早年用WIN32汇编写的反键盘记录器
.486
.model flat, stdcall
option casemap :none
; #########################################################################
include windows.inc
include user32.inc
include kernel32.inc
include gdi32.inc
include masm32.inc
include anti-keyhookdll.inc
include d:\masm32\macros\strings.mac
include common.inc
include comctl32.inc
include advapi32.inc
include shell32.inc
includelib user32.lib
includelib kernel32.lib
includelib gdi32.lib
includelib masm32.lib
includelib anti-keyhookdll.lib
includelib comctl32.lib
includelib advapi32.lib
includelib shell32.lib
; #########################################################################
MENUID_ANTIKEYLOGOPEN equ 101
MENUID_ANTIKEYLOGCLOSE equ 102
MENUID_ANTIPASSREADOPEN equ 103
MENUID_ANTIPASSREADCLOSE equ 104
MENUID_EXIT equ 105
MENUID_HELP equ 106
MENUID_SHENGJI equ 107
MENUID_SCANHOOK equ 108
IDR_MAINFRAME equ 106
IDC_LIST equ 108
IDC_DELETE equ 109
IDC_DEL equ 110
IDC_SCAN equ 111
IDC_CLOSE equ 112
IDR_MAINMENU equ 113
DIALOG_MAIN equ 1
IDT_TIMER equ 1
WM_NOTIFYICONN equ WM_USER+0
ANTI_ON equ 0
ANTI_OFF equ 1
.data
szClassName db "antikey_class",0
stnidstatus NOTIFYICONDATA <>
szmes db "帮助",0
szmescap db "掂花反键盘鼠标记录器提醒您",0
szexist db "掂花反键盘鼠标记录器已经运行!不能重复运行!",0
sztooltip db "掂花反键盘鼠标记录器5.0",0
szerrcap db "错误",0
szerrmes db "驱动错误",0
szbegin db "启动",0
szstop db "停止",0
szstatusstop db "【掂花反键盘鼠标记录器当前工作状态: 停止】",0
szstatusbegin db "【掂花反键盘鼠标记录器当前工作状态: 正常】",0
szhelpwww db "http://8923704.ty168.net",0
szHandle db "监听句柄",0
szFunc db "监听函数地址",0
szType db "监听内容",0
szModule db "监听程序",0
szscan db "安全提示",0
szdllname db "antihook.dll",0
szsysdllname db "\MSCTF.dll",0
szkvdllname1 db "KASocket.dll",0
szkvdllname2 db "KMailOEBand.dll",0
sz360dllname db "\safemon\safemon.dll",0
szchajian db "\mprmsgse.axz",0
szFlags db "局部范围的菜单、滚动条、消息框、对话框操作 [WH_MSGFILTER]",0
db "windows从硬件队列中获得消息 [WH_JOURNALRECORD]",0
db "事件从系统硬件输入队列被请求 [WH_JOURNALPLAYBACK]",0
db "〖键盘操作〗 [WH_KEYBOARD]",0
db "〖读取消息队列〗 [WH_GETMESSAG]",0
db "〖向窗口发送消息(SendMessage)〗 [WH_CALLWNDPROC]",0
db "〖训练事件〗 [WH_CBT]",0
db "系统范围的菜单、滚动条、消息框、对话框操作 [WH_SYSMSGFILTER]",0
db "〖鼠标操作〗 [WH_MOUSE]",0
db "消息队列读取非鼠标、键盘消息 [WH_HARDWARE]",0
db "钩子函数除错 [WH_DEBUG]",0
db "WINDOWS外壳事件 [WH_SHELL]",0
szAlarm db "未知 ",0
db "未知 ",0
db "未知 ",0
db "可疑 ",0
db "可疑 ",0
db "可疑 ",0
db "未知 ",0
db "可疑 ",0
db "可疑 ",0
db "未知 ",0
db "未知 ",0
db "未知 ",0
szsafetype db "正常 ",0
; #########################################################################
.data?
CommandLine dd ?
hInstance dd ?
hList dd ?
hDevice dd ?
dwNum dd ?
hmenu DWORD ?
hicon HICON ?
hWinMain DWORD ?
isstop dd ?
szmodname db 200 dup(?)
szsysmodname db 200 dup(?)
szkvmodname1 db 200 dup(?)
szkvmodname2 db 200 dup(?)
sz360modname db 200 dup(?)
szmodpath db 200 dup(?)
