botkiller source vb6/c++


VB6

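Option Explicit

' --- Module declarations ----------------------------------------------------
' Toolhelp snapshot flags (tlhelp32.h): process list / module list of one PID.
Private Const TH32CS_SNAPPROCESS As Long = &H2
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const MAX_PATH As Integer = 260
' Access mask from winnt.h. The original listing defined this as 0, which
' requests no rights at all, so the handle returned by OpenProcess could never
' be used for ReadProcessMemory or TerminateProcess. &H1F0FFF is the classic
' (pre-Vista) value of PROCESS_ALL_ACCESS and is accepted by every Windows
' version; newer SDKs define a wider mask, which older kernels reject.
' NOTE(review): request only the rights a call site needs (PROCESS_VM_READ for
' scanning, PROCESS_TERMINATE for killing) instead of this mask where possible.
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
' One signature: a label for the log and the substring searched for in memory.
Private Type s_Search
    szBot As String
    szString As String
End Type
Private Const FILE_ATTRIBUTE_NORMAL As Long = &H80
' Signature table. It is a dynamic array and must be ReDim'd and filled at run
' time before DoSearch uses it (VB6 has no static initialiser for UDT arrays).
Private sSearch() As s_Search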

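' --- Signature table --------------------------------------------------------
' The C initialiser that was pasted here is not VB6 syntax: there is no static
' initialiser for a UDT array, and the declarations section of a form module
' may hold only declarations, so the compiler rejects this whole section. The
' table has to be filled at run time (ReDim sSearch and assign each element)
' from a procedure that runs before DoSearch; the entries are the same
' (label, substring) pairs as in the C++ listing further down this page.
'
' NOTE(review): most of these substrings ("Main", "Port", "UDP", "URL", "host",
' "Accepted", "Wrong", "MSN") occur in the memory of almost any program, and
' several are empty strings, which InStr treats as a match against anything.
' A hit leads to TerminateProcess and DeleteFile, so this list will destroy
' legitimate software. Treat it as a demonstration, not a detection set.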
' Mirror of the tlhelp32.h MODULEENTRY32 structure (ANSI). szModule is
' MAX_MODULE_NAME32 + 1 = 256 bytes and szExePath is MAX_PATH bytes; the API
' writes a NUL-terminated name into each fixed-length buffer, so trim at the
' first vbNullChar before comparing or displaying them.
' NOTE(review): modBaseAddr/hModule are 32-bit Longs here, which only matches
' the 32-bit layout - fine for a VB6 (32-bit) build.
Private Type MODULEENTRY32
dwSize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Long
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 260
End Type
' Mirror of the tlhelp32.h PROCESSENTRY32 structure (ANSI). dwSize must be set
' to Len(uProcess) before Process32First. szExeFile holds the NUL-terminated
' image name inside a MAX_PATH fixed-length buffer; trim at the first
' vbNullChar before comparing it with anything.
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type
' NOTE(review): this is a field-for-field copy of PROCESSENTRY32 and is not
' referenced anywhere in this listing. In the SDK the "LP" prefix denotes a
' pointer typedef to the same struct, not a second structure; this Type can
' be removed.
Private Type LPPROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type
' --- Win32 imports (ANSI entry points) --------------------------------------
' Snapshot of all processes (TH32CS_SNAPPROCESS, lProcessID ignored) or of the
' modules of one process (TH32CS_SNAPMODULE, lProcessID = target PID).
' Returns INVALID_HANDLE_VALUE (-1) on failure.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, _
ByVal lProcessID As Long) As Long
' Walk the process snapshot; uProcess.dwSize must be set before the first call.
' Both return 0 when there are no (more) entries.
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, _
uProcess As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, _
uProcess As PROCESSENTRY32) As Long
' Declared as a Sub, so the BOOL result is discarded.
Private Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
' hModule = 0 returns the path of the running executable into lpFileName.
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, _
ByVal lpFileName As String, _
ByVal nSize As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
' Returns 0 on failure (typically access denied); the caller must check the
' result before passing the handle to ReadProcessMemory or TerminateProcess.
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, _
ByVal blnheritHandle As Long, _
ByVal dwAppProcessId As Long) As Long
Private Declare Function SetFileAttributes Lib "kernel32.dll" Alias "SetFileAttributesA" (ByVal lpFileName As String, _
ByVal dwFileAttributes As Long) As Long
Private Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
Private Declare Sub ZeroMemory Lib "kernel32.dll" Alias "RtlZeroMemory" (Destination As Any, _
ByVal Length As Long)
' Walk the module snapshot; uProcess.dwSize must be set before the first call.
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, _
uProcess As MODULEENTRY32) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, _
ByVal uExitCode As Long) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, _
uProcess As MODULEENTRY32) As Long
' Reads nSize bytes at lpBaseAddress of hProcess into lpBuffer. The last
' argument receives the number of bytes actually read (the name "Written" is
' a copy-paste from WriteProcessMemory); it is ByRef Long, so a Long variable
' must be passed - passing Null is a type mismatch. Returns 0 on failure.
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Button handler: run one full scan pass over the process list.
Private Sub Command1_Click()
    Call int_main
End Sub
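' Number of entries in sSearch(), or 0 if the table was never allocated
' (UBound raises error 9 on an unallocated dynamic array).
Private Function SearchTableCount() As Long
    On Error Resume Next
    SearchTableCount = UBound(sSearch) - LBound(sSearch) + 1
    If Err.Number <> 0 Then SearchTableCount = 0
End Function

' Scan [uStartAddr, uEndAddr] of the process described by uProcess for every
' signature in sSearch(); log to List1 and hand the process to KillBot on the
' first hit.
'
' Fixes relative to the original listing:
'   * the OpenProcess result was discarded, so ReadProcessMemory was always
'     called with hProcess = 0 and every read failed;
'   * the For loop header was malformed, and the loop advanced one byte per
'     0x500-byte read; it now steps by the chunk size, keeping a small overlap
'     so a signature split across two chunks is still found;
'   * Null was passed for the ByRef bytes-read argument (type mismatch);
'   * the signature loop compared .szString with Null and never executed;
'   * empty signatures are skipped - InStr(x, "") is always 1, which would
'     have flagged every readable process;
'   * the buffer is a Byte array converted with StrConv, so the bytes are
'     not mangled by VB's ANSI/Unicode round trip of a String argument.
' Only PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION is requested: that is all
' a read needs, and it succeeds on more processes than PROCESS_ALL_ACCESS.
' NOTE(review): the address ranges are fixed by the caller; with ASLR the
' image base is not predictable, so a real scanner should walk VirtualQueryEx.
Private Sub DoSearch(ByVal uStartAddr As Long, _
                     ByVal uEndAddr As Long, _
                     uProcess As PROCESSENTRY32)
    Const PROCESS_VM_READ As Long = &H10
    Const PROCESS_QUERY_INFORMATION As Long = &H400
    Const CHUNK_SIZE As Long = &H500
    Const OVERLAP As Long = 32                  ' longest signature is 12 chars
    Dim hProcess As Long
    Dim abChunk() As Byte
    Dim szChunk As String
    Dim szExe As String
    Dim lRead As Long
    Dim uCurAddr As Long
    Dim c As Long
    Dim nSigs As Long

    ' szExeFile is a fixed-length buffer; keep only the part before the NUL.
    szExe = Left$(uProcess.szExeFile, InStr(uProcess.szExeFile & vbNullChar, vbNullChar) - 1)

    List1.AddItem "Scanning PID:" & szExe & " PID:" & uProcess.th32ProcessID
    List1.AddItem "Start Address:" & uStartAddr
    List1.AddItem "End Address:" & uEndAddr

    nSigs = SearchTableCount()
    If nSigs = 0 Then
        List1.AddItem "Signature table is empty - nothing to scan for"
        Exit Sub
    End If

    hProcess = OpenProcess(PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION, False, uProcess.th32ProcessID)
    If hProcess = 0 Then
        List1.AddItem "OpenProcess failed for PID " & uProcess.th32ProcessID
        Exit Sub
    End If

    ReDim abChunk(0 To CHUNK_SIZE - 1)
    uCurAddr = uStartAddr
    Do While uCurAddr <= uEndAddr
        lRead = 0
        ' An unreadable page ends this range, as in the original.
        If ReadProcessMemory(hProcess, uCurAddr, abChunk(0), CHUNK_SIZE, lRead) = 0 Then Exit Do
        If lRead <= 0 Then Exit Do

        szChunk = Left$(StrConv(abChunk, vbUnicode), lRead)
        For c = LBound(sSearch) To UBound(sSearch)
            If Len(sSearch(c).szString) > 0 Then
                If InStr(1, szChunk, sSearch(c).szString) > 0 Then
                    List1.AddItem "found string:" & sSearch(c).szString & " " & szExe & " Bot:" & sSearch(c).szBot
                    CloseHandle hProcess
                    KillBot uProcess
                    Exit Sub                    ' process is gone; no point reading on
                End If
            End If
        Next c

        ' Stop before the step would carry uCurAddr past uEndAddr.
        If uCurAddr > uEndAddr - (CHUNK_SIZE - OVERLAP) Then Exit Do
        uCurAddr = uCurAddr + (CHUNK_SIZE - OVERLAP)
    Loop

    CloseHandle hProcess
End Sub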
' Return the full path of the running executable (module handle 0). If
' GetModuleFileName reports 0 characters the untrimmed NUL buffer is returned,
' exactly as before.
Private Function GetModFileName() As String
    Dim szPath As String
    Dim cch As Long

    szPath = String$(MAX_PATH + 2, 0)
    cch = GetModuleFileName(0&, szPath, MAX_PATH + 1)

    If cch <= 0 Then
        GetModFileName = szPath
    Else
        GetModFileName = Left$(szPath, cch)
    End If
End Function
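' Store one (label, substring) pair at index n of sSearch() and advance n.
' The array is grown if the caller under-allocated it.
Private Sub AddSearch(n As Long, ByVal szBot As String, ByVal szString As String)
    If n > UBound(sSearch) Then ReDim Preserve sSearch(0 To n)
    sSearch(n).szBot = szBot
    sSearch(n).szString = szString
    n = n + 1
End Sub

' Populate the module-level sSearch() table. VB6 has no static initialiser for
' a UDT array, so the (label, substring) pairs of the C++ listing are added
' one by one here. The VNC entry is "\x52\x46\x42\x20\x30\x30\x33\x2E\x30\x30\x38\x0A",
' i.e. "RFB 003.008" followed by a line feed.
'
' NOTE(review): most of these substrings ("Main", "Port", "UDP", "URL", "host",
' "Accepted", "Wrong", "MSN") occur in the memory of almost any program, and
' the empty ones match anything (DoSearch must skip them). A hit leads to
' TerminateProcess and DeleteFile, so this list will hit legitimate software.
Private Sub InitSearchTable()
    Dim n As Long
    ReDim sSearch(0 To 60)                      ' 61 entries below
    AddSearch n, "VNC Scanning Bot", "RFB 003.008" & vbLf
    AddSearch n, "RXBot", "[MAIN]"
    AddSearch n, "RXBot", "[SCAN]"
    AddSearch n, "RXBot", "[FTP]"
    AddSearch n, " Cerberus", "Main"
    AddSearch n, "Apocalypse RAT", "Main"
    AddSearch n, "Solitude RAT", "Main"
    AddSearch n, "xviscera RAT", "Main"
    AddSearch n, "BfBot", ""
    AddSearch n, "Albertino's RAT", "Main"
    AddSearch n, "DarkComet-RAT", "Main"
    AddSearch n, "Deeper RAT", "Main"
    AddSearch n, "Shit Stealer", "host"
    AddSearch n, "Poison Ivy", "steal"
    AddSearch n, "Fallen Bot", "xor"
    AddSearch n, "Spy-Net", "Spy-net"
    AddSearch n, "CyberGate", "Port"
    AddSearch n, "Outbreak Bot", "Accepted"
    AddSearch n, "Warbot", "UDP"
    AddSearch n, "NesBot", "Accepted"
    AddSearch n, "DDoSer", "UDP"
    AddSearch n, "MeTuS", "Connections"
    AddSearch n, "KyleBot", "MSN"
    AddSearch n, "TsGh v8", "Wrong"
    AddSearch n, "iRTehStealer", "URL"
    AddSearch n, "IMbot", "::[MAIN]::"
    AddSearch n, "kBot", "Ready Boss"
    AddSearch n, "Plague Bot", "Accepted"
    AddSearch n, "iSwarm Bot", "Accepted"
    AddSearch n, "s0lar Bot", "Wrong"
    AddSearch n, "Logik Bot", "Accepted"
    AddSearch n, "iStealer", "Main"
    AddSearch n, "Hidden Iye Keylogger", ""
    AddSearch n, "SkuLogger", ""
    AddSearch n, "Albertino's Keylogger", ""
    AddSearch n, "Armadax", "Main"
    AddSearch n, "StealthKeys", "Main"
    AddSearch n, "KeyController", "Main"
    AddSearch n, "FlyLogger", "Main"
    AddSearch n, "StormBot", "encrypt"
    AddSearch n, "bot1", "MS08"
    AddSearch n, "bot2", "MS10"
    AddSearch n, "XP", "[XP"
    AddSearch n, "VIS", "[VIS"
    AddSearch n, "7", "[7"
    AddSearch n, "wi7", "[W7"
    AddSearch n, "wind7", "[WI7"
    AddSearch n, "usa", "[USA|"
    AddSearch n, "svn", "[SVN|"
    AddSearch n, "deu", "[DEU|"
    AddSearch n, "can", "[CAN|"
    AddSearch n, "nld", "[NLD|"
    AddSearch n, "zaf", "[ZAF|"
    AddSearch n, "gbr", "[GBR|"
    AddSearch n, "isr", "[ISR|"
    AddSearch n, "ils", "[ILS|"
    AddSearch n, "bra", "[BRA|"
    AddSearch n, "fra", "[FRA|"
    AddSearch n, "aus", "[AUS|"
    AddSearch n, "swe", "[SWE|"
    AddSearch n, "Unknown", "&echo bye"
    If n > 0 Then ReDim Preserve sSearch(0 To n - 1)
End Sub

' Scan pass: snapshot the process list, skip a short block list of system
' processes plus this program, and scan two fixed 1 MiB ranges of every other
' process with DoSearch.
'
' Fixes relative to the original listing:
'   * the signature table is now populated before scanning;
'   * szFile was a 128-character fixed-length String, truncating long paths,
'     and the block list compared the full path against a bare file name;
'     only the file-name part is kept now;
'   * the block-list test was InStr(entry, szExeFile) on the NUL-padded
'     fixed-length buffer, which never matched, so explorer/winlogon/services
'     were scanned anyway; the name is trimmed at the first NUL and compared
'     case-insensitively (the real name is "winlogon.exe", not "WINLOGON.EXE");
'   * the snapshot handle is checked before use.
Private Sub int_main()
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim i As Long
    Dim szSelf As String
    Dim szExe As String
    Dim szBlockList As Variant
    Dim hSnap As Long
    Dim bDoSearch As Boolean
    Dim uProcess As PROCESSENTRY32

    InitSearchTable

    ' Compare by file name only, like the other block-list entries.
    szSelf = GetModFileName
    If InStrRev(szSelf, "\") > 0 Then szSelf = Mid$(szSelf, InStrRev(szSelf, "\") + 1)
    szBlockList = Array("explorer.exe", "hidserv.exe", "WINLOGON.EXE", "SERVICES.EXE", szSelf)

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnap = INVALID_HANDLE_VALUE Or hSnap = 0 Then
        List1.AddItem "CreateToolhelp32Snapshot failed"
        Exit Sub
    End If

    uProcess.dwSize = Len(uProcess)
    If Process32First(hSnap, uProcess) <> 0 Then
        Do
            Sleep 250
            DoEvents

            szExe = Left$(uProcess.szExeFile, InStr(uProcess.szExeFile & vbNullChar, vbNullChar) - 1)
            List1.AddItem szExe

            bDoSearch = True
            For i = LBound(szBlockList) To UBound(szBlockList)
                If StrComp(szBlockList(i), szExe, vbTextCompare) = 0 Then
                    bDoSearch = False
                    Exit For
                End If
            Next i

            If bDoSearch Then
                DoSearch &H400000, &H4FFFFF, uProcess
                DoSearch &H100000, &H1FFFFF, uProcess
            End If
        Loop While Process32Next(hSnap, uProcess) <> 0
    End If

    CloseHandle hSnap
End Sub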
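' Terminate the process described by uProcess and delete its main executable.
' The main module is the MODULEENTRY32 whose szModule equals the process's
' szExeFile.
'
' Fixes relative to the original listing:
'   * the test was `Not szExeFile = szModule`, the inverse of the C++
'     `!strcmp`, and it compared a String*260 with a String*256, which can
'     never be equal - so it acted on every *other* module (DLLs) and tried to
'     delete them instead of the image; both names are now trimmed at the
'     first NUL and compared;
'   * the snapshot and process handles are checked, and hKillProcess is no
'     longer closed when it was never opened;
'   * only PROCESS_TERMINATE is requested, which is all TerminateProcess needs.
'
' NOTE(review): deleting a file because some process's memory contained
' "Main", "UDP" or "Port" is destructive and, with signatures this generic,
' will hit legitimate software. A safer default is terminate + log the path
' (or move to quarantine) instead of DeleteFile.
Private Sub KillBot(uProcess As PROCESSENTRY32)
    Const PROCESS_TERMINATE As Long = &H1
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim hSnap As Long
    Dim hKillProcess As Long
    Dim kProcess As MODULEENTRY32
    Dim szExe As String
    Dim szModule As String
    Dim szPath As String

    szExe = Left$(uProcess.szExeFile, InStr(uProcess.szExeFile & vbNullChar, vbNullChar) - 1)

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, uProcess.th32ProcessID)
    If hSnap = INVALID_HANDLE_VALUE Or hSnap = 0 Then
        List1.AddItem "Module snapshot failed for PID " & uProcess.th32ProcessID
        Exit Sub
    End If

    kProcess.dwSize = Len(kProcess)
    If Module32First(hSnap, kProcess) <> 0 Then
        Do
            szModule = Left$(kProcess.szModule, InStr(kProcess.szModule & vbNullChar, vbNullChar) - 1)
            If StrComp(szModule, szExe, vbTextCompare) = 0 Then
                szPath = Left$(kProcess.szExePath, InStr(kProcess.szExePath & vbNullChar, vbNullChar) - 1)

                hKillProcess = OpenProcess(PROCESS_TERMINATE, False, uProcess.th32ProcessID)
                If hKillProcess <> 0 Then
                    TerminateProcess hKillProcess, 0
                    CloseHandle hKillProcess
                    Sleep 500                   ' let the image be unmapped first
                    DoEvents
                    SetFileAttributes szPath, FILE_ATTRIBUTE_NORMAL
                    If DeleteFile(szPath) <> 0 Then
                        MsgBox "File deleted:" & szPath
                    Else
                        List1.AddItem "Terminated but could not delete " & szPath
                    End If
                Else
                    List1.AddItem "OpenProcess(PROCESS_TERMINATE) failed for PID " & uProcess.th32ProcessID
                End If
                Exit Do                         ' only the main module is of interest
            End If
        Loop While Module32Next(hSnap, kProcess) <> 0
    End If

    CloseHandle hSnap
End Sub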

c++

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

/* Scan one address range of the process described by pe32 for the strings in sSearch. */
void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 );
/* Terminate the process described by pe32 and delete its main executable. */
void KillBot( PROCESSENTRY32 pe32 );

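/* One signature: a label for the log and the byte string searched for in
 * process memory.  Both members only ever point at string literals, so they
 * are const: binding a literal to a plain char* is ill-formed since C++11
 * and the table below is never written to. */
struct s_Search
{
    const char* szBot;
    const char* szString;
};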

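/* Signature table, terminated by a { NULL, NULL } entry (DoSearch stops at
 * the first NULL szString).  The stray `"` after several closing braces in the
 * posted listing ("}",") was a syntax error and has been removed; the values
 * are unchanged.
 *
 * NOTE(review): as a detection list this is very weak.  "Main", "Port",
 * "UDP", "URL", "host", "Accepted", "Wrong", "MSN", "encrypt" and "xor" occur
 * in the memory of almost any program, and the empty signatures (BfBot,
 * Hidden Iye Keylogger, SkuLogger, Albertino's Keylogger) match *everything*
 * with strstr() - DoSearch must skip them or every scanned process is killed.
 * A hit here leads to TerminateProcess and DeleteFile, so expect collateral
 * damage against legitimate software. */
s_Search sSearch[ ] =
{
    { "VNC Scanning Bot", "\x52\x46\x42\x20\x30\x30\x33\x2E\x30\x30\x38\x0A" },  /* "RFB 003.008\n" */
    { "RXBot", "[MAIN]" },
    { "RXBot", "[SCAN]" },
    { "RXBot", "[FTP]" },
    { " Cerberus", "Main" },
    { "Apocalypse RAT", "Main" },
    { "Solitude RAT", "Main" },
    { "xviscera RAT", "Main" },
    { "BfBot", "" },
    { "Albertino's RAT", "Main" },
    { "DarkComet-RAT", "Main" },
    { "Deeper RAT", "Main" },
    { "Shit Stealer", "host" },
    { "Poison Ivy", "steal" },
    { "Fallen Bot", "xor" },
    { "Spy-Net", "Spy-net" },
    { "CyberGate", "Port" },
    { "Outbreak Bot", "Accepted" },
    { "Warbot", "UDP" },
    { "NesBot", "Accepted" },
    { "DDoSer", "UDP" },
    { "MeTuS", "Connections" },
    { "KyleBot", "MSN" },
    { "TsGh v8", "Wrong" },
    { "iRTehStealer", "URL" },
    { "IMbot", "::[MAIN]::" },
    { "kBot", "Ready Boss" },
    { "Plague Bot", "Accepted" },
    { "iSwarm Bot", "Accepted" },
    { "s0lar Bot", "Wrong" },
    { "Logik Bot", "Accepted" },
    { "iStealer", "Main" },
    { "Hidden Iye Keylogger", "" },
    { "SkuLogger", "" },
    { "Albertino's Keylogger", "" },
    { "Armadax", "Main" },
    { "StealthKeys", "Main" },
    { "KeyController", "Main" },
    { "FlyLogger", "Main" },
    { "StormBot", "encrypt" },
    { "bot1", "MS08" },
    { "bot2", "MS10" },
    { "XP", "[XP" },
    { "VIS", "[VIS" },
    { "7", "[7" },
    { "wi7", "[W7" },
    { "wind7", "[WI7" },
    { "usa", "[USA|" },
    { "svn", "[SVN|" },
    { "deu", "[DEU|" },
    { "can", "[CAN|" },
    { "nld", "[NLD|" },
    { "zaf", "[ZAF|" },
    { "gbr", "[GBR|" },
    { "isr", "[ISR|" },
    { "ils", "[ILS|" },
    { "bra", "[BRA|" },
    { "fra", "[FRA|" },
    { "aus", "[AUS|" },
    { "swe", "[SWE|" },
    { "Unknown", "&echo bye" },
    { NULL, NULL }
};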

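/* Binary-safe search for the NUL-terminated needle inside hay[0..n).
 * An empty needle never matches (strstr(x, "") would match everything). */
static bool FindBytes( const unsigned char* hay, size_t n, const char* needle )
{
    size_t m = strlen( needle );

    if( m == 0 || m > n )
        return false;

    for( size_t i = 0; i + m <= n; i++ )
        if( memcmp( hay + i, needle, m ) == 0 )
            return true;

    return false;
}

/* Scan [uStartAddr, uEndAddr] of the process described by pe32 for every
 * signature in sSearch; on the first hit, log it, hand the process to
 * KillBot and return.
 *
 * Fixes relative to the original:
 *   - the loop advanced one byte per 0x500-byte read (a million overlapping
 *     reads per range); it now steps by the chunk size, keeping a small
 *     overlap so a signature split across two chunks is still found;
 *   - strcat() of Curbuf, which is not NUL-terminated, read past the buffer,
 *     and everything after the first NUL in a chunk was never searched; the
 *     search now runs on the raw bytes with the length ReadProcessMemory
 *     reported, so szBigBuffer is gone;
 *   - empty signatures are skipped: strstr(x, "") always matches, which would
 *     have flagged every readable process as "BfBot";
 *   - the OpenProcess result is checked, and only the rights a read needs are
 *     requested (PROCESS_ALL_ACCESS is refused for many processes);
 *   - the handle is closed before KillBot and scanning stops after a kill.
 * NOTE(review): the fixed address ranges passed by main() predate ASLR; a
 * real scanner would enumerate committed regions with VirtualQueryEx. */
void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 )
{
    unsigned char Curbuf[ 0x500 ];
    const unsigned long uOverlap = 32;                        /* longest signature is 12 bytes */
    const unsigned long uStep = sizeof( Curbuf ) - uOverlap;

    HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID );

    printf( "Scanning PID: %lu [ %s ]\nStart Address: 0x%08lX End Address: 0x%08lX\n\n", pe32.th32ProcessID, pe32.szExeFile, uStartAddr, uEndAddr );

    if( hProcess == NULL )
    {
        printf( "OpenProcess failed for PID %lu (error %lu)\n\n", pe32.th32ProcessID, GetLastError( ) );
        return;
    }

    for( unsigned long uCurAddr = uStartAddr; uCurAddr <= uEndAddr; )
    {
        SIZE_T nRead = 0;

        /* An unreadable page ends this range, as in the original. */
        if( !ReadProcessMemory( hProcess, (void *)uCurAddr, Curbuf, sizeof( Curbuf ), &nRead ) || nRead == 0 )
            break;

        for( int c = 0; sSearch[ c ].szString != NULL; c++ )
        {
            if( FindBytes( Curbuf, nRead, sSearch[ c ].szString ) )
            {
                printf( "Found string \"%s\" in \"%s\" bot \"%s\"\n\n", sSearch[ c ].szString, pe32.szExeFile, sSearch[ c ].szBot );
                CloseHandle( hProcess );
                KillBot( pe32 );
                return;
            }
        }

        /* Stop before the step would carry uCurAddr past uEndAddr (or wrap). */
        if( uCurAddr > uEndAddr - uStep )
            break;
        uCurAddr += uStep;
    }

    CloseHandle( hProcess );
}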

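/* Terminate the process described by pe32 and delete its main executable.
 * The image is the module whose szModule equals pe32.szExeFile.
 *
 * Fixes relative to the original: hKillProcess was uninitialised and passed
 * to CloseHandle even when no module matched; the snapshot handle and the
 * OpenProcess result were not checked; the loop kept walking modules after
 * the process had been terminated.  Only PROCESS_TERMINATE is requested,
 * which is all TerminateProcess needs.
 *
 * NOTE(review): deleting a file because a process's memory contained "Main",
 * "Port", "UDP" or similar is destructive and, with signatures this generic,
 * will hit legitimate software.  Prefer terminate + log (or move to
 * quarantine) over DeleteFile. */
void KillBot( PROCESSENTRY32 pe32 )
{
    MODULEENTRY32 me32 = { 0 };
    HANDLE hPath = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe32.th32ProcessID );

    if( hPath == INVALID_HANDLE_VALUE )
    {
        printf( "Module snapshot failed for PID %lu (error %lu)\n", pe32.th32ProcessID, GetLastError( ) );
        return;
    }

    me32.dwSize = sizeof( me32 );

    for( BOOL bRetval = Module32First( hPath, &me32 ); bRetval; bRetval = Module32Next( hPath, &me32 ) )
    {
        if( strcmp( pe32.szExeFile, me32.szModule ) != 0 )
            continue;

        HANDLE hKillProcess = OpenProcess( PROCESS_TERMINATE, FALSE, pe32.th32ProcessID );
        if( hKillProcess == NULL )
        {
            printf( "OpenProcess(PROCESS_TERMINATE) failed for PID %lu (error %lu)\n", pe32.th32ProcessID, GetLastError( ) );
            break;
        }

        TerminateProcess( hKillProcess, 0 );
        CloseHandle( hKillProcess );

        Sleep( 500 );       /* let the image be unmapped before DeleteFile */

        SetFileAttributes( me32.szExePath, FILE_ATTRIBUTE_NORMAL );
        if( DeleteFile( me32.szExePath ) )
            printf( "Terminated and deleted %s\n", me32.szExePath );
        else
            printf( "Terminated %s but could not delete it (error %lu)\n", me32.szExePath, GetLastError( ) );

        break;              /* only the main module is of interest */
    }

    CloseHandle( hPath );
}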

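/* Entry point: snapshot the process list, skip a short block list of system
 * processes plus this program, and scan two fixed 1 MiB ranges of every other
 * process with DoSearch.
 *
 * Fixes relative to the original: szFile was 128 bytes (paths are MAX_PATH)
 * and held a full path while the other entries are bare file names; the
 * block-list test was strstr(entry, exe) - it searched the block-list entry
 * for the whole process name, case-sensitively, so "winlogon.exe" did not
 * match "WINLOGON.EXE"; names are now compared case-insensitively with
 * lstrcmpiA; the snapshot handle is checked and pe32 is zeroed before use.
 * NOTE(review): the fixed ranges 0x00100000-0x001FFFFF and
 * 0x00400000-0x004FFFFF assume a non-relocated 32-bit image; with ASLR they
 * are largely arbitrary. */
int main( )
{
    char szFile[ MAX_PATH ] = { 0 };
    GetModuleFileName( GetModuleHandle( NULL ), szFile, sizeof( szFile ) );

    /* Compare by file name only, like the other block-list entries. */
    const char* szSelf = strrchr( szFile, '\\' );
    szSelf = szSelf ? szSelf + 1 : szFile;

    const char* szBlockList[ ] = { "explorer.exe", "hidserv.exe", "WINLOGON.EXE", "SERVICES.EXE", szSelf };
    HANDLE hProcess = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    PROCESSENTRY32 pe32 = { 0 };

    if( hProcess == INVALID_HANDLE_VALUE )
    {
        printf( "CreateToolhelp32Snapshot failed (error %lu)\n", GetLastError( ) );
        return 1;
    }

    pe32.dwSize = sizeof( PROCESSENTRY32 );

    for( BOOL bRetval = Process32First( hProcess, &pe32 ); bRetval; bRetval = Process32Next( hProcess, &pe32 ) )
    {
        bool bDoSearch = true;

        Sleep( 250 );

        for( size_t i = 0; i < sizeof( szBlockList ) / sizeof( szBlockList[ 0 ] ); i++ )
        {
            if( lstrcmpiA( szBlockList[ i ], pe32.szExeFile ) == 0 )
            {
                bDoSearch = false;
                break;
            }
        }

        if( bDoSearch )
        {
            DoSearch( 0x00400000, 0x004FFFFF, pe32 );
            DoSearch( 0x00100000, 0x001FFFFF, pe32 );
        }
    }

    CloseHandle( hProcess );

    printf( "Done scanning, press ENTER to exit this program.\n" );

    getchar( );

    return 0;
}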
