适配28060, arm64暂未修复
sysrom committed Sep 20, 2024
1 parent bd48a64 commit 148935a
Showing 5 changed files with 247 additions and 20 deletions.
77 changes: 67 additions & 10 deletions HijackMethod/dllmain.cpp
Expand Up @@ -2,29 +2,36 @@
#include <tlhelp32.h>
#include <psapi.h>
#include <tchar.h>
#include <windows.h>
#include <Windows.h>
#include <aclapi.h>
#include <algorithm>
#include <iostream>
#include <fstream>
#include "nt.h"
#include "scanner.h"
#include "json.hpp"
#define Sig_text "57 41 56 41 55 41 54 56 57 55 53 48 81 ec ?? ?? ?? ?? 0f 29 bc 24 ?? ?? ?? ?? 0f 29 b4 24 ?? ?? ?? ?? 48 8b 05 ?? ?? ?? ?? 48 31 e0 48 89 84 24 ?? ?? ?? ?? b9"
#define Sig_text "57 41 56 41 55 41 54 56 57 55 53 48 81 ec ?? ?? ?? ?? 0f 29 bc 24 ?? ?? ?? ?? 0f 29 b4 24 ?? ?? ?? ?? 48 8b 05 ?? ?? ?? ?? 48 31 e0 48 89 84 24 ?? ?? ?? ?? b9" //Old Sig
#define Sig_text2 "57 41 56 41 55 41 54 56 57 55 53 48 81 ec ?? ?? ?? ?? 0f 29 b4 24 ?? ?? ?? ?? 48 8b 05 ?? ?? ?? ?? 48 31 e0 48 89 84 24 ?? ?? ?? ?? b9"

inline bool mulock1 = false;
inline bool mulock2 = false;

inline bool OldQQ = false;

def_CreateFileW Org_CreateFileW = NULL;
def_ReadFile Org_ReadFile = NULL;
def_GetFileSize Org_GetFileSize = NULL;
def_MessageBoxW Org_MessageBoxW = MessageBoxW;
//def_LoadLibraryExW Org_LoadLibraryExW = LoadLibraryExW;
//def_LoadLibraryExA Org_LoadLibraryExA = LoadLibraryExA;
def_LdrRegisterDllNotification Org_LdrRegisterDllNotification = NULL;


typedef __int64(*def_sub7FF67F97A5A0)();
def_sub7FF67F97A5A0 Org_sub_7FF67F97A5A0 = NULL;

__int64 Hk_sub_7FF67F97A5A0() {
return (unsigned int)"r.json";
return 1;
}

void GetCallStack(std::string& callStack) {
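Review bot: `#include <Windows.h>` duplicates the `#include <windows.h>` immediately above it; on Windows the SDK include guard makes the second one a no-op, but on a case-sensitive toolchain the two spellings name different files, so keep a single spelling. The commented-out `def_LoadLibraryExW`/`def_LoadLibraryExA` lines are dead text that version control already preserves and can be deleted. `Hk_sub_7FF67F97A5A0` carries no comment at all; a one-line header such as `// Replacement installed via MH_CreateHook in Exploit(); always returns a constant` would tell the next reader it is a hook target rather than a utility.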
Expand Down Expand Up @@ -209,8 +216,8 @@ HANDLE WINAPI Hk_CreateFileW(
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
) {

if (wcsstr(lpFileName, L"\\resources\\app\\app_launcher\\index.js") != NULL&& mulock1 !=true&&mulock2!=true)
if (wcsstr(lpFileName, L"\\resources\\app\\app_launcher\\index.js") != NULL&& mulock1 !=true&&mulock2!=true&&OldQQ==true)
{

if (_taccess(L"PatchConfig.json", 0) != 0) {
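Review bot: The condition `mulock1 !=true&&mulock2!=true&&OldQQ==true` compares booleans against `true` and has irregular spacing; write it as `!mulock1 && !mulock2 && OldQQ`. `wcsstr(lpFileName, ...)` is evaluated first, so a caller passing a NULL `lpFileName` would fault inside the hook rather than get an error back from the original function; an `lpFileName != nullptr &&` guard in front of it is cheap. The same condition is changed in the `Hk_CreateFileW` hunk of HijackMethod_x86/dllmain.cpp. `Hk_CreateFileW` begins before this hunk and continues after it.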
Expand Down Expand Up @@ -305,16 +312,37 @@ void Exploit() {
exit(1);
}

static const auto FileVerify_MainPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text));
void* FileVerify_MainPointer = nullptr;
if (OldQQ)
{
FileVerify_MainPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text));
}
else
{
FileVerify_MainPointer = static_cast<void*>(sig(GetModuleHandleA("QQNT.dll"), Sig_text2));
}

HMODULE SelfModule = GetModuleHandleA("dbghelp.dll");
MODULEINFO SelfModuleInfo = { 0 };
GetModuleInformation(GetCurrentProcess(), SelfModule, &SelfModuleInfo, sizeof(SelfModuleInfo));

if ((FileVerify_MainPointer >= SelfModule && FileVerify_MainPointer < SelfModule+SelfModuleInfo.SizeOfImage)) {
MessageBoxA(nullptr, "Sig not found!", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}

if (FileVerify_MainPointer != nullptr) {
if (MH_CreateHook(FileVerify_MainPointer, &Hk_sub_7FF67F97A5A0, reinterpret_cast<LPVOID*>(&Org_sub_7FF67F97A5A0)) != MH_OK) {
MessageBoxA(nullptr, "MH Hook Patch failed!", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}
}


else
{
MessageBoxA(nullptr, "Sig not found!", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}

if (MH_CreateHook(&MessageBoxW, &Hk_MessageBoxW, reinterpret_cast<LPVOID*>(&Org_MessageBoxW)) != MH_OK) {
MessageBoxA(nullptr, "MH Hook MessageBoxW failed!", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
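Review bot: `SelfModule + SelfModuleInfo.SizeOfImage` performs pointer arithmetic on an `HMODULE`, which with the default STRICT handle types is a pointer to a one-`int` struct, so the upper bound advances by `sizeof(HINSTANCE__)` per unit and the excluded range is about four times the image; use the byte address the lookup already provides, `static_cast<char*>(SelfModuleInfo.lpBaseOfDll) + SelfModuleInfo.SizeOfImage`. `GetModuleInformation`'s BOOL result is discarded, and if `GetModuleHandleA("dbghelp.dll")` returns NULL the zero-initialised struct makes the range test vacuously false, so the check silently does nothing; test the return value. The `"Sig not found!"` text in that branch describes a different failure (the pattern matched inside the looked-up module rather than not at all) and should say so. The same expression and message are repeated in the `Exploit` hunk of HijackMethod_x86/dllmain.cpp.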
Expand Down Expand Up @@ -372,19 +400,48 @@ bool IsParentQQ() {
return IsQQ;
}

void CALLBACK DLLNotification(ULONG Reason, PLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context) {
if (Reason == LDR_DLL_NOTIFICATION_REASON_LOADED) {
wprintf(L"[LdrDllNotification] %s\n", NotificationData->Loaded.FullDllName->Buffer);
if (wcsstr(NotificationData->Loaded.FullDllName->Buffer, L"QQNT.dll")!=NULL) {
Exploit();
}
}
return;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
{
//MessageBoxA(nullptr,"Enter Entry","DEBUG",MB_OK);
/***DEBUG
AllocConsole();
freopen("CONIN$", "r", stdin);
freopen("CONOUT$", "w", stdout);
freopen("CONOUT$", "w", stderr);
***/

PVOID Cookie;
Org_LdrRegisterDllNotification = (def_LdrRegisterDllNotification)GetProcAddress(GetModuleHandleA("ntdll.dll"), "LdrRegisterDllNotification");

HANDLE hProc = GetCurrentProcess();
std::wstring processName(MAX_PATH, L'\0');
GetModuleFileNameEx(hProc, nullptr, &processName[0], MAX_PATH);
DisableThreadLibraryCalls(hinstDLL);
if (IsParentQQ() != true || wcsstr(GetCommandLine(), L"--from-multiple-login") != NULL) {
Exploit();

if (_taccess(L"ffmpeg.dll",0)==0)
{
OldQQ = true;
Exploit();
}
else
{
Org_LdrRegisterDllNotification(0, DLLNotification, NULL, &Cookie); //New Exploit
}

return true;
}
else
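Review bot: In `DLLNotification`, `wprintf(L"... %s")` and `wcsstr` read `FullDllName->Buffer` as a NUL-terminated string, but a `UNICODE_STRING` buffer is only guaranteed to be `Length` bytes long, so both may read past it; bound the reads, e.g. `wprintf(L"[LdrDllNotification] %.*s\n", (int)(NotificationData->Loaded.FullDllName->Length / sizeof(WCHAR)), NotificationData->Loaded.FullDllName->Buffer);` and do the substring test on a `std::wstring` built from that many characters. `Org_LdrRegisterDllNotification` is whatever `GetProcAddress` returned and is called without a NULL test, and the NTSTATUS it returns is ignored, so a failed lookup faults inside `DllMain` and a failed registration goes unnoticed. The callback runs on the loader's thread while the loader lock is held, and `Exploit()` from there shows message boxes and calls `exit(1)`, which is risky in that context; at least keep the callback body itself minimal and check the status. The same callback and call site are added in HijackMethod_x86/dllmain.cpp. `DllMain` continues past this hunk.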
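--- a/HijackMethod/nt.h
+++ b/HijackMethod/nt.h
@@ -27,4 +27,63 @@ typedef int(WINAPI* def_MessageBoxW)(
 _In_opt_ LPCWSTR lpText,
 _In_opt_ LPCWSTR lpCaption,
 _In_ UINT uType
 );
+
+typedef HMODULE(WINAPI* def_LoadLibraryExA)(
+_In_ LPCSTR lpLibFileName,
+_Reserved_ HANDLE hFile,
+_In_ DWORD dwFlags
+);
+
+typedef HMODULE(WINAPI* def_LoadLibraryExW)(
+_In_ LPCWSTR lpLibFileName,
+_Reserved_ HANDLE hFile,
+_In_ DWORD dwFlags
+);
+
+
+enum LDR_DLL_NOTIFICATION_REASON
+{
+LDR_DLL_NOTIFICATION_REASON_LOADED = 1,
+LDR_DLL_NOTIFICATION_REASON_UNLOADED = 2,
+};
+
+typedef struct tag_UNICODE_STRING {
+USHORT Length;
+USHORT MaximumLength;
+PWSTR Buffer;
+} __UNICODE_STRING, * PUNICODE_STRING, * PCUNICODE_STRING;
+
+typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
+ULONG Flags; //Reserved.
+PCUNICODE_STRING FullDllName; //The full path name of the DLL module.
+PCUNICODE_STRING BaseDllName; //The base file name of the DLL module.
+PVOID DllBase; //A pointer to the base address for the DLL in memory.
+ULONG SizeOfImage; //The size of the DLL image, in bytes.
+} LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA;
+
+typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
+ULONG Flags; //Reserved.
+PCUNICODE_STRING FullDllName; //The full path name of the DLL module.
+PCUNICODE_STRING BaseDllName; //The base file name of the DLL module.
+PVOID DllBase; //A pointer to the base address for the DLL in memory.
+ULONG SizeOfImage; //The size of the DLL image, in bytes.
+} LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA {
+LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+} LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA;
+
+typedef VOID(CALLBACK* PLDR_DLL_NOTIFICATION_FUNCTION)(
+_In_ ULONG NotificationReason,
+_In_ PLDR_DLL_NOTIFICATION_DATA NotificationData,
+_In_opt_ PVOID Context
+);
+
+typedef NTSTATUS(NTAPI* def_LdrRegisterDllNotification)(
+_In_ ULONG Flags,
+_In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
+_In_opt_ PVOID Context,
+_Out_ PVOID* Cookie
+);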
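Review bot: `__UNICODE_STRING` is a reserved identifier (any name containing a double underscore belongs to the implementation), and `PCUNICODE_STRING` is declared as a pointer to a non-const struct despite the `C` in its name, so the `FullDllName`/`BaseDllName` members are writable where the documented `LDR_DLL_*_NOTIFICATION_DATA` fields are const; replace the closing line with `} MY_UNICODE_STRING, *PUNICODE_STRING;` followed by `typedef const MY_UNICODE_STRING *PCUNICODE_STRING;`. `PUNICODE_STRING` and `PCUNICODE_STRING` are also the names winternl.h uses, so this header will clash if that SDK header is ever included in the same translation unit; a project prefix on these typedefs avoids that. `LDR_DLL_LOADED_NOTIFICATION_DATA` and `LDR_DLL_UNLOADED_NOTIFICATION_DATA` are field-for-field identical, and a comment stating that the duplication deliberately mirrors the Windows definitions would stop a reader from merging them.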
2 changes: 1 addition & 1 deletion HijackMethod_arm64/dllmain.cpp
Expand Up @@ -352,7 +352,7 @@ void InitHookFramework() {
}

void Exploit() {
Org_sub_14032B99C = (def_sub14032B99)static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text));
Org_sub_14032B99C = (def_sub14032B99)static_cast<void*>(sig(GetModuleHandleA("QQNT.dll"), Sig_text));
if (Org_sub_14032B99C == nullptr) {
MessageBoxA(nullptr, "Sig not found!", "ERROR", MB_OK|MB_ICONERROR);
exit(1);
82 changes: 73 additions & 9 deletions HijackMethod_x86/dllmain.cpp
Expand Up @@ -12,10 +12,15 @@
#include <fstream>
#define Sig_text "75 ?? e8 ?? ?? ?? ?? 84 c0 0f 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8"
#define Sig_text2 "75 ?? e8 ?? ?? ?? ?? 84 c0 8d 7d" // Ver <=9.9.12_25765
#define Sig_text3 "85 ?? ?? ?? ?? 80 3d ?? ?? ?? ?? ?? 75 ?? a0 ?? ?? ?? ?? 84 c0 74 ?? b9 ?? ?? ?? ?? 34 ?? 88 41 ?? 8a 01 41 84 c0 75 ?? c6 05 ?? ?? ?? ?? ?? bf ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? 83 c4 ?? 50 57 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 89 c1 6a ?? e8 ?? ?? ?? ?? 89 46 ?? 8b 08 8b 49 ?? 01 c1 8d be ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? 89 f9 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 89 c7" //Ver 28060

inline bool mulock1 = false;
inline bool mulock2 = false;

inline bool OldQQ = false;

def_CreateFileW Org_CreateFileW = NULL;
def_LdrRegisterDllNotification Org_LdrRegisterDllNotification = NULL;

bool IsRunAsAdmin()
{
Expand Down Expand Up @@ -111,7 +116,7 @@ HANDLE WINAPI Hk_CreateFileW(
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
) {
if (wcsstr(lpFileName, L"\\resources\\app\\app_launcher\\index.js") != NULL && mulock1 != true && mulock2 != true)
if (wcsstr(lpFileName, L"\\resources\\app\\app_launcher\\index.js") != NULL && mulock1 != true && mulock2 != true&&OldQQ==true)
{

if (_taccess(L"PatchConfig.json", 0) != 0) {
Expand Down Expand Up @@ -186,23 +191,53 @@ HANDLE WINAPI Hk_CreateFileW(
}

void Exploit() {
static auto JNEPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text));
if (JNEPointer == nullptr) {
JNEPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text2));
void* JNEPointer = nullptr;

if (OldQQ)
{
JNEPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text));
if (JNEPointer == nullptr) {
MessageBoxA(nullptr, "Sig outdated", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
JNEPointer = static_cast<void*>(sig(GetModuleHandleA(NULL), Sig_text2));
if (JNEPointer == nullptr) {
MessageBoxA(nullptr, "Sig outdated", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}
}
}
else
{
JNEPointer = static_cast<void*>(sig(GetModuleHandleA("QQNT.dll"), Sig_text3));
}

HMODULE SelfModule = GetModuleHandleA("dbghelp.dll");
MODULEINFO SelfModuleInfo = { 0 };
GetModuleInformation(GetCurrentProcess(), SelfModule, &SelfModuleInfo, sizeof(SelfModuleInfo));

if ((JNEPointer >= SelfModule && JNEPointer < SelfModule + SelfModuleInfo.SizeOfImage)) {
MessageBoxA(nullptr, "Sig not found!", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}

if (JNEPointer == nullptr) {
MessageBoxA(nullptr, "Sig outdated", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}

static auto JNEPointer2 = static_cast<char*>(JNEPointer);
SIZE_T size = 1;
DWORD oldProtection;
if (!VirtualProtect(JNEPointer, size, PAGE_READWRITE, &oldProtection)) {
MessageBoxA(nullptr, "Failed to change memory protection.", "ERROR", MB_ICONERROR | MB_OK);
exit(1);
}

*JNEPointer2 = 0x74;
if (OldQQ) {
*JNEPointer2 = 0x74;
}
else
{
*JNEPointer2 = 0x84;
}


DWORD oldProtection_;
if (!VirtualProtect(JNEPointer, size, oldProtection, &oldProtection_)) {
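Review bot: `static auto JNEPointer2 = static_cast<char*>(JNEPointer);` keeps the `static` from the version in which `JNEPointer` was itself static, but `JNEPointer` is now recomputed on every call, so `JNEPointer2` is initialised on the first call only and any later call would write through the stale pointer; drop the keyword: `auto JNEPointer2 = static_cast<char*>(JNEPointer);`. The `JNEPointer == nullptr` test sits after the module-range comparison; with a null pointer the range test evaluates false so the order is not wrong, but placing the null test first reads as fail-fast. The `"Sig outdated"` text is used twice in this hunk for different conditions; distinct messages tell the reader which branch failed. `Exploit` continues past this hunk.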
Expand Down Expand Up @@ -268,18 +303,47 @@ bool IsParentQQ() {
return IsQQ;
}

void CALLBACK DLLNotification(ULONG Reason, PLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context) {
if (Reason == LDR_DLL_NOTIFICATION_REASON_LOADED) {

wprintf(L"[LdrDllNotification] %s\n", NotificationData->Loaded.FullDllName->Buffer);
if (wcsstr(NotificationData->Loaded.FullDllName->Buffer, L"QQNT.dll") != NULL) {
Exploit();
}
}
return;
}


BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
{
//MessageBoxA(nullptr,"Enter Entry","DEBUG",MB_OK);


PVOID Cookie;
Org_LdrRegisterDllNotification = (def_LdrRegisterDllNotification)GetProcAddress(GetModuleHandleA("ntdll.dll"), "LdrRegisterDllNotification");

HANDLE hProc = GetCurrentProcess();
std::wstring processName(MAX_PATH, L'\0');
GetModuleFileNameEx(hProc, nullptr, &processName[0], MAX_PATH);
DisableThreadLibraryCalls(hinstDLL);
if (IsParentQQ() != true || wcsstr(GetCommandLine(), L"--from-multiple-login") != NULL) {
Exploit();

if (_taccess(L"ffmpeg.dll", 0) == 0)
{
OldQQ = true;
Exploit();
}
else
{
Org_LdrRegisterDllNotification(0, DLLNotification, NULL, &Cookie); //New Exploit
}


return true;
}
else

0 comments on commit 148935a
