这部分是主程序的。
// RemoteInpouringDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "RemoteInpouring.h"
#include "RemoteInpouringDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// Thread procedure that RteThread() copies byte-for-byte into another process
// and starts there with CreateRemoteThread(). Everything it needs arrives in
// the MyData block (type declared in a header not shown here) whose address is
// passed as the thread parameter, so the body references nothing from this
// module's own imports or globals.
//
// pData->dwMessageBox : address of LoadLibraryA (field name notwithstanding;
//                       RteThread() stores the GetProcAddress result there),
//                       carried as a DWORD and reinterpreted as a function pointer.
// pData->sz           : NUL-terminated DLL path handed to LoadLibrary.
// Returns the HINSTANCE LoadLibrary produced, cast to DWORD so the creator can
// read it back through GetExitCodeThread().
DWORD __stdcall RMTFunc(MyData *pData)
{
MyData * Data = (MyData*)pData; // redundant cast: the parameter already has this type
typedef HINSTANCE (__stdcall*MLoadLibrary)(LPCTSTR);
MLoadLibrary MLLib = (MLoadLibrary)Data->dwMessageBox;
HINSTANCE RDLL;
RDLL = MLLib(Data->sz);
return (DWORD)RDLL;
}
// 用于应用程序“关于”菜单项的 CAboutDlg 对话框
// CAboutDlg: the dialog shown for the application's "About..." system-menu item
// (see CRemoteInpouringDlg::OnSysCommand). Plain MFC wizard output with no
// controls bound through DDX.
class CAboutDlg : public CDialog
{
public:
CAboutDlg();
// Dialog data
enum { IDD = IDD_ABOUTBOX }; // resource id of the dialog template
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
// Implementation
protected:
DECLARE_MESSAGE_MAP()
};
/// Builds the About box from its dialog-template resource (IDD); no further setup.
CAboutDlg::CAboutDlg()
    : CDialog(IDD)
{
    // Nothing else to initialise.
}
/// DDX/DDV hook. The About box binds no controls of its own, so the whole
/// exchange is delegated to CDialog.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    // No DDX_/DDV_ entries for this dialog.
    CDialog::DoDataExchange(pDX);
}
// Message map for CAboutDlg: no handlers of its own; every message falls
// through to CDialog.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
END_MESSAGE_MAP()
// CRemoteInpouringDlg 对话框
/// Main-dialog constructor: selects the dialog template and caches the
/// application icon that OnInitDialog()/OnPaint()/OnQueryDragIcon() reuse.
/// @param pParent optional owner window (NULL for the main window).
CRemoteInpouringDlg::CRemoteInpouringDlg(CWnd* pParent /*=NULL*/)
    : CDialog(IDD, pParent)
{
    CWinApp* const app = AfxGetApp();
    m_hIcon = app->LoadIcon(IDR_MAINFRAME);
}
/// DDX/DDV hook. The main dialog has no DDX-bound controls, so CDialog does
/// all of the work.
void CRemoteInpouringDlg::DoDataExchange(CDataExchange* pDX)
{
    // No DDX_/DDV_ entries for this dialog.
    CDialog::DoDataExchange(pDX);
}
// Message map for the main dialog: system-menu, paint and drag-icon handlers
// from the wizard, plus the OK button which starts RteThread().
// The stray "//}}AFX_MSG_MAP" marker below is a ClassWizard artefact; its
// opening "//{{AFX_MSG_MAP" counterpart is not present in this listing.
BEGIN_MESSAGE_MAP(CRemoteInpouringDlg, CDialog)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
//}}AFX_MSG_MAP
ON_BN_CLICKED(IDOK, &CRemoteInpouringDlg::OnBnClickedOk)
END_MESSAGE_MAP()
// CRemoteInpouringDlg 消息处理程序
/// One-time dialog initialisation: appends "About..." to the system menu when
/// the string resource exists, installs the large/small window icons, and
/// minimises the window straight away.
/// @return TRUE, so the framework gives focus to the first control.
BOOL CRemoteInpouringDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // The About command must be a valid system-command id: low nibble clear
    // and below the 0xF000 range reserved by Windows.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);

    if (CMenu* const sysMenu = GetSystemMenu(FALSE))
    {
        CString aboutText;
        aboutText.LoadString(IDS_ABOUTBOX);
        const bool haveText = !aboutText.IsEmpty();
        if (haveText)
        {
            sysMenu->AppendMenu(MF_SEPARATOR);
            sysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, aboutText);
        }
    }

    // The main window is a dialog, so the framework will not set the icons
    // for us; do it explicitly.
    SetIcon(m_hIcon, TRUE);   // large icon
    SetIcon(m_hIcon, FALSE);  // small icon

    ShowWindow(SW_MINIMIZE);  // start minimised

    // TODO: additional initialisation goes here.
    return TRUE;  // TRUE unless focus was explicitly set to a control
}
/// System-menu dispatch. The "About..." command appended in OnInitDialog()
/// opens the About box modally; everything else is left to CDialog.
/// @param nID    system command id (low nibble carries mouse state, hence the mask)
/// @param lParam command-specific data forwarded untouched to the base class
void CRemoteInpouringDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    const bool isAboutCommand = ((nID & 0xFFF0) == IDM_ABOUTBOX);
    if (!isAboutCommand)
    {
        CDialog::OnSysCommand(nID, lParam);
        return;
    }

