研究星号密码查看器的工作原理
本帖最后由 元始天尊 于 2015-1-17 16:22 编辑很久以前就有这个东西了,不过一直不知道原理是什么。这个和灰色按钮破解还有些不同,灰色按钮那个是EnumWindow和EnableWindow搞定的,而星号密码经我研究发现是通过远程线程注入API实现的。从前不会调试,静态反汇编面对海量代码任你是谁也无法那么容易找到,然而熟悉了调试以后,这个就变的简单了。主窗口有个放大镜,拖动放大镜到任意窗口就可以显示密码文本框的实际字符串,根据这一点可以下SetWindowText系列API断点。
下面用WinDbg来调试:
bp User32!SetWindowTextA
bp User32!SetWindowTextW
bp User32!SetDlgItemTextA
bp User32!SetDlgItemTextW
再移动放大镜到某窗口,断在了SetWindowTextA,Shift+F11跳出后进入ViewPass,输入k查看调用栈:
0018f8e4 774b62fa ViewPass+0x1cf0
0018f910 774df943 USER32!gapfnScSendMessage+0x332
0018f98c 774df784 USER32!GetCursor+0x263
0018f9dc 774cafac USER32!GetCursor+0xa4
0018f9fc 774b62fa USER32!DrawTextExA+0xd4
0018fa28 774b6d3a USER32!gapfnScSendMessage+0x332
0018faa0 774b77c4 USER32!GetThreadDesktop+0xd7
0018fb00 774b788a USER32!CharPrevW+0x138
0018fb10 774dc81f USER32!DispatchMessageW+0xf
0018fb3c 774dcde7 USER32!IsDialogMessageW+0x11e
0018fb80 774dcf5c USER32!DialogBoxIndirectParamW+0x1f4
0018fbac 774dce8a USER32!DialogBoxIndirectParamAorW+0x108
0018fbcc 774fcb58 USER32!DialogBoxIndirectParamAorW+0x36
0018fbf8 004014f7 USER32!DialogBoxParamA+0x4c
0018fefc 00404145 ViewPass+0x14f7
0018ff88 775b338a ViewPass+0x4145
0018ff94 77d49f72 kernel32!BaseThreadInitThunk+0x12
0018ffd4 77d49f45 ntdll!RtlInitializeExceptionChain+0x63
0018ffec 00000000 ntdll!RtlInitializeExceptionChain+0x36
可以看出是个回调函数,再看剩下的代码:
00401CC7 68 C8F44000 PUSH ViewPass.0040F4C8
00401CCC 50 PUSH EAX
00401CCD E8 9E130000 CALL ViewPass.00403070
00401CD2 59 POP ECX
00401CD3 59 POP ECX
00401CD4 8D85 D8FEFFFF LEA EAX,DWORD PTR SS:[EBP-128]
00401CDA 50 PUSH EAX
00401CDB 68 EC030000 PUSH 3EC
00401CE0 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401CE3 FF15 B0A14000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; USER32.GetDlgItem
00401CE9 50 PUSH EAX
00401CEA FF15 2CA24000 CALL DWORD PTR DS:[<&USER32.SetWindowTex>; USER32.SetWindowTextA
00401CF0 33C0 XOR EAX,EAX
00401CF2 5F POP EDI
00401CF3 5E POP ESI
00401CF4 5B POP EBX
00401CF5 C9 LEAVE
发现上一句是GetDlgItem,第二个参数1004,用exescope查确实是编辑框id。执行结束再看调用栈,发现一堆USER32,一切迹象表明这个函数是个回调函数,那么有2个工作要做:①从栈上找到其参数②找到起始地址
①因为API函数序言部分为push ebp;mov ebp,esp;sub esp,???; 而调用之前为push param4;push param3;push param2;push param1;call func;因此从ebp推断,d ebp得:
0018f8e4  10 f9 18 00 fa 62 4b 77-84 0a 51 00 00 02 00 00  .....bKw..Q.....
0018f8f4  4c 0d 0b 00 ac 16 00 00-fe 14 40 00 cd ab ba dc  L.........@.....
0018f904  01 00 00 00 00 00 00 00-fe 14 40 00 8c f9 18 00  ..........@.....
0018f914  43 f9 4d 77 fe 14 40 00-84 0a 51 00 00 02 00 00  C.Mw..@...Q.....
