I am not a Tencent shill; I am just an ordinary software development engineer.
I am posting this not to argue about who is right or wrong in the 360 dispute, but to use technical means to show that QQ does not
snoop on users' privacy the way 360 claims. What QQ scans are EXEs, DLLs and its own private data. Technically speaking, as long as
you do not write virus code into those EXEs and DLLs, this poses no threat to the user.
I am a developer, so I am writing out the whole process of tracing QQ and listing the source code, so that nobody can say I faked it.
The steps are below. If you do not understand something, you can contact me on QQ:
13862956, and I will tell you the whole truth.
This program can actually be used to trace 360 as well, if you have some development experience.
First I need to introduce Detours. This is a library from Microsoft Research for hooking at the API level; with it you can
trace every Windows API call a process makes. QQ has to go through the Windows API too, so it cannot avoid the function that
opens files, namely CreateFileW. As for why I talk about CreateFileW rather than OpenFile() or CreateFileA,
I will not go into it here; if you do not understand why I hook CreateFileW, you do not yet understand the Windows kernel.
Enough talk; below is the whole process of writing the program.
1. First, download Detours Express 2.1 from Microsoft's site:
http://research.microsoft.com/en-us/projects/detours/
2. Install the downloaded DetoursExpress.msi, accepting the default directory.
3. Install a compiler. If your machine has no VS200X (X = 3, 5, 8 or 10) and no VC6,
install one of them first; when installing VC6 remember to register the environment variables.
4. Open a command prompt. Use the Visual Studio command prompt (or run vcvars32.bat) so that nmake and cl are on the PATH;
a plain cmd.exe will not find them.
5. Change into the Detours Express install directory, normally C:\Program Files\Microsoft Research\Detours Express 2.1\
and type nmake. This builds Detours Express and produces the LIB, INCLUDE and BIN outputs.
6. After the build, the header files and the library files are in
C:\Program Files\Microsoft Research\Detours Express 2.1\INCLUDE and
C:\Program Files\Microsoft Research\Detours Express 2.1\LIB respectively, and
C:\Program Files\Microsoft Research\Detours Express 2.1\BIN contains DETOURED.DLL.
Copy that DLL into the system directory, normally C:\WINDOWS\SYSTEM32, so that any hooked process can load it (Detours 2.x
requires detoured.dll to be loadable by the target).
7. Open VS or VC6 and add the INCLUDE and LIB directories above to your include and library path settings.
8. In VS or VC6 create a new dynamic-link library project. It must be a DLL project.
Copy the source below into the project's main file, overwriting what is there, and turn off the precompiled-header option
(the listing does not include stdafx.h).
// HookQQ.cpp : Defines the entry point for the DLL application.
//
// Build as a DLL with precompiled headers turned off. Once loaded into QQ.exe
// it records every path passed to CreateFileW into d:\outqq.txt.
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"detoured.lib")

// Trampolines: initially the real entry points; after DetourAttach they point
// at Detours' copies of the original prologues, so calling them bypasses the hook.
static HANDLE (WINAPI *TrueCreateFileA)(
LPCSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)=CreateFileA;
static HANDLE (WINAPI *TrueCreateFileW)(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)=CreateFileW;

// Append one line to d:\outqq.txt. The log is opened through the trampoline
// (TrueCreateFileW), not CreateFileW, so writing the log does not re-enter the hook.
// The "QQ_OpenFileA" tag is kept exactly as in the listing further down even though
// the line is produced by the CreateFileW hook.
static void WriteLogo(const char *lpFileName)
{
HANDLE FHandle;
FHandle=TrueCreateFileW(L"d:\\outqq.txt",GENERIC_WRITE|GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(FHandle==INVALID_HANDLE_VALUE)
{
FHandle=TrueCreateFileW(L"d:\\outqq.txt",GENERIC_WRITE|GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_NEW,FILE_ATTRIBUTE_NORMAL,NULL);
}
if (FHandle!=INVALID_HANDLE_VALUE)
{
SYSTEMTIME st;
DWORD ws=0;
char Str[1024+64];   // room for a 1023-byte path plus the tag and timestamp
GetLocalTime(&st);
// Bounded formatting: sprintf into a 1024-byte buffer could overflow on a long path.
_snprintf(Str,sizeof(Str)-1,"QQ_OpenFileA,%04d-%02d-%02d %02d:%02d:%02d:%s\r\n",
st.wYear,
st.wMonth,
st.wDay,
st.wHour,
st.wMinute,
st.wSecond,
lpFileName);
Str[sizeof(Str)-1]=0;
SetFilePointer(FHandle,0,NULL,FILE_END);
WriteFile(FHandle,Str,(DWORD)strlen(Str),&ws,NULL);
CloseHandle(FHandle);
}
}

// Detour for CreateFileW: log the name, then call the original.
static HANDLE WINAPI RealCreateFileW(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)
{
// Preserve the caller's last-error value; the logging calls must not disturb it.
DWORD lastErrorCode = GetLastError();
if (lpFileName != NULL)
{
CHAR fname[1024];
memset(fname,0,sizeof(fname));
// Convert to the ANSI code page (CP_ACP); the log is therefore in the system code page.
WideCharToMultiByte(CP_ACP,0,lpFileName,(int)wcslen(lpFileName),fname,sizeof(fname)-1,NULL,NULL);
_strupr(fname);
WriteLogo(fname);
}
SetLastError(lastErrorCode);
return TrueCreateFileW(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
}

// Detour for CreateFileA: plain pass-through. On NT-based Windows kernel32's
// CreateFileA converts the name and calls CreateFileW, so the W hook already
// records these opens; this hook is kept only so the A/W pair is symmetric.
static HANDLE WINAPI RealCreateFileA(
LPCSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)
{
return TrueCreateFileA(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
LONG error;
(void)hinst;
(void)reserved;
// AppInit_DLLs loads this DLL into every process that links user32.dll, so
// only install the hooks when the host executable really is QQ.exe. The host's
// own image path is checked rather than the command line, which could contain
// "QQ.EXE" as an argument of some other program.
char PathName[MAX_PATH+1];
memset(PathName,0,sizeof(PathName));
GetModuleFileNameA(NULL,PathName,sizeof(PathName)-1);
_strupr(PathName);
if (strstr(PathName,"\\QQ.EXE")==NULL)return TRUE;   // not QQ: stay loaded but inert
if (dwReason == DLL_PROCESS_ATTACH)
{
DetourRestoreAfterWith();
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)TrueCreateFileA,RealCreateFileA);
DetourAttach(&(PVOID&)TrueCreateFileW,RealCreateFileW);
error = DetourTransactionCommit();
(void)error;   // if the commit fails the trampolines are left untouched and nothing is logged
}
if (dwReason == DLL_PROCESS_DETACH)
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)TrueCreateFileA,RealCreateFileA);
DetourDetach(&(PVOID&)TrueCreateFileW,RealCreateFileW);
error = DetourTransactionCommit();
(void)error;
}
return TRUE;
}
//
///////////////////////////////////////////////////////////////// End of File.
Then build the project to produce a DLL. This DLL is what we use to trace which files QQ.EXE opens. Note what it does and
does not see: it records only opens that reach kernel32's CreateFileW (which, on NT-based Windows, CreateFileA also routes
through). Directory enumeration via FindFirstFile and direct calls into ntdll (NtCreateFile / NtOpenFile) do not pass through
this hook, so the log is a record of CreateFile opens, not of every file the process touched.
9. Copy the generated DLL to the root of C:\ (for now I am using the name HOOKQQ.DLL).
10. Close any QQ that is currently running.
11. Edit the registry. The value below is for XP; on Vista/Win7 the DWORD value LoadAppInit_DLLs under the same key must also
be set to 1, and on Win7 an unsigned DLL is only loaded if RequireSignedAppInit_DLLs is 0.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\]
"AppInit_DLLs"="C:\HOOKQQ.DLL"
(That is the value as typed into regedit; in a .reg file the backslash must be doubled, "C:\\HOOKQQ.DLL".)
12. Start QQ. At this point the hook DLL is loaded into the process and has hooked all of QQ's file-open calls.
13. So as not to affect other programs, open the registry key again and set AppInit_DLLs back to empty, but do not close QQ.
The hooks live inside the QQ process, so clearing the value only stops the DLL being loaded into processes started afterwards.
14. You will now find D:\OUTQQ.TXT, which records every file QQ has opened. The file is written in the system ANSI code page
(the hook converts names with CP_ACP), so non-ASCII paths appear in that encoding.
Below is the list of files QQ scanned on my machine:
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\WINDOWSSHELL.MANIFEST
QQ_OpenFileA,2010-11-04 12:37:21:\\.\WMIDATADEVICE
QQ_OpenFileA,2010-11-04 12:37:21:\\.\WMIDATADEVICE
QQ_OpenFileA,2010-11-04 12:37:21:\\.\IP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\BIN\VI.DAT
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\BIN\QQ.EXE
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\PLATFORM.TPC
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\I18N\CONFIG.XML
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\COMMON.XML.TXD
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\KERNEL.XML.TXD
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\APP.XML.TXD
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\GF-CONFIG.XML
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\REGISTRATION\R000000000008.CLB
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MSXML3R.DLL
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\THEMES\DEFAULT.RDB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\I18N\2052\GFSTRINGBUNDLE.XML.ENC
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\I18N\2052\GFSTRINGBUNDLE.XML
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\I18N\2052\PRELOADSTRINGBUNDLE.XML.ENC
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\I18N\2052\PRELOADSTRINGBUNDLE.XML
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\TESTFILE29549
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\DATA.RDB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MSCTFIME.IME
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MSCTFIME.IME
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\MAINPANEL_MAINFRAMETITLE_FILE.PNG
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\MAINPANEL_MAINFRAMETITLE_FILE.PNG
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\XTML.RDB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\MAINPANEL_MAINFRAMETITLE_FILE.PNG
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\MAINPANEL_MAINFRAMETITLE_FILE.PNG
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\LOGOFILE\2052\LOGINING.GIF
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\LOGOFILE\2052\LOGINING.GIF
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\LOGOFILE\2052\LOGINING.GIF
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\LOGOFILE\2052\LOGINING.GIF
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\LOGINPANEL_WINDOW_WINDOWBKG.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\ALL_WINDOW_SIZEGRIPFILE.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MIN_NORMALBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MIN_HIGHLIGHTBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MIN_PUSHEDBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\RES.RDB
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MAX_NORMALBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MAX_HIGHLIGHTBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_MAX_PUSHEDBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FLASH10H.OCX
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FLASH10H.OCX
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_RESTORE_NORMAL.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_RESTORE_HIGHLIGHTBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_RESTORE_PUSHEDBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:\\?\C:\WINDOWS\SYSTEM32\MACROMED\FLASH\SS.SGN
QQ_OpenFileA,2010-11-04 12:37:21:\\?\C:\WINDOWS\SYSTEM32\MACROMED\FLASH\SS.CFG
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_COLSE_NORMAL.BMP
QQ_OpenFileA,2010-11-04 12:37:21:\\?\C:\WINDOWS\SYSTEM32\MACROMED\FLASH\SS.SGN
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\MISC\LOGINPANEL\BUTTON_CLOSE_HIGHLIGHTBACKGROUND.BMP
QQ_OpenFileA,2010-11-04 12:37:21:\\?\C:\WINDOWS\SYSTEM32\MACROMED\FLASH\MMS.CFG
There are too many files to list them all, but everyone can try it themselves with the source I have given. If you do not know how to develop, contact me; I will teach you, so you can see for yourself that QQ is not snooping on our privacy.
Also, think about this: why can 360 be free? Where does its money come from? I can only say two words: "protection money".
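The listing above is the raw output of the hook; the claim the post makes about it (everything opened is under the QQ install tree, under the Windows tree, or a device handle) is easier to check mechanically than by eye. The following is an added example written for this edit, not code from the original post: it parses the exact line format WriteLogo() writes, strips the \\?\ long-path prefix, sorts each path into one of four classes, and flags anything outside the two expected trees. The directory roots are assumptions taken from the paths in the author's log, and the sample log is constructed for the example: it reuses eight lines from the listing plus one made-up line under Documents and Settings, included only so that the "other" class is exercised.

```python
import re
from collections import Counter

# Log line format written by WriteLogo() in HookQQ.cpp:
#   QQ_OpenFileA,YYYY-MM-DD HH:MM:SS:<upper-cased path>
LINE_RE = re.compile(r"^QQ_OpenFileA,(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(.+)$")

# Directory roots treated as expected for the client starting up.
# ASSUMPTION: taken from the paths in the author's log; adjust for your install.
QQ_DIR = "C:\\PROGRAM FILES\\TENCENT\\QQ\\"
WINDOWS_DIR = "C:\\WINDOWS\\"


def normalize(path):
    """Drop the \\\\?\\ extended-length prefix so such paths classify like plain ones."""
    if path.startswith("\\\\?\\"):
        return path[4:]
    return path


def classify(path):
    p = normalize(path).upper()      # the DLL already upper-cases; be safe anyway
    if p.startswith("\\\\.\\"):
        return "device"              # \\.\IP, \\.\WMIDATADEVICE: driver handles, not files
    if p.startswith(QQ_DIR):
        return "qq_install"
    if p.startswith(WINDOWS_DIR):
        return "windows"
    return "other"                   # outside both trees: this is what you want to look at


def parse_log(text):
    """Return (timestamp, path) pairs; lines not in the hook's format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2)))
    return records


def summarize(text):
    records = parse_log(text)
    paths = [p for _, p in records]
    counts = Counter(paths)
    by_class = Counter(classify(p) for p in paths)
    flagged = sorted(p for p in counts if classify(p) == "other")
    most = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "total": len(records),
        "unique": len(counts),
        "by_class": dict(by_class),
        "flagged": flagged,
        "most_opened": most,
    }


# Constructed sample: eight lines from the author's listing plus one made-up
# Documents and Settings line (not from the real log) to exercise the "other" class.
SAMPLE_LOG = r"""
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\WINDOWSSHELL.MANIFEST
QQ_OpenFileA,2010-11-04 12:37:21:\\.\WMIDATADEVICE
QQ_OpenFileA,2010-11-04 12:37:21:\\.\IP
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\BIN\QQ.EXE
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:C:\WINDOWS\SYSTEM32\MSXML3R.DLL
QQ_OpenFileA,2010-11-04 12:37:21:C:\PROGRAM FILES\TENCENT\QQ\USERS\ALL USERS\QQ\REGISTRY.DB
QQ_OpenFileA,2010-11-04 12:37:21:\\?\C:\WINDOWS\SYSTEM32\MACROMED\FLASH\SS.SGN
QQ_OpenFileA,2010-11-04 12:37:21:C:\DOCUMENTS AND SETTINGS\USER\DESKTOP\NOTES.TXT
this line is not in the log format and is skipped
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("opens: %d, distinct paths: %d" % (report["total"], report["unique"]))
    for cls, n in sorted(report["by_class"].items()):
        print("  %-11s %d" % (cls, n))
    print("most opened:", report["most_opened"])
    for p in report["flagged"]:
        print("FLAGGED (outside QQ and Windows trees):", p)
```

To run it on a real d:\outqq.txt, read the file with the system ANSI code page the hook writes in (for a Simplified Chinese system, open(path, encoding="gbk", errors="replace")) and pass the text to summarize(). Anything in the flagged list is a path the post's argument does not cover and is what to inspect next.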