某软件的解密和另类监控代码，代码中有关键字，有心人可以搜索到。
CPP:
#include "StdAfx.h"
#include "QQMonitor.h"
#include "process.h"

// Constructor: acquires nothing. The decrypt-function pointer and the
// notification callback stay NULL until StartMonitor() resolves/assigns them.
CQQMonitor::CQQMonitor(void)
{
    m_TrueSystemFunction041 = NULL;
    m_TrueNotifyCallBack = NULL;
    // NOTE(review): threadGetQQInfo uses this value as milliseconds for its
    // first Sleep but as seconds (m_dwTimer * 10 slices of 100 ms) for the
    // poll interval; the two uses disagree.
    m_dwTimer = 30;
    m_IsMon = 0;
    m_hMonThread = NULL;
}

// Destructor: stops the polling thread (see StopMonitor for how).
CQQMonitor::~CQQMonitor(void)
{
    StopMonitor();
}

// Resolves SystemFunction041 from ADVAPI32.dll, records the callback and
// starts the polling thread.
// @param pCallBack  invoked as (account number, 1) by GetQQMappingInfo for
//                   each entry that passes its checks
// @return FALSE when the guard below rejects the call, when ADVAPI32.dll
//         cannot be obtained, or when the export is missing; TRUE otherwise.
BOOL CQQMonitor::StartMonitor(ProcNotifyCallBack pCallBack)
{
    // NOTE(review): with `&&` this only rejects "NULL callback AND already
    // monitoring". A NULL callback while idle is accepted and is later called
    // through in GetQQMappingInfo; a second StartMonitor while running is
    // accepted and overwrites m_hMonThread, leaking the first thread handle.
    // `||` looks like the intended condition.
    if (!pCallBack && m_IsMon) return FALSE;
    // decryption function
    HMODULE hMod = GetModuleHandleA("ADVAPI32.dll");
    if (!hMod)
    {
        // not paired with FreeLibrary anywhere in this file; the module stays
        // loaded for the rest of the process lifetime
        hMod = LoadLibraryA("ADVAPI32.dll");
        if (!hMod) return FALSE;
    }
    m_TrueSystemFunction041 = (ProcSystemFunction041)GetProcAddress(hMod, "SystemFunction041");
    if (!m_TrueSystemFunction041) return FALSE;
    // start the thread
    m_TrueNotifyCallBack = pCallBack;
    m_IsMon = TRUE;
    // _beginthreadex returns 0 on failure; that is not checked here, so
    // m_IsMon can be TRUE while m_hMonThread is NULL.
    m_hMonThread = (HANDLE)_beginthreadex(NULL, 0, threadGetQQInfo, (void *)this, 0, NULL);
    return TRUE;
}

// Signals the polling thread to stop and releases its handle.
// @return always TRUE
BOOL CQQMonitor::StopMonitor()
{
    if (m_hMonThread)
    {
        m_IsMon = FALSE;
        // wait for the thread to exit
        WaitForSingleObject(m_hMonThread, 200);
        // NOTE(review): TerminateThread is issued unconditionally after a
        // 200 ms wait, without looking at the wait result. If the thread is
        // still inside GetQQMappingInfo at that moment, its mapped views,
        // mapping handles and the pszData allocation are never released.
        TerminateThread(m_hMonThread, 0);
        CloseHandle(m_hMonThread);
        m_hMonThread = NULL;
    }
    return TRUE;
}

