1,486
社区成员
发帖
与我相关
我的任务
分享怎样能关闭这个互斥体?{(4分+万份感激+千言万语)换代码}
怎样能关闭这个互斥体?{(40分+万份感激+千言万语)换代码}
大哥,只有40分下,下边那个是100分的,你到下边那个回复一下,我把那个100分结给你
http://community.csdn.net/Expert/topic/5027/5027328.xml?temp=.6097071
大哥,只有40分下,下边那个是100分的,你到下边那个回复一下,我把那个100分结给你
http://community.csdn.net/Expert/topic/5027/5027328.xml?temp=.6097071
...全文
请发表友善的回复…
发表回复
ckillcn 2006-09-22
- 打赏
- 举报
我多让路过的人看看 再结贴
ckillcn 2006-09-22
- 打赏
- 举报
真是学无止尽呀!这段代码又可让我学习一段时间了!
ckillcn 2006-09-22
- 打赏
- 举报
谢谢大哥 太感动了
pigsanddogs 2006-09-21
- 打赏
- 举报
想了下, 其实可以不用机器码,插远程线程的时候地址填closehandle的即可.
closehandle和threadcallback的要求完全吻合. 可以少写大概30行代码
closehandle和threadcallback的要求完全吻合. 可以少写大概30行代码
pigsanddogs 2006-09-21
- 打赏
- 举报
在最新的qq游戏测试通过.
qqgame.exe版本为2.0.102.23
factory.dll大小为45124字节
只能工作在nt,2000后续版本. 不支持9x.
先打开一个大厅, 然后command1, 应该会报一个 "成功"
然后可以再打开大厅, 然后commond1, 应该会报二个"成功"
然后可以打开第3个大厅.
开多个大厅重复这个操作就可.
Option Explicit
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Boolean
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Boolean
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Boolean
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Boolean
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const TH32CS_SNAPPROCESS As Long = &H2
Private Const TH32CS_SNAPALL As Long = &HF
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const MEM_COMMIT As Long = &H1000&
Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Private Type MODULEENTRY32
dwSize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Long
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 260
End Type
'当前hprocess,以及当前hprocess的factory.dll的基址
Dim hProcess As Long
Dim modFactory As Long
Private Sub Command1_Click()
Dim Pn As PROCESSENTRY32
Dim sHandle As Long
sHandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0)
Pn.dwSize = Len(Pn)
If Process32First(sHandle, Pn) Then
Do
If InStr(1, Pn.szExeFile, "QQGame.exe", vbTextCompare) > 0 Then
modFactory = GetFactoryBase(Pn.th32ProcessID)
Call CloseMutex(Pn.th32ProcessID)
End If
Loop While Process32Next(sHandle, Pn)
End If
Call CloseHandle(sHandle)
End Sub
Private Function GetFactoryBase(dwProcessId As Long) As Long
Dim Mn As MODULEENTRY32
Dim sHandle As Long
sHandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, dwProcessId)
Mn.dwSize = Len(Mn)
If Module32First(sHandle, Mn) Then
Do
If InStr(1, Mn.szModule, "Factory.dll", vbTextCompare) > 0 Then
GetFactoryBase = Mn.modBaseAddr
Exit Do
End If
Loop While Module32Next(sHandle, Mn)
End If
Call CloseHandle(sHandle)
End Function
Private Sub CloseMutex(dwProcessId As Long)
Dim MachineCode(24) As Byte
Dim hModule As Long, fnCloseHandle As Long
Dim virtualAdr As Long, offsetAdr As Long, ret As Long
Dim hndAdr As Long
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess = 0 Then MsgBox "打开进程失败": Exit Sub
hModule = LoadLibrary("kernel32.dll")
If hModule = 0 Then MsgBox "加载模块失败": Exit Sub
fnCloseHandle = GetProcAddress(hModule, "CloseHandle")
If fnCloseHandle = 0 Then MsgBox "查找函数失败": Exit Sub
virtualAdr = VirtualAllocEx(hProcess, ByVal 0, &H1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If virtualAdr = 0 Then MsgBox "内存分配失败": Exit Sub
offsetAdr = fnCloseHandle - (virtualAdr + 16)
hndAdr = GetHandle()
MachineCode(0) = &H55 'push ebp
MachineCode(1) = &H8B 'mov ebp, esp
MachineCode(2) = &HEC
MachineCode(3) = &H57 'push edi
MachineCode(4) = &H56 'push esi
MachineCode(5) = &H53 'push ebx
MachineCode(6) = &H68 'push ????????
CopyMemory MachineCode(7), hndAdr, 4
MachineCode(11) = &HE8 'call CloseHandle
CopyMemory MachineCode(12), offsetAdr, 4
MachineCode(16) = &H5B 'pop ebx
MachineCode(17) = &H5E 'pop esi
MachineCode(18) = &H5F 'pop edi
MachineCode(19) = &H8B 'mov esp, ebp
MachineCode(20) = &HE5
MachineCode(21) = &H5D 'pop ebp
MachineCode(22) = &HC2 'ret 4
MachineCode(23) = &H4
MachineCode(24) = &H0
ret = WriteProcessMemory(hProcess, ByVal virtualAdr, MachineCode(0), 25, ByVal 0)
If ret = 0 Then MsgBox "写内存失败": Exit Sub
ret = CreateRemoteThread(hProcess, ByVal 0, 0, ByVal virtualAdr, ByVal 0, 0, ByVal 0)
If ret = 0 Then MsgBox "创建线程失败": Exit Sub
Call CloseHandle(ret)
MsgBox "成功"
End Sub
Private Function GetHandle() As Long
Dim ptr1 As Long, ptr2 As Long
ptr1 = A(A(modFactory + &H97C0&) + &H54&)
ptr2 = ptr1
If A(A(ptr1 + &HC) + 4) <> A(modFactory + &H181BC) Then
ptr1 = A(A(ptr1 + &HC) + 4)
Do
If A(ptr1 + &HC) < &H3001 Then
ptr1 = A(ptr1 + 8)
Else
ptr2 = ptr1
ptr1 = A(ptr1)
End If
Loop Until ptr1 = A(modFactory + &H181BC)
End If
GetHandle = A(A(A(ptr2 + &H10) + &H174) + &H38)
End Function
Private Function A(ByVal address As Long) As Long
Call ReadProcessMemory(hProcess, ByVal address, A, 4, ByVal 0)
End Function
qqgame.exe版本为2.0.102.23
factory.dll大小为45124字节
只能工作在nt,2000后续版本. 不支持9x.
先打开一个大厅, 然后command1, 应该会报一个 "成功"
然后可以再打开大厅, 然后commond1, 应该会报二个"成功"
然后可以打开第3个大厅.
开多个大厅重复这个操作就可.
Option Explicit
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Boolean
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Boolean
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Boolean
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Boolean
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const TH32CS_SNAPPROCESS As Long = &H2
Private Const TH32CS_SNAPALL As Long = &HF
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const MEM_COMMIT As Long = &H1000&
Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Private Type MODULEENTRY32
dwSize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Long
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 260
End Type
'当前hprocess,以及当前hprocess的factory.dll的基址
Dim hProcess As Long
Dim modFactory As Long
Private Sub Command1_Click()
Dim Pn As PROCESSENTRY32
Dim sHandle As Long
sHandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0)
Pn.dwSize = Len(Pn)
If Process32First(sHandle, Pn) Then
Do
If InStr(1, Pn.szExeFile, "QQGame.exe", vbTextCompare) > 0 Then
modFactory = GetFactoryBase(Pn.th32ProcessID)
Call CloseMutex(Pn.th32ProcessID)
End If
Loop While Process32Next(sHandle, Pn)
End If
Call CloseHandle(sHandle)
End Sub
Private Function GetFactoryBase(dwProcessId As Long) As Long
Dim Mn As MODULEENTRY32
Dim sHandle As Long
sHandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, dwProcessId)
Mn.dwSize = Len(Mn)
If Module32First(sHandle, Mn) Then
Do
If InStr(1, Mn.szModule, "Factory.dll", vbTextCompare) > 0 Then
GetFactoryBase = Mn.modBaseAddr
Exit Do
End If
Loop While Module32Next(sHandle, Mn)
End If
Call CloseHandle(sHandle)
End Function
Private Sub CloseMutex(dwProcessId As Long)
Dim MachineCode(24) As Byte
Dim hModule As Long, fnCloseHandle As Long
Dim virtualAdr As Long, offsetAdr As Long, ret As Long
Dim hndAdr As Long
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess = 0 Then MsgBox "打开进程失败": Exit Sub
hModule = LoadLibrary("kernel32.dll")
If hModule = 0 Then MsgBox "加载模块失败": Exit Sub
fnCloseHandle = GetProcAddress(hModule, "CloseHandle")
If fnCloseHandle = 0 Then MsgBox "查找函数失败": Exit Sub
virtualAdr = VirtualAllocEx(hProcess, ByVal 0, &H1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If virtualAdr = 0 Then MsgBox "内存分配失败": Exit Sub
offsetAdr = fnCloseHandle - (virtualAdr + 16)
hndAdr = GetHandle()
MachineCode(0) = &H55 'push ebp
MachineCode(1) = &H8B 'mov ebp, esp
MachineCode(2) = &HEC
MachineCode(3) = &H57 'push edi
MachineCode(4) = &H56 'push esi
MachineCode(5) = &H53 'push ebx
MachineCode(6) = &H68 'push ????????
