Decoder for gh0st backdoor. The gh0st backdoor is well known and documented. The structure of the gh0st protocol is:

  • A 5 byte value.
  • Length of entire compressed message.
  • Length of uncompressed zlib payload.
  • zlib payload (starts with 0x789c).

Once a gh0st message has been found it is buffered until the entire message is available. Once buffering is complete the message is decompressed. The first byte of most messages is a command or token. The list of commands and tokens are documented in the code.