$Id: //devel/tools/main/backstealth/README.TXT#1 $

This is the deliverable of my backstealth project, and it has all the stuff
to let you build, test and validate this for yourself. The code was
originally reversed from the executables, but has already been enhanced
some for my own testing and experimentation.

I include full source code, plus precompiled binaries that were built on my
Windows 2000 system with MS Visual C/C++ 12.00.8804. I promise that the
binaries were built directly from the source, and I'm not pulling any
shenanigans at the binary or source level (if this promise means anything).

Everything I do is console mode - open up a command window to build and run
all of it. No GUI or MSVC Project files, sorry. Source code is all formatted
with 8-char tabs.

SOURCE CODE
------------

README.TXT   - this file

bs.cpp       - Backstealth main driver. This is what you run to test this
               thing.

mydll.cpp    - source code to the DLL that bs.exe loads.

enumwin.cpp  - enumerates system windows (so you can find out how to get a
               handle on a particular program).

makefile     - builds everything: say "make"

OBJECT FILES
-------------

BS.EXE       - backstealth console application: just say "bs" from a CMD
               window to try it. It reports lots of debugging to the
               standard output.

MYDLL.DLL    - the DLL loaded by the hijacked process. Must live in the same
               dir as BS.EXE. It reports progress via OutputDebugString
               (see DBMON.EXE below).

ENUMWIN.EXE  - just enumerates all system-level windows and gives their
               names. Console app: run from a cmd window.

DBMON.EXE    - debugging monitor: this console app simulates a debugger by
               listening for data from OutputDebugString() calls from
               various applications. The only way that the injected DLL can
               really talk to the outside world is via OutputDebugString()
               calls, and this app picks them up and displays them on the
               output. Just run it and control-C when done. There will
               probably be random other output from system processes and
               such: this can be ignored.

GMAKE.EXE    - a copy of GNU make 3.79 that my makefiles use. Microsoft's
               make sucks. It's clean.

HOW TO PLAY
-----------

Park all these programs in a directory somewhere, and just run "bs" from a
cmd window. It looks through the system windows for one that matches a
known pattern, and when it finds one, it tries to open that process and
bang on the firewall.

But the window strings must match *exactly*, so ZoneAlarm and ZoneAlarm Pro
aren't the same. There is a table early in the BS.CPP file that lists the
strings we're matching, and if you find that your firewall is not found,
you can use the ENUMWIN program to run through the system and list all the
system windows. You can just add your own to the table and it will attempt
to find the new one you included.

Be careful to note the difference between "window class" and "window name":
the name is the only one that ENUMWIN will see, and that's the last
parameter. Use a NULL if you don't know anything about the class.

Rebuild the program and run it with DBMON open in another cmd window. The
program attempts to load MYDLL.DLL into the target process's address space,
and if successful, makes an HTTP connection to the web site
www.pc-facile.com and downloads a small text file to RETRIEVE.DAT in the
directory that BS.EXE is launched from. If you give the "-R" parameter,
this file is removed from the current dir before running: just a
convenience.

COMMAND LINE
------------

-S        use the "self" process - BS.EXE - as the process to infect. Only
          used for testing the overall mechanism of the toolkit; tells
          *nothing* about any given firewall.

-R        remove the RETRIEVE.DAT file before running the DLL. Just a
          convenience.

-H host   use "host" to connect to. Can be an IP address to avoid the DNS
          lookup. Default = www.pc-facile.com. No "http:" prefix.

-U url    fetch the given URL from the remote host. Default value is
          "/security/backstealth.txt". This should not include any "http:"
          or host part.