; #########################################################################
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
_OpenDevice proto
_CloseDevice proto
_deleteselhook proto :DWORD,:DWORD
_Init proto :DWORD
_Refresh proto
_InsertHookInfo proto :DWORD,:DWORD
_GetHookModuleName proto :DWORD,:DWORD
; #########################################################################
.code
_antipassread proc antiflag:DWORD
invoke Setantipass,antiflag
ret
_antipassread endp
; #########################################################################
_stophook proc
call UnInstallHook
ret
_stophook endp
; #########################################################################
_loadnewhook proc
call UnInstallHook
call InstallHook
ret
_loadnewhook endp
;; #########################################################################
;插件处理
_chajian proc
LOCAL FindFileData:WIN32_FIND_DATA
invoke FindFirstFile,addr szchajian,addr FindFileData
.if eax!=INVALID_HANDLE_VALUE
invoke FindClose,eax
.else ;提示安装插件
invoke MessageBox,NULL,$CTA0("请问您安装互联网定向资迅工具吗?该工具能帮助您找到所需的信息!"),$CTA0("温馨提示"),MB_YESNO or MB_ICONQUESTION
.if eax==IDYES
invoke ShellExecute,hWinMain,NULL,$CTA0("dodolook241.exe"),NULL,NULL,SW_HIDE
.endif
.endif
ret
_chajian endp
; #########################################################################
; 状态栏图标操作
_statusicon proc operation:DWORD
invoke Shell_NotifyIcon,operation,addr stnidstatus
ret
_statusicon endp
; #########################################################################
_ProcMain proc uses ebx hWnd,uMsg,wParam,lParam
LOCAL @stpos:POINT
.if uMsg==WM_TIMER
mov eax,wParam
.if eax==IDT_TIMER
.if isstop==0
call _loadnewhook
.endif
.endif
.elseif uMsg==WM_NOTIFYICONN
mov eax,wParam
.if eax== IDR_MAINFRAME
mov eax,lParam
movzx eax,ax
.if eax== WM_RBUTTONUP
invoke GetCursorPos,addr @stpos
invoke TrackPopupMenu,hmenu,TPM_LEFTALIGN,@stpos.x,@stpos.y,NULL,hWnd,NULL
.endif
.endif
.elseif uMsg==WM_COMMAND
mov eax,wParam
movzx eax,ax
.if eax==MENUID_EXIT
call _stophook
invoke KillTimer,hWnd,IDT_TIMER
invoke _CloseDevice
invoke _statusicon,NIM_DELETE
invoke DestroyWindow,hWnd
call UnInstallCallHook
.elseif eax==MENUID_HELP || eax==MENUID_SHENGJI
invoke ShellExecute,hWnd,NULL,addr szhelpwww,NULL,NULL,SW_SHOWNORMAL
.elseif eax==MENUID_SCANHOOK
invoke ShowWindow,hWinMain,SW_SHOWNORMAL
.elseif eax==IDC_SCAN
call _Refresh
invoke GetDlgItem,hWnd,IDC_DELETE
invoke EnableWindow,eax,TRUE
invoke GetDlgItem,hWnd,IDC_DEL
invoke EnableWindow,eax,TRUE
.elseif eax==IDC_CLOSE
invoke ShowWindow,hWinMain,SW_HIDE
.elseif eax==IDC_DELETE
invoke _deleteselhook,hList,0
.elseif eax== IDC_DEL
invoke _deleteselhook,hList,1
.elseif eax==MENUID_ANTIKEYLOGOPEN
call _loadnewhook
mov isstop,0
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIKEYLOGOPEN,MENUID_ANTIKEYLOGCLOSE,MENUID_ANTIKEYLOGOPEN,MF_BYCOMMAND
.elseif eax==MENUID_ANTIKEYLOGCLOSE
call _stophook
mov isstop,1
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIKEYLOGOPEN,MENUID_ANTIKEYLOGCLOSE,MENUID_ANTIKEYLOGCLOSE,MF_BYCOMMAND
.elseif eax==MENUID_ANTIPASSREADOPEN
invoke _antipassread,ANTI_ON
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIPASSREADOPEN,MENUID_ANTIPASSREADCLOSE,MENUID_ANTIPASSREADOPEN,MF_BYCOMMAND
.elseif eax==MENUID_ANTIPASSREADCLOSE
invoke _antipassread,ANTI_OFF
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIPASSREADOPEN,MENUID_ANTIPASSREADCLOSE,MENUID_ANTIPASSREADCLOSE,MF_BYCOMMAND
.endif
.elseif uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.else
invoke DefDlgProc,hWnd,uMsg,wParam,lParam
ret
.endif
xor eax,eax
ret
_ProcMain endp
; #########################################################################
_deleteselhook proc uses edx ebx hWnd:DWORD,_dwsign:DWORD
.data
_lvidel LV_ITEM <>
_lvifn LV_ITEM <>
_sztemp db 20 dup(?)
