Code Crossroad: 2017

Tuesday, July 25, 2017

Using Windows API to get Active Window Title

This program will print out the window title every time it changes. It's a good example of using GetForegroundWindow(), GetWindowTextLength(), and GetWindowText().

#include <Windows.h>
#include <iostream>
#include <string>

using namespace std;

void main()
{
 wstring oldTitle = TEXT("not_real_title");
 while (1)
 {
  HWND winHandle = GetForegroundWindow();
  if (winHandle) {
   int titleLen = GetWindowTextLength(winHandle) + 1;
   wstring winTitle(titleLen, '\0');
   int good = GetWindowText(winHandle, &winTitle[0], titleLen);
   
   if (good)
    if (winTitle!=oldTitle)
     wcout << winTitle << endl;
   oldTitle = winTitle;
   Sleep(50);
  }
 }
}

The one thing that held me up was the second argument to GetWindowText(). The second argument is the variable that holds the value of the window title. Here's the function definition:

int WINAPI GetWindowText(
  _In_  HWND   hWnd,
  _Out_ LPTSTR lpString,
  _In_  int    nMaxCount
);

Since the second parameter is LPTSTR (Long Pointer T-String), I needed to specify the first element in the string ([0]) and use the address-of (&) to match the types up.

Strings in C++ / Windows API are the worst.

Tuesday, June 27, 2017

Python - MD5 Every File on your System, Filtering by File Extension

I wanted to get an MD5 for all the files on my (clean) Windows 7 machine, and compare them to a database of known malicious files to see if there were any matches. This script dumps a file of the format <hash>: <filename>.

import os, sys, hashlib, re

def md5(fname):
    hash_md5 = hashlib.md5()
    with open(fname, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_md5.update(chunk)
    return hash_md5.hexdigest()
    
    
    
def md5Path(path):
    try:
        dir1 = os.walk(path)
        for root, dirs, files in dir1:
            for eachFile in files:
                fileName = root + "\\" + eachFile
                # change the regex to look for certain file types
                hit = re.search('\.(exe|dll|vbs|bat|doc.|xls.|ppt.|pdf|com|sys|bat|js|vbe)$', fileName)
                if hit:
                    try:
                        f.write( md5(fileName) + ": " + fileName + "\n")
                    except Exception as e:
                        print "Inner Exception.  " + str(e) + " on " + fileName
                else:
                    continue
    except Exception as e:
        print "Outer Exception. " + str(e) + " on " + fileName
            
f=open('base_md5.txt', 'w')
md5Path(sys.argv[1])
f.close()

Friday, April 28, 2017

C++ Helper Functions for Output to File/HTTP GET/HTTP POST

Here's the combination of helper functions I'm using to send data to either files or an HTTP server, variable filename, server, URI path, etc...

int httpSendPost(string server, string path, string data)
{
 char* buf = &data[0];
 string url = path + data; //combine path + data
 wstring url1 = wstring(url.begin(), url.end()); // turn url into a wide string
 wstring server1 = wstring(server.begin(), server.end()); // turn server into wide string
 GetLastError();
 HINTERNET hInternet, hConnect, hRequest;
 hInternet = InternetOpen(TEXT("My UserAgent"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
 hConnect = InternetConnect(hInternet, server1.c_str(), INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
 hRequest = HttpOpenRequest(hConnect, TEXT("POST"), url1.c_str(), 0, 0, 0, INTERNET_FLAG_RELOAD, 0);
 if (hRequest == NULL)
  cout << "HttpOpenRequest error code: " << GetLastError() << endl;
 if (!HttpSendRequest(hRequest, 0, 0, buf, data.length()))
  cout << "HttpSendRequest error code: " << GetLastError() << endl;
 InternetCloseHandle(hInternet);
 InternetCloseHandle(hConnect);
 InternetCloseHandle(hRequest);
 return 0;
}

int httpSendGet(string server, string path, string data)
{
 string url = path + data; //combine path + data
 wstring url1 = wstring(url.begin(), url.end()); // turn url into a wide string
 wstring server1 = wstring(server.begin(), server.end()); // turn server into wide string
 GetLastError();
 HINTERNET hInternet, hConnect, hRequest;
 hInternet = InternetOpen(TEXT("My UserAgent"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
 hConnect = InternetConnect(hInternet, server1.c_str(), INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
 hRequest = HttpOpenRequest(hConnect, TEXT("GET"), url1.c_str(), 0, 0, 0, INTERNET_FLAG_RELOAD, 0);
 if (hRequest == NULL)
  cout << "HttpOpenRequest error code: " << GetLastError() << endl;
 if (!HttpSendRequest(hRequest, 0, 0, NULL, NULL))
  cout << "HttpSendRequest error code: " << GetLastError() << endl;
 InternetCloseHandle(hInternet);
 InternetCloseHandle(hConnect);
 InternetCloseHandle(hRequest);
 return 0;
}

int toTempFile(string fileName, string toFile)
{
 wstring fileName1 = wstring(fileName.begin(), fileName.end());

 wstring path;
 wchar_t wchPath[MAX_PATH];
 if (GetTempPathW(MAX_PATH, wchPath))
  path = wchPath;
 path = path.append(fileName1.c_str());
 ofstream out(path, ios::app);
 out << toFile << endl;
 out.close();
 return 0;
}

