My Pastes
Public Pastes
Layout Width
Share Pastebin
Guest
Public paste!

DiabloHorn

By: a guest | Jun 25th, 2009 | Syntax: C | Size: 8.71 KB | Hits: 78 | Expires: Never
Download | Raw | Embed | Report abuse
Copy text to clipboard
  1. /*
  2. Copyright (c) <2009> <DiabloHorn>
  3.  
  4. Permission is hereby granted, free of charge, to any person obtaining a copy
  5. of this software and associated documentation files (the "Software"), to deal
  6. in the Software without restriction, including without limitation the rights
  7. to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  8. copies of the Software, and to permit persons to whom the Software is
  9. furnished to do so, subject to the following conditions:
  10.  
  11. The above copyright notice and this permission notice shall be included in
  12. all copies or substantial portions of the Software.
  13.  
  14. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  15. IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  16. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  17. AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  18. LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  19. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  20. THE SOFTWARE.
  21. */
  22. /*
  23.         SALF - Scriptable Anti Live Forensics
  24.         Author: DiabloHorn
  25.         Version: 0.1
  26.         Comments: Run at your own risk!
  27.         License: MIT License
  28.         Todo: Fix security coding errors,tidy code up
  29.         Purpose: defeat http://www.youtube.com/watch?v=-G8sEYCOv-o & http://www.youtube.com/watch?v=erq4TO_a3z8
  30.         This will lock the computer when one of the several modules says it has to be locked.
  31.         If your computer is full disk encrypted then a simple lock(assuming you have a strong password)
  32.         is almost as good as a physical harddisk destruction. Cold Boot attack can defeat this, but then again...
  33.         the inet says there is a anti-cold boot method out there...
  34. */
  35.  
  36. #include "salf.h"
  37. /*
  38.         WARNING DIRTY CODE
  39.         The code you are about to see will probably not be bug free and probably contains a lot of
  40.         ugly code. I'm abusing the definition of POC to the fullest extent of it's meaning and grant myself the right
  41.         to produce ugly code. Who knows, maybe in a later alpha/beta/final version it will be cleaned up.
  42.  
  43. */
  44. char inifile[MAX_PATH] = {0};
  45. char pluginpath[MAX_PATH] = {0};
  46. char dll_filter[MAX_PATH] = {0};
  47. char py_filter[MAX_PATH] = {0};
  48. int refreshping = 0;
  49.  
  50. int main(int argc,char *argv[]){
  51.         int y,z,b;
  52.         int aDLLPlugins = 0;
  53.         int aPYPlugins = 0;
  54.         char **DLLPlugins;
  55.         char **PYPlugins;
  56.         HANDLE *DLLPluginsLoaded = {0};
  57.         BMyIsScrewed MyIsScrewed;
  58.        
  59.  
  60.         printf("\tStarting SALF - Scriptable Anti Live Forensics\n");
  61.         printf("\tPOC by DiabloHorn - http://diablohorn.wordpress.com\n");
  62.         //First let's see if we got arguments and if the ini is readable
  63.         if(argc != 2){
  64.                 printf("[*] %s\n","Please provide a ini file configuration");
  65.                 exit(0);
  66.         }
  67.  
  68.         strncpy(inifile,argv[1],MAX_PATH);
  69.         if(!ReadConfig()){
  70.                 printf("[*] %s %s\n","Failed to read INI",inifile);
  71.                 exit(0);
  72.         }
  73.         printf("[*] pluginpath: %s\n",pluginpath);
  74.         printf("[*] dll filter: %s\n",dll_filter);
  75.         printf("[*] python filter: %s\n",py_filter);
  76.         printf("[*] refreshping: %d\n",refreshping);
  77.  
  78.         //now we should be able to start loading plugins...so let's count them first.
  79.         aDLLPlugins = CountPluginFiles(dll_filter);
  80.         aPYPlugins = CountPluginFiles(py_filter);
  81.         printf("[*] %s\n","Searching for plugins");
  82.         if(aDLLPlugins == 0 && aPYPlugins == 0){
  83.                 printf("[*] %s\n","No kind of valid plugin found");
  84.                 exit(0);
  85.         }      
  86.         printf("[*] Starting to load plugins\n");
  87.         //counting has happend, let's load them
  88.         /*DONT FORGET TO FREE()*/
  89.         if(aDLLPlugins > 0){
  90.                 printf("[*] dll_plugins: %i\n", aDLLPlugins);
  91.                 DLLPlugins = (char **)malloc(aDLLPlugins*sizeof(char *));
  92.                 DLLPluginsLoaded = (HANDLE)malloc(aDLLPlugins*sizeof(HANDLE));
  93.                 for(z = 0; z < aDLLPlugins; z++){
  94.                         DLLPlugins[z] = malloc(MAX_PATH);
  95.                         DLLPluginsLoaded[z] = malloc(sizeof(HANDLE));
  96.                 }
  97.                