查msdn得知窗口回调函数格式为:int WINAPI DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
[ebp]为原始ebp,[ebp+4]为call func指令下一句地址,[ebp+8]为hwndDlg=0x510a84,也就是说[ebp+0xC]为uMsg=0x200,查winuser.h可知为WM_MOUSEMOVE
②找到起始地址需要借助调用该回调函数的系统函数,查看调用栈,地址为774df943,那么用命令 u 0x774df943 l-10 看一下该地址处的前一条指令
0:000> u 774df943 l-10
USER32!GetCursor+0x253:
774df933 1cff sbb al,0FFh
774df935 7518 jne USER32!GetCursor+0x26f (774df94f)
774df937 ff7514 push dword ptr
774df93a ff7510 push dword ptr
774df93d 56 push esi
774df93e e89469fdff call USER32!gapfnScSendMessage+0x30f (774b62d7)
可见上一条指令为call USER32!gapfnScSendMessage+0x30f,此时bp 774df93e重新运行,跟踪系统函数直到进入用户程序范围
774b62d7 55 push ebp
774b62d8 8bec mov ebp,esp
774b62da 56 push esi
774b62db 57 push edi
774b62dc 53 push ebx
774b62dd 68cdabbadc push 0DCBAABCDh
774b62e2 56 push esi
774b62e3 ff7518 push dword ptr
774b62e6 ff7514 push dword ptr
774b62e9 ff7510 push dword ptr
774b62ec ff750c push dword ptr
774b62ef 64800dca0f000001 or byte ptr fs:[0FCAh],1
774b62f7 ff5508 call dword ptr [ebp+8]
走到这时,就进入了程序范围ViewPass+0x14fe=004014fe处,该处为函数起始位置:
0:000> u . l20
ViewPass+0x14fe:
004014fe 55 push ebp
004014ff 8bec mov ebp,esp
00401501 81ec28040000 sub esp,428h
00401507 8b4d0c mov ecx,dword ptr
0040150a b838010000 mov eax,138h
0040150f 53 push ebx
00401510 56 push esi
00401511 3bc8 cmp ecx,eax
00401513 57 push edi
00401514 0f87cf030000 ja ViewPass+0x18e9 (004018e9)
0040151a 0f847c030000 je ViewPass+0x189c (0040189c)
00401520 8bc1 mov eax,ecx
00401522 83e810 sub eax,10h
00401525 0f8466030000 je ViewPass+0x1891 (00401891)
0040152b 2d00010000 sub eax,100h
由于第一次运行是WM_MOUSEMOVE响应,因此去掉所有断点并下条件断点:bp 004014fe ".if poi(esp+8)=0x200 {} .else {gc}",这样的结果是,无论是否移动放大镜,只要鼠标滑过就会触发,我们先来做一次:
执行的序列是:
004014fe 55 push ebp
004014ff 8bec mov ebp,esp
00401501 81ec28040000 sub esp,428h
00401507 8b4d0c mov ecx,dword ptr [ebp+0Ch] //ecx=uMsg
0040150a b838010000 mov eax,138h
0040150f 53 push ebx
00401510 56 push esi
00401511 3bc8 cmp ecx,eax//uMsg=0x200>0x138
00401513 57 push edi
00401514 0f87cf030000 ja ViewPass+0x18e9 (004018e9)
004018e9 8bc1 mov eax,ecx
004018eb 2d00020000 sub eax,200h//是WM_MOUSEMOVE。。。
004018f0 0f848c000000 je ViewPass+0x1982 (00401982)
00401982 8d45f8 lea eax,[ebp-8]
00401985 50 push eax
00401986 ff1504a24000 call dword ptr [ViewPass+0xa204 (0040a204)] //USER32!GetCursorPos获取鼠标位置
0040198c 33db xor ebx,ebx
0040198e 391dc0f44000 cmp dword ptr [ViewPass+0xf4c0 (0040f4c0)],ebx //*(DWORD*)0x0040F4C0 == 0?
00401994 0f8456030000 je ViewPass+0x1cf0 (00401cf0)
0040199a ff75fc push dword ptr
0040199d 209dd8feffff and byte ptr ,bl
004019a3 ff75f8 push dword ptr
004019a6 ff1508a24000 call dword ptr
004019ac 8bf0 mov esi,eax
004019ae 3bf3 cmp esi,ebx
004019b0 0f841e030000 je ViewPass+0x1cd4 (00401cd4)
004019b6 8b3d0ca24000 mov edi,dword ptr
004019bc 53 push ebx
004019bd 56 push esi
004019be 897510 mov dword ptr ,esi
004019c1 ffd7 call edi
004019c3 53 push ebx
004019c4 8bd0 mov edx,eax
004019c6 ff7508 push dword ptr
004019c9 895514 mov dword ptr ,edx
004019cc ffd7 call edi
004019ce 8b4d14 mov ecx,dword ptr
004019d1 3bc1 cmp eax,ecx
004019d3 0f8417030000 je ViewPass+0x1cf0 (00401cf0)
004019d9 8d85d8fbffff lea eax,
004019df 68ff000000 push 0FFh
004019e4 50 push eax
004019e5 56 push esi
004019e6 ff1510a24000 call dword ptr
004019ec 85c0 test eax,eax
004019ee 0f84e0020000 je ViewPass+0x1cd4 (00401cd4)
004019f4 8d85d8fbffff lea eax,
004019fa 50 push eax
004019fb 8d85d8fcffff lea eax,
00401a01 50 push eax
00401a02 e869160000 call ViewPass+0x3070 (00403070)
00401a07 8d85d8fcffff lea eax,
00401a0d 6838c24000 push offset ViewPass+0xc238 (0040c238)
00401a12 50 push eax
00401a13 e8d81d0000 call ViewPass+0x37f0 (004037f0)
00401a18 83c410 add esp,10h
00401a1b 85c0 test eax,eax
00401a1d 7532 jne ViewPass+0x1a51 (00401a51)
00401a1f 8b45f8 mov eax,dword ptr
00401a22 8945f0 mov dword ptr ,eax
00401a25 8b45fc mov eax,dword ptr
00401a28 8945f4 mov dword ptr ,eax
00401a2b 8d45f0 lea eax,
00401a2e 50 push eax
00401a2f 56 push esi
00401a30 ff1514a24000 call dword ptr
00401a36 ff75f4 push dword ptr
00401a39 ff75f0 push dword ptr
00401a3c 56 push esi
00401a3d e8c1f7ffff call ViewPass+0x1203 (00401203)
00401a42 59 pop ecx
00401a43 50 push eax
00401a44 e82b030000 call ViewPass+0x1d74 (00401d74)
00401a49 83c40c add esp,0Ch
00401a4c e947fbffff jmp ViewPass+0x1598 (00401598)
00401a51 8d85d8fcffff lea eax,
00401a57 50 push eax
00401a58 e8171e0000 call ViewPass+0x3874 (00403874)
00401a5d 8d85d8fcffff lea eax,
00401a63 c7042430c24000mov dword ptr ,offset ViewPass+0xc230 (0040c230)
00401a6a 50 push eax
00401a6b e8801d0000 call ViewPass+0x37f0 (004037f0)
00401a70 59 pop ecx
00401a71 bb28c24000 mov ebx,offset ViewPass+0xc228 (0040c228)
00401a76 85c0 test eax,eax
00401a78 59 pop ecx
00401a79 7417 je ViewPass+0x1a92 (00401a92)
00401a7b 8d85d8fcffff lea eax,
00401a81 53 push ebx
00401a82 50 push eax
00401a83 e8681d0000 call ViewPass+0x37f0 (004037f0)
00401a88 59 pop ecx
00401a89 85c0 test eax,eax
00401a8b 59 pop ecx
00401a8c 0f85be000000 jne ViewPass+0x1b50 (00401b50)
00401a92 56 push esi
00401a93 ff1518a24000 call dword ptr
00401a99 8bf0 mov esi,eax
00401a9b 8d85d8fcffff lea eax,
00401aa1 53 push ebx
00401aa2 50 push eax
00401aa3 e8481d0000 call ViewPass+0x37f0 (004037f0)
00401aa8 59 pop ecx
00401aa9 85c0 test eax,eax
00401aab 59 pop ecx
00401aac 7503 jne ViewPass+0x1ab1 (00401ab1)
00401aae 8b7510 mov esi,dword ptr
00401ab1 85f6 test esi,esi
00401ab3 0f8497000000 je ViewPass+0x1b50 (00401b50)
00401ab9 8b45f8 mov eax,dword ptr
00401abc 8945f0 mov dword ptr ,eax
00401abf 8b45fc mov eax,dword ptr
00401ac2 8945f4 mov dword ptr ,eax
00401ac5 8d45f0 lea eax,
00401ac8 50 push eax
00401ac9 56 push esi
00401aca ff1514a24000 call dword ptr
00401ad0 6a00 push 0
00401ad2 ff75f4 push dword ptr
00401ad5 ff75f0 push dword ptr
00401ad8 56 push esi
00401ad9 ff151ca24000 call dword ptr
00401adf 8bf0 mov esi,eax
00401ae1 3b7510 cmp esi,dword ptr
00401ae4 752e jne ViewPass+0x1b14 (00401b14)
00401ae6 6a02 push 2
00401ae8 56 push esi
00401ae9 ff1520a24000 call dword ptr
00401aef 8bf0 mov esi,eax
00401af1 85f6 test esi,esi
00401af3 745b je ViewPass+0x1b50 (00401b50)
00401af5 8d45d8 lea eax,
00401af8 50 push eax
00401af9 56 push esi
00401afa ff159ca14000 call dword ptr
00401b00 ff75fc push dword ptr
00401b03 8d45d8 lea eax,
00401b06 ff75f8 push dword ptr
00401b09 50 push eax
00401b0a ff1524a24000 call dword ptr
00401b10 85c0 test eax,eax
00401b12 74d2 je ViewPass+0x1ae6 (00401ae6)
00401b14 85f6 test esi,esi
00401b16 897510 mov dword ptr ,esi
00401b19 7435 je ViewPass+0x1b50 (00401b50)
00401b1b 8d85d8fbffff lea eax,
00401b21 68ff000000 push 0FFh
00401b26 50 push eax
00401b27 56 push esi
00401b28 ff1510a24000 call dword ptr
00401b2e 8d85d8fbffff lea eax,
00401b34 50 push eax
00401b35 8d85d8fcffff lea eax,
00401b3b 50 push eax
00401b3c e82f150000 call ViewPass+0x3070 (00403070)
00401b41 8d85d8fcffff lea eax,
00401b47 50 push eax
00401b48 e8271d0000 call ViewPass+0x3874 (00403874)
00401b4d 83c40c add esp,0Ch
00401b50 6af0 push 0FFFFFFF0h
00401b52 ff7510 push dword ptr
00401b55 ff1528a24000 call dword ptr
00401b5b 8bd8 mov ebx,eax
00401b5d 8d85d8fcffff lea eax,
00401b63 6820c24000 push offset ViewPass+0xc220 (0040c220)
00401b68 50 push eax
00401b69 e8821c0000 call ViewPass+0x37f0 (004037f0)
00401b6e 59 pop ecx
00401b6f 85c0 test eax,eax
00401b71 59 pop ecx
00401b72 0f8400010000 je ViewPass+0x1c78 (00401c78)
00401b78 8d85d8fcffff lea eax,
00401b7e 6818c24000 push offset ViewPass+0xc218 (0040c218)
00401b83 50 push eax
00401b84 e8671c0000 call ViewPass+0x37f0 (004037f0)
00401b89 59 pop ecx
00401b8a 85c0 test eax,eax
00401a8e be00000056 mov esi,56000000h
00401a93 ff1518a24000 call dword ptr
00401a99 8bf0 mov esi,eax
00401a9b 8d85d8fcffff lea eax,
00401aa1 53 push ebx
00401aa2 50 push eax
00401aa3 e8481d0000 call ViewPass+0x37f0 (004037f0)
00401aa8 59 pop ecx
00401aa9 85c0 test eax,eax
00401aab 59 pop ecx
00401aac 7503 jne ViewPass+0x1ab1 (00401ab1)
00401aae 8b7510 mov esi,dword ptr
00401ab1 85f6 test esi,esi
00401ab3 0f8497000000 je ViewPass+0x1b50 (00401b50)
00401ab9 8b45f8 mov eax,dword ptr
00401abc 8945f0 mov dword ptr ,eax
00401abf 8b45fc mov eax,dword ptr
00401ac2 8945f4 mov dword ptr ,eax
00401ac5 8d45f0 lea eax,
00401ac8 50 push eax
00401ac9 56 push esi
00401aca ff1514a24000 call dword ptr
00401ad0 6a00 push 0
00401ad2 ff75f4 push dword ptr
00401ad5 ff75f0 push dword ptr
00401ad8 56 push esi
00401ad9 ff151ca24000 call dword ptr
00401adf 8bf0 mov esi,eax
00401ae1 3b7510 cmp esi,dword ptr
00401ae4 752e jne ViewPass+0x1b14 (00401b14)
00401ae6 6a02 push 2
00401ae8 56 push esi
00401ae9 ff1520a24000 call dword ptr
00401aef 8bf0 mov esi,eax
00401af1 85f6 test esi,esi
00401af3 745b je ViewPass+0x1b50 (00401b50)
00401af5 8d45d8 lea eax,
00401af8 50 push eax
00401af9 56 push esi
00401afa ff159ca14000 call dword ptr
00401b00 ff75fc push dword ptr
00401b03 8d45d8 lea eax,
00401b06 ff75f8 push dword ptr
00401b09 50 push eax
00401b0a ff1524a24000 call dword ptr
00401b10 85c0 test eax,eax
00401b12 74d2 je ViewPass+0x1ae6 (00401ae6)
00401b14 85f6 test esi,esi
00401b16 897510 mov dword ptr ,esi
00401b19 7435 je ViewPass+0x1b50 (00401b50)
00401b1b 8d85d8fbffff lea eax,
00401b21 68ff000000 push 0FFh
00401b26 50 push eax
00401b27 56 push esi
00401b28 ff1510a24000 call dword ptr
00401b2e 8d85d8fbffff lea eax,
00401b34 50 push eax
00401b35 8d85d8fcffff lea eax,
00401b3b 50 push eax
00401b3c e82f150000 call ViewPass+0x3070 (00403070)
00401b41 8d85d8fcffff lea eax,
00401b47 50 push eax
00401b48 e8271d0000 call ViewPass+0x3874 (00403874)
00401b4d 83c40c add esp,0Ch
00401b50 6af0 push 0FFFFFFF0h
00401b52 ff7510 push dword ptr
00401b55 ff1528a24000 call dword ptr
00401b5b 8bd8 mov ebx,eax
00401b5d 8d85d8fcffff lea eax,
00401b63 6820c24000 push offset ViewPass+0xc220 (0040c220)
00401b68 50 push eax
00401b69 e8821c0000 call ViewPass+0x37f0 (004037f0)
00401b6e 59 pop ecx
00401b6f 85c0 test eax,eax
00401b71 59 pop ecx
00401b72 0f8400010000 je ViewPass+0x1c78 (00401c78)
00401b78 8d85d8fcffff lea eax,
00401b7e 6818c24000 push offset ViewPass+0xc218 (0040c218)
00401b83 50 push eax
00401b84 e8671c0000 call ViewPass+0x37f0 (004037f0)
00401b89 59 pop ecx
00401b8a 85c0 test eax,eax
00401b8c 59 pop ecx
00401b8d 0f84e5000000 je ViewPass+0x1c78 (00401c78)
00401b93 8d85d8fcffff lea eax,
00401b99 6804c24000 push offset ViewPass+0xc204 (0040c204)
00401b9e 50 push eax
00401b9f e84c1c0000 call ViewPass+0x37f0 (004037f0)
00401ba4 59 pop ecx
00401ba5 85c0 test eax,eax
00401ba7 59 pop ecx
00401ba8 0f84ca000000 je ViewPass+0x1c78 (00401c78)
00401bae 8d85d8fcffff lea eax,
00401bb4 68f0c14000 push offset ViewPass+0xc1f0 (0040c1f0)
00401bb9 50 push eax
00401bba e8311c0000 call ViewPass+0x37f0 (004037f0)
00401bbf 59 pop ecx
00401bc0 85c0 test eax,eax
00401bc2 59 pop ecx
00401bc3 0f84af000000 je ViewPass+0x1c78 (00401c78)
00401bc9 8d85d8fcffff lea eax,
00401bcf 68dcc14000 push offset ViewPass+0xc1dc (0040c1dc)
00401bd4 50 push eax
00401bd5 e8161c0000 call ViewPass+0x37f0 (004037f0)
00401bda 59 pop ecx
00401bdb 85c0 test eax,eax
00401bdd 59 pop ecx
00401bde 0f8494000000 je ViewPass+0x1c78 (00401c78)
00401be4 8d85d8fcffff lea eax,
00401bea 68c8c14000 push offset ViewPass+0xc1c8 (0040c1c8)
00401bef 50 push eax
00401bf0 e8fb1b0000 call ViewPass+0x37f0 (004037f0)
00401bf5 59 pop ecx
00401bf6 85c0 test eax,eax
00401bf8 59 pop ecx
00401bf9 747d je ViewPass+0x1c78 (00401c78)
00401bfb 8d85d8fcffff lea eax,
00401c01 68b4c14000 push offset ViewPass+0xc1b4 (0040c1b4)
00401c06 50 push eax
00401c07 e8e41b0000 call ViewPass+0x37f0 (004037f0)
00401c0c 59 pop ecx
00401c0d 85c0 test eax,eax
00401c0f 59 pop ecx
00401c10 7466 je ViewPass+0x1c78 (00401c78)
00401c12 8d85d8fcffff lea eax,
00401c18 68a4c14000 push offset ViewPass+0xc1a4 (0040c1a4)
00401c1d 50 push eax
00401c1e e8cd1b0000 call ViewPass+0x37f0 (004037f0)
00401c23 59 pop ecx
00401c24 85c0 test eax,eax
00401c26 59 pop ecx
00401c27 744f je ViewPass+0x1c78 (00401c78)
00401c29 8d85d8fcffff lea eax,
00401c2f 689cc14000 push offset ViewPass+0xc19c (0040c19c)
00401c34 50 push eax
00401c35 e8961f0000 call ViewPass+0x3bd0 (00403bd0)
00401c3a 59 pop ecx
00401c3b 85c0 test eax,eax
00401c3d 59 pop ecx
00401c3e 7538 jne ViewPass+0x1c78 (00401c78)
00401c40 8d85d8fcffff lea eax,
00401c46 6894c14000 push offset ViewPass+0xc194 (0040c194)
00401c4b 50 push eax
00401c4c e87f1f0000 call ViewPass+0x3bd0 (00403bd0)
00401c51 59 pop ecx
00401c52 85c0 test eax,eax
00401c54 59 pop ecx
00401c55 7521 jne ViewPass+0x1c78 (00401c78)
00401c57 f7c30000c880 test ebx,80C80000h
00401c5d 7575 jne ViewPass+0x1cd4 (00401cd4)
00401c5f 8d85d8feffff lea eax,
00401c65 50 push eax
00401c66 68ff000000 push 0FFh
00401c6b 6a0d push 0Dh
00401c6d ff7510 push dword ptr
00401c70 ff15d8a14000 call dword ptr
00401c76 eb5c jmp ViewPass+0x1cd4 (00401cd4)
00401c78 f6c320 test bl,20h
00401c78 f6c320 test bl,20h
00401c7b 7457 je ViewPass+0x1cd4 (00401cd4)
00401c7d 833dc4f4400000cmp dword ptr ,0
00401c84 74d9 je ViewPass+0x1c5f (00401c5f)
00401c86 8d4514 lea eax,
00401c89 50 push eax
00401c8a ff7510 push dword ptr
00401c8d ffd7 call edi
00401c8f ff7514 push dword ptr
00401c92 6a00 push 0
00401c94 683a040000 push 43Ah
00401c99 ff1538a04000 call dword ptr
00401c9f 8bf0 mov esi,eax
00401ca1 85f6 test esi,esi
00401ca3 741c je ViewPass+0x1cc1 (00401cc1)
00401ca5 8d85d8feffff lea eax,
00401cab 50 push eax
00401cac ff7510 push dword ptr
00401caf 56 push esi
00401cb0 e837f5ffff call ViewPass+0x11ec (004011ec)
00401cb5 83c40c add esp,0Ch
00401cb8 56 push esi
00401cb9 ff154ca14000 call dword ptr
00401cbf eb13 jmp ViewPass+0x1cd4 (00401cd4)
00401cc1 8d85d8feffff lea eax,
00401cc7 68c8f44000 push offset ViewPass+0xf4c8 (0040f4c8)
00401ccc 50 push eax
00401ccd e89e130000 call ViewPass+0x3070 (00403070)
00401cd2 59 pop ecx
00401cd3 59 pop ecx
00401cd4 8d85d8feffff lea eax,
00401cda 50 push eax
00401cdb 68ec030000 push 3ECh
00401ce0 ff7508 push dword ptr
00401ce3 ff15b0a14000 call dword ptr
00401ce9 50 push eax
00401cea ff152ca24000 call dword ptr
00401cf0 33c0 xor eax,eax
00401cf2 5f pop edi
00401cf3 5e pop esi
00401cf4 5b pop ebx
00401cf5 c9 leave
00401cf6 c21000 ret 10h
00401cf9 56 push esi
00401cfa 8b742408 mov esi,dword ptr
00401cfe 68ee030000 push 3EEh
00401d03 56 push esi
00401d04 ff15aca14000 call dword ptr
00401d0a 83f801 cmp eax,1
00401d0d 750c jne ViewPass+0x1d1b (00401d1b)
00401d0f 33c0 xor eax,eax
00401d11 6a0b push 0Bh
00401d13 50 push eax
00401d14 50 push eax
00401d15 50 push eax
00401d16 50 push eax
00401d17 6aff push 0FFFFFFFFh
00401d19 eb0a jmp ViewPass+0x1d25 (00401d25)
00401d1b 33c0 xor eax,eax
00401d1d 6a03 push 3
00401d1f 50 push eax
00401d20 50 push eax
00401d21 50 push eax
00401d22 50 push eax
00401d23 6afe push 0FFFFFFFEh
00401d25 56 push esi
00401d26 ff15eca14000 call dword ptr
00401d2c 5e pop esi
00401d2d c3 ret
结合IDA分析,得到大致代码如下:
主窗口回调
// Globals shared by the dialog procedure below; none of them is initialised
// here except the drag flag.
HINSTANCE hInstance;                 // module instance, used for LoadCursor
HCURSOR   hCursor;                   // cursor shown while the magnifier is being dragged
HWND      hglasswnd;                 // the magnifier (static control) in the main dialog
HICON     hglassicon_origin;         // magnifier icon while idle
HICON     hglassicon_new;            // magnifier icon while dragging
BOOL      IsMouseDown = FALSE;       // TRUE between WM_LBUTTONDOWN on the magnifier and WM_LBUTTONUP
// Dialog procedure of the viewer's main window (reconstruction of the routine
// at ViewPass+0x14fe in the disassembly above). Only the three mouse messages
// that drive the magnifier are reconstructed; WM_INITDIALOG is left empty.
// hDlg/uMsg/wParam/lParam: the usual DialogProc arguments.
// Returns 0 for the handled mouse messages (1 after the IE path) and falls out
// of the switch for everything else.
int WINAPI MainDlg(HWND hDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch(uMsg)
{
case WM_INITDIALOG:
{
}
break;
case WM_LBUTTONDOWN:
{
// lParam carries the click position in client coordinates
POINT pt={LOWORD(lParam),HIWORD(lParam)};
HWND hobjwnd=ChildWindowFromPoint(hDlg,pt);
if(hobjwnd == hglasswnd)
{
// Begin the drag: capture the mouse, swap cursor and magnifier icon
SetCapture(hDlg);
SetCursor(hCursor);
SendMessage(hglasswnd,STM_SETICON,(WPARAM)hglassicon_new,NULL);
IsMouseDown=TRUE;
}
return 0;
}
case WM_LBUTTONUP:
{
if(IsMouseDown)
{
// End the drag and restore cursor and icon (32512 is the IDC_ARROW resource id)
ReleaseCapture();
IsMouseDown=FALSE;
SetCursor(LoadCursor(hInstance,MAKEINTRESOURCE(32512)));
SendMessage(hglasswnd,STM_SETICON,(WPARAM)hglassicon_origin,0);
}
return 0;
}
case WM_MOUSEMOVE:
{
POINT Point;
// NOTE(review): the array sizes of both buffers were lost in extraction; the
// disassembly passes 0FFh to GetClassName and WM_GETTEXT, so each is a
// fixed-size TCHAR array of at least 256 elements.
TCHAR String,ClassName;
GetCursorPos(&Point);
if(!IsMouseDown)
return 0;
// NOTE(review): presumably String[0]='\0' (the disassembly ANDs one byte
// of the buffer with a zeroed register); index lost in extraction.
String='\0';
HWND hobjwnd=WindowFromPoint(Point);// window under the cursor (screen coordinates)
if(hobjwnd)
{
// Compare the owning *thread* ids (the return value), not process ids:
// skip windows that belong to the viewer's own UI thread.
DWORD threadid=GetWindowThreadProcessId(hobjwnd,NULL);
if(threadid == GetWindowThreadProcessId(hDlg,0))
return 0;// the window under the cursor is the password viewer itself
if(GetClassName(hobjwnd,ClassName,256))
{
// IE rendering window: the text is read through the DOM (see htmlHWNDtoDocument)
if(!strcmp(ClassName,"Internet Explorer_Server"))
{
POINT pt=Point;
ScreenToClient(hobjwnd,&pt);
htmlHWNDtoDocument(hobjwnd,pt);
return 1;
}
// Upper-case in place so the class-name comparisons below are case-insensitive
// (spelled _strupr further down; same function)
strupr(ClassName);
if(!strcmp(ClassName,"BUTTON") || !strcmp(ClassName,"#32770"))// #32770 is the default dialog window class name
{
// The hit is a button or the dialog itself: look for the sibling control
// that actually lies under the cursor.
HWND hparent;
if(!strcmp(ClassName,"#32770"))
hparent=hobjwnd;
else
hparent=GetParent(hobjwnd);
if(hparent)
{
POINT pt=Point;
ScreenToClient(hparent,&pt);
HWND first=ChildWindowFromPointEx(hparent,pt,CWP_ALL);
if(first == hobjwnd)
{
// Assignment in the condition is intentional: walk the siblings in
// z-order until one whose rectangle contains the cursor is found.
while(first=GetWindow(first,GW_HWNDNEXT))// iterate all windows at the cursor position in z-order
{
RECT rt;
GetWindowRect(first,&rt);
if(PtInRect(&rt,Point))
break;
}
}
if(first)
{
hobjwnd=first;
GetClassName(first,ClassName,255);
_strupr(ClassName);
}
}
}
LONG style=GetWindowLong(hobjwnd,GWL_STYLE);
// Edit-like classes: the Win32 EDIT plus what look like Delphi (TEDIT) and
// Visual Basic (THUNDERRT*TEXTBOX) text-box classes.
// NOTE(review): ClassName was upper-cased above, so the "Pass"/"pass" strstr
// patterns can never match as written.
if(!strcmp(ClassName,"EDIT") || !strcmp(ClassName,"TEDIT") ||!strcmp(ClassName,"THUNDERRTTEXTBOX") ||
!strcmp(ClassName,"THUNDERRT3TEXTBOX") || !strcmp(ClassName,"THUNDERRT4TEXTBOX") ||
!strcmp(ClassName,"THUNDERRT5TEXTBOX") || !strcmp(ClassName,"THUNDERRT6TEXTBOX") ||
strstr(ClassName,"Pass") || strstr(ClassName,"pass"))
{
// In the disassembly the "Windows NT" condition is a global flag (ViewPass+0xf4c4)
// tested before this path; when it is clear the code takes the plain WM_GETTEXT
// read below instead. A non-password edit reads nothing (no else branch).
if(style&ES_PASSWORD/*and the system is Windows NT*/)
{
// The out-parameter of GetWindowThreadProcessId receives the *process* id
// (the thread id is the return value), so "tid" is really the target PID
// that OpenProcess needs.
DWORD tid;
GetWindowThreadProcessId(hobjwnd,&tid);
// Access mask: the exact set a cross-process write + remote thread needs;
// it fails for processes the caller may not open, hence the check below.
HANDLE hproc=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_WRITE|PROCESS_VM_READ|PROCESS_VM_OPERATION|PROCESS_CREATE_THREAD,false,tid);
if(hproc)
{
// NOTE(review): called with three arguments here, but the definition
// below takes a fourth (IsUnicode) with no default.
GetPassFromStar(hproc,hobjwnd,String);// inject into that process to read the password
CloseHandle(hproc);
}
else
// NOTE(review): the disassembly copies a string constant at ViewPass+0xf4c8
// here, not necessarily the empty string.
strcpy(String,"");
}
}
// Any other child control (not a popup/captioned/sysmenu window): ask for its
// text directly, 255 characters at most.
else if(!(style&(WS_POPUP|WS_CAPTION|WS_SYSMENU)))
SendMessage(hobjwnd,WM_GETTEXT,255,(LPARAM)String);
}
}
// NOTE(review): the disassembly passes the dialog's own handle ([ebp+8], i.e.
// hDlg) to GetDlgItem, as CheckPassword does; hobjwnd here looks like a slip.
SetWindowText(GetDlgItem(hobjwnd,1004),String);// update the result edit box
}
break;
//....................
}
}
未完待续。。。。
输入密码的文本框应该是有个属性的,大概用VB表示就是Text1.PasswordChar,目测干掉这个属性就OK 用API估计也是一样的。 0xAA55 发表于 2015-1-17 12:50
输入密码的文本框应该是有个属性的,大概用VB表示就是Text1.PasswordChar,目测干掉这个属性就OK ...
同一个进程才有权限这么做,所以这里要注入到这个进程中,才能实现 本帖最后由 元始天尊 于 2015-1-17 16:23 编辑
com代码是最难还原的了。。。很麻烦
放大镜获取网页密码代码:
#pragma comment(lib, "comsuppw.lib")   // COM support library (_bstr_t); MSVC-specific linker directive

// Signature of oleacc!ObjectFromLresult. It is resolved at run time with
// GetProcAddress (see htmlHWNDtoDocument) instead of being linked statically.
typedef HRESULT (WINAPI *MyObjectFromLresult)(LRESULT lResult, REFIID riid, WPARAM wParam, void **ppvObject);
// Looks up the element under the cursor in an IE document and, if it is a
// password <input> with a non-empty value, shows that value in the viewer's
// result box (control id 1004).
// hDlg  : the viewer dialog that owns the result box
// pDoc2 : document obtained in htmlHWNDtoDocument; NULL is tolerated
// pt    : cursor position in the document window's client coordinates
void CheckPassword(HWND hDlg,IHTMLDocument2* pDoc2,POINT pt)
{
if(pDoc2==NULL)
return ;
CComPtr<IHTMLElement> pElement;// smart pointer: released on scope exit
HRESULT hr=pDoc2->elementFromPoint(pt.x,pt.y,&pElement);
if(SUCCEEDED(hr))
{
CComPtr<IHTMLInputTextElement> pPwdElement;
// Only text-style <input> elements expose this interface; anything else fails the QI
hr=pElement->QueryInterface(IID_IHTMLInputTextElement,(void**)&pPwdElement);
if(SUCCEEDED(hr))
{
CComBSTR type;
hr=pPwdElement->get_type(&type);
if(SUCCEEDED(hr))
{
if(type == _T("password"))
{
CComBSTR pwd;
hr=pPwdElement->get_value(&pwd);
if(SUCCEEDED(hr))
{
if(pwd.Length() != 0)
{
// NOTE(review): the BSTR conversion is commented out, so "result" is
// uninitialized when it reaches SetWindowText — undefined behavior as
// written; the original presumably converted pwd here.
LPCTSTR result;//=(_bstr_t)pwd;
SetWindowText(GetDlgItem(hDlg,1004),result);
}
}
}
}
}
}
}
// Obtains the HTML document behind an "Internet Explorer_Server" window via
// the WM_HTML_GETOBJECT / ObjectFromLresult handshake (OLEACC.DLL) and hands
// it to CheckPassword together with the cursor position.
// hWnd : the IE rendering window found under the cursor
// pt   : cursor position in hWnd's client coordinates
void htmlHWNDtoDocument(HWND hWnd,POINT pt)
{
HMODULE hmod=LoadLibrary("OLEACC.DLL");// ObjectFromLresult lives here; resolved dynamically below
// Raw interface pointer filled in by get_document.
// NOTE(review): it is never Released, so one reference leaks per call.
IHTMLDocument2* objhtml;
if(!hmod)
{
// User-facing text kept verbatim: "Please install Microsoft Active Accessibility" / "Notice"
MessageBox(NULL,"请您安装Microsoft Active Accessibility","提示",MB_OK);
return;
}
if(hWnd)
{
DWORD dwResult;
CComPtr<IHTMLDocument2>spDoc;
UINT htmlmsg=RegisterWindowMessage("WM_HTML_GETOBJECT");
// Ask the IE window for an LRESULT cookie; SMTO_ABORTIFHUNG with a 1 s timeout
// keeps a hung tab from blocking the viewer's UI thread.
// NOTE(review): the return value is ignored, so dwResult stays uninitialized
// when the call fails or times out.
SendMessageTimeout(hWnd,htmlmsg,0,0,SMTO_ABORTIFHUNG,1000,&dwResult);
MyObjectFromLresult ObjectFromLresult=(MyObjectFromLresult)GetProcAddress(hmod,"ObjectFromLresult");
if(ObjectFromLresult != NULL)
{
// The cookie is exchanged for IID_IHTMLDocument although the receiver is a
// CComPtr<IHTMLDocument2>; this apparently works because get_Script is an
// IHTMLDocument method and the hop through the window object below is what
// yields the real IHTMLDocument2 — TODO confirm, the IID and pointer type should agree.
LRESULT lRes=ObjectFromLresult(dwResult,IID_IHTMLDocument,0,(void**)&spDoc);
if(SUCCEEDED(lRes))
{
// document -> script (window) object -> its document
CComPtr<IDispatch> spDisp;
CComQIPtr<IHTMLWindow2> spWin;
spDoc->get_Script( &spDisp );
spWin=spDisp;// QueryInterface for IHTMLWindow2; NOTE(review): not checked for NULL before use
spWin->get_document( &objhtml );
CheckPassword(hWnd,objhtml,pt);
}
}
}
FreeLibrary(hmod);
}
注入代码,已经第二次逆向了,所以得心应手
// Parameter block copied into the target process and passed to the injected
// thread as its argument (see GetPassFromStar). The naked routine below
// addresses the fields by offset, so their order and sizes are part of the
// contract; do not reorder.
struct ParamStruct
{
HWND hWnd;// target window handle (the password edit)
// Address of SendMessageA/W resolved in *this* process and called as-is in the
// target; assumes user32 is mapped at the same base in both — TODO confirm.
FARPROC MySendMessage;
// Receives the window text. NOTE(review): the array size was lost in
// extraction; the injected code passes 100h as the WM_GETTEXT length.
