Poison Ivy 2.3.0
(Backdoor.Win32.Poison.k for Server)

by shapeless

Written in Delphi

Released in February 2007

more versions


Poison Ivy is an advanced remote administration tool for Windows (the client is reported to run on WINE or other emulators
on various Linux/UNIX flavors), written in pure assembly (server), and Delphi (client).
The server contains no dependencies of any kind, and runs on 2000/XP/2003/Vista.
Since version 2.3.0, the server size is dependent on the settings, which means additional features (like key logger, etc.), will
make the final server larger.
Even so, the maximum size of the server is around 7KiB, unpacked.
Being independent code, the server builder can produce PEs, or shellcode(in the form of arrays for C, Delphi, Python, or
raw binary), depending on your needs.
The most important features are encrypted communications (256bit Camellia), compressed communications, full-featured
file manager, registry manager, key logger, services manager, relay server, process manager, remote audio capture, screen
capture, web cam capture, multiple simultaneous transfers, password manager, and the ability to share servers, based on
privilege levels, and various other things that you will find useful.
Poison Ivy is also special compared to other similar tools, because the server doesn't need to be updated, even if new
features are added.
Even though the server supports 3rd party plugins, it's important to know that all the features not listed in the “Plugins”
section are self-contained in the server, and no additional files are used at any time.
The plugins (as well as the server and key logger file) are stored encrypted in ADS (Alternative Data Stream) on NTFS
partitions (they are stored normally on FAT32).

[+] - Feature added
[-] - Feature removed
[*] - Bug fixed on existing feature
[+] New user interface.
-> Listen on multiple ports.
-> Save and Load build settings in form of Profiles.
-> Execute third party applications after build.
-> Configure the Connection list's columns.
-> Place connections in groups.
[+] Key File for password.
[+] Connection log.
[+] Highlight File Types in File Manager and File Search.
[+] Route connections through HTTP proxies (possible to mix HTTP and Socks4 proxies).
[+] Proxy Hijack; route through Internet Explorers HTTP or Socks4 proxy settings.
[+] Server file and ALL the files (keylog file and plugins) it drops to disk get stored into the Install Folder's ADS.
[+] Show/unload modules in Process Manager.
[+] Shellcode server. Generate a shellcode of the server in form of: binary, C Array, Python Array and Delphi Array.
[+]Plugin support.
-> Plugins will be stored in the install folder's ADS (if NTFS).
-> Optional to store it remotely.
-> The remote dll (server side) will be loaded in memory and is encrypted on disk.
-> The remote dll will be automatically updated if a newer version is available locally.
[+] Execute files with parameter.
[+] Notes.
[-] Packet Analyzer has been removed.
[*] ID and Group names are now 255 chars long when building.
[*] Fixed an Uninstall bug on limited accounts when autostart is being used.
[*] When a server disconnects, the client waits for all threads to clean up before removing the connection.
[*] Fixed a bug when downloading drives using Download Folder.
[*] "Test Connection" now runs in an own thread and you can cancel it by pressing OK or Cancel.
[*] "Test Connection" now also tests if the password is correct (not with Proxy DNS).
[*] Fixed a startup bug that occurred when explorer.exe was restarted.
[*] An "Access violation" bug has been fixed in the data transfer.
[*] Auto save in Audio Capture now appends the "Received time" to the file name.
[*] Folders that begin with "." are now visible in file manager.


size: 7,864 bytes

tested on Windows XP
June 15, 2007