  98.                 if(!LoadPluginFiles(DLLPlugins,dll_filter)){
  99.                         printf("[*] Loading dll plugin names failed\n");
  100.                         exit(0);//not sure if we should exit or continue with py_loading.
  101.                 }
  102.  
  103.                 for(y=0;y<aDLLPlugins;y++){
  104.                         DLLPluginsLoaded[y] = LoadLibrary(DLLPlugins[y]);
  105.                 }
  106.         }
  107.         /*DONT FORGET TO FREE()*/
  108.         if(aPYPlugins > 0){
  109.                 printf("[*] py_plugins: %i\n", aPYPlugins);
  110.                 PYPlugins = (char **)malloc(aPYPlugins*sizeof(char *));
  111.                 for(z = 0; z < aPYPlugins; z++){
  112.                         PYPlugins[z] = malloc(MAX_PATH);
  113.                 }
  114.  
  115.                 if(!LoadPluginFiles(PYPlugins,py_filter)){
  116.                         printf("[*] Loading python plugin names failed\n");
  117.                 }
  118.         }
  119.  
  120.         /*
  121.                 Main SALF loop.
  122.                 Loop through every loaded plugin and call it's "IsScrewed" function.
  123.         */
  124.         while(1){
  125.                 printf("[*] Running DLL plugins\n");
  126.                 for(y=0;y<aDLLPlugins;y++){
  127.                         MyIsScrewed = (BMyIsScrewed) GetProcAddress(DLLPluginsLoaded[y],"IsScrewed");
  128.                         if(MyIsScrewed != NULL){
  129.                                 if(MyIsScrewed()){
  130.                                         printf("[**] ALERT!!!\n");
  131.                                 }
  132.                         }
  133.                 }
  134.                
  135.                 printf("[*] Running Python plugins\n");
  136.                 for(b=0;b<aPYPlugins;b++){
  137.                         if(CreateRunObject(PYPlugins[b])){
  138.                                 printf("[**] ALERT!!!\n");
  139.                         }
  140.                 }
  141.                 printf("[*] Sleeping: %i seconds\n",refreshping/1000);
  142.                 Sleep(refreshping);
  143.         }
  144.         return 0;
  145. }
  146.  
  147. /*
  148.         Code modified from the original code @ http://docs.python.org/extending/embedding.html
  149. */
  150. int CreateRunObject(char *pypname){
  151.     PyObject *pName, *pModule, *pFunc;
  152.         PyObject *pValue;
  153.         char pyPath[MAX_PATH] = {0};
  154.         char *tvar = (char *)malloc(MAX_PATH);
  155.         char *tokstr = (char *)malloc(MAX_PATH);
  156.         int i = 0;
  157.         int pyRes = 1;//initialise to true
  158.         Py_Initialize();
  159.         pypname = strrchr(pypname,'\\');
  160.         pypname++;
  161.         while(pypname[i] != '\0'){
  162.                 if(pypname[i] == '.'){
  163.                         pypname[i] = '\0';
  164.                         break;
  165.                 }
  166.                 i++;
  167.         }
  168.     pName = PyString_FromString(pypname);
  169.     /* Error checking of pName left out */
  170.         PyRun_SimpleString("import sys");
  171.         strcat(pyPath,"sys.path.append(\"");
  172.         //double the slashes
  173.         //remove trailing slashes
  174.         tvar = strdup(pluginpath);
  175.         tokstr = strtok(tvar,"\\");
  176.         while(tokstr != NULL){
  177.                 strcat(pyPath,tokstr);
  178.                 strcat(pyPath,"\\\\");
  179.                 tokstr = strtok(NULL,"\\");
  180.         }
  181.         free(tvar);
  182.         free(tokstr);
  183.         pyPath[strlen(pyPath)-2] = '\0';
  184.         strcat(pyPath,"\")");
  185.         PyRun_SimpleString(pyPath);
  186.     pModule = PyImport_Import(pName);
  187.     Py_DECREF(pName);
  188.  
