LJWT

course/frida/08_将目标窗口切换到前台/index.ts

 import User32 from '../winapi/user32'
+import Kernel32 from '../winapi/kernel32'
 
 class L07 {
   private module_name_winmine = "winmine.exe";
@@ -10,7 +11,7 @@ class L07 {
   private width: number = 0;
   private mine_count: number = 0;
   private head: NativePointer = ptr(0);
-  private hWnd: NativePointer = ptr(0);
+  hWnd: NativePointer = ptr(0);
 
   constructor() {
     console.log(
@@ -21,6 +22,8 @@ class L07 {
     console.log("Frida.version", Frida.version);
     //获取模块基址
     this.module_winmine = Process.getModuleByName(this.module_name_winmine);
+    // this.module_winmine = Process.mainModule
+    console.log("module_winmine", JSON.stringify(this.module_winmine));
 
     // 初始化游戏相关数据
     this.height = this.module_winmine.base.add(this.offset棋盘高度).readU32();
@@ -39,16 +42,16 @@ class L07 {
 
   将目标窗口切换到前台() {
     let hForeWnd = User32.GetForegroundWindow();
-    let dwCurID = User32.GetCurrentThreadId();
+    let dwCurID = Kernel32.GetCurrentThreadId();
     let dwForeID = User32.GetWindowThreadProcessId(hForeWnd, ptr(0));
-    // User32.AttachThreadInput(dwCurID, dwForeID, 1);
-    User32.ShowWindow(this.hWnd, User32.Const.SW_RESTORE);
+    User32.AttachThreadInput(dwCurID, dwForeID, 1);
 
+    User32.ShowWindow(this.hWnd, User32.Const.SW_RESTORE);
     User32.SetForegroundWindow(this.hWnd)
-    // User32.SetWindowPos(this.hWnd, User32.Const.HWND_TOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
-    // User32.SetWindowPos(this.hWnd, User32.Const.HWND_NOTOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
+    User32.SetWindowPos(this.hWnd, User32.Const.HWND_TOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
+    User32.SetWindowPos(this.hWnd, User32.Const.HWND_NOTOPMOST, 0, 0, 0, 0, User32.Const.SWP_NOSIZE | User32.Const.SWP_NOMOVE);
 
-    // User32.AttachThreadInput(dwCurID, dwForeID, 0);
+    User32.AttachThreadInput(dwCurID, dwForeID, 0);
   }
 
   run() {
@@ -76,4 +79,10 @@ class L07 {
 }
 
 let l07 = new L07();
+l07.hWnd = ptr(0x09A51A5E)
+// l07.将目标窗口切换到前台();
+// User32.MessageBox(l07.hWnd, 
+//   Memory.allocUtf16String("lpText"), 
+//   Memory.allocUtf16String("lpCapture"),
+//   User32.Const.MB_OKCANCEL)
 l07.run();

course/frida/09_获取软件窗口位置，设置鼠标指针位置/index.ts

@@ -53,8 +53,12 @@ class L07 {
   }
 
   获取软件窗口位置_设置鼠标指针位置() {
-    let lpOrgRect = Memory.alloc(4 * 4);
-    User32.GetCursorPos(lpOrgRect);
+    // typedef struct tagPOINT {
+    //   LONG x;
+    //   LONG y;
+    // } POINT, *PPOINT, *NPPOINT, *LPPOINT;
+    let lpPoint = Memory.alloc(4 * 2);
+    User32.GetCursorPos(lpPoint);
 
     // typedef struct tagRECT {
     //   LONG left;
@@ -72,8 +76,7 @@ class L07 {
     User32.SetCursorPos(lpRect.readU32(), lpRect.add(4).readU32());
 
     Kernel32.Sleep(2000);
-    User32.SetCursorPos(lpOrgRect.readU32(), lpOrgRect.add(4).readU32());
-
+    User32.SetCursorPos(lpPoint.readU32(), lpPoint.add(4).readU32());
   }
 
   run() {

course/frida/11_用鼠标自动标记棋盘上的雷区/index.ts

@@ -72,8 +72,8 @@ class L07 {
     console.log("top", lpRect.add(4).readU32());
     console.log("right", lpRect.add(8).readU32());
     console.log("bottom", lpRect.add(12).readU32());
-    this.start_x = lpRect.readU32() + 7;
-    this.start_y = lpRect.add(4).readU32() + 92;
+    this.start_x = lpRect.readU32() + 6;
+    this.start_y = lpRect.add(4).readU32() + 88;
     console.log("start_x", this.start_x);
     console.log("start_y", this.start_y);
 

