(5), select "Settings" from the "Project" menu, pop up the Project Setting dialog, select the Link tab, enter in Object / Library Module
WS2_32.lib.
(6), compile the project, generate WSOCK32.DLL library files.
(7), copy the system directory under the WSOCK32.DLL library file to the directory of the plug-in, and the name is WSOCK.001; will then generate above
WSOCK32.DLL files are also copied to the publicity of the plug-in. Restart the game program, at this time, the game program will load our own production.
WSOCK32.DLL file, then use the library file to indirectly call the original Winsock interface function to implement the access network. Above we only introduced the load winsock
Realization process, as for how to join the plug-in control code, the plug-in developer needs careful analysis of the game data package structure, content, encryption algorithm
(This process will be a hard process), regenerate into external control code. About packet analysis methods and techniques, not the scope of this article, such as you
Interested in online check-related information.
2. Revenge API
Blocking API technology is very similar to blocking Winsock technology, but the former provides a more powerful function than the latter. Blocking Winsock can only block
The Winsock interface function, while the Block API enables the shutdown of all API functions including Winsock API functions. If you
The plug-in program is only intended to stop the Winsock's function, you can only choose to use the blockwinning Winsock technology introduced by the previous section. With a large number of outside
The preface is functional extension, but they only provide the block of the packet, but also the Windows API or other DLL library functions used in the game program.
Shirt to make the plug-in functionality more powerful. For example, you can achieve this tool, with this tool, by a block-down associated API function.
You can make your plug-in.
The principle of blocking API technology is also using our own functions to replace the functions provided by Windows or other DLL libraries, a bit with a relaxed Winsock
The principle is similar. However, its implementation process is more complicated than blocking Winsock, as in the same way, like a shutdown Winsock process, the application calls
Some library files have written a simulated library a bit unlikely, just say that Windows API has thousands, and many libraries are not open,
In order to write a way to write an analog library, it is not realistic, so we must seek a good party.
The ultimate goal of the blocking API is to use the custom function instead of the original function. So, we should first know when the app, where, and what way
Call the original function. Next, you need to modify the instruction code of the original function in the application, so that it will correct the pointer to our own.
The function address of the righteousness. In this way, the plug-in program fully controls the API function called by the application, as for how to join the plug-in code, depending on the demand
. Finally, there is an important issue to be resolved, how to put our customized function code to the original API function to inject the plug-in game program
Space Space, because applications in the Windows system can only access code and data in this process address space.
In summary, to implement a blockade API function, at least the following three issues are required:
● How to locate the game program calling the API function instruction code?
● How to modify the game program to call the API function instruction code?
● How to put plug-in code (custom replacement function code) into the game program process address space?
Below we will introduce these questions:
(1), positioning call API function instruction code
We know that using the CALL instruction in assembly language calls a function or process, it is positioned to the corresponding function code through the function address in the command parameter. So, if we can find the CALL instructions of all calls that are being called in the program code, we can make functions in the instruction.
The address parameter is modified to an address of the alternative function. Although this is a feasible solution, it will be very cumbersome to achieve it. Fortunately, Windows
The executable (PE format) used in the system uses an input address table mechanism to store all the address information of the API function called by the program in the input ground.
In the address table, the address used in the program code CALL instruction is not the address of the API function, but the address item of the API function in the address table, if you want to make
The API function called in the order code is replaced, and only the address item of the API function in the input address table can be used. Specific understanding of the input address table
Mechanism, you also need to understand the PE format file structure, where Figure 3 lists the general structure of the PE format file.
Figure 3: PE format roughly structural map (003.jpg)
The PE format file is a DOS program. When your program is running in a Windows environment, it will display "this Program"
"Cannot Be Run in dos mode", then this DOS file head, start the real PE file content. The first is a paragraph
"Image_nt_Header" data, which is a number of messages on the entire PE file, the end of this data is a number called Data Directory
According to Table, it can quickly locate some of the address of some PE files. After this data, it is a "image_section_header"
The list, each of which describes the relevant information of the later segment. Then it is the main paragraph data in the PE file, execute code, number
According to information and resources, information is stored in these sections.
In all these segments, there is a paragraph (input data segment) called ".idata" worth noting that it is included in this section.
Add a data list of the address table (IAT, Import Address Table). Every DLL in which the API loaded with an implicit manner has an IAT and corresponding.
At the same time, an API address is also corresponding to one of IAT. When an application is loaded into the memory, the corresponding generation of each API function is called.