    CAboutDlg about;
    about.DoModal();
}
// 如果向对话框添加最小化按钮,则需要下面的代码
// 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序,
// 这将由框架自动完成。
/// WM_PAINT handler. While the dialog is minimised the application icon is
/// drawn centred in the client area (a dialog-based app has no document/view
/// framework to do this); otherwise the default dialog painting applies.
void CRemoteInpouringDlg::OnPaint()
{
    if (!IsIconic())
    {
        CDialog::OnPaint();
        return;
    }

    CPaintDC dc(this);  // device context for painting
    SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);

    // Centre the icon inside the client rectangle.
    const int iconWidth = GetSystemMetrics(SM_CXICON);
    const int iconHeight = GetSystemMetrics(SM_CYICON);
    CRect client;
    GetClientRect(&client);
    const int left = (client.Width() - iconWidth + 1) / 2;
    const int top = (client.Height() - iconHeight + 1) / 2;

    dc.DrawIcon(left, top, m_hIcon);
}
//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
/// Called by the system while the minimised window is being dragged: the
/// application icon doubles as the drag cursor.
/// @return m_hIcon reinterpreted as a cursor handle.
HCURSOR CRemoteInpouringDlg::OnQueryDragIcon()
{
    // Icon and cursor handles share a representation; the cast is required
    // only because STRICT handle typing keeps them distinct.
    return static_cast<HCURSOR>(m_hIcon);
}
// Loads D:\RDLL.dll into the process that owns the window titled "口袋西游".
//
// Steps, as written:
//  1. FindWindow -> GetWindowThreadProcessId -> OpenProcess with query /
//     create-thread / VM-operation / VM-write rights.
//  2. Fill a MyData block with the DLL path and the address of LoadLibraryA
//     (stored in the misleadingly named dwMessageBox field).
//  3. VirtualAllocEx twice in the target (an RW block for MyData, an RWX block
//     for code) and WriteProcessMemory a fixed 4 KiB starting at RMTFunc plus
//     the MyData block.
//  4. CreateRemoteThread on the copied RMTFunc, wait for it, read its exit code
//     (the HINSTANCE LoadLibrary returned) and show it in a message box.
//
// hProcess and ret are not declared in this function — presumably class
// members; confirm against the header.
// Returns 0 on every early-exit path. The success path falls off the end with
// no return statement, so the int result is undefined there.
//
// NOTE(review): neither hProcess nor hThread is ever closed (no CloseHandle on
// any path), so both handles leak per invocation.
// NOTE(review, detection): the OpenProcess / VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// / WriteProcessMemory / CreateRemoteThread chain against a foreign process, with
// a hard-coded DLL path, is the textbook remote-thread DLL-injection pattern that
// endpoint monitoring is built to alert on.
int CRemoteInpouringDlg::RteThread(void)
{
// ===== Obtain a handle to the process in which the remote thread is created =====
HWND hWnd = ::FindWindow(NULL,"口袋西游"); // original sample used NOTEPAD here
if(hWnd == NULL)
{
AfxMessageBox("not window");
return 0;
}
DWORD dwProcessId;
::GetWindowThreadProcessId(hWnd, &dwProcessId);
hProcess = ::OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|
PROCESS_VM_WRITE,FALSE,dwProcessId);
// ========= Parameter block for the remote thread ================================
MyData data;
ZeroMemory(&data, sizeof (MyData));
strcat(data.sz, "D:\\RDLL.dll");
HINSTANCE hUser = ::LoadLibrary("kernel32.dll");
if (! hUser)
{
AfxMessageBox("Can not load library.\n");
return 0;
}
data.dwMessageBox = (DWORD)GetProcAddress(hUser, "LoadLibraryA");// resolve LoadLibraryA
FreeLibrary(hUser);
if (! data.dwMessageBox)
return 0;
// ======= Allocate memory in the target process ===================================
MyData *pData = (MyData*)::VirtualAllocEx(hProcess, NULL, sizeof (MyData), MEM_COMMIT, PAGE_READWRITE);
if (!pData)
return 0;
void *pRemoteThread = ::VirtualAllocEx(hProcess, NULL,1024*4, MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if (! pRemoteThread)
return 0;
if (! ::WriteProcessMemory(hProcess, pRemoteThread,&RMTFunc, 1024*4, 0))
return 0;// copy the thread function (fixed 4 KiB from RMTFunc) into the target
if (! ::WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
return 0;// copy the function's parameter block into the target
// =========== Create the remote thread ===========================================
HANDLE hThread = ::CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread,
pData, 0, 0);// start a thread inside the process hProcess refers to
if (! hThread)
{
AfxMessageBox("远程线程创建失败");
return 0;
}
HINSTANCE m_dll;