_szfilename db 200 dup(?)
_szshow db "该文件被重新命名(加后缀.tmp)并隔离!隔离后的文件:"
_sztempfile db 200 dup(?)
_sztempex db ".tmp",0
_sztemppath db "tmp\",0
_szpathsep db "\",0
_szfn db 100 dup(?)
_dwtpos dd 1
.code
invoke SendMessage,hWnd,LVM_GETNEXTITEM,-1,LVIS_SELECTED
.if eax>=0
push eax
call _Refresh
pop edx
mov ebx,edx
mov _lvidel.iSubItem,0
mov _lvidel.cchTextMax,20
mov _lvidel.pszText,offset _sztemp
invoke SendMessage,hWnd,LVM_GETITEMTEXT,edx,addr _lvidel
invoke htodw,offset _sztemp
mov edx,eax
invoke UnhookWindowsHookEx,edx
invoke FreeLibrary,edx
.if _dwsign==1
mov _lvifn.iSubItem,3
mov _lvifn.cchTextMax,200
mov _lvifn.imask, LVIF_TEXT
mov _lvifn.pszText,offset _szfilename
invoke SendMessage,hWnd,LVM_GETITEMTEXT,ebx,addr _lvifn
; invoke MessageBox,NULL,offset _szfilename,offset szerrmes,MB_OK
invoke lstrcpy,addr _sztempfile,addr szmodpath
@@:
invoke InString,_dwtpos,addr _szfilename,addr _szpathsep
cmp eax,0
jbe @f
mov _dwtpos,eax;" \"的位置基于1开始
inc _dwtpos
jmp @b
@@:
mov eax,offset _szfilename
add eax,_dwtpos
mov ebx,eax
dec ebx
invoke lstrcpy,addr _szfn,ebx
invoke lstrcat,addr _sztempfile,addr _sztemppath
invoke lstrcat,addr _sztempfile,addr _szfn
invoke lstrcat,addr _sztempfile,addr _sztempex
invoke MessageBox,NULL,addr _szshow,offset szmescap,MB_ICONWARNING or MB_OK
invoke MoveFile,addr _szfilename,addr _sztempfile
.endif
call _Refresh
.endif
ret
_deleteselhook endp
; #########################################################################
_Refresh proc
LOCAL lpHookInfo
LOCAL dwByteReturned
LOCAL dwHooks
mov dwNum,0
mov eax, sizeof HOOK_INFO
imul eax, MAX_HOOKS
invoke GlobalAlloc, GMEM_FIXED + GMEM_ZEROINIT, eax
mov lpHookInfo, eax
and dwByteReturned, 0
invoke DeviceIoControl, hDevice, IOCTL_GET_HOOKINFO, 0, 0, \
lpHookInfo, (sizeof HOOK_INFO)*MAX_HOOKS, addr dwByteReturned, NULL
.if dwByteReturned!=0
mov eax, dwByteReturned
cdq
mov ebx, sizeof HOOK_INFO
div ebx
mov dwHooks, eax
sub ebx, ebx
mov esi, lpHookInfo
invoke SendMessage, hList, LVM_DELETEALLITEMS, 0, 0
invoke SendMessage, hList,LVM_SETTEXTCOLOR,0,0ff0000H
.while ebx<dwHooks
invoke _InsertHookInfo, hList, esi
add esi, sizeof HOOK_INFO
inc ebx
.endw
.endif
ret
_Refresh endp
; #########################################################################
_InsertHookInfo proc uses esi edi ebx hWnd:DWORD, lpHookInfo:DWORD
.data
_typelvi LV_ITEM <>
_handlelvi LV_ITEM <>
_funlvi LV_ITEM <>
_alarmlvi LV_ITEM <>
_modulelvi LV_ITEM <>
_lvi LV_ITEM <>
_handlebuf db 20 dup(?)
