某软件的解密和另类监控代码
某软件的解密和另类监控代码,代码中有关键字,有心人可以搜索到。
CPP:
#include "StdAfx.h" #include "QQMonitor.h" #include "process.h" CQQMonitor::CQQMonitor(void) { m_TrueSystemFunction041 = NULL; m_TrueNotifyCallBack = NULL; m_dwTimer = 30; m_IsMon = 0; m_hMonThread = NULL; } CQQMonitor::~CQQMonitor(void) { StopMonitor(); } BOOL CQQMonitor::StartMonitor(ProcNotifyCallBack pCallBack) { if (!pCallBack && m_IsMon) return FALSE; //解密函数 HMODULE hMod = GetModuleHandleA("ADVAPI32.dll"); if (!hMod) { hMod = LoadLibraryA("ADVAPI32.dll"); if (!hMod) return FALSE; } m_TrueSystemFunction041 = (ProcSystemFunction041)GetProcAddress(hMod, "SystemFunction041"); if (!m_TrueSystemFunction041) return FALSE; //启动线程 m_TrueNotifyCallBack = pCallBack; m_IsMon = TRUE; m_hMonThread = (HANDLE)_beginthreadex(NULL, 0, threadGetQQInfo, (void *)this, 0, NULL); return TRUE; } BOOL CQQMonitor::StopMonitor() { if (m_hMonThread) { m_IsMon = FALSE; //等待线程退出 WaitForSingleObject(m_hMonThread, 200); TerminateThread(m_hMonThread, 0); CloseHandle(m_hMonThread); m_hMonThread = NULL; } return TRUE; } void CQQMonitor::GetQQMappingInfo() { TCHAR *pszData = NULL; DWORD dwBufSize = 0; //打开info的大小映射 HANDLE hMapInfoSize = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, "TX_SSO_SHARE_INFO_SIZE"); if (hMapInfoSize) { TCHAR *pszSizeBuf = (TCHAR *)MapViewOfFile(hMapInfoSize, FILE_MAP_ALL_ACCESS, NULL, NULL, 0x107); if (pszSizeBuf) { //映射名索引号 unsigned short uIndex = *((WORD *)pszSizeBuf + 1); TCHAR strInfoName[64]; sprintf(strInfoName, "TX_SSO_SHARE_INFO_%hu", uIndex); //映射大小 DWORD dwShareInfoSize = *((DWORD *)pszSizeBuf + 1); //释放空间 UnmapViewOfFile(pszSizeBuf); //加一层校验 if (dwShareInfoSize > 10) { //打开share info HANDLE hMapInfo = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, strInfoName); if (hMapInfo) { TCHAR *pszBuffer = (TCHAR *)MapViewOfFile(hMapInfo, FILE_MAP_ALL_ACCESS, NULL, NULL, dwShareInfoSize); if (pszBuffer) { //获取内容长度 dwBufSize = *(DWORD *)pszBuffer; if (dwBufSize > 0) { __try { pszData = new TCHAR[dwBufSize]; memcpy(pszData, pszBuffer + 4, dwBufSize); //尽早释放空间 UnmapViewOfFile(pszBuffer); //解密 m_TrueSystemFunction041(pszData, dwBufSize, 1); //TD数据的长度 DWORD dwDataSize = *(DWORD *)pszData; TCHAR *pszDecryptData = pszData + 4; //解析。。不解释 PUCHAR puchTxData; UINT cchTxData; UCHAR cType; if (GetTxDataFromTdData((PUCHAR)pszDecryptData, dwDataSize, L"SSO_AccoutInfoList", puchTxData, cchTxData, cType)) { PUCHAR puchTaData; UINT cchTaData; int nCount = 0; while (GetTxDataFromTaData(puchTxData, cchTxData, nCount, puchTaData, cchTaData, cType)) { PUCHAR pTmpData; UINT uTmpData; UCHAR uTmpType; //获取号码 if (GetTxDataFromTdData(puchTaData, cchTaData, L"dwSSO_Account_dwAccountUin", pTmpData, uTmpData, uTmpType) && uTmpData == 4) { DWORD dwQQUin = *(DWORD *)pTmpData; //获取是否登录 if (dwQQUin && GetTxDataFromTdData(puchTaData, cchTaData, L"cAllow_PTLOGIN", pTmpData, uTmpData, uTmpType)) { if (uTmpData == 1 && *(BYTE *)pTmpData == 1) m_TrueNotifyCallBack(dwQQUin, 1); } } nCount++; } } } __except(EXCEPTION_EXECUTE_HANDLER) { // } } } } CloseHandle(hMapInfo); } } } CloseHandle(hMapInfoSize); if (pszData) delete[] pszData; } UINT WINAPI CQQMonitor::threadGetQQInfo(LPVOID lParam) { CQQMonitor *pMon = (CQQMonitor *)lParam; Sleep(pMon->m_dwTimer); while (pMon->m_IsMon) { //get