diff --git "a/course/frida/08_\345\260\206\347\233\256\346\240\207\347\252\227\345\217\243\345\210\207\346\215\242\345\210\260\345\211\215\345\217\260/index.ts" "b/course/frida/08_\345\260\206\347\233\256\346\240\207\347\252\227\345\217\243\345\210\207\346\215\242\345\210\260\345\211\215\345\217\260/index.ts"
index ed13507c32375f2a0d1d17f26df17e210b3e9acb..cc485dee686b65bd5c4aaf8cb38644a685e5d7cf 100644
--- "a/course/frida/08_\345\260\206\347\233\256\346\240\207\347\252\227\345\217\243\345\210\207\346\215\242\345\210\260\345\211\215\345\217\260/index.ts"
+++ "b/course/frida/08_\345\260\206\347\233\256\346\240\207\347\252\227\345\217\243\345\210\207\346\215\242\345\210\260\345\211\215\345\217\260/index.ts"
@@ -1,4 +1,5 @@
 import User32 from '../winapi/user32'
+import Kernel32 from '../winapi/kernel32'
 class L07 {
 private module_name_winmine = "winmine.exe";
@@ -10,7 +11,7 @@ class L07 {
 private width: number = 0;
 private mine_count: number = 0;
 private head: NativePointer = ptr(0);
- private hWnd: NativePointer = ptr(0);
+ hWnd: NativePointer = ptr(0);
 constructor() {
 console.log(
@@ -21,6 +22,8 @@ class L07 {
 console.log("Frida.version", Frida.version);
 //获取模块基址
 this.module_winmine = Process.getModuleByName(this.module_name_winmine);
+ // this.module_winmine = Process.mainModule
+ console.log("module_winmine", JSON.stringify(this.module_winmine));
 // 初始化游戏相关数据
 this.height = this.module_winmine.base.add(this.offset棋盘高度).readU32();
@@ -39,16 +42,16 @@ class L07 {
 将目标窗口切换到前台() {
 let hForeWnd = User32.GetForegroundWindow();
- let dwCurID = User32.GetCurrentThreadId();
+ let dwCurID = Kernel32.GetCurrentThreadId();
 let dwForeID = User32.GetWindowThreadProcessId(hForeWnd, ptr(0));
- // User32.AttachThreadInput(dwCurID, dwForeID, 1);
- User32.ShowWindow(this.hWnd, User32.Const.SW_RESTORE);
+ User32.AttachThreadInput(dwCurID, dwForeID, 1);
+ User32.ShowWindow(this.hWnd, User32.Const.SW_RESTORE);
 User32.SetForegroundWindow(this.hWnd)
- // User32.SetWindowPos(this.hWnd, User32.Const.HWND_TOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
- // User32.SetWindowPos(this.hWnd, User32.Const.HWND_NOTOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
+ User32.SetWindowPos(this.hWnd, User32.Const.HWND_TOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
+ User32.SetWindowPos(this.hWnd, User32.Const.HWND_NOTOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
- // User32.AttachThreadInput(dwCurID, dwForeID, 0);
+ User32.AttachThreadInput(dwCurID, dwForeID, 0);
 }
 run() {
@@ -76,4 +79,10 @@ class L07 {
 }
 let l07 = new L07();
+l07.hWnd = ptr(0x09A51A5E)
+// l07.将目标窗口切换到前台();
+// User32.MessageBox(l07.hWnd,
+// Memory.allocUtf16String("lpText"),
+// Memory.allocUtf16String("lpCapture"),
+// User32.Const.MB_OKCANCEL)
 l07.run();
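Review bot: The result of the now-enabled `User32.AttachThreadInput(dwCurID, dwForeID, 1)` is ignored and the detach at the end of 将目标窗口切换到前台 runs unconditionally, so when the foreground window already belongs to the calling thread (AttachThreadInput fails when both ids are equal) or the attach fails for any other reason, the method still issues a detach it never paired with an attach, and an exception from any of the window calls in between skips the detach altogether. Record whether the attach succeeded, skip it when the ids are equal, and place the window calls in try/finally so the detach always pairs with a successful attach. The wrapper's declared return type for AttachThreadInput is not visible in this hunk, so the sketch below coerces it with `Boolean()`; confirm against user32.ts.
```typescript
    let dwForeID = User32.GetWindowThreadProcessId(hForeWnd, ptr(0));
    // AttachThreadInput fails when both ids are equal, so only attach (and later detach) when they differ
    const attached = dwCurID !== dwForeID && Boolean(User32.AttachThreadInput(dwCurID, dwForeID, 1));
    try {
        // … unchanged: ShowWindow / SetForegroundWindow / SetWindowPos calls …
    } finally {
        if (attached) User32.AttachThreadInput(dwCurID, dwForeID, 0);
    }
```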
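Review bot: `l07.hWnd = ptr(0x09A51A5E)` bakes a window handle into the script; an HWND is only meaningful in the session where it was observed, so on the next run the value is stale and ShowWindow/SetForegroundWindow/SetWindowPos either fail (they return FALSE, which nothing checks) or act on whatever window happens to reuse that handle. Resolve the handle at run time instead, for example through a User32 wrapper around FindWindowW keyed on the Minesweeper window title, and stop early when the lookup yields NULL: `if (l07.hWnd.isNull()) throw new Error("target window not found");`. The removal of `private` from `hWnd` in the earlier hunk (@@ -10,7 +11,7) exists only to permit this assignment; passing the handle through the constructor or a setter would keep the field encapsulated.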
diff --git "a/course/frida/09_\350\216\267\345\217\226\350\275\257\344\273\266\347\252\227\345\217\243\344\275\215\347\275\256\357\274\214\350\256\276\347\275\256\351\274\240\346\240\207\346\214\207\351\222\210\344\275\215\347\275\256/index.ts" "b/course/frida/09_\350\216\267\345\217\226\350\275\257\344\273\266\347\252\227\345\217\243\344\275\215\347\275\256\357\274\214\350\256\276\347\275\256\351\274\240\346\240\207\346\214\207\351\222\210\344\275\215\347\275\256/index.ts"
index 8924ded73bda1cf7eaa403be826e63cf28a30268..89277abba0ff17dddce63f971f8fceac18e3b97e 100644
--- "a/course/frida/09_\350\216\267\345\217\226\350\275\257\344\273\266\347\252\227\345\217\243\344\275\215\347\275\256\357\274\214\350\256\276\347\275\256\351\274\240\346\240\207\346\214\207\351\222\210\344\275\215\347\275\256/index.ts"
+++ "b/course/frida/09_\350\216\267\345\217\226\350\275\257\344\273\266\347\252\227\345\217\243\344\275\215\347\275\256\357\274\214\350\256\276\347\275\256\351\274\240\346\240\207\346\214\207\351\222\210\344\275\215\347\275\256/index.ts"
@@ -53,8 +53,12 @@ class L07 {
 }
 获取软件窗口位置_设置鼠标指针位置() {
- let lpOrgRect = Memory.alloc(4 * 4);
- User32.GetCursorPos(lpOrgRect);
+ // typedef struct tagPOINT {
+ // LONG x;
+ // LONG y;
+ // } POINT, *PPOINT, *NPPOINT, *LPPOINT;
+ let lpPoint = Memory.alloc(4 * 2);
+ User32.GetCursorPos(lpPoint);
 // typedef struct tagRECT {
 // LONG left;
@@ -72,8 +76,7 @@ class L07 {
 User32.SetCursorPos(lpRect.readU32(), lpRect.add(4).readU32());
 Kernel32.Sleep(2000);
- User32.SetCursorPos(lpOrgRect.readU32(), lpOrgRect.add(4).readU32());
-
+ User32.SetCursorPos(lpPoint.readU32(), lpPoint.add(4).readU32());
 }
 run() {
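Review bot: `User32.GetCursorPos(lpPoint)` discards the BOOL result, so if the call fails the buffer from `Memory.alloc(4 * 2)` keeps whatever it held and the restore in the second hunk of this file later moves the cursor to those meaningless coordinates. Check the return before trusting the buffer, e.g. `if (!User32.GetCursorPos(lpPoint)) throw new Error("GetCursorPos failed");` — the wrapper's return type is not shown here, so adapt the test to whether it yields a number or a boolean. The POINT layout comment added above the allocation is a good addition and makes the `4 * 2` size self-explanatory.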
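Review bot: `lpPoint.readU32()` reads the POINT's LONG members as unsigned, so a saved cursor position with a negative coordinate (a monitor placed left of or above the primary one) is restored as a value near 4 billion instead of the original point; the `lpRect` reads on the line above have the same problem. Use the signed readers: `User32.SetCursorPos(lpPoint.readS32(), lpPoint.add(4).readS32());`. The enclosing method begins in the previous hunk.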
diff --git "a/course/frida/11_\347\224\250\351\274\240\346\240\207\350\207\252\345\212\250\346\240\207\350\256\260\346\243\213\347\233\230\344\270\212\347\232\204\351\233\267\345\214\272/index.ts" "b/course/frida/11_\347\224\250\351\274\240\346\240\207\350\207\252\345\212\250\346\240\207\350\256\260\346\243\213\347\233\230\344\270\212\347\232\204\351\233\267\345\214\272/index.ts"
index cdf490a3201f7aac52a7e318f27ceaa96e6c41eb..3aa67b86f8d5e8188aed81d58faa1a94a436cfbf 100644
--- "a/course/frida/11_\347\224\250\351\274\240\346\240\207\350\207\252\345\212\250\346\240\207\350\256\260\346\243\213\347\233\230\344\270\212\347\232\204\351\233\267\345\214\272/index.ts"
+++ "b/course/frida/11_\347\224\250\351\274\240\346\240\207\350\207\252\345\212\250\346\240\207\350\256\260\346\243\213\347\233\230\344\270\212\347\232\204\351\233\267\345\214\272/index.ts"
@@ -72,8 +72,8 @@ class L07 {
 console.log("top", lpRect.add(4).readU32());
 console.log("right", lpRect.add(8).readU32());
 console.log("bottom", lpRect.add(12).readU32());
- this.start_x = lpRect.readU32() + 7;
- this.start_y = lpRect.add(4).readU32() + 92;
+ this.start_x = lpRect.readU32() + 6;
+ this.start_y = lpRect.add(4).readU32() + 88;
 console.log("start_x", this.start_x);
 console.log("start_y", this.start_y);
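Review bot: The re-tuned offsets `+ 6` and `+ 88` (previously 7 and 92) are unexplained magic numbers that depend on the window frame and title-bar metrics of the machine the commit was tested on, and the hunk gives no hint of how they were measured. Name them with a comment describing the measurement, e.g. `private readonly board_offset_x = 6;` and `private readonly board_offset_y = 88;`, or derive the board origin from the client area via ClientToScreen so the values are not tied to one theme or DPI setting. `lpRect.readU32()` also reads RECT's LONG members as unsigned, so a window partly beyond the left or top screen edge produces a huge start_x/start_y; readS32 is the matching reader. The enclosing method starts outside the hunk.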
@@ -84,15 +84,15 @@ class L07 {
 }
 mouse_click(x: number, y: number, left_click: boolean = true) {
- User32.SetCursorPos(this.start_x + this.step * x, this.start_y + this.step * y);
- if (left_click) {
- User32.MouseEvent(User32.Const.MOUSEEVENTF_LEFTDOWN, 0, 0, 0, User32.GetMessageExtraInfo());
- User32.MouseEvent(User32.Const.MOUSEEVENTF_LEFTUP, 0, 0, 0, User32.GetMessageExtraInfo());
- }
- else {
- User32.MouseEvent(User32.Const.MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, User32.GetMessageExtraInfo());
- User32.MouseEvent(User32.Const.MOUSEEVENTF_RIGHTUP, 0, 0, 0, User32.GetMessageExtraInfo());
- }
+ User32.SetCursorPos(this.start_x + this.step * x, this.start_y + this.step * y);
+ if (left_click) {
+ User32.MouseEvent(User32.Const.MOUSEEVENTF_LEFTDOWN, 0, 0, 0, User32.GetMessageExtraInfo());
+ User32.MouseEvent(User32.Const.MOUSEEVENTF_LEFTUP, 0, 0, 0, User32.GetMessageExtraInfo());
+ }
+ else {
+ User32.MouseEvent(User32.Const.MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, User32.GetMessageExtraInfo());
+ User32.MouseEvent(User32.Const.MOUSEEVENTF_RIGHTUP, 0, 0, 0, User32.GetMessageExtraInfo());
+ }
 }
 设置鼠标位置_自动点击鼠标() {
diff --git a/course/frida/winapi/kernel32.ts b/course/frida/winapi/kernel32.ts
index 444628e6273446c8ac454fdbc53750a9015e6cd7..956cee5bb46518e493c106b7cade4bf68c9a21cf 100644
--- a/course/frida/winapi/kernel32.ts
+++ b/course/frida/winapi/kernel32.ts
@@ -1,13 +1,14 @@
 /*
-@param moduleName — Module name or path.
-@param exportName
-@param retType
-@param argTypes
-@param abiOrOptions
+@param exportName - 导出函数名
+@param retType - 返回值类型
+@param argTypes - 参数类型数组
+@param abiOrOptions - ABI类型或者NativeFunctionOptions类型
+@param moduleName — 模块名或者路径默认为"Kernel32.dll"
 */
 function EZ生成NativeFunction(exportName: string,
- retType: NativeFunctionReturnType, argTypes: [] | NativeFunctionArgumentType[],
+ retType: NativeFunctionReturnType,
+ argTypes: [] | NativeFunctionArgumentType[],
 abiOrOptions: NativeABI | NativeFunctionOptions = "default",
 moduleName: string = "Kernel32.dll",
 ) {
@@ -16,22 +17,22 @@ function EZ生成NativeFunction(exportName: string,
 }
 export default class Kernel32 {
- private static address_GetCurrentThreadId: NativePointerValue | null;
+ // DWORD GetCurrentThreadId();
+ private static func_GetCurrentThreadId: AnyFunction;
 static GetCurrentThreadId(): number {
- if (this.address_GetCurrentThreadId == null) {
- this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
+ if (this.func_GetCurrentThreadId == null) {
+ this.func_GetCurrentThreadId = EZ生成NativeFunction("GetCurrentThreadId", "int", []);
 }
- return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
+ return this.func_GetCurrentThreadId();
 }
+ // void Sleep(
+ // [in] DWORD dwMilliseconds
+ // );
 private static func_Sleep: AnyFunction;
 static Sleep(dwMilliseconds: number): void {
- // void Sleep(
- // [in] DWORD dwMilliseconds
- // );
 if (this.func_Sleep == null) {
- let address = Module.findExportByName("Kernel32.dll", "Sleep");
- this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
+ this.func_Sleep = EZ生成NativeFunction("Sleep", "void", ["int"]);
 }
 return this.func_Sleep(dwMilliseconds);
 }
diff --git a/course/frida/winapi/user32.ts b/course/frida/winapi/user32.ts
index ff7d5951fd2d5cd7c6a8d74515b7496d148f98e7..e0f1789120c454d1196d1d71d1f0e16e7f0375f5 100644
--- a/course/frida/winapi/user32.ts
+++ b/course/frida/winapi/user32.ts
@@ -7,7 +7,8 @@
 @param abiOrOptions
 */
 function EZ生成NativeFunction(exportName: string,
- retType: NativeFunctionReturnType, argTypes: [] | NativeFunctionArgumentType[],
+ retType: NativeFunctionReturnType,
+ argTypes: [] | NativeFunctionArgumentType[],
 abiOrOptions: NativeABI | NativeFunctionOptions = "default",
 moduleName: string = "User32.dll",
 ) {
@@ -27,6 +28,9 @@ export default class User32 {
 MOUSEEVENTF_LEFTUP: 0x0004,
 MOUSEEVENTF_RIGHTDOWN: 0x0008,
 MOUSEEVENTF_RIGHTUP: 0x0010,
+
+ MB_OK: 0x00000000,
+ MB_OKCANCEL: 0x00000001,
 }
 // BOOL GetClientRect(
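Review bot: `EZ生成NativeFunction("GetCurrentThreadId", "int", [])` maps a DWORD return to signed `int`, so any id above 0x7fffffff would come back negative and no longer compare equal to the same id obtained through another wrapper; `"uint"` is the matching Frida type, and Sleep's DWORD parameter has the same mismatch, `EZ生成NativeFunction("Sleep", "void", ["uint"])`. The lazy-init checks use `this.func_…` inside static methods, which breaks as soon as a method is passed around detached (`const f = Kernel32.Sleep; f(10)` throws on `this`); naming the class explicitly, `Kernel32.func_Sleep`, avoids that. Moving the Win32 prototype comment above each field reads well; a short note on each field that it holds a lazily created NativeFunction would complete the picture.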
@@ -103,14 +107,6 @@ export default class User32 {
 }
 return new NativeFunction(this.address_GetForegroundWindow!, "pointer", [])();
 }
-
- private static address_GetCurrentThreadId: NativePointerValue | null;
- static GetCurrentThreadId(): number {
- if (this.address_GetCurrentThreadId == null) {
- this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
- }
- return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
- }
 // DWORD GetWindowThreadProcessId(
 // [in] HWND hWnd,
@@ -178,18 +174,6 @@ export default class User32 {
 return this.func_GetCursorPos(lpPoint);
 }
- private static func_Sleep: AnyFunction;
- static Sleep(dwMilliseconds: number): void {
- // void Sleep(
- // [in] DWORD dwMilliseconds
- // );
- if (this.func_Sleep == null) {
- let address = Module.findExportByName("Kernel32.dll", "Sleep");
- this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
- }
- return this.func_Sleep(dwMilliseconds);
- }
-
 //mouse_event
 private static func_MouseEvent: AnyFunction;
 static MouseEvent(dwFlags: number, dx: number, dy: number, dwData: number, dwExtraInfo: NativePointerValue): void {
@@ -218,18 +202,17 @@ export default class User32 {
 return this.func_GetMessageExtraInfo();
 }
+ // int MessageBox(
+ // [in, optional] HWND hWnd,
+ // [in, optional] LPCTSTR lpText,
+ // [in, optional] LPCTSTR lpCaption,
+ // [in] UINT uType
+ // );
 private static func_MessageBox: AnyFunction;
 static MessageBox(hWnd: NativePointerValue, lpText: NativePointerValue, lpCaption: NativePointerValue, uType: number): number {
- // int MessageBox(
- // [in, optional] HWND hWnd,
- // [in, optional] LPCTSTR lpText,
- // [in, optional] LPCTSTR lpCaption,
- // [in] UINT uType
- // );
-
- if (this.func_MessageBox == null) {
- let address = Module.findExportByName("User32.dll", "MessageBoxW");
- this.func_MessageBox = new NativeFunction(address!, "int", ["pointer", "pointer", "pointer", 'int']);
- }
- return this.func_MessageBox(hWnd, lpText, lpCaption, uType);
+ if (this.func_MessageBox == null) {
+ this.func_MessageBox = EZ生成NativeFunction("MessageBoxW", "int", ["pointer", "pointer", "pointer", 'int']);
+ }
+ return this.func_MessageBox(hWnd, lpText, lpCaption, uType);
 }
 }
\ No newline at end of file
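Review bot: The argument list passed for MessageBoxW mixes quote styles (`"pointer", "pointer", "pointer", 'int'`) and maps the UINT uType to signed `int`; `["pointer", "pointer", "pointer", "uint"]` fixes both in one edit. The prototype comment moved above `func_MessageBox` still says LPCTSTR, while the export bound here is the wide variant, so adding that callers must pass UTF-16 buffers (for example from Memory.allocUtf16String) would save the next reader a trip to the Win32 header. The file also ends without a trailing newline, which the diff marker at the bottom points out.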