def get_office_window_click_around(hwnd, lparm):
    """EnumWindows callback: double-click across a visible Office document window.

    Simulates a user poking around an open Word/Excel/PowerPoint document so
    that content which only reacts to interaction gets a chance to run. Windows
    whose title does not mention one of the three Office products are left
    alone.

    Args:
        hwnd: handle of the top-level window being enumerated.
        lparm: unused EnumWindows callback parameter (name kept from the
            original callback signature).

    Returns:
        True in every case, so USER32.EnumWindows keeps enumerating.

    Side effects: moves the cursor, clicks, sleeps (20 s after a matching window
    has been clicked through) and sets the module global OFFICE_CLICK_AROUND to
    True once an Office window has been handled.
    """
    global OFFICE_CLICK_AROUND

    if not USER32.IsWindowVisible(hwnd):
        return True

    title = create_unicode_buffer(1024)
    USER32.GetWindowTextW(hwnd, title, 1024)
    office_products = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")
    if not any(product in title.value for product in office_products):
        return True

    mid_y = RESOLUTION["y"] // 2

    def double_click_at(x, y, settle_ms):
        # Re-raise the document before every pair of clicks so a dialog that
        # popped up in between does not swallow them.
        USER32.SetForegroundWindow(hwnd)
        USER32.SetCursorPos(x, y)
        click_mouse()
        KERNEL32.Sleep(50)
        click_mouse()
        KERNEL32.Sleep(settle_ms)

    # Start in the middle of the screen and give the document time to settle.
    double_click_at(RESOLUTION["x"] // 2, mid_y, 500)

    # Then sweep left to right through the middle band; the 80 px start and
    # 40 px end margins keep the clicks off the cell/row header on the side
    # and off the scroll bar.
    x = 80
    while x < RESOLUTION["x"] - 40:
        # The document may have been closed by whatever the clicks triggered.
        if not USER32.IsWindowVisible(hwnd):
            log.info("Breaking out of office click loop as our window went away")
            break
        double_click_at(x, mid_y, 50)
        if not USER32.IsWindowVisible(hwnd):
            break
        double_click_at(x, mid_y + random.randint(80, 200), 50)
        if not USER32.IsWindowVisible(hwnd):
            break
        double_click_at(x, mid_y - random.randint(80, 200), 50)
        x += random.randint(150, 200)
        KERNEL32.Sleep(50)

    # Let whatever the clicks set off run before the caller moves on.
    KERNEL32.Sleep(20000)
    OFFICE_CLICK_AROUND = True
    return True
def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: click child buttons carrying an affirmative label.

    Labels are matched case-insensitively by substring, in English and French,
    after the '&' accelerator marker has been stripped. A label that contains
    one of the ``forbidden`` phrases is never clicked, whatever else it matches.
    Every affirmative phrase that matches is acted on in turn, so a label that
    matches several entries receives several BM_CLICK messages.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        True, so the enumeration keeps recursing through the remaining children.
    """
    wanted = (
        "yes", "oui", "ok", "accept", "accepter", "next", "suivant",
        "install", "installer", "run", "agree", "j'accepte", "enable",
        "activer", "don't send", "ne pas envoyer", "don't save", "continue",
        "continuer", "unzip", "dezip", "open", "ouvrir", "close the program",
        "later", "finish", "end", "allow", "allow access", "execute",
        "executer", "launch", "lancer", "save", "sauvegarder",
    )
    forbidden = ("don't run", "do not open", "block")

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    if "button" not in classname.value.lower():
        return True

    # Read the control caption: WM_GETTEXTLENGTH sizes the buffer WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    text = create_unicode_buffer(length + 1)
    USER32.SetActiveWindow(hwnd)
    USER32.SetForegroundWindow(hwnd)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
    USER32.SetActiveWindow(hwnd)
    USER32.SetForegroundWindow(hwnd)

    label = text.value.replace("&", "").lower()
    # A single negative phrase vetoes the whole label, so test it once up front.
    if any(phrase in label for phrase in forbidden):
        return True
    for phrase in wanted:
        if phrase in label:
            log.info('Found button "%s", clicking it' % text.value)
            USER32.SetForegroundWindow(hwnd)
            KERNEL32.Sleep(1000)
            USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
    return True
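def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: click child buttons whose label looks affirmative.

    Only controls of window class "Button" are considered. The caption is read
    via WM_GETTEXT and compared case-insensitively by substring against a short
    English phrase list; every phrase that matches sends a BM_CLICK, so a label
    matching several entries is clicked several times.

    Fix over the original: the callback fell off the end without a return
    value. A ctypes callback declared with an integer result cannot convert
    None, which leaves the "continue enumeration" result to chance; it now
    returns True explicitly so USER32.EnumChildWindows keeps walking the
    remaining children (the behaviour the later revisions of this function
    adopted).

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        True, so the enumeration continues with the next child.
    """
    buttons = [
        "yes", "ok", "accept", "next", "install", "run", "agree", "enable",
        "don't send", "continue",
    ]

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    if classname.value == "Button":
        # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
        length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
        text = create_unicode_buffer(length + 1)
        USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)

        label = text.value.lower()
        for button in buttons:
            if button in label:
                log.info('Found button "%s", clicking it' % text.value)
                USER32.SetForegroundWindow(hwnd)
                # Give the window a moment to take focus before the click lands.
                KERNEL32.Sleep(1000)
                USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)

    # Keep enumerating the remaining children.
    return True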
def foreach_window(hwnd, lparam):
    """EnumWindows callback: nudge a visible top-level window and scan its buttons.

    For a visible window whose class name contains one of the entries of the
    module-level ``default_action_win`` list, Tab and Enter are typed into it
    (the comment in the original describes these classes as inaccessible via
    User32, so the hope is that a default action accepts Enter). Every visible
    window then has its children enumerated with ``foreach_child`` so that any
    affirmative button gets clicked.

    The earlier Acrobat-specific behaviour (looking the owning process up by
    PID and tabbing through links) was disabled by the author on the grounds
    that following the URL is good enough, and is not reproduced here.

    Args:
        hwnd: handle of the top-level window being enumerated.
        lparam: unused EnumWindows callback parameter.

    Returns:
        True in every case, so USER32.EnumWindows keeps enumerating.
    """
    if not USER32.IsWindowVisible(hwnd):
        return True

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    lowered = classname.value.lower()

    for known in default_action_win:
        if known in lowered:
            log.info("Found inaccessible window of class %s. Sending Enter" % lowered)
            USER32.SetActiveWindow(hwnd)
            USER32.SetForegroundWindow(hwnd)
            # Tab, then Enter (virtual key, scan code).
            # NOTE(review): the scan codes 0x8F/0x9C differ from the 0x0F/0x1C
            # used for the same virtual keys elsewhere in this file — confirm
            # this is intended.
            type_keyboard(0x09, 0x8F)
            type_keyboard(0x0D, 0x9C)

    USER32.EnumChildWindows(hwnd, EnumChildProc(foreach_child), 0)
    return True
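def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: click the first affirmative button of a dialog.

    Only controls of window class "Button" are considered. The caption is read
    via WM_GETTEXT, stripped of the '&' accelerator marker and compared
    case-insensitively by substring against ``buttons``; a caption that also
    contains a ``dontclick`` phrase is skipped.

    Fix over the original: a caption matching a ``dontclick`` phrase returned
    False, which makes USER32.EnumChildWindows abandon the whole pass, so the
    other buttons of the same dialog (for instance the "Run" next to a
    "Don't run") were never examined. Such a button is now skipped and the
    enumeration continues; only an actual click stops it.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        False once a button has been clicked (stop this enumeration pass),
        True otherwise so the remaining children are still visited.
    """
    buttons = [
        "yes", "ok", "accept", "next", "install", "run", "agree", "enable",
        "don't send", "continue", "unzip", "open",
    ]
    dontclick = [
        "don't run",
    ]

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    if classname.value != "Button":
        return True

    # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    text = create_unicode_buffer(length + 1)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)

    label = text.value.replace("&", "").lower()
    for button in buttons:
        if button not in label:
            continue
        if any(bad in label for bad in dontclick):
            # Negative button: leave it alone but keep walking the siblings.
            return True
        log.info('Found button "%s", clicking it' % text.value)
        USER32.SetForegroundWindow(hwnd)
        # Give the window a moment to take focus before the click lands.
        KERNEL32.Sleep(1000)
        USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
        # One click per pass; stop enumerating so the dialog can react.
        return False

    return True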
def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: click the first affirmative button of a dialog.

    Only controls of window class "Button" are considered. The caption is read
    via WM_GETTEXT, stripped of the '&' accelerator marker and matched
    case-insensitively by substring. A caption containing a ``forbidden``
    phrase is never clicked; otherwise the first ``wanted`` phrase that matches
    triggers a single BM_CLICK and ends the enumeration pass.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        False right after a button has been clicked (stop enumerating), True
        otherwise so USER32.EnumChildWindows keeps going.
    """
    wanted = (
        "yes", "ok", "accept", "next", "install", "run", "agree", "enable",
        "don't send", "don't save", "continue", "unzip", "open",
        "close the program", "save",
    )
    forbidden = ("don't run",)

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    if classname.value != "Button":
        return True

    # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    text = create_unicode_buffer(length + 1)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)

    label = text.value.replace('&', '').lower()
    # A negative phrase vetoes the label regardless of what else it matches.
    if any(phrase in label for phrase in forbidden):
        return True

    for phrase in wanted:
        if phrase in label:
            log.info('Found button "%s", clicking it' % text.value)
            USER32.SetForegroundWindow(hwnd)
            # Give the window a moment to take focus before the click lands.
            KERNEL32.Sleep(1000)
            USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
            # Only stop searching once a button has actually been clicked.
            return False

    return True
def click(hwnd):
    """Raise the window *hwnd*, wait one second, then send it a BM_CLICK.

    Args:
        hwnd: handle of the button (or other control) to click.

    The delay gives the window time to take focus before the click message
    arrives; nothing is returned.
    """
    bring_to_front = USER32.SetForegroundWindow
    pause_ms = KERNEL32.Sleep
    send = USER32.SendMessageW

    bring_to_front(hwnd)
    pause_ms(1000)
    send(hwnd, BM_CLICK, 0, 0)
def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: dismiss Office dialogs and click affirmative buttons.

    Handles three kinds of child window: ordinary controls whose class name
    contains "button", and the Office dialog classes "NUIDialog" and
    "bosa_sdm_msword". The caption is read via WM_GETTEXT; an empty caption is
    skipped. An Office dialog whose caption contains "Microsoft" is not a
    clickable button, so Enter is synthesised with keybd_event instead (the
    second call passes flag 2, KEYEVENTF_KEYUP). Invisible children are skipped
    because they do not respond to clicks and would otherwise be retried on
    every pass. For everything else the caption, stripped of '&' and lowered,
    is matched by substring against the English/German ``wanted`` list unless
    it also contains a ``forbidden`` phrase.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        False after a click or an Enter keypress (stop this enumeration pass),
        True otherwise so USER32.EnumChildWindows keeps going.
    """
    wanted = (
        # english
        "yes", "ok", "accept", "next", "install", "run", "agree", "enable",
        "don't send", "don't save", "continue", "unzip", "open",
        "close the program", "save", "later", "finish", "end", "allow access",
        "remind me later",
        # german
        "ja", "weiter", "akzeptieren", "ende", "starten", "jetzt starten",
        "neustarten", "neu starten", "jetzt neu starten", "beenden", "oeffnen",
        "schliessen", "installation weiterfuhren", "fertig", "beenden",
        "fortsetzen", "fortfahren", "stimme zu", "zustimmen", "senden",
        "nicht senden", "speichern", "nicht speichern", "ausfuehren",
        "spaeter", "einverstanden",
    )
    forbidden = (
        # english
        "check online for a solution", "don't run",
        "do not ask again until the next update is available", "cancel",
        "do not accept the agreement",
        "i would like to help make reader even better",
        # german
        "abbrechen", "online nach losung suchen", "abbruch",
        "nicht ausfuehren", "hilfe", "stimme nicht zu",
    )
    office_dialog_classes = ("NUIDialog", "bosa_sdm_msword")

    classname = create_unicode_buffer(128)
    USER32.GetClassNameW(hwnd, classname, 128)
    cls = classname.value
    is_office_dialog = cls in office_dialog_classes
    if "button" not in cls.lower() and not is_office_dialog:
        return True

    # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    if not length:
        return True
    text = create_unicode_buffer(length + 1)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
    caption = text.value.replace('&', '')

    if is_office_dialog and "Microsoft" in caption:
        log.info("Issuing keypress on Office dialog")
        USER32.SetForegroundWindow(hwnd)
        # Enter: key down, then key up (flag 2 = KEYEVENTF_KEYUP).
        USER32.keybd_event(0x0d, 0x1c, 0, 0)
        USER32.keybd_event(0x0d, 0x1c, 2, 0)
        return False

    # Non-visible children generally do not respond and would be fixated on
    # for the rest of the analysis, starving the visible ones.
    if not USER32.IsWindowVisible(hwnd):
        return True

    label = caption.lower()
    if any(phrase in label for phrase in forbidden):
        return True

    for phrase in wanted:
        if phrase in label:
            log.info('Found button "%s", clicking it' % text.value)
            USER32.SetForegroundWindow(hwnd)
            # Give the window a moment to take focus before the click lands.
            KERNEL32.Sleep(1000)
            USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
            # Only stop searching once a button has actually been clicked.
            return False

    return True
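def run(self):
    """Drive the simulated-user loop until ``self.do_run`` is cleared.

    On start the clipboard is seeded with random letter soup so that it is not
    empty. If the ``nohuman`` option is set the method returns immediately
    afterwards. Otherwise, once per second while ``self.do_run`` holds, it:

    * every 30 s, if the sample looks like an Office document (by
      ``self.config.file_type`` / ``file_name``) and the module global
      CLOSED_OFFICE is not set, runs ``get_office_window`` over all windows;
    * with probability 1/2 clicks and moves the mouse (only half of the time,
      because malware may act on an "idle" system just as on an "active" one);
    * every ``15 + randoff`` seconds brings a random window from
      INITIAL_HWNDS other than the current foreground one to the front;
    * runs ``foreach_window`` over all top-level windows.

    Any exception escaping the loop is logged with its traceback and ends the
    loop; nothing is re-raised.

    Changes over the original: the bare ``except:`` around ``list.remove``
    now catches only ``ValueError``, ``random.choice`` replaces the manual
    index arithmetic, unused locals were dropped, the clipboard is only
    written when OpenClipboard/GlobalLock succeed (and is always closed), and
    the traceback is no longer logged twice.

    Returns:
        True when ``nohuman`` short-circuits the loop, None otherwise.
    """
    try:
        seconds = 0
        randoff = random.randint(0, 10)

        # Seed the clipboard with random data: a blank clipboard is one more
        # tell that nobody has used this machine.
        randchars = " aaaabcddeeeeeefghhhiiillmnnnooooprrrsssttttuwy"
        cliplen = random.randint(10, 1000)
        clipstr = "".join(random.choice(randchars) for _ in range(cliplen))
        cliprawstr = create_string_buffer(clipstr)
        if USER32.OpenClipboard(None):
            try:
                USER32.EmptyClipboard()
                buf = KERNEL32.GlobalAlloc(GMEM_MOVEABLE, sizeof(cliprawstr))
                lockbuf = KERNEL32.GlobalLock(buf) if buf else None
                if lockbuf:
                    memmove(lockbuf, cliprawstr, sizeof(cliprawstr))
                    KERNEL32.GlobalUnlock(buf)
                    # The clipboard takes ownership of buf on success, so it
                    # is deliberately not freed here.
                    USER32.SetClipboardData(CF_TEXT, buf)
                else:
                    if buf:
                        KERNEL32.GlobalFree(buf)
                    log.info("Could not allocate clipboard buffer; skipping clipboard seeding")
            finally:
                USER32.CloseClipboard()
        else:
            log.info("Could not open the clipboard; skipping clipboard seeding")

        if self.options.get("nohuman"):
            return True

        # Decide whether the sample is an Office document, by libmagic-style
        # type string or by extension.
        officedoc = False
        if hasattr(self.config, "file_type"):
            file_type = self.config.file_type
            file_name = self.config.file_name
            families = (
                (("Rich Text Format", "Microsoft Word", "Microsoft Office Word", "MIME entity"),
                 (".doc", ".docx", ".rtf", ".mht", ".mso")),
                (("Microsoft Office Excel", "Microsoft Excel"),
                 (".xls", ".xlsx", ".xlsm", ".xlsb")),
                (("Microsoft PowerPoint",),
                 (".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm")),
            )
            officedoc = any(
                any(marker in file_type for marker in markers) or file_name.endswith(exts)
                for markers, exts in families
            )

        USER32.EnumWindows(EnumWindowsProc(getwindowlist), 0)

        while self.do_run:
            if officedoc and seconds % 30 == 0 and not CLOSED_OFFICE:
                USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)

            # Only move the mouse 50% of the time: malware can choose to act on
            # an "idle" system just as it can on an "active" one.
            if random.randint(0, 3) > 1:
                click_mouse()
                move_mouse()

            if seconds % (15 + randoff) == 0:
                other_hwnds = INITIAL_HWNDS[:]
                try:
                    other_hwnds.remove(USER32.GetForegroundWindow())
                except ValueError:
                    # The foreground window is not one of the initial ones.
                    pass
                if other_hwnds:
                    USER32.SetForegroundWindow(random.choice(other_hwnds))

            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)
            seconds += 1
    except Exception:
        # log.exception attaches the traceback itself.
        log.exception("Human interaction loop terminated by an unexpected error")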
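def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: click child buttons carrying an affirmative label.

    Controls whose class name contains "button" have their caption read via
    WM_GETTEXT, stripped of the '&' accelerator marker and lowered, then
    matched by substring against an English/French phrase list. A caption that
    also contains one of the ``dontclick`` phrases is never clicked. Some
    French entries ("marrer", "cuter", "accord") are presumably the ASCII
    tails of accented words such as "démarrer" / "exécuter" / "d'accord"; they
    are kept as the author wrote them.

    Fixes over the original: a missing comma turned ``"terminer" "later"``
    into the single phrase "terminerlater", so neither word was ever matched;
    duplicate entries ("end", "save", "sauvegarder") caused one caption to be
    clicked and logged once per duplicate; and "close the program" was listed
    in both lists, where ``dontclick`` always won, so it is now only a
    ``dontclick`` phrase. A matching caption is now clicked exactly once.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        True, so the enumeration keeps recursing through the remaining children.
    """
    buttons = [
        "yes", "oui", "ok", "i accept", "next", "suivant", "new", "nouveau",
        "install", "installer", "file", "fichier", "run", "start", "marrer",
        "cuter", "i agree", "accepte", "enable", "activer", "accord", "valider",
        "don't send", "ne pas envoyer", "don't save", "continue", "continuer",
        "personal", "personnel", "scan", "scanner", "unzip", "dezip", "open",
        "ouvrir", "execute", "executer", "launch", "lancer", "save",
        "sauvegarder", "download", "load", "charger", "end", "fin",
        "terminer", "later", "finish", "allow access", "remind me later",
        "update", "allow",
    ]
    dontclick = [
        "don't run",
        "i do not accept",
        "check for a solution and close the program",
        "close the program",
        "never allow opening files of this type",
        "always allow opening files of this type",
    ]

    classname = create_unicode_buffer(50)
    USER32.GetClassNameW(hwnd, classname, 50)
    if "button" not in classname.value.lower():
        return True

    # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    text = create_unicode_buffer(length + 1)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)

    label = text.value.replace("&", "").lower()
    # A single negative phrase vetoes the label regardless of what else it matches.
    if any(bad in label for bad in dontclick):
        return True
    if any(button in label for button in buttons):
        log.info("Found button %r, clicking it" % text.value)
        USER32.SetForegroundWindow(hwnd)
        # Give the window a moment to take focus before the click lands.
        KERNEL32.Sleep(1000)
        USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)

    # Keep recursing through the remaining children.
    return True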
def foreach_child(hwnd, lparam):
    """EnumChildWindows callback: dismiss Office "NUIDialog" prompts and click affirmative buttons.

    Handles controls whose class name contains "button" and the Office dialog
    class "NUIDialog". The caption is read via WM_GETTEXT; an empty caption is
    skipped. A NUIDialog whose caption contains "Microsoft" is not a clickable
    button, so Enter is synthesised with keybd_event instead (the second call
    passes flag 2, KEYEVENTF_KEYUP). Otherwise the caption, stripped of '&' and
    lowered, is matched by substring against ``wanted`` unless it also contains
    a ``forbidden`` phrase; the first match gets a single BM_CLICK.

    Args:
        hwnd: handle of the child window being enumerated.
        lparam: unused EnumChildWindows callback parameter.

    Returns:
        False after a click or an Enter keypress (stop this enumeration pass),
        True otherwise so USER32.EnumChildWindows keeps going.
    """
    wanted = (
        "yes", "ok", "accept", "next", "install", "run", "agree", "enable",
        "don't send", "don't save", "continue", "unzip", "open",
        "close the program", "save", "later", "finish", "end", "allow access",
    )
    forbidden = (
        "don't run",
        "do not ask again until the next update is available",
    )

    classname = create_unicode_buffer(128)
    USER32.GetClassNameW(hwnd, classname, 128)
    cls = classname.value
    is_office_dialog = cls == "NUIDialog"
    if "button" not in cls.lower() and not is_office_dialog:
        return True

    # WM_GETTEXTLENGTH sizes the buffer that WM_GETTEXT fills.
    length = USER32.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    if not length:
        return True
    text = create_unicode_buffer(length + 1)
    USER32.SendMessageW(hwnd, WM_GETTEXT, length + 1, text)
    caption = text.value.replace('&', '')

    if is_office_dialog and "Microsoft" in caption:
        log.info("Issuing keypress on Office dialog")
        USER32.SetForegroundWindow(hwnd)
        # Enter: key down, then key up (flag 2 = KEYEVENTF_KEYUP).
        USER32.keybd_event(0x0d, 0x1c, 0, 0)
        USER32.keybd_event(0x0d, 0x1c, 2, 0)
        return False

    label = caption.lower()
    if any(phrase in label for phrase in forbidden):
        return True

    for phrase in wanted:
        if phrase in label:
            log.info('Found button "%s", clicking it' % text.value)
            USER32.SetForegroundWindow(hwnd)
            # Give the window a moment to take focus before the click lands.
            KERNEL32.Sleep(1000)
            USER32.SendMessageW(hwnd, BM_CLICK, 0, 0)
            # Only stop searching once a button has actually been clicked.
            return False

    return True