进程查找QQ号码

进程抓取QQ号码

前天翻硬盘的时候，翻出一个不知道什么时候写的C语言版本程序：通过进程内存中的关键字，抓取关键字后面的QQ号码。
原理很简单:

  1. 获取系统所有进程,查找QQ进程ID。
  2. 通过进程ID获取应用的内存空间。
  3. 根据内存关键字查找关键字后面的QQ号码。

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
//#include <iostream.h>
void GetQQ(DWORD dwQQID);
// Entry point: takes a Toolhelp process snapshot, collects the process ID of
// every entry whose image name is "QQ.exe" into ids[], then calls GetQQ() for
// each collected ID and waits for a keypress before exiting.
// NOTE(review): ids[] has 5 slots and idleng is never bounds-checked before
// the store, so a sixth matching process would write past the array.
// NOTE(review): CreateToolhelp32Snapshot can return INVALID_HANDLE_VALUE; the
// handle is handed to Process32First without being checked.
// NOTE(review): the entry filled in by Process32First is never compared
// against "QQ.exe" — only entries returned by Process32Next are examined.
int main(int argc, char* argv[])
{
PROCESSENTRY32 pe;
DWORD id = 0; // unused
DWORD ids[5]; // process IDs of matching entries, filled below
int idleng =0; // number of valid entries in ids[]
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize = sizeof(PROCESSENTRY32); // must be set before every Toolhelp call
if( !Process32First(hSnapshot,&pe) )
return 0;
do
{
pe.dwSize = sizeof(PROCESSENTRY32);
if( Process32Next(hSnapshot,&pe)==FALSE )
break; // end of snapshot (or error); both end the loop the same way
if(strcmp(pe.szExeFile,"QQ.exe") == 0)
{
ids[idleng] =pe.th32ProcessID;
idleng++;
//break;
}
} while(1);
CloseHandle(hSnapshot);
for (int k=0;k<idleng;k++)
{
GetQQ(ids[k]);
}
getchar(); // keep the console window open until a key is pressed
return 0;
}
// Opens process dwQQID with PROCESS_ALL_ACCESS and walks its user address
// space (lpMinimumApplicationAddress .. lpMaximumApplicationAddress) with
// VirtualQueryEx, reading each committed PAGE_READWRITE region one 4096-byte
// page at a time with ReadProcessMemory. Inside each page it looks for the
// byte string "\\Msg3.0.db" (NUL included, since sizeof is used) and collects
// the run of ASCII digits immediately *preceding* the match. Once more than
// four digits have been collected across all pages it reverses them into
// strQQ, prints the result and returns.
//
// From a defender's point of view this is the classic cross-process memory
// read: OpenProcess with PROCESS_ALL_ACCESS on a foreign PID followed by
// VirtualQueryEx/ReadProcessMemory sweeps. That call sequence is exactly what
// process-access auditing and EDR hooks on OpenProcess/ReadProcessMemory
// report; it also presumably requires the caller to have access to the target
// (same user or a debug privilege) — not shown here, confirm for the intended
// environment.
//
// NOTE(review): SuspendThread/ResumeThread take a *thread* handle but are
// given the process handle, so they presumably fail rather than suspend
// anything; their return values are not checked.
// NOTE(review): hProcess is never passed to CloseHandle on any path (handle
// leak, one per call).
// NOTE(review): the digit scan at `for ( int k = j - 1 ; k > j - 12 ; k -- )`
// runs k negative when a match sits within the first 11 bytes of the page
// (j < 11), indexing process_mem[] before its start — an out-of-bounds read.
// NOTE(review): `process_mem[k];` on its own line is a no-op expression.
// NOTE(review): the `s > 4` check runs at the top of the next j iteration, so
// a match found on the final iteration of a page is only printed when a later
// page/region is processed; s persists across pages, so digits from different
// matches may be concatenated into one result.
// NOTE(review): strQQ is static and zero-initialised once; it is overwritten
// in place and never explicitly NUL-terminated, so a result shorter than an
// earlier one could presumably keep stale trailing digits — verify.
void GetQQ(DWORD dwQQID)
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwQQID); // open the target process
if (hProcess !=NULL)
{
SuspendThread(hProcess);
DWORD dwBaseAddress;
MEMORY_BASIC_INFORMATION mbi;
char process_mem[ 4096 ] = { 0 } ; // one page of the remote process
DWORD number_of_bytes_read = 0 ;
SYSTEM_INFO si;
GetSystemInfo( & si); // gives the application address range walked below
int s =0; // number of digits collected so far (reverse order)
char strqqlent[50]; // collected digits, last-before-key first
char GetQQKey[] ="\\Msg3.0.db"; // search key; sizeof includes the NUL
dwBaseAddress = (DWORD)si.lpMinimumApplicationAddress;
while (dwBaseAddress < (DWORD)si.lpMaximumApplicationAddress)
{
mbi.BaseAddress = (LPVOID)dwBaseAddress;
VirtualQueryEx(hProcess, (LPVOID)dwBaseAddress, & mbi, sizeof (mbi)); // return value unchecked
dwBaseAddress = (DWORD)mbi.BaseAddress + mbi.RegionSize; // advance to the next region
if (mbi.State != MEM_COMMIT || mbi.AllocationProtect != PAGE_READWRITE) // skip regions that are not committed or not read/write
{
continue ;
}
// scan the region one 4096-byte page at a time
for (DWORD i = (DWORD)mbi.BaseAddress; i < dwBaseAddress; i += 4096 )
{
if ( ! ReadProcessMemory(hProcess,LPCVOID(i),process_mem, 4096 , & number_of_bytes_read))
break ; // a failed read abandons the rest of this region
for ( int j = 0 ;j < 4096 - sizeof(GetQQKey) ;j ++ )
{
if(s >4)
{
ResumeThread(hProcess);
static char strQQ[50];
// digits were collected walking backwards, so reverse them here
for(int m=0;m<s;m++)
{
strQQ[m] = strqqlent[s-m-1];
}
printf("已经发现QQ号:%s\n",strQQ);
return;
}
// (original comment: de-duplicate the QQ numbers in memory) — the code
// below only matches the key and collects the digits in front of it
if ( ! memcmp( & process_mem[j], GetQQKey , sizeof(GetQQKey) ) )
{
// walk backwards from the byte before the match, at most 11 bytes
for ( int k = j - 1 ; k > j - 12 ; k -- )
{
if (process_mem[k] >= '0' && process_mem[k] <= '9' )
{
process_mem[k];
strqqlent[s] =process_mem[k];
s++;
}
else{
break ; // first non-digit ends the run
}
}
}
}
}
}
}
}