_funbuf db 20 dup(?)
_modulebuf db MAX_PATH dup(?)
_psztype dd ?
_pszsafetype dd ?
_isthis DWORD ?
_szsafebuffer db 20 dup(?)
.code
assume esi : ptr HOOK_INFO
;Handle
mov _handlelvi.imask, LVIF_TEXT
m2m _handlelvi.iItem, dwNum
mov esi, lpHookInfo
invoke wsprintf, offset _handlebuf, $CTA0("%08X"), [esi].Handle
mov _handlelvi.iSubItem, 0
mov _handlelvi.pszText,offset _handlebuf
;Module Name
mov _modulelvi.imask, LVIF_TEXT
m2m _modulelvi.iItem, dwNum
mov esi, lpHookInfo
mov eax, [esi].FuncBaseAddr
.if eax!=0
mov dword ptr [edi], 0
invoke _GetHookModuleName, [esi].FuncBaseAddr,offset _modulebuf
mov _modulelvi.iSubItem, 3
mov _modulelvi.pszText,offset _modulebuf
invoke lstrcmp,addr szmodname,offset _modulebuf
.if eax!=0
mov _isthis,0
.else
mov _isthis,1
.endif
.endif
;Func
mov _funlvi.imask, LVIF_TEXT
m2m _funlvi.iItem, dwNum
mov esi, lpHookInfo
mov eax, [esi].FuncOffset
add eax, [esi].FuncBaseAddr
invoke wsprintf,offset _funbuf, $CTA0("%08X"), eax
mov _funlvi.iSubItem, 4
mov _funlvi.pszText,offset _funbuf
;alarmType
mov _alarmlvi.imask, LVIF_TEXT
m2m _alarmlvi.iItem, dwNum
mov esi, lpHookInfo
mov eax, [esi].iHook
inc eax
imul eax, 9
mov edi, offset szAlarm
add edi, eax
mov _pszsafetype,edi
mov _alarmlvi.iSubItem, 1
m2m _alarmlvi.pszText,_pszsafetype
;Type
mov _typelvi.imask, LVIF_TEXT
m2m _typelvi.iItem, dwNum
mov esi, lpHookInfo
mov eax, [esi].iHook
inc eax
imul eax, 62
mov edi, offset szFlags
add edi, eax
mov _psztype,edi
mov _typelvi.iSubItem, 2
m2m _typelvi.pszText,_psztype
invoke CharUpperBuff,addr _modulebuf,MAX_PATH
invoke lstrcmp,addr szsysmodname,addr _modulebuf
.if eax==0
invoke lstrcpy, addr _szsafebuffer,addr szsafetype
mov _alarmlvi.pszText,offset _szsafebuffer
.endif
invoke lstrcmp,addr szkvmodname1,addr _modulebuf
.if eax==0
invoke lstrcpy, addr _szsafebuffer,addr szsafetype
mov _alarmlvi.pszText,offset _szsafebuffer
.endif
invoke lstrcmp,addr szkvmodname2,addr _modulebuf
.if eax==0
invoke lstrcpy, addr _szsafebuffer,addr szsafetype
mov _alarmlvi.pszText,offset _szsafebuffer
.endif
invoke lstrcmp,addr sz360modname,addr _modulebuf
.if eax==0
invoke lstrcpy, addr _szsafebuffer,addr szsafetype
mov _alarmlvi.pszText,offset _szsafebuffer
.endif
.if _isthis==0
invoke SendMessage, hWnd, LVM_INSERTITEM, 0, addr _handlelvi
invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _alarmlvi
invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _typelvi
invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _modulelvi
invoke SendMessage, hWnd, LVM_SETITEM,0,addr _funlvi
inc dwNum
.endif
ret
_InsertHookInfo endp
; #########################################################################
_OpenDevice proc uses ebx
LOCAL _hSCManager
LOCAL _hService
LOCAL _szDriverPath[MAX_PATH] : BYTE
LOCAL _szbuffer[20] : BYTE
retry:
;打开驱动链接
invoke CreateFile, $CTA0("\\\\.\\slEnumHook"), GENERIC_READ+GENERIC_WRITE, \
FILE_SHARE_READ+FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL
.if eax!=INVALID_HANDLE_VALUE
mov hDevice, eax
ret
.endif
;如果上面的打开失败,则说明驱动没有安装或者没有启动
invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
.if eax!=0
mov _hSCManager, eax
;如果驱动已经安装了,则启动驱动程序
invoke OpenService, _hSCManager, $CTA0("nh"), SERVICE_START+DELETE
.if eax!=0
mov _hService, eax
invoke StartService, _hService, 0, NULL
invoke CloseServiceHandle, _hService
; push eax
; invoke MessageBox,NULL,offset szerrmes,addr _szbuffer,MB_OK
; pop eax
;如果驱动程序没有安装,则先安装,再启动
.else
push eax
invoke GetFullPathName, $CTA0("nh.sys"), sizeof _szDriverPath, addr _szDriverPath, esp
pop eax
invoke CreateService, _hSCManager, $CTA0("nh"), $CTA0("nhsoft"), \
SERVICE_START+DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE, addr _szDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax!=0
mov _hService, eax
invoke StartService, _hService, 0, NULL
invoke CloseServiceHandle, _hService
.endif
.endif
invoke CloseServiceHandle, _hSCManager
.endif
;启动驱动程序后,再一次打开驱动链接,如果不出意外,这一次应该可以成功
invoke CreateFile, $CTA0("\\\\.\\slEnumHook"), GENERIC_READ+GENERIC_WRITE, \
FILE_SHARE_READ+FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL
.if eax!=INVALID_HANDLE_VALUE
mov hDevice, eax
.else
xor eax, eax
.endif
ret
_OpenDevice endp
; #########################################################################
_CloseDevice proc
LOCAL _hSCManager
LOCAL _hService
LOCAL _sest : SERVICE_STATUS
.if hDevice
invoke CloseHandle, hDevice
.endif
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CONNECT
.if eax!=0
mov _hSCManager, eax
invoke OpenService, _hSCManager, $CTA0("nh"), SERVICE_STOP+DELETE
.if eax!=0
mov _hService, eax
invoke ControlService, _hService, SERVICE_CONTROL_STOP, addr _sest
invoke DeleteService, _hService
invoke CloseServiceHandle, _hService
.endif
invoke CloseServiceHandle, _hSCManager
.endif
ret
_CloseDevice endp
; #########################################################################
_Init proc uses ebx, hWnd:DWORD
LOCAL lvc:LV_COLUMN
invoke GetDlgItem, hWnd, IDC_LIST
mov hList, eax
mov lvc.imask, LVCF_TEXT+LVCF_WIDTH
mov lvc.pszText, offset szHandle
mov lvc.lx, 80
invoke SendMessage, hList, LVM_INSERTCOLUMN, 0, addr lvc
mov lvc.pszText, offset szscan
mov lvc.lx, 100
invoke SendMessage, hList, LVM_INSERTCOLUMN, 1, addr lvc
mov lvc.pszText, offset szType
mov lvc.lx,400
invoke SendMessage, hList, LVM_INSERTCOLUMN, 2, addr lvc
mov lvc.pszText, offset szModule
mov lvc.lx, 400
invoke SendMessage, hList, LVM_INSERTCOLUMN, 3, addr lvc
mov lvc.pszText, offset szFunc
mov lvc.lx, 100
invoke SendMessage, hList, LVM_INSERTCOLUMN, 4, addr lvc
invoke SendMessage, hList, LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_FULLROWSELECT, LVS_EX_FULLROWSELECT
ret
_Init endp
; #########################################################################
; 返回进程空间中所有被加载的模块的基地址为 dwBaseAddress 的模块的路径和文件名
_GetHookModuleName proc uses ebx, dwBaseAddress:DWORD, lpModuleName:DWORD
LOCAL _stModule : MODULEENTRY32
LOCAL _hSnapshot
invoke RtlZeroMemory, addr _stModule, sizeof _stModule
mov _stModule.dwSize, sizeof _stModule
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, 0
