Lab plan
10.6.6 Dynamically Calling a Remote Function
Test whether a CALL inside the game can be invoked from our own process.
Function prototype:
NTSTATUS
RtlRemoteCall (
    HANDLE Process,
    HANDLE Thread,
    PVOID CallSite,
    ULONG ArgumentCount,
    PULONG_PTR Arguments,
    BOOLEAN PassContext,
    BOOLEAN AlreadySuspended
    )

/*++

Routine Description:

    This function calls a procedure in another thread/process using the
    system functions get and set context. Parameters are passed to the
    target procedure via the nonvolatile registers.

Arguments:

    Process - Supplies an open handle to the target process.

    Thread - Supplies an open handle to the target thread within the target
        process.

    CallSite - Supplies the address of the procedure to call in the target
        process.

    ArgumentCount - Supplies the number of parameters to pass to the target
        procedure.

    Arguments - Supplies a pointer to the array of parameters to pass.

    PassContext - Supplies a boolean value that determines whether a parameter
        is to be passed that points to a context record.

    AlreadySuspended - Supplies a boolean value that determines whether the
        target thread is already in a suspended or waiting state.

Return Value:

    Status - Status value

--*/
Problems encountered:
1. The OpenThread function is undefined.
Solution:
#include <windows.h>
/* Signature of kernel32!OpenThread (dwDesiredAccess, bInheritHandle, dwThreadId); the SDK headers only declare it when _WIN32_WINNT >= 0x0500, hence the dynamic lookup. */
typedef HANDLE (WINAPI *OPENTHREAD)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
/* WINAPI (__stdcall) must not be omitted: OpenThread cleans up its own stack, so the caller must not pop the arguments itself. */
/* kernel32.dll is already mapped in every process, so GetModuleHandleA suffices; check the pointer for NULL before calling through it. */
OPENTHREAD lpfnOpenThread = (OPENTHREAD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "OpenThread");
2. At most 4 parameters can be passed.
3. It seems only APIs can be called. Although a function in another process can be reached, the CALL cannot succeed because of compiler-introduced issues (e.g. passing an argument in ecx). Frustrating.