def get_office_window_click_around(hwnd, lparm):
global OFFICE_CLICK_AROUND
if USER32.IsWindowVisible(hwnd):
text = create_unicode_buffer(1024)
USER32.GetWindowTextW(hwnd, text, 1024)
if any(value in text.value
for value in ("Microsoft Word", "Microsoft Excel",
"Microsoft PowerPoint")):
USER32.SetForegroundWindow(hwnd)
# first click the middle
USER32.SetCursorPos(RESOLUTION["x"] // 2, RESOLUTION["y"] // 2)
click_mouse()
KERNEL32.Sleep(50)
click_mouse()
KERNEL32.Sleep(500)
# click through the middle with offset for cell position on side and scroll bar
x = 80
while x < RESOLUTION["x"] - 40:
# make sure the window still exists
if USER32.IsWindowVisible(hwnd):
USER32.SetForegroundWindow(hwnd)
USER32.SetCursorPos(x, RESOLUTION["y"] // 2)
click_mouse()
KERNEL32.Sleep(50)
click_mouse()
KERNEL32.Sleep(50)
if not USER32.IsWindowVisible(hwnd):
break
USER32.SetForegroundWindow(hwnd)
USER32.SetCursorPos(
x, RESOLUTION["y"] // 2 + random.randint(80, 200))
click_mouse()
KERNEL32.Sleep(50)
click_mouse()
KERNEL32.Sleep(50)
if not USER32.IsWindowVisible(hwnd):
break
USER32.SetForegroundWindow(hwnd)
USER32.SetCursorPos(
x, RESOLUTION["y"] // 2 - random.randint(80, 200))
click_mouse()
KERNEL32.Sleep(50)
click_mouse()
KERNEL32.Sleep(50)
x += random.randint(150, 200)
KERNEL32.Sleep(50)
else:
log.info(
"Breaking out of office click loop as our window went away"
)
break
KERNEL32.Sleep(20000)
OFFICE_CLICK_AROUND = True
return True
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
"yes", "oui", "ok", "accept", "accepter", "next", "suivant", "install",
"installer", "run", "agree", "j'accepte", "enable", "activer",
"don't send", "ne pas envoyer", "don't save", "continue", "continuer",
"unzip", "dezip", "open", "ouvrir", "close the program", "later",
"finish", "end", "allow", "allow access", "execute", "executer",
"launch", "lancer", "save", "sauvegarder"
]
# List of buttons labels to not click.
dontclick = [
"don't run",
"do not open",
"block",
]
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# Check if the class of the child is button.
if "button" in classname.value.lower():
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
text = create_unicode_buffer(length + 1)
USER32.SetActiveWindow(hwnd)
USER32.SetForegroundWindow(hwnd)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
#log.info(text.value)
USER32.SetActiveWindow(hwnd)
USER32.SetForegroundWindow(hwnd)
# Check if the button is set as "clickable" and click it.
textval = text.value.replace("&", "").lower()
for button in buttons:
if button in textval:
for btn in dontclick:
if btn in textval:
break
else:
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# Recursively search for childs (USER32.EnumChildWindows).
return True
def foreach_child(hwnd, lparam):
buttons = [
"yes",
"ok",
"accept",
"next",
"install",
"run",
"agree",
"enable",
"don't send",
"continue",
]
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# Check if the class of the child is button.
if classname.value == "Button":
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
# Check if the button is "positive".
for button in buttons:
if button in text.value.lower():
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
def foreach_window(hwnd, lparam):
# If the window is visible, enumerate its child objects, looking
# for buttons.
if USER32.IsWindowVisible(hwnd):
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# If the window is one of the known class types that are inaccessible by User32, send Enter
# This may proceed if there is a default action
for win in default_action_win:
if win in classname.value.lower():
log.info(
"Found inaccessible window of class %s. Sending Enter" %
classname.value.lower())
USER32.SetActiveWindow(hwnd)
USER32.SetForegroundWindow(hwnd)
type_keyboard(0x09, 0x8F)
type_keyboard(0x0D, 0x9C)
USER32.EnumChildWindows(hwnd, EnumChildProc(foreach_child), 0)
#Turning off the ability of pressing objects in PDF, URL is good enough
#try:
#Get PID of current window
# win_pid = c_ulong(0)
# USER32.GetWindowThreadProcessId(hwnd,byref(win_pid))
#Get application name from PID
# procname = psutil.Process(win_pid.value)
# applicname = procname.name()
# tabVal = get_tab_val(win_pid.value)
#If this is PDF
# if "AcroRd" in applicname:
# log.info("App Name %s",applicname)
# log.info("TabValue: %s",str(tabVal))
# USER32.SetActiveWindow(hwnd)
# USER32.SetForegroundWindow(hwnd)
# log.info("Sending Tab and Enter")
#We are sending Tab different number of times
# to cover different URLs
#for y in range(0,tabVal):
# #Sending Tab
# type_keyboard(0x09,0x0F)
# time.sleep(0.1)
#Sending Enter
#type_keyboard(0x0D,0x1C)
#time.sleep(10)
#update_tab_val(win_pid.value)
#except:
# log.info("Raised exception")
# e = sys.exc_info()[0]
# log.info(str(e))
# e1 = sys.exc_info()[1]
# log.info(str(e1))
return True
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
"yes",
"ok",
"accept",
"next",
"install",
"run",
"agree",
"enable",
"don't send",
"continue",
"unzip",
"open",
]