The assembly instruction:
JMP DWORD PTR [xxxxxxxx]
or
Call DWORD PTR [xxxxxxxx]
Among them, [xxxxxxxx] indicates an item in the input address table, and its content is a DWORD, but it is this DWORD is the API function in memory.
The real address. So we want to intercept an API call, as long as it is simple to change the DWORD to our own function.
(2), modify the API function code
From the above analysis of the PE file format, the modification call API function code is actually modified to call the API function in the input address table IAT item content. by
The strict protection mechanism for the application instruction code address space in the Windows system makes the modification program code is very difficult, so that many masters are
Write VXD to enter Ring0. Here, I will introduce you to a more convenient way to modify the process memory, it only needs to call several Windows core API letters
Number, let me learn about these API functions:
DWord VirtualQuery (LPCVOID LPADDRESS, // Address of Region PMemory_basic_information lpbuffer, // information buffer DWLENGTH / / SIZE OF BUFFER); This function is used to query information about the virtual address page within this process. Where lpaddress represents the area address of the query page; lpbuffer is used for
Save the buffer of the query page information; DWLENGTH indicates the buffer size. The return value is the actual buffer size.
Bool VirtualProtect (lpvoid lpaddress, // region of committed pages size_t dwsize, // size of the region ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
This function is used to change the protection attribute of the virtual address page in this process. Among them, lpaddress represents the change protection property page area address; DWSIZE
Page area size; flnewprotect represents a new protection attribute, which can be valued for Page_ReadOnly, Page_Execute, etc .;
LPFLOLDPROTECT represents the protection attribute used to save the change. If the function call successfully returns "T", "f" is returned.
With these two API functions, we can save the process of modifying the process as you wish. First, call the VirtualQuery () function query to be modified
Page information, then call the VirtualProtect () function according to this information to change the protection attributes of these pages to Page_Readwrite, with this permission you can
Arbitrary modify the process memory data. The following section shows how to clear the byte of the process virtual address to 0x0040106c.
BYTE * PDATA = 0x0040106c; memory_basic_information mbi_thunk; // Query page information. VirtualQuery (pData, & mbi_thunk, sizeof); // Change the page protection attribute to read and write. VirtualProtect (Mbi_thunk.Baseaddress, Mbi_thunk.regionSize, Page_Readwrite, & Mbi_thunk.protect); // Clear. * Pdata = 0x00; // Restore the original protection properties of the page. DWORD DWOLDPROTECT; VirtualProtect (Mbi_thunk.Baseaddress, Mbi_thunk.regionsize, mbi_thunk.protect, & dwoldprotect); (3), injecting the plug-in code into the hovering process
After completing the API function code in the positioning and modification program, we can design the alternative function of the custom API function. Do finished all this
These codes are also needed to inject these codes into the pluggable game program process memory space, otherwise the game process will not access the alternative function code at all. Injection
There are many ways, such as using the global hook injection, use the registry to inject the API function in the blocking USER32 library, use CreateRemoteThread injection (limited to
NT / 2000), using BHO injection, etc. Because we have already contacted global hooks in the action simulation technology section, I believe that smart readers have fully mastered
The overall hook production process, so we will continue to use this global hook in the following examples. As for several other injection methods, if you are interested
See the MSDN related content. With the above theoretical basis, we will start to make an instance of blocking MessageBoxa and RECV functions, and when developing a game plug-in program,
With this example as the frame, add the corresponding alternative function and processing code. The development process of this example is as follows:
(1) Open the ActiveKey project created in front.
(2) Add the HookAPI structure in the ActiveKey.h file, this structure is used to store the name of the blocked API function name, the original API function address, and alternative functions.
site.