// One poll: opens the "TX_SSO_SHARE_INFO_SIZE" mapping to learn the index and
// size of the "TX_SSO_SHARE_INFO_<index>" mapping, copies that mapping's
// payload out, decrypts it in place with SystemFunction041, walks the
// "SSO_AccoutInfoList" TA list and calls m_TrueNotifyCallBack(uin, 1) for every
// entry whose "cAllow_PTLOGIN" byte equals 1.
//
// Trust boundary: both mappings are opened by name with FILE_MAP_ALL_ACCESS,
// and every index, size, length and item count below is read straight out of
// them. The only defence against malformed or hostile content is the SEH
// handler around the parse; see the NOTE(review) comments on the individual
// reads.
void CQQMonitor::GetQQMappingInfo()
{
    TCHAR *pszData = NULL;
    DWORD dwBufSize = 0;
    // open the info-size mapping
    HANDLE hMapInfoSize = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, "TX_SSO_SHARE_INFO_SIZE");
    if (hMapInfoSize)
    {
        // 0x107-byte view; only byte offsets 2..3 and 4..7 are read from it
        TCHAR *pszSizeBuf = (TCHAR *)MapViewOfFile(hMapInfoSize, FILE_MAP_ALL_ACCESS, NULL, NULL, 0x107);
        if (pszSizeBuf)
        {
            // index number of the mapping name (WORD at byte offset 2)
            unsigned short uIndex = *((WORD *)pszSizeBuf + 1);
            TCHAR strInfoName[64];
            // longest result is "TX_SSO_SHARE_INFO_65535" (23 chars), which fits;
            // plain sprintf into a TCHAR buffer only matches when TCHAR is char
            sprintf(strInfoName, "TX_SSO_SHARE_INFO_%hu", uIndex);
            // mapping size (DWORD at byte offset 4)
            DWORD dwShareInfoSize = *((DWORD *)pszSizeBuf + 1);
            // release the view
            UnmapViewOfFile(pszSizeBuf);
            // an extra sanity check (lower bound only; no upper bound on the size)
            if (dwShareInfoSize > 10)
            {
                // open the share info
                HANDLE hMapInfo = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, strInfoName);
                if (hMapInfo)
                {
                    TCHAR *pszBuffer = (TCHAR *)MapViewOfFile(hMapInfo, FILE_MAP_ALL_ACCESS, NULL, NULL, dwShareInfoSize);
                    if (pszBuffer)
                    {
                        // get the content length (DWORD at byte offset 0 of the payload)
                        dwBufSize = *(DWORD *)pszBuffer;
                        if (dwBufSize > 0)
                        {
                            __try
                            {
                                // NOTE(review): dwBufSize is never compared with
                                // dwShareInfoSize, so the memcpy below can run past
                                // the end of the view. That fault lands in the
                                // __except handler with pszBuffer still mapped (the
                                // UnmapViewOfFile further down is skipped) and
                                // hMapInfo is closed with the view still live.
                                // An oversized dwBufSize also makes `new` throw;
                                // presumably that ends in the same handler.
                                pszData = new TCHAR[dwBufSize];
                                // `pszBuffer + 4` is a TCHAR offset: 4 bytes only when
                                // TCHAR is char, which the A-suffixed APIs and sprintf
                                // in this file suggest is the intended build
                                memcpy(pszData, pszBuffer + 4, dwBufSize);
                                // release the view as early as possible
                                UnmapViewOfFile(pszBuffer);
                                // decrypt in place; the return status is ignored, so a
                                // failed decrypt is parsed as if it had succeeded
                                m_TrueSystemFunction041(pszData, dwBufSize, 1);
                                // length of the TD data (first DWORD of the decrypted copy)
                                DWORD dwDataSize = *(DWORD *)pszData;
                                TCHAR *pszDecryptData = pszData + 4;
                                // parse (the original author left no explanation here)
                                PUCHAR puchTxData;
                                UINT cchTxData;
                                UCHAR cType;
                                // the key string is spelled "Accout" (sic) in the data format
                                if (GetTxDataFromTdData((PUCHAR)pszDecryptData, dwDataSize, L"SSO_AccoutInfoList", puchTxData, cchTxData, cType))
                                {
                                    PUCHAR puchTaData;
                                    UINT cchTaData;
                                    int nCount = 0;
                                    // each TA item is itself a TD record describing one account
                                    while (GetTxDataFromTaData(puchTxData, cchTxData, nCount, puchTaData, cchTaData, cType))
                                    {
                                        PUCHAR pTmpData;
                                        UINT uTmpData;
                                        UCHAR uTmpType;
                                        // get the account number (must be exactly 4 bytes)
                                        if (GetTxDataFromTdData(puchTaData, cchTaData, L"dwSSO_Account_dwAccountUin", pTmpData, uTmpData, uTmpType) && uTmpData == 4)
                                        {
                                            DWORD dwQQUin = *(DWORD *)pTmpData;
                                            // check whether logged in (1-byte flag, reported only when it is 1)
                                            if (dwQQUin && GetTxDataFromTdData(puchTaData, cchTaData, L"cAllow_PTLOGIN", pTmpData, uTmpData, uTmpType))
                                            {
                                                // NOTE(review): m_TrueNotifyCallBack is NULL if
                                                // StartMonitor accepted a NULL callback (see its guard);
                                                // the call through NULL would be absorbed by __except
                                                if (uTmpData == 1 && *(BYTE *)pTmpData == 1)
                                                    m_TrueNotifyCallBack(dwQQUin, 1);
                                            }
                                        }
                                        nCount++;
                                    }
                                }
                            }
                            __except(EXCEPTION_EXECUTE_HANDLER)
                            {
                                // any fault raised while copying or parsing the
                                // mapping content is swallowed silently; nothing is
                                // logged and the caller cannot tell a poll failed
                            }
                        }
                    }
                }
                // reached even when OpenFileMappingA failed and hMapInfo is NULL
                CloseHandle(hMapInfo);
            }
        }
    }
    // reached even when hMapInfoSize is NULL
    CloseHandle(hMapInfoSize);
    // pszData is freed on both the normal and the __except path
    if (pszData) delete[] pszData;
}