# List of buttons labels to not click.
dontclick = [
"don't run",
]
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# Check if the class of the child is button.
if classname.value == "Button":
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
# Check if the button is set as "clickable" and click it.
textval = text.value.replace("&", "").lower()
for button in buttons:
if button in textval:
for btn in dontclick:
if btn in textval:
return False
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# Don't search for childs (USER32.EnumChildWindows).
return False
else:
# Recursively search for childs (USER32.EnumChildWindows).
return True
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
"yes", "ok", "accept", "next", "install", "run", "agree", "enable",
"don't send", "don't save", "continue", "unzip", "open",
"close the program", "save"
]
# List of buttons labels to not click.
dontclick = [
"don't run",
]
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# Check if the class of the child is button.
if classname.value == "Button":
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
textval = text.value.replace('&', '')
# Check if the button is set as "clickable" and click it.
for button in buttons:
if button in textval.lower():
dontclickb = False
for btn in dontclick:
if btn in textval.lower():
dontclickb = True
if not dontclickb:
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# only stop searching when we click a button
return False
return True
def click(hwnd):
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
# english
"yes",
"ok",
"accept",
"next",
"install",
"run",
"agree",
"enable",
"don't send",
"don't save",
"continue",
"unzip",
"open",
"close the program",
"save",
"later",
"finish",
"end",
"allow access",
"remind me later",
# german
"ja",
"weiter",
"akzeptieren",
"ende",
"starten",
"jetzt starten",
"neustarten",
"neu starten",
"jetzt neu starten",
"beenden",
"oeffnen",
"schliessen",
"installation weiterfuhren",
"fertig",
"beenden",
"fortsetzen",
"fortfahren",
"stimme zu",
"zustimmen",
"senden",
"nicht senden",
"speichern",
"nicht speichern",
"ausfuehren",
"spaeter",
"einverstanden"
]
# List of buttons labels to not click.
dontclick = [
# english
"check online for a solution",
"don't run",
"do not ask again until the next update is available",
"cancel",
"do not accept the agreement",
"i would like to help make reader even better",
# german
"abbrechen",
"online nach losung suchen",
"abbruch",
"nicht ausfuehren",
"hilfe",
"stimme nicht zu"
]
classname = create_unicode_buffer(128)
USER32.GetClassNameW(hwnd, classname, 128)
# Check if the class of the child is button.
if "button" in classname.value.lower(
) or classname.value == "NUIDialog" or classname.value == "bosa_sdm_msword":
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
if not length:
return True
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
textval = text.value.replace('&', '')
if "Microsoft" in textval and (classname.value == "NUIDialog" or
classname.value == "bosa_sdm_msword"):
log.info("Issuing keypress on Office dialog")
USER32.SetForegroundWindow(hwnd)
# enter key down/up
USER32.keybd_event(0x0d, 0x1c, 0, 0)
USER32.keybd_event(0x0d, 0x1c, 2, 0)
return False
# we don't want to bother clicking any non-visible child elements, as they
# generally won't respond and will cause us to fixate on them for the
# rest of the analysis, preventing progress with visible elements
if not USER32.IsWindowVisible(hwnd):