TCHAR Buffer;
};
// Routine that is copied byte-for-byte into the target process and run there
// as a thread (see GetPassFromStar). It is naked and written in pure asm so
// the body is self-contained: no prologue, no locals, no references into this
// module — the only external address it uses is ps->MySendMessage.
// The memory-operand brackets were lost in extraction; the C-level meaning is
// given in the comment on the call.
// ps : pointer to the ParamStruct previously written into the target.
// Returns whatever SendMessage returned (eax is not touched afterwards).
_declspec(naked) DWORD WINAPI Injectbegin(ParamStruct* ps)
{
_asm
{
push esi;// callee-saved
mov esi,ps;// esi = the thread argument
lea eax,;// eax = &ps->Buffer (operand lost in extraction)
push eax;// lParam: the buffer
push 100h;// wParam: buffer length, 256
push 0Dh;// WM_GETTEXT
push ;// ps->hWnd
call ;//SendMessage(ps->hWnd,WM_GETTEXT,256,(LPARAM)ps->Buffer) via ps->MySendMessage
and byte ptr ,0;// presumably a terminator byte at the end of ps->Buffer (index lost in extraction)
pop esi;
retn 4;// stdcall: pop the single argument
}
}
// End marker only: its address minus Injectbegin's is taken as the byte length
// of the code to copy. This relies on the linker placing the two functions
// adjacently and in source order (the author notes it holds for a Release
// build); nothing ever calls it.
_declspec(naked)void Injectend()
{// exists only to locate the end of Injectbegin
_asm retn;
}
// Reads the text of a password edit control that belongs to another process.
// Strategy: write a ParamStruct and a copy of Injectbegin into hProcess, run
// that copy there as a new thread, wait for it, then read the ParamStruct
// back and copy Buffer to the caller. Sending WM_GETTEXT from inside the
// owning process is what the ES_PASSWORD restriction does not block.
// From a monitoring standpoint this is the textbook VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread sequence, including an RWX
// allocation in a foreign process.
// hProcess  : handle opened with VM read/write/operation and create-thread rights (see MainDlg)
// hWnd      : the password edit window owned by hProcess
// buf       : receives the text; no size is passed, so it must hold at least ParamStruct::Buffer
// IsUnicode : selects SendMessageW/wcscpy versus SendMessageA/strcpy
// NOTE(review): MainDlg calls this with three arguments; there is no default for IsUnicode.
void GetPassFromStar(HANDLE hProcess,HWND hWnd,LPTSTR buf,BOOL IsUnicode)
{
DWORD writenum=0;
// NOTE(review): hThread is never assigned; the handle from CreateRemoteThread
// lives in "newthread" below and is never closed, so the __finally branch on
// hThread is dead code.
HANDLE hThread=NULL;
DWORD ThreadId=0;
DWORD ExitCode=0;
// NOTE(review): not initialized, yet both are tested in __finally — if
// GetModuleHandle or GetProcAddress fails, VirtualFreeEx runs on garbage.
LPVOID lpParameter,lpStartAddress;
__try
{
HMODULE hmod=GetModuleHandle("user32");
if(hmod)
{
ParamStruct ps;
ps.hWnd=hWnd;
// NOTE(review): GetProcAddress takes an ANSI name; _T() only matches in a
// non-UNICODE build.
if(IsUnicode)
ps.MySendMessage=GetProcAddress(hmod,_T("SendMessageW"));
else
ps.MySendMessage=GetProcAddress(hmod,_T("SendMessageA"));
if(ps.MySendMessage)
{
// First allocate space for the parameter block in the target process, so the
// code written there afterwards can receive it
if(lpParameter=VirtualAllocEx(hProcess,NULL,sizeof(ParamStruct),MEM_COMMIT,PAGE_READWRITE))
{
// NOTE(review): return value and writenum are not checked here or below
WriteProcessMemory(hProcess,lpParameter,&ps,sizeof(ParamStruct),&writenum);
// "const int INJECTCODESIZE" with the space lost in extraction. Size of the
// code to copy = distance between the two marker functions; valid in a
// Release build (debug builds insert thunks and may reorder).
const intINJECTCODESIZE =(char*)Injectend-(char*)Injectbegin;// valid in a Release build
if(lpStartAddress=VirtualAllocEx(hProcess,NULL,INJECTCODESIZE,MEM_COMMIT,PAGE_EXECUTE_READWRITE))
{
WriteProcessMemory(hProcess,lpStartAddress,(LPVOID)Injectbegin,INJECTCODESIZE,&writenum);
HANDLE newthread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpStartAddress,lpParameter,0,&ThreadId);
if(newthread)
{
// Blocks the viewer's UI thread; INFINITE means a hung target hangs the viewer.
WaitForSingleObject(newthread,INFINITE);
// Read the block back; the injected code filled ps.Buffer in the target.
ReadProcessMemory(hProcess,lpParameter,&ps,sizeof(ParamStruct),&writenum);
if(IsUnicode)
{// Unicode handling is poor (the buffer is TCHAR but copied as wchar_t regardless of build)
wcscpy((wchar_t*)buf,(wchar_t*)ps.Buffer);
}
else
{
// Unbounded copy: relies on the injected code having terminated Buffer.
strcpy((char*)buf,(char*)ps.Buffer);
}
}
}
}
}
}
}
__finally
{
// Runs on every exit path, including an exception in the __try body.
if(lpParameter)
VirtualFreeEx(hProcess,lpParameter,0,MEM_RELEASE);
if(lpStartAddress)
VirtualFreeEx(hProcess,lpStartAddress,0,MEM_RELEASE);
if(hThread)
{
GetExitCodeThread(hThread,&ExitCode);
CloseHandle(hThread);
}
}
}