进程查找QQ号码

发表于 | 分类于 | 阅读次数:

进程抓取QQ号码

前天翻硬盘的时候,不知道什么时候写的一个C语言版本的通过进程抓取内存关键后面的QQ号码
原理很简单:

  1. 获取系统所有进程,查找QQ进程ID。
  2. 通过进程ID获取应用的内存空间。
  3. 根据内存关键字查找关键字后面的QQ号码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
//#include <iostream.h>
void GetQQ(DWORD dwQQID);
int main(int argc, char* argv[])
{
	PROCESSENTRY32 pe;
	DWORD id = 0;
	DWORD ids[5];
	int idleng =0;
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	pe.dwSize = sizeof(PROCESSENTRY32);
	if( !Process32First(hSnapshot,&pe) )
		return 0;
	do
	{
		pe.dwSize = sizeof(PROCESSENTRY32);
		if( Process32Next(hSnapshot,&pe)==FALSE )
			break;
		if(strcmp(pe.szExeFile,"QQ.exe") == 0)
		{
			ids[idleng] =pe.th32ProcessID;
			idleng++;
			//break;
		}
	} while(1);
	CloseHandle(hSnapshot);
	for (int k=0;k<idleng;k++)
	{
		GetQQ(ids[k]);
	}
	getchar();
	return 0;
}
void GetQQ(DWORD dwQQID)
{
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwQQID); //打开进程
	if (hProcess !=NULL)
	{
		SuspendThread(hProcess);
		DWORD dwBaseAddress;
		MEMORY_BASIC_INFORMATION mbi;
		char   process_mem[ 4096 ]  =   { 0 } ;
		DWORD number_of_bytes_read  =   0 ;
		SYSTEM_INFO si;
		GetSystemInfo( & si);
		int s =0;
		char strqqlent[50];
		char GetQQKey[] ="\\Msg3.0.db";
		dwBaseAddress  =  (DWORD)si.lpMinimumApplicationAddress;
		while (dwBaseAddress  <  (DWORD)si.lpMaximumApplicationAddress)
		{
			mbi.BaseAddress  =  (LPVOID)dwBaseAddress;
			VirtualQueryEx(hProcess, (LPVOID)dwBaseAddress,  & mbi,  sizeof (mbi));
			dwBaseAddress  =  (DWORD)mbi.BaseAddress  +  mbi.RegionSize;
			if (mbi.State  !=  MEM_COMMIT  ||  mbi.AllocationProtect  !=  PAGE_READWRITE)  // 跳过未分配或不可读写的区域
			{
				continue ;
			}
			// 搜索
			for (DWORD i  =  (DWORD)mbi.BaseAddress; i  <  dwBaseAddress; i += 4096 )
			{
				if ( ! ReadProcessMemory(hProcess,LPCVOID(i),process_mem, 4096 , & number_of_bytes_read))
					break ;
				for ( int  j = 0 ;j < 4096   -   sizeof(GetQQKey) ;j ++ )
				{
					if(s >4)
					{
						ResumeThread(hProcess);
						static char strQQ[50];
						for(int m=0;m<s;m++)
						{
							strQQ[m] = strqqlent[s-m-1];
						}
						printf("已经发现QQ号:%s\n",strQQ);
						return;
					}
					//去重复内存中的QQ
					if ( ! memcmp( & process_mem[j], GetQQKey , sizeof(GetQQKey) ) )
					{
						for ( int  k = j - 1 ; k  >  j - 12 ; k -- )
						{
							if (process_mem[k]  >=   '0'   &&  process_mem[k]  <=   '9' )
							{
								process_mem[k];
								strqqlent[s] =process_mem[k];
								s++;
							}
							else{
								break ;
							}
						}
					}
				}
			}
		}
	}
}