Line 118... Line 118...
118
                xstrcpy(outfilename, out);
118
                xstrcpy(outfilename, out);
119
        }
119
        }
120
        return xstrlen(out);
120
        return xstrlen(out);
121
}
121
}
122
 
122
 
-
 
123
char* stristr(const char* str, const char* strSearch) {
-
 
124
        // Source: https://stackoverflow.com/questions/27303062/strstr-function-like-that-ignores-upper-or-lower-case
-
 
125
        char *sors, *subs, *res = NULL;
-
 
126
        if ((sors = _strdup(str)) != NULL) {
-
 
127
                if ((subs = _strdup(strSearch)) != NULL) {
-
 
128
                        res = strstr(_strlwr(sors), _strlwr(subs));
-
 
129
                        if (res != NULL)
-
 
130
                                res = (char*)str + (res - sors);
-
 
131
                        free(subs);
-
 
132
                }
-
 
133
                free(sors);
-
 
134
        }
-
 
135
        return res;
-
 
136
}
-
 
137
 
-
 
138
BOOL CalledFromRunDLL32(HINSTANCE hinst) {
-
 
139
        char exename[MAX_PATH];
-
 
140
        GetModuleFileNameA(hinst, exename, 100);
-
 
141
        return stristr(exename, "rundll32") != NULL;
-
 
142
}
-
 
143
 
123
void CALLBACK FakeRundll32(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
144
void CALLBACK FakeRundll32(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
124
        UNREFERENCED_PARAMETER(hwnd);
145
        UNREFERENCED_PARAMETER(hwnd);
125
        UNREFERENCED_PARAMETER(hinst);
146
        UNREFERENCED_PARAMETER(hinst);
126
        UNREFERENCED_PARAMETER(lpszCmdLine);
147
        UNREFERENCED_PARAMETER(lpszCmdLine);
127
        UNREFERENCED_PARAMETER(nCmdShow);
148
        UNREFERENCED_PARAMETER(nCmdShow);
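Review bot: `GetModuleFileNameA(hinst, exename, 100);` at new line 140 passes a 100-byte limit for a `MAX_PATH` buffer and ignores the return value, so on failure `exename` stays uninitialized and on truncation (not NUL-terminated on pre-XP systems, which this code base still cares about given the Win32s remark) `stristr` and its `_strdup` read past the valid data. Use the real size and bail out on failure or truncation: `DWORD len = GetModuleFileNameA(hinst, exename, sizeof(exename)); if (len == 0 || len >= sizeof(exename)) return FALSE;`. Note also that the second RunDLL32 argument is documented as the DLL's own instance handle, so querying `hinst` may yield the plugin's path rather than `rundll32.exe`; passing `NULL` instead queries the host process executable, which is what this check is really after — worth confirming against the VirusTotal trace quoted in the second hunk. Because this gate decides whether the `*result` write with `result == 0xA` is skipped, a false negative here simply reintroduces the crash the change is meant to avoid.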
Line 223... Line 244...
223
        #ifdef WIN_ENV
244
        #ifdef WIN_ENV
224
        activationContextUsed = ActivateManifest((HMODULE)hDllInstance, 1, &manifestVars);
245
        activationContextUsed = ActivateManifest((HMODULE)hDllInstance, 1, &manifestVars);
225
        #endif
246
        #endif
226
 
247
 
227
        #ifdef WIN_ENV
248
        #ifdef WIN_ENV
228
        if ((intptr_t)result == SW_SHOWDEFAULT) {
249
        if ((intptr_t)result == SW_SHOWDEFAULT && CalledFromRunDLL32((HINSTANCE)pb)) {
229
                // When the 8BF file is analyzed with VirusTotal.com, it will invoke each
250
                // When the 8BF file is analyzed with VirusTotal.com, it will invoke each
230
                // exported function by calling
251
                // exported function by calling
231
                // loaddll64.exe 'C:\Users\user\Desktop\attachment.dll'
252
                // loaddll64.exe 'C:\Users\user\Desktop\attachment.dll'
232
                //        ==>  rundll32.exe C:\Users\user\Desktop\attachment.dll,PluginMain
253
                //        ==>  rundll32.exe C:\Users\user\Desktop\attachment.dll,PluginMain
233
                //           ==> C:\Windows\system32\WerFault.exe -u -p 6612 -s 480
254
                //           ==> C:\Windows\system32\WerFault.exe -u -p 6612 -s 480
234
                //
255
                //
235
                // But RunDLL32 requires following signature:
256
                // But RunDLL32 requires the following signature:
236
                //    void __stdcall EntryPoint(HWND hwnd,      HINSTANCE hinst,    LPSTR lpszCmdLine, int nCmdShow);
257
                //    void __stdcall EntryPoint(HWND hwnd,      HINSTANCE hinst,    LPSTR lpszCmdLine, int nCmdShow);
237
                // Our signature is:
258
                // Our signature is:
238
                //    void           PluginMain(short selector, FilterRecordPtr pb, intptr_t *data,    short *result);
259
                //    void           PluginMain(short selector, FilterRecordPtr pb, intptr_t *data,    short *result);
239
                // 
260
                // 
240
                // Obviously, this will cause an Exception. (It crashes at *result=e because result is 0xA)
261
                // Obviously, this will cause an Exception. (It crashes at *result=e because result is 0xA, which is SW_SHOWDEFAULT)
241
                // Here is the problem: The crash will be handled by WerFault.exe inside the
262
                // Here is the problem: The crash will be handled by WerFault.exe inside the
242
                // VirusTotal virtual machine. WerFault connects to various servers (9 DNS resolutions!) and does
263
                // VirusTotal virtual machine. WerFault connects to various servers (9 DNS resolutions!) and does
243
                // a lot of weird things, but VirusTotal thinks that our plugin does all that stuff,
264
                // a lot of weird things, but VirusTotal thinks that our plugin does all that stuff,
244
                // and so they mark our plugin as "malware"!
265
                // and so they mark our plugin as "malware"!
245
                // This is a problem with VirusTotal! It shall not assume that WerFault.exe actions are our actions!
266
                // This is a problem with VirusTotal! It shall not assume that WerFault.exe actions are our actions!
246
                // Even processes like "MicrosoftEdgeUpdate.exe" and "SpeechRuntime.exe" are reported to be our
267
                // Even actions from processes like "MicrosoftEdgeUpdate.exe" and "SpeechRuntime.exe" are reported to be our
247
                // actions, although they have nothing to do with us!
268
                // actions, although they have nothing to do with us!
248
                // See https://www.virustotal.com/gui/file/1f1012c567208186be455b81afc1ee407ae6476c197d633c70cc70929113223a/behavior
269
                // See https://www.virustotal.com/gui/file/1f1012c567208186be455b81afc1ee407ae6476c197d633c70cc70929113223a/behavior
249
                //
270
                //
250
                // TODO: Usually, The first 64KB of address space are always invalid. However, in Win32s (Windows 3.11), the
271
                // Note in re "*result": Usually, The first 64KB of address space are always invalid. However, in Win32s (Windows 3.11), the
251
                //       variable "result" is <=0xFFFF ! Let's just hope that it is never 0x000A (SW_SHOWDEFAULT),
272
                // variable "result" is <=0xFFFF. So we cannot assume that result<=0xFFFF means that the call came from RunDLL32.
252
                //       otherwise we have a problem here!
-
 
253
                // I don't understand why this works! Aren't we __cdecl and rundll expected __stdcall? But why is the parameter order correct and not reversed?
-
 
-
 
273
 
254
                FakeRundll32((HWND)(intptr_t)selector, (HINSTANCE)pb, (LPSTR)data, (int)(intptr_t)result);
274
                FakeRundll32((HWND)(intptr_t)selector, (HINSTANCE)pb, (LPSTR)data, (int)(intptr_t)result);
-
 
275
                // (I don't understand why this works! Aren't we __cdecl and rundll expected __stdcall? But why is the parameter order correct and not reversed?)
-
 
276
 
255
                goto endmain;
277
                goto endmain;
256
        }
278
        }
257
        else {
279
        else {
258
                // will be changed if an error happens
280
                // will be changed if an error happens
259
                *result = noErr;
281
                *result = noErr;