// Thread entry point: polls GetQQMappingInfo() until m_IsMon is cleared.
// @param lParam  the CQQMonitor that started the thread
// @return always 0
UINT WINAPI CQQMonitor::threadGetQQInfo(LPVOID lParam)
{
    CQQMonitor *pMon = (CQQMonitor *)lParam;
    // initial delay, interpreted as milliseconds here
    Sleep(pMon->m_dwTimer);
    // NOTE(review): m_IsMon is a plain BOOL written by StopMonitor on another
    // thread; nothing in the header marks it volatile or atomic, so this loop
    // relies on the compiler re-reading it on every iteration
    while (pMon->m_IsMon)
    {
        //get
        pMon->GetQQMappingInfo();
        // pseudo timer: m_dwTimer * 10 slices of 100 ms (i.e. m_dwTimer seconds)
        // between polls, re-checking the stop flag every slice so StopMonitor
        // is honoured within about 100 ms
        for (DWORD i = 0; i < pMon->m_dwTimer * 10; i++)
        {
            if (!pMon->m_IsMon) goto Ext;
            Sleep(100);
        }
    }
Ext:
    return 0;
}

// Returns the nIdx-th item of a "TA" list.
// Layout as read by this code: bytes 0..1 "TA", 2 bytes skipped, UINT item
// count at offset 4, then per item: UCHAR type, UINT length, payload.
// @param puchBuf/cchBuf  the list; only the 8-byte minimum and the magic are checked
// @param nIdx            zero-based index of the wanted item (INT, compared with a UINT counter)
// @param puchTxData/cchTxData/cType  outputs: pointer into puchBuf, payload length, type byte
// @return TRUE if item nIdx was reached; FALSE if the buffer is rejected, the list
//         is shorter, or a fault occurs while walking it
// NOTE(review): nPos is never compared with cchBuf while walking, so an item
// length larger than the buffer walks outside it. Reads that land on unmapped
// memory are absorbed by __except; reads that land on other valid memory are
// not, and the returned pointer/length can then describe memory outside the
// caller's buffer.
BOOL CQQMonitor::GetTxDataFromTaData(PUCHAR puchBuf, UINT cchBuf, INT nIdx, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType)
{
    UINT nPos;
    UINT uItem;
    UINT i;
    __try
    {
        if(!puchBuf || !cchBuf) return FALSE;
        if(cchBuf < 8 || puchBuf[0] != 'T' || puchBuf[1] != 'A') return FALSE;
        nPos = 0;
        nPos += 4;
        // item count, read straight from the buffer and used as the loop bound
        uItem = *(LPUINT)&puchBuf[nPos];
        nPos += sizeof(UINT);
        for(i=0; i<uItem; i++)
        {
            cType = puchBuf[nPos];
            nPos += sizeof(UCHAR);
            cchTxData = *(LPUINT)&puchBuf[nPos];
            nPos += sizeof(UINT);
            puchTxData = &puchBuf[nPos];
            nPos += cchTxData;
            // outputs are already assigned for every item passed over, not
            // only for the one returned
            if(i == nIdx) return TRUE;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
    }
    return FALSE;
}

