C#关于外挂的⼀些思考(API函数FindWindow,FindWindowEx,Se。。。
这次我们试着运⽤C#的API函数去修改别的程序的标题⽂本(适⽤范围C#) 其实这是FindWindow,FindWindowEx,SendMessage的应⽤举例之⼀
也就是所谓的外挂.
需要⽤到的⼯具是
Microsoft Visual C#
Spy++ Lite
⽽我们今天要尝试修改的程序就是
GTA4Center(被搞过很多次了)
如图:
需要调⽤的函数是:
findwindow
[DllImport('user32.dll', EntryPoint='FindWindow')]
public static extern int FindWindow (string lpClassName,string lpWindowName);
FindWindowEx
[DllImport('user32.dll', EntryPoint='FindWindowEx')]
public static extern int FindWindowEx (int hWnd1,int hWnd2,string lpsz1,string lpsz2);
SendMessage
[DllImport('user32.dll', EntryPoint='SendMessage')]
public static extern int SendMessage (int hwnd,int wMsg,int wParam,ref int lParam);
其中Sendmessage中后⾯两个参数我把他修改成string型
[DllImport('user32.dll', EntryPoint='SendMessage')]
public static extern int SendMessage (int hwnd,int wMsg,string wParam,string lParam);
下⾯就正式开始了
在程序顶部中加⼊ using System.Runtime.InteropServices;
在public partial class Form1 : Form{}
中加⼊上⾯的参数
以便使⽤API函数
新建⼀个Form,然后加⼊⼀个Button
如图:
findwindow函数的⽤法
创新之路 纪录片
[DllImport('user32.dll', EntryPoint='FindWindow')]
public static extern int FindWindow (string lpClassName,string lpWindowName);
int a = FindWindow('要的类名','窗体名称'); //a就是程序句柄 在Button1的代码中填⼊相关语句以便到程序句柄
int handelA;
handelA = FindWindow('WindowsForms10.Window.8.app.0.378734a', 'GTA IV Control Center
v1.0 - [Player and Game Data]');
使⽤MessageBox来检查handelA是已经获得句柄,若返回值为0,则失败.
如图:
现在可以看到,GTA4C的窗⼝句柄是722322,成功了.
既然有了程序句柄,那么就可以尝试对其进⾏修改了,这时我们运⽤SendMessage函数
烯碳新材[DllImport('user32.dll', EntryPoint='SendMessage')]
public static extern int SendMessage (int hwnd,int wMsg,string wParam,string lParam);
SendMessage的⽤法
SendMessage(句柄,消息的标识符,'取决于消息','取决于消息');
从CSDN中可以查到消息 WM_SETTEXT =0x000C
那么可得
SendMessage(handelA, 0x000C, '', '哥要你改标题');
运⾏效果如图:
有关如何不轻易漏掉其中⼀个关键的⼦窗⼝,这⾥我推荐⽤SPY++的窗⼝选项
如图
点击'⼦窗⼝列表'便能⼀级⼀级查看下去了
接下来我们可以思考⼀下怎么修改⼦窗⼝的名称了.
FindWindowEx⽤法
int B = FindWindowEx (⽗窗⼝句柄,int hWnd2,类名1,类名名称);
以下引⽤解释
//hWnd2 ---------- Long,从这个窗⼝后开始查。这样便可利⽤对FindWindowEx的多次调⽤到符合条件的所有⼦窗⼝。如设为零,表⽰从第⼀个⼦窗⼝开始搜索
从SPY++中可以到其中的⼦窗体1的类名为
'WindowsForms10.MDICLIENT.app.0.378734a'
可从
handelB = FindWindowEx(handelA, 0, 'WindowsForms10.MDICLIENT.app.0.378734a', '');
中得到'WindowsForms10.MDICLIENT.app.0.378734a'的句柄,⽤同⼀个⽅法,可以得到下⼀级窗体的
Player and Game Data的句柄
handelC = FindWindowEx(handelB ,0,'WindowsForms10.Window.8.app.0.378734a', 'Player and Game Data');
下⼀级的句柄同样⽅法获得
handelD = FindWindowEx(handelC, 0, 'WindowsForms10.Window.8.app.0.378734a', 'Player Health (0):');
就是如图这个位置的句柄
既然得到了句柄那么就可以SendMessage了,如下
SendMessage(handelA, 0xc, '', 'GTA4控制中⼼');
SendMessage(handelD, 0xc, '', '⽣命值:');
运⾏后效果得到
思路就提到这⾥,昨晚⽆聊的时候突然想到还有这种⽅法,⼤家⽆聊不妨试试
除此之外,这⾥是对于FindWindow,FindWindowEx,SendMessage的⼀些⽤法提⽰.