  189.     if (pModule != NULL) {
  190.         pFunc = PyObject_GetAttrString(pModule, "IsScrewed");
  191.         /* pFunc is a new reference */
  192.  
  193.         if (pFunc && PyCallable_Check(pFunc)) {
  194.             pValue = PyObject_CallObject(pFunc,NULL);
  195.             if (pValue != NULL) {
  196.                 pyRes = PyInt_AsLong(pValue);
  197.                 Py_DECREF(pValue);
  198.             }
  199.             else {
  200.                 Py_DECREF(pFunc);
  201.                 Py_DECREF(pModule);
  202.                 PyErr_Print();
  203.                                 printf("[**] Python: Call failed\n");
  204.             }
  205.         }
  206.         else {
  207.             if (PyErr_Occurred())
  208.                 PyErr_Print();
  209.             printf("[**] Python: Cannot find function \"%s\"\n", "IsScrewed");
  210.         }
  211.         Py_XDECREF(pFunc);
  212.         Py_DECREF(pModule);
  213.     }
  214.     else {
  215.         PyErr_Print();
  216.         printf("[**] Python: Failed to load \"%s\"\n", pypname);
  217.     }
  218.     Py_Finalize();
  219.     return pyRes;
  220.  
  221. }
  222. /*
  223.         Load the plugins based on the filter given
  224. */
  225. int LoadPluginFiles(char **ToLoad,char *filter){
  226.         WIN32_FIND_DATA ffd;
  227.         HANDLE hFind = INVALID_HANDLE_VALUE;
  228.         int i;
  229.         char FullPath[MAX_PATH] = {0};
  230.         char FilterPath[MAX_PATH] = {0};
  231.         strcat(FilterPath,pluginpath);
  232.         strcat(FilterPath,filter);
  233.         hFind = FindFirstFile(FilterPath, &ffd);
  234.        
  235.         if (INVALID_HANDLE_VALUE == hFind)
  236.         {
  237.                 printf("[*] Error\n");
  238.                 return 0;
  239.         }
  240.         i = 0;
  241.         do{
  242.                 strcat(FullPath,pluginpath);
  243.                 strcat(FullPath,ffd.cFileName);
  244.                 strcpy(ToLoad[i],FullPath);
  245.                 printf("[*] Found: %s\n",ToLoad[i]);
  246.                 i++;
  247.                 memset(&FullPath,0,MAX_PATH);
  248.         }while(FindNextFile(hFind,&ffd) != 0);
  249.         FindClose(hFind);
  250.         return 1;
  251. }
  252.  
  253. /*
  254.         Loop through the plugins directory to find all plugins
  255.         depending on the filter given
  256. */
  257. int CountPluginFiles(char *filter){
  258.         WIN32_FIND_DATA ffd;
  259.         HANDLE hFind = INVALID_HANDLE_VALUE;
  260.         char sFiles[MAX_PATH] = {0};
  261.         int i=0;
  262.         /*prone to overflow*/
  263.         strcat(sFiles,pluginpath);
  264.         strcat(sFiles,filter);
  265.         hFind = FindFirstFile(sFiles, &ffd);
  266.        
  267.         if (INVALID_HANDLE_VALUE == hFind)
  268.         {
  269.                 return i;
  270.         }
  271.  
  272.         do{
  273.                 i++;
  274.         }while(FindNextFile(hFind,&ffd) != 0);
  275.         FindClose(hFind);
  276.         return i;
  277. }
  278.  
  279.  
  280. /*
  281.         Read configuration from a ini file
  282. */
  283. int ReadConfig(){
  284.        
  285.         GetPrivateProfileString(INI_SECTION,PLUGINPATH,"ERROR",pluginpath,MAX_PATH,inifile);
  286.         GetPrivateProfileString(INI_SECTION,DLL_FILTER,"ERROR",dll_filter,MAX_PATH,inifile);
  287.         GetPrivateProfileString(INI_SECTION,PY_FILTER,"ERROR",py_filter,MAX_PATH,inifile);
  288.         refreshping = GetPrivateProfileInt(INI_SECTION,REFRESHPING,15000,inifile);
  289.         if(strcmp("ERROR",pluginpath) == 0 || strcmp("ERROR",dll_filter) == 0 || strcmp("ERROR",py_filter) == 0){
  290.                
  291.                 return 0;
  292.         }
  293.         return 1;
  294. }
create new paste | create new version of this paste RAW Paste Data