Wednesday, April 26, 2017

C++ Function For HTTP GET

Also often used function for sending HTTP GET requests...

int httpSendGet(string data)
{
 string url = "/hi/there/" + data;
 wstring url1 = wstring(url.begin(), url.end());
 GetLastError();
 HINTERNET hInternet, hConnect, hRequest;
 hInternet = InternetOpen(TEXT("My UserAgent"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
 hConnect = InternetConnect(hInternet, TEXT("www.site.com"), INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
 hRequest = HttpOpenRequest(hConnect, TEXT("GET"), url1.c_str(), 0, 0, 0, INTERNET_FLAG_RELOAD, 0);
 if (hRequest == NULL)
  cout << "HttpOpenRequest error code: " << GetLastError() << endl;
 if (!HttpSendRequest(hRequest, 0, 0, NULL, NULL))
  cout << "HttpSendRequest error code: " << GetLastError() << endl;
 InternetCloseHandle(hInternet);
 InternetCloseHandle(hConnect);
 InternetCloseHandle(hRequest);
 return 0;
}

C++ Function For HTTP POST

This is a function I use often to create POST requests by passing in a string.

int httpSendPost(string post)
{
 char* buf = &post[0];
 GetLastError();
 HINTERNET hInternet, hConnect, hRequest;
 hInternet = InternetOpen(TEXT("My UserAgent"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);
 hConnect = InternetConnect(hInternet, TEXT("www.site.com"), INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
 hRequest = HttpOpenRequest(hConnect, TEXT("POST"), TEXT("/hi/there"), 0, 0, 0, INTERNET_FLAG_RELOAD, 0);
 if (hRequest == NULL)
  cout << "HttpOpenRequest error code: " << GetLastError() << endl;
 if (!HttpSendRequest(hRequest, 0, 0, buf, post.length()))
  cout << "HttpSendRequest error code: " << GetLastError() << endl;
 InternetCloseHandle(hInternet);
 InternetCloseHandle(hConnect);
 InternetCloseHandle(hRequest);
 return 0;
}

I should also probably have the "www.site.com" and "/hi/there" be passed in via parameters, but meh, it works.

Batch Script to Find Process Connecting to IP Address

Recently I had to find what process on a remote machine was connecting to a certain IP address, to determine if it was malicious or not, using only the command line. This is how I did it, by using a batch file to watch netstat for the connection. If it sees it, it'll write the line from netstat into a file. If that file ever changes size, it'll also run tasklist to get the process name from the PID. There's probably nicer ways of doing it, but this was slapped together quickly to get the results we needed.

:loop
set file="netstat_hits.txt"
netstat -ano | findstr 10.1.2.3 >> netstat_hits.txt
netstat -ano | findstr ":80 " >> netstat_hits.txt
FOR /F "usebackq" %%A IN ('%file%') DO set size=%%~zA
IF %size% NEQ 1 goto tasker
ping 127.0.0.1
goto loop

:tasker
tasklist >> netstat_hits.txt
goto loop

The file started out as one byte (I just put an "a" in it). If the netstat | findstr >> file combo worked, it would trigger the :tasker call to write the tasklist into the same file. Then I just periodically checked to see if the file was ever more than 1 byte big, and ctrl-c'd the batch script.

If someone knows of a better way of doing it, I'm all ears.

Tuesday, January 17, 2017

Logging in with Python Requests

Hi hi. I just figured out how to use the session() object to log into websites using Python Requests. Should work anywhere. Here's the code!

import requests
import re
proxies = { 'http': '', 'https': '',}

#creates a session object to maintain cookies and shtuff
sesh = requests.session()

#gets the login page, you need to do this to extract a token from it
x = sesh.get('https://wikipage.whatever/wiki/index.php/Special:UserLogin', proxies=proxies)

#probably better ways to do this, but an RE will work...
reMatch = re.search('wpLoginToken\"\svalue=\"(.*?)\"', x.content)
token = reMatch.group(1)

#create the POST data.  In order to see what fields you'll need, inspect the request through your browser's debug window (f12 before sending request)
payload={'wpName':'<userHere>', 'wpPassword':'<passHere>', 'wpDomain':'domain', 'wpLoginAttempt':'Log+in', 'wpLoginToken':token}

#logs in.   the "&action=submitlogin&type=login" was also gathered during the previous step.
y = sesh.post('https://wikipage.whatever/wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login', data=payload, proxies=proxies)

#request whatever article you want
z = sesh.get('https://wikipage.whatever/wiki/index.php/articleYouWant', proxies=proxies)