trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Add notepad spy #79

Closed nowhey2 closed 2 years ago

nowhey2 commented 2 years ago

Idea based on: https://github.com/trainr3kt/NoteThief. The original would only grab the topmost Z-order item and stop, and it only handled Notepad. This module borrows code and searches all visible windows with non-null names for potential sources. It has been written in a way to support changing the WindowName search text and ControlName search text in the future (the Enum* functions don't easily support having two parameters, so I passed on this for the time being).

The module grabs the text by calling GetWindowTextA on the control object for the editor ('Edit' for notepad and 'Scintilla' for notepad++) and is not reliant on the clipboard.

I opened three Notepad windows containing 'test1', 'test2' and 'test3' respectively, and one Notepad++ window containing 'this is a test in notepad ++'.

Output of BOF:

> notepad
[*] Searching for open notepad windows
Running notepad

[*] Running notepad
[+] host called home, sent: 2690 bytes
received output:
[+] Notepad++ Found: Notepad++
this is a test in notepad ++

received output:
[+] Notepad++ Found: Notepad++

received output:
[+] Notepad++ Found: Notepad++

received output:
[+] Notepad++ Found: Notepad++

received output:
[+] Notepad Found: *Untitled - Notepad
test3

received output:
[+] Notepad Found: *Untitled - Notepad
test2

received output:
[+] Notepad Found: *Untitled - Notepad
test1

Notepad++ does have more than one Scintilla control. I did not dig into that further (that is why you see several reported).

freefirex commented 2 years ago

Thanks for this pull request.

Wanted to let you know I'll be taking time Monday to review the existing pull requests and issues. Should have feedback for you on that day.

nowhey2 commented 2 years ago

The memory leaks I will fix. The issue with the length being statically set was a legacy of the original BOF. Will get that fixed.

nowhey2 commented 2 years ago

OK, changes are all pushed. I fixed the memory leaks. I calculate the full text size rather than trying to truncate it (phear to those who dump a big file :) ) and use the new size to allocate the buffer. I removed unused code. I moved some of the variable declarations down to where they are used, as in most cases they are unnecessary earlier. I tried to make my whitespace and bracket spacing consistent, but at least as far as the whitespace goes, something was lost in translation.

nowhey2 commented 2 years ago

Oh, I just noticed I didn't update the readme; I guess it always feels presumptuous to me to do so.