From 483b1505f5d1166cbc31306bb9f2b1704b683989 Mon Sep 17 00:00:00 2001
From: sysrom <88297660+sysrom@users.noreply.github.com>
Date: Sat, 30 Mar 2024 17:51:45 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BB=A5=E5=8F=96=E7=88=B6=E8=BF=9B=E7=A8=8BPI?=
 =?UTF-8?q?D=E6=9E=9A=E4=B8=BE=E6=A8=A1=E5=9D=97=E5=88=A4=E6=96=AD?=
 =?UTF-8?q?=E6=98=AF=E5=90=A6=E4=B8=BAQQ=E7=9A=84=E5=AD=90=E8=BF=9B?=
 =?UTF-8?q?=E7=A8=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 HijackMethod/dllmain.cpp | 48 +++++++++++++++++++++++++++++++---
 HijackMethod_x86/dllmain.cpp | 50 ++++++++++++++++++++++++++++++++----
 2 files changed, 89 insertions(+), 9 deletions(-)
diff --git a/HijackMethod/dllmain.cpp b/HijackMethod/dllmain.cpp
index 45c741f..e421390 100644
--- a/HijackMethod/dllmain.cpp
+++ b/HijackMethod/dllmain.cpp
@@ -1,5 +1,7 @@
 #include
+#include
 #include
+#include
 #include "nt.h"
 #include "scanner.h"
 #define Sig_text "57 41 56 41 55 41 54 56 57 55 53 48 81 ec ?? ?? ?? ?? 0f 29 bc 24 ?? ?? ?? ?? 0f 29 b4 24 ?? ?? ?? ?? 48 8b 05 ?? ?? ?? ?? 48 31 e0 48 89 84 24 ?? ?? ?? ?? b9"
@@ -30,6 +32,47 @@ void Exploit() {
 }
 }
 
+DWORD GetParentProcessID() {
+ HANDLE hSnapshot;
+ PROCESSENTRY32 pe32;
+ DWORD ppid = 0, pid = GetCurrentProcessId();
+
+ hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+ if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
+
+ pe32.dwSize = sizeof(PROCESSENTRY32);
+ if (Process32First(hSnapshot, &pe32)) {
+ do {
+ if (pe32.th32ProcessID == pid) {
+ ppid = pe32.th32ParentProcessID;
+ break;
+ }
+ } while (Process32Next(hSnapshot, &pe32));
+ }
+
+ CloseHandle(hSnapshot);
+ return ppid;
+}
+
+bool IsParentQQ() {
+ DWORD parentPID = GetParentProcessID();
+ TCHAR szProcessName[MAX_PATH] = TEXT("U N K N O W N");
+ bool isExplorer = false;
+
+ HANDLE hParentProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, parentPID);
+ if (hParentProcess) {
+ HMODULE hMod;
+ DWORD cbNeeded;
+ if (EnumProcessModules(hParentProcess, &hMod, sizeof(hMod), &cbNeeded)) {
+ GetModuleBaseName(hParentProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
+ isExplorer = (_tcsicmp(szProcessName, TEXT("QQ.exe")) == 0);
+ }
+ CloseHandle(hParentProcess);
+ }
+
+ return isExplorer;
+}
+
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 {
 switch (fdwReason)
@@ -40,10 +83,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 std::wstring processName(MAX_PATH, L'\0');
 GetModuleFileNameEx(hProc, nullptr, &processName[0], MAX_PATH);
 DisableThreadLibraryCalls(hinstDLL);
- if (processName.find(L"QQ.exe") != std::wstring::npos) {
- if (wcsstr(GetCommandLine(), L"--") != NULL) {
- return true;
- }
+ if (IsParentQQ()!=true) {
 Exploit();
 return true;
 }
diff --git a/HijackMethod_x86/dllmain.cpp b/HijackMethod_x86/dllmain.cpp
index 5aa8480..3d585c5 100644
--- a/HijackMethod_x86/dllmain.cpp
+++ b/HijackMethod_x86/dllmain.cpp
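Review bot: `isExplorer` in the new `IsParentQQ()` is misnamed — it holds the result of `_tcsicmp(szProcessName, TEXT("QQ.exe")) == 0`, so a reader expects an explorer.exe check that is not there; `bool isQQ = false;` plus a one-line header comment, `// True when the base name of the first module EnumProcessModules returns for the parent is "QQ.exe" (case-insensitive); false otherwise, including when the parent PID is 0 or OpenProcess fails.`, would state the contract the caller in DllMain relies on. The two helpers are also written with the TCHAR-generic `TCHAR`/`TEXT()`/`_tcsicmp` family while the rest of this file is explicitly wide (`std::wstring processName(MAX_PATH, L'\0')` filled by `GetModuleFileNameEx` in DllMain), so the comparison's character width now depends on the `UNICODE` define rather than matching the surrounding code; `wchar_t`, `L"QQ.exe"` and `_wcsicmp` would keep it consistent. This commit adds the same forty lines verbatim to HijackMethod_x86/dllmain.cpp; moving `GetParentProcessID`/`IsParentQQ` into a shared header or source would keep the two copies from drifting.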
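Review bot: The new line `if (IsParentQQ()!=true) {` compares a bool against `true`; `if (!IsParentQQ()) {` is the idiomatic form. The removed lines were the only visible use of `processName`, so the context lines `std::wstring processName(MAX_PATH, L'\0');` and `GetModuleFileNameEx(hProc, nullptr, &processName[0], MAX_PATH);` now compute a value nothing in the hunk reads — dead code on the DllMain path unless it is consumed further down, which is outside the hunk. DllMain begins and ends outside this hunk. The identical change to HijackMethod_x86/dllmain.cpp carries the same two points.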
@@ -1,5 +1,7 @@
 #include "scanner.h"
-#include
+#include
+#include
+#include
 #define Sig_text "75 ?? e8 ?? ?? ?? ?? 84 c0 0f 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8"
@@ -22,6 +24,47 @@ void Exploit() {
 }
 }
 
+DWORD GetParentProcessID() {
+ HANDLE hSnapshot;
+ PROCESSENTRY32 pe32;
+ DWORD ppid = 0, pid = GetCurrentProcessId();
+
+ hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+ if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
+
+ pe32.dwSize = sizeof(PROCESSENTRY32);
+ if (Process32First(hSnapshot, &pe32)) {
+ do {
+ if (pe32.th32ProcessID == pid) {
+ ppid = pe32.th32ParentProcessID;
+ break;
+ }
+ } while (Process32Next(hSnapshot, &pe32));
+ }
+
+ CloseHandle(hSnapshot);
+ return ppid;
+}
+
+bool IsParentQQ() {
+ DWORD parentPID = GetParentProcessID();
+ TCHAR szProcessName[MAX_PATH] = TEXT("U N K N O W N");
+ bool isExplorer = false;
+
+ HANDLE hParentProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, parentPID);
+ if (hParentProcess) {
+ HMODULE hMod;
+ DWORD cbNeeded;
+ if (EnumProcessModules(hParentProcess, &hMod, sizeof(hMod), &cbNeeded)) {
+ GetModuleBaseName(hParentProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
+ isExplorer = (_tcsicmp(szProcessName, TEXT("QQ.exe")) == 0);
+ }
+ CloseHandle(hParentProcess);
+ }
+
+ return isExplorer;
+}
+
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 {
 switch (fdwReason)
@@ -32,10 +75,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 std::wstring processName(MAX_PATH, L'\0');
 GetModuleFileNameEx(hProc, nullptr, &processName[0], MAX_PATH);
 DisableThreadLibraryCalls(hinstDLL);
- if (processName.find(L"QQ.exe") != std::wstring::npos) {
- if (wcsstr(GetCommandLine(), L"--") != NULL) {
- return true;
- }
+ if (IsParentQQ()!=true) {
 Exploit();
 return true;
 }