course/frida/winapi/kernel32.ts

 
 /*
-@param moduleName — Module name or path.
-@param exportName
-@param retType
-@param argTypes
-@param abiOrOptions
+@param exportName - 导出函数名
+@param retType - 返回值类型
+@param argTypes - 参数类型数组
+@param abiOrOptions - ABI类型或者NativeFunctionOptions类型
+@param moduleName — 模块名或者路径默认为"Kernel32.dll"
 */
 function EZ生成NativeFunction(exportName: string, 
-    retType: NativeFunctionReturnType, argTypes: [] | NativeFunctionArgumentType[], 
+    retType: NativeFunctionReturnType,
+    argTypes: [] | NativeFunctionArgumentType[], 
     abiOrOptions: NativeABI | NativeFunctionOptions = "default",
     moduleName: string = "Kernel32.dll",
   ) {
@@ -16,22 +17,22 @@ function EZ生成NativeFunction(exportName: string,
 }
 
 export default class Kernel32 {
-  private static address_GetCurrentThreadId: NativePointerValue | null;
+  // DWORD GetCurrentThreadId();
+  private static func_GetCurrentThreadId: AnyFunction;
   static GetCurrentThreadId(): number {
-      if (this.address_GetCurrentThreadId == null) {
-          this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
+      if (this.func_GetCurrentThreadId == null) {
+        this.func_GetCurrentThreadId = EZ生成NativeFunction("GetCurrentThreadId", "int", []);
       }
-      return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
+      return this.func_GetCurrentThreadId();
   }
   
-  private static func_Sleep: AnyFunction;
-  static Sleep(dwMilliseconds: number): void {
   // void Sleep(
   //     [in] DWORD dwMilliseconds
   // );
+  private static func_Sleep: AnyFunction;
+  static Sleep(dwMilliseconds: number): void {
       if (this.func_Sleep == null) {
-          let address = Module.findExportByName("Kernel32.dll", "Sleep");
-          this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
+        this.func_Sleep = EZ生成NativeFunction("Sleep", "void", ["int"]);
       }
       return this.func_Sleep(dwMilliseconds);
   }

course/frida/winapi/user32.ts

@@ -7,7 +7,8 @@
 @param abiOrOptions
 */
 function EZ生成NativeFunction(exportName: string, 
-    retType: NativeFunctionReturnType, argTypes: [] | NativeFunctionArgumentType[], 
+    retType: NativeFunctionReturnType, 
+    argTypes: [] | NativeFunctionArgumentType[], 
     abiOrOptions: NativeABI | NativeFunctionOptions = "default",
     moduleName: string = "User32.dll",
   ) {
@@ -27,6 +28,9 @@ export default class User32 {
     MOUSEEVENTF_LEFTUP: 0x0004,
     MOUSEEVENTF_RIGHTDOWN: 0x0008,
     MOUSEEVENTF_RIGHTUP: 0x0010,
+
+    MB_OK: 0x00000000,
+    MB_OKCANCEL: 0x00000001,
   }
 
   // BOOL GetClientRect(
@@ -104,14 +108,6 @@ export default class User32 {
       return new NativeFunction(this.address_GetForegroundWindow!, "pointer", [])();
   }
   
-  private static address_GetCurrentThreadId: NativePointerValue | null;
-  static GetCurrentThreadId(): number {
-      if (this.address_GetCurrentThreadId == null) {
-          this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
-      }
-      return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
-  }
-  
   // DWORD GetWindowThreadProcessId(
   //     [in]            HWND    hWnd,
   //     [out, optional] LPDWORD lpdwProcessId
@@ -178,18 +174,6 @@ export default class User32 {
         return this.func_GetCursorPos(lpPoint);
     }
 
-    private static func_Sleep: AnyFunction;
-    static Sleep(dwMilliseconds: number): void {
-        // void Sleep(
-        //     [in] DWORD dwMilliseconds
-        // );
-        if (this.func_Sleep == null) {
-            let address = Module.findExportByName("Kernel32.dll", "Sleep");
-            this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
-        }
-        return this.func_Sleep(dwMilliseconds);
-    }
-
     //mouse_event
     private static func_MouseEvent: AnyFunction;
     static MouseEvent(dwFlags: number, dx: number, dy: number, dwData: number, dwExtraInfo: NativePointerValue): void {
@@ -218,17 +202,16 @@ export default class User32 {
         return this.func_GetMessageExtraInfo();
     }
 
-    private static func_MessageBox: AnyFunction;
-    static MessageBox(hWnd: NativePointerValue, lpText: NativePointerValue, lpCaption: NativePointerValue, uType: number): number {
     //    int MessageBox(
     //        [in, optional] HWND    hWnd,
     //        [in, optional] LPCTSTR lpText,
     //        [in, optional] LPCTSTR lpCaption,
     //        [in]           UINT    uType
     //    );
+    private static func_MessageBox: AnyFunction;
+    static MessageBox(hWnd: NativePointerValue, lpText: NativePointerValue, lpCaption: NativePointerValue, uType: number): number {
       if (this.func_MessageBox == null) {
-            let address = Module.findExportByName("User32.dll", "MessageBoxW");
-            this.func_MessageBox = new NativeFunction(address!, "int", ["pointer", "pointer", "pointer", 'int']);
+        this.func_MessageBox = EZ生成NativeFunction("MessageBoxW", "int", ["pointer", "pointer", "pointer", 'int']);
       }
       return this.func_MessageBox(hWnd, lpText, lpCaption, uType);
     }