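def _double_click_at(hwnd, x, y, settle=50):
    """Bring *hwnd* to the front, park the cursor at (x, y) and double-click.

    The two presses come from the module-level click_mouse() with a 50 ms
    KERNEL32.Sleep between them; *settle* is the pause (ms) after the
    second press. NOTE(review): the click_mouse() definitions in this file
    reposition the cursor themselves before pressing, so the (x, y) set
    here may only decide where the pointer hovers rather than where the
    click lands — confirm against the active click_mouse().
    """
    USER32.SetForegroundWindow(hwnd)
    USER32.SetCursorPos(x, y)
    click_mouse()
    KERNEL32.Sleep(50)
    click_mouse()
    KERNEL32.Sleep(settle)


def get_office_window_click_around(hwnd, lparm):
    """EnumWindows callback: click around inside a visible Office window.

    If the window title names Word, Excel or PowerPoint, double-clicks the
    screen centre, then sweeps left to right double-clicking at three
    heights (centre, and a random 80-200 px above and below it). The sweep
    starts at x=80 and stops 40 px before the right edge, which the
    original comment attributes to the cell-position column on the side
    and the scroll bar. Visibility of *hwnd* is re-checked before every
    click so the loop stops as soon as the window goes away instead of
    clicking on whatever is underneath.

    Args:
        hwnd: window handle passed in by EnumWindows.
        lparm: EnumWindows LPARAM; unused, but part of the callback shape.

    Returns:
        True, so EnumWindows continues with the next window.

    Side effects:
        After a matching window has been processed, sleeps 20 s and sets
        the module global OFFICE_CLICK_AROUND to True.
    """
    global OFFICE_CLICK_AROUND
    if not USER32.IsWindowVisible(hwnd):
        return True

    text = create_unicode_buffer(1024)
    USER32.GetWindowTextW(hwnd, text, 1024)
    office_titles = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")
    if not any(title in text.value for title in office_titles):
        return True

    mid_y = RESOLUTION["y"] // 2
    # First click the middle, then give the application longer to settle.
    _double_click_at(hwnd, RESOLUTION["x"] // 2, mid_y, settle=500)

    # Click through the middle with an offset for the cell-position column
    # on the side and the scroll bar on the right.
    x = 80
    while x < RESOLUTION["x"] - 40:
        # make sure the window still exists
        if not USER32.IsWindowVisible(hwnd):
            log.info("Breaking out of office click loop as our window went away")
            break
        _double_click_at(hwnd, x, mid_y)
        if not USER32.IsWindowVisible(hwnd):
            break
        _double_click_at(hwnd, x, mid_y + random.randint(80, 200))
        if not USER32.IsWindowVisible(hwnd):
            break
        _double_click_at(hwnd, x, mid_y - random.randint(80, 200))
        # Random stride so the click pattern is not identical between runs.
        x += random.randint(150, 200)
        KERNEL32.Sleep(50)

    KERNEL32.Sleep(20000)
    OFFICE_CLICK_AROUND = True
    return True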
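def click_mouse():
    """Perform one left click with the cursor parked at the top-middle of the screen.

    The cursor is moved to (width/2, 0) first, so the press does not land on
    whatever happens to be under the pointer; a 50 ms gap separates the
    button-down and button-up events.
    """
    # Integer division: SetCursorPos takes ints, and under Python 3 a bare
    # "/" would hand ctypes a float.
    USER32.SetCursorPos(RESOLUTION["x"] // 2, 0)
    # Mouse down (MOUSEEVENTF_LEFTDOWN).
    USER32.mouse_event(2, 0, 0, 0, None)
    KERNEL32.Sleep(50)
    # Mouse up (MOUSEEVENTF_LEFTUP).
    USER32.mouse_event(4, 0, 0, 0, None)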
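def click_mouse():
    """Perform one left click at a randomised spot on the top or bottom screen edge.

    The x position is the screen width divided by 2, 4 or 8 and the y
    position is either 0 or the full height, so successive clicks are not
    identical; the hold time between button-down and button-up is also
    picked from a small set of values.
    """
    # Integer division: SetCursorPos takes ints, and under Python 3 a bare
    # "/" would hand ctypes a float.
    USER32.SetCursorPos(
        RESOLUTION["x"] // random.choice([2, 4, 8]),
        random.choice([0, RESOLUTION["y"]]),
    )
    # Mouse down (MOUSEEVENTF_LEFTDOWN).
    USER32.mouse_event(2, 0, 0, 0, None)
    KERNEL32.Sleep(random.choice([20, 30, 40, 50]))
    # Mouse up (MOUSEEVENTF_LEFTUP).
    USER32.mouse_event(4, 0, 0, 0, None)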
def move_mouse():
    """Warp the cursor to a uniformly random point anywhere on the screen.

    Uses SetCursorPos rather than a relative mouse_event(0x8000, ...):
    per the original author's note, GetCursorPos-based checks did not
    observe the mouse_event variant. Because the cursor genuinely moves,
    this can trigger hover or click effects on the desktop; the same note
    suggests making the feature optional.
    """
    target = (
        random.randint(0, RESOLUTION["x"]),
        random.randint(0, RESOLUTION["y"]),
    )
    USER32.SetCursorPos(*target)
def move_mouse():
    """Warp the cursor to a random point, keeping clear of the desktop icon column.

    x is drawn from the right three quarters of the taskbar-excluded width
    (the original comment: start at a quarter of the resolution to avoid
    mousing over desktop icons); y spans the whole taskbar-excluded height.

    Uses SetCursorPos rather than a relative mouse_event(0x8000, ...):
    per the original author's note, GetCursorPos-based checks did not
    observe the mouse_event variant. Because the cursor genuinely moves,
    this can trigger hover or click effects on the desktop; the same note
    suggests making the feature optional.
    """
    usable_width = RESOLUTION_WITHOUT_TASKBAR["x"]
    usable_height = RESOLUTION_WITHOUT_TASKBAR["y"]
    x = random.randint(usable_width // 4, usable_width)
    y = random.randint(0, usable_height)
    USER32.SetCursorPos(x, y)
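def run(self):
    """Main loop of the human-activity emulation.

    Seeds the clipboard with random text, decides from the analysis config
    whether the sample is an Office document, then once a second until
    self.do_run is cleared: usually clicks and moves the mouse, every
    15 + randoff seconds brings another of the initially recorded windows
    to the foreground, and walks all top-level windows with foreach_window.
    For Office documents, once per 30 s after the first 45 s it also runs
    the click-around pass, until OFFICE_CLICK_AROUND or CLOSED_OFFICE is
    set.

    Honors the "nohuman" analysis option by returning right after the
    clipboard has been seeded. Any exception is logged with its traceback
    and ends the loop; nothing is re-raised.

    Returns:
        True when "nohuman" is set; otherwise None when the loop ends.
    """
    global OFFICE_CLICK_AROUND
    try:
        seconds = 0
        # Random offset so the window-switch cadence differs between runs.
        randoff = random.randint(0, 10)

        # Add some random data to the clipboard (presumably so the guest
        # does not look freshly provisioned; the original only says
        # "random data"). Letters are weighted roughly like English text.
        randchars = " aaaabcddeeeeeefghhhiiillmnnnooooprrrsssttttuwy"
        cliplen = random.randint(10, 1000)
        clipstr = "".join(random.choice(randchars) for _ in range(cliplen))
        cliprawstr = create_unicode_buffer(clipstr)
        if USER32.OpenClipboard(None):
            # Close the clipboard on every path: while it is open no other
            # process can use it.
            try:
                USER32.EmptyClipboard()
                buf = KERNEL32.GlobalAlloc(GMEM_MOVEABLE, sizeof(cliprawstr))
                # A NULL allocation or lock must not reach memmove, which
                # would fault the whole process.
                lockbuf = KERNEL32.GlobalLock(buf) if buf else None
                if lockbuf:
                    memmove(lockbuf, cliprawstr, sizeof(cliprawstr))
                    KERNEL32.GlobalUnlock(buf)
                    # NOTE(review): the buffer is UTF-16 (create_unicode_buffer)
                    # but is registered as CF_TEXT, which consumers read as
                    # ANSI and cut at the first NUL byte, i.e. after the first
                    # character. CF_UNICODETEXT looks intended; kept as-is
                    # pending confirmation. Once handed over, the clipboard
                    # owns buf.
                    USER32.SetClipboardData(CF_TEXT, buf)
                elif buf:
                    # Nothing was handed to the clipboard, so free it ourselves.
                    KERNEL32.GlobalFree(buf)
            finally:
                USER32.CloseClipboard()

        if self.options.get("nohuman"):
            return True

        # Decide whether the sample is an Office document from the file
        # type string and/or the file extension.
        officedoc = False
        if hasattr(self.config, "file_type"):
            file_type = self.config.file_type
            file_name = self.config.file_name
            if (
                "Rich Text Format" in file_type
                or "Microsoft Word" in file_type
                or "Microsoft Office Word" in file_type
                or "MIME entity" in file_type
                or file_name.endswith((".doc", ".docx", ".rtf", ".mht", ".mso"))
            ):
                officedoc = True
            elif (
                "Microsoft Office Excel" in file_type
                or "Microsoft Excel" in file_type
                or file_name.endswith((".xls", ".xlsx", ".xlsm", ".xlsb"))
            ):
                officedoc = True
            elif "Microsoft PowerPoint" in file_type or file_name.endswith(
                (".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm")
            ):
                officedoc = True

        USER32.EnumWindows(EnumWindowsProc(getwindowlist), 0)
        while self.do_run:
            if (
                officedoc
                and seconds > 45
                and seconds % 30 == 0
                and not OFFICE_CLICK_AROUND
                and not CLOSED_OFFICE
            ):
                USER32.EnumWindows(EnumWindowsProc(get_office_window_click_around), 0)
                USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)

            # only move the mouse 75% of the time, as malware can choose to
            # act on an "idle" system just as it can on an "active" system
            if random.randint(0, 7) > 1:
                USER32.SetCursorPos(RESOLUTION["x"] // 2, 0)
                click_mouse()
                move_mouse()

            if seconds % (15 + randoff) == 0:
                # Bring one of the windows recorded at start-up to the front,
                # excluding whichever is already in the foreground.
                other_hwnds = INITIAL_HWNDS[:]
                try:
                    other_hwnds.remove(USER32.GetForegroundWindow())
                except ValueError:
                    # foreground window is not one of the recorded handles
                    pass
                if other_hwnds:
                    USER32.SetForegroundWindow(random.choice(other_hwnds))

            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)
            seconds += 1
    except Exception:
        error_exc = traceback.format_exc()
        log.exception(error_exc)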
def move_mouse(x, y):
    """Place the cursor at the absolute screen position (x, y) via SetCursorPos."""
    position = (x, y)
    USER32.SetCursorPos(*position)