/******************************************************************************
* FunctionName : strtmac
*******************************************************************************/
void ICACHE_FLASH_ATTR strtomac(uint8 *s, uint8 *macaddr)
{
uint8 pbuf[4];
s = cmpcpystr(pbuf, s, 0, ':', 3);
*macaddr++ = hextoul(pbuf);
int i = 4;
while(i--) {
s = cmpcpystr(pbuf, s, ':', ':', 3);
*macaddr++ = hextoul(pbuf);
}
s = cmpcpystr(pbuf, s, ':', ' ', 3);
*macaddr++ = hextoul(pbuf);
}
// bool convert_para_str(uint32 * dest, uint8 *s);
uint32 ICACHE_FLASH_ATTR ahextoul(uint8 *s)
{
/*
uint32 ret;
if(!convert_para_str(&ret, s)) return 0;
return ret;
*/
if((s[0]=='0') && ((s[1] | 0x20) =='x')) return hextoul(s+2);
return atoi(s);
}
/******************************************************************************
* FunctionName : ahextoul
* Convert str in decimal/hex/bool format to uint32
******************************************************************************/
uint32 ICACHE_FLASH_ATTR ahextoul(uint8 *s)
{
if((s[0]=='0') && ((s[1] | 0x20) =='x')) return hextoul(s+2);
if(os_strncmp(s, "true", 4) == 0) return 1;
return rom_atoi(s);
}
/*
* SfExtractDropper
*
* Purpose:
*
* Extract Sirefef/ZeroAccess from image resource.
*
* CNG variant
*
*/
UINT SfExtractDropper(
LPWSTR lpCommandLine
)
{
BOOL cond = FALSE, bSuccess = FALSE;
ULONG c, uKey = 0, imagesz;
WCHAR szInputFile[MAX_PATH + 1];
WCHAR szOutputFile[MAX_PATH + 1];
WCHAR szKey[MAX_PATH];
PVOID ImageBase = NULL, EncryptedData = NULL, DecryptedData = NULL;
IStream *pImageStream = NULL;
ULONG_PTR gdiplusToken = 0;
GdiplusStartupInput input;
GdiplusStartupOutput output;
PVOID BitmapPtr = NULL;
GdiPlusBitmapData BitmapData;
GdiPlusRect rect;
SIZE_T sz;
PULONG ptr, i_ptr;
//input file
c = 0;
RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));
GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);
if (c == 0) {
SfcuiPrintText(g_ConOut,
T_SFEXTRACTUSAGE,
g_ConsoleOutput, FALSE);
return (UINT)-1;
}
//output file
c = 0;
RtlSecureZeroMemory(&szOutputFile, sizeof(szOutputFile));
GetCommandLineParam(lpCommandLine, 2, (LPWSTR)&szOutputFile, MAX_PATH, &c);
if (c == 0) {
_strcpy(szOutputFile, TEXT("extracted.bin"));
}
//key
c = 0;
RtlSecureZeroMemory(&szKey, sizeof(szKey));
GetCommandLineParam(lpCommandLine, 3, (LPWSTR)&szKey, MAX_PATH, &c);
if ((c == 0) || (c > 10)) {
SfcuiPrintText(g_ConOut,
T_SFEXTRACTUSAGE,
g_ConsoleOutput, FALSE);
return (UINT)-1;
}
c = 0;
if (locase_w(szKey[1]) == 'x') {
c = 2;
}
uKey = hextoul(&szKey[c]);
do {
ImageBase = SfuCreateFileMappingNoExec(szInputFile);
if (ImageBase == NULL)
break;
c = 0;
EncryptedData = SfLdrQueryResourceData(1, ImageBase, &c);
if ((EncryptedData == NULL) || (c == 0))
break;
pImageStream = SHCreateMemStream((BYTE *)EncryptedData, (UINT)c);
if (pImageStream == NULL)
break;
RtlSecureZeroMemory(&input, sizeof(input));
RtlSecureZeroMemory(&output, sizeof(output));
input.GdiplusVersion = 1;
if (GdiplusStartup(&gdiplusToken, &input, &output) != GdiplusOk)
break;
BitmapPtr = NULL;
if (GdipCreateBitmapFromStream(pImageStream, &BitmapPtr) != GdiplusOk)
break;
RtlSecureZeroMemory(&rect, sizeof(rect));
if (
(GdipGetImageWidth(BitmapPtr, (UINT *)&rect.Width) == GdiplusOk) &&
(GdipGetImageHeight(BitmapPtr, (UINT *)&rect.Height) == GdiplusOk)
)
{
RtlSecureZeroMemory(&BitmapData, sizeof(BitmapData));
if (GdipBitmapLockBits(BitmapPtr, &rect, ImageLockModeRead, PixelFormat32bppARGB, &BitmapData) == GdiplusOk) {
c = (rect.Width * rect.Height);
imagesz = sizeof(ULONG) * c;
sz = imagesz;
DecryptedData = NULL;
NtAllocateVirtualMemory(NtCurrentProcess(), &DecryptedData, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (DecryptedData) {
i_ptr = (PULONG)BitmapData.Scan0;
ptr = DecryptedData;
while (c > 0) {
*ptr = *i_ptr ^ uKey;
ptr++;
i_ptr++;
c--;
}
bSuccess = (SfuWriteBufferToFile(szOutputFile, DecryptedData, imagesz, FALSE, FALSE) == imagesz);
sz = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &DecryptedData, &sz, MEM_RELEASE);
}
GdipBitmapUnlockBits(BitmapPtr, &BitmapData);
}
}
} while (cond);
if (bSuccess == FALSE) {
SfcuiPrintText(g_ConOut,
T_SFEXTRACTFAIL,
g_ConsoleOutput, FALSE);
}
else
{
SfcuiPrintText(g_ConOut,
szOutputFile,
g_ConsoleOutput, TRUE);
SfcuiPrintText(g_ConOut,
T_SFEXTRACTED,
g_ConsoleOutput, TRUE);
}
if (BitmapPtr != NULL) {
GdipDisposeImage(&BitmapPtr);
}
if (gdiplusToken != 0) {
GdiplusShutdown(gdiplusToken);
}
if (pImageStream != NULL) {
pImageStream->lpVtbl->Release(pImageStream);
}
if (ImageBase != NULL) {
NtUnmapViewOfSection(NtCurrentProcess(), ImageBase);
}
return 0;
}