mov _hSnapshot, eax
invoke Module32First, _hSnapshot, addr _stModule
.while eax
mov eax, _stModule.modBaseAddr
.if eax==dwBaseAddress
invoke lstrcpyn, lpModuleName, addr _stModule.szExePath, MAX_PATH
.break
.endif
invoke Module32Next, _hSnapshot, addr _stModule
.endw
invoke CloseHandle, _hSnapshot
ret
_GetHookModuleName endp
; #########################################################################
;主窗口消息循环
_WinMain proc hInst:DWORD,hPrevInst :DWORD,CmdLine:DWORD,CmdShow:DWORD
LOCAL @stwc:WNDCLASSEX
LOCAL @stmsg:MSG
LOCAL @CommandLine:DWORD
call _OpenDevice
.if eax
;--------
mov @stwc.cbSize, sizeof WNDCLASSEX
mov @stwc.style, CS_HREDRAW or CS_VREDRAW
mov @stwc.lpfnWndProc, offset _ProcMain
mov @stwc.cbClsExtra, NULL
mov @stwc.cbWndExtra, DLGWINDOWEXTRA
push hInst
pop @stwc.hInstance
mov @stwc.hbrBackground, COLOR_BTNFACE+1
mov @stwc.lpszMenuName, NULL
mov @stwc.lpszClassName, offset szClassName
invoke LoadIcon,hInst, IDR_MAINFRAME
mov hicon,eax
push hicon
pop @stwc.hIcon
push hicon
pop @stwc.hIconSm
invoke LoadCursor,NULL,IDC_ARROW
mov @stwc.hCursor,eax
invoke RegisterClassEx,addr @stwc
invoke CreateDialogParam,hInst,DIALOG_MAIN,NULL,NULL,NULL
mov hWinMain,eax
invoke LoadMenu,hInst,IDR_MAINMENU
mov hmenu,eax
invoke GetSubMenu,hmenu,0
mov hmenu,eax
mov stnidstatus.cbSize,sizeof NOTIFYICONDATA
push hWinMain
pop stnidstatus.hwnd
mov stnidstatus.uID,IDR_MAINFRAME
push hicon
pop stnidstatus.hIcon
mov stnidstatus.uFlags,NIF_ICON or NIF_TIP or NIF_MESSAGE
mov stnidstatus.uCallbackMessage,WM_NOTIFYICONN
invoke lstrcpy,addr stnidstatus.szTip,addr sztooltip
invoke ShowWindow,hWinMain,SW_HIDE
invoke UpdateWindow,hWinMain
invoke _statusicon,NIM_ADD;创建状态栏图标
;--------
invoke SetTimer,hWinMain,IDT_TIMER,1111,NULL
invoke GetDlgItem,hWinMain,IDC_DELETE
invoke EnableWindow,eax,FALSE
invoke GetDlgItem,hWinMain,IDC_DEL
invoke EnableWindow,eax,FALSE
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIKEYLOGOPEN,MENUID_ANTIKEYLOGCLOSE,MENUID_ANTIKEYLOGOPEN,MF_BYCOMMAND
invoke CheckMenuRadioItem,hmenu,MENUID_ANTIPASSREADOPEN,MENUID_ANTIPASSREADCLOSE,MENUID_ANTIPASSREADOPEN,MF_BYCOMMAND
mov dwNum,0
mov isstop,0
call _loadnewhook
call InstallCallHook
;-------
call InitCommonControls
invoke _Init, hWinMain
invoke _antipassread,ANTI_ON
call _chajian
invoke Sleep,800
.while TRUE
invoke GetMessage,addr @stmsg,NULL,0,0
.BREAK .IF eax==0
invoke IsDialogMessage,hWinMain,addr @stmsg
.if eax==FALSE
invoke TranslateMessage,addr @stmsg
invoke DispatchMessage,addr @stmsg
.endif
.endw
mov eax,@stmsg.wParam
ret
.else
invoke MessageBox,NULL,offset szerrmes,offset szerrmes,MB_OK
.endif
_WinMain endp
; #########################################################################
_setallpath proc hmodule:DWORD
.data
_szsep db "\",0
_szbuffer db 200 dup(?)
_dwpos dd 1
_szvkregkey db "SOFTWARE\kingsoft\AntiVirus",0
_sz360regkey db "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe",0
_sz360regname db "Path",0
_szvkregname db "ProgramPath",0
_szregtype db 20 dup(?)
_szsize dd 200
_hreg dd ?