Typedef struct tag_hookapi {lpcstr szfunc; // is used by HOOK's API function name. Proc pnewproc; // replaces the function address. Proc POLDPROC; // Original API function address. Hookapi, * lphookApi;
(3) Open the activeKey.cpp file, first join a function to locate the IAT address in the input database in the input data segment. code show as below:
Extern "C" __DECLSPEC (DLLEXPORT) PIMAGE_IMPORT_DEScriptor Locationiat (HModule HModule, LPCSTR SzimportMod) // where hmodule is a process module handle; SzimportMod is the name of the input library. {// Check if it is a DOS program, such as returning null, because the DOS program is not IAT. PIMAGE_DOS_HEADER PDOSHEADER = (pimage_dos_header) hmodule; if (pdosheader-> e_magic! = Image_dos_signature) return null; // Check if the NT flag, otherwise returns NULL. PIMAGE_NT_HEADERS PNTHEADER = (pimage_nt_headers) ((DWORD) PDoSHeader (DWORD) (PDOSHeader)
> e_lfanew); if (pntheader-> signature! = image_nt_signature) return null; // No IAT table returns NULL. IF (pntheader-> optionalHeader.DataDirectory [image_directory_entry_import] .virtualaddress == 0)
Return null; // Position the first IAT location. PIMAGE_IMPORT_DESCRIPTOR PIMPORTDESC = (PIMAGE_IMPORT_DESCRIPTOR) (DWORD) PDOSHEADER (DWORD)
(Pntheader-> OptionalHeader.DataDirectory [image_directory_entry_import] .virtualaddress); // Check all IAT based on the input library name loop, return the IAT address, otherwise the next IAT is detected. While (PimportDesc-> Name) {// Gets the name of the input library description of the IAT. PSTR SZCURRMOD = (PSTR) (PimportDesc-> Name); if (StricsP (SZCurRMod, SzimportMod) == 0) Break; PimportDesc ;} if (pimportdesc-> name == null) Return Null; Return PimportDesc;} Add a function to locate the IAT item that is blocked the API function and modifies its content as an alternative function address. code show as below:
Extern "C" __Declspec (dllexport) hookApibyname (HModule HModule, LPCSTR SzimportMod, LPhookApiphookApi) // where hmodule is the process module handle; SzimportMod is the input library name; PhookAPI is Hookapi structure pointer. {// Positioning the SzimportMod Enter the IAT address in the input data segment. PIMAGE_IMPORT_DESCRIPTOR PIMPORTDESC = Locationiat (hmodule, szimportmod); if (pimportDesc == null) return false; // The first THUNK address. PIMAGE_THUNK_DATA PORIGTHUNK = (PIMAGE_THUNK_DATA) (DWORD) HMODULE (DWORD) (PimportDesc
> OriginalFirstthunk); // The first IAT item THUNK address. PIMAGE_THUNK_DATA PreAlthunk = (PIMAGE_THUNK_DATA) (DWORD) HMODULE (DWORD) (PimportDesc
> Firstthunk); // loop look up the IAT item of the Armed API function and modify its value using the alternative function address. While (PORIGTHUNK-> U1.Function) {// Check this thunk is an IAT item. IF ((PORIGTHUNK-> u1.ordinal & image_ordinal_flag)! = image_ordinal_flag) {// Gets the function name described in this IAT item. PIMAGE_IMPORT_BY_NAME PBYNAME = (PIMAGE_IMPORT_BY_NAME) ((DWORD) HMODULE (DWORD) (Porigthunk-
> u1.addressofdata); if (pbyname-> name [0] == / 0) Return false; // Detect whether it is a block function. IF (strcmpi (phookapi-> szfunc, (char *) pBYNAME-> NAME) == 0) {MEMORY_BASIC_INFORMATION MBI_THUNK; / / Query the information of the modified page. VirtualQuery (PreAlthunk, & Mbi_thunk, sizeof (memory_basic_information)); // Change the Modify Page Protection Properties is Page_Readwrite. VirtualProtect (Mbi_thunk.BaseAddress, Mbi_thunk.region, page_readwrite, & mbi_thunk.protect); // Save the original API function address. IF (PhookApi-> PoldProc == NULL) Phooki-> PoldProc = (proc) preArthunk-> u1.function; // Modify the API function IAT item as an alternative function address. PreAlthunk-> u1.function = (pdword) phookapi-> pnewproc; // Restore the modified page protection attribute. DWORD dwoldprotect; VirtualProtect (Mbi_thunk.baseaddress, Mbi_thunk.regionsize, Mbi_thunk.protect,
& dwoldprotect);}} PORIGTHUNK ; PreAlthunk ;} setLastError (ERROR_SUCCESS); // Setting error is ERROR_SUCCESS, indicating success. Return True;}
(4) Define an alternative function, which only gives the Messageboxa and the RECV two APIs in this instance. code show as below:
Static int WinAPI MessageBoxa1 (HWND HWND, LPCTSTR LPTEXT, LPCTSTRLPCAPTION, UINT UTYPE) {// Filter the text and title content of the original Messageboxa, only the following is displayed. Return MessageBox (HOND, HOOK API! "," Hook API ", UTYPE);} Static Int WinAPI Recv1 (Socket S, Char Far * BUF, INT LEN, INT FLAGS) {// This can be blocked Sending network packets, you can add analysis and processing data code. RETURN RECV (S, BUF, LEN, FLAGS);
(5) Add to activate the API code in the KeyboardProc function, add the following ELSE if statement in the if (wparam == 0x79) statement:
