#include <iostream>
#include<Windows.h>
#include <TlHelp32.h>
using namespace std;
// Process IDs of every running QQ.exe, filled by GetQQID(). main() walks this
// array until it meets a 0 entry, so one slot must remain 0 for that walk to
// terminate (10 matches would leave no terminator — see GetQQID / main).
ULONG QQPID[10] = { 0 };
//BYTE Patch4E80E[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
//BYTE Patch4E313[1] = { 0x90 };
//BYTE Patch4E317[5] = { 0x90,0x90,0x90,0x90,0x90 };
//BYTE Patch4E31E[4] = { 0x90,0x90,0x90,0x90 };
// 51 68 D0 6E 8B 5A 56 FF 50 78
// (presumably the original 10 bytes at one of the PRIVATE patch sites, kept
//  for reference — not verified here)
//
// Patch buffers. Every PatchXXXXX array holds only 0x90 (the single-byte x86
// NOP); the hex in the name is the IM.dll offset it is meant for, and the
// array length is the byte count main() passes to WriteProcessMemory
// (10 / 1 / 5 / 4). A buffer shorter than that count is read past its end.
BYTE Patch4DFBC[1] = { 0x90 };
BYTE Patch4DFC0[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch4DFC7[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch4E4B7[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
BYTE Patch4E96C[1] = { 0x90 };
BYTE Patch4E970[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch4E977[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch4EE67[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
BYTE Patch4EC21[1] = { 0x90 };
BYTE Patch4EC25[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch4EC2C[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch4F11C[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };//Version 9.1.5
BYTE Patch50B71[1] = { 0x90 };
BYTE Patch50B75[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch50B7C[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch5006C[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
// Per-version offset tables.
// NOTE(review): every stanza below #defines the SAME four OFFEST / POINT macro
// names without an #undef in between. The preprocessor keeps the LAST
// definition (the 9.4.5 block at the bottom), so all earlier stanzas are dead
// code, and MSVC emits C4005 for each redefinition. A version has to be
// selected by keeping exactly one stanza, not by stacking them.
// ("OFFEST" is a misspelling of OFFSET but is part of the macro name; left as-is.)
// 9.1.7 (25980) version offsets
#define GROUP_PATCH_OFFEST1 0x50B71
#define GROUP_PATCH_OFFEST2 0x50B75
#define GROUP_PATCH_OFFEST3 0x50B7C
#define PRIVATE_PATCH_OFFEST 0x5006C
#define GROUP_PATCH_POINT1 (LPVOID)Patch50B71
#define GROUP_PATCH_POINT2 (LPVOID)Patch50B75
#define GROUP_PATCH_POINT3 (LPVOID)Patch50B7C
#define PRIVATE_PATCH_POINT (LPVOID)Patch5006C
// 9.1.8 (26211) version offsets
// NOTE(review): Patch52FC1 / Patch52FC5 / Patch52FCC / Patch534BC are not
// declared in this file; this stanza would not compile if it were the active one.
#define GROUP_PATCH_OFFEST1 0x52FC1
#define GROUP_PATCH_OFFEST2 0x52FC5
#define GROUP_PATCH_OFFEST3 0x52FCC
#define PRIVATE_PATCH_OFFEST 0x534BC
#define GROUP_PATCH_POINT1 (LPVOID)Patch52FC1
#define GROUP_PATCH_POINT2 (LPVOID)Patch52FC5
#define GROUP_PATCH_POINT3 (LPVOID)Patch52FCC
#define PRIVATE_PATCH_POINT (LPVOID)Patch534BC
// 9.1.9 (26361) version offsets
// NOTE(review): Patch572B0 / Patch572B4 / Patch572BB / Patch577AB are not
// declared in this file either.
#define GROUP_PATCH_OFFEST1 0x572B0
#define GROUP_PATCH_OFFEST2 0x572B4
#define GROUP_PATCH_OFFEST3 0x572BB
#define PRIVATE_PATCH_OFFEST 0x577AB
#define GROUP_PATCH_POINT1 (LPVOID)Patch572B0
#define GROUP_PATCH_POINT2 (LPVOID)Patch572B4
#define GROUP_PATCH_POINT3 (LPVOID)Patch572BB
#define PRIVATE_PATCH_POINT (LPVOID)Patch577AB
// 9.2.0 version offsets
// NOTE(review): Patch570D4 / Patch570D8 / Patch570DF / Patch575CF are not
// declared in this file either.
#define GROUP_PATCH_OFFEST1 0x570D4
#define GROUP_PATCH_OFFEST2 0x570D8
#define GROUP_PATCH_OFFEST3 0x570DF
#define PRIVATE_PATCH_OFFEST 0x575CF
#define GROUP_PATCH_POINT1 (LPVOID)Patch570D4
#define GROUP_PATCH_POINT2 (LPVOID)Patch570D8
#define GROUP_PATCH_POINT3 (LPVOID)Patch570DF
#define PRIVATE_PATCH_POINT (LPVOID)Patch575CF
// 9.2.1 version offsets
// NOTE(review): Patch5AE5B / Patch5AE5F / Patch5AE66 / Patch5B354 are not
// declared in this file either.
#define GROUP_PATCH_OFFEST1 0x5AE5B
#define GROUP_PATCH_OFFEST2 0x5AE5F
#define GROUP_PATCH_OFFEST3 0x5AE66
#define PRIVATE_PATCH_OFFEST 0x5B354
#define GROUP_PATCH_POINT1 (LPVOID)Patch5AE5B
#define GROUP_PATCH_POINT2 (LPVOID)Patch5AE5F
#define GROUP_PATCH_POINT3 (LPVOID)Patch5AE66
#define PRIVATE_PATCH_POINT (LPVOID)Patch5B354
// 9.2.2 (26571) version offsets
// NOTE(review): Patch5BA35 is only 9 bytes, but main() writes 10 bytes from
// PRIVATE_PATCH_POINT, so selecting this stanza reads one byte past the array.
BYTE Patch5B49C[1] = { 0x90 };
BYTE Patch5B4A0[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch5B4A7[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch5BA35[9] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
// 9.3.7 version offsets
// NOTE(review): these four arrays are declared but never referenced — the
// macro stanza that follows still names the 9.2.2 buffers and offsets.
BYTE Patch5E68E[1] = { 0x90 };
BYTE Patch5E692[5] = { 0x90,0x90, 0x90, 0x90, 0x90 };
BYTE Patch5E699[4] = { 0x90,0x90, 0x90, 0x90 };
BYTE Patch5EB87[10] = { 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
#define GROUP_PATCH_OFFEST1 0x5B49C
#define GROUP_PATCH_OFFEST2 0x5B4A0
#define GROUP_PATCH_OFFEST3 0x5B4A7
#define PRIVATE_PATCH_OFFEST 0x5BA35
#define GROUP_PATCH_POINT1 (LPVOID)Patch5B49C
#define GROUP_PATCH_POINT2 (LPVOID)Patch5B4A0
#define GROUP_PATCH_POINT3 (LPVOID)Patch5B4A7
#define PRIVATE_PATCH_POINT (LPVOID)Patch5BA35
// 9.4.5 version offsets
// NOTE(review): this is the stanza that survives, and its POINT macros name
// Patch6285E / Patch62862 / Patch62869 / Patch62D57, none of which is declared
// in this file. As written, main() therefore does not compile unless those
// arrays are declared somewhere else.
#define GROUP_PATCH_OFFEST1 0x6285E
#define GROUP_PATCH_OFFEST2 0x62862
#define GROUP_PATCH_OFFEST3 0x62869
#define PRIVATE_PATCH_OFFEST 0x62D57
#define GROUP_PATCH_POINT1 (LPVOID)Patch6285E
#define GROUP_PATCH_POINT2 (LPVOID)Patch62862
#define GROUP_PATCH_POINT3 (LPVOID)Patch62869
#define PRIVATE_PATCH_POINT (LPVOID)Patch62D57
// Prints the thread's last Win32 error code. It is expanded unconditionally
// after every WriteProcessMemory call in main(), so on success it prints a
// stale or zero value; the value is only meaningful right after a failed call.
#define ERROR_REPORT printf("Error : 0x%08X \n", GetLastError());
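// Enables SE_DEBUG_NAME on the current process token.
// Returns TRUE only when the privilege was actually enabled.
// Fixes relative to the original: the token handle is closed instead of
// leaked; LookupPrivilegeValue's result is checked; and a successful
// AdjustTokenPrivileges call that reports ERROR_NOT_ALL_ASSIGNED (the token
// does not hold the privilege, e.g. a non-elevated process) is reported as
// FALSE instead of TRUE.
BOOL ElevateDebugPrivileges()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    TOKEN_PRIVILEGES tkp = {};
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL ok = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
    if (ok)
    {
        // AdjustTokenPrivileges returns nonzero even when it could not enable
        // every requested privilege; the last error distinguishes the cases.
        ok = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED;
    }

    CloseHandle(hToken);
    return ok ? TRUE : FALSE;
}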
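// Stores the process ID of every running "QQ.exe" into the global QQPID
// array and returns how many were stored.
// Fixes relative to the original: a failed CreateToolhelp32Snapshot
// (INVALID_HANDLE_VALUE) is no longer passed to Process32FirstW, and the
// number of stored IDs is capped at capacity-1. QQPID has 10 slots and the
// original kept writing past them when more matches existed; one slot is
// left at 0 because main() walks QQPID until it meets a 0 entry.
DWORD WINAPI GetQQID()
{
    const size_t kMaxIds = sizeof(QQPID) / sizeof(QQPID[0]) - 1;
    LPCWSTR PROCESSNAME = L"QQ.exe";

    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32W ProcessInfo = {};
    ProcessInfo.dwSize = sizeof(ProcessInfo);

    size_t found = 0;
    for (BOOL bMore = Process32FirstW(hSnapShot, &ProcessInfo);
         bMore && found < kMaxIds;
         bMore = Process32NextW(hSnapShot, &ProcessInfo))
    {
        if (wcscmp(PROCESSNAME, ProcessInfo.szExeFile) == 0)
            QQPID[found++] = ProcessInfo.th32ProcessID;
    }

    CloseHandle(hSnapShot);
    return static_cast<DWORD>(found);
}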
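// Returns the load address of "IM.dll" inside process QQPid, or NULL when the
// process id is 0, the module snapshot cannot be taken, or the module is not
// loaded. The diagnostic message is unchanged from the original.
// Fixes relative to the original: CreateToolhelp32Snapshot signals failure
// with INVALID_HANDLE_VALUE, not 0, so the old `Snapshot == 0` test let a
// failed snapshot reach Module32FirstW; and a QQPid of 0 is rejected before
// the snapshot is taken, so no handle is leaked on that path.
// NOTE(review): TH32CS_SNAPMODULE alone only lists modules matching the
// caller's bitness; verify the build matches the target if this returns NULL
// for a process that clearly has IM.dll loaded.
BYTE* GetIMModuleAddr(ULONG QQPid)
{
    LPCWSTR ModName = L"IM.dll";

    if (QQPid == 0)
    {
        cout << "Invalid Snapshot Handle" << endl;
        return NULL;
    }

    HANDLE Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, QQPid);
    if (Snapshot == INVALID_HANDLE_VALUE)
    {
        cout << "Invalid Snapshot Handle" << endl;
        return NULL;
    }

    MODULEENTRY32W Mod = {};
    Mod.dwSize = sizeof(Mod);

    BYTE* pbModBase = NULL;
    for (BOOL bMore = Module32FirstW(Snapshot, &Mod); bMore; bMore = Module32NextW(Snapshot, &Mod))
    {
        if (wcscmp(ModName, Mod.szModule) == 0)
        {
            pbModBase = Mod.modBaseAddr;
            break;
        }
    }

    CloseHandle(Snapshot);
    return pbModBase;
}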
// Entry point. Enables SeDebugPrivilege, lists running QQ.exe processes,
// then for each one remaps IM.dll's range [base+0x1000, base+0x325000) as
// RWX, writes the four NOP buffers named by the *_PATCH_POINT macros at the
// matching *_PATCH_OFFEST offsets, and restores the previous protection.
int main()
{
    // Return value ignored: a failure here is the most likely cause of a
    // later OpenProcess failure, so it is worth reporting.
    ElevateDebugPrivileges();
    DWORD NumberOfQQ = GetQQID();
    printf("Now %d QQ are Runing.\n \n", NumberOfQQ);
    DWORD OldProtect = 0;
    BYTE i = 0;
    // Walks QQPID until a 0 entry rather than up to NumberOfQQ; if all 10
    // slots were filled this reads QQPID[10], one past the array.
    while (QQPID[i] != 0)
    {
        PBYTE IMBase = GetIMModuleAddr(QQPID[i]);
        if (IMBase != 0)
        {
            // %08X with a pointer argument is only well-defined for a 32-bit
            // build; %p would be portable.
            printf("No. %d QQ's IM.dll BaseAddr is 0x%08X \n", i + 1, IMBase);
        }
        // NOTE(review): the null check above only gates the printf. When
        // IMBase is NULL the protect/write calls below still run with
        // offsets relative to address 0.
        // NOTE(review): the handle is never closed, its failure (NULL) is not
        // checked, and PROCESS_ALL_ACCESS is broader than the
        // PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ that
        // VirtualProtectEx/WriteProcessMemory require.
        HANDLE QQHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, QQPID[i]);
        // Return value unchecked; 0x1000..0x325000 is a hard-coded span that
        // presumably covers the patched region for every listed version —
        // not verified here.
        VirtualProtectEx(QQHandle, (LPVOID)(IMBase + 0x1000), 0x324000, PAGE_EXECUTE_READWRITE, &OldProtect);
        // Each write's BOOL result is ignored; ERROR_REPORT then prints
        // GetLastError() whether or not the write failed, so the reported
        // code can be stale on success.
        WriteProcessMemory(QQHandle, (PVOID)(IMBase + PRIVATE_PATCH_OFFEST), PRIVATE_PATCH_POINT, 10, 0);
        ERROR_REPORT
        WriteProcessMemory(QQHandle, (PVOID)(IMBase + GROUP_PATCH_OFFEST1), GROUP_PATCH_POINT1, 1, 0);
        ERROR_REPORT
        WriteProcessMemory(QQHandle, (PVOID)(IMBase + GROUP_PATCH_OFFEST2), GROUP_PATCH_POINT2, 5, 0);
        ERROR_REPORT
        WriteProcessMemory(QQHandle, (PVOID)(IMBase + GROUP_PATCH_OFFEST3), GROUP_PATCH_POINT3, 4, 0);
        ERROR_REPORT
        // Restores the protection captured by the first VirtualProtectEx;
        // its own result is likewise unchecked.
        VirtualProtectEx(QQHandle, (LPVOID)(IMBase + 0x1000), 0x324000, OldProtect, &OldProtect);
        i++;
    }
    // Windows-only console pause.
    system("pause");
    return 0;
}