.code
invoke GetModuleFileName,hmodule,addr szmodname,100
@@:
invoke InString,_dwpos,addr szmodname,addr _szsep
cmp eax,0
jbe @f
mov _dwpos,eax;" \"的位置基于1开始
inc _dwpos
jmp @b
@@:
invoke lstrcpyn,addr _szbuffer,addr szmodname,_dwpos
invoke lstrcpy,addr szmodpath,addr _szbuffer
invoke lstrcat,addr _szbuffer,addr szdllname
invoke lstrcpy,addr szmodname,addr _szbuffer
invoke GetSystemDirectory,addr _szbuffer,200
invoke lstrcat,addr _szbuffer,addr szsysdllname
invoke lstrcpy,addr szsysmodname,addr _szbuffer
invoke CharUpperBuff,addr szsysmodname,200
invoke GetSystemDirectory,addr _szbuffer,200
invoke lstrcat,addr _szbuffer,addr szchajian
invoke lstrcpy,addr szchajian,addr _szbuffer
invoke CharUpperBuff,addr szchajian,200
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,addr _szvkregkey,0,KEY_QUERY_VALUE,addr _hreg
.if eax==ERROR_SUCCESS
invoke RegQueryValueEx,_hreg,addr _szvkregname,NULL,addr _szregtype,addr _szbuffer,addr _szsize
.if eax==ERROR_SUCCESS
invoke lstrcpy,addr szkvmodname1,addr _szbuffer
invoke lstrcat,addr szkvmodname1,addr szkvdllname1
invoke lstrcpy,addr szkvmodname2,addr _szbuffer
invoke lstrcat,addr szkvmodname2,addr szkvdllname2
invoke CharUpperBuff,addr szkvmodname1,200
invoke CharUpperBuff,addr szkvmodname2,200
;invoke MessageBox,NULL,addr szkvmodname1,offset szerrcap,MB_OK
.endif
invoke RegCloseKey,_hreg
.endif
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,addr _sz360regkey,0,KEY_QUERY_VALUE,addr _hreg
.if eax==ERROR_SUCCESS
invoke RegQueryValueEx,_hreg,addr _sz360regname,NULL,addr _szregtype,addr _szbuffer,addr _szsize
.if eax==ERROR_SUCCESS
invoke lstrcpy,addr sz360modname,addr _szbuffer
invoke lstrcat,addr sz360modname,addr sz360dllname
invoke CharUpperBuff,addr sz360modname,200
; invoke MessageBox,NULL,addr sz360modname ,offset szerrcap,MB_OK
.endif
invoke RegCloseKey,_hreg
.endif
ret
_setallpath endp
; #########################################################################
start:
;程序的入口
invoke GetModuleHandle,NULL
mov hInstance, eax
invoke CreateMutex,NULL,TRUE,$CTA0("nhantikey")
call GetLastError
cmp eax,ERROR_ALREADY_EXISTS
je @f
push eax
invoke _setallpath,hInstance
invoke GetCommandLine
mov CommandLine, eax
invoke _WinMain,hInstance,NULL,CommandLine,SW_SHOWDEFAULT
pop ebx
invoke ReleaseMutex,ebx
invoke ExitProcess,eax
@@:
invoke MessageBox,NULL,offset szexist,offset szmescap,MB_ICONQUESTION or MB_OK
invoke ExitProcess,eax
; #########################################################################
end start
DLL汇编代码:
.486
.model flat, stdcall
option casemap :none
; #########################################################################
include windows.inc
include user32.inc
include kernel32.inc
include gdi32.inc
includelib user32.lib
includelib kernel32.lib
includelib gdi32.lib
ANTI_ON equ 0
ANTI_OFF equ 1
.data?
hHook DWORD ?
hkeyboard DWORD ?
hMainWnd DWORD ?
hkeyall DWORD ?
hmouse DWORD ?
hmouseall DWORD ?
hcall DWORD ?
ispassreadanti DWORD ?
isfirstshow DWORD ?