// Looks up a named item in a "TD" record.
// Layout as read by this code: bytes 0..1 "TD", 2 bytes skipped, WORD item
// count at offset 4, then per item: UCHAR type, WORD key length, obfuscated
// key bytes (decoded by DecryptTxData into a NUL-terminated wide string), UINT
// value length, value bytes.
// @param pwszName  key to match, compared case-insensitively with lstrcmpiW
// @return TRUE with the outputs pointing at the value when the key is found;
//         FALSE otherwise or on a fault while walking
// NOTE(review): cchKey is a WORD from the buffer (up to 65535) and is passed
// to DecryptTxData as the number of bytes to write into wszKey, a 420-byte
// stack array, with no comparison against sizeof(wszKey). A record with an
// oversized key length overruns the stack buffer; that is a plain overwrite,
// not a fault, so the __except handler does not catch it. The same missing
// nPos-vs-cchBuf check as in GetTxDataFromTaData applies here.
BOOL 
CQQMonitor::GetTxDataFromTdData(PUCHAR puchBuf, UINT cchBuf, LPWSTR pwszName, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType)
{
    UINT nPos;
    WORD wItem;
    UINT cchKey;
    WCHAR wszKey[210];
    UINT i;
    __try
    {
        if(!puchBuf || !cchBuf|| !pwszName) return FALSE;
        if(cchBuf < 6 || puchBuf[0] != 'T' || puchBuf[1] != 'D') return FALSE;
        nPos = 0;
        nPos += 4;
        wItem = *(LPWORD)&puchBuf[nPos];
        nPos += sizeof(WORD);
        for(i=0; i<wItem; i++)
        {
            cType = puchBuf[nPos];
            nPos += sizeof(UCHAR);
            cchKey = *(LPWORD)&puchBuf[nPos];
            nPos += sizeof(WORD);
            // zero-fill so the decoded key is NUL-terminated for lstrcmpiW
            // (only holds while cchKey leaves at least one WCHAR of zeros)
            memset(wszKey, 0, sizeof(wszKey));
            DecryptTxData(&puchBuf[nPos], cchKey, (PUCHAR)wszKey);
            nPos += cchKey;
            cchTxData = *(LPUINT)&puchBuf[nPos];
            nPos += sizeof(UINT);
            puchTxData = &puchBuf[nPos];
            nPos += cchTxData;
            if(lstrcmpiW(wszKey, pwszName) == 0) return TRUE;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
    }
    return FALSE;
}

// Extracts an account number from a TD record that carries a login result.
// Not called from anywhere else in this file.
// @return the "dwSSO_Account_dwAccountUin" value when "bSSO_Result_bSucceed"
//         is a 4-byte 1 and the account value is a 4-byte number > 10000;
//         0 otherwise
DWORD CQQMonitor::GetQQUinFromBuffer(PUCHAR puchSrcBuf, UINT cchSrcBuf)
{
    PUCHAR puchTxData;
    UINT cchTxData;
    UCHAR cType;
    if (GetTxDataFromTdData(puchSrcBuf, cchSrcBuf, L"bSSO_Result_bSucceed", puchTxData, cchTxData, cType) && cchTxData == 4 && *(DWORD *)puchTxData == 1)
    {
        if (GetTxDataFromTdData(puchSrcBuf, cchSrcBuf, L"dwSSO_Account_dwAccountUin", puchTxData, cchTxData, cType) && cchTxData == 4 && *(DWORD *)puchTxData > 10000)
            return *(DWORD *)puchTxData;
    }
    return 0;
}