CopyMemory MachineCode(7), hndAdr, 4
MachineCode(11) = &HE8 'call CloseHandle
CopyMemory MachineCode(12), offsetAdr, 4
MachineCode(16) = &H5B 'pop ebx
MachineCode(17) = &H5E 'pop esi
MachineCode(18) = &H5F 'pop edi
MachineCode(19) = &H8B 'mov esp, ebp
MachineCode(20) = &HE5
MachineCode(21) = &H5D 'pop ebp
MachineCode(22) = &HC2 'ret 4
MachineCode(23) = &H4
MachineCode(24) = &H0
ret = WriteProcessMemory(hProcess, ByVal virtualAdr, MachineCode(0), 25, ByVal 0)
If ret = 0 Then MsgBox "写内存失败": Exit Sub
ret = CreateRemoteThread(hProcess, ByVal 0, 0, ByVal virtualAdr, ByVal 0, 0, ByVal 0)
If ret = 0 Then MsgBox "创建线程失败": Exit Sub
Call CloseHandle(ret)
MsgBox "成功"
End Sub
Private Function GetHandle() As Long
Dim ptr1 As Long, ptr2 As Long
ptr1 = A(A(modFactory + &H97C0&) + &H54&)
ptr2 = ptr1
If A(A(ptr1 + &HC) + 4) <> A(modFactory + &H181BC) Then
ptr1 = A(A(ptr1 + &HC) + 4)
Do
If A(ptr1 + &HC) < &H3001 Then
ptr1 = A(ptr1 + 8)
Else
ptr2 = ptr1
ptr1 = A(ptr1)
End If
Loop Until ptr1 = A(modFactory + &H181BC)
End If
GetHandle = A(A(A(ptr2 + &H10) + &H174) + &H38)
End Function
Private Function A(ByVal address As Long) As Long
Call ReadProcessMemory(hProcess, ByVal address, A, 4, ByVal 0)
End Function
pigsanddogs 2006-09-21
- 打赏
- 举报
Dim ptr1 As Long, ptr2 As Long, ptr3 As Long
ptr1 = [[0xdc97c0]+0x54]
If [[ptr1+0xc]+4] = [0xdd81bc] Then
ptr2 = ptr1
Else
ptr1 = [[ptr1+0xc]+4]
Do
if [ptr1+0xc] < 0x3001 then
ptr1 = [ptr1+8]
Else
ptr2 = ptr1
ptr1 = [ptr1]
End If
Loop Until ptr1 = [0xdd81bc]
End If
ptr3 = [[[ptr2+0x10]+0x174]+0x38]
其中ptr3则为那个mutex的handle
ptr1 = [[0xdc97c0]+0x54]
If [[ptr1+0xc]+4] = [0xdd81bc] Then
ptr2 = ptr1
Else
ptr1 = [[ptr1+0xc]+4]
Do
if [ptr1+0xc] < 0x3001 then
ptr1 = [ptr1+8]
Else
ptr2 = ptr1
ptr1 = [ptr1]
End If
Loop Until ptr1 = [0xdd81bc]
End If
ptr3 = [[[ptr2+0x10]+0x174]+0x38]
其中ptr3则为那个mutex的handle
pigsanddogs 2006-09-21
- 打赏
- 举报
已经差不多了. 明天贴代码.
province_ 2006-09-20
- 打赏
- 举报
楼主和爱吃猪肉兄在打哑谜?看不懂。
ReleaseMutex,CloseHandle就是用于释放MUTEX及关闭它的API。
ReleaseMutex,CloseHandle就是用于释放MUTEX及关闭它的API。
boywang 2006-09-20
- 打赏
- 举报
mark 一下.
happy_sea 2006-09-20
- 打赏
- 举报
严重关注。。。
ckillcn 2006-09-20
- 打赏
- 举报
楼上的 ReleaseMutex,CloseHandle就是用于释放MUTEX及关闭它的API。
那要是关闭其它进程的怎么关呢?CloseHandle是关不了的!
那要是关闭其它进程的怎么关呢?CloseHandle是关不了的!
ckillcn 2006-09-19
- 打赏
- 举报
嗯,谢谢哥哥!终于遇到高手了 ^o^
pigsanddogs 2006-09-19
- 打赏
- 举报
昨天特意下了一个最新的qq游戏大厅。
经过分析, 我错了。
他的handle并不是保存.data中, 也不是通过一下指针能够得到的。
里面全部是对象操作。
大概是通过factory创建一个对象, 并保存信息在global中,然后西够的
时候通过global来得到。
global中保存的是一个双向链表指针, 通过他便利得到对象,在去读里面的handle
是保存在堆中的
代码差不多了, 只是handle不太好取。
昨天时间不充足,晚上在帮你看下
对于出手100分的人, 偶是很乐意帮助的。
经过分析, 我错了。
他的handle并不是保存.data中, 也不是通过一下指针能够得到的。
里面全部是对象操作。
大概是通过factory创建一个对象, 并保存信息在global中,然后西够的
时候通过global来得到。
global中保存的是一个双向链表指针, 通过他便利得到对象,在去读里面的handle
是保存在堆中的
代码差不多了, 只是handle不太好取。
昨天时间不充足,晚上在帮你看下
对于出手100分的人, 偶是很乐意帮助的。
ckillcn 2006-09-18
- 打赏
- 举报
代码。。。。。。。。。。。。。。。。。