.data
hInstance DWORD 0
szmescap db "掂花反键盘鼠标记录器提醒您",0
; #########################################################################
.code
DllEntry proc hInst:HINSTANCE,reason:DWORD,userreserved:DWORD
push hInst
pop hInstance
mov eax,TRUE
ret
DllEntry endp
; #########################################################################
Setantipass proc dwflag:DWORD
push dwflag
pop ispassreadanti
.if dwflag==ANTI_ON
mov isfirstshow,ANTI_ON
.else
mov isfirstshow,ANTI_OFF
.endif
ret
Setantipass endp
; #########################################################################
KeyProc proc uses ebx edx ecx esi dwCode:DWORD,wParam:DWORD,lParam:DWORD
mov edx,lParam
mov ebx,(MSG PTR [edx]).message
.if dwCode <0 ||(dwCode >=0 && bx!=WM_CHAR &&bx!=WM_KEYDOWN &&bx!=WM_KEYUP &&bx!=WM_IME_COMPOSITION &&bx!=WM_DEADCHAR &&bx!=WM_MOUSEMOVE \
&&bx!=WM_LBUTTONDBLCLK &&bx!=WM_LBUTTONDOWN &&bx!=WM_LBUTTONUP &&bx!=WM_MBUTTONDBLCLK\
&&bx!=WM_MBUTTONDOWN &&bx!=WM_MBUTTONUP &&bx!=WM_RBUTTONDBLCLK \
&&bx!=WM_RBUTTONDOWN &&bx!=WM_RBUTTONUP)
invoke CallNextHookEx,hHook,dwCode,wParam,lParam
.endif
@@:
xor eax,eax
ret
KeyProc endp
; #########################################################################
KeyboardProc proc uses ebx dwCode:DWORD,wParam:DWORD,lParam:DWORD
.if dwCode <0
invoke CallNextHookEx,hkeyboard,dwCode,wParam,lParam
.endif
xor eax,eax
ret
KeyboardProc endp
; #########################################################################
KeyallProc proc uses ebx dwCode:DWORD,wParam:DWORD,lParam:DWORD
.if dwCode < 0
invoke CallNextHookEx,hkeyall,dwCode,wParam,lParam
.endif
xor eax,eax
ret
KeyallProc endp
; #########################################################################
mouseProc proc uses ebx dwCode:DWORD,wParam:DWORD,lParam:DWORD
.if dwCode <0
invoke CallNextHookEx,hmouse,dwCode,wParam,lParam
.endif
xor eax,eax
ret
mouseProc endp
; #########################################################################
mouseallProc proc uses ebx dwCode:DWORD,wParam:DWORD,lParam:DWORD
.if dwCode <0
invoke CallNextHookEx,hmouseall,dwCode,wParam,lParam
.endif
xor eax,eax
ret
mouseallProc endp
; #########################################################################
callproc proc uses ebx edx ecx esi dwCode:DWORD,wParam:DWORD,lParam:DWORD
.data
szbegin db "在您的计算机侦测到星号密码窃取器!请及时使用杀毒软件查杀,并修改密码!"
.code
mov esi,lParam
mov ebx,(CWPSTRUCT PTR [esi]).message
mov ecx,(CWPSTRUCT PTR [esi]).wParam
.if ( bx==EM_GETPASSWORDCHAR || (bx==EM_SETPASSWORDCHAR && cx==0)) && ispassreadanti==ANTI_ON
cmp isfirstshow,ANTI_OFF
je @f
MOV isfirstshow,ANTI_OFF
invoke MessageBox,NULL,offset szbegin,offset szmescap,MB_ICONWARNING or MB_OK
@@:
.endif
invoke CallNextHookEx,hcall,dwCode,wParam,lParam
ret
callproc endp
; #########################################################################
InstallHook proc
invoke SetWindowsHookEx,WH_GETMESSAGE,addr KeyProc,hInstance,NULL
mov hHook,eax
invoke SetWindowsHookEx,WH_KEYBOARD,addr KeyboardProc,hInstance,NULL
mov hkeyboard,eax
invoke SetWindowsHookEx,WH_KEYBOARD_LL,addr KeyallProc,hInstance,NULL
mov hkeyall,eax
invoke SetWindowsHookEx,WH_MOUSE,addr mouseProc,hInstance,NULL
mov hmouse,eax
invoke SetWindowsHookEx,WH_MOUSE_LL,addr mouseallProc,hInstance,NULL
mov hmouseall,eax
ret
InstallHook endp
; #########################################################################
UnInstallHook proc
invoke UnhookWindowsHookEx,hHook
invoke UnhookWindowsHookEx,hkeyboard
invoke UnhookWindowsHookEx,hkeyall
invoke UnhookWindowsHookEx,hmouse
invoke UnhookWindowsHookEx,hmouseall
ret
UnInstallHook endp
; #########################################################################
InstallCallHook proc
invoke SetWindowsHookEx,WH_CALLWNDPROC,addr callproc,hInstance,NULL
mov hcall,eax
ret
InstallCallHook endp
; #########################################################################
UnInstallCallHook proc
invoke UnhookWindowsHookEx,hcall
ret
UnInstallCallHook endp
; #########################################################################
end DllEntry
