-
-
[原创]flv 抓取小工具
-
2007-10-20 22:53
-
// 以前就想写个这样的工具,一直都很懒。
// 今天实在无聊,才踏踏实实写出
// 主要功能就是在抓取 flv 的路径, 实现方法就是 patch fash 控件处理 flv 路径的地方。
// 只在 xp 下测试了 flash9d.ocx
// 今天实在无聊,才踏踏实实写出
// 主要功能就是在抓取 flv 的路径, 实现方法就是 patch fash 控件处理 flv 路径的地方。
// 只在 xp 下测试了 flash9d.ocx
/*
提供 flv 路径捕获接口
written by dummyz@126.com
2007/10/20
*/
#include <tchar.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
#include "GetFlv.h"
#include "Hook.h"
//////////////////////////////////////////////////////////////////////////
// 类型定义
//////////////////////////////////////////////////////////////////////////
typedef HMODULE (WINAPI* PFN_LoadLibraryExW)(LPCWSTR,HANDLE,DWORD);
//////////////////////////////////////////////////////////////////////////
// 全局变量
//////////////////////////////////////////////////////////////////////////
#pragma data_seg(".sh")
HHOOK __hMouseHook = NULL;
HWND __hWnd = NULL;
int __nMonitorState = 0;
#pragma data_seg()
#pragma comment(linker, "/section:.sh,rws")
HMODULE __hModule;
HOOKIMPORT __HookImpStc[2];
struct
{
ULONG sub_300BE976; // 300BE976
ULONG PatchedCode; // 300910DB
BOOL bPatched;
} __PatchFlashOcx;
//////////////////////////////////////////////////////////////////////////
// 函数实现
//////////////////////////////////////////////////////////////////////////
void __stdcall LogOut(PCTSTR pszString)
{
if ( pszString != NULL )
{
PCTSTR p = strrchr(pszString, '.');
if ( p != NULL && stricmp(p, ".flv") == 0 )
{
#if 0
FILE* f = fopen("c:\\getflv.log", "a+");
if ( f != NULL )
{
fprintf(f, "%s\n", pszString);
fclose(f);
}
#else
COPYDATASTRUCT cds;
cds.dwData = 0x8702;
cds.cbData = strlen(pszString) + 1;
cds.lpData = (LPVOID)pszString;
SendMessage(__hWnd, WM_COPYDATA, 0, (LPARAM)&cds);
#endif
}
}
}
int __declspec(naked) Dummy_Sub300BE976()
{
__asm
{
mov eax, [esp + 8]
push ecx
push eax
call LogOut
pop ecx
jmp [__PatchFlashOcx].sub_300BE976
}
}
BOOL PatchFlashOcx(LPVOID lpBaseAddr)
{
__try
{
// search code
PIMAGE_DOS_HEADER pDosH = (PIMAGE_DOS_HEADER)lpBaseAddr;
PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((ULONG)pDosH + pDosH->e_lfanew);
PBYTE pb = (PBYTE)pDosH + pNtH->OptionalHeader.BaseOfCode;
PBYTE pe = pb + pNtH->OptionalHeader.SizeOfCode - 100;
while ( pb < pe )
{
/*
300910D3 >|> /FF76 1C push dword ptr [esi+1C]
300910D6 |. |68 F8A11A30 push 301AA1F8 ; ASCII "url_request"
300910DB |. |E8 96D80200 call <sub_300BE976>
*/
if (
pb[0] == 0xff && pb[1] == 0x76 && pb[2] == 0x1c &&
pb[3] == 0x68 && pb[8] == 0xe8
)
{
__try
{
const char* s = *(char**)(pb + 4);
if ( _stricmp(s, "url_request") == 0 )
{
DWORD dwCallOffset, dwWritten;
dwCallOffset = (DWORD)Dummy_Sub300BE976 - (DWORD)(pb + 8 + 5);
__PatchFlashOcx.PatchedCode = (DWORD)(pb + 9);
__PatchFlashOcx.sub_300BE976 = *(PDWORD)(pb + 9) + (DWORD)(pb + 8 + 5);
__PatchFlashOcx.bPatched = WriteProcessMemory(
GetCurrentProcess(), pb + 9, &dwCallOffset, 4, &dwWritten);
break;
}
}
__except ( EXCEPTION_EXECUTE_HANDLER )
{
}
}
pb++;
}
}
__except ( EXCEPTION_EXECUTE_HANDLER )
{
}
return __PatchFlashOcx.bPatched;
}
BOOL UnPatchFlashOcx()
{
if ( __PatchFlashOcx.bPatched )
{
DWORD dwWritten;
DWORD dwOffset = __PatchFlashOcx.sub_300BE976 - __PatchFlashOcx.PatchedCode - 4;
__PatchFlashOcx.bPatched = !WriteProcessMemory(GetCurrentProcess(),
(PVOID)__PatchFlashOcx.PatchedCode, &dwOffset, 4, &dwWritten);
}
return !__PatchFlashOcx.bPatched;
}
HMODULE
WINAPI
NewLoadLibraryExA(
LPCSTR lpFileName,
HANDLE hFile,
DWORD dwFlags
)
{
HMODULE hModule = LoadLibraryExA(lpFileName, hFile, dwFlags);
if ( hModule != NULL && (dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0 )
{