或许有更简单更踏实的实现⽅式,下次再探究
整个程序的代码如下
//////////////////////////////////////////////////////////分割线//////////////////////////////////////////////////////////////
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices; //必须
namespace WindowsFormsApplication1
{
public partial class Form1 : Form
{
[DllImport('user32.dll', EntryPoint = 'FindWindow')]
public static extern int FindWindow(string lpClassName, string lpWindowName);
[DllImport('user32.dll', EntryPoint = 'FindWindowEx')]相转移催化剂
public static extern int FindWindowEx(int hWnd1, int hWnd2, string lpsz1, string lpsz2);
[DllImport('user32.dll', EntryPoint = 'SendMessage')]
public static extern int SendMessage(int hwnd, int wMsg, string wParam, string lParam); public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender,EventArgse)
{
int handelA, handelB,handelC,handelD;
handelA = FindWindow('WindowsForms10.Window.8.app.0.378734a', 'GTA IV Control Center v1.0 - [Player and Game Data]');
handelB = FindWindowEx(handelA, 0, 'WindowsForms10.MDICLIENT.app.0.378734a', '');
handelC = FindWindowEx(handelB ,0,'WindowsForms10.Window.8.app.0.378734a',
SendMessage(handelD, 0xc, '', '⽣命值:');
MessageBox.Show(handelD.ToString(),handelA.ToString());
}
}
}
//////////////////////////////////////////////////////////分割线//////////////////////////////////////////////////////////////
以下是全部的Windows消息,对于未在MSDN上的消息的WPARAM, LPARAM参数解释正确的给分
最⾼300[开贴加]
[已知:0x0313, 0x01e2, 0x01e5, 0x01eb, 0x006a]
WM_NULL 0x0000
WM_CREATE 0x0001
WM_DESTROY 0x0002
WM_MOVE 0x0003
巡回法庭WM_SIZEWAIT 0x0004
WM_SIZE 0x0005
WM_ACTIVATE 0x0006
WM_SETFOCUS 0x0007
WM_KILLFOCUS 0x0008
WM_SETVISIBLE 0x0009
WM_ENABLE 0x000A
WM_SETREDRAW 0x000B
WM_SETTEXT 0x000C
WM_GETTEXT 0x000D
WM_GETTEXTLENGTH 0x000E
刘庆聚
WM_PAINT 0x000F
WM_CLOSE 0x0010
WM_QUERYENDSESSION 0x0011
WM_QUIT 0x0012
WM_QUERYOPEN 0x0013
WM_ERASEBKGND 0x0014
WM_SYSCOLORCHANGE 0x0015
WM_ENDSESSION 0x0016
WM_SYSTEMERROR 0x0017
WM_SHOWWINDOW 0x0018
WM_CTLCOLOR 0x0019
WM_WININICHANGE 0x001A
WM_DEVMODECHANGE 0x001B
WM_ACTIVATEAPP 0x001C
WM_FONTCHANGE 0x001D
WM_TIMECHANGE 0x001E
WM_CANCELMODE 0x001F
WM_SETCURSOR 0x0020
WM_MOUSEACTIVATE 0x0021
WM_CHILDACTIVATE 0x0022
WM_QUEUESYNC 0x0023
WM_GETMINMAXINFO 0x0024
empty 0x0025
WM_PAINTICON 0x0026
WM_ICONERASEBKGND 0x0027
WM_NEXTDLGCTL 0x0028
WM_ALTTABACTIVE 0x0029
WM_SPOOLERSTATUS 0x002A
WM_DRAWITEM 0x002B
WM_MEASUREITEM 0x002C
WM_DELETEITEM 0x002D
WM_VKEYTOITEM 0x002E
WM_CHARTOITEM 0x002F
WM_ISACTIVEICON 0x0035