return True
# Check if the button is set as "clickable" and click it.
for button in buttons:
if button in textval.lower():
dontclickb = False
for btn in dontclick:
if btn in textval.lower():
dontclickb = True
if not dontclickb:
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# only stop searching when we click a button
return False
return True
def run(self):
try:
seconds = 0
randoff = random.randint(0, 10)
# add some random data to the clipboard
randchars = list(
" aaaabcddeeeeeefghhhiiillmnnnooooprrrsssttttuwy")
cliplen = random.randint(10, 1000)
clipval = []
for i in range(cliplen):
clipval.append(randchars[random.randint(0,
len(randchars) - 1)])
clipstr = "".join(clipval)
cliprawstr = create_string_buffer(clipstr)
USER32.OpenClipboard(None)
USER32.EmptyClipboard()
buf = KERNEL32.GlobalAlloc(GMEM_MOVEABLE, sizeof(cliprawstr))
lockbuf = KERNEL32.GlobalLock(buf)
memmove(lockbuf, cliprawstr, sizeof(cliprawstr))
KERNEL32.GlobalUnlock(buf)
USER32.SetClipboardData(CF_TEXT, buf)
USER32.CloseClipboard()
nohuman = self.options.get("nohuman")
if nohuman:
return True
officedoc = False
if hasattr(self.config, "file_type"):
file_type = self.config.file_type
file_name = self.config.file_name
if "Rich Text Format" in file_type or "Microsoft Word" in file_type or \
"Microsoft Office Word" in file_type or "MIME entity" in file_type or \
file_name.endswith((".doc", ".docx", ".rtf", ".mht", ".mso")):
officedoc = True
elif "Microsoft Office Excel" in file_type or "Microsoft Excel" in file_type or \
file_name.endswith((".xls", ".xlsx", ".xlsm", ".xlsb")):
officedoc = True
elif "Microsoft PowerPoint" in file_type or \
file_name.endswith((".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm")):
officedoc = True
USER32.EnumWindows(EnumWindowsProc(getwindowlist), 0)
while self.do_run:
if officedoc and (seconds % 30) == 0 and not CLOSED_OFFICE:
USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)
# only move the mouse 50% of the time, as malware can choose to act on an "idle" system just as it can on an "active" system
if random.randint(0, 3) > 1:
click_mouse()
move_mouse()
if (seconds % (15 + randoff)) == 0:
curwind = USER32.GetForegroundWindow()
other_hwnds = INITIAL_HWNDS[:]
try:
other_hwnds.remove(USER32.GetForegroundWindow())
except:
pass
if len(other_hwnds):
USER32.SetForegroundWindow(other_hwnds[random.randint(
0,
len(other_hwnds) - 1)])
USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
KERNEL32.Sleep(1000)
seconds += 1
except Exception as e:
error_exc = traceback.format_exc()
log.exception(error_exc)
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
"yes",
"oui",
"ok",
"i accept",
"next",
"suivant",
"new",
"nouveau",
"install",
"installer",
"file",
"fichier",
"run",
"start",
"marrer",
"cuter",
"i agree",
"accepte",
"enable",
"activer",
"accord",
"valider",
"don't send",
"ne pas envoyer",
"don't save",
"continue",
"continuer",
"personal",
"personnel",
"scan",
"scanner",
"unzip",
"dezip",
"open",
"ouvrir",
"close the program",
"execute",
"executer",
"launch",
"lancer",
"save",
"sauvegarder",
"download",
"load",
"charger",
"end",
"fin",
"terminer"
"later",
"finish",
"end",
"allow access",
"remind me later",
"save",
"sauvegarder",
"update",
"allow",
]
# List of buttons labels to not click.
dontclick = [
"don't run", "i do not accept",
"check for a solution and close the program", "close the program",
"never allow opening files of this type",
"always allow opening files of this type"
]
classname = create_unicode_buffer(50)
USER32.GetClassNameW(hwnd, classname, 50)
# Check if the class of the child is button.
if "button" in classname.value.lower():
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
# Check if the button is set as "clickable" and click it.
textval = text.value.replace("&", "").lower()
for button in buttons:
if button in textval:
for btn in dontclick:
if btn in textval:
break
else:
log.info("Found button %r, clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# Recursively search for childs (USER32.EnumChildWindows).
return True
def foreach_child(hwnd, lparam):
# List of buttons labels to click.
buttons = [
"yes",
"ok",
"accept",
"next",
"install",
"run",
"agree",
"enable",
"don't send",
"don't save",
"continue",
"unzip",
"open",
"close the program",
"save",
"later",
"finish",
"end",
"allow access",
]
# List of buttons labels to not click.
dontclick = [
"don't run",
"do not ask again until the next update is available",
]
classname = create_unicode_buffer(128)
USER32.GetClassNameW(hwnd, classname, 128)
# Check if the class of the child is button.
if "button" in classname.value.lower() or classname.value == "NUIDialog":
# Get the text of the button.
length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
if not length:
return True
text = create_unicode_buffer(length + 1)
USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
textval = text.value.replace('&', '')
if classname.value == "NUIDialog" and "Microsoft" in textval:
log.info("Issuing keypress on Office dialog")
USER32.SetForegroundWindow(hwnd)
# enter key down/up
USER32.keybd_event(0x0d, 0x1c, 0, 0)
USER32.keybd_event(0x0d, 0x1c, 2, 0)
return False
# Check if the button is set as "clickable" and click it.
for button in buttons:
if button in textval.lower():
dontclickb = False
for btn in dontclick:
if btn in textval.lower():
dontclickb = True
if not dontclickb:
log.info("Found button \"%s\", clicking it" % text.value)
USER32.SetForegroundWindow(hwnd)
KERNEL32.Sleep(1000)
USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
# only stop searching when we click a button
return False
return True