OutputDebugStringA(lpFileName);
PCSTR lpName = strrchr(lpFileName, L'\\');
if ( lpName == NULL )
{
lpName = strrchr(lpFileName, L'/');
if ( lpName == NULL )
lpName = lpFileName;
}
lpName++;
static PCSTR pszFlashOcx[] = {
"flash9c.ocx", "flash9d.ocx"
};
for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ )
{
if ( stricmp(lpName, pszFlashOcx[i]) == 0 )
{
PatchFlashOcx((LPVOID)hModule);
break;
}
}
HookImportTable((LPVOID)hModule, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0]));
}
return hModule;
}
HMODULE
WINAPI
NewLoadLibraryExW(
LPCWSTR lpFileName,
HANDLE hFile,
DWORD dwFlags
)
{
HMODULE hModule = LoadLibraryExW(lpFileName, hFile, dwFlags);
if ( hModule != NULL && (dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0 )
{
OutputDebugStringW(lpFileName);
PCWSTR lpName = wcsrchr(lpFileName, L'\\');
if ( lpName == NULL )
{
lpName = wcsrchr(lpFileName, L'/');
if ( lpName == NULL )
lpName = lpFileName;
}
lpName++;
static PCWSTR pszFlashOcx[] = {
L"flash9c.ocx", L"flash9d.ocx"
};
for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ )
{
if ( _wcsicmp(lpName, pszFlashOcx[i]) == 0 )
{
PatchFlashOcx((LPVOID)hModule);
break;
}
}
HookImportTable((LPVOID)hModule, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0]));
}
return hModule;
}
void HookModules(BOOL bHook)
{
MODULEENTRY32 me;
me.dwSize = sizeof (me);
HANDLE hModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
BOOL bContinue = hModSnap != NULL && Module32First(hModSnap, &me);
while ( bContinue )
{
if ( me.hModule !=__hModule )
{
if ( bHook )
{
HookImportTable(me.modBaseAddr, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0]));
static PCSTR pszFlashOcx[] = {
_T("flash9c.ocx"), _T("flash9d.ocx")
};
for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ )
{
if ( _tcsicmp(me.szModule, pszFlashOcx[i]) == 0 )
{
PatchFlashOcx(me.modBaseAddr);
break;
}
}
}
else
{
UnHookImportTable(me.modBaseAddr, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0]));
}
}
bContinue = Module32Next(hModSnap, &me);
}
if ( hModSnap != NULL )
{
CloseHandle(hModSnap);
}
}
LRESULT WINAPI MouseHookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
return CallNextHookEx(__hMouseHook, nCode, wParam, lParam);
}
BOOL WINAPI InstallMonitor(HWND hWnd)
{
if ( __hMouseHook == NULL && IsWindow(hWnd) )
{
__hWnd = hWnd;
__hMouseHook = SetWindowsHookEx(WH_MOUSE, MouseHookProc, __hModule, 0);
return (__hMouseHook != NULL);
}
return FALSE;
}
BOOL WINAPI UninstallMonitor()
{
if ( __hMouseHook != NULL )
{
if ( !UnhookWindowsHookEx(__hMouseHook) )
{
return FALSE;
}
__hWnd = NULL;
__hMouseHook = NULL;
}
return TRUE;
}
void WINAPI SetMonitorState(int nState)
{
__nMonitorState = nState;
}
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID p)
{
if ( dwReason == DLL_PROCESS_ATTACH )
{
__hModule = hModule;
HMODULE hKnl32Mod = GetModuleHandle(_T("kernel32.dll"));
__HookImpStc[0].pfnOldProc = GetProcAddress(hKnl32Mod, "LoadLibraryExA");
__HookImpStc[0].pfnNewProc = (FARPROC)NewLoadLibraryExA;
__HookImpStc[1].pfnOldProc = GetProcAddress(hKnl32Mod, "LoadLibraryExW");
__HookImpStc[1].pfnNewProc = (FARPROC)NewLoadLibraryExW;
HookModules(TRUE);
}
else if ( dwReason == DLL_PROCESS_DETACH )
{
HookModules(FALSE);
UnPatchFlashOcx();
}
return TRUE;
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌 握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
都说以前那个头像是鬼,吓走了不少追我的女生
 嘿嘿 
|
|
|
|
|
|
强,可整合成IE插件
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
我觉得现在这个头像的脸型更像真人
|
|
|
|
|
|
|
|
|
|
|
|
强人啊!
|
|
|
非常同意
|
|
|
你们这么一说,我发现的确很像。
|
|
|
|
|
|
太无耻了,严重鄙视暗中偷换头像的行为
|
|
|
|
|
|
下载看看 支持
|
|
|
|
|
|
|
