SteamRender 绘制Hook




Hook the GameOverlayUI.exe render interface

Steam.cpp

#include "stdafx.h"
#include "Steam.h"

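/*
 * Construct an idle Steam bridge. Nothing is allocated or hooked here;
 * SteamInit() does that.
 *
 * Fix: only Begin was initialised, leaving p1, p2, CacheMem and
 * dwGameOverlayUI as indeterminate values. SteamCheckThread compares
 * dwGameOverlayUI and Steam_RenderBegin/Steam_RenderEnd dereference
 * CacheMem, so every member now starts from a known zero state.
 */
Steam::Steam()
{
    Begin = 0;
    p1 = NULL;
    p2 = NULL;
    CacheMem = NULL;
    dwGameOverlayUI = 0;
}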
/*
 * Allocate Size bytes inside process Pid through the external
 * _regedit_allocmem primitive and apply ProtectType to the new region.
 * Returns the remote base address; callers treat a value < 1 as failure.
 *
 * NOTE(review): "> 100" is a heuristic for "looks like a real address";
 * the return value of _regedit_protectmem is not checked, so a region can
 * come back with the default protection instead of ProtectType.
 */
ULONG64 AllocateMem(DWORD Pid, DWORD ProtectType, DWORD Size) {
    OBFI6(ULONG64) base = _regedit_allocmem((HANDLE)Pid, Size);
    if (base <= 100) {
        return base;
    }
    _regedit_protectmem((HANDLE)Pid, base, Size, ProtectType);
    return base;
}
/*
 * Read one 32-bit value at addr in process Pid through _regedit_read.
 * The primitive's result is not checked: if it does not write the
 * destination, 0 is returned, which is indistinguishable from a real 0.
 */
DWORD ReadDw(HANDLE Pid, ULONG64 addr) {
    DWORD value = 0;
    _regedit_read(Pid, addr, (ULONG64)&value, sizeof(value));
    return value;
}
/*
 * Write one 32-bit value to addr in process Pid through _regedit_write.
 * The primitive's result is discarded; callers cannot tell whether the
 * write landed.
 */
void WriteDw(HANDLE Pid, ULONG64 addr, DWORD data) {
    DWORD value = data;
    _regedit_write(Pid, addr, (ULONG64)&value, sizeof(value));
}
/*
 * Copy size bytes from the local buffer at `target` to addr in process Pid,
 * temporarily making a 4096-byte span starting at addr RWX and then
 * restoring whatever protection value the first _regedit_protectmem call
 * returned.
 *
 * NOTE(review): the span starts at addr rather than at a page boundary and
 * is always 4096 bytes, so a write that crosses into the following page may
 * not be covered (depends on how _regedit_protectmem rounds); neither the
 * returned old protection nor the write result is validated.
 */
VOID Page_WriteCode(HANDLE Pid, ULONG64 addr, ULONG64 target, size_t size) {
    const ULONG32 span = 4096;
    OBFI6(ULONG32) previous = _regedit_protectmem(Pid, addr, span, PAGE_EXECUTE_READWRITE);
    _regedit_write(Pid, addr, target, size);
    _regedit_protectmem(Pid, addr, span, (ULONG32)previous);
}
/*
 * Watchdog loop run on the thread created by SteamCheckDrop(); it never
 * returns. Every 100 ms it compares the cached GameOverlayUI.exe pid with
 * the live one. On a mismatch (the overlay restarted, or is gone and the
 * lookup now yields 0) it waits 5 s and re-runs SteamInit(); if that fails
 * and GetGamePid() reports a value below 10 the whole process exits.
 *
 * NOTE(review): SteamCheckDrop casts this VOID(Steam*) function to
 * LPTHREAD_START_ROUTINE; since the loop never returns the mismatch is not
 * observed in practice. VMProtectEnd() after the loop is unreachable.
 */
VOID Steam::SteamCheckThread(Steam * Context) {
    VMProtectBeginMutation("SteamCheckThread");
    for (;;) {
        const DWORD livePid = (DWORD)Context->GetProcessIdByNameA("GameOverlayUI.exe");
        if (Context->dwGameOverlayUI == livePid) {
            Sleep(100);
            continue;
        }
        // Overlay process changed: give it time to come up, then re-hook.
        Sleep(5000);
        const BOOL reinstalled = Context->SteamInit();
        if (!reinstalled && (DWORD)GetGamePid() < 10) {
            ExitProcess(0);
        }
        Sleep(100);
    }
    VMProtectEnd();
}
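/*
 * Start the watchdog thread (SteamCheckThread) on this object.
 * Returns TRUE when the thread was created, FALSE otherwise.
 * The thread keeps a raw pointer to this object for the rest of the
 * process lifetime, so the Steam instance must outlive it.
 *
 * Fix: CreateThread signals failure with NULL, not with a value <= 1, and
 * the returned handle was never closed, leaking one kernel handle per call.
 * Closing the handle does not stop the thread; it only drops our reference.
 */
BOOLEAN Steam::SteamCheckDrop() {
    HANDLE thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SteamCheckThread, this, 0, NULL);
    if (thread == NULL) {
        return FALSE;
    }
    CloseHandle(thread);
    return TRUE;
}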
/*
 * Install the overlay render hook into GameOverlayUI.exe.
 *
 * Steps (all remote access goes through the external _regedit_* primitives):
 *   1. resolve the GameOverlayUI.exe pid and the base of vgui2_s.DLL in it;
 *   2. allocate the local command cache (CacheMem) and two remote buffers
 *      of the same size, p1 and p2, whose addresses are patched into the
 *      shellcode;
 *   3. read seven DWORDs (d1..d7) from a pointer table at
 *      vgui2_s.DLL + 566884; d7 comes from the very slot that step 5
 *      overwrites, i.e. it is the original entry the hook chains back to;
 *   4. patch the imm32 placeholders of the x86 shellcode with p1, p2 and
 *      d1..d7 (each d value sits after a 0xB8 "mov eax, imm32" that the
 *      code then calls), and copy it into a fresh RWX remote page p3;
 *   5. overwrite the table slot at +436 with p3.
 * Returns TRUE on success, FALSE on any failed step.
 *
 * NOTE(review): every early FALSE return after the allocations leaks
 * CacheMem (VirtualAlloc) and the remote p1/p2 regions, and skips
 * VMProtectEnd(). A repeat call (SteamCheckThread re-runs this whenever the
 * overlay pid changes) allocates a new CacheMem without releasing the old
 * one. The constants 566884, the +offsets and the shellcode patch positions
 * are tied to one particular build of vgui2_s.DLL and are not validated.
 * Addresses are truncated to DWORD throughout, so a 32-bit target is assumed.
 */
BOOL Steam::SteamInit() {
VMProtectBeginMutation("SteamInit");
DWORD old = 0;  // unused
dwGameOverlayUI= (DWORD)GetProcessIdByNameA("GameOverlayUI.exe");
if (!dwGameOverlayUI) return FALSE;
//_regedit_protect((HANDLE)dwGameOverlayUI);
ULONG64 hModule=_regedit_getmodule((HANDLE)dwGameOverlayUI, "vgui2_s.DLL");

if ((DWORD)hModule<1)return FALSE;
// Local command cache: 8-byte header followed by 280-byte records (see the Draw* methods).
CacheMem = VirtualAlloc(0, 13479936, MEM_COMMIT, PAGE_READWRITE);
if ((ULONG_PTR)CacheMem<1)return FALSE;
// Remote twins of the cache; Steam_RenderEnd copies CacheMem into p1.
p1= (LPVOID)AllocateMem(dwGameOverlayUI, PAGE_READWRITE,13479936);
if ((DWORD)p1<1)return FALSE;
p2 = (LPVOID)AllocateMem(dwGameOverlayUI, PAGE_READWRITE,13479936);
if ((DWORD)p2<1)return FALSE;

DWORD d1, d2, d3, d4, d5, d6, d7 = 0;  // only d7 is initialised here; all seven are assigned below

// Pointers the shellcode calls, read from the table at vgui2_s.DLL + 566884.
DWORD temp = hModule + 566884 + 76;
d1 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 84;
d2 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 88;
d3 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 96;
d4 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 52;
d5 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 64;
d6 = ReadDw((HANDLE)dwGameOverlayUI, temp);
temp = hModule + 566884 + 436;
d7 = ReadDw((HANDLE)dwGameOverlayUI, temp);  // original value of the slot that is hooked below
// One RWX page in the target to hold the shellcode.
DWORD p3 = (DWORD)AllocateMem(dwGameOverlayUI, PAGE_EXECUTE_READWRITE, 4096);

if ((DWORD)p3<1)return FALSE;
// 32-bit x86 shellcode. The "0,0,0,0" runs are imm32 placeholders patched below;
// the 0x118 (280) multiplier inside it matches the 280-byte record stride of CacheMem.
BYTE shellcode[] = { 131, 236, 20, 83, 139, 218, 87, 137, 92, 36, 24, 139, 249, 131, 100, 36, 16, 0, 199, 68, 36, 16 ,0,0,0,0, 131, 100, 36, 12, 0, 199, 68, 36, 12 ,0,0,0,0,139, 76, 36, 16, 139, 1, 133, 192, 116, 48, 105, 192, 24, 1, 0, 0, 51, 210, 131, 192, 8, 116, 28, 139, 68, 36, 12, 138, 12, 10, 136, 12, 2, 66, 139, 76, 36, 16, 105, 1, 24, 1, 0, 0, 131, 192, 8, 59, 208, 114, 228, 131, 33, 0, 131, 97, 4, 0, 139, 84, 36, 12, 85, 51, 237, 137, 108, 36, 24, 57, 42, 15, 134, 117, 1, 0, 0, 86, 106, 73, 51, 246, 91, 139, 68, 22, 8, 61, 230, 89, 118, 2, 117, 113, 15, 182, 68, 22, 16, 139, 207, 80, 184,0,0,0,0, 51, 210, 255, 208, 139, 76, 36, 20, 51, 210, 15, 182, 68, 14, 15, 80, 15, 182, 68, 14, 14, 80, 15, 182, 68, 14, 13, 80, 15, 182, 68, 14, 12, 139, 207, 80, 184 ,0,0,0,0, 255, 208, 139, 68, 36, 20, 51, 210, 139, 207, 255, 116, 6, 24, 255, 116, 6, 20, 184 ,0,0,0,0,255, 208, 139, 76, 36, 20, 51, 210, 106, 0, 15, 182, 132, 14, 28, 1, 0, 0, 80, 141, 65, 28, 139, 207, 3, 198, 80, 184 ,0,0,0,0, 255, 208, 235, 73, 61, 165, 44, 225, 4, 117, 75, 15, 182, 68, 22, 15, 139, 207, 80, 15, 182, 68, 22, 14, 80, 15, 182, 68, 22, 13, 80, 15, 182, 68, 22, 12, 51, 210, 80, 184 ,0,0,0,0,255, 208, 139, 68, 36, 20, 51, 210, 139, 207, 255, 116, 6, 28, 255, 116, 6, 24, 255, 116, 6, 20, 255, 116, 6, 16, 184 ,0,0,0,0,255, 208, 139, 84, 36, 20, 233, 131, 0, 0, 0, 61, 251, 228, 245, 5, 117, 124, 15, 182, 68, 22, 15, 139, 207, 80, 15, 182, 68, 22, 14, 80, 15, 182, 68, 22, 13, 80, 15, 182, 68, 22, 12, 51, 210, 80, 184 ,0,0,0,0,255, 208, 139, 84, 36, 20, 50, 192, 136, 68, 36, 19, 56, 68, 22, 16, 118, 73, 189 ,0,0,0,0,15, 182, 200, 141, 4, 11, 15, 191, 68, 66, 64, 80, 141, 4, 11, 15, 191, 4, 66, 80, 141, 4, 11, 15, 191, 68, 66, 192, 80, 141, 4, 11, 139, 207, 15, 191, 68, 66, 128, 51, 210, 80, 255, 213, 138, 68, 36, 19, 139, 84, 36, 20, 254, 192, 136, 68, 36, 19, 58, 68, 22, 16, 114, 192, 139, 108, 36, 28, 69, 129, 195, 140, 0, 0, 0, 129, 198, 24, 1, 0, 0, 137, 108, 36, 28, 59, 42, 15, 130, 150, 
254, 255, 255, 139, 92, 36, 32, 94, 93, 255, 116, 36, 36, 184 ,0,0,0,0, 139, 211, 255, 116, 36, 36, 139, 207, 255, 208, 95, 91, 131, 196, 20, 194, 8, 0 };
// Patch points: the two buffer addresses first, then the call targets (d5 and d6 are used twice).
*(DWORD*)(&shellcode[0] + 22) = (DWORD)p1;
*(DWORD*)(&shellcode[0] + 35) = (DWORD)p2;
*(DWORD*)(&shellcode[0] + 142) = (DWORD)d1;
*(DWORD*)(&shellcode[0] + 183) = (DWORD)d2;
*(DWORD*)(&shellcode[0] + 206) = (DWORD)d3;
*(DWORD*)(&shellcode[0] + 238) = (DWORD)d4;
*(DWORD*)(&shellcode[0] + 282) = (DWORD)d5;
*(DWORD*)(&shellcode[0] + 313) = (DWORD)d6;
*(DWORD*)(&shellcode[0] + 364) = (DWORD)d5;
*(DWORD*)(&shellcode[0] + 387) = (DWORD)d6;
*(DWORD*)(&shellcode[0] + 495) = (DWORD)d7;  // tail: chain to the original entry
_regedit_write((HANDLE)dwGameOverlayUI, (ULONG64)p3, (ULONG64)&shellcode, sizeof(shellcode));
DWORD VTable = hModule + 566884 + 436;
// Redirect the table slot (same one d7 was read from) to the shellcode page;
// Page_WriteCode handles the RWX toggle around the 4-byte write.
Page_WriteCode((HANDLE)dwGameOverlayUI, VTable, (ULONG64)&p3, 4);
VMProtectEnd();
return TRUE;

}
/*
 * Return the pid of the process whose image name equals `name` exactly
 * (case-sensitive strcmp against the PROCESSENTRY32 entry), or 0 when no
 * process matches or the snapshot cannot be taken. If several processes
 * share the name, the last one enumerated wins.
 *
 * This only compiles when szExeFile is CHAR (non-UNICODE build), so no
 * wide-to-ANSI conversion happens here despite what older comments said.
 */
DWORD Steam::GetProcessIdByNameA(const CHAR*name)
{
    OBFI5(DWORD) found = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return FALSE;  // 0: no snapshot, no match
    }
    PROCESSENTRY32 entry = { sizeof(entry) };
    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry)) {
        if (strcmp(entry.szExeFile, name) == 0) {
            found = entry.th32ProcessID;  // keep going: last match wins
        }
    }
    CloseHandle(snapshot);
    return found;
}
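/*
 * Queue a text draw command. Record layout at CacheMem + 8 + Begin*280:
 *   +0   tag 41310694 (text)
 *   +4   color, alpha (top) byte forced to 255
 *   +8   t (passed through untouched)
 *   +12  x
 *   +16  y
 *   +20  text as UTF-16, 256 bytes of space = 128 wchar_t
 *   +276 number of UTF-16 units stored
 * `text` is a code-page-936 (GBK) multi-byte string. Nothing reaches the
 * remote process until Steam_RenderEnd().
 *
 * Fixes:
 *  (1) `*(BYTE*)(&color + 3) = 255` advanced a DWORD* by three elements,
 *      writing 0xFF twelve bytes past `color` on the stack and never
 *      touching the colour's alpha byte; the alpha is now set in the value.
 *  (2) MultiByteToWideChar was given the source byte count as the output
 *      capacity while asking for the NUL to be converted (-1), so any text
 *      whose UTF-16 length + 1 exceeded its byte length (e.g. pure ASCII)
 *      failed and left the slot unwritten; the real capacity is passed now.
 *  (3) The stored count was the byte length, while the buffer is UTF-16
 *      and DrawTextW stores wcslen(); the converted length is stored now.
 * NOTE(review): Begin is not bounds-checked against the cache size; a text
 * that does not fit in 128 wchar_t still fails conversion and is stored
 * with a count of 0.
 */
VOID Steam::DrawTextA(DWORD t, DWORD x, DWORD y, DWORD color, const char* text) {
    const int kTextCapacity = 128;  // wchar_t slots between +20 and +276
    BYTE* record = (BYTE*)CacheMem + 8 + Begin * 280;
    *(DWORD*)(record + 0) = 41310694;
    *(DWORD*)(record + 4) = (color & 0x00FFFFFFu) | 0xFF000000u;
    *(DWORD*)(record + 8) = t;
    *(DWORD*)(record + 12) = x;
    *(DWORD*)(record + 16) = y;
    // -1 converts the terminating NUL as well, so the result counts it; strip it.
    const int converted = MultiByteToWideChar(936, 0, text, -1, (LPWSTR)(record + 20), kTextCapacity);
    const DWORD len = converted > 0 ? (DWORD)(converted - 1) : 0;
    *(DWORD*)(record + 276) = len;
    Begin++;
}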
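/*
 * Queue a text draw command from a UTF-16 string. Same record layout as
 * DrawTextA: tag 41310694 at +0, color at +4 (alpha forced to 255), t at
 * +8, x at +12, y at +16, 256-byte text slot at +20, unit count at +276.
 * No terminator is written; the count at +276 describes the text.
 *
 * Fixes: the alpha byte was written through `&color + 3` (DWORD* arithmetic,
 * twelve bytes off the parameter) and is now set in the value; the memcpy
 * was unbounded, so a string longer than 128 wchar_t overran the slot into
 * the count field and the next record — the copy is now capped at 128.
 * NOTE(review): Begin is not bounds-checked against the cache size.
 */
VOID Steam::DrawTextW(DWORD t, DWORD x, DWORD y, DWORD color, wchar_t* text) {
    const size_t kTextCapacity = 128;  // wchar_t slots between +20 and +276
    size_t len = wcslen(text);
    if (len > kTextCapacity) {
        len = kTextCapacity;  // truncate instead of overrunning the record
    }
    BYTE* record = (BYTE*)CacheMem + 8 + Begin * 280;
    *(DWORD*)(record + 0) = 41310694;
    *(DWORD*)(record + 4) = (color & 0x00FFFFFFu) | 0xFF000000u;
    *(DWORD*)(record + 8) = t;
    *(DWORD*)(record + 12) = x;
    *(DWORD*)(record + 16) = y;
    memcpy(record + 20, text, len * sizeof(wchar_t));
    *(DWORD*)(record + 276) = (DWORD)len;
    Begin++;
}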
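/*
 * Queue a filled-rectangle command spanning corner (x, y) to corner
 * (x1, y1) — DrawRect2 converts a width/height pair into this form.
 * Record layout at CacheMem + 8 + Begin*280:
 *   +0 tag 81865893 (rect), +4 color (alpha forced to 255),
 *   +8 x, +12 y, +16 x1, +20 y1; the rest of the 280 bytes is unused.
 *
 * Fix: the alpha byte was written through `&color + 3` (DWORD* arithmetic,
 * i.e. twelve bytes off the parameter, never touching the colour); it is
 * now set in the value itself.
 * NOTE(review): Begin is not bounds-checked against the cache size.
 */
VOID Steam::DrawRect(DWORD x, DWORD y, DWORD x1, DWORD y1, DWORD color) {
    BYTE* record = (BYTE*)CacheMem + 8 + Begin * 280;
    *(DWORD*)(record + 0) = 81865893;
    *(DWORD*)(record + 4) = (color & 0x00FFFFFFu) | 0xFF000000u;
    *(DWORD*)(record + 8) = x;
    *(DWORD*)(record + 12) = y;
    *(DWORD*)(record + 16) = x1;
    *(DWORD*)(record + 20) = y1;
    Begin++;
}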
// Queue a filled rectangle given its origin (x, y) and size (x1 = width,
// y1 = height); converts to the corner form DrawRect expects.
VOID Steam::DrawRect2(DWORD x, DWORD y, DWORD x1, DWORD y1, DWORD color) {
    const DWORD right = x + x1;
    const DWORD bottom = y + y1;
    DrawRect(x, y, right, bottom, color);
}
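/*
 * Start a new frame: wipe the records queued during the previous frame and
 * reset the record counter. With nothing queued it touches no memory.
 *
 * Fix: the byte count was Begin*8 + Begin*280 = 288 per record, but the
 * cache holds one 8-byte header followed by 280-byte records (see the
 * Draw* methods), so the memset ran 8*(Begin-1) bytes past the last
 * record and, for a large Begin, past the end of CacheMem. It now clears
 * exactly the header plus Begin records.
 */
VOID Steam::Steam_RenderBegin() {
    if (Begin != 0) {
        const size_t used = 8 + (size_t)Begin * 280;
        memset(CacheMem, 0, used);
    }
    Begin = 0;
}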
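/*
 * Finish a frame: copy the local command cache into the remote buffer p1,
 * then write the record count into p1's first DWORD (and zero p2's first
 * DWORD when there is nothing to draw). The count is written after the
 * data, so it is the last thing the remote side sees change.
 *
 * Fix: same size bug as Steam_RenderBegin — Begin*288 bytes were copied
 * instead of 8 + Begin*280, over-reading CacheMem (and over-writing p1) by
 * 8*(Begin-1) bytes. The copy now covers exactly the header plus Begin
 * records.
 * NOTE(review): _regedit_write's result is not checked.
 */
VOID Steam::Steam_RenderEnd() {
    const size_t used = 8 + (size_t)Begin * 280;
    _regedit_write((HANDLE)dwGameOverlayUI, (DWORD)p1, (ULONG64)CacheMem, used);
    if (Begin == 0) {
        WriteDw((HANDLE)dwGameOverlayUI, (DWORD)p2, 0);
    }
    WriteDw((HANDLE)dwGameOverlayUI, (DWORD)p1, Begin);
}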
// Destructor. NOTE(review): nothing is released here — CacheMem (VirtualAlloc
// in SteamInit) and the remote p1/p2/p3 regions stay allocated, and the
// watchdog thread started by SteamCheckDrop keeps a raw pointer to this
// object. Before adding VirtualFree here, make sure CacheMem is always
// initialised to NULL and that the watchdog thread has been stopped.
Steam::~Steam() = default;

Steam.h

#pragma once
#include "stdafx.h"
#include "windows.h"
#include <tlhelp32.h>
#include <iostream>
#include <list>
#include <vector>
using namespace std;
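/*
 * One cached draw record: 280 bytes of payload plus its size.
 * Currently unused — the Draw* methods write records straight into
 * CacheMem and the list<SteamCache> member of Steam is commented out.
 *
 * Fix: this was `typedef struct SteamCache { ... };`, a typedef with no
 * declarator, which compilers only accept with an "ignored typedef"
 * warning; the struct is declared directly instead.
 * NOTE(review): CacheSize is a BYTE (max 255) and cannot represent a full
 * 280-byte record length.
 */
struct SteamCache
{
    BYTE Cache[280];
    BYTE CacheSize;
};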
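/*
 * Drawing bridge into GameOverlayUI.exe.
 *
 * Usage: SteamInit() installs the hook (allocates the local command cache
 * and the remote buffers); SteamCheckDrop() optionally starts a watchdog
 * thread that re-installs it when the overlay process changes. Each frame
 * is then Steam_RenderBegin(), any number of Draw* calls, Steam_RenderEnd().
 * Draw* calls only append 280-byte records to CacheMem; nothing reaches the
 * remote process until Steam_RenderEnd().
 *
 * Not thread-safe: Begin and CacheMem are used by the drawing thread while
 * SteamCheckThread may re-run SteamInit() and replace CacheMem, p1 and p2.
 *
 * Fix: DrawRect's parameters were declared as (x, y, w, h) although the
 * definition and DrawRect2 treat the third and fourth values as the far
 * corner; the declaration now uses the same names as the definition.
 */
class Steam
{
public:
    Steam();
    ~Steam();
    // Pid of the process named `name` (exact, case-sensitive match), 0 if none.
    DWORD GetProcessIdByNameA(const CHAR*name);
    // Locate GameOverlayUI.exe / vgui2_s.DLL, allocate buffers, install the hook.
    BOOL SteamInit();
    // Frame bracket: clear last frame's records / publish this frame's to p1.
    VOID Steam_RenderBegin();
    VOID Steam_RenderEnd();
    // Text in code page 936 (GBK) or UTF-16; `t` is stored in the record untouched.
    VOID DrawTextA(DWORD t, DWORD x, DWORD y, DWORD color, const char* text);
    // Filled rectangle by corners (x, y)-(x1, y1) ...
    VOID DrawRect(DWORD x, DWORD y, DWORD x1, DWORD y1, DWORD color);
    // ... or by origin and size; forwards DrawRect(x, y, x + x1, y + y1, color).
    VOID DrawRect2(DWORD x, DWORD y, DWORD x1, DWORD y1, DWORD color);
    VOID DrawTextW(DWORD t, DWORD x, DWORD y, DWORD color, wchar_t* text);
    // Start the watchdog thread; TRUE if it was created.
    BOOLEAN SteamCheckDrop();
private:
    static VOID SteamCheckThread(Steam * Context);
    DWORD Begin;            // records queued so far in the current frame
    LPVOID p1, p2;          // remote buffers inside GameOverlayUI.exe
    LPVOID CacheMem;        // local command cache: 8-byte header + 280-byte records
    DWORD dwGameOverlayUI;  // pid the hook is currently installed in
    //list<SteamCache> SteamGameOverlayCache;
};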
