EnableDebugPrivilege();
BREAK_POINT k;
k.content=0xE8;
k.address=0x4011E9;
byte bk[]={0xcc};
DWORD nSize=0;
long pbase=0;
HANDLE handle=getProcessAccess("零用钱大作战");
HWND hwnd=::FindWindow(NULL,"零用钱大作战");
DWORD pId=0;
DEBUG_EVENT de;
int flag=0;
BOOL cf=true;
CONTEXT context;
GetWindowThreadProcessId(hwnd,&pId);
::DebugActiveProcess(pId);
::WriteProcessMemory(handle,(void*)k.address,&bk,sizeof(bk),&nSize); //更改首字节为0xcc int3
while(cf){
::WaitForDebugEvent(&de,INFINITE);
switch (de.dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
if(flag>=1){
SuspendThread(de.u.CreateThread.hThread); //挂起被调试线程
context.ContextFlags=CONTEXT_FULL;
::GetThreadContext(de.u.CreateThread.hThread,&context); //获取寄存器信息
pbase=context.Ecx; //获取ECX内容
byte bs[]={0xE8};
::WriteProcessMemory(handle,(void*)k.address,&bs,sizeof(bs),&nSize); //还原首字节
context.Eip--; //Eip减一
context.EFlags |= 0x100; //中断标志位复位
::SetThreadContext(de.u.CreateThread.hThread,&context); //设置寄存器信息
/*char* f=new char[20];
ltoa(pbase,f,16);
AfxMessageBox(f);*/
}
flag++;
//if(flag>1)flag=2;
::ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_EXCEPTION_NOT_HANDLED);
ResumeThread(de.u.CreateThread.hThread);
break;
case CREATE_PROCESS_DEBUG_EVENT:
::ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_CONTINUE);
break;
case EXIT_PROCESS_DEBUG_EVENT:
cf=false;
break;
default:
::ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_CONTINUE);
break;
}
};
纠结了。。。寄存器的内容读出来是错的。。。而且读出来后被调试的进程就崩溃了。还原不回去。。。纠结了一个通宵了。。。。。小弟初学。。请各位大牛看看小弟代码哪里有问题。。谢谢~
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
