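@@ -118,10 +118,31 @@
 xstrcpy(outfilename, out);
 }
 return xstrlen(out);
 }
 
+char* stristr(const char* str, const char* strSearch) {
+// Source: https://stackoverflow.com/questions/27303062/strstr-function-like-that-ignores-upper-or-lower-case
+char *sors, *subs, *res = NULL;
+if ((sors = _strdup(str)) != NULL) {
+if ((subs = _strdup(strSearch)) != NULL) {
+res = strstr(_strlwr(sors), _strlwr(subs));
+if (res != NULL)
+res = (char*)str + (res - sors);
+free(subs);
+}
+free(sors);
+}
+return res;
+}
+
+BOOL CalledFromRunDLL32(HINSTANCE hinst) {
+char exename[MAX_PATH];
+GetModuleFileNameA(hinst, exename, 100);
+return stristr(exename, "rundll32") != NULL;
+}
+
 void CALLBACK FakeRundll32(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
 UNREFERENCED_PARAMETER(hwnd);
 UNREFERENCED_PARAMETER(hinst);
 UNREFERENCED_PARAMETER(lpszCmdLine);
 UNREFERENCED_PARAMETER(nCmdShow);
@@ -223,37 +244,38 @@
 #ifdef WIN_ENV
 activationContextUsed = ActivateManifest((HMODULE)hDllInstance, 1, &manifestVars);
 #endif
 
 #ifdef WIN_ENV
-if ((intptr_t)result == SW_SHOWDEFAULT) {
+if ((intptr_t)result == SW_SHOWDEFAULT && CalledFromRunDLL32((HINSTANCE)pb)) {
 // When the 8BF file is analyzed with VirusTotal.com, it will invoke each
 // exported function by calling
 // loaddll64.exe 'C:\Users\user\Desktop\attachment.dll'
 // ==> rundll32.exe C:\Users\user\Desktop\attachment.dll,PluginMain
 // ==> C:\Windows\system32\WerFault.exe -u -p 6612 -s 480
 //
-// But RunDLL32 requires following signature:
+// But RunDLL32 requires the following signature:
 // void __stdcall EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
 // Our signature is:
 // void PluginMain(short selector, FilterRecordPtr pb, intptr_t *data, short *result);
 //
-// Obviously, this will cause an Exception. (It crashes at *result=e because result is 0xA)
+// Obviously, this will cause an Exception. (It crashes at *result=e because result is 0xA, which is SW_SHOWDEFAULT)
 // Here is the problem: The crash will be handled by WerFault.exe inside the
 // VirusTotal virtual machine. WerFault connects to various servers (9 DNS resolutions!) and does
 // a lot of weird things, but VirusTotal thinks that our plugin does all that stuff,
 // and so they mark our plugin as "malware"!
 // This is a problem with VirusTotal! It shall not assume that WerFault.exe actions are our actions!
-// Even processes like "MicrosoftEdgeUpdate.exe" and "SpeechRuntime.exe" are reported to be our
+// Even actions from processes like "MicrosoftEdgeUpdate.exe" and "SpeechRuntime.exe" are reported to be our
 // actions, although they have nothing to do with us!
 // See https://www.virustotal.com/gui/file/1f1012c567208186be455b81afc1ee407ae6476c197d633c70cc70929113223a/behavior
 //
-// TODO: Usually, The first 64KB of address space are always invalid. However, in Win32s (Windows 3.11), the
-// variable "result" is <=0xFFFF ! Let's just hope that it is never 0x000A (SW_SHOWDEFAULT),
-// otherwise we have a problem here!
-// I don't understand why this works! Aren't we __cdecl and rundll expected __stdcall? But why is the parameter order correct and not reversed?
+// Note in re "*result": Usually, The first 64KB of address space are always invalid. However, in Win32s (Windows 3.11), the
+// variable "result" is <=0xFFFF. So we cannot assume that result<=0xFFFF means that the call came from RunDLL32.
+
 FakeRundll32((HWND)(intptr_t)selector, (HINSTANCE)pb, (LPSTR)data, (int)(intptr_t)result);
+// (I don't understand why this works! Aren't we __cdecl and rundll expected __stdcall? But why is the parameter order correct and not reversed?)
+
 goto endmain;
 }
 else {
 // will be changed if an error happens
 *result = noErr;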
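Review bot: CalledFromRunDLL32 (new lines 138–142) discards the return value of GetModuleFileNameA and passes a hard-coded 100 although exename is MAX_PATH bytes, so when the lookup fails — which is the expected outcome on the non-rundll32 path, where (HINSTANCE)pb is a FilterRecordPtr rather than a module handle — stristr scans an uninitialized and possibly unterminated buffer, and a path truncated at 100 characters is not guaranteed to be NUL-terminated either. Make both failure modes explicit so they read as "not rundll32": `DWORD len = GetModuleFileNameA(hinst, exename, sizeof exename);` followed by `if (len == 0 || len >= sizeof exename) return FALSE;` ahead of the stristr call. stristr itself returns NULL when either _strdup fails, which silently lands on the same branch; that is tolerable here but deserves a one-line comment stating that allocation failure is treated as "no match". _strdup and _strlwr are MSVC-specific names, and the hunk does not show whether these two helpers sit under WIN_ENV, so confirm the non-Windows build still compiles.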