WM_QUERYPARKICON 0x0036
WM_QUERYDRAGICON 0x0037
WM_WINHELP 0x0038
WM_COMPAREITEM 0x0039
WM_FULLSCREEN 0x003A
WM_CLIENTSHUTDOWN 0x003B
WM_DDEMLEVENT 0x003C
empty 0x003D
empty 0x003E
MM_CALCSCROLL 0x003F
WM_TESTING 0x0040
WM_COMPACTING 0x0041
WM_OTHERWINDOWCREATED 0x0042 WM_OTHERWINDOWDESTROYED 0x0043 WM_COMMNOTIFY 0x0044
WM_MEDIASTATUSCHANGE 0x0045 WM_WINDOWPOSCHANGING 0x0046 WM_WINDOWPOSCHANGED 0x0047 WM_POWER 0x0048
WM_COPYGLOBALDATA 0x0049
WM_COPYDATA 0x004A
WM_CANCELJOURNAL 0x004B
WM_LOGONNOTIFY 0x004C
WM_KEYF1 0x004D
WM_NOTIFY 0x004E
WM_ACCESS_WINDOW 0x004f
WM_INPUTLANGCHANGEREQUEST 0x0050 WM_INPUTLANGCHANGE 0x0051
WM_TCARD 0x0052
WM_HELP 0x0053 WINHELP4
WM_USERCHANGED 0x0054
WM_NOTIFYFORMAT 0x0055
0x0059-0x005F
0x0060-0x0067
0x0068-0x006F
WM_FINALDESTROY 0x0070
WM_TASKACTIVATED 0x0072
丰年虫
WM_TASKDEACTIVATED 0x0073
WM_TASKCREATED 0x0074
WM_TASKDESTROYED 0x0075
WM_TASKUICHANGED 0x0076
WM_TASKVISIBLE 0x0077
WM_TASKNOTVISIBLE 0x0078
WM_SETCURSORINFO 0x0079
0x007A
WM_CONTEXTMENU 0x007B
WM_STYLECHANGING 0x007C
WM_STYLECHANGED 0x007D
0x007E
WM_GETICON 0x007f
WM_SETICON 0x0080
WM_NCCREATE 0x0081
WM_NCDESTROY 0x0082
WM_NCCALCSIZE 0x0083
WM_NCHITTEST 0x0084
WM_NCPAINT 0x0085
WM_LPKDRAWSWITCHWND 0x008C 0x008D-0x008F
0x0090-0x0097
0x0098-0x009F
WM_NCMOUSEMOVE 0x00A0 WM_NCLBUTTONDOWN 0x00A1 WM_NCLBUTTONUP 0x00A2
WM_NCLBUTTONDBLCLK 0x00A3 WM_NCRBUTTONDOWN 0x00A4 WM_NCRBUTTONUP 0x00A5 WM_NCRBUTTONDBLCLK 0x00A6 WM_NCMBUTTONDOWN 0x00A7 WM_NCMBUTTONUP 0x00A8 WM_NCMBUTTONDBLCLK 0x00A9 0x00AA-0x00AF
EM_GETSEL 0x00B0
EM_SETSEL 0x00B1
EM_GETRECT 0x00B2
EM_SETRECT 0x00B3
EM_SETRECTNP 0x00B4
EM_SCROLL 0x00B5
EM_LINESCROLL 0x00B6
empty 0x00B7
EM_GETMODIFY 0x00B8
EM_SETMODIFY 0x00B9
EM_GETLINECOUNT 0x00BA
EM_LINEINDEX 0x00BB
EM_SETHANDLE 0x00BC
EM_GETHANDLE 0x00BD
EM_GETTHUMB 0x00BE
empty 0x00BF
empty 0x00C0
EM_LINELENGTH 0x00C1
EM_REPLACESEL 0x00C2
EM_SETFONT 0x00C3
EM_GETLINE 0x00C4
EM_LIMITTEXT 0x00C5
EM_CANUNDO 0x00C6
EM_UNDO 0x00C7
EM_FMTLINES 0x00C8
EM_LINEFROMCHAR 0x00C9
EM_SETWORDBREAK 0x00CA EM_SETTABSTOPS 0x00CB
EM_SETPASSWORDCHAR 0x00CC EM_EMPTYUNDOBUFFER 0x00CD EM_GETFIRSTVISIBLELINE 0x00CE EM_SETREADONLY 0x00CF
EM_SETWORDBREAKPROC 0x00D0 EM_GETWORDBREAKPROC 0x00D1 EM_GETPASSWORDCHAR 0x00D2 EM_SETMARGINS 0x00D3
EM_GETMARGINS 0x00D4
EM_GETLIMITTEXT 0x00D5
EM_POSFROMCHAR 0x00D6
EM_CHARFROMPOS 0x00D7
EM_SETIMESTATUS 0x00D8
EM_GETIMESTATUS 0x00D9
豫公网安备41160202000603
站长QQ:729038198
关于我们
投诉建议