned* Adr = (unsigned*)(code + 1);
Adr[0] = GetJMPCode((unsigned)data_code, (unsigned)Address);
// Restore the previous protection; dNew only receives the value replaced.
VirtualProtect(Address, 0x5, dOld, &dNew);
}
注入之后游戏会崩溃,原因是我们把游戏原有代码进行修改了但是没有把原有代码重新写回去导致的崩溃,后面写修复