System administration
dollar, 2019-05-11 17:11:26

How to make such a trap?

I want to make such a trap, but I don't know exactly how:
A passwords.txt file is created in the "My Documents" folder and some garbage is written into it. Then, at the lowest possible level, you need to track which programs (processes) try to read this file and its contents.
Those programs should of course be blocked and made to wait for user confirmation, or be killed at the user's discretion. Is it possible to implement this without too much effort? It can use standard tools and sit in the taskbar, as long as it works reliably and there is no way to bypass the trap.
Maybe there is some popular software for this, or very simple code for writing your own mini-program.
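The detection half of what is asked here (which process read the decoy) is something Windows can do with built-in object-access auditing, without hooking anything. The script below is an added example, not code from the question or from either answer; it assumes it is run from an elevated PowerShell session, and the file path, decoy contents and 2000-event window are constructed for the example.

```powershell
# Added example: a canary file watched with Windows object-access auditing.
# Assumes an elevated session; path and decoy content are constructed here.
$canary = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'passwords.txt'

# 1. Create the decoy. The content is meaningless filler, not a real credential.
Set-Content -Path $canary -Value 'admin:Winter2019!  (decoy, constructed for this example)' -Encoding ASCII

# 2. Switch on the "File System" object-access audit subcategory (machine-wide).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. Put a SACL on the file so every read attempt by anyone is logged as Event ID 4663.
$acl  = Get-Acl -Path $canary -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $canary -AclObject $acl

# 4. Report who touched it: pull 4663 events and keep those whose ObjectName is the canary.
function Get-CanaryReaders {
    param([string]$Path, [int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's <EventData><Data Name="..."> fields into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ObjectName'] -ieq $Path) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    ProcessId   = [int]$d['ProcessId']   # 4663 stores this as hex text, e.g. 0x1a2c
                    ProcessName = $d['ProcessName']
                    AccessMask  = $d['AccessMask']       # 0x1 = ReadData
                }
            }
        }
}

Get-CanaryReaders -Path $canary | Format-Table -AutoSize
```

This covers the "which process read it" requirement with standard tools and survives process restarts, but it is after-the-fact: the audit record is written once the read has happened, so the "block and wait for confirmation" part of the question cannot be met this way. What it does give you is a reliable Security-log event to alert on, for example by attaching a scheduled task to Event ID 4663.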


2 answer(s)
sddvxd, 2019-05-11
@dollar

I would do this: I would make a program that is embedded in a process that creates processes (for example, explorer.exe); in its import section I would replace the process-creation functions with my own and intercept the creation of processes. When intercepting process creation, call the original CreateProcess and remember the process handle. Inject a DLL into the newly created process to install the trap on the file-open function. If filename == path_to_file/passwords.txt, then the process self-destructs.

#include <windows.h>
#include <dbghelp.h>                       // ImageDirectoryEntryToData
#pragma comment(lib, "dbghelp.lib")

// Replaces one entry of callerModule's import address table (IAT): every call
// the module makes to `original` then lands in `swap`. Exception and getHandle()
// are members of the poster's Process class; getHandle() is the handle of the
// process whose IAT is being patched (GetCurrentProcess() for an in-process hook).
PROC replaceProcAddress(LPCSTR callerModule, PROC original, PROC swap){
    HMODULE callerHandle = GetModuleHandleA(callerModule);
    if(callerHandle == nullptr)
        throw Exception(L"callerHandle is NULL in Process::replaceProcAddress");

    // Locate the import directory of the already-mapped module.
    ULONG size;
    bool found = false;
    PIMAGE_IMPORT_DESCRIPTOR pImageDesc = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        ImageDirectoryEntryToData(callerHandle, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size));
    if(pImageDesc == nullptr)
        throw Exception(L"PIMAGE_IMPORT_DESCRIPTOR is NULL in Process::replaceProcAddress()");

    // One descriptor per imported DLL; walk each DLL's thunk array (the IAT slots).
    for(; pImageDesc->Name; pImageDesc++){
        PSTR pModName = reinterpret_cast<PSTR>(reinterpret_cast<PBYTE>(callerHandle) + pImageDesc->Name); // imported DLL name (not used here)
        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(reinterpret_cast<PBYTE>(callerHandle) + pImageDesc->FirstThunk);
        for(; pThunkData->u1.Function; pThunkData++){
            PROC* ppOriginalFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
            if(*ppOriginalFunc == original){
                found = true;
                // The IAT page is read-only once the loader has finished; make it
                // writable, overwrite the slot, then restore the old protection.
                DWORD dwOldProtect;
                if(VirtualProtect(ppOriginalFunc, sizeof(swap), PAGE_WRITECOPY, &dwOldProtect)){
                    if(!WriteProcessMemory(getHandle(), ppOriginalFunc, &swap, sizeof(swap), NULL))
                        throw Exception(L"Write memory is failed for replaceProcAddress");
                    VirtualProtect(ppOriginalFunc, sizeof(swap), dwOldProtect, &dwOldProtect);
                }
            }
        }
    }
    if(found) return swap;
    throw Exception(L"Address of procedure is not found in Process::replaceProcAddress()");
}

This is a function that swaps the address of a function in the import section for your own; the approach is from Jeffrey Richter.
