/// <summary>
/// Loads the DLL at <paramref name="path"/> into the process behind <paramref name="hwnd"/>, reads the
/// function addresses the injected module publishes through the shared-memory region
/// "mh_&lt;hwnd&gt;", then runs a thread in that process at <c>mf.InitSystemRemoteThread</c> with a
/// <see cref="ProCallback"/> block (this window's handle plus the message callback) as its argument.
/// When the thread has finished, the function table is cached in <c>Global.mh_func</c> keyed by
/// <paramref name="hwnd"/>.
/// </summary>
/// <param name="path">Path of the DLL handed to <c>util.WinApi.DoInjection</c>.</param>
/// <param name="hwnd">Window handle of the target; resolved to a process via <c>LoadDll.GetHwndProcess</c> and used to build the shared-memory name.</param>
/// <param name="myHwnd">This process's window handle, copied into the <see cref="ProCallback"/> sent to the remote side.</param>
/// <param name="mhMsgCallBack">Callback stored in the <see cref="ProCallback"/> block.</param>
/// <remarks>
/// Only the injection result is checked. The return values of VirtualAllocEx, WriteProcessMemory,
/// CreateRemoteThread and GetExitCodeThread are ignored, so a failure in any of them is silent and
/// the resulting null/invalid handle or address is passed on to the next call. The thread exit code
/// read into <c>remoteModule</c> is never used. <c>IntPtr.ToInt32()</c> on the handle and on
/// <c>lpBase</c> throws OverflowException for values outside the int range, so this presumably
/// assumes a 32-bit process — confirm.
/// </remarks>
public static void InitSystemRemoteThread(string path, IntPtr hwnd, IntPtr myHwnd, ResvMhMsg mhMsgCallBack)
{
    // Inject the DLL; return silently if that fails (no error reaches the caller).
    bool ret = util.WinApi.DoInjection(path, hwnd);
    if (!ret)
    {
        return;
    }
    // Read the function base addresses from the shared-memory region.
    // NOTE(review): the struct is used as-is with no validation; whatever the region holds
    // becomes the remote thread's start address below.
    util.ShareMemory recvHwnd = new util.ShareMemory("mh_" + hwnd.ToInt32().ToString(), 4096);
    byte[] funcBytes = recvHwnd.Read(recvHwnd.lpBase.ToInt32(), Marshal.SizeOf(typeof(MhFuncAddrs)));
    MhFuncAddrs mf = (MhFuncAddrs)StringUtil.BytesToStruct(funcBytes, typeof(MhFuncAddrs));
    // Build the argument block for the remote thread and copy it into the target process.
    // NOTE(review): size is taken from LoadDll.ProCallback while the value is a ProCallback —
    // presumably the same type; confirm.
    ProCallback pro = new ProCallback();
    pro.hwnd = myHwnd;
    pro.callBack = mhMsgCallBack;
    int size = Marshal.SizeOf(typeof(LoadDll.ProCallback));
    IntPtr process = LoadDll.GetHwndProcess(hwnd);
    // 0x04 is PAGE_READWRITE; the allocation is released by LoadDll.Free below.
    IntPtr AllocAddr = util.WinApi.VirtualAllocEx(process, 0, size, util.WinApi.AllocationType.MEM_COMMIT, 0x04);
    byte[] data = StringUtil.StructToBytes(pro, size);
    LoadDll.WriteProcessMemory(process, AllocAddr, data, size, IntPtr.Zero);
    // Start the remote thread at the published address, passing the argument block.
    IntPtr hRemoteThread = util.WinApi.CreateRemoteThread(process, 0, 0, mf.InitSystemRemoteThread, AllocAddr, 0, 0);
    // 0xFFFFFFFF is INFINITE: block until the remote thread finishes.
    util.WinApi.WaitForSingleObject(hRemoteThread, 0xFFFFFFFF);
    int remoteModule = 0;
    util.WinApi.GetExitCodeThread(hRemoteThread, ref remoteModule); // exit code is read but never used
    LoadDll.Free(process, hRemoteThread, AllocAddr);
    Global.mh_func[hwnd] = mf;
}
/// <summary>
/// Loads the DLL at <paramref name="path"/> into the target behind <paramref name="hwnd"/>, reads the
/// function table the injected module publishes through the shared-memory region "mh_&lt;hwnd&gt;",
/// and passes the three addresses it needs on to <c>InitSystem</c>.
/// </summary>
/// <param name="path">Path of the DLL handed to <c>util.WinApi.DoInjection</c> and forwarded to <c>InitSystem</c>.</param>
/// <param name="hwnd">Window handle of the target; also used to build the shared-memory name.</param>
/// <param name="myHwnd">This process's window handle, forwarded to <c>InitSystem</c>.</param>
/// <param name="mhMsgCallBack">Message callback, forwarded to <c>InitSystem</c>.</param>
/// <returns>0 when the injection fails; otherwise the value returned by <c>InitSystem</c>.</returns>
/// <remarks>
/// A 0 returned by <c>InitSystem</c> cannot be told apart from the injection-failure path. The
/// function table is read without validation, and <c>IntPtr.ToInt32()</c> throws OverflowException
/// for values outside the int range, so this presumably assumes a 32-bit process — confirm.
/// </remarks>
public static int InitSystemMhxy(string path, IntPtr hwnd, IntPtr myHwnd, ResvMhMsg mhMsgCallBack)
{
    // Inject the DLL; 0 signals failure to the caller.
    bool ret = util.WinApi.DoInjection(path, hwnd);
    if (!ret)
    {
        return(0);
    }
    // Read the function base addresses from the shared-memory region.
    string sdd = "mh_" + hwnd.ToInt32().ToString();
    util.ShareMemory recvHwnd = new util.ShareMemory(sdd, 4096);
    byte[] funcBytes = recvHwnd.Read(recvHwnd.lpBase.ToInt32(), Marshal.SizeOf(typeof(MhFuncAddrs)));
    MhFuncAddrs mf = (MhFuncAddrs)StringUtil.BytesToStruct(funcBytes, typeof(MhFuncAddrs));
    // Hand the published addresses to InitSystem (defined elsewhere; not visible here).
    return(InitSystem(path, mf.SetMhMsgCallBack.ToInt32(), mf.RecvMhxyPkgAddr.ToInt32(), mf.ReplaceSendPkgByteAddr.ToInt32(), myHwnd, mhMsgCallBack, hwnd));
}