July 31, 2022 at 11:44 AM
Hello :)
In this tutorial I will go over sockets for malware communication. Every function used is documented and links will be provided.
SERVER VS CLIENT:
First, you need to understand servers and clients. Trust me, this isn't very complicated. For our malware we want infected computers to connect to us.
If we connected to them we would need to know their IP address beforehand and have a port open on their gateway.
Obviously, that is NOT best practice.
So, we will be the server and infected computers (clients) will connect to us!
WRITING THE SERVER
The server code will closely resemble the client code, but keep in mind there are key differences.
To start we need two variables of type addrinfo: an addrinfo* that will hold our result, and an addrinfo struct object that will hold our hints.
Our result is a pointer because getaddrinfo(), which we call to get the result, wants it as a PADDRINFOA* (aka just addrinfo**, to make it simpler).
https://docs.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-addrinfoa
https://docs.microsoft.com/en-us/windows/win32/api/ws2tcpip/nf-ws2tcpip-getaddrinfo
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
WSADATA wsadata;
WSAStartup(MAKEWORD(2,2), &wsadata); // we also need to initialise Winsock 2.2 https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-wsastartup
struct addrinfo hints;
struct addrinfo* ai;
ZeroMemory(&hints, sizeof(hints)); // zero the struct first so the members we don't set are not left holding garbage
Now, we can fill up hints.
According to the documentation there are 8 members inside of addrinfo:
https://docs.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-addrinfoa
The ones we care about are:
ai_flags
ai_family
ai_socktype
ai_protocol
hints.ai_flags = AI_PASSIVE;
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
This is what our code looks like so far
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
WSADATA wsadata;
WSAStartup(MAKEWORD(2,2), &wsadata);
struct addrinfo hints;
struct addrinfo* ai;
ZeroMemory(&hints, sizeof(hints)); // clear every member before filling the four we use
hints.ai_flags = AI_PASSIVE; // AI_PASSIVE: the address getaddrinfo() returns is meant for bind(); with a NULL node name that is the wildcard address, so we accept connections on any local interface instead of caring about a specific IP
hints.ai_family = AF_INET; // AF_INET because we want IPv4
hints.ai_socktype = SOCK_STREAM; // SOCK_STREAM: a reliable two-way byte stream, which is what TCP gives us
hints.ai_protocol = IPPROTO_TCP; // IPPROTO_TCP for TCP; ai_socktype needs to be SOCK_STREAM for this
Now, let's get our result from hints.
To do this we use the getaddrinfo() function.
If you were confused by result being a pointer and hints not, the reason is that getaddrinfo() accepts our result as an addrinfo** or PADDRINFOA*.
The params are:
IP (host name or address, as a string)
PORT (service name or port number, as a string)
HINTS
[OUT]RESULT
https://docs.microsoft.com/en-us/windows/win32/api/ws2tcpip/nf-ws2tcpip-getaddrinfo
getaddrinfo("ip", "port", &hints, &ai); // "ip" and "port" are placeholders; with AI_PASSIVE a NULL node name gives the wildcard address. Returns 0 on success, otherwise a Winsock error code
We are almost finished, let's finally create a socket with socket().
socket() takes three arguments:
the family,
the type,
the protocol
SOCKET sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); // returns INVALID_SOCKET on failure
We need to bind() the listening socket we just created. After we do this there is no need for our addrinfo*, so we will free it.
bind(sock, ai->ai_addr, (int)ai->ai_addrlen); // returns SOCKET_ERROR on failure
freeaddrinfo(ai);
All that we have to do now is listen() and accept().
listen(sock, SOMAXCONN);
SOCKET client = accept(sock, 0, 0); // for multiple connections I created a linked list in my malware
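The same getaddrinfo/socket/bind/listen sequence as above, but with every return value checked and nothing leaked on failure. This is an added example, not code from the original post or its linked project; the helper name open_listener is mine, and the small #ifdef shim is only there so the Winsock names also build on POSIX.

```c
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
#else /* shim so the Winsock names also build on POSIX (added for testing) */
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
typedef int SOCKET;
#define INVALID_SOCKET (-1)
#define SOCKET_ERROR (-1)
#define closesocket close
#endif

/* Hypothetical helper: returns a TCP socket listening on every local IPv4
 * interface at `port` ("0" lets the OS pick a free port), or INVALID_SOCKET.
 * Each call from the post is checked and resources are released on failure. */
SOCKET open_listener(const char *port)
{
    struct addrinfo hints, *ai = NULL;
    SOCKET sock = INVALID_SOCKET;
#ifdef _WIN32
    WSADATA wsadata;
    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0)
        return INVALID_SOCKET;           /* caller runs WSACleanup() when done */
#endif
    /* Garbage in ai_addr/ai_next makes getaddrinfo() fail (or worse),
     * so clear the whole struct before setting the four fields we use. */
    memset(&hints, 0, sizeof hints);
    hints.ai_flags    = AI_PASSIVE;      /* result is meant for bind()   */
    hints.ai_family   = AF_INET;         /* IPv4                         */
    hints.ai_socktype = SOCK_STREAM;     /* byte stream ...              */
    hints.ai_protocol = IPPROTO_TCP;     /* ... over TCP                 */
    /* NULL node name + AI_PASSIVE = the wildcard address (0.0.0.0). */
    if (getaddrinfo(NULL, port, &hints, &ai) != 0)
        return INVALID_SOCKET;
    sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (sock == INVALID_SOCKET ||
        bind(sock, ai->ai_addr, (int)ai->ai_addrlen) == SOCKET_ERROR ||
        listen(sock, SOMAXCONN) == SOCKET_ERROR) {
        if (sock != INVALID_SOCKET)
            closesocket(sock);           /* don't leak a half-set-up socket */
        sock = INVALID_SOCKET;
    }
    freeaddrinfo(ai);                    /* not needed once bind() has run */
    return sock;                         /* next step: accept() in a loop  */
}
```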
https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-listen
https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-accept
CLIENT
I'm getting tired of writing this all out, so I'll finish this up with a video tutorial.
https://odysee.com/@SegFaulted:8/sockets:9 // odysee because yt likes to ban me
https://www.youtube.com/channel/UCIg7sT8WxDFHHDgwO0rReXg // might try to upload to yt so here's my channel atm
FINAL REMARKS
link to example project: https://github.com/0xSegFaulted/LeetSpeak
I hope this tutorial helped someone learn a bit.
Make sure to tell me if I could improve at anything. I know I'm not the best at explaining things, that's why I referenced docs quite often.
Also, I am working on a few projects atm and want to know what people actually want put out. Currently, I am working on a ransomware-as-a-service, a file binder (this is actually finished from a while ago I just gotta find it), and a rat-as-a-service (which I'm gonna write as a challenge to learn golang as fast as possible).
Make sure to follow my Github and Odysee because fuck yt.
SegFaulted#5517