::WaitForSingleObject( hThread, INFINITE ); // wait for the thread to finish
::GetExitCodeThread(hThread,&ret);// the exit code is RMTFunc()'s return value, i.e. the
// module handle that LoadLibrary returned.
m_dll = (HINSTANCE) ret;
char szbuff[20];
wsprintf(szbuff,"%x",ret);
AfxMessageBox(szbuff);
}
/// OK-button handler: runs RteThread() and discards its int result, exactly as
/// the wizard-generated caller did.
void CRemoteInpouringDlg::OnBnClickedOk()
{
    (void)RteThread();
}
这部分是 DLL 的关键代码。
/// DLL entry point. Performs no work on attach or detach and simply reports
/// success for every reason code.
/// @param hInstance  module handle of this DLL (unused)
/// @param fdwReason  attach/detach reason (unused)
/// @param pvReserved reserved by the loader (unused)
/// @return TRUE always
int WINAPI DllMain ( HINSTANCE hInstance, DWORD fdwReason, PVOID pvReserved)
{
    (void)hInstance;
    (void)fdwReason;
    (void)pvReserved;
    return TRUE ;
}
// Invoked from the InterceptPacket stub with register values taken from the
// hooked function:
//   p    : packet bytes
//   len  : packet length
//   rORs : discriminator compared against 0x57CB7C to tell the recv-side call
//          from the send-side call (value meaning comes from the stub only)
//   key  : 16-byte key, consulted only on the recv side
// Copies the bytes (plus the key on the recv side) into a stack buffer and
// hands them to the window titled "RemoteThread" via WM_COPYDATA, with
// dwData = 1 for recv and 0 for send.
//
// NOTE(review): `TmpBuff = p;`, `TmpBuff = '\0';`, `str = key;` and `str = '\0';`
// cannot compile as written (array assigned from pointer/char); the array
// subscripts were evidently lost when this listing was extracted. Reproduced
// as found.
// NOTE(review): TmpBuff is 1000 bytes and str is 16 bytes, but len is never
// bounded against them and the recv path writes `len + 16` bytes — a stack
// buffer overrun for large packets.
void __stdcall ReturnPktInfo (char* p, int len ,UINT rORs,char* key)
{
char TmpBuff[1000] = {0},str[16] = {0};
UINT p1;
if(rORs == 0x57CB7C)
{
// recv side: include the 3 bytes preceding p (presumably a header the
// hook point has already advanced past — cannot be confirmed from here)
len += 3;
p1 = (UINT)p;
p1 -= 3;
p = (char*)p1;
}
int i;
// Lay the byte stream out in the buffer for transfer and reading
for ( i = 0; i < len; i++)
{
TmpBuff = p;
}
TmpBuff = '\0';
// On the recv side, append the key after the data
if(rORs == 0x57CB7C)
{
for ( i = 0;i <16;i++)
{
str = key;
}
str = '\0';
memcpy(TmpBuff+len,str,16);
}
HWND hWnd = ::FindWindow(NULL,"RemoteThread"); // replace with the window title of your capture tool
if(hWnd!=NULL)
{
COPYDATASTRUCT cpd; /* populate the COPYDATASTRUCT */
cpd.dwData = 0;
if(rORs == 0x57CB7C)
cpd.dwData = 1;
cpd.cbData = (len+16);
cpd.lpData = (void*)TmpBuff;
::SendMessage(hWnd,WM_COPYDATA,NULL,(LPARAM)&cpd); // deliver
}
}
// Naked hook stub reached from two patched sites in a specific client build
// (the send path and the recv/decrypt path). The register contents it reads at
// entry (eax, ebx, ebp, esi+7) are dictated by the patched code and are not
// visible in this listing; the roles below repeat the original author's
// comments and should be treated as unverified.
// It preserves registers, calls ReturnPktInfo (__stdcall, so the callee
// removes the four pushed arguments), then executes `push edi` / `mov edi,-4`
// — presumably the instructions the patch displaced — and jumps back to a
// hard-coded address: 0x57EC20 after a send, 0x57EC70 after a recv.
// EXPORT is a macro not defined anywhere in this listing; confirm its
// definition. The C parameters (p, len) are never referenced; the asm works
// purely on raw stack/register state.
// NOTE(review): 0x57CB7C, 0x57EC20 and 0x57EC70 are absolute addresses for
// one particular binary; any other build of the client will crash here.
EXPORT __declspec(naked) BYTE* __stdcall InterceptPacket(char *p, int len)
{
__asm
{
push ebx
mov ebx,[esp+0x10]
pushad
lea edx, dword ptr [esi+7]
push ebp // key address
push ebx // value that distinguishes the send call from the recv call
push eax // packet length; arguments for ReturnPktInfo start here
push edx
call ReturnPktInfo // hand the data to the output routine
cmp ebx,0x57CB7C
jz gorecv
popad
pop ebx
push edi
mov edi, -4
mov eax, 0x57EC20// EAX is used as the springboard for the jump back: it normally holds a return value, so it is free here
jmp eax // capture done, resume the original code
gorecv:
popad
pop ebx
push edi
mov edi, -4
mov eax, 0x57EC70 // return into the decrypt routine
jmp eax // capture done, resume the original code
}
}