// De-obfuscates a key: every output byte is the bitwise NOT of the input byte
// XORed with a key derived only from the length (high byte OR low byte of
// cchSrcBuf; only the low 8 bits matter once stored into a UCHAR).
// @param puchDestBuf  must hold at least cchSrcBuf bytes; the caller is
//                     responsible for that (see the NOTE in GetTxDataFromTdData)
VOID CQQMonitor::DecryptTxData(PUCHAR puchSrcBuf, UINT cchSrcBuf, PUCHAR puchDestBuf)
{
    UINT key;
    UINT i;
    key = (cchSrcBuf >> 8) | (cchSrcBuf & 0xff);
    for(i = 0; i < cchSrcBuf; i++)
    {
        puchDestBuf[i] = ~puchSrcBuf[i];
        puchDestBuf[i] ^= key;
    }
}
.H
#pragma once

typedef unsigned int *LPUINT;
// Signature used for the SystemFunction041 export that StartMonitor resolves
// from ADVAPI32.dll at run time; GetQQMappingInfo calls it as (buffer, length, 1)
// and ignores the result.
typedef int (__stdcall *ProcSystemFunction041)(LPVOID, DWORD, DWORD);
// Notification callback: dwNum is the account number; nType is always 1 in
// this code base.
typedef void (WINAPI * ProcNotifyCallBack)(DWORD dwNum, int nType);

// Polls the "TX_SSO_SHARE_INFO_*" named file mappings on a worker thread,
// decrypts their content and reports account entries through the callback
// given to StartMonitor.
// Threading: StartMonitor/StopMonitor run on the caller's thread;
// threadGetQQInfo runs on the worker and reads m_dwTimer and m_IsMon directly.
// Neither member is volatile or atomic, and both are public.
class CQQMonitor
{
public:
    CQQMonitor(void);
    ~CQQMonitor(void);
    // Resolves the decrypt export, stores pCallBack and starts the worker.
    BOOL StartMonitor(ProcNotifyCallBack pCallBack);
    // Clears m_IsMon, waits briefly, then terminates and closes the worker.
    BOOL StopMonitor();
    // One poll of the mappings; see the .cpp for the trust-boundary notes.
    void GetQQMappingInfo();
    // Worker entry point; lParam is the owning CQQMonitor.
    static UINT WINAPI threadGetQQInfo(LPVOID lParam);
    // "TA" list walker: returns item nIdx by index.
    BOOL GetTxDataFromTaData(PUCHAR puchBuf, UINT cchBuf, INT nIdx, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType);
    // "TD" record walker: returns the value whose decoded key equals pwszName.
    BOOL GetTxDataFromTdData(PUCHAR puchBuf, UINT cchBuf, LPWSTR pwszName, PUCHAR &puchTxData, UINT &cchTxData, UCHAR &cType);
    // Key de-obfuscation (NOT + XOR with a length-derived byte); writes
    // cchSrcBuf bytes to puchDestBuf, which the caller must size.
    VOID DecryptTxData(PUCHAR puchSrcBuf, UINT cchSrcBuf, PUCHAR puchDestBuf);
    // Account number from a TD record with a successful login result; unused in the .cpp.
    DWORD GetQQUinFromBuffer(PUCHAR puchSrcBuf, UINT cchSrcBuf);
    // Poll interval; 30 by default (see the .cpp for the ms/seconds mismatch).
    DWORD m_dwTimer;
    // Stop flag shared with the worker thread without synchronization.
    BOOL m_IsMon;
protected:
    // Resolved at run time by StartMonitor; NULL until then.
    ProcSystemFunction041 m_TrueSystemFunction041;
    // Callback given to StartMonitor; NULL until then.
    ProcNotifyCallBack m_TrueNotifyCallBack;
    // Worker thread handle from _beginthreadex; NULL when not running.
    HANDLE m_hMonThread;
};