pMon->GetQQMappingInfo(); //伪timer for (DWORD i = 0; i < pMon->m_dwTimer * 10; i++) { if (!pMon->m_IsMon) goto Ext; Sleep(100); } } Ext: return 0; } BOOL CQQMonitor::GetTxDataFromTaData(PUCHAR puchBuf, UINT cchBuf, INT nIdx, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType) { UINT nPos; UINT uItem; UINT i; __try { if(!puchBuf || !cchBuf) return FALSE; if(cchBuf < 8 || puchBuf[0] != 'T' || puchBuf[1] != 'A') return FALSE; nPos = 0; nPos += 4; uItem = *(LPUINT)&puchBuf[nPos]; nPos += sizeof(UINT); for(i=0; i<uItem; i++) { cType = puchBuf[nPos]; nPos += sizeof(UCHAR); cchTxData = *(LPUINT)&puchBuf[nPos]; nPos += sizeof(UINT); puchTxData = &puchBuf[nPos]; nPos += cchTxData; if(i == nIdx) return TRUE; } } __except(EXCEPTION_EXECUTE_HANDLER) { } return FALSE; } BOOL CQQMonitor::GetTxDataFromTdData(PUCHAR puchBuf, UINT cchBuf, LPWSTR pwszName, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType) { UINT nPos; WORD wItem; UINT cchKey; WCHAR wszKey[210]; UINT i; __try { if(!puchBuf || !cchBuf|| !pwszName) return FALSE; if(cchBuf < 6 || puchBuf[0] != 'T' || puchBuf[1] != 'D') return FALSE; nPos = 0; nPos += 4; wItem = *(LPWORD)&puchBuf[nPos]; nPos += sizeof(WORD); for(i=0; i<wItem; i++) { cType = puchBuf[nPos]; nPos += sizeof(UCHAR); cchKey = *(LPWORD)&puchBuf[nPos]; nPos += sizeof(WORD); memset(wszKey, 0, sizeof(wszKey)); DecryptTxData(&puchBuf[nPos], cchKey, (PUCHAR)wszKey); nPos += cchKey; cchTxData = *(LPUINT)&puchBuf[nPos]; nPos += sizeof(UINT); puchTxData = &puchBuf[nPos]; nPos += cchTxData; if(lstrcmpiW(wszKey, pwszName) == 0) return TRUE; } } __except(EXCEPTION_EXECUTE_HANDLER) { } return FALSE; } DWORD CQQMonitor::GetQQUinFromBuffer(PUCHAR puchSrcBuf, UINT cchSrcBuf) { PUCHAR puchTxData; UINT cchTxData; UCHAR cType; if (GetTxDataFromTdData(puchSrcBuf, cchSrcBuf, L"bSSO_Result_bSucceed", puchTxData, cchTxData, cType) && cchTxData == 4 && *(DWORD *)puchTxData == 1) { if (GetTxDataFromTdData(puchSrcBuf, cchSrcBuf, L"dwSSO_Account_dwAccountUin", puchTxData, cchTxData, cType) && cchTxData == 4 && *(DWORD *)puchTxData > 10000) return *(DWORD *)puchTxData; } return 0; } VOID CQQMonitor::DecryptTxData(PUCHAR puchSrcBuf, UINT cchSrcBuf, PUCHAR puchDestBuf) { UINT key; UINT i; key = (cchSrcBuf >> 8) | (cchSrcBuf & 0xff); for(i = 0; i < cchSrcBuf; i++) { puchDestBuf[i] = ~puchSrcBuf[i]; puchDestBuf[i] ^= key; } }
.H
#pragma once typedef unsigned int *LPUINT; typedef int (__stdcall *ProcSystemFunction041)(LPVOID, DWORD, DWORD); typedef void (WINAPI * ProcNotifyCallBack)(DWORD dwNum, int nType); class CQQMonitor { public: CQQMonitor(void); ~CQQMonitor(void); BOOL StartMonitor(ProcNotifyCallBack pCallBack); BOOL StopMonitor(); void GetQQMappingInfo(); static UINT WINAPI threadGetQQInfo(LPVOID lParam); BOOL GetTxDataFromTaData(PUCHAR puchBuf, UINT cchBuf, INT nIdx, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType); BOOL GetTxDataFromTdData(PUCHAR puchBuf, UINT cchBuf, LPWSTR pwszName, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType); VOID DecryptTxData(PUCHAR puchSrcBuf, UINT cchSrcBuf, PUCHAR puchDestBuf); DWORD GetQQUinFromBuffer(PUCHAR puchSrcBuf, UINT cchSrcBuf); DWORD m_dwTimer; BOOL m_IsMon; protected: ProcSystemFunction041 m_TrueSystemFunction041; ProcNotifyCallBack m_TrueNotifyCallBack; HANDLE m_hMonThread; };
留言列表: