From 0070add1f748410ae79ff1ac33bd61a70414b6b5 Mon Sep 17 00:00:00 2001
From: zeffy
Date: Sat, 1 Jul 2017 04:33:29 -0700
Subject: [PATCH] simplified some code, security improvements, etc

---
 wufuc/core.c | 6 +++---
 wufuc/rundll32.c | 31 ++++++++++++-------------------
 wufuc/service.c | 30 ++++++++++++++----------------
 wufuc/util.c | 4 ++--
 4 files changed, 31 insertions(+), 40 deletions(-)

diff --git a/wufuc/core.c b/wufuc/core.c
index 38e9853..c47e72e 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -43,7 +43,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 DETOUR_IAT(hm, LoadLibraryExA);
 DETOUR_IAT(hm, LoadLibraryExW);
- TCHAR lpServiceDll[MAX_PATH + 1];
+ TCHAR lpServiceDll[MAX_PATH];
 get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll));
 HMODULE hwu = GetModuleHandle(lpServiceDll);
@@ -130,7 +130,7 @@ HMODULE WINAPI _LoadLibraryExA(
 HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
 if (result) {
 dwprintf(L"Loaded library: %S", lpFileName);
- CHAR path[MAX_PATH + 1];
+ CHAR path[MAX_PATH];
 if (!get_svcdllA("wuauserv", path, _countof(path))) {
 return result;
 }
@@ -149,7 +149,7 @@ HMODULE WINAPI _LoadLibraryExW(
 HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
 if (result) {
 dwprintf(L"Loaded library: %s", lpFileName);
- WCHAR path[MAX_PATH + 1];
+ WCHAR path[MAX_PATH];
 if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
 return result;
 }
diff --git a/wufuc/rundll32.c b/wufuc/rundll32.c
index 5d6fe7e..803d79e 100644
--- a/wufuc/rundll32.c
+++ b/wufuc/rundll32.c
@@ -36,6 +36,7 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
 }
 dwprintf(L"Processor: %S", brand + i);
+ SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
 if (!hSCManager) {
 return;
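Review bot: In the NewThreadProc hunk the result of `get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll))` is still ignored, yet this same commit makes get_svcdllA/W return FALSE without writing the buffer when the registry read fails, so on that path `lpServiceDll` reaches `GetModuleHandle` uninitialized. The two _LoadLibraryEx hunks in this file already guard the call with `if (!get_svcdllA(...)) { return result; }`; mirror that here, `if (!get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll))) { return 0; }`, using whatever value NewThreadProc returns on its other failure paths. NewThreadProc begins and ends outside the hunk, so those paths are not visible here.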
@@ -50,34 +51,26 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
 if (!result) {
 return;
 }
- TCHAR lpLibFileName[MAX_PATH + 1];
+ TCHAR lpLibFileName[MAX_PATH];
 GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
 if (!hProcess) {
 return;
 }
- LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, _countof(lpLibFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+ LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
 if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
- HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
- if (hSnap) {
- MODULEENTRY32 me;
- me.dwSize = sizeof(me);
-
- if (Module32First(hSnap, &me)) {
- do {
- if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
- break;
- }
- } while (Module32Next(hSnap, &me));
-
- HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
- CloseHandle(hThread);
- }
- CloseHandle(hSnap);
- }
+ HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
+ (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"),
+ STRINGIZE(LoadLibrary)),
+ lpBaseAddress, 0, NULL
+ );
+ WaitForSingleObject(hThread, INFINITE);
+ dwprintf(L"Injected into process: %d", dwProcessId);
+ CloseHandle(hThread);
 }
+ VirtualFreeEx(hProcess, lpBaseAddress, 0, MEM_RELEASE);
 CloseHandle(hProcess);
 close_log();
 }
diff --git a/wufuc/service.c b/wufuc/service.c
index 58e23f3..ac6257a 100644
--- a/wufuc/service.c
+++ b/wufuc/service.c
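Review bot: `WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)` still passes an element count where the API takes a byte count, although the allocation one line above was corrected to `sizeof(lpLibFileName)`; with a wide `TCHAR` only half of the buffer is copied, so a longer module path arrives truncated in the target. Use the same unit in both calls, e.g. `WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, sizeof(lpLibFileName), NULL)`, and check the `GetModuleFileName` return value so a truncated path is rejected rather than used. The new `CreateRemoteThread` handle is passed to `WaitForSingleObject`, and `dwprintf` reports success, without a NULL check; wrap those three lines in `if (hThread) { ... }`. Rundll32Entry starts before this hunk.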
@@ -6,27 +6,24 @@
 #include "service.h"
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
- CHAR lpSubKey[MAX_PATH + 1];
+ CHAR lpSubKey[257];
 sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
-
- DWORD uBytes = _MAX_PATH + 1;
- LPBYTE pvData = malloc(uBytes);
-
- RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
-
- ExpandEnvironmentStringsA((LPSTR)pvData, lpServiceDll, dwSize);
+ DWORD cb = dwSize;
+ if (RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
+ return FALSE;
+ }
+ dwprintf(L"Service \"%S\" DLL path: %S", lpServiceName, lpServiceDll);
 return TRUE;
 }
 BOOL get_svcdllW(LPCWSTR lpServiceName, LPWSTR lpServiceDll, DWORD dwSize) {
- WCHAR lpSubKey[MAX_PATH + 1];
+ WCHAR lpSubKey[257];
 swprintf_s(lpSubKey, _countof(lpSubKey), L"SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
-
- DWORD uBytes = _MAX_PATH + 1;
- LPBYTE pvData = malloc(uBytes);
- RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
-
- ExpandEnvironmentStringsW((LPWSTR)pvData, lpServiceDll, dwSize);
+ DWORD cb = dwSize;
+ if (RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
+ return FALSE;
+ }
+ dwprintf(L"Service \"%s\" DLL path: %s", lpServiceName, lpServiceDll);
 return TRUE;
 }
@@ -59,6 +56,7 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
 if (!get_svcpath(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
 return FALSE;
 }
+ int numArgs; LPWSTR *argv = CommandLineToArgv(lpBinaryPathName, &numArgs);
 if (numArgs < 3) {
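Review bot: In get_svcdllW, `DWORD cb = dwSize;` gives RegGetValueW a byte count while the callers in core.c pass `_countof(path)`, an element count, so the call advertises a buffer half its real size and a path longer than dwSize/2 characters is presumably rejected with ERROR_MORE_DATA; use `DWORD cb = dwSize * sizeof(WCHAR);` (get_svcdllA is unaffected since CHAR is one byte). The new `CHAR lpSubKey[257]` / `WCHAR lpSubKey[257]` is a bare magic number; a comment or named constant stating the bound it encodes (presumably the registry key-name limit — confirm) would help. Dropping RRF_NOEXPAND and the ExpandEnvironmentStrings call relies on RegGetValue expanding a REG_EXPAND_SZ ServiceDll value itself when RRF_NOEXPAND is absent; a comment such as `// RegGetValue expands REG_EXPAND_SZ data when RRF_NOEXPAND is not set` would stop a later reader from re-adding the expansion.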
@@ -105,7 +103,7 @@ BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPat
 }
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
- DWORD uBytes = 0x100000;
+ DWORD uBytes = 1 << 20;
 LPBYTE pvData = malloc(uBytes);
 RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"), lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
diff --git a/wufuc/util.c b/wufuc/util.c
index 6b99e8e..121286e 100644
--- a/wufuc/util.c
+++ b/wufuc/util.c
@@ -157,12 +157,12 @@ BOOL init_log(void) {
 if (log_fp) {
 return TRUE;
 }
- WCHAR filename[MAX_PATH + 1];
+ WCHAR filename[MAX_PATH];
 GetModuleFileNameW(HINST_THISCOMPONENT, filename, _countof(filename));
 WCHAR drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME];
 _wsplitpath_s(filename, drive, _countof(drive), dir, _countof(dir), fname, _countof(fname), NULL, 0);
- WCHAR basename[MAX_PATH + 1];
+ WCHAR basename[MAX_PATH];
 GetModuleBaseNameW(GetCurrentProcess(), NULL, basename, _countof(basename));
 wcscat_s(fname, _countof(fname), L".");
 wcscat_s(fname, _countof(fname), basename);
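Review bot: `LPBYTE pvData = malloc(uBytes);` and the `RegGetValue(...)` below it in get_svcgpid remain unchecked, the same pattern this commit removes from get_svcdllA/W in the first service.c hunk; a NULL pvData goes straight into RegGetValue and a failed read leaves the buffer contents undefined for whatever parses it after the hunk. Mirror the new get_svcdll shape with `if (!pvData) return FALSE;` after the malloc and `if (RegGetValue(...) != ERROR_SUCCESS) { free(pvData); return FALSE; }` — the function body continues past the hunk, so its existing cleanup path is not visible here. Rewriting `0x100000` as `1 << 20` still does not say why 1 MiB; a short comment on that line, e.g. `// upper bound for the Svchost group REG_MULTI_SZ`, would help.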